Showing posts with label Phishing and Spam.

Cloudflare Employees Targeted by the Hackers Who Breached Twilio


On Tuesday, the web infrastructure provider Cloudflare revealed that at least 76 of its employees and their family members had received text messages, on both personal and work phones, closely resembling the sophisticated phishing campaign that hit Twilio.

Cloudflare added that its Cloudforce One threat intelligence team was able to analyse the attack even though none of the company's systems were breached.

According to analysts, the same sophisticated operation targeted the systems and staff of several firms. Four phone numbers tied to T-Mobile-issued SIM cards were used in the attack, which took place around the same time Twilio was hit and which, in Cloudflare's case, was ultimately unsuccessful.

Cloudflare said the rogue domain was registered through Porkbun less than 40 minutes before the wave of more than 100 smishing messages began. The phishing page was built to forward whatever unwary employees typed into it to the attacker in real time via Telegram.

As soon as a recipient entered credentials on the phishing site, they were relayed straight to the attacker over Telegram. The real-time relay mattered because the page also asked for a Time-based One-Time Password (TOTP) code: a TOTP code is only valid for a short window, so the attacker had to enter the stolen password and code on the victim company's genuine login page within seconds of receiving them.

Only three Cloudflare employees clicked the link in the phishing message and submitted their credentials. Cloudflare does not use TOTP codes, however; its staff authenticate with FIDO2-compliant YubiKey security keys. A FIDO2 key signs a challenge that is bound to the origin of the site requesting it, so a signature obtained on a lookalike domain is useless on the real one: even with the stolen credentials, the attackers could not get into company systems without the hardware key.
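The contrast between the two paragraphs above, as an added example that is not Cloudflare's code: a toy model of the real-time relay. The TOTP half follows RFC 6238; the WebAuthn half is simplified, with an HMAC under a per-credential key standing in for the authenticator's public-key signature (an assumption), but what gets signed and what the relying party checks follow the real protocol. All secrets, origins and timestamps are constructed.

```python
"""
Added example (not Cloudflare's code): why relaying a stolen TOTP code within
its time window works, while a FIDO2/WebAuthn assertion produced on a
lookalike origin is rejected by the real site.

TOTP follows RFC 6238 (HMAC-SHA1, 30 s step, 6 digits).  The WebAuthn side
is simplified: an HMAC with a per-credential key stands in for the
authenticator's ECDSA signature (assumption).  Secrets, origins and
timestamps are constructed.
"""
import base64
import hashlib
import hmac
import json
import struct


def totp(secret_b32: str, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP code for a base32 secret at the given Unix time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(for_time // step))
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def real_site_accepts_totp(secret_b32: str, submitted: str, now: float) -> bool:
    """The genuine login page only checks that the code is valid right now."""
    return hmac.compare_digest(submitted, totp(secret_b32, now))


def authenticator_assert(cred_key: bytes, rp_id: str, origin: str, challenge: bytes) -> dict:
    """
    What the security key returns when a page asks for an assertion.  The
    browser, not the page, writes the page's origin into the client data, so
    a phishing page cannot claim the real site's origin.
    """
    client_data = json.dumps(
        {"type": "webauthn.get",
         "challenge": base64.b64encode(challenge).decode(),
         "origin": origin},
        sort_keys=True,
    ).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()        # rpIdHash
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, to_sign, hashlib.sha256).digest()  # stand-in for ECDSA
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def real_site_accepts_assertion(cred_key: bytes, rp_id: str, expected_origin: str,
                                challenge: bytes, assertion: dict) -> bool:
    """Relying-party checks: type, origin, challenge, RP ID hash, then signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("origin") != expected_origin:
        return False                                   # produced on the wrong origin
    if cd.get("challenge") != base64.b64encode(challenge).decode():
        return False                                   # replay or wrong session
    if assertion["auth_data"] != hashlib.sha256(rp_id.encode()).digest():
        return False
    to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred_key, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])


def simulate_relay(method: str) -> bool:
    """
    The attacker forwards whatever the victim produced on the lookalike site
    to the genuine site a few seconds later.  Returns True if accepted.
    """
    now = 1_660_000_000.0                    # constructed timestamp
    if method == "totp":
        secret = "JBSWY3DPEHPK3PXP"          # constructed shared secret
        victim_code = totp(secret, now)      # typed into the phishing page
        return real_site_accepts_totp(secret, victim_code, now + 5)
    if method == "fido2":
        cred_key = b"constructed-credential-key"
        challenge = b"challenge-fetched-from-real-site"  # attacker forwards it
        # The victim's browser is on the lookalike origin.  A real browser would
        # refuse an rp_id of "example.com" there outright, failing even earlier.
        phished = authenticator_assert(cred_key, "example.com",
                                       "https://example-sso.com", challenge)
        return real_site_accepts_assertion(cred_key, "example.com",
                                           "https://example.com", challenge, phished)
    raise ValueError(f"unknown method {method!r}")


if __name__ == "__main__":
    print("TOTP relay accepted:", simulate_relay("totp"))    # True
    print("FIDO2 relay accepted:", simulate_relay("fido2"))  # False
```

The TOTP check passes because the genuine site has no way to tell a relayed code from one typed by the user; the assertion check fails at the origin comparison before the signature is even looked at, which is what "phishing-resistant" means in practice.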

Cloudflare also disclosed that, after credentials were entered, the phishing page immediately triggered a download of the AnyDesk remote access software, which would have let the attackers take control of the victims' machines had it been installed.

The company said it reset the affected employees' passwords, tightened its access policy to block logins from unknown VPNs, residential proxies and hosting providers, and worked with DigitalOcean to take down the attacker's server.



SVCReady: A New Loader Gets Ready

 

Researchers have recently observed a new wave of phishing campaigns distributing a previously undocumented malware family called SVCReady.

Based on HP Wolf Security telemetry, SVCReady, which is still at an early stage of development, has been in circulation since the end of April 2022, with its authors updating the malware several times over the following month.

"The malware is notable for the unusual way it is delivered to target PCs — using shellcode hidden in the properties of Microsoft Office documents," Patrick Schläpfer, a threat analyst at HP, said in a technical write-up. 

What sets the malware apart is its delivery: the shellcode is hidden in the properties of Microsoft Office documents rather than being fetched and run through PowerShell or MSHTA, as most Office-based loaders do.

The attackers email targets Microsoft Word attachments containing Visual Basic for Applications (VBA) AutoOpen macros that execute the shellcode stored in the document properties to deploy the malicious payload.
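One way to hunt for this delivery trick offline, as an added example that is not HP's or SVCReady's code: a triage script that pulls every property value out of an Office Open XML document's docProps/*.xml parts and flags values that look like an embedded blob rather than human metadata. The sample document is constructed in memory, and a hex string stands in for the loader's real shellcode encoding, which is an assumption.

```python
"""
Added example, not HP's or SVCReady's code: list and score the document
properties of a .docx package.  The sample document is constructed; the
hex-encoded property value stands in for the real shellcode encoding
(assumption).
"""
import io
import math
import re
import zipfile
import xml.etree.ElementTree as ET

PROP_PARTS = ("docProps/core.xml", "docProps/app.xml", "docProps/custom.xml")
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def shannon_entropy(s: str) -> float:
    """Bits per character; prose is ~4, base64/compressed data ~5.5+."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def document_properties(docx_bytes: bytes) -> dict:
    """Map of property name -> text for every docProps part in the package."""
    props = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in PROP_PARTS:
            if part not in z.namelist():
                continue
            root = ET.fromstring(z.read(part))
            if part.endswith("custom.xml"):
                # <property name="X"><vt:lpwstr>value</vt:lpwstr></property>
                for prop in root:
                    if prop.get("name"):
                        props[prop.get("name")] = "".join(prop.itertext()).strip()
            else:
                # <dc:title>..</dc:title>, <Application>..</Application>, ...
                for el in root:
                    text = "".join(el.itertext()).strip()
                    if text:
                        props[el.tag.split("}")[-1]] = text
    return props


def suspicious_properties(docx_bytes: bytes, min_len: int = 256) -> list:
    """Names of properties whose value is long and hex-only or high-entropy."""
    return sorted(
        name for name, value in document_properties(docx_bytes).items()
        if len(value) >= min_len and (HEX_RE.match(value) or shannon_entropy(value) > 5.0)
    )


def build_sample_docx(subject: str, custom: dict) -> bytes:
    """Constructed minimal .docx containing only the parts this scanner reads."""
    core = (
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/">'
        f'<dc:title>Invoice</dc:title><dc:subject>{subject}</dc:subject><dc:creator>user</dc:creator>'
        '</cp:coreProperties>'
    )
    custom_xml = (
        '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/custom-properties" '
        'xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">'
        + "".join(
            f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="{i + 2}" name="{k}">'
            f'<vt:lpwstr>{v}</vt:lpwstr></property>'
            for i, (k, v) in enumerate(custom.items())
        )
        + '</Properties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/custom.xml", custom_xml)
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a benign subject plus a custom property stuffed with hex.
    sample = build_sample_docx("Q3 report", {"Stage": "4d5a9000" * 80})
    print(suspicious_properties(sample))   # ['Stage']
```

Real loaders may split the blob across several properties or base64 it instead of hex, which is why the check falls back to entropy rather than relying on the hex pattern alone; tune `min_len` against your own document corpus before using it as an alert.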

Once running, the malware attempts to achieve persistence. It copies its DLL to the user's Roaming directory under a unique name derived from a freshly generated universally unique identifier (UUID), then creates a scheduled task called RecoveryExTask that launches the copied file with rundll32.exe.
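The persistence step above can be checked for on a host by reading the Task Scheduler XML definitions (on Windows they live under C:\Windows\System32\Tasks). The following is an added example, not HP's code: two task files are constructed inline, and because the task name and DLL path are assumptions the check keys on the behaviour (rundll32 launching a UUID-named DLL from AppData\Roaming) rather than on the name RecoveryExTask.

```python
"""
Added example, not HP's code: flag Task Scheduler definitions whose action
runs rundll32.exe against a UUID-named DLL under AppData\\Roaming.  The two
task definitions below are constructed, not real samples.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
UUID_DLL_IN_ROAMING = re.compile(
    r"AppData[\\/]Roaming[\\/]"
    r"\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?\.dll\b",
    re.IGNORECASE,
)


def exec_actions(task_xml: str):
    """Yield (command, arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip().strip('"')
        args = (ex.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        yield cmd, args


def is_svcready_style_task(task_xml: str) -> bool:
    """True if any action runs rundll32 on a UUID-named DLL in Roaming."""
    for cmd, args in exec_actions(task_xml):
        if cmd.lower().endswith("rundll32.exe") and UUID_DLL_IN_ROAMING.search(args):
            return True
    return False


def _task(command: str, arguments: str) -> str:
    # Minimal Task Scheduler XML (real files are UTF-16 with more elements).
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>'
        f'<Actions Context="Author"><Exec><Command>{command}</Command>'
        f'<Arguments>{arguments}</Arguments></Exec></Actions></Task>'
    )


# Constructed task definitions (not real samples); the UUID is made up.
SUSPECT_TASK = _task(
    "C:\\Windows\\System32\\rundll32.exe",
    "C:\\Users\\alice\\AppData\\Roaming\\7b1f9e2c-3d4a-4c5e-8f60-1a2b3c4d5e6f.dll,EntryPoint",
)
BENIGN_TASK = _task("C:\\Program Files\\Vendor\\updater.exe", "/silent")

if __name__ == "__main__":
    print(is_svcready_style_task(SUSPECT_TASK), is_svcready_style_task(BENIGN_TASK))  # True False
```

On a live system, read each file under the Tasks directory as UTF-16 and pass the text in; a hit is worth correlating with a recently created DLL of the same name and a parent Office process.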

The malware can collect system information, capture screenshots, run shell commands, and download and execute arbitrary files. Reports also point to possible links with TA551.

HP said it has noted overlaps between SVCReady and TA551 (aka Hive0106 or Shathak) malware, but at present cannot confirm that the same threat actor is behind the latest campaign.

"It is possible that we are seeing the artifacts left by two different attackers who are using the same tools. However, our findings show that similar templates and potentially document builders are being used by the actors behind the TA551 and SVCReady campaigns,” Schläpfer noted.

Small Businesses Remain Vulnerable, With Rising Cyberattacks

 

Small businesses were three times more likely than large corporations to fall prey to scammers in 2021. The average loss from a single cyberattack has risen from $34,000 to close to $200,000, and on top of the direct financial loss these businesses face legal bills, compliance penalties, reputational harm and lost customers. Many small enterprises never recover from such setbacks.

Kaspersky Lab researchers counted 4,003,323 Trojan-PSW (Password Stealing Ware) detections in 2022 against 3,029,903 in the same period of 2021, an increase of nearly a third. Trojan-PSW is malware that harvests passwords and other account data, giving attackers a foothold in a company's network from which to steal sensitive information. Web-based malware has been particularly prevalent in Indonesia, the United States, Peru and Egypt, where the number of incidents grew several-fold over the past year.

Many firms have adopted the Remote Desktop Protocol (RDP), which lets an employee connect to a computer on the corporate network and operate it remotely, including from home. RDP is of particular interest to cybercriminals for the same reason: an attacker who gains access to the corporate network through RDP can act on any of the connected machines as if sitting in front of them.

The overall number of RDP attacks has fallen slightly, but not everywhere. In the United States there were around 47.5 million attacks in the opening months of 2021, compared with 51 million in the same period of 2022.
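Most of the RDP attacks counted above are password guessing, which is visible in the Windows Security log before it succeeds. As an added example that is not Kaspersky's code, here is a minimal detector over such events: event 4625 is a failed logon and 4624 a successful one; logon type 10 is RemoteInteractive (RDP), and with Network Level Authentication enabled failures may instead surface as type 3, so both are counted. The log lines are constructed in a flat key=value form, an assumption rather than the real EVTX/XML layout.

```python
"""
Added example (not Kaspersky's): sliding-window detection of RDP password
guessing over constructed Windows Security log events.
"""
from collections import defaultdict, deque
from datetime import datetime

RDP_LOGON_TYPES = {"3", "10"}   # 10 = RemoteInteractive; 3 = Network (NLA failures)


def parse_event(line: str) -> dict:
    """'<ISO time> k=v k=v ...' -> dict with a parsed 'time' field (constructed format)."""
    ts, _, rest = line.strip().partition(" ")
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_rdp_bruteforce(lines, threshold: int = 5, window_s: int = 60) -> list:
    """
    Return (source_ip, kind, time) alerts.  'brute_force' fires once when a
    source accumulates `threshold` failures inside a sliding window of
    `window_s` seconds; 'success_after_failures' fires on any later 4624 from
    that source, which is the event worth paging on.
    """
    recent_failures = defaultdict(deque)
    flagged = set()
    alerts = []
    for ev in map(parse_event, lines):
        if ev.get("LogonType") not in RDP_LOGON_TYPES:
            continue
        ip, t = ev.get("IpAddress", "-"), ev["time"]
        if ev["EventID"] == "4625":
            q = recent_failures[ip]
            q.append(t)
            while (t - q[0]).total_seconds() > window_s:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "brute_force", t))
        elif ev["EventID"] == "4624" and ip in flagged:
            alerts.append((ip, "success_after_failures", t))
    return alerts


# Constructed sample log: one guessing burst that ends in a successful logon,
# and one source with a couple of ordinary typos.
SAMPLE_LOG = [
    "2022-05-03T10:00:01Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7",
    "2022-05-03T10:00:05Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7",
    "2022-05-03T10:00:09Z EventID=4625 LogonType=3 TargetUserName=jsmith IpAddress=198.51.100.2",
    "2022-05-03T10:00:12Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7",
    "2022-05-03T10:00:20Z EventID=4625 LogonType=10 TargetUserName=test IpAddress=203.0.113.7",
    "2022-05-03T10:00:31Z EventID=4625 LogonType=10 TargetUserName=guest IpAddress=203.0.113.7",
    "2022-05-03T10:00:44Z EventID=4625 LogonType=3 TargetUserName=jsmith IpAddress=198.51.100.2",
    "2022-05-03T10:01:02Z EventID=4624 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7",
    "2022-05-03T10:01:10Z EventID=4624 LogonType=3 TargetUserName=jsmith IpAddress=198.51.100.2",
]

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(*alert)
```

The threshold and window are starting points; a slow attacker spreading guesses over hours needs a longer window, and the real defence is not exposing RDP to the internet at all (VPN or gateway in front, plus account lockout).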

Advanced security services may also include built-in training that keeps IT staff current on the latest threats. By investing in such training and education, business owners can turn their own people into capable cybersecurity specialists.

Those specialists will be able to understand how threats could affect the organisation and adjust technical and organisational security measures accordingly. Kaspersky's experts recommend investing in an advanced security product capable of incident analysis.

Knowing where and how a leak happened leaves a company better placed to deal with the consequences. Kaspersky Endpoint Security Cloud Pro is a new edition of Kaspersky Endpoint Security Cloud that adds automated response options and a broader range of security controls in a single product.

Beyond those basics, security consultant Cobb recommends that businesses invest in three further protective measures:
  • A data backup solution, so that information compromised or lost in a breach can be restored from a separate location.
  • Encryption software to protect sensitive data such as employee records, client and customer information, and financial statements.
  • Password-security software or two-step authentication, used with internal applications to reduce the risk of password cracking.

One Phishing Campaign, Three Fileless Malware Strains: AveMariaRAT / BitRAT / PandoraHVNC

 

Researchers at Fortinet's FortiGuard Labs have detailed a phishing campaign that drops three fileless malware strains onto a victim's device. The AveMariaRAT, BitRAT and PandoraHVNC trojans are delivered when users run a malicious attachment from a phishing email, and all three are capable of harvesting sensitive data from the infected device.
 
The campaign can be used to steal usernames, passwords and other sensitive information, including bank account details. BitRAT is especially dangerous because it can take full control of an infected Windows system: watching the webcam, listening through the microphone, covertly mining cryptocurrency paid to the attackers' wallet, and downloading further malicious files.

The phishing email poses as a payment report from a reputable source, with a brief request to review an attached Microsoft Excel document. The file contains malicious macros, and on opening, Microsoft Excel warns the user about enabling them. If the user ignores the warning and enables the content, the malware is downloaded: Visual Basic for Applications (VBA) code hands off to PowerShell, which retrieves and installs the payloads. The PowerShell code is split into three parts, one for each malware strain, and applies the same logic to each:
  • The first "$hexString" holds a dynamically built routine for GZip decompression.
  • The second "$hexString" holds dynamic PowerShell code that decompresses the malware payload, together with an inner .NET module used to deploy it.
  • The "$nona" byte array holds the GZip-compressed malware payload. The PowerShell retrieved from the second $hexString decompresses $nona and loads the payload into two local variables through the inner .NET module.
The report does not explain why the phishing email carries three payloads, but it is plausible that three different families give the criminals a better chance of reaching whatever sensitive information they are after.
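The staged layout described above can be unpacked without ever running the script. The following is an added example, not FortiGuard's code: it finds hex-string variables and [byte[]] arrays in PowerShell text, decodes them, and strips GZip layers wherever the gzip magic is present. The sample script is constructed; its $hexString and $nona contents stand in for the real values, which is an assumption.

```python
"""
Added example (not FortiGuard's code): offline decoder for hex-string and
byte-array stages in a PowerShell loader.  The sample script is constructed.
"""
import gzip
import re

HEX_VAR = re.compile(r'\$(\w+)\s*=\s*"([0-9A-Fa-f]{8,})"')
BYTE_ARRAY_VAR = re.compile(
    r"\[byte\[\]\]\s*\$(\w+)\s*=\s*@?\(?\s*((?:0x[0-9A-Fa-f]{1,2}\s*,\s*)*0x[0-9A-Fa-f]{1,2})"
)
GZIP_MAGIC = b"\x1f\x8b"


def extract_blobs(script: str) -> dict:
    """Variable name -> raw bytes, for hex strings and 0x.. byte arrays."""
    blobs = {}
    for name, hexstr in HEX_VAR.findall(script):
        blobs[name] = bytes.fromhex(hexstr)
    for name, arr in BYTE_ARRAY_VAR.findall(script):
        blobs[name] = bytes(int(x, 16) for x in re.findall(r"0x[0-9A-Fa-f]{1,2}", arr))
    return blobs


def unwrap(blob: bytes) -> bytes:
    """Peel GZip layers until plain data remains (stages are often nested)."""
    while blob.startswith(GZIP_MAGIC):
        blob = gzip.decompress(blob)
    return blob


def recover_stages(script: str) -> dict:
    """Variable name -> decoded stage contents, ready for static analysis."""
    return {name: unwrap(blob) for name, blob in extract_blobs(script).items()}


def build_sample_script() -> str:
    """Constructed stand-in for the campaign's loader script (not a real sample)."""
    inner_ps = b"function Invoke-Stage { [System.Reflection.Assembly]::Load($bytes) }"
    payload = b"MZ constructed-payload-not-a-real-PE"
    hex_stage = gzip.compress(inner_ps).hex()
    nona = ",".join(f"0x{b:02x}" for b in gzip.compress(payload))
    return (
        '$hexString = "%s"\n'
        "[byte[]]$nona = %s\n"
        "# the real script would now decompress $nona and hand it to the inner .NET module\n"
    ) % (hex_stage, nona)


if __name__ == "__main__":
    for name, data in recover_stages(build_sample_script()).items():
        print(name, data[:40])
```

Because the decompression routine shipped in the first $hexString is only needed at run time, the decoder calls gzip directly; the recovered stages can then be hashed, scanned and examined without the loader's anti-analysis logic ever executing.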

Phishing remains one of the most common ways criminals deliver malware because it works, but there are steps you can take to avoid becoming a victim. Treat unexpected emails that claim to hold important information in an attachment with suspicion, especially if the file asks you to enable macros first. Suitable anti-spam and anti-virus software, combined with training that teaches staff to recognise and report phishing emails, helps organisations keep employees from falling for them.

In 2021, the UK Government Was Flooded with Billions of Spam Emails

 

The UK government was bombarded with billions of phishing emails last year, and a large number of suspicious and fraudulent links were clicked by staff. Comparitech recently published a report on these fraudulent emails based on freedom of information responses from 260 government agencies.

According to Comparitech, 764,331 government employees received a total of 2.7 billion fraudulent emails, an average of 2,399 per employee. Most of these were most likely flagged as malicious and blocked by the relevant agency before they reached an inbox.

In 2021 staff opened 0.32 percent of malicious emails on average, and 0.67 percent of those openings led to an employee clicking a potentially dangerous link. On that basis Comparitech estimates that UK government employees may have clicked 57,736 suspicious links last year; any FOI responses that were unclear were excluded to avoid overstating the figure.

NHS Digital's 3,996 employees received 357 million fraudulent emails, or 89,353 per employee. Among other critical infrastructure bodies, rail infrastructure operator Network Rail Limited received 223 million malicious emails (5,033 per employee), and tax authority HM Revenue & Customs received 27.9 million spam emails (415 per employee).

In other cases the researchers' attempts to understand the government's ransomware exposure were hampered by a lack of transparency from respondents. "One government department reported in 2021 it had identified 97 data thefts over just 30 days. Seventy-one government agencies were also glad to announce that they had not been hit by ransomware in 2021; the remaining 187 didn't say whether or not they had. In 2021, only two government agencies disclosed that they had been the victims of a successful ransomware attack," said Paul Bischoff of Comparitech.

Top Israeli Officials Duped by Bearded Barbie Hackers

 

The Remcos RAT, which first appeared on hacking forums in 2016, continues to be aggressively promoted: it has been marketed, sold and offered as cracked copies across a range of websites and forums. In 2017 researchers found Remcos being distributed through a malicious PowerPoint slideshow carrying a CVE-2017-0199 exploit. Remcos is sold as commercial software that can be bought online.

An "elaborate campaign" targeting high-profile Israelis working in defense, law enforcement and emergency services has been attributed to a threat actor associated with Hamas's cyber warfare division. The Hamas-linked group, tracked as APT-C-23 (also known as AridViper), was found catfishing Israeli officials in defense, law enforcement and government institutions and deploying new malware against them.

Before delivering the spyware, the campaign relies on elaborate social engineering: fake social media personas and a patiently built relationship with each target. AridViper has previously run spear-phishing attacks against Palestinian law enforcement, military and educational institutions, as well as the Israel Security Agency (ISA). In February, researchers from Cisco Talos reported AridViper attacks on activists involved in the Israel-Palestine conflict.

The operators built several fake Facebook profiles using invented identities and stolen or AI-generated photographs of attractive women, and used these profiles to approach their targets. They spent months curating the profiles to make them look genuine, posting in Hebrew and liking Israeli organisations and popular pages. Each profile accumulates a network of friends who really are members of Israel's police, defense forces, emergency services or government. After chatting with a target for a while and gaining his trust, the operators suggest moving the conversation to WhatsApp, ostensibly for more privacy.

The Android chat app the target is then asked to install is in fact the VolatileVenom malware. On devices running versions before Android 10 its icon is hidden; on Android 10 it masquerades as the Google Play installer icon. When the victim tries to sign into the Wink Chat app, an error message says the app will be deleted, but VolatileVenom keeps running in the background with a wide range of espionage capabilities.

As part of the catfishing, the operators eventually send the target a RAR file supposedly containing explicit photos or videos. The archive actually holds the Barb(ie) downloader, which installs the BarbWire backdoor. One Barb(ie) sample found by Cybereason was named "Windows Notifications"; when executed it performs basic anti-analysis checks and, if the host looks suitable, connects to an embedded C2 server.

The C2 server delivers the BarbWire backdoor. The downloader also has a fallback for locating an alternative C2: if the attackers need to move away from the embedded address, they can send an SMS with the new destination, since the downloader intercepts all incoming SMS messages and can extract new C2 details from one before installing the backdoor. BarbWire steals PDFs, Office files, archives, images, videos and photos, among other file types. It also checks for external media such as CD-ROM drives, suggesting it is hunting for highly sensitive material that is carried around physically rather than sent over the internet. The stolen data is packed into a RAR archive and uploaded to the C2 server.

APT-C-23 reuses several techniques from its earlier operations against Israeli targets but keeps evolving, with new tools and more elaborate social engineering. Operation Bearded Barbie shares no infrastructure with past campaigns, a sign the group is trying to avoid detection. The use of two backdoors, one for Windows and one for Android, is a further escalation and gives the actor very active espionage coverage of compromised targets.

According to Arkose Labs, Bots Target Financial Organizations

 

It is no longer only adults who essentially live online: children as young as five use internet services for a wide range of activities, and the pandemic accelerated their adoption of the internet for lessons, entertainment and socialising.

In the preface to the company's report, 2022 State of Fraud & Account Security Report, Kevin Gosschalk, founder and CEO of Arkose Labs, writes: "A familiar term heard in the last few years is 'data is the new oil'. Data is the precious resource that feeds the digital world, which today permeates so much of our daily lives. Work, socializing, education, and a variety of other activities all take place primarily in the digital realm."

The firm cites a Bloomberg Intelligence estimate that the online "metaverse" could be worth $800 billion by 2024. "Fraudsters will have an immensely broader attack surface to target as a result of this," the report says. "Threat actors can corrupt smart appliances, connected autos, and virtual reality gadgets in addition to PCs and mobile devices."

According to the Arkose report, fraud attacks on financial institutions are increasing in both frequency and sophistication. Online fraud is up 85 percent in recent months, and well over a fifth of all internet traffic is attack traffic. Not only ordinary fraudsters but "Master Fraudsters", the most capable tier, are going after gaming, streaming and social media sites with full force. These are the most popular online pastimes for children and, as a result, the most dangerous.

Children may be comfortable online and able to navigate it like a pro, but they are not always aware of the dangers that lurk there and may not recognise when criminals are trying to exploit human gullibility.

The Arkose Labs analysis also highlighted an 85 percent year-over-year increase in attacks at the login or registration stage. "Once an existing account has been hijacked, attackers can monetize it in a variety of ways," Gosschalk writes, "including stealing bank information, reselling credentials, redeeming collected loyalty points, and more." The report adds: "Fake new accounts are employed in assaults like stock hoarding, content harvesting, and spam and phishing messaging."

The average individual now has over 100 passwords, according to the analysis, and abuse of financial information and credentials drove an 85 percent increase in login and registration attacks last year compared with 2020.

The analysis also noted that automated services make it easier to target more enterprises: scraping bots accounted for at least 45 percent of traffic on travel sites. Phishing, fraud and free-trial offers were meanwhile used to drive the growth in fake accounts compared with 2020. Financial firms and financial institutions have been major targets throughout.

A Worldwide Fraud Campaign Used Targeted Links to Rob Millions of Dollars

 

Large-scale phishing activity that uses hundreds of domains to steal credentials for Naver, a Google-like web platform in South Korea, shows infrastructure overlaps with the TrickBot botnet. The resources devoted to this operation illustrate the scale of the criminal effort to gather login data for use in further attacks.

Like Google, Naver offers a wide range of services, including web search, email, news and the NAVER Knowledge iN Q&A platform. Because of password reuse, its credentials can open the door to enterprise environments as well as ordinary user accounts.

Earlier this year, researchers at cyber intelligence firm Prevailion began their inquiry from a domain name shared by Joe Sowik, mailmangecorp[.]us, which led them to a "vast network of targeted phishing infrastructure designed to gather valid login credentials for Naver." While investigating the hosting infrastructure used to serve the Naver-themed phishing pages, PACT analysts also found overlaps with the WIZARD SPIDER (TrickBot) network.

In the related fraud campaign, scammers lured victims with fake surveys and giveaways purporting to come from well-known brands; the lure served to harvest victims' personal information and credit card details. Tens of millions of people in 91 countries, including the United States, Canada, South Korea and Italy, were targeted.

To attract potential victims the criminals sent out invitations to complete a survey with the promise of a prize on completion. The campaign was pushed through advertising on both legitimate and illegitimate websites, contextual advertising, SMS and email messages, and pop-up notifications, and lookalike domains modelled on genuine ones were registered to win the victims' trust. 542 unique domains were linked to the operation, 532 of them used for Naver-themed phishing. The operator was found to register groups of domains under a single email address and point them at a single IP address.
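The pivot from one seed domain to hundreds of related ones works exactly as the last sentence describes: shared registrant emails and shared hosting IPs link the domains together. Here is that pivot as an added example, not Prevailion's or Group-IB's code, run over a small set of constructed registration and hosting records; the seed is a stand-in for the real mailmangecorp[.]us, and the domains, IPs and emails are all made up. A second helper then flags labels that are the brand name or one edit away from it, the lookalike pattern the campaign relied on.

```python
"""
Added example, not Prevailion's or Group-IB's code: cluster domains by shared
hosting IP / registrant email starting from a seed, then flag brand
lookalikes.  All records are constructed.
"""
from collections import defaultdict, deque

# (domain, hosting IP, registrant email) -- constructed, not from any report
RECORDS = [
    ("mailmangecorp.example", "198.51.100.10", "reg-a@example.net"),
    ("naver-login.example",   "198.51.100.10", "reg-b@example.net"),
    ("navr-mail.example",     "198.51.100.11", "reg-b@example.net"),
    ("nver-account.example",  "198.51.100.11", "reg-c@example.net"),
    ("naver-secure.example",  "203.0.113.5",   "reg-d@example.net"),
    ("flower-shop.example",   "192.0.2.77",    "owner@example.org"),
]


def pivot_cluster(records, seed: str) -> set:
    """All domains reachable from `seed` through shared IPs or registrant emails."""
    by_domain = defaultdict(set)      # domain -> {("ip", x), ("email", y)}
    by_value = defaultdict(set)       # ("ip"|"email", value) -> {domains}
    for domain, ip, email in records:
        for key in (("ip", ip), ("email", email)):
            by_domain[domain].add(key)
            by_value[key].add(domain)
    seen, queue = {seed}, deque([seed])
    while queue:                       # breadth-first walk over the bipartite graph
        for key in by_domain[queue.popleft()]:
            for other in by_value[key] - seen:
                seen.add(other)
                queue.append(other)
    return seen


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_lookalikes(domains, brand: str, max_edits: int = 1) -> list:
    """Domains whose second-level label contains the brand or a near-typo of it."""
    hits = []
    for d in sorted(domains):
        for token in d.split(".")[0].split("-"):
            if edit_distance(token, brand) <= max_edits:
                hits.append(d)
                break
    return hits


if __name__ == "__main__":
    cluster = pivot_cluster(RECORDS, "mailmangecorp.example")
    print(sorted(cluster))
    print(brand_lookalikes(cluster, "naver"))
```

Note what the walk does not do: it never claims naver-secure.example is related, because nothing links it to the seed. Shared hosting on a large provider is a weak link, so in practice each hop is weighted by how many unrelated domains sit behind the same value before it is trusted.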

Two Cobalt Strike beacon variants on VirusTotal were linked to 23.81.246[.]131, the researchers say, as part of a campaign that used CVE-2021-40444 to spread Conti ransomware, a typical TrickBot payload. In the survey scam, the final page is personalised as closely as possible to the victim's interests, and the customised link can only be opened once, which makes detection considerably harder and lets the scheme run for longer.

The victim is told they are eligible for a prize and must supply personal information to claim it: full name, email and postal addresses, phone number, and credit card details including expiry date and CVV. Prevailion believes one explanation for its findings is that the criminals operate on an "infrastructure-as-a-service" model.

Users at Citibank Attacked by a Massive Phishing Scam

 

Scammers impersonating Citibank are targeting the bank's customers in a new phishing campaign. According to Bitdefender's Antispam Lab, thousands of bogus emails have been sent to customers with the aim of harvesting sensitive personal information and online banking passwords.

The emails claim that the recipient's account has been placed on hold in response to unusual activity or an unauthorised login attempt, and that the customer must verify the account as soon as possible to avoid it being permanently closed.

Bitdefender's telemetry shows the campaign is focused primarily on the United States, with 81 percent of the phishing emails landing in the mailboxes of American Citibank customers. It also reached the United Kingdom (7 percent) and South Korea (4 percent), with a small number making it to Canada, Ireland, India and Germany. As for origin, 40 percent of the fake emails appear to have been sent from the United States and 13 percent from IP addresses in Mexico.

To get Citibank clients to open the emails, the criminals use subject lines such as "Account Confirm Confirmation Required," "Second Reminder: Your Account Is On Hold," "Urgent: Account Confirmation Required," "Security Alert: Your Account Is On Hold," and "Urgent: Your Citi Account Is On Hold."

Although some of the emails carry the official Citibank logo to look more convincing, the senders did not bother to spoof the sender address properly or to fix the punctuation errors in the message body.

Another tactic is to cite fake transactions or payments and suspicious login attempts in emails made to look as if they come from Citibank itself, to pressure potential victims into "verifying" real accounts. Clicking the verify button takes the victim to a cloned copy of the legitimate Citibank homepage; any customer who gets this far and enters their credentials hands them to the fraudsters for use in later attacks.
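The sloppy sender spoofing and the urgent subject lines noted above are exactly what a mailbox triage check can key on. The following is an added example, not Bitdefender's code: it parses a raw message and reports a From address that does not match the Return-Path, a failed SPF/DKIM result in Authentication-Results, urgency phrases in the subject, and links whose visible text names the bank while the href points elsewhere. Both messages are constructed, and the brand domain and phrase list are assumptions to tune per deployment.

```python
"""
Added example (not Bitdefender's code): header and link triage for a
suspected bank phishing email.  The two messages below are constructed.
"""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser

URGENT_PHRASES = ("account is on hold", "urgent", "confirmation required", "security alert")
BRAND_DOMAIN = "citi.com"         # assumption: the impersonated brand's real domain


def domain_of(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def host_of(url: str) -> str:
    return re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].split(":")[0].lower()


def is_brand_host(host: str) -> bool:
    return host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from HTML."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw: str) -> list:
    """Return the indicator strings found in the message (empty list = clean)."""
    msg = email.message_from_string(raw)
    found = []
    from_dom, rp_dom = domain_of(msg.get("From", "")), domain_of(msg.get("Return-Path", ""))
    if rp_dom and from_dom != rp_dom:
        found.append(f"from/return-path mismatch ({from_dom} vs {rp_dom})")
    auth = (msg.get("Authentication-Results") or "").lower()
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            found.append(f"{mech} {m.group(1)}")
    subject = (msg.get("Subject") or "").lower()
    if any(p in subject for p in URGENT_PHRASES):
        found.append("urgency in subject")
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode("utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        if BRAND_DOMAIN in text.lower() and not is_brand_host(host_of(href)):
            found.append(f"link text names {BRAND_DOMAIN} but points to {host_of(href)}")
    return found


PHISH = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Citi Alerts" <alerts@citi.com>
To: customer@example.org
Subject: Urgent: Your Citi Account Is On Hold
Content-Type: text/html; charset=utf-8

<html><body><p>We detected an unauthorised login attempt , verify now.</p>
<a href="http://secure-citi-verify.example.com/login">https://online.citi.com/</a></body></html>
"""

LEGIT = """\
Return-Path: <alerts@citi.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=citi.com; dkim=pass header.d=citi.com
From: "Citi Alerts" <alerts@citi.com>
To: customer@example.org
Subject: Your monthly statement is available
Content-Type: text/html; charset=utf-8

<html><body><a href="https://online.citi.com/statements">View at citi.com</a></body></html>
"""

if __name__ == "__main__":
    print(phishing_indicators(PHISH))
    print(phishing_indicators(LEGIT))   # []
```

Only the Authentication-Results header written by your own receiving mail server should be trusted; an attacker can insert one of their own, so strip or ignore any such header that does not carry your server's authserv-id.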

Bitdefender also spotted another large-scale phishing campaign, live between February 11 and 15, 2022, that offered victims the chance to claim cash compensation from the United Nations. In this case the lure tells the recipient that they have been identified as a scam victim, one of 150 people declared eligible for a $5 million payout via Citibank.

Banks rarely send SMS or email alerts about critical account changes, so anyone who receives a message making strong claims should contact the bank and ask to speak to an agent. Rather than calling the phone numbers in the email, look up the contact details on the bank's official website.

Massive Data Theft and Bot Attacks Target Job Seekers

 

Job seekers are attractive targets for social engineering because applicants are emotionally vulnerable and eager to provide whatever information might help them land the job. With the "Great Resignation" in full swing, cybercriminals are finding it easier than ever to locate the next victim.

In this instance the victim was a job board operating in six countries. The aim of the attack was to harvest job seekers' data from the site.

Since February 1, experts have seen a 232 percent increase in phishing emails impersonating LinkedIn that try to trick job seekers into handing over credentials. According to the Egress team, the emails carried subject lines such as "Searching for a suitable candidate online," "You mentioned in 4 searches this week," and even "You have 1 new message."

The OWASP Foundation classifies web scraping as an automated threat (OAT-011), defined as collecting accessible data or processed output from an application. While scraping sits on a fine line between legitimate reporting and data privacy violation, it remains one of the most common automated attacks affecting businesses today, according to Imperva.

Imperva did not name the company, but said it saw 400 million bot requests from 400,000 IP addresses over four days in an attempt to harvest all of the site's job seeker data. Similar techniques are used in "scalping" attacks, which aim to buy in-demand, limited-edition products for resale at a higher price. Imperva blocked one such operation on a retailer's website around Black Friday week: nine million bot requests in just 15 minutes, 2,500 percent above its normal traffic rate.

Many people are used to receiving legitimate LinkedIn notifications regularly and may click without double-checking. Individual users remain responsible for knowing what data they share publicly and how it can be used to trick them into clicking a malicious link.

Group-IB Found 140 Resources with Fraudulent Schemes under the Guise of Olympic Games Broadcasts

 

Group-IB experts have identified 140 web resources that, under the guise of live broadcasts of the Winter Olympic Games in Beijing, redirect users to fraudulent and phishing sites. Most of them have already been blocked.

"After the opening of the XXIV Winter Olympic Games in Beijing, the specialists of the Information Security Incident Response Center (CERT-GIB) found 140 active resources that were used to host illegal broadcasts and, through them, for scamming and phishing. In total, 289 sites could potentially be involved in the scheme," the experts said.

The largest fraudulent network is Kinohoot, with more than a hundred resources. During the Summer Olympic Games in Tokyo, CERT-GIB specialists found 120 resources of the same type set up for fraudulent live broadcasts.

Group-IB explained that on a page of a compromised site the user sees a video player with an embedded link to the "live broadcast" and Winter Olympics branding. To watch, users must register, enter their phone number and supply a special access code, which leads them on to phishing resources.

The attackers may also invite users into a prize draw for free access to the broadcasts; to receive a cash prize the user must pay a "conversion fee", usually 300-500 rubles ($4-7), by entering bank card details on a phishing page or sending an SMS to a specified number. Instead of a broadcast, the victim ends up signed up to various paid services and subscriptions.

"Such Internet scams have been known for quite a long time, but scammers constantly adjust their schemes to popular or significant events in the world and, of course, use newly registered domains for this. In this scheme, in order to gain the trust of the victim, the redirect is often placed on legitimate hacked sites, for example, universities (Ecuadorian Universidad Espíritu Santo or Indonesian Universitas Muhammadiyah Yogyakarta), charitable foundations and non-profit organizations (African Studies Association)," said the head of CERT-GIB Alexandra Kalinina.

Group-IB recommends following the Olympic competitions only on official resources, being wary of prize draws, and never entering bank card or personal data on suspicious sites.

Hackers Linked to Palestine Use the New NimbleMamba Malware

 


A Palestinian-aligned hacking group has used a novel malware implant against Middle Eastern governments, foreign policy think tanks and a state-affiliated airline as part of "highly targeted intelligence collection activities." Proofpoint researchers detail the recent activity of MoleRATs, a well-known and well-documented Arabic-speaking group, and its ongoing deployment of a new intelligence-gathering trojan dubbed "NimbleMamba."

NimbleMamba uses guardrails to ensure that every infected host lies within TA402's target region, and it uses the Dropbox API both for command and control and for data exfiltration. The malware also has a number of features that hinder automated and manual analysis. It is under active development, well maintained and built for use in highly targeted intelligence collection operations.

The operators of MoleRATs, also known as TA402, are "changing the methodologies while developing these very neatly done, specialized and well-targeted campaigns," according to Sherrod DeGrippo, Proofpoint's vice president of threat analysis and detection.

TA402 sends spear-phishing emails containing links to malware-distribution sites. The sites check the visitor's IP address: if it falls within the targeted region, a RAR file carrying NimbleMamba is dropped on the machine; otherwise the visitor is redirected to a legitimate site. Three distinct attack chains were found, differing slightly in the phishing lure theme, the redirection URL and the malware-hosting site.

In a campaign from November 2021, the attackers impersonated the Quora website. If the target's IP address matched one of roughly two dozen geofenced country codes, the victim was redirected to a domain serving NimbleMamba; otherwise the user was sent to a legitimate news site. 

Another campaign, launched in December 2021, used target-specific lures such as medical content or sensitive geopolitical information, and delivered the malware via Dropbox URLs.

In a third campaign, which ran from December to January, the attackers used a different lure for each victim and delivered the malware via an attacker-controlled WordPress URL that only served the payload to targets in specific countries. 

NimbleMamba contains "various capabilities intended to confuse both automatic and manual analysis," and the researchers reiterate that the malware is "currently being produced, is well-maintained, and tailored for use in highly focused intelligence collection programs." 

Russian Hackers Employ Malicious Traffic Direction Systems to Spread Malware



Researchers have found possible links between a subscription-based crimeware-as-a-service (CaaS) offering and a cracked copy of Cobalt Strike, which they presume is being sold to customers as a tool for post-exploitation operations. 

The service is called Prometheus. It shares its name with, but is otherwise unrelated to, the open-source Prometheus monitoring and alerting toolkit used by hundreds of cloud-native companies, Uber, Slack and Robinhood among them; that toolkit scrapes metrics such as memory and network use from application endpoints and has historically shipped without built-in authentication or TLS on the grounds that the numeric metrics it collects are not sensitive. None of that has anything to do with the crimeware described here.

The criminal Prometheus is advertised on Russian underground forums as a traffic direction system (TDS) that performs bulk phishing redirection to rogue landing pages built to deliver malware payloads to targeted computers, for $250 per month. 

"A system of a malicious technology, malicious email circulation, illicit folders across authorized platforms, traffic diversion, and the capacity to deliver infected files are the significant elements of Prometheus," the BlackBerry Research and Intelligence Team stated in a report. 

The redirection originates from one of two places: malicious advertisements on ordinary websites, or websites that have been compromised to host malicious code. The attack chain begins with a spam email carrying an HTML file or a link to a Google Docs page; when opened, it sends the victim to a compromised website hosting a PHP backdoor that fingerprints the machine to decide whether to serve malware or redirect the user to another page, which may host a phishing scam.

While TDSes are not a novel concept, the level of sophistication, the support offered and the low price lend weight to the hypothesis that this is a trend likely to grow in the threat landscape in the near future, the researchers wrote.

Separately, anyone running the open-source Prometheus monitoring toolkit, which is not the crimeware discussed above, should check whether its metrics endpoints were reachable without authentication before the project added basic authentication and TLS support, and whether anything sensitive was exposed through them during that time.

US Arrested Multi-year Phishing Scam Suspect

 

An Italian man accused of running a multi-year phishing scheme to steal hundreds of unpublished book manuscripts from well-known authors, including Margaret Atwood and Ethan Hawke, has been arrested. If convicted he faces up to 20 years in prison for wire fraud and a further two years for aggravated identity theft. 

The Department of Justice said the man, 29-year-old Filippo Bernardini, was arrested by the FBI on Wednesday at John F. Kennedy International Airport in New York. He worked at the London office of publisher Simon & Schuster and allegedly impersonated editors, agents and other publishing-industry personnel to fraudulently obtain manuscripts of unpublished books. 

“We were shocked and horrified on Wednesday to learn of the allegations of fraud and identity theft by an employee of Simon & Schuster UK. The employee has been suspended pending further information on the case…” Simon & Schuster said in a statement to Variety. 

“…The safekeeping of our authors’ intellectual property is of primary importance to Simon & Schuster, and for all in the publishing industry, and we are grateful to the FBI for investigating these incidents and bringing charges against the alleged perpetrator.” 

According to the agencies, the scheme began in August 2016. Bernardini used fake email addresses tied to more than 160 domains that spoofed literary talent agencies, literary scouting agencies and publishing houses. 

He also sent phishing emails to employees of a New York City-based literary scouting company and obtained their credentials, which gave him access to the company's database of synopses and other information about upcoming books. 

"These prepublication manuscripts are valuable, and the unauthorized release of a manuscript can dramatically undermine the economics of publishing, and publishing houses generally work to identify and stop the release of pirated, prepublication, manuscripts," the Department of Justice said today. 

"Such pirating can also undermine the secondary markets for published work, such as film and television, and can harm an author’s reputation where an early draft of the written material is distributed in a working form that is not in a finished state."

Bracing for Evolving Phishing Frauds

 

Phishing remains the most common type of cybercrime, and as social engineering attacks grow more advanced the trend is likely to continue in 2022. The numbers are worrying: phishing accounts for more than 80% of reported security incidents. 

In fact, phishing attacks have succeeded against 74 percent of firms in the United States. Companies must be watchful and proactive in putting a defence strategy in place, as phishing will remain the favoured method of attack for cybercriminals in the coming year. Phishing attacks can compromise infrastructure, and organizations should plan ahead and expect to invest more in preventive measures in 2022 than they did in 2021. 

Phishing takes a new turn 

As cybercriminals become more sophisticated, here are some of the tactics businesses should be aware of. It will become considerably harder to distinguish spoofed emails from legitimate ones, and cleverly worded subject lines such as "Changes to your health benefits" or "Unusual login detected" are designed to alarm recipients into acting. 

Other common lures include denied memberships, fraudulent subscription calls-to-action, and billing and payment warnings. Fraudsters are also becoming more sophisticated in their use of deceptive links, and users who are not paying attention can be tricked into clicking through to malicious websites. Social engineering will take phishing to a new level: AI-based tactics, such as cloning someone's voice to elicit sensitive information, will become more common. 

A good offense is the best defense

The good news for businesses is that they can use artificial intelligence (AI), email security, and cybersecurity training to protect themselves from more sophisticated phishing assaults. Investing in AI-based preventative tools that track and examine email communications is the first line of defence. 

A good AI-based solution profiles external senders and employees: the devices they use, whom they message, what time of day they communicate, and where they communicate from. This data is used to build trusted sender profiles against which incoming emails are compared to authenticate the sender and detect sophisticated phishing attempts. AI-based monitoring software may even scan images for fake login pages and altered signatures, then quarantine malicious emails immediately so that the end user never sees them. 
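The sender-profiling idea above can be shown without any machine learning. The following is an added example, not the logic of any product named on this page: it builds a profile of each trusted display name (the addresses and send hours seen for it) from a constructed message history, then scores an incoming message for display-name impersonation, a lookalike domain, an unusual send hour, and a Reply-To that points somewhere else. All headers, domains and timestamps are constructed; a real deployment would feed parsed headers from the mail gateway.

```python
"""Trusted-sender profiles and a simple phishing score for incoming mail.

Added example; not vendor code. History and test messages are constructed.
"""
from collections import defaultdict
from datetime import datetime
from email.utils import parseaddr

# Constructed history of (From header, ISO timestamp) for mail that reached
# the mailbox and was not reported as suspicious.
HISTORY = [
    ("Jane Doe <jane.doe@example-corp.com>", "2022-02-01T09:12:00"),
    ("Jane Doe <jane.doe@example-corp.com>", "2022-02-03T10:40:00"),
    ("Jane Doe <jane.doe@example-corp.com>", "2022-02-07T15:05:00"),
    ("Payroll <payroll@example-corp.com>", "2022-02-04T08:30:00"),
]


def edit_distance(a, b):
    """Levenshtein distance, used to catch lookalike domains (exampie vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def build_profiles(history):
    """Map each display name to the addresses and send hours seen for it."""
    profiles = defaultdict(lambda: {"addresses": set(), "hours": set()})
    for from_hdr, ts in history:
        name, addr = parseaddr(from_hdr)
        profile = profiles[name.casefold()]
        profile["addresses"].add(addr.casefold())
        profile["hours"].add(datetime.fromisoformat(ts).hour)
    return profiles


def known_domains(profiles):
    """Every domain that a trusted sender has used."""
    return {a.split("@")[1] for p in profiles.values() for a in p["addresses"]}


def score_message(profiles, from_hdr, ts, reply_to=None):
    """Return the findings for one incoming message; an empty list means nothing odd."""
    name, addr = parseaddr(from_hdr)
    addr = addr.casefold()
    domain = addr.split("@")[-1]
    hour = datetime.fromisoformat(ts).hour
    findings = []

    profile = profiles.get(name.casefold())
    if profile and addr not in profile["addresses"]:
        findings.append("display name matches a trusted sender but the address is new")
    if profile and hour not in profile["hours"]:
        findings.append(f"sent at hour {hour}, outside this sender's usual hours")
    for known in known_domains(profiles):
        if domain != known and edit_distance(domain, known) <= 2:
            findings.append(f"domain {domain} looks like trusted domain {known}")
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        if rt_addr.casefold().split("@")[-1] != domain:
            findings.append("Reply-To domain differs from From domain")
    return findings


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    print(score_message(profiles, "Jane Doe <jane.doe@example-corp.com>",
                        "2022-02-10T09:30:00"))
    print(score_message(profiles, "Jane Doe <jane.doe@exampie-corp.com>",
                        "2022-02-10T23:45:00",
                        reply_to="Jane Doe <reply@webmail.example>"))
```

The thresholds (an edit distance of 2, exact hour matching) are deliberately crude; the point is which signals a profile makes available, not the scoring.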

Another preventive step is email security tooling. Technology that displays warning banners and flags suspicious emails is useful because it lets users quarantine a message or mark it as safe with a single click. Compromised passwords are routinely used to launch attacks; an identity and access management (IAM) tool bundles single sign-on (SSO), multifactor authentication (MFA) and password management. 

Another way to reduce the risk that comes with passwords is passwordless authentication, which confirms a user's identity with biometrics such as fingerprints, or with one-time codes delivered by email, by SMS or through an authenticator app. One caveat: a one-time code, however it is delivered, can be captured by a phishing page and relayed to the real site within the seconds it remains valid, so it does not by itself stop a well-run phishing operation. Only credentials that are bound to the site's origin, such as FIDO2/WebAuthn security keys, resist that relay. 
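To make the difference concrete, the block below is an added example, not code from the original post. It implements RFC 6238 TOTP with the standard library and plays out the relay: the victim types the code into a phishing page and the attacker submits it to the real site a few seconds later, which the server accepts. It then models an origin-bound credential. The WebAuthn signature is simplified here to an HMAC with a per-credential secret, a stand-in for the real public-key signature, which is enough to show that the origin the browser is actually on is part of what gets signed, so an assertion produced on the phishing origin fails at the real site no matter what the relay claims. The seed is the RFC 6238 test-vector secret; the origins, challenge and credential secret are constructed.

```python
"""Real-time relay against TOTP versus an origin-bound credential.

Added example; not code from the original post. totp() follows RFC 6238
(HMAC-SHA1, 30 s step, 6 digits). The origin-bound part is a simplification
of WebAuthn that uses an HMAC instead of a public-key signature.
"""
import base64
import hashlib
import hmac
import struct

# RFC 6238 test-vector secret ("12345678901234567890") in base32.
RFC_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the counter floor(at / step)."""
    key = base64.b32decode(secret_b32)
    counter = int(at // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret_b32, code, at, step=30, skew=1):
    """Accept the current code and one step either side, as most servers do."""
    return any(
        hmac.compare_digest(totp(secret_b32, at + d * step, step), code)
        for d in range(-skew, skew + 1)
    )


def relay_totp_through_phishing_page(secret_b32, now, relay_delay=5):
    """Phishing page collects the code the victim reads from their app and
    replays it to the real site a few seconds later. Returns True: it works."""
    code_typed_into_phishing_page = totp(secret_b32, now)
    return verify_totp(secret_b32, code_typed_into_phishing_page, now + relay_delay)


# --- origin-bound credential (simplified WebAuthn-style flow) ---------------
REAL_ORIGIN = "https://login.example.com"                 # constructed
PHISH_ORIGIN = "https://login-example.com.evil.test"      # constructed lookalike
CRED_KEY = b"constructed per-credential secret; stands in for the private key"


def authenticator_sign(cred_key, challenge, origin):
    """The browser tells the authenticator which origin it is really on, and
    the authenticator signs that origin together with the site's challenge."""
    client_data = f"{origin}|{challenge}".encode()
    return hmac.new(cred_key, client_data, hashlib.sha256).hexdigest()


def rp_verify(cred_key, challenge, assertion, expected_origin=REAL_ORIGIN):
    """The relying party recomputes over its own origin. An assertion made on
    any other origin cannot match, whatever origin the relay claims to be."""
    expected = authenticator_sign(cred_key, challenge, expected_origin)
    return hmac.compare_digest(expected, assertion)


def relay_assertion_through_phishing_page(challenge="constructed-challenge-42"):
    """Attacker fetches a challenge from the real site, has the victim's
    browser (on PHISH_ORIGIN) sign it, and forwards the result. Returns False."""
    assertion_from_victim = authenticator_sign(CRED_KEY, challenge, PHISH_ORIGIN)
    return rp_verify(CRED_KEY, challenge, assertion_from_victim)


if __name__ == "__main__":
    print("relayed TOTP accepted:", relay_totp_through_phishing_page(RFC_SEED, 1_600_000_000))
    print("relayed origin-bound assertion accepted:", relay_assertion_through_phishing_page())
```

The skew window in verify_totp is what gives the attacker room to work: a 30-second step with one step of tolerance either side means a relayed code stays good for up to a minute and a half, far longer than an automated relay needs.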

Finally, a company is only as strong as its employees, which is why security training matters. Employees are the last line of defence once a message reaches the inbox. Raising security awareness can cut an organization's odds of suffering a cybersecurity incident by up to 70%. Security awareness training should be part of onboarding, and phishing simulation campaigns should run regularly, at least once a month. 

While that may seem excessive, research shows that four to six months after each training session, employees begin to forget what they learned. With hybrid workplaces becoming widespread after the pandemic, more than half of remote workers use email as their main mode of contact, which underlines the importance of security awareness training. 
 
According to the FBI, firms in the United States lost more than $1.8 billion to business email compromise (BEC) and spear phishing last year, and phishing scams caused adjusted losses of more than $54 million. Given that phishing remains a popular form of intrusion, it is reasonable to expect those numbers to keep rising. 

Organizations can help defend themselves by using AI to build a security platform that detects threats, together with stronger email security controls and employee training.

190 Australian Organisations Left Vulnerable to Phishing Attacks

 

An "extremely permissive" Sender Policy Framework record exposed 190 Australian organizations to business email compromise and phishing by allowing criminals to send mail that passed as coming from verified sender addresses. 

The Sender Policy Framework (SPF) is an anti-spoofing mechanism: a domain owner publishes in the Domain Name System (DNS) the Internet Protocol addresses that are allowed to send email for the domain, and receiving mail systems check the connecting server's address against that list. 

Sebastian Salla of Sydney security vendor Can I Phish found that an unnamed city council in Queensland had added to its SPF record every IP address that Amazon Web Services publishes for Elastic Compute Cloud (EC2) instances in Australia. 

That came to more than 1,000,000 IPv4 addresses, posing a risk to many organizations' email supply chain, according to Salla. 

“Each of the affected 190 organizations and their downstream customers is at an extreme risk to business email compromise and phishing-related attacks,” Salla wrote.

“Anyone with a credit card can sign-up for an AWS account, spin up an EC2 instance, request AWS to remove any SMTP restrictions, and begin sending SPF authenticated emails as though they are any of these organizations.” 

Salla's tests showed that he was able to send SPF-authenticated emails that passed all checks. By analysing the record he determined that it had been produced for customers of an Australian managed service provider and internet development company. 

He also said the managed service provider has since fixed the problem. Salla found that the over-permissive SPF record had been created about three years earlier, leaving the affected businesses exposed for all that time. 

Salla said the MSP has “removed all the overly permissive /16 address blocks and replaced them with single IP addresses for the mail servers that are actually under their control” – thus applying “the fix to all affected customers at once”.
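The check Salla describes can be automated. The block below is an added example, not code from the original post or from Can I Phish: it expands an SPF record, following include: and redirect= mechanisms, counts how many addresses the record authorises, and flags any IPv4 block broader than a /24, which almost never belongs in an SPF record. DNS is replaced by the constructed RECORDS table so the script runs offline; the two council domains, the MSP include domain and the 10.x /16 blocks are all constructed stand-ins for the real records described above. It also counts DNS-querying mechanisms against the ten-lookup limit from RFC 7208, since records that accumulate includes tend to break that too.

```python
"""Audit an SPF record for over-permissive ip4/ip6 blocks.

Added example; not code from the original post or from Can I Phish. DNS TXT
lookups are replaced by the constructed RECORDS table so this runs offline;
resolve_txt() is where a real deployment would query DNS.
"""
import ipaddress

# Constructed records for illustration only; the 10.x /16 blocks stand in for
# the large cloud address ranges described in the post.
RECORDS = {
    "example-council.gov.au": (
        "v=spf1 ip4:203.0.113.10 ip4:10.20.0.0/16 ip4:10.21.0.0/16 "
        "include:_spf.example-msp.com.au -all"
    ),
    "_spf.example-msp.com.au": "v=spf1 ip4:198.51.100.0/24 ~all",
    "fixed-council.gov.au": "v=spf1 ip4:203.0.113.10 ip4:198.51.100.25 -all",
}

MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms per evaluation


def resolve_txt(domain):
    """Stand-in for a DNS TXT query; returns the SPF record text or None."""
    return RECORDS.get(domain)


def expand_spf(domain, lookups=None):
    """Return (networks, all_qualifier, unresolved, lookups) for a domain,
    following include: and redirect= recursively."""
    if lookups is None:
        lookups = []
    record = resolve_txt(domain)
    if record is None or not record.startswith("v=spf1"):
        return [], None, [f"{domain}: no SPF record"], lookups

    networks, unresolved, all_qualifier = [], [], None
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            if qualifier == "+":  # a -ip4: term excludes rather than authorises
                networks.append(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith(("include:", "redirect=")):
            target = term[8:] if term.startswith("include:") else term[9:]
            lookups.append(target)
            if len(lookups) > MAX_LOOKUPS:
                unresolved.append(f"{target}: beyond the {MAX_LOOKUPS}-lookup limit")
                continue
            sub_nets, sub_all, sub_unres, _ = expand_spf(target, lookups)
            networks.extend(sub_nets)
            unresolved.extend(sub_unres)
            if term.startswith("redirect=") and sub_all is not None:
                all_qualifier = sub_all  # redirect adopts the target's "all"
        elif term == "all":
            all_qualifier = qualifier
        else:
            # a, mx, ptr and exists need live DNS; report rather than guess
            unresolved.append(f"{domain}: {term} not resolved offline")
    return networks, all_qualifier, unresolved, lookups


def audit_spf(domain, max_v4_prefix=24):
    """Summarise how many addresses may send as `domain` and flag IPv4 blocks
    broader than /max_v4_prefix."""
    networks, all_qualifier, unresolved, lookups = expand_spf(domain)
    broad = [str(n) for n in networks if n.version == 4 and n.prefixlen < max_v4_prefix]
    return {
        "domain": domain,
        "authorised_addresses": sum(n.num_addresses for n in networks),
        "broad_blocks": broad,
        "all": all_qualifier,
        "dns_lookups": len(lookups),
        "unresolved": unresolved,
        "risky": bool(broad) or all_qualifier in ("+", "?"),
    }


if __name__ == "__main__":
    for name in ("example-council.gov.au", "fixed-council.gov.au"):
        print(audit_spf(name))
```

A "risky" result means either a block wide enough that strangers can obtain an address inside it, or an all mechanism of +all or ?all that authorises the whole Internet. The fixed record lists only the individual mail servers, which is what the MSP's remediation above amounts to.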

Fake site of Yandex-Bank, which has not yet been launched, has appeared on the Internet

A fake website for Yandex Bank, which has not yet launched, has appeared online. The bank itself has not yet begun full operations, but a fake site is already up. Through such sites, fraudsters can collect personal data for resale, or use it for phishing and for attacks on the real bank and its customers. Experts note that although blocking a fake site takes no more than two days, the frequency with which they appear is a serious problem for banks.

The site copies the real bank's branding but is not very informative. That does not set it apart from the original, which itself contains only a notice that "Yandex Bank will be here", current vacancies, and the disclosures banks are required to publish.

The fake domain, in which the words of the original domain are simply rearranged, was registered by a private individual on September 29, according to WHOIS data: the day after the official announcement of the bank's renaming from "Acropolis" to Yandex Bank.

Yandex has not disclosed plans to launch financial services. The company's press service said the resource "is not related to Yandex and may mislead users." The Central Bank did not respond to a request for comment.

As a rule, the creators of fake websites aim to steal personal data in order to resell it on the black market.

"One such application (full name, number, even without passport data) can cost 3 thousand rubles ($40). The most expensive prices are for applications from a potential borrower for a mortgage," the expert said.

"Void Balaur" Cyber Mercenary Group Unveiled by Trend Micro

 

In a prolific campaign of financially motivated attacks running since 2015, a hacker-for-hire operation run by cyber mercenaries has targeted thousands of individuals and organizations around the world. 

Human rights activists, journalists, politicians, telecommunications engineers and medical professionals are among those targeted by the group, according to Trend Micro researchers, who have named it Void Balaur after a multi-headed creature from Eastern European folklore. 

Since 2018 the group has advertised its services on Russian-language forums. Its main offerings are breaking into email and social media accounts, and obtaining and selling sensitive personal and financial information. Some of its attacks also plant information-stealing malware on victims' devices. 

It appears to make little difference who the targets are, as long as those behind the attacks are paid by their customers. Only a few operations are active at any one time, but those that are receive Void Balaur's full attention. 

"There will just be a dozen targets a day, usually less. But those targets are high-profile targets -- we found government ministers, members of parliaments, a lot of people from the media, and a lot of medical doctors," Feike Hacquebord, senior threat researcher for Trend Micro told. 

Among those attacked are a former intelligence chief and five active members of the administration in an undisclosed European country. People and institutions being targeted are located all over the world, including North America, Europe, Russia, and India, to name a few. 

Several of the attacks appear politically motivated, aimed at people in countries where governments may violate the victim's human rights if they are exposed. Like much other malicious hacking activity, many Void Balaur attacks begin with phishing emails targeted at the chosen victim. The group also claims to be able to access certain email accounts with no user interaction at all, and sells that service at a premium over its other offerings. 

Many campaigns run for a long time. One against an undisclosed large Russian conglomerate, for example, remained active from at least September 2020 to August 2021 and targeted not only the owners of the businesses but also their family members and senior staff across all the companies in the group. 

"There's a set of companies owned by one person and his family members were targeted, the CEOs of the companies were being targeted, and that all happens over more than one year," said Hacquebord.

HM Treasury of UK Received Five Million Malicious Emails in Past Three Years

 

HM Treasury, the UK government department responsible for the country's financial policy, has been hit by almost five million malicious emails in the past three years, official figures show. 

A Freedom of Information (FoI) request submitted by the think tank Parliament Street revealed that 4,870,389 phishing, malware and spam emails targeting HM Treasury were blocked in this period. This comprised 1,271,207 malicious emails from October 2018 to September 2019, 1,918,944 from October 2019 to September 2020, and 1,680,238 from October 2020 to September 2021. 

The figures come as Chancellor Rishi Sunak prepares to deliver the UK government's annual budget, which is expected to include cybersecurity pledges such as funding to narrow the digital skills gap. 

They highlight the growing determination of threat actors to access and steal confidential government information. Earlier this week, Parliament Street disclosed that more than 126 million malicious emails had been sent to House of Commons inboxes this year, a 358% increase over the full-year figure for 2020. There was no data on how many threats slipped past email filters over this period. 

The number of malicious emails blocked by HoC filters in 2018 was 15.7 million, which surged to nearly 30.3 million in 2019, but then dropped again to almost 28 million in 2020. With 126.4 million malicious emails recorded up to September this year, Parliament Street believes the total for 2021 could reach as high as 150 million.

“The ever-present cyber threat facing public sector organizations is not going to disappear any time soon. In fact, recent trends indicate that cyber-attacks are likely to become more sophisticated, and criminals will find new ways to breach systems, disrupt apps and websites, and steal sensitive data,” Chris Ross, SVP International for Barracuda Networks, said. 

“This is why it is imperative the organizations defend themselves from all angles, with web application firewalls, to protect cloud infrastructure and network, email inbox defense software, to help defend against the onslaught of phishing attacks targeting employees, and a third-party data backup solution, to protect data and organizations against the growing ransomware threat,” he added.

Intuit Alerted QuickBooks Customers About Ongoing Phishing Attacks

 

Intuit has warned QuickBooks users that they are being targeted by a phishing campaign impersonating the company and attempting to lure victims with fake renewal charges. 

According to the company, it received reports from customers who were emailed and informed that their QuickBooks plans had expired. 

"This email did not come from Intuit. The sender is not associated with Intuit, is not an authorized agent of Intuit, nor is their use of Intuit's brands authorized by Intuit," Intuit explained. 

All customers who received one of these phishing emails are advised not to click any links or open attachments. To avoid malware infection or being redirected to a credential-harvesting page, they should delete the messages. 

Customers who have already opened attachments or followed links in the phishing emails should do the following: 
  • Delete any downloaded files as soon as possible. 
  • Scan their systems with an updated anti-malware solution. 
  • Reset their passwords. 

On its support page, Intuit also provides guidance on how customers can defend themselves against phishing attacks. 

Intuit also warned users in July about phishing emails that told them to call a phone number to upgrade to QuickBooks 2021 by the end of the month, or risk having their databases damaged or their company backup files automatically deleted.

According to BleepingComputer, identical emails were sent to Intuit customers this month, using a very similar style, with the update deadline switched to the end of October. While Intuit did not clarify how the upgrade scheme worked, past encounters with similar scam efforts have led BleepingComputer to believe that the fraudsters will attempt to take over the callers' QuickBooks accounts. 

To accomplish this, they pose as QuickBooks support employees and encourage victims to install remote access software such as TeamViewer or AnyDesk. Then they communicate with the victims and ask for the information needed to change their QuickBooks passwords and take control of their accounts in order to drain their money by making payments in their names. 

If the victim has two-factor authentication enabled, the fraudsters ask for the one-time code, claiming it is required to proceed with the upgrade. 

Copyright scams and account takeover attacks 

In addition to these two active campaigns, Intuit is also being impersonated by other threat actors in a bogus copyright phishing scheme, according to SlickRockWeb's CEO Eric Ellason. Recipients of these emails face the risk of becoming infected with the Hancitor (aka Chanitor) malware downloader or having Cobalt Strike beacons installed on their computers. 

The embedded URLs send potential victims through elaborate redirection chains that use a variety of security-evasion tactics and fingerprint the victim before the malicious payload is served. 

In June, Intuit also alerted TurboTax customers that attackers had gained access to some of their personal and financial information through a series of account takeover attacks. According to the company, this was not a "systemic data breach of Intuit." 

The company's investigation found that the attackers used credentials obtained from "a non-Intuit source" to get into customers' accounts, exposing their name, Social Security number, address(es), date of birth, driver's licence number, financial information and other personal data.