Guardio Labs

12 posts

@GuardioLabs

Cybersecurity research lab at @guardiosecurity. We analyze scams, phishing, malware, and the ecosystems that keep them running. Findings here first!

Joined April 2026
17 Following 22 Followers
Guardio Labs @GuardioLabs
3/3 it's live-operated AiTM! Attacker gets real-time login attempts to Telegram and controls it all from their C2. They log in to the victims' accounts on their end while orchestrating a fake login flow on the victim's screen. So you get a 2FA text message and type it into your login screen? This is not a real 2FA prompt - you just sent it to the attacker! Here you can see an inside look at how it looks on the attacker's end - and we saw enough operator fingerprints to keep pulling this thread even more. So who's behind WrongPress and how many have already wrong-pressed? soon... 💪 @GoDaddy @GoogleAds
Guardio Labs @GuardioLabs
2/3 The ad click first hits a cloaker, then flips real users to a fake @managewp login while too easily dodging Google's inspection of who authorized this sponsored search result! The actual kit and its infra (and attribution) is what's really interesting here...
Guardio Labs @GuardioLabs
Still Google for your account login? Beware not to "WrongPress"! We found yet another Google Ads phish, this time abusing search results for ManageWP, GoDaddy's WordPress admin platform. The fake result sits right on top of the real one, and one click later you're in an AiTM (Adversary in the Middle) trap that hijacks your account 👉 more...
Guardio Labs @GuardioLabs
On the menu in Vietnam: pho, banh mi, dumplings... and 30,000 hijacked Facebook business accounts 🥟 Meet "AccountDumpling": phishing sent straight through Google's own infrastructure. Yum. Looks like it's a serious business over there. Steal the account. Resell it. Fabricate fake identities. Sell "recovery" right back to the victim for a fee and even more shenanigans. Brilliant deep-dive research by our own @shaked__chen! Learn how they abused Google to send phishing emails, so many methods and tricks they used along the way, and the mistakes they made that helped us catch them red-handed and reach victims in time to save what could still be saved. (link to full research in reply...)
Guardio Labs @GuardioLabs
3/3 Then the victim lands on a fake Meta Privacy Center and starts donating credentials. Password. Retry. 2FA code. Retry again. We saw 15 rotating phishing URLs in just 3 days, and kits now doing real-time 2FA interception. If your mail stack blindly whitelists business[.]facebook[.]com, time to rethink this. More on this campaign soon 👉
Guardio Labs @GuardioLabs
2/3 The "best" part? We reproduced it in minutes. Create a Business Manager account with 1 click. Change the business name to whatever scare-text you want. Change the requester name too. Send a partner invite to any email plus any valid business ID. Now @gmail treats the mail as trusted - NoMetaWhat! And the clickable name does the rest. @Meta @facebook
Guardio Labs @GuardioLabs
NoMetaWhat. Ever got a phishing email from Meta that actually came from Facebook?! Oh No.. Attackers abuse Facebook Business Manager to send real emails from noreply@business.facebook.com, then stuff the invite with their own sender name, urgency bait, and a clickable phishing link! DKIM, SPF, DMARC all pass. Of course they do. 👉 more...
Guardio Labs @GuardioLabs
Didn’t realize a church in Pennsylvania started offering macOS storage fix services?! The ClickFix gang is back with GoogleFix, and they’ve figured out how to make @GoogleAds' own ad platform do their dirty work. @GuardioLabs full report now available with a technical deep dive, and tons of in-the-wild samples here 👇 @GuardioSecurity
Guardio Labs reposted
Guardio @GuardioSecurity
Lovable builds the future. Guardio scans it when it goes live. You won’t see it. You won’t feel it. But without it? You’d be clicking into scams built by AI all day long. Introducing the new integration between Guardio and Lovable - making the web a cleaner, safer place for everyone. @lovable
Guardio Labs reposted
Nati Tal @bananahacks
Ever wonder how your data ends up for sale in the digital shadows? It’s a massive industry where groups like ShinyHunters exploit misconfigured SaaS databases for profit. The ultimate irony: they just breached Aura, a US firm dedicated to preventing identity theft. 🤦‍♂️ ~1M records leaked due to a Salesforce configuration error. If the "protectors" aren't safe, is privacy a losing battle? Read our full report analysis - link in the reply...