Search This Blog

Showing posts with label Phishing Attacks. Show all posts

Owner of CafePress Penalized $500,000 for Hiding a Data Breach


CafePress's past owner Residual Pumpkin firm has been fined $500,000 by U.S. Federal Trade Commission (FTC) in their final order over a 2019 data breach that impacted 23 million customers.

CafePress is a US site that sells print-on-demand items like apparel, housewares, and kitchenware. Sellers can register on the website and upload their designs, and CafePress takes a percentage of every sale. 

Social Security numbers and password recovery responses were kept in plain text and for a longer period by the Residual Pumpkin firm. Additionally, the organization did not implement existing safeguards and react to security vulnerabilities. After several attacks on its servers, it attempted to hide the significant data breach carried on by its inadequate security protocols. 

A unanimous 5-0 vote accepted the FTC's order. The FTC has mandated that the corporations immediately implement multi-factor authentication of stored data and set an encryption key for all social security numbers, in addition to imposing fines on the businesses. 

As a result, the company's current owner PlanetArt, who acquired CafePress in 2020, has set up an alert system to notify all customers and vendors whose private information has been compromised.

Unknown attackers acquired access to files stored as SHA-1 hashes during a February 2019 breach of CafePress' servers, exploited, and later sold 23,205,290 CafePress users' personal information on the dark web. However, after receiving notifications via Troy Hunt's Have I Been Pwned service, several users became aware of the situation. The fact the users seemed to reset their passwords on checking in without being informed of the data breach was the only indication that something was wrong. 

Since some of its merchants' accounts had been hacked since at least January 2018, as per FTC's claim, CafePress was aware that it had vulnerabilities even before the 2019 incident.

Instead of letting users acknowledge the instances, CafePress terminated their accounts and assessed a $25 account closure fee to each of them. Before the 2019 security breach, the company's network was again affected by several malware infestations, and CafePress once again neglected to look into the attacks.

Python Libraries Hacked AWS Data and Keys  


Sonatype researchers have found malicious Python packages that post your AWS credentials and user characteristics to a publicly accessible endpoint rather than just exploiting sensitive data. Some malicious packages with the Sonatypes are as follows:
  • loglib-modules — seems targeted at coders who are familiar with the authentic "loglib library."
  • pyg-modules — seems aimed at coders who are familiar with the basic "pyg" library.
  • Pygrata:Unknown target, pygrata-utils contains identically noxious code to that found in "loglib-modules." 
  • hkg-sol-utils: Unknown goal 

The anti-ransomware detection technology provided by Sonatype as part of Nexus platform products, such as Nexus Firewall, found these packages. Researchers found these packages to be harmful after further analysis, thus, out of precaution, they reported this to the PyPI security team, so these packages were withdrawn. "This kind of package either has code that reads and phishes your secrets or employs a dependency that does it”, according to an analysis by   Sonatype security researchers Jorge Cardona and Carlos Fernández. 

For instance, the malicious software in the packages "loglib-modules" and "pygrata-utils" enables the programs to gather AWS credentials, network interface data, and environment variables and ship them to a remote location. IAM role details for an EC2 cloud instance are reported to be returned using the URL 'hxxp:/169.254.169[.]254/latest/meta-data/iam/security-credentials/'. 

Unsettlingly, there are hundreds of endpoints holding this data. Since TXT files were not encrypted by any security measures, anyone with access to the internet could essentially access these credentials. It's vital to know that packages like "pygrata" depend on one of the two aforementioned modules rather than containing the code themselves. It is still unknown who the malicious actors are and what propels them. 
Users of Nexus Firewall are shielded 

If the stolen credentials posted online on purpose or as a result of bad opsec procedures? There isn't enough information available right now to rule out the possibility that this action is suspect, even if it is valid security testing as per researchers. This finding comes after the report last week of several malicious vendors, including the npm package "flame-vali," which repeatedly tried to disable Windows Defender before releasing a trojan.

The software supply chain will be safeguarded from the start thanks to Nexus Firewall instances that immediately quarantine any suspect components found by automated malware detection systems while a subjective evaluation by a researcher is being prepared.

84% of US Businesses Experienced Identity-Related Breaches


According to new information from the non-profit Id Outlined Safety Alliance, the range of security breaches resulting from phishing or exploiting identities has reached epidemic proportions (IDSA). For its 2022 Developments in Securing Digital Identities report, the IDSA surveyed 500 US identity and security experts. 

In the past year, 84 % of respondents reported having suffered an identity-related hack, with the clear majority (78 %) stating that it had a direct effect on the firm. Increased identity fraud in the corporate sector daily contributes to the issue. 

When leaders prioritize identity security, risky behavior is reduced. 71 % of companies have executives who publicly address staff members about password security. In the light of that, risky security behaviors were acknowledged by 60% of IT/security stakeholders. 

Having focused on the fundamentals and investments in security outcomes 97%  will invest in identity-focused security results. MFA is a major area of interest, especially for employees and privileged users. 

The report suggested a few basic steps businesses may take to enhance security outcomes of unauthorized access. When executives discuss corporate credentials, for instance, the survey found that 72% of respondents are more cautious with their work passwords than with using personal passwords. 

However, it seems that businesses are making sense. Almost all respondents (97%) stated they intended to invest in "identification-focused security outcomes," and 94 % reported that identity investments are a part of strategic efforts, such as cloud adoption (62 %), the deployment of Zero Trust (51 %), and digital transformation activities (42% ).

According to the Anti-Phishing Working Group(APWG), phishing reached an all-time high in the first quarter of 2022. 

Millions of Facebook Users' Credentials Were Stolen via Authentic App Services


The phishing effort used Facebook and Messenger to deceive millions of consumers into visiting advertising pages and websites where personal account information was exposed. 

The phishing campaign used messages through messenger to entice users to open the link, thus the pop-up requested for account credentials, which unsuspecting consumers provided by filling out the phishing form with their login and password. The campaign operators used the hacked accounts to send more hacker messages to their friends, earning a lot of money through internet advertising fees.

The effort peaked in April-May 2022 but has been active since at least September 2021, as per PIXM, a New York-based AI-focused cybersecurity business. Since one of the identified phishing pages included a link to a publicly accessible traffic monitoring app ( without authentication, PIXM was able to track down the threat actor and map the campaign. 

Over 405 different usernames were uncovered by PIXM, each of which was linked to a distinct phishing landing page. In 2022, one username, teamsan2val, got 6.3 million views, up 128 percent from 2021. All of these usernames had a total of 399,017,673 sessions. The phishers also informed an OWASP researcher who claimed they made roughly $150 for every thousand visitors from the United States. This equates to $59.85 million in total revenue.

These 405 usernames, as per the researchers, are merely a small portion of the total number of accounts employed in the effort. The second wave of redirections begins after the victim inputs the credentials on the phishing landing page, bringing visitors to advertising pages, survey forms, and so on. These redirects provide referral revenue for the threat actors, which is believed to be in the millions of dollars at this scale. One may deduce three things about the malicious attacks going on based on these new discoveries and disclosures. These are the attacks: 
  • Software-based
  • Growing at an exponential rate 
  • Vulnerable populations are targeted

On all landing pages, PIXM discovered a common code snippet that contained a reference to a website that had been seized as part of an investigation against a Colombian individual named Rafael Dorado. It's unclear who took control of the domain and posted the message.

A reverse whois search turned up links to a real web development company in Colombia, as well as ancient websites selling Facebook "like bots" and hacking services. 

The results of PIXM's inquiry were shared with the Colombian Police and Interpol, but the campaign is still ongoing, although many of the identified URLs have been offline.

Users' Crypto Wallets are Stolen by Fake Binance NFT Mystery Box Bots


Researchers have discovered a new campaign to disperse the RedLine Stealer — a low-cost password seeker sold on underground forums — by mutating oneself with the data malware from GitHub repositories using a fake Binance NFT mystery box bots, an array of YouTube videos that take advantage of global interest in NFTs. 

The enticement is the promise of a bot that will automatically purchase Binance NFT Mystery Boxes as they become available. Binance mystery boxes are collections of non-fungible token (NFT) things for users to purchase in the hopes of receiving a one-of-a-kind or uncommon item at a discounted price. Some of the NFTs obtained in such boxes can be used in online blockchain games to add unusual cosmetics or identities. However, the bot is a hoax. According to Gustavo Palazolo, a malware analyst at Netskope Threat Labs, the video descriptions on the YouTube pages encourage victims to accidentally download RedLine Stealer from a GitHub link. 

In the NFT market, mystery boxes are popular because they provide individuals with the thrill of the unknown as well as the possibility of a large payout if they win a rare NFT. However, marketplaces such as Binance sell them in limited quantities, making some crates difficult to obtain before they sell out. 

"We found in this attempt that the attacker is also exploiting GitHub in the threat flow, to host the payloads," Palazolo said. "RedLine Stealer was already known for manipulating YouTube videos to proliferate through false themes," Palazolo said. The advertising was spotted by Netskope in April. "While RedLine Stealer is a low-cost malware, it has several capabilities that might do considerable harm to its victims, including the loss of sensitive data," Palazolo said. This is why prospective buyers frequently use "bots" to obtain them, and it is exactly this big trend that threat actors are attempting to exploit. 

The Ads were uploaded during March and April 2022, and each one includes a link to a GitHub repository that purports to host the bot but instead distributes RedLine. "" is the name of the dropped file, which contains a program of a similar name, which is the cargo, a Visual C++ installation, and a README.txt file. Because RedLine is written in.NET, it demands the VC redistributable setup file to run, whereas the prose file contains the victim's installation instructions.

If the infected machine is found in any of the following countries, the virus does not run, according to Palazolo: Armenia, Azerbaijan,  Belarus,  Kazakhstan,  Kyrgyzstan,  Moldova,  Russia,  Tajikistan Ukraine, and Uzbekistan.

The repository's GitHub account, "NFTSupp," began work in March 2022, according to Palazolo. The same source also contains 15 zipped files including five different RedLine Stealer loaders. "While each of the five loaders we looked at is slightly different, they all unzip and inject RedLine Stealer in the same fashion, as we discussed earlier in this report. The oldest sample we identified was most likely created on March 11, 2022, and the newest sample was most likely compiled on April 7, 2022," he said. These promotions, on the other hand, use URLs that lead to MediaFire downloads. This operation is also spreading password-stealing trojans, according to VirusTotal. 

RedLine is now available for $100 per month on a subscription basis to independent operators, and it allows for the theft of login passwords and cookies from browsers, content from chat apps, VPN keys, and cryptocurrency wallets. Keep in mind that the validity of platforms like YouTube and GitHub doesn't really inherently imply content reliability, as these sites' upload checks and moderation systems are inadequate.

Beware of iCloud Phishing Attacks, MetaMask Warns Apple Users


ConsenSys-owned crypto wallet provider MetaMask is warning its community regarding possible phishing attacks via Apple’s iCloud service. In a Twitter thread posted on April 17, the company warned its customers that the encrypted passwords for their accounts, called MetaMask vaults, will be uploaded to Apple’s cloud service if the iCloud backup option is enabled on the app. 

 As a result, a phishing account that exploits a customer’s iCloud account will also compromise their passwords and hence their crypto wallets. This comes after an Apple user, who goes by “revive_dom” claimed on Twitter to have lost crypto assets worth $650,000 from his MetaMask crypto wallet. 

“This is how it happened. Got a phone call from Apple, literally from Apple (on my caller Id) Called it back because I suspected fraud and it was an Apple number. So, I believed them. They asked for a code that was sent to my phone and 2 seconds later my entire MetaMask was wiped,” the user wrote in his thread. 

The phishing campaign involves certain default device settings in iPhones, iPads which see a user’s seed phrase or “password-encrypted MetaMask vault” stored on the iCloud if the user has enabled automatic backups for their application data. Metamask is an online crypto wallet that allows users to store their crypto assets such as Bitcoin, Ethereum, etc, as well as non-fungible-tokens (NFTs).

“If you have enabled iCloud backup for app data, this will include your password-encrypted MetaMask vault. If your password isn’t strong enough, and someone phishes your iCloud credentials, this can mean stolen funds,” the company tweeted. 

Serpent, the founder of a project called DAPE NFT, explained how the fraudsters stole from a victim. On April 15, the victim received multiple text messages asking to reset his Apple ID password along with a supposed call from Apple which was ultimately a spoofed caller ID.

During the call, the fraudsters said there was unusual activity on the victim’s Apple ID and asked for a one-time verification code. This is the six-digit verification code sent out to a user when they want to reset their Apple ID password or even login from a different laptop or iPhone, iPad, etc. After receiving the 2FA code, they were able to take control over the Apple ID, and access iCloud which gave them access to the victim's MetaMask.

 How to shut cloud backups?

Metamask in a warning tweet has requested users to disable iCloud backups by following the steps mentioned below: - 

Go to Settings > Profile > iCloud > Manage Storage > Backups, then turn off the toggle. 

To ensure that iCloud will not “surprise” you with backups you didn’t allow, go to Settings > Apple ID/iCloud > iCloud Backup and turn it off.

 Hazardous Redirect Web Server Evokes Malicious Campaigns On Over 16,500 Sites


Parrot is a novel TDS system for online traffic redirection that runs on a few servers hosting over 16,500 sites from government agencies, universities, adult platforms, and personal blogs. The service was apparently also utilized in the context of various cyber-attacks aiming at diverting victims to phishing or sites which result in malware being installed on the systems. Reportedly, all of this is dependent on individual user characteristics such as location, language, operating system, and browser.

TDS services are purchased by threat actors undertaking malicious campaigns to filter incoming traffic and route it to a final destination which serves harmful material. Advertisers and marketers utilize TDS legitimately. Most TDS services are used regularly by professionals in the marketing industry, which is why there are credible reports demonstrating how similar campaigns were executed in the recent past. 

Security analysts working with Avast have revealed that the Parrot has been identified as they recently made assertions about how the campaign was used for FakeUpdate, which delivered update warnings regarding remote access trojans, sometimes known as RATs, using fake browsers. 

Avast threat experts found Parrot TDS, which is presently being utilized for a campaign called FakeUpdate, which distributes remote access trojans (RATs) via phony browser update alerts. The effort appears to have begun in February 2022, however, there have been traces of Parrot activity dating back to October 2021.

"One of the primary differences between Parrot TDS and other TDS is its broad nature and a large number of possible victims," says Avast in the research. "Apart from servers hosting poorly secured CMS sites, such as WordPress sites, the hijacked websites we discovered appear to have nothing in common."

Avast services prevented more than 600,000 of its users from visiting these compromised sites in March 2022 alone, demonstrating the Parrot redirection gateway's huge reach. The majority of the people who were redirected were from Brazil, India, the United States, Singapore, and Indonesia. 

They have been known to accomplish this by redirecting the victim to special URLs with extensive network profiles and meticulously built software. While the TDS may be primarily focused on the RAT initiative, security experts believe some of the impacted servers also serve as hosts for various phishing sites.  

Those landing sites seem just like a genuine Microsoft login page, prompting visitors to input there login credentials. The best strategy to deal with malicious redirections for web users is to keep an up-to-date internet security solution running at all times. Avast advises administrators of possibly compromised web servers to take the following steps: 

  •  Use an antivirus to scan all files on the webserver. 
  •  Replace all original JavaScript and PHP files on the webserver. 
  •  Use the most recent CMS and plugin versions. 
  •  Look for cron jobs or other automatically executing processes on the webserver. 
  •  Always use unique and strong credentials for all services and accounts, and utilize two-factor authentication whenever possible. 
  • Use some of the security plugins for WordPress and Joomla which are available.

Threat Actors Abuse Calendly App to Steal Account Credentials


Cyber criminals have unearthed a new vector of assault to utilize during phishing campaigns. Calendly, a free scheduling app, permits malicious actors to use email to lure the victim to a meeting with the title and link they choose. This increases the authenticity of the phishing email as it seems to come from a legitimate firm. 

Earlier this year in February, security analysts at INKY, an email monitoring firm, discovered specific instances where the phishing actors titled the meeting "You have received a new fax document" with an embedded link to "preview" the document. The link instead brought victims to a webpage that looked like a Microsoft site but actually was set up to steal Microsoft account credentials. 

The webpage also contained a common methodology employed by attacker in newer phishing campaigns to ensure credentials are free of typos, in which the victim is lured to enter their credentials twice, due to the credentials being "invalid.” 

The victim is then sent to the domain of their email address to minimize the likelihood of realizing the compromise and reporting it as phishing. According to INKY, majority of the methodologies employed in this campaign are standard, the use of Calendly has not been previously spotted. 

“The app is committed to protecting users against phishing attacks with built-in security tools such as a next-gen web application firewall, anomalous traffic pattern alerts as well as fraudulent IP tracking capabilities,” the Calendly spokesperson stated. 

“In this instance, a malicious link was inserted into a customized booking page. Phishing attacks violate our Terms of Service and accounts are immediately terminated when found or reported. We have a dedicated team that constantly enhances our security techniques, and we will continue to refine and stay vigilant to protect our users and combat such attacks.”

Calendly has also detailed a couple of steps that should help users improve their security. The company advises reviewing the sender’s email address and display name. In the attack described by INKY, the email claimed to be sent by Microsoft but came from a non-Microsoft domain. Another red flag would be prompting a user for credentials to copy and send back to their command-and-control (C2) infrastructure. 

To protect against credential harvesting, another option is to use a password manager. The use of password manager is a simple method to avoid entering credentials into malicious phishing websites, due to the phishing domain not being the same as the impersonated websites. A password manager will not autofill the password, and will alert the users that the website they're on is not authentic.

Threat Advert is a New Service Strategy Invented by AsyncRAT


AsyncRAT is a Remote Access Tool (RAT) that uses a secure encrypted connection to monitor and control other machines remotely. It is an open platform distributed processing tool but it has the potential to be used intentionally because it includes features like keylogging, remote desktop command, and other functionalities that could destroy the victim's PC. Furthermore, AsyncRAT can be distributed using a variety of methods, including spear-phishing, malvertising, exploit kits, and other means. 

Morphisec has detected a new, advanced campaign distribution that has been successfully eluding the radar of several security providers, thanks to the breach prevention using Moving Target Defense technology.

Potential hackers are spreading AsyncRAT to targeted machines with a simple email phishing method with an Html attachment. AsyncRAT is meant to remotely monitor and manipulate attacked systems through a protected, encrypted connection. This campaign ran for 4 to 5 months, with the lowest detection rates according to VirusTotal. 

Victims received the email notification with an HTML attachment in the manner of a receipt: Receipt-digits>.html in many cases. When the victim opens the receipt, users are sent to a webpage where a user must store a downloaded ISO file. The user believes it is a routine file download that will pass via all port and network security scanning channels. Surprisingly, this is not true. 

The ISO download, in fact, is created within the user's browser by the JavaScript code hidden within the HTML receipt file, rather than being downloaded from a remote server. 

To reduce the possibility of infection by AsyncRAT, users must follow the following steps:
  • Updating antivirus fingerprints and engines is a must. 
  • Enable automatic updates to ensure that the operating system is up to date with the most recent security fixes. 
  • Email addresses should not be made public on the internet. 
  • Don't click email attachments with strange-looking extensions. When opening any email attachment, especially the one from unknown senders, proceed with caution.
  • Exercise caution while opening emails with generic subject lines. 

A Phishing Attack Impersonates the US DoL in Order to Steal Account Credentials


Many phishing attacks seek to defraud individuals by mimicking and imitating legitimate companies and organizations. A phishing email that looks to be from an official government agency is particularly deceiving since it exudes authority. Inky discovered a harmful campaign in the latter half of 2021 that spoofs the US Department of Labor in order to steal the account credentials of unwary victims. 

In a blog post published on Wednesday, Inky describes a series of phishing assaults in which the sender address on the majority of the emails looked to come from, the Department of Labor's legitimate domain. A couple of the emails were spoofed to appear to be sent from, which is not the department's actual domain. The remainder came from a collection of newly formed look-alike domains, including dol-gov[.]com, dol-gov[.]us, and bids-dolgov[.]us. These phishing emails claimed to be from a senior DoL employee in charge of procurement and asked recipients to submit bids for "ongoing government projects." 

A PDF attachment accompanying the email appeared to be an official DoL document, complete with all the necessary images and branding. On the second page of the PDF, a BID button led to what looked to be the Department of Labor's procurement platform but was actually a rogue website impersonating the department. 

When the victim closed the document, they saw an exact replica of the official DoL website. The smart phishers simply copied and pasted HTML and CSS from the original site onto the phishing site. 

The website then displays a "Click here to bid" button as the following step in the process. Anyone who clicks on that button will be directed to a credential harvesting form with instructions on how to submit a bid using a Microsoft account or another business account. The victim would be informed that their credentials were incorrect after entering them. The credentials, however, had been stolen by the attacker. If the user tried to input their credentials again, they would be sent to the official DoL page, which would further trick them. 

The phishers were able to send their phishing emails via abused servers supposedly managed by a non-profit professional membership group in the majority of these attacks (the ones in which the spoofed sender was either no-reply@dol[.]gov or no-reply@dol[.]com). 

Inky suggested a few tips to safeguard customers from this type of phishing scam, such as the fact that US government domains normally end in .gov or .mil rather than .com or another suffix, the US government does not usually send cold emails to collect bids for projects, and to check SMTP server settings. SMTP servers should not be configured to accept and forward emails from non-local IP addresses to non-local mailboxes by unauthenticated and unauthorized users.

US Arrested Multi-year Phishing Scam Suspect


An Italian man who was involved in a multi-year phishing scam aimed towards fraudulently stealing hundreds of unpublished book manuscripts from popular authors such as Margaret Atwood and Ethan Hawke − has been imprisoned. The accused will be in prison for a maximum of 20 years if found guilty of wire fraud and another additional two years for a count of aggravated identity theft. 

The Department of Justice while reporting on the incident, stated, that the man is 29-year-old Filippo Bernardini, was arrested by the FBI on Wednesday at the John F. Kennedy International Airport, in New York. The report also said that he was previously working at London-based publisher Simon & Schuster who allegedly impersonated editors, agents, and others personnel involved in the publishing industry to obtain manuscripts of unpublished books fraudulently. 

“We were shocked and horrified on Wednesday to learn of the allegations of fraud and identity theft by an employee of Simon & Schuster UK. The employee has been suspended pending further information on the case…” Simon & Schuster said in a statement to Variety. 

“…The safekeeping of our authors’ intellectual property is of primary importance to Simon & Schuster, and for all in the publishing industry, and we are grateful to the FBI for investigating these incidents and bringing charges against the alleged perpetrator.” 

Following the incident, agencies said that the scheme was started in August 2016 wherein Bernardini used various fake email addresses which were linked to over 160 domains spoofing literary talent agencies, literary scouting agencies, and publishing houses. 

Furthermore, he also sent phishing emails attacking employees of a New York City-based literary scouting company and obtained their sensitive data to gain access to the organization’s database of synopses and other information regarding upcoming books. 

"These prepublication manuscripts are valuable, and the unauthorized release of a manuscript can dramatically undermine the economics of publishing, and publishing houses generally work to identify and stop the release of pirated, prepublication, manuscripts," the Department of Justice said today. 

"Such pirating can also undermine the secondary markets for published work, such as film and television, and can harm an author’s reputation where an early draft of the written material is distributed in a working form that is not in a finished state."

190 Australian Organisations Left Vulnerable to Phishing Attacks


An "extremely permissive" Sender Policy Framework document exposed 190 Australian companies to business email compromise and phishing, allowing cybercriminals to mimic verified sender addresses. 

The Sender Policy Framework (SPF) is an anti-spam and verification mechanism that allows delivering organizations to inspect within the Domain Name System (DNS) which Internet Protocol addresses recipient email systems may expect legitimate emails to originate from. 

Sebastian Salla of security vendor Can I Phish in Sydney discovered that an unknown city government in Queensland had added to its SPF file each IP address that Amazon Web Services reserves for Elastic Cloud Compute cases in Australia. 

This totaled to over 1,000,000 IPv4 addresses, posing a threat to many organizations' email supply chain, according to Salla. 

“Each of the affected 190 organizations and their downstream customers is at an extreme risk to business email compromise and phishing-related attacks,” Salla wrote.

“Anyone with a credit card can sign-up for an AWS account, spin up an EC2 instance, request AWS to remove any SMTP restrictions, and begin sending SPF authenticated emails as though they are any of these organizations.” 

Salla's tests revealed that he was prepared to submit SPF-authenticated emails that passed all scans. Salla was able to determine that the SPF file had been used for customers of an Australian managed service provider and internet development company by analyzing it. 

He also stated that the vulnerabilities discovered had been addressed by the managed service provider. Salla discovered that the too permissive SPF file was produced about three years ago, putting the businesses impacted by the flaw in jeopardy all that time. 

Salla said the MSP has “removed all the overly permissive /16 address blocks and replaced them with single IP addresses for the mail servers that are actually under their control” – thus applying “the fix to all affected customers at once”.

IKEA Suffers Phishing Cyberattack, Employees Mail Compromised


Once the mail servers are compromised, hackers use them for gaining access to reply to the organization's employee emails in reply-chain attacks. If a message is sent from a company, it saves the hacker from getting caught. Hackers also compromise access to internal company emails, targetting business partners. IKEA warned its employees of an ongoing reply chain phishing attack on internal mailboxes. The compromised emails are also sent from different IKEA organizations and firm partners. The cyberattack targets Inter IKEA mailboxes, and different IKEA companies, business partners and suppliers, that were affected by the same attack.

"The emails originate from the same internal network, appear to be a continuation of a previous discussion between two employees. The attacker did not use tools for lateral movement or execute malware on the Exchange servers to avoid detection. The emails use weaponized Office documents or include a link to them. Upon enabling the content, malicious macros are executing to download and install the malware, such as Qbot, Cobalt Strike, and SquirrelWaffle," reports SecurityAffairs. 

The attack is also sending these malicious emails to employees in users in IKEA organizations. Meaning, the attack might come from emails, it can come from a co-worker, an external company, or a reply thread for an already continued conversation. It is a warning to the employees which hints that fraud messages are difficult to notice because they come from within an organization. Phishing messages containing downloaded links include seven digits at the end, the organization asked employees to bring to notice if they find anything suspicious. 

IKEA also disabled the option of employees sending the emails from quarantine, to avoid the confusion that messages were separated for error by email filters. Security Affairs reports, "recently Trend Micro spotted a malware campaign aimed at Microsoft Exchange servers that exploits ProxyShell and ProxyLogon issues and use stolen internal reply-chain emails to avoid detection."

Five Members of the Phoenix Hacking Group Held by Ukraine Police


The Security Service of Ukraine (SSU) has apprehended five people suspected of being members of the multinational "Phoenix" hacker organization, that carried out phishing assaults using counterfeit Apple support websites. 

The suspects reportedly resided in Kyiv or Kharkiv, according to the SSU, and all five were graduates of higher technical education institutes. Since then, police have confiscated computer equipment, mobile phones, software, and hardware thought to be used by the organization. 

Phoenix specializes in phishing scams to acquire remote control of smartphones. Viewers were directed to phishing websites that have been clones of legitimate Apple and Samsung help websites. The scheme lasted at least two years, and the hackers successfully gained access to hundreds of people's accounts. 

Individuals might also hire Phoenix for remote mobile phone hacking for $100 to $200. Investigators also learned that the hackers were accessing stolen or lost Apple iPhones. Once the devices were unlocked, the organization would sell them to unsuspecting buyers. 

SSU estimates that the five people arrested represent the majority of Phoenix, but they intend to continue their investigation to find any other accomplices. Phoenix is now facing charges under Article 361 of Ukraine's Criminal Code, which deals with criminal tampering with the operation of electronic computers, systems, and computer networks. 

A hacker renowned for data breaches reportedly obtained gigabytes of AT&T customer data, including social security numbers, in August. The hacker, identified as "ShinyHunters," had asked for $1 million to remove the data. 

AT&T disputed that the data came from their servers. The same month, T-Mobile learned of a server compromise that culminated in stolen data on over 100 million users being sold on a hacker website.

BlackBerry Discovers Initial Access Broker Linked to 3 Different Hacker Groups


The latest report from BlackBerry revealed an initial access broker termed "Zebra2104" that has links with three harmful cybercriminals groups, and few are involved in phishing campaigns and ransomware attacks Research and Intelligent team at Blackberry discovered that Zebra2104 gave entry points to ransomware groups such as MountLocker, Phobos, and StrongPity APT. 

The access was given to various organizations in Australia and Turkey which fell victim to the attacks. The StrongPity APT attacked Turkish firms in the healthcare sector, and also targeted smaller enterprises. As per Blackberry, its research suggests an access broker having a lot of manpower, or actors might've built large hidden traps on the web. 

The report also suggests that an inquiry confirmed that MountLocker ransomware was working along with StrongPity, an APT group that dates back to 2012, a Turkish state-sponsored group (allegedly). As of now, it might be hard to believe that criminal groups are sharing resources, but the experts have found a common link, enabled by a fourth criminal group termed Zebra2104, which the experts believe to be an Initial Access Broker (IAB). According to experts, there is an abundance of hacking groups working together, more than mentioned in this article. 

The single-domain directed the experts to a path where they discovered various ransomware attacks, and an APT C2 (command and control). The path turned out to be an IAB--Zebra2104 infrastructure. IAB's general gets access to the top bidders in dark web platforms on underground forums. Following that, the winning bidder deploys ransomware or any other malware in the target organization's systems, the campaign depends on the goals of the attack. 

"A few of the domains had been involved in a phishing campaign that went after state government departments in Australia as well as real estate companies there in September 2020. With the help of other Microsoft reports, the researchers were able to trace the campaigns further to an indicator of compromise of a MountLocker intrusion," reports ZD Net.

Users Warned About the Steam Scam Prevailing in the Wild


Another new internet fraud is circulating that may result in PC gamers losing access to their Steam accounts or perhaps getting their systems infected with a virus. 

Valve's Steam is a video game digital distribution service. In September 2003, it was released as a separate software client as a mechanism for Valve to give automatic updates for their games, and it was eventually expanded to also include titles from third-party publishers. 

If one has ever played a multiplayer online game, then they must be probably familiar with skins. Skins are decorative overlays for in-game goods that are widely traded in. These are, however, available to buy for either virtual or real money. 

Malwarebytes has issued a warning about a potential skins fraud that might result in users losing access to their accounts and their vast library of video games. As per a recent blog post from Malwarebytes Labs, one of the earliest frauds is skin phishing, wherein a scammer creates a false marketplace, a replica of a genuine game-themed lounge, or even a fake user's trade inventory page to breach an account. 

The fact that this strategy may be performed out in a very short period makes it highly risky. A scammer will commence by sending out a message with a malicious link to potential suspects on Steam or Discord. The messages are like this;

“Yo, I don’t know you, unfortunately, but this is for you, I do not need that knife [link]” 

“I haven’t met you, unfortunately (or not lol), but take it, I dont don’t need that skin [link]” 

After a user's Steam account has been compromised, they must contact the Steam assistance team to try to restore it, but by then, the fraudster has most likely altered their password as well as other login details. To make the matter worse, they might attempt identity theft by signing into a victim's additional online accounts with their Steam credentials. 

Malwarebytes suggests that Steam users must set two-factor authentication (2FA) for their accounts as well as avoid clicking on any URLs from unfamiliar persons in-game or online to safeguard themselves from this and other similar scams.

APT35 Continues Targeting Important US Citizens and Institutions


This year, the Google Threat Analysis Group (TAG) has noticed an increase in government-sponsored hacking. According to the data revealed in the blog post, Google has sent over 50,000 warnings of phishing and malware attempts to account holders thus far in 2021. The number of people has increased by 33% from the same period last year. 

APT35 operations dating back to 2014 have been found by FireEye. APT35, also known as the Newscaster Team, is an Iranian government-sponsored threat group that carries out long-term, resource-intensive operations to gather strategic intelligence. APT35 usually targets military, diplomatic, and government people in the United States and the Middle East, as well as organisations in the media, energy, and defense industrial base (DIB), as well as engineering, business services, and telecommunications. 

Since 2017, APT35 has been targeting politicians, NGOs, government institutions, journalists, and academia under the names Ajax Security Team, Charming Kitten, and Phosphorus. During the 2020 elections, the group also attempted to target former US President Donald Trump's election campaign staff. 

Charming Kitten made 2,700 attempts to gather information about targeted email accounts in a 30-day period between August and September 2019, according to Microsoft. There were 241 attacks and four compromised accounts as a result of this. Despite the fact that the initiative was allegedly directed at a presidential campaign in the United States, none of the stolen accounts had anything to do with the election. Microsoft did not say who was directly targeted, although Reuters later reported that it was Donald Trump's re-election campaign. The fact that only the Trump campaign utilized Microsoft Outlook as an email client backs up this claim.

 "For years, this group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government," Google said. 

Phishing attacks including malicious URLs are the most popular approach employed by APT35. APT35, for example, infiltrated a website affiliated with a UK university in early 2021. The group then set up a phishing kit on the website in order to collect user credentials and began sending out emails with a link to the site. The users were instructed to log in using the link provided in order to participate in a fictitious webinar. 

APT35 also attempted to use the Google Play Store to distribute spyware disguised as a VPN client. If the app is installed on the phone, it can gather SMS and call records, as well as location data and contacts. The attempt was thwarted when Google removed the app from the Play Store.

Intuit Alerted QuickBooks Customers About Ongoing Phishing Attacks


QuickBooks users have been warned by Intuit that they are being targeted by a phishing campaign masquerading the firm and attempting to entice possible victims with fraudulent renewal charges. 

According to the company, it received reports from customers who were emailed and informed that their QuickBooks plans had expired. 

"This email did not come from Intuit. The sender is not associated with Intuit, is not an authorized agent of Intuit, nor is their use of Intuit's brands authorized by Intuit," Intuit explained. 

All customers who got one of these phishing emails are advised not to click any links included in the emails or open files. To avoid getting attacked with malware or being redirected to a phishing landing page meant to gather credentials, it is advisable to delete them. 

Customers who have already opened attachments or followed links in the phishing emails should do the following: 
  • Delete any downloaded files as soon as possible. 
  • Scan their systems with an updated anti-malware solution. 
  • Reset their passwords. 
  • On its support page, Intuit also provides guidance on how customers may defend themselves against phishing attacks. 
To avoid having their databases damaged or corporate backup files automatically deleted, Intuit also warned users in July about phishing emails that asked them to contact a phone number to update to QuickBooks 2021 by the end of the month. 

According to BleepingComputer, identical emails were sent to Intuit customers this month, using a very similar style, with the update deadline switched to the end of October. While Intuit did not clarify how the upgrade scheme worked, past encounters with similar scam efforts have led BleepingComputer to believe that the fraudsters will attempt to take over the callers' QuickBooks accounts. 

To accomplish this, they pose as QuickBooks support employees and encourage victims to install remote access software such as TeamViewer or AnyDesk. Then they communicate with the victims and ask for the information needed to change their QuickBooks passwords and take control of their accounts in order to drain their money by making payments in their names. 

If the victims have two-factor authentication activated, the fraudsters will request the one-time permission code required to proceed with the upgrade. 

Copyright scams and account takeover attacks 

In addition to these two active campaigns, Intuit is also being impersonated by other threat actors in a bogus copyright phishing scheme, according to SlickRockWeb's CEO Eric Ellason. Recipients of these emails face the risk of becoming infected with the Hancitor (aka Chanitor) malware downloader or having Cobalt Strike beacons installed on their computers. 

The embedded URLs send potential victims through sophisticated redirection chains that employ different security evasion tactics and victim fingerprinting malicious spam. 

In June, Intuit also alerted TurboTax customers that intruders got entry to some of their personal and financial information as a result of a series of account takeover assaults. According to the firm, there was not a "systemic data breach of Intuit." 

As per the company's investigation, the attackers used credentials acquired from "a non-Intuit source" to obtain entry to the customers' accounts, including their name, Social Security number, address(es), date of birth, driver's licence number, financial information, and other personal information.

Nigerian Scammers Specializing in BEC Attacks Continue to Mature


Cybersecurity researchers at Palo Alto Networks Unit 42 have actively tracked the evolution of SilverTerrier Nigerian Business Email Compromise (BEC) threat actors. 

From 2014 to the present, researchers have uncovered over 170,700 samples of malware directly linked to Nigerian BEC actors. These samples have been noticed in over 2.26 million phishing attacks targeting users across all industries worldwide.

Evolution of Nigerian threat actors 

Business email compromise (BEC) attacks are one of the most financially damaging cybercrimes and have been on the rise over the past seven years. The Nigerian threat actors dubbed SilverTerrier, have contributed greatly to this growth. These threat actors are responsible for collectively producing more than 170,700 samples of malware directly linked to 2.26 million attacks, according to Palo Alto Network findings. 

SilverTerrier specializes in business email compromise attacks, the kind of email fraud in which scammers impersonate a target’s coworker or friend, then ask for wire transfers. The focus on Nigerian threat actors provides insight into one of the world’s largest subcultures given Nigeria’s historic ranking as a top-five hotspot for cybercrime. 

When first discovered in 2014, SilverTerrier included only a few individuals experimenting with commodity malware. Presently, it has 540 individual threat actors performing attacks worldwide.

Researchers at Palo Alto Networks have traced one such individual named, Onuegwu Ifeany, who studied computer science at Imo State University and launched Ifemonums-Solution LTD as a legitimate business venture in late 2014. That same year, he began his criminal activities, and from 2014 until his arrest, he registered over 150 malicious domains for personal use and to support other actors. Many of these domains also served as command-and-control infrastructure for over 2,200 samples of malware, including Pony, LokiBot, PredatorPain, ISRStealer, ISpySoftware, Remcos, and NanoCore.

Over the past seven years, researchers have also discovered over 10 different commodity information stealer families employed by SilverTerrier actors, with more effective tools being adopted over older ones. Since 2014, the threat actors have employed 13 RAT families, with LuminosityLink, NJRat, Quasar, and WarZone dropping in popularity over time, but Netwire, DarkComet, NanoCore, Remcos, ImminentMonitor, Adwind, Hworm, Revenge, and WSHRat are still actively used. 

How to protect yourself against BEC attacks? 

According to GreatHorn report, nearly 50% of all BEC attacks result from the spoofing of an individual’s identity in the display name. Among those spear phishing emails, cybercriminals are also using company names (68%), names of individual targets (66%), and the name of boss/managers (53%) to conduct their attacks. By following the steps given below you can mitigate the risks: - 

  • Avoid free web-based e-mail accounts 
  • Enable multi-factor authentication for business email accounts
  • Don’t open any email from unknown parties
  • Secure your domain 
  • Double-check the sender’s email address
  • “Forward,” don’t “reply” to business emails 
  • Know your customers and vendor’s habit 
  • Always verify before sending money or data

Zix: Attackers Increasingly Adopting New Techniques to Target Users


Cybercriminals are continuously expanding their toolkit by experimenting with new strategies and approaches in order to improve their effectiveness against both technological and human adversaries. 

According to research released by Zix, attackers are increasingly adopting new tactics to target users. The research covered several examples and also examined numerous consistent attack techniques and patterns that tend to affect organizations across the globe. 

“Cybercrime is exploding in 2021 and if there is anything that could be learned over the past year, it is that threat hunters are essential,” stated Troy Gill, Manager of Research at Zix. 

“Companies cannot wait for potential threats to emerge but must proactively identify security incidents that may go undetected by automated security tools. As we enter into the back half of the year, we will continue to see phishing, Business Email Compromise (BEC) and ransomware attackers become more sophisticated and bad actors asking for higher bounties to release data they have compromised.” 

The most common techniques employed by attackers: 

-Customized phishing attacks are on the upswing: Between Q1 and Q2, phishing assaults increased in frequency and sophistication, with campaigns becoming particularly tailored to specific users through the use of CAPTCHAs and web certificate data. Many websites, such as Spotify and DocuSign, were utilized to attract consumers. 

-New attack trends have surfaced: Email threats have grown in the first half of 2021, with 2.9 billion emails quarantined through June. URL and text-based cyberattacks increased steadily in the first half of the year, whereas email-based attacks dropped in the first five months before spiking in June.  

-BEC (business email compromise) attacks have become the most extensively employed technique: Businesses were determined to be the most susceptible and sought after by attackers, according to the research. Hackers have been seen eavesdropping in on discussions from inside a hacked account before delivering more personalized messages in an attempt to extract financial data or passwords.