Payoneer accounts in Argentina hacked in 2FA bypass attacks

Numerous Payoneer users in Argentina report waking up to find that their 2FA-protected accounts were hacked and funds stolen after receiving SMS OTP codes while they were sleeping.
Payoneer is a financial services platform providing online money transfer and digital payment services.
The users report that right before this happened, they received an SMS requesting approval of a password reset on Payoneer, which they didn't grant.
Local journalists have been interviewing victims and tracking the hacks and discovered that most affected users were customers of the mobile service providers Movistar and Tuenti, with the majority using Movistar.
This has raised suspicions that a recent Movistar data leak may be behind the account hacks, but the data leak did not expose users' email addresses, which are required to reset passwords on Payoneer accounts.
Another theory is that the SMS provider used to deliver OTP codes was breached, allowing the threat actors to access codes sent by Payoneer.
An official statement from Movistar shared by journalist Julio Ernesto Lopez does not address this theory, simply stating that the telecom provider is not responsible for messages sent through its network.
Payoneer has not provided specific answers about the attack yet but acknowledged the issue and mentioned it is working with authorities to address the fraud, which it believes is the result of phishing.
Tech reporter Juan Brodersen received a statement from Payoneer that puts the blame on the users, alleging that they clicked on the URLs in the SMS phishing texts and then entered their login details on phishing pages.
Many affected by the account hacks state that they did not click on phishing links, accusing Payoneer of attempting to deflect responsibility and failing to acknowledge a potential error or vulnerability within the platform.
Lopez told BleepingComputer that Payoneer requires a new SMS OTP code to be entered when you add a new destination address and then again when you wire money.
If this was a phishing attack stealing OTP codes for the password reset, the threat actors should not have had access to later OTP codes required for these transactions.
The hacks could have been enabled by a 2FA bypass bug, like the one we saw last year with Comcast, but in that case users in other countries would likely be affected by the attacks as well.
A significant weakness in Payoneer's system is its reliance on SMS-based 2FA, further compounded by the platform's password recovery process, which only requires an SMS code.
BleepingComputer has contacted Payoneer with a request for a comment on the above, the status of their investigation, and whether they plan to offer restitution in the case that a weakness in its system is discovered to be the source of the hacks, but we have not heard back yet.
Until the situation clears up on who's to blame and what exactly happened, Payoneer users in Argentina are advised to withdraw funds from their accounts or disable SMS-based 2FA and reset their account password.


This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 19 Jan 2024 20:30:31 +0000

