Search This Blog

Showing posts with label Phishing Campaign. Show all posts

Threat Actors Target Covid-19 Vaccine Cold Chain Via Spear-Phishing Campaign

 

Cybercriminals are continuing to target the COVID-19 vaccine cold chain, the means of delivering and storing vaccines at safe temperatures, with spear-phishing campaigns that leverage pharma and biomedical lures, according to an updated IBM X-Force report. 

Threat actors are specifically targeting transportation, healthcare, IT, and electronics sectors. Researchers also discovered the attackers targeting government agencies and vendors that support public health entities, among other targets.

The latest research is an update of a December IBM X-Force report that shed light on widespread phishing tactics leveraged by cybercriminals against vaccine supply chain organizations and other healthcare sectors. IBM X-Force established a cyber task force at the beginning of the pandemic to track cyber threats targeting critical infrastructure organizations.

The global phishing campaign against cold storage supply chain members was first discovered in September, initially tied to Gavi, the Vaccine Alliance’s Cold Chain Equipment Optimization Platform (CCEOP) program. The threat actors masqueraded as biomedical executives and targeted enterprise leadership members in the IT, finance, sales, and procurement departments, who would likely be involved with vaccine cold chain efforts.

 The attackers sent the messages to multiple employees across the enterprise, with some messages purporting to be of help or support pages of the targeted enterprise. Instead, the messages contained malicious HTML attachments that opened locally on the devices and prompted victims to enter user credentials for access. This week’s update revealed the researchers have detected an additional 50 files tied to spear-phishing emails targeting at least 44 entities in 44 different countries, including the US and Canada. 

“The expanded scope of precision targeting includes key organizations likely underpinning the transport, warehousing, storage, and ultimate distribution of vaccines. Spear-phishing attempts were associated with multiple executive activities and other roles," researchers explained.

Particularly, the cybercriminals are targeting CEOs, purchasing managers, system administrators, presidents, heads of supply and logistics, finance directors, HR officers, and a host of other leaders within the enterprise organization. IBM researchers first noticed the latest phishing campaign directly following the publication of the previous report. The malicious email was addressed to a German pharmaceutical and bioscience solutions company working on vaccine production and associated activities. The target also appeared to be a client of one of the original targets detected in the initial campaign.

“While our previous reporting featured direct targeting of supranational organizations, the energy and IT sectors across six nations, we believe this expansion to be consistent with the established attack pattern, and the campaign remains a deliberate and calculated threat,” wrote the researchers.

Attackers Targeted Robinhood with a Phishing Campaign

 

Attackers have targeted clients of stock-trading broker Robinhood with a phishing campaign planned to steal their credentials and spread malware utilizing counterfeit tax documents, the organization has cautioned.

Robinhood Markets, Inc. is an American financial services organization settled in Menlo Park, California, known for offering commission-free trades of stocks and exchange-traded funds through a mobile application presented in March 2015. Robinhood is a FINRA-managed broker-dealer, enlisted with the U.S. Securities and Exchange Commission, and is a member of the Securities Investor Protection Corporation. The organization's revenue comes from three fundamental sources: interest earned on customers' cash balances, selling order information to high-frequency traders (a practice for which the SEC opened an investigation into the company in September 2020), and margin lending. As of 2020, Robinhood had 13 million clients. 

Robinhood, has confronted various regulatory and legal difficulties along the way, sent an email to clients Thursday warning of a phishing scam “that may have reached some of our customers.” 

Attackers targeted clients in two ways, as per the email. One assault vector utilized phishing emails with links to counterfeit Robinhood sites provoking visitors to enter their login credentials, including authentication codes the organization uses to help guarantee the security of individuals' accounts. Other emails saw assailants exploiting the tax season, requesting potential victims to download counterfeit tax files, for example, Form 1099—that included malware, as per the email. 

“There tends to be an increase in these types of emails around tax season, so we ask that you be extra careful about how you access your Robinhood account,” as per the email. Robinhood recommended individuals check the strength of safety features of the application on their gadgets, manually eliminating any gadgets they don't perceive from accessing and resetting passwords on the off chance that they believe they might be in danger. The organization likewise urged clients to reach out to its support team directly from the Robinhood application or its site. 

One of the main grievances among Robinhood clients was that they couldn't reach the company for support, causing regulators like the Securities and Exchange Commission (SEC) to become de facto customer support for the platform’s clients.

Mackenzie Scott Scam: Fraudsters asking Fake Donations in Billionaire's name

 

A major phishing campaign that reached tens of thousands of inboxes impersonated as MacKenzie Bezos-Scott grant foundation promising monetary advantages to recipients of the e-mail in exchange for a processing fee. 

The processing fee is referred to as an "advance fee," and it has been used since before the internet, with the "Nigerian prince" version popularising it. But this phishing campaign took advantage of the charitable acts last year from author MacKenzie Scott, ex-wife of Amazon founder Jeff Bezos. 

The scam surfaced after Mackenzie Scott revealed in December that she had donated $4.2 billion of her fortune to over 300 organizations, including food banks and other charities that assist the people in need. Ironically, one food bank in Arkansas, which had received an authentic email from Scott about a legitimate donation, initially mistook it for a hoax. 

Eyal Benishti, the CEO of tech security company Ironscales said, “That may have primed fraudsters to develop a phishing scam based on Scott's donations in the hope that some organizations would believe that they, too, are receiving valid emails”. About 200 of its customers have received the bogus Mackenzie Scott emails, although none have fallen for the bait, he added. 

Fraudsters initiated the scam by sending out spoofed emails that claimed, MacKenzie Bezos-Scott grant foundation is distributing funds from their foundation. In fact, the emails were sent not to distribute billions to charity, but fleece victims. 

However, the fake Mackenzie Scott emails had a few tip-offs that hints they weren't real: 

1. Sender’s title appeared as “Mackenzie Scott Grant” but the return email address was to the domain ‘@mintme.com’ 
2. Multiple grammatical errors in the email body 
3. Sender’s name and signature were different 

The fraudsters alleged that they are from the "MacKenzie Bezos-Scott foundation" and have chosen a recipient for a grant. Further, they ask for the recipients' full name and address, and if they answer, recipients are required to submit a small processing fee to unlock the grant. Of course, there's no grant; it's just a tactic to extort money from the victims.

Scams have escalated as a result of large-scale relief programs such as stimulus checks and the Paycheck Protection Program, which has drawn out fraudsters trying to trick people into giving away sensitive data, such as Social Security numbers. With the ongoing levels of hardship due to the coronavirus pandemic, people are more susceptible to scams at the moment.

Medical Professionals of U.S. and Israel Targeted in a 'BadBlood' Phishing Campaign

 

Email security firm, Proofpoint has exposed a hacking group linked with the Iranian government targeting nearly two-dozen medical researchers in Israel and U.S. The targeted medical professionals particularly work in the oncology, genetics, and neurology fields in both U.S. and Israel. Proofpoint described the phishing campaign as ‘BadBlood’ due to its nature of targeting medical professionals.

According to Proofpoint, the Iranian hacking group operates with different names such as TA453, Charming Kitten, Phosphorus, APT35, ITG18, Ajax Security Team, NewsBeef, and Newscaster. The hacking group that has been operating since 2011, is specifically targeting medical professionals, activists, and journalists in the Middle East, the U.K., and the U.S. 

To lure the victims into their trap, the Iranian hacking group employed a Gmail account in the name of prominent Israeli physicist, Daniel Zaifman. The attackers sent a series of malicious emails from the Zaifman account to the medical professionals claiming to contain sensitive information on Israel’s nuclear program. 

The malicious emails contained a link that directed the victims to a fake Microsoft login page and once opened, the malicious links extracted the users’ email credentials. Although the motives of this attack is not yet clear, many researchers believe the operation was conducted to acquire medical research or private health data on intelligence targets of interest to Tehran. 

“While this campaign may represent a shift in TA453 targeting overall, it is also possible it may be an outlier, reflective of a specific priority intelligence tasking given to TA453. While targeting medical experts in genetics, neurology and oncology may not be a lasting shift in TA453 targeting, it does indicate at least a temporary change in TA453 collection priorities. BadBlood is aligned with an escalating trend globally of medical research being increasingly targeted by espionage motivated focused threat actors,” Proofpoint stated.

India's Top 5 Banks Targeted in a Phishing Scam

 

The customers of State Bank of India (SBI), ICICI, HDFC, Axis Bank, and Punjab National Bank (PNB) have been alerted regarding a serious security vulnerability. Threat actors are trying to lure Indian users into revealing important private information using the mobile apps of the aforementioned banks. The report suggests that suspicious messages prompted users to submit an application for disbursement of the income tax refund. 

The threat actors are attaching a link with these texts that looks like an income tax e-filing web page. The suspicious links originate from the US and France without a domain name and are not linked with the Indian government, as per the revelation made in an investigation by New Delhi-based think tank CyberPeace Foundation along with cybersecurity services firm Autobot Infosec. 

Furthermore, the report claims that all IP addresses associated with the campaign belong to some third-party cloud hosting providers. The entire campaign uses the normal or plain HTTP protocol instead of the secure https. This means that anyone on the network or the internet can intercept traffic and obtain confidential information in normal text format to misuse against the victim.

How do threat actors exploit vulnerabilities?

Threat actors install malware in these banking apps and then lure the users in downloading an application from a third-party source instead of the Google Play Store. This application then asks the administrator to provide all rights and permit unnecessary use of the device. 

On opening the link http://204.44.124[.]160/ITR, users are redirected to a landing page, which looks similar to the official government income tax e-filing websites. Now, the users are asked to click on the 'green color' and proceed to the verification steps. Users are further asked to submit private information such as their full name, PAN number, Aadhaar number, address, PIN code, date of birth, mobile number, email address, gender, marital status, and banking. 

Apart from this, they are also asked to fill in information such as account number, IFSC code, card number, expiration date, CVV, and card PIN. All of this information is being finally transferred to the threat actors.

Hacked SendGrid Accounts used In Phishing Attacks To Steal Logins

 

A new cyber campaign has come to known as a phishing attack. Outlook Web Access and Office 365 services users are being targeted. The campaign collected the credentials of thousands of customers relying on trusted domains such as SendGrid. 

The campaign named “Compact”, the Cyber actors behind these phishing attacks have been operating this campaign since the beginning of 2020 and it is being estimated that the campaign has successfully been able to collect over 400,000 sensitive credentials from multiple companies. 

The phishing campaign operators used Zoom invites as a lure along with an extensive list of email addresses and used this information in sending messages from hacked accounts on the SendGrid cloud-based email delivery platform. Since SendGrid is a trusted Simple Mail Transfer Protocol (SMTP) provider, the messages had very less chances of not reaching their destination and being blocked by email protection technology. 

Researchers at WMC Global, makers of the PhishFeed real-time phishing intelligence service, highlighted some mistakes of the campaign operators. Those mistakes allowed them to analyze how the data has been moved from the phishing site into the hands of the operator. 

Researchers analyzed that each phishing campaign successfully collected 3,700 credential addresses, which would make the total from various Compact campaigns around 400,000 unique credentials. 

WMC Global stated that “Earlier operations used compromised SendGrid accounts to deliver the phishing emails and then moved to MailGun, a developer-centric email service with APIs that allows sending, receiving, and tracking messages”. 

WMC believes “that the switch to a different service was determined by their collaboration with SendGrid to restore compromised accounts to the legitimate owners. Also, the phishing website of the Compact campaign had distinct fingerprints in the code that permitted monitoring and detecting of a new site as soon as it became life…”

 “…We found a landing site impersonating Outlook Web App in December 2020 and another one in January 2021 that pretended to be for Office 365 login”, the company added. 

Searching the website source code, the researchers were able to steal locations and credential logs in text files. The attackers behind the Compact campaigns had created the exfiltration code on various compromised legal websites. 

While analyzing log data researchers noticed that employees who are working at notable companies had fallen for the Compact phishing campaign. At present, the Compact operators are using an Office 365 theme that continues to be active and is the most prevalent. 

WMC Global stated that “the latest email campaigns were noisy enough to attract attention but the tactics, techniques, and procedures observed point to other campaigns that used different phishing themes (Excel, OWA, Outlook Web Access Exchange, 1&1 Ionos, Rackspace)”.

Tibetan Organizations Targeted in a Chinese Sponsored Phishing Campaign

 

Cybersecurity experts from Proofpoint have unearthed a Chinese-sponsored phishing campaign and published a report on Thursday; as per the findings, Chinese state hackers targeted several Tibetan organizations in a low-volume phishing campaign using malicious malware on the systems of Tibetan organizations. The campaign was designed to hijack Gmail accounts via a malicious Firefox browser extension.

According to Proofpoint, Chinese sponsored phishing campaign started in January and continued throughout February and was managed by the TA413 APT group, a threat group that’s aligned with the Chinese Communist Party’s state interests.

Hackers Modus Operandi 

TA413 attackers targeted the organizations by sending a fraudulent email, once the victim opened the email it redirected the victim to the attacker-controlled you-tube[.] domain that displays a fake Adobe Flash Player Update landing page.

Threat actors specifically targeted the Firefox users and users with an active Gmail session were prompted to download the malicious add-on. If the potential target used any other web browser, they would get redirected to the legitimate YouTube login page.

According to Proofpoint, threat actors could exploit the following functions on infected browsers:

 Gmail:

• Search emails 
• Archive emails 
• Receive Gmail notifications 
• Read emails 
• Alter Firefox browser audio and visual alert features 
• Label emails • Marks emails as spam 
• Delete messages 
• Refresh inbox 
• Forward emails 
• Perform function searches 
• Delete messages from Gmail trash 
• Send mail from the compromised account

 Firefox (based on browser permissions): 

• Access user data for all websites 
• Display notifications 
• Read and modify privacy settings 
• Access browser tabs

Proofpoint stated that “the use of browser extensions to target the private Gmail accounts of users combined with the delivery of Scanbox malware demonstrates the malleability of TA413 when targeting dissident communities. These communities have a traditionally low barrier for compromise by threat actor groups and TA413 appears to be modulating their tools and techniques while continuing to rely on proven social engineering techniques.”

The Chinese state hackers also infected the victims with the Scanbox malware. A PHP and Java-script-based reconnaissance framework; this malware is an old tool used by Chinese cyber-criminal groups.

“Scanbox has been used in numerous campaigns since 2014 to target the Tibetan Diaspora along with other ethnic minorities often targeted by groups aligned with the Chinese state interests,” Proofpoint further stated.

Threat Actors Targeting British Users in a Facebook Phishing Campaign

 

After targeting the German users in the ongoing Facebook phishing campaign threat actors have shifted their focus onto the British users, nearly 75% of the new victims are based in the UK. Cybernews exposed the phishing campaign on Facebook named “Is that you” after it tricked nearly 4.5 lakh users in Germany since its beginning on January 26.

It seemed like threat actors have abandoned their campaign after getting exposed but they were planning to launch their phishing campaign in another country. The new phishing campaign was launched on February 11 in the UK and since then it has targeted more than 20,000 British users. Cybernews has shared the details of their investigation regarding the ongoing phishing campaign in Germany and the UK with Facebook, CERT UK, Dominican Republic’s cyber police, and wal. ee (the URL shortener service used by the threat actor).

Threat actors are using the same legitimate third-party web statistics service to track the growth of the latest phishing campaign in the UK as they used in Germany. Their methodology of operating is also identified as it was in Germany, threat actors are sending a personal Facebook text to the unsuspected users and are claiming to have discovered a video or image with the victim featured in it. This text then directs the victim through a chain of websites that have been compromised with malicious scripts that accumulate the victim’s credentials and are infected with adware or other malware, depending on the victim’s device.

The two things which are unidentical from the previous phishing campaign in Germany are tracking code and campaign name. Cybernews managed to gain access to the threat actor’s dashboard in order to learn the scale of the campaign and it appears that over 20,000 users are trapped in the net laid by the threat actors. Due to the access to the threat actor’s dashboard, Cyber news was able to spot the devices and browsers predominantly used by the victims.

Three steps to protect yourself against phishing campaign

 1) Your passwords should be unique and complex for all the online accounts and the password manager will suggest you to generate strong passwords.

 2) Enable the multi-factor authentication option (MFA) and try to remain vigilant while using any social media platform and beware of any suspicious text sent to you even from your Facebook contact.

 3) Threat actors usually apply social engineering to tempt you to click on the malicious links or download infected files, think twice before clicking on such suspicious links and report to the cyber cell for the potential cyber fraud.

Fraudsters Target US Tax Experts in Ongoing Phishing Campaign

 

Scammers are targeting US tax professionals in ongoing series of phishing attacks to steal Electronic Filling identification Numbers (EFINs). The International Revenue Service (IRS) has alerted US tax experts regarding the phishing campaign and suggested taking precautionary measures to avoid any loss.

The ongoing series of phishing attacks was started right before the US tax season with the target of stealing both users’ data and tax professionals’ identity. Scammers trick tax preparers by sending phishing emails and asking them to email their copies of “EFIN (e-file identification number) verification and Driver’s license” as a part of the fake verification process.

To make the verification process more authentic scammers threaten the potential victims to freeze their accounts they use to file tax documents online. Due to lack of knowledge or fear the victims hand over their information to the scammers. Once the scammers receive the information, they can file tax returns illegally for refunds by acting as tax professionals. 

IRS Tax E-Filling’ is used as the sender name by scammers in emails and ‘Verifying your EFIN before e-filing as a subject line followed by the content mentioned below:
“In order to help protect both you and your clients from unauthorized/fraudulent activities, the IRS requires that you verify all authorized e-file originators prior to transmitting returns through our system. That means we need your EFIN (e-file identification number) verification and Driver’s license before you e-file."

“Please have a current PDF copy or image of your EFIN acceptance letter (5880C Letter dated within the last 12 months) or a copy of your IRS EFIN Application Summary, found at your e-Services account at IRS.gov, and Front and Back of Driver’s License emailed to complete the verification process. If your EFIN is not verified by our system, your ability to e-file will be disabled until you provide documentation showing your credentials are in good standing to e-file with the IRS.”

Tax experts targeted by this ongoing phishing campaign are recommended not to respond to suspicious emails and to send the emails (as file attachments) to phishing@irs.gov. Tax professionals can also report to the Treasury Inspector General for Tax Administration for further analysis by the IRS Criminal Investigation division.

Threat Actors are Targeting Users Via New Phishing Campaign

 

Threat actors are using Morse code – ‘the novel obfuscation technique’ for targeted phishing campaigns. This technique is known for the code language for Army and security services, by this technique, threat actors are able to hide the email attachment containing malicious URLs.

Last week hackers used the morse code in the phishing emails to bypass secure mail gateways and mail filters. Bleeping Computer discovered the strike on various samples which were uploaded on 2nd February 2021 to VirusTotal. Threat actors targeted the company by sending a malicious email posing to be an invoice for the company. 

This mail looks like – “Revenue_payment_invoice February_Wednesday 02/03/2021” including the HTML attachment for the invoice as [company_name] _ invoice _ [number]._xlsx.html.

The attachment contains mapped letters and numbers then calling out to the decodeMorse() function into a hexadecimal string to decode a Morse code string. The JavaScript is inserted into the code holding assets to provide a fake file asking users for the password permitting threat actors to gain access.

Threat actors are tricking users by using the logo-clearbit.com service to make the form look more convincing, in case the logo is not available then the logo of generic Office 365 is used. The other companies which have suffered due to this phishing attack are Dimensional, Metrohm, SBS, Nuovo IMAIE, ODDO BHF Asset Management, SGS, Dimensional, SBI (Mauritius) Ltd., Bridgestone, Cargeas, Equinti, Capital Four, and Dea Capital.

Morse code was invented by the American artist and inventor Samuel F.B. Morse during the 1830s for electrical telegraphy and further upgraded by American scientist and businessman Alfred Lewis Vail. It is a technique used in telecommunication to encode text characters by an arrangement of dots, dashes, and spaces.

Scammers are Tricking Consumers via QR Code Phishing Campaign

 

QR codes - the little Digi squares, an effective tool for contactless transactional activities especially during the Covid-19 pandemic. Quick Response (QR) codes were originally developed back in the mid-nineties for utilization in the Japanese auto-making industry as a swift, machine-readable technique to reserve information regarding a specific item, whether for production, inventory, or eventual scale. 

QR code is the most convenient method to pay or receive money and this tool has seemed to grow exponentially in the last 5 years, mainly due to the explosion in the popularity of smartphones over the past decade. Most of the modern-day Android and iOS camera apps read the codes naturally unlike the previous years where the users have to download a particular QR code-scanning apps to access the information programmed into the tiny squares.

The biggest concern begins when fraudsters start to use QR codes as a doorway to secure consumers' private information regarding bank details, private messages, etc. So how to identify what’s hidden in the QR codes and gain the necessary knowledge to identify a fraudulent one?

The popular method used by the fraudsters is to send texts to the consumers like – ‘Congratulations! You have won 2000 Rs.’ along with the picture of the QR code. This text will prompt the consumers to scan the QR code, enter the amount which will redirect the consumers to the UPI PIN page to receive the money in their account. Most of the consumers with less awareness are trapped in the net laid by the scammers and end up paying the scammer the amount.

The next popular method used by scammers to trick the consumers is to embed a fake QR code into a phishing email, text, or via social media platform. If the consumer scans the fake code which will redirect the consumer to the website with realistic-looking landing pages and the consumer will prompt the consumer to login via PII (personally identifiable information). A fabricated QR code has the ability to take the consumer to the websites where malware can be automatically installed and used to steal critical information from the consumers’ device or even share spyware or viruses.

Three methods to prevent yourself from QR code scam 

1.) Read the message carefully and pay attention to the small details while making transactions via QR code. 

2.) The device used for making payments should be updated frequently and install security software. If any suspicion arises immediately get in touch with your bank and request them to alter your login credentials.

 3.) If the problem is severe you can contact the police and register a formal complaint with the cyber cell, the consumer can also register an online complaint on the National Cybercrime Reporting Portal – cybercrime.gov.in.

Trickbot- A Banking Trojan Returns With Latest Phishing Campaigns and Attacks

 

Trickbot, a banking malware has resurged again with new phishing campaigns and attacks after the collaboration of cybersecurity and technology companies disrupted the Trickbot malware in October last year. Trickbot malware evolved into a highly favorable form of malware among threat actors after starting life as a banking trojan.

Trickbot is a banking malware that sends victims banking-related website pages that almost look identical to the original thing. Trickbot is a replication of older malware Dyre/Dyreza and is also dispersed via malicious spam including HTML attachments. These HTML files download a Word document posing as a login form, in reality, it is embedded with a malicious macro that restores Trickbot from the threat actors’ command and control (C&C) server when permitted.

Microsoft targeted the infamous Trickbot malware last year due to its ability to possess ransomware that could pose a threat to the websites that display election information or to third party software dealers that supply resources to election officials. Trickbot can steal information, keys, and credentials and give backdoor access for transporting other malware, including ransomware.

Threat actors are specifically targeting legal and insurance companies in North America and sending phishing emails to the potential targets and tricking them to click on a link that will transfer them to a server that downloads a malicious payload.

Vinay Pidathala, director of security research at Menlo Security stated that “where there’s a will, there’s a way. That proverb certainly holds true for the bad actors behind Trickbot operations. While Microsoft and its partners’ actions were commendable and Trickbot activity has come down to a trickle, the threat actors seem to be motivated enough to restore operations and cash in on the current threat environment”.

UK’s National Cyber Security Centre (NCSC) issued the advisory that companies should patch the security vulnerabilities and should run on the latest versions of operating system and software.