Showing posts with label Cyber Fraud.

China-Based Sophisticated Phishing Campaign Utilizes 42K Domains


In a widespread phishing campaign, a China-based hacking group known as "Fangxiao" is using thousands of imposter domains to lure victims, putting a large number of people at risk.

To run the campaign, the group has used 42,000 imposter domains. These bogus domains are intended to funnel users towards adware (advertising malware) apps, fake giveaways and dating websites. The domains were uncovered by Cyjax, a cybersecurity and threat intelligence company. In a Cyjax blog post, Emily Dennison and Alana Witten described the scam as sophisticated, with the ability to "exploit the reputation of international, trusted brands in multiple verticals including retail, banking, travel, pharmaceuticals, travel, and energy".

The scam starts with a malicious WhatsApp message impersonating a well-known brand, such as Emirates, Coca-Cola, McDonald's or Unilever. The message contains a link to an enticingly designed landing page. Where the victim is redirected next is determined by their IP address and browser user agent, so different victims are served different scams.

For example, a page may advertise a free McDonald's giveaway. When the victim completes the giveaway "registration", the Triada trojan can be downloaded. Malware can also be delivered through an app that victims are instructed to install in order to continue participating in the giveaway.

According to Cyjax's blog post, Fangxiao's infrastructure is mostly fronted by Cloudflare, an American content delivery network (CDN), which hides the origin hosting. The imposter domains were registered through GoDaddy, Namecheap and Wix, with their names rotating regularly.

Most of the phishing domains were registered under one top-level domain, with the rest mostly under .cyou, .xyz and .tech.

The Fangxiao Group Is Not a New Concept

The Fangxiao collective has been active for some time. Cyjax first observed the domains used in this campaign in 2019, and their number has grown since. Fangxiao added over 300 unique domains in a single day in October 2022.

The group's location in China is not 100% confirmed, but Cyjax assesses it with high confidence. One indicator is the use of Mandarin in one of the group's exposed control panels. Cyjax also assessed that the campaign's goal is most likely monetary gain.

Phishing is one of the most common cybercrime tactics today and takes many forms. Sophisticated phishing attacks can be hard to detect. Spam filters and antivirus software reduce the volume that reaches users, but it is still important to be suspicious of any communication that does not seem quite right, especially one that arrives unsolicited and pushes you to act quickly.

Scammers are Targeting Black Friday and Cyber Monday Shoppers


As Black Friday and Cyber Monday (BFCM) approach, scammers are preparing new tricks to prey on shoppers.

Last year, US shoppers spent USD 10.90 billion on Cyber Monday and another USD 9.03 billion on Black Friday. At the same time, merchants also hope to cash in on any additional traffic that BFCM brings to their ecommerce sites. 

But while more traffic brings more opportunities, it also brings higher rates of online fraud. According to the UK's National Cyber Security Centre (NCSC), victims of online shopping fraud lost an average of about $1,176 each during last year's holiday shopping period, and the figure is rising.

Sophisticated Technique 

To understand the patterns of cyber fraud, threat analysts at Bitdefender Antispam Lab have examined the fraudulent activities associated with Black Friday and Cyber Monday. 

During their study of fraud patterns between October 26 and November 9, the analysts found that the share of unverified Black Friday emails peaked on November 9, when it reached 26% of all Black Friday-related mail. The fraudsters used a variety of subject lines to lure recipients to fake websites promising huge discounts.

The researchers also identified a widespread campaign inviting recipients to claim gift cards from popular retailers such as Home Depot. In this case, the malicious emails link to bogus online survey pages that have nothing to do with the retailer's gift cards.

Once victims completed the survey, they were directed to another page where they could choose their "prize". To have the prize delivered, recipients were asked to pay for shipping by providing personal and banking details.

“We scored an iPhone 13, though. The displayed page uses the recipients’ IP address to display a localized version of the scam – in our case Romania. We need to pay 15 RON (roughly 3.06 USD) for shipping and enter our name and address,” one of the recipients of fraud mail stated. “After entering our shipping details, we were prompted to enter our payment information, including cc number and CVV code.” 

Prevention Tips 

  1. Always check the sender's actual email address, not just the display name, and look for typos
  2. Never interact with unsolicited giveaway correspondence 
  3. Always shop on verified websites you already know 
  4. Research properly before providing details to a new vendor 
  5. Avoid accessing links or attachments from unverified sources

Faux Kerala Lottery Tickets Are Now Being Sold on Google Play


Two dubious apps on the Google Play Store, 'Kerala Lottery Online' and 'India Kerala Lottery', impersonate the Directorate of Kerala State Lotteries, cybersecurity researchers warned on Tuesday.

The two apps have been downloaded over one million times between them. They impersonate the official Kerala lottery, which is sold only offline, by offering to sell tickets and run draws online.

In a recent report, the AI-driven cybersecurity firm CloudSEK found that the vast majority of the campaigns were spread via referral links.

The landing page behind the referral link states that 5 percent of any winning amount will be shared among all users of the referral link, along with a free entry into the prize draw.

The Kerala lottery is among the most popular lotteries anywhere. Threat actors have taken advantage of its popularity by creating apps and websites that sell tickets and conduct draws, even though online lotteries are outlawed by the Kerala government, according to CloudSEK researchers.

During the campaign, the threat actors impersonated government agencies and ran fake ads on major social media platforms from accounts with more than 200,000 followers in order to appear legitimate.

The makers of the apps also used the logos of Kerala State Lotteries, the Kerala state government and the National Informatics Centre. The Kerala Lottery Department states that the state sells only paper lottery tickets and prohibits online sales, the researchers reported.

Both apps were found to display the same privacy policy and near-identical information despite operating under different names, which points to a common operator.

CloudSEK's analysis notes that the developer contact section of the apps lists email addresses that clearly do not belong to the government entity, a further indication that the state is not operating them.

The apps also request several permissions, among them the permission to install packages, which would let the app push further APKs onto the device.

The scam apps were promoted through numerous Telegram groups, YouTube videos, Facebook posts and Twitter posts.

The researchers stated, "Several websites have also been created to give legitimacy to these apps and promote them to make them appear legitimate".

'Washing Checks' and 'Mailbox Phishing' Emerge as Popular Crimes


Fraudsters steal paper checks from mailboxes, "wash" them with nail polish remover and fill in new amounts and payees, leaving victims and their banks, which usually foot the bill, to bear the losses. The black market for "glass", pilfered checks sold online with the assurance that they will clear at the bank, is becoming more widespread and sophisticated.

Criminals are diversifying into selling stolen account numbers and identity data, as well as the "arrow keys" used by mail carriers to open multiple boxes. After the checks are taken, large amounts of mail, including mail-in voter ballots, are dumped. Thieves either "fish" letters out of mail slots or rob postal workers of their mail and arrow keys.

"We see [sellers] offering $1,000 to $7,000 a key, depending on the number of mailboxes in the ZIP code," states David Maimon, a cybercrime expert at Georgia State University who has been tracking the surge.

According to Maimon, personal checks now "go up to $250" apiece, up from $125 to $175 earlier this year. Washed business checks can now fetch up to $650, up from $250.
"It's gone berserk," says Frank McKenna, a banking fraud consultant who traces the phenomenon back to the pandemic-era surge in stolen stimulus checks and unemployment benefits.

Maimon's Evidence-Based Cybersecurity Research Group has monitored 60 black-market communication channels for more than two years to study the online fraud ecosystem. He says most of the illegal activity happens on Telegram, though how-to videos on check washing can also be found on YouTube.

While California, New York, New Jersey and Florida are among the most affected, Maimon tells Axios that "we're seeing this spreading to distant states." The data sold with a check has also changed significantly: fraudsters now offer the check writer's Social Security number as well as account balances obtained from the dark web.

"We're talking about a very sophisticated supply chain at this point. It's just mind-boggling how things have evolved," he added. The United States Postal Service has placed warning signs on blue mailboxes, advising people to use online bill pay or bring their letters to a post office.

Because checks written in indelible ink cannot be washed, gel pens are now marketed as "fraud prevention". Congress recently held a hearing on "rampant" mail theft, the full scope of which is unknown. Banks are staffing up check processing to combat fraud while blaming staffing cuts at the US Postal Inspection Service, the USPS's law enforcement arm.

"Check fraud has become so widespread due to brazen criminality and mail theft that many banks are struggling to collect on bad checks from other banks," American Banker reports. "Though fraud losses are skyrocketing at all banks, small banks appear to be bearing the brunt of check fraud," the news site said.

"Banks typically reimburse their customers when a fraudulent or stolen check gets posted against their account, but getting repaid for a bad check has become a long, drawn-out affair."

The Postal Inspection Service is in the hot seat over the issue. For its part, it says it has made "significant security enhancements" to mailboxes and that postal inspectors made 1,511 arrests for mail theft in 2021, with 1,263 convictions.

"It's really frustrating that banks are being held liable because the Postal Service can't secure the mail," says Paul Benda, senior vice president for operational risk and cybersecurity at the American Bankers Association. "These numbers may seem impressive at first blush, but they are not," he said in congressional testimony.

The bottom line is that "much more systematic data on this type of fraud is needed to better understand how it works, crack down on the activity, and prevent it from occurring in the first place," according to Maimon.

The Twitter Blue Scandal Caused Eli Lilly to Lose Billions of Dollars

Twitter Inc. has suspended its recently announced $8 blue check subscription following a proliferation of fake accounts on the platform. For one pharmaceutical company, the decision came too late.

American pharmaceutical giant Eli Lilly (LLY) saw billions wiped off its market value after its stock fell on Friday, following a false tweet on Thursday from a fake account, verified with a blue tick, claiming "insulin is free now".

The fake account impersonating Eli Lilly promised free insulin, The Star newspaper reported. The company's stock dropped 4.37 percent, wiping out over $15 billion in market capitalization.

In a tweet posted from its official Twitter account, Eli Lilly provided clarification regarding the matter.

A flood of fake Twitter accounts has sprung up since Elon Musk's revised rules for Twitter Blue were announced; Eli Lilly is only one of the victims.

Twitter's Blue Saga

AFP reported on Friday that Twitter had taken action to curb the proliferation of fake accounts seen since Elon Musk took over the company. New sign-ups for the newly introduced paid checkmark system have been suspended, and some accounts have had their gray badges restored.

Before the change, the coveted blue tick was available only to politicians, famous personalities, journalists and other public figures, as well as government and private organizations.

The official @twittersupport account tweeted on Friday that the "official" label was being restored on some accounts to stop the flood of fakes. The tweet stated: "To combat impersonation, we have added an 'official' label to some accounts."

An internal memo to employees, obtained by US media including The Washington Post, confirms that Twitter temporarily disabled the feature to address "impersonation issues".

A Glitch in Ballot Tabulation Machines, an Opportunity for Election Deniers


Earlier this week, former American president Donald Trump and his followers seized on technical issues with ballot tabulation machines in the battleground state of Arizona and falsely claimed it was evidence of an election scam by the Democrats. 

The false claims were made after video emerged of voters being turned away from polling stations in Maricopa, Arizona’s largest county, and officials asking them to head to a different voting center. 

Election officials also flagged printer issues affecting ballot tabulators in nearly 20% of the county's polling locations, but made clear that voters could still cast their ballots.

"We also have redundancy in place. If you can't put the ballot in the tabulator, then you can simply place it here where you see the number three and this is a secure box where those ballots will be kept for later this evening, where we'll bring them in here to central count to tabulate them," a Maricopa official explained.

There was nothing suspicious about the voting process: the issues seen in a handful of places around the US were well within the normal range of glitches to be expected across thousands of jurisdictions with millions of people voting, a senior official at the US Cybersecurity and Infrastructure Security Agency said.

However, Trump contradicted state officials' assurances that the paper ballots would be tabulated later, posting on his social media platform, Truth Social, and telling voters to stay in line.

The state's Republican candidate for governor, Kari Lake, also seized on the machine glitches, tweeting out a "voter alert".

She has previously echoed Trump's false claims that the 2020 elections were stolen from him. When election results were announced, she nodded toward the issues with the machines. "We had a big day today. And don't let those cheaters and crooks think anything different. Don't let them doubt. Don't let them put doubt in you." 

Arizona was central in the false claims by Trump and his followers that the 2020 presidential election was rigged against him, after his narrow loss to Joe Biden in the state. The state was ground zero for Trump’s attempts to overturn his White House loss and in this year’s midterms, it’s the only state where all four major statewide candidates are election deniers. 

An election official in Arizona said that the malfunctions in ballot tabulation machines were "disappointing" and correctly predicted that election deniers such as Trump would "exploit" the issue.

UPI Frauds led to 15.3% Rise in Cybercrime Complaints Between Q1, Q2 in 2022: MHA


The unified payments interface (UPI) has been a huge success. At the same time, people are increasingly being cheated during online transactions. UPI frauds contributed significantly to a 15.3% increase in the overall number of complaints reported on the National Cybercrime Reporting Portal (NCRP) between the first and second quarters of 2022, according to data from the Ministry of Home Affairs.

While the total number of registered complaints in the first quarter of 2022 was 206,198, it increased by 15.3 percent to 237,658 in the second quarter. The number of 'UPI fraud complaints,' a cyber crime category under NCRP, increased from 62,350 in Q1 2022 to 84,145 in Q2 2022.

That is a rise of roughly 35%, far steeper than in other NCRP categories such as debit/credit card fraud and internet banking-related fraud.
These figures continue the growth in cybercrime complaints registered on the NCRP portal since 2021.

This rise can be attributed to the expansion of digital payment systems since the Covid-19 pandemic, which has allowed small businesses to enter the ecosystem. UPI payments increased by more than 1,200 percent in the six months ending in September, according to an RBI report.

According to the MHA report, "Online financial fraud, a cyber crime category under NCRP is the most prevalent among others, as 67.9 percent of the total reported cyber crime were 'online financial frauds'." However, no actual figures for this category were provided in the report.

Debit/credit card/sim swap fraud increased from Q1 to Q2 of 2022, which falls under financial fraud. In Q2, the figures were 26,793 compared to 24,270 in Q1. Nevertheless, complaints about internet banking decreased in the second quarter of 2022. While the figure was 20,443 in the first quarter of 2022, it fell to 19,267 in the second quarter.

UPI transactions are increasing

Unified Payments Interface (UPI) transactions hit a new high of Rs 12.11 lakh crore in October, six months after surpassing Rs 10 lakh crore in May.

This figure is expected to rise, with the RBI's Payment Vision 2025 projecting that UPI will grow by 50% on an annualized basis. Wider adoption of UPI will inevitably bring an increase in UPI fraud with it.

In response, the National Payments Corporation of India (NPCI) launched 'UPI-Help' on the Bharat Interface for Money (BHIM) UPI last year to provide a simple grievance resolution mechanism.

Users can open their transaction history in the BHIM UPI app, select the transaction concerned and choose the 'Raise a complaint' option, then describe the issue in the online complaint form and submit it.

NPCI also launched the Safety Shield campaign earlier this year to assist users with online payments via UPI.

U.S. Charged Eight in $45 Million Cyber Crime Scheme

The United States Department of Justice charged eight people on Wednesday in connection with a racketeering (RICO) conspiracy. 

In the multimillion-dollar fraud, the defendants allegedly stole money from hacked accounts at banks and financial institutions, laundered it and sent it overseas.

The defendants, Dickenson Elan, Andi Jacques, Monika Shauntel Jenkins, Louis Noel Michel, Jeff Jordan Propht-Francisque, Vladimyr Cherelus, Michael Jean Poix and Louisaint Jolteus, allegedly worked together to carry out computer fraud and scams.

According to the Department of Justice, the scheme began in 2011 when the conspirators started gaining access to accounts at 15 large financial institutions, including Citibank, E-Trade, PayPal, TD Ameritrade and JP Morgan Chase, the payroll processor Automatic Data Processing (ADP), and niche organizations including the U.S. military's Defense Finance and Accounting Service.

Between 2015 and 2019, the defendants, along with others including a now-deceased conspirator referred to as Rich4Ever4430, allegedly banded together in a cybercrime and fraud scheme involving tax returns.

The indictment claims that Jenkins, Michel, Propht-Francisque, Cherelus and Rich4Ever4430 purchased server credentials for certified public accounting (CPA) and tax preparation firms on the dark web and used them to gain access to, and exfiltrate, the tax returns of thousands of people.

"Hackers only need to find one vulnerability to cause millions of dollars of damage," said Mark Rasch, a former federal cyber crimes prosecutor, based in Bethesda, Maryland. 

Overall, they sought more than $36 million in false tax refunds. The loss so far is estimated at more than $4 million, though the exact amount is yet to be confirmed.

The eight defendants have been charged with conspiracy to commit wire fraud, conspiracy to commit identity theft, and conspiracy to commit money laundering. According to the law, defendants could face fines and up to 20 years in prison on each of the first two charges, and 15 years on the third. 

The case is referred to as "United States of America v. Oleksiy Sharapka, Leonid Yanovitsky, Oleg Pidtergerya, Richard Gundersen, Robert Dubuc, Lamar Taylor, Andrey Yarmoltskiy and Ilya Ostapyuk," number 13-06089, at the U.S. District Court for the District of New Jersey.

The Four Major Types of Spoofing Attacks and How to Avoid Them


Spoofing is the act of concealing a communication or identity so that it appears to be from a reliable, authorized source. Spoofing attacks can take many forms, ranging from the common email spoofing attacks used in phishing campaigns to caller ID spoofing attacks used to commit fraud. 

As part of a spoofing attack, attackers may also target more technical elements of an organization's network, such as an IP address, domain name system (DNS) server, or Address Resolution Protocol (ARP) service. 

Spoofing attacks typically prey on trusted relationships by impersonating a person or organization known to the victim. The messages may even be personalized to the victim, as in whaling attacks that combine email spoofing with website spoofing. There are various types of spoofing attacks. Here are three of the most common.
  • IP spoofing attack
In an IP spoofing attack, the attacker forges the source address of IP packets so that they appear to come from another host. Because any reply goes to the forged address rather than to the attacker, the technique is mostly used for denial of service: the attacker floods a device with packets carrying many different forged source addresses, which both overwhelms the target and makes the flood hard to filter by source.
IP spoofing is one of the more common spoofing attacks and can be detected with a network analyzer or bandwidth monitoring tool. Monitoring your network lets you baseline normal traffic and spot abnormal traffic, which alerts you that something is wrong and lets you investigate further.

Look in particular at source IP addresses and flow data that point to traffic arriving where it should not, such as packets with internal or reserved source addresses arriving on an external interface. Detecting IP spoofing early is critical because it frequently forms part of DDoS (distributed denial-of-service) attacks, which can bring an entire network down.
  • Email Spoofing Attacks
Email spoofing attacks occur when an attacker sends an email that appears to come from another sender. The sender fields are forged to display bogus contact information. The attacker, posing as that entity, then emails you asking for information. These attacks are frequently used to impersonate administrators and request account details from other members of staff.
Email spoofing is perhaps the most dangerous form because it targets employees directly; replying to the wrong email can hand an attacker sensitive information. Your first line of defense is to be skeptical of email display names.

Attackers frequently spoof display names, so check the actual sender address behind the name. If the email contains links, hover over them or otherwise inspect the link target to see where they really lead before clicking. Spelling mistakes and other inaccuracies are also signs that the sender may not be legitimate. On the server side, SPF, DKIM and DMARC let the receiving mail server check whether a message really came from the domain in its headers, though they cannot catch a lookalike display name on a domain the attacker owns.
  • DNS Spoofing Attacks
DNS (domain name system) spoofing attacks corrupt the mapping between hostnames and IP addresses. DNS servers resolve hostnames to the public IP addresses that clients use to reach them. In a DNS spoofing attack, the attacker injects forged DNS responses, or poisons a resolver's cache, so that a legitimate domain name resolves to an IP address the attacker controls.

One example is when you enter a website URL and are directed to a spoofed site rather than the website you intended to visit. This is a common method for attackers to deliver malware into networks.

A tool such as dnstraceroute can help detect DNS spoofing. Because a spoofing attack relies on the attacker answering the DNS query in place of the real server, dnstraceroute shows where along the path the query was answered; if the response came from somewhere other than the expected DNS server, the response was spoofed.
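For the IP spoofing discussion above, the following Python script is an added example (not code from the original post) that applies the ingress and egress filtering logic of BCP 38 to a constructed flow log: source addresses belonging to the network's own prefixes must never arrive on the external interface, reserved "bogon" addresses must never arrive there either, and only internal addresses may leave through the internal interface. The interface names, the internal prefixes and every log line are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# Assumed for this example: the prefixes this organisation owns.  Packets with
# these source addresses are legitimate only on the internal side of the border.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("198.51.100.0/24")]

# Reserved and private source ranges that should never arrive over the internet
# ("bogons").  The RFC 5737 documentation ranges 192.0.2.0/24 and 203.0.113.0/24
# are deliberately omitted because the constructed log below uses them as
# stand-ins for ordinary public addresses.
BOGON_NETS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4",
)]

EXTERNAL_IFACES = {"wan"}    # assumed interface naming

# Constructed flow records, not real traffic.  Format: iface,src,dst,packets
FLOW_LOG = """\
wan,203.0.113.7,198.51.100.10,12
wan,10.0.0.5,198.51.100.10,900
wan,127.0.0.1,198.51.100.10,40
lan,10.0.0.23,203.0.113.7,3
lan,203.0.113.77,8.8.8.8,500
wan,169.254.1.1,198.51.100.10,7
"""


def in_any(addr, nets):
    return any(addr in net for net in nets)


def classify(iface, src):
    """Return why the source address is implausible on this interface, or None."""
    addr = ip_address(src)
    if iface in EXTERNAL_IFACES:
        # Ingress filtering: nobody outside should be sending "as" one of our
        # hosts, and reserved ranges are not routable on the internet anyway.
        if in_any(addr, INTERNAL_NETS):
            return "internal source address arriving from outside"
        if in_any(addr, BOGON_NETS):
            return "bogon source address on external interface"
    elif not in_any(addr, INTERNAL_NETS):
        # Egress filtering (BCP 38): a host inside using a foreign source address
        # is either misconfigured or taking part in a spoofed flood.
        return "non-internal source address leaving internal interface"
    return None


def flag_spoofed(log_text):
    """Scan flow records; return (src, packets, reason) for each suspect record."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        iface, src, _dst, packets = line.strip().split(",")
        reason = classify(iface, src)
        if reason:
            alerts.append((src, int(packets), reason))
    return alerts


if __name__ == "__main__":
    for src, packets, reason in flag_spoofed(FLOW_LOG):
        print(f"{src:<16} {packets:>5} pkts  {reason}")
```

The same two rules are what a border router enforces with unicast reverse-path forwarding or an explicit ingress/egress ACL; running them over exported flow records after the fact is how you find out that a flood carried forged sources, or that one of your own hosts is emitting them.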
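For the DNS spoofing discussion above, here is an added example (not from the original post) of the mechanism behind a spoofed response and the checks a stub resolver relies on to reject one. The script builds a minimal DNS query and two responses by hand, a genuine one and a forgery whose guessed transaction ID is off by one, then applies the checks that must pass before an answer is trusted. The resolver address, the transaction IDs, the hostname and the answer addresses are all constructed values.

```python
import struct

RESOLVER = ("192.0.2.53", 53)      # assumed address/port of the resolver we queried


def encode_name(name):
    """Encode a dotted hostname into DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(data, offset):
    """Decode a wire-format name, following compression pointers; return (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:                  # pointer to an earlier copy of the name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(data, pointer)
            labels.append(tail)
            return ".".join(labels), offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode())
        offset += 1 + length


def build_query(txid, name):
    """Standard recursive query for the A record of name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)    # QR=0, RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # type A, class IN


def build_response(txid, name, ipv4, ttl=60):
    """Response with one A record; a real server and a spoofer both send exactly this."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)    # QR=1, RD, RA, one answer
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    # 0xC00C is a compression pointer to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse(packet):
    """Minimal parser: header, first question and any A answers."""
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    qname, offset = decode_name(packet, offset)
    qtype, _ = struct.unpack("!HH", packet[offset:offset + 4])
    offset += 4
    answers = []
    for _ in range(ancount):
        _, offset = decode_name(packet, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata, offset = packet[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "qname": qname, "qtype": qtype, "answers": answers}


def check_response(query, packet, sent_to, received_from):
    """The checks a stub resolver must make before trusting a reply to `query`.
    Returns (True, answers) or (False, reason)."""
    q, r = parse(query), parse(packet)
    if received_from != sent_to:
        return False, "reply from unexpected address/port"
    if not r["is_response"]:
        return False, "not a response"
    if r["txid"] != q["txid"]:
        return False, "transaction ID mismatch"
    if (r["qname"], r["qtype"]) != (q["qname"], q["qtype"]):
        return False, "question section does not match outstanding query"
    return True, r["answers"]


# Constructed packets: the genuine answer, and a forgery whose guessed 16-bit
# transaction ID is off by one (a spoofer who cannot see the query must guess it).
QUERY = build_query(0x1A2B, "example.com")
LEGIT = build_response(0x1A2B, "example.com", "93.184.216.34")
FORGED = build_response(0x1A2C, "example.com", "198.51.100.66")

if __name__ == "__main__":
    print(check_response(QUERY, LEGIT, RESOLVER, RESOLVER))
    print(check_response(QUERY, FORGED, RESOLVER, RESOLVER))
    print(check_response(QUERY, LEGIT, RESOLVER, ("198.51.100.66", 53)))
```

The transaction ID is only 16 bits, which is why a blind spoofer racing the real server can win by sending many guesses; real resolvers therefore also randomize the UDP source port of each query, which the `received_from` check models. An attacker who sits on the path and can see the query passes all of these checks, which is the case DNSSEC validation and encrypted transports (DoT/DoH) exist to cover.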

Hong Kong: 43 Suspects Arrested For Defrauding HK$12 Million From Victims Via Online Shopping Scams and Love Frauds


As part of its efforts to combat cybercrime and fraud, Hong Kong police have reportedly detained 43 people suspected of involvement in online scams, in a series of citywide raids during a week-long operation.
According to the police force, the suspects, aged between 17 and 75, include waiters, technicians, workers and unemployed people. During the operation, code-named Skyrocket, officers seized the suspects' mobile phones and bank cards.
The accused, 28 men and 15 women arrested between October 20 and 26, allegedly deceived victims out of HK$12 million (US$1.5 million) in a total of 37 cases, including internet love scams and shopping frauds, the police force reported on Friday.
The individual victims lost between several hundred Hong Kong dollars and about HK$900,000, said Senior Inspector Thomas Anthony Lo of the Wan Chai district crime squad.
The suspects were arrested on suspicion of obtaining property by deception and of money laundering; they included bank account holders whose accounts were used to collect and launder the proceeds of crime.
As announced by the force, all the detained suspects were later released on bail without charge, though they are required to report back to the police next month.
Money laundering is a punishable offence in Hong Kong, carrying a maximum sentence of 14 years and a fine of HK$5 million, while obtaining property by deception carries a maximum sentence of 10 years behind bars.
In a similar case, detectives from the Yau Tsim district crime squad detained two men suspected of involvement in an online shopping scam. The suspects reportedly posed as online buyers and duped at least 10 victims into selling them valuables worth more than HK$1.5 million, paying with cheques that bounced.
Police learned of the case after one of the victims, a 41-year-old man, reported on October 10 that he had been tricked into losing a HK$7,000 bracelet.
The two suspects, aged 34 and 40, were later arrested at their flats in Hong Kong on Wednesday. Police also recovered from one of the flats a HK$70,000 handbag belonging to one of the victims. The investigation is still ongoing and more arrests are possible, the police force said.

DHL: Most-Spoofed Brand in Phishing


DHL is the most spoofed brand in phishing emails, according to Check Point. Between July and September 2022, crooks most frequently used the brand name in their attempts to steal personal and payment information from marks, with the shipping giant accounting for 22% of all global phishing attempts intercepted by the cybersecurity firm. 

On June 28, DHL informed customers that it was the victim of a "major global scam and phishing attack," and that it was "working hard to block the fraudulent websites and emails." In the phishing attempts, criminals used a tried-and-true phony message, falsely alerting customers that their package could not be delivered and requesting personal and payment information to proceed with the delivery.

These types of urgent requests — to change a password or, in this case, delivery or payment information — are especially effective at stealing credentials, as we saw with the recent Oktapus cybercrime spree.

Check Point discovered one phishing email that attempted to impersonate DHL and was sent from the address "info@lincssourcing[.]com." The report stated that crooks altered it to appear as if the sender was "DHL Express."

The subject line of the email, "Undelivered DHL(Parcel/Shipment)," as well as the message, attempted to dupe the victim into clicking on a malicious link claiming that they needed to update their delivering address in order to receive the package. Of course, the URL does not actually lead to DHL's website. Instead, it redirects them to a bogus, attacker-controlled website with a form asking the victim to enter their name and password, which the crooks then steal.

These stolen credentials can then be used to obtain additional account information, such as payment information, or simply sold to other identity thieves on dark-web forums. While DHL tops the list of stolen brands, Check Point reports that Microsoft is in second place for third-quarter phishing scams, accounting for 16% of all campaigns based on brand recognition. LinkedIn, which topped the list in both the first and second quarters of this year, fell to third place with 11 percent.

Victims are more likely to click on a malicious link that appears to come from a trusted brand, which keeps brand phishing profitable. It is a low-cost crime with a high return on investment for criminals. Last year, phishing was by far the most commonly reported cybercrime, with 323,972 reports to the FBI and victims losing $44.2 million.

Check Point detailed another brand-spoofing phish example in which criminals used a fake OneDrive email to try to steal a user's Microsoft account information. The message was sent from "websent@jointak[.]com[.]hk," with "OneDrive" as a bogus sender name, and the subject: "A document titled 'Proposal' has been shared with you on Onedrive."

The Microsoft-brand phish, like the DHL spoof, attempts to trick the victim into clicking on a malicious link that spoofs a Microsoft web app login page and then enter their account password. As a general rule, users should avoid emails that request personal information or credit card information.
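The DHL and OneDrive lures above, and the advice on display names and sender addresses in the spoofing-attacks post earlier on this page, both come down to the same check, so here is one added example (not code from Check Point or the original posts) that performs it. The script parses two constructed messages modelled on the DHL lure: one where the attacker's own domain authenticates cleanly but the display name claims "DHL Express" (the sender address is the one the post quotes, with the defanging brackets removed so it parses), and one where the From header itself claims dhl.com and DMARC fails. The brand-to-domain table, the mail-server name and the Authentication-Results contents are assumptions for the example.

```python
import email
import re
from email.utils import parseaddr

# Brands we expect to see in display names and the domains they really send from.
# Example mapping only; a real deployment maintains its own list.
BRAND_DOMAINS = {
    "dhl": {"dhl.com", "dhl.de"},
    "onedrive": {"microsoft.com"},
    "microsoft": {"microsoft.com"},
}

# Constructed message modelled on the DHL lure: the attacker controls
# lincssourcing.com, so SPF, DKIM and DMARC all pass for that domain.
DISPLAY_NAME_SPOOF = """\
Return-Path: <bounce@lincssourcing.com>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=lincssourcing.com;
 dkim=pass header.d=lincssourcing.com;
 dmarc=pass header.from=lincssourcing.com
From: "DHL Express" <info@lincssourcing.com>
To: victim@example.net
Subject: Undelivered DHL(Parcel/Shipment)

Your parcel could not be delivered. Update your address here.
"""

# Constructed message where the From header claims dhl.com without authorisation,
# so the receiving server records a DMARC failure for the header domain.
HEADER_FROM_SPOOF = """\
Return-Path: <bounce@lincssourcing.com>
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=dhl.com;
 dkim=none;
 dmarc=fail header.from=dhl.com
From: "DHL Express" <noreply@dhl.com>
To: victim@example.net
Subject: Undelivered DHL(Parcel/Shipment)

Your parcel could not be delivered. Update your address here.
"""


def auth_results(msg):
    """Extract the spf/dkim/dmarc verdicts from Authentication-Results ('none' if absent)."""
    header = msg.get("Authentication-Results", "")
    verdicts = {}
    for method in ("spf", "dkim", "dmarc"):
        match = re.search(r"\b%s=(\w+)" % method, header)
        verdicts[method] = match.group(1).lower() if match else "none"
    return verdicts


def assess(raw_message):
    """Return the parsed sender details plus a list of spoofing indicators."""
    msg = email.message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    auth = auth_results(msg)
    findings = []
    # Display-name spoof: the name invokes a brand the sending domain does not belong to.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and from_domain not in domains:
            findings.append(f"display name claims '{brand}' but From domain is {from_domain}")
    # Header-From spoof: the domain in From failed the owner's DMARC policy.
    if auth["dmarc"] == "fail":
        findings.append(f"DMARC failed for header From domain {from_domain}")
    if auth["spf"] != "pass" and auth["dkim"] != "pass":
        findings.append("neither SPF nor DKIM passed")
    return {"display_name": display, "from_domain": from_domain,
            "auth": auth, "findings": findings}


if __name__ == "__main__":
    for sample in (DISPLAY_NAME_SPOOF, HEADER_FROM_SPOOF):
        result = assess(sample)
        print(result["display_name"], result["from_domain"], result["auth"])
        for finding in result["findings"]:
            print("  -", finding)
```

The first sample is the important one: every authentication check passes, because the crooks legitimately own the domain they send from, and only the mismatch between the brand in the display name and the actual sending domain gives it away. That is the check the spoofing post asks users to perform by eye, and it is the one a mail gateway can automate.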

New Phishing Campaign Targets Saudi Government Service Portal


Multiple phishing domains imitating Absher, the Saudi government service portal, have been set up to provide citizens with fraudulent services and steal their credentials. CloudSEK cybersecurity researchers made the discovery and published an advisory about the threat on Thursday. 

"The threat actors are targeting individuals by sending an SMS, along with a link, urging people to update their information on the Absher Portal," wrote the security experts. "The phishing website presents users with a fake login portal, compromising the login credentials." 

According to CloudSEK, after the bogus 'login,' a pop-up appears on the site requesting a four-digit one-time password (OTP) sent to the registered mobile number, which is most likely used to bypass multifactor authentication (MFA) on the legitimate Absher Portal. 

"Any four-digit number is accepted as an OTP without verification, and the victim successfully logs in to the fake portal," CloudSEK clarified. 

After completing the bogus login process, the user is prompted to fill out a registration form, revealing sensitive personally identifiable information (PII), before being redirected to a new page where they are asked to select a bank. They are then taken to a bogus bank login portal designed to steal their credentials. 

"After submitting the internet banking login details, a loading icon pops up, and the page gets stuck, while the user banking credentials have already been compromised," the security researchers wrote.

According to CloudSEK, government services in the Saudi region have recently become a prime target for cyber-criminals looking to compromise user credentials and use them to launch additional cyber-attacks.

"Multiple phishing domains have been registered to gain the PII of individuals in Saudi Arabia," the company wrote.

To lessen the impact of these attacks, CloudSEK urged government organizations to monitor phishing campaigns targeting citizens and to inform and educate them about the dangers, such as not clicking on suspicious links. The warning comes just weeks after CloudSEK discovered a separate phishing campaign targeting Saudi KFC and McDonald's customers.
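As an added illustration of the kind of monitoring CloudSEK recommends (example code written for this page, not CloudSEK's tooling or anything from the advisory), the following Python script triages a feed of newly observed domain names against a brand's legitimate domain and labels the common impersonation patterns: typosquats, digit-for-letter homoglyphs, the brand name wrapped in extra words, and the brand used as a subdomain of an unrelated domain. The domain feed is constructed for illustration; `absher.sa` is assumed here to be the portal's legitimate domain, since the advisory does not name it.

```python
"""Lookalike-domain triage for brand-impersonation monitoring (added example)."""

# Digit-for-letter substitutions commonly seen in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
# Letter pairs that visually resemble a single letter.
MULTI_CHAR = [("rn", "m"), ("vv", "w")]


def normalize(label):
    """Fold visual tricks so that 'ab5her' and 'absher' compare equal."""
    label = label.lower().translate(HOMOGLYPHS)
    for pair, repl in MULTI_CHAR:
        label = label.replace(pair, repl)
    return label


def levenshtein(a, b):
    """Edit distance, used to catch single-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(fqdn):
    """Split into (subdomain labels, registrable label, tld).

    Simplification for the example: assumes a single-label TLD such as .sa or .com;
    a production tool would consult the Public Suffix List instead.
    """
    labels = fqdn.lower().strip(".").split(".")
    if len(labels) < 2:
        return [], labels[0], ""
    return labels[:-2], labels[-2], labels[-1]


def classify_domain(fqdn, brand_domain="absher.sa"):  # brand_domain is an assumption
    """Label one observed domain relative to the brand's legitimate domain."""
    _, brand_label, brand_tld = split_domain(brand_domain)
    subs, reg, tld = split_domain(fqdn)
    if reg == brand_label and tld == brand_tld:
        return "legitimate"
    # Brand appears as a subdomain of an unrelated registrable domain (absher.sa.<other>.net).
    if any(brand_label in normalize(s) for s in subs):
        return "brand-in-subdomain"
    if reg == brand_label:
        return "wrong-tld"
    nreg = normalize(reg)
    if nreg == brand_label:
        return "homoglyph"
    if brand_label in nreg:
        return "brand-with-affix"
    if levenshtein(nreg, brand_label) <= 2:
        return "typosquat"
    return "unrelated"


def triage(feed, brand_domain="absher.sa"):
    """Return {domain: label} for every domain worth a closer look."""
    result = {}
    for fqdn in feed:
        label = classify_domain(fqdn, brand_domain)
        if label not in ("legitimate", "unrelated"):
            result[fqdn] = label
    return result


# Constructed feed of newly observed domains (illustrative only, not real indicators).
SAMPLE_FEED = [
    "absher.sa",                       # the legitimate portal (assumed)
    "abshr.sa",                        # dropped letter
    "ab5her.net",                      # digit-for-letter homoglyph
    "absher-update.com",               # brand plus lure word
    "absher.sa.secure-login.example",  # brand used as a subdomain
    "absher.com",                      # right label, wrong TLD
    "weather-today.example",           # unrelated noise
]

if __name__ == "__main__":
    for domain, label in triage(SAMPLE_FEED).items():
        print(f"{label:20} {domain}")
```

The ordering of the checks matters: the subdomain test runs before the label comparisons, because a name like `absher.sa.secure-login.example` has a perfectly ordinary registrable domain and would otherwise be scored as unrelated. Each label maps to a different follow-up (takedown request, block-list entry, or just a watch), which is why the function returns a category rather than a single score.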

Hyderabad Police Exposes Rs 903 Crore Chinese Investment Fraud Campaign


Hyderabad Cyber Crime Police this week disclosed that they have busted a Chinese investment scam worth Rs 903 crore with the arrest of 10 individuals, including a Chinese resident. 
The accused, arrested in Mumbai, Delhi and Hyderabad, include Sahil Bajaj, Sunny, Virender Singh, Sanjay Yadav, Navneeth Kaushik, Md. Parvez, Syed Sultan, Mirza Nadeem Baig, Lec alias Li Zhongjun and Chu Chun-yu. 

According to Police Commissioner C.V. Anand, the fraudsters used online investment apps to trap investors. The money collected from victims was moved through virtual channels until it reached the bank accounts of authorised money changers (AMCs), where it was converted into foreign currency and finally transferred to Chinese operators via a hawala route. So far, Rs 1.91 crore has been frozen in various bank accounts in this case. 

The fraud campaign was unraveled after a Hyderabad citizen who lost Rs 1.6 lakh after investing in an app named LOXAM approached the police in July. 

During the investigation, police found that the complainant's money had been deposited into an IndusInd Bank account in the name of Xindai Technologies Pvt Ltd. This account was opened by the accused Virender Singh, who disclosed that he had opened it on the orders of Jack, a Chinese national who operated the account. 

Another firm involved in the same scam, Betench Networks Pvt Ltd, shared the same phone number as Xindai, and further investigation led to the account holder, Sanjay Yadav of Delhi, who allegedly opened the account on the instructions of Lec and Pei of China. Yadav opened 15 other bank accounts and sent their details to Taiwan’s Chu Chun-yu, who was arrested in Mumbai. 

The local account holders received a commission of ₹1.2 lakh for opening fake accounts. Identical accounts were also unearthed from Hyderabad with instructions and commission from Dubai, the police added.

From Xindai Technologies, the money was transferred to 38 bank accounts and finally landed with the authorised money changers Ranjan Money Corp and KDS Forex Pvt Ltd, owned by Naveen Kaushik. “The AMCs flouted all exchange and anti-money laundering rules mandated by the RBI. It is also a clear case of negligence on the part of the banking system,” Mr. Anand concluded.

UK Residents Warned to Watch out for Purchase Scams when Buying Gifts this Christmas


Christmas shopping can be a headache for UK residents as hackers continue to ramp up their efforts to siphon money from online shoppers. The prospect of long queues and the rising cost of living have persuaded many to hunt for bargains online in order to make their money go further this Christmas. 

A huge spike in energy bills has already put millions of households on the verge of fuel poverty, and the situation could be much worse by the end of this year. Many Britons will therefore choose to shop online for their presents this year, but Christmas could be ruined if you fall victim to one of the thousands of online scams. 

Over the last three months, reports to The Cyber Helpline of victims being conned while shopping online have surged by 86%. 

A recent victim, who requested anonymity, explained how he was trapped in an online scam: “I was shopping online and found some good deals on a site I found on social media. I spent £179, but my items didn’t turn up. I contacted the customer care number and they advised me that the order had failed to go through even though the money had been deducted from my account.” 

“They sent me an email with a form to fill in to help them process my order. The form asked for the card details I had used for my order and, without thinking, I also shared my PIN. Over the next few days over £200 was taken from my bank account.” 

In some cases, the items are delivered but are faulty or completely different from the description. Fraudsters also target sellers, either by persuading them to send the product before payment arrives, or by buying an item, returning a fake one and getting their money back. 

Prevention strategies 

Here are some simple tips to help you and your family enjoy a secure online shopping experience this festive season. 

Question product availability: Carry out some research first, or ask a friend or family member whether they have used the site and what their experience was, before completing the purchase. 

Check where you are sending your money: Be cautious when paying for your items, and check that there is a ‘closed padlock’ icon in the browser’s address bar. Use a credit card when shopping online, if you have one. The majority of credit card providers protect online purchases. 

Employ strong passwords: Make sure that your really important accounts (such as your email account or online shopping accounts) are protected by strong passwords that you don’t use anywhere else. 

“Be extremely careful when you are shopping online this Christmas. The internet is awash with fake shopping sites, fake items for sale, and criminals trying to scam you,” Founder & CEO of The Cyber Helpline, Rory Innes, stated. “There will be a lot of valid offers and deals over the coming weeks, but before you buy, check if the website is legitimate, if the offer looks reasonable, search online for reviews and check if the company really exists. If you received the offer in a message or email, don’t click any links and visit the official website directly to check if the offer exists.”

Phishing Attack Spoofs Zoom to Steal Microsoft User Credentials


Phishing attacks work by imitating a well-known or trusted brand, product, or company, with the aim of duping recipients into disclosing sensitive account information. That was the case in a recent phishing campaign investigated by security firm Armorblox, in which the attacker impersonated Zoom in an attempt to compromise Microsoft user credentials. 

The phishing email, which was sent to over 21,000 users at a national healthcare company, had the subject line "For [name of recipient] on Today, 2022," with each user's actual name listed as the recipient. The email, which displayed the Zoom name and logo, stated that the person had two messages awaiting their response. The recipient had to click on the main link to read the alleged messages.

The main button would have directed users to a bogus landing page impersonating a Microsoft login page. There, victims were told to enter their Microsoft account password to verify their identity before they could view the messages. To further lull them into a false sense of security, the landing page pre-populated the username field with the person's actual email address. Any Microsoft passwords entered on the page would, of course, be captured by the attackers.

The initial phishing email, sent from a valid domain, bypassed Microsoft Exchange email security controls because it passed the usual email authentication checks: DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), and Domain-based Message Authentication, Reporting and Conformance (DMARC). Those checks only confirm that the message genuinely came from the domain in the sender address, not that the domain has anything to do with Zoom or Microsoft. The emails were instead blocked from reaching user inboxes by Armorblox.
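Both the OneDrive lure Check Point described earlier on this page (a “OneDrive” display name on a message from an unrelated .hk domain) and the Zoom lure above share one feature: the sending domain is genuine, so SPF, DKIM and DMARC pass, while the brand shown to the recipient has no relation to that domain. The following Python script is an added example written for this page, not Armorblox's or Check Point's product logic. It parses a raw message, reads the Authentication-Results header, and flags a message whose display name or subject invokes a brand that the From: domain is not known to belong to. The brand-to-domain table and the three sample messages are constructed; the sender address in the first sample is the one Check Point reported, written out plainly so the parser accepts it, and the Zoom sample uses a placeholder domain because the real campaign's sending domain was not published.

```python
"""Brand-impersonation check on authenticated mail (added example)."""
import email
import re
from email.policy import default
from email.utils import parseaddr

# Constructed allow-list of brands and the domains they are known to send from.
# A production deployment would curate this from the brands' published DMARC policies.
BRAND_DOMAINS = {
    "onedrive": {"microsoft.com"},
    "microsoft": {"microsoft.com"},
    "zoom": {"zoom.us"},
    "dhl": {"dhl.com"},
}


def auth_results(msg):
    """Parse the Authentication-Results header into {'spf': 'pass', 'dkim': ..., 'dmarc': ...}."""
    header = str(msg.get("Authentication-Results", ""))
    return {m.lower(): r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def sender_domain(msg):
    """Return (display name, domain part of the From: address)."""
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def brand_mismatch(msg):
    """Return the brand named in the display name or subject when the sending domain is not that brand's."""
    name, domain = sender_domain(msg)
    haystack = f"{name} {msg.get('Subject', '')}".lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in haystack and not any(domain == d or domain.endswith("." + d) for d in domains):
            return brand
    return None


def classify(raw):
    """Combine authentication status with the brand check: a 'pass' alone is not a clean bill of health."""
    msg = email.message_from_string(raw, policy=default)
    results = auth_results(msg)
    authenticated = results.get("dmarc") == "pass" or (
        results.get("spf") == "pass" and results.get("dkim") == "pass"
    )
    brand = brand_mismatch(msg)
    return {
        "authenticated": authenticated,
        "impersonated_brand": brand,
        "verdict": "suspicious" if brand else "ok",
    }


# Sample 1: the OneDrive lure Check Point described. Sender address as reported (undefanged);
# the Authentication-Results line is constructed.
ONEDRIVE_LURE = """\
From: OneDrive <websent@jointak.com.hk>
Subject: A document titled 'Proposal' has been shared with you on Onedrive
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=jointak.com.hk; dkim=pass header.d=jointak.com.hk; dmarc=pass header.from=jointak.com.hk

Open the shared document to review the proposal.
"""

# Sample 2: the Zoom-themed lure Armorblox described. The campaign's sending domain was not
# published, so a placeholder domain is used; it "passes" DMARC just as the real one did.
ZOOM_LURE = """\
From: Zoom <notify@mailer-service.example>
Subject: For Alice Example on Today, 2022
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mailer-service.example; dkim=pass header.d=mailer-service.example; dmarc=pass header.from=mailer-service.example

You have 2 messages waiting. Review them now.
"""

# Sample 3: a constructed legitimate notification, where brand and sending domain agree.
LEGIT_ZOOM = """\
From: Zoom <no-reply@zoom.us>
Subject: Your meeting recording is ready
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=zoom.us; dkim=pass header.d=zoom.us; dmarc=pass header.from=zoom.us

Your cloud recording is now available.
"""

if __name__ == "__main__":
    for label, raw in [("onedrive", ONEDRIVE_LURE), ("zoom", ZOOM_LURE), ("legit", LEGIT_ZOOM)]:
        print(label, classify(raw))
```

Run it directly to print a verdict for each sample. The design point is that `authenticated` and `verdict` are reported separately: a DMARC pass is what makes the brand check meaningful (without it the From: domain itself may be forged), but it never upgrades a brand mismatch to "ok". Matching the brand against the subject as well as the display name catches lures whose display name is bland but whose subject line does the impersonating.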

How to Protect Your Company from Phishing

Armorblox makes the following recommendations to help you protect your organisation and employees from these types of phishing attacks:

The email described in the report evaded Microsoft security measures, indicating that you should supplement your native email security with stronger and more layered tools. Consult Gartner's Market Guide for Email Security and Armorblox's 2022 Email Security Threat Report to find the right product.

Users are advised to:
  • Be wary of social engineering ploys.
  • Adopt proper password hygiene.
  • Use multi-factor authentication.

Operation Chakra: CBI Searches 105 Locations, Targeting Cyber Crimes


The CBI on Tuesday launched ‘Operation Chakra’ to crack down on “cyber-enabled financial crimes,” carrying out raids at 105 locations across numerous states and Union Territories. The operation was conducted in coordination with Interpol, the Federal Bureau of Investigation (FBI) and state police forces. 
The action was taken after the CBI busted two call centres in Pune and Ahmedabad that allegedly targeted unsuspecting American citizens. The centres employed nearly 150 people, who would make fraudulent calls to prospective targets in the United States, enticing the victims into making transactions on various pretexts. The calls were allegedly made via Voice over Internet Protocol (VoIP) technology to dodge detection. The initial information about the scam was shared by the FBI with the CBI a few months ago. 
The raids were conducted in association with the police forces of six states and Union Territories, namely Andaman and Nicobar (raids at four locations), New Delhi (five locations), Chandigarh (three locations) and two locations each in the states of Punjab, Karnataka and Assam. 
According to the sources, “Of all the locations, CBI alone has conducted searches at around 80 locations spread across states. The agency also received inputs from the raids from the Royal Canadian Mounted Police.” 
“From one location in Rajasthan, CBI uncovered Rs. 1.5 crores cash and 1.5 Kg gold. The accused person had been running an illegal call centre. Two such call centres were also busted in Ahmedabad and Pune. They were involved in call centre fraud in the US. The FBI has been informed and they are taking follow-up action,” stated the CBI official. 
The CBI has also retrieved digital evidence, including details pertaining to bank transactions and dark web cybercrime activity. In this regard, “a person of interest has also been identified in Punjab in this connection,” the official added. 
The agency has continued the operation, seizing digital evidence including mobile phones, laptops and hard disks for further investigation.

Ex-NSA Employee Charged with Espionage Case

A former U.S. National Security Agency (NSA) employee from Colorado has been arrested for attempting to sell classified data to a foreign spy in an attempt to resolve personal financial problems caused by debt. 

According to court documents released on Thursday, the person whom the accused, Jareh Sebastian Dalke, 30, believed to be a foreign agent was in fact an undercover agent working for the Federal Bureau of Investigation (FBI). 

Dalke believed he was in contact with a representative of a particular nation "with many interests that are adverse to the United States," but he was actually talking to an undercover FBI agent, according to his arrest affidavit. 

Dalke was arrested on Wednesday after he allegedly agreed to transmit classified data. "On or about August 26, 2022, Dalke requested $85,000 in return for additional information in his possession. Dalke agreed to transmit additional information using a secure connection set up by the FBI at a public location in Denver," the DoJ said, which eventually led to his arrest. 

Dalke was employed at the NSA from June 6, 2022, to July 1, 2022, as part of a temporary assignment in Washington, D.C., as an Information Systems Security Designer. He is also accused of transferring additional National Defense Information (NDI) to the undercover FBI agent at an undisclosed location in the U.S. state of Colorado. 

Following the investigation, he was arrested on September 28 by the law enforcement agency. Dalke has been charged with three violations of the Espionage Act. However, the arrest affidavit did not identify the country to which Dalke allegedly provided information. 

The affidavit, filed by the FBI, mentions that Dalke also served in the U.S. Army from about 2015 to 2018 and held a Secret security clearance, which he received in 2016. He further held a Top Secret security clearance during his tenure at the NSA. 

"Between August and September 2022, Dalke used an encrypted email account to transmit excerpts of three classified documents he had obtained during his employment to an individual Dalke believed to be working for a foreign government," the Justice Department (DoJ) said in a press release.

Germany: Individual Hacker Arrested for Stealing €4 Million via Phishing Attacks


Germany’s federal criminal police, the Bundeskriminalamt (BKA), carried out home raids on three suspects for executing a large-scale phishing campaign that defrauded internet users of €4 million. The campaign was carried out by the charged suspects between October 3, 2020, and May 29, 2021, according to the evidence gathered by the German Computer Crime Office. 

One of the three suspects, a 24-year-old, has been arrested and charged by the BKA; the second, a 40-year-old, has also been charged with 124 counts of computer fraud, while the investigation into the third suspect is still ongoing. 

The hackers allegedly defrauded their victims by impersonating legitimate German banks and sending them phishing e-mails that were clones of messages from real banks. 

“These e-mails were visually and linguistically believable based on real bank e-mails. The victims were informed in these letters that their house bank would change their security system – and their own account would be affected [...] The e-mail recipients were thus tricked into clicking on a link, which in turn led to a deceptively real-looking bank page. There, the phishing victims were asked to enter their login data and a current TAN, which in turn enabled the fraudsters to see all the data in the account of the respective victim – including the amount of credit and availability. The perpetrators then contacted the victims and tricked them into revealing further TAN numbers as alleged bank employees. With the TAN, they were then able to withdraw funds from the accounts of the victims.” reads the statement issued by BKA. 

The phishing emails reportedly informed internet users of changes to their respective bank’s security systems, urging the victims to click on an embedded link to continue using the bank’s services. The links redirected victims to a landing page asking them to enter their credentials and a Transaction Authentication Number (TAN), giving the hackers access to their online banking accounts and the ability to withdraw funds. 

According to the BKA, the hackers even used DDoS against the banks to conceal their fraudulent transactions. "In order to carry out their crimes, the accused are said to have resorted to offers from other cybercriminals who worked on the dark net, selling various forms of cyber-attacks as crime-as-a-service." BKA stated in an announcement. 

In regard to the active cases of phishing attacks and online fraud, the police urged internet users to take certain cautionary measures, such as never clicking a link or opening file attachments in emails that appear to be from a legitimate bank. If in doubt, the users are recommended to contact their banks personally or obtain information from the bank’s respective websites.

Fake CISO Profiles of Corporate Giants Swamp LinkedIn


LinkedIn has recently been flooded with fake profiles for the post of Chief Information Security Officer (CISO) at some of the world’s largest organizations. 

One such LinkedIn profile is for the CISO of the energy giant Chevron. Searching for the profile turns up one for Victor Sites, stating that he is from Westerville, Ohio, and is a graduate of Texas A&M University. In reality, the CISO role at Chevron is currently held by Christopher Lukas, who is based in Danville, Calif. 

According to KrebsOnSecurity, upon searching the profile of “Current CISO of Chevron” on Google, they were led to the fake CISO profile, for it is the first search result returned, followed by the LinkedIn profile of the real Chevron CISO, Christopher Lukas. It was found that the false LinkedIn profiles are engineered to confuse search engine results for the role of CISOs at major organizations, and the profiles are even considered valid by numerous downstream data-scraping sources. 

A similar case is the LinkedIn profile of Maryann Robles, who claims to be the CISO of another energy giant, ExxonMobil. More such fabricated CISO profiles could be identified because the already detected fake profile listed a number of them in the “People Also Viewed” column. 

Who is Behind the Fake Profiles? 

Security experts are not yet certain of the identity of the threat actors behind the creation and operation of these fake profiles. Likewise, the intention leading to the cyber security incident also remains unclear.  

LinkedIn, in a statement given to KrebsOnSecurity, said its team is working on tracking and taking down the fake accounts. “We do have strong human and automated systems in place, and we’re continually improving, as fake account activity becomes more sophisticated,” the statement reads. “In our transparency report we share how our teams plus automated systems are stopping the vast majority of fraudulent activity we detect in our community – around 96% of fake accounts and around 99.1% of spam and scam,” said LinkedIn. 

What can LinkedIn do?  

LinkedIn could take simple steps that would inform users about the profile they are looking at and whether to trust it, such as adding a “created on” date to every profile and offering users filtered searches. 

Mason, a former CISO of LinkedIn, says it could also experiment with offering something similar to Twitter’s ‘verified mark’ to users who choose to validate that they can respond to email at the domain linked to their stated current employer. Mason also added that LinkedIn needs a more streamlined process allowing employers to remove phony employee accounts.

Scylla: Ad Fraud Scheme in 85 Apps with 13 Million Downloads


Security researchers have exposed 85 apps involved in an ongoing ad fraud campaign that began in 2019. 75 of these apps are on Google Play, while 10 are on the App Store. Collectively, the apps have more than 13 million downloads to date. 
Researchers from HUMAN’s Satori Threat Intelligence team have collectively named the mobile apps identified in the ad fraud campaign ‘Scylla’. 
The malicious apps flooded devices with advertisements, both visible and hidden. Additionally, the fraudulent apps generated revenue by impersonating legitimate apps in app stores. Although these apps are not seen as a severe threat to users, the adware operators could use them for more malicious activities. 
According to the researchers, Scylla is believed to be the third wave of an ad fraud campaign that came to light in August 2019, termed ‘Poseidon’. The second wave, called ‘Charybdis’ led up to the end of 2020. 

The original operation, Poseidon, comprised over 40 fraudulent Android apps designed to display out-of-context ads or ads hidden from the view of mobile users. 
The second wave, Charybdis, was a more sophisticated version of Poseidon that targeted advertising platforms using code obfuscation tactics. Scylla apps, on the other hand, expand beyond Android to target the iOS ecosystem as well. In addition, Scylla relies on additional layers of code obfuscation using the Allatori Java obfuscator, making it hard for researchers to detect or reverse engineer the adware. 
These fraudulent apps are engineered to commit numerous kinds of ad fraud, including mimicking popular apps (such as streaming services) to trick advertising SDKs into placing their ads, displaying out-of-context and hidden ads, generating clicks without users' knowledge, and funnelling the resulting ad revenue to the operators. 
"In layman's terms, the threat actors code their apps to pretend to be other apps for advertising purposes, often because the app they're pretending to be is worth more to an advertiser than the app would be by itself," states HUMAN security. 
According to the sources, the researchers have informed Google and Apple about these fraudulent apps, following which the apps are being removed from Google Play and the App Store. Users are advised to simply remove the apps if they happen to have installed one of the suspected adware apps. 
Furthermore, given the rise in such fraud, the Satori researchers have suggested precautions users can take to avoid falling for adware. These include examining apps before downloading them, looking out for apps you do not remember installing, and avoiding third-party app stores that could harbour malicious applications.