Password Theft Becomes The New Goal For Hackers

Barracuda Networks a month ago hailed a "critical alert" when it discerned an attack that endeavoured to steal user's passwords. This risk baits victims with Microsoft 365 Office files asserting to be tax documents or other official reports; assailants utilize dire dialect to persuade people to open the attachment.

Files named "taxletter.doc" and phrases like ""We are apprising you upon the arisen tax arrears in the number of 2300CAD" are a major example of the strategy utilized by hackers. Users, when they download and open the malignant record are hit with the password stealer. At the point when the report opens, a macro inside launches PowerShell, which acts out of sight in the background while the victim views the document.

Fleming Shi, senior vice president of technology at Barracuda, comparing this threat with phishing attacks of the past, says "Today's documents are far more active … you're putting in a lot of content, media, links," he further added in this context "Bad guys are leveraging the dynamic, active manner of the documents today to weaponized their files."

Millions of individuals have known to be affected by these phishing emails as attackers figure out how to dodge detection by creating different emails. While Exchange server makes up an extensive segment of individuals affected the alternate sorts of email accounts are additionally focused with the malevolent records.

This password theft is expanding in general, an indication of attackers moving their objectives and procedures, Shi clarifies further. Ransomware was huge a year ago; but this year, password stealers are showing up in phishing emails, browser extensions, and different programs as hoodlums chase the login information.
The real reason however, concerning why usernames and passwords have been focused on is on the grounds that they are equipped for giving access to numerous frameworks and applications that a specific user is attached to and operates at a regular schedule.

"Some attackers try to be like a sleeper cell on your system," Shi notes. The subtle signs that slowly bring it to the users focus and lets them know that their system has now been compromised and that they’ve lost control over all their applications is the conventional slowing down of their systems and the sudden upsurge in the pop-ups displayed.

"Some attackers try to be like a sleeper cell on your system," Shi notes.

A month ago, the IRS Online Fraud Detection & Prevention Centre (OFDP) reported an ascent of compromised emails in the beginning of January 2017 as the IRS authorities are also prescribing alert in the midst of an expansion of tax related phishing emails.
Here and now the cybercriminals are going for mass information burglary, and it's a timely opportunity for assailants to exploit users' wariness of tax season and make their crusades more compelling. In this way, it is smarter to be mindful and watchful while opening any business related or official looking report got by means of mail or some other online medium on the grounds that around here, it's better to be as careful as possible.

Lazarus Hacking Group back with new hacking campaign targeting banks and bitcoin users

The North Korean Lazarus Hacking Group, which was believed to be behind the WannaCry ransomware attack last year, has returned with a new campaign targeting financial institutions and bitcoin users.

The new campaign, as discovered by the McAfee Advanced Threat Research (ATR) analysts and dubbed as “HaoBao”, was termed by McAfee as an “aggressive Bitcoin-stealing phishing campaign” that uses “sophisticated malware with long-term impact.”

It resumes Lazarus’ phishing emails, posed as job recruiters, from before but now targets global banks and bitcoin users.

It works by sending malicious documents as attachments to unsuspecting targets, who open the malicious document and unknowingly allow the malware to scan for Bitcoin activity, after which it establishes an implant for long-term data gathering on being successful.

According to the firm, McAfee ATR first discovered of the malware on January 15th, when they spotted a malicious document passed off as a job recruitment for a Business Development Executive at a multi-national bank based in Hong Kong.

More information can be found in a blog by McAfee regarding the campaign.

While the form of attack seems nothing new, the two-stage attack malware has surprised researchers.

“This campaign deploys a one-time data gathering implant that relies upon downloading a second stage to gain persistence,” said McAfee analyst Ryan Sherstobitoff. “The implants contain a hardcoded word ‘haobao’ that is used as a switch when executing from the Visual Basic macro.”

According to Sherstobitoff, the dropped implants have “never been seen before in the wild” and were not used in the last campaign either.

He believes that, because of a lack of solid regulations in respect to cryptocurrencies and the fact that sanctions against North Korea are difficult to enforce with digital currencies than with hard currency, such attacks will only grow — which could spell bad news for bitcoin users.

Aside from the link to the WannaCry attack, Lazarus is also believed to be linked to the Sony hack in 2014 and the attack on South Korean cryptocurrency exchanges last year.

Fake Verification of Twitter account could lead to Phishing and Credit Card theft

The verification of somebody's account on Twitter is a pretty big deal as you as an user cannot do anything about it. It is only if you are recognizable by thousands of people that Twitter verifies your account.

The chance to get a verified account on Twitter can seem very tempting and that is how somebody operating Twitter account 'Verified6379' is scamming people into divulging their payment details.

The user which claims to be an 'Official Verification Page' of Twitter redirects you using a shortened Goo.gl URL and lands you on a page that looks like twitter.

The page then demands secure information like username, password, credit card numbers and others to verify your account.

The URL has seen over 18,000 hits over the last month.

Cybercriminals abusing Microsoft Azure for phishing attacks


CyberCriminals usually host fake web pages on hacked websites, free web hosting, more recently they abused Google Docs.  These fake pages(phishing pages) trick unsuspecting users into handing over their personal and financial information.

Now, the cyber criminals have started to abuse the Microsoft's Azure cloud platform to host their fake websites.

Creating accounts on Azure is very easy and they are also offering a 30-day trial.  Once you are done with account creation, you can easily create your web pages using the main dashboard.

However, Registration process is not easy for criminals.  Because, it needs you to provide a valid phone number and credit card details.

MalwareBytes researchers says the attackers may have stolen the username and passwords from legitimate users that were already registered.

Netcraft has identified several phishing pages targeting users of Paypal, Apple, Visa, American express, Cielo hosted on Azure.

PhishTank records:
http://www.phishtank.com/phish_detail.php?phish_id=2428419
http://www.phishtank.com/phish_detail.php?phish_id=2391951
http://www.phishtank.com/phish_detail.php?phish_id=2342647
http://www.phishtank.com/phish_detail.php?phish_id=2174737

Australian Foreign Minister Julie Bishop Twitter account hacked


It's not usual tweet from Australian Foreign Minister Julie Bishop which suggest users to check out the post weight loss.

"LOL u gotta read this, its crazy [link]", " I'm laughing so hard right now at this[LINK]" these are one of the tweets posted from her account.

If you are regular user of E Hacking News, you would have already realized that this is nothing other than spam tweet.  However, most of people do not aware of that.

At first, i thought the link leads to simple weight loss spam website.  While analyzing few similar links, i found that some links are leading to a Twitter phishing page.

The JulieBishopMp account has more than 57k followers.  It means the phishing page has reached thousands of users.  We are not sure how many of them fall victim to these attack.

We already seeing plenty of similar fake tweets are being posted from several accounts(some accounts have more than 10k followers) which leads to the phishing pages.

Julie Bishop recovered and posted the following tweet:  "Yes my Twitter account has been hacked/compromised"

Beware of these new twitter phishing attack !  Share this post with your friends and make them aware about these kind of attacks. 

Microsoft confirms phishing attack compromised the employee's email account

Social Engineering attacks is one of the most successful attack method- Even the system which is claimed to be 100% secure can be hacked, if an attacker is able to manipulate one employee.

We recently covered a news about the recent Microsoft's twitter account hack in which Syrian hackers compromised the email accounts of Microsoft's employees through a phishing attack.

Microsoft has finally admitted that the Syrian Electronic Army has hacked into several Microsoft employee email accounts via phishing attack. 

"A social engineering cyberattack method known as phishing resulted in a small number of Microsoft employee social media and email accounts being impacted." Microsoft spokesperson said in an email sent to Geekwire.

Microsoft said that the compromised accounts have been recovered.  They also claimed that no customer info stolen in the attak. 

"We continue to take a number of actions to protect our employees and accounts against this industry-wide issue."

Halifax Bank phishing email claims "3rd party Intrusion detected"


A phishing email targeting UK-based Halifax Bank users attempt to trick recipients into handing over their sensitive information.

The email informs the recipients that "3rd party intrusions" have been detected and their account has been limited for security reasons, according to Hoax-slayer.

To restore the account, it asks recipients to confirm their identify and verify that their account has not been used for fraud purposes, by filling an online validation form.

Once the victim opened the link provided in the email, it will take them to a fake Halifax Bank website where it will ask them to log in.  Then, it will ask victims to enter their personal information such as name, phone number, birth dates.

In next form, they will be asked to enter sensitive information such as Account Number, sort code, card number, expiration date and security code.

As usual in phishing scams, once the form is filled, the victim will be automatically redirected to the legitimate Halifax Bank website.

Victim fell prey to 'phishing' scam and lost £1 Million to fraudsters


This is another incident that reveals why you should be careful on the Internet. A British woman fell prey to a phishing scam and lost her £1million life savings.

The victim unwittingly handed over her personal details to fraudsters after receiving a bogus bank notification email.

Tamer Abdelhamid, the fraudster who stole the personal data then sold the info to Nigerian national, Rilwan Oshodi.  A 26 year old woman from Sierra Leone used the data to change the bank details by pretending to be the victim.

Detectives seized Oshodi's computer during a raid on his home with details of more than 11,000 credit cards, according to DailyMail report.

The fraudsters purchased cheeseburgers, high-end computers, gold with the stolen money. They are facing jail for their roles in the scam.

Phishing Scam alert: Samantha very hot scene from Telugu Movie

The recent report from Symantec shows that, even Cyber criminals became a fan of Telugu actresses Kajal agarwal and Samantha.  Cybercriminals started to use these actresses' name in their phishing campaign.

Few days after symantec spotted a phishing campaign with the title "Samantha & Kajal very hot song from Brindavanam Telugu movie", they spotted another phishing campaign that uses their name.

"the phishing site displayed a picture from a captivating musical number from the movie 'Saitan'." Symantec report reads. "The phishing site was titled, 'Samantha & Kajal Very Hot Song' but in fact, these celebrities were not a part of this movie. "


The phishing page requests the internauts who visit the page to log in for watching the video.  When a user give the login credentials, they will be redirected to the legitimate movie website.

" If users fell victim to the phishing site by entering their login credentials, phishers would have successfully stolen their information for identity theft purposes." researcher says.

Browser Event Hijacking allows hacker to steal your password

Browser Event Hijacking

Be careful what you type on your web browser.  Hacker can hijack search command in browser and steal your password or any other sensitive data by social engineering attack.

The hacking method has been possible for years , but now two POCs has been published that demonstrate how an attacker can lure victims to give their password.

Browser Event Hijacking:

The hacker can hijack the browser event by using 'preventDefault' method on JavaScript, that cancels an operation while allowing all remaining handlers for the event to be executed. For Eg: if you press Ctrl+F , hackers can display their own search box instead of the browser search box.

The hack was initially posted here:
http://labs.neohapsis.com/2012/11/14/browser-event-hijacking/

A simple code that hijacks the browser event and steal password :
$(window).keydown(function(evt){
                if((evt.which == "70" && (evt.metaKey || evt.ctrlKey))){
                        console.log("STRG+F");
                        evt.preventDefault();
                        /* display fake search */
                        $("#searchbox").slideDown(110);
                        $('#search').focus();



Then another researcher rebuild the POC with a fake list of leaked passwords. So someone just presses CTRL+F in his browser and types his password to look if it is leaked ,become victim.

The POC :
http://h43z.koding.com/blog/leaked.html

If you search for any keywords in the page, it will lure you to believe there is password with your search string.

Microsoft Cyber-Crime Department Phishing Scam

A spam mail purporting to be from the Microsoft Cyber-Crime Department claims that all email users around the world are required to validate their account by clicking a link in the message or risk having their email address deleted from the world email server.

“As part of the security measures to secure all email users across the world, All email users are mandated to have their account details registered as requested by the Microsoft Cyber-crime Dept ( M C D ),” part of the email reads.

“You are here by required to validate your account within 24 hours so as not to have your email account suspended and deleted from the world email server. Kindly validate your email account to have your account registered, follow d link below: [Link],” it continues.

To make it more legitimate-looking, the logo of Microsoft’s Digital Crime Unit has been embedded into the notification.

When users click on the link, they’re taken to a bogus website that’s designed to collect sensitive information and send it back to the attackers, Hoax Slayer reports.

Lloyds TSB Bank Phishing Scam

“You have an incoming payment. We have encountered difficulty verifying your account information. This payment has been put into pending transaction. Click here to fix this transaction and view your current balance. LOG IN to verify,” reads a malicious email allegedly originating from Lloyds TSB Bank

"Email asks you to confirm/update/verify your account data at Lloyds TSB Bank by visiting the given link. You will be taken to a spoof website where your details will be captured for the phishers."www.millersmiles.co.uk statement reads.

The scheme itself is old, but this time around the masterminds that run it have slightly altered the message, most likely to ensure that in case potential victims want to verify it, it won’t show up on any scam alert websites.

Users who fall for it and click on the link are taken to the compromised website of a Turkish tourism company which hosts a webpage that mimics the site of Lloyds TSB.

Here, the user is asked to provide the valuable login credentials that can be utilized by the crooks to gain entry to his/her account.

Cyber Criminals use Google Docs for phishing attack

Usually, cyber criminals uses fake domains for phishing attack. Recently,  Sophos researchers come across a phishing attack in which the Google Docs page is used for the attack.

In one of the spam mails, the email asks the recipient to confirm their email account details or risk having it shut down.

Confirm your e-mail account please enter your Mailbox Details by clicking the link below:
[LINK]
Failure to provide details correctly will result to immediate closure of your mailbox account from our database.

The link points to a page on Google Docs (docs.google.com). That gives the link a false aura of legitimacy. Once users visit the link,  the page falsely claims that your email account will be shut down in three days and the only way it claims you can resolve the situation is by entering your username and password.


"Free Mobile Recharge Coupons" scam hijacks Facebook accounts


A recent phishing scam "Free Mobile Recharge" targets Facebook users, hijacks accounts and making impossible to recover the account, warned by McAfee.

The scam automatically post a tricky free recharge offer on the victim's wall to convince their friends to click on that link. Following the link will land you in a phishing website, which asks for their Facebook account details. Once you fill the detail and press the login button, it will take you to survey page. Meanwhile it will send your login details to attacker.

The same scam message is posted on that victim’s wall to further spread the attack.

The attacker not only change the account passwords but also deleted their primary information such as email . Even if the victims try to reset their passwords, they will never get the password reset email from Facebook.

TAX Refund Notification: HMRC phishing scam


"New Spam mail are currently circulating that purport to be sent by the UK tax organization HM Revenue & Customs (HMRC). These e-mails claim that the recipient is eligible to receive a tax refund and that he or she must download an attached file and open it in a browser" report from sophos.

The scam e-mail :


TAX REFUND NOTIFICATION

Dear Taxpayer,
After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of 223.56 GBP.

Please submit the tax refund request and allow us 6-9 days in order to process it.

To access your tax refund, please follow the steps below:

- download the Tax Refund Form attached to this email
- open it in a browser
- follow the instructions on your screen

A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline.


If victim open the attachment, it will ask to enter his/her personal information. Ofcourse submitting the form won't actually send the information to HMRC; it will instead be sent to a malicious third party without the victim's knowledge or approval.

Are you interested to buy iPhone 4s? Beware about ebay Phishing pages


Are you interested to buy iPhone 4s ? Beware CyberCriminals can trick you into giving out your online financial credentials. TrendMicro Researchers have found a new phishing scam that targets users who are out to purchase an iPhone 4S through eBay.

Hackers create a phishing page by copying eBay posts for iPhone 4S units.  The page may look like legitimate one . All the link in the fake page are linked to legitimate site except the "Buy it Now", it leads to fake login page.

When user has filled it all up, users are directed to a page that says they must contact the seller via email in order to proceed with the transaction.

"We’re pretty sure that this is not how transactions go when buying something over eBay. This is most likely a scam that aims to steal money and personal information from its victims. The iPhone 4S is one of the top smartphones in this year’s holiday sales, and clearly the cybercriminals taking advantage of its demand.

This iPhone 4S scam is just one of the many attacks that people might encounter this season. Cybercriminals often leverage holiday activities—such as sending holiday greetings, shopping online, and looking for deals and promos—to launch attacks targeting unsuspecting users." Report from TrendMicro

Your credit card has been removed from your PayPal account : Spam Mails

A New spam mail purporting to be from PayPal claims that the recipient's credit card has been removed from the PayPal account and that they should follow a link to rectify the issue, recent report from Hoax-Slayer .

If anyone follow the link, it leads to a paypal Phishing page that asks them to fill the personal informations including credit card details.

The attackers can use this information to login into paypal or steal money using their credit card data.

Your Amazon Account is about to Expire : Spam Email

A New spam mail targets Amazon users with subject "You have (1) Message from Amazon", it masquerades as Amazon Team. Naked Security Reported today about this spam email.

Spam Mail:
Subject: You have (1) Message from Amazon
Attached file: NO003950033.html

Message body:
Dear customer,

Your online account is about to expire and will be deactivated.

Please confirm wether you want to continue using Amazon or not.

If the answer is yes, download and complete the attached form.

If the answer is no, please ignore this e-mail.

Best wishes,
Amazon Team

Note - Do not reply to this e-mail.

As you can see, the email has an attachment extends with ".html". Yes, it is Trojan, Sophos Security products detect it as "Troj/Phish-AZ" Malware.

Screenshot of Spam Email



Hackers steal millions of pounds from Xbox Live customers using Phishing Attack


CyberCriminals used phishing attack on Xbxo Live Accounts and stolen millions of pounds. The average loss to gamers in 35 countries hit by the scam is around £100, but many lost £200.

Attackers send mail to Xbox Live Customers with Phishing page that claims "offering free Microsoft points that can be used to buy games." The gamers entered the personal info without knowing that it was phishing page. These criminals take small amounts from credit cards over several weeks so that victims can not detect theft. Other victims lost money when passwords were accessed.

The victims only realised when their online profile became "locked out" , meaning someone else had used it.

Microsoft confirmed there had been no breach in the security of Xbox Live itself. Microsoft is investigating and says a small percentage of users are affected. Microsoft spokesman said:
"We take the security of the Xbox Live service seriously and work to improve it against evolving threats.

Very occasionally, though, we are contacted by members regarding alleged unauthorized access to their accounts by outside individuals.

We work closely with impacted members directly to resolve any unauthorized changes to their accounts and, as always, highly recommend all Xbox Live users follow our account security guidance in order to protect their account details."



Facebook Phishing Scam promotes Indonesian rock star


A New Facebook phishers used Indonesian Rock star as beit for their phishing sites.

"This is unlike the previous Indonesian adult scams whose phishing pages gave the impression that the adult video would be of a random celebrity. In October 2011 phishers continued their adult scams on Facebook, but this time they chose the Indonesian rock star Ahmad Dhani in particular." reported by Symantec.

Dhani is the frontman of the rock bands “Dewa 19” and “Ahmad Band”.

The phishing site contained a photograph of Ahmad Dhani and Indonesian singer Dewi Persik. The Indonesian caption of the photograph translated: “To view videos of Ahmad Dhani recorded from CCTV cameras, please login below”. After users entered their Facebook login credentials, the phishing page redirected to a pornographic website. Of course, if users gave away their login credentials to the phishing site, phishers would have successully stolen their information for identity theft. The phishing site was hosted on a free Web hosting site.

Celebrities have been a common target in phishing attacks. In the past, we have seen Aishwarya Rai and Katrina Kaif used as phishing bait. Phishers are choosing celebrities with a large fan following because they perceive a larger audience will mean more duped users.

Security Tips to avoid Phishing Attack ,provided by Symantec:
  • Do not click on suspicious links in email messages.
  • Avoid providing any personal information when answering an email.
  • Never enter personal information in a pop-up page or screen.
  • When entering personal or financial information, ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar.
  • Frequently update your security software, such as Norton Internet Security 2011, to protect you from online phishing.
Security Tips from BreakTheSecurity:
  • Before entering the login information ,check the url
  • Use Secure Connection(Ex: https://gmail.com)
  • Use some AntiPhishing Addon(ex: FirePhish)
  • Don't forget to read our Security Tips Blog: http://www.breakthesecurity.com