Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Phishing Campaign. Show all posts
User Privacy
Credential Phishing iPhone Users Mobile Security Phishing Campaign User Privacy

Novel Darcula Phishing Campaign is Targeting iPhone Users

 

Darcula is a new phishing-as-a-service (PhaaS) that targets Android and iPhone consumers in more than 100 countries by using 20,000 domains to impersonate brands and collect login credentials.

With more than 200 templates available to fraudsters, Darcula has been used against a wide range of services and organisations, including the postal, financial, government, tax, and utility sectors as well as telcos and airlines.

One feature that distinguishes the service is that it contacts the targets over the Rich Communication Services (RCS) protocol for Google Messages and iMessage rather than SMS for sending phishing messages.

Darcula's phishing service

Darcula was first discovered by security researcher Oshri Kalfon last summer, but according to Netcraft researchers, the platform is becoming increasingly popular in the cybercrime sphere, having lately been employed across numerous high-profile incidents. 

Darcula, unlike previous phishing approaches, uses modern technologies such as JavaScript, React, Docker, and Harbour, allowing for continual updates and new feature additions without requiring users to reinstall the phishing kit. 

The phishing kit includes 200 phishing templates that spoof businesses and organisations from over 100 countries. The landing pages are high-quality, with proper local language, logos, and information. 

The fraudsters choose a brand to spoof and then run a setup script that installs the phishing site and management dashboard right into a Docker environment. The Docker image is hosted via the open-source container registry Harbour, and the phishing sites are built with React.

According to the researchers, the Darcula service commonly uses ".top" and ".com" top-level domains to host purpose-registered domains for phishing attacks, with Cloudflare supporting nearly a third of those. Netcraft has mapped 20,000 Darcula domains to 11,000 IP addresses, with 120 new domains added everyday. 

Abandoning SMS 

Darcula breaks away from standard SMS-based methods, instead using RCS (Android) and iMessage (iOS) to send victims texts with links to the phishing URL. The benefit is that victims are more likely to perceive the communication as trusting the additional safeguards that aren’t available in SMS. Furthermore, because RCS and iMessage use end-to-end encryption, it is impossible to intercept and block phishing messages based on their content.

According to Netcraft, recent global legislative initiatives to combat SMS-based crimes by restricting suspicious communications are likely encouraging PhaaS providers to use other protocols such as RCS and iMessage

Any incoming communication asking the recipient to click on a URL should be viewed with caution, especially if the sender is unknown. Phishing threat actors will never stop trying with novel delivery techniques, regardless of the platform or app.

Researchers at Netcraft also advise keeping an eye out for misspellings, grammatical errors, unduly tempting offers, and calls to action.
Read more »
Phishing Campaign
Data Privacy Info Stealer Malicious Files malware Phishing Campaign

MrAnon Stealer Propagates via Email with Fake Hotel Booking PDF

 

FortiGuard Labs cybersecurity experts have discovered a sophisticated email phishing scheme that uses fraudulent hotel reservations to target unsuspecting victims. The phishing campaign involves the deployment of an infected PDF file, which sets off a chain of actions that culminates in the activation of the MrAnon Stealer malware. 

The attackers, as initially reported by Hackread, conceal themselves as a hotel reservation company rather than depending on complicated technical means. They send phishing emails with the subject "December Room Availability Query," which contain fake holiday season booking details. A downloader link included within the malicious PDF file initiates the phishing attempt. 

Following an investigation, FortiGuard Labs experts discovered a multi-stage process involving.NET executable files, PowerShell scripts, and fraudulent Windows Form presentations. The attackers expertly navigate through these steps, using techniques such as fake error messages to mask the successful execution of the MrAnon Stealer malware. 

The MrAnon Stealer runs in the background, employing cx-Freeze to compress its actions and bypass detection measures. Its meticulous approach includes screenshot capture, IP address retrieval, and sensitive information retrieval from various applications. 

MrAnon Stealer, according to FortiGuard Labs, can steal information from bitcoin wallets, browsers, and messaging apps such as Discord, Discord Canary, Element, Signal, and Telegram Desktop. It specifically targets VPN clients such as NordVPN, ProtonVPN, and OpenVPN Connect. The attackers employ a Telegram channel as a means of exchange for command and control. Using a bot token, the stolen data is sent to the attacker's Telegram channel, along with system information and a download link.

As evidenced by the spike of requests for the downloader URL in November 2023, this malware campaign was aggressive and actively running, with a primary target on Germany. The hackers demonstrated a calculated strategy by switching from Cstealer in July and August to the more potent MrAnon Stealer in October and November. 

Users are strongly advised to take cautious, especially when dealing with unexpected emails containing suspicious files, as online vulnerabilities are at an all-time high. Vigilance and common sense are the keys to thwarting cybercriminal activities because they safeguard against the exploitation of human flaws and ensure online security.
Read more »
QBot
Cofense DarkGate malware Phishing Campaign PikaBot Qakbot QBot

After Qakbot, DarkGate and Pikabot Emerge as the New Notorious Malware


The PikaBot malware has been added to the already complicated phishing campaign that is transmitting the darkGate malware infections, making it the most sophisticated campaign since the Qakbot operation was taken down.

The phishing email campaign began in September 2023, right after the FBI took down the Qbot (Qakbot) infrastructure. 

In a report recently published by Cofense, researchers explain that the DarkGate and Pikabot operations employ strategies and methods that are reminiscent of earlier Qakbot attacks, suggesting that the threat actors behind Qbot have now shifted to more recent malware botnets.

"This campaign is undoubtedly a high-level threat due to the tactics, techniques, and procedures (TTPs) that enable the phishing emails to reach intended targets as well as the advanced capabilities of the malware being delivered," the report reads. 

This presents a serious risk to the organization because DarkGate and Pikabot are modular malware loaders that have many of the same features as Qbot, and Qbot was one of the most widely used malware botnets that were spread by malicious email.

Threat actors would likely utilize the new malware loaders, like Qbot, to get initial access to networks and carry out ransomware, espionage, and data theft assaults.

The DarkGate and Pikabot Campaign

Earlier this year, there had been a dramatic surge in malicious emails promoting the DarkGate ransomware. Starting in October 2023, threat actors have begun using Pikabot as the main payload.

This phishing attack takes place by sending an email – that is a reply or forward of a stolen discussion threat – to the targeted victims, who trust the fraudulent communications. 

After clicking on the embedded URL, users are prompted to download a ZIP file containing a malware dropper that retrieves the final payload from a remote location. These tests ensure that the users are legitimate targets.

According to Cofense, the attackers tested a number of early malware droppers to see which one worked best, including:

  • JavaScript dropper for downloading and executing PEs or DLLs. 
  • Excel-DNA loader based on an open-source project used in developing XLL files, exploited here for installing and running malware. 
  • VBS (Virtual Basic Script) downloaders that can execute malware via .vbs files in Microsoft Office documents or invoke command-line executables. 
  • LNK downloaders that exploit Microsoft shortcut files (.lnk) to download and execute malware.
  • As of September 2023, the DarkGate malware served as the ultimate payload for these attacks. In October 2023, PikaBot took its place.

DarkGate and PikaBot

DarkGate first came to light in 2017, however only became available to the threat actors past summer. As a result, its contribution to conducting phishing attacks and malvertising increases.

This sophisticated modular malware may perform a wide range of malicious actions, such as keylogging, bitcoin mining, reverse shelling, hVNC remote access, clipboard theft, and information (files, browser data) theft.

PikaBot, on the other hand, was discovered much recently in 2023. It consists of a loader and a core module, slotting in extensive anti-debugging, anti-VM, and anti-emulation mechanisms.

The malware profiles targeted systems and transfers the data to its command and control (C2) infrastructure, awaiting additional instructions.

The C2 delivers the commands to the malware that order it to download and run modules in the form of DLL or PE files, shellcode, or command-line commands.

Cofense has further cautioned that PikaBot and DarkGarw campaigns are being conducted by threat actors who are conversant with what they are doing and that their capabilities are top-of-the-line. Thus, organizations must be thoroughly introduced to the TTPs for this phishing campaign.  

Read more »
Phishing Campaign
Advanced Social Engineering cyber attack Cyber Attacks Phishing Attacks Phishing Campaign

Worldwide Tailor-Made Massive Phishing Campaign

The spotlight turned towards a worldwide phishing campaign when an incident unfolded involving an Imperva staff member who was singled out and almost ensnared by a social engineering assault.

Imperva, situated in San Mateo, California, operates as a cybersecurity company. It specializes in offering protective solutions for corporate data and application software, ensuring that businesses are shielded from potential threats. 

It all began when he (an Imperva staff member) tried to sell a car seat on Yad2, a website for used items. Someone interested in buying messaged him on WhatsApp and introduced a fake payment service, using Yad2's look, and sent a link (hxxps://yad2[.]send-u[.]online/4765567942451). 

The fake site had the Yad2 logo and an orange button to get paid. Subsequently, the target was led to a payment page, which then transmitted the credit card information to the fraudsters. The website also featured a customer support chat feature that enabled the individual to communicate with Yad2. 

This expansive operation encompassed over 800 distinct fraudulent domains, taking on the guise of approximately 340 reputable global enterprises. Among these were prominent financial institutions, postal and courier services, and social media and e-commerce platforms. 

Renowned names like Facebook, Booking.com, and other frequently visited websites were among the imitated entities, all of which attract substantial user traffic. 

A campaign originating from Russian IP addresses has been detected, and it has been linked to around 800 distinct scam domains, all of which are outlined in the Indicators of Compromise (IOCs). The campaign's origins can be traced back to May 2022, and it continues to remain active, undergoing periodic updates. The comprehensive analysis uncovered phishing websites in over 48 languages, all engaged in the impersonation of more than 340 different companies. 

At its core, social engineering exploits the power of human interaction as an attack vector. Its primary objective revolves around influencing, manipulating, or deceiving individuals to disclose crucial information or obtain entry within an organization. 

This type of manipulation often capitalizes on people's willingness to help or their apprehensions of potential repercussions. For instance, an attacker might assume the role of a coworker grappling with an immediate problem, seeking permission for additional network resources.
Read more »
Threat Intelligence
Cyber Attacks Global Firms Phishing Campaign Phishing Tool Threat Intelligence

'Greatness' Phishing Tool Abuses Microsoft 365 Credentials

 

The 'Greatness' phishing-as-a-service (PhaaS) platform has experienced an increase in activity as it targets organisations using Microsoft 365 in the United States, Canada, the United Kingdom, Australia, and South Africa. 

The Microsoft 365 cloud-based productivity tool is used by many organisations globally, making it a lucrative target for cybercriminals looking to steal data or credentials for use in network breaches.

Researchers at Cisco Talos describe how the Greatness phishing platform started operating in the middle of 2022, with a surge in activity in December 2022 and then again in March 2023. 

Most victims are based in the United States, and many of them are employed in industries like manufacturing, healthcare, technology, education, real estate, construction, finance, and business services.

Modus operandi 

The Greatness Phishing-as-a-Service includes everything a would-be phishing actor needs to run a successful campaign. To conduct an assault, the service user logs into the 'Greatness' admin panel with their API key and a list of target email addresses. 

The PhaaS platform allocates the required infrastructure, such as the server that will host the phishing website and generate the HTML attachment. The affiliate then creates the email's content, offers any additional information, and makes any necessary adjustments to the preset settings.

The victims then receive an email from the service containing a phishing attachment in HTML. When this attachment is opened, the browser runs obfuscated JavaScript code to establish a connection with the 'Greatness' server and retrieve the phishing page that will be shown to the user. 

As Greatness pre-fills the proper email to provide the impression of validity, the victim just enters their password on the convincing phishing page. In order to secure a valid session cookie for the target account, the phishing platform now manages the authentication flow between the victim's browser and the genuine Microsoft 365 login page.

'Greatness' will urge the victim to enter it if the account is two-factor authenticated while initiating a request on the genuine Microsoft service to send the one-time code to the target's device. 

Following the entry of the MFA code, Greatness will log in as the victim on the genuine Microsoft platform and send the authenticated session cookie to the affiliate via a Telegram channel or the service's web panel. 

"Authenticated sessions usually time out after a while, which is possibly one of the reasons the telegram bot is used - it informs the attacker about valid cookies as soon as possible to ensure they can reach quickly if the target is interesting," stated Cisco.

The attackers can then access the victim's email, files, and data in Microsoft 365 services via this session cookie. Frequently, the stolen credentials are also used to break into business networks, resulting in even riskier activities like the distribution of ransomware.
Read more »
Stolen Data
Antivirus cybercriminals Hacking keylogger malware Phishing Campaign Phishing Mails Snake Keylogger Stolen Data

Here's all you Need to Know About Snake Keylogger


In this age of ever-evolving technological developments, crime pertaining to the same is also emerging at a higher scale. One of the most talked about and harsh cybercrimes are data breaches. 

In today’s world, a cybercriminal is capable of stealing data and money with the help of a number of malwares, including keyloggers. 

Snake Keylogger is a well-known example of this kind of malware. However, where did Snake Keylogger originate from, how did it operate, and how could you get rid of it? Here is all you need to know about Snake Keylogger. 

What Is Snake Keylogger? 

In order to get an idea of Snake Keylogger, let us first understand what keyloggers are in general. 

Keylogger is the kind of malicious program used in logging keystrokes. If your device is infected, the keylogger will record anything you input on the keyboard, including passwords, text messages, payment information, and just about anything else. Essentially, Snake Keylogger is a modular malware program, created by using the .NET developer platform. 

With this logging, the malicious operator is able to acquire access over controlling the program, it may as well be able to see what a user is typing into his or her device and even take screenshots, giving them an opportunity to steal a great heap of data.  

Discovered in November 2020, it has a history of stealing credentials, clipboard data, and other types of information. Snake Keylogger, a dangerous product that may be purchased on malicious markets like hacking forums, poses a threat to both individuals and companies.

How Does Snake Keylogger Operate? 

Snake Keylogger usually spreads through phishing campaigns, targeting victims with malicious mail. However, it can also be transmitted via spear phishing, where specific victims are targeted for specific goals. When a Snake Keylogger is sent to a potential victim, it is enclosed in an attachment. 

Once received, the user is asked to open a DOCX file. This file may contain a macro (a computer virus), that permits the launch of Snake Keylogger. In case the recipient possesses a version of Microsoft Office with security vulnerabilities, the malware tends to exploit them and infect the device. The same could be intended for PDF readers. 

The malware holds the capability of gaining access to recorded data and transferring the same to the attacker, who can exploit it further. The data can either be exploited directly (by hacking bank accounts with stolen credentials) or sell the information to other threat actors in illicit marketplaces, on the dark web. 

One of the other reasons why Snake Keyloggers possess threats is their ability to evade antivirus protection, which usually stands as the first line of defense for most devices. In many cases, devices only possess antivirus as their source of protection, thus if Snake Keylogger succeeds in evading the software with no other protection in place, the targeted device could easily and quickly be infected and exploited. 

How to Protect Yourself from Snake Keylogger? 

To avoid Snake Keylogger, one can opt for a number of measures: 

  • The first is by installing antivirus software on their devices. While Snake Keylogger can sometimes avoid detection by antivirus software, it is crucial to have a reliable and efficient antivirus provider installed on your devices in order to identify keyloggers and other types of malware. 
  • Additionally, one must always exercise caution when opening any email attachments, particularly those from unknown or dubious senders. The distribution of malware via attachments is fairly prevalent, and Snake Keylogger is only one of many examples. Consider passing an email attachment via an attachment scanner to identify any potential risks if you ever receive one from a sender you do not fully trust. 
  • To avoid fraudulent emails, one should make sure to enable their email provider’s spam filter. This way, the suspicious emails will be sent to a separate folder, rather than the main inbox. 
  • Moreover, one must ensure to frequently update their operating systems as well as the installed apps. Since Snake Keylogger infects devices by exploiting software flaws, frequent updates will iron out these flaws, meaning cybercriminals can no longer be able to abuse the software.  

Read more »
Phishing Campaign
Cyber Attacks Cypto Flipper Zero Instagram Phishing Campaign

Phishing Campaign Uses Flipper Zero to Steal Crypto and Sensitive Data Worldwide


What is the Flipper Zero campaign?

Experts have found a new phishing campaign that targets cybersecurity professionals and hacking enthusiasts. The campaign steals cryptocurrency and the personal information of victims. 

Flipper Zero is behind the attack, it's a portable multi-tool for pentesters, cybersecurity experts, and hackers. The tool is used to find any type of access control system, radio protocols or RFID, NFC, Bluetooth, etc. 

The tool began as a big-hit Kickstarter project but met with various obstacles. Result? Demand weighed more than supply- giving a big opportunity to cybercriminals. Today, experts are noticing various fake online stores that sell Flipper Zero and fake Twitter profiles promoting the stores. One such account uses typosquatting to fool people by cleverly replacing a letter in the spelling because the "L" in Flipper is an uppercase "i." Such accounts are currently very active, providing immediate responses to customer queries. 

Stealing crypto and data via Flipper Zero

People who fall under this trap will in the end get redirected to the phishing checkout page, where they are asked to submit a lot of sensitive data- email id, name, and residential address. Additionally, there's only one way to pay on these pages- cryptocurrency (bitcoin or ether). 

But the experts are saying that the wallets displayed on fake shops are empty, which can only mean two things, either the scammers keep changing their addresses to avoid getting doxed or no one actually fell for the trick. 

The company is struggling to battle this campaign, as it has now reached Instagram as well. The company tweeted: “Dear @Instagram and @InstagramComms, there are hundreds of fake and scam accounts imitating our official Flipper Zero Instagram account. These fraudulent accounts try to fool people and steal money. We can't report them because we are rejected to have a verified blue check mark.” 

What next for Flipper Zero?

The Flipper Zero Kickstarter campaign was last active in 2020, and it was a big hit. Initially, the campaign goal was $60,000 but it received a massive amount of over $4.8 million in pledges. The first users shared their feats on social media, and it received much appreciation from the audience, which pushed the production even more. But the production hit the brakes when PayPal held $1.3 million for months. 

In September 2020, the Flipper Zero team said that PayPal decided to hold the amount without giving any reason and later suspended the company's account, compromising the entire project. In November 2020, Flipper Zero with the help of a legal team managed to get back around three-quarters of the fund ($980,000), but PayPal kept around $350,000 to "mitigate possible claims."


Read more »
Scammers
Cyber Fraud EU Anti-Fraud EU Commission Phishing Campaign Scammers

Scammers Impersonating European Anti-Fraud Office to Launch Phishing Campaigns

 

Threat analysts have unearthed multiple incidents of fraud and phishing attempts via malicious texts, letters, and scam phone calls purporting to be from OLAF, the European Anti-Fraud Office. 

The European Anti-Fraud Office (also known as OLAF,) is a body mandated by the European Union (EU) with guarding the Union's financial interests. It was established on 28 April 1999, under the European Commission Decision 1999/352. 

To target entities and individuals, scammers often impersonate the European Commission or OLAF’s logo and the identity of OLAF staff members to look convincing. They try to lure victims by offering to transfer the money on the condition that if the victim pays a charge and provides financial and private data.

European Anti-Fraud Office methodology 

OLAF’s investigators achieve their goal by launching independent internal and external investigations. Threat analysts coordinate the activities of their anti-fraud partners in the Member States to counter fraud activities. 

OLAF supplies EU member states with the necessary support and passes technical knowledge to assist them in anti-fraud activities. It also contributes to the design of the anti-fraud strategy of the European Union and takes adequate measures to strengthen the relevant legislation. 

Targeting prominent names and businesses 

Earlier this year in April, European Union's anti-fraud agency accused France's far-right presidential candidate Marine Le Pen and members of her party of misusing thousands of euros' worth of EU funds while serving in the European Parliament. 

According to the Investigative website Mediapart, the OLAF report claimed Le Pen had misappropriated 140,000 euros of public money with party members, diverting 617,000 euros. However, none were accused of profiting directly, but of claiming EU funds for staff and event expenses. 

In 2017, OLAF put an end to an intricate fraud scheme via which more than EUR 1.4 million worth of European Union funds, meant for emergency response hovercraft prototypes, had been misused. 

The investigators unearthed the fraud pattern as part of their investigation into alleged irregularities in a Research and Innovation project granted to a European consortium. The Italian-led consortium, with partners in France, Romania, and the United Kingdom, was handed the responsibility of managing two hovercraft prototypes to be utilized as emergency nautical mediums able to reach remote areas in case of environmental accidents. 

During on-the-spot checks performed in Italy by OLAF and the Italian Guardia di Finanza, OLAF identified multiple disassembled components of one hovercraft, as well as another hovercraft that was completed after the deadline of the project. It became crystal clear that, in order to obtain the EU funds, the Italian partners had falsely attested to the existence of the required structural and economic conditions to carry out the project. 

Preventive tips 

The European Anti-Fraud Office recommends users follow the tips mentioned below: 

If an individual receives any such request regarding transferring money and claims to be from OLAF or one of its staff members, then it is a scam because OLAF NEVER offers or requests money transfers to or from citizens. OLAF only investigates fraud impacting the EU budget, and suspicions of misconduct by EU staff. Additionally, do not reply or carry out any of the actions contained in the correspondence.

The impacted individual should immediately report any fraud and/or phishing attempt to national authorities competent for crimes and/or cybercrime. OLAF does not investigate scams related to cryptocurrencies or personal finances.
Read more »
User Security
Banking Trojan File Share Servers Malicious Payload malware Phishing Campaign User Security

Threat Actors Exploit WeTransfer to Spread Lampion Malware

 

In a new phishing campaign unearthed by Cofense researchers, the Lampion malware is being distributed massively, with hackers exploiting WeTransfer as part of their campaign.

WeTransfer is an internet-based computer file transfer service that can be utilized free of cost, hence it's a no-cost way to circumvent security software that may not detect URLs in emails. 

The malware authors are sending phishing emails from exploited firm accounts requesting customers to download a "Proof of Payment" document from WeTransfer. 

The file sent to the targets is a ZIP archive containing a VBS (Virtual Basic script) file that the user must open in order for the attack to begin. Upon clicking on the file, the script launches a WScript process that manufactures four VBS files with random names. The first is empty, the second has limited functionality, and the third's sole motive is to launch the fourth script. 

According to Cofense researchers, this extra step is unclear, but modular execution approaches are typically preferred for their versatility, allowing easy file swaps. The fourth script initiates a new WScript process that links to two hardcoded URLs to retrieve two DLL files concealed inside password-protected ZIPs. The malicious links lead to Amazon AWS instances. 

The ZIP file password is concealed in the script, so the archives are extracted without user communication. The contained DLL payloads are loaded into memory, allowing Lampion to be stealthily executed on compromised systems. 

Subsequently, the malware initiates extracting data from the computer, and bank accounts, and overlaying its own login forms on login pages. These fake bogus forms are stolen and sent to the hacker when users enter their credentials. 

The Lampion trojan has been active since at least 2019, primarily targeting Spanish-speaking users and employing exploited servers to deploy its malicious ZIPs. 

Last year, the malware was identified exploiting cloud services for hosting the malware for the first time, including Google Drive and pCloud. Recently, in March 2022, Cyware reported an increase in trojan distribution, identifying a hostname link to Bazaar and LockBit operations.

Prevention Tips 

Researchers advised users to apply the following mitigations to defend against malware attacks: 
  • Update software, including operating systems, applications, and firmware frequently 
  • Install OS patches when they are available 
  • Enforce MFA to the greatest extent possible 
  • If you use RDP and/or other potentially risky services, secure and monitor them closely 
  • Employ cryptographic vaults for data safety
Read more »
Snake Keylogger
malspam malware Phishing Campaign Snake Keylogger

Snake Keylogger is Back, Targets IT Corporates


Snake Keylogger tracks keystrokes 

Snake Keylogger is back again with a brand new malspam campaign distributing through phishing mails sent to corporate firms' managers. Bitdefender Antispam Labs found the campaign on 23 August 2022. 

A Keylogger is a kind of malicious software that keeps record of your keystrokes and forwards it to hackers. 

Keyloggers can be deployed in your system without you knowing, generally through a malicious infected website or email attachment. 

In few cases, the hackers may use a physical Keylogger on your computer that maybe like a malicious USB drive or customised phone charging cable. 

Campaign Details

As per the Bitdefender experts, the IP addresses used in the attack came from Vietnam, while the campaigns main targets were in USA, and over 1000 inboxes have received the phishing emails. 

Threat actors leverage the corporate profile of Qatar's one of the leading IT and cloud services providers to lure victims into clicking a ZIP archive. The archive includes an executable file named “CPMPANY PROFILE.exe.”

As per Bitdefender blogpost, the file installs the malicious Snake Keylogger payload on the victim system's host. The data is extracted through SMTP. 

About Snake Keylogger

It is an infamous info and credential stealing malware that steals sensitive information from victim's device. It has keyboard logging and screenshot capturing capabilities. It is a major threat to organizations due to its surveillance and data stealing capabilities.

Besides this, it can steal info from system keyboards. It is also known as 404 Keylogger. The malware came out in 2020 and can be found at underground forums/message boards for hundred dollars. The malware is generally used in campaigns driven by financial aims, these include fraud based campaigns and identity thefts. 

How to stay safe?

A Keylogger tracks every keystroke a user makes, allowing hackers to get your passwords, personal information, and financial data. However, you can follow some steps to stay safe. 

According to Bitdefender:

Always verify the origin and validity of correspondence before interacting with links or attachments, and deploy security solutions. Ensure that accounts are protected via two-factor (2FA) or multi-factor (MFA) authentication processes that will prevent cybercriminals from logging into accounts should your system get compromised, and install a security solution on their devices.





Read more »
Spear Phishing Campaign
CrowdStrike Cyber Phishing malware Malware Attack Phishing Campaign RATs Spear Phishing Campaign

Callback Malware Campaign Imitates CrowdStrike and Other Big Cybersecurity Organizations


About the Attack

Earlier this month, CrowdStrike Intelligence found a callback phishing campaign copying big cybersecurity companies, including CrowdStrike. The phishing emails say that the receiver's (e-mail) company has been compromised and that the victim should contact the given phone number. The campaign incorporates similar social-engineering techniques that were used in the recent callback campaigns like WIZARD SPIDER'S 2021 Bazaar all campaign. 

The campaign is likely to include common genuine remote administration tools (RATs) for access in initial stage, off the shelf penetration testing tools for lateral movement, and execution of ransomware or extorting data. The callback campaign incorporates emails that look like it originates from big security companies, the message says that the security company found a potential issue in the receiver's network. As we have noticed in the earlier campaigns, the threat actor gives the recipient a phone number to call. 

In the past, callback campaign operators have tried to convince victims to install commercial RAT software to get an early foothold on the network. "For example, CrowdStrike Intelligence identified a similar callback campaign in March 2022 in which threat actors installed AteraRMM followed by Cobalt Strike to assist with lateral movement and deploy additional malware," says CrowdStrike. 

Current Situation 

Currently, CrowdStrike intelligence can't confirm the version in use, the callback operators will most probably use ransomware to monetize their operations. "This assessment is made with moderate confidence, as 2021 BazarCall campaigns would eventually lead to Conti ransomware — though this ransomware-as-a-service (RaaS) recently ceased operations. This is the first identified callback campaign impersonating cybersecurity entities and has higher potential success given the urgent nature of cyber breaches," says CrowdStrike.

Read more »
User Security
Cyber Fraud Phishing Campaign Phishing Gang User Privacy User Security

Ukrainian Authorities Take Down Phishing Gang That Siphoned 100 Million Hryvnias

 

The Ukraine Cyber Police Department and the Pechersk Police Department arrested nine members of a cybercriminal organization that defrauded over 5,000 citizens of Ukraine of more than 100 million hryvnias (about $3.39 million) via phishing attacks. 

The fraudsters designed more than 400 phishing sites for exfiltrating the banking details of Ukrainian citizens under the guise of social security payments from E.U. countries. The malicious landing pages were hosting an application form to fill out to receive financial help from the European Union. 

Some of the phishing sites registered by the hackers included ross0.yolasite[.]com, foundationua[.]com, ua-compensation[.]buzz, www.bless12[.]store, help-compensation[.]xyz, newsukraine10.yolasite[.]com, and euro24dopomoga0.yolasite[.]com, among others. 

“Nine people created and administered more than 400 fake web resources for obtaining banking data of citizens. Through the websites, Ukrainians were offered to form an application for the payment of financial assistance from the countries of the European Union. Using phishing links, victims took surveys and entered bank card details.” reads the advisory published by the Ukrainian Cyber Police. 

Once in possession of the bank details, the malicious hackers carried out unauthorized access to the victim’s online banking and siphoned money from their accounts. The hackers defrauded more than 5,000 citizens, stealing a total amount of more than 100 million hryvnias. 

The law enforcement operation culminated in the seizure of computer equipment, mobile phones, and bank cards as well as the criminal proceeds illicitly obtained through unlawful activities. If the arrested individuals are found guilty of fraud charges under the Criminal Code of Ukraine, they face up to 15 years in prison. 

“Criminal proceedings have been opened under Part 3 of Art. 190 (Fraud), Part 5 of Art. 361 (Unauthorized interference in the work of information (automated), electronic communication, information and communication systems, electronic communication networks) of the Criminal Code of Ukraine. Perpetrators may face up to fifteen years in prison.,” the advisory further reads. “The issue of declaring suspicion and selecting preventive measures for the persons involved is being resolved.” 

The local police warned citizens to receive information regarding financial payments only from official sources, avoid clicking on suspicious links, and never provide private and banking information to third parties posing as government organizations.
Read more »
User Security
Cyber Crime JavaScript Phishing Campaign Phishing Toolkit User Security

"NakedPages" Phishing Toolkit Advertised for Sale on Cybercrime and Telegram Platforms

 

CloudSEK researchers have unearthed a brand new sophisticated phishing toolkit dubbed "NakedPages” which is advertised for sale on multiple cybercrime platforms and Telegram channels. 

The toolkit, which was designed using NodeJS Framework operates JavaScript code and is fully automated having more than 50 phishing templates and site projects. 

“Naked Pages is the phishing tool any serious developer//spammer needs with more features than any other reverse proxy combined or PHP phishing framework combined,” reads an advertisement on a cybercrime forum.

Additionally, the advertisement mentions that there is a possibility of providing software licenses if the buyer pays $1000 upfront and contributes by sharing new thoughts for the open-source project on GitHub. The buyers can contact the hacker via a Google Forms page. 

According to CloudSEK researchers, the toolkit is manufactured to work on Linux and requests for read, write and execute permissions from the ‘user’ and also asks for learning and execute permissions from both ‘group’ and ‘others’ in order to function smoothly. 

Moreover, the toolkit is laced with fully-integrated and battle-based anti-bot features, capable of sporting security bugs of different types from over 120 nations.

“[NakedPages] would equip malicious actors with the details required to launch sophisticated ransomware attacks,” researchers explained.

CloudSEK has not identified the author behind the new phishing toolkit but believes there is a new player on GitHub and the cybercrime platform, with both accounts being less than a month old. “There have been no concrete samples shared by the threat actor. Repeated attempts for establishing contact were made by our source, but the threat actor hasn’t responded,” CloudSEK stated. 

The researchers also issued an advisory to the users who may be impacted by NakedPages to monitor for anomalies in accounts and systems that could be indicators of possible account breaches and execute multi-factor authentication (MFA) practices across all accounts. 

Last month, the Resecurity Hunter unit detected a new phishing campaign, dubbed Frappo, disseminated aggressively on the dark web and via Telegram channels. The phishing campaign allowed scammers to host and design high-quality phishing websites that mimicked popular online banking, e-commerce, and retail services in order to exfiltrate private data from their target customers. 

The phishing pages impersonated 20 financial institutions (FIs), online retailers, and popular services – including Amazon, Uber, Netflix, Bank of Montreal (BMO), Royal Bank of Canada (RBC), CIBC, TD Bank, Desjardins, Wells Fargo, Citizens, Citi and Bank of America.
Read more »
URL Shorteners
Cyber Attacks Malicious Campaign Phishing Campaign Reverse Tunnels URL Shorteners

Reverse Tunnels and URL Shorteners Employed by Attackers to Launch Phishing Campaign

 

Security researchers at CloudSEK, a digital risk protection firm have witnessed a significant surge in the usage of reverse tunnel services and URL shorteners in conjunction with wide-scale phishing campaigns. 

The methodology employed by attackers is different from the more typical modus operandi of registering domains with hosting providers, who are more likely to react to complaints and shut down the malicious sites. 

The reverse tunnel services assist threat actors in hosting phishing pages locally using their devices and route connections via the external service. Additionally, they can develop new URLs through the URL shortening services as many times as required to bypass security detection. Many of the phishing URLs are updated in less than 24 hours, making it more difficult for researchers to spot and take down malicious domains. 

As reported by BleepingComputer, researchers have identified more than 500 sites hosted and distributed using a combination of reverse tunneling and URL shortening. Ngrok, LocalhostRun, and Argo were the most commonly abused reverse tunnel services, while Bit.ly, is.gd, and cutt.ly were the most prevalent URL shorteners. 

According to CloudSEK, cybercriminals may hide their identity by using URL shorteners to mask the name of the URL, which is typically a series of random characters. The malicious links are distributed via Telegram, WhatsApp, phony social media pages, texts, and emails. 

It is worth noting that the cybersecurity landscape is not unfamiliar with the exploit of reverse tunneling. For example, the digital banking platform of the State Bank of India had been previously impersonated for such phishing campaigns to exfiltrate users’ credentials. 

The malicious link was concealed behind “cutt[.]ly/UdbpGhs” and directed to the domain “ultimate-boy-bacterial-generates[.]trycloudflare[.]com/sbi” that employed Cloudflare’s Argo tunneling service. Subsequently, the malicious page requested bank account credentials, PAN card numbers, Aadhaar unique identification numbers, and mobile phone numbers. However, CloudSEK did not share how damaging this campaign was for bank users. 

Private details collected this way can be sold on the dark web or used by hackers to drain bank accounts. If the data is from a firm, the attackers could use it to launch ransomware attacks or business email compromise (BEC) scams. To mitigate the risks, users should avoid clicking on links received from an unfamiliar source.
Read more »
security threat
Cyber Scam Mobile Security Phishing Campaign security threat

Beware of New Phishing Campaign Targeting Facebook Users

 

Facebook users need to remain vigilant after researchers at Abnormal Security uncovered the new phishing campaign designed to steal passwords from admin that run company Facebook pages. The scam begins with a victim being sent a phishing email claiming to be from 'The Facebook Team’. 

The email warns that the user's account might be disabled or the page might be removed over repeatedly posting content that infringes on someone else’s rights. 

Once scaring a victim into thinking their Facebook profile could soon be taken down, the victim is invited to appeal the report by clicking on a link that the security researchers said goes to a Facebook post – and within this post, there's another link that directs users to a separate website. To file an ‘appeal’, a Facebook user is told to enter sensitive information including their name, email address, and Facebook password. 

All this information is sent to the threat actor, who can exploit it to log in to the victim's Facebook page, gather sensitive details from their account, and potentially lock them out of it. If the victim re-uses their Facebook email address and password for other websites and applications, the attacker can access those too. One of the reasons phishing attacks like this are successful is because they create a sense of urgency. 

“What makes this attack interesting (and particularly effective) is that the threat actors are leveraging Facebook’s actual infrastructure to execute the attack. Rather than sending the target straight to the phishing site via a link in the email, the attackers first redirect them to a real post on Facebook. Because the threat actors use a valid Facebook URL in the email, it makes the landing page especially convincing and minimizes the chance the target will second-guess the legitimacy of the initial email,” researchers explained. 

“In addition, it appears the attackers are targeting accounts of people who manage Facebook Pages for companies. For these individuals, a disabled Facebook account wouldn’t just be an inconvenience; it could have an impact on their marketing, branding, and revenue. If they believed their account was at risk, they would be particularly motivated to act quickly.” 

If you have already been a victim of this campaign, or want to stay safe from any future threats, Facebook on its website has issued recommendations for its users. The social network advises anyone who thinks they’ve fallen for a phishing scam to report it, change their password, and make sure they log out of any devices they don’t recognize. Facebook also recommends users turn on multi-factor authentication, which helps to add an extra level of security to their account.
Read more »
Windows
Credit Card Data data security Internet Explorer Login Credentials malware Malware Campaign Phishing Campaign Windows

Latest Phishing Campaign Deploys Malware and Steals Critical Information

A phishing campaign on a massive scale is targeting Windows PC and wants to deploy malware that can hack usernames, passwords, contents of the crypto wallets, and credit card credentials. Malware named RedLine Stealer is provided as a malware-as-a-service scheme, giving amateur level cybercriminals the option to steal various kinds of critical personal information, for amounts as much as $150. The malware first surfaced in 2020, but RedLine recently added a few additional features and is widely spread in large-scale spam campaigns in April. 

The phishing email campaign includes a malicious attachment which, if active, starts the process of deploying malware. Hackers target users (mostly) from Europe and North America. The malware uses CVE-2021-26411 exploits discovered in Internet Explorer to send the payload. The vulnerability was revealed last year and patched, to limit the malware's impact on users who are yet to install the security updates. Once executed, RedLine Stealer does starting recon against the target system, looking for information that includes usernames, the type of browser that the user has, and if an antivirus is running in the system. 

After that, it finds information to steal and then extracts passwords, credit card data, and cookies stored in browsers, crypto wallets, VPN login credentials, chat logs, and information from files. Redline can be bought from the dark web, hackers are offered services on different hierarchical levels, this shows how easy it has become to buy malware. Even noob hackers can rent the software for $100 or get a lifetime subscription for $800. 

The malware is very simple, but very effective, as it can steal vast amounts of data, and inexperienced hackers can take advantage of this. ZDNet reports "it's possible to protect against Redline by applying security patches, particularly for Internet Explorer, as that will prevent the exploit kit from taking advantage of the CVE-2021-26411 vulnerability." The users should keep their operating systems updated, anti-virus and apps updated, to prevent known vulnerabilities from getting exploited for distributing malware.

Read more »
Threat actor
Cyber Security Microsoft Phishing Campaign sensitive credential Threat actor

PDC Discovered a Phishing Campaign that Spoofs Power BI Emails to Harvest Microsoft Credentials

 

The Cofense Phishing Defense Center (PDC) has discovered a new phishing effort that impersonates Power BI emails in order to steal Microsoft credentials. Power BI is a business intelligence-focused interactive data visualisation programme developed by Microsoft. It's a component of the Microsoft Power Platform. 

Power BI is a set of software services, apps, and connectors that work together to transform disparate data sources into coherent, visually immersive, and interactive insights. Data can be read directly from a database, a webpage, or structured files like spreadsheets, CSV, XML, and JSON. Power BI offers cloud-based BI (business intelligence) services known as "Power BI Services," as well as a desktop interface known as "Power BI Desktop."

It provides data warehouse functionality such as data preparation, data discovery, and interactive dashboards. Microsoft added a new service called Power BI Embedded to its Azure cloud platform in March 2016. The ability to import custom visualisations is a key differentiator of the product. 

The email appears to be a genuine Microsoft notification. There are a couple of reasons how this happens. Threat actors have grown accustomed to using authentic Microsoft notifications into their phishing designs. Researchers also saw them use stolen credentials to generate a legitimate-looking notification from a legitimate Microsoft instance. They noticed that the threat actor in this email employed a common theme to entice the recipient to click on the links. 

After clicking the link in the email, the user is taken to a website that appears to be a legitimate Microsoft log-in page. The first sign that anything is wrong with the page, aside from the lack of conventional imagery, is that the URL does not look anything like what is specified in the email or linked with Microsoft services. 

Following the recipient's input of their credentials, the attack concludes with an error message indicating that there was a problem with the account verification. This is yet another Microsoft spoof used by the threat actor to divert the recipient's attention away from the fact that they were not routed to the Power BI report they anticipated to view. This makes the recipient less likely to suspect that they have just given away their credentials. 

"Cofense continues to observe credential phishing as a major threat to organizations. This is why it’s critical to condition users to identify and report suspicious messages to the security operations team. Attacks such as this one are effective at eluding common email security controls, and are – by design — overlooked by end users," the company said.
Read more »
Remote Access Trojan
email security malware Phishing Campaign Remote Access Trojan

To Spread STRRAT Malware, Phishing Campaign Impersonates Shipping Giant Maersk

 

A new phishing campaign employing bogus shipping delivery lures installs the STRRAT remote access trojan on the computers of unsuspecting victims. Fortinet identified the new campaign after detecting phishing emails mimicking Maersk Shipping, a worldwide shipping behemoth, but utilising seemingly authentic email addresses. 

STRRAT is a multi-functional Remote Access Trojan that dates to at least mid-2020. It is unusually Java-based and is normally sent to victims via phishing email. Previous STRAAT operations, like other phishing attacks, used an intermediary dropper (e.g., a malicious Excel macro) attached to the email that downloaded the ultimate payload when viewed. Instead of using that method, this sample attaches the final payload directly to the phishing email. 

In the case of Maersk Shipping, the message eventually goes through "acalpulps[.]com" before being delivered to the final recipient after leaving the sender's local infrastructure. This domain was only registered in August 2021, which makes it questionable. Furthermore, the domain utilised in the "Reply-To" address, "ftqplc[.]in," was recently registered (October 2021), making it highly suspicious as well. The email body urges the recipient to open attachments regarding a pending shipment. 

A PNG image and two Zip archives are directly attached to the sample email. "maersk.png" is simply an image file. However, the two Zip archives “SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]zip” and “SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF (2)[.]zip” include an embedded copy of STRRAT. When one of these archives is unzipped, the file “SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]jar” is displayed. However, when you open the file in Jar Explorer, a few things become clear. 

Firstly, this package contains a significant number of Java class files. Second, the strings in the class "FirstRun" appear to be scrambled or encoded. Lines beginning with "ALLATORIxDEMO" denote the presence of the Allatori Java Obfuscator. 

STRRAT malware first collects basic information about the host system, such as its architecture and any anti-virus software that are operating on it, before checking local storage and network capability. STRRAT can collect user keystrokes, enable remote control operation, steal passwords from web browsers such as Chrome, Firefox, and Microsoft Edge, steal passwords from email clients such as Outlook, Thunderbird, and Foxmail, and launch a pseudo-ransomware module to simulate an infection. 

Trojans like STRRAT are frequently overlooked because they are less sophisticated and more randomly distributed. However, this phishing attempt proves that even little threats can cause significant damage to organizations.
Read more »
USA
Cyber Security hacker arrested Impersonation Techniques Phishing and Spam Phishing Attacks Phishing Campaign Phishing scam USA

US Arrested Multi-year Phishing Scam Suspect

 

An Italian man who was involved in a multi-year phishing scam aimed towards fraudulently stealing hundreds of unpublished book manuscripts from popular authors such as Margaret Atwood and Ethan Hawke − has been imprisoned. The accused will be in prison for a maximum of 20 years if found guilty of wire fraud and another additional two years for a count of aggravated identity theft. 

The Department of Justice while reporting on the incident, stated, that the man is 29-year-old Filippo Bernardini, was arrested by the FBI on Wednesday at the John F. Kennedy International Airport, in New York. The report also said that he was previously working at London-based publisher Simon & Schuster who allegedly impersonated editors, agents, and others personnel involved in the publishing industry to obtain manuscripts of unpublished books fraudulently. 

“We were shocked and horrified on Wednesday to learn of the allegations of fraud and identity theft by an employee of Simon & Schuster UK. The employee has been suspended pending further information on the case…” Simon & Schuster said in a statement to Variety. 

“…The safekeeping of our authors’ intellectual property is of primary importance to Simon & Schuster, and for all in the publishing industry, and we are grateful to the FBI for investigating these incidents and bringing charges against the alleged perpetrator.” 

Following the incident, agencies said that the scheme was started in August 2016 wherein Bernardini used various fake email addresses which were linked to over 160 domains spoofing literary talent agencies, literary scouting agencies, and publishing houses. 

Furthermore, he also sent phishing emails attacking employees of a New York City-based literary scouting company and obtained their sensitive data to gain access to the organization’s database of synopses and other information regarding upcoming books. 

"These prepublication manuscripts are valuable, and the unauthorized release of a manuscript can dramatically undermine the economics of publishing, and publishing houses generally work to identify and stop the release of pirated, prepublication, manuscripts," the Department of Justice said today. 

"Such pirating can also undermine the secondary markets for published work, such as film and television, and can harm an author’s reputation where an early draft of the written material is distributed in a working form that is not in a finished state."
Read more »
Threat actor
Credential stealing Cyber Attacks Germany Phishing Campaign Threat actor

A Phishing Campaign in Germany is Attempting to Steal Banking Credentials

 

Credential phishing attacks aimed at obtaining German banking credentials have become more widespread, according to Proofpoint researchers. Proofpoint analysts have identified multiple high-volume operations imitating large German institutions, such as Volksbank and Sparkasse, employing customized, actor-owned landing sites, since August 2021. Hundreds of organizations are affected by the activity, which is still ongoing.

The commercials were aimed at a variety of industries, with a focus on German companies and foreign workers in Germany. Each campaign, which included tens of thousands of letters, had an influence on hundreds of organizations. Account administration information is included in the phishing emails, but they also contain links or QR codes that lead to a geo-fenced credential harvesting website. Targeted information includes banking branch details, login identity, and PIN. The threat actor used a number of URL redirection tactics to spread the infected URLs. In various efforts, the threat actor used hacked WordPress websites to redirect users to phishing landing pages. 

To spread malicious URLs for phishing and malware assaults, threat actors regularly use WordPress plugins and websites built using WordPress software. Feedproxy URLs and QR codes were also identified being exploited to redirect to phishing pages. Only German visitors are directed to the phishing website. The threat actor's employment of geofencing measures is to blame. Threat actors are utilising IP geolocation checks to determine the location of a target, according to Proofpoint. If the user is not in Germany, they are directed to a website clone ostensibly providing tourist information for Dusseldorf's Rhine Tower. If the user is in Germany, they will be directed to a website that resembles a bank's website. 

Using identical domain naming conventions, the actor hosts these pages on their own actor-controlled infrastructure. Sparkasse credential phishing URLs, for example, frequently begin with "spk-," whereas Volksbank clones begin with "vr-." Some samples of the domains used by this threat actor are, vr-mailormular[.]com/Q20EBD6QLJ, vr-umstellungssystem-de[.]com/FLBSEKZ9S3, spk-security-spk[.]com/P84OZ3OIS2, spk-systemerneuerung-spk[.]com/CJ4F6UFR0T. 

This campaign cannot be linked to a known threat group, according to Proofpoint. However, registrant information linked to several domains found in some of this activity has been linked to over 800 phoney websites, the majority of which imitate banks or financial institutions. This perpetrator may have been targeting users of Spanish banks early this year, according to domain registration. Banking credential theft and fraudulent financial activity cybercriminal threat actors are opportunistic and target huge numbers of victims.
Read more »
Subscribe to: Posts (Atom)