We're officially introducing PhishCore.
PhishCore helps organizations test, measure, and improve their defenses against phishing attacks using realistic simulations and security awareness training.
We’re currently building the platform and have opened a waitlist for early adopters.
If you’re interested, sign up for the waitlist:
https://t.co/kB1z4kaTk4
We’re building in public and will share more updates soon.
Pegasus can be on your phone right now and you'd never know.
But here's what you can actually do.
If you think you're a target:
Download the Mobile Verification Toolkit by Amnesty International. free. open source. it analyzes your phone's logs and backups for traces of Pegasus.
https://t.co/fWki5X8sMp
iPhone: run MVT against an iTunes backup. no jailbreak needed for a basic scan.
Android: harder to detect. MVT works but requires command-line knowledge. if in doubt, contact Citizen Lab or Amnesty International's Security Lab directly.
Alternatively: iMazing has a free built-in spyware detector that uses the same methodology. easier for non-technical users. https://t.co/vygCts7Lte
Pegasus costs hundreds of thousands of dollars per target. it is not sprayed broadly. the targets are journalists, activists, lawyers, opposition politicians, dissidents, and people close to them.
if you're none of those: your risk is low but not zero. 50,000 numbers were on the leaked list. not all were journalists.
What reduces risk for everyone:
— update your phone immediately. always. Pegasus exploits unpatched vulnerabilities.
— enable Lockdown Mode on iPhone. Settings → Privacy & Security → Lockdown Mode. it disables iMessage features, FaceTime links, and other attack surfaces Pegasus uses. it will break some functionality. that's the point.
— restart your phone daily. some versions of Pegasus don't survive a reboot. not a cure. a friction point.
— disable iMessage and FaceTime if you don't use them. Settings → Messages → toggle off iMessage.
— if you suspect compromise: don't restore from backup. the backup may be infected. replace the device.
If you find it:
Contact Citizen Lab at the University of Toronto or Amnesty International's Security Lab. they have helped hundreds of victims. they are free. they are the best in the world at this.
https://t.co/J2Urr9m85C
https://t.co/EzDdDNP3fW
you are probably not a target.
but the people who were thought the same thing.
Not every urgent email deserves an immediate response.
Attackers rely on panic:
- "Your account will be suspended."
- "Payment failed."
- "Verify now."
Pause for 30 seconds. Verify first.
Think before you click.
Your fingerprints can be lifted from photos. Here's what to actually do about it.
1. Be mindful of hand photos. high-resolution photos of your fingertips at close range are the risk. a normal selfie or group photo is not. The concern is clear: close shots of your fingers, peace signs, hands holding items, and typing shots.
2. Don't rely on fingerprint authentication alone for high-stakes accounts. Use a strong PIN or password as your primary unlock method. fingerprint as convenience, not as your only lock.
3. Use a passkey or hardware security key for your most sensitive accounts. These cannot be spoofed from a photo.
4. For banking apps: enable a secondary PIN in addition to biometric. Most banking apps support this. Use it.
5. Know your threat model. For most people, a spoofed fingerprint attack requires physical access to your device afterward. The photo gets the print. The attacker still needs to be holding your phone. If you're not a high-value target, your risk is low.
If you are a high-value target:
Disable fingerprint authentication entirely on your most sensitive devices. Use a long alphanumeric PIN. Assume any high-resolution photo of your hands is a liability.
Your fingerprint is the one password you can never change.
treat it accordingly.
Scam Wednesday
QR codes aren't automatically safe.
Attackers can place malicious QR codes over legitimate ones.
Before entering credentials or payment details:
• Check the website address
• Verify the source
• Be cautious of QR codes in public places
A QR code is just a shortcut to a link.
Tuesday Security Tip
Hover before you click.
On desktops, place your cursor over a link to preview the real destination.
If the URL looks suspicious or unrelated, don't click.
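An added example, not code from the original post or from PhishCore, of the same hover check applied to an email body programmatically: it parses the HTML, and flags every link whose visible text is itself a URL on one host while the real href points to a different host. The email body and the example.* hostnames are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not a real message): the first link's visible
# text is a URL for one host while its real href points somewhere else.
SAMPLE_EMAIL = """
<p>Your payment failed. Update your card at
<a href="http://accounts-verify.example.net/login">https://www.bank.example.com/billing</a></p>
<p>Help centre: <a href="https://support.example.org/kb">https://support.example.org/kb</a></p>
<p><a href="http://login.example.net/x">Verify now</a></p>
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(s):
    """Lower-cased hostname of a URL, or of bare URL-like text; '' if none."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()

def find_deceptive_links(html):
    """Return (visible_text, href) for links whose visible text is itself a URL
    but whose real destination is on a different host. Links with plain text
    such as 'Verify now' cannot be judged this way and still need a hover."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if "." in text and " " not in text:          # visible text looks like a URL
            shown, real = host_of(text), host_of(href)
            if shown and shown != real:
                flagged.append((text, href))
    return flagged
```

Only the first link is reported; the third one ("Verify now") shows why the hover habit still matters for links whose text gives no host to compare.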
SIM swapping.
Your phone number receives your password reset codes. Your banking OTPs. Your two-factor authentication. Whoever controls your number controls your accounts.
Attackers collect your name, date of birth, and last four digits of your SSN. All available from data breaches for a few dollars on dark web markets.
Then they call your carrier pretending to be you.
Traditionally, this required a convincing human impersonation. In 2026, it doesn't.
AI voice cloning tools can replicate your voice from 3 seconds of audio. Your voicemail greeting, a social media video, or a podcast appearance is enough.
And with eSIM, there's no waiting for a physical card. The number transfers digitally. in under 5 minutes.
Your phone shows "no service."
The attacker's device is now you.
They reset your email. Your bank. Your crypto wallet. your iCloud. everything tied to that number.
One arrest last year: a 19-year-old Canadian. $13 million in Bitcoin.
How to protect yourself:
— Call your carrier and add a SIM lock or port freeze. It's free.
— switch from SMS-based 2FA to an authenticator app or a hardware key.
— Your phone number should not be the recovery method for your email or bank. ever.
There are various ways this can happen:
1. SIM swapping
Your phone number isn’t actually tied to your physical SIM card. It’s tied to your carrier account. Attackers call or chat with your carrier, impersonate you using info pulled from old data breaches or scraped off your social media, and talk support into porting your number to a SIM they control. From that point on, your calls and texts go to them, not you.
2. OTP/2FA interception
Most people still rely on SMS for two-factor authentication. Once an attacker owns your number, every “here’s your verification code” text lands in their inbox instead of yours. Bank account, email, crypto exchange, it doesn’t matter which. They hit “forgot password,” the OTP shows up on their phone, and they’re in.
3. Account takeover cascade
Email is usually the master key to everything else. Reset your email password using the hijacked number, and now they can reset passwords for anything tied to that inbox: banking, social media, cloud storage, work logins. One domino falls and the rest follow.
4. Social engineering amplifier
With your real number in hand, they can also pose as you to your contacts, texting friends or family asking for money, or calling your bank’s support line where caller ID is treated as a trust signal.
5. OSINT stacking
A phone number alone can unlock even more. Linked social profiles, leaked breach records, caller ID lookup apps, sometimes even a home address. Each new piece makes it easier to convince a human support agent they’re really talking to you.
Phone numbers were never built to be identity anchors. They were built to be public. The security industry just backed into using them that way anyway, and we’re all paying for it now.
Our pentester found a critical vulnerability in production last week.
No Burp. No Nmap. No recon.
How?
He asked the developer what the admin password was.
The developer told him.
ClickFix. Yes, hackers actually use fake CAPTCHAs to trick people into downloading malware or giving away secrets.
When malicious actors compromise a vulnerable website, they replace or overlay the real page with a fake security check that looks exactly like the familiar "I am not a robot" prompt.
Instead of keeping automated bots out, this fake page is designed to deceive human visitors.
Because people are highly trained to trust CAPTCHAs, they rarely suspect foul play and willingly follow the instructions on the screen.
The primary goal of this tactic is to bypass standard browser security warnings by making the user execute harmful commands.
For instance, the fake page might claim verification failed and instruct the user to press a specific keyboard shortcut, like Windows + R, paste an encoded line of text, and hit enter.
In reality, this sequence opens the computer's command prompt and runs a malicious script that installs ransomware or steals saved passwords.
By turning the victim into an unwitting accomplice, hackers can slip past antivirus defenses that usually block automatic downloads.
Hackers occasionally break into legitimate websites and replace part of the page with a fake CAPTCHA.
To visitors, nothing looks suspicious.
The website is real, the logo is real, and seeing a CAPTCHA feels completely normal.
Then comes the trick.
Instead of asking you to identify traffic lights or bicycles, the fake page tells you to press certain keys, copy a command, or download something to continue.
Many people follow the instructions because they trust the CAPTCHA.
But at that moment, they may unknowingly install malware or give attackers access to their computer.
The scary part is that no complicated hacking is happening.
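As an added detection-side example, not code from the original posts or from PhishCore: a Python rule over constructed process-creation events that catches the "press Windows + R, paste, hit enter" step described above, by looking for a script host whose parent is explorer.exe (the process that hosts the Run dialog) started with encoded, hidden or download-style arguments. The event field names, the SCRIPT_HOSTS set and the argument patterns are my assumptions, and every event is constructed.

```python
import re

# Constructed sample process-creation events (not real telemetry). The field
# names are a simplification of what Sysmon event ID 1 or an EDR exposes.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc QQBCAEMA"},         # placeholder base64
    {"parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe https://placeholder.invalid/verify"},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},  # admin script, benign
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe"},
    {"parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe"},  # shell opened by hand
]

# explorer.exe hosts the Win+R Run dialog, so the "press Win+R, paste, hit
# enter" step shows up as a script host whose parent is explorer.exe.
RUN_DIALOG_PARENT = "explorer.exe"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}
# Argument patterns typical of a pasted one-liner: encoded or hidden
# PowerShell, in-memory execution, or a remote URL (my selection, not exhaustive).
SUSPICIOUS_ARGS = re.compile(
    r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|\biex\b|invoke-expression"
    r"|downloadstring|https?://",
    re.IGNORECASE)

def score_event(ev):
    """Return the reasons an event matches the ClickFix pattern ([] = no match)."""
    if ev["parent"].lower() != RUN_DIALOG_PARENT or ev["image"].lower() not in SCRIPT_HOSTS:
        return []
    reasons = ["script host launched from the Run dialog parent"]
    reasons += ["suspicious argument: " + m.group(0)
                for m in SUSPICIOUS_ARGS.finditer(ev["cmdline"])]
    return reasons

def find_clickfix(events):
    """Return (index, reasons) for events with a script host AND at least one
    suspicious argument; a bare shell opened from Run is recorded but not alerted."""
    hits = []
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if len(reasons) > 1:
            hits.append((i, reasons))
    return hits
```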
Did you know some phishing pages self-destruct after stealing your credentials?
Here's how it works:
you click a link. land on a fake login page. enter your credentials. the page immediately redirects you to the real website. looks like a glitch. you log in normally. you forget it happened.
behind the scenes: your credentials were just sent to an attacker's server. the phishing page is now dead. the link returns a 404. the URL is gone. the attacker's infrastructure is already rotating to a new domain.
By the time IT investigates the suspicious email, there is nothing to find.
Some kits go further:
— single-use links that expire the moment credentials are submitted
— pages that only load for specific IP ranges, blocking security scanners entirely
— real-time credential relay that logs you into the real site simultaneously, intercepting your MFA code before it expires
— geofencing that shows the phishing page only to targets in a specific country and a 404 to everyone else
If you typed your password somewhere and something felt slightly off, it may already be over. 😐