Search This Blog

Showing posts with label Phishing and Spam. Show all posts

What is Email Spoofing? How Hackers Impersonate Legitimate Senders

 

Email spoofing is easily the most commonly employed way by threat actors for initiating phishing and spam attacks. Normally, hackers use this technique to trick users by making them believe that the email that is being sent to them is either coming from someone they know or a trustworthy source  

In Email spoofing attacks, the hacker creates an email header so that victims’ software unveils the illegal sender address. Unless they examine the header firmly, users see the fraud sender in the message. If the user acknowledges the given name, he will be more likely to trust it and click on malicious links or file attachments to send personal credentials and even financial information. 

Email spoofing attacks are achievable because the Simple Mail Transfer Protocol (SMTP) or the core email protocols do not facilitate any authentication mechanism for checking on such spam or phishing attacks that allow hackers to mislead or even prank the recipient about the origin of the message. 

However, email address authentication protocols and mechanisms have been developed to combat such spam attacks; adoption of those mechanisms has been slow. 
 

Besides the common  purposes behind ‘phishing or spam attacks, there are several others as mentioned below:

  • Hiding the sender’s true identity
  • Pretending to be someone 
  • Avoiding spam blocklists
  • Pretending to be from a business 
  • Sending messages in someone’s name 
  • Tarnishing the image of the assumed sender
 
Since the email protocol SMTP (Simple Mail Transfer Protocol) does not provide a strong authentication mechanism that made things easy for malicious actors, several frameworks have been developed to allow authentication of incoming messages including SPF (Sender Policy Framework), DKIM (Domain Key Identified Mail), and DMARC (Domain-Based Message Authentication, Reporting, and Conformance). 

To avoid becoming a victim of email spoofing attacks, it is imperative to have an updated anti-malware software. Additionally, when you feel unsure about the email, contact the sender directly  

Group-IB revealed a distributed network of fraudulent sites imitating WHO

Group-IB, an international company specializing in preventing cyberattacks and investigating high-tech crimes, revealed a distributed network of 134 fraudulent sites imitating the World Health Organization (WHO). The attackers promised users a reward for taking a fake Health Awareness Day survey.

"However, instead of the promised €200, users were redirected to dating sites, paid subscriptions or fraudulent resources," the report said.

It is noted that in early April, the UN International Computing Center (UNICC) alerted Group-IB about a fake website using the WHO brand.

"After answering simple questions, the user was offered to share the link to the survey with his friends and colleagues in his WhatsApp contact base. Group-IB researchers found that when a victim clicked the "Share" button and unknowingly involved their friends in the scam, instead of the promised reward they were redirected to third-party scams offering to participate in another raffle, install a browser extension or sign up for paid services. In the worst case users could end up on a malicious or phishing site," explains the company.

During the investigation, the Group-IB Digital Risk Protection team uncovered a complex distributed fraud infrastructure that included a network of 134 virtually identical linked domains that hosted World Health Day-themed pages. Group-IB blocked all fraudulent domains within 48 hours of detection, after which the fraudsters completely stopped using the WHO brand on their network.

Further investigation revealed that all of these domains identified and blocked by Group-IB were part of a larger network controlled by a group of scammers codenamed DarkPath Scammers. Fake resources created under the WHO were linked to at least 500 other fraud and phishing resources mimicking more than 50 international brands from the food, sports gear, e-commerce, software, energy and auto industries.

More than one hundred Russian companies were subjected to a cyber attack

Kaspersky Lab, which specializes in developing systems to protect against cyber threats, reported a fraudulent mailing on behalf of The Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor), which has become widespread in Russia

In April, Kaspersky Lab uncovered a series of cyber attacks on system administrators of sites in Russia. By April 23, the company detected about 4 thousand emails containing fraudulent messages sent to more than 2 thousand e-mail addresses. The mailing peaked on April 16-17, but the messages are still coming in.

The purpose of the cyber attack is to infect web resources managed by sysadmins and gain access to the site management. If successful, hackers will be able to create pages, post any information and download files.

Under the guise of a regulatory authority, intruders are sending fraudulent notifications about the need to confirm the fact of domain name management.

The letter contains instructions according to which it is necessary to create a file with specified content in the root directory of the site. In reality, the sysadmin runs a Trojan program with his own hands to remotely control the victim's computer.

"To confirm that you have the actual ability to manage the domain name, create a file (with the .php extension) in the root directory of the site", says the text of the fraud letter.

"In order not to give the recipient time to suspect something wrong, he was required to execute the instruction in a short time - within three days", said Alexander Liskin, head of Kaspersky Lab's antivirus research laboratory.

"Site administrators are often subjected to attacks, for example, hackers extorted money from them by sending fake notifications about the approaching deadline for completing the site lease. But this time the goal of the attack is to gain access to site management. Attackers are doing everything to convince recipients that the letter is authentic: the sender is listed as a regulatory agency and an appropriate emblem is added to enhance the effect", said Liskin.

The expert recommended remaining vigilant when receiving messages from unknown senders in emails and messengers and to double-check the information supposedly from official bodies. It is still unknown who was behind the attack, the company's specialists are investigating the cyberattack.

Hackers Attack Users With Malware Using Underground Call Centres

 

BazarLoader malware actors have started working with underground call centres to fool targets of their spamming campaign by making them open corrupted Office files and corrupting their devices with malware. It's not the first time when underground call centres and the hacking group have come up to work together, however, it's the first time when the likes of the BazarLoader gang, a major Malware distributer, have used this technique on such a massive scale. 

How it took place?

The recent attacks have been very unique from the general malware scenario of today, the attackers have their own identities, normally known as BazaCall or BazarCall, the reason being they depend upon telephone calls to conduct their infiltration. Currently, the attack techniques that these hackers use are simple and yet effective. The group (BazarLoader) initiates the malware campaign by sending spam campaigns to specific targets. To attract the attention of the users, the email baits the victims through offers, subscriptions, free trials, etc. 

The email also consists of details for users to call a specific number that is mentioned in the mail to know more about the offer. If the victim dials the mentioned number, they are redirected to a call centre, here, a supposed operator tells directs the victim into downloading an office file, tells the user to disable the office security features, and run an excel or word file which allows hackers to run macros (automated scripts), that is used to download and install the malware in victims' device. Thanks to cybersecurity expert Brad Duncan, the phone recordings of one of the call centres involved are available. 

Targets include high profile accounts 

A cybersecurity expert that goes by the name Analyst said that these attack campaigns started in January 2021. The analyst is the same person that termed the attack as BazarCall, says that most of the targets use .edu or corporate email address, never target home users that use free emails like Gmail, Yahoo, or Hotmail. The Record reports, "the security researcher says the classic endgame for these attacks is to infect corporate networks, where the BazarLoader malware can then turn around and rent access to ransomware gangs, such as the Ryuk crew, with which they’ve collaborated before.

Cyber Criminals trying to hack Russian popular Telegram channels using ads from GeekBrains

 The owners of the Telegram channels noted that scammers under the guise of advertising offers send malicious files.

" In particular, they can be represented by advertising managers of the GeekBrains educational platform", Nikita Mogutin, the co-founder of the Telegram channel Baza (more than 310,000 subscribers), wrote on Facebook. Owner of the Telegram channel Madonna (more than 9500 subscribers) Madonna Moore said that five scammers write to her a day. She also published the text of correspondence with a person who introduced himself as a representative of GeekBrains. 

GeekBrains has received many complaints about fraud on behalf of the company and has already sent out warnings to agencies and bloggers, said Elena Toropina, head of the company's marketing department. In her opinion, the attack on the channels is connected with the growth of the online education industry, which spends a lot of money on advertising.

Kaspersky Lab reported that the attachments sent by the attackers contain a Trojan virus. 

"If the victim runs the file, a program will be installed on the computer that will steal the accounts stored on it and provide fraudsters with hidden remote control of the Telegram channel", told Yaroslav Kargalev, deputy head of the Group-IB incident response center. According to him, scammers can also change the phone number in the channel's account to get full control over it.

Most often, channel theft is needed to publish links to malicious resources in the Telegram channel or to get a ransom, said Sergey Trukhachev, head of the special services unit of Infosecurity a Softline Company.

"The increase in the activity of scammers may be associated with the influx of new users to Telegram", noted Kargalev.

Telegram downloads have increased dramatically as WhatsApp has added a clause to its rules that allows users to share their personal data with Facebook. Moreover, the growing popularity of Telegram is due to the fact that supporters of Donald Trump, who was blocked in many social networks, have "flowed" there.

Telegram founder Pavel Durov called the sharp increase in the number of new users "the largest digital migration" in human history. In the first week of January, Telegram's monthly audience overcame the mark of 500 million active users.

Earlier, E Hacking News reported that Pavel Durov advised users to remove WhatsApp from smartphones. He called the WhatsApp application unsafe.


Russian hackers selling program in darknet that bypasses spam protection

The Russian-language Darknet site sells a program that allows you to distribute spam messages bypassing traffic and email protection tools. The program uses a function in the IMAP protocol

A new tool for spammers is actively being sold on the Darknet, which allows you to bypass the standard protection of e-mail accounts. By exploiting a feature in the Internet Message Access Protocol (IMAP), attackers upload the messages they need directly into the mailboxes of victims.

To trigger the attack, it is necessary that the attackers already have access to the victim's account. The Email Appender malware has been actively promoted on Russian-language hacker forums since the fall of 2020.

The author offers to use the program through a subscription — $50 for one day, $300 for a week or $1000 per month. This is very expensive, but judging by the latest campaigns, the demand for this service is very high.

Experts of the information security company Vade Security indicate that companies in Italy, France, Denmark and the United States have already been subjected to full-scale attacks by spammers using Email Appender. One of the affected organizations claims that it received 300 thousand spam messages in one day and was forced to spend very substantial resources to disable compromised accounts or change usernames and passwords.

Databases of usernames and passwords to mail are actively sold out on hacker forums. According to Gemini Advisory, an attacker can upload such a database to Email Appender, after which the program will try to connect to accounts that match pairs of usernames and passwords via IMAP. Next, it remains to use the IMAP function, which allows hackers to upload ready-made mail messages to the mailbox.

"There are a number of ways to block such spam campaigns, but the main one is to regularly change passwords and not use the same combination (or similar to it) more than once," said Alexey Vodiasov, technical Director of the company SEC Consult Services.

In addition, according to Vodiasov, two-factor authorization is effective, so that even a compromised account cannot be connected without attracting the attention of its rightful owner.

The expert added that it is also possible to enable notifications of cases of logging into an account from unusual IP addresses. Mail systems are quite capable of doing this.

UK Finance Body: Beware of Parcel Delivery Scam, Especially During Christmas Season

 


After months of lockdown, this Christmas season has become even more special to people but fraudsters are also beginning to capitalize on the much-delayed excitement of the users. The banking trade body UK Finance has warned the public against parcel delivery scams getting popular during the Christmas shopping season. 

The banking trade body said that this Christmas, more people across the nation are expected to shop online than ever before and there are high chances that con men will take advantage of this.
 
According to Intelligences from UK Finance Trade body, malicious actors’ are sending purportedly phishing emails from genuine delivery companies, claiming that companies have been unable to deliver parcels, large letters or packages and later requesting recipients to send their personal and financial information such as their date of birth, address, bank details, and mobile numbers along with a fee in order to rearrange the delivery. 

It also has been observed that in certain cases, bank customers are also receiving a phone call from the fraudsters as their bank’s fraud team, suggesting them to move their money to a safe account or reveal their passcodes. 

Katy Worobec, managing director of economic crime at UK Finance said, "We are urging people not to give gift to fraudsters this Christmas and to follow the advice of the Take Five to Stop Fraud campaign. Criminals will stop at nothing to commit fraud and that includes exploiting the festive season to target their victims". 

Steps to Prevent Fraud Campaign:

• According to intelligence, people must be vigilant against phishing emails with fake links which can lead people to fake platforms and will ask them to fill in important data, particularly personal and financial. It can be seen that these emails may appear more genuine and trusted but be aware of any fraud scam like this which can cost you more than you expect. 

• People are advised to check their delivery notification attentively to ensure that they are genuine. Criminals are employing the same pattern as genuine companies use for their customers. 

• Customers should always remember that they are about to claim and hence, they should ask questions to the authorities or companies before sending information and money. 

• If one feels that the company is not genuine then he is advised to contact the company directly before sending any form of information. 

• Last and also the most important step to take is to report and register a complaint on a genuine platform if you are being attacked by any fraud or scam.

Massive BEC Phishing Ring Uncovered, 3 Nigerian Nationals Arrested

 

In the city of Lagos, three Nigerian nationals suspected of participation in an organized cybercrime group behind malware distribution, phishing attacks, and a massive business email compromise (BEC) ring responsible for scams globally, have been arrested under “Operation Falcon” carried out jointly by international police organization with Nigeria Police Force and Singapore-based cybersecurity firm Group-IB, according to the reports by Interpol. 
 
In a Business Email Compromise (BEC) attack, the threat actor hacks and spoofs email to impersonate an organization’s CEO, vendors, or senior executives to trick employees and customers by gaining their trust; which later is exploited as the attackers encourage actions relating to funds transfer to criminal’s account or transferring confidential data, in some cases. 
 
The cybercriminals behind the operations performed a number of their phishing campaigns in disguise; masked as product inquiries, Coronavirus aid, or purchasing orders. Stealing authentication data from emails, web browsers, and FTP clients from organizations based in the UK, the US, Japan, Nigeria, and Singapore, has been identified as the primary objective of these phishing attacks, as per Group IB. 
 
As the ongoing investigation continues to uncover other suspects and monetization means employed by the ring, around 50,000 targeted victims have been discovered, so far. Allegedly, the participants of the rings developed phishing links and domains before performing mass BEC campaigns wherein they sophisticatedly targeted corporations of all sizes. Reportedly, 26 different malware variants were being deployed by the criminals including remote access Trojans (RATs) and spyware. 
 
"They then used these campaigns to disseminate 26 malware programmes, spyware, and remote access tools, including AgentTesla, Loki, Azorult, Spartan, and the nanocore and Remcos Remote Access Trojans,’ the INTERPOL said. 
 
"This group was running a well-established criminal business model," Interpol's Cybercrime Director Craig Jones noted. "From infiltration to cashing in, they used a multitude of tools and techniques to generate maximum profits." 
 
“These programs were used to infiltrate and monitor the systems of victim organizations and individuals, before launching scams and siphoning funds,” as per an announcement by INTERPOL. “According to Group-IB, the prolific gang is believed to have compromised government and private-sector companies in more than 150 countries since 2017.”

Hackers Stole $2.3M, Wisconsin Republicans Claims

 

Wisconsin: Republican officials said that hackers stole $2.3m from the party's account being used to support Donald Trump's re-election. 

Following the discovery of the suspicious activity on 22nd October, the FBI has been contacted to investigate the matter, as per the statements given by the state party chairman Andrew Hitt. He also that the state was warned regarding such cyberattacks in August during the party's national convention. 
 
The campaign invoices from four vendors were manipulated by hackers to steal the funds, as per the reports by the Associated Press. These vendors were being paid to send out direct mail and handing out pro-Trump material like hats to support the Trump campaign. 
 
Seemingly, the attackers began from a phishing scam and proceeded with altering the invoices to direct payments from vendors to themselves, Mr. Hitt said. A party spokesman added that no data seemed to be stolen. However, millions were stolen from the Wisconsin Republicans' federal account. 
 
According to Joe Tidy, BBC cyber-security reporter, "The information security world is tense right now waiting and watching for cyberattacks that could affect the US election." 
 
"It sounds like an almost standard case of something called Business Email Compromise (BEC). Effectively the hackers have either gained access to or spoofed an email address to put themselves between the Wisconsin Republican party HQ and one of their suppliers. The party then transferred the money to the hackers instead of its campaign partner," he said. 
 
"The reported hack comes as Mr. Trump and Democratic rival Joe Biden are both making a final push this week to secure Wisconsin ahead of the 3 November election." 
 
"There have also been hundreds of attempted attacks on the Wisconsin Democratic campaign, a spokeswoman told the Associated Press." 
 
"The Midwestern state is one of a handful of core battleground states - areas which could realistically go to the Republicans or Democrats - this election season. Candidates will need to win in several states like Wisconsin in order to win the presidency." He further added.


Numerous fraudulent sites disguised as well-known brands have appeared on the Runet


In autumn, experts recorded mass registration of domain names with the names of well-known brands in the .RU zone

Specialists at Infosecurity, a Softline company, recorded mass domain registration in Runet with the name of well-known brands and the ending –off, which can be used for sales.

As an example, the company cited the domain names familiya-off.ru, detskiy-mir-off.ru, tele2-off.ru, rosneft-off.ru and citilink-off.ru. According to the head of the Infosecurity special server Sergey Trukhachev, on October 20, the Ethic threat detection service detected the registration of 192 such domains. All of them are registered through the same Russian structure with servers at ISPIRIA Networks Ltd, located in Belize (Central America). As Trukhachev noted, the company is often used for hosting malicious sites.

At the end of September, the appearance of hundreds of similar domains in Runet was noticed by SearchInform. According to Alexey Drodd, head of the company's information security department, it’s about very diverse brands (furniture companies, clothing stores, jewelry stores, mobile retail).

According to Kirill Kirillov, co-founder of BrandMonitor, domains with the names of major brands are registered every day, and the earnings of scammers depend on the method of monetization. For example, according to Kirillov, counterfeit dealers can earn 3-10 million rubles ($39,000 - $117,000) annually.

Such a site can be blocked in a day if it is obvious that it is phishing or distributes malicious software. There are also cases when it is technically impossible to block access to a resource: if their servers are located in a country where hosting providers do not block sites (for example, in Belize).

The companies surveyed said they monitor domain registrations with similar names and fight them when signs of fraud appear.

U.S Elections: Spammers Use Fake Voter Registration Forms To Steal User Data and Banking Credentials

 

As the U.S. presidential elections are approaching, the hacking and spamming attacks related to it are rising. In a similar incident, hackers use fake voter registration forms to steal data of the users who access the fake government sites. The voter registration links work as bait, and if the user clicks it, he is redirected to a fake government website. The hacker then steals personal user data, along with banking credentials sometimes. 

"Whatever the intent behind this particular phishing attack, it should serve as a reminder that human beings -- users, employees, citizens, and voters -- are "soft targets" for malicious actors. This is especially true in turbulent times such as the present -- when fear, confusion, and doubt are surging in the run-up to a historic election that happens to fall in the middle of a catastrophic pandemic," says KnowBe4. These phishing campaigns started in September and are still active. 

Cybersecurity firms KnowBe4 and Proofpoint identified the attacks; they say that these attacks are trying to undermine the U.S. government agency's credibility (U.S. Election Assistance Commission (EAC), which is responsible for generating the voter list. The phishing emails have a simple subject line, and it works because citizens feel that they might be left out from the voting list. The phishing campaign uses hacked WordPress websites to host fake websites operated for luring the users. The sites contain incorrect URLs, and if the user fails to notice it, his data can be susceptible to hackers. According to experts, the hackers use a simple template for phishing attacks, and the fake website looks exactly as same as the original government website. 

According to Proofpoint, these spammers have become more aggressive in their recent attacks. They have changed their strategies and now ask for user's data and along with his banking credentials. "Now, as the U.S. election draws closer, many individuals are confirming their voter registration status. Using messages that suggest voter registration is invalid drives user urgency and uncertainty in an election season. We observed the last news from this actor using voter registration themes sent on October 7, 2020. This suggests that the actor may have already shifted to another type of lure," says Proofpoint.

Criminals sending malicious emails claiming to be from the rector of Moscow State University

A malicious program that steals passwords was sent out in mid-September by scammers in letters claiming to be from the rector of Moscow State University. The recipients were financial, industrial, and government organizations in Russia.

The mailing, as noted in the company Group-IB, was held in the period from 9 to 16 September.

"In the letter, the attackers, on behalf of rector Viktor Sadovnichy, ask recipients to read the attached document “ A description of the budget for 2020” and promptly send their commercial offer,” reported the company's press service.

The texts of the letters are illiterate and contain stylistic errors. In addition, the order of words and sentences indicates that fraudsters use an automatic translation program. The authors of the letter were too lazy to change or check all the links in the template before sending them out. Probably, similar attacks have already been carried out on behalf of other universities, most likely foreign ones.

The addresses of Moscow State University were indicated as the sender in the letters. In fact, the correspondence was sent from the hacked mail server of the Hotel Alfonso V in the Portuguese city of Aveiro. The hotel has already been notified of the break-in.

All the scammers’ emails contained an archive called "Request for a commercial offer" with an executable .exe file inside. After it was launched, a malicious program was installed on the user's device that could steal usernames and passwords.

"In the future, hackers can use them to gain access to email accounts or crypto wallets, for financial fraud, espionage, or sell stolen data on hacker forums,” said Group — IB.

According to Vasily Kuzmin, Deputy head of the information technology department of Moscow State University, neither the rector nor the University administration ever send letters with such content.

Russians were warned about phishing emails on behalf of the tax service

Experts of the company Group-IB, specializing in the prevention of cyberattacks, together with the Federal Tax Service (FTS), identified the activity of fraudsters in the Network. Criminals send emails to legal entities and state institutions allegedly on behalf of the tax authorities.

All emails of attackers looked the same. They said that the recipient must appear at the Federal Tax Service to "give evidence about the flow of funds”. Before visiting the institution, the recipient of the letter was required to fill out a special form, which was attached in the letter as an archive with a password. The password was also attached in the email. This scheme allowed bypassing antivirus protection. When the archive was opened, a program for remote access to it was installed on the user's computer.

"The Federal Tax Service of Russia does not send letters to taxpayers about the existence of debt and offers to pay the debt online,” reported the press service of the FTS.

The mailing started at the end of July and continues to this day. Emails are sent to employees of oil and mining companies, airports, Telecom operators, and other organizations.

Experts are discussing the possibility of introducing a new article "Tax fraud” into the criminal code of the Russian Federation.

Moreover, according to Igor Bederov, General Director of the Internet Search company, in total, there are more than 1 million fake websites in Russia, up to 1 million messages are sent per day. He added that the share of phishing messages today can be up to 10% of the total volume of e-mail messages.

It is difficult to calculate the total amount of damage to organizations caused by phishing attacks, but one such successful attack can cost an average of 2,000 to 50,000 rubles ($27-680).

Earlier, E Hacking News reported that Kaspersky Lab experts described a discovered method of corporate phishing. Phishing attacks claiming to be from HR steals bank employees credentials.

Russians began to click on scam sites 10 times more often


According to the study of Kaspersky Lab, at the beginning of 2020, the number of attacks on Russians through scam resources increased 10 times to 15 million, and the number of such pages doubled to 10 thousand. The rapid increase is associated with the spread of the coronavirus. Fraudsters actively exploit the theme of the pandemic: from fake promises to pay benefits or refunds for a small cash contribution to the sale of personal protective equipment.

If every click to a scam page entailed deception of at least one user, then the potential amount of damage in the first quarter of 2020 could exceed 3 billion rubles ($40,5 million). Experts did not say how much money the Russians lost on scam resources during this period.

Senior content analyst at Kaspersky Lab Tatyana Sidorina believes that the popularity of scam resources has increased, as Russians have begun to spend more time at home, on the Internet. In addition, users are offered various big money compensations, for the withdrawal of which they need to pay a small commission.

She stressed that the scam resources disguised as state lotteries began to be actively used at the beginning of 2020, 219 resources were discovered. Kaspersky Lab noted that last year, separate statistics on lotteries were not even kept.

In order to minimize the damage from fraud, the Stoloto state lottery is already actively cooperating with law enforcement agencies and conducting an information campaign, said Varvara Basanovich, the organization's operating Director. She stressed that it is impossible to win the lottery without buying a ticket, and the tax is paid after receiving the money, and not in advance.

The head of Analytics and Special Projects at InfoWatch, Andrey Arsentiev, expects that after exiting the self-isolation regime, mass frauds with tourist trips to Russian resorts can start, as well as sellers of drugs for restoring strength, immunity and mental health can become active.

Why Hackers are Taking Advantage of COVID-19?


Cybersecurity threats have seen a massive upsurge since the outbreak of the COVID-19 pandemic that forced a majority of people to work from home which now is leading to attacks on remote workforces. Amid the anxiety it created, hackers have devised multiple ways to take advantage of the coronavirus and continued to exploit the fear amongst people in a number of ways, one being the distribution malware in the facade of Covid-19 or Corona related emails.

The threat posed by the Coronavirus has been seen to be scaling beyond human health, job losses and the collapsing global economy as it also set the stage for hackers to scam people for monetary and other gains. The urgency revolving around the novel biological virus robbed tech vendors and corporate systems of their ability to effectively tackle the risks. Scammers are well aware of the overwhelmed state of cybersecurity groups that led to a dramatic rise in phishing attempts and cyberattacks. Notably, hackers are exploiting the Covid-19 charged environment in various ways such as malicious infiltration of organizations, voice phishing, WhatsApp phishing, email phishing, social media, fake apps, and websites. As per the warnings given by WHO, criminals are also acting as WHO officials in order to scam people for financial gains or sensitive data.

Problems Arising with Security Operation Centers (SOC)? 

Security Operation Center is a centralized function set up across a company's IT infrastructure. The objective of the security operation team here is to detect and then respond to cybersecurity risks in order to safeguard important assets such as business systems, employee data, and intellectual property. Upon detecting a confirm threat, the SOC immediately isolates endpoints in an attempt to terminate harmful actions such as execution or deletion. It does do while ensuring no disruption is faced by the business continuity or lessening the impact to the best of its ability.

However, as the process of strengthening an organization's security requires sophisticated infrastructure (SIEM system), coordinated efforts and continuous monitoring by people and technology-with limited staff and people made to work from home, it has become difficult to prevent, detect, analyze and respond to cybersecurity incidents.

The SOC relies upon cybersecurity tools whose operations require complete understanding and expertise making the overall workflow complex, therefore the prevention and security can not take place whilst being at home.

Adverse Impact on IT Sector

IT sector is the lifeline of almost every global economy, it plays a vital role in the functioning of nearly every other major sector including human resources, manufacturing, finance, security, and health care. It's a well-known fact how heavily IT organizations rely on manpower to function, however, due to the lockdowns, quarantine periods and stringent curbs in the movement of people, many businesses are being shut down as the global supply chains of manufacturing are being heavily disrupted. IT professionals are not able to deliver on the projects, as a result of which production dropped by a significant margin and is expected to drop even further.

The coronavirus situation worsens with the security vendors not being paid timely and as a result of halted work, gates are being left unmanned providing potential hackers with an opening. Companies are advised to stay prepared for security breaches and individuals should consider sticking to strong passwords and keeping their systems updated as the number of scams is expected to rise amid the tremendous uncertainty of the crisis.

Group-IB informed about the distribution of fake news about 20 thousand coronaviruses infected in Moscow


A fake audio recording appeared on the Internet, where the girl reports about 20 thousand cases of coronavirus COVID-19 in Moscow and asks to spread this information as much as possible. This was announced on March 2 by the Chairman of the Commission of the Public Chamber of the Russian Federation for the development of the information community, Alexander Malkevich.

Group-IB's cyberattack prevention team urge not to trust information from unconfirmed sources.
This information is distributed in the social networks Vkontakte and Facebook from different users but in identical formulations. The audience that took this news seriously became mainly female groups in messengers at kindergartens and schools. Group-IB specialists recorded more than 9500 publications with this news and started searching for performers and customers of this information attack.

This is not the first time such fake news about the coronavirus has appeared since the beginning of 2020. In some regions of Russia, rumors spread that "because of the high level of danger, the whole family had to leave the city", "official sources report hundreds of deaths". Moreover, fakes about coronavirus are spread not only in Russia but also around the world. In particular, more than 40 media reported false information that the Pope became infected with the coronavirus.

According to experts, information about 20 thousand cases in Moscow may be the result of the work of the information forces of Ukraine.

In addition, information security experts of Group-IB have already identified the fact of artificial distribution of voice messages.

Official authorities have repeatedly noted that only a few cases of coronavirus infection have been confirmed throughout Russia: two in Chinese citizens, as well as three Russians evacuated to Kazan from the Diamond Princess liner.

Group-IB spottted new fake messages about the coronavirus during the day


Group-IB, a company that specializes in preventing cyberattacks has revealed new fake messages about the spread of coronavirus over the past day.

Company Group-IB reported that information about accounts spreading fakes about the coronavirus was transmitted to law enforcement agencies.

"The data obtained by Group-IB specialists about the accounts involved in the distribution of fake audio messages about the coronavirus was transmitted to law enforcement agencies. The bots were focused on the active distribution of a specific fake, although some bots were registered a couple of years ago with the same creation date," reported press service of the company.

In addition, Group-IB experts have identified new fake messages about the coronavirus over the past day and warned that there is still a possibility of new fakes. "It is important to use information from trusted sources and be critical of rumors and possible misinformation," added the press service said.
Group-IB works closely with the administration of social networks, including Facebook and VKontakte, and with forum moderators to remove misinformation about the spread of a new type of coronavirus.

Group-IB launched an investigation into the spread of information about a large-scale infection of Moscow residents with coronavirus in early March. By March 2, the company's experts had recorded 9500 posts, reposts, and publications that broadcast fake news about allegedly 20,000 sick Russians.
On March 4, Roskomnadzor began blocking access to resources that spread fake information about the coronavirus in Russia. The Agency has already entered several messages in social networks in the register of information prohibited in Russia at the request of the Prosecutor General's office.

It is worth noting that Russian President Vladimir Putin at a meeting with the government said that false reports of coronavirus in Russia are spread from abroad. According to Putin, in fact, nothing critical in terms of the coronavirus is happening.

According to Putin, "the purpose of such fakes is clear - to spread panic among the public", and this can only be countered by timely and reliable information of the country's citizens.

The official representative of the Russian Foreign Ministry responded to the US accusations about Russian fakes about the coronavirus


Russian Foreign Ministry spokeswoman Maria Zakharova commented on the US statement that Russia is spreading fakes about the coronavirus. The diplomat called such accusations "deliberate stuffing".

Earlier, the Straits Times reported that the US State Department suspected Russia of spreading fakes about the coronavirus. U.S. officials said that thousands of Russian-related accounts have spread false information about the disease on social networks, undermining global efforts to fight the epidemic. In addition, such users promote the idea that the US government is behind the COVID-2019 epidemic, thus damaging the country's reputation, according to the State Department.

According to media reports, the State Department intends to deal with fake accounts on Twitter, Facebook and Instagram.

The First Deputy Chairman of the State Duma Committee on International Affairs Dmitry Novikov said that there are different accounts on the network, including those that are trying to gain subscribers at any cost. Also, a politician did not rule out US involvement in the coronavirus epidemic in China. The politician noted that Washington has succeeded in creating biological weapons.

He also said that everything secret becomes clear sooner or later, and today's assumptions may be confirmed in the future.

Andrey Suzdaltsev, Deputy Dean of the faculty of World Economics and World Politics at the Higher School of Economics, explained the US accusations of disinformation against Russia as attempts to take a convenient media position.

At the same time, he called the evidence base, which is supposed to confirm Russia's guilt in disinformation, strange. He said that the statement saying that some millions of user accounts in social networks were specifically sponsored by the Kremlin for an information war against the White House, is unfounded.

At the same time, the very accusations against Russia indicate that Moscow is perceived as a threat in the West, the expert concluded.

Security Experts warn about threats before Black Friday


Experts of the antivirus company Kaspersky Lab reported that in the discount season, also known as Black Friday, the number of threats from cyber fraudsters has grown significantly.

"According to Kaspersky Lab, the number of phishing threats related to Black Friday has increased significantly over the past two weeks. On the eve of big sales and the upcoming holiday shopping season, cybercriminals are increasingly trying to attack users who prefer to shop online," said the antivirus company.

So, in the period from 18 to 24 November, the company recorded almost twice as many fraudulent resources, compared to the previous week.

The number of phishing attacks on online stores has also increased.“This growth is especially noticeable in Russia: if approximately every 20th phishing attack was sent to the e-commerce section in Runet two weeks ago, last week phishers tried to attack Russian online stores in every 11th case,” concluded company.

As Kaspersky Lab content analyst Tatyana Sidorina noted, an increase in the percentage of phishing attacks is also expected in the upcoming New Year's sales. In addition, there are about 12% more such attacks in the fourth quarter than at other times of the year.

It is interesting to note that earlier, Roskomnadzor warned about the appearance on the eve of Black Friday fraudulent sites that illegally collect personal data under the guise of sales.

"Roskomnadzor experts note that the main purpose of collecting such data (name, phone number, email address, bank details, etc.) is to use them later as spammer databases and to steal bank card data,” stated the regulator.

To avoid identity theft, Roskomnadzor recommends checking the originality of the domain of the online store and checking the presence of an SSL certificate. If the site address begins with http://, and not with https://, this is a reason to doubt the originality of the page.

Cyber Criminals Stealing Customer Data By Tricking Bank Employees


Kaspersky Lab experts described a recently discovered method of corporate phishing. Attackers send an employee or organization email inviting them to pass an assessment of knowledge and skills on the fake HR portal. To do this, the victim is asked to log in to the site using a working username and password. The potential victim has the impression that it is a mandatory procedure, for the successful passage of which he will receive a monetary reward.

According to the senior content analyst of Kaspersky Lab Tatyana Shcherbakova, in this way, fraudsters get access to corporate mail, which may contain personal data of customers.

Employees of large banks are regularly trained, tested and certified, so they can take a fake invitation for a real one. For this reason, the new phishing method threatens to take on a massive scale.

According to analyst Anton Bykov, at the moment several thousand corporate accounts could already be hacked.

Sergey Terekhov, director of the Technoserv information security competence center, noted that in this case, the employees of the credit departments of banks, in whose mailbox client profiles are stored, are in the risk zone.

At the same time, Denis Kamzeev, head of the information security department of Raiffeisenbank, stressed that all emails in the financial institution are checked through anti-spam and anti-virus and blocked in case of suspicion.

VTB, in turn, said that they delimit access to customer information for employees and keep records of employees who have access to confidential information.

Arseniy Shcheltsin, CEO of Digital Platforms, noted that this type of social engineering is tied directly to a person, not to technology. "Therefore, regardless of security systems, a person can always give a login and password from the mail to attackers."