The Phishing-as-a-Service kit Sneaky 2FA was found to use Browser-in-the-browser attacks to steal login credentials.

Attackers have a new trick to steal your username and password: fake browser pop-ups that look exactly like real sign-in windows. These “Browser-in-the-Browser” attacks can fool almost anyone, but a password manager and a few simple habits can keep you safe.

Phishing attacks continue to evolve, and one of the more deceptive tricks in the attacker’s arsenal today is the Browser-in-the-Browser (BitB) attack. At its core, BitB is a social engineering technique that makes users believe they’re interacting with a genuine browser pop-up login window when, in reality, they’re dealing with a convincing fake built right into a web page.

Researchers recently found a Phishing-as-a-Service (PhaaS) kit known as “Sneaky 2FA” that’s making these capabilities available on the criminal marketplace. Customers reportedly receive a licensed, obfuscated version of the source code and can deploy it however they like.

Attackers use this kit to create a fake browser window using HTML and CSS. It’s very deceptive because it includes a perfectly rendered address bar showing the legitimate website’s URL. From a user’s perspective, everything looks normal: the window design, the website address, even the login form. But it’s a carefully crafted illusion designed to steal your username and password the moment you start typing.

Normally we tell people to check whether the URL in the address bar matches your expectations, but in this case that won’t help. The fake URL bar can fool the human eye, it can’t fool a well-designed password manager. Password managers are built to recognize only the legitimate browser login forms, not HTML fakes masquerading as browser windows. This is why using a password manager consistently matters. It not only encourages strong, unique passwords but also helps spot inconsistencies by refusing to autofill on suspicious forms.

Sneaky 2FA uses various tricks to avoid detection and analysis. For example, by preventing security tools from accessing the phishing pages: the phishers redirect unwanted visitors to harmless sites and show the BitB page only to high-value targets. For those targets the pop-up window adapts to match each visitor’s operating system and browser.

The domains the campaigns use are also short-lived. Attackers “burn and replace” them to stay ahead of blocklists. Which makes it hard to block these campaigns based on domain names.

**So, what can we do?**

In the arms race against phishing schemes, pairing a password manager with multi-factor authentication (MFA) offers the best protection.

As always, you’re the first line of defense. Don’t click on links in unsolicited messages of any type before verifying and confirming they were sent by someone you trust. Staying informed is important as well, because you know what to expect and what to look for.

And remember: it’s not just about trusting what you see on the screen. Layered security stops attackers before they can get anywhere.

Another effective security layer to defend against BitB attacks is Malwarebytes’ free browser extension, Browser Guard, which detects and blocks these attacks heuristically.

**We don’t just report on threats—we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.

 Attackers are using “Sneaky 2FA” to create fake sign-in windows that look real 

Orem, United States, November 18th, 2025, CyberNewsWire SecurityMetrics, a leading innovator in compliance and cybersecurity, today announced that…

Orem, United States, November 18th, 2025, CyberNewsWire

SecurityMetrics, a leading innovator in compliance and cybersecurity, today announced that its Shopping Cart Inspect (SCI) solutions has been selected as winner of the **“Data Leak Detection Solution of the Year”** award in the 9th annual CyberSecurity Breakthrough Awards program. Conducted by CyberSecurity Breakthrough, an independent market intelligence organization, the annual program recognizes the most innovative companies, products, and technologies driving progress in the global information security industry.

SCI reduces the chances of an e-commerce skimming attack through the inspection of a website’s shopping cart by a SecurityMetrics Forensic Investigator. The process involves the use of **patented WIM Technology** to determine if a website has fallen victim to JavaScript payment skimming. WIM technology can detect web skimming at the moment it is triggered and will alert a merchant if a webpage has been compromised, through tools like Shopping Cart Inspect and Shopping Cart Monitor.

Using Inspect, SecurityMetrics Forensic Analysts review the rendered webpage code in a shopping cart URL to collect evidence of a skimming attack. Inspect is non-intrusive and website reviews are conducted without business interruption or merchant installation/intervention.

Following the inspection, SecurityMetrics Forensic Analysts create a **risk report** illustrating a risk rating and include a list of vulnerabilities, ranking them from medium to high-risk based on the CVSS scale. The reports include a description of malicious JavaScript, identification of suspicious URLs on the website, a list of third-party domains participating in the e-commerce experience, and remediation recommendations. 24/7 technical support is also available to help with remediation.

> “We understand how important it is to keep a business running as usual, so we designed SCI to discover website skimming attacks while still allowing business to continue uninterrupted. Our solution has been purpose-built to strengthen merchants, and our Forensic Analysts are at the forefront of emerging cyber threats,” said Brad Caldwell, CEO of SecurityMetrics. “Our e-commerce investigations conducted by our expert Forensics Investigators will continue to identify trends that we will meet head-on with solutions that prioritize security technology for our valued global customer base.”

The 2025 awards program received thousands of nominations from more than 20 countries around the world, representing everything from disruptive startups to established global enterprises. This year’s winners embody the cutting edge of cybersecurity technology, delivering next-generation protection and resilience in today’s increasingly complex threat landscape.

> “SecurityMetrics knows that keeping your website up and running is vital to your business,” said Steve Johansson, managing director, CyberSecurity Breakthrough. “SCI from SecurityMetrics helps businesses tackle vulnerabilities confidently and gives them the tools and support they need to identify malicious scripts, protect their business, and ensure customer trust. That makes SCI our choice for 2025’s ‘Data Leak Detection Solution of the Year!’”

**About SecurityMetrics**

SecurityMetrics secures peace of mind for organizations that handle sensitive data. They have tested over 100 million systems for data security and compliance. Industry standards don’t keep up with the threat landscape, which is why SecurityMetrics hold their tools, training, and support to a higher, more thorough standard of performance and service. Never have a false sense of security.

**About CyberSecurity Breakthrough**

Part of Tech Breakthrough, a leading market intelligence and recognition platform for global technology innovation and leadership, the CyberSecurity Breakthrough Awards program is devoted to honoring excellence in information security and cybersecurity technology companies, products and people. The CyberSecurity Breakthrough Awards provide a platform for public recognition around the achievements of breakthrough information security companies and products in categories including Cloud Security, Threat Detection, Risk Management, Fraud Prevention, Mobile Security, Web and Email Security, UTM, Firewall and more. For more information, users can visit CyberSecurityBreakthrough.com.

Tech Breakthrough LLC does not endorse any vendor, product or service depicted in our recognition programs, and does not advise technology users to select only those vendors with award designations. Tech Breakthrough LLC recognition consists of the opinions of the Tech Breakthrough LLC organization and should not be construed as statements of fact. Tech Breakthrough LLC disclaims all warranties, expressed or implied, with respect to this recognition program, including any warranties of merchantability or fitness for a particular purpose.

**Contact**

Corporate Communications Manager

Landry French

SecurityMetrics

landry.french@securitymetrics.com

+1 801-995-6431

SecurityMetrics Wins “Data Leak Detection Solution of the Year” in 2025 CyberSecurity Breakthrough Awards Program

Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. These vulnerabilities affect all applications using Causeway's ViewModel functionality and can be exploited by authenticated attackers to execute arbitrary code with application privileges. 

This issue affects all current versions.

Users are recommended to upgrade to version 3.5.0, which fixes the issue.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-wq4c-57mh-5f7g: Apache Causeway vulnerable to deserialization in Java

ANY.RUN shows how early clarity, automation and shared data help SOC teams cut delays and speed up response during heavy alert loads.

_Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings._

What slows your Security Operations Center (SOC) down when a critical alert hits? For many teams, it’s not the alert itself but the time lost searching for clarity, switching between tools, and trying to confirm what’s real and what’s noise.

Leading SOCs have already started adopting specific strategies that help them cut this delay, shorten response time, and keep control even during heavy alert loads. Let’s discover what these strategies are and how you can bring them into your workflow.

****Why Response Time Slows Down****

Most delays inside a SOC come from one simple problem: analysts don’t get the right information fast enough. When an alert arrives without context, the team has to dig for answers; check logs, compare sources, wait for results from separate tools. Minutes disappear before anyone can say whether the threat is serious or not.

This gap creates three predictable issues:

*   **Uncertain prioritisation:** Teams waste time on alerts that don’t matter.

*   **Slow confirmation:** Analysts spend too long verifying what the threat is actually doing.

*   **Longer MTTR:** The whole response chain stretches because early steps take too much time.

This is exactly where high-performing SOCs have changed their approach: they focus on cutting the “uncertainty window” at the very beginning of the process.

****Strategy 1: Get Clarity Early to Avoid Wasting Time****

One pattern stands out across fast, well-organised SOCs: they reduce uncertainty at the very beginning of an alert. Instead of waiting for scattered tools to catch up, many teams now rely on interactive sandboxes like ANY.RUN to see what the threat is actually doing within moments.

For most samples, analysts receive a clear verdict in about 60 seconds, and in many cases, the full attack chain becomes visible almost instantly. This cuts down the usual back-and-forth, removes guesswork, and lets the team decide on the next steps without delay.

Fake Google Careers page exposed inside ANY.RUN sandbox in 60 seconds

When clarity arrives this quickly, response time drops sharply, and the entire workflow moves with far more confidence and control.

****Strategy 2: Automate Early Steps to Speed Up Your Response Cycle****

A surprising amount of lost time inside a SOC comes from actions that don’t require analyst expertise at all; opening lures, clicking through fake pages, solving CAPTCHAs, following redirects, or coaxing a threat to finally reveal itself. These tiny steps slow down the very beginning of the response cycle, making it harder for teams to react quickly when it matters most.

Leading SOCs avoid this slowdown by automating the early phase of alert validation. ANY.RUN’s automated interactivity blends automation with human-like actions: it can follow QR-code chains, interact with fake login pages, trigger multi-stage loaders, and bypass common barriers that usually require manual effort. All of this happens automatically, within seconds.

CAPTCHA challenge automatically solved inside ANY.RUN sandbox

As a result, teams report up to a 20% decrease in Tier 1 workload and fewer unnecessary Tier 1-to-Tier 2 escalations, because routine checks no longer require human time. Analysts get to the important part of the investigation faster, and the whole response cycle moves noticeably quicker.

****Strategy 3: Strengthen Collaboration So Your Response Doesn’t Stall****

A SOC can move quickly only if everyone involved sees the same picture and works from the same information. When data is scattered, screenshots in chats, logs in tickets, partial notes in emails, the response slows down simply because teams spend too much time syncing.

Leading SOCs avoid this by giving analysts, engineers, and incident responders a shared workspace with consistent, ready-to-use data. ANY.RUN makes this simple: every analysis generates a structured report with timelines, IOCs, network details, and behavioural highlights, all in a format that can be shared instantly across teams and tools.

Well-structured report with relevant IOCs, TTPs and other important information

This removes the usual communication lag, cuts back on repeated checks, and ensures that everyone involved can act immediately without waiting for clarification. The result is faster coordination, cleaner handoffs, and a response process that keeps moving instead of stopping to gather missing details.

****Achieve the Response Speed Your SOC Needs****

As you can see, reaching ultra-fast response time is absolutely possible when teams combine the right strategies with solutions designed to remove delays from the very start of an alert. SOCs using ANY.RUN’s sandbox has already proven this through measurable, real-world results from our latest survey:

*   **Up to 21 minutes reduced MTTR** per incident
*   **95% of SOC teams speed up threat investigations**
*   **94% of users report faster triage**
*   **3× SOC efficiency boost**
*   **24× more unique IOCs** to power downstream detection
*   **Fewer false positives** and more accurate prioritisation

If you want to see how much faster your team can operate with the same advantages, there’s only one way to know: Try ANY.RUN and measure the difference yourself.

****Free Webinar: SOC Leader’s Playbook – 3 Steps to Faster MTTR****

For readers who want a deeper look at practical ways to speed up incident response, ANY.RUN is hosting a one-hour session titled “SOC Leader’s Playbook: 3 Steps to Faster MTTR.” It will take place on 25 November 2025 at 16:00 CET.

During the webinar, experts will cover how leading SOCs:

*   Cut MTTR by 21 minutes per incident
*   Detect new attacks earlier with intelligence from 15,000 organisations
*   Achieve a 3× performance boost by reducing false positives

Save your seat now to get a clear, structured playbook for speeding up detection and response.

How to Achieve Ultra-Fast Response Time in Your SOC

Schools in the US are installing vape-detection tech in bathrooms to thwart student nicotine and cannabis use. A new investigation reveals the impact of using spying to solve a problem.

Vaping Is ‘Everywhere’ in Schools—Sparking a Bathroom Surveillance Boom

Singapore, Singapore, 19th November 2025, CyberNewsWire

**Singapore, Singapore, November 19th, 2025, CyberNewsWire**

The collaboration advances enterprise grade application security into decentralized ecosystems, uniting Checkmarx’s AppSec expertise with Web3 specialization by CredShields.

CredShields, a leading Web3 security firm, has partnered with Checkmarx, the global leader in agentic AI-powered application security testing, to work with AI-driven smart contract audits, vulnerability research, and blockchain security tooling from CredShields to work alongside the Checkmarx application security platform.

As the application security market accelerates toward an expected US $55 billion by 2029, decentralized architectures introduce new attack surfaces that traditional AppSec programs are not designed to address. Nearly half of the largest DeFi breaches trace back to smart contract flaws, and in 2025 to date, losses from cryptocurrency service hacks already surpass US $2.1 billion and are projected to climb further. Research further indicates that up to 89% of smart contracts contain vulnerabilities, highlighting the need for Web3-native security standards alongside legacy security frameworks.

Through this agreement, Checkmarx is adding CredShields as a Web3 security partner to provide customers with dedicated support for decentralized environments. The collaboration combines Checkmarx’s enterprise AppSec leadership with deep expertise in smart contract auditing, vulnerability assessment, and blockchain security research from CredShields, enabling organizations to extend their existing DevSecOps programs into Web3 with minimal friction.

> “This partnership represents a natural evolution in the AppSec landscape,” said **Shashank**, Co-founder of CredShields. “Together with Checkmarx, we’re delivering a seamless layer of security that protects enterprise systems, decentralized applications, and smart contracts with the same rigor and intelligence.”

**The partnership will focus on:**

*   Comprehensive security coverage for decentralized applications, smart contracts, and wallets
*   AI-assisted vulnerability detection and manual audits powered by CredShields’ proprietary systems
*   Joint contributions to global security frameworks, including OWASP Smart Contract Security Standards and Smart Contract Top 10
*   Enterprise enablement to integrate Web3 security into existing DevSecOps pipelines

> “As enterprises extend their digital footprint into Web3, new attack surfaces emerge,” said **Scott Sieper**, Director of Product Management at Checkmarx. “Partnering with CredShields enables us to bring our deep AppSec expertise to blockchain environments and help organizations innovate with confidence while maintaining the same rigorous security standards they expect from Checkmarx.”

Checkmarx and CredShields aim to redefine enterprise application security for the decentralized era, ensuring that innovation and security evolve in parallel as organizations adopt blockchain at scale.

For more information about securing code at the speed of AI and the Checkmarx One platform, users can visit the website.

**About CredShields**

CredShields is a Web3 security firm specializing in manual smart contract audits, AI-powered vulnerability detection, and security automation across blockchain ecosystems. A contributor to the OWASP Smart Contract Top 10, CredShields protects leading protocols and enterprises through full-spectrum decentralized security solutions.

Users can watch the demo: https://lnk.credshields.com/checkmarx-demo

**Contact**

**CredShields**  
**marketing@credshields.com**

CredShields Joins Forces with Checkmarx to Bring Smart Contract Security to Enterprise AppSec Programs

Fortinet has warned of a new security flaw in FortiWeb that it said has been exploited in the wild.
The medium-severity vulnerability, tracked as CVE-2025-58034, carries a CVSS score of 6.7 out of a maximum of 10.0.
"An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiWeb may allow an authenticated attacker to execute

Vulnerability / Network Security

Fortinet has warned of a new security flaw in FortiWeb that it said has been exploited in the wild.

The medium-severity vulnerability, tracked as **CVE-2025-58034**, carries a CVSS score of 6.7 out of a maximum of 10.0.

"An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability \[CWE-78\] in FortiWeb may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands," the company said in a Tuesday advisory.

In other words, successful attacks require an attacker to first authenticate themselves through some other means and chain it with CVE-2025-58034 to execute arbitrary operating system commands.

It has been addressed in the following versions -

*   FortiWeb 8.0.0 through 8.0.1 (Upgrade to 8.0.2 or above)
*   FortiWeb 7.6.0 through 7.6.5 (Upgrade to 7.6.6 or above)
*   FortiWeb 7.4.0 through 7.4.10 (Upgrade to 7.4.11 or above)
*   FortiWeb 7.2.0 through 7.2.11 (Upgrade to 7.2.12 or above)
*   FortiWeb 7.0.0 through 7.0.11 (Upgrade to 7.0.12 or above)

The company credited Trend Micro researcher Jason McFadyen for reporting the flaw under its responsible disclosure policy.

Interestingly, the development comes days after Fortinet confirmed that it silently patched another critical FortiWeb vulnerability (CVE-2025-64446, CVSS score: 9.1) in version 8.0.2.

"We activated our PSIRT response and remediation efforts as soon as we learned of this matter, and those efforts remain ongoing," a Fortinet spokesperson told The Hacker News. "Fortinet diligently balances our commitment to the security of our customers and our culture of responsible transparency."

It's currently not clear why Fortinet opted to patch the flaws without releasing an advisory. But the move has left defenders at a disadvantage, effectively preventing them from mounting an adequate response.

"When popular technology vendors fail to communicate new security issues, they are issuing an invitation to attackers while choosing to keep that same information from defenders," VulnCheck noted last week.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Fortinet Warns of New FortiWeb CVE-2025-58034 Vulnerability Exploited in the Wild

A mongoc_bulk_operation_t may read invalid memory if large options are passed.

GHSA-mwcc-7vpp-xmv9: MongoDB driver extension affected by mongoc_bulk_operation_t's read of invalid memory

Unsafe Deserialization vulnerability in Modular Max Serve before 25.6, specifically when the "--experimental-enable-kvcache-agent" feature is used allowing attackers to execute arbitrary code.

GHSA-7xcv-9j6c-2fmc: Modular Max Serve has Unsafe Deserialization vulnerability

Host Header Injection vulnerability in Backdrop CMS 1.32.1 allows attackers to manipulate the Host header in password reset requests, leading to redirects to malicious domains and potential session hijacking via cookie injection.

Tag

#web