Is it worth updating to iOS 18.6? Absolutely. While there are no new bells and whistles, it patches a high-severity WebKit zero-day (CVE-2025-6558) and more. Can I change the Action button? Sure! Go to Settings > Action Button to customize the new Action Button on iPhone 15 Pro/16/16E/16 Pro. Just swipe to pick a task like Camera, Shazam, Remote for Apple TV, or even a Shortcut or Visual Intelligence action, then tap Choose to set it. Can I customize the home screen? Of course. Give your home screen a fresh look by entering jiggle mode (long-press the screen), tapping Edit > Customize, and then: Reposition apps anywhere on the grid.Expand icons into widgets by tapping the resize handles.Choose Automatic, Dark, Light, or Tinted icon styles (use the eyedropper to match your wallpaper).Toggle Large icons to hide labels and boost visibility.Tap anywhere to apply and then exit. Voila! Will these tweaks work on any iPhone model? Most of these work on any iPhone running iOS 18 or later. However, features like Prioritize Notifications and the Action Button require an Apple Intelligence-capable iPhone 15 Pro or iPhone 16 model. Get the morning’s top stories in your inbox each day with our Tech Today newsletter. More

Joseph Maldonado/ZDNETFollow ZDNET: Add us as a preferred source More

Operators of a phishing campaign targeting the construction and energy sectors exposed credentials stolen in attacks that were publicly viewable with a simple Google search. 

On Thursday, Check Point Research published a blog post describing the campaign, in which stolen information was dumped on compromised WordPress domains. 
The recent phishing attack began with one of several fraudulent email templates and would mimic Xerox/Xeros scan notifications including a target company employee’s name or title in the subject line. 
Also: Best VPNs • Best security keys • Best antivirus   
Phishing messages originated from a Linux server hosted on Microsoft Azure and were sent through PHP Mailer and 1&1 email servers. Spam was also sent through email accounts that had been previously compromised to make messages appear to be from legitimate sources. 
Attackers behind the phishing scam included an attached HTML file containing embedded JavaScript code that had one function: covert background checks of password use. When credential input was detected, they would be harvested and users would be sent to legitimate login pages. 
“While this infection chain may sound simple, it successfully bypassed Microsoft Office 365 Advanced Threat Protection (ATP) filtering and stole over a thousand corporate employees’ credentials,” Check Point says. 

The attackers’ infrastructure includes a web of websites, backed by the WordPress content management system (CMS), that were hijacked. Check Point says that each domain was used as “drop-zone servers” for processing incoming, stolen credentials. 
However, once stolen user data was sent to these servers, it was saved in files that were public and were indexed by Google — allowing anyone to view them through a simple search. 
Each server would be in action for roughly two months and would be linked to .XYZ domains that would be used in phishing attempts. 
“Attackers usually prefer to use compromised servers instead of their own infrastructure because of the existing websites’ well-known reputations,” the team noted. “The more widely recognized a reputation is, the chances are higher that the email will not be blocked by security vendors.”
Based on a subset of roughly 500 stolen credentials, the researchers found a wide range of target industries, including IT, healthcare, real estate, and manufacturing. However, it appears that the threat actors have a particular interest in construction and energy. 

Check Point reached out to Google and informed them of the credential indexing. 
While attribution is often a challenge, a phishing email from August 2020 was compared with the latest campaign and was found to use the same JavaScript encoding, suggesting that the group behind this wave has been in operation for some time. 

Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

The device has a 1080p HD camera with LED lights at the tip. Adrian Kingsley-Hughes/ZDNETI have a number of inspection cameras More

Jack Wallen/ZDNETFollow ZDNET: Add us as a preferred source More