Search This Blog

Showing posts with label phishing. Show all posts

Israeli Chief-of-Staff was Hacked by an Iranian State-Sponsored Cybercriminal

 

According to the Times of Israel, an Iranian cybercriminal targeted the computer of a former IDF chief of staff and acquired access to his complete computer database. Yaser Balaghi was identified as the hacker by Channel 10. After the hack, he allegedly brags about it, while also unwittingly leaving a trail of his identity. Iran was compelled to stop a cyber operation that had targeted 1,800 persons around the world, including Israeli army generals, Persian Gulf human rights campaigners, and academics, due to this oversight. 

After Check Point, an Israeli cybersecurity firm, confirmed the Iranian hacking operation's existence two weeks ago, the Times of Israel was the first to report on it. The information from Check Point was also shown in a Channel 10 report on Tuesday. The attack began two months prior, according to Gil Shwed, CEO of Check Point Software Technologies, who told Israel Radio in late January that targets received email messages aimed at installing malware on their computers. More than a quarter of those who received the emails clicked them, unknowingly downloading spyware and allowing the hackers to steal data from their hard drives. 

Hezbollah and the Iranian regime have attacked Israel multiple times in the last two years. In the previous two years, Israel has been the target of several cyberattacks. Some of the infiltration attempts, according to officials, were carried out by hackers linked to Hezbollah and the Iranian government. 

Late in January, Israel's Electric Authority was the target of a significant cyberattack, according to Energy Minister Yuval Steinitz. He didn't say where the attack was coming from, though. ClearSky, an Israeli cybersecurity firm, said in June that it has detected a continuous wave of cyberattacks emanating from Iran against targets in Israel and the Middle East, with Israeli generals once again being among the targets. The company claims that the goal is espionage or other nation-state goals. 

According to ClearSky, the hackers utilize targeted phishing techniques to gather user identity data by creating phoney websites that appear legitimate and trustworthy. They were successful in penetrating 40 targets in Israel and 500 sites worldwide. Retired generals, employees of security consultancy organizations, and academic experts were among the targets in Israel.

Pay Attention: These Unsubscribe Emails Only Lead to Further Spam

 

Scammers send out fake 'unsubscribe' spam emails to validate legitimate email addresses for future phishing and spam campaigns. 

Spammers have been sending emails that merely inquire if the user wants to unsubscribe or subscribe for a long time. These emails don't specify what the user is unsubscribing or subscribing to, and spammers are using them to see if the recipient's email address is real and vulnerable to phishing scams and other nefarious activity. 

If they get the needed confirmation, they’ll bombard it with various spam emails. The campaign is simple in design - the victim will get a basic email with this call to action in it asking whether the consumer wants to unsubscribe or subscribe: 

“Please confirm your Subscribe (sic) or Unsubscribe. Confirm Subscribe me! Unsubscribe me! Thank you!” 

If the user clicks on the embedded subscribe/unsubscribe links, the mail client will generate a new email that will be forwarded to a large number of different email addresses controlled by the spammer. 

After sending the mail, users expect to be unsubscribed from future communications but they are, however, confirming for the spammers that their email address is real and under surveillance. 

BleepingComputer created a new email account for testing purposes, which they never used on any website or service. When they responded to multiple confirmation emails received on another email account using the new email address. After sending unsubscribe/subscribe responses from the new account, their new account was bombarded with spam emails within a few days. 

This test also revealed that spammers are utilizing these subscribe/unsubscribe emails to fine-tune their mailing lists and confirm email addresses that are vulnerable to phishing and frauds. 

It was also stated that these attacks aren't restricted to spam emails; nothing stops scammers from using phishing or social engineering against the target email, which is sometimes more hazardous and difficult to detect and stop. 

Consumers should never click any links they receive in an email unless they are fully certain of the sender's validity and the link's integrity, according to security experts. No credible company will ever send an email with only the alternatives to "Subscribe or Unsubscribe" and without any information.

RevengeRAT is Targeting the Aerospace and Travel Sectors with Spear-Phishing Emails

 

Microsoft has released a warning about a remote access tool (RAT) called RevengeRAT, which it claims has been used to send spear-phishing emails to the aerospace and travel industries.

RevengeRAT is a remote access trojan (RAT) that is classified as a high-risk computer infection. This malware aims to give cybercriminals remote access to infected computers so they can manipulate them. According to research, cybercriminals spread this infection through spam email campaigns (malicious MS Office attachments). Having a trojan-type infection on your device, such as RevengeRAT, can cause a slew of problems. 

They can use RevengeRAT to monitor system services/processes/files, edit the Windows Registry and hosts file, log keystrokes, steal account passwords, access hardware (such as a webcam), run shell commands, and so on. As a result, these individuals have the potential to cause serious harm. 

RevengeRAT, also known as AsyncRAT, is spread by carefully designed email messages that instruct recipients to open a file that appears to be an Adobe PDF attachment but actually installs a malicious visual basic (VB) file. 

The two RATs were recently identified by security company Morphisec as part of a sophisticated Crypter-as-a-Service that delivers multiple RAT families. The phishing emails, according to Microsoft, transmit a loader, which then delivers RevengeRAT or AsyncRAT. Morphisec claims it is also able to supply the RAT Agent Tesla. 

"The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel, or cargo. An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads," Microsoft said. 

Morphisec called the cryptor service "Snip3" after a username it discovered in earlier malware variants. If Snip3 detects that a RAT is being executed inside the Windows Sandbox – a virtual machine security feature Microsoft launched in 2018 – it will not load it. Advanced users can use the Windows Sandbox to run potentially malicious executables in a secure sandbox that won't harm the host operating system.

"If configured by [the attacker], the PowerShell implements functions that attempt to detect if the script is executed within Microsoft Sandbox, VMWare, VirtualBox, or Sandboxie environments," Morphisec notes. "If the script identifies one of those virtual machine environments, the script terminates without loading the RAT payload."

Fake Chrome App is Being Used as Part of a Cyberattack Campaign

 

According to researchers at cybersecurity company Pradeo, a new Android malware has been discovered that imitates the Google Chrome software and has already infected hundreds of thousands of smartphones. The hazard has been labeled a "Smishing Trojan" by the researchers. 
 
According to the researchers, the false Google Chrome app is part of a smartphone attack campaign that uses phishing to steal your credit card information. By downloading the fake software, the device becomes a part of the attack campaign as well. 

“The malware uses victims’ devices as a vector to send thousands of phishing SMS. We evaluate that the speed at which it is spreading has enabled it to already target hundreds of thousands of people in the last weeks. ”, said the researchers in their ‘Security Alert’ post on their website. 

The assault begins with a simple "smishing" gambit, according to Pradeo researchers: targets receive an SMS text telling them to pay "custom fees" to open a package delivery. If they fall for it and press, a message appears informing them that the Chrome app needs to be updated. If they accept the order, they'll be directed to a malicious website that hosts the phony app. It is, in reality, ransomware that is downloaded into their phones. 

After the ostensible "update," victims are directed to a phishing list, which completes the social engineering: According to the study, they are asked to pay a small sum (usually $1 or $2) in a less-is-more strategy, which is of course just a front to collect credit card information.

“Attackers know that we’re accustomed to receiving alerts of all types on our smartphones and tablets,” Hank Schless, senior manager of security solutions at Lookout said. “They take advantage of that familiarity to get mobile users to download malicious apps that are masked as legitimate ones.” 

The campaign is especially risky, according to Pradeo researchers, because it combines an effective phishing tactic, dissemination malware, and multiple security-solution bypasses. “The attack could be the work of a regular level but very ingenuous cybercriminal,” Pradeo’s Roxane Suau said. “All the techniques (code concealment, smishing, data theft, repackaging…) used separately are not advanced, but combined they create a campaign that is hard to detect, that spreads fast and tricks many users.”

Microsoft Detected a BEC Campaign Targeted at More than 120 Organizations

 

Microsoft discovered a large-scale business email compromise (BEC) program that attacked over 120 organizations and used typo-squatted domains that were registered only days before the attacks began. Cybercriminals continue to harass companies in order to deceive recipients into accepting fees, exchanging money, or, in this case, buying gift cards. This kind of email attack is known as business email compromise (BEC), which is a dangerous type of phishing aimed at gaining access to sensitive business data or extorting money via email-based fraud.

In this operation, Microsoft discovered that attackers used typo-squatted domains to make emails appear to come from legitimate senders in the consumer products, process manufacturing, and agriculture, real estate, distinct manufacturing, and professional services industries. 

BEC emails are purposefully crafted to look like regular emails as if they were sent from someone the intended client already knows, but these campaigns are much more complicated than they seem. They necessitate planning, staging, and behind-the-scenes activities. 

"We observed patterns in using the correct domain name but an incorrect TLD, or slightly spelling the company name wrong. These domains were registered just days before this email campaign began," the Microsoft 365 Defender Threat Intelligence Team said. 

Despite the scammers' best efforts, Microsoft found that "the registered domains did not always comply with the company being impersonated in the email." The attackers' surveillance capabilities are evident when they called the targeted workers by their first names, despite their methodology being faulty at times.  

To give authenticity to the phishing emails, scammers used common phishing tactics including bogus responses (improved by also spoofing In-Reply-To and References headers), according to Microsoft.

 
"Filling these headers in made the email appear legitimate and that the attacker was simply replying to the existing email thread between the Yahoo and Outlook user," Microsoft added. "This characteristic sets this campaign apart from most BEC campaigns, where attackers simply include a real or specially crafted fake email, adding the sender, recipient, and subject, in the new email body, making appear as though the new email was a reply to the previous email." 

Though the tactics used by these BEC scammers seem crude, and their phishing messages seem to be clearly malicious, BEC attacks have resulted in record-breaking financial losses per year since 2018. The FBI formed a Recovery Asset Team in 2018 intending to retrieve money that can still be traced and freezing accounts used by fraudsters for illegal BEC transactions.

Qakbot Malware is Targeting the Users Via Malicious Email Campaign

 

Qakbot, also known as QBot or Pinkslipbot, is a banking trojan that has been active since 2007. It has been primarily used by financially motivated actors, initially it was known as a banking Trojan and a loader using C2 servers for payload delivery; however, over time as the scope widened, its use also expanded beyond strictly being a banking trojan. 

Security researchers at Alien Labs have noticed a newly emerged campaign in which victims are targeted with malicious email lures that appear to be in response to, or modified versions of, legitimate business communications between two parties. 

The use of an existing legitimate email, aside from making the lure appear far more convincing to a recipient recognizing their own message and possibly the purported sender, is consistent with previously identified Qakbot behavior in which email accounts are compromised and message threads hijacked. This tactic effectively creates a 'snowball effect' in which more and more organizations can be targeted with lures derived from legitimate email messages obtained from previously compromised victims.

The malicious Office document, when opened, it poses as a DocuSign file – a popular software for signing digital documents. The malicious documents take advantage of Excel 4.0 macros (XML macros) stored in hidden sheets that download the QakBot 2nd stage payload from the Internet – malicious servers compromised by criminals. 

Before executing the main payload, the QakBot loader will first test the infected system to see if it is a good candidate for infection. The QakBot loader is responsible for checking its environment to include whether it is running on a Virtual Machine, identifying any installed and running security and monitoring tools such as Antivirus products or common security researcher tools. 

To make detection and analysis harder, QakBot encrypts its strings and decrypts them at runtime before use. Once the QakBot execution logic is finished using a string, it will immediately delete the string from memory. The hallmarks of a QakBot infection chain consist of a phishing lure (T1566) delivered via email chain hijacking or spoofed emails that contain context-aware information such as shipping, work orders, urgent requests, invoices, claims, etc. The phishing emails alternate between file attachments (T1566.001) and links (T1566.002). QakBot is often used as a gateway entry, similar to TrickBot or Emotet, that leads to post-exploitation operations leveraging frameworks such as Cobalt Strike as well as delivering Ransomware.

Threat Actors are Using Telegram & Google Forms to Obtain Stolen User Data

 

Security researchers have noted an increase in the misuse of legitimate services such as Google Forms and Telegram for gathering user data stolen on phishing websites. Emails remain the popular method among threat actors to exfiltrate stolen data but these methods foreshadow a new trend in the evolution of phishing kits.

After analyzing the phishing kits over the past year, researchers at cybersecurity company Group-IB observed that more of these tools permit collecting users' stolen data using Google Forms and Telegram. 

What is a phishing kit? 

A phishing kit is a toolset that helps design and run phishing web pages mimicking a particular brand or firm or even several at once. Phishing kits are often sold to those hackers who do not have exceptional coding skills. These phishing kits allow them to design an infrastructure for large-scale phishing campaigns.

By extracting the phishing kit, security researchers can examine the methodology used to carry out the phishing attack and figure out where the stolen data is sent. Besides, a thorough examination of the phishing kit helps researchers in detecting digital footprints that might lead to the developers of the phishing kit.

Latest trends of 2020 

Security researchers at Group-IB identified more than 260 unique brands which were on the target list of cybercriminals, most of them being for online services (30.7% - online tools to view documents, online shopping, streaming service, and more,) email customers (22.8%), and financial organizations (20%). The most exploited brands of 2020 were Microsoft, PayPal, Google, and Yahoo.

Another trend the researchers noticed was that the developers of phishing kits were double-dipping to increase their profits by adding code that copies the stream of stolen data to their network data host. Security researchers explained that one method is by configuring the ‘send’ function to deliver the information to the email provided by the buyer of the phishing kit as well as the ‘token’ variable linked with a concealed email address.

“Phishing kits have changed the rules of the game in this segment of the fight against cybercrime. In the past, cybercriminals stopped their campaigns after the fraudulent resources had been blocked and quickly switched to other brands. Today, they automate their attacks and instantly replace the blocking phishing websites with new web pages,” Yaroslav Kargalev, Deputy Head at CIRT-GIB, stated.

“LinkedIn Private Shared Document” Shared Via Phishing Email by Hackers

 

LinkedIn seems to have become a popular destination for phishing attacks and users have been attacked with phishing emails in the recent scam on the site. With the public becoming more familiar with the standard tactics used to attack them, cybercriminals had to adopt new tactics in order to prevent identification. 

JB Bowers, a security investigator, found that hackers use LinkedIn to target users to give up their login credentials. The scheme attempts to get dubious users to open a "LinkedIn Private Shared Document," after which their login credentials are requested to access the falsified LinkedIn page. The message prompts the receiver to follow a reference from a third party to access a document.

Any user who obtains an unwanted message through the internal messaging system of LinkedIn via an unidentified contact must be extremely careful. In particular, this is true if users are requested to enter their login details. Users who mistakenly input their login credentials could often receive phishing messages which their LinkedIn contacts can also see. 

As to why hackers attack LinkedIn users, it may be because regular LinkedIn users have strong revenue than normal and are perceived as higher-value targets. Or since LinkedIn links to another Microsoft service, such as Office 365, it could contribute to more identity leakage if a LinkedIn account is hacked. As the name suggests, Phishing attempts to lure users to send confidential details. This could take the form of emails offering a free smartphone or something more formal, as in the aforementioned case. Further targets of phishing attacks are- colleges and businesses. Hackers are now getting more advanced and will send you a bogus email that appears to have originated from your employers since LinkedIn tells them who you are dealing with. Phishing pages are hosted in sites where there are also legitimate business purposes, such as Firebase and Pantheon.io, making access by companies unlikely. 

“The sites use major ASNs including Fastly, Google, and Microsoft, making basic network traffic analysis for the end-user also not so useful,” Bowers stated.

Employees must be advised to identify this form of intrusion leading to a broader breach of enterprise processes and networks. A further alternative is to block the usage of social media/networks on working devices, but it might not be good for workers. The victims will be made aware of the deception and have to let their LinkedIn friends also know about it. In some instances, some of them will find themselves fooled and have to go through the same method. 

“If you see any more LinkedIn messages like this […] you’ll want to let that person know out of band that their account has been compromised and that they should update their LinkedIn password, as well as report the abuse to LinkedIn,” Bowers advised.

Microsoft Office Phishing Attack Hosted on Google Firebase

 

A phishing campaign set on stealing Microsoft login credentials is utilizing Google Firebase to bypass email security efforts in Microsoft Office 365, researchers said. 

Researchers at Armorblox revealed invoice-themed emails sent off to at least 20,000 mailboxes that indicate to share data about an electronic funds transfer (EFT) payment. The emails convey a genuinely vanilla subject line, “TRANSFER OF PAYMENT NOTICE FOR INVOICE,” and contain a link to download an “invoice” from the cloud.

Clicking on that link starts a progression of redirects that at last takes targets to a page with Microsoft Office branding that is facilitated on Google Firebase. That page is obviously a phishing page, designed to collect Microsoft log in data, secondary email addresses, and phone numbers. “Since all workplace accounts are so closely interlinked, sharing credentials to one of your accounts can prove to be very dangerous as cybercriminals send emails in your name to trick your customers, partners, acquaintances and family members,” as indicated by Armorblox. 

Impersonating Microsoft to phish for account credentials continues being an incredible method since it's a way for attackers to embed themselves into typical business work processes, said Rajat Upadhyaya, head of engineering at Armorblox. “Viewing documents via Office 365 is something we do every day, so victims might think it’s not unusual to enter login credentials in this situation,” Upadhyaya added. “Plus, hosting the final phishing page on Google Firebase lends the domain inherent legitimacy and allows it to bypass email security blocklists and filters.” 

The email assault bypassed native Microsoft email security controls. Microsoft appointed a Spam Confidence Level (SCL) of '1' to this email, which implies that the tech giant didn't decide the email as dubious and conveyed it to end-user mailboxes. Strangely, by facilitating the phishing page HTML on Google Firebase, an inherently trusted domain, the emails had the option to nip past underlying Microsoft security filters, including Exchange Online Protection (EOP) and Microsoft Defender for Office 365.

For better protection against email-borne threats, employees ought to be prepared to engage with emails identified with cash and information with an "eye test" that incorporates investigating the sender name, sender email address, language inside the email, and any legitimate irregularities inside the email, as per Armorblox.

Financial Conduct Authority of UK Hit by 2,40,000 Spam Mails, Some Contain Malware

 

Financial Regulator of UK was spammed by almost a quarter of a million (240,000) malicious emails in the Q4 of the year 2020. The FOI data gives important highlights about the tremendous pressure that big organizations are facing to protect their assets. Griffin Law, a litigation firm, has filed an FOI with an influential London-based agency, the FCA (Financial Conduct Authority). As per Gov.UK, "The Financial Conduct Authority (FCA) regulates the financial services industry in the UK. Its role includes protecting consumers, keeping the industry stable, and promoting healthy competition between financial service providers." 

The firm says that FCA was spammed with around 240,000 malicious emails (also unsolicited) during the course of the last three months of 2020, an average of 80,000 emails per month. November observed the highest mails-84,723, whereas October had 81,799 and December 72,288. Most of the mails were listed as "spams" whereas more than 2400 mails had malware containing trojans, bugs, worms, and spyware, says the report. Fortunately, the FCA had blocked all the malicious emails that it received, however, the main threat isn't from these mails but from targeted spear-phishing campaigns. Tim Saddler, CEO, Tessian, emphasizes that phishing emails have become a persistent threat today because it is easy to target humans than to hack machines. 

Tim said, "cyber-criminals, undoubtedly, want to get hold of the huge amounts of valuable and sensitive information that FCA staff have access to, and they have nothing but time on their hands to figure out how to get it." He further says, "it just takes a bit of research, one convincing message or one cleverly worded email, and a distracted employee to successfully trick or manipulate someone into sharing company data or handing over account credentials." 

This is not the first time when the Regulator has sidelined its cybersecurity issue. In February last year, Regulator had to apologize on public forums when it accidentally posted personal information (including name and address) of the few users who had lodged complaints against the agency. The irony is, the data leak happened as a Regular's solution to an FOI request.

National Crime Agency Detained the Operator of SMS Bandits for Phishing Message Services

 

The National Crime Agency of the United Kingdom has announced the arrest of the Service 'SMS Bandits' operator. However NCA did not disclose the suspected fraudster's identity, the cybercrime department of the Metropolitan Police has announced the detention of a Birmingham citizen who is linked to the company offering illicit phishing services. The aforementioned platform was used to send large amounts of phishing SMS. The fraudster had sent out a humungous number of fake messages by spoofing organizations like PayPal, some telecom providers, COVID-19 pandemic relief organizations, etc. 

SMS Bandits, including the man detained, got access to account credentials from numerous popular web pages, offered on dark web platforms that they controlled by sending fake SMSs by millions. Among other pseudonyms, Bamit9, Gmuni, and Uncle Munis are also used by the fraudulent service providers on the dark web. For mass transmission of texts intended to collect account credentials on various common websites and to steal personal and financial information, SMS bandits supplied an SMS phishing service for the mass transmission of text messages. 

Angus, a researcher at the Scylla Intel, a cyber intelligence firm, stated that the SMS Bandits sent phish lures that always made it possible to detect a fake message uncommonly, well done, and clean of syntax or orthographer's errors. “Just by virtue of these guys being native English speakers, the quality of their phishing kits and lures were considerably better than most,” Angus further added. 

According to Scylla Intel, the SMS Bandits made a variety of organizational security errors that made it relatively easy to figure out who they are in actuality. Scylla Intel further collected evidence against the SMS Bandits' and figured out that the SMS Bandits used the email addresses and passwords stolen from its services to validate the credentials. 

According to the sources, the SMS Bandits are also related to a dark web criminal program named, “OTP Agency”, a service that is designed to intercept the one- time- password which is required while logging into various websites. The modus operandi involves the customer entering the target’s phone number and name, and then the OTP Agency initiating an automated phone call to the target that alerts them about unauthorized activity on their account. 

SMS Bandits has also offered its patented "bulletproof hosting," which has been marketed as a "freedom of communications" portal, where clients can "host any content without restrictions." The content inevitably shapes the sites on which users of different web platforms are entitled to phish credentials.

According to a new survey, the amount of SMS phishing grew by over 328% in 2020. As a consequence of this, we do not see any feeling of terror among the fraudsters.

Users on Alert as Text Scamming Attack on The Rise


The fear of scam messages may seem far now, and even distant.  With the rise of well-engineered and sophisticated attacks in recent time,  the threat of scam messaging attacks may seem low, however, they are still a persistent danger. SMS (short message service) scams are similar to email phishing attacks, they work through social engineering attacks. Popular as "Smishing" (SMS and phishing), the attacks try to lure victims into providing information and user access, which benefits the hacker.  

Present SMS hacking techniques 
The SMS scam warns users of a new, packaging delivery, which is considered to be better and effective than before. If the user replies, the hacker steals user data for money theft, identity theft, or stealing sensitive organization data.  In one particular attack, the message leads the victim to a website and then rewards with a small gift (a smartphone, for instance) in return, for filling a survey. The attackers ask for credit card credentials for shipping and then steals the money.  Similarly, another SMS scam variant uses fake bank messages for its attack. The hacker lures the victim to give away their banking credentials, and if the victim does so, the attacker uses Emotet malware to infect their devices.  Whereas in some scams, the victim is threatened with violence if he doesn't pay the ransom. The approaches in all these attacks may be different, but they all share a common goal, which is to gain access to personal information. In all these attacks, the victim is asked to open a link or go to a website, the hackers use these malicious links and websites to steal user data.  Some other scam campaigns use relief funds, food aids, bank, covid-19, or jury duty to fool the victim. It is quite difficult to grasp the content of these attacks, however, in the future, these attacks would be even more sophisticated and dangerous, with brand new content.   

Why these attacks are successful. 
Scammers are constantly striving to attack smartphone users, which is a part of a larger threat campaign series. The hackers here have the upper hand, first, they always come up with new techniques to attack users, secondly, in most of cases, victims are not even aware of these attacks. About social engineering, the initial stage is misdirection, where the user is excited and they become assured about whatever texts they receive.  For example, "you've got a text but there's a problem with your credit card."  A different variant of this theme delves into people's likes or interests to get their attention.  An attacker might use an emotional text to trigger user action.  This is why people often receive scam texts which have- Fire! Politics! Lottery! Crime! Hackers use these event references to trigger user action and make them click on a link, or open a website.  

How to protect yourself from scams.  
It is crucial for users to know how to stay safe from these scams and attacks. Application security, mobile data protection, and mobile phone security are the key components here.  Here's what a user can do: 

1. Avoid responding to suspicious messages, especially texts that ask you to click a link. Contact the source to confirm whether the information is authentic.  You may get a text from the delivery service, asking you to click the link to confirm, visit the website instead.  

2. Do not get tricked by messages or brands that seem to be genuine. Fake branding is one of the most common ways of fooling users.  

3. If possible, always report a scam text to be safe in the future. Most importantly, do not think that scamming is a threat of the past. 

In reality, these attacks are on the rise, evolving daily with new techniques. As an organization, staff must undergo training to identify and report scam texts and to be always prepared for the challenges.

LogoKit Can Manipulate Phishing Pages in Real Time

 

A recently uncovered phishing kit, named LogoKit, eliminates headaches for cybercriminals via automatically pulling victims' organization logos onto the phishing login page. This gives assailants the tools expected to effectively emulate organization login pages, a task that can now and again be intricate. Cybercriminals have depended on LogoKit to dispatch phishing assaults on in excess of 700 unique domains in the course of 30 days (including 300 in the past week). These focused on services range from generic login portals to bogus SharePoint, Adobe Document Cloud, OneDrive, Office 365, and cryptocurrency exchange login portals. 

“With LogoKit’s intended functionality to be centered around singular emails per URL and extracting company logos, this dramatically improves ease of carrying out targeted attacks against organizations; and reusing pretexts without changing templates,” said Adam Castleman, security researcher with RiskIQ on Wednesday. 

Phishing kits, which can be bought by cybercriminals for anything in the range of $20 and $880, require minimal technical knowledge to work past modest programming skills. These kits are used to steal various information from victims – including usernames, passwords, credit card numbers, social security numbers, and more.

In some cases, for instance, attackers have been noticed facilitating their phishing pages on Google Firebase as a feature of the LogoKit assault. While LogoKit has been discovered utilizing these authentic facilitating services, researchers have likewise noticed compromised sites – many running WordPress — to have LogoKit variations. Cybercriminals send victims a specially created URL containing their email address. An illustration of a crafted URL that contains the email would be: "phishingpage[.]site/login.html#victim@company.com." 

On the off chance that the victim clicks on the URL, LogoKit at that point brings the organization logo from a third-party service, for example, marketing data engine Clearbit or Google's database for favicons (the graphic icons associated with particular webpages). 

Besides, since LogoKit is a collection of JavaScript files, its assets can likewise be facilitated on public trusted services like Firebase, GitHub, Oracle Cloud, and others, the greater part of which will be whitelisted inside corporate environments and trigger little alerts when loaded inside an employee's browser. RiskIQ said it is following this new threat intently because of the kit's simplicity, which the security firm accepts improves its odds of an effective phish.

DMV Warns New Yorkers of Text Phishing Schemes

 

The New York State Department of Motor Vehicles cautioned New Yorkers of progressing text message phishing schemes. These counterfeit text messages request that recipients update their driver's license contact data, with the messages connecting to a fake DMV site. Utilizing the progressing adoption of the REAL ID Act of 2005 trying to make the scam sound authentic, the attackers have utilized three explicit text phishing messages, said the New York State Department of Motor Vehicles (DMV). 

The New York DMV released three sorts of text phishing messages that fill in as the initial salvo in this attack.

 • The primary assault message illuminates the recipient in broken English that anybody holding a driver's license must "update their contact to compliance regulation agreements.” 

• The following text phishing message accomplishes something similar, advising the recipient they need to change their mailing and contact data to accelerate compliance with new ID guidelines. This rendition of the plan refers to REAL ID by name.

 • The last text message parrots the past two iterations however utilizes the most broken grammar of the three. 
Each three of the driver's license phishing messages diverts to a phony DMV site intended to steal data. 

New York State DMV cautioned of a similar text phishing assault in October 2020. In that case, threat actors were utilizing scam text messages to divert clients to a phony DMV site. On the off chance that somebody clicked on it, the attackers could target them with identity fraud or malware. In another situation, a text phishing scam utilized a pandemic alleviation payment as a cover story. The assault message informed the recipient, they were qualified for $600 on the off chance that they clicked on the embedded link. These attackers utilized caricaturing strategies to mask their message as true correspondence from New York's Department of Labor. 

These assaults feature the requirement for employers to protect themselves against phishing assaults professing to be government messages. They can do such by putting resources into making a security awareness training program. Seeing phishing assaults in a test setting can teach representatives about some of the most common types of scams being used today, as well as emerging campaigns. Employers can likewise consider utilizing phishing prevention technical controls.

6.15 Lakh Facebook Users' Account Compromised by Facebook Ad Phishing Campaign

 



A large scale ad phishing campaign that has compromised more than 6.15 lakh Facebook users' account was exposed by cybersecurity researchers. This ad phishing campaign is spread in at least 50 countries and reportedly the accounts are being compromised by exploiting the pages of open source repository GitHub. 
 
ThreatNix which is a Nepal-based security firm, while giving insights into the attack, said that the number of affected users is rapidly increasing, at an unusual pace of over 100 entries per minute and the situation is expected to worsen furthermore if necessary steps are not taken in due time.  
 
The researchers noted, "the phishing campaign by a sponsored Facebook post that was offering 3GB mobile data from Nepal Telecom and was redirecting to a phishing site hosted on GitHub page; the attackers created different pages imitating the legit pages from numerous entities. The attackers were using the profile picture and name of Nepal Telecom". 
 
Additionally, the cybersecurity firm claimed in a statement this week, “similar Facebook posts were used to target the Facebook users from Pakistan, Tunisia, Norway, Malaysia, Philippines, and Norway”. As per the findings of the firm, this ad phishing campaign is using localized Facebook posts and sending links inside these Facebook posts which redirected to a static GitHub page website that contained a login panel for Facebook. 
 
The cybersecurity researchers also noted that “after redirecting to a static GitHub page it forwarded the phished credentials to two endpoints one to a Firestore database and another to a domain which was owned by the phishing group”. The researchers also unearthed that nearly 500 GitHub repositories containing phishing pages are part of the identical phishing campaign. 
 
According to cybersecurity firm ThreatNix, they are working in unison with other authorities to “bring down the phishing infrastructure by reserving the information related to the domain”. The attackers were using Bitly link’s which pointed towards a benign page and when the Facebook ad was approved it was getting converted to point to the phishing domain, they used Bitly’s link because now Facebook takes all necessary steps to ensure that such phishing pages are not approved for ads.

Acronis reports India to be third highest in terms of Malware attacks, after US and Japan

Acronis, a Switzerland based IT and cybersecurity company surveyed 3,400 IT managers from 17 countries across four continents: Australia, Bulgaria, Canada, France, Germany, India, Italy, Japan, Netherlands, Singapore, South Africa, Spain, Sweden, Switzerland, UAE, UK, and the US from both private and public sector. Their report investigates the increase/decrease of cyber attacks and cyber readiness of companies during covid-19 as in their own words, "the COVID-19 pandemic has crippled businesses worldwide".

According to their report, India was the third highest country in the number of malware attacks, after the U.S and Japan between the months' March to November. Of 1000 clients, 1168 attacks were detected in India in a month. 

 Acronis found that during the switch from office to remote work, weak points in cybersecurity were revealed, mainly 1) exposed servers (RDP, VPN, Citrix, DNS, etc.), 2) weak authentication techniques, and 3) insufficient monitoring.

 The companies increased their expenditure on IT (72% of organizations reported increases in their IT expenditure) but still faced difficulties with adjustments from office to remote work. 

 When it comes to security concerns vast vulnerabilities were noticed in monitoring phishing problems, lack of expertise in a cloud solution, and video conferencing attacks as the cybersecurity protocols placed are just up to par but not really updated with the latest threats and needs. 

 “The cyber threat landscape has changed dramatically during the past few years, and in the last six months in particular. Traditional stand-alone antivirus and backup solutions are unable to protect against modern cyberthreats,” said Serguei “SB” Beloussov, founder and CEO of Acronis. 

 Most of the attacks faced by organizations were phishing (53.4%), DDoS (44.9%), Video Conferencing (39.5%), and Malware (22.2%). The rate of phishing attacks, the reports say is because of the lack of active action taken against them as only 2% of organizations use URL filtering protocols, and India, Switzerland, Canada, and the UK were among the most affected by video conferencing attacks.

Phishing Campaigns Evolving Rapidly; Using Innovative Tactics to Avoid Detection

 

In the past few months, Microsoft Office 365 phishing campaigns have evolved drastically, using innovative tricks like inverted login pages, sub-domains, and pre-detecting sandboxes to evade detection. Some of these notorious but ingenious tricks observed by security researchers are: 

 Detecting Sandboxes 

Microsoft recently discovered a phishing campaign that could avoid automated analysis by detecting security sandboxes (automated analysis). The campaign uses URLs that could spot sandboxes and switch the redirected URL to a legitimate page or website instead of the phishing landing page.

"We’re tracking an active credential phishing attack targeting enterprises that uses multiple sophisticated methods for defense evasion and social engineering," said Microsoft. 

"The campaign uses timely lures relevant to remote work, like password updates, conferencing info, helpdesk tickets, etc."

This method makes sure that only real people or to say potential victims reach the landing page and not security researchers and automated security scans. Thereby reducing their chance of being blocked. 

These emails are also very well crafted and obscure - another way to dupe email gateways. 

 Inserting Custom Sub-domains 

Another way these attackers have found to make phishing URLs more legitimate is by inserting custom subdomains for each user with their name and their organization's name. 

"This unique subdomain is added to a set of base domains, typically compromised sites," Microsoft explained. 

"Notably, the phishing URLs have an extra dot after the TLD, followed by the Base64-encoded email address of the recipient." 

"The unique subdomains also mean huge volumes of phishing URLs in this campaign, an attempt at evading detection."

 Inverting Images of Webpages

  This particular campaign uses inverted images (as the landing page) of the webpage they are trying to imitate. The security defenses receive this page thereby escaping detection. 

 The phishing kit reverses the inverted page to look like the original (using Cascading Style Sheets (CSS) ) for the user. 

 Google Ads

 A pretty neat trick used by phishing campaigns is by misusing Google Ads and Google Cloud Services, Microsoft Azure, Microsoft Dynamics, and IBM Cloud to host phishing pages that look legitimate and surpass secure email gateways.

Android Malware, FakeSpy Spying on Users' Banking Information Acting as Postal Services


A new Android malware, FakeSpy that can potentially steal an individual's banking details, read contact lists, application, and account information along with other personal data, is seen to be spreading across the globe. Earlier, the Android malware was targeting limited regions; the new campaign propagating the malware spreads itself using SMS phishing attacks.

The Android malware was originally discovered in 2017 while it was attacking users in Japan and South Korea, however, now security researchers have identified more potent variants of the malware attacking users in various countries like United States, Germany, France, Taiwan, United Kingdom, and China to name a few.

FakeSpy, labeled as 'the information stealer', is evolving rapidly, undergoing active development that can be seen in the weekly release of new variants of malware with different levels of potential and evasion capabilities.

"The malware authors seem to be putting a lot of effort into improving this malware, bundling it with numerous new upgrades that make it more sophisticated, evasive, and well-equipped. These improvements render FakeSpy one of the most powerful information stealers on the market. We anticipate this malware to continue to evolve with additional new features; the only question now is when we will
see the next wave," Security researchers at Cybereason told.

The tailored attacks are being found to be linked with a financially motivated Korean-or Chinese-speaking cybercriminal group known as 'Roaming Mantis' that had been involved in other similar operations, according to the research carried out by researchers at Cybereason.

FakeSpy is operating with the agenda of making financial gains through stolen credentials and banking information of users, the campaign includes sending postal-themed messages to the targeted user's contacts.

While giving insights into the attack, Assaf Dahan, senior director and head of threat research at Cybereason told ZDNet, "We are under the impression that this attack is what we often refer to as "spray and pray." I don't believe they are aimed at a particular individual, but instead, the threat actors try their luck, casting a rather wide net, and waiting for someone to take a bite."

"We see new developments and features added to the code all the time, so my guess is that business is good for them," he further added.

The lifespan of Phishing Attacks Recorded a Tremendous Growth in H2 2019


Phishing attacks recorded a remarkable surge in H2 2019, the growth has been alarming with the number of phishing websites blockages soaring by 230 percent per year. Earlier, phishers would terminate the fraudulent campaign once their webpages were blocked, however, now they are immediately mobilizing the phishing attack onto other brands. It serves as the main reason as to why the number grew so rampantly.

As the lifespan of phishing attacks increased tremendously, attackers became specific about their target pool and have increasingly targeted online services and cloud storage providers, the primary reason being the huge chunks of sensitive data stored in them that can be downloaded by the attackers to later threaten the victims for a ransom.

Turning towards a diligent attacking method, phishers have improved upon the ways they choose their campaigns and targets – preferring quantity over quality. Client software, e-commerce, online streaming, and delivery services were some online services that contributed to 29.3 percent of the phishers' targets, cloud storages amounted to 25.4 percent while financial organizations made for a total of 17.6 percent, as per the statistics for the last year.

While spotting and preventing the distribution of threats online, a total of 8,506 phishing web resources were blocked by Group-IB's Computer Emergency Response Team (CERT-GIB).

While providing insights on the matter to Help Net Security, Yaroslav Kargalev, CERT-GIB deputy head said, “Several years ago, creators of phishing pages were likely to have some technical background, they created phishing pages, putting much effort into the launch of their campaigns, preventing them from being detected and relentlessly supporting their sustainability....”

“This industry has changed its face — those pioneers no longer create phishing pages, they create tools for operators of web phishing campaigns who do not necessarily have any programming skills, and last year became the culmination of this trend. Since this new generation of phishers is not that experienced in maintaining the web resources viable, the phishing community’s focus has shifted toward the number of scam resources,” he added.

Banking Trojans and cryptocurrency projects have seen a steep decline in their preference amongst cybercriminals. As the functionality of backdoors has continued to expand, spyware and backdoors have stolen the show to reach the number one spot in the popularity rankings with a whopping 35 percent share.

Meghan Markle and Prince Harry's Names Used for Fake Celebrity Endorsement of Bitcoins?


While the Coronavirus pandemic has practically driven people to stay locked up in their homes and spend a lot more (in some cases almost all) of their time online, the possibilities for cyber-criminals have only flourished.

Cyber-security experts have realized this and made a note out of it that everyone knows the kind of danger is lurking in their cyber-world.

From elaborate scams to phishing attacks that target the victim’s personal information, there is a lot of people who need to be cautious about it.

The Cryptocurrency industry is going through a lot due to the current crisis the world is in. The 'crypto-partakers" are being particularly on the hit list with something as attention-grabbing as purportedly “celebrity endorsement”. The latest bait names for this attempt happen to be that of charming Meghan Markle and Prince Harry.

Well-known personalities’ names like Bill Gates, Lord Sugar and even Richard Branson have been misused to lure people in as a part of similar scams. It is not necessary for the people mentioned to belong to a particular industry. They could be anyone famous for that matter.

The scams are so elaborate that once fooled the victims can’t even trace the mal-agent and. The latest scam, per sources, employs a fake report from the “BBC” mentioning how Prince Harry and Meghan Markle found themselves a “wealth loophole”.
Per sources, they also assure their targets that in a matter of three to four months they could convert them into millionaires. Further on, allegedly, it is also mentioned that the royals think of the Cryptocurrency auto-trading as the “Bitcoin Evolution”. It reportedly also includes a fake statement to have been made by Prince Harry.

The overconfident scammers also declare that there is no other application that performs the trading with the accuracy like theirs. Reportedly, on their website, there are banners with “countdowns” forcing people to think that there are limited period offers.

According to researchers this is one of the many schemes desperate cyber-criminals resort to. People not as used to the Cryptocurrency industry and the trading area, in particular, are more vulnerable to such highly bogus scams and tricks that the cyber-criminals usually have up their sleeves.