Search This Blog

Showing posts with label Spam. Show all posts

Financial Conduct Authority of UK Hit by 2,40,000 Spam Mails, Some Contain Malware

 

Financial Regulator of UK was spammed by almost a quarter of a million (240,000) malicious emails in the Q4 of the year 2020. The FOI data gives important highlights about the tremendous pressure that big organizations are facing to protect their assets. Griffin Law, a litigation firm, has filed an FOI with an influential London-based agency, the FCA (Financial Conduct Authority). As per Gov.UK, "The Financial Conduct Authority (FCA) regulates the financial services industry in the UK. Its role includes protecting consumers, keeping the industry stable, and promoting healthy competition between financial service providers." 

The firm says that FCA was spammed with around 240,000 malicious emails (also unsolicited) during the course of the last three months of 2020, an average of 80,000 emails per month. November observed the highest mails-84,723, whereas October had 81,799 and December 72,288. Most of the mails were listed as "spams" whereas more than 2400 mails had malware containing trojans, bugs, worms, and spyware, says the report. Fortunately, the FCA had blocked all the malicious emails that it received, however, the main threat isn't from these mails but from targeted spear-phishing campaigns. Tim Saddler, CEO, Tessian, emphasizes that phishing emails have become a persistent threat today because it is easy to target humans than to hack machines. 

Tim said, "cyber-criminals, undoubtedly, want to get hold of the huge amounts of valuable and sensitive information that FCA staff have access to, and they have nothing but time on their hands to figure out how to get it." He further says, "it just takes a bit of research, one convincing message or one cleverly worded email, and a distracted employee to successfully trick or manipulate someone into sharing company data or handing over account credentials." 

This is not the first time when the Regulator has sidelined its cybersecurity issue. In February last year, Regulator had to apologize on public forums when it accidentally posted personal information (including name and address) of the few users who had lodged complaints against the agency. The irony is, the data leak happened as a Regular's solution to an FOI request.

Cyber Criminals trying to hack Russian popular Telegram channels using ads from GeekBrains

 The owners of the Telegram channels noted that scammers under the guise of advertising offers send malicious files.

" In particular, they can be represented by advertising managers of the GeekBrains educational platform", Nikita Mogutin, the co-founder of the Telegram channel Baza (more than 310,000 subscribers), wrote on Facebook. Owner of the Telegram channel Madonna (more than 9500 subscribers) Madonna Moore said that five scammers write to her a day. She also published the text of correspondence with a person who introduced himself as a representative of GeekBrains. 

GeekBrains has received many complaints about fraud on behalf of the company and has already sent out warnings to agencies and bloggers, said Elena Toropina, head of the company's marketing department. In her opinion, the attack on the channels is connected with the growth of the online education industry, which spends a lot of money on advertising.

Kaspersky Lab reported that the attachments sent by the attackers contain a Trojan virus. 

"If the victim runs the file, a program will be installed on the computer that will steal the accounts stored on it and provide fraudsters with hidden remote control of the Telegram channel", told Yaroslav Kargalev, deputy head of the Group-IB incident response center. According to him, scammers can also change the phone number in the channel's account to get full control over it.

Most often, channel theft is needed to publish links to malicious resources in the Telegram channel or to get a ransom, said Sergey Trukhachev, head of the special services unit of Infosecurity a Softline Company.

"The increase in the activity of scammers may be associated with the influx of new users to Telegram", noted Kargalev.

Telegram downloads have increased dramatically as WhatsApp has added a clause to its rules that allows users to share their personal data with Facebook. Moreover, the growing popularity of Telegram is due to the fact that supporters of Donald Trump, who was blocked in many social networks, have "flowed" there.

Telegram founder Pavel Durov called the sharp increase in the number of new users "the largest digital migration" in human history. In the first week of January, Telegram's monthly audience overcame the mark of 500 million active users.

Earlier, E Hacking News reported that Pavel Durov advised users to remove WhatsApp from smartphones. He called the WhatsApp application unsafe.


Russian hackers selling program in darknet that bypasses spam protection

The Russian-language Darknet site sells a program that allows you to distribute spam messages bypassing traffic and email protection tools. The program uses a function in the IMAP protocol

A new tool for spammers is actively being sold on the Darknet, which allows you to bypass the standard protection of e-mail accounts. By exploiting a feature in the Internet Message Access Protocol (IMAP), attackers upload the messages they need directly into the mailboxes of victims.

To trigger the attack, it is necessary that the attackers already have access to the victim's account. The Email Appender malware has been actively promoted on Russian-language hacker forums since the fall of 2020.

The author offers to use the program through a subscription — $50 for one day, $300 for a week or $1000 per month. This is very expensive, but judging by the latest campaigns, the demand for this service is very high.

Experts of the information security company Vade Security indicate that companies in Italy, France, Denmark and the United States have already been subjected to full-scale attacks by spammers using Email Appender. One of the affected organizations claims that it received 300 thousand spam messages in one day and was forced to spend very substantial resources to disable compromised accounts or change usernames and passwords.

Databases of usernames and passwords to mail are actively sold out on hacker forums. According to Gemini Advisory, an attacker can upload such a database to Email Appender, after which the program will try to connect to accounts that match pairs of usernames and passwords via IMAP. Next, it remains to use the IMAP function, which allows hackers to upload ready-made mail messages to the mailbox.

"There are a number of ways to block such spam campaigns, but the main one is to regularly change passwords and not use the same combination (or similar to it) more than once," said Alexey Vodiasov, technical Director of the company SEC Consult Services.

In addition, according to Vodiasov, two-factor authorization is effective, so that even a compromised account cannot be connected without attracting the attention of its rightful owner.

The expert added that it is also possible to enable notifications of cases of logging into an account from unusual IP addresses. Mail systems are quite capable of doing this.

Russian Speaking Hacker Compromises and Gains the Full Control of the Government Network Systems



Another rush of cyber-attacks from a Russian speaking hacker has been recently discovered by researchers and distinguished as one who utilizes the weaponized TeamViewer, the most mainstream and popular device used for remote desktop control, desktop sharing, online gatherings, web conferencing as well as record exchange between computers, to compromise and deal with the Government network systems.

This malignant campaign ceaselessly utilizes TeamViewer by adding TeamViewer DLL in order to deliver powerful malware that steals sensitive data and money from the various governments with addition to the financial systems.

In view of the whole infection chain, the tools created and utilized in this attack, the underground activity influences the analysts to believe that the attack was led by a financially inspired Russian speaking hacker.

The underlying phase of this infection chain begins by delivering a spam email under the subject of "Military Financing Program" with the attached malevolent XLSM document with installed macros.

A well-crafted malevolent document acted like the U.S Department of State which is marked as "top secret” persuading the victims to open it. When the victims open that 'decoy document' and empower the macro, there are two files extricated from the hex encoded cells in the XLSM document.



The first one is a legitimate AutoHotkeyU32.exe program, the second one on the other hand is an AutoHotkeyU32.ahk which is also an AHK script to communicate with C&C server to download the additional script and execute it.

By means of using this strategy, attackers concealing the TeamViewer interface from the users view, sparing the current TeamViewer session credentials to a text file and allows the exchange and execution of extra EXE o DLL documents 

In light of the Telemetry record, this attack is said to be focusing on nations including Nepal, Guyana, Kenya, Italy, Liberia, Bermuda, Lebano public financial sector in addition to the government officials.