Search This Blog

Showing posts with label Fraud. Show all posts

WhatsApp Message Fraud Dupes Automobile Firm of Rs.1 Crore

 


A well-known automobile company, JBM Group, has been duped for Rs.1 Crore in yet another fraudulent incident that took place via fake WhatsApp messages. 

As per the police, the fraudster, in a WhatsApp message to the Chief Finance Officer of JBM, Vivek Gupta claimed to be the company’s vice chairman and had the money transferred to the bank accounts. As per the officials, a total of eight transactions had been made with seven different bank accounts, worth Rs 1,11,71,696. 

In the wake of the incident, an FIR has been registered against the unidentified fraudster under section 419 (cheating by impersonation), 420 (cheating) of IPC, and Section 66-D of IT Act at Cybercrime police station.

“The fraudsters claimed to be a JBM Group vice chairman Nishant Arya. The WhatsApp profile picture of the caller displayed Arya’s photograph. On verifying Truecaller, it reflected that the number belonged to Arya. I was also informed by the sender that he is busy in an important meeting, I could not directly call to make any further inquiry.” The CFO stated in his complaint. 

“I carried out the instructions of the sender under the bona fide impression that the instructions were coming from my superior Nishant Arya who needed to effectuate these transactions which were both very important and extremely urgent. The sums were transferred from two entities of the JBM Group, namely JBM Industries and JBM Auto. At the request of the sender, the UTR numbers confirming such transfers were also shared on the same WhatsApp chat,” Gupta further added. 

Serum Institute of India duped of Rs. 1 Crore via WhatsApp

Earlier this month, on September 7, a similar case was seen involving the Serum Institute of India (SII) which was duped for Rs. 1 Crore via a WhatsApp message sent by the threat actor posing as its CEO Adar Poonawalla. The messages were being sent to one of the institute’s directors. The transactions were then made to a few bank accounts, worth Rs. 1,01,01,554. 

The police officials are looking for the identity of the accused, the one who sent the fraudulent messages, and the holder of the bank accounts to which the transactions were made. 

How to Avoid Cyber Fraud?

With ever-increasing cases of cyber fraud via WhatsApp and other popular messaging platforms,  users are recommended to stay vigilant and follow exercise caution to avoid any scam that may result in financial loss. Users must follow the given steps in order to safeguard themselves against cyber fraud: 

1. Ensure to crosscheck the identity of a person or entity, if you receive messages from an unknown contact, claiming to be someone you know. 

2. Crosscheck the authentication of the source from where you are receiving the messages. 
 
3. Do not share your bank details with anyone. Since banks do not ask for such details, be cautious if the messages claim to be delivered from a bank. 

4. Do not click on the links sent by a suspicious number. The link may lead to malicious websites that are capable of duping you into revealing your passwords and sensitive information.

Cyberfraud has become an increasingly troublesome form of cybercrime as more and more people are falling prey to different forms and kinds of cyberfraud. While reporting it to the cybercrime branch of the police is one solution, netizens must stay wary of lures presented on social media to trap them for financial purposes.

Binance Executive: Scammers Created a 'Deep Fake Hologram' of him to Fool Victims

 

According to a Binance public relations executive, fraudsters created a deep-fake "AI hologram" of him to scam cryptocurrency projects via Zoom video calls.

Patrick Hillmann, chief communications officer at the crypto hypermart, stated he received messages from project teams thanking him for meeting with them virtually to discuss listing their digital assets on Binance over the past month. This raised some suspicions because Hillmann isn't involved in the exchange's listings and doesn't know the people messaging him.

"It turns out that a sophisticated hacking team used previous news interviews and TV appearances over the years to create a 'deep fake' of me," Hillmann said. "Other than the 15 pounds that I gained during COVID being noticeably absent, this deep fake was refined enough to fool several highly intelligent crypto community members."

Hillmann included a screenshot of a project manager asking him to confirm that he was, in fact, on a Zoom call in his write-up this week. The hologram is the latest example of cybercriminals impersonating Binance employees and executives on Twitter, LinkedIn, and other social media platforms.

Scams abound in the cryptocurrency world.
Despite highlighting a wealth of security experts and systems at Binance, Hillman insisted that users must be the first line of defence against scammers. He wrote that they can do so by being vigilant, using the Binance Verify tool, and reporting anything suspicious to Binance support.

“I was not prepared for the onslaught of cyberattacks, phishing attacks, and scams that regularly target the crypto community. Now I understand why Binance goes to the lengths it does,” he added.

The only proof Hillman provided was a screenshot of a chat with someone asking him to confirm a Zoom call they previously had. Hillman responds: “That was not me,” before the unidentified person posts a link to somebody’s LinkedIn profile, telling Hillman “This person sent me a Zoom link then your hologram was in the zoom, please report the scam”.

The fight against deepfakes
Deepfakes are becoming more common in the age of misinformation and artificial intelligence, as technological advancements make convincing digital impersonations of people online more viable.

They are sometimes highly realistic fabrications that have sparked global outrage, particularly when used in a political context. A deepfake video of Ukrainian President Volodymyr Zelenskyy was posted online in March of this year, with the digital impersonation of the leader telling citizens to surrender to Russia.

On Twitter, one version of the deepfake was viewed over 120,000 times. In its fight against disinformation, the European Union has targeted deepfakes, recently requiring tech companies such as Google, Facebook, and Twitter to take countermeasures or face heavy fines.

Over 1,900 Signal User Data Exposed

 

The attacker involved in the latest Twilio data leak may have obtained phone numbers and SMS registration codes for 1,900 Signal users.

“Among the 1,900 phone numbers, the attacker explicitly searched for three numbers, and we’ve received a report from one of those three users that their account was re-registered,” the Signal team shared on Monday.

Twilio offers phone number verification services (through SMS) to Signal. Earlier this month, several Twilio employees were duped into receiving SMS messages that seemed to be from the company's IT department. The attacker gained access to information pertaining to 125 Twilio client accounts, including Signal's.

“During the window when an attacker had access to Twilio’s customer support systems it was possible for them to attempt to register the phone numbers they accessed to another device using the SMS verification code,” the Signal team explained.

As previously stated, the attacker was able to re-register at least one of the three numbers they specifically sought for.

“All users can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected,” the team noted. That’s because that data is stored on the users’ device and Signal has no access to or copy of it. “And this information certainly is not available to Twilio, or via the access temporarily gained by Twilio’s attackers,” the team added.

Unfortunately, if the attacker was successful in re-registering an account, they might impersonate the user by sending and receiving Signal communications from that phone number.

Signal is immediately contacting potentially affected users of this vulnerability through SMS. The business has unregistered Signal on all devices that these 1,900 users are now using (or that an attacker has registered for them) and is requesting that they re-register Signal with their phone number on their preferred device.

Furthermore, they are advising them to enable registration lock (Signal Settings (profile) > Account > Registration Lock) for their account, which is a function that aids in the prevention of this sort of fraud.

The attacker was able to obtain either the phone numbers of 1,900 registered Signal users or the SMS verification code they used to register with Signal as a result of this.

“The kind of telecom attack suffered by Twilio is a vulnerability that Signal developed features like registration lock and Signal PINs to protect against. We strongly encourage users to enable the registration lock. While we don’t have the ability to directly fix the issues affecting the telecom ecosystem, we will be working with Twilio and potentially other providers to tighten up their security where it matters for our users,” the team concluded.

Alert! This Huge Network of 11,000 Fake Investment Sites Targets Europe

 

Researchers discovered a massive network of over 11,000 domains used to market several bogus investment schemes to European users. 
To establish an air of credibility and attract a wider number of victims, the platforms display false evidence of affluence and falsified celebrity endorsements. The operation's purpose is to dupe people into believing they have a chance for high-return investments and persuade them to spend a minimum of 250 EUR ($255) to sign up for the bogus services. 

Group-IB researchers found the operation and documented the vast network of phishing sites, content hosting, and redirections. More than 5,000 of the discovered malicious domains are still operational, according to Group-IB. At the moment, the countries targeted by this initiative are the United Kingdom, Belgium, Germany, the Netherlands, Portugal, Poland, Norway, Sweden, and the Czech Republic. 

Scamming Process 

To reach as many users as possible, the fraudsters promote the ads on multiple social media platforms or utilise hacked Facebook and YouTube. Victims who fall for the scam and click on the advertisements to learn more are sent to landing pages with supposed success stories. 

The crooks then ask for contact information. In an extensive social engineering scam, a "customer agent" from a call centre contacts the victim and offers the investment terms and conditions. Eventually, the victim is persuaded to deposit at least 250 EUR, while the information given on the false site is saved and utilised in future operations or purchased on the dark web. 

After depositing the cash, the victim gains access to a bogus investment dashboard that supposedly lets them track daily gains. After depositing the cash, the victim obtains access to a bogus investment dashboard that purports to show daily returns. This is done to maintain the idea of a legitimate investment and attract victims to deposit more money in exchange for higher earnings. 

The fraud is uncovered when the victim attempts to withdraw money from the site without first requesting final payment. Group-IB researchers talked with the fraudsters and taped their chat with the operator during the inquiry. Parts of this audio have been muted for privacy concerns. 

Investments are never risk-free, thus promises of assured profits should be seen as warning flags. Furthermore, genuine investing platforms do not provide personal account managers for modest deposits.

Microsoft: Large-Scale AiTM Phishing Attacks Against 10K+Organizations

 

More than 10,000 companies were targeted in a large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites. Microsoft identified a large-scale phishing effort that employed adversary-in-the-middle (AiTM) phishing sites to steal passwords, hijack a user's sign-in session, and circumvent authentication even when the victim had activated MFA. 

Threat actors utilise AiTM phishing to set up a proxy server between a target user and the website the user desires to access, which is the phishing site controlled by the attackers. The proxy server enables attackers to intercept communications and steal the target's password and a session cookie. 

Threat actors started business email compromise (BEC) attacks against other targets after obtaining the credentials and session cookies needed to access users' mails. Since September 2021, Microsoft specialists think the AiTM phishing effort has targeted over 10,000 companies. 

Phishing using AITM 

By impersonating the Office online authentication page, the landing sites utilised in this campaign were meant to attack the Office 365 authentication process. Microsoft researchers discovered that the campaign's operators utilise the Evilginx2 phishing kit as its AiTM infrastructure. Threat actors utilised phishing emails with an HTML file attachment in several of the attacks seen by the experts. The message alerted recipients that they had a voice message in order to deceive them into opening the file.
 
The analysis published by Microsoft states, “This redirector acted as a gatekeeper to ensure the target user was coming from the original HTML attachment. To do this, it first validated if the expected fragment value in the URL—in this case, the user’s email address encoded in Base64—exists. If the said value existed, this page concatenated the value on the phishing site’s landing page, which was also encoded in Base64 and saved in the “link” variable.”

“By combining the two values, the succeeding phishing landing page automatically filled out the sign-in page with the user’s email address, thus enhancing its social engineering lure. This technique was also the campaign’s attempt to prevent conventional anti-phishing solutions from directly accessing phishing URLs.” 

After capturing the session cookie, the attackers inserted it into their browser to bypass the authentication procedure, even if the receiver had activated MFA for his account. Microsoft advises organisations to use systems that enable Fast ID Online (FIDO) v2.0 and certificate-based authentication to make their MFA deployment "phish-resistant."

Microsoft also advises establishing conditional access controls if an attacker attempts to utilise a stolen session cookie and monitoring for suspicious or anomalous activity, such as sign-in attempts with suspicious features and odd mailbox operations. 

“This AiTM phishing campaign is another example of how threats continue to evolve in response to the security measures and policies organisations put in place to defend themselves against potential attacks. While AiTM phishing attempts to circumvent MFA, it’s important to underscore that MFA implementation remains an essential pillar in identity security. MFA is still very effective at stopping a wide variety of threats; its effectiveness is why AiTM phishing emerged in the first place," concludes the report.

Fraudsters Resorting to 'Synthetic Identity Fraud to Commit Financial Crimes

 

Identity theft is still a common tactic for hackers to damage the credit score. To steal even more and avoid discovery, an increasing number of fraudsters are turning to "synthetic identity fraud," which includes constructing spoof personalities to deceive financial institutions.

Michael Timoney, VP of Secure Payments at the Federal Reserve Bank of Boston stated, “This is growing. It’s got big numbers tied to $20 billion(Opens in a new window) plus (in losses), and we’re not really seeing a drop in it. Due to the pandemic, the numbers have gotten even higher."

Timoney described how the threat exploits a critical vulnerability in the US banking system at the RSA conference in San Francisco: when a customer applies for a credit card or a loan, many businesses do not always verify their identification. Timoney defined synthetic identity fraud as the use of multiple pieces of personally identifiable information to create a totally new person. 

He added, “It’s different from traditional identity theft because if someone stole my identity they would be acting in my name. I would go into my bank account and see my money is gone or I’d try to log into my account but I’d be locked out.” 

“Because of data breaches, there is so much information out there for sale. In other cases, the crooks will alter or make up the Social Security number and address data entirely, hoping the companies won't catch on. Once you apply for credit with your brand new identity, there is no credit file out there for you, but one gets created immediately. So right off the bat, you now have a credit file associated with this synthetic. So it sort of validates the identity. Now you got an identity and it has a credit record."  

The hacker will then strive to improve the credit rating of the spoof identity in order to secure larger loans or credit card limits before bailing without ever paying the lending agency. He added that the fraudster will settle their charges and request further credit. 

According to Timoney, the scammers have also been using the fraudulent personas to seek for unemployment benefits and obtain loans from the Paycheck Protection Program, which began during the pandemic to assist businesses in paying their employees. 

How to stop synthetic identity fraud?

To combat synthetic identity fraud, the United States is developing (Opens in a new window) the Electronic Consent Based Social Security Number Verification Service, which can determine whether a Social Security number matches one of these on record. However, Timoney stated that the system will only be offered to financial institutions and will not be open to other industries that provide credit to clients. 

In response, Timoney emphasized that it is critical for businesses to be on the lookout for warning indicators linked with synthetic identity fraud. This might include inconsistencies in the applicant's background. For example, consider a person who is 60 years old but has never had a credit history while having lived in the United States their whole life or an 18-year-old with a credit score of at least 800. 

Another method for detecting synthetic identity theft is to see if a loan application has any confirmed family members. One should be looking at a lot more than just the name, address, and Social Security number.

Suspected Phishing Email Fraudster Arrested in Nigeria

 

A Nigerian man has been arrested by Interpol and African cops on suspicion of running a multi-continent cybercrime network that specialised in sending phishing emails to businesses. His alleged operation was behind so-called business email compromise (BEC), a combination of fraud and social engineering in which employees at targeted firms are duped into doing things like wiring money to scammers or sending sensitive information abroad. 

This is done by impersonating executives or suppliers and sending messages with instructions on where to deliver payments or data, often by getting into an employee's work email account. The 37-year-arrest old's is part of a year-long counter-BEC operation code-named Operation Delilah, which began with intelligence from cybersecurity firms Group-IB and Palo Alto Networks Unit 42, and Trend Micro. 

According to the groups involved, Op Delilah, which began in May 2021, is another success story from Interpol's Cyber Fusion Center, a public-private partnership between law enforcement and industry experts based in Singapore. The arrest, however, comes after the FBI issued a strong warning about BEC earlier this month, claiming that it is still the most costly threat to businesses throughout the world. Between June 2016 and December 2022, email scams cost businesses and people at least $43.3 billion. 

The FBI stated that BEC continues to develop and change, targeting small local companies to larger enterprises, and personal transactions, adding that it monitored a 65 per cent increase in identified global exposed losses, with victims in 177 countries, between July 2019 and December 2021. When law enforcement attempted to catch the suspected fraudster in this case, he fled Nigeria in 2021. He attempted to return to Nigeria in March 2022 but was recognised and detained as a result of the intelligence-gathering relationship. The intelligence was passed on to Nigerian police by Interpol's African Joint Operation against Cybercrime (AFJOC), which was assisted by law enforcement from Australia, Canada, and the United States. Nigerian cops eventually apprehended the man at Lagos' Murtala Mohammed International Airport. Delilah is the third in a series of law-enforcement actions that have resulted in the identification and arrest of suspected gang members. 

"The arrest of this alleged prominent cybercriminal in Nigeria is testament to the perseverance of our international coalition of law enforcement and Interpol's private sector partners in combating cybercrime," Garba Baba Umar, assistant inspector general of the Nigeria Police Force, said in a statement this week. 

The security companies involved in the operation closely monitored the alleged Nigerian BEC crew under the name SilverTerrier, or TMT, and Delilah is the third in a series of law-enforcement actions that have resulted in the identification and arrest of these suspected gang members. Delilah was preceded by the Interpol-led Falcon I and Falcon II operations, which took place in 2020 and 2021 and resulted in the arrest of 14 members of the criminal gang. 

The earlier operations, as well as the most recent one, were assisted by Unit 42 and Group-IB, among other security analysts. TMT has been tracked by Group-IB since 2019. We're warned that by 2020, the criminals would have infiltrated more than 500,000 businesses in 150 nations. One of the defendants seized in Nigeria during Falcon II had more than 50,000 possible victim domain credentials on his laptop, according to Interpol. 

Meanwhile, Unit 42 researchers allege that the 37-year-old Nigerian detained as part of Delilah has been a criminal since 2015. 

The security analysts at Palo Alto Networks wrote in a blog, "We have identified over 240 domains that were registered using this actor's aliases. Of that number, over 50 were used to provide command and control for malware. Most notably, this actor falsely provided a street address in New York city associated with a major financial institution when registering his malicious domains." 

They discovered that he has a stated affinity for ISRStealer, Pony, and LokiBot malware. He also prefers enormous gold, blingy jewellery, according to a social media snapshot of the alleged perp on the Unit 42 blog. According to the security researchers, the suspect is well-connected with other BEC criminals and also appears to share social media contacts with a trio detained in 2021 as part of Falcon II.

Bad Bot Traffic is Significantly Contributing to Rise of Online Scam

 

Recently, many organizations have been left wrestling with the challenge of overcoming the rise in bot traffic, which is also sometimes referred to as non-human traffic. According to an Imperva analysis, bad bots, or software applications that conduct automated operations with malicious intent, accounted for a record-breaking 27.7% of all global internet traffic in 2021, up from 25.6 percent in 2020. Account takeover (ATO), content or price scraping, and scalping to purchase limited-availability items were the three most typical bot attacks. 

Bot traffic has the potential to damage organisations if they do not learn how to recognise, control, and filter it. Sites that rely on advertising in addition to sites that sell limited-quantity products and merchandise are particularly vulnerable. Bad bots are frequently the first sign of online fraud, posing a threat to both digital enterprises and their customers. 

Evasive bad bots accounted for 65.6 percent of all bad bot traffic in 2021, a grouping of moderate and advanced bad bots that circumvent ordinary security protections. This type of bot employs the most advanced evasion strategies, such as cycling through several IP addresses, using anonymous proxies, changing identities, and imitating human behaviour. 

Bad bots make it possible to exploit, misuse, and assault websites, mobile apps, and APIs at high speed. Personal information, credit card details, and loyalty points can all be stolen if an attack is successful. Organizations' non-compliance with data privacy and transaction requirements is exacerbated by automated misuse and online fraud. 

Bad bot traffic is increasing at a time when businesses are making investments to improve online customer experiences. More digital services, greater online functionality, and the creation of broad API ecosystems have all emerged.

Unfortunately, evil bot operators will use this slew of new endpoints to launch automated assaults. The key findings of the research are:
  • Account takeover grew148% in 2021: In 2021, 64.1% of ATO attacks used an advanced bad bot. Financial Services was the most targeted industry (34.6%), followed by Travel (23.2%). The United States was the leading origin country of ATO attacks (54%) in 2021. The implications of account takeover are extensive; successful attacks lock customers out of their accounts, while fraudsters gain access to sensitive information that can be stolen and abused. For businesses, ATO contributes to revenue loss, risk of non-compliance with data privacy regulations, and tarnished reputations.
  • Travel, retail, and financial services targeted by bad bots: The volume of attacks originating from sophisticated bad bots was most notable across Travel (34.2%), Retail (33.8%), and Financial Services (8.8%) in 2021. These industries remain a prime target because of the valuable personal data they store behind user login portals on their websites and mobile apps.
  • The proportion of bad bot traffic differs by country: In 2021, Germany (39.6%), Singapore (39.1%), and Canada (30.2%) experienced the highest volumes of bad bot traffic, while the United States (29.1%) and the United Kingdom (29.7%) were also higher than the global average (27.7%) of bad bot traffic.
  • 35.6% of bad bots disguise as mobile web browsers: Mobile user agents were a popular disguise for bad bot traffic in 2021, accounting for more than one-third of all internet traffic, increasing from 28.1% in 2020. Mobile Safari was a popular agent in 2021 because bots exploited the browser’s improved user privacy settings to mask their behaviour, making them harder to detect.
According to the findings, no industry will be immune to negative bot activity in 2021. Bots hoarding popular gaming consoles and clogging vaccine appointment scheduling sites gained attention in 2021, but any degree of bot activity on a website can create considerable downtime, degrade performance, and reduce service reliability.

 US Reclaimed $15 Million From an Ad Fraud Operation

 

The US government has recovered more than $15 million in earnings from the 3ve digital advertising fraud enterprise, which cost firms more than $29 million in unviewed ads. 

Sergey Ovsyannikov, Yevgeniy Timchenko, and Aleksandr Isaev, according to the Justice Department, accessed more than 1.7 million infected computers between December 2015 and October 2018, using tens of command and control (C&C) servers as the Kovter botnet, a click-fraud malware would quietly run in the background while connecting to sites to consume advertisements. 

A forfeiture order, according to the Justice Department, resulted in the transfer of $15,111,453.84 from Swiss bank accounts to the US government. The technique resulted in the falsification of billions of ad views and the spoofing of over 86,000 domains. According to the US Department of Justice, groups paid over $29 million for advertising never seen by real people. 

Ovsyannikov and Timchenko were arrested in 2018, pleaded guilty, and sentenced to jail terms in the United States. For this role in 3ve (pronounced "Eve"), Isaev and five others are accused of money laundering, wire fraud, computer intrusion, and identity theft, yet they stay free. 

The US also charged Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, and Dmitry Novikov, five Russian citizens, with running the Methbot ad fraud scheme, which is thought to have netted the fraudsters more than $7 million in illegal gains. 

"This forfeiture is the greatest international cybercrime recovery in the Eastern District of New York's history," said United States Attorney Peace in a press statement.

Google SMTP Relay Service Exploited for Sending Phishing Emails

 

Phishers are exploiting a vulnerability in Google's SMTP relay service to send malicious emails that imitate well-known brands. Threat actors use this service to mimic other Gmail tenants, according to Avanan researcher Jeremy Fuchs. Since April 2022, they've noticed a massive rise in these SMTP relay service exploit attacks in the wild. 

Organizations utilise Google's SMTP relay service to send out promotional messages to a large number of consumers without the risk of their mail server being blacklisted. 

Fuchs explained, “Many organizations offer this service. Gmail does as well, with the ability to route outgoing non-Gmail messages through Google. However, these relay services have a flaw. Within Gmail, any Gmail tenant can use it to spoof any other Gmail tenant. That means that a hacker can use the service to easily spoof legitimate brands and send out phishing and malware campaigns. When the security service sees avanan.com coming into the inbox, and it’s a real IP address from Gmail’s IP, it starts to look more legitimate.” 

As Gmail's SMTP relay servers are usually trusted, email security solutions are circumvented, and recipients see a legitimate-looking email address in the "From:" field. Users will only know something is wrong if they inspect the message headers. 

This brand impersonation method will only work if the impersonated corporation/brand company hasn't enabled its DMARC reject policy, according to Fuchs. A DNS-based authentication standard is known as DMARC. It protects enterprises from impersonation threats by preventing malicious, spoof emails from reaching their intended recipients. 

Using tools like MXToolbox, any phisher — indeed, anyone who uses the internet – may verify whether the DMARC reject policy has been enabled for a certain domain. Trello and Venmo, for example, haven't, according to Fuchs, while Netflix has. 

On April 23rd, 2022, Fuchs claims to have warned Google about how phishers were using their SMTP relay service. “Google noted that it will display indicators showing the discrepancy between the two senders, to aid the user and downstream security systems,” he told Help Net Security. 

He also points out that any SMTP relay could be vulnerable to this type of assault. The DMARC protocol, which Google recommends, is the overarching solution to this well-known security issue. However, until that becomes the norm, recipients should verify the headers of unsolicited email messages and avoid opening attachments or clicking on links in those messages if they can't tell whether they're harmful. 

“We have built-in protections to stop this type of attack. This research speaks to why we recommend users across the ecosystem use the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol. Doing so will defend against this attack method, which is a well-known industry issue,” a Google spokesperson told Help Net Security.

Russia-linked APT29 Targets Diplomatic World Wide

 

Security intelligence from Mandiant has discovered a spear-phishing campaign, launched by the Russia-linked APT29 group, designed to victimize diplomats and government entities worldwide including European, the Americas, and Asia. 

The group is believed to be sponsored by the Russian Foreign Intelligence Service (SVR) and to have orchestrated the 2020 SolarWinds attack which hit hundreds of organizations. 

According to the data, the Russia-linked APT29 group popularly known as SVR, Cozy Bear, and The Dukes is active since at least 2014, along with the APT28 cyber threat group which was involved in the Democratic National Committee hack, the wave of attacks aimed at the 2016 US Presidential Elections and a November 2018 attempt to infiltrate DNC. 

The phishing emails have been masqueraded as official notices related to various embassies. Nation-state actors used Atlassian Trello, DropBox, and cloud services, as part of their command and control (C2) infrastructure. 

“APT29 targeted large lists of recipients that Mandiant suspected were primarily publicly-listed points of contact of embassy personnel. These phishing emails utilized a malicious HTML dropper tracked as ROOTSAW, which makes use of a technique known as HTML smuggling to deliver an IMG or ISO file to a victim system.” reads the analysis published by Mandiant. 

The threat actors used the HTML smuggling technique to deliver an IMG or ISO file to the targets. The ISO image contains a Windows shortcut file (LNK) that installs a malicious DLL file when it is clicked. When the attachment file opens, the ROOTSAW HTML dropper will write an IMG or ISO file to disk. Following the steps, once the DLL file is executed, the BEATDROP downloader is delivered and installed in memory. 

“BEATDROP is a downloader written in C that makes use of Trello for C2. Once executed, BEATDROP first maps its own copy of ntdll.dll into memory for the purpose of executing shellcode in its own process. BEATDROP first creates a suspended thread with RtlCreateUserThread which points to NtCreateFile...” 

 “…Following this, BEATDROP will enumerate the system for the username, computer name, and IP address. This information is used to create a victim ID, which is used by BEATDROP to store and retrieve victim payloads from its C2. Once the victim ID is created, BEATDROP will make an initial request to Trello to identify whether the current victim has already been compromised”, the report read.

Payment Fraud Attack Rate Across Fintech Increased by 70% in 2021

 

The index based on a global network of over 34,000 sites and apps and a poll of over 1,000 consumers, reveals that payment fraud attacks across fintech increased by 70% in 2021, the greatest increase of any category in the network. 

Payment fraud has increased in tandem with a whopping 121 percent year-over-year increase in fintech transaction volumes on Sift's network, making this industry a tempting target for cybercriminals. These escalating attacks, as per this data, were mostly focused on alternative payments such as digital wallets, which witnessed a 200 percent increase in payment fraud, as well as payments service providers (+169 percent) and cryptocurrency exchanges (+140 percent). 

These approaches were targeted towards buy now/pay later (BNPL) providers, which showed a 54 percent increase in fraud attack rates year over year. Sift's Trust and Safety Architects discovered a rising number of fraud schemes on Telegram in late 2021, providing unlimited access to BNPL accounts via fake credit card numbers and compromised email addresses, demonstrating the wide range of methods fraudsters use to target the whole fintech sector.

Along with a 23 percent increase in blocked payment fraud assaults in 2021, Sift noticed a network-wide rise in daily transaction volumes across all industries. Similarly, 49 percent of poll respondents indicated they've been a victim of payment abuse in the last one to three years, with 41 percent of those who have been victims in the last year alone. Financial service websites were regarded as the sites that pose the most risk by 33% of the victims, which could have a detrimental impact on the customer’s trust. 

Jane Lee, Trust and Safety Architect at Sift. stated, “Many brands fail to realize that the damage of payment fraud goes beyond the initial financial impact. The vast majority of consumers report abandoning brands after they experience fraud on a business’s website or app, diminishing customer lifetime value and driving up acquisition costs. Further, potential customers who see unauthorized charges from a particular company on their bank statements will forever associate that brand with fraud. In order to combat these attacks and grow revenue, businesses should look to adopt a Digital Trust & Safety strategy—one that focuses on preventing fraud while streamlining the experience for their customers.”

Caketap: A New Unix Rootkit Used to Steal ATM Banking Data

 

Following the activities of LightBasin, a financially motivated group of hackers, threat analysts have discovered a previously undisclosed Unix rootkit that is utilized to capture ATM banking data and execute fraudulent transactions. 

The specific group of adversaries has lately been seen targeting telecom businesses with tailored implants, as well as hacking managed service providers and victimising their clients back in 2020. Researchers present more proof of LightBasin activities in a new paper from Mandiant, focused on bank card fraud and the compromise of critical infrastructure. The new rootkit from LightBasin is a Unix kernel module called "Caketap" that is installed on servers running Oracle Solaris systems. 

Caketap hides network connections, processes, and files when it is loaded; it installs various hooks into system services so that remote commands and configurations can be received. The various commands observed by the analysts are as follows: 

• Add the CAKETAP module back to the loaded modules list 
• Change the signal string for the getdents64 hook 
• Add a network filter (format p) 
• Remove a network filter 
• Set the current thread TTY to not to be filtered by the getdents64 hook 
• Set all TTYs to be filtered by the getdents64 hook \
• Displays the current configuration Caketap's ultimate purpose is to steal financial card and PIN verification data from compromised ATM switch servers and utilise it to enable fraudulent transactions. 

Caketap intercepts data on their way to the Payment Hardware Security Module (HSM), a tamper-resistant hardware device used in the banking industry to generate, manage and validate cryptographic keys for PINs, magnetic stripes, and EMV chips. 

Caketap tampers with card verification messages, blocking those that match fraudulent bank cards instead of generating a genuine response. In a second phase, it saves valid messages that match non-fraudulent PANs (Primary Account Numbers) internally and delivers them to the HSM, ensuring that normal customer transactions are not disrupted and implant operations remain undetected. 

“We believe that CAKETAP was leveraged by UNC2891 (LightBasin) as part of a larger operation to successfully use fraudulent bank cards to perform unauthorized cash withdrawals from ATM terminals at several banks,” explains Mandiant’s report. 

Slapstick, Tinyshell, Steelhound, Steelcorgi, Wingjook, Wingcrack, Binbash, Wiperight, and the Mignogcleaner are further tools related to the actor in prior assaults, all of which Mandiant confirmed are still used in LightBasin attacks. 

LightBasin is a highly skilled threat actor that exploits weak security in mission-critical Unix and Linux systems, which are frequently viewed as intrinsically secure or are mostly ignored due to their obscurity. 

LightBasin and other attackers thrive in this environment, and Mandiant expects them to continue to use the same operating model. In terms of attribution, the analysts noticed some overlaps with the UNC1945 threat cluster, but they don't have enough clear evidence to draw any judgments.

Ukrainian CERT Alerts Citizens of Phishing Attacks Using Hacked Accounts

 

The Computer Emergency Response Team of Ukraine (CERT-UA) has cautioned of new phishing attacks directed at Ukrainian citizens, which use hijacked email accounts belonging to three separate Indian businesses to infiltrate their inboxes and steal sensitive data. 

The emails arrive with the subject line "" (meaning "Attention") and pretend to be from a domestic email service named Ukr.net, but the sender's email address is "muthuprakash.b@tvsrubber[.]com," according to the agency. The messages allegedly alert recipients of an unauthorised attempt to log in to their accounts from an IP address based in Donetsk, Ukraine, and urge them to change their passwords immediately by clicking on a link. 

CERT-UA noted in a Facebook post over the weekend, "After following the link and entering the password, it gets to the attackers. In this way, they gain access to the email inboxes of Ukrainian citizens." 

The fact that TVS Rubber is an automotive company situated in the Indian city of Madurai suggests that the phishing emails were distributed through an already compromised email account. In a further update, CERT-UA stated that it had discovered an additional 20 email addresses used in the attacks, some of which belonged to sysadmins and faculty members at the Ramaiah University of Applied Sciences, an academic institution in Bengaluru, India. 

An email address from Hodek Vibration Technologies Pvt. Ltd., an India-based automotive company that designs and manufactures dampers for cars, light and heavy commercial vehicles, and other industrial equipment, is also featured in the list. 

"All these mailboxes have been compromised and are being used by the Russian Federation's special services to carry out cyberattacks on Ukrainian citizens," the agency said. 

The news comes as NATO states unanimously approved to admit Ukraine as a "Contributing Participant" to the Cooperative Cyber Defence Centre of Excellence (CCDCOE), as Russia's military invasion of the country entered its second week and cyber strikes poured down on government and commercial targets. 

"Ukraine's presence in the Centre will enhance the exchange of cyber expertise, between Ukraine and CCDCOE member nations. Ukraine could bring valuable first-hand knowledge of several adversaries within the cyber domain to be used for research, exercises and training," Col Jaak Tarien, director of CCDCOE, said in a statement.

Finland Alerted About Facebook Accounts Compromised via Messenger Phishing

 

The National Cyber Security Centre of Finland (NCSC-FI) has issued a warning about an ongoing phishing attack aimed at compromising Facebook accounts by masquerading victims' friends in Facebook Messenger conversations. 

According to the NCSC-FI, this ongoing scam targets all Facebook users who got messages from online acquaintances seeking their contact information and a confirmation number given through SMS. If users provide the requested information, the attackers will gain control of their accounts by altering the password and email address linked with them. 

Once taken over, the Facebook accounts will use similar schemes to target more potential victims from their friend list. 

“In the attempts, a hacked account is used to send messages with the aim of obtaining the recipients' telephone numbers and two-factor authentication codes to hijack their Facebook accounts," the cybersecurity agency described. 

The scammers will undertake the following techniques to successfully compromise the victim' Facebook accounts: 
• They start by sending a message through Facebook Messenger from the previously compromised friend's account. 
• They request the target's phone number, claiming to be able to assist with the registration for an online contest with cash awards worth thousands of euros. 
• The next step is to request a code that was supposedly given via SMS by the contest organizers to verify the entry. 
• If the fraudsters obtain the SMS confirmation code, they will combine it with the phone number to gain access to and hijack the victim's Facebook account. 

The NCSC-FI advised, "The best way to protect yourself from this scam is to be wary of Facebook messages from all senders, including people you know. If the message sender is a friend, you can contact him, for example, by phone and ask if he is aware of this message. This information should not be disclosed to strangers." 

Meta (previously Facebook) recently has filed a federal lawsuit in a California court to stop further phishing assaults that are currently targeting Facebook, Messenger, Instagram, and WhatsApp users. 

Around 40,000 phishing sites impersonating the four platforms' login pages were used by the threat actors behind these phishing attacks. These lawsuits are part of a lengthy series of lawsuits filed by Facebook against attackers who target its users and exploit its platform for nefarious purposes.

20K WordPress Sites Exposed by Insecure Plugin REST-API

 

The WordPress WP HTML Mail plugin is prone to a high-severity issue that can lead to code injection and the distribution of persuasive phishing emails. It is used by over 20,000 sites. 

'WP HTML Mail' is a plugin that allows creating customized emails, contact form notifications, and other messages that online platforms deliver to their users. 

WooCommerce, Ninja Forms, BuddyPress, and other plugins are all functional with the plugin. While the volume of sites that utilise it isn't big, many of them have a large audience, causing the vulnerability to impact a large number of people. 

According to research by Wordfence's Threat Intelligence team, an unauthenticated actor might use the vulnerability dubbed "CVE-2022-0218" to change the email template to include arbitrary information. 

Cybercriminals can also utilise the same flaw to send phishing emails to anyone who has registered on the hacked sites. The problem is with how the plugin registers two REST-API routes for retrieving and updating email template settings. 

Unauthorized users can call and execute the functions since these API endpoints aren't appropriately protected from unauthorised access. 

In its report, Wordfence explains in detail: “The plugin registers the /themesettings endpoint, which calls the saveThemeSettings function or the getThemeSettings function depending on the request method. The REST-API endpoint did use the permission_callback function, however, it was set to __return_true which meant that no authentication was required to execute the functions. Therefore, any user had access to execute the REST-API endpoint to save the email’s theme settings or retrieve the email’s theme settings.” 

Aside from phishing assaults, an adversary might inject harmful JavaScript into the email template, which would run whenever the site administrator accessed the HTML mail editor. This might lead to the creation of new admin accounts, the redirection of site visitors to phishing sites, the injection of backdoors into theme files, and even the entire takeover of the site. 

On December 23, 2021, Wordfence detected and reported the vulnerability to the plugin's creator, but they didn't hear back until January 10, 2022. With the release of version 3.1 on January 13, 2022, a security fix addressed the vulnerability. 

As a result, all WordPress site owners and administrators should make sure they have the newest version of the 'WP HTML Mail' plugin installed.

IP Spoofing Flaw Leaves Django REST Applications Vulnerable to DDoS Attacks

 

Attackers used an IP spoofing flaw in Django REST to bypass the framework's throttling function, which is designed to protect apps from mass requests. 

Mozilla, Red Hat, and Heroku, among others, use Django REST as a toolkit for constructing web APIs. It includes a throttling function that limits the number of API queries a client may make. Bot activity, denial-of-service attacks, and malicious actions such as brute-force attempts on login sites, one-time passwords, and password reset pages are all protected by this feature. 

IP addresses are used by Django REST to recognize clients and implement throttling request restrictions. Clients can, however, deceive the server and hide their IP address, according to security researcher Hosein Vita. 

He told The Daily Swig, “Django use WSGI (web server gateway interface) to communicate with web application and X-Forwarded-For HTTP header and REMOTE_ADDR WSGI variable are used to uniquely identify client IP addresses for throttling.” 

As a result, if the X-Forwarded-For header is included in a web request, the server will interpret it as the client's IP address. Vita was able to submit an endless number of requests with the same client by changing the X-Forwarded-For value. The approach only works for unauthenticated queries, according to Vita's bug report. 

APIs that require user authentication take both the user’s ID and the IP address into account when throttling, so IP spoofing is not enough to circumvent the request limits. According to Vita, the attack requires no specific server access, and an attacker who "can just see the website can abuse this method. 

Its immediate impact could be DDoS attacks caused by fraudulent requests flooding Django servers. However, it can also be used for other objectives, such as bypassing login page defences against brute-force attacks. Vita apparently identified the flaw while pen-testing an app with a one-time password login page. 

He stated, “You could log in [to the application] with OTP but I got blocked after many attempts. After my research, I used X-Forwarded-For header, and again I could send requests but after some attempts, again I got blocked.” 

The researcher added: “From my previous background in Django, I guessed it could get bypassed by changing the value of X-Forwarded-For header, and you could send 30 requests with each IP. Then I checked that in my Django API and it was correct.” 

The Django REST team was contacted by The Daily Swig for comment on the vulnerability. Meanwhile, Vita suggests using complementary strategies to protect applications from brute-force attacks. 

He added, “Always use other aspects of security measures as secondary methods. Use Captcha or other related methods to reduce attacks like this in important endpoints. For OTPs, use a token for each generated OTPs.”

Phishing Emails Deliver Scary Zombie-themed MirCop Ransomware

 

A new phishing campaign that poses as supply lists attacks users with the MirCop ransomware, which encrypts a target PC in less than fifteen minutes. 

The perpetrators start the attack by sending an unsolicited email to the victim, claiming to be following up on a previous order arrangement. The email body includes a hyperlink to a Google Drive URL that, when clicked, downloads an MHT file (webpage archive) to the victim's device. 

The use of Google Drive lends credibility to the email and is in accordance with standard business procedures. Simple but crucial choices like this can determine whether the victim clicks the URL or sends the email to the spam folder for threat actors. When people open the file, all they see is a fuzzy image of what appears to be a supplier list, stamped and signed for added legitimacy. 

When the MHT file is opened, it will download a RAR archive from “hXXps://a[.]pomf[.]cat/gectpe.rar” containing a.NET malware downloader. The EXE file in the RAR archive uses VBS scripts to drop and run the MirCop payload on the affected machine. 

The ransomware starts capturing screenshots right away, locks files, changes the background to a terrifying zombie-themed graphic, and instructs victims on what to do next. The entire procedure, according to Cofense, takes less than 15 minutes from the time the victim opens the phishing email. 

Following that, the user is only able to use certain web browsers to contact the actors and arrange for the ransom payment. The actors have no interest in infiltrating the victim's computer discreetly or staying there for long to conduct cyber espionage or acquire files for extortion. On the contrary, the attack happens swiftly, and the source of the problem is noticeable to the victim instantly. 

About the ransomware

MicroCop is an outdated ransomware strain that is used to send its victims ridiculous ransom demands. That was until Michael Gillespie broke the encryption and released a free decryptor. 

As per BleepingComputer, it was not able to verify whether that old decryptor still works with the payloads delivered in the most recent campaign, but it's possible that it can still unlock the files.

According to Cofense, the identical variant has been circulating since June of this year, indicating that MicroCop is still active and that people should be wary when dealing with unwanted emails.

Creator of McAfee Antivirus Software Charged For Conspiracy?

 

Creator of McAfee antivirus software, Businessman John McAfee is charged under a conspiracy to commit fraud and money laundering in the U.S. McAfee and his bodyguard Jimmy Gale Watson Jr are found guilty of advertising cryptocurrencies on Mr. McAfee's huge Twitter follower base to inflate prices. As per prosecutors, these currencies were then sold, earning a total of $2m (€1.45 M). The accused have not issued any response to the charges made.  Currently, McAfee (age 75) is under detention in Spain due to separate charges relating to tax fraud, that he is denying. 

The fresh charges were filed in the Manhattan Federal Court, New York. He is facing potential extradition to the U.S, whereas Watson was captured earlier this week. According to BBC, "in 2012, he made headlines after police in the Central American country of Belize investigated the death of one Mr. McAfee's neighbors and named him as a 'person of interest'. Mr. McAfee left the country saying he feared for his own safety. Officials ultimately said he was not a suspect." McAfee and his bodyguard are accused of buying promoting the cryptocurrency assets on Twitter, where Mr. McAfee has millions of followers. 

As per the US justice department and the Commodity Futures Trading Commission, the plan was to sell these assets the moment the asset's price rose. The pair is said to make $11M (€8m) from the cryptocurrency startup payments via promoting the assets on Twitter, while the investors who bought them were unaware of the payments. As per the federal prosecutor, this equals exploiting a widely used social media platform (in this case Twitter) and the enthusiasm of investors in the growing cryptocurrency sector to profit millions via deceit and lies. In the former case which was disclosed the previous year. 

Mr. McAfee was charged for not filing tax returns from 2014-2018. He is also accused of using different people's names to hide his assets which include a yacht and property. "The entrepreneur, who was born in the UK, also launched unsuccessful bids to become the Libertarian Party's candidate for the US presidential elections in 2016 and 2020. Mr. McAfee has previously expressed his disdain for taxes, tweeting in 2019 that he had not filed tax returns for years because "taxation is illegal", reports BBC.  

FBI Warns Victims Against Scammers Threating with Jail Time

 

Recently the US FBI has noted an increase in phone calls that usually spoof the Bureau’s telephone number. The actors pretend to be FBI officers and ask the victims for their personal information. The FBI headquarters’ number sometimes is "spoof" or false, so that the call appears to originate from the FBI on the calling ID of the destination. In this scam, fraudulent callers posing as an agent of the FBI ask for the personal information of the recipient. These calls are however fraudulent; any genuine law enforcement officer would not ask a citizen for their personal information. The FBI describes this form of fraud as impersonation fraud, which revolves around criminals attempting to raise money. 

The FBI says that the criminals at times attempt to ransom victims to gain publicly identifiable information, whether physical or financial. The scammers are getting more subtle, coordinated, technologically advanced, and are mostly focusing on young and elderly people. 

The most recent case holds the actors acting as FBI agents and threatening their targets with fines and jail times, unless and until the target accords any piece of personal information to the actor. The FBI alerted that the organization has been notified of many such incidents where the actor attempts to steal their personal details. Seemingly, most of the fraudsters are targeting people from North Florida.  

One of the victims of the fraud claimed that scammers first contacted him as a representative of sweepstakes to agree on giving out confidential information in return for a big prize. Following a failure to distribute all the information sought, a second scammer who impersonated an FBI officer called the victim and demanded the same information to help target the sweepstakes organization in its investigation. In another case, the victim was contacted by a threat actor posing to be an FBI representative and asked for personal information. 

"The caller claimed to have an immediate need for personal information about the victim—to include financial account numbers—in order to eliminate the victim as a suspect in the alleged crime," stated the FBI. "When the victim declined to provide the information, the caller threatened fines and jail time." 

In regards to such incidents, the FBI advises the targets to reach out to the nearest local office to verify the incident and help in the further investigation to solve the case. They also said that none of the FBI agents would ever ask for money or personal information and therefore one must be vigilant against such scams.