KCS Information Technology Inc.

KCS Information Technology is a full-service IT consulting company with 30+ years of experience. Open 24/7 all year round.

Specialized in industry software for Medical, Manufacturing, Food Services, and more. We offer custom-built computers and servers.

10/30/2025

We would like to inform you of an ongoing phishing campaign that has targeted several Microsoft users and has become increasingly common in the past month.

What is happening?

Users are receiving deceitful “urgent” emails from email addresses that use words such as Microsoft, it.support, domain.administrator, etc., as part of their domain name or username to trick users into thinking these emails are coming from legitimate organizations, such as Microsoft.

These emails commonly include headers evoking a sense of urgency, such as the following:

• “ACTION REQUIRED - Email services Affected”
• “Your Microsoft 365 subscription expires soon.”
• “Microsoft: Important - Verify Your Recent Purchase”
• “Action Required: Pay your past due invoice to avoid Microsoft services interruption.”

Furthermore, these emails often include HTML files that simulate a calendar invite, which automatically triggers Outlook to generate an event on the user's Outlook calendar.
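For mail administrators, the three traits described above (brand or role words in the sender address, urgent subject lines, and an invite-style attachment) can be checked mechanically. The following is an added example, not KCS tooling; the trusted-domain list, the reason labels and both sample messages are constructed assumptions.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Words the advisory says appear in the sender's username or domain.
LURE_WORDS = ("microsoft", "it.support", "domain.administrator")
# Assumption: the only domain this mailbox expects genuine Microsoft mail from.
TRUSTED_SENDER_DOMAINS = {"microsoft.com"}
# Phrases drawn from the subject lines quoted in the advisory.
URGENCY_PHRASES = ("action required", "expires soon", "verify your", "past due")


def triage(raw_message):
    """Return the reasons a raw RFC 5322 message matches the campaign pattern."""
    msg = message_from_string(raw_message, policy=policy.default)
    reasons = []

    # 1. Brand/role word in the address, but the domain is not a trusted one.
    _, address = parseaddr(str(msg.get("From", "")))
    local, _, domain = address.lower().rpartition("@")
    trusted = any(domain == d or domain.endswith("." + d)
                  for d in TRUSTED_SENDER_DOMAINS)
    if not trusted and any(w in local or w in domain for w in LURE_WORDS):
        reasons.append("lure-word-in-sender")

    # 2. Subject line built to create urgency.
    subject = str(msg.get("Subject", "")).lower()
    if any(p in subject for p in URGENCY_PHRASES):
        reasons.append("urgent-subject")

    # 3. Calendar part or HTML file attached (the invite that lands in Outlook).
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/calendar" or name.endswith(
                (".ics", ".htm", ".html")):
            reasons.append("calendar-or-html-attachment")
            break
    return reasons


def build_sample(sender, subject, with_invite):
    """Build a constructed test message (not a captured phishing email)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("Please review the attached notice.")
    if with_invite:
        m.add_attachment("BEGIN:VCALENDAR\r\nEND:VCALENDAR\r\n",
                         subtype="calendar", filename="invite.ics")
    return m.as_string()


# Constructed samples: one shaped like the campaign, one ordinary message.
PHISH = build_sample("IT Support <it.support@ms-billing.example>",
                     "ACTION REQUIRED - Email services Affected", True)
GENUINE = build_sample("Microsoft <billing@microsoft.com>",
                       "Your invoice is ready", False)

if __name__ == "__main__":
    print("phish  :", triage(PHISH))
    print("genuine:", triage(GENUINE))
```

A message that forges the real domain in its From header passes the first check; that case is covered by the SPF, DKIM and DMARC results of the receiving mail system, not by string matching.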

What does this mean for you?

It’s important to highlight that receiving these emails and calendar invites does not mean that the user's account has been compromised. However, this is an indication that your organization is being targeted, and that users who are not following recommended cybersecurity practices, such as verifying email addresses of senders, using multi-factor authentication, using strong passwords, avoiding clicking on external links, etc., are at risk of being compromised.

If you or anyone in your company has experienced this issue, please send us an email at [email protected].

Reminders:

• Always check the sender email address for incoming email, especially if the email looks suspicious or is flagged as urgent.

• Do not click on links from emails unless you are sure you are expecting an email with a link from a legitimate sender.

• If an email looks suspicious, call or speak with the sender directly to confirm it is legitimate.

• Check official websites or call official numbers of the organizations you use, such as Microsoft, ComEd, Adobe, AT&T, etc., to verify the status of your services.


Thank you for staying alert and helping us keep you safe and secure.

KCS Information Technology Inc.

10/21/2025

Watch Out for Fake Google Job Offer Emails

We want to alert you about a new credential phishing scam that is targeting Google Workspace and Microsoft 365 users with fake job offers impersonating Google Careers.

According to researchers at Sublime Security, attackers are sending emails that appear to come from Google recruiters or departments such as “GG Careers”, using addresses like [email protected].

These scammers are constantly changing email addresses, domains, languages, and web pages to bypass spam filters and trick even cautious users. They also use hidden formatting techniques to disguise keywords like “Google Careers” from email security filters.

How Does the Scam Work?

1. The user receives an email invite with a link or button labeled “Book a Call” or “Apply” for a position.

2. Clicking the link redirects users through several fake pages, starting with a fake Cloudflare verification page, followed by a fake Google Careers scheduling form.

3. Finally, victims are sent to a spoofed Google login page designed to steal usernames and passwords.

Recommendations to Stay Protected:

1. Be skeptical of unexpected job offers, even if they appear to come from trusted companies like Google.

2. Check the sender’s email address carefully. Legitimate emails from Google will end with .com.

3. Do not click on links or download attachments from unsolicited job-related emails.

4. Verify through official channels before clicking. Visit careers.google.com or the company’s verified LinkedIn page instead of following email links.

5. Report suspicious emails to any of our KCS technicians and right-click on the email to report it as phishing or spam.

6. Enable multi-factor authentication (MFA) on your accounts to increase security.

We recommend reading more about this topic in the following article(s):

https://support.google.com/faqs/answer/10122524?sjid=11968685626366774464-NC

https://hackread.com/fake-google-job-offer-email-scam-workspace-microsoft-365/

A new report from the leading cybersecurity firm Sublime Security has revealed an ongoing email scam that uses fake job offers from Google to trick people using Google Workspace and Microsoft 365 into giving away their private login details.

10/16/2025

Dear users,

We would like to inform you of a new Android malware threat called Pixnapping that can steal sensitive information from phone screens without the user’s knowledge or interaction.

What Is Pixnapping?

Pixnapping abuses how Android devices display content on your screen. When a malicious app is installed, it scans apps like Google Authenticator, Gmail, or payment apps. In the background, the app reads tiny bits of display data (pixels) from those apps without taking a screenshot. It then uses the data to rebuild sensitive information such as 2FA codes, messages, or payment details. This information can be used by threat actors to access accounts and steal personal information.

This attack affects Google Pixel 6–9 and Samsung Galaxy S25 devices running Android 13–16. At the moment, Google is developing a complete fix for this issue and is planning to release it for December’s Android update.

It’s important to note that no active attacks have been reported, but users are advised to take precautions now.

How to Protect Your Device?

Update your phone: Go to Settings → System → Software Update and install the latest available update.

Download apps safely: Only install apps from the Google Play Store or verified sources. Avoid installing apps through links in emails, texts, or social media.

Review app permissions: Check for apps that can “display over other apps” and revoke unnecessary access.

Use stronger MFA methods: When possible, use push-based authentication apps (such as DUO) or hardware keys over code-generating apps.

Thank you for staying alert and helping us keep you safe and secure.

KCS Information Technology Inc.

We recommend reading more about this topic in the following article(s):

https://www.cylab.cmu.edu/news/2025/10/13-pixnapping.html

https://lifehacker.com/tech/pixnapping-new-android-malware-attack

Researchers have discovered a new type of attack that can steal sensitive information on Android devices, like 2FA codes, without the user's knowledge.

10/07/2025

Dear KCS Clients,

We would like to inform you of a new cybersecurity threat involving a malicious software tool called MatrixPDF, which allows attackers to embed site redirections and malware in regular PDFs.

About the Threat

Researchers from Varonis, a known cybersecurity platform, have identified that cybercriminals are using MatrixPDF to convert legitimate-looking PDF files into interactive files designed to bypass traditional email security. These PDFs often appear as secure or confidential documents but contain fake “Open Secure Document” buttons or links that redirect users to credential-stealing sites or malware downloads.

Since files generated through MatrixPDF do not initially contain malicious code, they can slip past antivirus and spam filters, only becoming dangerous once a user interacts with them.

How to Protect Yourself and Others?

• Be cautious with any PDF attachments, especially if they ask you to click a button or “unlock” secure content.

• Verify the sender’s email address and intent before opening attachments.

• Hover over links or buttons in PDFs to preview the destination URL—do not click if it looks unfamiliar.

• Report any suspicious emails or attachments to [email protected] immediately.

• DO NOT enter login credentials, payment details, or personal information via links from PDF files.

• DO NOT ignore email or browser warnings about external content, unrecognized senders, or unsafe sites.

• DO NOT forward suspicious messages to colleagues. Report them to us first.

If you have any questions or believe you may have interacted with a suspicious PDF, please email us at [email protected] or contact any of our technicians.

We recommend reading more about this topic in the following article(s):

https://www.bleepingcomputer.com/news/security/new-matrixpdf-toolkit-turns-pdfs-into-phishing-and-malware-lures/

https://cyberpress.org/matrixpdf-exploit/

MatrixPDF exploit - MatrixPDF is a new phishing and malware toolkit turning benign PDFs into weaponized attack vectors. Using overlays.

10/06/2025

Dear KCS Clients,

We want to make you aware of a new online scam targeting Microsoft Teams users. Hackers are running fake advertisements and search results on the web that promote a malicious “Microsoft Teams” installer. If downloaded, it can secretly install malware that gives attackers access to company data and systems.

What does this mean for you?

• Do not download Teams (or any other software) by searching online. We recommend going to the official Microsoft Store or App Store which you will find among your installed apps.

• Be extra cautious of ads at the top of search results that look like download links.

What to do if you’re unsure?

• If there is a new app or program that you want to install on your computer and you can’t find it on the official Microsoft Store or App Store, please send us an email and we will help you find the right installer.

• If you accidentally downloaded something suspicious, do not open it and contact one of our technicians immediately or email us at [email protected].

Staying vigilant helps protect both you and the company. Thank you.

KCS Information Technology Inc.

We recommend reading more about this topic in the following article(s):

https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-installers-push-oyster-malware-via-malvertising/

https://www.techradar.com/pro/security/look-out-these-fake-microsoft-teams-installers-are-just-spreading-dangerous-malware

Be careful when searching for Microsoft Teams

09/26/2025

Dear KCS Clients,

A recent phishing campaign has been exploiting GitHub’s notification system to impersonate Y Combinator and trick developers into revealing cryptocurrency wallet credentials.

Cybercriminals created fake GitHub accounts with names similar to Y Combinator (e.g., ycombinato, ycommbbinator). They distributed phishing messages through GitHub issues, which appeared legitimate since they came via GitHub’s official notification system. Victims were lured with fake “funding opportunity” notifications that linked to a typosquatted domain (y-comblnator.com) hosting malicious pages.

What to watch for?

Unexpected notifications claiming you were “selected for funding.”

Requests to verify your wallet or make a deposit to secure opportunities.

GitHub accounts or apps with slight misspellings of trusted names.

Recommendations:

Verify the sender before clicking links in GitHub notifications.

Hover over links to confirm they point to trusted domains.

Report suspicious GitHub notifications to us immediately.

Do not provide wallet credentials, private keys, or deposits in response to funding requests.

Stay cautious and help protect your accounts and assets.

Thank you,

KCS Information Technology Inc.

We recommend reading more about this topic in the following article(s):

https://cybersecuritynews.com/hackers-leverage-github-notifications/

https://www.bleepingcomputer.com/news/security/github-notifications-abused-to-impersonate-y-combinator-for-crypto-theft/

A massive phishing campaign targeted GitHub users with cryptocurrency drainers, delivered via fake invitations to the Y Combinator (YC) W2026 program.

09/04/2025

Watch Out for Caller ID Spoofing Scams

We want to make you aware of an ongoing phishing campaign involving caller ID spoofing. Users have reported seeing scammers impersonating trusted contacts, businesses, or even government agencies by manipulating the phone number and name that appear on their caller ID. These calls look legitimate by showing the exact number of a friend, family member, your bank, or a well-known company. The goal is to trick you into sharing sensitive information such as login credentials, bank details, or making urgent money transfers.

How Does Caller ID Spoofing Work?

Scammers use apps and tools to make their phone calls appear to come from a familiar source. For example:

• A scammer may impersonate Google and claim there is suspicious activity on your account.

• Fraudsters may pose as government officials demanding immediate payment.

• Criminals may impersonate family members in distress to pressure you into sending money.

How to Prevent Falling for This?

• Be cautious of urgent requests for money, passwords, or personal information.

• Hang up immediately if something feels off, and call the person or company back using a verified number. Only use phone numbers from their official website.

• Enable spam/scam call filtering features on your smartphone.

• Do not share passwords, multi-factor authentication codes, or financial details over the phone.

• Do not press buttons, click links in texts, or engage with suspicious prompts during a call.

• Do not assume a familiar name or number on caller ID means the call is safe.

Legitimate organizations, including Google, the IRS, and your bank, will not call you unexpectedly to demand money, login credentials, or verification codes.

Staying alert and cautious is the best way to protect yourself from these scams. If you notice anything suspicious, no matter how small it is, please let us know as soon as possible.

We recommend reading more about this topic in the following article(s):

https://lifehacker.com/tech/that-phone-call-from-google-is-probably-a-scam

https://us.norton.com/blog/online-scams/caller-id-spoofing

Thanks to caller ID spoofing, scammers can place phone calls under different names and numbers. To learn more about this scamming technique, follow this guide.

08/21/2025

Password Manager Autofill Vulnerabilities in Clickjacking Attacks

Dear KCS Clients,

We want to bring to your attention a newly disclosed security issue affecting several major password managers, which could expose sensitive information such as login credentials, two-factor authentication (2FA) codes, and credit card details.

What Happened?

Independent security researcher Marek Tóth, along with Socket Security, identified vulnerabilities in browser-based password managers that make them susceptible to clickjacking attacks. In these attacks, malicious websites or compromised pages can overlay invisible elements on top of password manager controls. When users believe they are clicking on harmless elements (such as popups or banners), they may unknowingly trigger their password manager’s autofill function—leaking sensitive data to attackers.

Affected Password Managers

The following products are currently vulnerable in specific versions:

- 1Password 8.11.4.27
- Bitwarden 2025.7.0
- Enpass 6.11.6
- iCloud Passwords 3.1.25
- LastPass 4.146.3
- LogMeOnce 7.12.4

Dashlane, NordPass, ProtonPass, RoboForm, and Keeper have already released fixes. Others, including LastPass, LogMeOnce, and 1Password, have acknowledged the issue and are working on updates.

LastPass and 1Password have implemented certain clickjacking safeguards, including pop-up notifications that appear before auto-filling credit cards and personal details on all sites and require user confirmation.

Recommendations

Until fixes are fully released and confirmed safe, we recommend the following precautions:

1. Disable Autofill: Turn off the autofill feature in your password manager and instead use copy-and-paste for credentials.

2. Update Regularly: Ensure your password manager is always running the latest version, as fixes are actively being released.

3. Be Vigilant Online: Avoid clicking on suspicious popups, banners, or overlays—especially on unfamiliar websites.

4. Use MFA Apps When Possible: For two-factor authentication, prefer using standalone authenticator apps instead of storing 2FA codes in password managers.

5. Stay Informed: Follow vendor announcements for updates and apply patches as soon as they are available.

We will continue monitoring this situation. If you need assistance reviewing your password manager settings or applying security updates, please reach out to the KCS team.

We recommend reading more about this topic in the following article(s):

https://cybernews.com/security/password-managers-autofill-credentials-for-attackers/

https://thecyberexpress.com/dom%E2%80%91based-extension-clickjacking/

https://thehackernews.com/2025/08/dom-based-extension-clickjacking.html

DOM-Based Extension Clickjacking Exposes Popular Password Managers to Credential and Data Theft | Read more hacking news on The Hacker News cybersecurity news website and learn how to protect against cyberattacks and software vulnerabilities.

08/05/2025

Dear KCS Clients,

We would like to inform you of an ongoing phishing attack involving the eM Client application, which has recently targeted several companies, including some of our clients.

eM Client is a legitimate software application that offers features for managing calendars, tasks, contacts, notes, and chat services. Unfortunately, attackers are exploiting this application to gain unauthorized access to accounts, including Microsoft 365 accounts.

When users download the application, they are prompted to add an account, such as their Microsoft 365 account, and then asked to grant specific permissions (see the image below). Once these permissions are granted, if the Microsoft account becomes compromised, attackers can exploit the granted permissions to further propagate their phishing attacks.

For example, once attackers gain access to an account, they can:

Modify the user's email settings, such as granting access to others.
Create forwarding rules and folders.
Move emails to different folders.
Export calendars and contacts.
Create local copies of the user's emails.
Use eM Client's mass mailing feature to spread phishing attacks to the user's contacts.
Maintain access to the account even after IT has attempted to revoke it.

User accounts can be compromised through several methods, including:

Visiting fake websites that prompt users to enter their account credentials.
Clicking on unverified email links that lead to credential prompts.
Not having multi-factor authentication (MFA) enabled and using weak or leaked passwords.
Having malware installed on devices that can extract account credentials.

What Can You Do?

Check with Colleagues: Inquire if any colleagues have received suspicious emails appearing to come from you or others in your office, especially those containing invitations or links to access files. If so, do not click on any links and report the incident to us immediately.

Monitor Email Behavior: Be vigilant for unusual email behavior, such as:
Not receiving expected emails.
Emails appearing in folders you did not move them to.
Emails in your “Sent” folder that you did not send.
Email rules you did not create.

If you notice any of these behaviors or similar, report them to us immediately.

Be Cautious with External Emails: Be on the lookout for unusual emails from individuals outside your organization, such as customers, suppliers, or service providers. If you receive such emails, do not click on any links and report them to us immediately.

KCS Information Technology Inc. has successfully mitigated these attacks and is implementing appropriate measures to prevent them from affecting other clients.

Stay vigilant and do not hesitate to reach out with any concerns.

Best regards,

KCS Information Technology Inc.

If you've found your way to this article, it's likely because you have found a suspicious application content for eM Client. This is an application that is similar in its usage to PERFECTDATA SOFTWARE, but is also distinct. While the exact reason why threat actors use that application is not conclu...

07/23/2025

We would like to warn you of ongoing malicious tactics from scammers to trick you into going to fake websites or calling false numbers that appear to be from legitimate companies such as Comcast and AT&T.

Search Engine Optimization (SEO) poisoning is the scenario where fake websites and phone numbers appear among the top results after you make a search in your browser. Scammers achieve this by registering domain names similar to legitimate ones with small variations. Then, they use different methods such as keyword stuffing, cloaking, private link networks, bots, and humans to increase traffic and trick search engine algorithms into giving their websites higher rankings.

To learn more about the terms mentioned in this paragraph, please visit: https://www.crowdstrike.com/en-us/cybersecurity-101/social-engineering/seo-poisoning/

Unfortunately, users very often do not carefully read the names and URLs of the websites they click on. Users also misspell the names of the websites or companies they are trying to reach. Both instances increase the chances of users going to fake websites or seeing fake phone numbers, which can lead them to contact scammers and expose crucial personal information such as passwords and bank account details.

Our Recommendations:

1. If you need to contact a company that services you or that you are planning on using, such as internet providers, phone companies, utility companies, software companies, etc., use the contact information provided on a bill they sent you. If you don’t have a bill, be extremely careful when searching online: type the company name correctly, look for suspicious URLs among the sites in your results, and avoid AI suggestions. Most legitimate sites have short and simple URLs with their company name properly spelled.

2. Never provide credit or debit card information over the phone or on a website unless you are 100% sure the website is real. In most cases, companies offering services either require users to create accounts with them to enter their management portals or assign users an account number. When you contact these companies, they will ask for your account number to verify your identity. They may also use text codes such as those from MFA. They should not ask for your debit or credit card information to verify you are a user.

Here is a list of the websites of companies commonly used. Please use these as examples of how a company website URL should look.

www.xfinity.com (previously known as Comcast)

www.att.com

www.comed.com

www.microsoft.com

www.amazon.com

www.ebay.com

www.verizon.com

www.t-mobile.com

www.adobe.com

If you need to contact any of these companies, go to the websites using the provided links and look at their contact information through their website. We strongly recommend bookmarking their website using the links provided to ensure you visit their legitimate website next time you need it.
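The "small variations" described above can be tested for automatically before a link or sender address is trusted. This added example (not KCS tooling) compares a host against the legitimate domains listed here; it also covers the y-comblnator.com case from the GitHub advisory, for which ycombinator.com is assumed to be the imitated domain, and the character-swap table and thresholds are assumptions.

```python
import re

# Legitimate domains listed in the advisory, plus ycombinator.com (assumption:
# the real domain imitated by the y-comblnator.com example).
TRUSTED = ["xfinity.com", "att.com", "comed.com", "microsoft.com", "amazon.com",
           "ebay.com", "verizon.com", "t-mobile.com", "adobe.com",
           "ycombinator.com"]

# Character swaps commonly used to make a lookalike read like the real name.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l")]


def host_of(value):
    """Extract the host from a URL, a bare host name or an email address."""
    value = value.strip().lower()
    value = re.sub(r"^[a-z][a-z0-9+.-]*://", "", value)   # drop scheme
    value = re.split(r"[/?#]", value, maxsplit=1)[0]      # drop path/query
    value = value.rsplit("@", 1)[-1]                      # drop mailbox/userinfo
    return value.split(":")[0].rstrip(".")                # drop port


def skeleton(name):
    """Collapse hyphens and confusable characters so lookalikes compare equal."""
    name = name.replace("-", "")
    for fake, real in CONFUSABLES:
        name = name.replace(fake, real)
    return name


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(value):
    """Return ("trusted" | "lookalike" | "unknown", matched trusted domain)."""
    host = host_of(value)
    # Last two labels only: enough for the .com names here, not for e.g. .co.uk.
    domain = ".".join(host.split(".")[-2:])
    if domain in TRUSTED:
        return ("trusted", domain)
    for real in TRUSTED:
        # Same skeleton (swapped characters, hyphens) or a one-character typo.
        if edit_distance(skeleton(domain), skeleton(real)) <= 1:
            return ("lookalike", real)
    for real in TRUSTED:
        # Brand name buried in a longer host; short brands are skipped as noisy.
        brand = skeleton(real.split(".")[0])
        if len(brand) >= 6 and brand in skeleton(host):
            return ("lookalike", real)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed inputs, apart from y-comblnator.com which the page quotes.
    for sample in ["www.xfinity.com", "funding@y-comblnator.com",
                   "https://microsoft.com.account-verify.example/login",
                   "rnicrosoft.com", "example.org"]:
        print(sample, "->", classify(sample))
```

A one-character threshold flags some unrelated short domains as lookalikes, so treat a hit as a reason to look closer rather than as a verdict.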

SEO poisoning is a technique used by threat actors to increase the prominence of their malicious websites, making them look more authentic to consumers.

06/24/2025

Watch Out for DMV Scam over Text Messages

We would like to warn you of an ongoing phishing campaign over text messages where scammers are impersonating Department of Motor Vehicles (DMV) agencies from several states including Illinois.

These messages are very deceptive and are meant to intimidate people so they click on malicious links leading to state-themed phishing websites designed to collect personal information and credit card credentials under the guise of identity verification.

What do these messages look like?

These text messages contain alarming notices of unpaid toll violations, citations of fabricated legal codes such as “[State-Name] Administrative Code 15C-16.003”, and warnings of license suspension or legal penalties if immediate action is not taken. The messages include links to websites that prompt users for immediate payment of fines to resolve these fictitious legal issues. The text messages are being sent from spoofed phone numbers and email addresses. The messages are completely false and meant to create a sense of urgency that scares people and pushes them to visit the malicious websites.

Our Recommendations:

1. Check the phone number that the text messages are sent from.

2. If the sender is unknown, do not reply.

3. Be wary of messages demanding immediate payment or threatening severe consequences.

4. Remember DMVs do not send payment demands via text or email.

5. Do not click on links of texts from unknown senders.

6. Do not share personal or financial information in response to such messages.

7. When in doubt, call official organizations to make sure the message is coming from them.

8. Report any suspicious messages to the Federal Trade Commission (FTC) at reportfraud.ftc.gov

We recommend reading more about this topic in the following article(s):

https://cybersecuritynews.com/weaponized-dmv-themed-phishing-attacking-u-s-citizens/

https://abc7chicago.com/post/dmv-scam-illinois-secretary-state-issues-warning-text-message/16581435/

06/16/2025

Watch Out for Malicious "Unsubscribe" Links in Emails

We want to alert you of a rising cybersecurity risk involving "unsubscribe" links in emails. While it may seem harmless to click these links to clean up your inbox, doing so can expose you to phishing attempts or confirm your email address to spammers.

What’s the risk?
* Malicious unsubscribe links may lead to phishing websites that try to steal your login credentials.

* Clicking unsubscribe buttons or links in spam emails confirms your email is active—encouraging more spam.

* According to DNSFilter, 1 in 644 unsubscribe link clicks leads to a malicious site.

Safe ways to manage unwanted emails:

1. Use built-in unsubscribe tools (safer than in-email links):

* Gmail:
Go to More > Manage subscriptions or click Unsubscribe next to the sender’s name.

* Outlook:
Go to Settings > Mail > Subscriptions or use the three dots menu > Block or Unsubscribe.

2. Set up filters or rules to manage emails:

Automatically move messages from unwanted senders to folders or spam.

* In Gmail: More > Filter messages like these

* In Outlook: Right-click > Rules > Create rule

3. Use a disposable or alias email address
For newsletters or sign-ups, consider using a separate or temporary email address to isolate and easily manage promotional emails.

Quick Reminders:
* Never enter your password on a site you reached via an unsubscribe link.

* If you don’t recognize the sender, don’t click any links.

* Mark suspicious messages as spam or phishing instead.

As your IT support, KCS is happy to assist you with implementing any of these recommendations or with answering any questions regarding this issue.

We recommend reading more about this topic in the following article(s):
*

Like the flood of spam texts, your email inbox is likely filled with newsletters, promotions, and other messages that you don't care to read and perhaps don't know why you receive. But you shouldn't just start clicking unsubscribe links, which may open you up to certain cybersecurity risks.

Address

9524 Franklin Avenue
Franklin Park, IL
60131
