Search This Blog

Showing posts with label Scam. Show all posts

Global Scam Operation "Classiscam" Expanded to Singapore

 

Classiscam, a sophisticated scam-as-a-service business, has now entered Singapore, after more than 1.5 years  migrating to Europe. 

"Scammers posing as legitimate buyers approach sellers with the request to purchase goods from their listings and the ultimate aim of stealing payment data," Group-IB said in a report shared with The Hacker News. 

The operators were described as a "well-coordinated and technologically advanced scammer criminal network" by the cybersecurity firm. Classiscam is a Russia-based cybercrime operation that was originally detected in the summer of 2019 but only came to light a year later, coinciding with an uptick in activity due to an increase in online buying following the COVID-19 epidemic. 

Classiscam, the pandemic's most commonly utilised fraud scheme, targets consumers who use marketplaces and services related to property rentals, hotel bookings, online bank transfers, online retail, ride-sharing, and package deliveries. Users of major Russian ads and marketplaces were initially targeted, before spreading to Europe and the United States. 

Over 90 active organisations are said to be utilising Classiscam's services to target consumers in Bulgaria, the Czech Republic, France, Kazakhstan, Kirghizia, Poland, Romania, Ukraine, the United States, and Uzbekistan. The fraudulent operation spans 64 countries in Europe, the Commonwealth of Independent States (CIS), and the Middle East, and employs 169 brands to carry out the assaults. Criminals using Classiscam are reported to have gained at least $29.5 million in unlawful earnings between April 2020 and February 2022. 

This campaign is remarkable for its dependence on Telegram bots and conversations to coordinate activities and generate phishing and scam pages. Here's how it all works: Scammers put bait advertising on famous marketplaces and classified websites, frequently promising game consoles, laptops, and cellphones at steep prices. When a potential victim contacts the seller (i.e., the threat actor) via the online storefront, the Classiscam operator dupes the target into continuing the conversation on a third-party messaging service like WhatsApp or Viber before sending a link to a rogue payment page to complete the transaction. 

The concept includes a hierarchy of administrators, workers, and callers. While administrators are in charge of recruiting new members, automating the building of scam pages, and registering new accounts, it is the employees that make accounts on free classifieds websites and submit the false advertising. 

"Workers are key participants of the Classiscam scam scheme: their goal is to attract traffic to phishing resources," the researchers said. 

In turn, the phishing URLs are produced by Telegram bots that replicate the payment pages of local classified websites but are housed on lookalike domains. This necessitates the workers to submit the URL containing the bait product to the bot. 

"After initial contact with the legitimate seller, the scammers generate a unique phishing link that confuses the sellers by displaying the information about the seller's offer and imitating the official classified's website and URL," the researchers said. 

"Scammers claim that payment has been made and lure the victim into either making a payment for delivery or collecting the payment." 

The phishing pages also offer the option of checking the victim's bank account balance in order to find the most "valuable" cards. Furthermore, some cases involve a second attempt to deceive the victims by phoning them and requesting a refund in order to collect their money back. 

These calls are made by assistant employees posing as platform tech support professionals.  In this scenario, the targets are sent to a fraudulent payment page where they must input their credit card information and confirm it with an SMS passcode. Instead of a refund, the victim's card is charged the same amount again.

While the aforementioned method is an example of seller scam, in which a buyer (i.e., victim) receives a phishing payment link and is cheated of their money, buyer scams also exist.

A fraudster contacts a legal vendor as a client and sends a bot-generated fraudulent payment form imitating a marketplace, ostensibly for verification purposes. However, after the seller inputs their bank card details, an amount equal to the cost of the goods is debited from their account.

Classiscammers' complete attack infrastructure consists of 200 domains, 18 of which were constructed to deceive visitors of an undisclosed Singaporean classified website. Other sites in the network masquerade as Singaporean movers, European, Asian, and Middle Eastern classified websites, banks, markets, food and cryptocurrency businesses, and delivery services.

"As it sounds, Classiscam is far more complex to tackle than the conventional types of scams," Group-IB's Ilia Rozhnov siad. "Unlike the conventional scams, Classiscam is fully automated and could be widely distributed. Scammers could create an inexhaustible list of links on the fly."

"To complicate the detection and takedown, the home page of the rogue domains always redirects to the official website of a local classified platform."

Social Media Used to Target Victims of Investment Scams

Security researchers have discovered a huge investment scam effort that uses online and telephone channels to target victims across Europe. Since fake investment scams have been around for a while, people are familiar with them.

Over 10,000 malicious websites tailored for consumers in the UK, Belgium, the Netherlands, Germany, Poland, Portugal, Norway, Sweden, and the Czech Republic are included in the "gigantic network infrastructure" spotted by Group-IB.

The scammers work hard to promote the campaigns on numerous social media sites, or even compromise Facebook and YouTube to get in front of as many users as they can.

The firm's aim is to mislead consumers into believing they have the chance to invest in high-yield chances and persuade them to deposit a minimum of 250 EUR ($255) to join up for the phony services.

Scam operation

  • Posts promoting phony investment schemes on hacked social media accounts, such as Facebook and YouTube, are the first to entice victims.
  • Images of regional or international celebrities are frequently used to give the illusion that the scam is real.
  • The scammers then demand contact information. In a sophisticated social engineering scam, a 'customer agent' from a call center contacts the victim and offers the investment terms and conditions.
  • Eventually, the victim is persuaded to make a deposit of at least 250 EUR, and the information they provided on the false website is either saved and utilized in other attacks or sold on the dark web.
  • After the victim deposits the money, they are given access to a fictitious investment dashboard that claims to allow them to monitor daily earnings.
  • When the victim tries to use the site to withdraw funds but is first asked for final payment, the fraud is discovered.

Over 5000 of the 11,197 domains used in the campaign were still operational as of this writing.

It is advisable to check that an investment platform is from a reputable broker when it interests you. It may also be possible to spot the fraud by searching for user evaluations and looking for patterns in a large number of comments. 


Alert! This Huge Network of 11,000 Fake Investment Sites Targets Europe

 

Researchers discovered a massive network of over 11,000 domains used to market several bogus investment schemes to European users. 
To establish an air of credibility and attract a wider number of victims, the platforms display false evidence of affluence and falsified celebrity endorsements. The operation's purpose is to dupe people into believing they have a chance for high-return investments and persuade them to spend a minimum of 250 EUR ($255) to sign up for the bogus services. 

Group-IB researchers found the operation and documented the vast network of phishing sites, content hosting, and redirections. More than 5,000 of the discovered malicious domains are still operational, according to Group-IB. At the moment, the countries targeted by this initiative are the United Kingdom, Belgium, Germany, the Netherlands, Portugal, Poland, Norway, Sweden, and the Czech Republic. 

Scamming Process 

To reach as many users as possible, the fraudsters promote the ads on multiple social media platforms or utilise hacked Facebook and YouTube. Victims who fall for the scam and click on the advertisements to learn more are sent to landing pages with supposed success stories. 

The crooks then ask for contact information. In an extensive social engineering scam, a "customer agent" from a call centre contacts the victim and offers the investment terms and conditions. Eventually, the victim is persuaded to deposit at least 250 EUR, while the information given on the false site is saved and utilised in future operations or purchased on the dark web. 

After depositing the cash, the victim gains access to a bogus investment dashboard that supposedly lets them track daily gains. After depositing the cash, the victim obtains access to a bogus investment dashboard that purports to show daily returns. This is done to maintain the idea of a legitimate investment and attract victims to deposit more money in exchange for higher earnings. 

The fraud is uncovered when the victim attempts to withdraw money from the site without first requesting final payment. Group-IB researchers talked with the fraudsters and taped their chat with the operator during the inquiry. Parts of this audio have been muted for privacy concerns. 

Investments are never risk-free, thus promises of assured profits should be seen as warning flags. Furthermore, genuine investing platforms do not provide personal account managers for modest deposits.

Facebook Ads Push Android Adware, Installed 7M Times on Google Play Store

 

Several adware programmes marketed aggressively on Facebook as system cleansers and optimizers for Android devices have accumulated millions of downloads from the Google Play store. 

The applications lack all of the advertised functionality and push adverts while attempting to stay on the device for as long as possible. To avoid deletion, the applications regularly change their icons and names, posing as Settings or the Play Store itself. 

Adware applications make use of the Android component Contact Provider, which allows them to transport data between the device and web services. Because the subsystem is contacted whenever a new programme is installed, the adware might exploit it to start the ad-serving process. It may appear to the user that the advertising is being pushed by the legitimate app they installed. 

McAfee researchers found the adware applications. They point out that customers do not need to activate them after installation to see the advertising because the adware runs automatically without user intervention. The first thing these intrusive apps do is set up a permanent service for displaying adverts. If the process is "killed" (terminated), it instantly restarts. 

This video demonstrates how the adware's name and icon change automatically and how ad-serving occurs without user intervention. 

According to McAfee's analysis, consumers are persuaded to believe the adware applications because they see a Play Store link on Facebook, leaving little room for uncertainty. As a result, exceptionally high download counts for the specific type of apps have emerged, as shown below:
  • Junk Cleaner, cn.junk.clean.plp, 1M+ downloads
  • EasyCleaner, com.easy.clean.ipz, 100K+ downloads
  • Power Doctor, com.power.doctor.mnb, 500K+ downloads
  • Super Clean, com.super.clean.zaz, 500K+ downloads
  • Full Clean -Clean Cache, org.stemp.fll.clean, 1M+ downloads
  • Fingertip Cleaner, com.fingertip.clean.cvb, 500K+ downloads
  • Quick Cleaner, org.qck.cle.oyo, 1M+ downloads
  • Keep Clean, org.clean.sys.lunch, 1M+ downloads
  • Windy Clean, in.phone.clean.www, 500K+ downloads
  • Carpet Clean, og.crp.cln.zda, 100K+ downloads
  • Cool Clean, syn.clean.cool.zbc, 500K+ downloads
  • Strong Clean, in.memory.sys.clean, 500K+ downloads
  • Meteor Clean, org.ssl.wind.clean, 100K+ downloads
The majority of impacted users are from South Korea, Japan, and Brazil, however, the adware has regrettably spread globally. The adware applications have been removed from the Google Play Store. Users who installed them, on the other hand, must manually delete them from the device.

Despite their limited advantages, system cleansers and optimizers are popular software categories. Cybercriminals know that many people would attempt such methods to extend the life of their gadgets, thus they disguise dangerous software as such.

US Government Alerts Americans of Rising SMS Phishing Attacks

 

The Federal Communications Commission (FCC) has cautioned Americans about an increase in SMS (Short Message Service) phishing attacks aimed at stealing their personal information and money. Such attacks are also known as smishing or robotexts (as the FCC refers to them), and the fraudsters behind them may utilise a variety of enticements to fool you into disclosing sensitive information. 

"The FCC tracks consumer complaints – rather than call or text volume – and complaints about unwanted text messages have risen steadily in recent years from approximately 5,700 in 2019, 14,000 in 2020, 15,300 in 2021, to 8,500 through June 30, 2022," the US communications watchdog's Robocall Response Team said [PDF]. 

"In addition, some independent reports estimate billions of robotexts each month – for example, RoboKiller estimates consumers received over 12 billion robotexts in June." 

Smishing baits reported to the FCC by American customers include statements concerning unpaid bills, package delivery concerns, bank account problems, or police enforcement activities. Links sending users to landing pages imitating bank websites and requesting them to authenticate a transaction or unlock frozen credit cards are among the most clever and persuasive baits used in text message phishing attempts. 

Phishing SMS messages may also be faked to make it look that the sender is someone you're more likely to trust, such as the IRS or a company one is familiar with. While some attackers will try to steal financial information, others are less fussy and will collect whatever personal information they can get their hands on to use in later frauds or sell to other bad actors. The FCC suggests the following methods to protect against SMS phishing attacks:
  • Do not respond to texts from unknown numbers or any others that appear suspicious.
  • Never share sensitive personal or financial information by text.
  • Be on the lookout for misspellings or texts that originate with an email address.
  • Think twice before clicking any links in a text message. If a friend sends you a text with a suspicious link that seems out of character, call them to ensure they weren't hacked.
  • If a business sends you a text you weren't expecting, look up their number online and call them back.
  • Remember that government agencies almost never initiate contact by phone or text.
  • Report texting scam attempts to your wireless service provider by forwarding unwanted texts to 7726 (or "SPAM").
"If you think you're the victim of a texting scam, report it immediately to your local law enforcement agency and notify your wireless service provider and financial institutions where you have accounts," the FCC added.

Microsoft: Large-Scale AiTM Phishing Attacks Against 10K+Organizations

 

More than 10,000 companies were targeted in a large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites. Microsoft identified a large-scale phishing effort that employed adversary-in-the-middle (AiTM) phishing sites to steal passwords, hijack a user's sign-in session, and circumvent authentication even when the victim had activated MFA. 

Threat actors utilise AiTM phishing to set up a proxy server between a target user and the website the user desires to access, which is the phishing site controlled by the attackers. The proxy server enables attackers to intercept communications and steal the target's password and a session cookie. 

Threat actors started business email compromise (BEC) attacks against other targets after obtaining the credentials and session cookies needed to access users' mails. Since September 2021, Microsoft specialists think the AiTM phishing effort has targeted over 10,000 companies. 

Phishing using AITM 

By impersonating the Office online authentication page, the landing sites utilised in this campaign were meant to attack the Office 365 authentication process. Microsoft researchers discovered that the campaign's operators utilise the Evilginx2 phishing kit as its AiTM infrastructure. Threat actors utilised phishing emails with an HTML file attachment in several of the attacks seen by the experts. The message alerted recipients that they had a voice message in order to deceive them into opening the file.
 
The analysis published by Microsoft states, “This redirector acted as a gatekeeper to ensure the target user was coming from the original HTML attachment. To do this, it first validated if the expected fragment value in the URL—in this case, the user’s email address encoded in Base64—exists. If the said value existed, this page concatenated the value on the phishing site’s landing page, which was also encoded in Base64 and saved in the “link” variable.”

“By combining the two values, the succeeding phishing landing page automatically filled out the sign-in page with the user’s email address, thus enhancing its social engineering lure. This technique was also the campaign’s attempt to prevent conventional anti-phishing solutions from directly accessing phishing URLs.” 

After capturing the session cookie, the attackers inserted it into their browser to bypass the authentication procedure, even if the receiver had activated MFA for his account. Microsoft advises organisations to use systems that enable Fast ID Online (FIDO) v2.0 and certificate-based authentication to make their MFA deployment "phish-resistant."

Microsoft also advises establishing conditional access controls if an attacker attempts to utilise a stolen session cookie and monitoring for suspicious or anomalous activity, such as sign-in attempts with suspicious features and odd mailbox operations. 

“This AiTM phishing campaign is another example of how threats continue to evolve in response to the security measures and policies organisations put in place to defend themselves against potential attacks. While AiTM phishing attempts to circumvent MFA, it’s important to underscore that MFA implementation remains an essential pillar in identity security. MFA is still very effective at stopping a wide variety of threats; its effectiveness is why AiTM phishing emerged in the first place," concludes the report.

Luna Moth: Hackers After the Subscription Scam 

Luna Moth is a brand-new data extortion group that has been breaking into businesses to spoof users' data. If the victims don't pay a ransom to prevent the information from being made public, hackers threaten to make the records publicly accessible. 

The hacker group adopted the alias Luna Moth and has been engaged in phishing efforts since at least March in which remote access tools (RAT) were distributed, enabling corporate data theft.

How does the scam work?

The Luna Moth ransomware gang has been analyzed by the incident response team at cybersecurity firm Sygnia, it was noted that the actor is attempting to establish a reputation under the name Silent Ransom Group (SRG).

In a report published, Sygnia claims that although the goal of Luna Moth, also known as TG2729, is to acquire key data, its method of operation is similar to that of a scammer.

The organization has been posing as Zoho MasterClass Inc. and Duolingo over the last three months, operating a widespread phishing scam.  The malicious emails are sent from Gmail accounts that were altered to look like official company email accounts, claiming to be from the Zoho Corporation or Duolingo.

Domains used

In April 2022, the first verified campaign-related domain was registered. Hostwinds, a service provider, hosts both the exfiltration and phishing domains, which are both listed under Namecheap.

The two primary sets of domains and IPs that make up Luna Moth infrastructure  can be tied to subscription fraud:

  • Domains with the XYZ TLD, such as maaays[.]xyz, are exfiltration domains. The organization uses these domains as the endpoint for the exfiltrated data when using the Rclone obfuscation method.
  • Phishing sites like masterzohoclass[.]com that pretend to be associated with Duolingo or Zoho. The majority of these domains only last for four hours or less.

Standard tools

Atera, Splashtop, Syncro, and AnyDesk are just a couple of good remote administration tools (RATs) that the hackers mainly employ to control compromised devices. These tools also give the hackers some flexibility and persistence: even if one of the RATs is taken out of the system, the others can still reinstall it. Furthermore, off-the-shelf tools like SharpShares, and SoftPerfect Network Scanner,  are being utilized by the group.

The tools are saved on spyware with fake names that make them appear to be legitimate These technologies enable threat actors to conduct basic reconnaissance tasks, acquire access to additional resources, and steal data from compromised networks in addition to RATs.



CEO of Multiple Fake Companies Charged in $1bn Counterfeit Scheme to Traffic Fake Cisco Devices

 

Last Friday, the US Department of Justice (DOJ) revealed that a Florida citizen named Ron Aksoy had been arrested and alleged with selling thousands of fake and counterfeit Cisco goods over 12 years. 

Aksoy, also known as Dave Durden, would have operated at least 19 firms based in New Jersey and Florida, as well as at least 15 Amazon stores, around 10 eBay storefronts, and many additional corporations worth more than $1 billion. Aksoy faces three counts of mail fraud, four counts of wire fraud, and three counts of trafficking in counterfeit products. 

According to court records, the fraudulent firms purchased tens of thousands of counterfeit Cisco networking equipment from China and Hong Kong and resold them to consumers in the United States and across the world, fraudulently advertising the items as new and authentic. Chinese counterfeiters modified earlier, lower-model goods (some of which had been sold or dumped) to look to be authentic versions of newer, improved, and more expensive Cisco gear. 

As a result, the fraudulent and counterfeit items had severe performance, functionality, and safety issues, costing users tens of thousands of dollars. According to the indictment, between 2014 and 2022, Customs and Border Protection (CBP) confiscated approximately 180 shipments of counterfeit Cisco equipment being transported to the Pro Network Entities (the fraudulent firm name under which Aksoy operated) from China and Hong Kong. 

In response to some of these seizures, Aksoy would have filed fraudulent official papers to CBP using the pseudonym "Dave Durden," which he also used to contact with Chinese co-conspirators. The entire enterprise reportedly generated over $100 million in income, with Aksoy keeping a sizable portion while his co-conspirators received the remainder. Potential victims have been advised to get in touch with authorities. 

The DOJ has developed a publicly available list of Pro Network firms, as well as the accused criminal's eBay and Amazon stores.

HR Manager of Private Company Duped of ₹28 Lakh

 

The cybercrime police are looking for a person who pretended to be the managing director of a private company and duped the firm's HR manager into transferring 28.8 lakh online before fleeing. 

On Sunday, the police lodged a case against the unknown individual, accusing him of different sections of the IT Act as well as cheating and impersonation under the IPC, based on a complaint filed by Nirmal Jain, the owner of the private enterprise. 

According to Mr. Jain's allegation, the accused sent a WhatsApp message to HR manager Thirupathi Rao pretending to be Paras Jain, the company's MD. The MD's image was on the WhatsApp profile, and the message stated that it was his personal number and that he was at a meeting and should not be disturbed. 

The individual then requested that Mr. Rao move the funds to three bank accounts online on an emergency basis. Mr. Rao followed the instructions and transferred a total of 28.89,807 to the private bank account numbers specified in the communication. When he told higher officials about the transactions, the scam was discovered. 

Based on the transaction information, the authorities are now attempting to locate the accused. This is a new trend among internet fraudsters who download the profile images of senior executives of organisations in order to scam their office staff, according to experts.

Bad Bot Traffic is Significantly Contributing to Rise of Online Scam

 

Recently, many organizations have been left wrestling with the challenge of overcoming the rise in bot traffic, which is also sometimes referred to as non-human traffic. According to an Imperva analysis, bad bots, or software applications that conduct automated operations with malicious intent, accounted for a record-breaking 27.7% of all global internet traffic in 2021, up from 25.6 percent in 2020. Account takeover (ATO), content or price scraping, and scalping to purchase limited-availability items were the three most typical bot attacks. 

Bot traffic has the potential to damage organisations if they do not learn how to recognise, control, and filter it. Sites that rely on advertising in addition to sites that sell limited-quantity products and merchandise are particularly vulnerable. Bad bots are frequently the first sign of online fraud, posing a threat to both digital enterprises and their customers. 

Evasive bad bots accounted for 65.6 percent of all bad bot traffic in 2021, a grouping of moderate and advanced bad bots that circumvent ordinary security protections. This type of bot employs the most advanced evasion strategies, such as cycling through several IP addresses, using anonymous proxies, changing identities, and imitating human behaviour. 

Bad bots make it possible to exploit, misuse, and assault websites, mobile apps, and APIs at high speed. Personal information, credit card details, and loyalty points can all be stolen if an attack is successful. Organizations' non-compliance with data privacy and transaction requirements is exacerbated by automated misuse and online fraud. 

Bad bot traffic is increasing at a time when businesses are making investments to improve online customer experiences. More digital services, greater online functionality, and the creation of broad API ecosystems have all emerged.

Unfortunately, evil bot operators will use this slew of new endpoints to launch automated assaults. The key findings of the research are:
  • Account takeover grew148% in 2021: In 2021, 64.1% of ATO attacks used an advanced bad bot. Financial Services was the most targeted industry (34.6%), followed by Travel (23.2%). The United States was the leading origin country of ATO attacks (54%) in 2021. The implications of account takeover are extensive; successful attacks lock customers out of their accounts, while fraudsters gain access to sensitive information that can be stolen and abused. For businesses, ATO contributes to revenue loss, risk of non-compliance with data privacy regulations, and tarnished reputations.
  • Travel, retail, and financial services targeted by bad bots: The volume of attacks originating from sophisticated bad bots was most notable across Travel (34.2%), Retail (33.8%), and Financial Services (8.8%) in 2021. These industries remain a prime target because of the valuable personal data they store behind user login portals on their websites and mobile apps.
  • The proportion of bad bot traffic differs by country: In 2021, Germany (39.6%), Singapore (39.1%), and Canada (30.2%) experienced the highest volumes of bad bot traffic, while the United States (29.1%) and the United Kingdom (29.7%) were also higher than the global average (27.7%) of bad bot traffic.
  • 35.6% of bad bots disguise as mobile web browsers: Mobile user agents were a popular disguise for bad bot traffic in 2021, accounting for more than one-third of all internet traffic, increasing from 28.1% in 2020. Mobile Safari was a popular agent in 2021 because bots exploited the browser’s improved user privacy settings to mask their behaviour, making them harder to detect.
According to the findings, no industry will be immune to negative bot activity in 2021. Bots hoarding popular gaming consoles and clogging vaccine appointment scheduling sites gained attention in 2021, but any degree of bot activity on a website can create considerable downtime, degrade performance, and reduce service reliability.

Phishing Scam Adds a Chatbot Like Twist to Steal Data

 

According to research published Thursday by Trustwave's SpiderLabs team, a newly uncovered phishing campaign aims to reassure potential victims that submitting credit card details and other personal information is safe. 

As per the research, instead of just embedding an information-stealing link directly in an email or attached document, the procedure involves a "chatbot-like" page that tries to engage and create confidence with the victim. 

Researcher Adrian Perez stated, “We say ‘chatbot-like’ because it is not an actual chatbot. The application already has predefined responses based on the limited options given.” 

Responses to the phoney bot lead the potential victim through a number of steps that include a false CAPTCHA, a delivery service login page, and finally a credit card information grab page. Some of the other elements in the process, like the bogus chatbot, aren't very clever. According to SpiderLabs, the CAPTCHA is nothing more than a jpeg file. However, a few things happen in the background on the credit card page. 

“The credit card page has some input validation methods. One is card number validation, wherein it tries to not only check the validity of the card number but also determine the type of card the victim has inputed,” Perez stated.

The campaign was identified in late March, according to the business, and it was still operating as of Thursday morning. The SpiderLabs report is only the latest example of fraudsters' cleverness when it comes to credit card data. In April, Trend Micro researchers warned that fraudsters were utilising phoney "security alerts" from well-known banks in phishing scams. 

Last year, discussions on dark web forums about deploying phishing attacks to capture credit card information grew, according to Gemini Advisory's annual report. Another prevalent approach is stealing card info directly from shopping websites. Researchers at RiskIQ claimed this week that they've noticed a "constant uptick" in skimming activity recently, albeit not all of it is linked to known Magecart malware users.

SaaS App Vanity URLs Can Be Spoofed for Phishing & Social Engineering

 

Researchers warn that vanity links made by businesses to add their brand to well-known cloud services could become a handy vector for phishing attacks and a technique to deceive users. Cloud services that don't check whether subdomains have been modified may allow URLs that appear to be from "varonis.box.com" or "apple.zoom.us," according to a Varonis advisory released on Wednesday. 

In the instance of Box.com, this could result in a malicious document; in the case of Zoom, it could result in a data-gathering webinar unrelated to the stated brand. The issue arises when a cloud service permits the usage of a vanity subdomain but does not validate it or use it to provide services. More than six months ago, Varonis warned Box.com and Zoom of the problem, as well as Google, whose URLs to Google Docs might be spoofed. 

The issues are essentially fixed, according to the company. According to Or Emanuel, director of research and security at Varonis, the vulnerability is likely to occur for other providers. "We think it is more than just those three SaaS services," he says, adding that attackers can also use the predictability of the subdomains to select potential victims. "Because of the vanity URLs, it makes it very easy for threat actors to scan all the subdomains of all the big Fortune companies with different cloud providers." 

Attackers use well-known companies to hide dangerous code and phishing sites, which allows them to dupe victims into trusting false e-mail messages and website links. In 2019, for example, three-quarters of businesses learned that the lookalike domain had been created by a third party using a top-level domain other than.COM. Varonis' research takes a different approach to the problem. 

Rather than looking at top-level domains, the company's researchers looked into ways to abuse the subdomains that many cloud service providers allow their customers to use. "Not only do vanity URLs feel more professional, but they also provide a sense of security for end-users," Varonis stated in the advisory. "Most people are likelier to trust a link at varonis.box.com than a generic app.box.com link. However, if someone can spoof that subdomain, then trusting the vanity URL can backfire."

When a customer is permitted to utilise their brand as a subdomain, such as varonis.zoom.us, a software-as-a-service (SaaS) application is vulnerable to the attack since the subdomain is no longer validated when the link is provided to a third party, such as participants in a conference call or webinar. In the case of Zoom's service, attackers may design a webinar that asks registrants a series of social engineering-friendly questions, rebrand the webinar as a well-known organisation, and then modify the resulting URL to the targeted URL. 

The original domain — for example, attacker.zoom.us — might be changed to varonis.zoom.us without affecting the link's functioning. A well-branded page might trick a victim into providing personal information, especially if the subdomain indicates that the host is a well-known organisation. In the case of Box.com, a link like app.box.com/f/abcd1234 may be modified to varonis.app.box.com/f/abcd1234 to make it look like an official form gathering information while actually sending it to the attacker.  

"The more interesting attacks from a data protection standpoint are when you have forms for registration or file-sharing requests," Emanuel says. "When the threat actor controls these pages, they can ask for any information they want, and it seems totally legit. It's really hard to determine that it's not a page that the company owns." 

This type of social engineering is beneficial in phishing assaults, as well as persuading people to click on links or download suspicious files. According to the FBI's annual Internet Crime Complaint Center (IC3) report, losses from cybercrime, including phishing attacks, reached approximately $7 billion in 2021. According to Emanuel, cloud providers should verify that any URL change is confirmed by the link's encoding. 

According to Varonis, both Box.com and Google have fixed the issues, albeit the errors still present for Google Forms and Google Docs when using the "Publish to the web" function. When the subdomain is changed, Zoom will notify users. Furthermore, users should be wary of links, particularly if the connected page requires too much information or leads to further links or files. 

"We recommend educating your coworkers about the risk associated with clicking on such links and especially submitting PII and other sensitive information via forms, even if they appear to be hosted by your company’s sanctioned SaaS accounts," Varonis stated in the advisory.

Welcome “Frappo”: Resecurity Discovered a New Phishing-as-a-Service

 

The Resecurity HUNTER squad discovered "Frappo," a new underground service available on the Dark Web. "Frappo" is a Phishing-as-a-Service platform that allows fraudsters to host and develop high-quality phishing websites that imitate significant online banking, e-commerce, prominent stores, and online services in order to steal client information. 

Cybercriminals created the platform in order to use spam campaigns to spread professional phishing information. "Frappo" is widely advertised on the Dark Web and on Telegram, where it has a group of over 1,965 members where hackers discuss their success in targeting users of various online sites. The service first appeared on the Dark Web on March 22, 2021, and has been substantially updated. The most recent version of the service was registered on May 1, 2022. 

"Frappo" allows attackers to operate with stolen material in an anonymous and encrypted manner. It offers anonymous billing, technical assistance, upgrades, and a dashboard for tracking acquired credentials. "Frappo" was created as an anonymous cryptocurrency wallet based on a Metamask fork. It is totally anonymous and does not require a threat actor to create an account. 

Amazon, Uber, Netflix, Bank of Montreal (BMO), Royal Bank of Canada (RBC), CIBC, TD Bank, Desjardins, Wells Fargo, Citizens, Citi, and Bank of America are among the financial institutions (FIs) for which the service creates phishing pages. The authors of "Frappo" offer hackers a variety of payment options based on the length of their subscription.  "Frappo," works like SaaS-based services and platforms for legitimate enterprises, enabling hackers to reduce the cost of developing phishing kits and deploy them on a larger scale. Notably, the phishing page deployment procedure is totally automated, since "Frappo" uses a pre-configured Docker container and a secure route to gather compromised credentials through API. 

Once "Frappo" is properly configured, statistical data such as how many victims opened the phishing page, accessed authorisation and input credentials, uptime, and the server status will be collected and visualised. Compromised credentials will appear in the "Logs" area alongside further information about each victim, such as IP address, User-Agent, Username, Password, and so forth. The phishing pages (or "phishlets") that have been discovered are of high quality and include interactive scenarios that fool victims into providing authorization credentials. 

Threat actors have successfully leveraged services like "Frappo" for account takeover, business email compromise, and payment and identity data theft. Cybercriminals use sophisticated tools and methods to assault consumers all over the world. Digital identity protection has become one of the top objectives for online safety, and as a result, a new digital battleground emerges, with threat actors looking for stolen data.

Christian Lees, Chief Technology Officer (CTO) of Resecurity, Inc. stated, “Resecurity is committed to protecting consumers and enterprises all over the globe, and is actively involved in public-private partnerships to share actionable cyber threat intelligence (CTI) with financial institutions, technology companies and law enforcement to ultimately minimize the risk of credentials being compromised and data breaches being executed.”

 Facebook: Bogus Event Scammers are Targeting Vendors

 

Victims have experienced nothing but worry as a result of a real-world scam that takes the pleasure out of craft fairs. It may sound strange, but it's a common criticism aimed at small/self-employed business owners who sell their own creations. They sell a range of craft-style things similar to those seen on Etsy and Redbubble in large quantities. Putting these products in front of live audiences at an event will almost certainly increase sales. 

Vendor fraud denotes misdeeds executed on a company's accounts payable (AP) for financial gain by vendors, or an employee. It's a type of scam that includes misrepresenting a vendor's or recipient's account details in AP to reroute payments.

How does this bogus vendor fair operate?

Regardless of location, the mainstream follows a consistent pattern. 
  • The imposters create completely new Facebook accounts and frequently use the same name on many accounts. 
  • They collect information from potential fair exhibitors via multiple web forms wherein name, address, description of sold things, business name, and phone number are all requested. 
  • Payment inquiries are made at this point. The recovery of funds might range from "fairly easy" to "total disaster" depending on the payment type.

How are the victims selected? 

Before claiming why an event is taking place nearby, the fraudsters use the seller's own public information against them, indicating the seller's location or even the types of products sold. The most intriguing aspect of it all is that fake fair frauds aren't an unusual occurrence. It's a legitimate sub-industry populated by devoted con artists. 

For example, false payments — in a payment scheme, the fraudster and employee can create a fictitious vendor (shell company) or manipulate an actual vendor's account to reflect their information. 

Changes to existing checks or the creation of unauthorized checks are examples of check changes. An employee takes checks from a vendor, alters the beneficiary, or forges the vendor's signature, and deposits the monies into an account of their choosing. 

Overbilling — When dealing with large numbers, a vendor expands invoices by adding extra goods or services to invoices raised to your organization. 

Vendor Fraud Classification 
  • Billing Fraud: Employees might manipulate payments in two ways. It can entail creating a fake vendor or generating duplicate payments using a genuine vendor's account. 
  • Fictitious Vendor - An employee with sufficient authority and access creates a fictitious vendor account or a shell corporation, registers it as a vendor, and makes regular payments to it. 
  • Duplicate Payments - An employee impersonates a legitimate vendor, manipulates payment data, and makes duplicate payments on a vendor's invoice. 
  • Check Manipulation: An employee falsifying or altering information on a vendor's check to redirect funds to a personal bank account. 
  • Bribery Acceptance: This sort of fraud is the outcome of an agreement between a vendor and an employee, in which the employee receives personal remittances from the seller in exchange for more advantages or sales.
  • Excess Billing: When a vendor invoices the company for excess quantities/prices than what was previously agreed upon, it is referred to as overbilling. 
  • Price fixing: Two sellers work together to fix prices at greater than normal levels.
  • Bid rigging: A form of fraud that involves collaboration between two or more vendors and workers to secure a procurement contract in favor of the highest bidder.
  • Cyber fraud: Vendor fraud cases are conducted by unknown, unauthorized personnel with no link to either the company or the vendor, making them the most difficult to identify. 

Indicators of threat 

For customers: the seller claims to be unavailable (for example, because they are traveling or have relocated to another country) and demands money before arranging for delivery of the items. They must pay the seller using foreign money transfers, checks, or direct bank transfers. They may receive a forged email receipt from the website's secure payment provider.

For vendors: Even if one is selling an expensive item like a car, the potential buyer is willing to buy your item without seeing it in person. The goods are widely available in the customer's native country, and a possible overseas buyer might be interested in purchasing them (e.g. a car or a couch). The cost of shipping frequently outweighs the cost of the item. 

Measures

Facebook posts without a location tag are an attempt to remain anonymous. Methods of Invoice Matching, Using Data Mining, Methodologies Establishing a fraud helpline might allow staff to report problems without fear of repercussions.

Vendor fraud can have a significant financial impact on a company, it can be avoided by properly developing, evaluating, and updating corporate rules regularly. 

Google SMTP Relay Service Exploited for Sending Phishing Emails

 

Phishers are exploiting a vulnerability in Google's SMTP relay service to send malicious emails that imitate well-known brands. Threat actors use this service to mimic other Gmail tenants, according to Avanan researcher Jeremy Fuchs. Since April 2022, they've noticed a massive rise in these SMTP relay service exploit attacks in the wild. 

Organizations utilise Google's SMTP relay service to send out promotional messages to a large number of consumers without the risk of their mail server being blacklisted. 

Fuchs explained, “Many organizations offer this service. Gmail does as well, with the ability to route outgoing non-Gmail messages through Google. However, these relay services have a flaw. Within Gmail, any Gmail tenant can use it to spoof any other Gmail tenant. That means that a hacker can use the service to easily spoof legitimate brands and send out phishing and malware campaigns. When the security service sees avanan.com coming into the inbox, and it’s a real IP address from Gmail’s IP, it starts to look more legitimate.” 

As Gmail's SMTP relay servers are usually trusted, email security solutions are circumvented, and recipients see a legitimate-looking email address in the "From:" field. Users will only know something is wrong if they inspect the message headers. 

This brand impersonation method will only work if the impersonated corporation/brand company hasn't enabled its DMARC reject policy, according to Fuchs. A DNS-based authentication standard is known as DMARC. It protects enterprises from impersonation threats by preventing malicious, spoof emails from reaching their intended recipients. 

Using tools like MXToolbox, any phisher — indeed, anyone who uses the internet – may verify whether the DMARC reject policy has been enabled for a certain domain. Trello and Venmo, for example, haven't, according to Fuchs, while Netflix has. 

On April 23rd, 2022, Fuchs claims to have warned Google about how phishers were using their SMTP relay service. “Google noted that it will display indicators showing the discrepancy between the two senders, to aid the user and downstream security systems,” he told Help Net Security. 

He also points out that any SMTP relay could be vulnerable to this type of assault. The DMARC protocol, which Google recommends, is the overarching solution to this well-known security issue. However, until that becomes the norm, recipients should verify the headers of unsolicited email messages and avoid opening attachments or clicking on links in those messages if they can't tell whether they're harmful. 

“We have built-in protections to stop this type of attack. This research speaks to why we recommend users across the ecosystem use the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol. Doing so will defend against this attack method, which is a well-known industry issue,” a Google spokesperson told Help Net Security.

YouTube Scammers Steal $1.7M in Fake Crypto Giveaway

 

According to Group-IB, a group of online scammers made approximately $1.7 million by promising cryptocurrency giveaways on YouTube. 

The group allegedly aired 36 YouTube videos between February 16 and 18, gaining at least 165,000 views, according to the Singapore-based security company. To give validity to their efforts, they included footage of tech entrepreneurs and crypto enthusiasts like Elon Musk, Brad Garlinghouse, Michael Saylor, Changpeng Zhao, and Cathie Wood. 

According to Group-IB, the channels were either hacked or bought on the black market. They included links to at least 29 websites with instructions on how to double cryptocurrency investments in the streams they built. 

'Investors' were encouraged to send a tiny sum of virtual currency and promised that they would be paid back twice that amount. Some victims were prompted to enter seed phrases to 'link' their wallets, depending on the cryptocurrency and wallet type utilised. 

However, the fraudsters were able to take control of their wallet and withdraw all of their funds as a result of this. The scammers received 281 transactions totalling nearly $1.7 million into their crypto wallets in just three days. The precise number of victims and the overall amount stolen, however, are unknown. 

Group-IB stated, “The fake crypto giveaway scheme is not new, but apparently is still having a moment. Further analysis of the scammers’ domain infrastructure revealed that the 29 websites were part of a massive network of 583 interconnected resources all set up in the first quarter of 2022. Notably, there were three times as many domains registered for this scheme in less than three months of 2022 compared to the whole of last year.” 

Crypto enthusiasts should be wary of freebies and avoid sharing personal information online, according to Group-IB. Users were also encouraged to double-check the authenticity of any promos and use a password manager to store any seed phrases.

One arrested in ₹1,200-Crore Crypto Fraud Case, 900 Investors Scammed

 

The Enforcement Directorate announced on Tuesday that it had arrested a suspect in connection with a money-laundering investigation into a Kerala-based businessman who is suspected of scamming more than 900 investors out of Rs 1,200 crore in exchange for bitcoin. 

Abdul Gafoor, one of the most prominent stockists of the 'Morris Coin Cryptocurrency,' was arrested on March 24, according to the source. The next day, he was taken into prison by the Enforcement Directorate (ED) and held until March 31. Mr Gafoor was accused of not complying with the investigation and of being extremely evasive in his responses, according to the federal investigation agency. 

The agency stated, "Considering the fact that Abdul Gafoor is one of the directors of Stoxglobal Brokers Pvt. Ltd. and has played an active role in facilitating the placement and layering of proceeds of crime, he has been placed under arrest on March 24," 

The ED case arose from an FIR filed by the Kerala Police (Malappuram crime branch unit) against the case's main accused, businessman Nishad K. The agency alleged Nishad K "cheated several investors by accepting investments, under a Ponzi scheme, through his three Bengaluru based firms-- Long Reach Global, Long Reach Technologies and Morris Trading by offering high returns of dividend such as 3-5 per cent per day." 

According to the police complaint, "more than 900 investors were cheated to the tune of ₹ 1,200 crore." The investigation discovered that "Nishad, the main accused person, had appointed those persons as pin stockists who had invested a minimum of ₹ 10 lakh in Nishad's scheme and Nishad promised them that he would give five per cent as commission on the investment.” 

The ED stated, "They made aggressive enrolment of new members into an illegal money circulation scheme under the garb of multi-level marketing, resorted to the fraudulent practice of investing the money received from the investors in the Morris Coin cryptocurrency plan run by Nishad and others". 

It alleged that this resulted in the viral growth of the scheme network, resulting in significant unjust gain at the cost of investors. It had previously stated that the deposits taken from the general public were illegal and did not require any regulatory approval. It had attached Nishad K's assets worth ₹ 36.72 crore, as well as those of his colleagues, including the Indian Rupee equivalent of cryptocurrencies purchased with proceeds of crime by a close associate, in January.

Payment Fraud Attack Rate Across Fintech Increased by 70% in 2021

 

The index based on a global network of over 34,000 sites and apps and a poll of over 1,000 consumers, reveals that payment fraud attacks across fintech increased by 70% in 2021, the greatest increase of any category in the network. 

Payment fraud has increased in tandem with a whopping 121 percent year-over-year increase in fintech transaction volumes on Sift's network, making this industry a tempting target for cybercriminals. These escalating attacks, as per this data, were mostly focused on alternative payments such as digital wallets, which witnessed a 200 percent increase in payment fraud, as well as payments service providers (+169 percent) and cryptocurrency exchanges (+140 percent). 

These approaches were targeted towards buy now/pay later (BNPL) providers, which showed a 54 percent increase in fraud attack rates year over year. Sift's Trust and Safety Architects discovered a rising number of fraud schemes on Telegram in late 2021, providing unlimited access to BNPL accounts via fake credit card numbers and compromised email addresses, demonstrating the wide range of methods fraudsters use to target the whole fintech sector.

Along with a 23 percent increase in blocked payment fraud assaults in 2021, Sift noticed a network-wide rise in daily transaction volumes across all industries. Similarly, 49 percent of poll respondents indicated they've been a victim of payment abuse in the last one to three years, with 41 percent of those who have been victims in the last year alone. Financial service websites were regarded as the sites that pose the most risk by 33% of the victims, which could have a detrimental impact on the customer’s trust. 

Jane Lee, Trust and Safety Architect at Sift. stated, “Many brands fail to realize that the damage of payment fraud goes beyond the initial financial impact. The vast majority of consumers report abandoning brands after they experience fraud on a business’s website or app, diminishing customer lifetime value and driving up acquisition costs. Further, potential customers who see unauthorized charges from a particular company on their bank statements will forever associate that brand with fraud. In order to combat these attacks and grow revenue, businesses should look to adopt a Digital Trust & Safety strategy—one that focuses on preventing fraud while streamlining the experience for their customers.”

Spanish Police Arrested SIM Swappers who Stole Money from Victims Bank Accounts

 

The Spanish National Police have arrested eight suspected members of a criminal organisation who used SIM swapping assaults to steal money from the victims' bank accounts. 

SIM switching assaults are used by criminals to get control of victims' phone numbers by duping mobile operator workers into transferring their numbers to SIMs controlled by the fraudsters. The attackers can steal money, cryptocurrency, and personal information, including contacts linked with online accounts, once a SIM has been stolen. Criminals could take over social media accounts and utilise SMS to circumvent 2FA services utilized by online services, including financial services. 

In the incident under investigation by Spanish police, the cybercriminal gained the victims' personal information and bank details via fraudulent emails in which they pretended to be their bank. The fraudsters were able to falsify the victims' official documents and use them to dupe phone store staff into issuing them with replica SIM cards. They were able to overcome SMS-based 2FA needed to access bank accounts and take the money once they had the SIM cards. 

The press release published by the Spanish National Police stated, “Agents of the National Police have dismantled a criminal organization dedicated, presumably, to bank fraud through the duplication of SIM cards. There are eight detainees based in Catalonia and acting throughout Spain who, through malicious messages and posing as a bank, obtained personal information and bank details to access the accounts of the victims whose identity they usurped through the falsification of official documents. With this, they deceived the employees of phone stores to obtain duplicate SIM cards and, in this way, have access to the bank’s security confirmation messages. In this way they could operate in online banking and access bank accounts to empty them after receiving security confirmation messages from the banks.”

The first SIM swapping attack linked to this group occurred in March 2021, when Spanish authorities received two reports about fraudulent transactions in different parts of the country. Crooks used bank transfers and digital quick payment services based in the region of Barcelona to launder the stolen funds. Seven people were arrested in Barcelona and one in Seville as a byproduct of the operation. The suspects' bank accounts were also banned by the authorities. 

The FBI announced this week that SIM swap attacks have increased, with the objective of stealing millions of dollars from victims by hijacking their mobile phone numbers. According to the FBI, US individuals have lost more than $68 million as a result of SIM switching assaults in 2021, with the number of complaints and damages nearly doubling since 2018. The FBI's Internet Crime Complaint Center (IC3) received 1,611 SIM switching assault reports in 2018, compared to 320 complaints between 2018 and 2002, resulting in a total loss of $12 million. 

Individuals should take the following steps, as per the FBI: 

• Do not post details regarding financial assets, such as bitcoin ownership or investment, on social networking platforms or forums. 
• Do not disclose the mobile number account details to representatives who ask for the account password or pin over the phone. Verify the call by calling the mobile carrier's customer support number. • Posting personal information online, such as your phone number, address, or other identifying information, is not a good idea. 
• To access online accounts, use a variety of unique passwords. 
• Any changes in SMS-based connectivity should be noted. 
• To gain access to online accounts, use strong multi-factor authentication solutions such as biometrics, physical security tokens, or standalone authentication software. 
• For easy login on mobile device applications, do not save passwords, usernames, or other information. 

On the other hand, mobile providers should take the following safety measures, according to the FBI: 

• Employees should be instructed and training sessions on SIM swapping should be held. 
• Examine incoming email addresses containing formal correspondence for minor differences that could make fraudulent addresses appear real and match the names of actual clients. 
• Establish stringent security standards that allow workers to effectively check customer credentials before transferring their phone numbers to a new device.

Intuit Alerted About Phishing Emails Threatening to Delete Accounts

 

Customers of accounting and tax software supplier Intuit have been warned of an ongoing phishing attack masquerading the organisation and attempting to mislead victims with fraudulent account suspension notifications. 

Customers who were notified and told that their Intuit accounts had been disabled as a result of a recent server security upgrade prompted Intuit to issue the advisory. 

The attackers stated in the phishing messages, masquerading as the Intuit Maintenance Team, "We have temporarily disabled your account due to inactivity. It is compulsory that you restore your access within next 24 hours. This is a result of recent security upgrade on our server and database, to fight against vulnerability and account theft as we begin the new tax season." 

To regain access to their accounts, the receivers need to visit https://proconnect.intuit.com/Pro/Update right away. By clicking the link, they will most likely be redirected to a phishing site controlled by the attacker, which will seek to infect them with malware or steal their financial or personal information. 

Those who hesitate before clicking the embedded link are warned that they risk losing access to their accounts permanently. The financial software company stated the sender "is not associated with Intuit, is not an approved agent of Intuit, nor is their use of Intuit's brands authorised by Intuit," and that it isn't behind the emails. 

Customers who have received phishing emails are advised not to click any embedded links or open attachments, according to the maker of TurboTax and QuickBooks. 

To avoid being infected with malware or redirected to a phishing landing page that would try to steal the credentials, it's best to delete the emails. Customers who have already opened attachments or clicked links in phishing emails should take the following steps: 
  • Delete any downloaded files immediately. 
  • Scan their systems using an up-to-date anti-malware solution. 
  • Change their passwords
On its support page, Intuit also provides information on how users can safeguard themselves from phishing assaults. 

QuickBooks clients were also cautioned in October about phishing attacks that used bogus renewal charges as bait. Fraudsters contacted QuickBooks users via websites in the same month, telling them to upgrade to prevent their databases from being destroyed or corporate backup files automatically erased, with the intent of taking over their accounts.