Search This Blog

Showing posts with label phishing. Show all posts

Cyber Criminals Stealing Customer Data By Tricking Bank Employees


Kaspersky Lab experts described a recently discovered method of corporate phishing. Attackers send an employee or organization email inviting them to pass an assessment of knowledge and skills on the fake HR portal. To do this, the victim is asked to log in to the site using a working username and password. The potential victim has the impression that it is a mandatory procedure, for the successful passage of which he will receive a monetary reward.

According to the senior content analyst of Kaspersky Lab Tatyana Shcherbakova, in this way, fraudsters get access to corporate mail, which may contain personal data of customers.

Employees of large banks are regularly trained, tested and certified, so they can take a fake invitation for a real one. For this reason, the new phishing method threatens to take on a massive scale.

According to analyst Anton Bykov, at the moment several thousand corporate accounts could already be hacked.

Sergey Terekhov, director of the Technoserv information security competence center, noted that in this case, the employees of the credit departments of banks, in whose mailbox client profiles are stored, are in the risk zone.

At the same time, Denis Kamzeev, head of the information security department of Raiffeisenbank, stressed that all emails in the financial institution are checked through anti-spam and anti-virus and blocked in case of suspicion.

VTB, in turn, said that they delimit access to customer information for employees and keep records of employees who have access to confidential information.

Arseniy Shcheltsin, CEO of Digital Platforms, noted that this type of social engineering is tied directly to a person, not to technology. "Therefore, regardless of security systems, a person can always give a login and password from the mail to attackers."

Phishing Attacks: Via Scraping Branded Microsoft Login Pages!


Phishing Attacks: Via Scraping Branded Microsoft Login Pages!



The latest phishing attack attacks using the targets’ company-branded Microsoft 365 tenant login pages just to make it look more believable.

Microsoft’s Azure Blob Storage and the Azure Web Sites cloud storage solutions are also under usage for finding solutions to host their phishing landing pages.

This helps the users think that they’re seeing a legitimate Microsoft page. This aids the cyber-con to target Microsoft users and get their services credentials.

This phishing campaign is mostly about scraping organizations’ branded Microsoft 365 tenant login pages just to fool the targets.

The above observations were made as a part of s research of the Rapid7’s Managed Detection and Response (MDR) service team, say sources.

The cyber-criminals actually go through the list of validated email addresses before they plan on redirecting the victims to the phony login pages.

They put up actual looking logos of the brands that they want to copy and that’s what helps them to scrape the tenant login page.

In case the target organization doesn’t have a custom branded tenant page, the phishing kit is designed to make use of the default office 365 background.

The same campaign’s been launched at various different companies and organizations including in financial, insurance, telecom, energy and medical sectors.


There are several points at hand that hint at the phishing campaign still being active. In fact someone may be updating it for that matter at different times.

The “phisher” behind the campaign could easily be exploiting the “Lithuanian infrastructure”.

Besides the using the phony Microsoft phony page and stealing credentials the campaign also is up for exploiting cloud storage services.

For landing page hostings also, the campaign works perfectly. Phishing kits were discovered in April this year.

IPFs gateways were also abused by phishing attempts by using TLS certificates issued by Cloudflare, last year in October.

Per sources, the following advises and measures should be taken at once by organizations using the Microsoft office 365:
·       Multi-factor authentication via Office 365 or a third party solution for all employees.
·       Enrolling staff in phishing awareness training programs.
·       Training to help the employees spot and report phishing attacks.

Amazon Prime Day A Cyber Attack Target?




Researchers discover that the upcoming Amazon Prime Day sale is said to bring about hackers setting up a variety of Prime Day-related tricks intended to fool users into giving up their sensitive data.

Utilizing an 'Amazon Phishing Kit' the hackers can ship out malignant emails that have all the earmarks of being sent from Amazon, consisting of links that direct the victims to a fake Amazon login page.

As reported by Wired, shopping occasions like Prime Day stand for an easy-to-access opportunity for scamsters hoping to hoodwink victims into forking over their own information.

Crane Hassold, threat intelligence manager at the digital fraud defense firm Agari told Wired, 'Cybercriminals take advantage of popular, highly visible events when consumers are expecting an increased frequency of emails, when their malicious emails can hide more easily in the clutter,'

As indicated by security researchers from McAfee, scammers can make an email that seems like it's originating from a real organization, while utilizing a pack called 16Shop.

The biggest risk for the users is their credit card information, birthdays, addresses, and even social security numbers. The kit was initially intended to target Apple users, however as indicated by researchers, Prime Day appears, by all accounts, to be hackers' current target.

To avoid from being misled, analysts suggest investigating emails sent by Amazon with additional thoroughness and ceasing from following links to enter login data sent through email.

Just making a decision about an email by whether the address it's sent from is never again adequate state security analysts, since even emails can be faked. Instead, it's ideal to go legitimately to an organization's page by entering a URL into your address bar and afterward continue from that point.

Amazon Prime Day takes will take place on July 15 and 16.

Gamers’ Google and Facebook Credentials Unsafe; Android’s “Scary Granny ZOMBYE Mod: The Horror Game” To Blame!






A horror game from Android which has more than 50,000 downloads to its name. The Scary Granny ZOMBYE Mod: The Horror Game showed malicious behavior and is allegedly stealing users’ credentials after they log into their accounts.

The game is specifically designed to hoard downloads from the success of another Android game dubbed “Granny” with 100 million installs as of now.

After the researchers informed Google about the game’s phishing and siphoning abilities, the fully functional game was taken down from the Google Play Store.

A prominent research team realized that the game wouldn’t exhibit any malicious activity up to 2 days to steer clear of security checks.

It would turn in its data-stealing modules lest it were being used on older Android versions with users with new devices which run up to date.

Quite obviously it starts asking for permissions to launch itself on the smartphone or tablet and tries to gain the trust of the users.

Even after the Android users reboot their systems the game still shows full-screen phishing overlays.

Firstly it shows “a notification telling the user to update Google Security Services” and the moment they hit ‘update’ a fake Google Login page appears which looks almost legitimate except for the incorrectly spelled “Sign in”.


Scary Granny, after stealing the users’ credentials it will go on to try to harvest account information like recovery emails, phone numbers, verification codes, DOBs and cookies.

Obfuscated packages are other ways of mimicking official components of the Android apps. For example, com.googles.android.gmspackage attempts to pass itself as the original com.google.android.gms

The Scary Granny would also display some really legitimate looking ads from other prominent applications like Messenger, Pinterest, SnapChat, Zalo or TikTok.

The malicious horror game would make it appear that apps like Facebook and Amazon were actually open when actually they are only ads pretending to be actual applications.

In one of the cases the researchers tried out, the ad directed the user to a page which Google blocked flagging it as being deceptive which clearly implies that it hosts malware or a phishing attack.

After connecting with an ad network by way of com.coread.adsdkandroid2019 package, the ads would get distributed to the compromised Android devices.

At the end, to maximize the profit for its creators, the Scary Granny would try to wrest money form the users by asking them to pay for their playing privileges via a “pre-populated PayPal payment page”.

Yet Another Phishing Campaign by Hackers That Abuses QR Codes To Redirect Targets to Phishing Landing Pages



 Attackers come up with yet another phishing campaign that misuses QR codes to divert the targets to phishing landing pages. Researchers responsible for discovering this crusade distinguished that it quite effectively evades security solutions and controls intended to stop such attacks in their tracks.

The attackers previously utilized a URL encoded in a QR code target on the French Cofense customers to dodge the security software which dissects and accordingly blocks  suspicious or 'blacklisted areas' .

They even included a GIF image containing the QR code which would redirect them to the hxxps://digitizeyourart.whitmers[.]com/wp-content/plugins/wp-school/Sharepoint/sharepoint/index.php domain intended to act like a SharePoint-related site.

The phishing mails were disguised as a SharePoint email with a "Review Important Document" headline and a message body which would welcome potential victims to  "Scan Bar Code to View Document."
Phishing Email

Removing the victims from the overall safety of their computers thusly enables the cybercriminals to adequately sidestep any link protection services ,secure email portals, sandboxes, or web content filters set up by the targets' corporate information security department.

To make the attack considerably progressively fruitful against mobile users, the attackers have likewise upgraded their landing pages for smartphones with the phishing page and thus providing a custom view on the mobile devices.

Phishing landing page
Researchers from Cofense, the leading provider of human-driven phishing defense solutions world-wide, state that QRishing is a fairly notable technique utilized by cybercriminals to abstain from phishing filters and security solutions build especially to block such attacks before the pernicious emails reach the targets' inboxes.

Phishing landing page on a mobile

Along these lines , a conceivable protection against them named QRCS (Quick Response Code Secure), which would be "a universal efficient and effective solution focusing exclusively on the authenticity of the originator and consequently the integrity of QR code by using digital signatures, “was proposed in a paper from the Carnegie Mellon University's CyLab Study , which could perhaps prove to be valuable later on in the future.

Cybercrime goes out of control in India



Phishing, data theft, identity theft, online lottery, cyber attacks, job frauds, banking frauds, cyberbullying, online blackmailing, morphing, revenge porn, cyber hacking, child pornography, cyber grooming, cyberstalking, data diddling, software piracy, online radicalisation — the dark web of cybercrimes is spreading across the world and India is one of the hotspots of this digital crime.

With increasing mobile coverage and cheaper data, more and more Indians now access the internet even while on the move. This has exposed unsuspecting ones to fall prey to online fraudsters. Many become victims of sexual exploitation after being made to share personal details while some others use the new media like WhatsApp to spread fake news to create trouble for political and other gains. There have been several lynching incidents in the country in the past couple of years after fake messages about child lifting and cow slaughter were spread through social media.

In spite of an alarming rise in cybercrime in the country, the most recent Government statistics available on this is from 2016. Cybercrimes touched 12,317 cases in 2016 which was an increase from 9,622 reported in 2014. The National Crimes Record Bureau is yet to release the statistics for 2017 and 2018.

The data available is just a tip of the iceberg and the numbers might be much more, says a senior government official. “Many even do not report loss of money or honour out of shame. Many cannot even tell their families that they have lost money in online frauds,” the official said.

Officials say the problem is that common people are not aware of the risks involved while dealing with the internet. Many are unaware, they say, and exercise no caution while using the net. They click unwanted links, unknowingly give the cyber fraudster their personal details and get cheated.

Beware of new phishing scam that’s attacking Google Calendar

No matter which corner of the internet you visit, you'll find scammers trying to take advantage of you. You may already know to be skeptical of emails, Facebook posts, and dating profiles that seem too good to be true. And some times they even try to take control of our data - primarily the financial data - using the alleged calls from customer care executives. Quite frankly, no one is immune to receiving such unsolicited messages or emails. But thanks to their popularity, everyone knows the drill to safeguard themselves. Just don't click on suspicious emails or links and don't reveal your financial information to anyone and you are good to go. You know this. I know this and even scammers know this. And so now, reports are that there's a new type of security threat that targets your Google Calendar.

Scammers are using Google Calendar and other calendar apps to target innocent users in a new type of phishing scam, according to a global security firm.

Findings from the threat intelligence firm Kaspersky show there's been a recent wave of scam artists using hyperlink-embedded events to gain access to people's sensitive information. They start by spamming Google Calendar users with seemingly benign calendar invites. Anyone can accept the invitations, but the real targets are users with the default setting that automatically adds every event they're invited to to their Google Calendar. Once it's been added, Google sends notifications related to the event, making it seem more trustworthy.

The scam is thought to have happened throughout May this year.

The fake invitations contained a malicious website link that encouraged users to input their personal details, often in the form of a simple questionnaire that promised the chance to win money or other prizes if completed.

Kaspersky researchers say that users can safeguard themselves by turning off the automatic adding of invites to your Google Calendar app.

Dharma: A Malicious Ransomware In The Skin of an Anti-Virus Software








A family of ransomware has been infecting organizations around the globe and now has a new trick up its sleeve. A file-locking malware is being distributed disguised as anti-virus software.

“Dharma” happens to be the name of the infamous ransomware which has been linked to tens of cyber-crime episodes.

Dharma’s "executive working team" is all about creating and fabricating state-of –the-art attacks that are lucrative to the highest extent.

And by way of the recent stunt they’ve pulled they stand a handsome chance of extorting ransom payments in exchange for decrypting files and locked networks on the Windows system.

Actually, the ransomware poses to be an anti-virus software and hence the users are tricked into downloading and installing it.

The attacks like many others begin with “phishing emails” that claim to be from Microsoft and stating that the victim’s PC is under some risk, threat or is corrupted.

Luring the user into downloading the anti-virus by assessing a download link, if the user goes through with it, two downloads are retrieved.

According to sources, they are Dharma ransomware payload and an old version of anti-virus software from cyber security company ESET.

After the self-extracting archive runs, Dharma starts the file encrypting process. The user is guided to follow the installation instructions for ESET AV remover.

The interface gets displayed on their desktop but still requires user interaction during the installation process all the while distracting the user from the actual con.

The victim would immediately be confronted with a ransom note, once the installation gets done with, demanding crypto-currency in exchange for unlocking the file.

Malware have usually been hidden under skins of actually legitimate applications and software, in the above scenario an official unmodified ESET AV Remover was made use of.

Any other potential application could be exploited and used in this way to fool the not so well cyber-educated and even tech savvy users.

The file-locking malware is relatively new in the market but powerful nonetheless and with the enhanced tendencies of tactic and work being done on it.

Various cyber-cons still try to upgrade old threats and make use of latest techniques to wreak as much havoc as possible.

Ransomware happens to be an especially costly and dynamic threat which could hit in more than one ways.

The only way to not fall prey to such devastating attacks is securing email gateways, embracing better cyber-security manoeuvres, backing up files and constantly patching and updating.

Don't Dare Cancel Movie Tickets Online; You Could Be Subject To Fraud, "Vishing" To Blame!




A woman got scammed and was fraudulently ripped off of Rs.40,000 after she decided to cancel her movie tickets online. This is what exactly happened.


Reportedly a resident of Jankipuram, Lucknow, the aforementioned lady cancelled her movie tickets that she had booked via a popular website.

Things went sideways, when she called a "customer care executive" to claim a refund. 

This is a classic paradigm for "Vishing". The call version of Phishing, wrests money during the duration of the call.

Despite having cancelled her tickets within the stipulated period, the amount wasn't credited to her account.

She called the "customer care executive" and after he irritably answered she had to file a TOI report.

Furthermore she got a call from someone pretending to be from the ticket booking website she'd used.

The person lured her into giving away the details of her credit cards, putting up an act of helping her.

Pretty soon after the call was hung up, the woman noticed Rs. 40,000 missing from her account.


As customary to a "Vishing" fraud, the victim receives a call where the caller pretends to be a representative of a company.

To keep up the pretense, the caller would ask for the victim's details like name, date of birth and mobile number. Furthermore, the call's made from a landline.

The next step is pretty cliche. The victim ill be asked to reveal the details like their customer ID of online banking or credit/debit cards details.

Then come the bank account details followed by asking for the OTP on the victim's phone.

The main motive behind "Vishing" is hijacking the victim's online bank account and trying to harvest the money on it.

Cyber Tip:  No Legit Bank/Company Representative Would Ever Ask For Your Personal Details. Ever!

Phishing Attacks on Microsoft and Outlook; By Way of Microsoft’s Azure Blob Storage




Two major phishing campaigns have been discovered by the researchers which uses Microsoft’s Azure blob to steal details from Outlook and Microsoft accounts.


Both the campaigns employ real-looking landing pages which make use of SSL certificates and the windows.net domain to seem authentic.

The first phishing email goes around asking the receivers to log into their office 365 account to update the information.

The emails happened to have “Action Required: (email address) information is outdated-Re-validate now!!” in their subject boxes.

The moment a user clicks on the link provided in the mail, they will be directed to a landing page which fake-acts as the organization’s Outlook Web App.

This landing page is what does the main task of stealing the credentials from the user.

The second one works on stealing users’ Microsoft account details and credentials.

The process to lure in the user starts from Facebook’s workplace service and ends up taking the user to a Microsoft’s landing page.

This could either be s single-sign-on approach or a mixed up campaign for luring victims in.

The Microsoft account the users are brought to, is fairly legit looking as it uses the same form and the same background for that matter.

Both the landing pages make use of Azure Blog Storage to make them look convincing and as far as possible, legitimate.

All Microsoft Azure does is that is adds legitimacy to the landing pages used by the phishing-cons to target the Microsoft services.

The Azure Blob storage URLs use the windows.net domain making the landings look fairly legitimate.

One of the phishing links which is not in use anymore had the URL-  https://1drive6e1lj8tcmteh5m.z6.web.core.windows.net/ and the domain name seemed to do the trick.

Also, every URL on Azure Blob Storage happens to be using a wildcard SSL certificate from Microsoft, making every landing page get a “lock symbol”.

This would exhibit a Microsoft certificate every time a user would try to click on the certificate to check who signed, making the entire sham all the more believable.

To steer clear of such phishing attack one thing need to be kept in mind that the original login forms from Outlook and Microsoft could indubitably have outlook.com, live.com, and Microsoft.com as their domain names.

Hackers Delivering New Muncy Malware Worldwide through DHL Phishing Campaign



With malicious intentions of targeting the users across the globe, attackers are reported to be disseminating new dubbed Muncy malware in the form of EXE file through DHL phishing campaigns.

Resorting to malspam emails, DHL phishing is amongst the most far-reaching campaigns which distributed several sophisticated malware. They made it appear legitimate by exploiting the deplorable configuration of SMTP servers and by employing email spoofing techniques.

DHL is a company of global repute which specializes in providing express mail services, international couriers and parcels. The reputation of the well-established company took some hits by the cybercriminals as they abused it to distribute malware. 

They did so by configuring the malicious emails to appear to be coming from DHL express. The email comprised of an infected attachment in PDF format.

How the malware is executed?

As soon as the targeted user accesses the PDF attachment, Muncy Trojan file sneaks into the system. Then the packed malware is unpacked and once unpacked it scans the whole C:\ drive for the files containing sensitive data. 

Expert takes

Commenting on the matter, Pedro Tavares, Founder, and Pentester at CSIRT.UBI told the GBHackers, “The phishing campaign is trying to impersonate DHL shipment notification and the malware is attached in the email.”

“This malware is on the rise and is affecting user’s in-the-wild while stealing sensitive information from their devices.”