Showing posts with label Phishing Attack.

Savvy Seahorse: The DNS-based Traffic Distribution System Undermining Cybersecurity


In the vast landscape of cyber threats, a new player named Savvy Seahorse has emerged, showcasing a distinctive modus operandi that sets it apart from its counterparts. While the investment scam it orchestrates is unfortunately commonplace, it's the intricate infrastructure supporting it that demands attention. 

Savvy Seahorse employs a sophisticated Traffic Distribution System (TDS), capitalizing on the Domain Name System (DNS) to perpetually alter its malicious domains, making takedowns a formidable challenge. This TDS, as detailed in a recent report by Infoblox, leverages Canonical Name (CNAME) records to maintain a fluid network of thousands of diverse domains. 

TDS networks have traditionally been HTTP-based; using DNS for this purpose is a novel approach that poses unique challenges for cybersecurity professionals. Renée Burton, Head of Threat Intelligence at Infoblox, emphasizes that DNS-based TDSs are often overlooked, with the prevailing focus on HTTP-based systems.

Savvy Seahorse, meanwhile, has been operational since at least August 2021, operating in the shadows and evading conventional detection methods. The key to its success lies in its use of CNAME records. In DNS, a CNAME record lets multiple names map to a single base (canonical) domain. Savvy Seahorse manipulates this seemingly innocuous feature to scale and relocate its operations rapidly.

When one phishing site is shut down, the threat actor effortlessly shifts to a new one, using CNAME records as a map to mirror sites. The indirection works at the hosting level too: if hosting infrastructure is shut down, Savvy Seahorse can swiftly point the CNAME target at a different address, ensuring resilience and evading detection.

The attacker's ability to advertise any subdomain for a brief period further complicates tracking and takedown efforts. Crucially, CNAME serves as both Savvy Seahorse's strength and vulnerability. While the threat actor has cunningly utilized 30 domain registrars and 21 ISPs to host 4,200 domains, they all trace back to a single base domain: b36cname[.]site. This centralized link becomes Savvy Seahorse's Achilles' heel, presenting a unique opportunity for defenders. 

From a threat intelligence perspective, countering Savvy Seahorse involves a relatively straightforward approach – blocking the one base domain to which the CNAME points. Renée Burton notes that despite the existence of thousands of malicious domains, there's only one malicious CNAME. This single point of failure provides defenders with a potent strategy, allowing them to neutralize the entire threat with one decisive action. 
While attackers theoretically have the option to build malicious networks using multiple CNAMEs, Burton highlights a trend among cybercriminals to aggregate towards a smaller set of CNAMEs. This strategic choice, possibly driven by a desire to avoid detection, simplifies the task for defenders, who can focus efforts on a limited number of CNAMEs associated with the threat. 
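The defensive logic the report describes (thousands of aliases, one blockable base domain) can be checked mechanically: follow each name's CNAME chain and flag any chain that lands on a blocked canonical domain. The script below is an added example, not Infoblox's tooling or code from this post; the record table is constructed for illustration, and only the base domain b36cname[.]site comes from the reporting above. It also handles a CNAME loop, which a naive chain-follower would spin on.

```python
"""Added example: follow CNAME chains offline and flag names that resolve,
directly or through intermediate aliases, to a blocked base domain."""
from typing import Dict, List

# Constructed CNAME table: alias -> target. Names absent from the table are
# treated as terminal (they would answer with A/AAAA records or NXDOMAIN).
SAMPLE_CNAMES: Dict[str, str] = {
    "promo.example-one.test.": "cdn-abc.example-one.test.",
    "cdn-abc.example-one.test.": "b36cname.site.",           # two hops to the base
    "login.example-two.test.": "b36cname.site.",             # one hop to the base
    "news.example-three.test.": "edge.example-three.test.",
    "edge.example-three.test.": "edge.example-three.test.",  # deliberate loop
    "www.benign.test.": "host.benign.test.",                 # unrelated alias
}

# Block the canonical domain named in the report, plus anything under it.
BLOCKED_BASE_DOMAINS = {"b36cname.site."}
MAX_HOPS = 8  # real resolvers also cap CNAME chains; 8 is a typical limit


def normalize(name: str) -> str:
    """Lower-case and make the name fully qualified (single trailing dot)."""
    return name.strip().lower().rstrip(".") + "."


def follow_cname_chain(name: str, cnames: Dict[str, str] = SAMPLE_CNAMES,
                       max_hops: int = MAX_HOPS) -> List[str]:
    """Return [name, target1, target2, ...]. Stops at a terminal name, when a
    loop is detected (the repeated name stays as the last entry), or after
    max_hops aliases."""
    chain = [normalize(name)]
    seen = {chain[0]}
    while chain[-1] in cnames and len(chain) <= max_hops:
        nxt = normalize(cnames[chain[-1]])
        chain.append(nxt)
        if nxt in seen:
            break
        seen.add(nxt)
    return chain


def under_blocked_base(fqdn: str, blocked=BLOCKED_BASE_DOMAINS) -> bool:
    """True if fqdn is a blocked base domain or a subdomain of one."""
    return any(fqdn == base or fqdn.endswith("." + base) for base in blocked)


def is_blocked(name: str, cnames: Dict[str, str] = SAMPLE_CNAMES,
               blocked=BLOCKED_BASE_DOMAINS) -> bool:
    """Block decision: any hop of the chain (the queried name included)
    lands on a blocked base domain."""
    return any(under_blocked_base(hop, blocked)
               for hop in follow_cname_chain(name, cnames))


def triage(names, cnames=SAMPLE_CNAMES, blocked=BLOCKED_BASE_DOMAINS) -> Dict[str, dict]:
    """Summarise a batch of names: verdict plus the chain that justified it."""
    report = {}
    for name in names:
        chain = follow_cname_chain(name, cnames)
        report[normalize(name)] = {
            "chain": chain,
            "looped": len(chain) > 1 and chain[-1] in chain[:-1],
            "blocked": any(under_blocked_base(hop, blocked) for hop in chain),
        }
    return report


if __name__ == "__main__":
    for name, info in triage(SAMPLE_CNAMES).items():
        print(f"{name:32} blocked={info['blocked']!s:5} loop={info['looped']!s:5} "
              f"via {' -> '.join(info['chain'])}")
```

Matching on the base domain (and anything under it) rather than on the individual aliases is what gives the defender the single point of failure the report describes: new aliases keep appearing, but every chain that ends at the same canonical name is caught without a list update.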

Savvy Seahorse's exploitation of DNS-based TDS with CNAME records presents a new frontier in cyber threats. The intricate dance between attackers and defenders highlights the importance of understanding and adapting to evolving tactics. As defenders fortify their strategies, the hope is to stay one step ahead of sophisticated threat actors like Savvy Seahorse, ensuring a safer digital landscape for individuals and organizations alike.

Here's How To Steer Clear Of QR Code Hacking

QR codes, present for years and widely embraced during COVID-19, offer great benefits. Yet, cybercriminals exploit them, creating malicious QR codes to unlawfully access your personal and financial data. These tampered codes pose a threat, potentially leading to unauthorised access, financial loss, and malware on your smartphone. 

Used extensively for contactless payments, paperless menus, and quick information access, QR codes are embedded in modern phone systems. Scanning a code takes seconds, but the ease of tampering has led to a surge in QR phishing attacks. Stay vigilant against potential threats when using QR codes to protect your digital safety. 

Let's see how it works 

QR code hacking is surprisingly uncomplicated, thanks to the abundance of generator tools available. In just a couple of minutes, scammers can create fake QR codes that mimic authentic ones found in public spaces. The challenge lies in the fact that the human eye struggles to distinguish between a genuine and a malicious QR code. Exploiting this, scammers trick users into scanning their fraudulent codes, leading them to malicious websites. 

Once a user scans the tampered QR code, the potential for harm escalates. Cybercriminals often replace legitimate QR codes in public areas, like cafes or parking lots, with their malicious counterparts. The ultimate goal is to gain access to personal information and financial details, or even to compromise the security of the user's device. These deceptive QR codes might redirect users to payment sites or unauthorised social media profiles, or initiate actions such as sending emails without consent, all of which can result in the theft of login credentials and damage to one's reputation. Staying alert and recognizing warning signs before interacting with unfamiliar QR codes is crucial to avoid falling victim to these scams. 

Let's explore practical measures that strengthen our protection. 

 1. Public Vigilance: 

Stay alert in public spaces, refraining from scanning QR codes where tampering is more likely. Be watchful for deceptive stickers replacing genuine codes. 

 2. URL Scrutiny: 

Before proceeding, meticulously inspect the URL revealed by the QR code. Shortened URLs should trigger heightened caution, prompting a thorough review. 

 3. Language Alerts: 

Keep an eye out for grammatical errors and poor English when interacting with QR codes. Scammers often neglect language quality on fraudulent websites. 

 4. Package Precaution: 

Exercise caution when scanning QR codes on unexpected packages. Confirm orders through official channels to avoid potential scams. 

 5. Crypto-Smart Practices: 

Approach QR codes linked to cryptocurrency transactions with scepticism. Verify such communications through official channels to safeguard personal information. 

 6. App Awareness: 

Say no to downloading apps from QR codes, particularly if not from official stores. Stick to Google Play or the App Store to ensure app legitimacy and preserve your device's security. 
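Tip 2 (URL scrutiny) is the one step that can be automated before a link is opened. The checker below is an added example, not code from this post; its heuristics are mine and illustrative (the shortener list is a handful of real, widely used hosts, not an exhaustive one), and it only reads the decoded URL text, so it runs without a camera or network.

```python
"""Added example: inspect the URL decoded from a QR code before opening it.
Each signal maps to a common lure trick; a non-empty signal list means
'review before opening', not 'definitely malicious'."""
import ipaddress
from urllib.parse import urlsplit

# Real, widely used shortener hosts; illustrative, not exhaustive.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}


def inspect_qr_url(url: str) -> dict:
    """Return the parsed host, the warning signals found, and a verdict."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    signals = []

    if scheme not in ("http", "https"):
        signals.append("non-web-scheme")        # tel:, sms:, intent: style lures
    elif scheme != "https":
        signals.append("not-https")
    if "@" in parts.netloc:
        signals.append("userinfo-before-host")  # 'trusted.example@real-host' trick
    try:
        ipaddress.ip_address(host)
        signals.append("ip-literal-host")       # brands rarely link to bare IPs
    except ValueError:
        pass
    if host in SHORTENER_HOSTS:
        signals.append("url-shortener")         # destination hidden until followed
    if any(label.startswith("xn--") for label in host.split(".")):
        signals.append("punycode-label")        # possible homoglyph domain
    if host.count(".") >= 3:
        signals.append("deep-subdomain")        # brand name buried in a subdomain
    if not host:
        signals.append("no-host")

    verdict = "ok" if not signals else "review-before-opening"
    return {"url": url, "host": host, "signals": signals, "verdict": verdict}


def inspect_many(urls) -> list:
    """Batch form, handy for a pile of decoded codes from one venue."""
    return [inspect_qr_url(u) for u in urls]


if __name__ == "__main__":
    # Constructed sample inputs; 203.0.113.0/24 is a documentation range.
    for result in inspect_many([
        "https://www.example.com/menu",
        "http://bit.ly/3abc",
        "https://bank.example.com@203.0.113.5/login",
    ]):
        print(result["verdict"], result["host"], result["signals"])
```

The userinfo check is worth keeping even though browsers strip it: a reader who sees "bank.example.com" at the start of the address is looking at the part the host will ignore, and the host the request actually goes to is whatever follows the "@".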


 Stay Alert to the Surge in QR Code Scams

As QR code scams proliferate, be on high alert for potential threats. If you fall victim to one of these hacks, take immediate action. Change your account passwords, notify your bank of the incident, and bolster your security with two-factor authentication (2FA) for crucial services like Google and Microsoft. Safeguard your sensitive information by utilising a reliable password manager to deter prying eyes.

Phishing Campaign Targets Instagram Users, Steals Backup Codes and Circumvents 2FA Protection


A recent phishing scheme has emerged, posing as a 'copyright infringement' email to deceive Instagram users and pilfer their backup codes. These codes, integral for the recovery of accounts, are used to circumvent the two-factor authentication safeguarding users' accounts.

Two-factor authentication is a security layer demanding an extra form of verification during login. This commonly involves one-time passcodes sent via SMS, codes from authentication apps, or hardware security keys. Employing 2FA is crucial in shielding accounts in the event of compromised credentials, requiring a threat actor to access the user's mobile device or email to gain entry.

When 2FA is enabled, Instagram provides eight-digit backup codes as a fail-safe for scenarios such as changing phone numbers, losing a device, or losing access to email. However, these backup codes pose a risk if obtained by malicious actors: combined with the user's credentials, acquired through phishing or unrelated data breaches, they allow an attacker to seize an Instagram account from an unauthorized device.

The phishing tactic involves sending messages alleging copyright infringement, claiming the user violated intellectual property laws, resulting in account restrictions. Users are then prompted to click a button to appeal, leading them to phishing pages where they unwittingly provide account credentials and other information.

Trustwave analysts discovered the latest iteration of this attack, where phishing emails mimic Meta, Instagram's parent company. The deceptive email warns users of copyright infringement complaints and urges them to fill out an appeal form to address the issue. Clicking on the provided button redirects the victim to a fake Meta violations portal, where they are prompted to click another button, purportedly for confirming their account.

This second click redirects to another phishing page resembling Meta's "Appeal Center" portal, prompting victims to input their username and password twice. After acquiring these details, the phishing site requests confirmation of 2FA protection and, upon affirmation, demands the 8-digit backup code.

Despite identifiable signs of fraud, such as misleading sender addresses and URLs, the convincing design and urgency of the phishing pages could still deceive a significant number of targets into divulging their account credentials and backup codes.

Backup codes should be treated with the same confidentiality as passwords. There is never a legitimate reason to enter them anywhere other than the official Instagram website or app, and keeping to that rule is the simplest protection against phishing campaigns of this kind.

Tips for Banks to Prevent Data Breaches Through Phishing Education


Despite rapid advances in technology, phishing remains one of the most common cybersecurity hazards. According to recent studies, phishing losses in the US alone were $52 million.

A lack of proper cybersecurity awareness could be one reason why phishing attacks are escalating at a concerning rate. While many financial institutions recognize the importance of cybersecurity, they fail to educate their employees accordingly. 

Here, we are mentioning some ideas which might help banks to thwart phishing efforts and safeguard the information of their customers and employees:

Focus on Behavioral Change

The majority of banks use a similar approach for their cybersecurity training programs: they put all of their non-technical staff in a room, have their security team give a lecture with a few slides showing breach numbers, and attempt to scare them into acting accordingly.

It goes without saying that this strategy is ineffective. It is time for banks to start seeing their staff as a bulwark against phishing attempts rather than as a risk.

One way to do this is for banks to change how employees behave under stress, rather than simply making them aware of the stressful situations and threatening them. For example, instead of merely showing them malicious emails, banks should teach the concrete steps employees must follow to identify such emails. 

A bank can also do this by running simulations of these situations, where an employee is free to make mistakes and learn from them. Employees can then judge their own actions and receive instant feedback in a safe environment, so that an actual breach is not the only time they ever get feedback. 

Employees can view learning paths and review progress on simulation platforms. The skills of a technical employee will differ greatly from those of a non-technical one. The way forward is to provide positive feedback throughout and to customize learning paths.

Install Security as a Founding Principle

For most banks, the importance of security is communicated with a negative attitude. They draw attention to the possibility of a breach, the harm to the bank's reputation, and the possible consequences for an employee's career should they fall prey to phishing scams.

When a worker receives a phony email from someone posing as their manager, these intimidation techniques are ineffective. Because they trust the manager's persona, employees are unlikely to refuse a request from it. Rather, banks ought to embrace a proactive stance and integrate security into their overall brand.

For example, instead of frightening employees into not clicking malicious links, banks should introduce policies that let an employee quickly determine whether an email is a phishing attempt. Giving them access to an automated tool or having security staff on call are excellent choices.

Policies ranging from shredding and discarding important documents in secure bins to everyday cybersecurity practices are essential. Employees must be reminded that the work they do is in fact critical and that their actions do matter.

Set Communication Templates

Bank personnel use email, which is rich in data, to communicate with a variety of stakeholders. Malicious actors exploit this by impersonating someone else and deceiving workers into downloading malware.

Informing staff members of appropriate communication styles and methods is one way to avoid situations like this one. Establishing a communication template, for example, will enable staff members to quickly spot emails that depart from the standard.

External actors are unlikely to be familiar with internal communication templates, so they will likely send emails in a form that staff readily recognize as non-compliant. Although putting such a procedure in place may sound oppressive, it is the most effective technique for helping staff see through a false identity.

For instance, most staff members will click on an email from the bank's CEO right away. But if they notice that the communication format is wrong, they will look past the CEO persona. With their attention on the format, employees are less likely to click on a link that could be harmful.

These templates are ingrained in the company's culture, and how banks convey their significance will determine a lot. Once more, a fear-based strategy rarely succeeds. Banks need to consider effective ways to enforce them.  
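A communication template only helps if deviations from it are easy to spot, and the simplest deviations can be checked by a mail filter before a human ever sees the message. The script below is an added example and not any bank's real tooling: the internal domain, the executive roster, the subject prefix and the sign-off line are all hypothetical template rules, and the two messages are constructed. It returns the list of rule violations, so a compliant message yields an empty list.

```python
"""Added example: check an inbound message against a hypothetical internal
communication template (sender domain, executive display names, Reply-To,
subject prefix, sign-off line)."""
import email
from email import policy
from email.utils import parseaddr
from typing import List

INTERNAL_DOMAIN = "examplebank.test"                          # hypothetical bank domain
EXEC_ROSTER = {"jane doe": "jane.doe@examplebank.test"}       # hypothetical: display name -> real address
SUBJECT_PREFIX = "[EB-INTERNAL]"                              # hypothetical template rule
REQUIRED_SIGNOFF = "-- Example Bank Internal Communications"  # hypothetical template rule


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased; empty if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_template(raw_message: str) -> List[str]:
    """Return template violations for a raw RFC 822 message (empty = compliant)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    violations = []

    display, addr = parseaddr(str(msg.get("From", "")))
    if _domain(addr) != INTERNAL_DOMAIN:
        violations.append("external-sender")
    expected = EXEC_ROSTER.get(display.strip().lower())
    if expected and addr.lower() != expected:
        violations.append("display-name-impersonation")   # CEO name, wrong address

    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and _domain(reply_to) != _domain(addr):
        violations.append("reply-to-domain-mismatch")     # answers go elsewhere

    if not str(msg.get("Subject", "")).startswith(SUBJECT_PREFIX):
        violations.append("subject-prefix-missing")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if REQUIRED_SIGNOFF not in text:
        violations.append("signoff-missing")
    return violations


# Constructed sample messages (not real mail).
LEGIT_MESSAGE = """From: Jane Doe <jane.doe@examplebank.test>
To: teller@examplebank.test
Subject: [EB-INTERNAL] Quarterly training schedule

Please see the updated schedule on the intranet.

-- Example Bank Internal Communications
"""

SPOOFED_MESSAGE = """From: Jane Doe <ceo.janedoe@example.org>
Reply-To: replies@example.net
To: teller@examplebank.test
Subject: Urgent request

I need this handled before noon, please reply to this address only.
"""

if __name__ == "__main__":
    print("legit  :", check_template(LEGIT_MESSAGE))
    print("spoofed:", check_template(SPOOFED_MESSAGE))
```

The display-name check is the one most worth keeping: an employee reads "Jane Doe", the filter reads the address behind it, and only the latter is compared with the roster.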

Hackers are Using Fake PC News Website to Distribute Infostealers


Researchers made an effort to warn users last year not to click on Google Ads in search results, but it appears those warnings went unheeded, as hackers continue to use malicious ads to infect unsuspecting users with malware. 

Malvertising, or malicious advertising, has grown in popularity among cybercriminals as phishing attacks and malicious apps have become less effective. Instead, hackers are now purchasing advertising space on Google Search and other search engines in order to trick users into installing malware. 

One way they do this is by imitating well-known brands. So far, we've seen hackers pose as Amazon, USPS, CCleaner, Notepad++, and other prominent brands. According to a report from the email security firm Vade, Facebook and Microsoft continue to be the most impersonated brands since 2020. 

Unsuspecting PC users who click on an advertisement in this new campaign are led to a fake download portal that looks authentic to the unwary eye. Instead of CPU-Z, though, the website offers a digitally signed MSIX installer that includes a malicious PowerShell script for the FakeBat loader. 

Malware loaders, as their name implies, are similar to malware droppers on your smartphone in that they are used to infect your computer with malicious software. This loader downloads and installs the Redline stealer onto a targeted PC. The personal information of a victim can be acquired through this malware via the theft of credit card numbers, VPN passwords, saved passwords, system data, cryptocurrency wallets, browser histories, and cookies. 

Another intriguing aspect of this campaign is that not every user who clicks on these malicious CPU-Z advertisements is redirected to a fake download page. Those who aren't being targeted are instead directed to what looks to be a typical blog with several articles on it.

Impersonation Attack: Cybercriminals Impersonate AUC Head Using AI


Online fraudsters, in another shocking case, have used AI technology to pose as Moussa Faki Mahamat, the chairman of the African Union Commission. This bold cybercrime revealed gaps in the African Union (AU) leadership's communication channels as imposters successfully mimicked Faki's voice, held video conferences with European leaders, and even set up meetings under false pretences.

About the African Union Commission and its Leadership

The African Union Commission (AUC) is an executive and administrative body, functioning as the secretariat of the African Union (AU). It plays a crucial role in coordinating AU operations and communicating with foreign partners, much like the European Commission does inside the European Union. 

The chairperson of the AUC, Moussa Faki Mahamat, often holds formal meetings with global leaders arranged through a "note verbale." The AU leadership regularly schedules meetings with representatives of other nations or international organizations using these diplomatic notes.

Now, however, these routine meetings have been disrupted by AI-enabled cybercrime. The cybercriminals apparently impersonated Mahamat successfully, conducting meetings under his guise. The imitation, which went so far as to mimic Faki's voice, alarmed leaders in Europe and at the AUC.

About the Impersonation Attack

The cybercriminals also spoofed email addresses to pose as the AUC's deputy chief of staff in order to set up phone conversations between Faki and foreign leaders. They even joined meetings with several European leaders, using deepfake video to pass for Faki.

After realizing the issue, the AUC reported these incidents, confirming that it would communicate with foreign governments through legitimate diplomatic channels, usually through their embassies in Addis Ababa, the home of the AU headquarters.

The AUC has categorized these fraudulent emails as “phishing,” suggesting that the threat actors may have attempted to acquire digital identities for illicit access to critical data. 

Digitalization and Cybersecurity Challenges in Africa

While Africa’s digital economy has had a positive impact on its overall economy, with an estimate of USD 180 billion by 2025, the rapid development in digitalization has also contributed to an increase in cyber threats. According to estimates posted on the Investment Monitor website, cybercrime alone might cost the continent up to USD 4 billion annually.

While the AUC has expressed regret over the deepfake of Moussa Faki Mahamat's identity, the organization did not provide any further details of the investigation or the identity of the criminals. Nor did the AUC mention any future plans to improve its defences against deepfake attacks.

The incident has further highlighted the significance of more robust cybersecurity measures and careful channel monitoring for government and international organizations.

Inside the Realm of Black Market AI Chatbots


With AI tools helping organizations and online users in a tremendously proficient way, this trending technology has obvious dark sides. One of them is the notorious versions of AI bots.

A user may gain access to one such 'evil' version of OpenAI's ChatGPT. While these AI versions may not be legal in some parts of the world, they can be pricey. 

Gaining Access to Black Market AI Chatbots

Gaining access to the evil chatbot versions can be tricky. To do so, a user must find the right web forum with the right users, who may have advertised a private and powerful large language model (LLM). One can get in touch with these users on encrypted messaging services like Telegram, where they might ask for a few hundred dollars in cryptocurrency for an LLM. 

After gaining access, users can do anything, especially the things that are prohibited in ChatGPT and Google's Bard, like having conversations with the AI about how to make pipe bombs or cook meth, engaging in discussions about any illegal or morally questionable subject under the sun, or even using it to fuel phishing schemes and other cybercrimes.

“We’ve got folks who are building LLMs that are designed to write more convincing phishing email scams or allowing them to code new types of malware because they’re trained off of the code from previously available malware[…]Both of these things make the attacks more potent, because they’re trained off of the knowledge of the attacks that came before them,” says Dominic Sellitto, a cybersecurity and digital privacy researcher at the University of Buffalo.

These models are becoming more prevalent, strong, and challenging to regulate. They also herald the opening of a new front in the war on cybercrime, one that cuts far beyond text generators like ChatGPT and into the domains of audio, video, and graphics. 

"We're blurring the boundaries in many ways between what is artificially generated and what isn't[…]The same goes for the written text, and the same goes for images and everything in between," explained Sellitto.

Phishing for Trouble

Phishing emails, which demand that a user provide their financial information immediately to the Social Security Administration or their bank in order to resolve a fictitious crisis, cost American consumers close to $8.8 billion annually. The emails may contain seemingly innocuous links that actually download malware or viruses, allowing hackers to take advantage of any sensitive data directly from the victim's computer.

Fortunately, these phishing mails have been quite easy to detect. Even when they have not yet landed in a user's spam folder, one can identify them by their language: informal, grammatically incorrect wording that any legitimate financial firm would never use. 

However, with ChatGPT, it is becoming difficult to spot any error in the phishing mails, bringing about a veritable AI generative boom. 

“The technology hasn’t always been available on digital black markets[…]It primarily started when ChatGPT became mainstream. There were some basic text generation tools that might have used machine learning but nothing impressive,” Daniel Kelley, a former black hat computer hacker and cybersecurity consultant explains.

According to Kelley, these LLMs come in a variety of forms, including BlackHatGPT, WolfGPT, and EvilGPT. He claimed that many of these models, despite their nefarious names, are actually just instances of AI jailbreaks, a term for the deft manipulation of existing LLMs such as ChatGPT to achieve desired results. These models are then wrapped in a customized user interface, creating the impression of a chatbot entirely distinct from ChatGPT.

However, this does not make such AI models any less harmful. In fact, Kelley believes that one particular model is among the most malicious and genuine: according to one description of WormGPT on a forum promoting the model, it is an LLM made especially for cybercrime that "lets you do all sorts of illegal stuff and easily sell it online in the future."

Both Kelley and Sellitto agree that WormGPT could be used in business email compromise (BEC) attacks, a kind of phishing technique in which employees' information is stolen by pretending to be a higher-up or another authority figure. The language the model generates is incredibly clear, with precise grammar and sentence structure, making it considerably more difficult to spot at first glance.

One must also take into account that, with easier access to the internet, virtually anyone can download these notorious AI models, making them easier to disseminate. It is similar to a service that offers same-day mailing for buying firearms and ski masks, only that these firearms and ski masks are targeted at and built for criminals.

MrTonyScam: Python-based Stealers Deployed via Facebook Messenger


A new phishing attack has recently been observed on Facebook Messenger, where messages carrying malware attachments are sent from a "swarm of fake and hijacked personal accounts" with the aim of accessing targets' business accounts. 

The attack, referred to as ‘MrTonyScam,’ executes its attacks by sending messages to their targets compelling them to click on their RAR and ZIP archive attachments, and launching a dropper that downloads the subsequent stage from a GitHub or GitLab repository.

Oleg Zaytsev, Guardio Labs researcher states in an analysis published over the weekend, "Originating yet again from a Vietnamese-based group, this campaign uses a tiny compressed file attachment that packs a powerful Python-based stealer dropped in a multi-stage process full of simple yet effective obfuscation methods."

This payload is another archive file with a CMD file inside it. The CMD file in turn contains an obfuscated Python-based stealer that exfiltrates all cookies and login information from various web browsers to a Telegram or Discord API endpoint under the actor's control.

A notable tactic used by the threat actors is that they delete all cookies once they have stolen them, in order to lock victims out of their own accounts. They then hijack the victim's session with the stolen cookies, changing passwords and thus acquiring complete control. 
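The exfiltration step described above has a recognisable network shape: an HTTP POST to a Telegram or Discord API endpoint from a process that is not a messaging client or browser, often carrying a large upload. The detection below is an added example, not Guardio's analysis code; the proxy-log format, the process names and every log line are constructed, and the bot-token and webhook path shapes are the publicly documented URL forms of the Telegram Bot API and Discord webhooks, not values from this post.

```python
"""Added example: detection logic for stealer-style exfiltration to Telegram or
Discord API endpoints, run over constructed key=value proxy log lines."""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed proxy log in an assumed key=value format (not real traffic).
SAMPLE_PROXY_LOG = """\
ts=2024-01-15T10:21:55Z host=WS01 user=alice proc=chrome.exe method=GET url=https://www.example.com/ bytes=1320
ts=2024-01-15T10:22:03Z host=WS01 user=alice proc=python.exe method=POST url=https://api.telegram.org/bot123456:CONSTRUCTED_TOKEN/sendDocument bytes=48211
ts=2024-01-15T10:22:09Z host=WS07 user=bob proc=Discord.exe method=POST url=https://discord.com/api/v9/channels/1/messages bytes=410
ts=2024-01-15T10:22:41Z host=WS07 user=bob proc=cmd.exe method=POST url=https://discord.com/api/webhooks/1111/CONSTRUCTED_WEBHOOK bytes=60550
ts=2024-01-15T10:23:12Z host=WS03 user=carol proc=Telegram.exe method=POST url=https://api.telegram.org/bot777:CONSTRUCTED_TOKEN/getMe bytes=120
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
MESSAGING_API_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com"}
# Processes that legitimately talk to these hosts (assumed baseline for the fleet).
EXPECTED_CLIENTS = {"telegram.exe", "discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
BOT_TOKEN_RE = re.compile(r"^/bot\d+:[\w-]+/")      # Telegram Bot API path shape
WEBHOOK_RE = re.compile(r"^/api/webhooks/\d+/")     # Discord webhook path shape
LARGE_UPLOAD_BYTES = 20_000                          # assumed threshold


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def classify(event: Dict[str, str]) -> Optional[dict]:
    """Return an alert dict for a suspicious event, or None for benign traffic."""
    parts = urlsplit(event.get("url", ""))
    host = (parts.hostname or "").lower()
    if host not in MESSAGING_API_HOSTS:
        return None

    proc = event.get("proc", "")
    reasons = []
    if proc.lower() not in EXPECTED_CLIENTS:
        reasons.append(f"unexpected process {proc}")
    if host == "api.telegram.org" and BOT_TOKEN_RE.match(parts.path):
        reasons.append("telegram bot-api path")       # clients use MTProto, not this
    if host in ("discord.com", "discordapp.com") and WEBHOOK_RE.match(parts.path):
        reasons.append("discord webhook path")        # write-only drop point
    if event.get("method") == "POST" and int(event.get("bytes", "0")) >= LARGE_UPLOAD_BYTES:
        reasons.append("large upload")
    if not reasons:
        return None

    # High only when an unexpected process is paired with another indicator.
    odd_proc = any(r.startswith("unexpected process") for r in reasons)
    severity = "high" if odd_proc and len(reasons) >= 2 else "low"
    return {"ts": event.get("ts"), "host": event.get("host"), "proc": proc,
            "url": event.get("url"), "reasons": reasons, "severity": severity}


def scan(log_text: str) -> List[dict]:
    """Run classify over every non-empty line and collect the alerts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        alert = classify(parse_line(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_PROXY_LOG):
        print(a["severity"].upper(), a["host"], a["proc"], "->", a["url"], a["reasons"])
```

Because the stealer also wipes the victim's cookies after the upload, a matching host-side signal is a burst of browser cookie-store writes by a non-browser process right after the POST; correlating the two is the natural next step once the network rule fires.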

Also, there have been speculations that the threat actors are based in Vietnam, considering the presence of Vietnamese language references in the source code of the Python stealer. For instance, there has been the inclusion of ‘Cốc Cốc,’ which is a Chromium-based browser used popularly in Vietnam. 

Guardio Labs discovered that the campaign has experienced a high success rate, with 1 out of 250 victims being estimated to have been infected over the last 30 days alone, despite the fact that the infection needs user input to download a file, unzip it, and execute the attachment.

Among other countries, the United States, Australia, Canada, France, Germany, Indonesia, Japan, Nepal, Spain, the Philippines, and Vietnam have reported the majority of the compromises.

"Facebook Accounts with reputation, seller rating, and high number of followers can be easily monetized on dark markets[…]Those are used to reach a broad audience to spread advertisements as well as more scams," Zaytsev noted.

The aforementioned reveal came in days after WithSecure and Zscaler ThreatLabz reported the newly launched Ducktail and Duckport campaigns that targeted Meta Business and Facebook accounts using ‘malverposting’ tactics.

"The Vietnamese-centric element of these threats and high degree of overlaps in terms of capabilities, infrastructure, and victimology suggests active working relationships between various threat actors, shared tooling and TTPs across these threat groups, or a fractured and service-oriented Vietnamese cybercriminal ecosystem (akin to ransomware-as-a-service model) centered around social media platforms such as Facebook," WithSecure noted.  

Unveiling the DarkGate Malware Phishing Attack on Microsoft Teams

Cybercriminals have focused on Microsoft Teams, a widely used tool for remote collaboration, in a recent round of cyber assaults. This well-known tool is being used by a crafty phishing campaign to spread the dangerous DarkGate ransomware. This cunning scheme has alarmed the cybersecurity industry, sparking a concerted effort to stop it from spreading.

According to cybersecurity experts, the attack vector involves deceptive messages masquerading as legitimate Microsoft Teams notifications, prompting users to click on seemingly innocuous links. Once engaged, the user is unwittingly redirected to a malicious website, triggering the download of DarkGate malware onto their system.

John Doe, a cybersecurity analyst, warns, "The use of Microsoft Teams as a vehicle for malware delivery is a particularly insidious tactic. Many users may lower their guard when receiving notifications from familiar platforms, assuming they are secure. This provides cybercriminals with an effective disguise to infiltrate systems."

DarkGate, a formidable strain of malware known for its stealthy capabilities, is designed to operate covertly within compromised systems. It swiftly establishes a backdoor, granting cybercriminals unauthorized access to sensitive data. This not only poses a significant risk to individual users but also raises concerns about the security of organizational networks.

Experts emphasize the critical importance of vigilance and caution when interacting with any digital communications, even those seemingly from trusted sources. Implementing multi-factor authentication and regularly updating security software are crucial steps in fortifying defenses against such attacks.

Microsoft has been swift to respond, releasing patches and updates to bolster the security of Teams. A spokesperson from the tech giant reassured users, stating, "We take the security of our platforms seriously and are committed to continuously enhancing safeguards against evolving threats. We urge all users to remain vigilant and promptly report any suspicious activity."

Users need to be vigilant and stay educated as cyber threats continue to get more sophisticated. The phishing attempt on Microsoft Teams is a sobering reminder that hackers can take advantage of well-known systems. Users can strengthen their digital defenses against such nefarious attempts by remaining watchful and putting in place strong security measures.

Online Hackers Target Microsoft Teams to Propagate DarkGate Malware


Microsoft Teams conversations are being abused by a new phishing attempt to distribute malicious attachments that install the DarkGate Loader malware.

The campaign got underway in late August 2023, when two compromised external Office 365 accounts were observed sending Microsoft Teams phishing messages to other organisations.

These accounts were used as a ruse to get other Microsoft Teams users to download and open a ZIP file called "Changes to the vacation schedule."

When a user clicks on an attachment, a ZIP file from a SharePoint URL that contains an LNK file resembling a PDF document is downloaded. The script first verifies that Sophos antivirus software is present on the target device; if it isn't, it launches the shellcode and deobfuscates additional code. 

The shellcode then builds the Windows executable for DarkGate using a method known as "stacked strings" and loads it into memory. As observed by Truesec and Deutsche Telekom CERT, the campaign sends the malicious attachments to other Teams organisations from compromised Microsoft Teams accounts. 

In a June 2023 report, Jumpsec cited an example of Microsoft Teams phishing. Jumpsec found a means to deliver malicious messages to other organisations via phishing and social engineering, which is comparable to this attack. 

Microsoft chose not to address the risk despite the stir this finding created. It is advised that administrators use secure configurations instead, such as narrow-scoped allow-lists and disabling external access, if communication with external tenants is not required.

A tool released by a red teamer in July 2023 increased the likelihood of this Microsoft Teams phishing technique being used in the wild, although the attack chain of the recently observed campaign does not appear to rely on it. Since its release in 2017, DarkGate has been employed cautiously by a select group of online criminals against specific targets.

This powerful malware supports a wide range of harmful behaviours, including hVNC for remote access, cryptocurrency mining, a reverse shell, keylogging, clipboard theft, and information theft (files, browser data).

According to a ZeroFox report from June 2023, a person claiming to be the original author of the software offered access to DarkGate to ten people for the ludicrous price of $100,000 per year.

In the months since, there have been numerous reports of DarkGate distribution ramping up across a variety of vectors, including phishing and malvertising. Even if it is not yet a widespread threat, DarkGate's growing targeting and use of multiple infection channels make it one that needs to be actively monitored.

Security Alert: Google AMP Used in Evasive Phishing Attacks


In recent times, there has been an increase in phishing activity that abuses Google Accelerated Mobile Pages (AMP) to bypass email security measures and get to the inboxes of enterprise employees. This has been a cause of concern for security researchers and organizations alike.

What is Google AMP?

Google AMP is an open-source HTML framework co-developed by Google and 30 partners to make web content load faster on mobile devices. It is designed to improve the user experience by providing faster loading times for web pages. However, threat actors have found a way to abuse this technology for malicious purposes.

How are attackers using Google AMP?

According to a report by BleepingComputer, attackers are using Google AMP URLs to host phishing pages that bypass email security measures. These pages are designed to look like legitimate login pages for popular services such as Microsoft Office 365 or Google Workspace. Unsuspecting users who enter their credentials into these fake login pages risk having their accounts compromised.

The use of Google AMP in phishing attacks is particularly concerning because it lets attackers create links that traditional security measures find difficult to flag. AMP pages are served from Google's domain, which carries a high level of trust and legitimacy, making it easier for attackers to get their phishing emails past email security and into the inboxes of enterprise employees.

What can organizations do?

Organizations need to be aware of this threat and take steps to protect themselves from these types of attacks. This can include educating employees about the dangers of phishing and how to spot fake login pages, as well as implementing advanced email security measures to detect and block phishing emails that use Google AMP.
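
One concrete piece of the "advanced email security" mentioned above is to judge a link by the destination it really leads to, not by the trusted google.com hostname that wraps it. The Python below is an added example, not code from BleepingComputer or this article: it unwraps the public Google AMP viewer form (`https://www.google.<tld>/amp/s/<host>/<path>`, or `/amp/<host>/` for plain http) and the AMP cache form (`https://<x>.cdn.ampproject.org/c/s/<host>/<path>`), then classifies the unwrapped destination against a small allow-list. The allow-list and the sample URLs (which use the reserved `.invalid` top-level domain) are constructed assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Hosts the organisation's users legitimately log in to (constructed list).
TRUSTED_DESTINATIONS = {"login.microsoftonline.com", "accounts.google.com"}


def unwrap_amp(url: str) -> Optional[str]:
    """Return the destination wrapped by a Google AMP viewer or AMP cache
    link, or None if the URL is not an AMP wrapper.

    Handled forms (assumed from the public AMP URL layout):
      https://www.google.<tld>/amp/s/<host>/<path>     -> https://<host>/<path>
      https://www.google.<tld>/amp/<host>/<path>       -> http://<host>/<path>
      https://<x>.cdn.ampproject.org/c/s/<host>/<path> -> https://<host>/<path>
    """
    parts = urlsplit(url)
    host = parts.netloc.lower()
    inner = None
    if host == "www.google.com" or host.startswith("www.google."):
        if parts.path.startswith("/amp/"):
            inner = parts.path[len("/amp/"):]
    elif host.endswith(".cdn.ampproject.org"):
        if parts.path.startswith("/c/"):
            inner = parts.path[len("/c/"):]
    if not inner:
        return None
    scheme = "http"
    if inner.startswith("s/"):          # "s/" marks an https destination
        scheme, inner = "https", inner[2:]
    dest_host, _, dest_path = inner.partition("/")
    if not dest_host:
        return None
    return urlunsplit((scheme, dest_host, "/" + dest_path, parts.query, ""))


def assess_link(url: str) -> dict:
    """Classify a link from an email body: resolve AMP wrapping first, then
    judge the real destination rather than the trusted wrapper hostname."""
    destination = unwrap_amp(url)
    wrapped = destination is not None
    final = destination or url
    final_host = urlsplit(final).netloc.lower()
    if final_host in TRUSTED_DESTINATIONS:
        verdict = "allow"
    elif wrapped:
        # A trusted wrapper pointing at an unknown host is the abuse pattern.
        verdict = "suspicious"
    else:
        verdict = "review"
    return {"url": url, "wrapped": wrapped, "destination": final, "verdict": verdict}


if __name__ == "__main__":
    for sample in (
        "https://www.google.com/amp/s/login-example.invalid/office365/auth",
        "https://www.google.com/amp/s/login.microsoftonline.com/",
        "https://example.invalid/page",
    ):
        print(assess_link(sample))
```

The point of the two-step design is that a filter that only looks at the outer hostname sees google.com and waves the message through; unwrapping first makes the unknown host visible to whatever reputation or allow-list check follows.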

The abuse of Google AMP by threat actors for evasive phishing attacks is a growing concern for organizations. Companies must stay vigilant and take steps to protect themselves from these types of attacks. By being proactive and implementing strong security measures, organizations can reduce their risk of falling victim to these attacks.

Gay Furry Hackers: Digital Activism Against Anti-Trans Laws

A group of expert hackers known as 'SiegedSec' has surfaced in recent months, and they are targeting American state governments that have passed anti-trans legislation. These hackers are members of the furry community, a subculture of people who enjoy anthropomorphic animal characters, and they are utilizing their technical expertise to oppose discriminatory policies that damage transgender people. Their actions have drawn attention to them and generated debates on the connections between activism, cybersecurity, and LGBTQ+ rights.

According to an article published by Insider, SiegedSec has launched a hacking spree targeting state governments, with Texas being one of their primary focus points. Their actions are in response to Senate Bill 14 (SB 14), a controversial piece of legislation that restricts transgender youth from participating in school sports based on their gender identity. The bill has faced widespread criticism from LGBTQ+ advocates who argue that it perpetuates discrimination and undermines the rights of transgender individuals.

Through their cyber campaigns, these gay furry hackers aim to raise awareness and pressure lawmakers to reconsider the harmful impact of such laws. By breaching government systems and leaking sensitive data, they intend to expose the consequences of anti-trans policies and encourage public scrutiny. This unique form of digital activism highlights the evolving methods used by activists to fight for social justice.

One member of SiegedSec expressed their rationale in an interview with Them, a newspaper devoted to LGBTQ+ issues: "As furries, we advocate openness and inclusivity. When we witness marginalized groups being singled out by discriminatory legislation, we are moved to act and put our talents to use for the common good." They highlight the value of inclusivity and diversity while drawing attention to the problem by fusing their hacking prowess with their furry identities.

It is important to note that these actions, while unconventional, raise complex ethical questions. Hacking and unauthorized access to computer systems are illegal activities, regardless of the motivations behind them. While some may argue that these hackers are engaged in a form of civil disobedience, others caution against the potential consequences and unintended negative impacts of their actions.

In response to the recent events, TransLegislation, a resource that tracks transgender-related legislation, has called for a broader conversation on the need for inclusive policies and the protection of transgender rights. It highlights the importance of engaging in constructive dialogue and finding alternative avenues for change.

The creation of SiegedSec and its initiatives highlight the effectiveness of online activism in the struggle for LGBTQ+ rights. It serves as a reminder that the fight for equality may take many different shapes and may cross social barriers. It is crucial to promote open dialogues and work towards a more inclusive future for everyone as society struggles with challenges related to gender identity and discrimination.

Wagner Hackers Disrupt Russian Satellite Internet Provider

In an unexpected turn of events, a hacker group claiming to be connected to Wagner, a Russian paramilitary outfit, has taken credit for taking down a significant Russian satellite internet provider. The security and stability of critical satellite communication systems have come under scrutiny following the event.

According to reports from reputable sources like PCMag, Datacenter Dynamics, and OODA Loop, the incident occurred on June 30, 2023. The group, identified as "Vx_Herm1t" on Twitter, announced their successful cyber attack against the Russian telecom satellite operated by the company Dozer. The tweet has since been taken down, but the repercussions of the attack are still being felt.

The disruption of a satellite internet provider has significant implications for both communication and national security. Satellite-based communication is vital for remote and hard-to-reach regions, providing essential connectivity for businesses, government agencies, and individuals. Any interference with these systems can lead to disruptions in critical services, affecting everything from emergency response operations to financial transactions.

Although the motivation behind the attack is not explicitly stated, the alleged affiliation with Wagner, known for its involvement in military and political activities, raises concerns about potential political or strategic motives behind the cyber attack. The incident comes amid growing tensions in cyberspace, where state and non-state actors are increasingly using sophisticated cyber methods to further their agendas.

The attack also serves as a stark reminder of the vulnerability of satellite communication infrastructure. As the world becomes more reliant on space-based technologies, the risk of cyber attacks targeting satellites and space systems is becoming a pressing concern. Safeguarding these assets is crucial for maintaining uninterrupted communication and preserving national security interests.

Russian authorities and international cybersecurity organisations are probably investigating the incident to determine its origin and to prevent similar attacks in the future. The international community will be watching closely as the issue develops, to understand the broader consequences of this cyberattack for international cyber norms and state-sponsored cyber operations.

Right now, the priority is on restoring the interrupted satellite services and enhancing the systems' resistance to future intrusions. The incident highlights the urgent requirement for strong cybersecurity measures and global collaboration to preserve crucial space infrastructure and maintain the dependability of international communication networks.

Operation Cookie Monster Shuts Down a Global Dark Web Marketplace



A multinational coalition of 17 law enforcement agencies has taken down the largest illicit dark web marketplace in the world in an extensive operation dubbed Operation Cookie Monster. The international investigation uncovered thousands of stolen identities and online login credentials that were being sold on the marketplace. The operation, led by the FBI and the Dutch National Police, has dealt a significant blow to global cybercrime.

The platform in question was Genesis Market, founded in 2018, which harvested data from malicious software deployed by hackers into computer networks. It advertised and sold stolen data such as usernames, passwords, bank account details, and device fingerprints like computer and mobile phone identifiers. According to law enforcement agencies, the site had offered over 80 million account access credentials from more than 1.5 million compromised computers worldwide since its inception, including thousands of credentials stolen from over 460,000 devices that were advertised for sale when it was taken offline.

Rob Jones, Director General, Threat Leadership at Britain’s National Crime Agency (NCA), stated, "Behind every cybercriminal or fraudster is the technical infrastructure that provides them with the tools to execute their attacks and the means to benefit financially from their offending. Genesis Market was a prime example of such a service and was one of the most significant platforms on the criminal market.” 

The operation seized not only stolen identities but also browser fingerprints which can be used for identity theft. Louise Ferrett, an analyst at British cybersecurity firm Searchlight Cyber said that these browser fingerprints are harvested from computers infected with malicious software.

Europol’s Head of the European Cybercrime Centre Edvardas Šileris said, "Through the combined efforts of all the law enforcement authorities involved, we have severely disrupted the criminal cyber ecosystem by removing one of its key enablers.” 

The importance of this operation cannot be overstated – it has set a valuable precedent for international cooperation in cybercrime-fighting initiatives. In addition to tracking down those responsible for deploying malicious software and for the identity theft conducted through this platform, police have also taken preventative measures, such as searches and arrests, to deter future activity. 

While Operation Cookie Monster may have been successful in taking down one marketplace selling stolen identities, it is essential to remain vigilant against other forms of cybercrime that are still out there – such as hacking and phishing attacks – in order to ensure secure online transactions and prevent identity theft in the future.


Hacker Gang Holds Amazon's Ring to Ransom


Amazon's Ring, a popular brand of home security cameras, is facing a major cybersecurity threat. The company has been targeted by a ransomware gang, which has threatened to release sensitive data about Ring's customers if the company does not pay up.

According to reports, the ransomware gang, known as 'Grief,' gained access to Ring's systems through a vulnerability in the company's app. The gang then demanded a ransom of $50 million, threatening to release data on Ring's customers if the company did not comply.

Ring has stated that it will not pay the ransom, and has instead launched an investigation into the attack. The company has also said that it is working with law enforcement to identify and prosecute the perpetrators.

The attack on Ring is just the latest in a series of high-profile cyber attacks that have targeted companies and organizations around the world. These attacks are becoming increasingly sophisticated, and are often carried out by organized criminal groups.

One of the reasons that cyber attacks are becoming more common is that companies are not doing enough to protect themselves. Many companies still use outdated software and security systems, which are vulnerable to attack. In addition, many companies are not investing enough in cybersecurity, either because they do not see it as a priority or because they do not have the resources to do so.

In the case of Ring, the company has come under fire for its lack of transparency and its use of third-party trackers in its app. The Electronic Frontier Foundation (EFF) has raised concerns about the app's use of third-party trackers, which can collect data on users without their knowledge or consent.

Overall, the cyber attack on Ring is a reminder of the importance of cybersecurity in the increasingly digital world. Companies must take steps to protect themselves from attacks, and consumers must be aware of the risks that come with using connected devices. With cyber-attacks becoming more frequent and sophisticated, it is essential that we all take cybersecurity seriously.



Cybercriminals Exploit SVB's Downfall for Phishing

The downfall of Silicon Valley Bank (SVB) on March 10, 2023, has caused instability all across the global financial system, but for hackers, scammers, and phishing schemes, it's evolving into a huge opportunity.

Security experts have already observed a variety of schemes that take advantage of the situation, which has severely hurt tech companies. Proofpoint researchers reported on Twitter that they have observed scammers sending fraudulent emails pertaining to a cryptocurrency company impacted by the failure of SVB.

On March 12, a considerable number of domain names containing "SVB" were registered. Threat actors are preparing for business email compromise (BEC) attacks by registering suspicious domains, creating phishing pages, and more. These operations seek to defraud targets by stealing money or account information, or by delivering malware.

Proofpoint also found a campaign using lures related to USDC, a digital stablecoin pegged to the USD that was affected by the SVB collapse. Messages sent through malicious SendGrid accounts impersonated cryptocurrency businesses and pointed users to URLs where they could supposedly claim their cryptocurrency.

Cloudflare, for its part, found a substantial KYC phishing campaign using SVB branding and a DocuSign-themed template; 79 instances were discovered within hours of the campaign's inception. An attack aimed at the company's CEO used HTML code whose initial link redirected four times before landing on an attacker-controlled website.

The HTML file used in the attack sends the user to a WordPress instance capable of performing the recursive redirection; however, it is unclear whether this particular WordPress installation was hijacked or whether a plugin was set up to enable the redirect.

OpenSea NFT Market Users' Identities Were Exposed via a Bug

In 2022, OpenSea had more than 1 million registered members, and more than 121 million people visited the website each month. This makes OpenSea not only the biggest NFT marketplace but also a highly attractive target for cybercriminals: any platform flaw could present an opportunity for criminal activity and spell catastrophe for unsuspecting users.

The cross-site search vulnerability, which an attacker could use to obtain user identities, was made possible by a misconfiguration.

According to the report, OpenSea has subsequently issued a patch to address the problem. In order to reduce the possibility of additional exploitation, the patch limits cross-origin communication. The vulnerability no longer exists, according to the cyber security company's analysis of the remedy.

Web applications that use query-based search systems are vulnerable to cross-site search. By submitting queries and observing differences in the search system's behaviour between the case where it returns results and the case where it does not, an attacker can retrieve sensitive data from another origin.

After confirming that the fundamental exploit strategies were effective, researchers started looking at OpenSea's search feature. Elasticsearch was mentioned in one of the company's job listings, so it is probably the engine behind their search function. 

Elasticsearch lets you quickly search through and analyse huge amounts of data. One of its important features is its ability to normalise language via language-specific analysers and stemmers.

The $13.3 billion marketplace's use of the incorrectly configured iframe-resizer library is the root of the problem. A cross-site search vulnerability arises when this library is used in environments where cross-origin communication is unrestricted, which was the case at OpenSea.

This misconfiguration is what allows the bug, and the resulting exposure of user identities, to exist. Given that the NFT ecosystem is predicated on anonymity, a weakness of this kind could have major financial repercussions for OpenSea: if exploited, an attacker could conduct phishing attacks and keep tabs on those who made the most expensive NFT purchases.

Immediately after the vulnerability was made public, OpenSea patched it by limiting cross-origin communication. This reduced the vulnerability's potential for further exploitation. In order to stop the exploitation of these platforms, it is crucial to be constantly on the lookout for inherent faults and vulnerabilities.


New Phishing Scam Targets Users With Fake ChatGPT Platform

The general population is fascinated with AI chatbots like OpenAI's ChatGPT. Sadly, the popularity of the AI tool has also attracted scammers who use it to carry out extremely complex investment frauds against naive internet users. Nevertheless, security experts warn that ChatGPT and other AI techniques may be used to rapidly and on a much wider scale produce phishing emails and dangerous code.

Bitdefender Antispam Labs reports that the most recent wave of "AI-powered" scams starts with a straightforward unsolicited email. Bitdefender's researchers were initially drawn to what seemed to be a harmless marketing ploy, and went on to uncover a complex fraud operation that poses a threat to participants' wallets and identities.

The campaign is currently focused on Denmark, Germany, Australia, Ireland, and the Netherlands.

How does the Scam Operate?

In the past several weeks, fake ChatGPT apps have appeared on the Google Play and Apple App Stores, promising users weekly or monthly memberships to utilize the service. The con artists behind this specific scheme go above and beyond to deceive customers.

Users who click the email's link are taken to a clone of ChatGPT that tempts them with money-making chances that pay up to $10,000 per month 'just on an exclusive ChatGPT platform.'

The recipient must click on an embedded link to access further information because the email itself is short on specifics. They click on this link to be taken to a bogus ChatGPT chatbot, where they are prompted to invest at least €250 and provide their contact information, including phone number, email address, and card details.

The victim is then given access to a copy of ChatGPT that differs from the original chatbot in that it provides only a limited set of pre-written responses to user queries. This chatbot is reachable only through a domain that is already blacklisted.

It's nothing unusual for scammers to take advantage of popular internet tools or patterns to trick users. Use only the official website to test out the official ChatGPT and its AI-powered text-generating capabilities. Avoid clicking on links you get in unsolicited mail, and be particularly suspicious of investment schemes distributed on behalf of a corporation, which generally are scams.

Is AI Transforming the Cybersecurity Sector? 

Artificial intelligence and machine learning (AI/ML) systems have proven to be effective in improving the sophistication of phishing lures, creating fake profiles, and developing basic malware. Security experts have demonstrated that a complete attack chain may be established, and malicious hackers have already begun experimenting with AI-generated code.

The Check Point Research team employed current AI tools to design a whole attack campaign which began with a phishing email sent by OpenAI's ChatGPT that prompts the target to open an Excel document. Researchers also developed an Excel macro that runs malware obtained from a URL and a Python script to infect the intended system using the Codex AI programming tool.

To evaluate the effectiveness of AI in data collection and team response to cyberattacks on vital systems and services, as well as to draw attention to the need for solutions that enhance human-machine collaboration to lower cyber risk. 

In recent weeks, ChatGPT, a large language model (LLM) based on the third iteration of OpenAI's generative pre-trained transformer (GPT-3), has sparked a range of what-if scenarios about the possible uses of AI/ML. Because AI/ML models are dual-use, firms are looking for ways to use the technology to increase efficiency, while digital-rights campaigners are concerned about the effects the technology will have on businesses and employees.   

However, AI/ML is also affecting other aspects of security and privacy. Generative neural networks (GNNs) have been used to produce realistic photographs of people who do not exist, which are then used to bolster profiles employed for fraud and misinformation. 

The use of the most advanced AI systems by cyber attackers does not, as yet, make their attacks harder to spot; by focusing on the technical indicators, cybersecurity tools can still detect them. Even the most convincing fake would be defeated by the procedures used to double-check requests to change account, payment or payroll details, unless the threat group had access to or control over those additional layers of security, which have become increasingly common.

PyPI Hosting Malware and AWS Keys 

The Python package repository PyPI was found to be hosting malware and AWS keys. Tom Forbes, a software developer, created a Rust-based tool that scanned all new PyPI packages for AWS API keys. The tool returned 57 hits, including keys belonging to Louisiana University, Stanford, Portland, Amazon, and Intel.

Forbes explains that his scanner runs on a schedule via GitHub Actions, checking fresh releases from PyPI, HexPM, and RubyGems for AWS keys. If it finds any, it creates a report containing the relevant information and commits it to the AWS-cred-scanner repository.

According to Forbes' article, "The report comprises the keys that have been found, as well as a public link to the keys and additional metadata regarding the release." Because these reports are pushed to a public GitHub repository, GitHub's secret scanning service is triggered and alerts AWS that the keys have been exposed.
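
To show the kind of check Forbes' scanner performs, here is an added Python example (not Forbes' Rust tool, and not code from this article) that opens a wheel, which is just a ZIP archive, and scans its text-like members for AWS access key IDs, noting whether a secret access key sits in the same file. The access key ID pattern (`AKIA`/`ASIA` followed by 16 upper-case alphanumerics) and the 40-character secret format are AWS's documented key shapes; the archive, the member names, the list of text suffixes and the embedded credential pair are constructed and do not correspond to any real account.

```python
import io
import re
import zipfile

# AWS long-term access key IDs start with AKIA; temporary (STS) ones with ASIA.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A secret access key is 40 base64-alphabet characters; it is only reported when
# it sits next to a recognisable variable or config name (assumption).
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_\- ]?secret[_\- ]?access[_\- ]?key\W{0,5}([A-Za-z0-9/+=]{40})\b"
)

# Members worth reading as text; everything else is skipped as binary (assumption).
TEXT_SUFFIXES = (".py", ".cfg", ".ini", ".toml", ".txt", ".json", ".yaml", ".yml", ".env")


def scan_wheel(wheel_bytes: bytes) -> list:
    """Scan every text-like member of a wheel (a ZIP file) for AWS credentials.
    Returns one finding per access key ID: member, line number, key ID and
    whether a matching secret key was found in the same file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(TEXT_SUFFIXES):
                continue
            try:
                text = zf.read(info).decode("utf-8")
            except UnicodeDecodeError:
                continue  # binary content that slipped through the suffix filter
            has_secret = SECRET_KEY_RE.search(text) is not None
            for lineno, line in enumerate(text.splitlines(), start=1):
                for match in ACCESS_KEY_RE.finditer(line):
                    findings.append({
                        "member": info.filename,
                        "line": lineno,
                        "access_key_id": match.group(0),
                        "secret_present": has_secret,
                    })
    return findings


def build_sample_wheel() -> bytes:
    """Constructed wheel-like archive with a leaked key pair in settings.py.
    The key values are made up and match only the documented key shapes."""
    settings = (
        "DEBUG = False\n"
        'AWS_ACCESS_KEY_ID = "AKIA0000EXAMPLE00000"\n'
        'AWS_SECRET_ACCESS_KEY = "0123456789abcdefghijABCDEFGHIJ0123456789"\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo_pkg/settings.py", settings)
        zf.writestr("demo_pkg/__init__.py", "")
        zf.writestr("demo_pkg/logo.png", b"\x89PNG\r\n\x1a\n" + b"\xff" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_wheel(build_sample_wheel()):
        print(finding)
```

Reporting the access key ID but not the secret keeps the scanner's own output safe to store; the `secret_present` flag is enough to tell a triage team that the leak is a usable pair rather than an orphaned identifier.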

As per Forbes, "It relies on the specific rights granted to the key itself. Other keys I discovered in PyPI were root keys, which are equally permitted to perform any action. The key I discovered that was leaked by InfoSys in November had full admin access, meaning it can do anything. If these keys were stolen, an attacker would have unrestricted access to the associated AWS account."

He claimed that other keys might have more circumscribed but nonetheless excessive permissions. For instance, he claimed it frequently happens that a key meant to grant access to just one AWS S3 storage bucket has unintentionally been configured to give access to every S3 bucket connected to that account.
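
The "one bucket key that actually reaches every bucket" case above is a policy-scoping mistake that can be caught mechanically. The following Python is an added example, not from Forbes or this article: it takes an IAM policy document, flags Allow statements that grant S3 actions on a wildcard resource, and shows the weak policy beside a corrected one scoped to a single bucket. The bucket name and statement IDs are constructed placeholders.

```python
import json

# Resource patterns that reach every bucket in the account.
S3_WILDCARD_RESOURCES = {"*", "arn:aws:s3:::*", "arn:aws:s3:::*/*"}


def _as_list(value):
    """IAM allows either a string or a list for Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def overbroad_s3_statements(policy) -> list:
    """Return the Allow statements that grant S3 actions on every bucket.
    A statement is flagged when any of its Actions is an S3 action (or '*')
    and any of its Resources is a wildcard covering all buckets."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    flagged = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        touches_s3 = any(a == "*" or a.lower().startswith("s3:") for a in actions)
        all_buckets = any(r in S3_WILDCARD_RESOURCES for r in resources)
        if touches_s3 and all_buckets:
            flagged.append(stmt)
    return flagged


# Weak policy: intended for one bucket, but Resource "*" reaches every bucket.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "UploadArtifacts",
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
        "Resource": "*",
    }],
}

# Corrected policy: the same actions, scoped to one (constructed) bucket and
# the objects inside it. ListBucket applies to the bucket ARN, object actions
# to the bucket's object ARN pattern.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListOneBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-artifacts-bucket",
        },
        {
            "Sid": "ObjectsInOneBucket",
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject"],
            "Resource": "arn:aws:s3:::example-artifacts-bucket/*",
        },
    ],
}


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        hits = overbroad_s3_statements(policy)
        print(name, "->", [s["Sid"] for s in hits] or "ok")
```

Running this over the policies attached to any key that ends up in a package index tells you at once whether a leak exposes one bucket or the whole account, which is the distinction Forbes draws above.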

Forbes cites GitHub's automated key scanning, which also covers keys in npm packages, as an effective tool. However, the expressions GitHub uses to search for secrets are sensitive and cannot be made public, so PyPI and other third parties are essentially unable to leverage this infrastructure without handing all PyPI-published code to GitHub. Forbes further recommended that businesses carefully review their security procedures.

Cybersecurity firm Phylum reported in December that it had uncovered a remote access trojan dubbed pyrologin in a PyPI package. Last month, ReversingLabs, another security company, also discovered a malicious PyPI package whose malware was disguised as an SDK from SentinelOne, a third security company. In November, W4SP malware was discovered in dozens of recently released PyPI packages. And in March 2021, PyPI removed 3,653 malicious packages in a large-scale malware culling. 

As a result, AWS opens a support ticket to alert the responsible developer and applies a quarantine policy to reduce the risk of key misuse. The concern, however, is that a malicious actor could build comparable scanning software with the intention of abusing the keys it finds.