Search This Blog

Showing posts with label Phishing Attack. Show all posts

Medical Data of 12,000 Patients Exposed Following Revere Health Phishing Attack


A healthcare employee of Revere Health, the largest healthcare firm in Utah, was targeted in a phishing email attack that exposed some medical records for approximately 12,000 patients, including patients of cardiology practice in St. George. 

According to a breach notification sent out by Revere Health on Friday, the employee’s mailbox was exposed for roughly 45 minutes on June 21 and leaked some private details about patients of the Heart of Dixie Cardiology Department in St. George. The phishing attack was rapidly identified by Revere Health IT team, which immediately secured the mailbox to prevent unauthorized access. 

After a two-month investigation, Revere Health believes the aim of the attacker was not to secure access to patient data but to use the email account to launch more sophisticated phishing email attacks on other Revere employees. The company found the patients’ data wasn’t being shared online and deemed the breach to be a “low-level risk” to affected patients. 

“From our detailed investigation of this incident, we believe that the intent of this attack was to harvest login credentials from individuals in our organization and not to gather patient information Our security logs suggest that the attacker had three objectives: (1) to spread phishing emails, (2) to gather active usernames and passwords and (3) to attempt financial fraud against Revere Health," stated the healthcare company. 

The exposed data included medical record numbers, dates of birth, provider names, procedures, and insurance provider names. According to Bob Freeze, the director of marketing and communications for Revere Health, no financial information such as credit card information was exposed by this breach of date. The company has informed the impacted patients about the situation and advised them to remain vigilant.

According to the FBI’s 2020 Internet Crime Report, there were 241,342 victims and over $54 million were lost due to these attacks. In 2020 phishing attacks increased by 99.8% from 2019 when there were 114,702 reported attacks. In 2018 there were only 26,379 phishing attacks.

Freeze says Revere Health has further strengthened its tech security protocols and will now send test-phishing emails to employees to prevent more attacks. If they click on the test emails, they will have to undergo awareness training from the group’s IT department. The company also advised its employees to review all aspects of an email before engaging with it. 

According to the Federal Trade Commission (FTC), a phishing email address often looks legitimate, but when clicked, a more sophisticated email address appears. The FTC has recommended several common techniques to avoid phishing attempts including keeping up with software updates on devices, installing security software, using multi-factor identification so it takes more than a password to log in, and backing up data regularly. Alongside, users were advised to not open any links from suspicious email addresses or phone numbers.

Google Docs Scam Still Pose a Risk


A phishing attack known as the "Google Docs worm" proliferated over the internet in May 2017. It impersonated Google Docs and requested full access to Gmail accounts' emails and contact lists via specific web apps. Since the requests seemed to emerge from people the target knew, the scam worked so well. If they gave permission, the software would send the identical fake email to the victim's contacts, spreading the worm further. It affected over a million accounts before Google fixed the situation. 

However, a new study suggests that the company's solutions are insufficient. Another Google Docs phishing fraud might strike at any time. 

According to independent security researcher Matthew Bryant, Google Workspace phishing and scams draw most of their efficacy from abusing legal features and services. Targets are bound to succumb to the assaults since they trust Google's services. To a great extent, the strategy puts the action outside the domain of antivirus instruments or other security scanners since it's online and controls a legitimate framework. 

In research presented at the Defcon security meeting this month, Bryant found that attackers might actually use to move beyond Google's upgraded Workspace insurances. Recent scams utilized a similar general methodology of modifying genuine Google Workspace warnings and provisions to make phishing connections or pages look more real and interesting to targets. 

All of these problems, according to Bryant, arise from Workspace's conceptual design. The same qualities that make the platform versatile, adaptive, and sharing-friendly also make it vulnerable to misuse. The risks are significant, with over 2.6 billion Google Workspace users. 

“The design has issues in the first place, and that leads to all of these security problems, which can’t just be fixed—most of them are not magical one-off fixes. Google has made an effort, but these risks come from specific design decisions. A fundamental improvement would involve the painful process of potentially re-architecting this stuff,” he added. 

Following the 2017 incident, Google strengthened the rules for applications that interact with Google Workspace, particularly those that require essential data like emails or contacts. These “Apps Script” apps can be used by individuals, although Google mainly enables them so that corporate users can modify and enhance Workspace's features. With the additional restrictions in place, if an app has more than 100 users, the developer must submit it to Google for a thorough assessment before it can be released. Meanwhile, if people try to launch an app that hasn't been approved and has less than 100 users, Workspace will display a comprehensive warning page. 

Even with those safeguards in place, Bryant discovered a flaw. Such small applications can run without notifications if a user gets one attached to a document from someone in their Google Workspace organization. The notion is that users trust their coworkers sufficiently that they don't need to bother with strict cautions and notifications. These kinds of design decisions, on the other hand, leave possible attack points. 

“The design has issues in the first place, and that leads to all of these security problems, which can’t just be fixed.” 

Bryant discovered that by sharing a link to a Google Doc with one of these applications connected and modifying the word "edit" at the end of the URL to "copy," the user who accesses the link would get a visible "Copy document" popup. One can dismiss the tab, but if a user believes a document is genuine and clicks to create a copy, they become the creator and owner of that copy. They're also identified as the "developer" of the app, which is still there in the document. The victim would see their own email address in the popup when the program seeks permission to start and acquire their Google account data without any warnings.

Although not all of an app's elements would copy over with the document, Bryant found a method around this as well. An attacker can embed lost elements in Google Workspace's version of a task automation "macro," which is quite identical to the Microsoft Office macros that are frequently exploited. 

Finally, an attacker might persuade someone inside a company to take ownership of and provide access to a malicious app, seeking access to other people's Google accounts inside the same company without notice. 

A Google spokesperson told WIRED, "We’re appreciative of the researcher’s work in identifying and reporting these risks. We are actively making further product improvements based on this research.” 

None of these flaws, according to Bryant, are exclusive to Google Workspace. He also adds that the possibility of future Google Docs phishing attacks shouldn't be a reason to worry. The classic piece of advice applies: Users should only open files they expect, and if not sure why they're getting a specific document, they should verify with the claimed sender. 

On the other hand, the findings highlight the difficulty of preventing misuse on omnipresent platforms designed for flexibility and simplicity. Even something seemingly harmless like Google Docs may rapidly become a launchpad for an attack, possibly affecting billions of people.

Kaspersky Lab detected 1,500 phishing resources targeting crypto investors

Since the beginning of the year, Kaspersky Lab has detected more than 1,500 fraudulent resources around the world aimed at potential crypto investors or users who are interested in mining cryptocurrency

Specialists of the Kaspersky Lab antivirus company warned about an increase in the volume of fraud, the potential victims of which may be crypto investors. Since the beginning of 2021, experts have identified more than 1,500 such fraudulent resources.

In addition, Kaspersky reported on its success: this year the company blocked more than 70 thousand attempts of users to go to fraudulent sites.

Criminals create phishing pages whose task is to steal private keys that allow access to all digital assets and crypto-wallets. Such web resources are usually located in popular domain zones like .com, .net, .org, .info or in cheap zones — .site, .xyz, .online, .top, .club, .live.

Kaspersky Lab noted the high level of detail of malicious sites. As an example, experts cite the loading of real data from existing cryptocurrency exchanges. This is easily explained by the higher level of technical knowledge that people interested in investing in digital currencies must have. Attackers understand this and try to improve their techniques.

Also, scammers often send notifications about fictitious sales of video cards and other digital currency mining equipment. In this case, the victim is persuaded to buy the hardware, which requires an advance payment.

As noted by experts, the topic of investing in cryptocurrencies is willingly used by cybercriminals in conjunction with the names of famous people. For example, people in the U.S. have recently lost several million dollars by being "hooked" on a scheme with the name of Elon Musk. Investors were promised a generous return on investment on behalf of the head of SpaceX.

According to the InfoWatch expert, the first wave of interest in cryptocurrencies in Russia began in 2016-2017. At the same time, fraudulent schemes aimed at deceiving people who were just beginning to get interested in digital assets, mining and blockchain platforms, as well as at deceiving the first investors became widespread.

Hacker Employ Milanote App for Spreading Phishing Email


The usage of collaborative applications had been a major victory with the pandemic. That incorporates Microsoft Teams, Google Meets, Zoom, and many others. Indeed, the software on the web makes brainstorming, designing, and collaborating with team members easier for all kinds of concepts. 

Milanote is among the most popular apps used in this period. It is recognized as an application for creators to note, compile and collaborate. It is used for sorting notes, gathering ideas, structuring activities - workflows, and much more. Companies mentioned, among many others, like Uber, Facebook, Google, and Nike, use it for their office routine. 

According to analysts, the Milanote app, also designated by reviewers as "the Evernote for creatives," has gained the attention of cybercriminals, that further abuse it to conduct credential-stealing campaigns that glide past secure email gateways (SEGs). 

The report compiled and published on Thursday by Avanan indicates that the hackers look to hack the victims using a simple email. The mail sent has the line of the subject as, "Project Proposal Invoice". The email body is rather explicit, only saying, “Hello. See attached invoice for the above-referenced project. Please contact me if you have questions or need additional information. Thank you.” There have been no customization, branding, or other characteristics of social engineering in the mail. 

“The email itself is pretty standard issue,” Gil Friedrich, CEO, and co-founder of Avanan stated. “It gets attention with the subject of ‘Invoice for Project Proposal.’ It’s certainly not the most sophisticated effort in the world, however, it understands what emails can get past static scanners, including, in this case, Milanote.” 

If the attachment link in the email is opened by the destination, a single-line document opens ("I shared a file with you. Click on the "Download" link (see below) with a clickable "Open Docs" button. 

Lately, the volume of these slippery phishing attacks has increased "dramatically," according to Avanan researchers. In the communication network, 1,430 e-mails were analyzed that contained a link to Milanote, and 1367 were part of the phishing campaigns (a whopping 95.5%). 

“[Most] use static scanners to scan attachments or links for malicious payloads,” according to the writeup. “In response, hackers are bypassing those detection mechanisms by nesting the payloads in deeper layers within legitimate services, fooling the static scanners. This is part of a larger trend of hackers utilizing legitimate services to host malicious content. Because the scanner doesn’t go that deep, hackers can leverage these services to host their content and easily send it to users.” 

Friedrich told that the scammers have been increasingly employing this technique in a large number of services. Another part of the development is that malicious hackers have resorted to them with the advent of collaborative platforms to create new techniques for social engineers and escape defenses. 

“We’re talking to people on Zoom, sharing thoughts on Slack, using whiteboards on Jamboard and thousands of other services. Email is still incredibly important, of course, but there are other places where information is transmitted,” he added. 

Cybercriminals may bring dangerous links to where they have been, rather than just email. It enables hackers with simple access to many of these collaboration apps. Since they did not get the same phishing training at these sites, users may have their guard down. It's an easy approach for con men to realize many of their malicious goals. Users are advised to stay alert to the Milanote attack and other similar rocketing attacks, by following the best safety practices available. 

Email Fatigue Elevates Cyber Crime Rates


According to research, email is indeed the most preferred medium of communication by almost 86 percent of professionals. Whilst the average office employee gets 121 e-mails a day and sends roughly 40 business e-mails, Radicati Group's 2017 study reports that 269 billion e-mails are sent daily to just over 3.7 billion e-mail users worldwide. Consequently, cyber-attacks based on email are also sky-rocketing. 

Furthermore, because of the broad shift to work from home culture due to the pandemic, more vital data is communicated through email than ever. Users can get hundreds of E-Mails every day, and it takes time and effort to screen them. 

Given the rising volume, it is no surprise that email fatigue is growing. Unfortunately, this exhaustion will make it easier for people to click a harmful e-mail, which explains why 94 percent of malware is currently sent by email. 

Email fatigue is a word used to describe a condition where email users feel overwhelmed with the emails they receive. This can often lead to unsubscriptions, low commission rates, or even a large number of spam reports. 

However, while spam is an old-school approach, it is still being used for nefarious reasons by hackers. Fake spam withdrawal is a strategy that cybercriminals employ to improve their mailing lists and validate email addresses. Whenever a user clicks on a false link in a spam email, the spammer will check for the correct emails, active, and regularly checking the email address. From there the user can receive additional malicious payloads in an email. 

Notable phishing attack includes the Five Rivers Health Centers in Dayton, Ohio where 155,000 patients details were exposed for 2 months owing to an e-mail phishing attack. And over 10,000 phishing scams exploiting common coronavirus concerns were investigated in 2020 by Her Majesty Revenue and Customs (HMRC) from the UK. 

The successful spear phishing resulted in 95 percent of the attacks on enterprise networks. The Australian hedge fund co-founder, Levitas Capital, was a target of a whaling attack in November 2020, which is a form of spear phishing. Although it cost the corporation $800,000 – a little below the initially anticipated 8 million dollars – it also resulted in a loss of the largest customer for the hedge fund. Finally, the company had to close permanently. 

In 2019, an investigation of cybersecurity indicated that 26 percent of global firms have compromised by one to ten BEC attacks (business e-mail compromise). Recent attacks by the BEC include: 

  • Barbara Corcoran's Shark Tank Host that lost $380,000, 
  • The Puerto Rican government, which amounted to $4 million; 
  • Japan's media powerhouse, Nikkei, sent $29 million in a bogus email, according to instructions.

Cyber-crime members constantly improve their email methods by playing with the emotions of a victim: causing fear, manipulating greed, benefiting from the curiosity of the individual, asking for help, or encouraging users to feel comfortable. This strategy is frequently employed by ransomware-as-a-service attackers. 

A one-and-a-done strategy never works whenever it comes to email security. Malware is passed through a single defense, hence a solution must include several protective layers. In this method, a subsequent layer stops if malware defeats a defense. 

Using a multi-layered method paired with Acronis Cyber Protect technologies, including URL filtering, may prevent harmful domains and malware downloads from being the first affected systems.

FedEx and DHL Express Hit with Phishing Attacks


Researchers reported on Tuesday that they discovered two email phishing assaults targeting at least 10,000 mailboxes at FedEx and DHL Express that hope to extract client's work email account. In a blog published by Armorblox, the researchers said one assault impersonates a FedEx online document share, and the other claims to share shipping details from DHL. The phishing pages were facilitated on free services like Quip and Google Firebase to deceive security technologies and clients into thinking the links were legitimate.

“The email titles, sender names, and content did enough to mask their true intention and make victims think the emails were really from FedEx and DHL Express respectively,” said researchers with Armorblox on Tuesday. “Emails informing us of FedEx scanned documents or missed DHL deliveries are not out of the ordinary; most users will tend to take quick action on these emails instead of studying them in detail for any inconsistencies.” 

The phishing email spoofing American multinational delivery services company FedEx was entitled, “You have a new FedEx sent to you,” with a date that the email was sent. This email contained some data about the document to make it seem legitimate – like its ID, the number of pages, and kind of document – alongside a link to see the supposed document. On the off chance that the recipients clicked on the email, they would be taken to a file facilitated on Quip. Quip, which comes in a free form, is a tool for Salesforce that offers documents, spreadsheets, slides, and chat services. 

A separate campaign impersonated German international courier DHL Express, with emails telling recipients that “Your parcel has arrived,” with their email addresses towards the end of the title. The email told recipients that a package couldn't be conveyed to them because of incorrect delivery details – and that the parcel is rather ready for pickup at the post office. The email provoked recipients to look at appended “shipping documents” if they want to receive their delivery. The attached document was an HTML file (named “SHIPPING DOC”) that, when opened, previewed a spreadsheet that looked like shipping documents.

Hacking Group Earth Wendigo Exploits Emails via Spear-phishing Attacks

As per the cybersecurity experts, the cyberattacks are related to Earth Wendigo, a cyber criminal currently not linked to any of the hacking groups. At the start of May 2019, Trend Micro reported that multiple organizations were attacked by Earth Wendigo. The targets include research institutions, government organizations and universities. The cyberattack used spear-phishing mails to exploit its victims, which include activists and politicians based in Hong Kong, Tibet and Uyghur region. 

Trend Micro reports, "we discovered a new campaign that has been targeting several organizations — including government organizations, research institutions and universities in Taiwan — since May 2019, aiming to exfiltrate emails from targeted organizations via the injection of JavaScript backdoors to a webmail system that is widely-used in Taiwan. With no clear connection to any previous attack group, we gave this new threat actor the name “Earth Wendigo.” 

Earth Wendigo deployed spear-phishing emails that contained obfuscate Java script code, using initial attack vectors, Java script loaded corrupted scripts from remote servers controlled by attackers. The scripts were built for stealing Webmail session keys and browser cookies, spread the malicious scripts through appending code with the target's email signature, and exploiting an XSS (cross-site scripting) vulnerability in the Javascript injection Webmail server. "The Earth Wendigo threat actor will establish a WebSocket connection between the victims and their WebSocket server via a JavaScript backdoor. The WebSocket server instructs the backdoor on the victim’s browser to read emails from the webmail server and then send the content and attachments of the emails back to the WebSocket servers," says Trend Micro. 

The XSS vulnerability exploit exists in system shortcut feature of webmail, which allows the threat actor to put craft payload shortcut that replaces webmail system page's parts by corrupted JavaScript codes. "Additional investigation shows that the threat actor also sent spear-phishing emails embedded with malicious links to multiple individuals, including politicians and activists, who support movements in Tibet, the Uyghur region, or Hong Kong. However, this is a separate series of attacks from their operation in Taiwan, which this report covers," reports Trend Micro.

PayPal Phishing Scam 2021, Here's How to Stay Guarded


Another PayPal phishing campaign attempts to take account logins and other personal data. Noxious individuals are sending clients instant messages warning them that their accounts are permanently "limited" and urging them to sign in and verify their identity and account via a given link. Just as it is run of the mill with PayPal phishing messages, this trick likewise incorporates all the vital parts to deceive clients – a short claim that threatens with the outcome and a phony link that diverts clients to a caricaturing site. 

Cybercriminals abuse clients' inexperience and lack of experience by employing infamous social engineering techniques. They create emails or messages that resemble those from real organizations, which persuades victims to give away their details readily. 

The given hyperlink in the new PayPal phishing campaign diverts telephone clients to a spoofing webpage that appears to be indistinguishable from that of PayPal, however, the web address is observably different. Also, prospective victims are quickly approached to sign in to their accounts. Along these lines, they are diverted to a page where a couple of clarifications on why their accounts have been limited are shown, and they are encouraged to secure their accounts. At that point, PayPal clients see another page where they are approached to give their data, such as complete name, date of birth, and billing address. When clients fill in these details, every one of them is then shipped off to the operators behind the scam. They could utilize them to abuse users' PayPal account, open new bank accounts, or utilize the individual's data for future phishing campaigns. 

On the off chance that you've been fooled into filling these fields, at that point the following steps should be taken to avoid becoming a cyber victim: 

 • Sign in to your PayPal account and change the password right away. 

 • On the off chance that a similar password is utilized for signing in to some other accounts, visit them and change it also. 

 • Inform PayPal regarding such a scam and that you might have got influenced. 

 • To ensure no false accounts are made in your name – issue a temporary freeze on your credit report.

To ensure safe, stay wary of such malicious links and stick to the terms and conditions of the organization. Additionally, please note that PayPal could never send its clients any instant messages or force them to visit and sign in to their system immediately, only cybercriminals operate that way. The organization just sends emails that incorporate such data, and it generally contains a clarification for the constraint.

6.15 Lakh Facebook Users' Account Compromised by Facebook Ad Phishing Campaign


A large scale ad phishing campaign that has compromised more than 6.15 lakh Facebook users' account was exposed by cybersecurity researchers. This ad phishing campaign is spread in at least 50 countries and reportedly the accounts are being compromised by exploiting the pages of open source repository GitHub. 
ThreatNix which is a Nepal-based security firm, while giving insights into the attack, said that the number of affected users is rapidly increasing, at an unusual pace of over 100 entries per minute and the situation is expected to worsen furthermore if necessary steps are not taken in due time.  
The researchers noted, "the phishing campaign by a sponsored Facebook post that was offering 3GB mobile data from Nepal Telecom and was redirecting to a phishing site hosted on GitHub page; the attackers created different pages imitating the legit pages from numerous entities. The attackers were using the profile picture and name of Nepal Telecom". 
Additionally, the cybersecurity firm claimed in a statement this week, “similar Facebook posts were used to target the Facebook users from Pakistan, Tunisia, Norway, Malaysia, Philippines, and Norway”. As per the findings of the firm, this ad phishing campaign is using localized Facebook posts and sending links inside these Facebook posts which redirected to a static GitHub page website that contained a login panel for Facebook. 
The cybersecurity researchers also noted that “after redirecting to a static GitHub page it forwarded the phished credentials to two endpoints one to a Firestore database and another to a domain which was owned by the phishing group”. The researchers also unearthed that nearly 500 GitHub repositories containing phishing pages are part of the identical phishing campaign. 
According to cybersecurity firm ThreatNix, they are working in unison with other authorities to “bring down the phishing infrastructure by reserving the information related to the domain”. The attackers were using Bitly link’s which pointed towards a benign page and when the Facebook ad was approved it was getting converted to point to the phishing domain, they used Bitly’s link because now Facebook takes all necessary steps to ensure that such phishing pages are not approved for ads.

Credential Phishing Attack Impersonating USPS Targets Consumers Over the Holidays


As the year is coming to a wrap, the 2020 holiday season is being actively attacked by malicious actors.  In recent months, a steady upsurge has been witnessed in cybercrime related to online shopping as people have increasingly shopped online this year. Security experts have predicted a further spike in cyber scams during the holiday season, especially throughout the month of December. 

On Wednesday, Abnormal Security Corporation disclosed that its email security platform has blocked a credential phishing attack that was imitating the U.S. postal service for victims’ credit card credentials. The attack was pursuing recipients for special delivery charges so they can get their delivery within three days. 

Companies reported that peoples are approaching fast order delivery and online orders are continuing to pour in, because of this, courier services are facing more pressure from consumers. It's mainly due to the pandemic that online shipping demand has increased and the rise in online shipping is turning out to be vicious for inexperienced customers of USPS, Amazon, FedEx, and UPS. In a related blog post, Abnormal Security said that the hackers were taking advantage of those customers who were looking for fast delivery over the holidays. 

Recent research by CheckPoint revealed that shipping-related phishing emails have increased 440 percent in November 2020, in comparison to the previous month of October. Furthermore, more phishing scams are being anticipated this holiday season. 

Abnormal Security Platform said on its blog post that they managed to block the attacker before it could hack 15,000 to 50,000 mailboxes of the customers. 

According to intelligence, this attack itself imitates delivery notification emails from the USPS, notifying delivery payment confirmation to the customers that their parcel cannot be delivered until their payment gets confirmed. Although the platform has been hacked, emails were appeared as originating from real US postal service as it was using all official features of the US Postal Service. The email carried some link that leads the customer to a fake USPS tracking site asking for special shipping charges for their fast delivery; this page was ultimately leading recipients to share their credit card information. 

Hank Schless, Senior Manager, Security Solutions at Lookout said, "an attack like this can be even more effective if the target accesses it from a mobile device. It’s harder to spot a phishing attack on mobile than it is on a desktop. Since mobile devices have smaller screens and a simplified user experience, people are less inclined to verify the sender’s real email address or identity. In this particular case, if the targeted individual doesn’t know how to preview a link on mobile, they are at higher risk of falling for the scam."

As suggested by Jamie Hart, Cyber Threat Intelligence Analyst at Digital Shadows, users and security teams can follow the steps mentioned below to ensure the prevention of phishing attacks. 

• Install antivirus software 
• Frequently update all the systems which include the latest security patches and updates 
• Use a web filter that blocks suspected websites 
• Offer more often security training that includes when and where users should report suspected phishing emails.

Massive BEC Phishing Ring Uncovered, 3 Nigerian Nationals Arrested


In the city of Lagos, three Nigerian nationals suspected of participation in an organized cybercrime group behind malware distribution, phishing attacks, and a massive business email compromise (BEC) ring responsible for scams globally, have been arrested under “Operation Falcon” carried out jointly by international police organization with Nigeria Police Force and Singapore-based cybersecurity firm Group-IB, according to the reports by Interpol. 
In a Business Email Compromise (BEC) attack, the threat actor hacks and spoofs email to impersonate an organization’s CEO, vendors, or senior executives to trick employees and customers by gaining their trust; which later is exploited as the attackers encourage actions relating to funds transfer to criminal’s account or transferring confidential data, in some cases. 
The cybercriminals behind the operations performed a number of their phishing campaigns in disguise; masked as product inquiries, Coronavirus aid, or purchasing orders. Stealing authentication data from emails, web browsers, and FTP clients from organizations based in the UK, the US, Japan, Nigeria, and Singapore, has been identified as the primary objective of these phishing attacks, as per Group IB. 
As the ongoing investigation continues to uncover other suspects and monetization means employed by the ring, around 50,000 targeted victims have been discovered, so far. Allegedly, the participants of the rings developed phishing links and domains before performing mass BEC campaigns wherein they sophisticatedly targeted corporations of all sizes. Reportedly, 26 different malware variants were being deployed by the criminals including remote access Trojans (RATs) and spyware. 
"They then used these campaigns to disseminate 26 malware programmes, spyware, and remote access tools, including AgentTesla, Loki, Azorult, Spartan, and the nanocore and Remcos Remote Access Trojans,’ the INTERPOL said. 
"This group was running a well-established criminal business model," Interpol's Cybercrime Director Craig Jones noted. "From infiltration to cashing in, they used a multitude of tools and techniques to generate maximum profits." 
“These programs were used to infiltrate and monitor the systems of victim organizations and individuals, before launching scams and siphoning funds,” as per an announcement by INTERPOL. “According to Group-IB, the prolific gang is believed to have compromised government and private-sector companies in more than 150 countries since 2017.”

A Provider of Cyber Security Training Loses 28,000 Items of Personally Identifiable Information (PII) In a Data Breach

A provider of cybersecurity training and certification services, 'The Sans Institute', lost roughly 28,000 items of personally identifiable information (PII) in a data breach that happened after a solitary staff part succumbed to a phishing attack. 

The organization discovered the leak on 6 August 2020, when it was leading a systematic review of its email configuration and rules. 

During this process, its IT group identified a dubious forwarding rule and a malignant Microsoft Office 365 add-in that together had the option to forward 513 emails from a particular individual's account to an unknown external email address before being detected. 

While the majority of these messages were innocuous, however, a number included files that contained information including email addresses, first and last names, work titles, company names and details, addresses, and countries of residence. 

Sans is currently directing a digital forensics investigation headed up by its own cybersecurity instructors and is working both to ensure that no other data was undermined and to recognize areas in which it can harden its systems. 

When the investigation is complete, the organization intends to impart all its findings and learnings to the extensive cybersecurity community. 

Lastly, Point3 Security strategy vice-president, Chloé Messdaghi, says that "Phishers definitely understand the human element, and they work to understand peoples’ pain points and passions to make their emails more compelling. They also know when to send a phishing email to drive immediate responses." 

And hence she concluded by adding that "The final takeaway is that we all need to stay aware and humble – if a phishing attack can snag someone at the Sans Institute, it can happen to any of us who let our guard down."

Android Malware, FakeSpy Spying on Users' Banking Information Acting as Postal Services

A new Android malware, FakeSpy that can potentially steal an individual's banking details, read contact lists, application, and account information along with other personal data, is seen to be spreading across the globe. Earlier, the Android malware was targeting limited regions; the new campaign propagating the malware spreads itself using SMS phishing attacks.

The Android malware was originally discovered in 2017 while it was attacking users in Japan and South Korea, however, now security researchers have identified more potent variants of the malware attacking users in various countries like United States, Germany, France, Taiwan, United Kingdom, and China to name a few.

FakeSpy, labeled as 'the information stealer', is evolving rapidly, undergoing active development that can be seen in the weekly release of new variants of malware with different levels of potential and evasion capabilities.

"The malware authors seem to be putting a lot of effort into improving this malware, bundling it with numerous new upgrades that make it more sophisticated, evasive, and well-equipped. These improvements render FakeSpy one of the most powerful information stealers on the market. We anticipate this malware to continue to evolve with additional new features; the only question now is when we will
see the next wave," Security researchers at Cybereason told.

The tailored attacks are being found to be linked with a financially motivated Korean-or Chinese-speaking cybercriminal group known as 'Roaming Mantis' that had been involved in other similar operations, according to the research carried out by researchers at Cybereason.

FakeSpy is operating with the agenda of making financial gains through stolen credentials and banking information of users, the campaign includes sending postal-themed messages to the targeted user's contacts.

While giving insights into the attack, Assaf Dahan, senior director and head of threat research at Cybereason told ZDNet, "We are under the impression that this attack is what we often refer to as "spray and pray." I don't believe they are aimed at a particular individual, but instead, the threat actors try their luck, casting a rather wide net, and waiting for someone to take a bite."

"We see new developments and features added to the code all the time, so my guess is that business is good for them," he further added.

Email Phishing Scam: Scammers Impersonate LogMeIn to Mine Users' Account Credentials

A Boston, Massachusetts based company, LogMeIn that provides software as a service and cloud-based remote connectivity services for collaboration, IT management and customer engagement has fallen prey to the scammers targeting companies' work from home schemes set up due to the ongoing pandemic, the campaign impersonates the remote access tool (RAT) LogMeIn and mines the unsuspecting users' account credentials.

As the number of people working from home increased rapidly, scammers saw it as a golden opportunity to carry out impersonations of remote tools such as Zoom and LogMeIn more blatantly than ever; the first incident being spotted in the month of May confirms the attributions made by the researchers in regard to COVID-19.

In this particular attack, the phishing email appears to be coming from LogMeIn, cautioning the user at the receiving end, of a zero-day exploit present in the LogMeIn Central and LogMeIn Pro- two of the company's products. It goes unsaid that in reality there exists no such vulnerability and victims' are made to follow a link that claims to be LogMein URL but takes the user to a phishing page where they would enter the credentials that would be obtained by the scammers behind the attack. Additionally, the threat actors are also exploiting the security issues that already existed in remote access platforms as a part of this phishing campaign.

While giving further insights, Abnormal Security said “Other collaboration platforms have been under scrutiny for their security as many have become dependent on them to continue their work given the current pandemic,”

“Because of this, frequent updates have become common as many platforms are attempting to remedy the situation. A recipient may be more inclined to update because they have a strong desire to secure their communications.”

In order to avoid being scammed by such phishing campaigns, Ken Liao, vice president of Cybersecurity Strategy at Abnormal, alerted users, "Many of the recent attacks have masqueraded as updates--even more specifically--security updates,"

"As always, users should default to updating applications via the application itself and not via links in emails to prevent not only credential loss but the potential introduction of malware onto their machines."

Users May Risk Losing their Passwords on Dark Web For Sale

In April, Zoom became one of the many victims of the companies that lost their user data to the hackers. Zoom, which is one of the top online video conference platforms, lost more than half a million of account logins on the dark web. The leaked passwords could be bought either for free or for a minimal amount of money. Understandably, the users are blaming the Zoom company for losing its accounts, and they have every right to do so. It is, however, a part of much bigger trouble that includes hackers, some criminal niches on the Internet, and the fault of our own to set very weak user passwords.

How passwords end up on the dark web? 

Every year, more than hundreds of millions of user accounts end up getting exposed to the dark web, either through malware or phishing attacks. According to a report by Privacy Rights Clearinghouse, a non for profit organization in California, around 11.6 Billion user accounts have been hacked since the year 2005. The hacked accounts are then either uploaded on hacker websites or posted on the dark web for sale.

These websites and dark web can be accessed only through a specific browser called Tor. "Then there's Tor, the darkest corner of the Internet. It's a collection of secret websites (ending in .onion) that require special software to access them. People use Tor so that their Web activity can't be traced -- it runs on a relay system that bounces signals among different Tor-enabled computers around the world," says Jose Pagliery from CNN Business.] The hackers use these purchased passwords and try logging in with them to several other websites until they are successful, a technique known as credential stuffing.

The hackers used credential stuffing to steal more than 500,000 Zoom user accounts and uploaded them later on the dark web. In response to this, Zoom spokesperson has confirmed that they suspect the hackers used credential stuffing to breach the accounts. "You can help prevent some of these attacks by banning the use of bad passwords, blocking legacy authentication, and training employees on phishing," says Microsoft's security website on "how to prevent your company from web attacks."

Cisco “critical security advisory” part of a phishing campaign ?

Amidst the coronavirus pandemic, there is an influx of telecommuters who, have come to heavily depend on online conferencing tools like Webex, Zoom and a few others.

With this rise in online meetings and ongoing phishing campaign is affecting more and more users with a recycled Cisco security advisory that cautions of a critical vulnerability and further urges the victims to "update," with the sole aim to steal their credentials for Cisco's Webex web conferencing platform.

Ashley Tran in a recent analysis said with Cofense's phishing defense center stated, “Targeting users of teleconferencing brands is nothing new, but with most organizations adhering to guidelines that non-essential workers stay home, the rapid influx of remote workers is prime picking for attackers trying to spoof brands like WebEx. We anticipate there will continue to be an increase in remote work phishing in the months to come.”

Researchers are of the view that phishing emails are being sent with various 'attention-grabbing subject lines', for example, "Critical Update" or "Alert!" and originate from the spoofed email address, "meetings@webex[.]Com".

They said to Threatpost, this was a mass "spray and pray" phishing campaign with "numerous end-users" accepting and reporting the email from a few several industries, including the healthcare and financial ones. The body of the email installs content from a real Cisco Security Advisory from December 2016, alongside Cisco Webex branding.

The advisory is for CVE-2016-9223, a legitimate vulnerability in CloudCenter Orchestrator Docker Engine, which is Cisco's management tool for applications in numerous data-center, private-cloud and open cloud environments.

This critical flaw permitted unauthenticated, remote attackers to install Docker containers with high benefits on the influenced system; at the hour of disclosure in 2016, it was being exploited extensively. Notwithstanding, the vulnerability was fixed in the Cisco CloudCenter Orchestrator 4.6.2 patch discharge (likewise in 2016).

The email tells victims, “To fix this error, we recommend that you update the version of Cisco Meetings Desktop App for Windows” and directs them to a "Join" button to become familiar with the "update."

The attackers behind this campaign focus explicitly on the details, right down to the URL linked to the "Join" button. On the off chance that cautious email beneficiaries hover over the button to check the URL, they'll discover the URL [hxxps://globalpagee-goad webex[.]com/signin] to be strikingly like the authentic Cisco WebEx URL [hxxps://globalpage-prod[.]webex[.]com/signin].

Victims who click on the "Join" button are then diverted onto the phishing landing page, which is identical to the real Cisco WebEx login page.

Researchers said that there is one tiny difference is that when email addresses are typed into the authentic Webex page, entries are checked to confirm if there are associated accounts. On the phishing page, in the meantime, any email format entry takes the beneficiary straightforwardly to the following page to request a password.

Researchers, therefore, caution users to remain on the watch for bad actors 'spoofing' web conferencing and virtual collaboration applications on the grounds that in general.

The attackers are exploiting the frenzy around the coronavirus with phishing messages and emails around financial relied, guarantees of a cure and symptom data subtleties thus the users are advised to be on the lookout.

Mobile Banking Malware On The Rise, 50% Hike In Attacks! WhatsApp a Dependable Medium?

According to studies, with an increase of 50% malware attacks have known no bounds in the past year. Most common of all happen to be malware that steals users’ financial data and bank funds.

The banking malware is on the rise in India. According to several sources, over 35% of organizations and institutions in India have been affected by such attacks in 2019 alone.

Among the most common types of malware that India often faces, that steal photographs and contact details from the phone, Adware is a big name as it generates ads on your phone to make money for some other party.

Another variant that isn’t all that trendy in India is a malware that kicks off surveillance on the target’s phone, tracks its GPS location and snips their personal data. What’s more, they could even control your microphone and other mobile phone operations.

What makes banking malware scary is its ability to steal data while the target’s on their phone making payments. Unaware of any malicious activity, the user would have let some cyber-con know all their bank credentials.

WhatsApp is becoming an accessory in the procedures of banking malware. Despite the hefty encryption that’s done on the chat app, hackers keep finding creative ways to exploit even the most minute of vulnerabilities.

In a recent zero-vulnerability case, the malware which was on the video-file message got transmitted as it is onto the receiver’s device.

To make sure that you don’t get malware installed on your device via WhatsApp, keep cleaning all the data and do not open any doubtful files and links.

Phishing attacks are among other common tactics of hackers to attack users and their devices. Suspicious emails, if opened could help the hackers kick off malware in the mailbox and then the attack goes in a way that takes the target to a website and asks them to fill in their personal information.

Downloading apps from third-party stores and straight from the internet is a strict no! Do not open any suspicious files and treat each link and file with equal distrust. If you’re not sure who the sender is, do not consider the file at all, be it on text message or on email.

Connecting to unauthorized or unknown Wi-Fi networks could also pose security issues. With the tag of free networks to lure you in, “man-in-the-middle” attacks could easily be launched.

Mobile phone security is as paramount as the security of your house or any other electronic device. There has got to be a set of security measures in place to work if anything goes south.

Phishing Attack Alert! Los Angeles County Says No Harm Done!

A Phishing attack last month surfaced over the LA County which was immediately contained before any devices got compromised.

The attack was discovered by the staff, last month. The containment of the attack was done by the staff instantaneously before much damage was done.

The hackers were apparently after the county’s residential data.

Per sources, it all began when the Los Angeles County received a phishing email which extended malicious activities. The malicious campaign was aimed at stealing the receiver’s personal data.

The hackers’ plan was to get the recipient to click on the links/attachment in the email. Reportedly, the email had come from a “third-party account”. Allegedly, the distribution list of the third party got leaked and was sent to more than 25 county employees.

Per website sources, The LA County happens to be the most populated area in the US. It has over 35,000 personal computers, 12,000+ cell phones and 800+ government network locations.

According to reports the “Internal Services Department” happens to support the “Countrywide Integrated Radio System” which extends essential services during emergencies.

Most local governments have faced attacks along the same lines including Los Angeles County as well. Per sources, in the Minnesota case where the phishing attack targeted over 100 LA County employees, the personal data including targets’ names, social security numbers, dates of birth, card details and other personal data was compromised.

It is evident that the phishing attack could have taken a gigantic form if it hadn’t been for the prompt skills of the employees and staff of the LA County.

Given that such a humongous number of devices and networks could have been jeopardized this attack must necessarily be taken as a serious warning.

The already existing and well-established security controls of the county also had a lot to contribute to this successful aversion of the accident.

Reportedly, the county’s Chief Executive Officer had taken this incident as quite a forewarning and mentioned that they would work stalwartly towards improving the security provisions and strengthening them.

The overall incident is still under investigation by the county along with help from a few private participants.

Same Phishing Risks Faced By Start-Ups and Big Corporations

Reports of a near-perfect phishing attempt have surfaced after a large number of remote employees with health and work environment benefits through human resources giant TriNet received such emails.

The emails were shared with TechCrunch, an American online publisher, in order to 'verify their authenticity' and when two independent security researchers were approached to offer their evaluations, both were of the view that it was a phishing email indeed contrived to steal usernames and passwords.

Furthermore, even a $3.7 billion corporation like TriNet, let alone the other big giants are not doing what's needed to counteract such phishing attack on the grounds that had they proactively utilized basic email security techniques, it would have been significantly simpler to identify that the email was not in actuality a phish, but an authentic company email.

Anyway, the issue isn't even a new one for TriNet or for that matter any other big company.

For instance just the previous year, security firm Agari discovered that only 14% of all Fortune 500 companies were utilizing DMARC, a domain security feature that prevents 'email spoofing' and effectively implements it and the new data provided by Agari to TechCrunch shows that figure has risen to just a single percentage point in the last year, bringing it to a small 15%.

Nonetheless, it’s safe to assume that both phishing and impersonation are 'fundamentally' human issues with the intent to attempt to fool clueless victims into turning over their usernames, email addresses and passwords to hackers who at that point login and steal data or money. On that account, it is recommended for the users to always be vigilant when they are at the receiving end of such emails.

Cyber Criminals Stealing Customer Data By Tricking Bank Employees

Kaspersky Lab experts described a recently discovered method of corporate phishing. Attackers send an employee or organization email inviting them to pass an assessment of knowledge and skills on the fake HR portal. To do this, the victim is asked to log in to the site using a working username and password. The potential victim has the impression that it is a mandatory procedure, for the successful passage of which he will receive a monetary reward.

According to the senior content analyst of Kaspersky Lab Tatyana Shcherbakova, in this way, fraudsters get access to corporate mail, which may contain personal data of customers.

Employees of large banks are regularly trained, tested and certified, so they can take a fake invitation for a real one. For this reason, the new phishing method threatens to take on a massive scale.

According to analyst Anton Bykov, at the moment several thousand corporate accounts could already be hacked.

Sergey Terekhov, director of the Technoserv information security competence center, noted that in this case, the employees of the credit departments of banks, in whose mailbox client profiles are stored, are in the risk zone.

At the same time, Denis Kamzeev, head of the information security department of Raiffeisenbank, stressed that all emails in the financial institution are checked through anti-spam and anti-virus and blocked in case of suspicion.

VTB, in turn, said that they delimit access to customer information for employees and keep records of employees who have access to confidential information.

Arseniy Shcheltsin, CEO of Digital Platforms, noted that this type of social engineering is tied directly to a person, not to technology. "Therefore, regardless of security systems, a person can always give a login and password from the mail to attackers."