
More than 800 False "Temu" Domains Trick Customers Into Losing Their Credentials

Credential Theft

Cybersecurity experts caution against falling for Temu phishing scams since they use phony freebies to obtain passwords. In the last three months, more than 800 new "Temu" domains have been registered.

Temu is the latest company whose name con artists have borrowed for their phishing schemes. With over 800 new "Temu" domains registered in the last three months, cybersecurity researcher Jeremy Fuchs of Check Point's Harmony Email has observed that hackers are exploiting Temu's giveaway offers to persuade users to divulge their passwords.

Just so you know, Temu is an international e-commerce site with 40% of its users residing in the United States. It provides customers with direct shipping of discounted goods. Launched in 2022, Temu is accessible in 48 nations, encompassing Australia, Southeast Asia, Europe, and the Middle East.

It ranks second in the Apple App Store and first in the Google Play Store for shopping apps as of February 7, 2024. The majority of app users are older folks, aged 59 and up.

The Scam

According to analysts, the example phishing email claims to come from Temu Rewards. On closer inspection, though, it was sent from an unrelated onmicrosoft.com email account. The email contains a blank image and a link to a credential-harvesting page. By telling recipients they have won, the threat actors hope to draw them in.

Phishing and Brand Names

Threat actors have previously used popular brands and current trends to their advantage to obtain sensitive data, including credentials, from unsuspecting consumers.

Cyjax researchers uncovered a sophisticated phishing campaign that was aimed at over 400 firms in a variety of industries. To spread malware and get money from advertisements, the con artists—who most likely have Chinese ties—used 42,000 domains, and at least 24,000 survey and landing pages to advertise the scheme.

Bolster AI cybersecurity experts have uncovered a USPS Delivery phishing campaign that employs sophisticated tactics to target victims in the United States. CheckPhish from Bolster found more than 3,000 phishing domains that imitated Walmart. Customers were misled into believing they had a failed delivery and unpaid bills. Threat actors have refined their attack strategies, moving from misleading messaging to enticing victims to download apps that steal banking or financial data.

In January 2024, it was found that business owners of Meta Platforms, Inc. were the target of a phishing scam that attempted to obtain their email addresses and passwords to gain control of their Facebook page, profile, and financial information. The hoax created a sense of urgency and authenticity by leveraging Meta Platforms' authority.

Cybersecurity and Temu

Temu has experienced several cybersecurity-related problems, including claims that it was gathering data from users and devices, including SMS messages and bank account details.

A class-action lawsuit was launched in November 2023 in the United States, claiming that the corporation had obtained its customers' data illegally. Moreover, an additional revelation emerged that implicated Temu in the unapproved release of customer information, specifically concerning data that allegedly surfaced for sale on the dark web following transactions made by users of the app.


Infostealer Malware Exposes Over 100K Accounts From Hacking Forums

 

Security experts identified over 140,000 compromised passwords linked to accounts on hacker forums after their owners were infected with data-stealing malware.

Hudson Rock searched its cybercrime intelligence database for infected computers with credentials connected with the top 100 cybercrime sites. It discovered 120,000 identical computers, claiming that many of them belonged to hackers.

When a machine is infected with information-stealing malware, a "substantial" amount of data can be retrieved, including emails and account usernames, auto-fill data containing personal information such as addresses and phone numbers, and system information such as IP addresses, the security firm explained.

“Info-stealer infections as a cybercrime trend surged by an incredible 6000% since 2018, positioning them as the primary initial attack vector used by threat actors to infiltrate organisations and execute cyber-attacks, including ransomware, data breaches, account overtakes, and corporate espionage,” the company added.

Redline, Raccoon, and Azorult accounted for the majority of the info-stealer malware that was discovered throughout the research. The analysis found that the majority of those exposed were from Tunisia, then Malaysia, Belgium, the Netherlands, and Israel.

The cybercrime forum "Nulled.to," which was followed by "Cracked.io" and "Hackforums.net," had the most users who had been exposed to malware. 

It's interesting that the research team discovered that a large portion of the credentials used on hacking sites were more robust than those employed on government and military websites. 

“By analyzing passwords of users from the various forums, Hudson Rock determined that the forum with the strongest user passwords is Breached.to, while the one with the weakest user passwords is the Russian site Rf-cheats.ru,” the vendor concluded. 

A high volume of usernames and passwords is constantly in circulation in the cybercrime underground. SpyCloud detected almost 1.5 billion compromised login combinations and billions more pieces of personally identifiable information (PII) online in 2021.

SpyCloud discovered that 60% of credentials for users who had multiple passwords exposed were shared across accounts, and that number rose to 87% for US.gov emails, leaving them vulnerable to brute force attacks and credential stuffing. 

Prevention tips 

Having strong, dependable antivirus software installed on your device and keeping it updated on a regular basis is the best preventative measure you can take.

You should also use antivirus software that includes dark web monitoring, so that you are informed immediately if your information is compromised. If it is, respond by changing your login details and by warning friends and family to be on the lookout for scammers impersonating you.

Data of 4,000 Patients at VCU Health Exposed

 

A recent incident compromising the privacy of user-protected health information has been reported by Virginia Commonwealth University Health System. 

The institution exposed the confidential health information of almost 4,000 individuals for 16 years. According to VCU Health's investigation, the information was viewable by donors and recipients as early as January 4, 2006.

There is no evidence, according to VCU Health, that any information has been misused. A total of 4,441 donors and recipients were affected by this incident.

The data leak was discovered on February 7, 2022. Additional details about the categories of data involved were disclosed on March 29 and May 27, 2022. The information, which could be seen in the medical records of other transplant patients or donors, included names, Social Security numbers, lab results, medical record numbers, and dates of service.

Customers who are notified have been reminded to keep an eye out for any fraudulent behavior by regularly monitoring their financial account statements. Individuals who may have had their Social Security data exposed have been provided free credit monitoring.

"Many health care systems are built in a way that sensitive data, such as SSNs, DOBs, or other PII/PHI, is either not shared at all, or is at least hidden on the screen by default, and reading them requires additional step-up verification," stated Ashutosh Rana, a senior security consultant at the Synopsys Software Integrity Group.


84% of US Businesses Experienced Identity-Related Breaches

 

According to new information from the non-profit Identity Defined Security Alliance (IDSA), the number of security breaches resulting from phishing or the exploitation of identities has reached epidemic proportions. For its 2022 Trends in Securing Digital Identities report, the IDSA surveyed 500 US identity and security experts.

In the past year, 84% of respondents reported having suffered an identity-related breach, with the clear majority (78%) stating that it had a direct effect on the firm. Growing identity fraud in the corporate sector adds to the problem every day.

When leaders prioritize identity security, risky behavior is reduced: 71% of companies have executives who publicly address staff members about password security. Even so, 60% of IT/security stakeholders acknowledged risky security behaviors.

Having focused on the fundamentals, 97% plan to invest in identity-focused security outcomes. MFA is a major area of interest, especially for employees and privileged users.

The report suggested a few basic steps businesses can take to reduce unauthorized access. When executives discuss corporate credentials, for instance, the survey found that 72% of respondents are more careful with their work passwords than with their personal passwords.

Businesses do seem to be taking note. Almost all respondents (97%) stated they intended to invest in "identity-focused security outcomes," and 94% reported that identity investments are part of strategic efforts, such as cloud adoption (62%), the deployment of Zero Trust (51%), and digital transformation activities (42%).

According to the Anti-Phishing Working Group (APWG), phishing reached an all-time high in the first quarter of 2022.

Microsoft Accounts Attacked by Russian-Themed Credential Theft

 

Malicious emails are capitalizing on the conflict in Ukraine by notifying Microsoft users of "unusual sign-in activity" from Russia. While there are valid concerns that the Russian-Ukrainian conflict could ignite a global cyber warfare conflagration, small-time cybercriminals are stepping up their efforts amid the crisis.

Malwarebytes discovered a slew of spam emails referencing Russian hacking activity: phishing emails to Microsoft users have begun to circulate, warning of Moscow-led account hacking and attempting to steal credentials and other personal information. The messages' subject line reads, "Microsoft account unusual sign-in activity." The text in the body is as follows:

“Unusual sign-in activity
We detected something unusual about a recent sign-in to the Microsoft account
Sign-in details
Country/region: Russia/Moscow
IP address:
Date: Sat, 26 Feb 2022 02:31:23 +0100
Platform: Kali Linux
Browser: Firefox
A user from Russia/Moscow just logged into your account from a new device, If this wasn’t you, please report the user. If this was you, we’ll trust similar activity in the future.
Report the user
Thanks,
The Microsoft account team”

According to Malwarebytes' Tuesday research, the emails then include a button to "report the user" as well as an unsubscribe option. Clicking the button creates a new message with the short subject line "Report the user," addressed to a recipient whose email address references Microsoft account protection. Replying by email could expose users to a variety of threats.

The researchers explained, “People sending a reply will almost certainly receive a request for login details, and possibly payment information, most likely via a bogus phishing page. It’s also entirely possible the scammers will keep everything exclusively to communication via email. Either way, people are at risk of losing control of their accounts to the phishers. The best thing to do is not reply, and delete the email.”

As usual, the spam contains red flags in the form of grammatical problems, such as misspellings like "acount." In other words, it is not a highly sophisticated attempt, but it is clever. Rising curiosity (or fear) is catnip for social engineers, as with any significant world event.

“Given current world events, seeing ‘unusual sign-in activity from Russia’ is going to make most people do a double, and it’s perfect spam bait material for that very reason. [The emails] (deliberately or not) could get people thinking about the current international crisis. Being on your guard will pay dividends over the coming days and weeks, as more of the below is sure to follow,” stated researchers.

The email targets only Microsoft account holders, and the good news is that Outlook is sending it straight to spam. However, the firm pointed out that, “depending on personal circumstance and/or what’s happening in the world at any given moment, one person’s ‘big deal’ is another one’s ‘oh no, my stuff.’ That’s all it may take for some folks to lose their login, and this mail is perhaps more salient than most for the time being.”

Threat actors are Looking for Ways to Bypass MFA with Evolving Phishing Kits

 

People have been concerned about information security since the first password was included in the Compatible Time-Sharing System at MIT in 1961. While multi-factor authentication (MFA) did not arrive on the scene until years later, in 1986, with the first RSA tokens, it has recently achieved broad consumer acceptance. According to the annual State of the Auth Report from MFA digital authenticator firm Duo, 78% of respondents have used two/multi-factor authentication (2FA/MFA) in 2021, up from 28% in 2017.   

While several organisations, including Duo and RSA, have helped make MFA more widespread and user-friendly, threat actors have not been resting on their laurels: they attack MFA directly and keep looking for ways to circumvent it with evolving phishing kits.

Phishing kits are software created to help threat actors acquire credentials and swiftly capitalise on them. Many of these kits, which are either installed on a dedicated server owned by the threat actor or secretly placed on a hacked server owned by an unlucky user, can be purchased for less than a cup of coffee.

Proofpoint threat researchers have seen a wide range of MFA phishing kits, from simple open-source kits with human-readable code and no-frills functionality to sophisticated kits with multiple layers of obfuscation and built-in modules that allow for the theft of usernames, passwords, MFA tokens, social security numbers, and credit card numbers. At their heart, these kits use the same credential-harvesting mechanisms as conventional kits that steal only usernames and passwords.

Proofpoint researchers have witnessed the introduction of a new sort of kit in recent years that does not rely on duplicating a target website. Instead, these kits use a transparent reverse proxy to serve the victim the actual website. A reverse proxy is a network application that sits in front of back-end applications and forwards client (e.g., browser) requests to those apps. Used legitimately, reverse proxies improve scalability, performance, resilience, and security.

Modern web pages are dynamic and constantly change. As a result, serving the actual site rather than a copy considerably improves the impression that the victim is logging in safely. Another advantage of a reverse proxy for the attacker is that it lets the threat actor man-in-the-middle (MitM) the session and capture not only the username and password but also the session cookie, in real time.

In a recent publication, researchers from Stony Brook University and Palo Alto Networks investigated MitM phishing kits and uncovered an industry blind spot. The researchers created Phoca, a machine learning tool, to scan suspected phishing pages and identify whether they were using a transparent reverse proxy to intercept credentials. They discovered over 1,200 MitM phishing sites.
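A server-side control against the cookie relay just described is to bind each session token to the client context it was issued to and to revoke the token the first time it is presented from somewhere else. The Python below is an added example and is not Proofpoint's, Phoca's or the Stony Brook researchers' code; the `SessionStore` class, the `client_fingerprint()` helper and the IP addresses and user-agent strings in `simulate_relay()` are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Non-reversible summary of the client context a session was issued to.
    The inputs are whatever the application can see; IP and User-Agent here."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


class SessionStore:
    """Server-side session table that refuses a token presented from a
    context other than the one it was issued to, and records the event."""

    def __init__(self, ttl_seconds: int = 3600):
        self.ttl = ttl_seconds
        self._sessions = {}  # token -> {"user", "fp", "expires", "revoked"}
        self.alerts = []     # (user, message) pairs for the detection pipeline

    def issue(self, user: str, fp: str, now: float = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "fp": fp,
                                 "expires": now + self.ttl, "revoked": False}
        return token

    def validate(self, token: str, fp: str, now: float = None):
        """Return the user for a valid token, else None. A fingerprint mismatch
        revokes the token so that neither party can keep using it."""
        now = time.time() if now is None else now
        sess = self._sessions.get(token)
        if sess is None or sess["revoked"] or now > sess["expires"]:
            return None
        if not hmac.compare_digest(sess["fp"], fp):
            sess["revoked"] = True
            self.alerts.append((sess["user"],
                                "session token replayed from a different client context"))
            return None
        return sess["user"]


def simulate_relay() -> tuple:
    """Constructed scenario: the victim logs in through the phishing proxy, which
    forwards the real credentials and MFA code and receives the cookie. The token
    is then presented from the attacker's own machine."""
    store = SessionStore(ttl_seconds=3600)
    proxy_ctx = client_fingerprint("203.0.113.5", "Mozilla/5.0 (X11; Linux x86_64)")
    attacker_ctx = client_fingerprint("198.51.100.9", "Mozilla/5.0 (Windows NT 10.0)")
    token = store.issue("victim@example.test", proxy_ctx, now=1_000.0)
    first = store.validate(token, proxy_ctx, now=1_001.0)      # proxied session works
    second = store.validate(token, attacker_ctx, now=1_002.0)  # replay is refused
    return first, second, list(store.alerts)


if __name__ == "__main__":
    print(simulate_relay())
```

Binding to IP and User-Agent is one layer, not a cure: a kit that keeps relaying the attacker's later requests through the same proxy exit with the same browser headers presents an unchanged fingerprint, and mobile users legitimately change addresses. The `alerts` list is still worth feeding to detection, because a token replayed from a new context right after a login is exactly the signal to look for; origin-bound authenticators such as FIDO2/WebAuthn close the gap at the login step itself.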

Hackers Exploit Glitch Platform to Host Malicious URLs

 

Threat actors are actively abusing the Glitch platform to host free SharePoint-themed phishing pages that harvest credentials. The campaign targets employees of major firms in the Middle East.

The phishing campaign started in July 2021 and is, unfortunately, still active, stated security researcher Chad Anderson of DomainTools. The spear-phishing campaign used suspicious PDFs that themselves contain no malicious code.

Instead, these PDFs contain a link that leads the user to a malicious website hosted at Glitch, which displays a landing page containing obfuscated JavaScript for stealing credentials. Glitch is a cloud-based hosting solution with a built-in code editor for running and hosting software projects ranging from simple websites to large applications.

Exploiting Glitch

According to Bleeping Computer, Glitch lends itself to phishing abuse because its free tier lets users build an app or a page and keep it running on the internet for five minutes at a time. After that, the user has to enable it again manually.

“For example, one document directed the recipient to hammerhead-resilient-birch.glitch[.]me where the malicious content was stored. Once the five minutes is up, the account behind the page has to click to serve their page again,” Anderson explained.

“Spaces, where code can run and be hosted for free, are a gold mine for attackers, especially considering many of the base domains are implicitly trusted by the blocklists corporations ingest,” he added. “This delegation of trust allows for attackers to utilize a seemingly innocuous PDF with only a link to a trusted base domain to maneuver past defenses and lure in user trust.”

For attackers, the platform's credibility and its free tier are a perfect combination: they can host malicious URLs for short periods while security tools treat Glitch's domain favorably. The researchers went further and found the Glitch page linked to a commercial malware sandbox service, which had captured a screenshot of the Microsoft SharePoint phishing login page.

Submitting the PDF that had directed the researchers to that website to VirusTotal led to the identification of various HTML documents linked to the sample. Once those pages were pulled, chunks of obfuscated JavaScript could be spotted; these chunks routed the stolen credentials through malicious WordPress sites, which were then used to leak them. Researchers attempted to contact Glitch about the abuse of the platform, but the company has yet to respond.
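The "delegation of trust" Anderson describes can be checked at the mail or document gateway: a link is not safe just because its base domain is on an allowlist if anyone can publish under that base domain. The Python below is an added example, not DomainTools' or Glitch's code; the allowlist, the `free-pages.example` entry and the helper names are constructed, and only `hammerhead-resilient-birch.glitch[.]me` comes from the article.

```python
from urllib.parse import urlparse

# Constructed allowlist of base domains that an organisation's filters might
# implicitly trust (not a real feed).
TRUSTED_BASE_DOMAINS = {"glitch.me", "sharepoint.com", "example-corp.com"}

# Platforms where any user can publish under an arbitrary subdomain of the base
# domain. glitch.me is the one named in the article; the other entry is constructed.
MULTI_TENANT_HOSTS = {"glitch.me", "free-pages.example"}


def refang(url: str) -> str:
    """Undo the defanging used in reports ('hxxps://x[.]y') so the URL parses."""
    return url.replace("[.]", ".").replace("hxxp", "http", 1)


def base_domain(host: str) -> str:
    """Registrable domain approximated as the last two labels. A production
    filter should consult the Public Suffix List; this is a simplification."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url: str) -> tuple:
    """Return (verdict, reason). 'review' means the link lives on a tenant of a
    shared hosting platform and must not inherit the platform's trust."""
    parsed = urlparse(refang(url))
    host = parsed.hostname or ""
    if not host:
        return ("unknown", "no host in URL")
    if host.startswith("www."):
        host = host[4:]  # the platform's own front page, not a tenant
    base = base_domain(host)
    if base in MULTI_TENANT_HOSTS and host != base:
        return ("review", f"tenant page '{host}' on shared platform {base}")
    if base in TRUSTED_BASE_DOMAINS:
        return ("allow", f"{base} is on the allowlist")
    return ("unknown", f"{base} not on any list")


def screen_links(urls) -> dict:
    """Screen every link pulled from a document; returns verdict -> list of URLs."""
    out = {"allow": [], "review": [], "unknown": []}
    for url in urls:
        out[classify(url)[0]].append(url)
    return out


if __name__ == "__main__":
    # Constructed link set, modelled on the PDF lure described in the article.
    sample = [
        "hxxps://hammerhead-resilient-birch.glitch[.]me/login",
        "https://example-corp.com/policies/expenses.pdf",
        "https://www.glitch.me/",
    ]
    for verdict, links in screen_links(sample).items():
        print(verdict, links)
```

`base_domain()` takes the last two labels, which is wrong for multi-label suffixes such as `.co.uk`; a production filter should use the Public Suffix List, which also records many shared hosting platforms as private suffixes, so that each tenant is treated as its own domain rather than as part of the platform.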

Threat Actors Use Marvel's Black Widow Movie To Spread Malware

 

Marvel's Black Widow film has finally been released in theatres and on streaming platforms after being delayed for over a year due to the COVID-19 pandemic. Unfortunately, Marvel fans aren't the only ones who are enthusiastic: the launch of the Black Widow film has also sparked the interest of fraudsters and hackers.

According to research conducted by cybersecurity firm Kaspersky, threat actors have been unlawfully monetizing interest in the film for months.

Kaspersky warns of Black Widow movie-themed malware: the film was released on July 9th in the United Kingdom but has yet to be shown in many other countries. Researchers have discovered malware downloads posing as the new Black Widow film that are already spreading on the internet.

Several Black Widow-themed phishing sites are running, according to the company, aimed at obtaining user credentials. One of the websites examined by researchers promised viewers an early screening of the film in exchange for registering on the site. During registration, users were asked to provide their bank card details to confirm their region of residence. They later discovered that money had been deducted from their account and that they still did not have access to the movie.

According to Kaspersky experts, there has been an increase in attempts to infect users who are keenly awaiting the new film's release. They first saw the rise in infection attempts following the film's formal announcement in May 2020, then again around its original November 2020 release date, and finally in May 2021.

Since the movie's release date was pushed back to July 2021, hackers have tried to take advantage of the confusion by infecting 13 percent of streaming services and even launching the movie's downloadable files.

Kaspersky security expert Anton V. Ivanov wrote, “Right now, we have observed intensified scamming activities around Black Widow, the release of which, fans all over the world have been eagerly anticipating for a long time. In their excitement to watch the long-awaited movie, viewers have become inattentive to the sources they use, and this is exactly what fraudsters benefit from.”

Precautionary Measures:

Scammers are not only using phishing websites to deceive innocent users; they are also distributing executable files disguised as movie downloads. To stay safe, avoid files with a .EXE or .MSI extension, because movie files generally have .MP4, .AVI, .MOV, .WMV, or .M4P extensions.

Furthermore, pay special attention to the website URL you visit in order to see or download the film. Scammers frequently make minor modifications to the domain or movie name, so double-check the address to rule out any bad activity. 

Finally, use anti-malware software that has a phishing site detection capability.

Email Bug Permits Message Snooping, Credential Theft

 

Researchers warned that hackers could snoop on email communications by exploiting a flaw in software used by most of the email servers that run the Internet Message Access Protocol (IMAP).

The flaw was initially reported in August 2020 and was fixed on 21 June 2021. According to the Open Email Survey, it affects the email server software Dovecot, which is used by nearly three-quarters of IMAP servers.

According to a paper by researchers Fabian Ising and Damian Poddebniak of Münster University of Applied Sciences in Germany, the vulnerability allows for a meddler-in-the-middle (MITM) attack.

In accordance with research linked to a bug bounty page, dated August 2020, “the vulnerability allows a MITM attacker between a mail client and Dovecot to inject unencrypted commands into the encrypted TLS context, redirecting user credentials and mails to the attacker.”

Dovecot v2.3.14.1, which patches the vulnerability, is available for download; the vendor has assigned its own severity rating, while the third-party security firm Tenable rates the flaw critical. According to a technical analysis by Anubisnetworks, the flaw revolves around the handling of the START-TLS command, which an email program sends to a server to upgrade the connection and protect the delivery of email messages.

“We found that Dovecot is affected by a command injection issue in START-TLS. This bug allows [an attacker] to bypass security features of SMTP such as the blocking of plaintext logins. Furthermore, it allows [an attacker] to mount a session fixation attack, which possibly results in stealing of credentials such as the SMTP username and password,” researchers stated.

According to an OWASP description, a session fixation attack lets an adversary take over a client-server session once the user logs in. According to the researchers, the START-TLS implementation issue in Dovecot lets the intruder log in to the session and have the entire TLS traffic from the targeted victim's SMTP session redirected into the intruder's own session.

“The attacker obtains the full credentials from its own inbox. At no point was TLS broken or certificates compromised,” the researchers wrote.

For Dovecot running on Ubuntu, a Linux distribution based on Debian, a fix for the issue, tracked as CVE-2021-33515, is now available. Ising and Poddebniak have also provided workarounds. Disabling START-TLS and configuring Dovecot to accept only “pure TLS connections” on ports 993/465/995 is one solution.

The researchers stated, “Note that it is not sufficient to reconfigure a mail client to not use START-TLS. The attack must be mitigated on the server, as any TLS connection is equally affected.”
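To verify the server-side mitigation the researchers insist on, an administrator wants to know which listeners actually answer: the cleartext ports that offer a START-TLS upgrade (143, 110, 587) should be closed, and only the implicit-TLS ports (993, 465, 995) should remain. The Python below is an added example and is not Dovecot's, Ising and Poddebniak's or Anubisnetworks' code; `assess()` works on constructed observations modelled on a default Dovecot greeting, and `probe()` gathers the same observations from a live host.

```python
import socket
import ssl

# Cleartext ports where a client may upgrade with STARTTLS (the vulnerable path).
STARTTLS_PORTS = {143: "imap", 110: "pop3", 587: "submission"}
# Ports where TLS is negotiated before any protocol command ("pure TLS").
IMPLICIT_TLS_PORTS = {993: "imaps", 465: "smtps", 995: "pop3s"}


def parse_capabilities(greeting: str) -> set:
    """Capability tokens from an IMAP greeting or CAPABILITY response.
    Returns an empty set for non-IMAP banners (POP3 '+OK', SMTP '220')."""
    text = greeting.strip()
    if "[CAPABILITY" in text:
        inner = text.split("[CAPABILITY", 1)[1].split("]", 1)[0]
    elif text.upper().startswith("* CAPABILITY"):
        inner = text[len("* CAPABILITY"):]
    else:
        return set()
    return {tok.upper() for tok in inner.split()}


def assess(observations: dict) -> list:
    """observations: port -> {"open": bool, "banner": str}.
    Returns (port, code, detail) findings; an empty list means only the
    implicit-TLS listeners answer, the configuration the researchers recommend."""
    findings = []
    for port, name in STARTTLS_PORTS.items():
        obs = observations.get(port, {"open": False, "banner": ""})
        if not obs["open"]:
            continue
        detail = f"{name} listener accepts cleartext connections"
        if "STARTTLS" in parse_capabilities(obs["banner"]):
            detail += " and advertises STARTTLS, the upgrade the injection targets"
        findings.append((port, "starttls_port_open", detail))
    for port, name in IMPLICIT_TLS_PORTS.items():
        obs = observations.get(port, {"open": False, "banner": ""})
        if not obs["open"]:
            findings.append((port, "implicit_tls_missing",
                             f"{name} does not answer; clients have no pure-TLS option"))
    return findings


def probe(host: str, timeout: float = 5.0) -> dict:
    """Live check: read each listener's greeting, TLS-wrapped on the implicit-TLS ports."""
    ctx = ssl.create_default_context()
    results = {}
    for port in list(STARTTLS_PORTS) + list(IMPLICIT_TLS_PORTS):
        try:
            sock = socket.create_connection((host, port), timeout=timeout)
            if port in IMPLICIT_TLS_PORTS:
                sock = ctx.wrap_socket(sock, server_hostname=host)
            banner = sock.recv(1024).decode("utf-8", "replace")
            sock.close()
            results[port] = {"open": True, "banner": banner}
        except OSError:
            results[port] = {"open": False, "banner": ""}
    return results


# Constructed observations modelled on a default Dovecot deployment (not real scan output).
DOVECOT_IMAP_GREETING = ("* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
                         "LITERAL+ STARTTLS LOGINDISABLED] Dovecot ready.")
BEFORE_HARDENING = {
    143: {"open": True, "banner": DOVECOT_IMAP_GREETING},
    110: {"open": True, "banner": "+OK Dovecot ready."},
    587: {"open": False, "banner": ""},
    993: {"open": True, "banner": DOVECOT_IMAP_GREETING.replace("STARTTLS ", "AUTH=PLAIN ")},
    465: {"open": False, "banner": ""},
    995: {"open": True, "banner": "+OK Dovecot ready."},
}
AFTER_HARDENING = {
    143: {"open": False, "banner": ""},
    110: {"open": False, "banner": ""},
    587: {"open": False, "banner": ""},
    993: {"open": True, "banner": DOVECOT_IMAP_GREETING.replace("STARTTLS ", "AUTH=PLAIN ")},
    465: {"open": True, "banner": "220 mail.example.test ESMTP ready"},
    995: {"open": True, "banner": "+OK Dovecot ready."},
}

if __name__ == "__main__":
    for label, obs in (("before", BEFORE_HARDENING), ("after", AFTER_HARDENING)):
        print(label, assess(obs) or "no findings")
```

In Dovecot the cleartext listeners are turned off by setting `port = 0` on the `inet_listener imap` and `inet_listener pop3` blocks of the login services while keeping `ssl = required`; those keys come from Dovecot's documentation, not from this article. Run `probe()` from outside the network as well as from the host, since the meddler the researchers describe sits on the path, not on the server.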