Posts with label: Credential Phishing

Novel Darcula Phishing Campaign is Targeting iPhone Users


Darcula is a new phishing-as-a-service (PhaaS) that targets Android and iPhone consumers in more than 100 countries by using 20,000 domains to impersonate brands and collect login credentials.

With more than 200 templates available to fraudsters, Darcula has been used against a wide range of services and organisations, including the postal, financial, government, tax, and utility sectors as well as telcos and airlines.

One feature that distinguishes the service is that it sends its phishing messages over the Rich Communication Services (RCS) protocol used by Google Messages, and over iMessage, rather than over SMS.

Darcula's phishing service

Darcula was first discovered by security researcher Oshri Kalfon last summer, but according to Netcraft researchers, the platform is becoming increasingly popular in the cybercrime sphere, having lately been employed across numerous high-profile incidents. 

Darcula, unlike previous phishing kits, uses modern technologies such as JavaScript, React, Docker, and Harbor, allowing continual updates and new features without requiring users to reinstall the phishing kit.

The phishing kit includes 200 phishing templates that spoof businesses and organisations from over 100 countries. The landing pages are high-quality, with proper local language, logos, and information. 

The fraudsters choose a brand to spoof and then run a setup script that installs the phishing site and management dashboard directly into a Docker environment. The Docker image is hosted via the open-source container registry Harbor, and the phishing sites are built with React.

According to the researchers, the Darcula service commonly uses ".top" and ".com" top-level domains to host purpose-registered domains for phishing attacks, with Cloudflare fronting nearly a third of them. Netcraft has mapped 20,000 Darcula domains to 11,000 IP addresses, with 120 new domains added every day.

Abandoning SMS 

Darcula breaks away from standard SMS-based methods, instead using RCS (Android) and iMessage (iOS) to send victims texts with links to the phishing URL. The benefit is that victims are more likely to trust the message, since these channels carry additional safeguards that are not available in SMS. Furthermore, because RCS and iMessage use end-to-end encryption, carriers cannot inspect message content to intercept and block phishing messages.

According to Netcraft, recent global legislative initiatives to combat SMS-based crime by restricting suspicious communications are likely encouraging PhaaS providers to move to other protocols such as RCS and iMessage.

Any incoming communication asking the recipient to click on a URL should be viewed with caution, especially if the sender is unknown. Phishing threat actors will never stop trying with novel delivery techniques, regardless of the platform or app.

Researchers at Netcraft also advise keeping an eye out for misspellings, grammatical errors, unduly tempting offers, and calls to action.

American and Southwest Airlines Witness Data Breach


This Friday, two of the world's largest airlines, American Airlines and Southwest Airlines, confirmed a data breach at Pilot Credentials, a third-party vendor whose software handles pilot recruitment and applications for numerous airlines.

Apparently, the incident took place on May 3, targeting primarily the third-party vendor. No impact on the airlines’ own network or systems has been reported.

What Transpired?

On April 30, the threat actor gained unauthorized access to Pilot Credentials' systems and stole files containing data supplied by some candidates in the pilot and cadet recruiting process.

According to the official information shared with Maine’s Office of the Attorney General, the breach impacted 5745 pilots and applicants of American Airlines, whereas Southwest reported that around 3009 individuals’ information was compromised.

"Our investigation determined that the data involved contained some of your personal information, such as your name and Social Security number, driver’s license number, passport number, date of birth, Airman Certificate number, and other government-issued identification number(s)," American Airlines said.

The airlines will now direct all pilot and cadet candidates to self-managed internal portals, even though there is no evidence that the pilots' personal information was deliberately targeted or used for fraud or identity theft.

"We are no longer utilizing the vendor, and, moving forward, Pilot applicants are being directed to an internal portal managed by Southwest," Southwest Airlines stated. Both airlines have also notified the law enforcement authorities responsible for data breaches and are cooperating with the ongoing investigation.

Recent Years Have Seen More Such Cases

Another data breach came to light when American Airlines was targeted back in September 2022. That breach impacted around 1,708 customers and airline employees.

Prior to this, the airline was the victim of a phishing attack that compromised the email accounts of numerous employees. The breach exposed employees' and customers' personal data such as names, dates of birth, mailing addresses, phone numbers, email addresses, driver's license numbers, passport numbers, and/or certain medical information.

Further investigation indicated that the threat actors behind these breaches may also have used the compromised employee accounts to launch further phishing attacks.

'BEC 3.0' Is Here With Tax-Season QuickBooks Cyberattacks

Researchers from Avanan, a Check Point company, have identified a new wave of business email compromise (BEC) attacks, which they refer to as "BEC 3.0." 

In these attacks, cybercriminals sign up for free accounts with legitimate services and use email addresses from domains that are unlikely to be flagged by scanning tools. This evolution in phishing tactics demonstrates how cybercriminals continue to adapt and evade security measures as detection improves. 

The researchers have also found evidence of similar attacks sent through PayPal and Google, as well as earlier attacks sent from legitimate QuickBooks accounts.

These attacks are coupled with carefully written and socially engineered emails that lack the typical bad grammar or typos found in phishing emails. This makes them more difficult for users to spot, as the sender's address, links, spelling, and grammar are all legitimate, deviating from typical phishing hygiene tricks. 

Phishing attacks remain a primary initial access vector due to attackers' increasing use of legitimate SaaS and cloud offerings, such as LinkedIn, Google Cloud, AWS, etc., to host malicious content or direct users to it. 

In the recent QuickBooks attack, victims are informed about the renewal of Norton LifeLock subscriptions and are prompted to call a phone number for verification or cancellation. This detail may not raise suspicion even among savvy email users, as Norton LifeLock is commonly used by both consumers and businesses. 

The phishing campaign in question not only harvests payment credentials but also victims' phone numbers for future attacks via chat apps like WhatsApp. The attackers are adept at creating messages that are convincing to end users and difficult for security protections to detect, as they come from legitimate sources like QuickBooks. 

By placing malicious content within a trusted container, such as a legitimate website, the attackers can easily evade detection by security services. Standard checks such as sender domain, SPF, and DMARC may not detect these attacks, making them highly deceptive and difficult to prevent.

To counter the evolving tactics of attackers in phishing attacks, organizations need to enhance their security protections and educate employees about new types of phishing attacks, such as BEC 3.0. This may involve changing the approach to employee education, such as being cautious of all links and verifying phone numbers through Google searches. 

Implementing policies for independent verification of actions requested in BEC emails and data-protection policies can also help detect suspicious activities. Additionally, utilizing browser security that traces links through their intended actions can be beneficial in preventing compromise from advanced phishing attacks.
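As an added illustration of the callback-phishing pattern described above (example code, not Avanan's or Check Point's), the following Python scores a message on the signals the post names: a sender relayed by a legitimate service, a phone number the reader is told to call, renewal/charge pressure language, and no external link for a URL scanner to inspect. The sample messages, the 555 phone number, the scoring weights and the threshold are constructed for this example.

```python
import re
from dataclasses import dataclass, field
from email.utils import parseaddr
from urllib.parse import urlparse

# Services the post names as abused for BEC 3.0: the invoice really is sent by
# them, so SPF, DKIM, DMARC and domain reputation all pass and prove nothing.
LEGIT_SAAS_DOMAINS = ("intuit.com", "paypal.com", "google.com")

PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
CALL_VERB_RE = re.compile(r"\b(?:call|dial|phone|contact)\b", re.I)
PRESSURE_RE = re.compile(
    r"\b(?:renew(?:al|ed)?|subscription|cancel(?:lation)?|refund|charged|dispute"
    r"|within \d+ (?:hours|days))\b",
    re.I,
)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
THRESHOLD = 5  # assumed weight cut-off, tuned on the constructed samples below


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, reason):
        self.score += points
        self.reasons.append(reason)

    @property
    def suspicious(self):
        return self.score >= THRESHOLD


def registrable_domain(host):
    # Simplification: the last two labels. Production code should use the
    # Public Suffix List so that names like example.co.uk are handled correctly.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def sender_domain(from_header):
    return parseaddr(from_header)[1].rpartition("@")[2].lower()


def assess_callback_lure(from_header, subject, body):
    """Score one message for the 'call this number' pattern the post describes."""
    v = Verdict()
    org = registrable_domain(sender_domain(from_header))
    text = f"{subject}\n{body}"

    if org in LEGIT_SAAS_DOMAINS:
        v.add(1, f"relayed by legitimate service {org}: authentication results carry no signal")

    phones = PHONE_RE.findall(text)
    if phones:
        v.add(2, f"phone number in message: {phones[0].strip()}")
        # The lure proper is a call-to-action in the same sentence as the number.
        for sentence in re.split(r"(?<=[.!?])\s+", text):
            if PHONE_RE.search(sentence) and CALL_VERB_RE.search(sentence):
                v.add(2, "recipient is told to call the number")
                break

    if PRESSURE_RE.search(text):
        v.add(1, "renewal/charge/deadline pressure language")

    hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(text)]
    if all(registrable_domain(h) == org for h in hosts):
        v.add(1, "no link outside the sender's own domain for a URL scanner to inspect")
    return v


# Constructed samples (not real mail). 555-01xx numbers are reserved for fiction.
CALLBACK_LURE = dict(
    from_header="QuickBooks <quickbooks@notification.intuit.com>",
    subject="Invoice 1042 from Norton LifeLock Services",
    body=(
        "Your Norton LifeLock subscription has been renewed and your card was charged $349.99. "
        "If you did not authorize this, call our billing desk at (888) 555-0142 within 24 hours to cancel. "
        "View invoice: https://connect.intuit.com/invoice/1042"
    ),
)
ORDINARY_INVOICE = dict(
    from_header="QuickBooks <quickbooks@notification.intuit.com>",
    subject="Invoice 0217 from Acme Landscaping",
    body=(
        "Acme Landscaping sent you an invoice for $420.00, due May 30. "
        "View and pay: https://connect.intuit.com/invoice/0217"
    ),
)

if __name__ == "__main__":
    for name, msg in (("callback lure", CALLBACK_LURE), ("ordinary invoice", ORDINARY_INVOICE)):
        v = assess_callback_lure(**msg)
        print(f"{name}: score={v.score} suspicious={v.suspicious}")
        for reason in v.reasons:
            print("  -", reason)
```

The point of the weights is that the first signal alone (a genuine SaaS sender) is never enough; it is the combination with a phone number to call and pressure language that separates the lure from a normal invoice sent through the same service.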

Sophos 2023 Threat Report: Cryptocurrency Will Fuel Cyberattacks

The Sophos 2022 Threat Report, released by Sophos, a pioneer in next-generation cybersecurity, illustrates how the gravitational pull of ransomware is drawing other cyber threats into one vast, linked ransomware delivery system, with essential ramifications for IT security.

Entry-level hackers can buy malware and spyware installation tools from illicit markets like Genesis, and also sell stolen passwords or other data in bulk. Access brokers increasingly sell credentials and exploits for vulnerable software to other criminal groups.

A new ransomware-as-a-service economy has emerged in the last decade due to the rising popularity of ransomware. In 2022, this as-a-service business model has grown, and almost every component of the cybercrime toolkit from initial infection to methods of evading detection is now accessible for purchase, according to the researchers.

Several step-by-step tools and methods that attackers might use to spread ransomware were revealed when an affiliate of the Conti ransomware leaked the deployment guide supplied by the operators. Once they have the malware they require, RaaS affiliates and other ransomware operators can use malware distribution platforms and initial access brokers (IABs) to discover and target potential victims. This is fueling the second significant trend predicted by Sophos.

In 2021, according to Sophos's research, Gootloader ran innovative hybrid operations that combined broad campaigns with rigorous screening to select targets for particular malware packs.

Well-known cyber threats will continue to be adapted for ransomware distribution and delivery, including spam, spyware, loaders, droppers, and other common malware, in addition to increasingly sophisticated, manually operated initial access brokers.

Data theft and exposure, threatening phone calls, distributed denial of service (DDoS) assaults, and other pressure tactics were all included in the list of ten pressure methods Sophos incident responders compiled in 2021.

Cryptocurrency will continue to feed cybercrimes like ransomware and unlawful crypto mining. In 2021, Sophos researchers discovered crypto miners like Lemon Duck and MrbMiner, which installed themselves on machines and servers by using newly revealed vulnerabilities and targets that had already been compromised by ransomware operators. Sophos anticipates that the trend will continue until international cryptocurrencies are better regulated.

In addition to promoting their products, cybercrime vendors sometimes post job openings to hire attackers with specialized capabilities. Job seekers, in turn, post profiles of their abilities and qualifications on some markets, which also have technical hiring personnel.

As web services grow, different kinds of credentials, particularly cookies, can be utilized in a variety of ways to penetrate networks more deeply and even get through MFA. Credential theft continues to be one of the simplest ways for new criminals to enter gray markets and start their careers.

Millions of Facebook Users' Credentials Were Stolen via Authentic App Services


The phishing operation used Facebook and Messenger to lure millions of users to advertising pages and websites where their account credentials were harvested.

The campaign sent messages through Messenger to entice users to open a link; a pop-up then requested account credentials, which unsuspecting users supplied by filling in the phishing form with their login and password. The campaign operators used the hijacked accounts to send further phishing messages to the victims' friends, earning large sums through online advertising fees.

The effort peaked in April-May 2022 but has been active since at least September 2021, as per PIXM, a New York-based AI-focused cybersecurity business. Since one of the identified phishing pages included a link to a publicly accessible traffic monitoring app (whos.amung.us) without authentication, PIXM was able to track down the threat actor and map the campaign. 

PIXM uncovered over 405 different usernames, each linked to a distinct phishing landing page. In 2022, one username, teamsan2val, got 6.3 million views, up 128 percent from 2021. All of these usernames together had 399,017,673 sessions. The phisher also told an OWASP researcher that they made roughly $150 for every thousand visitors from the United States, which equates to $59.85 million in total revenue.

These 405 usernames, as per the researchers, are merely a small portion of the total number of accounts employed in the campaign. A second wave of redirections begins after the victim enters credentials on the phishing landing page, bringing visitors to advertising pages, survey forms, and so on. These redirects generate referral revenue for the threat actors, believed to run into millions of dollars at this scale. Three things can be deduced about the ongoing attacks from these discoveries. The attacks are:
  • Software-based
  • Growing at an exponential rate
  • Targeting vulnerable populations

On all landing pages, PIXM discovered a common code snippet that contained a reference to a website that had been seized as part of an investigation against a Colombian individual named Rafael Dorado. It's unclear who took control of the domain and posted the message.

A reverse whois search turned up links to a real web development company in Colombia, as well as older websites selling Facebook "like bots" and hacking services.

PIXM shared the results of its inquiry with the Colombian Police and Interpol. The campaign is still ongoing, although many of the identified URLs have been taken offline.

Even When Switched Off, iPhones are Vulnerable to Attack


Researchers have determined that the way Apple combines autonomous wireless technologies such as Bluetooth, Near Field Communication (NFC), and Ultra-wideband (UWB) in the device could be exploited by attackers to target iPhones even when they are turned off.

These features, which have access to the iPhone's Secure Element (SE) where sensitive information is stored, stay on even when modern iPhones are turned off, according to a team of researchers from Germany's Technical University of Darmstadt. This allows attackers to "load malware onto a Bluetooth chip that is performed when the iPhone is off," according to a research study titled "Evil Never Sleeps: When Wireless Malware Stays On After Turning Off iPhone."

As per Jiska Classen, Alexander Heinrich, Robert Reith, and Matthias Hollick of the university's Secure Mobile Networking Lab, attackers can gain access to secure information such as a user's credit card data, banking details, or even digital car keys on the device by compromising these wireless features. The researchers noted that while the risk is real, exploiting it is not that simple for would-be attackers. Threat actors still need to load malware onto the iPhone while it is turned on so that it executes after it is turned off. This would require system-level access or remote code execution (RCE), which they might gain by exploiting known weaknesses like BrakTooth.

The root cause is the current implementation of low power mode (LPM) for wireless chips on iPhones. The researchers distinguish this LPM, which the wireless chips use, from the power-saving mode that iPhone users can enable to extend battery life. Because LPM support is built into the iPhone's hardware, it cannot be removed with system updates and has "a long-term impact on the broader iOS security paradigm," according to the researchers.

The researchers disclosed their findings to Apple before publishing the study, but say the company did not respond to the issues raised. They suggest that one possible solution would be for Apple to implement "a hardware-based switch to disconnect the battery" so that these wireless components have no power while an iPhone is turned off.

Dark Web: 31,000 FTSE 100 Logins


Unveiling the detection of tens of thousands of business credentials on the dark web, security experts warn that the UK's largest companies could unknowingly be exposed to significant risk. Using its threat monitoring platform Blueliv, Outpost24 trawled cybercrime sites for compromised credentials and discovered 31,135 usernames and passwords related to FTSE 100 companies.

The Financial Times Stock Exchange (FTSE) 100 Index comprises the top 100 companies on the London Stock Exchange in terms of market capitalization. Across several industry verticals, these businesses reflect some of the most powerful and lucrative businesses on the market. 

The following are among the key findings from the study on stolen and leaked credentials: 

  • Around three-quarters (75%) of these credentials were obtained through traditional data breaches, while a quarter was gained through personally targeted malware infections.
  • The vast majority of FTSE 100 firms (81%) had at least one credential stolen and published on the dark web, and nearly half of FTSE 100 businesses (42%) have more than 500 stolen credentials.
  • Since last year, 31,135 stolen and leaked credentials for FTSE 100 organizations have surfaced, with 38 of them being exposed on the dark web.
  • Up to 20% of credentials were lost to malware infections and identity thieves.
  • 11% were disclosed in the last three months (21 in the last six months, and 68% more than a year ago).
  • Over 60% of stolen credentials come from three industries: IT/Telecom (23%), Energy & Utility (22%), and Finance (21%).
  • With the largest total number (7,303) and the highest average of stolen credentials per company (730), the IT/Telecoms industry is the most exposed. It is the most afflicted by malware infection and has the most stolen credentials disclosed in the last three months.
  • Healthcare has the largest number of stolen credentials per organization (485) due to data breaches, as healthcare organizations have been increasingly targeted by cybercriminals since the pandemic started.

"Malicious actors could use such logins to get covert network access as part of 'big-game hunting' ransomware assault. Once an unauthorized third party or initial access broker obtains user logins and passwords, they can either sell the credentials on the dark web to an aspiring hacker or use them to compromise an organization's network by bypassing security protocols and progressing laterally to steal critical data and cause disruption," Victor Acin, labs manager at Outpost24 company Blueliv, explained.

WhatsApp Voice Message Phishing Campaign


In one of their latest research reports, Armorblox researchers have discovered a new phishing campaign that targets users by impersonating WhatsApp's voice message feature.

At least 27,655 email addresses have been targeted by a phishing campaign spoofing WhatsApp's voice message attempting to spread information-stealing malware. This phishing campaign is designed to lead the users through a series of steps that will ultimately end with the installation of an information-stealing malware infection which further will open the way to credential theft. 

Following the incident, the researchers released a statement explaining the entire fraudulent process and describing the signs of fraudulent activity users should watch for to protect themselves from phishing attempts.

The researchers said that the malicious actors are using a "Whatsapp Notifier" service sending from an address owned by the Center for Road Safety of the Moscow Region. The email notifies recipients of a new private message and includes a "Play" button, the duration of the audio clip, and details about when the message was created.

Clicking on the "Play" button will redirect recipients to a website that will trigger an allow/block prompt for JS/Kryptic trojan installation, with users lured to click "Allow" to confirm that they are not a robot. Selecting "Allow" would then prompt the installation of the information-stealing malware.

Looking into the issue for Digital Journal, Josh Rickard, Security Automation Architect at Swimlane, said: “Phishing attacks are one of the most common methods of cyberattacks and, unfortunately, have become all too easy for cybercriminals to leverage.” In terms of how this form of attack works, he continues: “These types of social engineering attacks that exploit human error are highly effective and well-masked. In this case, WhatsApp’s voice message feature was manipulated in an attempt to spread information-stealing malware to over 27,000 email addresses associated with the app.”

FBI Warns Election Officials of Credential Phishing Attacks


On Tuesday, the FBI released a warning that US election officials are being targeted in an ongoing and widespread phishing campaign by unidentified malicious actors who have been attempting to steal their credentials since at least October 2021.

The FBI revealed that the attackers have used various methods to redirect their targets to phishing pages and trick them into entering their login credentials. Reportedly, the hackers used compromised email addresses of US government leaders to spoof US businesses.

"If successful, this activity may provide cyber actors with sustained, undetected access to a victim's systems," the FBI said in a private industry notification.

"…As of October 2021, US election officials in at least nine states received invoice-themed phishing emails containing links to websites intended to steal login credentials." 

According to the FBI, the threat actors targeted officials in three separate "coordinated" phishing attacks and breached accounts of elected officials across at least nine states. Representatives of the National Association of Secretaries of State were also affected in October.

The first attack came to light on 5 October when unrecognized hackers used two email addresses, one from the compromised account of a government official, in an attempt to steal the login data of elected leaders. Less than two weeks later, two identical phishing attacks had been seen from the email addresses linked to US businesses. 

It has been observed that in each phishing attack, the attackers sent an email with an attachment named "INVOICE INQUIRY.PDF", which, once opened, redirected users to a credential-harvesting website.

Following the incident, the FBI said that the threat "is still very real" heading into the 2022 election season. The group behind this phishing campaign will likely continue to target US election officials with new phishing emails as the 2022 midterm elections approach.

The notification asked network defenders to educate officials on how to identify phishing, social engineering, and spoofing attempts and how to protect their systems against such common threats.

Threat Actors Use QR Codes to Steal Login Credentials


Hackers are distributing phishing emails containing QR codes in a campaign built to extract login details for Microsoft 365 cloud apps. Usernames and passwords for enterprise cloud services have become a main target for hackers, who exploit them to launch ransomware and malware attacks or sell the stolen login details to other threat actors, who use them in their own campaigns.

Threat actors are finding sneaky ways to trick victims into opening malicious links that lead to phishing websites built to look like genuine Microsoft login pages, and then selling the captured credentials.

Cybersecurity experts at Abnormal Security analyzed a recent campaign in which attackers sent various phishing emails that used QR codes to evade email protections and steal login details. QR codes are useful for this purpose because standard email security controls such as URL scanners find no suspicious link or attachment in the email.

The campaign is operated via email accounts hacked earlier, which allows hackers to send mails from authentic user accounts of companies to give a look of authenticity to these mails, and users believe it to be legitimate. As of now, experts are yet to confirm how threat actors are able to get control of these accounts used for sending phishing mails. 

As per the experts, these phishing emails claim to carry a voicemail from the administrator of the sending email account, and the target is asked to scan a QR code to listen to it. The QR codes sent to the victims were created the same day. An earlier variant of the campaign tried to trick users into opening a malicious link hidden in an audio file.

But antivirus software was able to detect the malicious files, which drove the threat actors to QR codes. "While using the QR codes method can more easily bypass email protections, the victim needs to follow many more steps before they reach the point where they could mistakenly give their login credentials to cyber criminals. Applying multi-factor authentication to Microsoft 365 accounts can also help protect login details from being stolen," ZDNet reports.
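To show why a URL scanner sees nothing in the QR lure described above, and what a defender's mail pipeline does about it, here is an added Python example (not Abnormal Security's code). It builds a constructed voicemail-themed message whose only link is inside an attached image, then runs the URL policy on whatever a QR decoder returns from that image; the decoder is injected (a stub here, pyzbar or similar in practice), and the list of Microsoft sign-in hosts, the sender addresses and the lookalike URL are assumptions for the demo.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Hosts where a genuine Microsoft 365 sign-in may land (assumed allow-list for
# this demo). A URL decoded from a QR image in a "voicemail" mail that lands
# anywhere else is treated as a credential lure.
MICROSOFT_LOGIN_DOMAINS = ("microsoftonline.com", "microsoft.com", "live.com", "office.com")
LURE_RE = re.compile(r"\b(?:voice\s?mail|scan|qr code|audio message)\b", re.I)


def registrable_domain(host):
    # Simplification: last two labels; production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def build_sample_message(image_bytes):
    """Constructed copy of the lure the post describes: a voicemail notice whose
    only 'link' is inside an attached image, so no URL appears in the text."""
    msg = EmailMessage()
    msg["From"] = "IT Admin <admin@partner-company.example>"   # constructed sender
    msg["To"] = "finance@victim-company.example"               # constructed recipient
    msg["Subject"] = "New voicemail (0:47)"
    msg.set_content("You have a new voicemail from the admin. Scan the QR code below to listen.")
    msg.add_attachment(image_bytes, maintype="image", subtype="png", filename="voicemail.png")
    return msg.as_bytes()


def scan_for_qr_lures(raw_message, decode_qr):
    """decode_qr(image_bytes) -> list of decoded payload strings.
    In production this wraps a real decoder (pyzbar, zxing, ...); here it is injected
    so the check runs offline. Returns what a text-only URL scanner would miss."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    findings = {
        "lure_language": bool(LURE_RE.search(msg["Subject"] or "") or LURE_RE.search(body)),
        "urls_in_text": re.findall(r"https?://\S+", body),
        "qr_urls": [],
        "flagged": [],
    }
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        for payload in decode_qr(part.get_payload(decode=True)):
            host = urlparse(payload).hostname or ""
            if not host:
                continue  # non-URL QR content (Wi-Fi config, vCard) is out of scope here
            findings["qr_urls"].append(payload)
            if registrable_domain(host) not in MICROSOFT_LOGIN_DOMAINS:
                findings["flagged"].append(
                    f"{part.get_filename()}: QR points to {host}, not a Microsoft sign-in host"
                )
    return findings


# Constructed stand-in for a QR decoder: returns the lookalike URL the image would encode.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"constructed-stub"


def stub_decoder(_image_bytes):
    return ["https://login.micros0ft-online.example/common/oauth2/authorize"]


if __name__ == "__main__":
    result = scan_for_qr_lures(build_sample_message(FAKE_PNG), stub_decoder)
    print("text URLs seen by a scanner:", result["urls_in_text"])
    print("URLs hidden in QR images   :", result["qr_urls"])
    for finding in result["flagged"]:
        print("FLAG:", finding)
```

The empty `urls_in_text` list is the whole problem the post describes: unless the pipeline decodes image attachments, the lookalike URL never reaches the URL policy at all.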

Credential Phishing and Brute Force Attacks Continue to Surge



Organizations across the globe are taking severe financial and reputational hits from advanced email threats that continue to escalate, as per a recent report by Abnormal Security. Unsuspecting victims fall prey to schemes devised to land malicious emails directly in their inboxes while evading security mechanisms.

As threat actors continue to refine their phishing techniques, credential phishing and brute force attacks remain effective attack vectors. Advanced email threats such as business email compromise (BEC) attacks are designed to bypass secure email gateways and other conventional security infrastructure, allowing their operators to steal billions each year.

After gaining access to email accounts, attackers can leverage these accounts to target other associated employees including business partners, vendors, and co-workers. Consequently, it allows them to infiltrate other parts of the compromised organization. Cybercriminals use these credential phishing and brute force attacks to obtain sensitive information such as usernames, passwords, and passphrases. 

Among its key findings, the report states that 5% of all organizations fell prey to brute force attacks in early June 2021, while 73% of all sophisticated threats were credential phishing attacks.

Since Q4 2020, business email compromise attacks rose by 22%, and 61% of companies witnessed a vendor email compromise attack this quarter. The experts also predict a 60% probability each week of a successful account takeover attack for firms with over 50,000 employees.

While commenting on the matter, Evan Reiser, CEO, Abnormal Security, said, “Socially-engineered attacks are dramatically rising within enterprises worldwide, creating unprecedented financial and reputational risks. These never-before-seen attacks are becoming more sophisticated with every passing day. They don’t contain indicators of compromise, such as links, attachments, and reputational risks, so they evade secure email gateways and other traditional email infrastructure, landing in inboxes where unsuspecting employees fall victim to their schemes, which include ransomware. To effectively protect against these attacks, we can no longer rely only upon established threat intelligence. To baseline good behavior, we need to look further to comprehensively understand employee and vendor identities and their relationships, all with deep context, including content and tone. Any subtle deviations from this baseline expose the possibility of a threat or attack.” 

Furthermore, the report highlights the rise of impersonation, and how cybercriminals are employing it to trick users into submitting sensitive data. Experts remark that the impersonation of internal systems namely IT Support and IT Help Desk has risen 46% in the last two quarters. 

Socially engineered credential phishing and account takeover attacks are surfacing as a major concern for enterprises worldwide because these attacks could potentially provide the access required to carry out other ransomware and malware-based attacks.

Hacker Uses Credential Phishing to Gain Access Into PayPal Account


Analysts from Cofense Phishing Defense Center recently found a unique PayPal credential phishing attack. Phishing is a harmful technique that hackers use to steal sensitive information like banking information, credit card data, usernames, and passwords. The actors pretend to be genuine individuals to lure victims by gaining their trust and stealing their personal information. Even worse, the confidential data stolen through phishing attacks can be used for identity theft, financial theft to gain illegal access into victim accounts, or use this account access to blackmail the victims. 

Because credential phishing is generally conducted through a simple URL link, it is easy to overlook the tactics, whether blatant or subtle, that attackers use to steal credentials from unsuspecting victims. As per the experts, the attack isn't very sophisticated and doesn't look suspicious. Cybersecurity analyst Alex Geoghagan said that the email is designed to pressure the victim into resolving the supposed problem quickly. The attacker didn't even bother hiding the 'from' email address, which was later identified as not actually belonging to PayPal. Still, the email was well put together and would not strike most recipients as fraudulent.

Alex Geoghagan says "There is a “Help & Contact” link, as well as an (ironic) “Learn to identify Phishing” link in the body of the email, both leading to authentic PayPal links. Beyond the first clue in the sender email address, when hovering over the button labeled “Confirm Your Account,” it does not lead to a PayPal URL. It instead leads to a URL at direct[.]lc[.]chat. A user familiar with PayPal may notice at this point that they are being taken to a domain outside of PayPal, while the legitimate PayPal live chat is hosted within the PayPal domain and requires that you log in to use it." 

Once the fake live chat is opened, the attacker uses automated scripts to start a conversation with the victim and tries to obtain user data such as email address and credit card information. In other words, the attacker gathers enough information to appear genuine and to pass authentication. Once that information is acquired, the attacker tries to steal the victim's PayPal credentials. After that, a verification code is sent to the target via SMS to make them think an authorised person has access to their device. "This attack demonstrates the complexity of phishing attacks that go beyond the typical “Forms” page or spoofed login. In this case, a carefully crafted email appears to be legitimate until a recipient dives into the headers and links, which is something your average user will most likely not do," says Alex Geoghagan.
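The hover check Geoghagan describes (the "Confirm Your Account" button leading off the PayPal domain while the help links stay on it) can be automated at the mail gateway. This added Python example (not Cofense's tooling) extracts every link in an HTML mail and flags those whose domain, or whose sender, is not the brand the mail claims to be from; the sample HTML, the sender address and the external chat host are constructed, and the registrable-domain logic is a two-label simplification.

```python
from dataclasses import dataclass
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Link text that asks the reader to act; leaving the brand's domain from one of
# these is the tell the analyst describes for the "Confirm Your Account" button.
ACTION_WORDS = ("confirm", "verify", "log in", "login", "sign in", "update", "resolve", "secure")


@dataclass
class Link:
    href: str
    text: str


class LinkCollector(HTMLParser):
    """Collects every <a href> together with its visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(Link(self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host):
    # Simplification: last two labels; production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def audit_brand_links(from_header, html_body, brand_domain):
    """Return human-readable findings for links (and the sender) that leave brand_domain."""
    findings = []
    sender = registrable_domain(parseaddr(from_header)[1].rpartition("@")[2])
    if sender != brand_domain:
        findings.append(f"sender domain {sender} is not {brand_domain}")

    collector = LinkCollector()
    collector.feed(html_body)
    for link in collector.links:
        host = urlparse(link.href).hostname or ""
        if registrable_domain(host) == brand_domain:
            continue  # genuine brand links (the post's Help and anti-phishing links) are fine
        kind = "action link" if any(w in link.text.lower() for w in ACTION_WORDS) else "link"
        findings.append(f"{kind} '{link.text}' leaves {brand_domain}: {host}")
        # Visible text that shows the brand's own URL while the href goes elsewhere is a classic tell.
        if brand_domain in link.text.lower():
            findings.append(f"link text shows {brand_domain} but href host is {host}")
    return findings


# Constructed sample modelled on the post: two genuine PayPal links plus a
# "Confirm Your Account" button pointing at an external live-chat host.
SAMPLE_FROM = "PayPal Service <service@paypal-notice.example.net>"
SAMPLE_HTML = """
<html><body>
<p>We noticed unusual activity on your account and need you to confirm your details.</p>
<p><a href="https://www.paypal.com/help">Help &amp; Contact</a> |
   <a href="https://www.paypal.com/phishing">Learn to identify Phishing</a></p>
<p><a href="https://live-support.example.net/chat/7731">Confirm Your Account</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_brand_links(SAMPLE_FROM, SAMPLE_HTML, "paypal.com"):
        print("FLAG:", finding)
```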