Tag: WhatsApp Fraud

  • AI Account Phishing: 20 Million Logins Stolen (And Rising)

    Telecom Security – Part 10 of 10 in the series.

    AI platforms have become essential work tools, handling everything from documents and analysis to code, prototypes, and sensitive conversations. Yet the accounts behind these platforms remain surprisingly unprotected. Attackers have already noticed. In the past two years, stolen credentials for ChatGPT and other AI services have appeared across dark-web markets in volumes nobody expected.

    Group-IB found over 225,000 compromised ChatGPT accounts traded between January and October 2023. Kaspersky reported a sharp rise in AI-service credential leaks in 2023, with about 664,000 OpenAI-related records exposed – a 33-fold increase in just one year.

    And by 2025, the scale became staggering, with reports claiming nearly 20 million OpenAI logins circulating on dark-web markets.

    These numbers confirm a simple truth. AI Account Phishing is already mainstream.

    Attackers are combining this stolen-credential pipeline with convincing phishing. They impersonate AI platforms, replicate login flows, clone branding, and deliver carefully crafted links across email, messaging apps, SMS, and even search ads. A 2024 campaign documented by Barracuda used fake OpenAI billing notifications with realistic domains, varied URL paths, and valid TLS certificates.

    The goal is simple. Get users to click a link and hand over their AI login or API key.

    AI Account Phishing Attempt

    How AI Account Phishing Works, and Why It’s Growing So Fast

    The attack always starts the same way, with a message claiming something urgent. Payment failed. API key unsafe. Access paused. A new model is waiting. Each lure prompts the user to click on a link that appears legitimate, often shortened or disguised behind redirects.

    The landing pages are nearly indistinguishable from real AI login portals. Domains differ by a character or use trusted-looking TLDs. Many pages have valid HTTPS and mimic the exact flow, design, and CSS of official platforms. Once credentials or API keys are entered, attackers harvest stored files, chat history, documents, and code fragments. They run expensive workloads or bundle the stolen account into a marketplace “log.”

    Three structural forces are accelerating this trend.

    • AI accounts now hold high-value data – prompts, documents, project context, and API keys.
    • Users trust the channels these platforms use – so fake alerts feel naturally credible.
    • Users do not treat AI accounts like mission-critical assets – many people access AI tools on personal devices, where infostealer malware spreads easily. Research shows families like LummaC2, Raccoon, and RedLine are a major source of leaked AI credentials.

    Phishing and malware feed each other. Malware steals existing accounts. Phishing steals fresh ones. Both circulate rapidly across dark-web markets.

    Stopping the Attack Before the Login Page Loads

    Most AI Account Phishing depends on one thing. A link.

    Whether delivered by email, chat, SMS, or a search ad, the attack requires the victim to click a URL. That URL is the earliest and most reliable point to break the attack.

    Modern detection focuses on how the domain behaves. Most phishing pages rely on newly registered lookalike domains, AI-themed TLDs, redirect chains hiding the final page, obfuscated parameters, shorteners like bit.ly or t.ly, or fast-rotating hosts with real TLS certificates.
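
    An added example, not part of the original article or of Fortress URL Scanner DB: a lexical pre-filter for three of the link signals named above (lookalike brand hosts, shorteners, and URLs hidden in parameters). The brand and shortener lists, the `assess` function and the sample URLs are assumptions constructed for illustration; domain age and live redirect behaviour need external data and are not covered.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Illustrative lists (assumptions, not taken from the article or any product).
OFFICIAL = {"openai.com", "chatgpt.com"}
BRANDS = ("openai", "chatgpt")
SHORTENERS = {"bit.ly", "t.ly"}
# Digit-for-letter swaps often used in lookalike hostnames: 0->o, 1->l, 3->e, 4->a, 5->s.
LEET = str.maketrans("01345", "oleas")


def edit_distance(a, b):
    """Levenshtein distance computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(url):
    """Return sorted lexical findings for one URL; performs no network access."""
    if not re.match(r"[a-z][a-z0-9+.-]*://", url, re.I):
        url = "http://" + url  # bare "host/path" strings as they appear in messages
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Naive registrable domain: last two labels (ignores suffixes such as co.uk).
    registrable = ".".join(labels[-2:])
    findings = set()
    if registrable in SHORTENERS:
        findings.add("shortener")
    if any(label.startswith("xn--") for label in labels):
        findings.add("punycode-label")
    if registrable not in OFFICIAL:
        for token in re.split(r"[-.]", host):
            norm = token.translate(LEET)
            for brand in BRANDS:
                if token == brand:
                    findings.add("brand-keyword:" + brand)
                elif norm == brand or edit_distance(norm, brand) == 1:
                    findings.add("lookalike:" + brand)
    # A full URL carried inside a parameter usually means a redirect hop.
    for _, value in parse_qsl(parts.query):
        if re.match(r"https?://", value, re.I):
            findings.add("nested-url-param")
    return sorted(findings)


# Constructed sample URLs (reserved .example names, plus one official host and one shortener).
SAMPLES = [
    "https://chatgpt.com/auth/login",
    "https://0penai-billing.example/pay?next=https%3A%2F%2Fcollect.example%2Fl",
    "https://openai.com.account-verify.example/",
    "bit.ly/abc123",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", assess(sample) or "no lexical findings")
```

    Lexical findings like these are cheap enough to run on every link, which makes them a triage step ahead of reputation lookups and redirect expansion rather than a verdict on their own.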

    This is where Fortress URL Scanner DB comes in.

    Built for high-volume, real-time link inspection, it analyzes domains, redirects, and obfuscated URLs to identify dangerous behavior associated with AI Account Phishing. It catches lookalike AI login pages, domains impersonating AI brands, and malicious hosting patterns that change rapidly. It works across messaging channels, notifications, internal systems, and automated workflows.

    Fortress URL Scanner DB also maintains a continuously updated risk model for AI-related threat patterns, including:

    • domains containing brand-adjacent keywords
    • redirect behavior typical of AI-phishing kits
    • short-lived hosting and rapid domain churn
    • cross-channel delivery patterns common in AI-account lures

     

    The aim is clear: stop the attack before users ever land on a fake login screen, even when the phishing infrastructure is brand new, short-lived, or built to look legitimate.

    AI Account Phishing iPhone Message

    How to Protect against AI Account Phishing

    A few practical habits make a significant difference.

    • Never log in through links in emails, messages, or ads.
    • Always check the exact domain in the address bar.
    • Treat AI accounts like any SaaS platform that stores sensitive data.
    • Rotate API keys regularly and avoid using the same key for multiple projects.
    • Store minimal sensitive data in chat history or uploads.
    • Block suspicious links before they reach users.
    • Use systems that detect brand impersonation domains and aggressive redirect behavior.

    And if checking every link feels exhausting, Fortress URL Scanner DB is happy to lose sleep so you don’t have to.

    Conclusion

    AI platforms have quietly become part of everyday professional workflows. That makes their accounts part of the modern security perimeter. Attackers target these accounts because they expose data, cost money, and unlock valuable API capabilities. Since almost every attack begins with a link, the most effective defense is stopping that link before the page loads.
    Fortress URL Scanner DB intercepts these threats at their earliest point, helping neutralize AI Account Phishing before credentials or API keys can be taken.

    Want to protect your subscribers from link-based fraud across every channel?
    See how Fortress URL Scanner stops phishing links before the user even sees them!

  • TikTok Phishing Is Exploding Online

    Telecom Security – Part 9 of 10 in the series.

    TikTok is the place where trends start, creators rise, and short videos become global movements in minutes. It is also a place where phishing attackers now operate at full speed. More than 1.6 billion people use TikTok every month, which makes it an irresistible target for fraud operations that rely on one thing above all else.
    A link.

    TikTok phishing can show up as a fake brand offer, a “you won” message, a misleading ad, or a comment on a viral video, but the structure is always similar. Build curiosity or trust, send a link, redirect the user away from TikTok, and steal something of value.

    The FTC reports more than $2.7 billion in social media fraud losses in just the past three years. UK consumer group Which? has repeatedly warned about TikTok-based impersonation scams.
    Security companies like ESET and Norton confirm that more than 70 percent of these attacks include a URL, often shortened or hidden.

    The content changes. The hook changes. The personalities change.
    The URL is the constant.

    Humans Can’t Moderate TikTok Phishing

    TikTok moves faster than any other platform. Trends rise and collapse in hours. Comment sections explode within minutes. A malicious link can appear, go viral, and disappear before a human moderator even opens the dashboard.

    Shortened links hide the true destination. Redirect chains hide the landing page. Cloaking hides malicious behavior and shows reviewers a “clean” version of the site. TikTok can remove accounts, but in most cases, the removal happens after users report the scam, not before.

    This is the core problem. The platform sees the link only at the surface level.
    Everything harmful happens behind it.

    TikTok fake profile

    How TikTok Phishing Works, and Why the Link Is the Real Weapon

    TikTok phishing attacks are diverse, but they all rely on the same playbook.
    Build trust, then redirect the victim off the platform.

    Fake Brand Collaboration
    Creators receive a message from someone claiming to represent a well-known brand. The offer looks real, the brief sounds convincing, and the link looks harmless because it is shortened. The final page is a cloned login screen that captures credentials.

    Giveaway Impersonations
    Users are told they won a reward, a prize, or a brand bundle. The link leads to a fake verification form that requests personal or payment details. Which? has flagged these scams multiple times.

    Fake TikTok Ads
    Scammers pay for legitimate-looking ads. The landing page promotes a crypto opportunity or financial app. CNBC reports that these ad-based scams are growing, especially among younger users.

    Viral Trend Hijacks
    Malicious links are inserted into comment threads under high-traffic videos. Many follow three to seven redirects before revealing the real destination. Some activate only on mobile devices to evade review systems.

    Across all scenarios, TikTok is not the problem. The link is.

    Why TikTok Cannot See Link Risk Without Help

    A platform can detect fake accounts, keyword abuse, or suspicious activity patterns.
    It cannot detect what is behind a link unless it follows and analyzes it.

    Shortened URLs
    Bit.ly, tinyurl, t.co, and similar services make phishing links appear safe. Norton highlights how common this tactic is.

    Redirect Chains
    Attackers route users through several domains before showing the real phishing page. Moderation tools typically see only the first hop.

    Cloaking Tactics
    Fraudsters show harmless content to moderation systems, but malicious content to real users. Device-based switching is now standard in phishing kits.

    Dynamic Changes
    A link can behave differently by time, region, or device. A domain that looks safe for reviewers may turn malicious later.

    No human team can keep up with this level of deception.
    The solution is visibility, and visibility requires the right technology.
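
    An added example, not from the original post or from any vendor's product: expanding one link hop by hop under two client profiles and comparing where each lands, which exposes both the redirect chain and device-based cloaking described above. The `fetch` callable, the User-Agent strings and every `.example` URL are constructed stand-ins; a real fetcher would issue requests with automatic redirect following disabled, and JavaScript or meta-refresh redirects are outside this sketch.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def follow(url, fetch, user_agent, max_hops=10):
    """Follow redirects one hop at a time.

    fetch(url, user_agent) must return (status, location_header_or_None)
    WITHOUT following redirects itself. Returns (chain, outcome).
    """
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1], user_agent)
        if status not in REDIRECT_CODES or not location:
            return chain, "final"
        nxt = urljoin(chain[-1], location)  # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "hop-limit"


def compare_profiles(url, fetch, profiles):
    """Expand the same link under several client profiles and compare results."""
    runs = {name: follow(url, fetch, ua) for name, ua in profiles.items()}
    final_host = {n: urlsplit(chain[-1]).hostname for n, (chain, _) in runs.items()}
    return {
        "hops": {n: len(chain) - 1 for n, (chain, _) in runs.items()},
        "outcome": {n: outcome for n, (_, outcome) in runs.items()},
        "final_host": final_host,
        # Different landing hosts for the same link suggest device-based cloaking.
        "cloaking_suspected": len(set(final_host.values())) > 1,
    }


# Constructed stand-in for an HTTP client: a chain that only shows the
# credential form to mobile browsers, built from reserved .example names.
def fake_fetch(url, user_agent):
    if "Mobile" in user_agent:
        landing = "https://prize-verify.example/form"
    else:
        landing = "https://news.example/"
    table = {
        "https://short.example/a1": (302, "https://hop1.example/r?id=7"),
        "https://hop1.example/r?id=7": (301, "/go"),
        "https://hop1.example/go": (302, landing),
    }
    return table.get(url, (200, None))


PROFILES = {  # abbreviated, constructed User-Agent strings
    "desktop": "Mozilla/5.0 (X11; Linux x86_64)",
    "mobile": "Mozilla/5.0 (iPhone) Mobile Safari",
}

if __name__ == "__main__":
    print(compare_profiles("https://short.example/a1", fake_fetch, PROFILES))
```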

    Fake TikTok Scam

    The Solution: Fortress URL Scanner DB

    Fortress URL Scanner DB gives platforms, security teams, and digital ecosystems the missing visibility they need. It turns every suspicious link into a fully analyzed, risk-scored object that a platform can act on instantly.

    Full Redirect Discovery
    Fortress expands every shortened link and follows every hop, even deep redirect chains. Platforms see the same final page the victim would see.

    Behavioral and Reputation Scoring
    Fortress evaluates domain age, DNS patterns, hosting infrastructure, global threat intelligence, and historical behavior. This creates a precise risk profile for every URL.

    Cloaking and Obfuscation Detection
    Fortress identifies encoded redirects, hidden elements, and conditional page behavior. This is the layer that stops scammers who try to fool review systems.

    Continuous Updating
    Phishing links evolve quickly. Fortress updates each profile as behavior changes. It uses intelligent analysis, automation, and selective AI components to scan at scale without slowing down user experiences.

    Easy Integration With Any Platform
    Fortress URL Scanner DB acts as a standalone product, and can be added to any platform!

    The result is simple. Platforms no longer operate blindly.
    They see the real destination, the real behavior, and the real risk behind every link.

    TikTok Phishing Can Be Stopped With Link Intelligence

    TikTok phishing is not slowing down. It is accelerating because attackers know that most platforms cannot see what happens behind a link. Manual moderation cannot keep pace with cloaking, redirect chains, and fast-changing landing pages.

    Fortress URL Scanner DB gives platforms the missing visibility they need. It reveals every redirect, scores every URL, detects hidden behavior, and stops malicious links before users click them. Any environment that handles user-generated links needs this level of protection.

    TikTok will continue to grow. Phishing will continue to follow. The only reliable defense is the ability to see the link for what it really is.

  • RCS Fraud: Richer Messaging, Richer Scams

    Telecom Security – Part 8 of 10 in the series.


     

    RCS was meant to be the next big leap in mobile messaging. With verified business accounts, interactive buttons, and rich media, it promised to replace plain text with true digital conversation. That promise is becoming real: RCS monthly active users passed 1.2 billion in 2024, up over 550 percent year-on-year.

    But this evolution has a cost – RCS Fraud.

    According to Juniper Research, RCS Business Messaging fraud is projected to cost mobile subscribers $4.3 billion globally within five years. As adoption spreads, so does the surface area for abuse. Telcos that treat RCS as “just a modern SMS” risk facing the same fraud problems, amplified by richer content and deeper trust.

    The hidden cost of “trusted” rich messaging

    What makes RCS appealing to brands also makes it powerful for fraudsters. The format allows verified business profiles, company logos, and embedded buttons. Users naturally trust those cues. In tests, messages carrying fake brand logos were clicked up to three times more often than classic SMS scams.

    RCS Fraud looks scarily good.

    Fraud actors now exploit this built-in credibility. A fake courier notification with a brand image and “Track Your Parcel” button can trigger instant engagement.
    When messaging looks official, users hesitate less and lose more.

    Example of RCS Chat with a Hotel Vendor

    How fraudsters exploit the new channel

    RCS Fraud is growing in sophistication, offering more vectors for deception:

    • Impersonation attacks.
      Criminals hijack or mimic verified business handles.

    • Malicious interactive content.
      Buttons, QR codes, or carousels redirect to credential-harvesting sites.

    • Bait-and-switch campaigns.
      Legitimate-looking notifications morph into payment requests or refund traps.

    • Cross-platform blending.
      Attackers link SMS, WhatsApp, and RCS in one sequence to appear continuous.

     

    A 2025 GLF report found that 35 percent of operators experienced higher messaging-fraud activity despite new filtering tools, a sign that detection frameworks built for the SMS era can’t read the new playbook.

    Why do legacy firewalls fall short?

    Most operator defenses were designed for simple text. Traditional firewalls rely on pattern rules, keyword filters, or blacklists. RCS Fraud, on the other hand, can hide behind structured metadata, branded assets, and conversational logic that don’t fit those patterns.

    RCS traffic travels through OTT environments where operators can’t fully inspect payloads. The result is that fraudulent messages can appear compliant while hiding behavioral anomalies invisible to static rule engines.

    To protect against RCS Fraud, operators need more than new rules – they need systems that can truly understand message behavior and context.

    The Fortress approach: Intelligent pattern recognition at scale

    Fortress Advanced Messaging Firewall was built for this new generation of threats. It continuously analyzes vast messaging flows, building detailed profiles of senders, routes, timing, and content structure to understand what “normal” traffic looks like.

    Each new message is evaluated in real time against this learned context. The firewall detects subtle irregularities—unusual sending bursts, timing mismatches, inconsistent templates, or suspicious delivery paths—that often precede fraud.

    Its classification engine blends advanced heuristics with AI-assisted pattern detection, refining itself through continuous network feedback. This data-driven intelligence allows the firewall to assess risk dynamically and block or quarantine questionable RCS sessions in under 50 milliseconds, even at carrier throughput.

    It’s not about scanning for known bad links; it’s about recognizing when something doesn’t belong.

    Securing the next chapter of messaging

    RCS is redefining how enterprises reach customers, but its credibility can also be its weakness. The same trust signals that power engagement can amplify deception if left unguarded.

    Operators who embed intelligent, data-rich firewalls today will be the ones who secure both revenue and reputation tomorrow. Fortress Firewall provides that foundation, a protection layer that reads patterns, learns behavior, and stops threats before they spread.

    “The networks that learn fastest will be the ones users trust longest.”

  • WhatsApp Fraud – Can Telecoms Help?

    Telecom Security – Part of 10 in the series.


     

    In 2025, WhatsApp isn’t just where we talk – it’s where we trust.
    Friends, banks, deliveries, even government alerts – they all live in one chat feed.
    And that’s exactly why scammers love WhatsApp Fraud.

    WhatsApp removed 6.8 million accounts tied to scam operations in just the first half of 2025.
    That shows the scale of WhatsApp Fraud, but also the limitation: banning accounts doesn’t stop the real weapon of modern fraudsters, the link.

    End-to-end encryption keeps messages private, not safe.
    Fraudsters now exploit that privacy to send perfectly crafted phishing links that steal credentials, OTPs, and payment data.
    The moment you click, the crime begins.

    ⚠️ Anatomy of a WhatsApp Fraud

    Here’s how a typical attack unfolds:

    1️⃣ A new chat appears – someone posing as a bank, courier, or even a friend.

    “Hi, this is DHL Support. Please verify your delivery details: [bit.ly/DHL-Confirm].”

    2️⃣ The message looks legitimate – logo, tone, and urgency all seem right.
    3️⃣ The victim clicks the link, believing it’s official.
    4️⃣ The link silently redirects through several domains, landing on a fake banking or payment site.
    5️⃣ The user enters login credentials, card details, or an OTP.
    6️⃣ Within minutes, attackers use that data to steal money, hijack accounts, or even take over the victim’s WhatsApp itself.

    Cyber-safety experts warn that common WhatsApp scams rely on links or attachments requesting money, personal data, or verification – all red flags that still trick millions of users each year.

    The entire process takes less than a minute.
    No malware. No exploit. Just trust – weaponized.

    WhatsApp account termination in the European Union in 2024, by violation

    🧱 Why Traditional Defenses Fail

    Here’s the hard truth: no one is inspecting those links in time.

    • WhatsApp’s end-to-end encryption prevents operators or regulators from seeing message content.

    • Device antivirus tools rarely analyze shortened or dynamic URLs.

    • Most users assume WhatsApp = safe.

    • And by the time banks detect suspicious activity, the money’s already gone.

    Meanwhile, according to the Communications Fraud Control Association (CFCA), the telecom industry lost US $38.95 billion to fraud in 2023, up 12% from 2021.
    The threat is no longer theoretical — it’s a global, growing financial drain.

    So if WhatsApp fraud happens after the click… where can protection even exist?

    Example of a WhatsApp Fraud – Gold WhatsApp Scam

    🛡️ Fortress Steps In – At the Click

    You can’t scan the message, but you can stop the click.

    When a user taps a link – in WhatsApp, Telegram, or SMS – the phone still needs to connect through the operator’s network.
    Before the browser loads any page, it performs DNS lookups, IP requests, and TLS handshakes.
    That’s where Fortress URL Scanner silently intervenes.

    How It Works:

    1. The user taps a link inside WhatsApp.

    2. The device requests that web address through the mobile network.

    3. Fortress intercepts and scans the URL at the telecom layer.

    4. It unshortens every redirect, checks domain reputation, and applies ML-based pattern detection.

    5. If malicious, Fortress blocks the request or redirects to a safe warning page:

      “⚠️ Suspicious link detected – this site may be trying to steal your information.”

    6. If safe, the browser loads instantly – no delay, no visible change.

    This protection is app-agnostic and privacy-safe.
    Fortress doesn’t see inside the message – it protects what happens after the tap.
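
    An added sketch, not Fortress's implementation and not from the original post: steps 2 to 5 above reduced to a signal the network can read before the page loads, the hostname in the device's DNS query. `build_query`, `parse_qname`, `verdict` and the blocklist entry are hypothetical names and constructed data; the path and query string of an HTTPS URL are not visible at this layer, so the decision here is per hostname.

```python
import struct


def build_query(name, txid=0x1234):
    """Build a minimal DNS A query; used only to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(packet):
    """Return the lower-cased name from the first question of a DNS query."""
    if len(packet) < 12:
        raise ValueError("shorter than a DNS header")
    flags, qdcount = struct.unpack("!HH", packet[2:6])
    if flags & 0x8000 or qdcount < 1:
        raise ValueError("not a query with a question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:  # compression pointer or reserved label type
            raise ValueError("unexpected label type")
        label = packet[pos:pos + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii").lower())
        pos += length
    return ".".join(labels)


def verdict(name, blocked_domains):
    """Block a name if it equals, or is a subdomain of, a blocked domain."""
    name = name.rstrip(".")
    for domain in blocked_domains:
        # Match on a label boundary so "notbad.example" never matches "bad.example".
        if name == domain or name.endswith("." + domain):
            return "block"
    return "allow"


# Constructed blocklist entry (reserved .example name) standing in for scanner output.
BLOCKED = {"delivery-confirm.example"}

if __name__ == "__main__":
    for host in ("Track.Delivery-Confirm.example", "notdelivery-confirm.example"):
        name = parse_qname(build_query(host))
        print(name, "->", verdict(name, BLOCKED))
```

    A device using encrypted DNS (DoH or DoT) does not send this query in cleartext, so a network-layer deployment also needs another signal, such as the TLS handshake the article mentions.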

    🌐 Operators, Wake Up!

    Telcos already own the infrastructure that every click passes through.
    With Fortress, that control becomes protection.

    ✅ Stop fraud before it reaches the endpoint
    ✅ Preserve customer trust in your brand
    ✅ Offer “Link-Protection-as-a-Service” to enterprise clients
    ✅ Turn network security into new recurring revenue

    In a messaging world that’s encrypted and decentralized, operators are the last mile of trust – the only ones who can protect users beyond the message itself.

    “Users may trust WhatsApp – but they pay you.
    That’s why security must start with the operator.”
    (Ohad Kamer, CMO & Co-Founder of Atrinet)

    🔒 Security Beyond the Message

    Phishing no longer lives in SMS alone.
    Links are everywhere – WhatsApp, Telegram, RCS, even email.

    By implementing URL scanning at the network layer, Fortress turns every click into a checkpoint – a place where WhatsApp fraud can be stopped silently, instantly, and privately.

    You don’t need to see the chat to protect the user.
    You just need to see the connection.
