Safari Flaw Makes Fullscreen Phishing Attacks More Effective
Security researchers have discovered a flaw in Apple's Safari browser that makes fullscreen phishing scams easier to carry out, specifically through a browser-in-the-middle (BitM) method. This technique tricks users into entering sensitive login information on a fake website that appears to be legitimate. The attack usually starts with a user clicking a malicious link in an ad or a post, which loads a page controlled by the attacker. At first it may look harmless, but as soon as the user attempts to log in, the attacker activates a hidden fullscreen window that displays a nearly identical login page. Because the window takes over the screen and hides browser indicators such as the address bar, users often don't notice they are no longer interacting with the original website. What makes this particularly effective on Safari is the browser's lack of strong visual cues when switching to fullscreen mode. Unlike Chrome and Firefox, which display warnings or visual indicators, Safari only shows a subtle swipe animation that most users miss. This allows the attacker's fake window to blend in seamlessly and collect login credentials without raising suspicion. Even more concerning, this method doesn't trigger alerts from many security tools because it uses standard browser features rather than malware. The issue was reported to Apple, but the company responded that the existing animation is sufficient to inform users and that it does not plan to change how fullscreen transitions are handled. This has raised concerns in the cybersecurity community about the risks Safari users may face until stronger safeguards are implemented.
UPDATE: Phishing Scams Go Undetected Through Google Apps Script Abuse
Threat actors are increasingly misusing Google Apps Script, a legitimate development tool within Google Workspace, to host phishing pages that are more difficult to detect. These attacks often begin with emails that appear to be invoices or tax-related notices designed to pressure recipients into clicking a link. Once clicked, the victim is taken to a phishing page hosted on "script.google.com," a domain trusted by most security systems. Because the platform is part of Google's infrastructure, many email filters and antivirus tools don't block it. The phishing page mimics a legitimate login screen and encourages users to enter their credentials, which are then quietly sent to the attacker's server. To avoid suspicion, the victim is redirected to the actual service afterward, making the process appear legitimate. This tactic is especially dangerous because Google Apps Script allows public publishing of scripts, meaning anyone can create and share a web app under Google's domain. This gives attackers a reliable and flexible way to manage phishing pages and to adjust or switch content without sending out a new email. Many people don't realize they are being targeted because the attack relies on a platform that users already trust. Security researchers warn that this method is gaining popularity, especially among attackers looking for efficient ways to evade traditional detection. To combat this, experts recommend that organizations configure their email security to flag or block traffic to Google Apps Script URLs and educate users about the risks of clicking links, even when they appear to come from a familiar or trustworthy source. Google has yet to respond publicly with any new safeguards against this tactic.
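One way to implement the recommended mail-filter rule, as an added example that is not from the article or from any vendor product: extract the URLs from a message body and flag the ones whose hostname is exactly script.google.com (a published Apps Script web app lives under the /macros/s/ path), while also catching look-alike hostnames that merely contain the trusted name. The sample email body, the deployment id and the example domains are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Hostname the article names as trusted by filters and abused to host phishing pages.
APPS_SCRIPT_HOSTS = {"script.google.com"}
# Path prefix under which a published Apps Script web app is served.
WEB_APP_PREFIX = "/macros/s/"

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def classify_url(url: str) -> Optional[str]:
    """Return a verdict for URLs worth flagging, or None for ordinary links."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    # Exact hostname match, never a substring test: that is what keeps
    # "script.google.com.evil.example" from being treated as Google.
    if host in APPS_SCRIPT_HOSTS:
        if parsed.path.startswith(WEB_APP_PREFIX):
            return "apps-script-webapp"   # the hosting abuse described above
        return "apps-script-other"
    if "script.google.com" in host:
        return "lookalike-host"           # trusted name inside another domain
    return None


def scan_email_body(body: str) -> List[Tuple[str, str]]:
    """Return (url, verdict) pairs for every flagged URL in the body."""
    findings = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;")           # strip trailing punctuation from prose
        verdict = classify_url(url)
        if verdict:
            findings.append((url, verdict))
    return findings


# Constructed sample message: one benign link, one Apps Script web app,
# one look-alike host. EXAMPLE_DEPLOYMENT_ID is a placeholder, not a real id.
SAMPLE_EMAIL = """Your Q2 invoice is overdue. Review it at
https://script.google.com/macros/s/EXAMPLE_DEPLOYMENT_ID/exec today.
Alternate portal: https://script.google.com.invoice-portal.example/login
Our public site: https://www.example.com/invoices."""

if __name__ == "__main__":
    for url, verdict in scan_email_body(SAMPLE_EMAIL):
        print(f"{verdict:20} {url}")
```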
New Malware Hides from Detection by Skipping PE Header in Windows
A newly discovered malware variant uses a stealth technique that removes or corrupts the Portable Executable (PE) header, a key part of how Windows and security tools identify executable files. Without this header, antivirus software and heuristic scanners struggle to analyze or detect the file, making the malware difficult to catch. Instead of following the normal loading process, the malware loads its code directly into system memory using low-level Windows functions. It then injects itself into trusted processes like dllhost.exe, making it appear legitimate. Fortinet researchers have confirmed this method has already been used in the wild, with a Remote Access Trojan that went undetected for weeks using this tactic. By corrupting both the DOS and PE headers, the malware avoids triggering alarms and complicates analysis for security teams. This method represents a shift toward more advanced and evasive threats. The malware's behavior poses a serious risk to industries that depend on traditional detection tools. Recent reports have shown that sectors such as logistics, technology, and manufacturing are being targeted, especially in politically sensitive contexts involving critical infrastructure or foreign aid. Attackers are likely using these techniques in advanced persistent threats (APTs), which are designed to infiltrate high-value targets quietly and over long periods. Dynamic analysis tools struggle to keep up because the malware operates entirely in memory and lacks a standard file structure. Experts recommend shifting to behavior-based detection that monitors real-time activity, system memory, and process behavior. File-based scanning alone is no longer enough to defend against threats using headerless execution. Organizations that don't modernize their defenses will remain especially vulnerable as this tactic spreads.
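To show concretely why header-dependent scanning fails here and what a memory-oriented check looks at instead, the following added example (not from Fortinet's report or the article) validates the DOS and PE headers of a dumped region and, when they are absent, falls back to region properties such as executable protection and whether the memory is backed by an image file. The minimal PE image and the "headerless" copy of it are constructed in the block; the protection flags are passed in as assumptions rather than read from a live process.

```python
import struct
from typing import Dict, Optional

# Offsets from the PE format: e_lfanew lives at 0x3C in the DOS header and
# points at the "PE\0\0" signature; the Machine field follows the signature.
E_LFANEW_OFFSET = 0x3C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def build_min_pe(pe_offset: int = 0x80) -> bytes:
    """Constructed minimal image: MZ stub, e_lfanew, PE signature, Machine."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, pe_offset)
    buf[pe_offset:pe_offset + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, pe_offset + 4, IMAGE_FILE_MACHINE_AMD64)
    buf[0x180:0x184] = b"\x48\x83\xec\x28"   # stand-in for code bytes
    return bytes(buf)


# Same image with the first 0x100 bytes wiped: DOS and PE headers both gone.
HEADERLESS_REGION = bytes(0x100) + build_min_pe()[0x100:]


def inspect_headers(buf: bytes) -> Dict[str, Optional[int]]:
    """Report which headers a header-based scanner can still find."""
    result: Dict[str, Optional[int]] = {"dos": 0, "pe": 0, "machine": None}
    if len(buf) < E_LFANEW_OFFSET + 4 or buf[:2] != b"MZ":
        return result                      # no DOS header: parsing stops here
    result["dos"] = 1
    e_lfanew = struct.unpack_from("<I", buf, E_LFANEW_OFFSET)[0]
    if e_lfanew + 6 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return result                      # DOS header but no NT headers
    result["pe"] = 1
    result["machine"] = struct.unpack_from("<H", buf, e_lfanew + 4)[0]
    return result


def classify_region(buf: bytes, executable: bool, image_backed: bool) -> str:
    """Verdict for one memory region, using headers first, behaviour second."""
    if inspect_headers(buf)["pe"]:
        return "pe-image"          # file/signature tooling can parse this
    if executable and not image_backed:
        return "headerless-exec"   # private executable memory, no PE header
    return "unknown"
```

The second branch is the one that matters for this threat: it triggers on what the region is (executable, not mapped from a file) rather than on a header the malware has already destroyed.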