Search This Blog

Showing posts with label Phishing and Spam. Show all posts

Snowshoeing: How the Tactic can Spam Through Your E-mails


Cybercriminals employ a wide array of fraudulent techniques to entice users into falling for their email traps. One such infamous technique that draws attention while we speak of various scamming methods, is ‘Spam Emails’. 
Spam emails are one of the various pitfalls for netizens. These emails come with a multitude of capacities and can have numerous impacts on a user, even leading to severe scams. One of the spamming tactics used by spammers is 'Snowshoeing', which we will be discussing today. What is Snowshoeing? Snowshoeing is essentially spamming on a very large scale. In a snowshoeing campaign, the spammer may use multiple IP addresses in order to spread spam emails over various internet domains.  
Snowshoeing technique derives its name from how 'snow shoes' spread across a large surface area. If you use a regular shoe on snow, it will most likely result in you sinking or slipping on the ice. With snow shoes, a person's weight spreads out more evenly, they are designed to have that effect.  
Similarly, in Snowshoeing spamming, the attacker makes use of multiple IP addresses, rather than one, in order to consequently spread the spam load across various domains. This way, Snowshoeing spam could comparatively be very dangerous to its targets than many other spamming tactics. 

What Does Snowshoe Spamming Mean? 

Snowshoe spamming is a strategy in which spam is propagated over several domains and IP addresses to weaken reputation metrics and avoid filters. The increasing number of IP addresses makes recognizing and capturing spam difficult, which means that a certain amount of spam reaches their destination email inboxes. Specialized spam trapping organizations are often hard-pressed to identify and trap snowshoe spamming via conventional spam filters.  
The strategy of snowshoe spamming is similar to actual snowshoes that distribute the weight of an individual over a wide area to avoid sinking into the snow. Likewise, snowshoe spamming delivers its weight over a wide area to steer clear of filters, expertly navigating them.  

How does Snowshoeing work? 

Snowshoeing differs from other solicited bulk mail and criminal spams, as in Snowshoeing, the attacker leverages several fraudulent business names and fake identities than just one, changing voice-mails and postal drops on a regular basis.  
While a reputable mailer put a good effort to garner trust from an audience, and to develop a brand reputation by using legitimate business addresses, identified domains, and small, static, and easily identifiable selection of IPs, in order to present the audience with a legitimate identity. On the other hand, Snowshoe spammers make use of anonymous and unidentified "whois" records. 
To further spread the spam load, snowshoe spammers frequently utilise domain assortments, which may be connected to many providers and servers.   
Snowshoe spammers use anonymous domains, which makes it nearly impossible to track down the owner and report the spam. 

How to tackle Snowshoeing spam? 

In order to mitigate Snowshoe spamming, administrators may follow certain steps, such as applying policies hierarchically at the organization, group, or mailbox level. One may as well rewrite addresses. For complex, multi-domain environments, one may rewrite both inbound and outgoing addresses. 

Germany: Individual Hacker Arrested for Stealing € 4 Million via Phishing Attacks


Germany’s federal criminal police, Bundeskriminalamt (BKA) carried out home raids on three suspects for executing a large-scale phishing campaign, defrauding internet users of €4 million. The phishing campaign was carried out by the charged suspects between October 3, 2020, and May 29, 2021, as per the evidence gathered by the German Computer Crime Office. 

One of the three suspects, a 24-year-old, has been arrested and charged by the BKA, the second, a 40-year-old, has also been charged with 124 acts of computer fraud, while the investigation for the third suspect is still ongoing.  

The hackers allegedly defrauded their victims by imitating as legitimate German banks and sending them phishing e-mails that were clones of messages from some real banks.  

“These e-mails were visually and linguistically believable based on real bank e-mails. The victims were informed in these letters that their house bank would change their security system – and their own account would be affected [...] The e-mail recipients were thus tricked into clicking on a link, which in turn led to a deceptively real-looking bank page. There, the phishing victims were asked to enter their login data and a current TAN, which in turn enabled the fraudsters to see all the data in the account of the respective victim – including the amount of credit and availability. The perpetrators then contacted the victims and tricked them into revealing further TAN numbers as alleged bank employees. With the TAN, they were then able to withdraw funds from the accounts of the victims.” reads the statement issued by BKA. 

The phishing emails reportedly informed the internet users of the changes in their respective bank’s security systems, beseeching the victims to click on an embedded link to continue using the bank’s services. The links redirected victims to a landing page, asking them to enter their credentials and Transaction Authentication Number (TAN), allowing the hackers access to their online banking accounts and withdrawal funds.  

According to the BKA, the hackers even used DDoS against the banks to conceal their fraudulent transactions. "In order to carry out their crimes, the accused are said to have resorted to offers from other cybercriminals who worked on the dark net, selling various forms of cyber-attacks as crime-as-a-service." BKA stated in an announcement. 

In regard to the active cases of phishing attacks and online fraud, the police urged internet users to take certain cautionary measures, such as never clicking a link or opening file attachments in emails that appear to be from a legitimate bank. If in doubt, the users are recommended to contact their banks personally or obtain information from the bank’s respective websites.

UK Water Provider Targeted by Clop Group Ransomware

The UK water supplier, South Staffordshire Water fell prey to a CLOP Ransomware attack. Following the attack, the company released a statement mentioning that the exploit had no effect on the systems that distribute water safely. 

South Staffordshire Water plc, also known as South Staffs Water, is a UK water supply firm that supplies water to a small portion of the West Midlands, Staffordshire, and other nearby counties in England.

Over 1,500 square kilometers in the West Midlands, South Staffordshire, South Derbyshire, North Warwickshire, and North Worcestershire, South Staffordshire provides drinking water to about 1.3 million individuals and 35,000 commercial clients.

The company was able to offer Cambridge Water and South Staffs Water customers safe water because of the security measures in place. Additionally, South Staffordshire Water reassures its clients that all service teams are working normally, negating any possibility of prolonged disruptions as a result of the incident.

Alongside carefully collaborating with the relevant governmental and regulatory agencies, the company is looking into the issue. The supplier's identity was published to the Clop ransomware gang's Tor leak site along with a claim of responsibility for the attack.

The wrong firm extorted by hackers

The Clop ransomware gang's Tor leak site through a release on their onion website today stated that Thames Water was their target. They claimed to have gained access to SCADA systems that they could control to affect 15 million users.

The hackers contend that they acted appropriately by not encrypting their data and only stealing 5TB from the hacked systems. Further claims have it that they warned Thames Water of its network security flaws. However, after allegedly failing to reach an agreement on the ransom payment, the actors released the first sample of stolen information, which included passport images, screenshots from SCADA systems used for water treatment, driver's license images, etc.

In a statement released today, Thames Water formally refuted these assertions, further asserting that any accusations of Clop breaching its network were "cyber-hoaxes" and that its services were already at capacity. One significant aspect of the lawsuit is that, among the public material, Clop offers a table of usernames and passwords that includes the email addresses of South Staffordshire and South Staff Water.

This incident occurs as eight locations in the UK are enforcing water rationing rules and hosepipe bans because of extreme drought. Due to the extreme pressure that could be placed on water suppliers to pay the demanded ransom, cybercriminals don't choose their victims at random.

However, for this to happen, Clop must target its threats on the appropriate party. However, given the amount of attention the situation has received, it's likely too late for that at this point.

Microsoft: Phishing Alert Over Russian-Related Threats

As part of the cybercrime gang's illegal surveillance and data theft operations, Microsoft claims to have banned accounts used by the Seaborgium troupe, which has ties to Russia, to spam and exploit login information.

In order to identify employees who work for the victims, the hackers exploited bogus LinkedIn profiles, email, OneDrive, and other Microsoft cloud services accounts.

Microsoft is keeping tabs on the cluster of espionage-related activities under the chemical element-themed moniker SEABORGIUM, which it claims is associated with a hacker organization also known as Callisto, COLDRIVER, and TA446.

Coldriver, alias Seaborgium, was accused of running a hack-and-leak campaign resulting in the publication of documents that were purportedly obtained from high-ranking Brexit supporters, including Richard Dearlove, a former British agent. 

Targets &Tactics

Microsoft reported that it had seen "only very modest changes in their social engineering tactics and in how they deliver the initial malicious URL to their targets."

The main targets are think tanks, higher education institutions, non-governmental and intergovernmental organizations (IGOs), defense and intelligence consulting firms, and to a lesser extent, nations in the Baltics, Nordics, and Eastern Europe.

Former secret services, Russian affairs experts, and Russian nationals living abroad are further subjects of interest. It is estimated that more than 30 businesses and individual accounts were infected.

The process begins with the reconnaissance of potential targets using fictitious personas made on social media sites like LinkedIn, and then contact is established with them through neutral email messages sent from recently registered accounts that have been set up to match the names of the fictitious subjects.

If the target falls prey to the malicious code tactic, hackers launch the attack sequence by sending a weaponized message that contains a PDF document that has been compromised or a link to a file stored on OneDrive. 

According to Microsoft, "SEABORGIUM also abuses OneDrive to host PDF files that contain a link to the malicious URL.  Since the start of 2022, The actors have included a OneDrive link in the email body that, when clicked, takes the subscriber to a PDF file held within a SEABORGIUM-controlled OneDrive account."

Additionally, it has been discovered that the adversary conceals its operational network using open redirects which appear to be innocent to drive visitors to the malicious server, which then asks them to input their credentials in order to view the material.

The last stage of the attack involves leveraging the victim's email accounts with the stolen login information, exploiting the illegal logins to exfiltrate emails and attachments, setting up email forwarding rules to assure ongoing data gathering, and executing other key work.


According to Redmond, "SEABORGIUM has been spotted in a number of instances employing their impersonation accounts to encourage dialog with certain people of interest and, as a result, were involved in conversations, sometimes unintentionally, involving several users."

The enterprise security firm Proofpoint noted the group's propensity for reconnaissance and skilled impersonation for the delivery of malicious links. Proofpoint records the actor under the moniker TA446.

As per Microsoft, there are steps that may be taken to counter Seaborgium's strategies. This entails turning off email auto-forwarding and configuring Office 365 email settings to stop fake emails, spam, and emails containing viruses.

The security team also suggests utilizing more secure MFA techniques, such as FIDO tokens or authenticator tools with number matching, in place of telephony-based MFA and demanding multi-factor authentication (MFA) for all users from all locations, even those that are trusted.

Cloudflare Users Targeted by Hackers that Breached into Twilio

On Tuesday, the web infrastructure provider Cloudflare revealed that at least 76 of its staff members and their families had received texts on both personal and business phones that resembled the intricate phishing effort on Twilio.

Furthermore, Cloudflare said that its Cloudforce One threat intelligence team was able to do an analysis of the attack, despite the fact that its systems were not hacked.

The systems and officials of several firms are the targets of this sophisticated attack, as per analysts. Four phone numbers linked to SIM cards issued by T-Mobile were used in the attack, which exists around the same time Twilio was targeted and was ultimately unsuccessful.

Cloudflare said the rogue domain was built via Porkbun under 40 minutes before the wave of more than 100 smishing messages started. It also said the phishing page was created to quickly pass the data given by unwary customers to the attacker via Telegram.

The data was directly taken to the attacker via the messaging app Telegram once the message receiver input his credentials on the phishing site. Experts claim since the phishing page would request a Time-based One Time Password (TOTP) code, the real-time relay was essential for the hackers. Once they had this information, the attackers would access the actual login page for the victim company.

Only three employees, as per Cloudflare, clicked the link in the phishing email and submitted their credentials. However, the business does not use TOTP codes; rather, its staff members use a YubiKey security key that complies with FIDO2. This implies that even if an attacker has the credentials, they cannot access the firm systems without the hardware key.

As Cloudflare also disclosed, AnyDesk remote access software was immediately downloaded on their machines after providing their credentials on the phishing pages, enabling the hackers to remotely take control of their systems if installed.

The company stated it reset the affected employees' login passwords and tightened its access policy to block any logins from unidentified VPNs, residential proxies, and infrastructure providers in addition to working with DigitalOcean to shut down the attacker's server.

SVCReady: A New Loader Gets Ready


Recently, a team of researchers has found a brand new wave of phishing campaigns spreading a previously documented malware family called SVCReady. 

Based on HP Wolf Security telemetry, SVCReady which is in its early stage of development, has been in the light of cyber crimes since the end of April 2022, with the authors iteratively updating the malware several times last month. 

"The malware is notable for the unusual way it is delivered to target PCs — using shellcode hidden in the properties of Microsoft Office documents," Patrick Schläpfer, a threat analyst at HP, said in a technical write-up. 

The malware is known for its unconventional way of targeting PCs- using shellcode hidden in the properties of Microsoft Office documents instead of PowerShell or MSHTA. 

The attackers send Microsoft Word document attachments to targets via email that contain Visual Basic for Applications (VBA) AutoOpen macros designed to execute the deployment of malicious payloads. 

After getting a command in the system, the malware tries to achieve persistence on the system. Following the goal the malicious actors copy the malware DLL to the Roaming directory, giving it a unique name based on a freshly generated universally unique identifier (UUID). 
Further, the malware creates a scheduled task called RecoveryExTask that runs the file copied to Roaming with rundll32.exe. 

The malware has the ability to capture systems information, capture screenshots, run shell commands, and download and execute arbitrary files. Reports also indicated that there are possibilities of malware having links with TA551. 

Additionally, HP said that it has noted overlaps between SVCReady and TA551 (aka Hive0106 or Shathak) malware, however, at present it cannot be confirmed if the same threat actor is behind the latest campaign. 

"It is possible that we are seeing the artifacts left by two different attackers who are using the same tools. However, our findings show that similar templates and potentially document builders are being used by the actors behind the TA551 and SVCReady campaigns,” Schläpfer noted.

Small Businesses Remain Vulnerable, With Rising Cyberattacks


Small businesses are three times more likely than big corporations to fall prey to scammers in 2021. A single cyberattack's average loss has risen from $34,000 to just about $200,000. These businesses have had to deal with legal bills, compliance penalties, reputational harm, and client loss in addition to cash losses. Many small enterprises are unable to recover from these setbacks.

Kaspersky Lab researchers tracked the amount of Trojan-PSW (Password Stealing Ware) detections in 2022: 4,003,323 versus 3,029,903, up nearly a quarter from the same period in 2021. Trojan-PSW is malware that collects passwords and other account information, allowing attackers to gain access to a company's network and steal important information. Web malware has been particularly bad in Indonesia, the United States, Peru, and Egypt, with the number of incidents in these nations growing several times in the last year.

Several firms have adopted the Remote Desktop Protocol (RDP), a technology that allows computers on the same corporate network to be linked together and accessed remotely, even when employees are at home. However, because RDP is of particular interest to cybercriminals, if an attacker gains access to the corporate network through RDP, they can commit fraud on any of the company's PCs that have been linked. 

The general number of RDP attacks has fallen marginally, but not across the board. There were around 47.5 million attacks in the first trimester of 2021 in the United States, compared to 51 million in the same period in 2022. 

Advanced security services might include built-in training to keep IT professionals informed about the latest cyberthreats. Business owners can transform themselves into sought-after cybersecurity specialists by investing in training and education. 

These specialists will be able to understand how threats may affect their organization and change technological and organizational cybersecurity measures accordingly. Experts at Kaspersky recommend investing in an advanced security product that can perform incident analysis. 

These authorities can figure out where and how a leak happened, they will be better equipped to deal with any unwanted ramifications. Kaspersky Endpoint Security Cloud Pro is a new edition of Kaspersky Endpoint Security Cloud that includes advanced new features such as automated response options and an expanded range of security controls in a single solution. 

Along with all the more ground capabilities, Cobb, the security consultant, recommends that businesses invest in three extra protection measures: 
  • Data backup solution: This ensures that information that has been compromised or lost during a breach can be easily restored from a different place. 
  • Businesses may consider adopting encryption software to protect sensitive data such as employee records, client/customer information, and financial statements. 
  • Password-security software or two-step authentication: To limit the likelihood of password cracking, use these technologies with internal programs.

Three Malware Fileless Phishing Campaigns: AveMariaRAT / BitRAT /PandoraHVNC


A phishing effort that was distributing three fileless malware onto a victim's device was detailed by cybersecurity experts at Fortinet's FortiGuard Labs. AveMariaRAT, BitRAT, and PandoraHVNC trojan viruses are spread by users who mistakenly run malicious attachments delivered in phishing emails. The viruses are dangerously capable of acquiring critical data from the device.
Cybercriminals can exploit the campaign to steal usernames, passwords, and other sensitive information, such as bank account numbers. BitRAT is particularly dangerous to victims because it can take complete control of infected Windows systems, including viewing webcam activity, listening to audio through the microphone, secretly mining for cryptocurrency that is sent to the attackers' wallet, and downloading additional malicious files.

The first phishing mail appears to be a payment report from a reputable source, with a brief request to view a linked Microsoft Excel document. This file contains dangerous macros, and when you open it, Microsoft Excel warns you about using macros. If the user disregards the warning and accepts the file, malware is downloaded. The malware is retrieved and installed onto the victim's computer using Visual Basic Application (VBA) scripts and PowerShell. For the three various types of malware that can be installed, the PowerShell code is divided into three pieces. This code is divided into three sections and employs the same logic for each virus: 
  • A dynamic mechanism for conducting GZip decompression is included in the first "$hexString." 
  • The second "$hexString" contains dynamic PowerShell code for decompressing the malware payload and an inner.Net module file for deploying it. 
  • The GZip-compressed malware payload is contained in the "$nona" byte array. The following PowerShell scripts are retrieved from the second $hexString and are used to decompress the malware payload in $nona and to deploy the malware payload into two local variables using the inner.Net module. 
The study doesn't explain as to why the phishing email contains three malware payloads, but it's conceivable that with three different types of malware to deploy, the cybercriminals will have a better chance of gaining access to whatever critical information they're after. 

Phishing is still one of the most prevalent ways for cyber thieves to deliver malware because it works – but there are steps you can take to avoid being a victim. Mysterious emails claiming to offer crucial information buried in attachments should be avoided, especially if the file requires users to allow macros first. Using suitable anti-spam and anti-virus software and training workers on how to recognize and report phishing emails, businesses may help workers avoid falling victim to phishing emails.

In 2021, the UK Government was Plagued by Hundreds of Spam Emails


The UK government was reportedly bombarded with billions of phishing emails last year, with large numbers of questionable and fraudulent links being clicked on by staff. Comparitech recently published a report on these fraudulent emails and got responses in the sort of freedom of information requests from 260 government agencies. 

According to Comparitech, 764,331 government employees got a total of 2.7 billion fraudulent emails, averaging 2,399 per employee. However, this indicates that the emails were most likely flagged as malicious and prohibited by the relevant government agency. 

In 2021, personnel opened 0.32 percent of malicious emails on average, with 0.67 percent of these events resulting in employees clicking on potentially dangerous links, as per research. According to Comparitech, this might suggest some UK government employees clicked on 57,736 questionable links last year. The firm reiterated whether any FOI responses have been unclear - were ignored to avoid overestimating this amount. 

357 million fraudulent emails were received by NHS Digital's 3,996 employees, amounting to 89,353 mails per employee. Other essential infrastructure services, such as railway supplier Network Rail Limited, received 223 million malicious emails, or 5,033 emails per employee, while tax authority HM Revenue & Customs received 27.9 million spam emails, or 415 emails per employee. 

In other cases, the researchers' attempts to better grasp the government's ransomware threat were hampered by respondents' lack of transparency. "One government department reported in 2021 it had identified 97 data theft over just 30 days. Seventy-one government agencies were also glad to announce why they had not been hit by ransomware in 2021 the remaining 187 didn't say whether or not they had. In 2021, only two government agencies disclosed it had been the victims of a successful ransomware attack," said Paul Bischoff of Comparitech.

Top Israeli Officials Duped by Bearded Barbie Hackers


Cybercriminals appear to be aggressively promoting the Remcos RAT that first appeared in hacking forums in 2016 and was marketed sold, and offered cracks on a variety of websites and forums. In 2017, researchers discovered Remcos being distributed via a malicious PowerPoint slideshow with a CVE-2017-0199 exploit. Remcos RAT is a piece of commercial software which may be purchased online. 

An "elaborate effort" targeting high-profile Israeli individuals working in critical defense, law enforcement, and emergency services sectors has been traced to a threat actor associated with Hamas' cyber warfare section. The Hamas-backed hacker outfit dubbed 'APT-C-23' was discovered catfishing Israeli officials in defense, law enforcement, and government institutions, resulting in the deployment of new malware. 

Before delivering spyware, the campaign uses advanced social engineering techniques like creating phony social media identities and maintaining a strong partnership with the targets. AridViper has previously targeted Palestinian law enforcement, military, or educational institutions, as well as the Israel Security Agency, with spear-phishing assaults (ISA). Researchers from Cisco Talos discovered AridViper assaults against activists involved in the Israel-Palestine conflict in February.

Malicious actors have built several phony Facebook pages utilizing forged credentials and pirated or AI-generated photographs of attractive women, and have used these profiles to approach their targets. The operators have spent months curating these profiles to make them appear legitimate, posting in Hebrew and alike organizations and prominent pages in Israel. The creators of these profiles create a network of friends who are actually people who work in Israel's police, defense forces, emergency services, or government. The opponents recommend transferring the chat to WhatsApp, ostensibly for more privacy, after building the target's trust by talking with individuals for a while. 

The Android app is actually the virus VolatileVenom.The icon is concealed on pre-Android 10 devices; with Android 10, the virus utilizes the Google Play installation icon. When the victim tries to sign into the Wink Chat, an error message appears, stating the app will be deleted. With a wide spectrum of espionage capabilities, VolatileVenom continues to function in the background. 

The malicious actors will eventually email the target a RAR file containing supposedly explicit photographs or videos as part of the catfishing attempts. This RAR file, on the other hand, contains the Barb(ie) installer malware, which installs the BarbWire backdoor. The filename of a sample of Barb(ie) detected by Cybereason is "Windows Notifications," and when it is made to run, it performs basic anti-analysis checks. If the host is deemed appropriate, the downloader links to an integrated C2 server. 

The BarbWire Backdoor is sent by the C2 server. The downloader contains a backup technique for finding a different C2. If the attackers need to modify the C2 from the one inserted, they can simply send an SMS message with the new destination. All inbound SMS messages are intercepted by the downloader. If one is provided by the intruders, it can just extract the new C2 information and install the backdoor. BarbWire steals data from PDFs, Office files, archives, picture files, movies, and photos, among other file types. It also checks for external media, such as a CD-ROM file, implying it's hunting for highly sensitive material which is carried around physically or over the internet. The stolen information is stored in a RAR archive and then sent to the attackers' C2 server. 

APT-C-23 employs several approaches which have been used in previous operations against Israeli targets, but it is constantly evolving with new tools and more intricate social engineering efforts. The lack of overlapping infrastructure distinguishes Operation Bearded Barbie from past missions, indicating the group's goal of avoiding notice. Another escalation for the threat actor is the usage of two backdoors, one for Windows and one for Android, resulting in very active espionage for the compromised targets.

According to Arkose Labs, the Bots Target Financial Organizations


Children as young as five use internet channels for a variety of activities, so it isn't just adults who are essentially living online. The epidemic hastened the adoption of the internet by children for online lessons, entertainment, and socializing.

In the preface to a company's study paper, 2022 State of Fraud & Account Security Report, Kevin Gosschalk, founder and CEO of Arkose Labs, writes, "A familiar term heard in the last few years is 'data is the new oil." "Data is the precious resource who feeds the digital world, which today permeates so much of our daily lives. Work, socializing, education, and a variety of other activities all take place primarily in the digital realm."

Bloomberg Intelligence estimates the online "metaverse" might be worth $800 billion by 2024, according to the cybersecurity firm. "Fraudsters will have an immensely broader attack surface to target as a result of this." Threat actors can corrupt smart appliances, connected autos, and virtual reality gadgets in addition to PCs and mobile devices." 

According to the Arkose research, fraud assaults on financial institutions are increasing in frequency "as well as sophistication." Internet fraud has increased by 85 percent in recent months, and much more than a fifth of all internet traffic is a cyberattack. Not only fraudsters, but Master Fraudsters - the worst type of fraudster – are coming after gaming, internet streaming, and social media sites with all guns blazing. These are the most prominent and, as a result, the most harmful internet pastimes for youngsters. 

Although children are more comfortable with the internet and can navigate it like a pro, but are not always aware of the dangers which lurk there. They might not be able to spot situations where cybercrooks are attempting to take advantage of human gullibility. 

The Arkose Labs analysis also highlighted an 85 percent increase in login or registration stage attacks year over year. "Once an existing account has been hijacked, attackers can monetize it in a variety of ways," according to Gosschalk, "including stealing bank information, reselling credentials, redeeming collected loyalty points, and more." "Fake new accounts are employed in assaults like stock hoarding, content harvesting, and spam and phishing messaging," says the report.

Indeed, according to the Arkose Labs analysis, the average individual now has over 100 passwords. Abuse of financial information and credentials drove an 85 percent increase in login and registration invasions last year compared to 2020. 

The Arkose Labs analysis indicated such automated services assist in targeting more enterprises: bots utilizing "scraping" assaults helped compromise at least 45 percent of the traffic on travel sites. Meanwhile, phishing, fraud, and the promise of a free trial were used to increase the number of bogus accounts last year compared to 2020. Financial firms and financial institutions have been major targets for attacks.

A Worldwide Fraud Campaign Used Targeted Links to Rob Millions of Dollars


Infrastructure overlaps tied to the TrickBot botnet can be seen in large-scale phishing activity employing hundreds of domains to steal information for Naver, a Google-like web platform in South Korea. The resources employed in this assault demonstrate the magnitude of the cybercriminal effort to gather login data to carry out attacks. 

Naver, like Google, offers a wide range of services, including web search, email, news, and the NAVER Knowledge iN online Q&A platform. Its credentials, in addition to granting access to regular user accounts, can also grant access to enterprise environments due to password reuse. 

Earlier this year, security researchers from cyber intelligence firm Prevailion began its inquiry using a domain name shared by Joe Sowik, mailmangecorp[.]us, which led to a "vast network of targeted phishing infrastructure designed to gather valid login credentials for Naver." Additionally, PACT analysts discovered similarities with the WIZARD SPIDER [a.k.a. TrickBot] network while researching the hosting infrastructure utilized to serve the Naver-themed phishing pages. 

The fraudsters enticed victims with phoney surveys and incentives purporting to be from well-known brands, the lure was meant to help the criminals steal victims' personal information and credit card information. Tens of millions of people in 91 countries, including the United States, Canada, South Korea, and Italy, were shown to have been targeted by the scammers.

To entice potential victims, the cybercriminals sent out invitations to participate in a survey, along with the promise of a prize if they completed it. Advertising on both legitimate and illegitimate websites, contextual advertising, SMS and email messages, and pop-up notifications were all used in the campaign. To develop trust with the victims, lookalike domains modeled after authentic ones were registered. 542 unique domains were linked to the operation, 532 of which were utilized for Naver-themed phishing. Authorities found the operator would register a group of web addresses linked to a single IP address using an email address.

According to the researchers, two Cobalt Strike beacon variants on Virus Total were linked to 23.81.246[.]131 as part of a campaign that used CVE-2021-40444 to spread Conti ransomware, a typical TrickBot payload. The end page's content is as personalized as possible to the victim's interests, with the customized link only accessible once, making detection significantly more difficult and enabling the scheme to last longer. 

The victim is also informed to be eligible for a prize and one must supply personal information such as one's complete name, email and physical addresses, phone number, and credit card information, including expiration date and CVV for the same. Prevalion believes one explanation that justifies the conclusions is cybercriminals should use an "infrastructure-as-a-service" model for their operations.

Users at Citibank Attacked by a Massive Phishing Scam


Scammers impersonating Citibank are now targeting customers in an online phishing campaign. Thousands of bogus email messages were sent to bank customers, according to Bitdefender's Antispam Lab, with the intent of collecting sensitive personal information and internet passwords. 

Responding to unusual activities or an unauthorized login attempt, the accounts have been placed on hold. As a result, the attackers claim all users should authenticate existing accounts as soon as possible to avoid a permanent ban.

According to Bitdefender's internal telemetry, these campaigns are focused primarily on the United States, with 81 percent of the phishing emails sent ending up in the mailboxes of American Citibank customers. However, it has also reached the United Kingdom (7 percent), South Korea (4 percent), and a small number have indeed made it to Canada, Ireland, India, and Germany. When it comes to the origins of these phishing attacks, 40% of the phoney emails appear to have come from the United States, while 13% came via IP addresses in Mexico. 

The cybercriminals behind the effort utilize email subject lines like "Account Confirm Confirmation Required," "Second Reminder: Your Account Is On Hold," and "Account Confirm Confirmation Required" to deceive Citibank clients into opening the emails. Other subject lines were, "Urgent: Account Confirmation Required," "Security Alert: Your Account Is On Hold," and "Urgent: Your Citi Account Is On Hold." 

Since some of the phishing emails in the campaign use the official Citibank logo to make them appear more real, the scammers who sent them did not take the time to correctly fake the sender's email address or repair any punctuation issues in the email body.

Citing phoney transactions or payments, and also questionable login attempts is another strategy used to create these phishing emails which appear to be from Citibank itself, to fool potential victims into authenticating actual accounts. When victims click the verify button, users are taken to a cloned version of the legitimate Citibank homepage. However, if a Citibank customer goes this far, fraudsters will steal the credentials and utilize them in future assaults. 

Bitdefender has discovered another large-scale phishing campaign that went live between February 11 and 15, 2022, offering victims the opportunity to seek cash compensation from the United Nations. The challenge in this situation is to identify the beneficiary as a scam victim, one of the 150 people who were declared eligible for a $5 million payout from Citibank. 

Banks rarely send SMS or email alerts to customers about critical account changes, thereby users can contact the bank and ask to speak to an agent if they receive a message which makes strong claims. Instead of calling the phone numbers included in the email, users should go to the bank's official website and look up the information on the contact page.

Giant User Theft and Bot Attacks Target on Job Seekers


Job seekers are viable targets for social manipulation efforts because applicants are emotionally weak and eager to provide any information to help them win the job. Cybercriminals are finding it easier to find the next victim now the "Great Resignation" is in full armor. 

A job posting portal with a location in six countries was the sufferer in this instance. The goal of the attack was to collect job seeker information from the website. 

Since February 1, experts have seen a 232 percent increase in phishing email attacks imitating LinkedIn, seeking to deceive job seekers into handing up private credentials. The emails contained subject lines including "Searching for a suitable candidate online," "You mentioned in 4 searches this week," and even "You have 1 new message," as per the Egress team. 

The OWASP Foundation classifies web scraping as an operational threat (OAT-011), which is defined as gathering accessible data or processing output from an application. While web scraping walks a delicate line among reporting and data privacy violations, it is still one of the most common automated hacks affecting businesses today, according to Imperva.

Imperva didn't name the company, but it said it received 400 million bot requests from 400,000 network Interfaces over four days in an attempt to harvest all of its job seekers' information. Similar strategies can be employed in "scalping" attacks, which are aimed to purchase in-demand, limited-edition products in order to resell them at a greater price later. Imperva neutralized one such operation on a retailer's website around Black Friday week, which had nine million bot queries in only 15 minutes — 2500 percent above its normal traffic rate.

Several people are accustomed to receiving regular authentic LinkedIn communications – and may unintentionally click without double-checking. Individual users are still responsible for being aware of the data they provide socially and how it can be used to deceive users into clicking a malicious link.

Group-IB Found 140 Resources with Fraudulent Schemes under the Guise of Olympic Games Broadcasts


Group-IB experts have identified 140 resources in the network that, under the guise of live broadcasts of the Winter Olympic Games in Beijing, redirect users to fraudulent and phishing sites. Most of the dangerous resources are already blocked. 

"After the opening of the XXIV Winter Olympic Games in Beijing, the specialists of the Information Security Incident Response Center (CERT-GIB) found 140 active resources that were used to host illegal broadcasts, and therefore for scamming and phishing. In total, 289 sites could potentially be involved in the scheme," said experts. 

The largest fraudulent network is Kinohoot, which includes over a hundred resources. During the Summer Olympic Games in Tokyo, CERT-GIB specialists found 120 resources of the same type created for conducting fraudulent live broadcasts. 

Group-IB explained that the user sees on one of the pages of the hacked resource a video player window with an embedded link to the live broadcast and symbols of the Winter Olympic Games. Users must register, enter the phone numbers and indicate a special access code to watch the broadcast. This leads the victim to phishing resources. 

Attackers can offer users to participate in the drawing of free access to broadcasts, and to receive a cash prize, the user must pay a conversion fee, which is usually 300-500 rubles ($4-7), and enter bank card data on a phishing resource, or send an SMS to the specified number. Instead of broadcasting, the victim is connected to various paid services and subscriptions. 

"Such Internet scams have been known for quite a long time, but scammers constantly adjust their schemes to popular or significant events in the world and, of course, use newly registered domains for this. In this scheme, in order to gain the trust of the victim, the redirect is often placed on legitimate hacked sites, for example, universities (Ecuadorian Universidad Esp ritu Santo or Indonesian Universitas Muhammadiyah Yogyakarta), charitable foundations and non-profit organizations (African Studies Association)," said the head of CERT-GIB Alexandra Kalinina. 

Group-IB experts recommend to follow sporting contests of the Olympic Games only on official resources, as well as to be wary of draws and not to enter the data of bank cards and personal data on suspicious sites.

Hackers Linked to Palestine Use the New NimbleMamba Malware


A Palestinian-aligned hacking organization has used a novel malware implant to target Middle Eastern governments, international policy think tanks, and a state-affiliated airline as part of "highly focused intelligence collecting activities." The discoveries by Proofpoint researchers detail the recent actions of MoleRATs in relation to a renowned and well-documented Arabic-speaking cyber organization, and the ongoing installation of a new intelligence-gathering trojan known as "NimbleMamba." 

To verify all infected individuals are within TA402's target zone, NimbleMamba employs guardrails. The Dropbox API is used by NimbleMamba both to control and also data leakage. The malware also has a number of features that make automated and human analysis more difficult. It is constantly in creation, well-maintained, and is geared to be employed in highly focused intelligence collection programs. 

MoleRATs, also known as TA402, operators are "changing the methodologies while developing these very neatly done, specialized and well-targeted campaigns," according to Sherrod DeGrippo, Proofpoint's vice president of threat analysis and detection. 

Reportedly, TA402 sends spear-phishing emails with links to malware distribution sites. Victims should be inside the scope of the attack, otherwise, the user will be rerouted to credible sources. A version of NimbleMamba is dumped on the target's machine inside a RAR file if its IP address fulfills the selected targeted region. Three separate attack chains were discovered, each with minor differences in the phishing lure motif, redirection URL, and malware-hosting sites. 

In the most recent attacks, the perpetrators pretended to be the Quora website in November 2021. The customer would be rerouted to a domain that served the NimbleMamba virus if the target system's IP address fell under one of around two dozen geofenced country codes. The user would be sent to a respectable news source if this was not the case. 

Another effort, launched in December 2021, employed target-specific baits including medical data or sensitive geopolitical information, and delivered malware via Dropbox URLs.

In yet another campaign, which ran from December to January, the hackers employed different baits for each victim but delivered malware via a hacker-controlled WordPress URL. The hacker-controlled URL only enabled attacks on targets in specific nations. 

NimbleMamba contains "various capabilities intended to confuse both automatic and manual analysis," reiterating that the malware "currently being produced, is well-maintained, and tailored for use in highly focused intelligence collection programs," the researchers told. 

Russian Hackers Employ Malicious Traffic Direction Systems to Spread Malware

Researchers have discovered possible linkages among a subscription-based crimeware-as-a-service (Caas) solution as well as a cracked copy of Cobalt Strike according to what they presume is being offered as a tool for customers to stage post-exploitation operations. 

Prometheus is an open-source activity monitoring and warning system for cloud applications that are based on metrics. Nearly 800 cloud-native companies, namely Uber, Slack, Robinhood, as well as others, employ it. 

Prometheus offers convenient observation of a system's state along with hardware and software metrics like memory use, network utilization, and software-specific defined metrics by scraping real-time information from numerous endpoints (ex. number of failed login attempts to a web application).

Prometheus has an understood policy of omitting built-in support for security features like authentication and encryption because the numeric metrics it collects are not deemed sensitive data. This allows the company to focus on creating monitoring-related services. It's being advertised on Russian underground forums as a traffic direction system (TDS) which allows bulk phishing redirection to rogue landing pages, designed to deliver malware payloads on targeted computers for $250 per month. 

"A system of a malicious technology, malicious email circulation, illicit folders across authorized platforms, traffic diversion, and the capacity to deliver infected files are the significant elements of Prometheus," the BlackBerry Research and Intelligence Team stated in a report. 

The redirection comes from one of two places: malicious advertisements on normal websites, or websites that have been tampered with to install harmful code. The attack network begins with a spam email that contains an HTML file or a Google Docs page; when opened, it redirects the victim to a compromised website that hosts a PHP backdoor fingerprint smudges the machine to determine whether to serve the victim with malware or redirect the user to another page that may contain a phishing scam.

While TDS's aren't a novel concept, the level of sophistication, support, and cheap financial cost lend validity to the hypothesis that this is a trend that will likely emerge in the threat environment in the near future, the researchers wrote.

In addition to enabling these techniques, it is strongly advised for anyone with a Prometheus implementation to query the previously listed endpoints to see if sensitive data was exposed before the identification and TLS functionalities in Prometheus were implemented.

US Arrested Multi-year Phishing Scam Suspect


An Italian man who was involved in a multi-year phishing scam aimed towards fraudulently stealing hundreds of unpublished book manuscripts from popular authors such as Margaret Atwood and Ethan Hawke − has been imprisoned. The accused will be in prison for a maximum of 20 years if found guilty of wire fraud and another additional two years for a count of aggravated identity theft. 

The Department of Justice while reporting on the incident, stated, that the man is 29-year-old Filippo Bernardini, was arrested by the FBI on Wednesday at the John F. Kennedy International Airport, in New York. The report also said that he was previously working at London-based publisher Simon & Schuster who allegedly impersonated editors, agents, and others personnel involved in the publishing industry to obtain manuscripts of unpublished books fraudulently. 

“We were shocked and horrified on Wednesday to learn of the allegations of fraud and identity theft by an employee of Simon & Schuster UK. The employee has been suspended pending further information on the case…” Simon & Schuster said in a statement to Variety. 

“…The safekeeping of our authors’ intellectual property is of primary importance to Simon & Schuster, and for all in the publishing industry, and we are grateful to the FBI for investigating these incidents and bringing charges against the alleged perpetrator.” 

Following the incident, agencies said that the scheme was started in August 2016 wherein Bernardini used various fake email addresses which were linked to over 160 domains spoofing literary talent agencies, literary scouting agencies, and publishing houses. 

Furthermore, he also sent phishing emails attacking employees of a New York City-based literary scouting company and obtained their sensitive data to gain access to the organization’s database of synopses and other information regarding upcoming books. 

"These prepublication manuscripts are valuable, and the unauthorized release of a manuscript can dramatically undermine the economics of publishing, and publishing houses generally work to identify and stop the release of pirated, prepublication, manuscripts," the Department of Justice said today. 

"Such pirating can also undermine the secondary markets for published work, such as film and television, and can harm an author’s reputation where an early draft of the written material is distributed in a working form that is not in a finished state."

Bracing for Evolving Phishing Frauds


Phishing scams are still the most common type of cybercrime. Unfortunately, as social engineering attacks get more advanced, this tendency is likely to continue in 2022. The numbers are worrisome and the phishing attacks account for more than 80% of all security issues reported. 

In fact, phishing attacks have been successful in 74 percent of firms in the United States. Companies must be watchful and proactive by implementing a defense strategy as phishing will remain the favoured method of attack for cybercriminals in the coming year. Phishing attacks have the potential to compromise infrastructure and organizations will need to plan ahead and anticipate investing more money in preventative measures in 2021 than they did in 2021. 

Phishing takes a new turn 

As cybercriminals get more sophisticated, here are some of the tactics that businesses should be aware of. It will be considerably difficult to distinguish between spoof and legitimate emails. Email recipients may be alarmed by clever subject lines. Email recipients may be alarmed by clever subject lines such as "Changes to your health benefits" or "Unusual login detected." 

Other common methods of attack include denied memberships, fraudulent subscription calls-to-action, and billing and payment warnings. Furthermore, fraudsters are becoming more sophisticated in their use of false links. Users who aren't paying attention may be scammed into clicking on links that lead to harmful websites. Phishing assaults will be elevated to a new level as a result of social engineering attempts. Artificial intelligence-based tactics, such as copying someone's voice to elicit sensitive information, will become more common. 

A good offense is the best defense

The good news for businesses is that they can use artificial intelligence (AI), email security, and cybersecurity training to protect themselves from more sophisticated phishing assaults. Investing in AI-based preventative tools that track and examine email communications is the first line of defence. 

A strong AI solution examines variables like the devices' external senders and employees, who they message, what time of day they communicate, and where they communicate from. This data is then used to create trusted email sender profiles, which are subsequently compared to incoming emails to authenticate the sender and detect and avoid sophisticated phishing efforts. Artificial intelligence-based monitoring software may even scan photos for fake login sites and altered signatures, then immediately quarantine malicious emails so that the end-user never sees them. 

Another preventative step is email security. Technology that displays warning banners and identifies problematic emails is beneficial since it allows users to quarantine or mark messages as safe with a single click. Passwords that have been compromised can be used to launch cyberattacks. Single sign-on (SSO), multifactor authentication (MFA), and password management are all included in an identity and access management (IAM) tool. 

Another option to mitigate the security concerns associated with passwords is to use passwordless authentication. This method confirms a user's identity by utilizing biometrics, such as fingerprints, and one-time passwords, which require users to enter a code that is either emailed, transmitted through SMS, or received via an authenticator app. 

Finally, a company is only as powerful as its employees, emphasising the importance of cybersecurity training. The first line of defence is employees. An organization's odds of experiencing a cybersecurity incident can be reduced by up to 70% by boosting security awareness. Security awareness training should always be included in onboarding, and phishing simulation campaigns should be run regularly, at least once a month. 

While this may appear excessive, research reveals that four to six months after each training session, trained employees begin to forget what they learned. With hybrid workplaces becoming increasingly widespread post-pandemic, over half of the remote workers use email as their major mode of contact, demonstrating the importance of security awareness training. 
According to the FBI, firms in the United States lost more than $1.8 billion in costs due to business email compromise (BEC) or spearphishing last year. Phishing scams resulted in adjusted losses of more than $54 million, according to the FBI. Given that phishing remains a popular type of intrusion, it's reasonable to assume that number will continue to rise. 

Organizations may help defend their businesses from being hacked by utilising AI's complete functionality to construct a powerful security platform that detects threats, as well as strengthened email security measures and employee training.

190 Australian Organisations Left Vulnerable to Phishing Attacks


An "extremely permissive" Sender Policy Framework document exposed 190 Australian companies to business email compromise and phishing, allowing cybercriminals to mimic verified sender addresses. 

The Sender Policy Framework (SPF) is an anti-spam and verification mechanism that allows delivering organizations to inspect within the Domain Name System (DNS) which Internet Protocol addresses recipient email systems may expect legitimate emails to originate from. 

Sebastian Salla of security vendor Can I Phish in Sydney discovered that an unknown city government in Queensland had added to its SPF file each IP address that Amazon Web Services reserves for Elastic Cloud Compute cases in Australia. 

This totaled to over 1,000,000 IPv4 addresses, posing a threat to many organizations' email supply chain, according to Salla. 

“Each of the affected 190 organizations and their downstream customers is at an extreme risk to business email compromise and phishing-related attacks,” Salla wrote.

“Anyone with a credit card can sign-up for an AWS account, spin up an EC2 instance, request AWS to remove any SMTP restrictions, and begin sending SPF authenticated emails as though they are any of these organizations.” 

Salla's tests revealed that he was prepared to submit SPF-authenticated emails that passed all scans. Salla was able to determine that the SPF file had been used for customers of an Australian managed service provider and internet development company by analyzing it. 

He also stated that the vulnerabilities discovered had been addressed by the managed service provider. Salla discovered that the too permissive SPF file was produced about three years ago, putting the businesses impacted by the flaw in jeopardy all that time. 

Salla said the MSP has “removed all the overly permissive /16 address blocks and replaced them with single IP addresses for the mail servers that are actually under their control” – thus applying “the fix to all affected customers at once”.