ZeroFox Daily Intelligence Brief - May 5, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Law Enforcement Outreach Targets Card Skimmers
- DigiCert Neutralizes Certificates Exploited in Chat-Based Phishing
- Trusted Cloud Infrastructure Exploited for Large-Scale Phishing
Law Enforcement Outreach Targets Card Skimmers
What we know: The U.S. Secret Service inspected over 3,000 terminals from April 27 to 29, removing five skimming devices from ATMs, gas pumps, or point‑of‑sale systems. The operation prevented an estimated USD 5.2 million in fraud.
Context: Scammers use skimming technology to capture card information from EBT cards and encode that data onto another card with a magnetic stripe. Skimmers are overlays installed on card readers that capture card information when users swipe or insert their cards; criminals then clone the data or sell it to generate fraudulent transactions.
Analyst note: Organizations most likely at risk are those operating high‑volume and publicly accessible card readers with limited physical oversight. Such entities are advised to routinely inspect ATMs, POS terminals, and card readers for loose, damaged, or scratched components and prioritize tap‑to‑pay or chip‑based transactions over magnetic‑stripe swipes. Furthermore, users are advised to shield the keypad with a hand to block hidden cameras and remain alert for skimmers in high‑traffic tourist areas, which attackers are very likely to target.
DigiCert Neutralizes Certificates Exploited in Chat-Based Phishing
Source: https://www.securityweek.com/digicert-revokes-certificates-after-support-portal-hack/
What we know: Threat actors reportedly gained internal access to a DigiCert support analyst's system to obtain and misuse Extended Validation Code Signing certificates. DigiCert has identified and revoked 60 certificates associated with the incident.
Context: Threat actors used malicious screenshots (containing Zhong malware) in a customer chat to gain access to the internal portal. They exploited the portal's proxy feature to steal initialization codes for pending EV Code Signing certificate orders and combined these with approved order details to misuse valid certificates.
Analyst note: This incident highlights the high risk of supply chain attacks targeting trusted certificate authorities. Similar organizations are likely to face such "chat-based" phishing attempts, requiring new security protocols for help-desk environments. Even after revocation, systems that neither check Certificate Revocation Lists (CRLs) nor query the Online Certificate Status Protocol (OCSP) will likely continue to trust files signed with the compromised certificates.
Trusted Cloud Infrastructure Exploited for Large-Scale Phishing
What we know: Attackers have increasingly been observed abusing Amazon Simple Email Service (SES) to send phishing emails that bypass standard security controls.
Context: These attacks are reportedly driven by widespread exposure of AWS credentials in public assets such as GitHub repositories, .env files, and S3 buckets, which attackers discover automatically using tools like TruffleHog. Rapid detection and remediation of exposed keys remain critical to limiting ongoing abuse.
Analyst note: These attacks are likely to increase unless stronger controls are implemented to prevent credential exposure in public assets. Threat actors are likely to continue to use automated tools to scan for exposed AWS credentials and weaponize them for large-scale phishing and abuse.
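The detection side of the analyst note above, as an added example that is not part of the original brief: a small scanner that flags AWS long-term access key IDs and secret access keys in .env-style content before it is committed or published. The sample file is constructed for this example and uses the credential values from AWS's own public documentation; the variable-name heuristic for the secret key is an assumption, not a published format.

```python
import re
from typing import List, Tuple

# AWS long-term access key IDs are "AKIA" (or "ASIA" for temporary keys)
# followed by 16 uppercase alphanumerics; this is AWS's published format.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Secret access keys have no fixed prefix, so we key on the variable name
# (assumption: common .env / config spellings) plus a 40-char base64-like value.
SECRET_KEY_RE = re.compile(
    r"aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?\s*$",
    re.IGNORECASE,
)

# Constructed sample .env content; the key values are AWS documentation examples.
SAMPLE_ENV = """\
DB_HOST=localhost
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AWS_SECRET_ACCESS_KEY_PLACEHOLDER=changeme
# AKIA is the prefix AWS uses for long-term access key IDs
"""


def redact(value: str) -> str:
    """Keep just enough of a secret to correlate findings without re-leaking it."""
    return f"{value[:4]}...{value[-4:]}"


def find_aws_credentials(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, redacted_value) for each credential found."""
    findings: List[Tuple[int, str, str]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = ACCESS_KEY_RE.search(line)
        if m:
            findings.append((line_no, "aws_access_key_id", redact(m.group(1))))
        m = SECRET_KEY_RE.search(line)
        if m:
            findings.append((line_no, "aws_secret_access_key", redact(m.group(1))))
    return findings


if __name__ == "__main__":
    # Non-zero exit makes this usable as a pre-commit or CI gate.
    hits = find_aws_credentials(SAMPLE_ENV)
    for line_no, kind, value in hits:
        print(f"line {line_no}: {kind} = {value}")
    raise SystemExit(1 if hits else 0)
```

A hit means the key should be treated as compromised and rotated in IAM, not merely deleted from the file, since history and forks keep the old value.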
DEEP AND DARK WEB INTELLIGENCE
Breached[.]st user MDGhost: Threat actor “MDGhost” has advertised, on dark web forum breached[.]st, a database exfiltrated from insurance company Transamerica. The dataset allegedly contains about 1 million records of personally identifiable information (PII) such as names, dates of birth, and contact details.
VULNERABILITY AND EXPLOIT INTELLIGENCE
MOVEit vulnerabilities: Progress Software released patches for two vulnerabilities in MOVEit Automation, including a critical authentication bypass flaw (CVE-2026-4670) and a privilege escalation bug (CVE-2026-5174). MOVEit Automation is a server-based managed file transfer (MFT) solution that automates enterprise file movement workflows. According to Progress Software, exploitation of the vulnerabilities is likely to lead to unauthorized access, administrative control, and data exposure.
Affected products: MOVEit Automation versions prior to 2025.1.4, 2025.0.8, and 2024.1.7
Tags: DIB, tlp:green