Search This Blog

Showing posts with label Fraud Mails. Show all posts

Emotet Malware Campaign Masquerades the IRS for 2022 Tax Season

 

The Emotet malware botnet is taking advantage of the 2022 tax season in the United States by mailing out fraudulent emails posing as the Internal Revenue Service, which is supposed to be issuing tax forms or federal returns. 

Emotet is a malware infection spread via phishing emails with malicious macros attached to Word or Excel documents. When the user opens these documents, they will be misled into allowing macros that will install the Emotet malware on the device. Emotet will capture victims' emails to use in future reply-chain attacks, send more spam emails, and eventually install other malware that could lead to a Conti ransomware assault on the targeted network once it is implemented. 

Researchers have discovered various phishing attempts masquerading the Internet Revenue Service (IRS.gov) that use lures relevant to the 2022 US tax season, according to a recent analysis by email security firm Cofense. These emails ostensibly come from the IRS, and they claim to be sending the recipient their 2021 Tax Return, W-9 forms, and other tax documents that are often needed during tax season. 

While the subject lines and content of IRS-themed emails vary, the fundamental notion is that the IRS is contacting the company with either finished tax forms or ones that one must fill out and return. Zip files or HTML pages that lead to zip files are attached to the emails and are password-protected to avoid detection by secure email gateways. Third-party archive programs like 7-Zip, on the other hand, have no trouble extracting the files. 

A 'W-9 form.xslm' Excel file is included in the zip files, and when viewed, it prompts the user to click the "Enable Editing" and "Enable Content" buttons to see the document correctly. When a user clicks one of these buttons, malicious macros are launched, downloading and installing the Emotet virus from hacked WordPress sites. Once Emotet is loaded, it will download further payloads, which in recent campaigns have mostly been Cobalt Strike. 

Emotet has also dropped the SystemBC remote access Trojan, according to Cryptolaemus, an Emotet research organisation. With the Conti Ransomware gang now developing Emotet, all businesses, large and small, should be on the watch for these phishing tactics, which can escalate to ransomware assaults and data theft. It's important to remember that the IRS never sends unsolicited emails and only communicates via postal mail. As a result, if anyone receives an email from the IRS purporting to be from the IRS, flag it as spam and delete it.

Consumers Warned of Rising Delivery Text Scams

 

Consumers are being advised to be wary of delivery scam texts while purchasing online for Christmas and Boxing Day sales. 

New research from cybersecurity firm Proofpoint shows that delivery 'smishing' scams are on the rise during the busiest shopping season of the year, according to UK Finance. So far in Q4, more than half (55.94%) of all reported smishing text messages impersonated parcel and package delivery firms. In Q4 2020, only 16.37 percent of smishing efforts were made. 

In comparison to Q4 2020, Proofpoint saw a considerable decrease in different types of smishing frauds in Q4 2021. Text scams mimicking financial institutions and banks, for example, accounted for 11.73 percent of all smishing attacks in 2021, compared to 44.57 percent in 2020. 

The information comes from Proofpoint's operation of the NCSC's 7726 text message system. Customers can use this method to report suspicious texts. 

Delivery smishing scams typically begin with a fraudster sending a bogus text message to the recipient alerting them that the courier was unable to make a delivery and demanding a charge or other information to rearrange. The consumer will be directed to a fake package delivery company's website, where they will be asked to provide personal and financial information. 

Following the significant development in online shopping during COVID-19, this form of scam has become increasingly common. Over two-thirds (67.4%) of all UK texts were reported as spam to the NCSC's 7726 text messaging system in the 30 days to mid-July 2021, according to Proofpoint. 

Which? revealed a very clever smishing fraud involving an extremely convincing DPD fake website in a recent investigation. 

Katy Worobec, managing director of economic crime at UK Finance, commented: “Scrooge-like criminals are using the festive season to try to trick people out of their cash. Whether you’re shopping online or waiting for deliveries over the festive period, it’s important to be on the lookout for scams. Don’t let fraudsters steal your Christmas – always follow the advice of the Take Five to Stop Fraud campaign and stop and think before parting with your information or money.” 

Steve Bradford, senior vice president EMEA at SailPoint, stated: “The sharp rise in text message scams – or smishing, which has increased tenfold compared to last year, should be a stark warning to the public. With parcel delivery scam texts expected to spike this Christmas, it’s clear cyber-criminals are using every opportunity available to target victims using new methods. This comes as more businesses use SMS to engage with customers, to accommodate the digital-first mindset that now characterizes many consumers. But this also opens the doors to threat actors able to masquerade as popular websites or customer service support."

“Consumers must be extra vigilant and refrain from clicking any links in text messages that they’re unsure about. It’s also crucial they are keeping their data, identities, and banking information safe – for example, by not taking pictures of their credit card and financial information, since photos often get stored in the cloud, which risks potential exposure to malicious actors.”

Scam Phishing Network Costs Victims $80m Per Month

 

Researchers discovered a sophisticated phishing attack that costs millions of people across the world around $80 million per month. 

The campaign, according to security firm Group-IB, targets consumers in over 90 countries, including the United States, Canada, South Korea, and Italy. It sends out fraudulent surveys and giveaways from well-known companies in order to acquire their personal and financial information. According to the firm, a single network targets over 10 million victims and 120 brands. 

“Fraudsters trap their victims by distributing invitations to partake in the survey, after which the user would allegedly get a prize. Each such offer contains a link leading to the survey website. For ‘lead generation,’ the threat actors use all possible legitimate digital marketing means: contextual advertising, advertising on legal and completely rogue sites, SMS, mailouts, and pop-up notifications,” Group-IB explained. 

“To build trust with their victims, scammers register look-alike domain names to the official ones. Less frequently, they were also seen adding links to the calendar and posts on social networks. After clicking the targeted link, a user gets in the so-called traffic cloaking, which enables cyber-criminals to display different content to different users, based on certain user parameters.” 

While the victim is being sent to this 'branded survey,' information about their experience is being gathered and used to personalise a final harmful link that can only be opened once, making it more difficult to identify and shut down the scam. 

Group-IB noted, “At the final stage, the user is asked to answer questions to receive a prize from a well-known brand and to fill out a form asking for their personal data, which is allegedly needed to receive the prize. The data required usually includes the full name, email, postal address, phone number, bank card data, including expiration date and CVV.” 

Dmitriy Tiunkin, the vendor's head of digital risk protection in Europe, called the current situation a "scamdemic." The firm discovered 60 separate networks, each with over 70 domain names, running similar targeted links.

Intuit Alerted QuickBooks Customers About Ongoing Phishing Attacks

 

QuickBooks users have been warned by Intuit that they are being targeted by a phishing campaign masquerading the firm and attempting to entice possible victims with fraudulent renewal charges. 

According to the company, it received reports from customers who were emailed and informed that their QuickBooks plans had expired. 

"This email did not come from Intuit. The sender is not associated with Intuit, is not an authorized agent of Intuit, nor is their use of Intuit's brands authorized by Intuit," Intuit explained. 

All customers who got one of these phishing emails are advised not to click any links included in the emails or open files. To avoid getting attacked with malware or being redirected to a phishing landing page meant to gather credentials, it is advisable to delete them. 

Customers who have already opened attachments or followed links in the phishing emails should do the following: 
  • Delete any downloaded files as soon as possible. 
  • Scan their systems with an updated anti-malware solution. 
  • Reset their passwords. 
  • On its support page, Intuit also provides guidance on how customers may defend themselves against phishing attacks. 
To avoid having their databases damaged or corporate backup files automatically deleted, Intuit also warned users in July about phishing emails that asked them to contact a phone number to update to QuickBooks 2021 by the end of the month. 

According to BleepingComputer, identical emails were sent to Intuit customers this month, using a very similar style, with the update deadline switched to the end of October. While Intuit did not clarify how the upgrade scheme worked, past encounters with similar scam efforts have led BleepingComputer to believe that the fraudsters will attempt to take over the callers' QuickBooks accounts. 

To accomplish this, they pose as QuickBooks support employees and encourage victims to install remote access software such as TeamViewer or AnyDesk. Then they communicate with the victims and ask for the information needed to change their QuickBooks passwords and take control of their accounts in order to drain their money by making payments in their names. 

If the victims have two-factor authentication activated, the fraudsters will request the one-time permission code required to proceed with the upgrade. 

Copyright scams and account takeover attacks 

In addition to these two active campaigns, Intuit is also being impersonated by other threat actors in a bogus copyright phishing scheme, according to SlickRockWeb's CEO Eric Ellason. Recipients of these emails face the risk of becoming infected with the Hancitor (aka Chanitor) malware downloader or having Cobalt Strike beacons installed on their computers. 

The embedded URLs send potential victims through sophisticated redirection chains that employ different security evasion tactics and victim fingerprinting malicious spam. 

In June, Intuit also alerted TurboTax customers that intruders got entry to some of their personal and financial information as a result of a series of account takeover assaults. According to the firm, there was not a "systemic data breach of Intuit." 

As per the company's investigation, the attackers used credentials acquired from "a non-Intuit source" to obtain entry to the customers' accounts, including their name, Social Security number, address(es), date of birth, driver's licence number, financial information, and other personal information.