Search This Blog

Showing posts with label fake websites. Show all posts

Phishing Campaign that Imitates Legitimate WeTransfer Applications

 

The Cofense Phishing Defense Center (PDC) has discovered a current phishing attempt that uses bogus websites to impersonate official WeTransfer applications. Threat actors can use this to get around email security gateways (SEG) and trick users into providing their credentials. 

WeTransfer is a file-sharing website that makes it simple for users to share files. Because of the service's popularity, it's possible that consumers may disregard the email's threat level. Threat actors have reimagined this site in order to attract unwary recipients to click on a malicious link that takes them to a phishing website, where they will be asked to pass up their credentials. 

The threat actor instructs the victim to respond to an email that says, "Pending files will be deleted shortly." The timestamps convey a sense of urgency. The malicious URL link that connects to the WeTransfer phishing landing page is hidden below the "Get your files" button. Threat actors provide a list of typical document names to make this appear more authentic. 

Another intriguing aspect is the email address's legitimacy. The threat actors have gone to great lengths to spoof the email address in order to convince recipients that the email came from the correct WeTransfer top-level domain: "@wetransfer.com." The most prevalent tactic used in phishing campaigns to acquire user trust is spoofing the email address. The top-level domain is specified by the Message-ID: @boretvstar[.]com – has nothing to do with WeTransfer. Furthermore, analysts discovered that @boretvstar[.]com is for sale and links to an error page that reads, “This site can't be reached.”

It's evident that the threat actors went to great lengths to resemble the official "WeTransfer" page as closely as possible. However, upon closer examination, the researchers found that Apple and Google logos are missing from the login buttons, and the URL does not match the actual URL. 

When the user clicks the button in the last stage of the attack, they are sent to a false WeTransfer page. To download the shared file, the user must first provide their credentials. The login area on the phishing landing page is prepopulated with the user's email address. The user is displayed a failed login attempt after entering the password, which is a frequent approach used by threat actors. 

In recent weeks, the PDC has seen over 40 identical campaigns reported by well-conditioned users to spot suspicious emails across all of our customers' settings. This phishing campaign is aimed to get around SEGs by impersonating a legitimate file-sharing platform.

Israeli Chief-of-Staff was Hacked by an Iranian State-Sponsored Cybercriminal

 

According to the Times of Israel, an Iranian cybercriminal targeted the computer of a former IDF chief of staff and acquired access to his complete computer database. Yaser Balaghi was identified as the hacker by Channel 10. After the hack, he allegedly brags about it, while also unwittingly leaving a trail of his identity. Iran was compelled to stop a cyber operation that had targeted 1,800 persons around the world, including Israeli army generals, Persian Gulf human rights campaigners, and academics, due to this oversight. 

After Check Point, an Israeli cybersecurity firm, confirmed the Iranian hacking operation's existence two weeks ago, the Times of Israel was the first to report on it. The information from Check Point was also shown in a Channel 10 report on Tuesday. The attack began two months prior, according to Gil Shwed, CEO of Check Point Software Technologies, who told Israel Radio in late January that targets received email messages aimed at installing malware on their computers. More than a quarter of those who received the emails clicked them, unknowingly downloading spyware and allowing the hackers to steal data from their hard drives. 

Hezbollah and the Iranian regime have attacked Israel multiple times in the last two years. In the previous two years, Israel has been the target of several cyberattacks. Some of the infiltration attempts, according to officials, were carried out by hackers linked to Hezbollah and the Iranian government. 

Late in January, Israel's Electric Authority was the target of a significant cyberattack, according to Energy Minister Yuval Steinitz. He didn't say where the attack was coming from, though. ClearSky, an Israeli cybersecurity firm, said in June that it has detected a continuous wave of cyberattacks emanating from Iran against targets in Israel and the Middle East, with Israeli generals once again being among the targets. The company claims that the goal is espionage or other nation-state goals. 

According to ClearSky, the hackers utilize targeted phishing techniques to gather user identity data by creating phoney websites that appear legitimate and trustworthy. They were successful in penetrating 40 targets in Israel and 500 sites worldwide. Retired generals, employees of security consultancy organizations, and academic experts were among the targets in Israel.

Russian Man Convicted of $7 Million Digital Advertising Scam

 

A Russian person was found guilty in the United States of using a bot farm and hiring servers to create fraudulent internet traffic on media sites, causing businesses to pay inflated advertising rates. 

Prosecutors said Aleksandr Zhukov, 41, was the brains of the Methbot operation, in which 1,900 servers were used to generate millions of bogus online ad views on websites such as the New York Times and the Wall Street Journal. According to the US, Zhukov gained $7 million from the scheme and channeled the money into offshore accounts around the world, citing a text in which he referred to himself as the "King of Fraud." 

The group allegedly called their plan "Metan," which is the Russian term for methane, while the FBI and prosecutors referred to it as Methbot, and later as Media Methane, which was the name of Zhukov's company with operations in Russia and Bulgaria. 

Zhukov and his colleagues negotiated deals with advertising networks to display their ads on websites, then received a commission for each ad that was viewed. According to prosecution filings, Zhukov and his collaborators instead established bogus sites and manipulated data centres to produce false users to make it appear like actual people were viewing the ads from September 2014 to December 2016.

"Zhukov represented to others that he ran a legitimate ad network that delivered advertisements to real human internet users accessing real internet web pages," according to a superseding indictment filed on February 12, 2020. 

"In fact, Zhukov faked both the users and the webpages: he and his co-conspirators programmed computers that they had rented from commercial data centers in the United States and elsewhere to load advertisements on fabricated webpages, via an automated program, in order to fraudulently obtain digital advertising revenue," it says. 

Victims of the scheme "included The New York Times, The New York Post, Comcast, Nestle Purina, the Texas Scottish Rite Hospital for Children, and Time Warner Cable," the Department of Justice said in a news release. 

On a temporary US arrest order, Zhukov was arrested in Bulgaria in November 2018. In January 2019, he was extradited to the United States and pleaded not guilty to the accusations against him.

BazaLoader Malware is Being Distributed by Hackers Using a Bogus Streaming Website

 

Proofpoint identified the phishing attempt in early May, which entailed hackers creating a phoney movie-streaming website named BravoMovies and stocking it with phoney movie posters and other materials to make it appear real to unwary visitors. It has nothing to offer for download other than BazaLoader malware, despite its pretty pictures and fun-sounding titles. BazaLoader is a malware loader that is used to spread ransomware and other types of malware, as well as steal sensitive data from infected computers. 

"BazaLoader is a downloader written in C++ that is used to download and execute additional modules. Proofpoint first observed BazaLoader in April 2020. It is currently used by multiple threat actors and frequently serves as a loader for disruptive malware including Ryuk and Conti ransomware. Proofpoint assesses with high confidence there is a strong overlap between the distribution and post-exploitation activity of BazaLoader and threat actors behind The Trick malware, also known as Trickbot," the security firm said. 

The BravoMovies campaign employs a complex infection chain similar to that employed by BazaLoader affiliates, who entice their victims to jump through a series of hurdles in order to activate malware payloads. It starts with an email informing recipients that their credit cards would be debited until they cancel their subscription to the service, which they never agreed to. 

The email includes a phone number for a call center with live people on the other end of the line, ready to send consumers to a website where they may purportedly cancel the phoney movie-streaming subscription. Those who fall for the trick, on the other hand, are directed to download a boobytrapped Excel spreadsheet that will trigger macros that will download BazaLoader. 

The call-center staff advises their customers to the BravoMovies website, where they should go to the Frequently Asked Questions page and unsubscribe using the "Subscription" page. They'll then be directed to download an Excel spreadsheet. If BazaLoader is enabled, the macros on the Excel sheet will download it. The second-stage payload in this campaign has yet to be discovered, according to Proofpoint experts. 

Proofpoint researchers first noticed the use of BazaLoader in February 2021, when a pre-Day Valentine's malware assault supplied lures to bogus flower and lingerie stores. It's also been spotted in a campaign for subscription pharmaceutical services.

Bengaluru: Passport offices alerts public against fake websites


Bengaluru: Passport offices throughout the country are apprehensive about the increase in fake websites that masquerade as official portals for passport related services and siphon off applicant's data and money.

The ministry has been issuing advisories and alerts on its social media handles to caution the public against such fraudulent websites. The crime branch, working with the ministry has also started awareness drives in order to prevent passport applicants from being duped by bogus.

 The fake websites that the offices caught were-
 www.indiapassport.org,
 www.online-passportindia.com,
 www.passport-seva.in,
 www.passport-india.in,
 www.passportindiaporlal.in and www.applypassport.org. (Sc.TOI)

Whereas, the official website to apply for a passport is- "www.passportindia.gov.in" and the official mobile application to avail passport related services is - "mPassport Seva".

Victims who were cheated by these bogus websites and mobile applications approached the passport office and filed complaint at the local police station, said Officials at the Regional Passport Office, Bengaluru. Not only websites but mobile applications and brokers outside the passport offices also demand more payment and could be stealing personal data like Adhaar Card, Voter Id, resident proof and birth certificate to partake in more serious crimes like identity theft or selling the data to immigrants.

The officials said they came across websites that charged unwarranted prices for filling up online forms for a new passport and other services and even people who were highly educated fell victim to the fraud. Where the real cost for a passport is Rs.1,500 for normal and Rs.3, 500 for tatkal, these fraudsters are charging from Rs. 4,500 to Rs. 6,000. And money is the lighter concern, the bigger threat is the theft of personal data like Adhar Number, Voter ID and phone connections.

These websites used logos of other government schemes like Swachh Bharat Abhiyan to appear more genuine and true. Even on Google Play Store, at least eight unauthenticated and false applications were found.

This problem is not centrist to Karnataka, as cases from all over the country have been popping up, for instance, NCR and Bhuvaneshwar being two of the areas. Bharath Kumar Kuthati, regional passport officer, Bengaluru, says "they are creating awareness by issuing warnings on social media. It is a pan-India problem and the department is taking steps to counter it."