
The lifespan of Phishing Attacks Recorded a Tremendous Growth in H2 2019


Phishing attacks surged in H2 2019: the number of phishing websites blocked grew by an alarming 230 percent year over year. Earlier, phishers would terminate a fraudulent campaign once their webpages were blocked; now they immediately redirect the phishing attack at other brands. This is the main reason the number grew so rapidly.

As the lifespan of phishing attacks increased, attackers became more selective about their target pool and increasingly went after online services and cloud storage providers. The primary reason is the large volume of sensitive data stored there, which attackers can download and later use to threaten the victims for a ransom.

Refining their approach, phishers have improved the way they choose campaigns and targets, preferring quantity over quality. Online services such as client software, e-commerce, online streaming and delivery services made up 29.3 percent of phishers' targets, cloud storage accounted for 25.4 percent and financial organizations for 17.6 percent, according to last year's statistics.

While spotting and preventing the distribution of threats online, a total of 8,506 phishing web resources were blocked by Group-IB's Computer Emergency Response Team (CERT-GIB).

While providing insights on the matter to Help Net Security, Yaroslav Kargalev, CERT-GIB deputy head said, “Several years ago, creators of phishing pages were likely to have some technical background, they created phishing pages, putting much effort into the launch of their campaigns, preventing them from being detected and relentlessly supporting their sustainability....”

“This industry has changed its face — those pioneers no longer create phishing pages, they create tools for operators of web phishing campaigns who do not necessarily have any programming skills, and last year became the culmination of this trend. Since this new generation of phishers is not that experienced in maintaining the web resources viable, the phishing community’s focus has shifted toward the number of scam resources,” he added.

Banking Trojans and cryptocurrency projects have seen a steep decline in popularity among cybercriminals. As the functionality of backdoors has continued to expand, spyware and backdoors have stolen the show, reaching the number one spot in the popularity rankings with a 35 percent share.

Meghan Markle and Prince Harry's Names Used for Fake Celebrity Endorsement of Bitcoins?


While the Coronavirus pandemic has practically driven people to stay locked up in their homes and spend a lot more (in some cases almost all) of their time online, the possibilities for cyber-criminals have only flourished.

Cyber-security experts have taken note of this and want everyone to know what kind of danger is lurking online.

From elaborate scams to phishing attacks targeting the victim's personal information, there are many people who need to be cautious.

The cryptocurrency industry is going through a lot due to the current global crisis. Cryptocurrency participants in particular are on the hit list, lured with something as attention-grabbing as a purported “celebrity endorsement”. The latest bait names for this attempt are those of Meghan Markle and Prince Harry.

The names of well-known personalities like Bill Gates, Lord Sugar and even Richard Branson have been misused to lure people in as part of similar scams. The people named need not belong to any particular industry; they could be anyone famous.

The scams are so elaborate that, once fooled, the victims cannot even trace the perpetrator. The latest scam, per sources, employs a fake “BBC” report describing how Prince Harry and Meghan Markle found a “wealth loophole”. Per sources, the scammers also assure their targets that in a matter of three to four months they could become millionaires. Allegedly, the report also claims that the royals refer to the cryptocurrency auto-trading as the “Bitcoin Evolution”, and it reportedly includes a fake statement attributed to Prince Harry.

The overconfident scammers also declare that no other application performs trading with the same accuracy as theirs. Reportedly, their website carries banners with “countdowns” to make people think the offers are for a limited period only.

According to researchers, this is one of many schemes that desperate cyber-criminals resort to. People less familiar with the cryptocurrency industry, and with trading in particular, are more vulnerable to the bogus scams and tricks that cyber-criminals usually have up their sleeves.

BEC Scams Cost American Companies Billions!


Business Email Compromise (BEC) scams have surfaced at several US companies and have caused losses in the billions, according to a warning from the Federal Bureau of Investigation.

Per sources, BECs are “sophisticated scams” targeting businesses that make electronic payments such as “wire transfers or automated clearing house transfers”. Usually these scams involve a cyber-con compromising a legitimate business email account through computer intrusion techniques.

Once access has been acquired, the cyber-con is free to use the email account deceitfully to obtain funds, sending suppliers emails with invoices carrying modified bank account details.

The hit list mostly consists of organizations that employ cloud-based email services, which makes it easier to go for Business Email Compromise (BEC) scams.

Per the FBI, specially engineered “phish kits” that impersonate cloud-based email services are used to mount these scams, with the sole aim of exploiting business accounts to request or misdirect funds.

Sources mention that the Internet Crime Complaint Center (IC3) received numerous complaints over the past years from companies that suffered billions of dollars in “actual losses” as a result of BEC scams.

The IC3 focused their attention on the BEC scams right after their number began to multiply rapidly across all the states of America.

The issue allegedly stands in the configuration of the cloud-based services which makes it almost effortless for cyber-criminals to exploit the company’s email accounts.

Obviously, most cloud-based services come with security measures intended to block BEC attempts. But their effectiveness depends on users making good use of them: most of these features need to be enabled and configured manually.

Per sources, what makes these scams dangerous is that any organization, big or small, with limited IT resources is vulnerable.

In addition to having control over the email accounts, the cyber-cons usually also retrieve the address books of the compromised accounts to build a list of potential targets. Hence a single bad apple can spoil the basket: one compromised organization could have ramifications for an entire industry.

Phishing Scam: Puerto Rico Government Loses More than $2.6 million



Puerto Rico's government fell for an email phishing scam and unintentionally lost over $2.6 million to the cyber-criminals behind it, according to a senior Puerto Rico official. The victim, Puerto Rico's Industrial Development Company, is a government-owned agency whose mission is to drive economic development on the island while working with local as well as foreign investors.

These days scammers launch thousands of phishing scams like this one, which made it one of the top crimes reported to the Federal Bureau of Investigation (FBI) in the past year, per the recently released IC3 annual report. Notable victims of similar attacks last year include a Texas school district scammed for $2.3m, a British community housing non-profit scammed for $1.2m and Nikkei for a whopping $29m.

On Wednesday a complaint was filed with the police in which Rubén Rivera, finance director of the island's Industrial Development Company, confirmed that the money had been sent to a fraudulent account by an unsuspecting employee of the company. Officials discovered the incident earlier this week and immediately reported it to the FBI, according to statements given by the agency's executive director, Manuel Laboy, to the Associated Press.

However, Laboy did not comment on how officials learned of the phishing scam, on whether any employees were dismissed in the aftermath, or on how the missing funds affected overall operations. He added that an internal investigation has been launched to find out whether anyone disregarded the set standards or was negligent about the laid-out procedures, and that officials at the corporation are attempting to recover the lost funds.

The agency received a fraudulent email claiming that the bank account it used for remittance payments should no longer be used for that purpose, and instructing the agency to transfer the money to a new account which, unbeknownst to the agency, belonged to the criminals operating the scam.

Acknowledging the seriousness of the matter and addressing criticism from Puerto Ricans, Laboy said: “This is a very serious situation, extremely serious, we want it to be investigated until the last consequences.” “I cannot speculate about how these things might happen.” “It’s a big responsibility.”

The Ascent of Gift Card Scams Leads to a Rise in the Amount of Money Being Lost


With the rise of phishing attacks, business email compromise (BEC) campaigns and gift card scams comes a rise in the amount of money being lost.

Research by Agari, an email security company, published in its most recent 'Quarterly Fraud and Identity Deception' trends report, found that gift card scams gained ground especially at the end of 2019, accounting for 62% of all BEC attacks, up from 56% in the previous quarter.

These attacks frequently involve cybercriminals taking over business email accounts and using the stolen identity to email others in the organization requesting the purchase of gift cards. A common tactic is to pose as someone in management asking an employee for help, because by and large an employee won't scrutinize a request that appears to come from their boss.

The run-up to the holiday season simply presented the criminals with the ideal opportunity to carry out their gift-card attacks, since the request could easily be framed as being for Christmas presents. The average sum requested in gift-card attacks has risen slightly to $1,627, with the lowest sums tending to come in at $250. In some more ambitious cases, cybercriminals have requested gift cards worth $10,000 by targeting employees across different departments simultaneously.

Criminals are drawn to BEC attacks because they prove successful and are easy to carry out. However, organizations can go a long way toward preventing phishing and other email-based attacks from succeeding by implementing additional security on accounts, such as multi-factor authentication, as well as human-level 'checks and balances'.

According to Crane Hassold, senior director of threat research at Agari, "Gift cards have become the preferred method of cashing out for a number of reasons. First, it makes everyone at any company the potential target of a BEC attack, not just the finance and HR departments. We've seen campaigns that have targeted 30-40 employees at a single company at one time in gift-card BEC scams."

The value of the gift cards requested may appear small when considered individually, yet the total adds up, particularly given how successful the attacks remain and how simple the cards are to cash out.

The most commonly requested gift cards are for Google Play and eBay, very closely followed by Target, iTunes and Walmart. Best Buy, Amazon, Steam and the Apple Store are also popular requests.

Cyber Criminals Stealing Customer Data By Tricking Bank Employees


Kaspersky Lab experts have described a recently discovered method of corporate phishing. Attackers send employees of an organization an email inviting them to take an assessment of knowledge and skills on a fake HR portal. To do so, the victim is asked to log in to the site using their work username and password. The potential victim is given the impression that this is a mandatory procedure, for the successful completion of which they will receive a monetary reward.

According to the senior content analyst of Kaspersky Lab Tatyana Shcherbakova, in this way, fraudsters get access to corporate mail, which may contain personal data of customers.

Employees of large banks are regularly trained, tested and certified, so they can take a fake invitation for a real one. For this reason, the new phishing method threatens to take on a massive scale.

According to analyst Anton Bykov, at the moment several thousand corporate accounts could already be hacked.

Sergey Terekhov, director of the Technoserv information security competence center, noted that in this case the employees of banks' credit departments, whose mailboxes store client profiles, are in the risk zone.

At the same time, Denis Kamzeev, head of the information security department of Raiffeisenbank, stressed that all emails in the financial institution are checked through anti-spam and anti-virus and blocked in case of suspicion.

VTB, in turn, said that they delimit access to customer information for employees and keep records of employees who have access to confidential information.

Arseniy Shcheltsin, CEO of Digital Platforms, noted that this type of social engineering is tied directly to a person, not to technology. "Therefore, regardless of security systems, a person can always give a login and password from the mail to attackers."

Phishing Attacks: Via Scraping Branded Microsoft Login Pages!



The latest phishing attack uses the targets’ company-branded Microsoft 365 tenant login pages to make itself look more believable.

Microsoft’s Azure Blob Storage and Azure Web Sites cloud storage services are also being used to host the phishing landing pages.

This makes users think they are seeing a legitimate Microsoft page, which helps the cyber-cons target Microsoft users and harvest their service credentials.

This phishing campaign centres on scraping organizations’ branded Microsoft 365 tenant login pages in order to fool the targets.

The above observations were made as part of research by Rapid7’s Managed Detection and Response (MDR) service team, say sources.

The cyber-criminals actually go through the list of validated email addresses before they plan on redirecting the victims to the phony login pages.

They display authentic-looking logos of the brands they want to copy, which is what scraping the tenant login page gives them.

If the target organization doesn’t have a custom-branded tenant page, the phishing kit is designed to fall back on the default Office 365 background.

The same campaign’s been launched at various different companies and organizations including in financial, insurance, telecom, energy and medical sectors.


Several indicators suggest the phishing campaign is still active; in fact, someone may be updating it at different times.

The “phisher” behind the campaign could easily be exploiting “Lithuanian infrastructure”.

Besides using the phony Microsoft page to steal credentials, the campaign also abuses cloud storage services.

It uses them for hosting landing pages as well. The phishing kits were discovered in April this year.

IPFS gateways were also abused in phishing attempts using TLS certificates issued by Cloudflare, last year in October.

Per sources, organizations using Microsoft Office 365 should take the following advice and measures at once:
·       Multi-factor authentication via Office 365 or a third-party solution for all employees.
·       Enrolling staff in phishing awareness training programs.
·       Training to help employees spot and report phishing attacks.

Amazon Prime Day A Cyber Attack Target?




Researchers say the upcoming Amazon Prime Day sale is expected to bring hackers setting up a variety of Prime Day-related tricks intended to fool users into giving up their sensitive data.

Using an 'Amazon Phishing Kit', hackers can send out malicious emails that appear to come from Amazon, containing links that direct victims to a fake Amazon login page.

As reported by Wired, shopping occasions like Prime Day stand for an easy-to-access opportunity for scamsters hoping to hoodwink victims into forking over their own information.

Crane Hassold, threat intelligence manager at the digital fraud defense firm Agari, told Wired: 'Cybercriminals take advantage of popular, highly visible events when consumers are expecting an increased frequency of emails, when their malicious emails can hide more easily in the clutter.'

According to security researchers from McAfee, scammers can craft an email that appears to come from a real organization using a kit called 16Shop.

The biggest risk for users is the theft of their credit card information, birthdays, addresses and even social security numbers. The kit was initially intended to target Apple users, but according to researchers Prime Day appears, by all accounts, to be the hackers' current target.

To avoid being misled, analysts suggest scrutinizing emails purportedly from Amazon with extra care and refraining from following links sent by email in order to enter login details.

Judging an email by the address it is sent from is no longer adequate, security analysts say, since even sender addresses can be faked. Instead, it is best to go directly to the organization's page by entering its URL in your address bar and proceed from there.

Amazon Prime Day will take place on July 15 and 16.

Gamers’ Google and Facebook Credentials Unsafe; Android’s “Scary Granny ZOMBYE Mod: The Horror Game” To Blame!






An Android horror game with more than 50,000 downloads to its name, Scary Granny ZOMBYE Mod: The Horror Game, showed malicious behavior and allegedly steals users’ credentials after they log into their accounts.

The game is specifically designed to ride on the success of another Android game, “Granny”, which has 100 million installs so far.

After the researchers informed Google about the game’s phishing and data-siphoning abilities, the fully functional game was taken down from the Google Play Store.

A prominent research team found that the game would not exhibit any malicious activity for up to 2 days, in order to steer clear of security checks.

It would deploy its data-stealing modules only when running on older Android versions, leaving users of new, up-to-date devices alone.

It then asks for the permissions it needs to launch itself on the smartphone or tablet and tries to gain the user's trust.

Even after the Android user reboots the device, the game still shows full-screen phishing overlays.

First it shows “a notification telling the user to update Google Security Services”; the moment they hit ‘update’ a fake Google login page appears which looks almost legitimate, apart from the misspelled “Sign in”.


After stealing the users’ credentials, Scary Granny goes on to try to harvest account information such as recovery emails, phone numbers, verification codes, dates of birth and cookies.

Obfuscated package names are another way of mimicking official components of Android apps. For example, the com.googles.android.gms package attempts to pass itself off as the genuine com.google.android.gms.

Scary Granny would also display legitimate-looking ads for other prominent applications like Messenger, Pinterest, SnapChat, Zalo or TikTok.

The malicious horror game would make it appear that apps like Facebook and Amazon were actually open, when in fact they were only ads pretending to be the real applications.

In one of the cases the researchers tried, the ad directed the user to a page which Google blocked, flagging it as deceptive, which implies it hosts malware or a phishing attack.

After connecting to an ad network by way of the com.coread.adsdkandroid2019 package, the ads would be distributed to the compromised Android devices.

Finally, to maximize profit for its creators, Scary Granny would try to extract money from users by asking them to pay for their playing privileges via a “pre-populated PayPal payment page”.

Yet Another Phishing Campaign by Hackers That Abuses QR Codes To Redirect Targets to Phishing Landing Pages



Attackers have come up with yet another phishing campaign that misuses QR codes to divert targets to phishing landing pages. The researchers who discovered this campaign found that it quite effectively evades the security solutions and controls intended to stop such attacks in their tracks.

The attackers previously used a URL encoded in a QR code, targeting French Cofense customers, to dodge security software that analyses and blocks suspicious or 'blacklisted' domains.

They even included a GIF image containing the QR code, which would redirect victims to the hxxps://digitizeyourart.whitmers[.]com/wp-content/plugins/wp-school/Sharepoint/sharepoint/index.php domain, intended to pass as a SharePoint-related site.

The phishing mails were disguised as SharePoint emails with a "Review Important Document" headline and a message body that invited potential victims to "Scan Bar Code to View Document."
Phishing Email

Taking the victims away from the relative safety of their computers enables the cybercriminals to sidestep any link protection services, secure email gateways, sandboxes or web content filters set up by the targets' corporate information security department.

To make the attack even more successful against mobile users, the attackers have also optimized their landing pages for smartphones, providing a custom view of the phishing page on mobile devices.

Phishing landing page

Researchers from Cofense, the leading provider of human-driven phishing defense solutions worldwide, state that QRishing is a fairly well-known technique used by cybercriminals to evade phishing filters and security solutions built specifically to block such attacks before the malicious emails reach the targets' inboxes.

Phishing landing page on a mobile

Along these lines, a possible protection against them, named QRCS (Quick Response Code Secure), was proposed in a paper from Carnegie Mellon University's CyLab. It would be "a universal efficient and effective solution focusing exclusively on the authenticity of the originator and consequently the integrity of QR code by using digital signatures", and could prove valuable in the future.

Cybercrime goes out of control in India



Phishing, data theft, identity theft, online lottery, cyber attacks, job frauds, banking frauds, cyberbullying, online blackmailing, morphing, revenge porn, cyber hacking, child pornography, cyber grooming, cyberstalking, data diddling, software piracy, online radicalisation — the dark web of cybercrimes is spreading across the world and India is one of the hotspots of this digital crime.

With increasing mobile coverage and cheaper data, more and more Indians now access the internet even while on the move. This has exposed unsuspecting ones to fall prey to online fraudsters. Many become victims of sexual exploitation after being made to share personal details while some others use the new media like WhatsApp to spread fake news to create trouble for political and other gains. There have been several lynching incidents in the country in the past couple of years after fake messages about child lifting and cow slaughter were spread through social media.

In spite of an alarming rise in cybercrime in the country, the most recent Government statistics available on this is from 2016. Cybercrimes touched 12,317 cases in 2016 which was an increase from 9,622 reported in 2014. The National Crimes Record Bureau is yet to release the statistics for 2017 and 2018.

The data available is just a tip of the iceberg and the numbers might be much more, says a senior government official. “Many even do not report loss of money or honour out of shame. Many cannot even tell their families that they have lost money in online frauds,” the official said.

Officials say the problem is that common people are not aware of the risks involved while dealing with the internet. Many are unaware, they say, and exercise no caution while using the net. They click unwanted links, unknowingly give the cyber fraudster their personal details and get cheated.

Beware of new phishing scam that’s attacking Google Calendar

No matter which corner of the internet you visit, you'll find scammers trying to take advantage of you. You may already know to be skeptical of emails, Facebook posts and dating profiles that seem too good to be true. Sometimes they even try to take control of our data, primarily financial data, using purported calls from customer care executives. Quite frankly, no one is immune to receiving such unsolicited messages or emails. But thanks to their popularity, everyone knows the drill to safeguard themselves: just don't click on suspicious emails or links and don't reveal your financial information to anyone, and you are good to go. You know this, I know this and even the scammers know this. And so now, reports say, there's a new type of security threat that targets your Google Calendar.

Scammers are using Google Calendar and other calendar apps to target innocent users in a new type of phishing scam, according to a global security firm.

Findings from the threat intelligence firm Kaspersky show there has been a recent wave of scam artists using hyperlink-embedded events to gain access to people's sensitive information. They start by spamming Google Calendar users with seemingly benign calendar invites. Anyone can accept the invitations, but the real targets are users with the default setting that automatically adds every event they're invited to to their Google Calendar. Once an event has been added, Google sends notifications related to it, making it seem more trustworthy.

The scam is thought to have happened throughout May this year.

The fake invitations contained a malicious website link that encouraged users to input their personal details, often in the form of a simple questionnaire that promised the chance to win money or other prizes if completed.

Kaspersky researchers say that users can safeguard themselves by turning off the automatic adding of invites in their Google Calendar app.

Dharma: A Malicious Ransomware In The Skin of an Anti-Virus Software








A family of ransomware that has been infecting organizations around the globe now has a new trick up its sleeve: the file-locking malware is being distributed disguised as anti-virus software.

“Dharma” is the name of the infamous ransomware, which has been linked to tens of cyber-crime incidents.

Dharma’s "executive working team" focuses on creating state-of-the-art attacks that are as lucrative as possible.

With the recent stunt they have pulled, they stand a good chance of extorting ransom payments in exchange for decrypting files and unlocking Windows networks.

The ransomware poses as anti-virus software, so users are tricked into downloading and installing it.

The attacks, like many others, begin with “phishing emails” that claim to be from Microsoft and state that the victim’s PC is at risk, under threat or corrupted.

The user is lured into downloading the “anti-virus” by accessing a download link; if they go through with it, two downloads are retrieved.

According to sources, these are the Dharma ransomware payload and an old version of anti-virus software from the cyber security company ESET.

After the self-extracting archive runs, Dharma starts encrypting files while the user is guided through the installation instructions for ESET AV Remover.

The installer's interface is displayed on the desktop and requires user interaction throughout the installation process, distracting the user from the actual con.

Once the installation is done, the victim is immediately confronted with a ransom note demanding crypto-currency in exchange for unlocking the files.

Malware has often been hidden inside legitimate applications and software; in this case an official, unmodified ESET AV Remover was used.

Any other legitimate application could be abused in this way to fool users who are not well versed in cyber-security, and even tech-savvy ones.

The file-locking malware is relatively new but powerful nonetheless, and its tactics and tooling continue to be refined.

Various cyber-cons keep upgrading old threats and adopting the latest techniques to wreak as much havoc as possible.

Ransomware is an especially costly and dynamic threat which can strike in more than one way.

The only way to avoid falling prey to such devastating attacks is securing email gateways, adopting better cyber-security practices, backing up files and constantly patching and updating.

Don't Dare Cancel Movie Tickets Online; You Could Be Subject To Fraud, "Vishing" To Blame!




A woman was scammed and fraudulently ripped off of Rs.40,000 after she decided to cancel her movie tickets online. This is exactly what happened.


Reportedly a resident of Jankipuram, Lucknow, the lady cancelled movie tickets she had booked via a popular website.

Things went sideways when she called a "customer care executive" to claim a refund.

This is a classic example of "vishing", the phone-call version of phishing, in which money is extracted during the call itself.

Despite having cancelled her tickets within the stipulated period, the amount wasn't credited to her account.

She called the "customer care executive" and, after he answered irritably, she had to file a complaint, per a TOI report.

Shortly afterwards she got a call from someone pretending to be from the ticket booking website she had used.

The caller, putting up an act of helping her, lured her into giving away her credit card details.

Soon after the call ended, the woman noticed Rs. 40,000 missing from her account.


As customary to a "Vishing" fraud, the victim receives a call where the caller pretends to be a representative of a company.

To keep up the pretense, the caller would ask for the victim's details like name, date of birth and mobile number. Furthermore, the call's made from a landline.

The next step is pretty cliche. The victim ill be asked to reveal the details like their customer ID of online banking or credit/debit cards details.

Then come the bank account details followed by asking for the OTP on the victim's phone.

The main motive behind "Vishing" is hijacking the victim's online bank account and draining the money in it.

Cyber Tip: No Legit Bank/Company Representative Would Ever Ask For Your Personal Details. Ever!

Phishing Attacks on Microsoft and Outlook; By Way of Microsoft’s Azure Blob Storage




Researchers have discovered two major phishing campaigns that use Microsoft’s Azure Blob Storage to steal Outlook and Microsoft account details.


Both campaigns employ realistic-looking landing pages that use SSL certificates and the windows.net domain to appear authentic.

The first phishing email asks recipients to log into their Office 365 account to update their information.

The emails carried the subject line “Action Required: (email address) information is outdated-Re-validate now!!”.

The moment a user clicks on the link provided in the mail, they are directed to a landing page that impersonates the organization’s Outlook Web App.

This landing page does the actual work of stealing the user's credentials.

The second campaign targets users’ Microsoft account details and credentials.

The lure starts from Facebook’s Workplace service and ends up taking the user to a Microsoft-branded landing page.

This could either be a single-sign-on approach or a mixed-up campaign for luring victims in.

The Microsoft account page the users are brought to looks fairly legitimate, as it uses the same form and the same background.

Both landing pages make use of Azure Blob Storage to look convincing and, as far as possible, legitimate.

In effect, Microsoft Azure lends legitimacy to the landing pages the phishing-cons use to target Microsoft services.

Azure Blob Storage URLs use the windows.net domain, making the landing pages look fairly legitimate.

One of the phishing links, no longer in use, had the URL https://1drive6e1lj8tcmteh5m.z6.web.core.windows.net/, and the domain name seemed to do the trick.

Also, every URL on Azure Blob Storage is served with a wildcard SSL certificate from Microsoft, so every landing page gets a “lock symbol”.

A user who clicks on the lock to check who signed the certificate sees a Microsoft certificate, making the entire sham all the more believable.

To steer clear of such phishing attacks, one thing needs to be kept in mind: genuine login forms from Outlook and Microsoft will have outlook.com, live.com or microsoft.com as their domain names.
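The domain check described above, written out as an added example (not code from the original post or from any of the campaigns it describes): it classifies where a "Microsoft login" link really points, treating the post's three legitimate domains as genuine and Azure static-website/Blob hosts under windows.net as user-published content whose Microsoft-issued padlock proves nothing. The sample links other than the dead phishing URL quoted in the post are constructed here.

```python
from urllib.parse import urlsplit

# The post names these as the only domains genuine Outlook/Microsoft login forms use.
MICROSOFT_LOGIN_DOMAINS = ("outlook.com", "live.com", "microsoft.com")
# Azure static-website and Blob endpoints live under windows.net; any subscriber can publish
# there and Microsoft's wildcard certificate covers it, so the padlock says nothing about the author.
AZURE_USER_CONTENT_SUFFIXES = (".web.core.windows.net", ".blob.core.windows.net")


def _under_domain(host, domain):
    """True if host equals `domain` or is a subdomain of it (label-boundary aware)."""
    return host == domain or host.endswith("." + domain)


def classify_login_url(url):
    """Return 'microsoft', 'azure-user-content', 'other' or 'invalid' for a login link.

    Only the parsed hostname is consulted, so userinfo tricks (https://outlook.com@evil/)
    and path tricks (https://evil/outlook.com/) are not mistaken for Microsoft.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "invalid"
    host = parts.hostname  # lower-cased; userinfo and port already stripped
    if parts.scheme not in ("http", "https") or not host:
        return "invalid"
    host = host.rstrip(".")
    if any(_under_domain(host, d) for d in MICROSOFT_LOGIN_DOMAINS):
        return "microsoft"
    if any(host.endswith(s) for s in AZURE_USER_CONTENT_SUFFIXES):
        return "azure-user-content"
    return "other"


def suspicious_login_links(links):
    """Links that present a Microsoft login but do not sit on a Microsoft login domain."""
    return [u for u in links if classify_login_url(u) != "microsoft"]


# Constructed sample: links as they might be extracted from a "re-validate now" mail.
# The first is the dead phishing URL quoted in the post; the others are made up here.
SAMPLE_LINKS = [
    "https://1drive6e1lj8tcmteh5m.z6.web.core.windows.net/",
    "https://outlook.live.com/owa/",
    "https://login.microsoft.com/",
    "https://outlook.com.example.test/login",  # Microsoft domain reused as a subdomain
    "https://outlook.com@evil.example.test/",  # userinfo trick
]
```

Running suspicious_login_links(SAMPLE_LINKS) flags the Azure-hosted page and the two lookalikes while letting the two genuine Microsoft hosts through.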

Hackers Delivering New Muncy Malware Worldwide through DHL Phishing Campaign



Targeting users across the globe, attackers are reported to be disseminating a new malware dubbed Muncy, in the form of an EXE file, through DHL phishing campaigns.

Relying on malspam emails, DHL phishing is among the most far-reaching campaigns and has distributed several sophisticated malware families. The attackers make the emails appear legitimate by exploiting poorly configured SMTP servers and by employing email-spoofing techniques.

DHL is a company of global repute that specializes in express mail services, international couriers and parcels. The well-established company's reputation took a hit as cybercriminals abused it to distribute malware.

They did so by crafting the malicious emails to appear to come from DHL Express. The email carried an infected attachment in PDF format.

How is the malware executed?

As soon as the targeted user opens the PDF attachment, the Muncy Trojan file sneaks into the system. The packed malware is then unpacked, and once unpacked it scans the whole C:\ drive for files containing sensitive data.

Expert takes

Commenting on the matter, Pedro Tavares, Founder and Pentester at CSIRT.UBI, told GBHackers, “The phishing campaign is trying to impersonate a DHL shipment notification and the malware is attached in the email.”

“This malware is on the rise and is affecting users in the wild while stealing sensitive information from their devices.”