Alessandro C.

🚨PHISHING ALERT: AI-Powered "Vibe Coding" Phish via Evernote 🚨 KnowBe4 ThreatLabs is tracking an active campaign exploiting Evernote’s legitimate infrastructure to deliver high-fidelity Microsoft credential harvesters. This attack highlights a shifting landscape: threat actors are now leveraging Base44, an AI "vibe coding" platform, to build sophisticated phishing pages without writing a single line of code. The Attack Flow: The Hook: Users receive a "Note shared with you" email featuring high-pressure financial lures—payment approvals, contracts, or finance reports. The Bypass: Sent from no-reply[@]mail[.]evernote[.]com, these emails sail past SPF/DKIM/DMARC authentication. The Bridge: Links lead to real share.evernote[.]com notes containing a "View Document" CTA. The AI Twist: The CTA lands on a phishing page built with Base44 AI an AI "vibe coding" platform. These pages are protected by Cloudflare bot-checks to evade sandbox detection. The Sting: A pixel-perfect M365 login screen designed to harvest credentials in real-time. Why It Works: ✓ Reputation Hijacking: Sender and initial host are legitimate Evernote domains. ✓ AI-Speed: Base44 allows attackers to spin up unique, professional-grade pages instantly. ✓ Sandbox Evasion: Multi-stage redirects hide the final payload from automated scanners. Indicators of Compromise (IOCs) ashrafreda[.]com atomicurl[.]com voice0356[.]us techformulagrayfellowshipinvestments[.]tvwpotalsources[.]vu easywaytech[.]co[.]ke enthusiastic-secure-link-go[.]base44[.]app freight-sync-link[.]base44[.]app login[.]yum[.]homes office[.]cotiviti[.]top hticybernetics[.]com[.]sharepoint[.]com/s/finance/Eba1 berenzweiglaw[.]com[.]sharepoint[.]com/:f:/s/finance/Eba1 serviceamericanreprographicscompany[.]golkppdmansachs[.]vu/ #CyberSecurity #Phishing #M365 #OAuth #KnowBe4 #ThreatIntel #HumanRisk #Evernote #AI

🚨 CYBERINTEL ALERT: TOTAL COMPROMISE OF THE NATIONAL IDENTITY CORE – SAIME, SAREN, AND BORDER ID SYSTEM [STATUS: DATA DISASTER / CRITICAL] 🇻🇪 VECERT Intelligence monitoring systems have detected the largest data exfiltration in Venezuela's recent history. The threat actor group L4TAMFUCKERS, led by GordonFreeman, has announced the breach and massive exfiltration of the databases belonging to SAIME, SAREN, and the Border ID system. 🏢 Affected Entities: SAIME (Administrative Service for Identification, Migration, and Foreigners). SAREN (Autonomous Service of Registries and Notaries). Border ID (Border mobility system). 👤 Threat Actors: L4TAMFUCKERS (GordonFreeman, Izanagi, YoSoyGroot). 📂 Data Volume: Terabytes of exfiltrated information. 📅 Report Date: May 8, 2026. 📊 Inventory of Exfiltrated Assets SAIME (Biographical Database – 35.2 Million Records): Contains identity metadata for practically the entire population holding a national ID card. Data: National ID number, full names, gender, date of birth, profession, and system registration date. SAREN (Birth Certificates – 13.4 Million Documents): Exfiltration of 6 Terabytes of legal documents in PDF format. Compromise of the nation's civil core: Records establishing filiation, inheritance, and marital status. Border ID (92,000 Detailed Records): Complete database including: Foreign ID numbers, email addresses, passwords, phone numbers, and registration dates. 📊 Technical Analysis of the Attack (TTPs) The L4TAMFUCKERS group exploited structural flaws within the ministerial interconnection architecture: API Abuse and Blind Trust: The attackers compromised an entry point and utilized internal authentication keys to query other systems, exploiting the fact that the servers automatically trusted one another without requiring additional verification (API Chaining). Identifier Manipulation (IDOR / BOLA): By manually altering IDs within network requests, the system delivered citizen records without requiring prior authorization. Exfiltration via Official Tunnels: They utilized the very same government data channels to extract terabytes of information, thereby ensuring that the outbound traffic appeared legitimate and evaded Intrusion Detection Systems (IDS). 🛡️ Emergency Recommendations 🔒 For Citizens: It is recommended that you immediately change your personal email passwords and enable MFA (Multi-Factor Authentication). Remain extremely vigilant regarding any attempts at telephone or digital extortion that utilize specific details regarding your identity or family members. 🏛️ For Institutions: It is imperative to revoke all current API keys and implement a Zero Trust architecture. Monitor: https://t.co/wk9bZJ3laQ #CyberSecurity #Venezuela #SAIME #SAREN #DataBreach #L4TAMFUCKERS #IdentityTheft #VECERT #CyberAlert 🇻🇪🛡️⚠️🚨📂