Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Advanced Social Engineering. Show all posts
ETH Cyber Attacks
Advanced Social Engineering AI Phishing Attacks Cyber Security Cyberattacks DNS DNS attacks DNS Hijacking ETH Cyber Attacks

eth.limo DNS Hijack Thwarted By DNSSEC After Social Engineering Attack On EasyDNS

 

Unexpectedly, the ENS gateway known as eth.limo revealed a DNS hijack stemming from a social engineering scheme aimed at EasyDNS, its domain provider. Though settings shifted temporarily under unauthorized access, safeguards held firm throughout. Protection layers blocked harm, keeping user activity untouched during the episode. Compromise occurred at the registrar level - yet defenses prevented escalation beyond domain redirection. Hours after the incident started, a person pretending to be part of the eth.limo group tricked EasyDNS support into starting an account reset. 

Because of that mistaken trust, the intruder gained entry and altered where the domain pointed, shifting it first through servers at Cloudflare, then moving again toward Namecheap systems. Right away, automatic warnings went off once those shifts happened, which gave the real eth.limo members time to react fast. Their quick actions reversed the breach soon afterward. A single point of failure in eth.limo allowed it to act like a bridge, routing requests from regular browsers to data hosted on networks such as IPFS, Arweave, and Swarm. Because its DNS setup uses wildcards, countless .eth addresses rely on the same infrastructure - making them vulnerable when one part fails. 

Traffic meant for legitimate decentralized sites might instead flow toward harmful servers under attacker control. Notable resources, even those tied to figures like Vitalik Buterin, faced potential exposure should deception tactics have taken hold. Stopping the damage came down to DNS Security Extensions - called DNSSEC by many. Not through speed, but through verification: it checks DNS replies with digital signatures. Without access to the correct private keys, the hacker's fake entries could not pass these tests. Because validation failed, devices refused the corrupted data, showing failures rather than loading harmful pages. 

Though eth.limo and EasyDNS saw interference, they noted minimal reach due to this layer. To date, no individuals have faced consequences from the attempt. Surprisingly, EasyDNS spoke out after the event, calling it their initial customer-targeted social engineering success in almost thirty years. Following this, improvements to internal procedures are underway. Instead of old methods, eth.limo will shift to a tighter system - one without recovery pathways. That change aims to block repeat incidents. 

Over time, weaker entry points may fade. Security evolves differently now. Most recent cases show similar patterns across decentralized services. Though blockchains themselves stay distributed and protected, the websites people actually visit run on standard domain setups. These entry points open doors hackers are now using more frequently. Instead of breaking encryption, they shift traffic by manipulating DNS records. Users get sent elsewhere without noticing - sometimes losing assets quickly. Security layers matter more than ever, shown clearly by what happened with eth.limo. 

Even when human manipulation tricks succeed, safeguards such as DNSSEC often stop further damage. Because digital dangers keep changing shape, companies - especially in cryptocurrency - now pay closer attention to protecting not just blockchain networks but also the traditional services people rely on to reach them.
Read more »
Vishing
Advanced Social Engineering Cyber Crime IT Help Desk phishing Scattered Spider SIM swap Vishing

SLH Pays Up to $1,000 Per Call to Expand IT Help Desk Vishing Operations

 



A cybercrime network known as Scattered LAPSUS$ Hunters, or SLH, is offering financial rewards ranging from $500 to $1,000 per call to recruit women for voice phishing operations targeting corporate IT help desks.

The development was detailed in a threat intelligence brief published by Dataminr. According to the firm, recruits are provided with prepared scripts and paid upfront for participating in impersonation calls designed to trick help desk staff into granting account access. Analysts assess that specifically seeking female callers may be an intentional tactic to improve credibility and increase the likelihood of successful password or multi-factor authentication resets.

SLH is described as a high-profile cybercrime alliance associated with actors tied to LAPSUS$, Scattered Spider, and ShinyHunters. The group has previously demonstrated the ability to bypass multi-factor authentication using methods such as MFA prompt flooding and SIM swapping.

A core component of its intrusion strategy involves directly contacting help desks or call centers while posing as legitimate employees. Attackers attempt to persuade support staff to reset credentials or deploy remote monitoring and management software that enables persistent remote access. Once inside a network, Scattered Spider operators have been observed moving laterally into virtualized infrastructure, elevating privileges, and extracting sensitive enterprise information. In some incidents, the intrusion progressed to ransomware deployment.

To blend into legitimate traffic and evade detection, the actors routinely leverage trusted infrastructure and residential proxy services, including Luminati and OxyLabs. They have also used tunneling tools such as Ngrok, Teleport, and Pinggy, along with file-sharing platforms like file.io, gofile.io, mega.nz, and transfer.sh to transfer stolen data.

Earlier this month, Palo Alto Networks Unit 42, which tracks Scattered Spider under the alias Muddled Libra, described the actor as highly adept at manipulating human psychology. In one September 2025 investigation, attackers reportedly obtained privileged credentials through a help desk call, created a virtual machine, conducted Active Directory enumeration, and attempted to extract Microsoft Outlook mailbox data along with information downloaded from a Snowflake database.

Unit 42 also documented the group’s extensive targeting of Microsoft Azure environments through the Graph API to gain access to cloud resources. Tools such as ADRecon have been deployed to map directory structures and identify valuable assets.

Dataminr characterized the recruitment campaign as a calculated evolution in tactics, suggesting that the use of female voices may help bypass preconceived attacker profiles that help desk staff are trained to recognize.

Update: Shift Toward Branded Subdomain Impersonation and Mobile-Focused Phishing

In a follow-up assessment dated February 26, 2026, ReliaQuest reported observing ShinyHunters potentially transitioning to branded subdomain impersonation paired with live adversary-in-the-middle phishing and phone-guided social engineering. Observed domains followed formats resembling “organization.sso-verify.com.”

Researchers indicated that the group may be reusing previously exposed software-as-a-service records to craft convincing scenarios and identify the most effective internal targets. This method can enable rapid identity compromise and SaaS access through a single valid single sign-on session or help desk reset, without deploying custom malware.

ReliaQuest assessed that moving away from newly registered lookalike domains could help evade traditional domain-age detection controls. Simultaneously, mobile-oriented phishing lures may reduce visibility within enterprise network monitoring systems. The firm also noted signs of outsourced criminal labor to scale phone, email, and SMS outreach.

While the impersonation style resembles earlier Scattered Spider techniques, ReliaQuest attributed the recent subdomain activity primarily to ShinyHunters based on victim targeting patterns and operational behavior. The company stated it has no independently verifiable evidence confirming that the broader SLH collective is responsible for the subdomain campaign, though partial collaboration among groups remains possible. It also observed Telegram discussions indicating that the actors sometimes “unite” for specific social engineering operations, though the structure and scope of such collaboration remain unclear.

Security experts increasingly warn that help desks represent a critical weak point in modern enterprise defense. As organizations strengthen technical controls such as MFA and endpoint detection, attackers are redirecting efforts toward human intermediaries capable of overriding safeguards. Industry reporting throughout 2024 and 2025 has shown a consistent rise in vishing-led intrusions tied to cloud identity compromise.

Defensive recommendations include implementing stricter identity verification workflows, eliminating SMS-based authentication where possible, enforcing conditional access policies, and conducting post-call audits for new administrative accounts or privilege changes. Continuous monitoring of cloud logs and abnormal single sign-on activity is also considered essential.

The recruitment-driven expansion of scripted vishing operations signals an ongoing professionalization of social engineering. Rather than relying solely on technical exploits, threat actors are scaling psychologically informed tactics to accelerate high-volume, low-cost account compromise across enterprise environments.

Read more »
North Korea
Advanced Social Engineering Blockchain Google malware North Korea

Hackers Exploit Blockchain Networks to Hide and Deliver Malware, Google Warns

 



Google’s Threat Intelligence Group has uncovered a new wave of cyberattacks where hackers are using public blockchains to host and distribute malicious code. This alarming trend transforms one of the world’s most secure and tamper-resistant technologies into a stealthy channel for cybercrime.

According to Google’s latest report, several advanced threat actors, including one group suspected of operating on behalf of North Korea have begun embedding harmful code into smart contracts on major blockchain platforms such as Ethereum and the BNB Smart Chain. The technique, known as “EtherHiding,” allows attackers to conceal malware within the blockchain itself, creating a nearly untraceable and permanent delivery system.

Smart contracts were originally designed to enable transparent and trustworthy transactions without intermediaries. However, attackers are now exploiting their immutability to host malware that cannot be deleted or blocked. Once malicious code is written into a blockchain contract, it becomes permanently accessible to anyone who knows how to retrieve it.

This innovation replaces the need for traditional “bulletproof hosting” services, offshore servers that cybercriminals once used to evade law enforcement. By using blockchain networks instead, hackers can distribute malicious software at a fraction of the cost, often paying less than two dollars per contract update.

The decentralized nature of these systems eliminates any single point of failure, meaning there is no authority capable of taking down the malicious data. Even blockchain’s anonymity features benefit attackers, as retrieving code from smart contracts leaves no identifiable trace in transaction logs.


How the Attacks Unfold

Google researchers observed that hackers often begin their campaigns with social engineering tactics targeting software developers. Pretending to be recruiters, they send job offers that require the victims to complete “technical tasks.” The provided test files secretly install the initial stage of malware.

Once the system is compromised, additional malicious components are fetched directly from smart contracts stored on Ethereum or BNB Smart Chain. This multi-layered strategy enables attackers to modify or update their payloads anytime without being detected by conventional cybersecurity tools.

Among the identified actors, UNC5342, a North Korea-linked hacking collective, uses a downloader called JadeSnow to pull secondary payloads hidden within blockchain contracts. In several incidents, the group switched between Ethereum and BNB Smart Chain mid-operation; a move possibly motivated by lower transaction fees or operational segmentation. Another financially driven group, UNC5142, has reportedly adopted the same approach, signaling a broader trend among sophisticated threat actors.


The findings stress upon how cybercriminals are reimagining blockchain’s purpose. A tool built for transparency and trust is now being reshaped into an indestructible infrastructure for malware delivery.

Analysts also note that North Korea’s cyber operations have become more advanced in recent years. Blockchain research firm Elliptic estimated earlier this month that North Korean-linked hackers have collectively stolen over $2 billion in digital assets since early 2025.

Security experts warn that as blockchain adoption expands, defenders must develop new strategies to monitor and counter such decentralized threats. Traditional takedown mechanisms will no longer suffice when malicious data resides within a public, unchangeable ledger.



Read more »
Ransomwares
Advanced Social Engineering Cyber Attacks Data Exfilteration data security Ransom Demands ransom payments ransomware attacks Ransomwares

Ransom Payouts Hit Record Levels Amid Social Engineering and Data Exfiltration Attacks

 

Ransomware payouts surged to unprecedented levels in the second quarter of 2025, driven largely by the rise of highly targeted social engineering schemes. According to new data from Coveware by Veeam, the average ransom payment skyrocketed to $1.13 million, representing a 104% jump compared to the previous quarter. The median ransom also doubled to $400,000, highlighting how even mid-tier victims are now facing significantly higher costs. Analysts attribute this spike to larger organizations paying ransoms in incidents where data was stolen rather than encrypted, marking a significant shift in extortion tactics.  

The study found that data exfiltration has now overtaken file encryption as the primary method of extortion, with 74% of attacks involving theft of sensitive information. Multi-extortion techniques, including delayed release threats, are also on the rise. Bill Siegel, CEO of Coveware by Veeam, described the findings as a pivotal moment for ransomware, explaining that threat actors are no longer focused solely on disrupting backups or locking systems. Instead, they increasingly exploit people, organizational processes, and the reputational value of stolen data. 

The report identified the leading ransomware variants for the quarter as Akira, responsible for 19% of incidents, followed by Qilin at 13% and Lone Wolf at 9%. Notably, Silent Ransom and Shiny Hunters entered the top five variants for the first time, reflecting the growing influence of newer threat groups. Among the most concerning trends was the heavy reliance on social engineering by groups such as Scattered Spider, Silent Ransom, and Shiny Hunters, who have shifted from broad, opportunistic attacks to precise impersonation schemes. By targeting help desks, employees, and third-party service providers, these actors have refined their ability to gain initial access and execute more lucrative attacks.  

Exploitation of known vulnerabilities in widely used platforms including Ivanti, Fortinet, VMware, and Microsoft services remains a common entry point, often taking place immediately after public disclosure of security flaws. At the same time, “lone wolf” cybercriminals armed with generic, unbranded ransomware toolkits are increasing in number, allowing less sophisticated actors to successfully infiltrate enterprise systems. Insider risks and third-party vulnerabilities also rose during the quarter, particularly through business process outsourcing firms, contractors, and IT service providers. Researchers warned that these external partners often hold privileged credentials but lack direct oversight, making them an attractive avenue for attackers. 

The professional services sector was hit hardest, accounting for 20% of all incidents, followed closely by healthcare and consumer services at 14% each. Mid-sized companies with between 11 and 1,000 employees represented 64% of victims, a range that attackers consider optimal for balancing ransom potential against weaker defenses. Before executing data theft or encryption, many attackers are spending additional time mapping networks, identifying high-value assets, and cataloging sensitive systems. This reconnaissance phase often blends in with normal administrative activity, using built-in system commands that are difficult to detect without contextual monitoring. Experts note, however, that detection can be improved by monitoring unusual enumeration activity or deploying deception techniques such as honeyfiles, decoy credentials, or fake infrastructure to trigger early alerts. 

Siegel emphasized that organizations must now treat data exfiltration as an immediate and critical risk rather than a secondary concern. Strengthening identity controls, monitoring privileged accounts, and improving employee awareness against social engineering were highlighted as essential steps to counter evolving ransomware tactics. With attackers increasingly blending technical exploits and psychological manipulation, businesses face mounting pressure to adapt their defenses or risk becoming the next high-value target.
Read more »
Personal Data
Advanced Social Engineering Customer Data Customer Data Exposed Data Breach Data Leak Data Privacy data security Malware. Scattered Spider Personal Data

Allianz Life Data Breach Exposes Personal Information of 1.4 Million Customers

 

Allianz Life Insurance has disclosed a major cybersecurity breach that exposed the personal details of approximately 1.4 million individuals. The breach was detected on July 16, 2025, and the company reported the incident to the Maine Attorney General’s office the following day. Initial findings suggest that the majority of Allianz Life’s customer base may have been impacted by the incident. 

According to Allianz Life, the attackers did not rely on exploiting technical weaknesses but instead used advanced social engineering strategies to deceive company employees. This approach bypasses system-level defenses by manipulating human behavior and trust. The cybercriminal group believed to be responsible is Scattered Spider, a collective that recently orchestrated a damaging attack on UK retailer Marks & Spencer, leading to substantial financial disruption. 

In this case, the attackers allegedly gained access to a third-party customer relationship management (CRM) platform used by Allianz Life. The company noted that there is no indication that its core systems were affected. However, the stolen data reportedly includes personally identifiable information (PII) of customers, financial advisors, and certain employees. Allianz SE, the parent company, confirmed that the information was exfiltrated using social engineering techniques that exploited human error rather than digital vulnerabilities. 

Social engineering attacks often involve tactics such as impersonating internal staff or calling IT help desks to request password resets. Scattered Spider has been known to use these methods in past campaigns, including those that targeted MGM Resorts and Caesar’s Palace. Their operations typically focus on high-profile organizations and are designed to extract valuable data with minimal use of traditional hacking methods. 

The breach at Allianz is part of a larger trend of rising cyberattacks on the insurance industry. Other firms like Aflac, Erie Insurance, and Philadelphia Insurance have also suffered similar incidents in recent months, raising alarms about the sector’s cybersecurity readiness.  

Industry experts emphasize the growing need for businesses to bolster their cybersecurity defenses—not just by investing in better tools but also by educating their workforce. A recent Experis report identified cybersecurity as the top concern for technology firms in 2025. Alarmingly, Tech.co research shows that nearly 98% of senior leaders still struggle to recognize phishing attempts, which are a common entry point for such breaches. 

The Allianz Life breach highlights the urgent need for organizations to treat cybersecurity as a shared responsibility, ensuring that every employee is trained to identify and respond to suspicious activities. Without such collective vigilance, the threat landscape will continue to grow more dangerous.
Read more »
Ransomwares
Advanced Social Engineering Cyber Attacks Cyber SecurityTrojan Attacks Cyber Threat Intelligence Industries Interlock Interlock ransomware ransomware attacks Ransomwares

Interlock RAT Evolves in New KongTuke Web-Inject Attacks Targeting U.S. Industries

 

A recently enhanced version of the Interlock remote access Trojan (RAT) is being deployed in an ongoing web-inject campaign linked to the ransomware group behind it. Known for its double-extortion tactics, Interlock has now shifted its technical approach with a more covert RAT variant written in PHP. According to a new report by The DFIR Report, this marks a significant advancement in the group’s capabilities and strategy.  

Interlock first emerged in late 2024, attacking high-profile targets such as Texas Tech University’s Health Sciences Centers. Earlier this year, cybersecurity firm Quorum Cyber detailed two versions of the group’s malware, named NodeSnake, focused on maintaining persistence and exfiltrating data. The newest version introduces additional stealth features, most notably a transition from JavaScript to PHP, allowing the malware to blend more easily with normal web traffic and avoid detection. 

This enhanced RAT is tied to a broader web-inject threat campaign dubbed “KongTuke,” where victims are tricked into running malicious scripts after visiting compromised websites. Visitors encounter what appears to be a legitimate CAPTCHA but are actually prompted to paste dangerous PowerShell commands into their systems. This action initiates the Interlock RAT, giving attackers access to the machine. 

Once activated, the malware gathers extensive data on the infected system. Using PowerShell, it collects system information, running processes, mounted drives, network connections, and checks its own privilege level. This enables attackers to evaluate the environment quickly and plan further intrusion tactics. It then connects back to command-and-control infrastructure, leveraging services like Cloudflare Tunneling for stealthy communication. Remote desktop protocol (RDP) is used for lateral movement and persistent access. 

Researchers say the targeting in this campaign appears opportunistic, not industry-specific. Victims across various sectors in the U.S. have been identified, with the attackers casting a wide net and focusing efforts where systems and data seem valuable or more vulnerable.  

Defensive recommendations from experts include improving phishing awareness, restricting the use of the Windows Run dialog box, enforcing least privilege access, and requiring multifactor authentication. Blocking unnecessary use of RDP is also essential. 

The growing sophistication of the Interlock RAT and its integration into mass web-inject campaigns reflects an evolving cyber threat landscape where stealth, automation, and social engineering play a central role.
Read more »
Ransomwares
Advanced Social Engineering Cyber Attacks cybercriminal group data security FBI FBI cybersecurity advisory Law Firms Luna Moth phishing techniques ransomware attacks Ransomwares

FBI Warns of Silent Ransom Group Using Phishing and Vishing to Target U.S. Law Firms

 

The FBI has issued a warning about a sophisticated cybercriminal group known as the Silent Ransom Group (SRG), also referred to by aliases like Luna Moth, Chatty Spider, and UNC3753. This group has been actively targeting U.S.-based law firms and related organizations through advanced phishing techniques and social engineering scams. The group, which has been operational since 2022, is known for using deceptive communication methods to gain unauthorized access to corporate systems and extract sensitive legal data for ransom demands. In the past, SRG’s activities spanned across industries such as healthcare and insurance. 

However, since the spring of 2023, its focus has shifted to legal entities, likely because of the highly confidential nature of the data managed by law firms. The group commonly uses a method called callback phishing, also known as reverse vishing. In this approach, victims receive emails that appear to originate from reputable companies and warn them of small charges for fake subscriptions. The emails prompt users to call a phone number to cancel the subscription. During these calls, victims are instructed to download remote access software under the guise of resolving the issue. Once the software is installed, SRG gains control of the victim’s device, searches for valuable data, and uses it to demand ransom.  

In March 2025, SRG has adapted their strategy to include voice phishing or vishing. In this new approach, the attackers call employees directly, posing as internal IT staff. These fraudulent callers attempt to convince their targets to join remote access sessions, often under the pretext of performing necessary overnight maintenance. Once inside the system, the attackers move swiftly to locate and exfiltrate data using tools like WinSCP or a disguised version of Rclone. Notably, SRG does not prioritize escalating privileges, instead focusing on immediate data theft. The FBI noted that these voice phishing methods have already resulted in multiple successful breaches. 

SRG reportedly continues to apply pressure during ransom negotiations by making follow-up calls to victim organizations. While the group does maintain a public site for releasing stolen data, its use of this platform is inconsistent, and it does not always follow through on threats to leak information. A significant concern surrounding these attacks is the difficulty in detection. SRG uses legitimate system management and remote access tools, which are often overlooked by traditional antivirus software. The FBI advises organizations to remain vigilant, particularly if there are unexplained downloads of programs such as AnyDesk, Zoho Assist, or Splashtop, or if staff receive unexpected calls from alleged IT personnel. 

In response, the FBI urges companies to bolster cybersecurity training, establish clear protocols for authenticating internal IT requests, and enforce two-factor authentication across all employee accounts. Victims of SRG attacks are encouraged to share any information that might assist in ongoing investigations, including ransom communications, caller details, and cryptocurrency wallet data.
Read more »
PowerShell
Advanced persistent threat (APT) Advanced Social Engineering Cyber Attacks cyber espionage espionage Fake Website Phishing emails PowerShell

ClickFix Attacks: North Korea, Iran, Russia APT Groups Exploit Social Engineering for Espionage

ClickFix attacks are rapidly becoming a favored tactic among advanced persistent threat (APT) groups from North Korea, Iran, and Russia, particularly in recent cyber-espionage operations. This technique involves malicious websites posing as legitimate software or document-sharing platforms. Targets are enticed through phishing emails or malicious advertising and then confronted with fake error messages claiming a failed document download or access issue. 


To resolve the supposed problem, users are instructed to click a “Fix” button that directs them to run a PowerShell or command-line script. Executing this script allows malware to infiltrate their systems. Microsoft’s Threat Intelligence division highlighted earlier this year that the North Korean group ‘Kimsuky’ utilized a similar approach through a fake “device registration” page. 

A new report from Proofpoint now confirms that Kimsuky, along with Iran’s MuddyWater, Russia’s APT28, and the UNK_RemoteRogue group, deployed ClickFix techniques between late 2024 and early 2025. Kimsuky’s campaign, conducted between January and February 2025, specifically targeted think tanks involved in North Korean policy research. The attackers initially contacted victims using spoofed emails designed to appear as if they were sent by Japanese diplomats. After gaining trust, they provided malicious PDF attachments leading to a counterfeit secure drive. Victims were then asked to manually run a PowerShell command, which triggered the download of a second script that established persistence with scheduled tasks and installed QuasarRAT, all while distracting the victim with a harmless-looking PDF. 

In mid-November 2024, Iran’s MuddyWater launched its campaign, targeting 39 organizations across the Middle East. Victims received phishing emails disguised as urgent Microsoft security alerts, prompting them to run PowerShell scripts with administrative rights. This led to the deployment of ‘Level,’ a remote monitoring and management (RMM) tool used to conduct espionage activities. Meanwhile, Russian group UNK_RemoteRogue focused on two organizations tied to a leading arms manufacturer in December 2024. Attackers used compromised Zimbra servers to send fake Microsoft Office messages. Clicking the embedded links directed victims to fraudulent Microsoft Word pages featuring Russian-language instructions and a video tutorial. 

Victims executing the provided script unknowingly triggered JavaScript that ran PowerShell commands, connecting their systems to a server managed through the Empire C2 framework. Proofpoint also found that APT28, an infamous Russian cyber-espionage unit, used ClickFix tactics as early as October 2024. In that instance, phishing emails mimicked Google Spreadsheet notifications, including a fake reCAPTCHA and a prompt to execute PowerShell commands. Running these commands enabled attackers to create an SSH tunnel and activate Metasploit, providing them with covert access to compromised machines. 

The growing use of ClickFix attacks by multiple state-sponsored groups underscores the method’s effectiveness, primarily due to the widespread lack of caution when executing unfamiliar commands. To avoid falling victim, users should be extremely wary of running scripts or commands they do not recognize, particularly when asked to use elevated privileges.
Read more »
Phishing Campaign
Advanced Social Engineering cyber attack Cyber Attacks Phishing Attacks Phishing Campaign

Worldwide Tailor-Made Massive Phishing Campaign

The spotlight turned towards a worldwide phishing campaign when an incident unfolded involving an Imperva staff member who was singled out and almost ensnared by a social engineering assault.

Imperva, situated in San Mateo, California, operates as a cybersecurity company. It specializes in offering protective solutions for corporate data and application software, ensuring that businesses are shielded from potential threats. 

It all began when he (an Imperva staff member) tried to sell a car seat on Yad2, a website for used items. Someone interested in buying messaged him on WhatsApp and introduced a fake payment service, using Yad2's look, and sent a link (hxxps://yad2[.]send-u[.]online/4765567942451). 

The fake site had the Yad2 logo and an orange button to get paid. Subsequently, the target was led to a payment page, which then transmitted the credit card information to the fraudsters. The website also featured a customer support chat feature that enabled the individual to communicate with Yad2. 

This expansive operation encompassed over 800 distinct fraudulent domains, taking on the guise of approximately 340 reputable global enterprises. Among these were prominent financial institutions, postal and courier services, and social media and e-commerce platforms. 

Renowned names like Facebook, Booking.com, and other frequently visited websites were among the imitated entities, all of which attract substantial user traffic. 

A campaign originating from Russian IP addresses has been detected, and it has been linked to around 800 distinct scam domains, all of which are outlined in the Indicators of Compromise (IOCs). The campaign's origins can be traced back to May 2022, and it continues to remain active, undergoing periodic updates. The comprehensive analysis uncovered phishing websites in over 48 languages, all engaged in the impersonation of more than 340 different companies. 

At its core, social engineering exploits the power of human interaction as an attack vector. Its primary objective revolves around influencing, manipulating, or deceiving individuals to disclose crucial information or obtain entry within an organization. 

This type of manipulation often capitalizes on people's willingness to help or their apprehensions of potential repercussions. For instance, an attacker might assume the role of a coworker grappling with an immediate problem, seeking permission for additional network resources.
Read more »
Data Theft
'Muddled Libra' Advanced Social Engineering cyber attack Cyber Attacks Data Theft

'Muddled Libra' Targets BPO Sector with Advanced Social Engineering

 

The BPO industry is facing a persistent threat from a malicious actor called Muddled Libra. This threat actor employs advanced social engineering tactics to launch repeated attacks and gain unauthorized entry into BPO systems. 

Business process outsourcing (BPO) is the act of delegating specific business functions or processes to an external service provider. Frequently known as information technology-enabled services (ITES), BPO relies on the use of IT to enable and streamline outsourced operations within the contemporary business environment. 

The cybersecurity company has categorized cybercrime groups using the designation "Libra," which is inspired by the constellation theme. The threat actor referred to as "Muddled Libra" received this name due to the uncertainty surrounding its utilization of the 0ktapus framework. 

The intrusion set known as 0ktapus, or Scatter Swine, emerged in August 2022 and gained attention for its involvement in smishing attacks against numerous organizations. Prominent targets included Twilio and Cloudflare. 

Additionally, in the same year, CrowdStrike disclosed a series of cyberattacks that targeted telecom and BPO companies, starting as early as June 2022. These attacks employed a combination of credential phishing and SIM-swapping techniques. 

The incident cluster is currently under observation and referred to as Roasted 0ktapus, Scattered Spider, and UNC3944. The group initiates their attacks by utilizing smishing and the 0ktapus phishing kit to gain initial access. These attacks typically culminate in data theft and the establishment of long-term persistence. 

Another notable characteristic of their operations involves leveraging compromised infrastructure and stolen data to launch subsequent attacks on the victims' customers. In some cases, they even target the same victims repeatedly to replenish their dataset. 

Unit 42, which extensively investigated multiple Muddled Libra incidents between June 2022 and early 2023, described the group as persistent, methodical, and highly adaptable in its pursuit of objectives.  They swiftly adapt their attack strategies in response to obstacles encountered. 

"Unit 42 decided to name Muddled Libra because of the confusing muddled landscape associated with the 0ktapus phishing kit, since the kit is now widely available, many other threat actors are adding it to their arsenal. Using the 0ktapus phishing kit alone doesn't necessarily classify a threat actor as what Unit 42 calls Muddled Libra," senior threat researcher Kristopher Russo reported. 

Additionally, Muddled Libra demonstrates a preference for utilizing various legitimate remote management tools to maintain continuous access. They also manipulate endpoint security solutions to evade detection and exploit tactics such as MFA (multi-factor authentication) notification fatigue to pilfer credentials.
Read more »
Subscribe to: Posts (Atom)