Search This Blog

Showing posts with label Phishing Attacks. Show all posts

COVID-19 used as a lure for Cyber Attacks: Report suggest massive increase in Phishing Trends


Since the starting of the year, 2020 has been a bearer of bad news and Covid seems like a bad punch line. With 14 Million cases, the pandemic has wreaked havoc not only on human life but other sectors of business and economy as well; especially impacting cybersecurity, giving a sweet opportunity for hackers and scammers to con people.


According to recent research by Positive Technologies, there has been a 25% increase in phishing attacks in quarter one (Q1)of this year as compared to Q4 of 2019 and 13% of these phishing attacks were related to COVID-19. One of the analysts at Position Technologies said, “Hackers were quick to use common concerns about coronavirus as lures in phishing emails. One out of every five emails was sent to government agencies.”

The researchers also noted that 23 of the tenacious and active APT (Advanced Persistent Threat) groups targeted financial and medical institutions, government agencies, and industries. Around 34% of the attacks on organizations were ransomware ( malware attackers demanding money ransom in order to decrypt files and to not reveal stolen data). One out of every 10 ransomware was targeted at an organization.

This year has seen ransomware evolving into much-feared threat with Maze ransomware collaborating with other ransomware groups and publishing the stolen data on their website. Another ransomware Snake released in the beginning of this year, even deletes backups and snapshots.

Many security analysts discourse that the report from the research isn't all that surprising as COVID-19 has been used as a lure and click-bait to trap users desperate for info on the pandemic.

Jamie Akhtar, CEO of CyberSmart says, “enormous spike in phishing campaigns, fake websites and social profiles that were deliberately impersonating COVID-19 and healthcare-related authorities as hackers exploited the unprepared public.”

 Adding, “Many of these phishing emails can be extremely convincing and are not likely to end soon.

“Businesses and their employees can protect themselves against these attacks in the future by using email filtering that will detect and flag suspicious email addresses and malicious links or attachments, but these often don't catch everything. Training employees on how to spot suspicious and phishing emails is the best way to prevent these kinds of attacks.”

Cyberattacks in the U.S. Hit an All-Time High due to Covid-19, Says Black Hat Report.


Due to the coronavirus pandemic, cybersecurity experts suspect a rise in cyberattacks and cybercrimes, says a survey by Black Hat earlier this week. Around 275 cybersecurity professionals (respondents in the study) have expressed concerns about potential breaches in the U.S. infrastructure and the I.T. industry. More than 90% of these experts believe that due to coronavirus, there has been a jump in cyber threats in the U.S., resulting in data leaks and privacy breaches. Around 24% of experts believe that the current danger is very severe and critical.


Among the cybersecurity threats, work from vulnerabilities in the remote access systems tops the list, accounting for 57% of the attacks. Meanwhile, phishing scams and spam attacks account for a hefty 51%. Around 85% of these experts claim that there might be a targeted cyberattack on the U.S. infrastructure in the next two years. The threat figures went up from 69% in 2018 to 77% in 2019. Among these, around 15% of the respondents believe that the government and the private sector is ready to face these attacks. These percentage figures went down from about 20% in 2019.

The majority of the cybersecurity experts believe that their firms would have to take care of the upcoming cybersecurity challenges. More than half of these believe that they currently lack the required staff force to combat cyber threats. Besides this, the budget required to protect their organization's data from cyberattacks is also low. Besides the concerns about the lack of resources to defend against cybercriminals, experts also say that they lack proper technology. According to the survey results, only half of the technology tools could be termed effective.

"The survey results suggest that the world's top cybersecurity professionals are more concerned than ever about cybersecurity risk at the global, national, enterprise, and consumer levels. While cyber threats have been growing in volume and sophistication in recent years, most security professionals believe that the radical shift toward remote access creates unprecedented risk for sensitive data," says the 2020 Black Hat USA report.

Phishing Attacks Can Now Dodge Microsoft 365's Multi-Factor Authentication


Of late a phishing attack was found to be stealing confidential user data that was stored on the cloud.
As per sources, this is the work of a new phishing campaign that dodges the Office 365 Multi-Factor Authentication (MFA) to acquire the target’s cloud-stored data and uses it as bait to extract a ransom in Bitcoin.

Per reports, researchers discovered that the campaign influences the “OAuth2 framework and OpenID Connect (OIDC) protocol”. It employs a malicious “SharePoint” link to fool the targets into giving permission to “rogue” applications.

MFAs are used as a plan B in cases where the users’ passwords have been discovered. This phishing attack is different because it tries to fool its targets into helping the mal-actors dodge the MFA by giving permissions.

This campaign is not just about gaining ransoms via exploiting the stolen data it is that and the additional threat of having sensitive and personal information at large for others to exploit as well. Extortion and blackmail are among the first things that the data could be misused for.

Sources mentioned that via obtaining basic emails and information from the target’s device, the attacker could easily design “hyper-realistic Reply-Chain phishing emails.”

The phishing campaign employs a commonplace invite for a SharePoint file, which happens to be providing information regarding a “salary bonus”, which is good enough for perfunctory readers to get trapped, mention reports.

The link when clicked on redirects the target to an authentic login page of Microsoft Office 365. But if looked on closely, the URL looks fishy and created without much attention to detail, thus say the security experts.

Reportedly, access to Office 365 is acquired by getting a token from the Microsoft Identity Platform and then through Microsoft Graph authorizations. OIDC is used to check on the user granting the access if authentication comes through then the OAuth2 grants access for the application. During the process, the credentials aren’t revealed to the application.

The URL contains “key parameters” that explain how targets could be tricked into granting permissions to rogue applications on their account. Key parameters signify the kind of access that is being demanded by the Microsoft Identity Platform. In the above-mentioned attack, the request included the ID token and authentication code, mentioned sources.

If the target signs in on the SharePoint link that was delivered via the email they’ll be providing the above-mentioned permissions. If the target doesn’t do so, it will be the job of the domain administrators to handle any dubious activities.

This phishing campaign is just an example of how these attack mechanisms have evolved over the years, to such an extent that they could now try to extort sensitive data out of people seemingly by tricking them into providing permissions without an inkling of an idea of what is actually up.

The lifespan of Phishing Attacks Recorded a Tremendous Growth in H2 2019


Phishing attacks recorded a remarkable surge in H2 2019, the growth has been alarming with the number of phishing websites blockages soaring by 230 percent per year. Earlier, phishers would terminate the fraudulent campaign once their webpages were blocked, however, now they are immediately mobilizing the phishing attack onto other brands. It serves as the main reason as to why the number grew so rampantly.

As the lifespan of phishing attacks increased tremendously, attackers became specific about their target pool and have increasingly targeted online services and cloud storage providers, the primary reason being the huge chunks of sensitive data stored in them that can be downloaded by the attackers to later threaten the victims for a ransom.

Turning towards a diligent attacking method, phishers have improved upon the ways they choose their campaigns and targets – preferring quantity over quality. Client software, e-commerce, online streaming, and delivery services were some online services that contributed to 29.3 percent of the phishers' targets, cloud storages amounted to 25.4 percent while financial organizations made for a total of 17.6 percent, as per the statistics for the last year.

While spotting and preventing the distribution of threats online, a total of 8,506 phishing web resources were blocked by Group-IB's Computer Emergency Response Team (CERT-GIB).

While providing insights on the matter to Help Net Security, Yaroslav Kargalev, CERT-GIB deputy head said, “Several years ago, creators of phishing pages were likely to have some technical background, they created phishing pages, putting much effort into the launch of their campaigns, preventing them from being detected and relentlessly supporting their sustainability....”

“This industry has changed its face — those pioneers no longer create phishing pages, they create tools for operators of web phishing campaigns who do not necessarily have any programming skills, and last year became the culmination of this trend. Since this new generation of phishers is not that experienced in maintaining the web resources viable, the phishing community’s focus has shifted toward the number of scam resources,” he added.

Banking Trojans and cryptocurrency projects have seen a steep decline in their preference amongst cybercriminals. As the functionality of backdoors has continued to expand, spyware and backdoors have stolen the show to reach the number one spot in the popularity rankings with a whopping 35 percent share.

Hackers Exploit Ad Networks to Launch Phishing Attacks against Android Users


The hackers are exploiting mobile ad networks that take the android users to malicious websites. After this, hackers can either steal personal user information or attack the victim's Android device with spams. The Google play store has more than 400 apps that come with ads as a means to generate money for app developers. But recently, the hackers are exploiting these ad networks with the help of an SDK (Software Development Kit). The SDKs help app developers earn money, and the hackers are inserting code to attack the ad network.


According to the research done by Wandera, which is a mobile security firm, the hackers send domain and URLs to the users via the ads. The distribution systems are called Startapp, that allows the hackers to swamp the android device with spams and malicious websites. Startapp isn't responsible for any of the malicious content distributed. However, it is funded by a few agencies that distribute its malicious content. Startapp hasn't responded to the questions of its involvement in this cyberattack. "Our researchers wanted to explore a service that wasn't associated with a single well-known advertiser, such as Google or Facebook, so they took a closer look at the framework from StartApp, which would presumably provide app developers with ads from a wider variety of advertising networks," says Wandera' research report.

It also says that more than 90% of the distributed through the Startapp framework originate from a single ad provider.  Wandera, however, didn't identify the provider's name, but Cyberscoop has identified it as "AdSalsa." AdSalsa is a digital marketing firm that operates from Spain and is responsible for ads that direct users to these malicious websites.

"We help app publishers and developers turn their apps into successful businesses by using advanced data insights to identify relevant campaigns across direct and programmatic channels for each publisher's unique users. Over 400,000 apps have already integrated our lightweight, easy to incorporate advertising SDK. When combined with our mediation options, you can begin earning revenue from your apps in minutes," says StartApp on its website.  Experts at Wandera found 700 apps on Google play store using StartApp's SDK feature. Google, however, has removed 47% of these SDKs, according to Wandera. The exploitation of this advertising, which has now become malvertising, is creating problems for the app developers to secure their apps.

Coronavirus Themed Phishing Attacks Continue to Rise


New data by researchers has demonstrated that cybercriminals are preying on people's concerns regarding the COVID-19 pandemic and carrying out sophisticated phishing, malware and email attacks. The sudden upsurge in the related attacks imply that attackers were quick to adapt to the new global health crisis environment and exploit it in their favor.

As per Barracuda Networks, an American IT security company, the number of email attacks associated with the new Coronavirus has seen a steady surge since January, the type of attack has recorded a 667% spike by the end of February. As per the data, January recorded a total of 137 attacks only, while in the month of February the number spiked to a whopping 1,188 and between March 1st to 23rd, there were as many as 9,116 email attacks in the regard.

Another notable kind of attack is the one where victims are receiving malicious emails with the promises of offering financial relief during the COVID-19 pandemic, researchers warned. Users are being tricked into believing that they will be receiving payments from global institutions, businesses and governments working with a common objective of providing economic aid to common people during the ongoing pandemic, as soon as the user clicks on the links or proceed to download files, the attacker gets illicit access to his credentials, card data, and other sensitive information.

One such campaign is found to be specifically attacking U.S. healthcare, IT sector and higher-education organizations, the emails sent in relation to this campaign contain a message titled "General Payroll!"

"The Trump administration is considering sending most American adults a check for $1,000 as part of the efforts to stimulate the economy and help workers whose jobs have been disrupted by business closures because of the pandemic,” it says.

“All staff/faculty & employee include students are expected to verify their email account for new payroll directory and adjustment for the month of March benefit payment.” The message further reads.

Users receiving the email are asked to access a malicious link that will direct them to a phishing page in order to verify their email account, they will be required to enter their usernames, email addresses, and passwords linked with their employee benefits. By doing so, the user will provide his personal data to the page controlled by the attackers.

“The ongoing shift to coronavirus-themed messages and campaigns is truly social engineering at scale, and these recent payment-related lures underscore that threat actors are paying attention to new developments,” researchers told.

Betting and Gambling Websites under Cyberattack from Chinese Hackers


Since last year's summers, Chinese hackers have been targeting South Asian companies that own online gambling and betting websites. The gambling companies in South Asia have confirmed the hacks, whereas rumors of cyberattacks on betting websites have also emerged from Europe, and the Middle East, however, the rumors are yet to confirm, says the reports of cybersecurity group Trend Micro and Talent-Jump. Cybersecurity experts claim that no money was stolen in these hacks against the gambling websites. However, hackers have stolen source codes and databases. The motive of the attack was not a cybercrime, but rather espionage intended attack to gain intelligence.


According to the experts, a group named 'DRBControl' is responsible for the cyberattack. According to the reports of Trend Micro, the hacking techniques used in this particular cyberattack incident is similar to methods done by Emissary Panda and Winnti. All of these hacking groups are from China that has launched cyberattack campaigns in the benefits of the Chinese state. As of now, it is not confirmed whether DRBControl is launching these cyberattacks in the interests of the Chinese government. According to the cybersecurity group FireEye, not all the attacks have been state-sponsored, as a side business, hackers have been launching these attacks for profits and money.

How did the attacks happen?

The techniques used by DRBControl is not very uncommon or unique. Rather, the attacking techniques used to target victims and steal their data were pretty simple. The hackers send phishing emails that contain backdoor entries malware, and if the user is lured into opening these mails, the system gets infected with backdoor Trojans. However, these backdoor Trojans are not the same as the others.

This kind of Trojan relies on Dropbox file service for hosting and sharing to be used as C&C (control-and-command), to store stolen data and 2nd level payloads. Hence the name, DropBox Control. The Chinese hackers usually use the backdoor Trojans to install other hacking malware and tools so that they can roam through the network and trace the path to the source codes and databases to steal the user data.

Email Server of Special Olympics of New York Hacked; Later Used To Launch a Phishing Campaign


A nonprofit organization committed towards competitive athletes with intellectual inabilities, The Special Olympics of New York as of late at the Christmas holidays had their email server hacked which was later utilized to dispatch a phishing campaign against past donors.

Promptly as the issue surfaced a notification was sent by the nonprofit to reveal the security episode to the people influenced, asking the donors to dismiss the last message received and clarifying that the hack just affected the "communications system" that stores just contact information and no financial information.

"As you may have noticed, our email server was temporarily hacked. We have fixed the problem and send our sincerest apologies," email notification from Special Olympics New York told donors.


The phishing messages conveyed by the attackers were 'camouflaged' as an alert of an approaching donation transaction that would consequently debit $1, 942, 49 from the target's account within two hours.

Utilizing such a brief span outline enabled the phishers to initiate a 'sense of urgency' intended to make the Special Olympics NY donors click on one of the two installed hyperlinks, links that would, as far as anyone knows, divert them to a PDF rendition of the transaction statement.

The phishing email used a Constant Contact tracking URL that redirected to the attackers' landing page. This page has since been brought down, however, it was in all likelihood used to steal the donors' credit card subtleties.


"Please review and confirm that all is correct if you have any questions, please find my office ext number in the statement and call me back," the phishing emails said. "It is not a mistake, I verified all twice. Thank you, have a great weekend."

Shockingly so, this isn't the first, historically speaking, episode where such a ‘mishappening’ was recorded, as the Tokyo 2020 Summer Olympics staff additionally gave an admonition cautioning of a phishing campaign that conveyed emails intended to look like they had originated from the Tokyo Organizing Committee of the Olympic and Paralympic Games (Tokyo 2020).

And additionally said that the malignant emails probably diverted the beneficiaries to landing phishing sites or tainted the victim's PCs with malware whenever opened.

Security Experts warn about threats before Black Friday


Experts of the antivirus company Kaspersky Lab reported that in the discount season, also known as Black Friday, the number of threats from cyber fraudsters has grown significantly.

"According to Kaspersky Lab, the number of phishing threats related to Black Friday has increased significantly over the past two weeks. On the eve of big sales and the upcoming holiday shopping season, cybercriminals are increasingly trying to attack users who prefer to shop online," said the antivirus company.

So, in the period from 18 to 24 November, the company recorded almost twice as many fraudulent resources, compared to the previous week.

The number of phishing attacks on online stores has also increased.“This growth is especially noticeable in Russia: if approximately every 20th phishing attack was sent to the e-commerce section in Runet two weeks ago, last week phishers tried to attack Russian online stores in every 11th case,” concluded company.

As Kaspersky Lab content analyst Tatyana Sidorina noted, an increase in the percentage of phishing attacks is also expected in the upcoming New Year's sales. In addition, there are about 12% more such attacks in the fourth quarter than at other times of the year.

It is interesting to note that earlier, Roskomnadzor warned about the appearance on the eve of Black Friday fraudulent sites that illegally collect personal data under the guise of sales.

"Roskomnadzor experts note that the main purpose of collecting such data (name, phone number, email address, bank details, etc.) is to use them later as spammer databases and to steal bank card data,” stated the regulator.

To avoid identity theft, Roskomnadzor recommends checking the originality of the domain of the online store and checking the presence of an SSL certificate. If the site address begins with http://, and not with https://, this is a reason to doubt the originality of the page.

Phishing attacks against Hedge Funds and Financial Firms




The International hedge funds have become a victim of a new phishing campaign called "Beyond the Grave" that alter data confidentiality of the funds.

A member of the attacking group has posted a statement on  BleepingComputer with a title of "Beyond The Grave Virus infecting Hedge Funds". It is not clear whether the attack was purposely done to take the financial advantage or to cause market instability for political reasons.

"A large number of U.S. and international hedge funds were targeted. We know that the following companies have already been infected by the virus: Elliot Advisors, Capital Fund Management, AQR, Citadel, Baupost Group, Marshall Wace," the statement said.

The attackers included a sample of the phishing campaign email as proof. It contains an open window that the hijackers wanted to show the executable command in the phishing kit.

The phishing emails used in the attack looked perfectly legitimate coming from a financial research company named Aksia and it pretended to be for research purpose related to ESMA (European Securities and Markets Authority) halting short selling during Brexit.


The emails "contain links to the alleged research located at the www.aksia.co site, which attempts to impersonate the real Aksia.com site."

A Marshall Wace spokesman stated: "We are aware that Marshall Wace, alongside other asset managers, was recently targeted by a phishing campaign, but the potential intrusion was picked up by our cybersecurity systems and we are confident there was no breach of our environment. We remain vigilant."

Microsoft, Netflix and PayPal Emerge As the Top Targets for Phishing Attacks



Email security provider Vade Secure released another phishing report following the 25 most 'spoofed' brands in North America that are imitated in phishing attacks. Amongst them the top three are Microsoft, Netflix and PayPal.

Out of all the 86 brands that were tracked, 96% of them all were done so by the company as per their Q3 2018 report.

Bank of America and Wells Fargo are not so far behind Microsoft and the other top 2 targets in this case as there has been an increase in these phishing attacks by approximately 20.4% as reported by Vade Secure. As the attackers attempt to access Office 365, One Drive, and Azure credentials their focus has been towards cloud based services as well as financial companies.



Vade Secure's report states - "The primary goal of Microsoft phishing attacks is to harvest Office 365 credentials. With a single set of credentials, hackers can gain access to a treasure trove of confidential files, data, and contacts stored in Office 365 apps, such as SharePoint, One Drive, Skype, Excel, CRM, etc. Moreover, hackers can use these compromised Office 365 accounts to launch additional attacks, including spear phishing, malware, and, increasingly, insider attacks targeting other users within the same organization."

The attackers, through a feeling of urgency endeavor to show that the recipient's account has been suspended or so thus inciting them to login in order to determine the issue, this happens in the case of Office 365 phishing emails. By doing this though they expect for the victims to be less wary when entering their credentials.

Exceptionally compelling is that attackers have a tendency to pursue a pattern with respect to what days they send the most volume of phishing mails. As per the report, most business related attacks tend to happen amid the week with Tuesday and Thursday being the most popular days. For Netflix though, the most focused on days are Sunday because that is the time when users' are taking a backseat and indulge in some quality television.

As these attacks become more targeted Vade Secure’s report further states – "What should be more concerning to security professionals is that phishing attacks are becoming more targeted. When we correlated the number of phishing URLs against the number of phishing emails blocked by our filter engine, we found that the number of emails sent per URL dropped more than 64% in Q3. This suggests that hackers are using each URL in fewer emails in order to avoid by reputation-based security defenses. In fact, we’ve seen sophisticated phishing attacks where each email contains a unique URL, essentially guaranteeing that they will bypass traditional email security tools."

For the users' however , it is advised to dependably examine a site before entering any login details and if there are any occurrences of the URL seeming abnormal or even something as minor as a language blunders then they should report the issue directly to either the administrator or the company itself.