Search This Blog

Showing posts with label Phishing Campaign. Show all posts

Scammers Use 'IT Support-Themed Email' to Target Organizations

 

Cybersecurity researchers at Cofense Phishing Defense Center (PDC) have unearthed a new phishing campaign that uses 'information technology (IT) support-themed email' to lure users to update their passwords. 

The email appears legitimate because it’s a common practice within organizations to send security updates to their employees on a weekly or monthly basis. IT team deploys a reset password communication mail to strengthen the employee’s email security. Therefore, it’s a smart move by the attackers to target organizations via phishing email. 

Researchers first suspected the email because the domain was only a few months old. However, the domain address “realfruitpowernepal[.]com” was identical to an organization’s internal IT department, yet a further examination of the domain led to a free web design platform. The second red flag was the opening of the email that doesn’t contain phrases such as “Good Morning” or “Dear…”, possibly suggesting the mass-email attack.

When the user proceeds further by clicking on the “Continue” button, a Mimecast link appears, along with the now censored user email address toward the end of the URL. The users might not feel anything dubious because scammers have used the correct spelling and name, which directs users to a Mimecast web security portal that gives them two options: block the malicious link or ignore it. 

Choosing either option directs the user to the same phishing landing page that displays the session as expired. The motive of the scammers was to make the phishing landing page appear identical to the legitimate Mimecast site. However, during the investigation, it was discovered that the URL provided does not match the authentic Mimecast URL and the footer detail was missing, researchers explained.

Scammers have employed very powerful social engineering to trick the users. The phishing page is designed in such a way that the user providing true login credentials or a random string of credentials, would still be redirected to the page displaying a successful login message.

How to safeguard against phishing emails?


• Installing security software is the first line of defense against phishing attacks. Antivirus programs, spam filters, and firewall programs are quite effective against phishing attacks. 
• Monitor: use phishing simulation tools to evaluate employee knowledge regarding phishing attacks. 
• Organizations should incorporate cyber security awareness campaigns, training, support, education, and project management as a part of their corporate culture. 
• Businesses should deploy multi-factor authentication to prevent hackers from gaining access to their systems.

Cofense Report Analysis on Phishing Campaign Utilizing Vzwpix

 

Researchers at the Cofense Phishing Defense Center (PDC) have been able to dig further into the addressing characteristics of one of the phishing attempt that used Verizon's multimedia messaging service - Vzwpix – employing Cofense Vision. 

Verizon's Vzwpix is a genuine multimedia messaging service. It allows users to send emails from mobile phones, which often include the sender's contact number. Fraudsters exploit the popularity of this service by faking an original email address via spoofing. 

Cyber attackers could use these services to mass deliver SMS that comes from a mobile number but does not include the sender's name and identity. If somehow the recipient does not recognize the mobile number, then they might be left speculating who had sent these emails. 

Hundreds of complaints about Verizon's Vzwpix service domain have been obtained by the Cofense PDC over the last week. 

A majority of these messages would be texts or pictures, but investigators are continuously on the lookout for potential risks. Malicious actors used Vzwpix to target potential audiences in a range of sectors throughout the last week. 

According to Cofense PDC, the message received by the users were all in plain text and without any formatting or pictures. It leads to a new voicemail and employs a monetary enticement via ACH transfers.

The link is provided as plain text, informing users of where they will be redirected. It was smart enough to avoid the first assessment from the secure email gateway (SEG) by employing a valid survey application; nevertheless, certain SEGs would've been able to verify the content of the survey via link click. 

The cyber attackers employed Alchemer, a survey form generator that makes it very convenient to design a survey form for users to answer. 

Further research shows that the survey is erroneously designed as a OneDrive login page, although most of the consumers were probably able to assume that this isn't a genuine Microsoft OneDrive login page. 

The continue button is likewise off to the side, giving the impression that the site wasn't intended to be read with a PC web browser. 

While using it from a smartphone, the form layouts are noticeably different. The modified phishing page is displayed within a white box, as well as the button is placed between the entry fields. 

Utilizing Cofense Vision, Researchers were easily able to detect several individuals who received a similar email at their organization. Even though each email originated from the very same phone number, the message IDs were all unique. All the message IDs were indeed associated with the Verizon phone number which sent messages. Each message ID correlates to a separate group of recipients which was listed in the email's "To" address section. 

In the analysis, every group appeared to have a minimum of 10 email accounts, comprising PDC customers and other external domains as well. After excluding the unique domains, researchers were able to ascertain that 50% of all recipients worked in the food production industry. 

The PDC client in these groups worked in the manufacturing industry, however, one of the major subsidiaries in the food manufacturing industry. Another 25% of the targeted domains are in the supply chain and media industries.

Phishing Attackers Spotted Using Morse Code to Avoid Detection

 

Microsoft has revealed details of a deceptive year-long social engineering campaign in which the operators changed their obfuscation and encryption mechanisms every 37 days on average, including using Morse code, in an attempt to hide their tracks and steal user credentials. 

One of numerous tactics employed by the hackers, who Microsoft did not name, to disguise harmful software was Morse Code, a means of encoding characters with dots and dashes popularised by telegraph technology. It serves as a reminder that, despite their complexity, modern offensive and defensive cyber measures are generally based on the simple principle of hiding and cracking code. 

The phishing attempts take the shape of invoice-themed lures that imitate financial-related business transactions, with an HTML file ("XLS.HTML") attached to the emails. The ultimate goal is to collect usernames and passwords, which are then utilized as an initial point of access for subsequent infiltration attempts. 

The attachment was compared to a "jigsaw puzzle" by Microsoft, who explained that individual pieces of the HTML file are designed to appear innocuous and slip by the endpoint security software, only to expose their true colors when decoded and joined together. The hackers that carried out the attack were not identified by the company.

"This phishing campaign exemplifies the modern email threat: sophisticated, evasive, and relentlessly evolving," Microsoft 365 Defender Threat Intelligence Team said in an analysis. “On their own, the individual segments of the HMTL file may appear harmless at the code level and may thus slip past conventional security solutions." 

When you open the attachment, a counterfeit Microsoft Office 365 credentials dialogue box appears on top of a blurred Excel document in a browser window. The dialogue box displays a message requesting recipients to re-sign in since their access to the Excel document has allegedly expired. When a user types in a password, the user is notified that the password is incorrect, while the virus stealthily collects the information in the background. Since its discovery in July 2020, the campaign is reported to have gone through ten iterations, with the adversary occasionally changing up its encoding methods to hide the harmful nature of the HTML attachment and the many assault segments contained within the file. 

According to Christian Seifert, lead research manager at Microsoft's M365 Security unit, the hackers have yet to be linked to a known group. “We believe it is one of the many cybercrime groups that defraud victims for profit,” Seifert said.

Crime-as-a-Service Makes Advanced Phishing Attacks Easier For Amateurs

 

CaaS (Crime as a Service) is a practice where veteran hackers sell tools and knowledge required to perform a cybercrime. Generally, CaaS is used for executing phishing attacks. Phishing is one of the easiest ways to hack into any organization for any hacker. Earlier, to perform a phishing attack needed an experienced threat actor's technical proficiency and knowledge of social engineering. But, with the rise of CaaS, any normal individual with no prior knowledge of cyberattacks can become a hacker. 

CaaS provides an amateur attacker with anything required to perform their personal phishing attack, varying from branded email templates to detailed target lists. There is also an option for hackers to pay for already compromised servers, it saves them from the fear of getting tracked. By minimizing risks to get caught, the trend has made it simple to carry out a cyberattack. However, it has become a major inconvenience for organizations that are becoming targets. Besides this, CaaS offers technical advantages, with the help of downloaded templates, noob attackers can execute safe attacks that will safely land in any employee's inbox. 

By using sophisticated methods like inspection blocking, content encryption, and hidden URL's in attachments to avoid detection. This enables hackers to perform high-level advanced attacks, which has become a serious issue for organizations. Besides being easy to execute, phishing campaigns are also highly effective. Phishing attacks carried out using CaaS tools are built to target employees, which makes it difficult for organizations. The attacker uses social engineering techniques to exploit end-users, by gaining trust and creating a feeling of immediacy to reply. 

Hackers can use open-source intelligence to steal data from organization websites, past breaches, and social media to execute successful spear-phishing campaigns. HelpNetSecurity says "Crime-as-a-Service has made phishing an even more attractive method of attack for cybercriminals, by making it more accessible and less labor-intensive. Why spend months looking for an organization’s security vulnerabilities when you can hit them with a ready-made phishing attack? It’s also made phishing campaigns more easily scalable because it takes criminals takes less time and effort to execute their attacks."

Phishing Campaign that Imitates Legitimate WeTransfer Applications

 

The Cofense Phishing Defense Center (PDC) has discovered a current phishing attempt that uses bogus websites to impersonate official WeTransfer applications. Threat actors can use this to get around email security gateways (SEG) and trick users into providing their credentials. 

WeTransfer is a file-sharing website that makes it simple for users to share files. Because of the service's popularity, it's possible that consumers may disregard the email's threat level. Threat actors have reimagined this site in order to attract unwary recipients to click on a malicious link that takes them to a phishing website, where they will be asked to pass up their credentials. 

The threat actor instructs the victim to respond to an email that says, "Pending files will be deleted shortly." The timestamps convey a sense of urgency. The malicious URL link that connects to the WeTransfer phishing landing page is hidden below the "Get your files" button. Threat actors provide a list of typical document names to make this appear more authentic. 

Another intriguing aspect is the email address's legitimacy. The threat actors have gone to great lengths to spoof the email address in order to convince recipients that the email came from the correct WeTransfer top-level domain: "@wetransfer.com." The most prevalent tactic used in phishing campaigns to acquire user trust is spoofing the email address. The top-level domain is specified by the Message-ID: @boretvstar[.]com – has nothing to do with WeTransfer. Furthermore, analysts discovered that @boretvstar[.]com is for sale and links to an error page that reads, “This site can't be reached.”

It's evident that the threat actors went to great lengths to resemble the official "WeTransfer" page as closely as possible. However, upon closer examination, the researchers found that Apple and Google logos are missing from the login buttons, and the URL does not match the actual URL. 

When the user clicks the button in the last stage of the attack, they are sent to a false WeTransfer page. To download the shared file, the user must first provide their credentials. The login area on the phishing landing page is prepopulated with the user's email address. The user is displayed a failed login attempt after entering the password, which is a frequent approach used by threat actors. 

In recent weeks, the PDC has seen over 40 identical campaigns reported by well-conditioned users to spot suspicious emails across all of our customers' settings. This phishing campaign is aimed to get around SEGs by impersonating a legitimate file-sharing platform.

Ukraine Suspects Russia Behind a Spear Phishing Campaign

 

Three of the many Ukrainian cybersecurity organizations – the Ukrainian Secret Service, Ukrainian Cyber Police, and CERT Ukraine - cautioned last week that Russia-linked cybercriminals were conducting "massive" spear-phishing campaigns against the Ukrainian government and private sector businesses. 

Also, one of the three agencies, the Ukrainian Secret Service has ascribed the attack to the Russian Federation's 'Special Service,' attributing this year's third cyber attack by Russian hackers. 

The spear-phishing campaign occurred at the beginning of June last week, following the Ukrainian Secret Service, Cyber Police, and CERT Ukraine warnings. 

The attackers sent out emails to the Police Department in Kyiv Patrol Police Department, cautioning recipients for the failure to pay local taxes. 

“Specialists of the Security Service of Ukraine established that in early June this year, mass e-mails were sent with the sender’s address changed. Messages, in particular, allegedly from the Kyiv Patrol Police Department contained malicious attachments and were sent to the addresses of several government agencies.” reads the alert published by the Ukrainian Secret Service. 

Recipients of the email were encouraged to install a RAR archive included within the E-mail, that would drop a double extension EXE file (filename.pdf.exe) to appear as a PDF file. 

Victims using the suspicious program would download a modified remote access software, RemoteUtilities, which would revert to remote command servers in Russia, Germany, and the Netherlands. “This allows the foreign intelligence service to remotely exercise full control over the PC,” the Ukrainian Secret Service said on Friday. 

Officials of CERT also noted that the operation last week used tactics similar to other attacks that happened in January and March this year. 

In February, the Government of Ukraine blamed an APT organization, a Russia - based gang, for the attacks on a government document management system, the System of Electronic Interaction of Executive Bodies (SEI EB). The hackers were designed to disseminate malicious documents to government authorities, according to Ukrainian officials. The SEI EB servers are used to communicate documents with Ukrainian government entities. 

The Ukrainian Security and Defense National Council reported that the attackers were conducting “the mass contamination of information resources of public authorities.” 

At the very same time, Ukraine accused Russia of significant offenses targeting Ukrainian security and defense sites on unspecified Russian Internet networks. However, the Ukrainian authorities have not provided any information regarding the attacks or the damage inflicted.

This Entertainment-Themed Campaign Installs Malware in User Computer System

 

A popular phishing campaign tries to somehow get users to believe that they've enrolled in the film streaming platform to force customers to call on a phone number for cancellation – a technique that contains BazaLoader malware that harms the computer. 

BazaLoader is a C++ downloader for installing and performing other modules. In April 2020, BazaLoader was first observed by Proofpoint. 

BazaLoader develops a backdoor on Windows machines that could be exploited to provide initial access to other malware attacks - even ransomware. Ryuk Ransomware is generally delivered through BazaLoader, which can have severely harmful consequences to a successful compromise amongst cybercriminals. The operation of BazaLoader demands important human contact in the implementation and installation of the BazaLoader backdoor. 

The operator of the threat used customer service agents to lead victims to download and install the malware unwittingly. This campaign represents a broader pattern used as part of a sophisticated attack chain by BazaLoader threat actors that use call centers. 

The initial stage of the effort, which is detailed by cybersecurity investigators at Proofpoint, involves distributing tens of thousands of phishing emails affirming to come from 'BravoMovies,' a bogus movie streaming platform created by cybercriminals themselves. 

The site seems plausible and people behind it generated false film posters utilizing open-source pictures that are available online – but the way the site has numerous orthographic mistakes can suggest that something must be wrong if one looks very carefully. 

The email received states that the victim has subscribed and charged $39.99 a month - but if they contact a support number, that suspected subscription may be terminated. 

When the user contacts the number to which they are associated, the "customer service" professional claims to walk them through the withdrawal procedure – but what they are doing tells the unwitting victim how they may install BazaLoader on their computer systems. 

These are done by directing the caller to a "Subscription" website, wherein part of the procedure invites users to click a Microsoft Excel downloading link. This document contains macros that will silently upload BazaLoader to the system if it is activated, spreading malware on the victim's PC. 

"Malicious attachments are often blocked by threat detection software. By directing people to phone the call center as part of the attack chain, the threat actors can bypass threat detection mechanisms that would otherwise flag its attachments as spam," Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told ZDNet. 

"Social engineering is the key to this attack chain and threat actors depend upon their social engineering lures to cause recipients to take any action to complete the attack chain and get the malware on the target's machine," said DeGrippo further added. 

It should also be pointed out that while getting an e-mail claiming that the user's credit card will be billed if they do not answer, with the creation of a sense of urgency such as this is a common method employed in phishing operations to make a user obey instructions.

BazarBackdoor Campaigns in Attempts to Avoid Detection

 

In two recent projects, threat actors using BazarBackdoor used an unusual combination of lures, tactics, and networks to target corporate customers. Threat perpetrators use the victims' own initiative to get through security barriers and reach a consensus in these initiatives. These methods may also be used to combat phishing awareness training. 

BazarBackdoor is a modern malware that has the potential to infect machines and run a variety of malicious programmes. It is thought to have been developed by the same people who created the TrickBot Trojan, a banking Trojan that infects Windows computers. This is due to the fact that BazarBackdoor shares coding and other characteristics with the TrickBot Trojan. 

Threat actors using the BazarBackdoor ransomware have been playing with roundabout ways to get consumers to self-infect, according to a blog post published this week by Cofense. A fake invoice was used in one campaign, with a reference to a malicious website but no direct link to it. Instead, the attackers hope that users can type or paste the URL into their browsers. A second campaign involved a phone number that, when dialed, connects the customer to a phony business official that would attempt to persuade them to access an attacker-controlled website. 

“The notable part about this is that we don’t usually see this sort of thing,” said Joseph Gallop, an intelligence analysis manager at Cofense, in an interview with SC Media. “Usually, threat actors try to make the path to compromise as simple as they can for the victim to follow.”

“There is an increase in fileless, linkless attacks that are engineered toward luring users to do something they are not supposed to do outside of the scope of clicking on links or opening attachments,” said Ironscales CEO Eyal Benishti. “Most of these attacks are BEC attacks, impersonating a known internal or external sender trying to lure users into wiring money, paying fake invoices, changing bank account details records, buying gift cards or other goods, and the defenders’ challenge now is to detect and block communications with malicious intent and not necessarily malicious content.” 

The circuitous road to infection used by the BazarBackdoor campaigns depends on the victim's willingness to put in a little extra effort, but there's a tactic behind this risk: According to the Cofense report, “More and more, corporate network users are being conditioned to recognize malicious links and attachments." Thus, “the absence of apparently malicious links and attachments may lull potential recipients into complacency. Failure to recognize the roundabout engagement tactics at play here could result in a compromise going unnoticed.”

Researchers Found Three New Malware Strains in a Phishing Campaign

 

A global phishing program used never-before-seen malware strains distributed by specially-tailored lures to attack global organizations across a broad range of industries. According to a Mandiant report released today, the attacks targeted at least 50 organizations from a diverse range of sectors in two waves, on December 2nd and between December 11th and 18th. 

UNC2529 is the name of the threat actors behind the malware, who are identified as "experienced and well-resourced." Organizations in the United States, the EMEA zone, Asia, and Australia have been attacked in two waves so far. 

Threat actors would also pose as account executives touting services suitable for various industries, such as security, medication, transportation, the military, and electronics, in phishing messages sent to prospective victims. 

The global phishing scheme was controlled by over 50 domains in total. UNC2529 hacked a domain owned by a US heating and cooling services company, tampered with its DNS data, and used this structure to conduct phishing attacks against at least 22 entities in one successful attack. The lure emails included links to URLs that led to malicious.PDF payloads and a JavaScript file stored in a.zip folder. The records, which were obtained from public databases, were compromised to the point that they were unreadable, prompting victims to double-click the.js file in an effort to read the content. 

"The threat actor made extensive use of obfuscation and file-less malware to complicate detection to deliver a well-coded and extensible backdoor," Mandiant said. 

The threat group used phishing emails with links to a JavaScript-based downloader (labeled DOUBLEDRAG) or an Excel document with an embedded macro that downloaded an in-memory PowerShell-based dropper (labeled DOUBLEDROP) from attackers' command-and-control (C2) servers during the two waves of attacks. The DOUBLEDROP dropper includes 32-bit and 64-bit versions of the DOUBLEBACK backdoor, which is implemented as a PE dynamic library. 

"The backdoor, once it has the execution control, loads its plugins and then enters a communication loop, fetching commands from its [command-and-control] C2 server and dispatching them," Mandiant notes. "One interesting fact about the whole ecosystem is that only the downloader exists in the file system. The rest of the components are serialized in the registry database, which makes their detection somewhat harder, especially by file-based antivirus engines."

Hackers Target Rogers With a New SMS Phishing Campaign

 

Rogers Communications Inc. is advising Canadians to be wary of SMS phishing scams that promise to refund consumers for a system outage that occurred earlier last week. Users were unable to use cellular voice and data networks after the network experienced a nationwide blackout a week ago. Threat actors are also sending fraudulent text messages to recipients, instructing them to click on a link to receive a rebate. 

An SMS circulated on social media falsely reports that “R0GERS WIRELESS INC.” (spelled with a zero instead of an O) is providing a $50 credit to anyone who clicks on a link provided.

Rogers Communications Inc. is a communications and publishing corporation based in Canada. With substantial additional telecommunications and mass media infrastructure, it mainly functions in the areas of cellular broadcasting, cable television, telephony, and Internet connectivity. Rogers' offices are located in Toronto and Ontario. While the business dates back to 1925, when Edward S. Rogers Sr. formed Rogers Vacuum Tube Company to market battery less radios, the current venture dates back to 1960, when Ted Rogers and a partner purchased the CHFI-FM radio station, and then became part-owners of a consortium that created the CFTO television station.

Rogers replied that it never sends credit alerts via text message and advises anyone who receives one to ignore the embedded link. Furthermore, the credit amount will vary based on the cellular plan and will not include a registration link, according to the company. 

According to Ericsson, the 16-hour wireless system blackout on April 19th was triggered by a software update that caused devices to be disconnected from the network. A message from Rogers CTO Jorge Fernandes to customers the next day said, "We have addressed the software issue and our engineering and technical teams will continue to work around the clock with the Ericsson team to restore full services for our customers." 

The links in these texts all point to websites that are hosted on an IP address rather than a domain name. It's unclear what information was phished because the pages have all been taken offline, but it's definitely Rogers customers' personal and account information. 

Rogers is aware of the scam and has advised users to "forward the content of the SMS to 7726 (SPAM), to register it for investigation/blocking from the network," according to a tweet from the company.

Threat Actors Target Covid-19 Vaccine Cold Chain Via Spear-Phishing Campaign

 

Cybercriminals are continuing to target the COVID-19 vaccine cold chain, the means of delivering and storing vaccines at safe temperatures, with spear-phishing campaigns that leverage pharma and biomedical lures, according to an updated IBM X-Force report. 

Threat actors are specifically targeting transportation, healthcare, IT, and electronics sectors. Researchers also discovered the attackers targeting government agencies and vendors that support public health entities, among other targets.

The latest research is an update of a December IBM X-Force report that shed light on widespread phishing tactics leveraged by cybercriminals against vaccine supply chain organizations and other healthcare sectors. IBM X-Force established a cyber task force at the beginning of the pandemic to track cyber threats targeting critical infrastructure organizations.

The global phishing campaign against cold storage supply chain members was first discovered in September, initially tied to Gavi, the Vaccine Alliance’s Cold Chain Equipment Optimization Platform (CCEOP) program. The threat actors masqueraded as biomedical executives and targeted enterprise leadership members in the IT, finance, sales, and procurement departments, who would likely be involved with vaccine cold chain efforts.

 The attackers sent the messages to multiple employees across the enterprise, with some messages purporting to be of help or support pages of the targeted enterprise. Instead, the messages contained malicious HTML attachments that opened locally on the devices and prompted victims to enter user credentials for access. This week’s update revealed the researchers have detected an additional 50 files tied to spear-phishing emails targeting at least 44 entities in 44 different countries, including the US and Canada. 

“The expanded scope of precision targeting includes key organizations likely underpinning the transport, warehousing, storage, and ultimate distribution of vaccines. Spear-phishing attempts were associated with multiple executive activities and other roles," researchers explained.

Particularly, the cybercriminals are targeting CEOs, purchasing managers, system administrators, presidents, heads of supply and logistics, finance directors, HR officers, and a host of other leaders within the enterprise organization. IBM researchers first noticed the latest phishing campaign directly following the publication of the previous report. The malicious email was addressed to a German pharmaceutical and bioscience solutions company working on vaccine production and associated activities. The target also appeared to be a client of one of the original targets detected in the initial campaign.

“While our previous reporting featured direct targeting of supranational organizations, the energy and IT sectors across six nations, we believe this expansion to be consistent with the established attack pattern, and the campaign remains a deliberate and calculated threat,” wrote the researchers.

Attackers Targeted Robinhood with a Phishing Campaign

 

Attackers have targeted clients of stock-trading broker Robinhood with a phishing campaign planned to steal their credentials and spread malware utilizing counterfeit tax documents, the organization has cautioned.

Robinhood Markets, Inc. is an American financial services organization settled in Menlo Park, California, known for offering commission-free trades of stocks and exchange-traded funds through a mobile application presented in March 2015. Robinhood is a FINRA-managed broker-dealer, enlisted with the U.S. Securities and Exchange Commission, and is a member of the Securities Investor Protection Corporation. The organization's revenue comes from three fundamental sources: interest earned on customers' cash balances, selling order information to high-frequency traders (a practice for which the SEC opened an investigation into the company in September 2020), and margin lending. As of 2020, Robinhood had 13 million clients. 

Robinhood, has confronted various regulatory and legal difficulties along the way, sent an email to clients Thursday warning of a phishing scam “that may have reached some of our customers.” 

Attackers targeted clients in two ways, as per the email. One assault vector utilized phishing emails with links to counterfeit Robinhood sites provoking visitors to enter their login credentials, including authentication codes the organization uses to help guarantee the security of individuals' accounts. Other emails saw assailants exploiting the tax season, requesting potential victims to download counterfeit tax files, for example, Form 1099—that included malware, as per the email. 

“There tends to be an increase in these types of emails around tax season, so we ask that you be extra careful about how you access your Robinhood account,” as per the email. Robinhood recommended individuals check the strength of safety features of the application on their gadgets, manually eliminating any gadgets they don't perceive from accessing and resetting passwords on the off chance that they believe they might be in danger. The organization likewise urged clients to reach out to its support team directly from the Robinhood application or its site. 

One of the main grievances among Robinhood clients was that they couldn't reach the company for support, causing regulators like the Securities and Exchange Commission (SEC) to become de facto customer support for the platform’s clients.

Mackenzie Scott Scam: Fraudsters asking Fake Donations in Billionaire's name

 

A major phishing campaign that reached tens of thousands of inboxes impersonated as MacKenzie Bezos-Scott grant foundation promising monetary advantages to recipients of the e-mail in exchange for a processing fee. 

The processing fee is referred to as an "advance fee," and it has been used since before the internet, with the "Nigerian prince" version popularising it. But this phishing campaign took advantage of the charitable acts last year from author MacKenzie Scott, ex-wife of Amazon founder Jeff Bezos. 

The scam surfaced after Mackenzie Scott revealed in December that she had donated $4.2 billion of her fortune to over 300 organizations, including food banks and other charities that assist the people in need. Ironically, one food bank in Arkansas, which had received an authentic email from Scott about a legitimate donation, initially mistook it for a hoax. 

Eyal Benishti, the CEO of tech security company Ironscales said, “That may have primed fraudsters to develop a phishing scam based on Scott's donations in the hope that some organizations would believe that they, too, are receiving valid emails”. About 200 of its customers have received the bogus Mackenzie Scott emails, although none have fallen for the bait, he added. 

Fraudsters initiated the scam by sending out spoofed emails that claimed, MacKenzie Bezos-Scott grant foundation is distributing funds from their foundation. In fact, the emails were sent not to distribute billions to charity, but fleece victims. 

However, the fake Mackenzie Scott emails had a few tip-offs that hints they weren't real: 

1. Sender’s title appeared as “Mackenzie Scott Grant” but the return email address was to the domain ‘@mintme.com’ 
2. Multiple grammatical errors in the email body 
3. Sender’s name and signature were different 

The fraudsters alleged that they are from the "MacKenzie Bezos-Scott foundation" and have chosen a recipient for a grant. Further, they ask for the recipients' full name and address, and if they answer, recipients are required to submit a small processing fee to unlock the grant. Of course, there's no grant; it's just a tactic to extort money from the victims.

Scams have escalated as a result of large-scale relief programs such as stimulus checks and the Paycheck Protection Program, which has drawn out fraudsters trying to trick people into giving away sensitive data, such as Social Security numbers. With the ongoing levels of hardship due to the coronavirus pandemic, people are more susceptible to scams at the moment.

Medical Professionals of U.S. and Israel Targeted in a 'BadBlood' Phishing Campaign

 

Email security firm, Proofpoint has exposed a hacking group linked with the Iranian government targeting nearly two-dozen medical researchers in Israel and U.S. The targeted medical professionals particularly work in the oncology, genetics, and neurology fields in both U.S. and Israel. Proofpoint described the phishing campaign as ‘BadBlood’ due to its nature of targeting medical professionals.

According to Proofpoint, the Iranian hacking group operates with different names such as TA453, Charming Kitten, Phosphorus, APT35, ITG18, Ajax Security Team, NewsBeef, and Newscaster. The hacking group that has been operating since 2011, is specifically targeting medical professionals, activists, and journalists in the Middle East, the U.K., and the U.S. 

To lure the victims into their trap, the Iranian hacking group employed a Gmail account in the name of prominent Israeli physicist, Daniel Zaifman. The attackers sent a series of malicious emails from the Zaifman account to the medical professionals claiming to contain sensitive information on Israel’s nuclear program. 

The malicious emails contained a link that directed the victims to a fake Microsoft login page and once opened, the malicious links extracted the users’ email credentials. Although the motives of this attack is not yet clear, many researchers believe the operation was conducted to acquire medical research or private health data on intelligence targets of interest to Tehran. 

“While this campaign may represent a shift in TA453 targeting overall, it is also possible it may be an outlier, reflective of a specific priority intelligence tasking given to TA453. While targeting medical experts in genetics, neurology and oncology may not be a lasting shift in TA453 targeting, it does indicate at least a temporary change in TA453 collection priorities. BadBlood is aligned with an escalating trend globally of medical research being increasingly targeted by espionage motivated focused threat actors,” Proofpoint stated.

India's Top 5 Banks Targeted in a Phishing Scam

 

The customers of State Bank of India (SBI), ICICI, HDFC, Axis Bank, and Punjab National Bank (PNB) have been alerted regarding a serious security vulnerability. Threat actors are trying to lure Indian users into revealing important private information using the mobile apps of the aforementioned banks. The report suggests that suspicious messages prompted users to submit an application for disbursement of the income tax refund. 

The threat actors are attaching a link with these texts that looks like an income tax e-filing web page. The suspicious links originate from the US and France without a domain name and are not linked with the Indian government, as per the revelation made in an investigation by New Delhi-based think tank CyberPeace Foundation along with cybersecurity services firm Autobot Infosec. 

Furthermore, the report claims that all IP addresses associated with the campaign belong to some third-party cloud hosting providers. The entire campaign uses the normal or plain HTTP protocol instead of the secure https. This means that anyone on the network or the internet can intercept traffic and obtain confidential information in normal text format to misuse against the victim.

How do threat actors exploit vulnerabilities?

Threat actors install malware in these banking apps and then lure the users in downloading an application from a third-party source instead of the Google Play Store. This application then asks the administrator to provide all rights and permit unnecessary use of the device. 

On opening the link http://204.44.124[.]160/ITR, users are redirected to a landing page, which looks similar to the official government income tax e-filing websites. Now, the users are asked to click on the 'green color' and proceed to the verification steps. Users are further asked to submit private information such as their full name, PAN number, Aadhaar number, address, PIN code, date of birth, mobile number, email address, gender, marital status, and banking. 

Apart from this, they are also asked to fill in information such as account number, IFSC code, card number, expiration date, CVV, and card PIN. All of this information is being finally transferred to the threat actors.

Hacked SendGrid Accounts used In Phishing Attacks To Steal Logins

 

A new cyber campaign has come to known as a phishing attack. Outlook Web Access and Office 365 services users are being targeted. The campaign collected the credentials of thousands of customers relying on trusted domains such as SendGrid. 

The campaign named “Compact”, the Cyber actors behind these phishing attacks have been operating this campaign since the beginning of 2020 and it is being estimated that the campaign has successfully been able to collect over 400,000 sensitive credentials from multiple companies. 

The phishing campaign operators used Zoom invites as a lure along with an extensive list of email addresses and used this information in sending messages from hacked accounts on the SendGrid cloud-based email delivery platform. Since SendGrid is a trusted Simple Mail Transfer Protocol (SMTP) provider, the messages had very less chances of not reaching their destination and being blocked by email protection technology. 

Researchers at WMC Global, makers of the PhishFeed real-time phishing intelligence service, highlighted some mistakes of the campaign operators. Those mistakes allowed them to analyze how the data has been moved from the phishing site into the hands of the operator. 

Researchers analyzed that each phishing campaign successfully collected 3,700 credential addresses, which would make the total from various Compact campaigns around 400,000 unique credentials. 

WMC Global stated that “Earlier operations used compromised SendGrid accounts to deliver the phishing emails and then moved to MailGun, a developer-centric email service with APIs that allows sending, receiving, and tracking messages”. 

WMC believes “that the switch to a different service was determined by their collaboration with SendGrid to restore compromised accounts to the legitimate owners. Also, the phishing website of the Compact campaign had distinct fingerprints in the code that permitted monitoring and detecting of a new site as soon as it became life…”

 “…We found a landing site impersonating Outlook Web App in December 2020 and another one in January 2021 that pretended to be for Office 365 login”, the company added. 

Searching the website source code, the researchers were able to steal locations and credential logs in text files. The attackers behind the Compact campaigns had created the exfiltration code on various compromised legal websites. 

While analyzing log data researchers noticed that employees who are working at notable companies had fallen for the Compact phishing campaign. At present, the Compact operators are using an Office 365 theme that continues to be active and is the most prevalent. 

WMC Global stated that “the latest email campaigns were noisy enough to attract attention but the tactics, techniques, and procedures observed point to other campaigns that used different phishing themes (Excel, OWA, Outlook Web Access Exchange, 1&1 Ionos, Rackspace)”.

Tibetan Organizations Targeted in a Chinese Sponsored Phishing Campaign

 

Cybersecurity experts from Proofpoint have unearthed a Chinese-sponsored phishing campaign and published a report on Thursday; as per the findings, Chinese state hackers targeted several Tibetan organizations in a low-volume phishing campaign using malicious malware on the systems of Tibetan organizations. The campaign was designed to hijack Gmail accounts via a malicious Firefox browser extension.

According to Proofpoint, Chinese sponsored phishing campaign started in January and continued throughout February and was managed by the TA413 APT group, a threat group that’s aligned with the Chinese Communist Party’s state interests.

Hackers Modus Operandi 

TA413 attackers targeted the organizations by sending a fraudulent email, once the victim opened the email it redirected the victim to the attacker-controlled you-tube[.] domain that displays a fake Adobe Flash Player Update landing page.

Threat actors specifically targeted the Firefox users and users with an active Gmail session were prompted to download the malicious add-on. If the potential target used any other web browser, they would get redirected to the legitimate YouTube login page.

According to Proofpoint, threat actors could exploit the following functions on infected browsers:

 Gmail:

• Search emails 
• Archive emails 
• Receive Gmail notifications 
• Read emails 
• Alter Firefox browser audio and visual alert features 
• Label emails • Marks emails as spam 
• Delete messages 
• Refresh inbox 
• Forward emails 
• Perform function searches 
• Delete messages from Gmail trash 
• Send mail from the compromised account

 Firefox (based on browser permissions): 

• Access user data for all websites 
• Display notifications 
• Read and modify privacy settings 
• Access browser tabs

Proofpoint stated that “the use of browser extensions to target the private Gmail accounts of users combined with the delivery of Scanbox malware demonstrates the malleability of TA413 when targeting dissident communities. These communities have a traditionally low barrier for compromise by threat actor groups and TA413 appears to be modulating their tools and techniques while continuing to rely on proven social engineering techniques.”

The Chinese state hackers also infected the victims with the Scanbox malware. A PHP and Java-script-based reconnaissance framework; this malware is an old tool used by Chinese cyber-criminal groups.

“Scanbox has been used in numerous campaigns since 2014 to target the Tibetan Diaspora along with other ethnic minorities often targeted by groups aligned with the Chinese state interests,” Proofpoint further stated.

Threat Actors Targeting British Users in a Facebook Phishing Campaign

 

After targeting the German users in the ongoing Facebook phishing campaign threat actors have shifted their focus onto the British users, nearly 75% of the new victims are based in the UK. Cybernews exposed the phishing campaign on Facebook named “Is that you” after it tricked nearly 4.5 lakh users in Germany since its beginning on January 26.

It seemed like threat actors have abandoned their campaign after getting exposed but they were planning to launch their phishing campaign in another country. The new phishing campaign was launched on February 11 in the UK and since then it has targeted more than 20,000 British users. Cybernews has shared the details of their investigation regarding the ongoing phishing campaign in Germany and the UK with Facebook, CERT UK, Dominican Republic’s cyber police, and wal. ee (the URL shortener service used by the threat actor).

Threat actors are using the same legitimate third-party web statistics service to track the growth of the latest phishing campaign in the UK as they used in Germany. Their methodology of operating is also identified as it was in Germany, threat actors are sending a personal Facebook text to the unsuspected users and are claiming to have discovered a video or image with the victim featured in it. This text then directs the victim through a chain of websites that have been compromised with malicious scripts that accumulate the victim’s credentials and are infected with adware or other malware, depending on the victim’s device.

The two things which are unidentical from the previous phishing campaign in Germany are tracking code and campaign name. Cybernews managed to gain access to the threat actor’s dashboard in order to learn the scale of the campaign and it appears that over 20,000 users are trapped in the net laid by the threat actors. Due to the access to the threat actor’s dashboard, Cyber news was able to spot the devices and browsers predominantly used by the victims.

Three steps to protect yourself against phishing campaign

 1) Your passwords should be unique and complex for all the online accounts and the password manager will suggest you to generate strong passwords.

 2) Enable the multi-factor authentication option (MFA) and try to remain vigilant while using any social media platform and beware of any suspicious text sent to you even from your Facebook contact.

 3) Threat actors usually apply social engineering to tempt you to click on the malicious links or download infected files, think twice before clicking on such suspicious links and report to the cyber cell for the potential cyber fraud.

Fraudsters Target US Tax Experts in Ongoing Phishing Campaign

 

Scammers are targeting US tax professionals in ongoing series of phishing attacks to steal Electronic Filling identification Numbers (EFINs). The International Revenue Service (IRS) has alerted US tax experts regarding the phishing campaign and suggested taking precautionary measures to avoid any loss.

The ongoing series of phishing attacks was started right before the US tax season with the target of stealing both users’ data and tax professionals’ identity. Scammers trick tax preparers by sending phishing emails and asking them to email their copies of “EFIN (e-file identification number) verification and Driver’s license” as a part of the fake verification process.

To make the verification process more authentic scammers threaten the potential victims to freeze their accounts they use to file tax documents online. Due to lack of knowledge or fear the victims hand over their information to the scammers. Once the scammers receive the information, they can file tax returns illegally for refunds by acting as tax professionals. 

IRS Tax E-Filling’ is used as the sender name by scammers in emails and ‘Verifying your EFIN before e-filing as a subject line followed by the content mentioned below:
“In order to help protect both you and your clients from unauthorized/fraudulent activities, the IRS requires that you verify all authorized e-file originators prior to transmitting returns through our system. That means we need your EFIN (e-file identification number) verification and Driver’s license before you e-file."

“Please have a current PDF copy or image of your EFIN acceptance letter (5880C Letter dated within the last 12 months) or a copy of your IRS EFIN Application Summary, found at your e-Services account at IRS.gov, and Front and Back of Driver’s License emailed to complete the verification process. If your EFIN is not verified by our system, your ability to e-file will be disabled until you provide documentation showing your credentials are in good standing to e-file with the IRS.”

Tax experts targeted by this ongoing phishing campaign are recommended not to respond to suspicious emails and to send the emails (as file attachments) to phishing@irs.gov. Tax professionals can also report to the Treasury Inspector General for Tax Administration for further analysis by the IRS Criminal Investigation division.

Threat Actors are Targeting Users Via New Phishing Campaign

 

Threat actors are using Morse code – ‘the novel obfuscation technique’ for targeted phishing campaigns. This technique is known for the code language for Army and security services, by this technique, threat actors are able to hide the email attachment containing malicious URLs.

Last week hackers used the morse code in the phishing emails to bypass secure mail gateways and mail filters. Bleeping Computer discovered the strike on various samples which were uploaded on 2nd February 2021 to VirusTotal. Threat actors targeted the company by sending a malicious email posing to be an invoice for the company. 

This mail looks like – “Revenue_payment_invoice February_Wednesday 02/03/2021” including the HTML attachment for the invoice as [company_name] _ invoice _ [number]._xlsx.html.

The attachment contains mapped letters and numbers then calling out to the decodeMorse() function into a hexadecimal string to decode a Morse code string. The JavaScript is inserted into the code holding assets to provide a fake file asking users for the password permitting threat actors to gain access.

Threat actors are tricking users by using the logo-clearbit.com service to make the form look more convincing, in case the logo is not available then the logo of generic Office 365 is used. The other companies which have suffered due to this phishing attack are Dimensional, Metrohm, SBS, Nuovo IMAIE, ODDO BHF Asset Management, SGS, Dimensional, SBI (Mauritius) Ltd., Bridgestone, Cargeas, Equinti, Capital Four, and Dea Capital.

Morse code was invented by the American artist and inventor Samuel F.B. Morse during the 1830s for electrical telegraphy and further upgraded by American scientist and businessman Alfred Lewis Vail. It is a technique used in telecommunication to encode text characters by an arrangement of dots, dashes, and spaces.