The owners of the Telegram channels noted that scammers under the guise of advertising offers send malicious files.
" In particular, they can be represented by advertising managers of the GeekBrains educational platform", Nikita Mogutin, the co-founder of the Telegram channel Baza (more than 310,000 subscribers), wrote on Facebook. Owner of the Telegram channel Madonna (more than 9500 subscribers) Madonna Moore said that five scammers write to her a day. She also published the text of correspondence with a person who introduced himself as a representative of GeekBrains.
GeekBrains has received many complaints about fraud on behalf of the company and has already sent out warnings to agencies and bloggers, said Elena Toropina, head of the company's marketing department. In her opinion, the attack on the channels is connected with the growth of the online education industry, which spends a lot of money on advertising.
Kaspersky Lab reported that the attachments sent by the attackers contain a Trojan virus.
"If the victim runs the file, a program will be installed on the computer that will steal the accounts stored on it and provide fraudsters with hidden remote control of the Telegram channel", told Yaroslav Kargalev, deputy head of the Group-IB incident response center. According to him, scammers can also change the phone number in the channel's account to get full control over it.
Most often, channel theft is needed to publish links to malicious resources in the Telegram channel or to get a ransom, said Sergey Trukhachev, head of the special services unit of Infosecurity a Softline Company.
"The increase in the activity of scammers may be associated with the influx of new users to Telegram", noted Kargalev.
Telegram downloads have increased dramatically as WhatsApp has added a clause to its rules that allows users to share their personal data with Facebook. Moreover, the growing popularity of Telegram is due to the fact that supporters of Donald Trump, who was blocked in many social networks, have "flowed" there.
Telegram founder Pavel Durov called the sharp increase in the number of new users "the largest digital migration" in human history. In the first week of January, Telegram's monthly audience overcame the mark of 500 million active users.
Earlier, E Hacking News reported that Pavel Durov advised users to remove WhatsApp from smartphones. He called the WhatsApp application unsafe.
The Russian-language Darknet site sells a program that allows you to distribute spam messages bypassing traffic and email protection tools. The program uses a function in the IMAP protocol
A new tool for spammers is actively being sold on the Darknet, which allows you to bypass the standard protection of e-mail accounts. By exploiting a feature in the Internet Message Access Protocol (IMAP), attackers upload the messages they need directly into the mailboxes of victims.
To trigger the attack, it is necessary that the attackers already have access to the victim's account. The Email Appender malware has been actively promoted on Russian-language hacker forums since the fall of 2020.
The author offers to use the program through a subscription — $50 for one day, $300 for a week or $1000 per month. This is very expensive, but judging by the latest campaigns, the demand for this service is very high.
Experts of the information security company Vade Security indicate that companies in Italy, France, Denmark and the United States have already been subjected to full-scale attacks by spammers using Email Appender. One of the affected organizations claims that it received 300 thousand spam messages in one day and was forced to spend very substantial resources to disable compromised accounts or change usernames and passwords.
Databases of usernames and passwords to mail are actively sold out on hacker forums. According to Gemini Advisory, an attacker can upload such a database to Email Appender, after which the program will try to connect to accounts that match pairs of usernames and passwords via IMAP. Next, it remains to use the IMAP function, which allows hackers to upload ready-made mail messages to the mailbox.
"There are a number of ways to block such spam campaigns, but the main one is to regularly change passwords and not use the same combination (or similar to it) more than once," said Alexey Vodiasov, technical Director of the company SEC Consult Services.
In addition, according to Vodiasov, two-factor authorization is effective, so that even a compromised account cannot be connected without attracting the attention of its rightful owner.
The expert added that it is also possible to enable notifications of cases of logging into an account from unusual IP addresses. Mail systems are quite capable of doing this.
In the city of Lagos, three Nigerian nationals suspected of participation in an organized cybercrime group behind malware distribution, phishing attacks, and a massive business email compromise (BEC) ring responsible for scams globally, have been arrested under “Operation Falcon” carried out jointly by international police organization with Nigeria Police Force and Singapore-based cybersecurity firm Group-IB, according to the reports by Interpol.
Wisconsin: Republican officials said that hackers stole $2.3m from the party's account being used to support Donald Trump's re-election.
In autumn, experts recorded mass registration of domain names with the names of well-known brands in the .RU zone
Specialists at Infosecurity, a Softline company, recorded mass domain registration in Runet with the name of well-known brands and the ending –off, which can be used for sales.
As an example, the company cited the domain names familiya-off.ru, detskiy-mir-off.ru, tele2-off.ru, rosneft-off.ru and citilink-off.ru. According to the head of the Infosecurity special server Sergey Trukhachev, on October 20, the Ethic threat detection service detected the registration of 192 such domains. All of them are registered through the same Russian structure with servers at ISPIRIA Networks Ltd, located in Belize (Central America). As Trukhachev noted, the company is often used for hosting malicious sites.
At the end of September, the appearance of hundreds of similar domains in Runet was noticed by SearchInform. According to Alexey Drodd, head of the company's information security department, it’s about very diverse brands (furniture companies, clothing stores, jewelry stores, mobile retail).
According to Kirill Kirillov, co-founder of BrandMonitor, domains with the names of major brands are registered every day, and the earnings of scammers depend on the method of monetization. For example, according to Kirillov, counterfeit dealers can earn 3-10 million rubles ($39,000 - $117,000) annually.
Such a site can be blocked in a day if it is obvious that it is phishing or distributes malicious software. There are also cases when it is technically impossible to block access to a resource: if their servers are located in a country where hosting providers do not block sites (for example, in Belize).
The companies surveyed said they monitor domain registrations with similar names and fight them when signs of fraud appear.
As the U.S. presidential elections are approaching, the hacking and spamming attacks related to it are rising. In a similar incident, hackers use fake voter registration forms to steal data of the users who access the fake government sites. The voter registration links work as bait, and if the user clicks it, he is redirected to a fake government website. The hacker then steals personal user data, along with banking credentials sometimes.
A malicious program that steals passwords was sent out in mid-September by scammers in letters claiming to be from the rector of Moscow State University. The recipients were financial, industrial, and government organizations in Russia.
The mailing, as noted in the company Group-IB, was held in the period from 9 to 16 September.
"In the letter, the attackers, on behalf of rector Viktor Sadovnichy, ask recipients to read the attached document “ A description of the budget for 2020” and promptly send their commercial offer,” reported the company's press service.
The texts of the letters are illiterate and contain stylistic errors. In addition, the order of words and sentences indicates that fraudsters use an automatic translation program. The authors of the letter were too lazy to change or check all the links in the template before sending them out. Probably, similar attacks have already been carried out on behalf of other universities, most likely foreign ones.
The addresses of Moscow State University were indicated as the sender in the letters. In fact, the correspondence was sent from the hacked mail server of the Hotel Alfonso V in the Portuguese city of Aveiro. The hotel has already been notified of the break-in.
All the scammers’ emails contained an archive called "Request for a commercial offer" with an executable .exe file inside. After it was launched, a malicious program was installed on the user's device that could steal usernames and passwords.
"In the future, hackers can use them to gain access to email accounts or crypto wallets, for financial fraud, espionage, or sell stolen data on hacker forums,” said Group — IB.
According to Vasily Kuzmin, Deputy head of the information technology department of Moscow State University, neither the rector nor the University administration ever send letters with such content.
Experts of the company Group-IB, specializing in the prevention of cyberattacks, together with the Federal Tax Service (FTS), identified the activity of fraudsters in the Network. Criminals send emails to legal entities and state institutions allegedly on behalf of the tax authorities.
All emails of attackers looked the same. They said that the recipient must appear at the Federal Tax Service to "give evidence about the flow of funds”. Before visiting the institution, the recipient of the letter was required to fill out a special form, which was attached in the letter as an archive with a password. The password was also attached in the email. This scheme allowed bypassing antivirus protection. When the archive was opened, a program for remote access to it was installed on the user's computer.
"The Federal Tax Service of Russia does not send letters to taxpayers about the existence of debt and offers to pay the debt online,” reported the press service of the FTS.
The mailing started at the end of July and continues to this day. Emails are sent to employees of oil and mining companies, airports, Telecom operators, and other organizations.
Experts are discussing the possibility of introducing a new article "Tax fraud” into the criminal code of the Russian Federation.
Moreover, according to Igor Bederov, General Director of the Internet Search company, in total, there are more than 1 million fake websites in Russia, up to 1 million messages are sent per day. He added that the share of phishing messages today can be up to 10% of the total volume of e-mail messages.
It is difficult to calculate the total amount of damage to organizations caused by phishing attacks, but one such successful attack can cost an average of 2,000 to 50,000 rubles ($27-680).
Earlier, E Hacking News reported that Kaspersky Lab experts described a discovered method of corporate phishing. Phishing attacks claiming to be from HR steals bank employees credentials.