Search This Blog

Showing posts with label Phishing Scams. Show all posts

Schools' Files Leak Online Days After Ransomware Deadline


Many documents purported to have been stolen from Minneapolis Public Schools, and have now been posted online. In the days following the announcement of the breach, a cyber gang claimed that the district did not meet its deadline to pay a ransom demand of $1 million. 

It was evident that download links appeared on a website designed to look like a technology news blog in the middle of the night, a front for the attack, on Wednesday morning, and the next day, the links appeared on Telegram, an encrypted instant messaging service widely used by terrorists and far-right extremists.

There is still some doubt about the contents of the large 92-gigabyte file currently being sent to the 74. There is still a significant difference between the available download and what the Medusa ransomware gang claimed it stole from the district. This is 157 terabytes - 1,000 gigabytes in one terabyte. 

Earlier this month, a dark web blog belonging to the criminal group uploaded a file tree detailing the ownership of the files to its website. As the file tree shows on the left, it would appear that a large amount of sensitive information is contained in the records that are visible in the file tree. In addition to these questions, you will be able to obtain information about allegations of sexual violence by students, district finances, student discipline, special education, civil rights investigations, and notification of student maltreatment and sexual offenders, as well as information regarding district finances, student discipline, special education, and civil rights investigations.  

Even though the full scale of the breach is not known yet, cybersecurity experts say present and former Minneapolis residents and district employees should take steps to protect themselves as soon as possible.  

According to Doug Levin, the national director of the K-12 Security Information Exchange and an expert in K-12 cybersecurity incidents, now is a good time to implement two-factor authentication to accounts that can benefit from it as well as avoid reusing passwords across multiple services. 

However, experts said that there are no easy solutions for those who are now at risk of having sensitive personal information accessible to them, including personal information about incidents of student sexual misconduct. Levin is one of the most prominent mental health professionals in the country. He says that if you are the victim of harassment, you should strongly consider seeking mental health counseling or creating an action plan.  

As Levin explained, when a genie has been allowed out of its bottle, it is extremely difficult to re-inject it. As he continued, he stated that the school district had no idea what it could do to comfort these individuals or even to provide them with any recourse. Credit monitoring is not helpful. They would like their well-being and reputation to be protected.  

There have been several complaints about the Minnesota district's public communications about a ransomware attack, which it initially referred to as an "encryption event." This past Friday, the Minneapolis district announced that the ransomware group had released the stolen records on the dark web, a part of the internet accessible only with special software that can leave the user untraceable. 

In a Telegram message, the user identified himself as an 18-year-old Minneapolis high school student who was interested in downloading the data, because they were concerned it might contain sensitive information such as their Social Security number or other personal information, The 74 reported.  

The district has urged the community, as a part of its checklist of safety precautions, that downloads of the breached data should be avoided as much as possible. The paper argues that doing so could contribute to the work of cybercriminals because it would increase our community's fear of the information and increase the level of panic that they would cause.  

Additionally, the district has issued warnings to its residents urging them not to respond to suspicious emails or phone calls because they may be phishing scams. It has also urged them to change their passwords periodically. A statement from the district stated that the district was working to determine which records had been compromised on Friday. As a result of the ongoing process that is expected to take some time, the company planned to inform affected individuals when it was complete.  

Callow believed ransomware victims should take a proactive approach to notify those whose data was stolen in the first place. The investigation will be completed at the end of the investigation rather than waiting until it is completed.   

Growing Threat From Deep Fakes and Misinformation


The prevalence of synthetic media is rising as a result of the development of tools that make it simple to produce and distribute convincing artificial images, videos, and music. The propagation of deepfakes increased by 900% in 2020, according to Sentinel, over the previous year.

With the rapid advancement of technology, cyber-influence operations are becoming more complex. The methods employed in conventional cyberattacks are increasingly being utilized to cyber influence operations, both in terms of overlap and extension. In addition, we have seen growing nation-state coordination and amplification.

Tech firms in the private sector could unintentionally support these initiatives. Companies that register domain names, host websites, advertise content on social media and search engines, direct traffic, and support the cost of these activities through digital advertising are examples of enablers.

Deep learning, a particular type of artificial intelligence, is used to create deepfakes. Deep learning algorithms can replace a person's likeness in a picture or video with other people's visage. Deepfake movies of Tom Cruise on TikTok in 2021 captured the public. Deepfake films of celebrities were first created by face-swapping photographs of celebrities online.

There are three stages of cyber influence operations, starting with prepositioning, in which false narratives are introduced to the public. The launch phase involves a coordinated campaign to spread the narrative through media and social channels, followed by the amplification phase, where media and proxies spread the false narrative to targeted audiences. The consequences of cyber influence operations include market manipulation, payment fraud, and impersonation. However, the most significant threat is trust and authenticity, given the increasing use of artificial media that can dismiss legitimate information as fake.

Business Can Defend Against Synthetic Media:

Deepfakes and synthetic media have become an increasing concern for organizations, as they can be used to manipulate information and damage reputations. To protect themselves, organizations should take a multi-layered approach.
  • Firstly, they should establish clear policies and guidelines for employees on how to handle sensitive information and how to verify the authenticity of media. This includes implementing strict password policies and data access controls to prevent unauthorized access.
  • Secondly, organizations should invest in advanced technology solutions such as deepfake detection software and artificial intelligence tools to detect and mitigate any threats. They should also ensure that all systems are up-to-date with the latest security patches and software updates.
  • Thirdly, organizations should provide regular training and awareness programs for employees to help them identify and respond to deepfake threats. This includes educating them on the latest deepfake trends and techniques, as well as providing guidelines on how to report suspicious activity.
Furthermore, organizations should have a crisis management plan in place in case of a deepfake attack. This should include clear communication channels and protocols for responding to media inquiries, as well as an incident response team with the necessary expertise to handle the situation. By adopting a multi-layered approach to deepfake protection, organizations can reduce the risks of synthetic media attacks and protect their reputation and sensitive information.

Stay Alert Against Messages Like 'Account Suspended, Update PAN'

Banking fraud has increased in recent years. There has been an increase in digital phishing attacks claimed by HDFC Bank customers as the social media outcry has mounted in recent days. Several HDFC Bank customers reported to the authorities that many of the incidents involved phishing SMSes that they received in February. 

There are indications that they have adopted a revised method of operation to step up their efforts to protect others which may have been the case. To strengthen cybersecurity measures, phishing links masquerade as verification processes as part of their phishing campaign. 

There has been a significant number of customers who have been receiving false text messages in the last few days, which claim that they have been blocked or suspended because they have not updated their Permanent Account Numbers (PAN) because their PAN has not been updated. The message you are receiving is a fake one, so keep an eye out and be aware of it. 

The Public Information Bureau (PIB) has recently issued a warning to the customers of the State Bank of India (SBI) regarding fake messages purporting to be from SBI officials that claim the recipient's YONO account has been disabled as a result of a power cut. 

One of the most common ways scammers use to trick people is through phishing SMS messages, which is one of the methods they use to steal their money in different ways. Cyber fraudsters use phishing bank SMS as a means of scaring people away by telling them their bank account has been suspended by cyber thieves. 

A link is attached to the SMS and it asks the users to click on it to update their KYC or PAN details. The problem arises, however, when someone is tricked into believing that the SMS is legitimate and clicks on the link, and their phone is hacked and money is lost. 

Often more common than you might think is phishing SMS fraud. Most banks have issued an advisory informing customers not to be fooled by them. Earlier this month, HDFC alerted its customers that these types of frauds have been taking place. 

There was a viral HDFC bank SMS sent to some of its users that they received on their mobile phones. Some of their users tagged the bank with the message. There has been an attempt by fraudsters to create a fake HDFC Bank website, giving the false appearance that there is a verification process when it is not. HDFC customers have now received a link with the details of the offer.  

An alert was sent by Manoj Nagpal, the CEO of Outlook Asia Capital, who posted a picture of the infected email to Twitter with a description of what he had seen. The same message has also been received by many other customers as well. It has been recommended by Nagpal that people should refrain from clicking on links that have been sent via email or SMS.  

What Are the Methods Used by Fraudsters?

To use fraudsters to commit fraud. Here is how HDFC bank explains how this happens. 

First step: The fraudsters create bogus emails impersonating bank employees that ask consumers to activate a link in the email that instructs them to verify or update the account information in their accounts as soon as possible. 

Second step: When a customer clicks on the link provided by the email, the victim is taken to a fake site that appears to be the official website of the Bank. There is a web form on this site that allows the customer to enter their personal information so that we can communicate with them. 

If you doubt any SMS request, report any suspicious SMSes, or confirm a bank alert with a bank manager to avoid having your account hacked, make sure to check the sender's identity before acting on it.   

 A two-factor authentication system should be implemented for online banking to keep personal information secure. The OTP and password that you used to access your account must be entered every time you want to access it. Using your fingerprints as a second password is even possible if you have a secure device. The message you receive should not be clicked on and any unidentified links should be deleted.    

What is a Pretexting Attack, and How can you Avoid it?


Pretexting is one of the most prevalent methods employed by cybercriminals, despite the fact that you may not frequently hear the phrase. 

The strategy is crucial to phishing fraud. These attacks, in which malicious messages are conveyed to unsuspecting victims, are a widespread hazard. Phishing accounts for 90% of all data breaches, according to CISCO's 2021 Cybersecurity Threat Report. 

What exactly is a pretexting attack? 

The underlying framework of social engineering tactics is pretexting. Meanwhile, social engineering is the process through which fraudsters persuade people into undertaking specific acts. 

In the context of information security, this typically takes the form of phishing scams, which are messages from a purportedly legitimate sender asking the receiver to download an attachment or click a link that brings them to a fraudulent website. 

Social engineering can also be used to induce various types of data breaches. A fraudster, for example, might access an organization's grounds posing as a delivery person, and then slip into a secure area of the property. 

All of these social engineering techniques have one thing in common: the attacker's request appears to be legitimate. In other words, they have the pretext to contact people - therefore 'pretexting'. Because gaining the victim's confidence is vital to the attack's success, the attacker will conduct research on their target and fabricate a plausible narrative to increase their credibility. 

Modus operandi 

In pretexting scams, the fraudster establishes a relationship with the victim in order to earn their trust.

Consider the following scenario: your company's financial assistant receives a phone call from someone pretending to be from a current supplier. The finance assistant delivers all the details the caller requires after a series of phone calls in which the caller describes the need to verify financial information as part of a new process. 

In this case, the caller developed a friendship with the victim and used a convincing tale to deceive the target into disclosing the information. 

In other instances, building the target's confidence over time is unnecessary. This is frequently the case if the attacker has compromised or is spoofing a senior employee's account. The prospect of an urgent message from a director is frequently sufficient to ensure that the employee complies with the request. 

Prevention tips 

Avoiding interactions with messages from unknown or dubious senders is the most efficient strategy to protect yourself and your organization from scammers. 

The goal of scammers is to deceive individuals into clicking on links or downloading contaminated attachments. Any communication requesting you to do one of these things should be approached with extreme caution. 

If you're ever unsure whether a message is real, seek secure ways to confirm it. If you receive a request from an employee, for example, speak with them in person, by phone, or over an instant messaging application. Although you may be hesitant to do this for a senior employee, especially if their message indicates that the request is urgent or that they will be in meetings all day, it is better to be safe than sorry. 

Your organization's information security policy should include instructions similar to this to ensure that you are adhering to best practices. This guidance should be reinforced in any information security worker awareness training you receive.

 Google Chrome Flaw Enables Sites to Copy text to Clipboard

A flaw in the Google Chrome browser and other Chromium-based browsers could enable malicious websites to automatically rewrite the contents of the clipboard without asking the user's permission or requiring any user involvement.

Developer Jeff Johnson claims that the clipboard poisoning exploit was unintentionally added to Chrome version 104.  Web pages can also write to the system clipboard in Safari and Firefox, but both browsers have gesture-based security measures in place.

The flaw has been spotted by Chrome developers, but a patch has not yet been released, therefore it is still present in the most recent desktop and mobile versions of Chrome.

Security flaw

Operating systems have a temporary storage area called the system clipboard. It can contain sensitive information like passwords, banking account numbers, and cryptocurrency wallet strings and is frequently used for copying and pasting.

Users are at risk as they may end up being the targets of malware attacks if arbitrary content is written over this temporary storage space.

Users might be lured to visit websites that have been carefully built to look like reputable bitcoin services by hackers. The website might write the threat actor's address to the clipboard when the user attempts to make a payment and copy their wallet address to the clipboard.

On some websites, the user may be given the option to add more information to the clipboard when selecting text to copy from a website typically the page URL. However, in such cases, there is no obvious notification or user input before the clipboard overflows with random text.

All online browsers that support clipboard writing, have poor and insufficient security measures, according to a blog post on the subject.

When a user selects a piece of text and presses Control+C or chooses 'Copy' from the context menu, the web page is given permission to utilize the clipboard API.

Johnson explained, "Therefore, even a seemingly innocent action like clicking a link or using the arrow keys to scroll down the page allows the website to overwrite one's system clipboard." He conducted tests on Safari and Firefox and discovered that loading a web page allowed clipboard writing permission when the down arrow key was pressed or the mouse scroll wheel was used to navigate.

Fortunately, Johnson's testing showed that websites could not misuse this authorization to read clipboard contents, as it would be problematic for user privacy.

 Facebook: Bogus Event Scammers are Targeting Vendors


Victims have experienced nothing but worry as a result of a real-world scam that takes the pleasure out of craft fairs. It may sound strange, but it's a common criticism aimed at small/self-employed business owners who sell their own creations. They sell a range of craft-style things similar to those seen on Etsy and Redbubble in large quantities. Putting these products in front of live audiences at an event will almost certainly increase sales. 

Vendor fraud denotes misdeeds executed on a company's accounts payable (AP) for financial gain by vendors, or an employee. It's a type of scam that includes misrepresenting a vendor's or recipient's account details in AP to reroute payments.

How does this bogus vendor fair operate?

Regardless of location, the mainstream follows a consistent pattern. 
  • The imposters create completely new Facebook accounts and frequently use the same name on many accounts. 
  • They collect information from potential fair exhibitors via multiple web forms wherein name, address, description of sold things, business name, and phone number are all requested. 
  • Payment inquiries are made at this point. The recovery of funds might range from "fairly easy" to "total disaster" depending on the payment type.

How are the victims selected? 

Before claiming why an event is taking place nearby, the fraudsters use the seller's own public information against them, indicating the seller's location or even the types of products sold. The most intriguing aspect of it all is that fake fair frauds aren't an unusual occurrence. It's a legitimate sub-industry populated by devoted con artists. 

For example, false payments — in a payment scheme, the fraudster and employee can create a fictitious vendor (shell company) or manipulate an actual vendor's account to reflect their information. 

Changes to existing checks or the creation of unauthorized checks are examples of check changes. An employee takes checks from a vendor, alters the beneficiary, or forges the vendor's signature, and deposits the monies into an account of their choosing. 

Overbilling — When dealing with large numbers, a vendor expands invoices by adding extra goods or services to invoices raised to your organization. 

Vendor Fraud Classification 
  • Billing Fraud: Employees might manipulate payments in two ways. It can entail creating a fake vendor or generating duplicate payments using a genuine vendor's account. 
  • Fictitious Vendor - An employee with sufficient authority and access creates a fictitious vendor account or a shell corporation, registers it as a vendor, and makes regular payments to it. 
  • Duplicate Payments - An employee impersonates a legitimate vendor, manipulates payment data, and makes duplicate payments on a vendor's invoice. 
  • Check Manipulation: An employee falsifying or altering information on a vendor's check to redirect funds to a personal bank account. 
  • Bribery Acceptance: This sort of fraud is the outcome of an agreement between a vendor and an employee, in which the employee receives personal remittances from the seller in exchange for more advantages or sales.
  • Excess Billing: When a vendor invoices the company for excess quantities/prices than what was previously agreed upon, it is referred to as overbilling. 
  • Price fixing: Two sellers work together to fix prices at greater than normal levels.
  • Bid rigging: A form of fraud that involves collaboration between two or more vendors and workers to secure a procurement contract in favor of the highest bidder.
  • Cyber fraud: Vendor fraud cases are conducted by unknown, unauthorized personnel with no link to either the company or the vendor, making them the most difficult to identify. 

Indicators of threat 

For customers: the seller claims to be unavailable (for example, because they are traveling or have relocated to another country) and demands money before arranging for delivery of the items. They must pay the seller using foreign money transfers, checks, or direct bank transfers. They may receive a forged email receipt from the website's secure payment provider.

For vendors: Even if one is selling an expensive item like a car, the potential buyer is willing to buy your item without seeing it in person. The goods are widely available in the customer's native country, and a possible overseas buyer might be interested in purchasing them (e.g. a car or a couch). The cost of shipping frequently outweighs the cost of the item. 


Facebook posts without a location tag are an attempt to remain anonymous. Methods of Invoice Matching, Using Data Mining, Methodologies Establishing a fraud helpline might allow staff to report problems without fear of repercussions.

Vendor fraud can have a significant financial impact on a company, it can be avoided by properly developing, evaluating, and updating corporate rules regularly. 

Cybercriminals Impersonate Government Employees to Spread IRS Tax Frauds


At end of the 2021 IRS income tax return deadline in the United States, cybercriminals were leveraging advanced tactics in their phishing kits, which in turn granted them a high delivery success rate of spoofed e-mails with malicious attachments. 

On April 18th, 2022, a notable campaign was detected which invested phishing e-mails imitating the IRS, and in particular one of the industry vendors who provide services to government agencies which include e-mailing, Cybercriminals chose specific seasons when taxpayers are all busy with taxes and holiday preparations, which is why one should be extra cautious at these times.

The impersonated IT services vendor is widely employed by key federal agencies, including the Department of Homeland Security, as well as various state and local government websites in the United States. The detected phishing e-mail alerted victims about outstanding IRS payments, which should be paid via PayPal, and included an HTML attachment which looked like an electronic invoice. Notably, the e-mail has no URLs and was delivered to the victim's mailbox without being tagged as spam. The e-mail was delivered through many "hops" based on the inspected headers, predominantly using network hosts and domains registered in the United States.

It is worth mentioning that none of the affected hosts had previously been 'blacklisted,' nor had any evidence of bad IP or anomalous domain reputation at the time of identification. The bogus IRS invoice's HTML attachment contains JS-based obfuscation code. Further investigation revealed embedded scenarios which detected the victim's IP (using the GEO2IP module, which was placed on a third-party WEB-site), most likely to choose targets or filter by region. 

After the user views the HTML link, the phishing script shall prompt the user to enter personal credentials, impersonating the Office 365 authentication process with an interactive form.

The phishing-kit checks access to the victim's e-mail account through IMAP protocol once the user enters personal credentials. The actors were utilizing the "supportmicrohere[.]com" domain relying on the de-obfuscated JS content. 

Threat actors most likely tried to imitate Microsoft Technical Support and deceive users by utilizing a domain with similar spelling. The script intercepts the user's credentials and sends them to the server using a POST request. Login and password are sent to the jbdelmarket[.]com script through HTTP POST. A series of scripts to examine the IP address of the victim is hosted on the domain jbdelmarket[.]com. The phishing e-header emails include multiple domain names with SPF and DKIM records. 

A Return-Path field in the phishing e-mail was set as another e-mail controlled by the attackers which gather data about e-mails that were not sent properly. The Return-Path specifies how and where rejected emails will be processed, and it is used to process bounces from emails.

Morley Businesses Provider Uncovered a Ransomware Attack


Morley, a business services company revealed this week , it had been the target of a ransomware assault which could have exposed the personal information of over 500,000 people. The incident was found in August 2021 when it observed certain files had become unavailable owing to a ransomware attack.

Morley Companies, Inc., based in Saginaw, Michigan, provides business operations to Fortune 500 and Global 100 companies, such as session management, back-office procedures, contact centers, and trade show showcases and displays. 

According to an investigation, for all individuals affected, Morley will cover the expenses of 2 years of IDX identity protection. Those who are affected will be alerted and given instructions on how to join IDX's program. The intruders may have had access to user and staff data, including confidential and sensitive health information. To be precise, the hack exposed the personal information of 521,046 people in total. The company did not explain why it took about 6 months after discovering the breach to begin alerting victims in its letters to victims. 

Morley's security incident notification noted, "As a result, Morley realized the data may have been stolen from its digital environment." "Morley then started collecting personal information needed to notify possibly affected persons, which he finished in early 2022." 

In order to determine why the files weren't accessible anymore, Morley said it had to engage a cybersecurity specialist. When the root of the incident was uncovered, which was revealed to have been a ransomware epidemic, the company engaged the assistance of local experts to analyze the information and identify all those who had been impacted. 

Although this looks to be optimistic, the cyber-intelligence platform claims to have only recently uncovered Morley's data on the dark web. This is often a caution, the data will be used in future attacks by other threat actors, such as specific phishing.

IT Personnel Equally Susceptible to Phishing Attempts as the General Population


In a cyber threat survey wherein 82,402 IT employees from four different companies participated, it was discovered that even they are not immune to cyber threats. The study was designed to know how IT workers respond to the emails that simulated one of the four commonly used phishing tactics. 

According to the report, 22% of recipients that received Phishing emails that impersonate HR announcements and statements or ask for assistance with invoicing get the most attention and clicks from the employees. 

Matthew Connor, F-Secure Service Delivery Manager and lead author of the report, said that he noticed that the study's most notable discovery was that workers from IT sectors seemed equal or even more susceptible to phishing attempts than the general public. 

“The privileged access that technical personnel has to an organization’s infrastructure can lead to them being actively targeted by adversaries, so advanced or even average susceptibility to phishing is a concern…,”
"...Post-study surveys found that these personnel were more aware of previous phishing attempts than others, so we know this is a real threat. The fact that they click as often or more often than others, even with their level of awareness, highlights a significant challenge in the fight against phishing,” Connor said. 

According to the statistics, the email that was asking the recipient to help with an invoice (referred to as CEO Fraud in the report) was the second most fraudulent email that receives 16% clicks from recipients. 

Furthermore, the study identified the least frequently clicked emails and these include Service Issue Notification and document Share notifications emails that received 7% and 6% clicks from the recipients. 

Furthermore, the study had discovered that these departments were no better at reporting phishing threats than others. IT and DevOps were ranked third and sixth out of nine departments in terms of reporting.