credential theft Archives | Tech | Business | Economy
https://techeconomy.ng/tag/credential-theft/

Infostealer Malware Compromised Over 1 Million Banking Accounts in 2025
https://techeconomy.ng/infostealer-malware-compromised-over-1-million-banking-accounts-in-2025/
Mon, 13 Apr 2026 09:57:35 +0000

More than one million online banking accounts were compromised by infostealers last year, as financial cyberthreats shifted toward credential theft and data reuse.

According to a Kaspersky report, attackers are moving away from traditional PC banking malware and increasingly relying on social engineering and dark web marketplaces, while mobile financial malware continues to grow.

Traditional financial phishing has not gone away. Pages that mimicked e-shops dominated the financial phishing landscape (48.5% in 2025, up 10.3% from 2024), followed by banks (26.1% in 2025, down by 16.5% from 2024) and payment systems (25.5% in 2025, up by 6.2% from 2024).

The decline in bank phishing may suggest that these services are becoming increasingly difficult to successfully impersonate, and fraudsters are turning to easier ways to access users’ finances.

Attackers are adapting campaigns to regional digital habits. In the Middle East, financial phishing is overwhelmingly concentrated on e-commerce (85.8%), indicating a heavy reliance on online retail lures, whereas in Africa bank-related phishing leads (53.75%), which may indicate that user account security there is still insufficient.

Latin America shows a more balanced distribution but with a higher share of e-commerce and bank targeting, while APAC and Europe display a more even spread across all three categories, pointing to diversified attack strategies.

[Figure: The distribution of detections of financial phishing pages by category (banks/online stores/payment systems), globally and per region, 2025 | Credit: Kaspersky]

In 2025, the decline in users affected by financial PC malware continued as users increasingly rely on mobile devices to manage their finances.

In contrast to PC banking malware, mobile banker attacks grew by 1.5 times in 2025 compared to the previous year.

Complementing traditional financial malware, infostealers played a significant role in enabling financial crime both on PCs and mobile devices by harvesting login credentials, cookies, bank card numbers, crypto wallet seed phrases, and autofill data from browsers and applications, which attackers then used for account takeovers or direct banking fraud.

Kaspersky data pointed to a surge in infostealer detections on PCs from 2024 to 2025 (up by 59% globally, 53% in Africa and 26% in the Middle East), fueling credential-based attacks.

According to Kaspersky Digital Footprint Intelligence (DFI), in 2025 over one million online banking accounts served by the world’s 100 largest banks fell victim to infostealers: credentials for these accounts were being freely shared on the dark web.

The countries with the highest median number of compromised accounts per bank were India, Spain, and Brazil.

74% of payment cards that were compromised by infostealer malware, published on dark web resources and identified by the Kaspersky DFI team in 2025, remained valid as of March 2026.

This means that attackers could still use cards that had been stolen months or even years prior.

“The dark web has become a central hub for financial cybercrime. Stolen credentials and bank cards that have been harvested by infostealers are aggregated, repackaged, and sold there, while phishing kits targeted at users of financial products are offered as ready-to-use services. This creates a self-sustaining ecosystem where data theft and fraud operations reinforce each other, making attacks scalable and easy to carry out by fraudsters with minimal experience. Breaking this cycle requires proactive threat intelligence on the part of organisations, and increased awareness and scrutiny from individual users,” comments Polina Tretyak, Kaspersky digital footprint intelligence analyst.

Microsoft Seizes 338 Nigerian-Linked Websites Running Raccoon0365 Phishing Network
https://techeconomy.ng/microsoft-seizes-338-nigerian-linked-raccoon0365-phishing-websites/
Wed, 17 Sep 2025 11:00:49 +0000

Microsoft has taken down hundreds of websites linked to Raccoon0365, a subscription-based phishing service traced to Nigeria, after uncovering large-scale theft of Microsoft 365 login credentials worldwide.

The company’s Digital Crimes Unit (DCU), armed with a U.S. court order, seized 338 domains that cybercriminals used to impersonate Microsoft and trick unsuspecting users into entering their credentials. 

The operation, led by Nigeria-based developer Joshua Ogundipe, relied on Telegram to sell phishing kits to more than 850 subscribers.

According to Microsoft, the service has been used to steal at least 5,000 login details across 94 countries since it launched in July 2024. The group reportedly earned over $100,000 in cryptocurrency payments from customers who used its kits to run phishing campaigns.

Steven Masada, assistant general counsel at Microsoft’s DCU, warned about the simplicity, and the danger, of such services. “Cybercriminals don’t need to be sophisticated to cause widespread harm. Simple tools like Raccoon0365 make cybercrime accessible to virtually anyone, putting millions of users at risk.”

Investigators said Raccoon0365 targeted a wide range of industries, including financial institutions and healthcare providers. One campaign, themed around U.S. tax filings, attempted to compromise more than 2,300 organisations in just two weeks earlier this year. 

Microsoft’s partner in the lawsuit, the Health Information Sharing & Analysis Centre (Health-ISAC), confirmed that at least five healthcare organisations had already fallen victim.

Errol Weiss, chief security officer at Health-ISAC, explained: “So many of the attacks start because somebody gave up their user name and password to a bad guy. Once that cybercriminal has access to the network, then it’s just up to the imagination in terms of what comes next and how they monetise it.”

Cloudflare, which had unknowingly hosted some of the operators’ infrastructure, worked with Microsoft and the U.S. Secret Service to shut down the phishing network. 

The internet security company said the attackers were skilled but left operational security lapses that exposed their identities. Blake Darché, Cloudflare’s head of threat intelligence, stated: “They’re in people’s accounts, they compromise lots of people, and it needs to obviously be stopped.”

Court filings show that Ogundipe and his associates played specific roles including coding the phishing tools, managing subscriptions, and offering customer support to fellow cybercriminals. 

Investigators were able to tie him to the network after he mistakenly exposed a cryptocurrency wallet connected to the scheme. A criminal referral has been sent to international law enforcement.

The case highlights a disturbing evolution of phishing-as-a-service. Raccoon0365 recently introduced AI-MailCheck, an artificial intelligence feature designed to scale phishing operations further. Security researchers warn that this could make phishing attempts harder to detect and more damaging.

Check Point Research has noted that Microsoft is the most imitated brand in phishing attacks globally, accounting for 25% of attempts between April and June 2025; the rapid spread of networks like Raccoon0365 is a huge factor in this surge.

For Microsoft, the seizure is only one step. The company said more enforcement actions are expected as it works with global partners to dismantle the wider criminal ecosystem feeding off its brand identity.
