Security researchers have discovered a huge investment scam effort that uses online and telephone channels to target victims across Europe. Since fake investment scams have been around for a while, people are familiar with them.
Over 10,000 malicious websites tailored for consumers in the UK, Belgium, the Netherlands, Germany, Poland, Portugal, Norway, Sweden, and the Czech Republic are included in the "gigantic network infrastructure" spotted by Group-IB.
The scammers work hard to promote the campaigns on numerous social media sites, or even compromise Facebook and YouTube to get in front of as many users as they can.
The firm's aim is to mislead consumers into believing they have the chance to invest in high-yield chances and persuade them to deposit a minimum of 250 EUR ($255) to join up for the phony services.
Scam operation
Over 5000 of the 11,197 domains used in the campaign were still operational as of this writing.
It is advisable to check that an investment platform is from a reputable broker when it interests you. It may also be possible to spot the fraud by searching for user evaluations and looking for patterns in a large number of comments.
Luna Moth is a brand-new data extortion group that has been breaking into businesses to spoof users' data. If the victims don't pay a ransom to prevent the information from being made public, hackers threaten to make the records publicly accessible.
The hacker group adopted the alias Luna Moth and has been engaged in phishing efforts since at least March in which remote access tools (RAT) were distributed, enabling corporate data theft.
How does the scam work?
The Luna Moth ransomware gang has been analyzed by the incident response team at cybersecurity firm Sygnia, it was noted that the actor is attempting to establish a reputation under the name Silent Ransom Group (SRG).
In a report published, Sygnia claims that although the goal of Luna Moth, also known as TG2729, is to acquire key data, its method of operation is similar to that of a scammer.
The organization has been posing as Zoho MasterClass Inc. and Duolingo over the last three months, operating a widespread phishing scam. The malicious emails are sent from Gmail accounts that were altered to look like official company email accounts, claiming to be from the Zoho Corporation or Duolingo.
Domains used
In April 2022, the first verified campaign-related domain was registered. Hostwinds, a service provider, hosts both the exfiltration and phishing domains, which are both listed under Namecheap.
The two primary sets of domains and IPs that make up Luna Moth infrastructure can be tied to subscription fraud:
Standard tools
Atera, Splashtop, Syncro, and AnyDesk are just a couple of good remote administration tools (RATs) that the hackers mainly employ to control compromised devices. These tools also give the hackers some flexibility and persistence: even if one of the RATs is taken out of the system, the others can still reinstall it. Furthermore, off-the-shelf tools like SharpShares, and SoftPerfect Network Scanner, are being utilized by the group.
The tools are saved on spyware with fake names that make them appear to be legitimate These technologies enable threat actors to conduct basic reconnaissance tasks, acquire access to additional resources, and steal data from compromised networks in addition to RATs.