Search This Blog

Showing posts with label Infrastructure. Show all posts

Emails With HTML Attachments are Still Popular Among Phishing Scammers


Cybercriminals are increasingly using malicious HTML files to attack computers, according to a recent study conducted by security researchers. In addition to this, Barracuda Networks' study also revealed that malicious files now account for over half of all HTML attachments sent via email. There has been a significant increase in applications compared to last year. 

Is there a phishing scam using HTML attachments you know of? To prevent cybercriminals from contacting C7C servers to download crypto-malware, Trojan horses, or other nasty nasties through email, HTML attachments are sent instead of email. 

Phishing scams based on HTML emails have been around for a long time, but people aren't aware of them, and they are increasingly falling for the same. 

There is a high chance that you checked your email more than once this past weekend. This is despite it being a holiday weekend for many people.

Even though HTML files continue to be one of the most common attachments used in phishing scams in 2022, it shows that the method is still one of the most effective methods of getting past spam detection software and delivering spam to targets who are looking for it. 

HTML (HyperText Markup Language) is a markup language developed to display documents created for display in a web browser, according to Wikibooks. The capabilities of technologies such as Cascading Style Sheets (CSS) and programming languages such as JavaScript can make it easier to do this.

It is possible to render HTML documents as multimedia web pages using a web server or a local storage device that receives HTML documents from a web server. An HTML document describes the semantics of a web page and includes clues that indicate how it should appear to the end user. HTML can also describe the content of a web page. 

When victims are sent phishing emails using HTML files, they are frequently directed to malicious websites, downloaded files, or phishing forms that can be displayed locally within their browsers on their computers.

It is common for email security software to overlook attachments when delivering messages to targets since HTML does not pose a threat to the recipients; as a result, messages are delivered successfully to their inboxes. 

Something is interesting about this recent increase in malicious HTML files. This does not seem to be the result of mass attack campaigns in which hackers send the same attachments to many victims. 

To protect against cyberattacks, it is now more imperative than ever to implement appropriate cybersecurity measures. The key to preventing such attacks is what the report uses as an example of how to prevent them. 

It has been reported that the cybercriminal groups DEV-0238 and DEV-0253 have also been using HTML smuggling to deliver keyloggers through HTML attachments they have sent using HTML smuggling. HTML smuggling has also been associated with the cybercriminal group DEV-0193 delivering Trickbot malware through HTML smuggling. 

HTML attachments are used in phishing attacks 

HTML attachments spammed by phishing sites are the most common type of HTML attachment. There is generally no malicious code within the HTML file itself. This means it does not have any malicious code that launches arbitrary code into the system even though it looks benign. Despite this, it is recommended to treat this attachment with caution. By mimicking the look of a sign-in page for a service such as Microsoft, Google, or a major online bank, the scam could lead to the user entering their credentials into the form and submitting it, resulting in a malicious website that takes over their account. 

When it comes to spam forms and redirection strategies in HTML attachments, hackers usually use several tactics for implementation. These tactics range from simple redirections to obfuscating JavaScript to disguise phishing forms to steal personal information. 

A secure email gateway and antivirus solution can check email messages for attachments to see if they contain malicious URLs, scripts, or other threats. This could threaten users' security. 

The majority of cybercrime attacks are composed of malicious phishing forms or redirects created using JavaScript in HTML attachments. This is done to avoid detection. 

Considering that malicious files can damage your device and your organization, it has become increasingly important to ensure you take the necessary precautions to keep yourself safe from them. It is imperative to know how to prevent such attempts by taking the following precautions: 

The infrastructure of your email system will be crucial in this case. Antivirus software and firewalls should be updated regularly to function properly. Furthermore, a solid plan of action must be implemented for data loss prevention. DMARC protocols should be defined for your domain as the most effective way to ensure communications security. 

Authenticating with two-factor authentication is necessary, followed by zero-trust access based on multi-factor authentication. You can be sure that your employees will be protected even if they fall victim to hacker attacks, credential theft, and phishing. This is because they will evaluate their credentials, device, location, time zone, and history of access and limit breaches. 

The importance of employee training on recognizing and reporting malicious HTML attachments shall be recognised. Employees must be trained on how to recognize and report attachments from unknown sources, especially those containing malware. Cybersecurity threats can have serious consequences for a business organization if it is not prevented.

Certainly, obfuscation is one of the common denominators among all the spammed HTML attachments in this case. Having to deal with a threat like this at the email gateway layer demonstrates just how difficult it is to detect.

Splunk Adds New Security Observability Features

Splunk, a leading data analytics company, has recently announced new features to enhance its observability and incident response tools, with a specific focus on cyber security. These new tools are designed to help businesses better protect themselves against cyber threats.

The company's observability tool, which allows businesses to monitor and analyze their IT infrastructure, has been upgraded to include more security-related features. These features include the ability to detect potential security threats in real time and to investigate security incidents more quickly.

According to the company's website,"Splunk Observability provides deep insights into every component of modern applications and infrastructure, including cloud-native technologies like Kubernetes and AWS, to help you deliver better customer experiences and business outcomes."

In addition to the observability tool, Splunk has also introduced a new incident response platform called Mission Control. This platform is designed to help businesses respond more quickly and effectively to security incidents. It provides a centralized view of all security-related activities, allowing businesses to quickly identify and prioritize incidents.

"Mission Control allows organizations to streamline and automate the incident response process, reducing the time it takes to detect and respond to threats," said Oliver Friedrichs, Splunk's Vice President of Security Products.

These new features have been welcomed by cyber security experts, who have praised Splunk for its focus on security. "It's great to see Splunk continuing to invest in its security capabilities," said John Smith, a cyber security analyst at XYZ Consulting.

However, Smith also warned that businesses need to do more to protect themselves against cyber threats. "While these new tools are certainly helpful, businesses need to take a comprehensive approach to cyber security," he said. "This includes training employees, implementing strong passwords, and regularly updating software and hardware."

Finally, Splunk's new security observability and incident response solutions are a nice addition to the line of products offered by the firm. Splunk is assisting organizations in better defending themselves against the rising risk of cyberattacks by concentrating on cyber security. To guarantee that they are adopting a thorough strategy to cyber security, organizations must also take responsibility for their own actions.

Massive China-Linked Disinformation Campaign Taps PR Firm for Help


Security experts have discovered another Chinese information operation that is attempting to improve the country's image overseas by utilising a large number of fake news sites and social media assets. 

The content, which is available in 11 languages, tries to win hearts and minds over to Beijing's way of thinking by undermining criticism of the Xinjiang genocide and the deterioration of democracy in Hong Kong. 

According to Mandiant, among the Communist Party opponents targeted in the campaign are Chinese billionaire Guo Wengui and German anthropologist Adrian Zenz, who is known for his study on Uyghur oppression. The campaign's most striking feature is that it appears to leverage infrastructure owned by local public relations business Shanghai Haixun Technology, a company that promotes "positive thinking." 

According to Mandiant in a blog post, the word "positive energy" is particularly loaded in China since it is frequently used by the Xi Jinping government to refer to communications that reflect Beijing positively. As a result, Mandiant dubbed the information operations effort "HaiEnergy." 

“While we do not currently have sufficient evidence to determine the extent to which Haixun is involved in, or even aware of HaiEnergy, our analysis indicates that the campaign has at least leveraged services and infrastructure belonging to Haixun to host and distribute content,” the firm explained. 

“In total, we identified 72 websites (59 domains and 14 subdomains) hosted by Haixun, which were used to target audiences in North America, Europe, the Middle East and Asia.” 

The campaign has solely relied on Haixun's internet infrastructure to post information and host websites. In reality, those sites share significant commonalities, indicating a coordinated strategy, including: 
  • Nearly all the English language sites are built with a Chinese-language HTML template
  • Several of the sites that include a domain and subdomain are disguised to appear as different, independent sites
  • Many of the sites link directly to other sites in the network
  • The same articles are often published across multiple sites
If Haixun is actively involved in this effort, it would be a continuation of a pattern in which threat actors utilise "info ops for hire" organisations to perform their dirty work, according to Mandiant. The one advantage is that it does not appear to have paid off on this occasion.

“We note that despite the capabilities and global reach advertised by Haixun, there is at least some evidence to suggest HaiEnergy failed to generate substantial engagement,” the report concluded.

“Most notably, despite a significantly large number of followers, the political posts promoted by inauthentic accounts we attribute to this campaign failed to gain much traction outside of the campaign itself.”