Search This Blog

Showing posts with label Phishing and Spam. Show all posts

Driver's License Exploitation Scams Surge

 

The Covid epidemic has provided a ripe opportunity for cybercriminals, who are taking advantage of internet information from outdated driver's licenses of targeted individuals. 

According to Stateline, the “phishing” scams benefit from the fact that several nations have made emergency declarations permitting driver's licenses to remain in force beyond expiry dates. With the expiration of such renewals, drivers must now ensure that their licenses are updated, but scammers are taking full advantage of that shift, according to Stateline. 

In conventional phishing, cybercriminals send malicious links or attachments via email, and victims inadvertently click on them. Fraudsters use messaging to conduct their operations, which is known as "SMS phishing" or "smishing." 

As per state motor vehicle agencies, driver's license phishing frauds attempts to steal individual identities and personal information, that have already been sprouting up across the United States. Iowa, Minnesota, Ohio, Vermont, and Wyoming are among the states in which the frauds have been detected until now. 

Scam artists send out SMS or emails making false claims that the target's license needs an urgent update, as some of the information is missing, or even that it is about to expire and will be invalid within a few days. When a person clicks the hyperlink, a Google Forms spreadsheet with personally identifiable information such as a Social Security number and birth date is often opened. 

“It’s despicable,” said David Druker, a spokesperson for the Illinois secretary of state’s office, which issues driver’s licenses. “It’s just outrageous that when the country is going through the COVID crisis, people are taking the time and energy to steal information from others.” 

A large number of people in Illinois, according to Druker, reportedly obtained texts and emails from fraudsters posing as the secretary of state or employees from the state transportation department. Druker also added that he had no idea if anyone else has succumbed to the ruses. 

Upon learning well about phishing and smishing, Illinois officials notified the FBI and IRS, who had collaborated with Google to remove the bogus webpages. According to Druker, the authorities have discovered 1,035 sites so far, and Google has halted nearly 900 such websites. 

As per a notice issued earlier this month by the U.S. Department of Health and Human Services' Office of Inspector General, fraudsters are now employing door-to-door visits, along with telemarketing calls, messages, and social networking sites, to conduct COVID-19-related frauds. 

“Do not provide personal, medical, or financial details to anyone in exchange for vaccine information, and obtain vaccinations from trusted providers,” the Office of Inspector General urges. 

“Posting content that includes your date of birth, health care details, or other personally identifiable information can be used to steal your identity,” said the Inspector General’s office.

Experts have revealed the cost of hacking accounts in social networks

 The most popular social networks and messengers for hacking attempts are VKontakte (VK), Instagram, Telegram and WhatsApp, while the price can vary from $10 to $2,300. This is stated in a study conducted by Bi.Zone.

"We analyzed ads on the darknet from May 2020 to August 2021. In different months, the cost of hacking varied dramatically. This could be due to a situation where some sellers are not actually providing a service but are simply scamming people. They are the ones who can actively dump on the market. Real hackers set their prices based on the time spent. Sometimes they can search for a password in a leak which will significantly reduce the search price. If there is an insider attacker from the developer company, then most likely the high price will be due to the usual risk for the criminal", said Evgeniy Voloshin, director of BI.ZONE expert services block.

The analysis showed that the price of the offer to hack an account in VK varies from $10 to $160. Scammers most often offer to hack this social network.

According to experts, the social network Instagram remains in second place in popularity among hackers. The scammers estimate the cost of their services at $540.

Among messengers, Telegram and WhatsApp hacking offers are leading in popularity. For violating the privacy of these applications, scammers charge from $410 to $2,300 and from $270 to $1,770.

Hacking a personal mailbox, according to analysts, remains another popular service among scammers, the cost of which ranges from $40 to $1,500, respectively.

Voloshin recommends using long passphrases, password managers and a two-factor authentication system to avoid hacking personal accounts. Also, in his opinion, it is important not to store data in cloud services and not to send it in messengers, connecting to an unknown Wi-Fi source.

Kaspersky Lab detected 1,500 phishing resources targeting crypto investors

Since the beginning of the year, Kaspersky Lab has detected more than 1,500 fraudulent resources around the world aimed at potential crypto investors or users who are interested in mining cryptocurrency

Specialists of the Kaspersky Lab antivirus company warned about an increase in the volume of fraud, the potential victims of which may be crypto investors. Since the beginning of 2021, experts have identified more than 1,500 such fraudulent resources.

In addition, Kaspersky reported on its success: this year the company blocked more than 70 thousand attempts of users to go to fraudulent sites.

Criminals create phishing pages whose task is to steal private keys that allow access to all digital assets and crypto-wallets. Such web resources are usually located in popular domain zones like .com, .net, .org, .info or in cheap zones — .site, .xyz, .online, .top, .club, .live.

Kaspersky Lab noted the high level of detail of malicious sites. As an example, experts cite the loading of real data from existing cryptocurrency exchanges. This is easily explained by the higher level of technical knowledge that people interested in investing in digital currencies must have. Attackers understand this and try to improve their techniques.

Also, scammers often send notifications about fictitious sales of video cards and other digital currency mining equipment. In this case, the victim is persuaded to buy the hardware, which requires an advance payment.

As noted by experts, the topic of investing in cryptocurrencies is willingly used by cybercriminals in conjunction with the names of famous people. For example, people in the U.S. have recently lost several million dollars by being "hooked" on a scheme with the name of Elon Musk. Investors were promised a generous return on investment on behalf of the head of SpaceX.

According to the InfoWatch expert, the first wave of interest in cryptocurrencies in Russia began in 2016-2017. At the same time, fraudulent schemes aimed at deceiving people who were just beginning to get interested in digital assets, mining and blockchain platforms, as well as at deceiving the first investors became widespread.

Experts warned about the risk of hacking and obtaining a loan on the Public Services Portal of the Russian Federation

Experts warn that scammers have begun to hack the accounts of citizens on the site of state services and using them to take loans and microloans.

"This is already a serious problem, and in the near future, it will only get worse. Hacking an account, password matching or data leakage can lead to an attacker gaining access to an account on the Public Services Portal and, of course, trying to monetize this access," said Vladimir Ulyanov, head of the Zecurion analytical center.

According to the expert, it is possible to increase the level of protection by enabling two-factor authentication of logging into the personal account, as well as setting your own complex password. However, it will not help to be completely safe from fraudsters.

Anatoly Lebedev, Deputy Head of the Department of Information Security at Bauman Moscow State Technical University, also warned about the high risk of fraudulent actions with loans and microloans, which were taken through a profile on the Public Services Portal. Mr. Lebedev also noted that online services today, although convenient, are not safe.

Dmitry Morozov, Development Director of 3DiVi Inc, said that he was not aware of the facts of hacking profiles on the Public Services Portal, but allowed such a possibility. He hopes that biometrics, such as FaceID or retinal scans, can improve account security.

Messages about the hacking of personal accounts in public services began to appear on social networks in July. Users reported that the criminals changed the phone number linked to Public Services Portal, e-mail and sent applications for loans and microloans on behalf of the user.

Earlier E Hacking News reported that details of passport, social security number and employment data of 2.24 million Russian citizens from the Public Services Portal were publicly available. The error occurred due to the illiteracy of developers and inaccuracies in the legislation.

Cyber Criminals Sending Phishing Mails Pretending to be from Russian Government Domain

The administration of RSNet (Russian State Network) recommended not to open letters from unknown senders, not to click on links from emails of legitimate users of the RSNet, including from the administration of the RSNet, and also not to open attachment files contained in such emails.

According to Andrey Kovtun, the head of the mail threat protection group at Kaspersky Lab, scammers set up phishing mailings allegedly from a domain gov.ru. He explained that the attackers use a fake sender's address webmaster@gov.ru.

"Such attacks are usually more complicated than mass attacks, even the real names and phone numbers of employees of the organization can be used," added the expert.

In turn, Alexey Drozd, the head of the information security department of SearchInform, warned against using links from emails even from legitimate users because of the possibility of hacking their accounts.

The expert also noted that recently, scammers sent phishing emails allegedly from the tax authorities.

"People trust domains that look like government domains. In addition, if any letter comes from a government agency, we consider it important," he added.

Earlier, the Ministry of Internal Affairs of Russia reported on the arrest of a group that published ads for the sale of real estate and premium cars and stole money from the accounts of Russians. The attackers asked potential buyers to confirm their solvency by transferring a certain amount to friends or relatives through certain payment systems, and then to provide the potential seller with a receipt for a financial transaction.

Thus, the attackers found out the personal data of the recipients of the transfers and made fake passports in their names, with which they visited credit and financial organizations and withdrew money from the accounts of citizens.

What is Email Spoofing? How Hackers Impersonate Legitimate Senders

 

Email spoofing is easily the most commonly employed way by threat actors for initiating phishing and spam attacks. Normally, hackers use this technique to trick users by making them believe that the email that is being sent to them is either coming from someone they know or a trustworthy source  

In Email spoofing attacks, the hacker creates an email header so that victims’ software unveils the illegal sender address. Unless they examine the header firmly, users see the fraud sender in the message. If the user acknowledges the given name, he will be more likely to trust it and click on malicious links or file attachments to send personal credentials and even financial information. 

Email spoofing attacks are achievable because the Simple Mail Transfer Protocol (SMTP) or the core email protocols do not facilitate any authentication mechanism for checking on such spam or phishing attacks that allow hackers to mislead or even prank the recipient about the origin of the message. 

However, email address authentication protocols and mechanisms have been developed to combat such spam attacks; adoption of those mechanisms has been slow. 
 

Besides the common  purposes behind ‘phishing or spam attacks, there are several others as mentioned below:

  • Hiding the sender’s true identity
  • Pretending to be someone 
  • Avoiding spam blocklists
  • Pretending to be from a business 
  • Sending messages in someone’s name 
  • Tarnishing the image of the assumed sender
 
Since the email protocol SMTP (Simple Mail Transfer Protocol) does not provide a strong authentication mechanism that made things easy for malicious actors, several frameworks have been developed to allow authentication of incoming messages including SPF (Sender Policy Framework), DKIM (Domain Key Identified Mail), and DMARC (Domain-Based Message Authentication, Reporting, and Conformance). 

To avoid becoming a victim of email spoofing attacks, it is imperative to have an updated anti-malware software. Additionally, when you feel unsure about the email, contact the sender directly  

Group-IB revealed a distributed network of fraudulent sites imitating WHO

Group-IB, an international company specializing in preventing cyberattacks and investigating high-tech crimes, revealed a distributed network of 134 fraudulent sites imitating the World Health Organization (WHO). The attackers promised users a reward for taking a fake Health Awareness Day survey.

"However, instead of the promised €200, users were redirected to dating sites, paid subscriptions or fraudulent resources," the report said.

It is noted that in early April, the UN International Computing Center (UNICC) alerted Group-IB about a fake website using the WHO brand.

"After answering simple questions, the user was offered to share the link to the survey with his friends and colleagues in his WhatsApp contact base. Group-IB researchers found that when a victim clicked the "Share" button and unknowingly involved their friends in the scam, instead of the promised reward they were redirected to third-party scams offering to participate in another raffle, install a browser extension or sign up for paid services. In the worst case users could end up on a malicious or phishing site," explains the company.

During the investigation, the Group-IB Digital Risk Protection team uncovered a complex distributed fraud infrastructure that included a network of 134 virtually identical linked domains that hosted World Health Day-themed pages. Group-IB blocked all fraudulent domains within 48 hours of detection, after which the fraudsters completely stopped using the WHO brand on their network.

Further investigation revealed that all of these domains identified and blocked by Group-IB were part of a larger network controlled by a group of scammers codenamed DarkPath Scammers. Fake resources created under the WHO were linked to at least 500 other fraud and phishing resources mimicking more than 50 international brands from the food, sports gear, e-commerce, software, energy and auto industries.

More than one hundred Russian companies were subjected to a cyber attack

Kaspersky Lab, which specializes in developing systems to protect against cyber threats, reported a fraudulent mailing on behalf of The Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor), which has become widespread in Russia

In April, Kaspersky Lab uncovered a series of cyber attacks on system administrators of sites in Russia. By April 23, the company detected about 4 thousand emails containing fraudulent messages sent to more than 2 thousand e-mail addresses. The mailing peaked on April 16-17, but the messages are still coming in.

The purpose of the cyber attack is to infect web resources managed by sysadmins and gain access to the site management. If successful, hackers will be able to create pages, post any information and download files.

Under the guise of a regulatory authority, intruders are sending fraudulent notifications about the need to confirm the fact of domain name management.

The letter contains instructions according to which it is necessary to create a file with specified content in the root directory of the site. In reality, the sysadmin runs a Trojan program with his own hands to remotely control the victim's computer.

"To confirm that you have the actual ability to manage the domain name, create a file (with the .php extension) in the root directory of the site", says the text of the fraud letter.

"In order not to give the recipient time to suspect something wrong, he was required to execute the instruction in a short time - within three days", said Alexander Liskin, head of Kaspersky Lab's antivirus research laboratory.

"Site administrators are often subjected to attacks, for example, hackers extorted money from them by sending fake notifications about the approaching deadline for completing the site lease. But this time the goal of the attack is to gain access to site management. Attackers are doing everything to convince recipients that the letter is authentic: the sender is listed as a regulatory agency and an appropriate emblem is added to enhance the effect", said Liskin.

The expert recommended remaining vigilant when receiving messages from unknown senders in emails and messengers and to double-check the information supposedly from official bodies. It is still unknown who was behind the attack, the company's specialists are investigating the cyberattack.

Hackers Attack Users With Malware Using Underground Call Centres

 

BazarLoader malware actors have started working with underground call centres to fool targets of their spamming campaign by making them open corrupted Office files and corrupting their devices with malware. It's not the first time when underground call centres and the hacking group have come up to work together, however, it's the first time when the likes of the BazarLoader gang, a major Malware distributer, have used this technique on such a massive scale. 

How it took place?

The recent attacks have been very unique from the general malware scenario of today, the attackers have their own identities, normally known as BazaCall or BazarCall, the reason being they depend upon telephone calls to conduct their infiltration. Currently, the attack techniques that these hackers use are simple and yet effective. The group (BazarLoader) initiates the malware campaign by sending spam campaigns to specific targets. To attract the attention of the users, the email baits the victims through offers, subscriptions, free trials, etc. 

The email also consists of details for users to call a specific number that is mentioned in the mail to know more about the offer. If the victim dials the mentioned number, they are redirected to a call centre, here, a supposed operator tells directs the victim into downloading an office file, tells the user to disable the office security features, and run an excel or word file which allows hackers to run macros (automated scripts), that is used to download and install the malware in victims' device. Thanks to cybersecurity expert Brad Duncan, the phone recordings of one of the call centres involved are available. 

Targets include high profile accounts 

A cybersecurity expert that goes by the name Analyst said that these attack campaigns started in January 2021. The analyst is the same person that termed the attack as BazarCall, says that most of the targets use .edu or corporate email address, never target home users that use free emails like Gmail, Yahoo, or Hotmail. The Record reports, "the security researcher says the classic endgame for these attacks is to infect corporate networks, where the BazarLoader malware can then turn around and rent access to ransomware gangs, such as the Ryuk crew, with which they’ve collaborated before.

Cyber Criminals trying to hack Russian popular Telegram channels using ads from GeekBrains

 The owners of the Telegram channels noted that scammers under the guise of advertising offers send malicious files.

" In particular, they can be represented by advertising managers of the GeekBrains educational platform", Nikita Mogutin, the co-founder of the Telegram channel Baza (more than 310,000 subscribers), wrote on Facebook. Owner of the Telegram channel Madonna (more than 9500 subscribers) Madonna Moore said that five scammers write to her a day. She also published the text of correspondence with a person who introduced himself as a representative of GeekBrains. 

GeekBrains has received many complaints about fraud on behalf of the company and has already sent out warnings to agencies and bloggers, said Elena Toropina, head of the company's marketing department. In her opinion, the attack on the channels is connected with the growth of the online education industry, which spends a lot of money on advertising.

Kaspersky Lab reported that the attachments sent by the attackers contain a Trojan virus. 

"If the victim runs the file, a program will be installed on the computer that will steal the accounts stored on it and provide fraudsters with hidden remote control of the Telegram channel", told Yaroslav Kargalev, deputy head of the Group-IB incident response center. According to him, scammers can also change the phone number in the channel's account to get full control over it.

Most often, channel theft is needed to publish links to malicious resources in the Telegram channel or to get a ransom, said Sergey Trukhachev, head of the special services unit of Infosecurity a Softline Company.

"The increase in the activity of scammers may be associated with the influx of new users to Telegram", noted Kargalev.

Telegram downloads have increased dramatically as WhatsApp has added a clause to its rules that allows users to share their personal data with Facebook. Moreover, the growing popularity of Telegram is due to the fact that supporters of Donald Trump, who was blocked in many social networks, have "flowed" there.

Telegram founder Pavel Durov called the sharp increase in the number of new users "the largest digital migration" in human history. In the first week of January, Telegram's monthly audience overcame the mark of 500 million active users.

Earlier, E Hacking News reported that Pavel Durov advised users to remove WhatsApp from smartphones. He called the WhatsApp application unsafe.


Russian hackers selling program in darknet that bypasses spam protection

The Russian-language Darknet site sells a program that allows you to distribute spam messages bypassing traffic and email protection tools. The program uses a function in the IMAP protocol

A new tool for spammers is actively being sold on the Darknet, which allows you to bypass the standard protection of e-mail accounts. By exploiting a feature in the Internet Message Access Protocol (IMAP), attackers upload the messages they need directly into the mailboxes of victims.

To trigger the attack, it is necessary that the attackers already have access to the victim's account. The Email Appender malware has been actively promoted on Russian-language hacker forums since the fall of 2020.

The author offers to use the program through a subscription — $50 for one day, $300 for a week or $1000 per month. This is very expensive, but judging by the latest campaigns, the demand for this service is very high.

Experts of the information security company Vade Security indicate that companies in Italy, France, Denmark and the United States have already been subjected to full-scale attacks by spammers using Email Appender. One of the affected organizations claims that it received 300 thousand spam messages in one day and was forced to spend very substantial resources to disable compromised accounts or change usernames and passwords.

Databases of usernames and passwords to mail are actively sold out on hacker forums. According to Gemini Advisory, an attacker can upload such a database to Email Appender, after which the program will try to connect to accounts that match pairs of usernames and passwords via IMAP. Next, it remains to use the IMAP function, which allows hackers to upload ready-made mail messages to the mailbox.

"There are a number of ways to block such spam campaigns, but the main one is to regularly change passwords and not use the same combination (or similar to it) more than once," said Alexey Vodiasov, technical Director of the company SEC Consult Services.

In addition, according to Vodiasov, two-factor authorization is effective, so that even a compromised account cannot be connected without attracting the attention of its rightful owner.

The expert added that it is also possible to enable notifications of cases of logging into an account from unusual IP addresses. Mail systems are quite capable of doing this.

UK Finance Body: Beware of Parcel Delivery Scam, Especially During Christmas Season

 


After months of lockdown, this Christmas season has become even more special to people but fraudsters are also beginning to capitalize on the much-delayed excitement of the users. The banking trade body UK Finance has warned the public against parcel delivery scams getting popular during the Christmas shopping season. 

The banking trade body said that this Christmas, more people across the nation are expected to shop online than ever before and there are high chances that con men will take advantage of this.
 
According to Intelligences from UK Finance Trade body, malicious actors’ are sending purportedly phishing emails from genuine delivery companies, claiming that companies have been unable to deliver parcels, large letters or packages and later requesting recipients to send their personal and financial information such as their date of birth, address, bank details, and mobile numbers along with a fee in order to rearrange the delivery. 

It also has been observed that in certain cases, bank customers are also receiving a phone call from the fraudsters as their bank’s fraud team, suggesting them to move their money to a safe account or reveal their passcodes. 

Katy Worobec, managing director of economic crime at UK Finance said, "We are urging people not to give gift to fraudsters this Christmas and to follow the advice of the Take Five to Stop Fraud campaign. Criminals will stop at nothing to commit fraud and that includes exploiting the festive season to target their victims". 

Steps to Prevent Fraud Campaign:

• According to intelligence, people must be vigilant against phishing emails with fake links which can lead people to fake platforms and will ask them to fill in important data, particularly personal and financial. It can be seen that these emails may appear more genuine and trusted but be aware of any fraud scam like this which can cost you more than you expect. 

• People are advised to check their delivery notification attentively to ensure that they are genuine. Criminals are employing the same pattern as genuine companies use for their customers. 

• Customers should always remember that they are about to claim and hence, they should ask questions to the authorities or companies before sending information and money. 

• If one feels that the company is not genuine then he is advised to contact the company directly before sending any form of information. 

• Last and also the most important step to take is to report and register a complaint on a genuine platform if you are being attacked by any fraud or scam.

Massive BEC Phishing Ring Uncovered, 3 Nigerian Nationals Arrested

 

In the city of Lagos, three Nigerian nationals suspected of participation in an organized cybercrime group behind malware distribution, phishing attacks, and a massive business email compromise (BEC) ring responsible for scams globally, have been arrested under “Operation Falcon” carried out jointly by international police organization with Nigeria Police Force and Singapore-based cybersecurity firm Group-IB, according to the reports by Interpol. 
 
In a Business Email Compromise (BEC) attack, the threat actor hacks and spoofs email to impersonate an organization’s CEO, vendors, or senior executives to trick employees and customers by gaining their trust; which later is exploited as the attackers encourage actions relating to funds transfer to criminal’s account or transferring confidential data, in some cases. 
 
The cybercriminals behind the operations performed a number of their phishing campaigns in disguise; masked as product inquiries, Coronavirus aid, or purchasing orders. Stealing authentication data from emails, web browsers, and FTP clients from organizations based in the UK, the US, Japan, Nigeria, and Singapore, has been identified as the primary objective of these phishing attacks, as per Group IB. 
 
As the ongoing investigation continues to uncover other suspects and monetization means employed by the ring, around 50,000 targeted victims have been discovered, so far. Allegedly, the participants of the rings developed phishing links and domains before performing mass BEC campaigns wherein they sophisticatedly targeted corporations of all sizes. Reportedly, 26 different malware variants were being deployed by the criminals including remote access Trojans (RATs) and spyware. 
 
"They then used these campaigns to disseminate 26 malware programmes, spyware, and remote access tools, including AgentTesla, Loki, Azorult, Spartan, and the nanocore and Remcos Remote Access Trojans,’ the INTERPOL said. 
 
"This group was running a well-established criminal business model," Interpol's Cybercrime Director Craig Jones noted. "From infiltration to cashing in, they used a multitude of tools and techniques to generate maximum profits." 
 
“These programs were used to infiltrate and monitor the systems of victim organizations and individuals, before launching scams and siphoning funds,” as per an announcement by INTERPOL. “According to Group-IB, the prolific gang is believed to have compromised government and private-sector companies in more than 150 countries since 2017.”

Hackers Stole $2.3M, Wisconsin Republicans Claims

 

Wisconsin: Republican officials said that hackers stole $2.3m from the party's account being used to support Donald Trump's re-election. 

Following the discovery of the suspicious activity on 22nd October, the FBI has been contacted to investigate the matter, as per the statements given by the state party chairman Andrew Hitt. He also that the state was warned regarding such cyberattacks in August during the party's national convention. 
 
The campaign invoices from four vendors were manipulated by hackers to steal the funds, as per the reports by the Associated Press. These vendors were being paid to send out direct mail and handing out pro-Trump material like hats to support the Trump campaign. 
 
Seemingly, the attackers began from a phishing scam and proceeded with altering the invoices to direct payments from vendors to themselves, Mr. Hitt said. A party spokesman added that no data seemed to be stolen. However, millions were stolen from the Wisconsin Republicans' federal account. 
 
According to Joe Tidy, BBC cyber-security reporter, "The information security world is tense right now waiting and watching for cyberattacks that could affect the US election." 
 
"It sounds like an almost standard case of something called Business Email Compromise (BEC). Effectively the hackers have either gained access to or spoofed an email address to put themselves between the Wisconsin Republican party HQ and one of their suppliers. The party then transferred the money to the hackers instead of its campaign partner," he said. 
 
"The reported hack comes as Mr. Trump and Democratic rival Joe Biden are both making a final push this week to secure Wisconsin ahead of the 3 November election." 
 
"There have also been hundreds of attempted attacks on the Wisconsin Democratic campaign, a spokeswoman told the Associated Press." 
 
"The Midwestern state is one of a handful of core battleground states - areas which could realistically go to the Republicans or Democrats - this election season. Candidates will need to win in several states like Wisconsin in order to win the presidency." He further added.


Numerous fraudulent sites disguised as well-known brands have appeared on the Runet


In autumn, experts recorded mass registration of domain names with the names of well-known brands in the .RU zone

Specialists at Infosecurity, a Softline company, recorded mass domain registration in Runet with the name of well-known brands and the ending –off, which can be used for sales.

As an example, the company cited the domain names familiya-off.ru, detskiy-mir-off.ru, tele2-off.ru, rosneft-off.ru and citilink-off.ru. According to the head of the Infosecurity special server Sergey Trukhachev, on October 20, the Ethic threat detection service detected the registration of 192 such domains. All of them are registered through the same Russian structure with servers at ISPIRIA Networks Ltd, located in Belize (Central America). As Trukhachev noted, the company is often used for hosting malicious sites.

At the end of September, the appearance of hundreds of similar domains in Runet was noticed by SearchInform. According to Alexey Drodd, head of the company's information security department, it’s about very diverse brands (furniture companies, clothing stores, jewelry stores, mobile retail).

According to Kirill Kirillov, co-founder of BrandMonitor, domains with the names of major brands are registered every day, and the earnings of scammers depend on the method of monetization. For example, according to Kirillov, counterfeit dealers can earn 3-10 million rubles ($39,000 - $117,000) annually.

Such a site can be blocked in a day if it is obvious that it is phishing or distributes malicious software. There are also cases when it is technically impossible to block access to a resource: if their servers are located in a country where hosting providers do not block sites (for example, in Belize).

The companies surveyed said they monitor domain registrations with similar names and fight them when signs of fraud appear.

U.S Elections: Spammers Use Fake Voter Registration Forms To Steal User Data and Banking Credentials

 

As the U.S. presidential elections are approaching, the hacking and spamming attacks related to it are rising. In a similar incident, hackers use fake voter registration forms to steal data of the users who access the fake government sites. The voter registration links work as bait, and if the user clicks it, he is redirected to a fake government website. The hacker then steals personal user data, along with banking credentials sometimes. 

"Whatever the intent behind this particular phishing attack, it should serve as a reminder that human beings -- users, employees, citizens, and voters -- are "soft targets" for malicious actors. This is especially true in turbulent times such as the present -- when fear, confusion, and doubt are surging in the run-up to a historic election that happens to fall in the middle of a catastrophic pandemic," says KnowBe4. These phishing campaigns started in September and are still active. 

Cybersecurity firms KnowBe4 and Proofpoint identified the attacks; they say that these attacks are trying to undermine the U.S. government agency's credibility (U.S. Election Assistance Commission (EAC), which is responsible for generating the voter list. The phishing emails have a simple subject line, and it works because citizens feel that they might be left out from the voting list. The phishing campaign uses hacked WordPress websites to host fake websites operated for luring the users. The sites contain incorrect URLs, and if the user fails to notice it, his data can be susceptible to hackers. According to experts, the hackers use a simple template for phishing attacks, and the fake website looks exactly as same as the original government website. 

According to Proofpoint, these spammers have become more aggressive in their recent attacks. They have changed their strategies and now ask for user's data and along with his banking credentials. "Now, as the U.S. election draws closer, many individuals are confirming their voter registration status. Using messages that suggest voter registration is invalid drives user urgency and uncertainty in an election season. We observed the last news from this actor using voter registration themes sent on October 7, 2020. This suggests that the actor may have already shifted to another type of lure," says Proofpoint.

Criminals sending malicious emails claiming to be from the rector of Moscow State University

A malicious program that steals passwords was sent out in mid-September by scammers in letters claiming to be from the rector of Moscow State University. The recipients were financial, industrial, and government organizations in Russia.

The mailing, as noted in the company Group-IB, was held in the period from 9 to 16 September.

"In the letter, the attackers, on behalf of rector Viktor Sadovnichy, ask recipients to read the attached document “ A description of the budget for 2020” and promptly send their commercial offer,” reported the company's press service.

The texts of the letters are illiterate and contain stylistic errors. In addition, the order of words and sentences indicates that fraudsters use an automatic translation program. The authors of the letter were too lazy to change or check all the links in the template before sending them out. Probably, similar attacks have already been carried out on behalf of other universities, most likely foreign ones.

The addresses of Moscow State University were indicated as the sender in the letters. In fact, the correspondence was sent from the hacked mail server of the Hotel Alfonso V in the Portuguese city of Aveiro. The hotel has already been notified of the break-in.

All the scammers’ emails contained an archive called "Request for a commercial offer" with an executable .exe file inside. After it was launched, a malicious program was installed on the user's device that could steal usernames and passwords.

"In the future, hackers can use them to gain access to email accounts or crypto wallets, for financial fraud, espionage, or sell stolen data on hacker forums,” said Group — IB.

According to Vasily Kuzmin, Deputy head of the information technology department of Moscow State University, neither the rector nor the University administration ever send letters with such content.

Russians were warned about phishing emails on behalf of the tax service

Experts of the company Group-IB, specializing in the prevention of cyberattacks, together with the Federal Tax Service (FTS), identified the activity of fraudsters in the Network. Criminals send emails to legal entities and state institutions allegedly on behalf of the tax authorities.

All emails of attackers looked the same. They said that the recipient must appear at the Federal Tax Service to "give evidence about the flow of funds”. Before visiting the institution, the recipient of the letter was required to fill out a special form, which was attached in the letter as an archive with a password. The password was also attached in the email. This scheme allowed bypassing antivirus protection. When the archive was opened, a program for remote access to it was installed on the user's computer.

"The Federal Tax Service of Russia does not send letters to taxpayers about the existence of debt and offers to pay the debt online,” reported the press service of the FTS.

The mailing started at the end of July and continues to this day. Emails are sent to employees of oil and mining companies, airports, Telecom operators, and other organizations.

Experts are discussing the possibility of introducing a new article "Tax fraud” into the criminal code of the Russian Federation.

Moreover, according to Igor Bederov, General Director of the Internet Search company, in total, there are more than 1 million fake websites in Russia, up to 1 million messages are sent per day. He added that the share of phishing messages today can be up to 10% of the total volume of e-mail messages.

It is difficult to calculate the total amount of damage to organizations caused by phishing attacks, but one such successful attack can cost an average of 2,000 to 50,000 rubles ($27-680).

Earlier, E Hacking News reported that Kaspersky Lab experts described a discovered method of corporate phishing. Phishing attacks claiming to be from HR steals bank employees credentials.

Russians began to click on scam sites 10 times more often


According to the study of Kaspersky Lab, at the beginning of 2020, the number of attacks on Russians through scam resources increased 10 times to 15 million, and the number of such pages doubled to 10 thousand. The rapid increase is associated with the spread of the coronavirus. Fraudsters actively exploit the theme of the pandemic: from fake promises to pay benefits or refunds for a small cash contribution to the sale of personal protective equipment.

If every click to a scam page entailed deception of at least one user, then the potential amount of damage in the first quarter of 2020 could exceed 3 billion rubles ($40,5 million). Experts did not say how much money the Russians lost on scam resources during this period.

Senior content analyst at Kaspersky Lab Tatyana Sidorina believes that the popularity of scam resources has increased, as Russians have begun to spend more time at home, on the Internet. In addition, users are offered various big money compensations, for the withdrawal of which they need to pay a small commission.

She stressed that the scam resources disguised as state lotteries began to be actively used at the beginning of 2020, 219 resources were discovered. Kaspersky Lab noted that last year, separate statistics on lotteries were not even kept.

In order to minimize the damage from fraud, the Stoloto state lottery is already actively cooperating with law enforcement agencies and conducting an information campaign, said Varvara Basanovich, the organization's operating Director. She stressed that it is impossible to win the lottery without buying a ticket, and the tax is paid after receiving the money, and not in advance.

The head of Analytics and Special Projects at InfoWatch, Andrey Arsentiev, expects that after exiting the self-isolation regime, mass frauds with tourist trips to Russian resorts can start, as well as sellers of drugs for restoring strength, immunity and mental health can become active.

Why Hackers are Taking Advantage of COVID-19?


Cybersecurity threats have seen a massive upsurge since the outbreak of the COVID-19 pandemic that forced a majority of people to work from home which now is leading to attacks on remote workforces. Amid the anxiety it created, hackers have devised multiple ways to take advantage of the coronavirus and continued to exploit the fear amongst people in a number of ways, one being the distribution malware in the facade of Covid-19 or Corona related emails.

The threat posed by the Coronavirus has been seen to be scaling beyond human health, job losses and the collapsing global economy as it also set the stage for hackers to scam people for monetary and other gains. The urgency revolving around the novel biological virus robbed tech vendors and corporate systems of their ability to effectively tackle the risks. Scammers are well aware of the overwhelmed state of cybersecurity groups that led to a dramatic rise in phishing attempts and cyberattacks. Notably, hackers are exploiting the Covid-19 charged environment in various ways such as malicious infiltration of organizations, voice phishing, WhatsApp phishing, email phishing, social media, fake apps, and websites. As per the warnings given by WHO, criminals are also acting as WHO officials in order to scam people for financial gains or sensitive data.

Problems Arising with Security Operation Centers (SOC)? 

Security Operation Center is a centralized function set up across a company's IT infrastructure. The objective of the security operation team here is to detect and then respond to cybersecurity risks in order to safeguard important assets such as business systems, employee data, and intellectual property. Upon detecting a confirm threat, the SOC immediately isolates endpoints in an attempt to terminate harmful actions such as execution or deletion. It does do while ensuring no disruption is faced by the business continuity or lessening the impact to the best of its ability.

However, as the process of strengthening an organization's security requires sophisticated infrastructure (SIEM system), coordinated efforts and continuous monitoring by people and technology-with limited staff and people made to work from home, it has become difficult to prevent, detect, analyze and respond to cybersecurity incidents.

The SOC relies upon cybersecurity tools whose operations require complete understanding and expertise making the overall workflow complex, therefore the prevention and security can not take place whilst being at home.

Adverse Impact on IT Sector

IT sector is the lifeline of almost every global economy, it plays a vital role in the functioning of nearly every other major sector including human resources, manufacturing, finance, security, and health care. It's a well-known fact how heavily IT organizations rely on manpower to function, however, due to the lockdowns, quarantine periods and stringent curbs in the movement of people, many businesses are being shut down as the global supply chains of manufacturing are being heavily disrupted. IT professionals are not able to deliver on the projects, as a result of which production dropped by a significant margin and is expected to drop even further.

The coronavirus situation worsens with the security vendors not being paid timely and as a result of halted work, gates are being left unmanned providing potential hackers with an opening. Companies are advised to stay prepared for security breaches and individuals should consider sticking to strong passwords and keeping their systems updated as the number of scams is expected to rise amid the tremendous uncertainty of the crisis.