Scammers Impersonating European Anti-Fraud Office to Launch Phishing Campaigns


Threat analysts have unearthed multiple incidents of fraud and phishing attempts via malicious texts, letters, and scam phone calls purporting to be from OLAF, the European Anti-Fraud Office. 

The European Anti-Fraud Office (also known as OLAF) is a body mandated by the European Union (EU) to guard the Union's financial interests. It was established on 28 April 1999 under European Commission Decision 1999/352.

To target organizations and individuals, scammers often use the European Commission or OLAF logo and the identity of OLAF staff members to look convincing. They try to lure victims by offering to transfer money on the condition that the victim first pays a charge and provides financial and personal data.

European Anti-Fraud Office methodology 

OLAF's investigators achieve their goal by conducting independent internal and external investigations. OLAF also coordinates the activities of its anti-fraud partners in the Member States to counter fraud.

OLAF supplies EU member states with the necessary support and passes technical knowledge to assist them in anti-fraud activities. It also contributes to the design of the anti-fraud strategy of the European Union and takes adequate measures to strengthen the relevant legislation. 

Targeting prominent names and businesses 

Earlier this year, in April, the European Union's anti-fraud agency accused France's far-right presidential candidate Marine Le Pen and members of her party of misusing thousands of euros' worth of EU funds while serving in the European Parliament.

According to the investigative website Mediapart, the OLAF report claimed Le Pen had misappropriated 140,000 euros of public money and that, together with party members, 617,000 euros had been diverted. None were accused of profiting directly, but of claiming EU funds for staff and event expenses.

In 2017, OLAF put an end to an intricate fraud scheme via which more than EUR 1.4 million worth of European Union funds, meant for emergency response hovercraft prototypes, had been misused. 

The investigators uncovered the fraud pattern during their investigation into alleged irregularities in a Research and Innovation project granted to a European consortium. The Italian-led consortium, with partners in France, Romania, and the United Kingdom, was responsible for delivering two hovercraft prototypes to be used as emergency vessels able to reach remote areas in case of environmental accidents.

During on-the-spot checks performed in Italy by OLAF and the Italian Guardia di Finanza, OLAF identified multiple disassembled components of one hovercraft, as well as another hovercraft that was completed only after the project deadline. It became clear that, in order to obtain the EU funds, the Italian partners had falsely attested to the existence of the structural and economic conditions required to carry out the project.

Preventive tips 

The European Anti-Fraud Office recommends users follow the tips mentioned below: 

If an individual receives a request to transfer money from someone claiming to be from OLAF or one of its staff members, it is a scam: OLAF NEVER offers or requests money transfers to or from citizens. OLAF only investigates fraud affecting the EU budget and suspicions of misconduct by EU staff. Do not reply to such correspondence or carry out any of the actions it requests.

The impacted individual should immediately report any fraud and/or phishing attempt to national authorities competent for crimes and/or cybercrime. OLAF does not investigate scams related to cryptocurrencies or personal finances.

Threat Actors Exploit WeTransfer to Spread Lampion Malware


In a new phishing campaign uncovered by Cofense researchers, the Lampion malware is being distributed at scale, with the attackers abusing WeTransfer as part of their delivery chain.

WeTransfer is a legitimate web-based file transfer service that can be used free of charge, which makes it a no-cost way to get past email security software that may not flag links to a well-known service.

The operators send phishing emails from compromised company accounts, asking customers to download a "Proof of Payment" document from WeTransfer.

The file sent to the targets is a ZIP archive containing a VBS (Visual Basic Script) file that the user must open for the attack to begin. When the file is clicked, the script launches a WScript process that creates four VBS files with random names. The first is empty, the second has limited functionality, and the third's sole purpose is to launch the fourth script.

According to Cofense researchers, the purpose of this extra step is unclear, but modular execution approaches are typically preferred for their versatility, since individual files can easily be swapped out. The fourth script starts a new WScript process that connects to two hardcoded URLs to retrieve two DLL files concealed inside password-protected ZIPs. The malicious links lead to Amazon AWS instances.

The ZIP password is embedded in the script, so the archives are extracted without any user interaction. The contained DLL payloads are loaded into memory, allowing Lampion to execute stealthily on compromised systems.
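As an added defender-side example (not code from Cofense or from the original post), the following script reconstructs the chain described above from constructed process-create and file-create telemetry: a script host launched from a user-writable directory that writes further .vbs files, which its own script-host descendants then execute. The event layout, paths and random file names are assumptions.

```python
"""Detect the Lampion-style VBS launcher chain in process and file telemetry.

Added example for this article, not Cofense's detection content. The events are
constructed and modelled on Sysmon-style process-create and file-create records.
"""
from dataclasses import dataclass, field

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories where an archive extracted from a download typically lands.
USER_WRITABLE_HINTS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    children: list = field(default_factory=list)
    files_created: list = field(default_factory=list)


def build_tree(events):
    """Link process-create events into a parent/child tree and attach file creates."""
    procs = {}
    for ev in events:
        if ev["type"] == "process_create":
            procs[ev["pid"]] = Proc(ev["pid"], ev["ppid"], ev["image"].lower(), ev["cmdline"].lower())
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p)
    for ev in events:
        if ev["type"] == "file_create" and ev["pid"] in procs:
            procs[ev["pid"]].files_created.append(ev["path"].lower())
    return procs


def is_script_host(p):
    return p.image.rsplit("\\", 1)[-1] in SCRIPT_HOSTS


def runs_vbs_from_user_dir(p):
    return ".vbs" in p.cmdline and any(h in p.cmdline for h in USER_WRITABLE_HINTS)


def find_vbs_chains(events):
    """One finding per script host that (a) ran a .vbs from a user-writable directory,
    (b) itself wrote further .vbs files, and (c) has script-host descendants that
    executed those dropped files. Depth counts the generations below the root."""
    findings = []
    for root in build_tree(events).values():
        if not (is_script_host(root) and runs_vbs_from_user_dir(root)):
            continue
        dropped = {f for f in root.files_created if f.endswith(".vbs")}
        if not dropped:
            continue
        executed, depth = set(), 0
        stack = [(c, 1) for c in root.children]
        while stack:
            proc, level = stack.pop()
            if is_script_host(proc):
                hits = {f for f in dropped if f in proc.cmdline}
                if hits:
                    executed |= hits
                    depth = max(depth, level)
            stack.extend((g, level + 1) for g in proc.children)
        if executed:
            findings.append({"root_pid": root.pid, "dropped": sorted(dropped),
                             "executed": sorted(executed), "depth": depth})
    return findings


TEMP = r"C:\Users\ana\AppData\Local\Temp"
SYS32 = r"C:\Windows\System32"
# Constructed telemetry: explorer opens the VBS from the extracted ZIP; that script
# drops four randomly named VBS files and the third one launches the fourth.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1000, "ppid": 800, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process_create", "pid": 2000, "ppid": 1000, "image": SYS32 + r"\wscript.exe",
     "cmdline": f'"{SYS32}\\wscript.exe" "{TEMP}\\Proof_of_Payment\\Proof_of_Payment.vbs"'},
    {"type": "file_create", "pid": 2000, "path": TEMP + r"\b7qk2d.vbs"},
    {"type": "file_create", "pid": 2000, "path": TEMP + r"\x91mfa.vbs"},
    {"type": "file_create", "pid": 2000, "path": TEMP + r"\ue3tsl.vbs"},
    {"type": "file_create", "pid": 2000, "path": TEMP + r"\p0wzr8.vbs"},
    {"type": "process_create", "pid": 2001, "ppid": 2000, "image": SYS32 + r"\wscript.exe",
     "cmdline": f'"{SYS32}\\wscript.exe" "{TEMP}\\ue3tsl.vbs"'},
    {"type": "process_create", "pid": 2002, "ppid": 2001, "image": SYS32 + r"\wscript.exe",
     "cmdline": f'"{SYS32}\\wscript.exe" "{TEMP}\\p0wzr8.vbs"'},
    # Benign control: a logon script run from a non-user-writable path, with no children.
    {"type": "process_create", "pid": 3000, "ppid": 1000, "image": SYS32 + r"\wscript.exe",
     "cmdline": f'"{SYS32}\\wscript.exe" "C:\\Scripts\\logon.vbs"'},
]

if __name__ == "__main__":
    for f in find_vbs_chains(SAMPLE_EVENTS):
        print(f"suspicious VBS chain rooted at pid {f['root_pid']}: "
              f"dropped {len(f['dropped'])} scripts, {len(f['executed'])} executed, depth {f['depth']}")
```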

The malware then begins stealing data from the computer and from the victim's bank accounts, overlaying its own login forms on legitimate login pages. Credentials entered into these bogus forms are captured and sent to the attacker.

The Lampion trojan has been active since at least 2019, primarily targeting Spanish-speaking users and using compromised servers to host its malicious ZIPs.

Last year, the malware was seen abusing cloud services, including Google Drive and pCloud, to host its payloads for the first time. More recently, in March 2022, Cyware reported an increase in trojan distribution and identified a hostname linked to Bazaar and LockBit operations.

Prevention Tips 

Researchers advised users to apply the following mitigations to defend against malware attacks: 
  • Update software, including operating systems, applications, and firmware frequently 
  • Install OS patches when they are available 
  • Enforce MFA to the greatest extent possible 
  • If you use RDP and/or other potentially risky services, secure and monitor them closely 
  • Employ cryptographic vaults for data safety

Snake Keylogger is Back, Targets IT Corporates

Snake Keylogger tracks keystrokes 

Snake Keylogger is back with a brand new malspam campaign, distributed through phishing emails sent to managers at corporate firms. Bitdefender Antispam Labs found the campaign on 23 August 2022.

A keylogger is a kind of malicious software that records your keystrokes and forwards them to the attackers.

Keyloggers can be deployed on your system without your knowledge, generally through a malicious website or an email attachment.

In a few cases, attackers may use a physical keylogger on your computer, such as a malicious USB drive or a modified phone charging cable.

Campaign Details

According to the Bitdefender experts, the IP addresses used in the attack came from Vietnam, while the campaign's main targets were in the USA; over 1,000 inboxes received the phishing emails.

Threat actors leverage the corporate profile of one of Qatar's leading IT and cloud services providers to lure victims into opening a ZIP archive. The archive contains an executable file named "CPMPANY PROFILE.exe".

According to the Bitdefender blog post, the file installs the Snake Keylogger payload on the victim's host. Stolen data is exfiltrated over SMTP.

About Snake Keylogger

Snake Keylogger is an infamous information and credential stealer that steals sensitive data from the victim's device. It has keystroke logging and screenshot capture capabilities, and its surveillance and data theft features make it a major threat to organizations.

It is also known as 404 Keylogger. The malware appeared in 2020 and can be found on underground forums and message boards for a hundred dollars. It is generally used in financially motivated campaigns, such as fraud and identity theft.

How to stay safe?

A Keylogger tracks every keystroke a user makes, allowing hackers to get your passwords, personal information, and financial data. However, you can follow some steps to stay safe. 

According to Bitdefender:

Always verify the origin and validity of correspondence before interacting with links or attachments, and deploy security solutions. Ensure that accounts are protected via two-factor (2FA) or multi-factor (MFA) authentication processes that will prevent cybercriminals from logging into accounts should your system get compromised, and install a security solution on their devices.

Callback Malware Campaign Imitates CrowdStrike and Other Big Cybersecurity Organizations

About the Attack

Earlier this month, CrowdStrike Intelligence identified a callback phishing campaign impersonating major cybersecurity companies, including CrowdStrike. The phishing emails claim that the recipient's company has been compromised and that the recipient should call the phone number provided. The campaign uses social-engineering techniques similar to those seen in recent callback campaigns such as WIZARD SPIDER's 2021 BazarCall campaign.

The campaign is likely to involve common legitimate remote administration tools (RATs) for initial access, off-the-shelf penetration testing tools for lateral movement, and either ransomware deployment or data extortion. The callback emails appear to come from a well-known security company and state that the company has found a potential issue in the recipient's network. As observed in earlier campaigns, the threat actor gives the recipient a phone number to call.

In the past, callback campaign operators have tried to convince victims to install commercial RAT software to get an early foothold on the network. "For example, CrowdStrike Intelligence identified a similar callback campaign in March 2022 in which threat actors installed AteraRMM followed by Cobalt Strike to assist with lateral movement and deploy additional malware," says CrowdStrike. 

Current Situation 

While CrowdStrike Intelligence cannot yet confirm the variant in use, the callback operators will most probably use ransomware to monetize their operations. "This assessment is made with moderate confidence, as 2021 BazarCall campaigns would eventually lead to Conti ransomware — though this ransomware-as-a-service (RaaS) recently ceased operations. This is the first identified callback campaign impersonating cybersecurity entities and has higher potential success given the urgent nature of cyber breaches," says CrowdStrike.

Ukrainian Authorities Take Down Phishing Gang That Siphoned 100 Million Hryvnias


The Ukraine Cyber Police Department and the Pechersk Police Department arrested nine members of a cybercriminal organization that defrauded over 5,000 citizens of Ukraine of more than 100 million hryvnias (about $3.39 million) via phishing attacks. 

The fraudsters designed more than 400 phishing sites to harvest the banking details of Ukrainian citizens under the guise of social security payments from EU countries. The malicious landing pages hosted an application form to fill out in order to receive financial help from the European Union.

Some of the phishing sites registered by the hackers included ross0.yolasite[.]com, foundationua[.]com, ua-compensation[.]buzz, www.bless12[.]store, help-compensation[.]xyz, newsukraine10.yolasite[.]com, and euro24dopomoga0.yolasite[.]com, among others. 

“Nine people created and administered more than 400 fake web resources for obtaining banking data of citizens. Through the websites, Ukrainians were offered to form an application for the payment of financial assistance from the countries of the European Union. Using phishing links, victims took surveys and entered bank card details.” reads the advisory published by the Ukrainian Cyber Police. 

Once in possession of the bank details, the malicious hackers carried out unauthorized access to the victim’s online banking and siphoned money from their accounts. The hackers defrauded more than 5,000 citizens, stealing a total amount of more than 100 million hryvnias. 

The law enforcement operation culminated in the seizure of computer equipment, mobile phones, and bank cards as well as the criminal proceeds illicitly obtained through unlawful activities. If the arrested individuals are found guilty of fraud charges under the Criminal Code of Ukraine, they face up to 15 years in prison. 

“Criminal proceedings have been opened under Part 3 of Art. 190 (Fraud), Part 5 of Art. 361 (Unauthorized interference in the work of information (automated), electronic communication, information and communication systems, electronic communication networks) of the Criminal Code of Ukraine. Perpetrators may face up to fifteen years in prison,” the advisory further reads. “The issue of declaring suspicion and selecting preventive measures for the persons involved is being resolved.”

The local police warned citizens to receive information regarding financial payments only from official sources, avoid clicking on suspicious links, and never provide private and banking information to third parties posing as government organizations.

"NakedPages" Phishing Toolkit Advertised for Sale on Cybercrime and Telegram Platforms


CloudSEK researchers have uncovered a new, sophisticated phishing toolkit dubbed "NakedPages", which is advertised for sale on multiple cybercrime forums and Telegram channels.

The toolkit, which is built on the NodeJS framework and runs JavaScript code, is fully automated and ships with more than 50 phishing templates and site projects.

“Naked Pages is the phishing tool any serious developer//spammer needs with more features than any other reverse proxy combined or PHP phishing framework combined,” reads an advertisement on a cybercrime forum.

Additionally, the advertisement says software licenses may be provided to buyers who pay $1000 upfront and contribute new ideas to the open-source project on GitHub. Buyers can contact the seller via a Google Forms page.

According to CloudSEK researchers, the toolkit is built to run on Linux and requires read, write and execute permissions for the file owner ('user'), as well as read and execute permissions for both 'group' and 'others', in order to function.

Moreover, the toolkit comes with fully integrated, battle-tested anti-bot features capable of spotting security bots of various types from over 120 countries.

“[NakedPages] would equip malicious actors with the details required to launch sophisticated ransomware attacks,” researchers explained.

CloudSEK has not identified the author behind the new phishing toolkit but believes there is a new player on GitHub and the cybercrime platform, with both accounts being less than a month old. “There have been no concrete samples shared by the threat actor. Repeated attempts for establishing contact were made by our source, but the threat actor hasn’t responded,” CloudSEK stated. 

The researchers also advised users who may be affected by NakedPages to monitor their accounts and systems for anomalies that could indicate an account breach, and to enforce multi-factor authentication (MFA) across all accounts.

Last month, the Resecurity Hunter unit detected a new phishing service, dubbed Frappo, being aggressively disseminated on the dark web and via Telegram channels. The service allowed scammers to design and host high-quality phishing websites mimicking popular online banking, e-commerce, and retail services in order to steal private data from their customers.

The phishing pages impersonated 20 financial institutions (FIs), online retailers, and popular services – including Amazon, Uber, Netflix, Bank of Montreal (BMO), Royal Bank of Canada (RBC), CIBC, TD Bank, Desjardins, Wells Fargo, Citizens, Citi and Bank of America.

Reverse Tunnels and URL Shorteners Employed by Attackers to Launch Phishing Campaign


Security researchers at CloudSEK, a digital risk protection firm, have observed a significant surge in the use of reverse tunnel services and URL shorteners in wide-scale phishing campaigns.

The methodology employed by attackers is different from the more typical modus operandi of registering domains with hosting providers, who are more likely to react to complaints and shut down the malicious sites. 

Reverse tunnel services let threat actors host phishing pages locally on their own devices and route incoming connections through the external service. Additionally, they can generate new URLs through URL shortening services as often as required to evade detection. Many of the phishing URLs are rotated in under 24 hours, making it harder for researchers to spot and take down malicious domains.

As reported by BleepingComputer, researchers have identified more than 500 sites hosted and distributed using a combination of reverse tunneling and URL shortening. Ngrok, LocalhostRun, and Argo were the most commonly abused reverse tunnel services, while,, and were the most prevalent URL shorteners. 

According to CloudSEK, cybercriminals may hide their identity by using URL shorteners to mask the name of the URL, which is typically a series of random characters. The malicious links are distributed via Telegram, WhatsApp, phony social media pages, texts, and emails. 

It is worth noting that the abuse of reverse tunneling is not new to the cybersecurity landscape. For example, the digital banking platform of the State Bank of India had previously been impersonated in such phishing campaigns to steal users' credentials.

The malicious link was concealed behind “cutt[.]ly/UdbpGhs” and directed to the domain “ultimate-boy-bacterial-generates[.]trycloudflare[.]com/sbi” that employed Cloudflare’s Argo tunneling service. Subsequently, the malicious page requested bank account credentials, PAN card numbers, Aadhaar unique identification numbers, and mobile phone numbers. However, CloudSEK did not share how damaging this campaign was for bank users. 

Private details collected this way can be sold on the dark web or used by hackers to drain bank accounts. If the data is from a firm, the attackers could use it to launch ransomware attacks or business email compromise (BEC) scams. To mitigate the risks, users should avoid clicking on links received from an unfamiliar source.

Beware of New Phishing Campaign Targeting Facebook Users


Facebook users need to remain vigilant after researchers at Abnormal Security uncovered a new phishing campaign designed to steal passwords from admins who run company Facebook pages. The scam begins with the victim receiving a phishing email claiming to be from 'The Facebook Team'.

The email warns that the user's account might be disabled or the page might be removed over repeatedly posting content that infringes on someone else’s rights. 

Having scared the victim into thinking their Facebook profile could soon be taken down, the attackers invite them to appeal the report by clicking a link that, the security researchers said, leads to a Facebook post; within this post there is another link that directs users to a separate website. To file an 'appeal', the Facebook user is told to enter sensitive information including their name, email address, and Facebook password.

All this information is sent to the threat actor, who can exploit it to log in to the victim's Facebook page, gather sensitive details from their account, and potentially lock them out of it. If the victim re-uses their Facebook email address and password for other websites and applications, the attacker can access those too. One of the reasons phishing attacks like this are successful is because they create a sense of urgency. 

“What makes this attack interesting (and particularly effective) is that the threat actors are leveraging Facebook’s actual infrastructure to execute the attack. Rather than sending the target straight to the phishing site via a link in the email, the attackers first redirect them to a real post on Facebook. Because the threat actors use a valid Facebook URL in the email, it makes the landing page especially convincing and minimizes the chance the target will second-guess the legitimacy of the initial email,” researchers explained. 

“In addition, it appears the attackers are targeting accounts of people who manage Facebook Pages for companies. For these individuals, a disabled Facebook account wouldn’t just be an inconvenience; it could have an impact on their marketing, branding, and revenue. If they believed their account was at risk, they would be particularly motivated to act quickly.” 

If you have already been a victim of this campaign, or want to stay safe from any future threats, Facebook on its website has issued recommendations for its users. The social network advises anyone who thinks they’ve fallen for a phishing scam to report it, change their password, and make sure they log out of any devices they don’t recognize. Facebook also recommends users turn on multi-factor authentication, which helps to add an extra level of security to their account.

Latest Phishing Campaign Deploys Malware and Steals Critical Information

A massive phishing campaign is targeting Windows PCs in order to deploy malware that steals usernames, passwords, the contents of cryptocurrency wallets, and credit card details. The malware, named RedLine Stealer, is offered as malware-as-a-service, giving even amateur cybercriminals a way to steal various kinds of sensitive personal information for as much as $150. It first surfaced in 2020, but RedLine recently gained additional features and was widely spread in large-scale spam campaigns in April.

The phishing emails include a malicious attachment which, if opened, starts the malware deployment process. The attackers mostly target users in Europe and North America. The campaign uses an exploit for CVE-2021-26411, an Internet Explorer vulnerability, to deliver the payload. The vulnerability was disclosed and patched last year, which limits the malware's impact to users who have yet to install the security update. Once executed, RedLine Stealer starts reconnaissance of the target system, collecting information such as the username, the browser in use, and whether an antivirus product is running.

It then identifies information to steal and extracts passwords, credit card data and cookies stored in browsers, cryptocurrency wallets, VPN login credentials, chat logs, and data from files. RedLine can be bought on the dark web, where buyers are offered services at different tiers, which shows how easy it has become to purchase malware. Even novice attackers can rent the software for $100 or get a lifetime subscription for $800.

The malware is simple but very effective: it can steal vast amounts of data, and inexperienced attackers can take advantage of it. ZDNet reports "it's possible to protect against Redline by applying security patches, particularly for Internet Explorer, as that will prevent the exploit kit from taking advantage of the CVE-2021-26411 vulnerability." Users should keep their operating system, anti-virus and applications updated to prevent known vulnerabilities from being exploited to distribute malware.

PDC Discovered a Phishing Campaign that Spoofs Power BI Emails to Harvest Microsoft Credentials


The Cofense Phishing Defense Center (PDC) has discovered a new phishing effort that impersonates Power BI emails in order to steal Microsoft credentials. Power BI is a business intelligence-focused interactive data visualisation programme developed by Microsoft. It's a component of the Microsoft Power Platform. 

Power BI is a set of software services, apps, and connectors that work together to transform disparate data sources into coherent, visually immersive, and interactive insights. Data can be read directly from a database, a webpage, or structured files like spreadsheets, CSV, XML, and JSON. Power BI offers cloud-based BI (business intelligence) services known as "Power BI Services," as well as a desktop interface known as "Power BI Desktop."

It provides data warehouse functionality such as data preparation, data discovery, and interactive dashboards. Microsoft added a new service called Power BI Embedded to its Azure cloud platform in March 2016. The ability to import custom visualisations is a key differentiator of the product. 

The email appears to be a genuine Microsoft notification, and there are a couple of reasons for this. Threat actors have grown accustomed to incorporating authentic Microsoft notifications into their phishing designs. Researchers have also seen them use stolen credentials to generate a legitimate-looking notification from a legitimate Microsoft instance. In this email, the threat actor employed a common theme to entice the recipient to click on the links.

After clicking the link in the email, the user is taken to a website that appears to be a legitimate Microsoft log-in page. The first sign that anything is wrong with the page, aside from the lack of conventional imagery, is that the URL does not look anything like what is specified in the email or linked with Microsoft services. 

Following the recipient's input of their credentials, the attack concludes with an error message indicating that there was a problem with the account verification. This is yet another Microsoft spoof used by the threat actor to divert the recipient's attention away from the fact that they were not routed to the Power BI report they anticipated to view. This makes the recipient less likely to suspect that they have just given away their credentials. 

"Cofense continues to observe credential phishing as a major threat to organizations. This is why it’s critical to condition users to identify and report suspicious messages to the security operations team. Attacks such as this one are effective at eluding common email security controls, and are – by design — overlooked by end users," the company said.

To Spread STRRAT Malware, Phishing Campaign Impersonates Shipping Giant Maersk


A new phishing campaign employing bogus shipping delivery lures installs the STRRAT remote access trojan on the computers of unsuspecting victims. Fortinet identified the new campaign after detecting phishing emails mimicking Maersk Shipping, a worldwide shipping behemoth, but utilising seemingly authentic email addresses. 

STRRAT is a multi-functional Remote Access Trojan that dates back to at least mid-2020. Unusually, it is Java-based, and it is normally delivered to victims via phishing email. Like other phishing attacks, previous STRRAT operations used an intermediary dropper (e.g., a malicious Excel macro) attached to the email that downloaded the final payload when opened. Instead of using that method, this sample attaches the final payload directly to the phishing email.

In the case of Maersk Shipping, the message eventually goes through "acalpulps[.]com" before being delivered to the final recipient after leaving the sender's local infrastructure. This domain was only registered in August 2021, which makes it questionable. Furthermore, the domain utilised in the "Reply-To" address, "ftqplc[.]in," was recently registered (October 2021), making it highly suspicious as well. The email body urges the recipient to open attachments regarding a pending shipment. 

A PNG image and two Zip archives are directly attached to the sample email. "maersk.png" is simply an image file. However, the two Zip archives “SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]zip” and “SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF (2)[.]zip” include an embedded copy of STRRAT. When one of these archives is unzipped, the file “SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]jar” is displayed. However, when you open the file in Jar Explorer, a few things become clear. 

Firstly, this package contains a significant number of Java class files. Second, the strings in the class "FirstRun" appear to be scrambled or encoded. Lines beginning with "ALLATORIxDEMO" denote the presence of the Allatori Java Obfuscator. 
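The header and attachment tells described above, checked programmatically in an added example that is not Fortinet's code: a Reply-To domain that does not match the sender domain, and a ZIP whose member is a .jar named to pass as a PDF. The message, addresses and domains are constructed placeholders.

```python
"""Triage an email for the tells described in the Maersk/STRRAT campaign: a Reply-To
domain that differs from the sender domain, and an archive attachment whose member
is a Java archive named to look like a PDF.

Added example (not Fortinet's analysis code). The message is constructed in memory
and all addresses and domains are placeholders.
"""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

EXECUTABLE_EXT = {".jar", ".exe", ".js", ".vbs", ".scr", ".bat", ".cmd", ".ps1"}
DOC_WORDS = ("pdf", "doc", "docx", "xls", "invoice", "documents")


def _domain(header_value):
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def header_findings(msg):
    """Flag sender-identity headers that point to different domains than From."""
    findings = []
    frm = _domain(msg["From"])
    for name in ("Reply-To", "Return-Path"):
        other = _domain(msg[name])
        if frm and other and other != frm:
            findings.append(f"{name} domain {other} differs from From domain {frm}")
    return findings


def lookalike_executable(name):
    """True when the final extension is executable but the name advertises a document,
    e.g. 'SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF.jar'."""
    stem, dot, ext = name.lower().rpartition(".")
    if not dot or "." + ext not in EXECUTABLE_EXT:
        return False
    return any(re.search(rf"\b{w}\b", stem) for w in DOC_WORDS)


def attachment_findings(msg):
    """Check attachment names, and look inside ZIP attachments at member names."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if lookalike_executable(name):
            findings.append(f"attachment {name!r} is an executable posing as a document")
        if payload[:4] == b"PK\x03\x04":  # ZIP local file header magic
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        if lookalike_executable(member):
                            findings.append(f"archive {name!r} contains executable posing as a document: {member!r}")
            except zipfile.BadZipFile:
                findings.append(f"attachment {name!r} has ZIP magic but cannot be parsed")
    return findings


def triage(msg):
    return header_findings(msg) + attachment_findings(msg)


def build_sample_message():
    """Constructed sample modelled on the campaign; domains and addresses are placeholders."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "Maersk Shipping <notification@sender-placeholder.example>"
    msg["Reply-To"] = "documents@replyto-placeholder.example"
    msg["Return-Path"] = "<bounce@relay-placeholder.example>"
    msg["To"] = "recipient@victim.example"
    msg["Subject"] = "Pending shipment: documents attached"
    msg.set_content("Please open the attached documents regarding your pending shipment.")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png", filename="maersk.png")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF.jar", b"placeholder jar bytes")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF.zip")
    return msg


if __name__ == "__main__":
    for finding in triage(build_sample_message()):
        print("-", finding)
```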

STRRAT malware first collects basic information about the host system, such as its architecture and any anti-virus software that are operating on it, before checking local storage and network capability. STRRAT can collect user keystrokes, enable remote control operation, steal passwords from web browsers such as Chrome, Firefox, and Microsoft Edge, steal passwords from email clients such as Outlook, Thunderbird, and Foxmail, and launch a pseudo-ransomware module to simulate an infection. 

Trojans like STRRAT are frequently overlooked because they are less sophisticated and more indiscriminately distributed. However, this phishing attempt shows that even lesser threats can cause significant damage to organizations.

US Arrested Multi-year Phishing Scam Suspect


An Italian man involved in a multi-year phishing scam aimed at fraudulently obtaining hundreds of unpublished book manuscripts from popular authors such as Margaret Atwood and Ethan Hawke has been arrested. If convicted, he faces a maximum of 20 years in prison for wire fraud and an additional two years for a count of aggravated identity theft.

The Department of Justice, reporting on the incident, stated that the man, 29-year-old Filippo Bernardini, was arrested by the FBI on Wednesday at John F. Kennedy International Airport in New York. The report also said that he worked at London-based publisher Simon & Schuster and allegedly impersonated editors, agents, and other personnel in the publishing industry to fraudulently obtain manuscripts of unpublished books.

“We were shocked and horrified on Wednesday to learn of the allegations of fraud and identity theft by an employee of Simon & Schuster UK. The employee has been suspended pending further information on the case…” Simon & Schuster said in a statement to Variety. 

“…The safekeeping of our authors’ intellectual property is of primary importance to Simon & Schuster, and for all in the publishing industry, and we are grateful to the FBI for investigating these incidents and bringing charges against the alleged perpetrator.” 

According to the agencies, the scheme began in August 2016, with Bernardini using various fake email addresses linked to more than 160 domains spoofing literary talent agencies, literary scouting agencies, and publishing houses.

Furthermore, he also sent phishing emails attacking employees of a New York City-based literary scouting company and obtained their sensitive data to gain access to the organization’s database of synopses and other information regarding upcoming books. 

"These prepublication manuscripts are valuable, and the unauthorized release of a manuscript can dramatically undermine the economics of publishing, and publishing houses generally work to identify and stop the release of pirated, prepublication, manuscripts," the Department of Justice said today. 

"Such pirating can also undermine the secondary markets for published work, such as film and television, and can harm an author’s reputation where an early draft of the written material is distributed in a working form that is not in a finished state."

A Phishing Campaign in Germany is Attempting to Steal Banking Credentials


Credential phishing aimed at German banking customers has become more widespread, according to Proofpoint researchers. Since August 2021, Proofpoint analysts have identified multiple high-volume campaigns impersonating large German institutions such as Volksbank and Sparkasse and using customized, actor-owned landing sites. The activity, which is still ongoing, has affected hundreds of organizations.

The campaigns targeted a variety of industries, with a focus on German companies and foreign workers in Germany. Each campaign comprised tens of thousands of messages and affected hundreds of organizations. The phishing emails are framed as account-maintenance notices but contain links or QR codes leading to a geofenced credential-harvesting website. The information targeted includes bank branch details, login identity, and PIN. The threat actor used several URL redirection tactics to distribute the malicious URLs; in several campaigns, compromised WordPress websites redirected users to the phishing landing pages.

Threat actors regularly abuse WordPress plugins and WordPress-built websites to distribute malicious URLs for phishing and malware attacks. Feedproxy URLs and QR codes were also observed being abused to redirect victims to the phishing pages. Only German visitors reach the phishing site, because the threat actor geofences it: according to Proofpoint, the actor uses IP geolocation checks to determine a target's location. Users outside Germany are sent to a cloned website ostensibly offering tourist information about Dusseldorf's Rhine Tower, while users in Germany are sent to a page resembling the bank's website.

The actor hosts these pages on its own infrastructure and follows consistent domain naming conventions: Sparkasse credential phishing URLs, for example, frequently begin with "spk-", whereas Volksbank clones begin with "vr-". Samples of the domains used by this threat actor include vr-mailormular[.]com/Q20EBD6QLJ, vr-umstellungssystem-de[.]com/FLBSEKZ9S3, spk-security-spk[.]com/P84OZ3OIS2 and spk-systemerneuerung-spk[.]com/CJ4F6UFR0T.

Proofpoint could not link this campaign to a known threat group. However, registrant information associated with several domains in this activity has been tied to more than 800 phoney websites, most of which imitate banks or financial institutions, and domain registration data suggests the same actor may have targeted users of Spanish banks earlier this year. Cybercriminals engaged in banking credential theft and financial fraud are opportunistic and target very large numbers of victims.

Hackers Exploit Glitch Platform to Host Malicious URLs


Threat actors are actively abusing the Glitch platform to host free SharePoint-themed phishing pages that harvest credentials. The campaign targets employees of major firms in the Middle East.

The phishing campaign began in July 2021 and is, unfortunately, still active, said DomainTools security researcher Chad Anderson. The spear-phishing emails carried suspicious PDFs that themselves contain no malicious code.

Instead, these PDFs contain a link that leads the user to a malicious website hosted at Glitch, which would display a landing page that includes obfuscated JavaScript for stealing credentials. Glitch is a cloud-based hosting solution with a built-in code editor for operating and hosting software projects ranging from simple websites to large applications.

Exploiting Glitch

According to Bleeping Computer, Glitch lends itself to phishing abuse because it offers a free tier on which users can build an app or a page and keep it running on the internet for five minutes at a time; after that, the user has to re-enable it manually.

“For example, one document directed the recipient to hammerhead-resilient-birch.glitch[.]me where the malicious content was stored. Once the five minutes is up, the account behind the page has to click to serve their page again,” Anderson explained.

“Spaces, where code can run and be hosted for free, are a gold mine for attackers, especially considering many of the base domains are implicitly trusted by the blocklists corporations ingest,” he added. “This delegation of trust allows for attackers to utilize a seemingly innocuous PDF with only a link to a trusted base domain to maneuver past defenses and lure in user trust.” 

For attackers, the platform's reputation and its free tier are an ideal combination: they can host malicious URLs for a short period while security tools treat Glitch's domain favourably. The researchers went further and found the Glitch page in a commercial malware sandbox service, complete with a screenshot of the Microsoft SharePoint phishing login page.

Submitting the PDF that had led them to the site to VirusTotal turned up several HTML documents linked to the same sample. Pulling those pages exposed chunks of obfuscated JavaScript, which sent the captured credentials through malicious WordPress sites. The researchers reached out to Glitch about the abuse of its platform, but the company has yet to respond.

Threat Actors Use Tiny Font Size to Bypass Email Filters in BEC Phishing Campaign


A new Business Email Compromise (BEC) campaign targeting Microsoft 365 users employs an array of novel, sophisticated tactics in its phishing emails to evade security protections.

Researchers at email security firm Avanan first spotted the campaign in September. It fools natural language processing filters by hiding text in a one-point font size within the emails, and it also conceals links within the Cascading Style Sheets (CSS) of the messages, a further tactic that confuses pure language filters such as Microsoft's Natural Language Processing (NLP), the researchers stated in a report.

According to cybersecurity expert Jeremy Fuchs, the One Font campaign also includes messages with links coded within the <font> tag, which defeats email filters that rely on natural language for analysis.

“This breaks semantic analysis, which leads many solutions to treat it as a marketing email, as opposed to phishing. Natural language filters see random text; human readers see what the attackers want them to see,” Fuchs explained.

In 2018, researchers uncovered a similar campaign called ZeroFont, which used comparable strategies to slip past Microsoft's NLP in its Office 365 security protections. That campaign inserted concealed text with a font size of zero inside messages to fool email scanners that rely on natural language processing to spot malicious e-mails.

According to Avanan analysts, One Font, like ZeroFont, targets Office 365 enterprises, which can lead to BEC and ultimately to compromise of the company's network if the emails aren't flagged and users are duped into handing over their credentials.

Once it lands in a mailbox and passes as an authentic message, the One Font campaign employs standard phishing social-engineering techniques to capture the user's attention. The threat actors then present what appears to be a password-expiration notification, using urgent language to entice the target to click a malicious link.

The fraudulent link carries victims to a phishing page where they appear to be entering their credentials in order to update their passwords. Instead, threat actors steal their credentials to use them for malicious purposes. 
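One way a defender can surface the One Font and ZeroFont tricks described above is to split an email body into the text a person sees and the text only a filter sees. The scanner below is an added example, not code from Avanan or the report; it resolves inline and stylesheet font sizes, flags text at or below a tiny pixel threshold, and pulls out any link parked in a CSS rule. The email body is constructed for illustration, and the URL in it is a placeholder.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a "One Font"-style body (not from the Avanan report): the lure a
# person sees, filler hidden at 1pt and at 0px (the ZeroFont variant), and a link whose
# destination is parked in a CSS rule rather than in the visible href.
SAMPLE_EMAIL_HTML = """<html><head><style>
  .hidden { font-size: 1pt; color: #ffffff; }
  a.go { background: url('https://EXAMPLE-PLACEHOLDER.invalid/reset'); }
</style></head><body>
<p>Your password expires today. <a class="go" href="#">Keep my password</a></p>
<span class="hidden">quarterly newsletter unsubscribe preferences lorem ipsum</span>
<span style="font-size:0px">dolor sit amet consectetur</span>
</body></html>"""

TINY_PX = 2.0  # text rendered at or below this many pixels is treated as invisible
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}  # carry no text and no end tag

def font_size_px(value):
    """CSS font-size ('1pt', '0.5px', '0') to pixels; None if unparseable."""
    m = re.fullmatch(r"\s*([0-9.]+)\s*(px|pt|em|rem)?\s*", value or "")
    if not m:
        return None
    num, unit = float(m.group(1)), m.group(2) or "px"
    return num * {"px": 1, "pt": 96 / 72, "em": 16, "rem": 16}[unit]

class TinyFontScanner(HTMLParser):
    """Splits email text into what a human sees and what only a filter sees."""
    def __init__(self):
        super().__init__()
        self.css_rules, self.css_urls = {}, []   # class -> px size; URLs found inside CSS
        self.visible, self.hidden = [], []
        self._hidden_stack, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = {k: v or "" for k, v in attrs}
        hidden = bool(self._hidden_stack and self._hidden_stack[-1])  # inherit from parent
        inline = re.search(r"font-size\s*:\s*([^;]+)", a.get("style", ""), re.I)
        sizes = [font_size_px(inline.group(1))] if inline else []
        sizes += [self.css_rules.get(c) for c in a.get("class", "").split()]
        self._hidden_stack.append(hidden or any(px is not None and px <= TINY_PX for px in sizes))
        self._in_style = tag == "style"

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._hidden_stack:
            self._hidden_stack.pop()
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # a <style> block arrives whole when feed() gets the full document
            self._parse_css(data)
        elif data.split():
            bucket = self.hidden if self._hidden_stack and self._hidden_stack[-1] else self.visible
            bucket.append(" ".join(data.split()))

    def _parse_css(self, css):
        for selector, body in re.findall(r"([^{}]+)\{([^}]*)\}", css):
            m = re.search(r"font-size\s*:\s*([^;]+)", body, re.I)
            for cls in re.findall(r"\.([\w-]+)", selector) if m else []:
                self.css_rules[cls] = font_size_px(m.group(1))
            self.css_urls += re.findall(r"url\(['\"]?(https?://[^'\")]+)", body, re.I)

def scan_email_html(html):
    """Return visible text, hidden text, CSS-hosted URLs and an overall suspicion flag."""
    p = TinyFontScanner()
    p.feed(html)
    p.close()
    hidden, visible = " ".join(p.hidden), " ".join(p.visible)
    # Hidden filler that only a filter weighs, or a link parked in CSS, are the One Font tells.
    return {"visible": visible, "hidden": hidden, "css_urls": p.css_urls,
            "suspicious": bool(hidden) or bool(p.css_urls)}
```

Feeding `visible` rather than the raw body to a language classifier is the point: the filter then scores the same words the recipient reads.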

How to minimize threats? 

According to Jeremy Fuchs, organizations should opt for a multi-tiered security solution that integrates highly developed artificial intelligence and machine learning, as well as static layers like domain and sender reputation. 

Implementing a security architecture that weighs multiple factors before blocking an email, and requiring corporate users to check with the IT department before acting on any email that requests a password update, can also help mitigate the risk.

Microsoft Issued a Warning About a Rise in HTML Smuggling Phishing Attacks


Malware campaigns that use HTML smuggling to deliver banking malware and remote access trojans (RATs) have increased, according to Microsoft. While HTML smuggling is not a new tactic, it is increasingly being employed by threat actors to avoid detection, among them the Nobelium hacking group behind the SolarWinds attacks.

HTML smuggling is an evasive method that gets through traditional network perimeter security measures such as web proxies and email gateways, because the malware is assembled inside the network after an employee opens a web page or attachment containing a malicious HTML script. As a result, a company's network can be compromised even if gateway devices check for suspicious EXE, ZIP, or Office documents.

"When a target user opens the HTML in their web browser, the browser decodes the malicious script, which, in turn, assembles the payload on the host device. Thus, instead of having a malicious executable pass directly through a network, the attacker builds the malware locally behind a firewall," Microsoft warns. 

HTML smuggling is a phishing method that uses HTML5 and JavaScript to encrypt strings in an HTML attachment or webpage to hide harmful payloads. When a user opens an attachment or clicks a link, the browser decodes these strings. A phishing HTML attachment, for example, could include a harmless link to a well-known website, making it appear non-malicious. When a user clicks on the link, however, JavaScript decodes an encrypted or encoded string in the link and converts it into a harmful attachment that is downloaded instead. 

Because the malicious payload is encoded at first, security software does not recognize it as harmful. Furthermore, because JavaScript assembles the payload on the target machine, it gets around any firewalls and security measures that would normally stop the malicious file from getting past the perimeter. 

"Disabling JavaScript could mitigate HTML smuggling created using JavaScript Blobs. However, JavaScript is used to render business-related and other legitimate web pages," Microsoft explains. "In addition, there are multiple ways to implement HTML smuggling through obfuscation and numerous ways of coding JavaScript, making the said technique highly evasive against content inspection." Between July and August, Microsoft discovered an increase in HTML smuggling in campaigns that transmit RATs like AsyncRAT/NJRAT.
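Content inspection that looks at the attachment itself, rather than waiting for a file to cross the perimeter, can still catch the common un-obfuscated form of the technique Microsoft describes. The scanner below is an added example (not Microsoft's code and not a real sample): it extracts the scripts from an HTML attachment, checks for the decode, Blob and download stages, and base64-decodes long string literals to see whether they begin with an executable or archive header. Both attachments are constructed test inputs.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# Magic bytes of the file types an HTML-smuggled payload typically reassembles into.
MAGIC = {b"MZ": "PE executable", b"PK\x03\x04": "ZIP/Office archive", b"%PDF": "PDF",
         b"\xd0\xcf\x11\xe0": "OLE/legacy Office", b"\x7fELF": "ELF"}

# The stages Microsoft describes: decode an embedded string, build it in memory as a Blob,
# hand it to the browser as a download. Plain-text patterns only; obfuscation defeats them.
STAGES = {
    "decodes embedded string": r"\batob\s*\(|\bfromCharCode\b|\bcharCodeAt\b",
    "builds Blob in memory": r"\bnew\s+Blob\s*\(|\bUint8Array\b",
    "triggers download": r"createObjectURL\s*\(|msSaveOrOpenBlob|\.download\s*=",
}

# Constructed test input (not a real sample): a benign-looking HTML attachment whose script
# carries a base64 literal that decodes to a ZIP header followed by filler text.
_SAMPLE_BLOB = base64.b64encode(b"PK\x03\x04" + b"constructed filler, not a real archive").decode()
SAMPLE_SMUGGLING_HTML = """<html><body>
<p>Your document is ready. <a href="https://www.example.com/">Open in SharePoint</a></p>
<script>
var b64 = "__B64__";
var bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "document.zip"; a.click();
</script></body></html>""".replace("__B64__", _SAMPLE_BLOB)

# Constructed benign attachment: ordinary script, no decoding or Blob handling.
SAMPLE_BENIGN_HTML = """<html><body><p id="greet"></p>
<script>document.getElementById("greet").textContent = "Quarterly report attached.";</script>
</body></html>"""

class ScriptCollector(HTMLParser):
    """Gathers the text content of every <script> element in the document."""
    def __init__(self):
        super().__init__()
        self.scripts, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def decoded_payload_types(js):
    """Base64-decode every long quoted literal in the script and report recognised file magic."""
    types = []
    for literal in re.findall(r"[\"']([A-Za-z0-9+/]{24,}={0,2})[\"']", js):
        try:
            raw = base64.b64decode(literal, validate=True)
        except (binascii.Error, ValueError):
            continue  # not base64 after all, or wrong padding
        types += [name for magic, name in MAGIC.items() if raw.startswith(magic)]
    return types

def scan_html_attachment(html):
    """Return which smuggling stages the attachment's scripts contain and what they decode to."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    js = "\n".join(p.scripts)
    stages = [name for name, rx in STAGES.items() if re.search(rx, js)]
    payloads = decoded_payload_types(js)
    # All stages together, or a literal that decodes to a real file header, is the smuggling
    # shape; a lone atob() or Blob is common in legitimate pages and is not flagged on its own.
    return {"stages": stages, "payload_types": payloads,
            "suspicious": len(stages) == len(STAGES) or bool(payloads)}
```

As Microsoft notes above, obfuscated JavaScript will not match the stage patterns, so the magic-byte check on decodable literals is the more durable of the two signals.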

Proofpoint Phish Harvests Credentials from Microsoft Office 365 and Google Email


Phishers are posing as cybersecurity company Proofpoint in order to steal victims' Microsoft Office 365 and Google email credentials. According to Armorblox analysts, one such campaign was launched against an undisclosed global communications company, where roughly a thousand employees were targeted.

“The email claimed to contain a secure file sent via Proofpoint as a link,” they explained in a posting on Thursday. “Clicking the link took victims to a splash page that spoofed Proofpoint branding and contained login links for different email providers. The attack included dedicated login page spoofs for Microsoft and Google.” 

The email's bait was a file supposedly related to mortgage payments. The subject line, "Re: Payoff Request," was designed to make targets think it was part of an ongoing conversation, lending the exchange legitimacy while also adding urgency. Users who clicked the "secure" email link embedded in the message were led to a splash page with Proofpoint branding and spoofed login links.

“Clicking on the Google and Office 365 buttons led to dedicated spoofed login flows for Google and Microsoft respectively,” researchers explained. “Both flows asked for the victim’s email address and password.”

Researchers discovered another phishing campaign that appears to abuse Amazon Simple Email Service (SES), an Amazon service that lets developers send email from their applications. According to Kaspersky, the campaign relied on a stolen, now-revoked SES token that a third-party contractor had used while testing the website The website is a Kaspersky initiative with an interactive map depicting how futurologists expect technology to affect the Earth. Because the site is hosted on Amazon's infrastructure, the stolen SES token is linked to Kaspersky and SES. is one of the sender addresses used in these emails. The security alert cautioned that the emails come from a variety of sources, including Amazon Web Services infrastructure. According to the company, the stolen SES token was used only in a limited way, as part of a larger campaign targeting many brands.

Attacks like these combine social engineering, brand impersonation, and the use of legitimate infrastructure to get past typical email security filters and users' visual checks. Armorblox made the following suggestions to protect against similar campaigns:

• Be wary of social engineering: before opening an email, users should perform a visual inspection covering the sender's name, email address, language, and any logical flaws.

• Improve password hygiene: implement multi-factor authentication (MFA) on all corporate and personal accounts where possible, avoid reusing the same password across several sites/accounts, and avoid passwords linked to publicly available data.

Attackers Use Cookie Theft Malware to Hijack YouTube Accounts


Google says it has disrupted a new phishing campaign targeting YouTube creators with cookie theft malware, in which attackers attempted to hijack YouTube accounts and exploit them to promote cryptocurrency scams.

The actors behind this campaign were recruited on a Russian-speaking forum and targeted thousands of YouTubers with malicious emails. The attackers lured victims with fake collaboration opportunities, such as offers of free VPN, music player, or anti-virus software.

After winning a victim's confidence, the hackers would send a URL, either by email or in a PDF on Google Drive, that promised legitimate software but instead took the target to a malicious page. Once installed, the malware steals cookies from the target's browser using a smash-and-grab technique.

The scammers then used the cookies to gain access to the victim's account and sold it on the dark web to the highest bidder. Prices ranged from $3 to $4,000, depending on the number of subscribers.

Since the campaign began in 2019, the threat actors have created roughly 15,000 accounts and domains associated with fake companies, along with more than 1,000 websites used to deliver malware. Some of the websites posed as legitimate software sites such as Luminar, Cisco VPN, and games on Steam, while others were built from online templates. The malware used in this phishing campaign included Azorult, Grand Stealer, Kantal, Masad, Nexus stealer, Predator the Thief, RedLine, Raccoon, Vikro Stealer, and Vidar, alongside the open-source tools Sorano and AdamantiumThief. All of it could steal both passwords and cookies.

In collaboration with YouTube, Gmail, Trust & Safety, and Safe Browsing teams, Google decreased the volume of malicious emails by 99.6% on Gmail. Since May 2021, the company has blocked 1.6 million messages the scammers sent to their victims. The Internet search giant also displayed roughly 62,000 Safe Browsing warnings for the identified phishing pages, blocked 2,400 files, and restored roughly 4,000 impacted accounts. 

“With increased detection efforts, we’ve observed attackers shifting away from Gmail to other email providers (mostly,, and Moreover, to protect our users, we have referred the below activity to the FBI for further investigation,” Google explained.

DocuSign Phishing Campaign is Aimed Against Lower-Level Employees


Phishing attacks involving non-executive staff with access to sensitive corporate information are on the rise. According to Avanan researchers, non-executives were impersonated in half of all phishing emails reviewed in the previous several months, while 77% targeted employees at the same level. 

Previously, phishing attacks were aimed at fooling business people, with phishing actors impersonating CEOs and CFOs. After gathering the appropriate information, attackers will pose as the company's CEO or another high-ranking official and send an email to finance personnel requesting money transfers to an account they control. 

"Security admins might be spending a lot of time providing extra attention to the C-Suite and hackers have adjusted. At the same time, non-executives still hold sensitive information and have access to financial data. Hackers realized, there is no need to go all the way up the food chain," researchers said. 

This made sense, because orders and urgent requests sent in the name of a high-ranking employee are more likely to be complied with. As CEOs became more alert and security teams in large firms built additional measures around those "important" accounts, phishing actors switched to lower-ranking individuals, who can nonetheless serve as excellent entry points into corporate networks.

In their emails, the malicious actors suggest using DocuSign as an alternative signing option, prompting recipients to enter their credentials in order to read and sign the document. These emails are not from DocuSign, despite the fact that they appear to be.

DocuSign, Inc. is an American firm based in San Francisco, California that helps businesses handle electronic contracts. DocuSign's Agreement Cloud includes eSignature, which allows users to sign documents electronically on a variety of devices. DocuSign has over a million customers and hundreds of millions of users across the globe. DocuSign's signatures, including EU Advanced and EU Qualified Signatures, are consistent with the US ESIGN Act and the European Union's eIDAS regulation. 

Rather than spoofing DocuSign notifications, phishing scammers in August were signing up for free accounts with the cloud-based document-signing service, and compromising other people's accounts, in order to fool email recipients into clicking malicious links, according to researchers.

When an email appears in your inbox, it's vital to read it carefully for any signs of fraud. According to the researchers, unsolicited files, spelling errors, and requests for your credentials should all be treated with caution. DocuSign-themed phishing attempts aren't exactly new, and several threat actors have made use of them to steal login passwords and deliver malware.

Russia-Linked TA505 Targets Financial Organizations in MirrorBlast Phishing Campaign


Russia-based threat group TA505 is deploying a weaponized Excel document in a new malware campaign, tracked as MirrorBlast, targeting financial organizations. 

According to cybersecurity experts at Morphisec Labs, the most significant feature of the new MirrorBlast campaign is the low detection rate of its malicious Excel documents by security software, which puts organizations that rely solely on detection tools at high risk.

Evasive technique 

The operators of the campaign use phishing emails to mount the first phase of the attack. The initial email carries an Excel document that uses a macro. The macro, which can only execute on a 32-bit version of Office because of ActiveX compatibility issues, is delivered in a lightweight Office file designed to evade detection.

"The macro code performs anti-sandboxing by checking if these queries are true: computer name is equal to the user domain; and username is equal to admin or administrator," the researchers explained. "We have observed different variants of the document; in the first variants there wasn’t any anti-sandboxing and the macro code was hidden behind the Language and Code document information properties. Later it moved to the sheet cells. In addition, the code has added one more obfuscation layer on top of the previous obfuscation." 

Once it runs, the macro executes JScript, which spawns the msiexec.exe process responsible for downloading and installing an MSI package. According to researchers who analyzed several samples, the dropped MSI package comes in two variants, one written in REBOL and one in KiXtart.

The MSI package then sends the machine's information to a command and control (C2) server, including the computer name, user name, and a list of running processes. The C2 server responds with a code telling the software how to proceed. The campaign also uses a Google feed proxy URL with a fraudulent message asking the user to access a SharePoint or OneDrive file, which helps the attackers evade detection, Morphisec said.

Since September 2021, the campaign has targeted multiple institutions in regions including Canada, the US, Hong Kong, and Europe. Morphisec tied the attack to TA505, an active Russian threat group that has been operating since 2014 and has a long history of creativity in how it weaponizes Excel documents for phishing campaigns.

Researchers observed several aspects of this campaign that led them to attribute it to TA505: the infection chain and installer script, domain names similar to those used in other TA505 attacks, and an MD5 hash matching one seen in another of the group's operations.