Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Email. Show all posts
Privacy
Cyberattacks CyberCrime DataBreaches Email Firefox Malware attacks Mozilla Privacy

Protecting User Privacy by Removing Personal Data from Data Broker Sites

 


As part of its new subscription service model, Mozilla Firefox is offering its users the possibility of finding and removing their personal and sensitive information from data brokers across the internet. This new subscription model is known as Mozilla Monitor Plus and will allow users to locate and remove their sensitive information. 

To eliminate their phone numbers, e-mail, home addresses, and other information that is usually sold to data broker platforms for profit, the company offers a new subscription model called Mozilla Monitor-Plus. This is particularly interesting since Mozilla already offers a free service of privacy monitoring called Firefox Monitor which was previously known as Mozilla Monitor - which is now being revamped to strengthen privacy for users.

Previously, Mozilla Monitor was a free service that sent users notifications when their email accounts had been compromised. The new version is now called Monitor-Plus, and it is a subscription-based service. Approximately 10 million current Mozilla Monitor users will now have the opportunity to run scans to see if their personal information has been hacked by using the subscription-based service. 

Whenever a breach is detected, Monitor Plus provides the tools to make sure that a user's information remains private again if a breach is detected. Data broker websites have a convoluted and confusing process that individuals have to deal with when they try to remove their information from them. It is not uncommon for people to find themselves unsure of who is using their personal information or how to get rid of it once they find it online.

However, most sites have either an opt-out page or require them to contact the broker directly to request removal. This process can be simplified by Mozilla Monitor, which searches across 190 data broker sites known for selling private and personal information proactively.

Mozilla will initiate a request on behalf of the user for removal if any data provided to Mozilla is discovered on those sites, including name, location, and birthdate. The removal process can take anywhere from a day to a month, depending on how serious the problem is. There are two subscription options available for users of this feature, the Monitor Plus subscription costs $13.99 per month or $8.99 per month with an annual subscription, which includes this feature. 

The free option for users who do not wish to subscribe to Firefox is to scan data broker sites once. However, these users will have to manually go through the steps to remove their information from these websites. This may encourage them to upgrade to the Monitor Plus subscription, as it provides automatic removals for a process that can be very tedious otherwise.

In regards to data breaches, both free and paid users will continue to receive alerts and will have access to tools to learn how to fix high-risk breaches. By providing their email addresses, as well as a few personal details such as their first and last name, city, state, and date of birth, users can initiate a free one-time scan for their device.

There will then be the possibility to scan the tool for potential exposures and let users know about them and how they can be fixed. It is Mozilla's policy to initiate a data removal request on behalf of users who wish to have their data removed. The status of the requests of users can be viewed, as well as the progress of their requests can be tracked. 

Furthermore, Mozilla will perform a monthly scan after the removal of personal information to ensure that it is kept safe on 190+ data broker sites even after the removal. Users must submit their first and last name, current city and state, date of birth, and email address to initiate a scan. Mozilla has an extensive privacy policy that protects the privacy of this information and encrypts it.

With this kind of information in hand, Mozilla applies a scan to your personal information, showing you where your information has been exposed by data breaches, brokers, or websites that collect personal information. In 2023 alone, 233 million people will have been affected by data breaches, and it is for this reason that a tool such as this is vital in the current environment. The Mozilla Monitor Plus subscription will include monthly scans and automatic removal of any malware that is found on your computer.
Read more »
W3LL
Account Attack BEC Business Compromise Cyber Security Cyberattack CyberCrime Email hack Hacking MFA Microsoft Panel phishing Report Security threat W3LL

W3LL Store: Unmasking a Covert Phishing Operation Targeting 8,000+ Microsoft 365 Accounts

 

A hitherto undisclosed "phishing empire" has been identified in a series of cyber attacks targeting Microsoft 365 business email accounts spanning six years. 

According to a report from cybersecurity firm Group-IB, the threat actor established an underground market called W3LL Store, catering to a closed community of around 500 threat actors. This market offered a custom phishing kit called W3LL Panel, specifically designed to bypass Multi-Factor Authentication (MFA), alongside 16 other specialized tools for Business Email Compromise (BEC) attacks.

Between October 2022 and July 2023, the phishing infrastructure is estimated to have aimed at over 56,000 corporate Microsoft 365 accounts,  compromising at least 8,000 of them. The majority of the attacks were concentrated in countries including the U.S., the U.K., Australia, Germany, Canada, France, the Netherlands, Switzerland, and Italy. The operators of this operation reportedly reaped approximately $500,000 in illegal gains.

Various sectors fell victim to this phishing campaign, notably manufacturing, IT, consulting, financial services, healthcare, and legal services. Group-IB pinpointed almost 850 distinct phishing websites associated with the W3LL Panel during the same timeframe.

The Singapore-based cybersecurity company has characterized W3LL as a comprehensive phishing tool that offers an array of services, encompassing customized phishing tools, mailing lists, and access to compromised servers. This underscores the growing prevalence of phishing-as-a-service (PhaaS) platforms.

The threat actor responsible for this kit has been active since 2017, initially focusing on creating tailored software for bulk email spam (referred to as PunnySender and W3LL Sender) before shifting their attention towards developing phishing tools for infiltrating corporate email accounts.

A key element of W3LL's arsenal is an adversary-in-the-middle (AiTM) phishing kit, capable of evading multi-factor authentication (MFA) protections. It is available for purchase at $500 for a three-month subscription, followed by a monthly fee of $150. The panel not only harvests credentials but also includes anti-bot features to bypass automated web content scanners, prolonging the lifespan of their phishing and malware campaigns.

The W3LL Store extends a 70/30 split on commissions earned through its reseller program to PhaaS affiliates, along with a 10% "referral bonus" for bringing in other trusted parties. To prevent unauthorized distribution or resale, each copy of the panel requires a license-based activation.

BEC attacks employing the W3LL phishing kit involve a preparatory phase to verify email addresses using an auxiliary utility known as LOMPAT, followed by the delivery of phishing messages. Victims who interact with the deceptive link or attachment are directed through an anti-bot script to filter out unauthorized visitors, subsequently landing on the phishing page via a redirect chain employing AiTM tactics to extract credentials and session cookies.

With this access, the threat actor proceeds to log into the target's Microsoft 365 account without triggering MFA, utilizing a custom tool called CONTOOL for automated account discovery. This enables the extraction of emails, phone numbers, and other sensitive information.

Noteworthy tactics employed by the malware author include using Hastebin, a file-sharing service, to store stolen session cookies, and utilizing platforms like Telegram and email for exfiltrating the credentials to criminal actors.

This disclosure comes shortly after Microsoft's warning regarding the proliferation of AiTM techniques through PhaaS platforms, such as EvilGinx, Modlishka, Muraena, EvilProxy, and Greatness, which facilitate unauthorized access to privileged systems at scale without the need for re-authentication.

"What really makes W3LL Store and its products stand out from other underground markets is the fact that W3LL created not just a marketplace but a complex phishing ecosystem with a fully compatible custom toolset that covers almost entire killchain of BEC and can be used by cybercriminals of all technical skill levels," Group-IB's Anton Ushakov said.

"The growing demand for phishing tools has created a thriving underground market, attracting an increasing number of vendors. This competition drives continuous innovation among phishing developers, who seek to enhance the efficiency of their malicious tools through new features and approaches to their criminal operations."


Read more »
Technology
ChatGPT Cyberattacks Cybersecurity Email OpenAI Technology

ChatGPT Loses Its Spark: Google A.I. Researcher Identifies Children as the Key Challenge

 


The number of ChatGPT users is declining for the first time, and those users are not those you thought they would be. According to estimates from Similarweb, a web analytics firm, a 9.7% drop in traffic to ChatGPT's website was recorded in June, almost two months after it started. U.S. data showed a steeper decline in ChatGPT unique visitors than in Canada. In the U.S., unique visitors to ChatGPT fell by 10.3% from last month. 

In June, according to analytics firm Similarweb, monthly traffic to ChatGPT's website and its registered visitors declined for the first time. This was a result of the popularity of its AI chatbot launched in November. 

Globally, ChatGPT's website generated 9.7% less traffic in June than in May based on its desktop and mobile web traffic. It has been reported that ChatGPT's website has seen a 5.7% drop in unique visitors. The data also reveal that the visitor's time spent on the website was down by 8.5%, as indicated by the statistics of the website. 

Similarweb's Senior Insights Manager, David Carr, said a decline in traffic to the chatbot is a sign that its novelty has worn off, and traffic levels are declining. According to Rishi Jaluria, an analyst at RBC Capital Markets, there is a greater demand for generative AI that can provide real-time data to make better predictions based on the data. 

An inquiry sent to OpenAI for a comment did not receive a response immediately. A frenzied usage of generative AI from chatGPT to everyday tasks such as writing and coding led to a flurry of activity. As two months passed since the debut of the service, it surpassed the milestone of 100 million monthly active users. 

A consumer application like this is one of the fastest-growing applications in history and has now amassed over 1.5 billion monthly visits, making it one of the top 20 websites on the internet. There have been instances where ChatGPT has far surpassed the search engine that Microsoft (MSFT.O) once operated, Bing, which also uses OpenAI's technology in its search engine. 

Recently, some ChatGPT competitors have launched their chatbots such as Google's (GOOGL.O) Bard, which the company first announced a few months ago. A free chatbot powered by OpenAI is also available on Microsoft's search engine Bing, which is connected to OpenAI. 

The ChatGPT app was released by OpenAI for the iOS platform in May, which could reduce some of the traffic that is coming to the website from its iOS app. It has also been suggested that the change in usage is related to the summer break for students, as fewer students seek out homework assistance during the summer. 

There were more than 17 million downloads of the chatbot on iOS worldwide as of July 4, according to data.ai, a firm specializing in analytics. There has been steady growth in the U.S. market for the app. Downloads peaked on May 31 and have continued to rise in the first six weeks after its release, with downloads averaging 530,000 per week. 

It could be that a recent slowdown in growth might enable ChatGPT's running costs to be managed better, since ChatGPT requires a lot of computing power to answer queries, resulting in higher costs. According to Sam Altman, founder, and CEO of OpenAI, the costs to run the company's services are "eye-watering" and will be rolled out in phases. 

There is no cost to use ChatGPT, but you can get access to OpenAI's more advanced model, GPT-4, for $20 a month if you want to subscribe to it as a premium subscription. Based on the latest estimate from YipitData, there are roughly 1.5 million people in the United States who have signed up for the subscription. A revenue estimate of $200 million has been made by OpenAI for this year. ChatGPT, in addition to charging developers and enterprises for API access to its AI models directly, also makes money through a partnership with Microsoft, which invested over $10 billion into the company, and through the sale of its API access directly to developers and enterprises. 

François Chollet, a Google software engineer, and artificial intelligence researcher, knows one thing for sure: There is no error. During an email exchange with Fortune, he commented that "there is one thing certain, it is no longer booming." 

There is something Chollet knows is about to happen: it is summer vacation time. On Twitter, the engineer claimed that the majority of kids would not use ChatGPT for educational purposes, but rather would play Minecraft or enjoy summer activities instead. ChatGPT has seen a steady decline in search interest over the past couple of years, while Minecraft has seen a steady increase in search interest over those same years. 

The reason for this is easy to identify: a significant portion of students are using ChatGPT to do their homework as part of their college classes. As a data scientist and author, Sam Gilbert told me that ChatGPT is commonly used for this purpose, where people can share and exchange data. Among the most popular searches on Google, he found the second most popular type of search is for topics such as "ChatGPT essay", "ChatGPT math," and "ChatGPT history", aside from those related to job applications.
Read more »
phishing
Cyber Attacks CyberCrime DDoS Email Microsoft 365 Microsoft Outlook Outlook phishing

Outlook Services Paralyzed: Anonymous Sudan's DDoS Onslaught

 


In the last few days, several distributed denial-of-service (DDoS) attacks have been launched against Microsoft Outlook, one of the world's leading email providers. Anonymous Sudan, a hackers' collective, has launched DDoS attacks against Microsoft Outlook. The attacks, which aim to disrupt services and create concerns about various issues, have disrupted Outlook users worldwide. Additionally, online platforms are quite vulnerable to cyber threats because they are hosted online. 

Several outages have been reported today on Outlook.com for the same reason as yesterday's outages. Anonymous Sudan, an Internet hacking collective, claims that it performs DDoS attacks against the service on hackers' behalf. 

It has been claimed, however, that the hacktivist group Anonymous Sudan is responsible for the attack. They assert that they are conducting a distributed denial of service (DDoS) attack on Microsoft's service in protest of US involvement in Sudanese internal affairs by operating cyberattacks against its infrastructure. 

Approximately 1 million Outlook users across the globe have been affected by this outage, which follows two more major outages yesterday. Due to this issue, Outlook's mobile app cannot be used by users in a wide range of countries as users cannot send or receive emails. 

There have been complaints on Twitter about Outlook's spotty email service. Users assert that it has impacted their productivity as a result. 

It was announced over the weekend that the hacktivist group would be launching a campaign against the US as a response to the US interference in Sudanese internal affairs recently as part of its anti-US campaign. They cited the visit made by Secretary of State Antony Blinken to Saudi Arabia last week, in which he discussed the ongoing humanitarian situation in the country. 

There has also been an announcement by the White House that economic sanctions will be imposed on various corrupt government entities in Sudan, including the Sudanese Armed Forces (SAF) and the Rapid Support Forces (RSF), which are considered responsible for the escalation of the conflict. 

In response to this, Anonymous Sudan launched a distributed denial of service attack in late November, targeting the ride-sharing platform Lyft, in an attempt to overload a site or server with bot requests, thereby essentially bringing it to a standstill. 

It is also worth noting that several regional healthcare providers across the country were also taken offline during the weekend campaign.

Email communication was interrupted by several disruptions, including delayed or failed delivery of messages, intermittent connectivity problems, and slow response times. This was as a result of this issue. Individual users were inconvenienced by these interruptions; however, businesses that rely on Outlook for their day-to-day operations were also facing challenges as a result of these disruptions. This attack demonstrates the vulnerability of online platforms and emphasizes the need for robust cybersecurity measures to guard against threats of this nature. This is to ensure online platforms remain secure. 

In many tweets posted to Twitter by Microsoft, the company has alternated back and forth between saying they have mitigated the issue and that the issue is back again, implying that these outages are caused by technical issues. 

A group called Anonymous Sudan is claiming responsibility for the outages, claiming they are out to protest the US infiltrating Sudanese internal affairs through its involvement in the DDoS attacks against Microsoft and claim responsibility for the outages as well.

As a result of the continuous DDoS attacks on Microsoft Outlook and Microsoft 365 services, the group has been taunting Microsoft in its statements in the past month. 

There is increasing evidence that Microsoft Outlook continues to suffer crippling attacks from Anonymous Sudan, which frequently result in the suspension of service and the growth of concerns about the security of the online environment due to DDoS attacks launched by Anonymous Sudan. It has been observed that these deliberate disruptions hurt the user experience and the online platform. This is because these disruptions expose them to cyber threats. 

This ongoing situation only confirms the importance of cybersecurity measures to safeguard critical online services. The necessity of introducing these measures would be essential to ensure their protection in the future. Additionally, it raises questions about the platform's ability to cope with persistent and coordinated attacks on its cybersecurity system. 

The case between Anonymous Sudan and Microsoft in a world where cybersecurity threats are increasing by the day, serves as a timely reminder of the importance of continuous vigilance. This is to prevent these threats from becoming stronger as they progress in a direction not fully understood by users.
Read more »
ZIP File
Bitdefender Cisco Crypto Data Breach Decrypter Email Encryption Malicous Files ZIP File

Free MortalKombat Ransomware Decryptor Released

An open-source universal decryptor for the newly discovered MortalKombat malware, which encrypts files, has been made available by the Romanian cybersecurity firm Bitdefender. The virus has been employed on dozens of victims in the United States, United Kingdom, Turkey, and the Philippines, as per a recent Cisco analysis.

Emails with malware ZIP attachments containing BAT loader scripts are sent to random users by MortalKombat distributors. When the script is run, it will download and run the Laplas Clipper and ransomware binaries on the computer.

Although it has been identified since 2010, Xorist is disseminated as a ransomware constructor, enabling online threat actors to design and alter their own variant of the malware. The MortalKombat decryptor is a standalone executable that doesn't require installation on affected devices. The user may optionally choose a specific place holding backed-up encrypted data. It offers to scan the entire filesystem to find files infected by MortalKombat.

In addition, Bitdefender said that the malware has a clipboard-monitoring feature that targets users of cryptocurrencies particularly. The emails include references to expired cryptocurrency payments and attachments that resemble CointPayments transaction numbers but conceal the malware payload. The ransomware, which encrypts all of a PC's data, including those in virtual machines and the recycle bin, is downloaded by the software after its launch. It takes the victim's background and replaces it with a Mortal Kombat 11 image, hence the name.

In a study by PCrisk, Cisco discovered a leaked version of the Xorist builder, where the builder interface options closely mirrored an actual Xorist ransomware building interface. The creator creates an executable ransomware file that the attackers can further modify. Notably, MortalKombat was used in recent attacks by an unidentified financially motivated malicious attacker as a part of a phishing operation targeted at multiple companies.

Read more »
Reddit
AMA Cyber Attacks Cybersecurity Data Theft Email Reddit

An Exploit on Reddit Shows MFA's Limitations

 


It is becoming increasingly obvious that attackers are finding ways to circumvent multifactor authentication mechanisms as a result of the latest hack of a well-known company. 

A threat actor sent out an email containing a link as part of a spearphishing attack on Reddit on January 9, and Reddit's users were informed as a result that one employee had been successfully convinced to click on the link in an email sent out as part of the spearphishing attack. Investigators found that the website mimicked the behavior of the intranet gateway, and attempted to steal second-factor tokens and credentials at the same time.  

According to Reddit, compromising the employee's credentials allowed the attacker to sift through Reddit's systems for a few hours. During this time, they accessed internal documents, dashboards, and code that were stored on the system. 

In a follow-up AMA video, Reddit CTO Chris Slowe (aka KeyserSosa) explained that while his company is investigating, there is still no evidence that the attacker accessed user data or production systems, as he explained in the video. 

Chris Slowe mentioned that the inability to prove a negative makes it extremely difficult for Reddit to determine anything at this point. Therefore, the team at Reddit is continuing its investigation. There is a burden of proof at the moment that suggests that access to the data was limited to several systems outside the main production environment. 

The Reddit social media community has become the latest company to fall victim to a cyberattack that harvests the credentials of its employees and enables access to sensitive systems through social engineering. In late January, Riot Games, the company responsible for making the popular game League of Legends, announced that they had been compromised. Threat actors had exploited a social engineering attack to steal code and delay updating the game, thereby delaying the release of updates. With compromised login credentials taken from Rockstar Games' Rockstar Studios, the maker of the Grand Theft Auto franchise, four months earlier, attackers were able to gain access to the Rockstar Data Warehouse and steal the source code. 

Phishing attacks and credential theft are two of the most common causes of breaches, even when the breaches are minor. As a result of the "2023 Email Security Trends" report published by Barracuda Networks, a provider of application and data protection services, more than three-quarters of IT professionals and IT security managers said their companies had experienced a successful email attack in the past year, according to the survey. Furthermore, there was an average number of fines and recovery costs associated with the most expensive attacks for the average firm. 

However, phishing and spear-phishing are considered common threats to businesses, with only 26% of respondents feeling unprepared for both attacks. Compared to 2019 when 47% and 36% of respondents claimed their firms were unprepared to face the threat of a data breach, this is an improvement. In the report, it was found that there has been an increase in concern over account takeovers in the past few years. 

The report states that although organizations may be better equipped to prevent phishing attacks, they may not have the capacity to resolve account takeovers, which are usually a consequence of phishing attacks that succeed. 

Cybersecurity Relies Heavily on Employees 

Aside from the irony of the Reddit hack, the incident provides a valuable lesson on the importance of employee training. As soon as the employee entered the credentials into the phishing website, he suspected something was amiss, and he immediately contacted Reddit's IT department to inquire about the incident. As a result, the window of opportunity available to the attacker was reduced, and the damage they could do was limited. 

"The time has come for us to stop looking at employees as weaknesses and instead begin to view their contributions to organizations as the strengths they are or can be," Dudley emphasizes. Technical controls are just a limited part of what organizations can do. Employees can also offer further context for why something does not seem right. 

Slowe, Reddit's account manager, said that, in the follow-up AMA, the employee who was at the center of the Reddit breach wouldn't be faced with a long-term punishment, but all access to the account would be revoked until the problem is resolved. 

As always, the problem is that it takes only one person to fall for something like [a phish], he explained. In this case, Slowe mentioned that he is exceptionally grateful that the employee reported it immediately after realizing it had happened.   
Read more »
Security
Cyber Security data security Email Gmail Safety Security

This New Encryption Can Make Gmail Safer

 

There's a new way to keep your Gmail safe from prying eyes, and experts say it's well worth using. Google announced the addition of end-to-end encryption (E2EE) to Gmail on the web, which will allow enrolled Google Workspace users to send and receive encrypted emails within and outside their domain. 

In an email interview with Lifeire, end-to-end encryption is critical for any communications service because it restricts message content to the sender and receiver(s), according to Jeff Wilbur, senior director of online trust at the nonprofit Internet Society.

"This means that the message content can be seen by bad actors or rogue employees and is subject to access by law enforcement under warrant," Wilbur added. "With end-to-end encrypted email, only the sender and recipient(s) have the key to unscramble the data, so it is safe from prying eyes of any kind."

Users of Google Drive, Google Docs, Sheets, Slides, Google Meet, and Google Calendar already have access to client-side encryption, or what Google refers to as E2EE. The email header won't be encrypted if you enable the new encryption. Still, Google claims that data delivered as part of the email's body and attachments cannot be decrypted by Google servers.

"With Google Workspace Client-side encryption (CSE), content encryption is handled in the client's browser before any data is transmitted or stored in Drive's cloud-based storage," Google wrote on its support website. "That way, Google servers can't access your encryption keys and decrypt your data. After you set up CSE, you can choose which users can create client-side encrypted content and share it internally or externally."

The sender's and the receiver's devices—also referred to as device-to-device encryption—are these two ends in a true end-to-end encrypted messaging service, according to Anurag Lal, CEO of the cybersecurity firm NetSfere, in an email interview with Lifewire. He stated that this type of encryption is perfectly safe because it ensures that only the intended recipient can access the messages. Once messages are encrypted on the sender's device, they cannot be decrypted until they reach the receiver's device.

"While traversing the internet, a message may take several hops from server to server before reaching its final destination," he added. "True E2EE ensures that the message cannot be decrypted on any of these hops, thereby providing complete protection. It should be noted that in E2EE, the ends can refer to any two endpoints. Therefore it's essential to know what these endpoints are to understand if your messages are truly protected."

Private Data

Other email services that don't use Gmail provide end-to-end encryption. People can utilize PGP encryption to encrypt their own emails, but there are also email providers that focus on email encryption, like ProtonMail, according to Robert Andersen, CEO of data security firm Grape ID, in an email to Lifewire.

"Sadly, implementing PGP encryption typically requires significantly more effort than most people are willing to put forth (watch online training videos)," he added. "ProtonMail is a good solution for those who don't mind changing email providers and paying a subscription."

According to Kory Fong, vice president of engineering at Private AI, end-to-end encryption is "essential" for emails to maintain confidentiality. The only way to guarantee that only the sender and the recipient can view all the information in that email is to use this method.

"So even the email provider that controls the servers can't see what's in the messages," he added. "Generally, email services like Gmail will encrypt your email in transit, but Google itself can still access the content and even give access to third parties, but won't without explicit consent."

Fong said that ProtonMail is the most well-known provider that offers end-to-end email encryption, even in its free tier. "The company uses asymmetric, zero-access encryption, meaning even ProtonMail itself can't read what's in your emails," he added.

Another option for users who value their privacy above all else is to distribute a public key to others while automatically encrypting their mail with a private key. This is simple to use thanks to programs like GPG Suite and other GPG plugins, according to Fong. Whichever option you select, E2EE for email is crucial because, according to Andersen, email serves as the entry point to your entire online identity and data.

"Email provides centralized access to all of your online accounts, and your 26,000+ tracked digital profile attributes could easily get in the wrong hands leading to hundreds of types of fraud and scams," he added.
Read more »
Spoofing
Cyber Fraud Email Fraud phishing Scam Security Spoofing

The Four Major Types of Spoofing Attacks and How to Avoid Them

 

Spoofing is the act of concealing a communication or identity so that it appears to be from a reliable, authorized source. Spoofing attacks can take many forms, ranging from the common email spoofing attacks used in phishing campaigns to caller ID spoofing attacks used to commit fraud. 

As part of a spoofing attack, attackers may also target more technical elements of an organization's network, such as an IP address, domain name system (DNS) server, or Address Resolution Protocol (ARP) service. 

Spoofing attacks typically prey on trusted relationships by impersonating a person or organization known to the victim. These messages may even be personalized to the victim in some cases, such as whale phishing attacks that use email spoofing or website spoofing. there are various types of spoofing attacks. Here are three of the most common.
  • IP spoofing attack
An IP spoofing attack occurs when an attacker attempts to impersonate an IP address in order to pretend to be another user. The attacker sends packets from a false source address during an IP address spoofing attack. These IP packets are sent to network devices and function similarly to a DoS attack. To overwhelm a device with too many packets, the attacker uses multiple packet addresses.
 
IP spoofing attacks, which are one of the more common types of spoofing attacks, can be detected using a network analyzer or bandwidth monitoring tool. Monitoring your network will allow you to monitor normal traffic usage and detect abnormal traffic. This alerts  that something isn't right and allows you to investigate further.

If looking for IP addresses and flow data in particular that can lead you to illegal internet traffic. Detecting IP spoofing attacks early is critical because they frequently occur as part of DDoS (Direct Denial of Service) attacks, which can bring the entire network down.
  • Email Spoofing Attacks
Email spoofing attacks occur when an attacker sends an email that appears to be from another sender. The sender field is spoofing in these attacks to display bogus contact information. The attacker pretends to be this entity and then sends you an email asking for information. These attacks are frequently used to impersonate administrators and request account information from other members of staff.
 
Email spoofing attacks are perhaps the most dangerous because they directly target employees. Responding to the wrong email can give an attacker access to sensitive information. If you receive a spoofed email, your first line of defense should be to be skeptical of email display names.

Attackers frequently spoof display names, so double-check the email address. If the email contains any links, you can open them in a new window to see if they are legitimate. It's also a good idea to look for spelling mistakes and other inaccuracies that could indicate the sender isn't legitimate.
  • DNS Spoofing Attacks
DNS, or domain name system, attacks jumble up the list of public IP addresses. DNS servers maintain a database of public IP addresses and hostnames that are used to aid in network navigation. When a DNS attack occurs, the attacker alters domain names, causing them to be rerouted to a new IP address.

One example is when you enter a website URL and are directed to a spoofed domain rather than the website you intended to visit. This is a common method for attackers to introduce worms and viruses into networks.

It is a good idea to use a tool like dnstraceroute to detect a DNS spoofing attack. DNS spoofing attacks rely on an attacker spoofing the DNS response. Using dnstraceroute, you can see where the DNS request was answered. You'll be able to see the DNS server's location and whether someone spoofed the DNS response.
Read more »
Spam
Cyber Security Email Email Attacks Fraud Mails Phishing and Spam Phishing Attacks Spam

Snowshoeing: How the Tactic can Spam Through Your E-mails

 

Cybercriminals employ a wide array of fraudulent techniques to entice users into falling for their email traps. One such infamous technique that draws attention while we speak of various scamming methods, is ‘Spam Emails’. 
 
Spam emails are one of the various pitfalls for netizens. These emails come with a multitude of capacities and can have numerous impacts on a user, even leading to severe scams. One of the spamming tactics used by spammers is 'Snowshoeing', which we will be discussing today. What is Snowshoeing? Snowshoeing is essentially spamming on a very large scale. In a snowshoeing campaign, the spammer may use multiple IP addresses in order to spread spam emails over various internet domains.  
 
Snowshoeing technique derives its name from how 'snow shoes' spread across a large surface area. If you use a regular shoe on snow, it will most likely result in you sinking or slipping on the ice. With snow shoes, a person's weight spreads out more evenly, they are designed to have that effect.  
 
Similarly, in Snowshoeing spamming, the attacker makes use of multiple IP addresses, rather than one, in order to consequently spread the spam load across various domains. This way, Snowshoeing spam could comparatively be very dangerous to its targets than many other spamming tactics. 
 

What Does Snowshoe Spamming Mean? 


Snowshoe spamming is a strategy in which spam is propagated over several domains and IP addresses to weaken reputation metrics and avoid filters. The increasing number of IP addresses makes recognizing and capturing spam difficult, which means that a certain amount of spam reaches their destination email inboxes. Specialized spam trapping organizations are often hard-pressed to identify and trap snowshoe spamming via conventional spam filters.  
 
The strategy of snowshoe spamming is similar to actual snowshoes that distribute the weight of an individual over a wide area to avoid sinking into the snow. Likewise, snowshoe spamming delivers its weight over a wide area to steer clear of filters, expertly navigating them.  

 
How does Snowshoeing work? 

 
Snowshoeing differs from other solicited bulk mail and criminal spams, as in Snowshoeing, the attacker leverages several fraudulent business names and fake identities than just one, changing voice-mails and postal drops on a regular basis.  
 
While a reputable mailer put a good effort to garner trust from an audience, and to develop a brand reputation by using legitimate business addresses, identified domains, and small, static, and easily identifiable selection of IPs, in order to present the audience with a legitimate identity. On the other hand, Snowshoe spammers make use of anonymous and unidentified "whois" records. 
 
To further spread the spam load, snowshoe spammers frequently utilise domain assortments, which may be connected to many providers and servers.   
 
Snowshoe spammers use anonymous domains, which makes it nearly impossible to track down the owner and report the spam. 
 

How to tackle Snowshoeing spam? 

 
In order to mitigate Snowshoe spamming, administrators may follow certain steps, such as applying policies hierarchically at the organization, group, or mailbox level. One may as well rewrite addresses. For complex, multi-domain environments, one may rewrite both inbound and outgoing addresses. 
 
Read more »
Security
Campaign Data Email File malware Safety Security

New Grandoreiro Banking Malware Campaign Targeting Spanish Manufacturers

 

The notorious 'Grandoreiro' banking trojan was discovered in recent attacks targeting employees of a chemicals manufacturer in Spain and automotive and machinery manufacturers in Mexico. The malware has been active in the wild since at least 2017 and continues to be one of the most serious threats to Spanish-speaking users. 

The most recent campaign, discovered by Zscaler analysts, began in June 2022 and is still ongoing. It entails the deployment of a Grandoreiro malware variant with several new anti-detection and anti-analysis features, as well as a redesigned C2 system.

The infection chain begins with an email purporting to be from the Mexican Attorney General's Office or the Spanish Public Ministry, depending on the target. The message's subject matter includes state refunds, notices of litigation changes, mortgage loan cancellations, and other items.

The email contains a link that takes recipients to a website where they can download a ZIP archive. That file contains the Grandoreiro loader module disguised as a PDF file in order to trick the victim into running it. Once this occurs, the loader retrieves a Delphi payload in the form of a compressed 9.2MB ZIP file from a remote HTTP file server ("http://15[.]188[.]63[.]127:36992/zxeTYhO.xml") and extracts and executes it.

The loader gathers system information, retrieves a list of installed antivirus programmes, cryptocurrency wallets, and e-banking apps, and sends it to the C2. To avoid sandbox analysis, the final payload is signed with a certificate stolen from ASUSTEK and has an inflated size of 400MB thanks to "binary padding."

In one case, as security analyst Ankit Anubhav pointed out on Twitter, Grandoreiro even asks the victim to solve a CAPTCHA to run on the system, which is yet another attempt to avoid detection. Finally, Grandoreiro is made persistent between reboots by adding two new Registry keys and setting it to launch at system startup.

Grandoreiro features

One of the new features in the latest Grandoreiro variant sampled by Zscaler is the use of DGA (domain generation algorithm) for C2 communications, which makes mapping and taking down the malware's infrastructure difficult.

The C2 communication pattern is now the same as LatentBot's, with "ACTION+HELLO" beacons and ID-based cookie value responses. The similarities between the two malware strains were discovered by Portuguese cybersecurity blogger Pedro Taveres in 2020, but the C2 communication techniques were only recently incorporated into Grandoreiro's code.

The malware on the host has the following backdoor capabilities:
  • Keylogging
  • Auto-Updation for newer versions and modules
  • Web-Injects and restricting access to specific websites
  • Command execution
  • Manipulating windows
  • Guiding the victim's browser to a specific URL
  • C2 Domain Generation via DGA (Domain Generation Algorithm)
  • Imitating mouse and keyboard movements
Outlook

The recent campaign suggests that Grandoreiro's operators prefer to carry out highly targeted attacks rather than send large volumes of spam emails to random recipients.

Furthermore, the malware's continuous evolution, which provides it with stronger anti-analysis and detection avoidance features, lays the groundwork for stealthier operations. While Zscaler's report does not go into detail about the current campaign's objectives, Grandoreiro's operators have previously demonstrated financial motivations, so the case is assumed to be the same.
Read more »
VPNS
Anonymous Email Russia Telegram Ukraine Ukraine Websites VPNS

Anonymous Rises Again Amid Russia Ukraine War

 

Anonymous, the international hacktivists collective has surfaced again, this time, the group claims to have hacked RoskoAmnadzor (known as Federal Service for Supervision of Communications, Information Technology and Mass Media), a federal Russian agency. Anonymous has also claimed that it stole more than 360,000 files. You have mostly read about Russian banning VPNs, Telegram, or email services, however, there's a particular agency that bans these services. 

It's called Roskomnadzor, a major federal executive agency that is responsible for handling, managing, and censoring Russian media. "Anonymous also targeted and hacked misconfigured/exposed Cloud databases of Russian organizations. Tho shocking aspect of the attack was the fact that Anonymous and its affiliate hackers hacked 90% of Russian Cloud databases and left anti-war and pro Ukrainian messages," Hackread reports. 

Details about the attack 

The size of the leaked data is 820 GB, most of these database files in the database related to Roskomnadzor's data are linked to the Republic of Bashkortostan, Russia's largest provinces. The full dataset is now available on the official website of Distributed Denial of Secrets (aka DDoSecrets), a non for profit whistleblower organization. However, it should be noted that initially started as an Anonymous affiliate shared Roskomnadzor's data with DDoSecrets and the agency itself is not responsible for the attack. Besides this, the first announcement of the data leak came from a journalist and co-founder of DDoSecrets Emma Best in March 2022. 

YourAnonNews, a famous representative of the Anonymous collective also tweeted about the attack. Anonymous has openly sided with Ukraine over the ongoing war with Russia, the Russian government has restricted all important sources of information, especially news and media outlets, and Roskomnadzor was told to block Facebook, Twitter, and other online platforms. 

Hackread reports, "While Twitter launched its Tor onion service, authorities in Russia have also amended the Criminal Code to arrest anyone who posts information that contradicts the government’s stance. Nevertheless, since Roskomnadzor is a major government agency responsible for implementing government orders Anonymous believes the Russian public must have access to information about what is going on within Roskomnadzor."
Read more »
WordPress
Bugs data security Email Flaws Fraud phishing Vulnerabilities and Exploits WordPress

20K WordPress Sites Exposed by Insecure Plugin REST-API

 

The WordPress WP HTML Mail plugin is prone to a high-severity issue that can lead to code injection and the distribution of persuasive phishing emails. It is used by over 20,000 sites. 

'WP HTML Mail' is a plugin that allows creating customized emails, contact form notifications, and other messages that online platforms deliver to their users. 

WooCommerce, Ninja Forms, BuddyPress, and other plugins are all functional with the plugin. While the volume of sites that utilise it isn't big, many of them have a large audience, causing the vulnerability to impact a large number of people. 

According to research by Wordfence's Threat Intelligence team, an unauthenticated actor might use the vulnerability dubbed "CVE-2022-0218" to change the email template to include arbitrary information. 

Cybercriminals can also utilise the same flaw to send phishing emails to anyone who has registered on the hacked sites. The problem is with how the plugin registers two REST-API routes for retrieving and updating email template settings. 

Unauthorized users can call and execute the functions since these API endpoints aren't appropriately protected from unauthorised access. 

In its report, Wordfence explains in detail: “The plugin registers the /themesettings endpoint, which calls the saveThemeSettings function or the getThemeSettings function depending on the request method. The REST-API endpoint did use the permission_callback function, however, it was set to __return_true which meant that no authentication was required to execute the functions. Therefore, any user had access to execute the REST-API endpoint to save the email’s theme settings or retrieve the email’s theme settings.” 

Aside from phishing assaults, an adversary might inject harmful JavaScript into the email template, which would run whenever the site administrator accessed the HTML mail editor. This might lead to the creation of new admin accounts, the redirection of site visitors to phishing sites, the injection of backdoors into theme files, and even the entire takeover of the site. 

On December 23, 2021, Wordfence detected and reported the vulnerability to the plugin's creator, but they didn't hear back until January 10, 2022. With the release of version 3.1 on January 13, 2022, a security fix addressed the vulnerability. 

As a result, all WordPress site owners and administrators should make sure they have the newest version of the 'WP HTML Mail' plugin installed.
Read more »
Mobile Security
Email Email Hacking FBI Gmail Google Voice Mobile Security

You Might Be A Victim Of Google Voice Scam, Here's How To Protect Your Account

 

According to the FBI, Americans sharing their contact numbers online are attacked by Google Voice authentication scams. FBI explains that scammers are targeting users who have posted their phone numbers as a form of contact while trying to sell their products or services on online market platforms and social media. 

"Recently, we have also been getting reports of people who are getting targeted in other locations, including sites where you post about lost pets," reports FBI. 

Once successful, scammers set up a Google voice account in their victims' name or hack the target's Gmail accounts. Scammers use these hijacked emails later for other malicious campaigns or phishing attacks. 

The scammers contact their targets using text messages or emails that show their interest in items up for selling, the scammer then asks the seller to verify themselves by providing an authentication code from Google. FBI says "what he is really doing is setting up a Google Voice account in your name using your real phone number as verification."

After the Google Voice account is set up, scammers can easily launch other attacks, these attacks can't be retracted back to their origin. An attacker can also use these codes to penetrate and take control of a victim's Gmail account. 

How to protect yourself? 

If you have suffered a Google Voice authentication scam, the FBI suggests visiting Google's support website for assistance on how to get back your Google Voice account and retake your Voice number. 
  • You can also follow these tips suggested by the FBI:  ‌
  • Never share your Google verification code with anyone.  ‌
  • Only deal with buyers or customers in person. Use verified payment platforms for money transfer. ‌Avoid sharing your email Ids to buyers/sellers doing business on phone. 
  • Don't rush yourself into a sale. Your buyer may pressure you to respond, keep patience, don't get manipulated. 
If you suspect you have fallen victim to these online scams, you can report the incident to the FBI's Internet Crime Complaint Center, or call their local FBI office. 

"If your linked number gets claimed, that means you or someone else is using that number with another Voice account. If you still own the linked number, you can add it back to the Voice account where you want to use it," says the Google support website.
Read more »
Phishing Attacks
Cyber Attacks Email Email Account Compromise IKEA phishing Phishing Attacks

IKEA Suffers Phishing Cyberattack, Employees Mail Compromised

 

Once the mail servers are compromised, hackers use them for gaining access to reply to the organization's employee emails in reply-chain attacks. If a message is sent from a company, it saves the hacker from getting caught. Hackers also compromise access to internal company emails, targetting business partners. IKEA warned its employees of an ongoing reply chain phishing attack on internal mailboxes. The compromised emails are also sent from different IKEA organizations and firm partners. The cyberattack targets Inter IKEA mailboxes, and different IKEA companies, business partners and suppliers, that were affected by the same attack.

"The emails originate from the same internal network, appear to be a continuation of a previous discussion between two employees. The attacker did not use tools for lateral movement or execute malware on the Exchange servers to avoid detection. The emails use weaponized Office documents or include a link to them. Upon enabling the content, malicious macros are executing to download and install the malware, such as Qbot, Cobalt Strike, and SquirrelWaffle," reports SecurityAffairs. 

The attack is also sending these malicious emails to employees in users in IKEA organizations. Meaning, the attack might come from emails, it can come from a co-worker, an external company, or a reply thread for an already continued conversation. It is a warning to the employees which hints that fraud messages are difficult to notice because they come from within an organization. Phishing messages containing downloaded links include seven digits at the end, the organization asked employees to bring to notice if they find anything suspicious. 

IKEA also disabled the option of employees sending the emails from quarantine, to avoid the confusion that messages were separated for error by email filters. Security Affairs reports, "recently Trend Micro spotted a malware campaign aimed at Microsoft Exchange servers that exploits ProxyShell and ProxyLogon issues and use stolen internal reply-chain emails to avoid detection."
Read more »
XSS Vulnerability
API Cloud based services Cyber Security Email XSS Vulnerability

Bugs in the Zimbra Server Could Lead to Unrestricted Email Access

 

Multiple security flaws have been uncovered in the Zimbra email collaboration software, which could be abused to compromise email accounts by sending a malicious message or even take control of the mail server if it is housed on a cloud infrastructure. Researchers from code quality and security solutions company SonarSource found and reported the flaws in Zimbra 8.8.15 in May 2021, dubbed CVE-2021-35208 and CVE-2021-35209. Since then, Zimbra versions 8.8.15 Patch 23 and 9.0.0 Patch 16 have been released with mitigations. 

"A combination of these vulnerabilities could enable an unauthenticated attacker to compromise a complete Zimbra webmail server of a targeted organization," said SonarSource vulnerability researcher, Simon Scannell, who identified the security weaknesses. "As a result, an attacker would gain unrestricted access to all sent and received emails of all employees." 

Zimbra is a cloud-based email, calendar, and collaboration suite for businesses that comes in both an open-source and commercially supported version with extra capabilities like a proprietary connector API for synchronising mail, calendar, and contacts with Microsoft Outlook, among other things. It's utilised by more than 200,000 companies in 160 countries. 

The first flaw, discovered by Simon Scannell, could be exploited simply by opening a malicious email with a JavaScript payload. A cross-site scripting (XSS) bug (CVE-2021-35208) would be triggered in a victim's browser if they opened such a rigged email. According to SonarSource, when the payload is performed, it gives an attacker access to the victim's emails as well as their webmail session. They also claimed that it would serve as a starting point for additional assaults: “With this, other features of Zimbra could be accessed and further attacks could be launched.”

The second bug is an allow-list bypass that leads to a powerful server-side request forgery (SSRF) vulnerability (CVE-2021-35209) that may be exploited by an authenticated account belonging to a member of a targeted organisation with any permitted role. If the two bugs are combined, a remote attacker will be able to obtain valuable information from cloud infrastructure instances, such as Google Cloud API Tokens or AWS IAM credentials. 

"Zimbra would like to alert its customers that it is possible for them to introduce an SSRF security vulnerability in the Proxy Servlet," the company noted in its advisory. "If this servlet is configured to allow a particular domain (via zimbraProxyAllowedDomains configuration setting), and that domain resolves to an internal IP address (such as 127.0.0.1), an attacker could possibly access services running on a different port on the same server, which would normally not be exposed publicly."
Read more »
malware
CAPTCHA Security Email malware

Hackers hiding malware behind Captcha







Hackers are hiding malware inside the Captcha to evade email security gateways. This technique helps attackers in establishing the authencity of the email. 

There are various social engineering methods that are used by the hackers in tricking users to believe them. 

A new email campaign using an email id @avis.ne.jp, alerts recipients that they received a voice message.  The voice attached with a preview tempts users to listen to the full message.

The email contains a play button, which directs users to the page that contains captcha, this step is to bypass the automated analysis tools and to bypass secure email gateways.

The malicious page asks users to select a Microsoft account to log in when the victim login all their credentials are captured.

“Both pages are legitimate Microsoft top-level domains, so when checking these against domain reputation databases we receive a false negative and the pages come back as safe,” reads Cofense report.

Before clicking on any link attached to the email, the user should investigate that the website is safe or not. 


Read more »
Email Hacking
Aeronautical Aeronautical Development Agency Business Email Compromise Email Email Account Compromise Email Hacking

Aeronautical agency’s email account hacked

The official email account of the Aeronautical Development Agency (ADA) was recently hacked and data manipulated, allegedly by a private aerospace engineering company.

The hackers breached into the TAN login and even changed a mobile number linked the certain account and unauthorised online corrections were made to manipulate tax returns of a private aerospace engineering company in Bengaluru.

Rangarajan S (58), a senior executive with the ADA, filed a complaint with the cybercrime police of the Criminal Investigation Department (CID) seeking legal action against unknown hackers on June 4. Based on the complaint, the police registered a case under various sections of the Information Technology Act and are probing.

In his complaint, Rangarajan said the hackers not only accessed details of financial transactions, but also made changes in the TDS for 2017-18. In addition to this, the hackers also allegedly changed the password, email ID and mobile IDs, and updated the PAN details of the company they belonged to. The police said the fraud might have occurred between March and May this year and come to light recently during the verification of official accounts.

“On March 31, an amount of Re 1 has been remitted to ADA’s TAN number. Also, some unknown person has filed 27EQ return of 4th quarter FY 2018-19 offline on May 7 (possibly at TIN-FC centre). ADA’s TDS Reconciliation and Correction Enabling Systems user ID and login password have been accessed unauthorisedly on May 14.”

Confirming the account’s hacking, senior ADA officials said that though there has been a breach in the account, there is no security concern. “This is not a serious issue as the account was in the open domain. No data pertaining to the agency has been compromised,” an officer said.

The cybercrime police are trying to ascertain the motive behind the hacking.
Read more »
MSN
Email Hotmail Microsoft MSN

Microsoft’s email services hacked




Microsoft has confirmed a data breach by unknown hackers who might have been successful in accessing a ‘’limited’’ number of Microsoft customer’s Email.

According to the company, hackers breached the Microsoft network between January 1 and March 28 and compromised the Microsoft support agent’s credentials.

Microsoft sent an email notification to all their customer via stating, “This unauthorized access could have allowed unauthorized parties to access and/or view information related to your email account (such as your e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses you communicate with), but not the content of any e-mails or attachments”

The company has confirmed the incident to TechCrunch that account of users of services like @msn.com and @hotmail.com had been compromised in the recent breach, but the exact number of victims is not known. 

“We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access,” said a Microsoft spokesperson in an email.

Microsoft is urging all its affected users to change their passwords immediately. 




Read more »
Subscribe to: Posts (Atom)