Search This Blog

Showing posts with label Phishing Campaign. Show all posts

Ukraine Suspects Russia Behind a Spear Phishing Campaign

 

Three of the many Ukrainian cybersecurity organizations – the Ukrainian Secret Service, Ukrainian Cyber Police, and CERT Ukraine - cautioned last week that Russia-linked cybercriminals were conducting "massive" spear-phishing campaigns against the Ukrainian government and private sector businesses. 

Also, one of the three agencies, the Ukrainian Secret Service has ascribed the attack to the Russian Federation's 'Special Service,' attributing this year's third cyber attack by Russian hackers. 

The spear-phishing campaign occurred at the beginning of June last week, following the Ukrainian Secret Service, Cyber Police, and CERT Ukraine warnings. 

The attackers sent out emails to the Police Department in Kyiv Patrol Police Department, cautioning recipients for the failure to pay local taxes. 

“Specialists of the Security Service of Ukraine established that in early June this year, mass e-mails were sent with the sender’s address changed. Messages, in particular, allegedly from the Kyiv Patrol Police Department contained malicious attachments and were sent to the addresses of several government agencies.” reads the alert published by the Ukrainian Secret Service. 

Recipients of the email were encouraged to install a RAR archive included within the E-mail, that would drop a double extension EXE file (filename.pdf.exe) to appear as a PDF file. 

Victims using the suspicious program would download a modified remote access software, RemoteUtilities, which would revert to remote command servers in Russia, Germany, and the Netherlands. “This allows the foreign intelligence service to remotely exercise full control over the PC,” the Ukrainian Secret Service said on Friday. 

Officials of CERT also noted that the operation last week used tactics similar to other attacks that happened in January and March this year. 

In February, the Government of Ukraine blamed an APT organization, a Russia - based gang, for the attacks on a government document management system, the System of Electronic Interaction of Executive Bodies (SEI EB). The hackers were designed to disseminate malicious documents to government authorities, according to Ukrainian officials. The SEI EB servers are used to communicate documents with Ukrainian government entities. 

The Ukrainian Security and Defense National Council reported that the attackers were conducting “the mass contamination of information resources of public authorities.” 

At the very same time, Ukraine accused Russia of significant offenses targeting Ukrainian security and defense sites on unspecified Russian Internet networks. However, the Ukrainian authorities have not provided any information regarding the attacks or the damage inflicted.

This Entertainment-Themed Campaign Installs Malware in User Computer System

 

A popular phishing campaign tries to somehow get users to believe that they've enrolled in the film streaming platform to force customers to call on a phone number for cancellation – a technique that contains BazaLoader malware that harms the computer. 

BazaLoader is a C++ downloader for installing and performing other modules. In April 2020, BazaLoader was first observed by Proofpoint. 

BazaLoader develops a backdoor on Windows machines that could be exploited to provide initial access to other malware attacks - even ransomware. Ryuk Ransomware is generally delivered through BazaLoader, which can have severely harmful consequences to a successful compromise amongst cybercriminals. The operation of BazaLoader demands important human contact in the implementation and installation of the BazaLoader backdoor. 

The operator of the threat used customer service agents to lead victims to download and install the malware unwittingly. This campaign represents a broader pattern used as part of a sophisticated attack chain by BazaLoader threat actors that use call centers. 

The initial stage of the effort, which is detailed by cybersecurity investigators at Proofpoint, involves distributing tens of thousands of phishing emails affirming to come from 'BravoMovies,' a bogus movie streaming platform created by cybercriminals themselves. 

The site seems plausible and people behind it generated false film posters utilizing open-source pictures that are available online – but the way the site has numerous orthographic mistakes can suggest that something must be wrong if one looks very carefully. 

The email received states that the victim has subscribed and charged $39.99 a month - but if they contact a support number, that suspected subscription may be terminated. 

When the user contacts the number to which they are associated, the "customer service" professional claims to walk them through the withdrawal procedure – but what they are doing tells the unwitting victim how they may install BazaLoader on their computer systems. 

These are done by directing the caller to a "Subscription" website, wherein part of the procedure invites users to click a Microsoft Excel downloading link. This document contains macros that will silently upload BazaLoader to the system if it is activated, spreading malware on the victim's PC. 

"Malicious attachments are often blocked by threat detection software. By directing people to phone the call center as part of the attack chain, the threat actors can bypass threat detection mechanisms that would otherwise flag its attachments as spam," Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told ZDNet. 

"Social engineering is the key to this attack chain and threat actors depend upon their social engineering lures to cause recipients to take any action to complete the attack chain and get the malware on the target's machine," said DeGrippo further added. 

It should also be pointed out that while getting an e-mail claiming that the user's credit card will be billed if they do not answer, with the creation of a sense of urgency such as this is a common method employed in phishing operations to make a user obey instructions.

BazarBackdoor Campaigns in Attempts to Avoid Detection

 

In two recent projects, threat actors using BazarBackdoor used an unusual combination of lures, tactics, and networks to target corporate customers. Threat perpetrators use the victims' own initiative to get through security barriers and reach a consensus in these initiatives. These methods may also be used to combat phishing awareness training. 

BazarBackdoor is a modern malware that has the potential to infect machines and run a variety of malicious programmes. It is thought to have been developed by the same people who created the TrickBot Trojan, a banking Trojan that infects Windows computers. This is due to the fact that BazarBackdoor shares coding and other characteristics with the TrickBot Trojan. 

Threat actors using the BazarBackdoor ransomware have been playing with roundabout ways to get consumers to self-infect, according to a blog post published this week by Cofense. A fake invoice was used in one campaign, with a reference to a malicious website but no direct link to it. Instead, the attackers hope that users can type or paste the URL into their browsers. A second campaign involved a phone number that, when dialed, connects the customer to a phony business official that would attempt to persuade them to access an attacker-controlled website. 

“The notable part about this is that we don’t usually see this sort of thing,” said Joseph Gallop, an intelligence analysis manager at Cofense, in an interview with SC Media. “Usually, threat actors try to make the path to compromise as simple as they can for the victim to follow.”

“There is an increase in fileless, linkless attacks that are engineered toward luring users to do something they are not supposed to do outside of the scope of clicking on links or opening attachments,” said Ironscales CEO Eyal Benishti. “Most of these attacks are BEC attacks, impersonating a known internal or external sender trying to lure users into wiring money, paying fake invoices, changing bank account details records, buying gift cards or other goods, and the defenders’ challenge now is to detect and block communications with malicious intent and not necessarily malicious content.” 

The circuitous road to infection used by the BazarBackdoor campaigns depends on the victim's willingness to put in a little extra effort, but there's a tactic behind this risk: According to the Cofense report, “More and more, corporate network users are being conditioned to recognize malicious links and attachments." Thus, “the absence of apparently malicious links and attachments may lull potential recipients into complacency. Failure to recognize the roundabout engagement tactics at play here could result in a compromise going unnoticed.”

Researchers Found Three New Malware Strains in a Phishing Campaign

 

A global phishing program used never-before-seen malware strains distributed by specially-tailored lures to attack global organizations across a broad range of industries. According to a Mandiant report released today, the attacks targeted at least 50 organizations from a diverse range of sectors in two waves, on December 2nd and between December 11th and 18th. 

UNC2529 is the name of the threat actors behind the malware, who are identified as "experienced and well-resourced." Organizations in the United States, the EMEA zone, Asia, and Australia have been attacked in two waves so far. 

Threat actors would also pose as account executives touting services suitable for various industries, such as security, medication, transportation, the military, and electronics, in phishing messages sent to prospective victims. 

The global phishing scheme was controlled by over 50 domains in total. UNC2529 hacked a domain owned by a US heating and cooling services company, tampered with its DNS data, and used this structure to conduct phishing attacks against at least 22 entities in one successful attack. The lure emails included links to URLs that led to malicious.PDF payloads and a JavaScript file stored in a.zip folder. The records, which were obtained from public databases, were compromised to the point that they were unreadable, prompting victims to double-click the.js file in an effort to read the content. 

"The threat actor made extensive use of obfuscation and file-less malware to complicate detection to deliver a well-coded and extensible backdoor," Mandiant said. 

The threat group used phishing emails with links to a JavaScript-based downloader (labeled DOUBLEDRAG) or an Excel document with an embedded macro that downloaded an in-memory PowerShell-based dropper (labeled DOUBLEDROP) from attackers' command-and-control (C2) servers during the two waves of attacks. The DOUBLEDROP dropper includes 32-bit and 64-bit versions of the DOUBLEBACK backdoor, which is implemented as a PE dynamic library. 

"The backdoor, once it has the execution control, loads its plugins and then enters a communication loop, fetching commands from its [command-and-control] C2 server and dispatching them," Mandiant notes. "One interesting fact about the whole ecosystem is that only the downloader exists in the file system. The rest of the components are serialized in the registry database, which makes their detection somewhat harder, especially by file-based antivirus engines."

Hackers Target Rogers With a New SMS Phishing Campaign

 

Rogers Communications Inc. is advising Canadians to be wary of SMS phishing scams that promise to refund consumers for a system outage that occurred earlier last week. Users were unable to use cellular voice and data networks after the network experienced a nationwide blackout a week ago. Threat actors are also sending fraudulent text messages to recipients, instructing them to click on a link to receive a rebate. 

An SMS circulated on social media falsely reports that “R0GERS WIRELESS INC.” (spelled with a zero instead of an O) is providing a $50 credit to anyone who clicks on a link provided.

Rogers Communications Inc. is a communications and publishing corporation based in Canada. With substantial additional telecommunications and mass media infrastructure, it mainly functions in the areas of cellular broadcasting, cable television, telephony, and Internet connectivity. Rogers' offices are located in Toronto and Ontario. While the business dates back to 1925, when Edward S. Rogers Sr. formed Rogers Vacuum Tube Company to market battery less radios, the current venture dates back to 1960, when Ted Rogers and a partner purchased the CHFI-FM radio station, and then became part-owners of a consortium that created the CFTO television station.

Rogers replied that it never sends credit alerts via text message and advises anyone who receives one to ignore the embedded link. Furthermore, the credit amount will vary based on the cellular plan and will not include a registration link, according to the company. 

According to Ericsson, the 16-hour wireless system blackout on April 19th was triggered by a software update that caused devices to be disconnected from the network. A message from Rogers CTO Jorge Fernandes to customers the next day said, "We have addressed the software issue and our engineering and technical teams will continue to work around the clock with the Ericsson team to restore full services for our customers." 

The links in these texts all point to websites that are hosted on an IP address rather than a domain name. It's unclear what information was phished because the pages have all been taken offline, but it's definitely Rogers customers' personal and account information. 

Rogers is aware of the scam and has advised users to "forward the content of the SMS to 7726 (SPAM), to register it for investigation/blocking from the network," according to a tweet from the company.

Threat Actors Target Covid-19 Vaccine Cold Chain Via Spear-Phishing Campaign

 

Cybercriminals are continuing to target the COVID-19 vaccine cold chain, the means of delivering and storing vaccines at safe temperatures, with spear-phishing campaigns that leverage pharma and biomedical lures, according to an updated IBM X-Force report. 

Threat actors are specifically targeting transportation, healthcare, IT, and electronics sectors. Researchers also discovered the attackers targeting government agencies and vendors that support public health entities, among other targets.

The latest research is an update of a December IBM X-Force report that shed light on widespread phishing tactics leveraged by cybercriminals against vaccine supply chain organizations and other healthcare sectors. IBM X-Force established a cyber task force at the beginning of the pandemic to track cyber threats targeting critical infrastructure organizations.

The global phishing campaign against cold storage supply chain members was first discovered in September, initially tied to Gavi, the Vaccine Alliance’s Cold Chain Equipment Optimization Platform (CCEOP) program. The threat actors masqueraded as biomedical executives and targeted enterprise leadership members in the IT, finance, sales, and procurement departments, who would likely be involved with vaccine cold chain efforts.

 The attackers sent the messages to multiple employees across the enterprise, with some messages purporting to be of help or support pages of the targeted enterprise. Instead, the messages contained malicious HTML attachments that opened locally on the devices and prompted victims to enter user credentials for access. This week’s update revealed the researchers have detected an additional 50 files tied to spear-phishing emails targeting at least 44 entities in 44 different countries, including the US and Canada. 

“The expanded scope of precision targeting includes key organizations likely underpinning the transport, warehousing, storage, and ultimate distribution of vaccines. Spear-phishing attempts were associated with multiple executive activities and other roles," researchers explained.

Particularly, the cybercriminals are targeting CEOs, purchasing managers, system administrators, presidents, heads of supply and logistics, finance directors, HR officers, and a host of other leaders within the enterprise organization. IBM researchers first noticed the latest phishing campaign directly following the publication of the previous report. The malicious email was addressed to a German pharmaceutical and bioscience solutions company working on vaccine production and associated activities. The target also appeared to be a client of one of the original targets detected in the initial campaign.

“While our previous reporting featured direct targeting of supranational organizations, the energy and IT sectors across six nations, we believe this expansion to be consistent with the established attack pattern, and the campaign remains a deliberate and calculated threat,” wrote the researchers.

Attackers Targeted Robinhood with a Phishing Campaign

 

Attackers have targeted clients of stock-trading broker Robinhood with a phishing campaign planned to steal their credentials and spread malware utilizing counterfeit tax documents, the organization has cautioned.

Robinhood Markets, Inc. is an American financial services organization settled in Menlo Park, California, known for offering commission-free trades of stocks and exchange-traded funds through a mobile application presented in March 2015. Robinhood is a FINRA-managed broker-dealer, enlisted with the U.S. Securities and Exchange Commission, and is a member of the Securities Investor Protection Corporation. The organization's revenue comes from three fundamental sources: interest earned on customers' cash balances, selling order information to high-frequency traders (a practice for which the SEC opened an investigation into the company in September 2020), and margin lending. As of 2020, Robinhood had 13 million clients. 

Robinhood, has confronted various regulatory and legal difficulties along the way, sent an email to clients Thursday warning of a phishing scam “that may have reached some of our customers.” 

Attackers targeted clients in two ways, as per the email. One assault vector utilized phishing emails with links to counterfeit Robinhood sites provoking visitors to enter their login credentials, including authentication codes the organization uses to help guarantee the security of individuals' accounts. Other emails saw assailants exploiting the tax season, requesting potential victims to download counterfeit tax files, for example, Form 1099—that included malware, as per the email. 

“There tends to be an increase in these types of emails around tax season, so we ask that you be extra careful about how you access your Robinhood account,” as per the email. Robinhood recommended individuals check the strength of safety features of the application on their gadgets, manually eliminating any gadgets they don't perceive from accessing and resetting passwords on the off chance that they believe they might be in danger. The organization likewise urged clients to reach out to its support team directly from the Robinhood application or its site. 

One of the main grievances among Robinhood clients was that they couldn't reach the company for support, causing regulators like the Securities and Exchange Commission (SEC) to become de facto customer support for the platform’s clients.

Mackenzie Scott Scam: Fraudsters asking Fake Donations in Billionaire's name

 

A major phishing campaign that reached tens of thousands of inboxes impersonated as MacKenzie Bezos-Scott grant foundation promising monetary advantages to recipients of the e-mail in exchange for a processing fee. 

The processing fee is referred to as an "advance fee," and it has been used since before the internet, with the "Nigerian prince" version popularising it. But this phishing campaign took advantage of the charitable acts last year from author MacKenzie Scott, ex-wife of Amazon founder Jeff Bezos. 

The scam surfaced after Mackenzie Scott revealed in December that she had donated $4.2 billion of her fortune to over 300 organizations, including food banks and other charities that assist the people in need. Ironically, one food bank in Arkansas, which had received an authentic email from Scott about a legitimate donation, initially mistook it for a hoax. 

Eyal Benishti, the CEO of tech security company Ironscales said, “That may have primed fraudsters to develop a phishing scam based on Scott's donations in the hope that some organizations would believe that they, too, are receiving valid emails”. About 200 of its customers have received the bogus Mackenzie Scott emails, although none have fallen for the bait, he added. 

Fraudsters initiated the scam by sending out spoofed emails that claimed, MacKenzie Bezos-Scott grant foundation is distributing funds from their foundation. In fact, the emails were sent not to distribute billions to charity, but fleece victims. 

However, the fake Mackenzie Scott emails had a few tip-offs that hints they weren't real: 

1. Sender’s title appeared as “Mackenzie Scott Grant” but the return email address was to the domain ‘@mintme.com’ 
2. Multiple grammatical errors in the email body 
3. Sender’s name and signature were different 

The fraudsters alleged that they are from the "MacKenzie Bezos-Scott foundation" and have chosen a recipient for a grant. Further, they ask for the recipients' full name and address, and if they answer, recipients are required to submit a small processing fee to unlock the grant. Of course, there's no grant; it's just a tactic to extort money from the victims.

Scams have escalated as a result of large-scale relief programs such as stimulus checks and the Paycheck Protection Program, which has drawn out fraudsters trying to trick people into giving away sensitive data, such as Social Security numbers. With the ongoing levels of hardship due to the coronavirus pandemic, people are more susceptible to scams at the moment.

Medical Professionals of U.S. and Israel Targeted in a 'BadBlood' Phishing Campaign

 

Email security firm, Proofpoint has exposed a hacking group linked with the Iranian government targeting nearly two-dozen medical researchers in Israel and U.S. The targeted medical professionals particularly work in the oncology, genetics, and neurology fields in both U.S. and Israel. Proofpoint described the phishing campaign as ‘BadBlood’ due to its nature of targeting medical professionals.

According to Proofpoint, the Iranian hacking group operates with different names such as TA453, Charming Kitten, Phosphorus, APT35, ITG18, Ajax Security Team, NewsBeef, and Newscaster. The hacking group that has been operating since 2011, is specifically targeting medical professionals, activists, and journalists in the Middle East, the U.K., and the U.S. 

To lure the victims into their trap, the Iranian hacking group employed a Gmail account in the name of prominent Israeli physicist, Daniel Zaifman. The attackers sent a series of malicious emails from the Zaifman account to the medical professionals claiming to contain sensitive information on Israel’s nuclear program. 

The malicious emails contained a link that directed the victims to a fake Microsoft login page and once opened, the malicious links extracted the users’ email credentials. Although the motives of this attack is not yet clear, many researchers believe the operation was conducted to acquire medical research or private health data on intelligence targets of interest to Tehran. 

“While this campaign may represent a shift in TA453 targeting overall, it is also possible it may be an outlier, reflective of a specific priority intelligence tasking given to TA453. While targeting medical experts in genetics, neurology and oncology may not be a lasting shift in TA453 targeting, it does indicate at least a temporary change in TA453 collection priorities. BadBlood is aligned with an escalating trend globally of medical research being increasingly targeted by espionage motivated focused threat actors,” Proofpoint stated.

India's Top 5 Banks Targeted in a Phishing Scam

 

The customers of State Bank of India (SBI), ICICI, HDFC, Axis Bank, and Punjab National Bank (PNB) have been alerted regarding a serious security vulnerability. Threat actors are trying to lure Indian users into revealing important private information using the mobile apps of the aforementioned banks. The report suggests that suspicious messages prompted users to submit an application for disbursement of the income tax refund. 

The threat actors are attaching a link with these texts that looks like an income tax e-filing web page. The suspicious links originate from the US and France without a domain name and are not linked with the Indian government, as per the revelation made in an investigation by New Delhi-based think tank CyberPeace Foundation along with cybersecurity services firm Autobot Infosec. 

Furthermore, the report claims that all IP addresses associated with the campaign belong to some third-party cloud hosting providers. The entire campaign uses the normal or plain HTTP protocol instead of the secure https. This means that anyone on the network or the internet can intercept traffic and obtain confidential information in normal text format to misuse against the victim.

How do threat actors exploit vulnerabilities?

Threat actors install malware in these banking apps and then lure the users in downloading an application from a third-party source instead of the Google Play Store. This application then asks the administrator to provide all rights and permit unnecessary use of the device. 

On opening the link http://204.44.124[.]160/ITR, users are redirected to a landing page, which looks similar to the official government income tax e-filing websites. Now, the users are asked to click on the 'green color' and proceed to the verification steps. Users are further asked to submit private information such as their full name, PAN number, Aadhaar number, address, PIN code, date of birth, mobile number, email address, gender, marital status, and banking. 

Apart from this, they are also asked to fill in information such as account number, IFSC code, card number, expiration date, CVV, and card PIN. All of this information is being finally transferred to the threat actors.

Hacked SendGrid Accounts used In Phishing Attacks To Steal Logins

 

A new cyber campaign has come to known as a phishing attack. Outlook Web Access and Office 365 services users are being targeted. The campaign collected the credentials of thousands of customers relying on trusted domains such as SendGrid. 

The campaign named “Compact”, the Cyber actors behind these phishing attacks have been operating this campaign since the beginning of 2020 and it is being estimated that the campaign has successfully been able to collect over 400,000 sensitive credentials from multiple companies. 

The phishing campaign operators used Zoom invites as a lure along with an extensive list of email addresses and used this information in sending messages from hacked accounts on the SendGrid cloud-based email delivery platform. Since SendGrid is a trusted Simple Mail Transfer Protocol (SMTP) provider, the messages had very less chances of not reaching their destination and being blocked by email protection technology. 

Researchers at WMC Global, makers of the PhishFeed real-time phishing intelligence service, highlighted some mistakes of the campaign operators. Those mistakes allowed them to analyze how the data has been moved from the phishing site into the hands of the operator. 

Researchers analyzed that each phishing campaign successfully collected 3,700 credential addresses, which would make the total from various Compact campaigns around 400,000 unique credentials. 

WMC Global stated that “Earlier operations used compromised SendGrid accounts to deliver the phishing emails and then moved to MailGun, a developer-centric email service with APIs that allows sending, receiving, and tracking messages”. 

WMC believes “that the switch to a different service was determined by their collaboration with SendGrid to restore compromised accounts to the legitimate owners. Also, the phishing website of the Compact campaign had distinct fingerprints in the code that permitted monitoring and detecting of a new site as soon as it became life…”

 “…We found a landing site impersonating Outlook Web App in December 2020 and another one in January 2021 that pretended to be for Office 365 login”, the company added. 

Searching the website source code, the researchers were able to steal locations and credential logs in text files. The attackers behind the Compact campaigns had created the exfiltration code on various compromised legal websites. 

While analyzing log data researchers noticed that employees who are working at notable companies had fallen for the Compact phishing campaign. At present, the Compact operators are using an Office 365 theme that continues to be active and is the most prevalent. 

WMC Global stated that “the latest email campaigns were noisy enough to attract attention but the tactics, techniques, and procedures observed point to other campaigns that used different phishing themes (Excel, OWA, Outlook Web Access Exchange, 1&1 Ionos, Rackspace)”.

Tibetan Organizations Targeted in a Chinese Sponsored Phishing Campaign

 

Cybersecurity experts from Proofpoint have unearthed a Chinese-sponsored phishing campaign and published a report on Thursday; as per the findings, Chinese state hackers targeted several Tibetan organizations in a low-volume phishing campaign using malicious malware on the systems of Tibetan organizations. The campaign was designed to hijack Gmail accounts via a malicious Firefox browser extension.

According to Proofpoint, Chinese sponsored phishing campaign started in January and continued throughout February and was managed by the TA413 APT group, a threat group that’s aligned with the Chinese Communist Party’s state interests.

Hackers Modus Operandi 

TA413 attackers targeted the organizations by sending a fraudulent email, once the victim opened the email it redirected the victim to the attacker-controlled you-tube[.] domain that displays a fake Adobe Flash Player Update landing page.

Threat actors specifically targeted the Firefox users and users with an active Gmail session were prompted to download the malicious add-on. If the potential target used any other web browser, they would get redirected to the legitimate YouTube login page.

According to Proofpoint, threat actors could exploit the following functions on infected browsers:

 Gmail:

• Search emails 
• Archive emails 
• Receive Gmail notifications 
• Read emails 
• Alter Firefox browser audio and visual alert features 
• Label emails • Marks emails as spam 
• Delete messages 
• Refresh inbox 
• Forward emails 
• Perform function searches 
• Delete messages from Gmail trash 
• Send mail from the compromised account

 Firefox (based on browser permissions): 

• Access user data for all websites 
• Display notifications 
• Read and modify privacy settings 
• Access browser tabs

Proofpoint stated that “the use of browser extensions to target the private Gmail accounts of users combined with the delivery of Scanbox malware demonstrates the malleability of TA413 when targeting dissident communities. These communities have a traditionally low barrier for compromise by threat actor groups and TA413 appears to be modulating their tools and techniques while continuing to rely on proven social engineering techniques.”

The Chinese state hackers also infected the victims with the Scanbox malware. A PHP and Java-script-based reconnaissance framework; this malware is an old tool used by Chinese cyber-criminal groups.

“Scanbox has been used in numerous campaigns since 2014 to target the Tibetan Diaspora along with other ethnic minorities often targeted by groups aligned with the Chinese state interests,” Proofpoint further stated.

Threat Actors Targeting British Users in a Facebook Phishing Campaign

 

After targeting the German users in the ongoing Facebook phishing campaign threat actors have shifted their focus onto the British users, nearly 75% of the new victims are based in the UK. Cybernews exposed the phishing campaign on Facebook named “Is that you” after it tricked nearly 4.5 lakh users in Germany since its beginning on January 26.

It seemed like threat actors have abandoned their campaign after getting exposed but they were planning to launch their phishing campaign in another country. The new phishing campaign was launched on February 11 in the UK and since then it has targeted more than 20,000 British users. Cybernews has shared the details of their investigation regarding the ongoing phishing campaign in Germany and the UK with Facebook, CERT UK, Dominican Republic’s cyber police, and wal. ee (the URL shortener service used by the threat actor).

Threat actors are using the same legitimate third-party web statistics service to track the growth of the latest phishing campaign in the UK as they used in Germany. Their methodology of operating is also identified as it was in Germany, threat actors are sending a personal Facebook text to the unsuspected users and are claiming to have discovered a video or image with the victim featured in it. This text then directs the victim through a chain of websites that have been compromised with malicious scripts that accumulate the victim’s credentials and are infected with adware or other malware, depending on the victim’s device.

The two things which are unidentical from the previous phishing campaign in Germany are tracking code and campaign name. Cybernews managed to gain access to the threat actor’s dashboard in order to learn the scale of the campaign and it appears that over 20,000 users are trapped in the net laid by the threat actors. Due to the access to the threat actor’s dashboard, Cyber news was able to spot the devices and browsers predominantly used by the victims.

Three steps to protect yourself against phishing campaign

 1) Your passwords should be unique and complex for all the online accounts and the password manager will suggest you to generate strong passwords.

 2) Enable the multi-factor authentication option (MFA) and try to remain vigilant while using any social media platform and beware of any suspicious text sent to you even from your Facebook contact.

 3) Threat actors usually apply social engineering to tempt you to click on the malicious links or download infected files, think twice before clicking on such suspicious links and report to the cyber cell for the potential cyber fraud.

Fraudsters Target US Tax Experts in Ongoing Phishing Campaign

 

Scammers are targeting US tax professionals in ongoing series of phishing attacks to steal Electronic Filling identification Numbers (EFINs). The International Revenue Service (IRS) has alerted US tax experts regarding the phishing campaign and suggested taking precautionary measures to avoid any loss.

The ongoing series of phishing attacks was started right before the US tax season with the target of stealing both users’ data and tax professionals’ identity. Scammers trick tax preparers by sending phishing emails and asking them to email their copies of “EFIN (e-file identification number) verification and Driver’s license” as a part of the fake verification process.

To make the verification process more authentic scammers threaten the potential victims to freeze their accounts they use to file tax documents online. Due to lack of knowledge or fear the victims hand over their information to the scammers. Once the scammers receive the information, they can file tax returns illegally for refunds by acting as tax professionals. 

IRS Tax E-Filling’ is used as the sender name by scammers in emails and ‘Verifying your EFIN before e-filing as a subject line followed by the content mentioned below:
“In order to help protect both you and your clients from unauthorized/fraudulent activities, the IRS requires that you verify all authorized e-file originators prior to transmitting returns through our system. That means we need your EFIN (e-file identification number) verification and Driver’s license before you e-file."

“Please have a current PDF copy or image of your EFIN acceptance letter (5880C Letter dated within the last 12 months) or a copy of your IRS EFIN Application Summary, found at your e-Services account at IRS.gov, and Front and Back of Driver’s License emailed to complete the verification process. If your EFIN is not verified by our system, your ability to e-file will be disabled until you provide documentation showing your credentials are in good standing to e-file with the IRS.”

Tax experts targeted by this ongoing phishing campaign are recommended not to respond to suspicious emails and to send the emails (as file attachments) to phishing@irs.gov. Tax professionals can also report to the Treasury Inspector General for Tax Administration for further analysis by the IRS Criminal Investigation division.

Threat Actors are Targeting Users Via New Phishing Campaign

 

Threat actors are using Morse code – ‘the novel obfuscation technique’ for targeted phishing campaigns. This technique is known for the code language for Army and security services, by this technique, threat actors are able to hide the email attachment containing malicious URLs.

Last week hackers used the morse code in the phishing emails to bypass secure mail gateways and mail filters. Bleeping Computer discovered the strike on various samples which were uploaded on 2nd February 2021 to VirusTotal. Threat actors targeted the company by sending a malicious email posing to be an invoice for the company. 

This mail looks like – “Revenue_payment_invoice February_Wednesday 02/03/2021” including the HTML attachment for the invoice as [company_name] _ invoice _ [number]._xlsx.html.

The attachment contains mapped letters and numbers then calling out to the decodeMorse() function into a hexadecimal string to decode a Morse code string. The JavaScript is inserted into the code holding assets to provide a fake file asking users for the password permitting threat actors to gain access.

Threat actors are tricking users by using the logo-clearbit.com service to make the form look more convincing, in case the logo is not available then the logo of generic Office 365 is used. The other companies which have suffered due to this phishing attack are Dimensional, Metrohm, SBS, Nuovo IMAIE, ODDO BHF Asset Management, SGS, Dimensional, SBI (Mauritius) Ltd., Bridgestone, Cargeas, Equinti, Capital Four, and Dea Capital.

Morse code was invented by the American artist and inventor Samuel F.B. Morse during the 1830s for electrical telegraphy and further upgraded by American scientist and businessman Alfred Lewis Vail. It is a technique used in telecommunication to encode text characters by an arrangement of dots, dashes, and spaces.

Scammers are Tricking Consumers via QR Code Phishing Campaign

 

QR codes - the little Digi squares, an effective tool for contactless transactional activities especially during the Covid-19 pandemic. Quick Response (QR) codes were originally developed back in the mid-nineties for utilization in the Japanese auto-making industry as a swift, machine-readable technique to reserve information regarding a specific item, whether for production, inventory, or eventual scale. 

QR code is the most convenient method to pay or receive money and this tool has seemed to grow exponentially in the last 5 years, mainly due to the explosion in the popularity of smartphones over the past decade. Most of the modern-day Android and iOS camera apps read the codes naturally unlike the previous years where the users have to download a particular QR code-scanning apps to access the information programmed into the tiny squares.

The biggest concern begins when fraudsters start to use QR codes as a doorway to secure consumers' private information regarding bank details, private messages, etc. So how to identify what’s hidden in the QR codes and gain the necessary knowledge to identify a fraudulent one?

The popular method used by the fraudsters is to send texts to the consumers like – ‘Congratulations! You have won 2000 Rs.’ along with the picture of the QR code. This text will prompt the consumers to scan the QR code, enter the amount which will redirect the consumers to the UPI PIN page to receive the money in their account. Most of the consumers with less awareness are trapped in the net laid by the scammers and end up paying the scammer the amount.

The next popular method used by scammers to trick the consumers is to embed a fake QR code into a phishing email, text, or via social media platform. If the consumer scans the fake code which will redirect the consumer to the website with realistic-looking landing pages and the consumer will prompt the consumer to login via PII (personally identifiable information). A fabricated QR code has the ability to take the consumer to the websites where malware can be automatically installed and used to steal critical information from the consumers’ device or even share spyware or viruses.

Three methods to prevent yourself from QR code scam 

1.) Read the message carefully and pay attention to the small details while making transactions via QR code. 

2.) The device used for making payments should be updated frequently and install security software. If any suspicion arises immediately get in touch with your bank and request them to alter your login credentials.

 3.) If the problem is severe you can contact the police and register a formal complaint with the cyber cell, the consumer can also register an online complaint on the National Cybercrime Reporting Portal – cybercrime.gov.in.

Trickbot- A Banking Trojan Returns With Latest Phishing Campaigns and Attacks

 

Trickbot, a banking malware has resurged again with new phishing campaigns and attacks after the collaboration of cybersecurity and technology companies disrupted the Trickbot malware in October last year. Trickbot malware evolved into a highly favorable form of malware among threat actors after starting life as a banking trojan.

Trickbot is a banking malware that sends victims banking-related website pages that almost look identical to the original thing. Trickbot is a replication of older malware Dyre/Dyreza and is also dispersed via malicious spam including HTML attachments. These HTML files download a Word document posing as a login form, in reality, it is embedded with a malicious macro that restores Trickbot from the threat actors’ command and control (C&C) server when permitted.

Microsoft targeted the infamous Trickbot malware last year due to its ability to possess ransomware that could pose a threat to the websites that display election information or to third party software dealers that supply resources to election officials. Trickbot can steal information, keys, and credentials and give backdoor access for transporting other malware, including ransomware.

Threat actors are specifically targeting legal and insurance companies in North America and sending phishing emails to the potential targets and tricking them to click on a link that will transfer them to a server that downloads a malicious payload.

Vinay Pidathala, director of security research at Menlo Security stated that “where there’s a will, there’s a way. That proverb certainly holds true for the bad actors behind Trickbot operations. While Microsoft and its partners’ actions were commendable and Trickbot activity has come down to a trickle, the threat actors seem to be motivated enough to restore operations and cash in on the current threat environment”.

UK’s National Cyber Security Centre (NCSC) issued the advisory that companies should patch the security vulnerabilities and should run on the latest versions of operating system and software.