Cybersecurity · Saturday, 11 July 2026
01 · Briefing · what happened
Attackers phoned people and walked them through handing over a passkey — the strongest login there is
A vishing campaign talks victims through 'enrolling a passkey' on fake Microsoft pages while the attacker quietly registers their own key. Plus: ransomware that switches off antivirus with a signed driver, guilty pleas in old Ryuk cases, CISA's post-mortem on a leaked-keys blunder, and a UK plan to force platforms to ban scam ads.
Key takeaways
- Attackers are phoning people and coaching them through "adding a passkey" — while quietly registering the attacker's own key on the real account; no legitimate company calls you to do this.
- A new ransomware strain switches off antivirus by carrying a Microsoft-signed driver the system already trusts, and old ransomware crews are now pleading guilty and paying restitution.
- The UK plans to fine platforms up to 10% of global revenue if they keep running scam ads, which cost British victims about £200 million a year.
The strongest way to log in is supposed to be a passkey — a login tied to your own device that a fake website can’t steal. This week attackers found a way around it: they call you up and talk you through adding one.
The phone call that adds a stranger’s key to your account
Okta, an identity-security company, warned Friday that a group has been phoning employees at companies across automotive, aviation, construction, food and beverage, healthcare, and technology sectors
Here’s the trick. A passkey is phishing-resistant by design — it can’t be copied off a fake page like a password can. So the attackers don’t try to steal it. Instead, while you think you’re enrolling your passkey, they register their passkey on your real account in the background
What makes it hard to catch is that a person, not a script, runs it live. The fake page is a control panel an operator drives in real time, adapting each step to whatever second-check your account throws up
The tell for an ordinary person: real systems don’t ring you up to walk you through adding a security key. If a caller is directing you to enroll a passkey or approve a sign-in, the call itself is the attack. Hang up and go to the account yourself.
Ransomware that turns the computer’s own trust against it
A newer strain shows the same move in a different place — using something the system already trusts to get past the guard. Researchers at Symantec detailed “GodDamn,” a ransomware that carries a Microsoft-signed driver — a small piece of deeply-trusted software — and uses it to switch off the very defences meant to stop it
Ransomware is malware that locks up an organisation’s files and demands payment to unlock them. The old cases are still working through the courts. An Armenian man, Karen Vardanyan, pleaded guilty this week to a 2019–2020 campaign using Ryuk ransomware; he agreed to pay nearly $1.2 million and faces up to 15 years
A leaked key, and the agency that had to clean it up
Trust that’s granted and then forgotten showed up on the defenders’ side too. CISA — the US government’s cyber-defence agency — published a post-mortem on a blunder from May
Britain moves to make platforms carry the cost of scam ads
The under-covered story is a regulator trying to shift where the burden falls. The UK’s Ofcom proposed rules that would force Facebook, Instagram, Snapchat, X, YouTube, TikTok — plus Google and ChatGPT — to ban scam advertisers and stop them from simply opening new accounts
02 · Lesson · why it matters
The weakest point in a strong lock is the moment you add a key
The better we make the locks, the more the attack moves to the one step a lock can't refuse: the moment a system takes on a new key it has been told to trust.
The helpful call
The phone rings. Someone from IT support says your account needs a new passkey, and offers to walk you through it. You share your screen or open the link they send. Step by step, you follow along. At the end, there’s a new key registered on your account. It works perfectly. It just isn’t yours.
That is this week’s attack, stripped to its bones. A passkey is the strongest common login there is — a credential tied to your own device that a fake website can’t copy the way it copies a password. The attackers didn’t beat it. They stood next to you while you built one, and slipped their own key into the same slot.
The tell is simpler than the trick. Real systems don’t call you up to add a security key. The call is the attack.
The door a lock has to leave open
Think about what a passkey has to allow. You buy a new phone. You need to add it to your accounts. So every system that uses passkeys must have a step where a new key gets registered and trusted. Without that step, you could never set up a new device — you’d be locked out of your own life.
That step is the enrollment door. And here is the thing about it: it cannot be as hard as the wall around it. The wall’s whole job is to say no. The door’s whole job is to say yes — to grant trust to something that wasn’t trusted a moment ago. You can harden a wall almost without limit. A door that has to open can only be so guarded before it stops being a door.
The attackers understood this before most of us did. They stopped trying to climb the wall. They walked up to the door and got themselves waved through.
Two jobs pulling opposite ways
Every system that protects anything is really doing two jobs at once, and the two jobs fight.
One job is to keep the wrong people out. We pour effort into this side — longer passwords, second checks, passkeys. It gets stronger every year, and it feels like progress, because it is.
The other job is to let the right people in — and their new phones, their new keys, their reset passwords, their “trust this browser” clicks. This side has to stay soft. It exists to hand out trust. You cannot make onboarding as suspicious as a firewall without locking out the very people it’s for.
So security doesn’t have one weak point that engineers keep failing to fix. It has a permanent soft spot that no amount of skill removes, because the softness is the point. The stronger we make the “keep out” side, the more valuable the “let in” side becomes to an attacker — and the more clearly they can see it’s the way in.
The same door, everywhere in today’s news
Once you see the enrollment door, the rest of the week rhymes.
The new ransomware doesn’t smash through the antivirus. It carries a driver the operating system was told, long ago, to trust — signed, approved, waved past the guard — and uses that standing invitation to switch the guard off. Trust granted once and never re-checked is its own open door.
The scam ads that Britain is now trying to curb aren’t breaking into the platforms. They’re buying ad slots the platforms rent out on purpose. The fraud rides in through the front counter, because the front counter’s job is to take money from strangers. And the leaked government keys — a whole set of trusted credentials, left where anyone could pick them up — were a door that trusts whoever holds the key, no questions asked.
None of these attackers picked a lock. Each was let in through something the system had to leave open. That’s not four failures. It’s one shape.
You are the person standing at the door
Here’s where it stops being about companies and starts being about you. You have an enrollment door on every account you own. “Add a device.” “Reset your password.” “Register a new key.” “Approve this sign-in.” Each one is the same soft moment, and in each one the system trusts whoever is standing at the desk performing the steps.
Today, that person can be a voice on the phone — or, more precisely, it can be you, following a voice on the phone. The system can’t tell the difference between you setting up your own key and you being coached into setting up someone else’s. At the door, the genuine and the fake look identical. The only thing that separates them is who started it.
That’s why the reliable move isn’t learning to spot a better fake. It’s noticing who initiated the trust. If you began it — you went to the site, you decided to add the device — it’s yours. If someone reached out and walked you to the door, the walk is the attack, however real the page looks.
What the score doesn’t show
We keep score on the walls. We feel safer with each upgrade — the passkey, the second check, the longer password — and we’re not wrong to. But the safety of the whole was never the height of its strongest wall. It’s the softness of the door it had to leave open, and how little the person standing at that door can see of the whole picture.
The voice on the phone knows exactly which door it’s at, and why it’s soft. You, mid-setup, see only a helpful step in a process you half-recognise. That gap — between the one who planned the door and the one standing in it — is the whole game. Seeing it doesn’t make you safe. It just makes “I’ve got the strongest login, so I’m covered” a sentence worth holding a little more loosely.
03 · Lab · your turn
The Enrollment Desk
Rehearse deciding whether to complete a security step by who started it, not by how real it looks.
04 · Hope · carry this
The strongest defense against this week's attacks needs no expertise and no new gadget — only the small, human habit of finishing what you started yourself, and pausing when someone else walks you to the door. It's rare that safety comes down to something so ordinary, and so within everyone's reach.
More from Cybersecurity