
Baltimore City was Duped Out of $376K


A new report from the Office of the Inspector General (OIG) reveals that a cyber-criminal posing as a vendor duped Baltimore city out of hundreds of thousands of dollars last year. In October 2021, the OIG opened an investigation after receiving information from Baltimore's Bureau of Accounting and Payroll Services (BAPS) about an alleged fraudulent Electronic Funds Transfer (EFT). The Mayor's Office of Children and Family Success (MOCFS) paid the Vendor by EFT.

On December 22, 2020 and January 7, 2021, BAPS and MOCFS were contacted by an email address associated with an employee of the Vendor firm, asking for a change to the Vendor's EFT remittance details. On December 16, 2020, the same address had sent BAPS a Vendor Payment & Electronic Funds Transfer Form.

The OIG later determined that the Vendor Employee's email account had been compromised through a phishing attack, and that the malicious actor had created mailbox rules in the account. Those rules allowed the attacker to correspond with City workers without the Vendor's awareness.

On January 5, 2021, the fraudster contacted MOCFS and BAPS once more, this time requesting that the funds be transferred to a new account at a third financial institution. As verification, the fraudster sent a bank letter and a copy of a voided check bearing the same details as the third account. Believing the fraudster's assertions, BAPS paid $376,213.10 into the third account on January 7, 2021.

The OIG found that BAPS employees do not have access to a list of authorized signatories for vendors and must rely on information given by representatives of City agencies. Furthermore, instead of independently validating the information and the request, BAPS relied on MOCFS to vouch for the request and accepted an incoming phone call from someone pretending to be the Vendor's Chief Financial Officer.

In his response to the report, Director of Finance Henry Raymond notified the OIG that new protocols had been implemented requiring Department of Finance (DOF) workers to independently verify bank changes with an executive-level employee. DOF has also devised processes to exclude City agencies from vendor accounting procedures.
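The mailbox rules the OIG describes are the most durable artefact a phishing-based account takeover leaves behind, and they are worth auditing on every vendor-facing mailbox. The following is an added example, not code from the OIG report or from Baltimore's systems: it walks an exported list of inbox rules and flags the combination of behaviours an intruder relies on to stay invisible while redirecting payment correspondence. The JSON export format, the trusted domain `vendor.example`, the keyword list and the sample rules are all constructed for illustration.

```python
"""Audit exported mailbox rules for signs of a phishing-based account takeover:
forwarding to outside domains, deleting or hiding matching mail, and silently
marking it read. Added example; the export shape below is an assumed,
simplified JSON structure, not any vendor's real format."""
import json

# Assumption: the organisation's own domain(s). Forwarding here is normal.
TRUSTED_DOMAINS = {"vendor.example"}
# Finance vocabulary a BEC actor typically filters on (constructed list).
SUSPICIOUS_KEYWORDS = {"invoice", "payment", "wire", "bank", "remittance", "eft"}
# Folders a mailbox owner rarely looks at, so matching mail vanishes from view.
HIDING_FOLDERS = {"rss feeds", "conversation history", "deleted items", "archive", "junk"}


def audit_rule(rule: dict) -> list:
    """Return the list of reasons a single rule looks like attacker tooling."""
    reasons = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})

    # Empty or one-character names are a common tell: the rule is not meant to be found.
    if len(rule.get("name", "").strip()) <= 1:
        reasons.append("rule has an empty or single-character name")

    for addr in actions.get("forward_to", []):
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in TRUSTED_DOMAINS:
            reasons.append(f"forwards to external address {addr}")

    if actions.get("delete"):
        reasons.append("deletes matching messages")

    folder = (actions.get("move_to") or "").lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves matching messages to '{folder}'")

    # Finance keywords alone are benign; combined with hiding, deleting or
    # mark-as-read they describe the remittance-change fraud above.
    words = {w.lower() for w in conditions.get("subject_or_body_contains", [])}
    hit = words & SUSPICIOUS_KEYWORDS
    if hit and (reasons or actions.get("mark_read")):
        reasons.append(f"targets finance keywords {sorted(hit)}")
    return reasons


def audit_rules(export_json: str) -> dict:
    """Map rule name -> reasons for every rule that raises at least one concern."""
    findings = {}
    for rule in json.loads(export_json):
        reasons = audit_rule(rule)
        if reasons:
            findings[rule["name"]] = reasons
    return findings


# Constructed export: two ordinary user rules and one takeover-style rule.
RULES_EXPORT = json.dumps([
    {   # normal housekeeping: a newsletter sorted into its own folder
        "name": "Newsletters",
        "conditions": {"from": ["news@vendor.example"]},
        "actions": {"move_to": "Newsletters"},
    },
    {   # delegation that stays inside the organisation
        "name": "Cover while on leave",
        "conditions": {},
        "actions": {"forward_to": ["colleague@vendor.example"]},
    },
    {   # the pattern from the OIG report: finance mail hidden from the owner and copied out
        "name": ".",
        "conditions": {"subject_or_body_contains": ["invoice", "payment", "remittance"]},
        "actions": {"forward_to": ["accounts@vendor-billing.example"],
                    "move_to": "RSS Feeds", "mark_read": True},
    },
])

if __name__ == "__main__":
    for name, reasons in audit_rules(RULES_EXPORT).items():
        print(f"rule {name!r}:")
        for reason in reasons:
            print("  -", reason)
```

Run it over an export of every mailbox that corresponds with accounts-payable staff; a clean run returns an empty dictionary, and any hit is a reason to pause pending remittance changes until the account owner confirms them out of band.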

ICO Struck by 2650% Rise in Email Attacks in 2021


The UK's Information Commissioner's Office (ICO) recorded a whopping 2650% spike in email attacks in 2021, according to official figures obtained by the Parliament Street think tank through a Freedom of Information request.

Email attacks on the UK's privacy and data protection regulator increased from 150,317 in January to 4,135,075 in December, according to the findings. For each month of last year, the data gives the volume of phishing emails discovered, malware detected and blocked, and spam detected and blocked by the ICO.

The majority of the attacks were spam emails, which increased by 2775% from January to December. Over the same period, the number of phishing emails climbed by 20%, while malware increased by 423%.

The statistics show a sharp increase in email attacks in December, with 4,125,992 spam messages, 7,886 phishing emails, and 1,197 malware cases. This increase is likely linked to the Omicron variant's rapid spread in the UK at the end of the year, with threat actors able to use topics such as testing and immunizations as bait. This is in addition to the Christmas scams that proliferate in the build-up to the holidays.

Edward Blake, area vice president EMEA of Absolute Software, commented: “Cyber-attacks are targeting organizations across the globe at an alarming rate, once again reminding businesses of the need to re-evaluate and revamp their security protection if it is not up to scratch. Cybersecurity is not just about protecting endpoints via anti-malware or email cybersecurity solutions. While these are important, there are now a variety of access points for cyber-criminals to capitalize on that IT leaders need to be aware of. These include vulnerable unpatched applications and network vulnerabilities, stolen or illegally purchased log-in credentials or even by hacking unprotected smart devices.” 

Barracuda Networks' manager, Steven Peake, expressed similar concerns, saying: “The pandemic continues to be a catalyst for opportunistic cyber-criminals to try and prey on unsuspecting, vulnerable people. Our recent research showed a 521% surge in COVID-19 test-related phishing attacks, so it is hardly surprising to see major organizations, such as the ICO, hit by such a high volume of threats as they represent lucrative targets. Phishing emails, malware, and spam, in particular, account for a large proportion of the threats these organizations face, so they need to implement measures to protect themselves. These cyber-attackers aren’t going anywhere anytime soon.” 

As part of its plans to reform the country's data sector, the UK government announced plans to revamp the ICO's structure last year.

You Might Be A Victim Of Google Voice Scam, Here's How To Protect Your Account


According to the FBI, Americans who share their contact numbers online are being targeted by Google Voice authentication scams. The FBI explains that scammers go after users who have posted their phone numbers as a point of contact while trying to sell products or services on online marketplaces and social media.

"Recently, we have also been getting reports of people who are getting targeted in other locations, including sites where you post about lost pets," the FBI reports.

Once successful, scammers set up a Google Voice account in the victim's name or take over the target's Gmail account. The hijacked accounts are later used for other malicious campaigns or phishing attacks.

The scammers contact their targets by text message or email, expressing interest in the items for sale, and then ask the seller to verify themselves by providing an authentication code from Google. The FBI says: "what he is really doing is setting up a Google Voice account in your name using your real phone number as verification."

After the Google Voice account is set up, scammers can easily launch other attacks that cannot be traced back to their origin. An attacker can also use these codes to break into and take control of a victim's Gmail account.

How to protect yourself? 

If you have suffered a Google Voice authentication scam, the FBI suggests visiting Google's support website for assistance on how to get back your Google Voice account and retake your Voice number. 
You can also follow these tips suggested by the FBI:
  • Never share your Google verification code with anyone.
  • Only deal with buyers or customers in person. Use verified payment platforms for money transfers. Avoid sharing your email address with buyers or sellers doing business by phone.
  • Don't rush into a sale. Your buyer may pressure you to respond; be patient and don't be manipulated.
If you suspect you have fallen victim to these online scams, you can report the incident to the FBI's Internet Crime Complaint Center, or call their local FBI office. 

"If your linked number gets claimed, that means you or someone else is using that number with another Voice account. If you still own the linked number, you can add it back to the Voice account where you want to use it," says the Google support website.

TA551 Employs the SLIVER Red Team Tool


According to cybersecurity firm Proofpoint, the cybercriminal group known as TA551 has made a significant shift in tactics by adding the open-source pentest tool Sliver to its arsenal.

Proofpoint has been tracking TA551 as a criminal threat actor since 2016; other security firms refer to it as Shathak. According to Proofpoint, TA551 obtains stolen emails or compromised email accounts and uses them in email campaigns to distribute malware, a technique commonly known as thread hijacking. Ursnif, IcedID, Qbot, and Emotet are among the malware payloads TA551 has delivered. For ransomware threat actors, this actor serves as an initial access facilitator.

The use of SLIVER illustrates TA551's versatility. As an established initial access broker, TA551 gains entry through email campaigns, compromises a victim and may then broker that access for the deployment of Cobalt Strike and, eventually, ransomware. SLIVER gives TA551 operators rapid access to victims and direct interaction with them, along with capabilities for execution, persistence, and lateral movement, which could eliminate the need for a secondary access tool.

Proofpoint assesses with high confidence that the group's banking-trojan operations have led to ransomware attacks. In 2020, TA551 IcedID implants were linked to the Maze and Egregor ransomware attacks.

On October 20, 2021, Proofpoint observed emails that appeared to be replies to earlier conversations and carried password-protected compressed Word documents. The attachments download Sliver, an open-source, cross-platform adversary simulation and red team platform. The activity differed significantly from the tactics, techniques, and procedures previously seen from TA551. When a victim opens the zipped attachment, they are presented with a Microsoft Word document containing macros; if macros are enabled, SLIVER is downloaded.

SLIVER, which is freely available online, provides information collection, command and control (C2) functionality, token manipulation, process injection, and other functions. Cybercrime threat actors are increasingly relying on red-teaming tools: between 2019 and 2020, for example, Proofpoint saw a 161% rise in threat actors using the red-teaming tool Cobalt Strike. Lemon Tree and Veil are two further offensive frameworks that appear to be employed as first-stage payloads by cybercriminals.

Cybercriminals' adoption of Sliver comes only months after US and UK government agencies warned that Russian state-sponsored cyberspy organization APT29 had added the pentest framework to their arsenal. However, the move is unsurprising, as security specialists have long warned of the blurring line between nation-state and cybercriminal activity, with each side adopting strategies from the other to better mask their footprints, or engaging in both sorts of operations.

Chipotle's Email Marketing Account Compromised to Spread Malware


In mid-July, a new phishing attack was detected that used a compromised mailing service account. In the four days between July 13, 2021 and July 16, 2021, the anti-phishing firm Inky uncovered 121 phishing emails in this campaign.

In May 2021, Nobelium (suspected of being behind the SolarWinds attack) tried a similar phishing method. Microsoft reported in May on a Nobelium campaign in which fraudulent emails were delivered to 3,000 accounts across 150 companies in 24 countries. All of the fraudulent emails were sent by Constant Contact mailing service, using the hacked account of the US Agency for International Development (USAID). 

Inky, the anti-phishing firm that identified the new campaign, notes that the 121 emails it observed are likely a small fraction of the total sent. Inky states in its report that it is examining whether the current campaign was initiated by the same threat actor or by copycat criminals using the same approach as Nobelium.

The method consists of compromising a legitimate mail service user's account. In the most recent instance, the account belonged to Chipotle, a fast-food chain, and the mail provider was Mailgun. Because the emails appear to come from authentic, high-reputation sources, this approach has a high success rate.

Since they come from a high-reputation IP address (Mailgun's) and pass SPF and DKIM authentication, the emails clear various automated phish detection systems.

Of the 121 phishing emails discovered, two were vishing attacks (phony voicemail alerts with malware attachments), 14 impersonated USAA Bank, and 105 impersonated Microsoft. Inky does not specify what malware was used in the vishing attacks, nor does it name the firms that were phished.

A mail.chipotle[.]com link in the 14 USAA Bank impersonations led to a fraudulent USAA Bank credential-harvesting site. The site is a convincing copy of the legitimate bank site, complete with a faithful copy of the USAA logo.

The researchers commented, “The black hats can make these pages by simply cloning the real page, changing just one or two details to the underlying HTML, and voila! A credential-harvesting page is born.” 

The majority of the phishing emails masquerade as coming from Microsoft. This is predictable, given that nearly everyone has a Microsoft account and that almost all such accounts hold a wealth of information (such as other logins, trade secrets, financial details, and more).

In the sample presented by Inky, the email is sent by ‘Microsoft 365 Message Center’. The subject reads, “You have (7) clustered/undelivered emails 16 July 2021.” This should not mislead an informed user, who would wonder why Microsoft is sending emails through a fast-food chain, but it may deceive automated detection systems that depend largely on sender reputation.

The email's body is a classic fraud trap. Seven emails addressed to the target have been held up due to storage difficulties but are now ready for collection (the curiosity trigger). Ignoring the notification may result in the account being disabled (the fear trigger). Then there is a button that says "Release messages to the inbox." When the user clicks it, they are sent to a fake Microsoft login page that harvests credentials.

The key to identifying this sort of phishing email is the mismatch between the sender's display name (in this case Microsoft, USAA, or VM Caller ID) and the actual sending address (in this case postmaster[@]chipotle[.]com): the former is unlikely to send email through the latter. Secure email gateways, however, frequently rely on verifying only that the sending domain is authentic and that the email comes from an approved range of IP addresses.
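The check described above can be made mechanical. What follows is an added example, not Inky's code or anything taken from the campaign: it parses message headers, confirms whether SPF and DKIM passed for the From domain (which the Chipotle messages did), and then asks the question the gateways skipped, whether the brand named in the display name actually owns that domain. The brand-to-domain table and both sets of sample headers are constructed for illustration; only the display name, subject and sending address are taken from the article.

```python
"""Flag brand-impersonating display names on mail that otherwise passes SPF/DKIM.
Added example (not from Inky's report); the BRAND_DOMAINS table and the two
sample messages are constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed mapping of brands a display name might claim to the domains entitled
# to send for them. A real deployment would curate and maintain its own table.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "usaa": {"usaa.com"},
}

# Extract result and evaluated domain for spf and dkim from an
# Authentication-Results header (spf=pass smtp.mailfrom=...; dkim=pass header.d=...).
AUTH_RE = {
    "spf": re.compile(r"spf=(?P<result>\w+).*?smtp\.mailfrom=(?P<domain>[\w.@\-]+)", re.S),
    "dkim": re.compile(r"dkim=(?P<result>\w+).*?header\.d=(?P<domain>[\w.\-]+)", re.S),
}


def org_domain(domain: str) -> str:
    """Collapse a subdomain such as mail.chipotle.com to chipotle.com.
    Keeping the last two labels is enough here; production code should consult
    the public suffix list, since co.uk and similar suffixes break this rule."""
    labels = domain.lower().strip().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def parse_auth_results(value: str) -> dict:
    """Return {mechanism: (result, org_domain)} for the spf and dkim clauses present."""
    out = {}
    for mech, rx in AUTH_RE.items():
        m = rx.search(value)
        if m:
            dom = m.group("domain").rsplit("@", 1)[-1]  # mailfrom may be a full address
            out[mech] = (m.group("result").lower(), org_domain(dom))
    return out


def analyze(raw_message: str) -> dict:
    """Compare what the From display name claims against who really sent the mail."""
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    from_domain = org_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    # DMARC-style alignment: a passing SPF or DKIM domain matches the From domain.
    # Mail relayed through a reputable service from a compromised account passes this.
    authenticated = any(res == "pass" and dom == from_domain for res, dom in auth.values())

    # The check the article says gateways skip: does the brand in the display
    # name own the domain the mail was actually sent from?
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and from_domain not in domains:
            findings.append(f"display name claims {brand!r} but From domain is {from_domain}")

    return {
        "display_name": display_name,
        "from_domain": from_domain,
        "authenticated": authenticated,
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed headers modelled on the campaign described above (not a real capture).
PHISH = """\
From: "Microsoft 365 Message Center" <postmaster@chipotle.com>
To: victim@example.org
Subject: You have (7) clustered/undelivered emails 16 July 2021
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mail.chipotle.com; dkim=pass header.d=mail.chipotle.com

Release messages to the inbox
"""

# Constructed legitimate counterpart: the brand in the display name owns the domain.
LEGIT = """\
From: "Microsoft 365 Message Center" <noreply@microsoft.com>
To: victim@example.org
Subject: Your monthly summary
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=microsoft.com; dkim=pass header.d=microsoft.com

Nothing unusual here.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        result = analyze(raw)
        state = "authenticated" if result["authenticated"] else "unauthenticated"
        print(f"{label}: {state}; findings={result['findings']}")
```

The phishing sample comes back as both authenticated and suspicious, which is exactly the article's point: SPF, DKIM and sender reputation answer "was this really sent by chipotle.com?", not "should chipotle.com be speaking for Microsoft?". Only the second question catches a hijacked marketing account.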

EU Banking Regulator Suffers Cyberattack in a Microsoft Email Breach

The EU Banking Authority, a significant EU financial regulator, said that it suffered a cyberattack in which its Microsoft email systems were hacked. Microsoft attributes the underlying attacks to a Chinese threat actor: it recently said that a Chinese state-sponsored hacking group was exploiting previously unknown security vulnerabilities in Microsoft Exchange email server software to hijack government and user data, with victims numbering as many as tens of thousands. Microsoft said earlier this week that "Hafnium attacks were in no way connected to the separate SolarWinds-related attacks."

The threat actor "Hafnium" is highly skilled and sophisticated, says Microsoft. Hafnium has previously attacked US-based organizations including cybersecurity firms, law firms, defense contractors, think tanks, defense agencies, NGOs, and universities. The EBA (EU Banking Authority) said in a statement that its inquiries have not revealed any data theft so far; the EBA email infrastructure is now secure and the investigation has concluded that there has been no data breach, the statement says.

There is no evidence to suggest that the breach affected anything more than email servers. The EBA says that the investigation is still in progress and that security measures have been put in place to restore email functionality. In a statement issued on Sunday, the EBA said that it had shut down its systems as a preventive measure, noting that the hackers may have gained access to personal data in the emails. Microsoft has issued updates to fix the vulnerabilities, and Tom Burt, a Microsoft executive, said that the attackers are very likely to try to take advantage of unpatched systems.

In this regard, Security Week reported, "Beijing typically rejects US hacking charges out of hand and last year berated Washington following allegations that Chinese hackers were attempting to steal coronavirus research. In January, the US said Russia was probably behind the massive SolarWinds hack that hit large swathes of the government and private sectors, and which experts say may constitute an ongoing threat."  

Norwegian Parliament Hit by a Cyber-Attack on Its Internal Email System

Stortinget, the Norwegian Parliament, was hit by a cyber-attack targeting its internal email system. The news came on Tuesday, when the parliament's director, Marianne Andreassen, confirmed that threat actors had targeted the parliament.

The hackers broke into email accounts of elected representatives and employees and stole varying amounts of data. Andreassen said that the incident was still being investigated, so she could not say who was responsible for the attack or how many accounts were compromised.

People whose accounts were exposed in the attack have been informed, a report has been filed with the Norwegian police, and the nation's intelligence agency has begun investigating the incident, according to a statement the agency posted on its Twitter account after the incident.

The local press, which initially broke the story, also reported that the parliament's IT staff had shut down its email service to keep the hackers from siphoning more information.

A representative for Norway's main opposition party, the Labour Party, told public broadcaster NRK that the attack had also affected a few Labour Party members and staff.

After the incident was discovered, the Norwegian National Security Authority (NSA) was brought in to counter the attack and get to the bottom of what had occurred. "We have been involved for a few days," said NSA spokesman Trond Oevstedal.

"We are assisting parliament with analysis and technical assistance." Andreassen said that the parliament had discovered "anomalies a little more than a week ago." 

"A number of risk-reducing immediate measures were implemented to stop the attack," said Andreassen. "These measures had an immediate effect." 

A statement issued earlier read: "Burglary has been registered in the email accounts of a small number of parliamentary representatives and employees. Our analyses show that different amounts of data have been downloaded."

Through this statement the Storting said that the attackers had taken an unspecified amount of data. So far no information has been released about what sort of cyber-attack was executed against the Norwegian parliament or who was responsible for it.

However, Andreassen told reporters that the parliament takes the matter very seriously and has given its complete attention to investigating the situation in order to get a full picture of the incident and the possible extent of the harm caused.

Aeronautical agency’s email account hacked

The official email account of the Aeronautical Development Agency (ADA) was recently hacked and data manipulated, allegedly by a private aerospace engineering company.

The hackers broke into the TAN (Tax Deduction and Collection Account Number) login, changed the mobile number linked to the account, and made unauthorised online corrections to manipulate the tax returns of a private aerospace engineering company in Bengaluru.

Rangarajan S (58), a senior executive with the ADA, filed a complaint with the cybercrime police of the Criminal Investigation Department (CID) on June 4 seeking legal action against unknown hackers. Based on the complaint, the police registered a case under various sections of the Information Technology Act and are investigating.

In his complaint, Rangarajan said the hackers not only accessed details of financial transactions but also made changes to the TDS for 2017-18. In addition, the hackers allegedly changed the password, email ID and mobile number, and updated the PAN details of the company they belonged to. The police said the fraud might have occurred between March and May this year and came to light recently during verification of official accounts.

“On March 31, an amount of Re 1 has been remitted to ADA’s TAN number. Also, some unknown person has filed 27EQ return of 4th quarter FY 2018-19 offline on May 7 (possibly at TIN-FC centre). ADA’s TDS Reconciliation and Correction Enabling Systems user ID and login password have been accessed unauthorisedly on May 14.”

Confirming the account’s hacking, senior ADA officials said that though there has been a breach in the account, there is no security concern. “This is not a serious issue as the account was in the open domain. No data pertaining to the agency has been compromised,” an officer said.

The cybercrime police are trying to ascertain the motive behind the hacking.

$3 Million Stolen From Investment Company Through Email Hacking Scam

Authorities said on Thursday that two con artists from New Jersey and their team had hacked into several corporate accounts and stolen almost $3 million meant for a Manhattan real estate transaction.

The fraud took place after two foreigners gained access to the investment company's corporate email account and monitored it for potential investment deals. The name of the investment firm has not been revealed.

Before a $2.8 million deal closed, the pair emailed the investment company fraudulent account details that appeared to come from the intended recipient. According to prosecutors, the two who planned and carried out the theft are Estarlin Reynoso and Lucy Beswick.

According to court papers, Beswick, 27, instructed Reynoso, 29, step by step over the WhatsApp messaging service on how to open a business account and how to wire the stolen funds.

Manhattan DA Cyrus Vance said: “New Yorkers whose jobs include wiring money should pay attention to this case. Business email compromises cause billions in worldwide losses each year, but there are steps that companies large and small can take to avoid becoming a victim.”

Vance advised businesses to be careful about the authenticity of emails and to verify them by speaking to the counterparty whenever a transfer of funds is involved. He also suggested using anti-phishing tools to authenticate emails.

According to the prosecutor, Reynoso transferred funds to three different banks in China before the fraud was detected. Both of the accused were charged with larceny, identity theft and criminal possession of stolen funds.
The investment company was able to recover most of the funds. Beswick was freed without bail, while Reynoso was released on $10,000 bail.

Personal data of almost a billion people hacked

Personal data of nearly one billion people has been hacked by a shadowy company that has been untraceable since the incident occurred.

The database contains the email addresses of around 982 million people. According to researchers, this could be the ‘biggest and most comprehensive email database' breach ever.

The compromised information includes names, gender, date of birth, employer, details of social media accounts and home addresses.

The database was created by the firm and had no security measures of any kind.

The firm was a marketing company that offered an email validation service to another marketing firm; the service consists of verifying that email addresses are genuine.

The company took down its website after the leak was uncovered and has refused requests for comment on the situation.

The motive behind the hack is not clear, as the company's backers are maintaining their anonymity because of the dubious tactics used to offer their service.

Lee County Tax Collector’s email hacked

On Thursday, an email went out from the office of Lee County Tax Collector Larry Hart, sent by hackers who had gained access to his email account.

It has been reported that Hart was using a device outside his office and that the device was compromised.

Lee County taxpayers are now worried that their information might have been compromised in the hack. However, Noelle Branning, Deputy Chief Tax Collector, said that because Larry Hart rarely emails taxpayers directly, they aren’t likely to have received the email.

"We don't think our taxpayers need to have any concern," Branning said. "Additionally, it doesn't appear that any taxpayer information has been compromised in any way."

While the office maintains that it does not seem that any information has been compromised, Branning cautions anyone opening an email from Hart to be careful.

"If it's an email coming from Mr. Hart containing an attachment or a link, no one should open the attachment, nor should they try to click on the link," said Branning.

Hart’s account has been disabled as a security measure and is undergoing a forensic examination. A cybersecurity professional is helping the office get to the bottom of the hack. Meanwhile, an organisation-wide advisory has been sent to make staff aware of the risk.

Other counties have also been warned of the possibility of a hack.

Email Accounts of Jeffrey Tambor hacked by "Guccifer"

The AOL mail accounts of Jeffrey Tambor and his wife Kasia were hacked by a "celebrity hacker" called Guccifer. The hacker is also behind many recent leaks involving Dorothy Bush Koch, Colin Powell, Lisa Murkowski, Jim Nantz, Patricia Legere, Bill Clinton and Sidney Blumenthal.

He leaked a great deal of data from the hacked accounts, including private pictures and correspondence. He used Jeffrey Tambor's email account to distribute material previously stolen from the mail accounts of other victims, including former Bill Clinton aide Sidney Blumenthal and Joseph Verner Reed, a top United Nations under-secretary-general. As in his previous hacks, he leaked private pictures of Mr. Tambor.

He also used Kasia Tambor’s AOL account to send reporters emails containing memos that Blumenthal sent to Hillary Clinton about the political situation in Libya.

Based on past attacks, the hacker's IP address is said to be in Russia, but it is most probably a proxy: a hacker smart enough to pull off such hacks would not leave traces.

Anonymous leaks 1GB of internal Govt emails from the Syrian Ministry of Foreign Affairs

The hacktivist group Anonymous has leaked 1GB of documents containing internal government emails from the Syrian Ministry of Foreign Affairs. The hackers leaked the data as part of the ongoing operation "#OpSyria".

The leaked documents contain all sorts of information, including scanned passports of Syrian ministers (PDF), details about arms transportation from Ukraine, and even a report showing that 200 tons of Syrian bank notes have been shipped from Russia.

"Most of the material is in Arabic and we invite all arabic speakers to look through the mails for interesting documents." The hackers invite Arabic speakers to translate the documents.

The files can be accessed via the email viewer set up on par-anoia.net or by downloading the compressed MBOX archive and importing it into an email client.