
Scammers Impersonating European Anti-Fraud Office to Launch Phishing Campaigns


Threat analysts have unearthed multiple incidents of fraud and phishing attempts via malicious texts, letters, and scam phone calls purporting to be from OLAF, the European Anti-Fraud Office. 

The European Anti-Fraud Office (also known as OLAF) is the body mandated by the European Union (EU) to protect the Union's financial interests. It was established on 28 April 1999 under European Commission Decision 1999/352. 

To target entities and individuals, scammers often use the European Commission's or OLAF's logo and impersonate OLAF staff members to look convincing. They lure victims by offering to transfer money to them on the condition that the victim first pays a charge and provides financial and personal data.

European Anti-Fraud Office methodology 

OLAF's investigators achieve their goal by conducting independent internal and external investigations. OLAF also coordinates the activities of its anti-fraud partners in the Member States to counter fraud. 

OLAF supplies EU member states with the necessary support and passes technical knowledge to assist them in anti-fraud activities. It also contributes to the design of the anti-fraud strategy of the European Union and takes adequate measures to strengthen the relevant legislation. 

Targeting prominent names and businesses 

Earlier this year, in April, the European Union's anti-fraud agency accused France's far-right presidential candidate Marine Le Pen and members of her party of misusing thousands of euros' worth of EU funds while serving in the European Parliament. 

According to the investigative website Mediapart, the OLAF report claimed Le Pen had misappropriated 140,000 euros of public money and that, together with party members, 617,000 euros had been diverted. None were accused of profiting directly, but of claiming EU funds for staff and event expenses. 

In 2017, OLAF put an end to an intricate fraud scheme in which more than EUR 1.4 million worth of European Union funds, meant for emergency response hovercraft prototypes, had been misused. 

The investigators uncovered the fraud during their investigation into alleged irregularities in a Research and Innovation project granted to a European consortium. The Italian-led consortium, with partners in France, Romania, and the United Kingdom, was responsible for managing two hovercraft prototypes to be used as emergency watercraft able to reach remote areas in case of environmental accidents. 

During on-the-spot checks performed in Italy by OLAF and the Italian Guardia di Finanza, OLAF identified multiple disassembled components of one hovercraft, as well as another hovercraft that was completed after the project deadline. It became clear that, in order to obtain the EU funds, the Italian partners had falsely attested to the existence of the structural and economic conditions required to carry out the project. 

Preventive tips 

The European Anti-Fraud Office recommends users follow the tips mentioned below: 

If an individual receives any such request regarding transferring money and claims to be from OLAF or one of its staff members, then it is a scam because OLAF NEVER offers or requests money transfers to or from citizens. OLAF only investigates fraud impacting the EU budget, and suspicions of misconduct by EU staff. Additionally, do not reply or carry out any of the actions contained in the correspondence.

The impacted individual should immediately report any fraud and/or phishing attempt to national authorities competent for crimes and/or cybercrime. OLAF does not investigate scams related to cryptocurrencies or personal finances.

PyPI Alerts of First-ever Phishing Campaign Against its Users


The Python Package Index, PyPI, issued a warning this week about an ongoing phishing campaign aimed at stealing developer credentials and injecting malicious updates into the repository's packages.

“Today we received reports of a phishing campaign targeting PyPI users. This is the first known phishing attack against PyPI.” states the warning.

The phishing messages try to trick recipients into clicking a link, supposedly to comply with a new mandatory Google validation process for all packages. Recipients are urged to complete the validation by September to avoid having their packages removed from PyPI.

When users click the link, they are taken to a Google Sites landing page that looks similar to PyPI's login page. After obtaining the user account credentials, the attackers were able to push malicious updates to legitimate packages.

“The phishing attempt and the malicious packages are linked by the domain linkedopports[.]com, which appears in the malicious package code and also functions as the location to which the phishing site tries to send the stolen credentials.” reads the analysis published by Checkmarx.

The malicious packages in this campaign attempt to download and execute a file from the URL hxxps:/python-release[.]com/python-install.scr. The packages had a low detection rate at the time of discovery; the malicious code is digitally signed and unusually large (63MB) in an attempt to evade AV detection.

The researchers also discovered another domain associated with this attacker's infrastructure, "ledgdown[.]com," which was registered under the same IP address. This domain masquerades as the official website of the cryptocurrency assets app "ledger live."
“This is another step in the attacks against open source packages and open source contributors.” concludes the post. “We recommend checking your network traffic against the IOCs listed below and as always, encouraging contributors to use 2FA.”

PyPI announced that it is revising the eligibility requirements for its hardware security key programme in the aftermath of the phishing attack. Any maintainer of a critical project is now eligible, regardless of whether they already have TOTP-based 2FA enabled, it said.

Binance Executive: Scammers Created a 'Deep Fake Hologram' of him to Fool Victims


According to a Binance public relations executive, fraudsters created a deep-fake "AI hologram" of him to scam cryptocurrency projects via Zoom video calls.

Patrick Hillmann, chief communications officer at the crypto hypermart, stated he received messages from project teams thanking him for meeting with them virtually to discuss listing their digital assets on Binance over the past month. This raised some suspicions because Hillmann isn't involved in the exchange's listings and doesn't know the people messaging him.

"It turns out that a sophisticated hacking team used previous news interviews and TV appearances over the years to create a 'deep fake' of me," Hillmann said. "Other than the 15 pounds that I gained during COVID being noticeably absent, this deep fake was refined enough to fool several highly intelligent crypto community members."

In his write-up this week, Hillmann included a screenshot of a project manager asking him to confirm that he was, in fact, on a Zoom call. The hologram is the latest example of cybercriminals impersonating Binance employees and executives on Twitter, LinkedIn, and other social media platforms.

Scams abound in the cryptocurrency world.
Despite highlighting the wealth of security experts and systems at Binance, Hillmann insisted that users must be the first line of defence against scammers. He wrote that they can do so by being vigilant, using the Binance Verify tool, and reporting anything suspicious to Binance support.

“I was not prepared for the onslaught of cyberattacks, phishing attacks, and scams that regularly target the crypto community. Now I understand why Binance goes to the lengths it does,” he added.

The only proof Hillmann provided was a screenshot of a chat with someone asking him to confirm a Zoom call they had previously had. Hillmann responds: “That was not me,” before the unidentified person posts a link to somebody’s LinkedIn profile, telling Hillmann: “This person sent me a Zoom link then your hologram was in the zoom, please report the scam”.

The fight against deepfakes
Deepfakes are becoming more common in the age of misinformation and artificial intelligence, as technological advancements make convincing digital impersonations of people online more viable.

They are sometimes highly realistic fabrications that have sparked global outrage, particularly when used in a political context. A deepfake video of Ukrainian President Volodymyr Zelenskyy was posted online in March of this year, with the digital impersonation of the leader telling citizens to surrender to Russia.

On Twitter, one version of the deepfake was viewed over 120,000 times. In its fight against disinformation, the European Union has targeted deepfakes, recently requiring tech companies such as Google, Facebook, and Twitter to take countermeasures or face heavy fines.

Researchers: AiTM Attacks are Targeting Google G-Suite Enterprise Users


A large-scale adversary-in-the-middle (AiTM) phishing campaign targeting enterprise users of Microsoft email services has also targeted Google Workspace users. 

"This campaign specifically targeted chief executives and other senior members of various organizations which use [Google Workspace]," Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu detailed in a report published this month.

The AiTM phishing attacks are said to have begun in mid-July 2022, using a similar method to a social engineering campaign designed to steal users' Microsoft credentials and even circumvent multi-factor authentication. 

The low-volume Gmail AiTM phishing campaign also includes the use of compromised emails from CEOs to conduct additional social engineering, with the attacks also utilizing several compromised domains as an intermediate URL redirector to take victims to the final landing page.

Attack chains entail sending password expiry emails to potential targets containing an embedded malicious link to supposedly "extend your access"; clicking it takes the recipient through Google Ads and Snapchat redirect pages that load the phishing page URL.

Aside from open redirect abuse, a second variant of the attacks uses compromised sites to host a Base64-encoded version of the next-stage redirector in the URL, along with the victim's email address. This intermediate redirector is a piece of JavaScript code that directs the victim to a Gmail phishing page.
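As an added example (not code from the Zscaler report), the following Python helper looks for this pattern in URLs from a click or proxy log: it decodes plausible base64 tokens found in the path, query and fragment and flags any that decode to a URL, reporting an embedded email address alongside it. The sample URLs, the redirector host and the victim address are constructed for the example.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# What a decoded redirector payload typically carries: the next-stage URL
# and the targeted user's e-mail address.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# A plausible base64 token: standard or URL-safe alphabet, long enough to
# hold a URL, optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")


def decode_b64_token(token):
    """Decode a standard or URL-safe base64 token to printable text, else None."""
    if not B64_RE.match(token):
        return None
    unpadded = token.rstrip("=")
    padded = unpadded + "=" * (-len(unpadded) % 4)
    try:
        if "-" in padded or "_" in padded:
            raw = base64.urlsafe_b64decode(padded)
        else:
            raw = base64.b64decode(padded, validate=True)
        text = raw.decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are subclasses
        return None
    return text if text.isprintable() else None


def candidate_tokens(url):
    """Yield the percent-decoded path segments, query values and fragment of url."""
    parts = urlsplit(url)
    for seg in parts.path.split("/"):
        if seg:
            yield unquote(seg)
    for pair in parts.query.split("&"):
        if pair:
            # split on the first '=' only so base64 padding survives; unquote
            # (not unquote_plus) keeps a literal '+' intact
            yield unquote(pair.split("=", 1)[-1])
    if parts.fragment:
        yield unquote(parts.fragment)


def find_encoded_redirects(url):
    """Return [(next_stage_url, victim_email_or_None), ...] hidden in base64 tokens of url."""
    hits = []
    for token in candidate_tokens(url):
        text = decode_b64_token(token)
        if text is None:
            continue
        email = EMAIL_RE.search(text)
        for match in URL_RE.finditer(text):
            hits.append((match.group(0), email.group(0) if email else None))
    return hits


def triage(urls):
    """Return (url, hits) for every logged URL that carries an encoded next-stage redirect."""
    flagged = []
    for url in urls:
        hits = find_encoded_redirects(url)
        if hits:
            flagged.append((url, hits))
    return flagged


# Constructed sample (not from the report): a compromised site carrying the
# next-stage redirector and the victim's address, base64-encoded in the query.
_NEXT_STAGE = "https://redirector.example.invalid/r.js?u=ceo@example.invalid"
_BLOB = base64.urlsafe_b64encode(_NEXT_STAGE.encode()).decode().rstrip("=")
SAMPLE_URLS = [
    "https://compromised-blog.example.invalid/wp-includes/go.php?d=" + _BLOB,
    "https://www.example.invalid/docs/index.html?lang=en&page=2",
    # a benign base64 value that does not decode to a URL
    "https://shop.example.invalid/cart?item="
    + base64.b64encode(b"sku-4411-blue-large").decode(),
]

if __name__ == "__main__":
    for url, hits in triage(SAMPLE_URLS):
        for next_stage, email in hits:
            print(f"{url}\n  -> next stage: {next_stage}\n  -> target: {email}")
```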

In one case, the redirector page used in the Microsoft AiTM phishing attack on July 11, 2022, was revised to take the user to a Gmail AiTM phishing page, connecting the two campaigns.

"There was also an overlap of infrastructure, and we even identified several cases in which the threat actor switched from Microsoft AiTM phishing to Gmail phishing using the same infrastructure," the researchers said.

Overall, the findings suggest that multi-factor authentication safeguards alone are insufficient to defend against advanced phishing attacks, necessitating that users scrutinize URLs before entering credentials and avoid opening attachments or clicking on links in emails sent from untrusted or unknown sources.

Global Scam Operation "Classiscam" Expanded to Singapore


Classiscam, a sophisticated scam-as-a-service operation, has now expanded to Singapore, more than 1.5 years after moving into Europe. 

"Scammers posing as legitimate buyers approach sellers with the request to purchase goods from their listings and the ultimate aim of stealing payment data," Group-IB said in a report shared with The Hacker News. 

The operators were described as a "well-coordinated and technologically advanced scammer criminal network" by the cybersecurity firm. Classiscam is a Russia-based cybercrime operation that was originally detected in the summer of 2019 but only came to light a year later, coinciding with an uptick in activity due to the increase in online buying during the COVID-19 pandemic. 

Classiscam, the pandemic's most commonly used fraud scheme, targets consumers who use marketplaces and services related to property rentals, hotel bookings, online bank transfers, online retail, ride-sharing, and package deliveries. The scheme initially targeted users of major Russian classified-ad sites and marketplaces before spreading to Europe and the United States. 

Over 90 active organisations are said to be utilising Classiscam's services to target consumers in Bulgaria, the Czech Republic, France, Kazakhstan, Kirghizia, Poland, Romania, Ukraine, the United States, and Uzbekistan. The fraudulent operation spans 64 countries in Europe, the Commonwealth of Independent States (CIS), and the Middle East, and employs 169 brands to carry out the assaults. Criminals using Classiscam are reported to have gained at least $29.5 million in unlawful earnings between April 2020 and February 2022. 

This campaign is remarkable for its dependence on Telegram bots and chats to coordinate activities and generate phishing and scam pages. Here's how it all works: scammers place bait advertisements on popular marketplaces and classified websites, frequently offering game consoles, laptops, and cellphones at steeply discounted prices. When a potential victim contacts the seller (i.e., the threat actor) via the online storefront, the Classiscam operator dupes the target into continuing the conversation on a third-party messaging service like WhatsApp or Viber before sending a link to a rogue payment page to complete the transaction. 

The scheme includes a hierarchy of administrators, workers, and callers. While administrators are in charge of recruiting new members, automating the creation of scam pages, and registering new accounts, it is the workers who create accounts on free classifieds websites and submit the fake advertisements. 

"Workers are key participants of the Classiscam scam scheme: their goal is to attract traffic to phishing resources," the researchers said. 

In turn, the phishing URLs are produced by Telegram bots that replicate the payment pages of local classified websites but are hosted on lookalike domains. This requires the workers to submit the URL of the bait product to the bot. 

"After initial contact with the legitimate seller, the scammers generate a unique phishing link that confuses the sellers by displaying the information about the seller's offer and imitating the official classified's website and URL," the researchers said. 

"Scammers claim that payment has been made and lure the victim into either making a payment for delivery or collecting the payment." 

The phishing pages also offer the option of checking the victim's bank account balance in order to find the most "valuable" cards. Furthermore, some cases involve a second attempt to deceive the victims by phoning them and requesting a refund in order to collect their money back. 

These calls are made by assistant employees posing as platform tech support professionals. In this scenario, the targets are sent to a fraudulent payment page where they must input their credit card information and confirm it with an SMS passcode. Instead of a refund, the victim's card is charged the same amount again.

While the method described above is an example of a seller scam, in which a buyer (i.e., the victim) receives a phishing payment link and is cheated of their money, buyer scams also exist.

A fraudster contacts a legitimate vendor as a client and sends a bot-generated fraudulent payment form imitating a marketplace, ostensibly for verification purposes. However, after the seller inputs their bank card details, an amount equal to the cost of the goods is debited from their account.

Classiscammers' complete attack infrastructure consists of 200 domains, 18 of which were constructed to deceive visitors of an undisclosed Singaporean classified website. Other sites in the network masquerade as Singaporean movers, European, Asian, and Middle Eastern classified websites, banks, markets, food and cryptocurrency businesses, and delivery services.

"As it sounds, Classiscam is far more complex to tackle than the conventional types of scams," Group-IB's Ilia Rozhnov said. "Unlike the conventional scams, Classiscam is fully automated and could be widely distributed. Scammers could create an inexhaustible list of links on the fly."

"To complicate the detection and takedown, the home page of the rogue domains always redirects to the official website of a local classified platform."

Alert! This Huge Network of 11,000 Fake Investment Sites Targets Europe


Researchers discovered a massive network of over 11,000 domains used to market several bogus investment schemes to European users. 
To establish an air of credibility and attract a wider pool of victims, the platforms display false evidence of affluence and fabricated celebrity endorsements. The operation's purpose is to dupe people into believing they have a chance at high-return investments and persuade them to pay a minimum of 250 EUR ($255) to sign up for the bogus services. 

Group-IB researchers found the operation and documented the vast network of phishing sites, content hosting, and redirections. More than 5,000 of the discovered malicious domains are still operational, according to Group-IB. At the moment, the countries targeted by this initiative are the United Kingdom, Belgium, Germany, the Netherlands, Portugal, Poland, Norway, Sweden, and the Czech Republic. 

Scamming Process 

To reach as many users as possible, the fraudsters promote the ads on multiple social media platforms or through hacked Facebook and YouTube accounts. Victims who fall for the scam and click on the advertisements to learn more are sent to landing pages with supposed success stories. 

The crooks then ask for contact information. In an extensive social engineering scam, a "customer agent" from a call centre contacts the victim and presents the investment terms and conditions. Eventually, the victim is persuaded to deposit at least 250 EUR, while the information entered on the fake site is saved and used in future operations or sold on the dark web. 

After depositing the cash, the victim gains access to a bogus investment dashboard that purports to show daily returns. This is done to maintain the illusion of a legitimate investment and entice victims to deposit more money in exchange for higher earnings. 

The fraud is uncovered when the victim attempts to withdraw money from the site without first requesting final payment. Group-IB researchers spoke with the fraudsters and recorded their conversation with the operator during the investigation. Parts of this audio have been muted for privacy reasons. 

Investments are never risk-free, so promises of guaranteed profits should be seen as red flags. Furthermore, genuine investment platforms do not provide personal account managers for modest deposits.

CEO of Multiple Fake Companies Charged in $1bn Counterfeit Scheme to Traffic Fake Cisco Devices


Last Friday, the US Department of Justice (DOJ) revealed that a Florida resident named Ron Aksoy had been arrested and charged with selling thousands of fake and counterfeit Cisco products over 12 years. 

Aksoy, also known as Dave Durden, allegedly operated at least 19 firms based in New Jersey and Florida, as well as at least 15 Amazon stores, around 10 eBay storefronts, and many additional corporations, in a scheme worth more than $1 billion. Aksoy faces three counts of mail fraud, four counts of wire fraud, and three counts of trafficking in counterfeit products. 

According to court records, the fraudulent firms purchased tens of thousands of counterfeit Cisco networking devices from China and Hong Kong and resold them to consumers in the United States and across the world, fraudulently advertising the items as new and authentic. Chinese counterfeiters modified older, lower-model products (some of which had been sold or discarded) to appear to be authentic versions of newer, improved, and more expensive Cisco gear. 

As a result, the fraudulent and counterfeit items had severe performance, functionality, and safety issues, costing users tens of thousands of dollars. According to the indictment, between 2014 and 2022, Customs and Border Protection (CBP) confiscated approximately 180 shipments of counterfeit Cisco equipment being transported to the Pro Network Entities (the fraudulent firm name under which Aksoy operated) from China and Hong Kong. 

In response to some of these seizures, Aksoy allegedly submitted fraudulent official documents to CBP using the pseudonym "Dave Durden," which he also used to communicate with Chinese co-conspirators. The entire enterprise reportedly generated over $100 million in income, with Aksoy keeping a sizable portion while his co-conspirators received the remainder. Potential victims have been advised to get in touch with authorities. 

The DOJ has developed a publicly available list of Pro Network firms, as well as the accused criminal's eBay and Amazon stores.

Reverse Tunnelling & URL Shortening Services Used in Evasive Phishing


Researchers are detecting an increase in the use of reverse tunnel services, as well as URL shorteners, for large-scale phishing operations, making malicious activity more difficult to detect. This strategy differs from the more typical practice of registering domains with hosting providers, who are more inclined to respond to complaints and take down phishing sites. 

Threat actors can use reverse tunnels to host phishing websites locally on their own computers and route connections through an external service. They can evade detection by using a URL shortening service to produce new links as frequently as they desire. Many phishing URLs are renewed in less than 24 hours, making tracing and eliminating the domains more complex. 

CloudSEK, a digital risk prevention company, has seen a rise in the number of phishing efforts that combine reverse tunnelling and URL shortening services. According to a report shared with BleepingComputer by the business, researchers discovered more than 500 sites hosted and disseminated in this manner. CloudSEK discovered that the most extensively misused reverse tunnel services are Ngrok, LocalhostRun, and Cloudflare's Argo. They also saw an increase in the use of URL shortening services such as Bit.ly, is.gd, and cutt.ly. 

Reverse tunnel services protect the phishing site by handling all connections to the local server where it is hosted. The tunnel service accepts incoming connections and forwards them to the local computer. Victims who interact with these phishing sites have their personal data saved directly on the attacker's computer. According to CloudSEK, the threat actor then conceals the tunnel URL, whose hostname is often a string of random characters, behind a URL shortener. 

As a result, a suspicious domain name is masked behind a short URL. Adversaries, according to CloudSEK, distribute these links through popular communication channels such as WhatsApp, Telegram, email, SMS, or bogus social media pages. It is important to note that the abuse of these services is not new. 

In February 2021, for example, Cyble produced proof of Ngrok misuse. However, according to CloudSEK's results, the situation is worsening. CloudSEK discovered one phishing campaign that impersonated YONO, a digital banking platform provided by the State Bank of India. The attacker's URL was masked under "cutt[.]ly/UdbpGhs" and directed to the site "ultimate-boy-bacterial-generates[.]trycloudflare[.]com/sbi," which made use of Cloudflare's Argo tunnelling service. 

This phishing page asked for bank account information, PAN card numbers, Aadhaar unique identification numbers, and mobile phone numbers. CloudSEK did not disclose the effectiveness of this operation, but it did point out that threat actors seldom use the same domain name for more than 24 hours, though they do recycle the phishing page designs.
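As an added example (not code from CloudSEK's report), a Python triage helper for the shortener-plus-tunnel pattern described above: it refangs indicators, tags a URL whose host sits under a reverse tunnel service or a URL shortener, and rates a click higher when a shortened link resolved to a tunnel host. The tunnel-domain mapping and the random-words heuristic are assumptions for this example; the click log is constructed, reusing only the two indicators quoted above.

```python
from urllib.parse import urlsplit

# Hosting domains of the reverse tunnel services named in the report. The
# mapping is an assumption for this example; extend it for your environment.
TUNNEL_SUFFIXES = {
    "ngrok.io": "Ngrok",
    "trycloudflare.com": "Cloudflare Argo",
    "localhost.run": "LocalhostRun",
}
# URL shorteners named in the report.
SHORTENER_DOMAINS = {"bit.ly", "is.gd", "cutt.ly"}


def refang(url):
    """Undo the hxxp:// and [.] defanging commonly used when sharing indicators."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def hostname(url):
    """Lower-cased host of a URL; a bare 'host/path' string is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registered_suffix(host, suffixes):
    """Return the entry of `suffixes` that host equals or is a subdomain of, else None."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in suffixes:
            return candidate
    return None


def classify(url):
    """Tag a URL as served through a reverse tunnel and/or hidden behind a shortener."""
    host = hostname(refang(url))
    tags = []
    tunnel = registered_suffix(host, TUNNEL_SUFFIXES)
    if tunnel and host != tunnel:  # the vendor's own site is not a tunnel
        tags.append("reverse-tunnel:" + TUNNEL_SUFFIXES[tunnel])
        # Heuristic (assumed): quick-tunnel names are several random words
        # joined by hyphens, like the subdomain quoted in the report.
        if host[: -len(tunnel) - 1].count("-") >= 2:
            tags.append("random-words-subdomain")
    if registered_suffix(host, SHORTENER_DOMAINS):
        tags.append("url-shortener")
    return tags


def triage(clicks):
    """Rate (seen, final) pairs: 'high' when a shortener hid a tunnel host, 'medium' for a tunnel alone."""
    findings = []
    for seen, final in clicks:
        final_tags = classify(final)
        if not any(t.startswith("reverse-tunnel") for t in final_tags):
            continue
        via_shortener = "url-shortener" in classify(seen)
        severity = "high" if via_shortener else "medium"
        findings.append((seen, final, severity, final_tags))
    return findings


# Constructed click log: (link as the user saw it, where it finally resolved).
# The first pair reuses the indicators quoted in the report; the rest are invented.
SAMPLE_CLICKS = [
    ("cutt[.]ly/UdbpGhs",
     "hxxps://ultimate-boy-bacterial-generates[.]trycloudflare[.]com/sbi"),
    ("https://bit.ly/constructed-example", "https://www.example.invalid/newsletter"),
    ("https://intranet.example.invalid/hr/payslips",
     "https://intranet.example.invalid/hr/payslips"),
]

if __name__ == "__main__":
    for seen, final, severity, tags in triage(SAMPLE_CLICKS):
        print(f"[{severity}] {seen} -> {final} {tags}")
```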

"Even if a URL is reported or blocked, threat actors can easily host another page, using the same template" - CloudSEK 

This sensitive information may be sold on the dark web or utilised by attackers to deplete bank accounts. If the information comes from a business, the threat actor might use it to execute ransomware attacks or business email compromise (BEC) fraud. 

Users should avoid clicking on links obtained from unknown or dubious sources to protect themselves from this sort of danger. Manually typing a bank's domain name into the browser is an excellent way to avoid being exposed to a bogus website.

HR Manager of Private Company Duped of ₹28 Lakh


The cybercrime police are looking for a person who pretended to be the managing director of a private company and duped the firm's HR manager into transferring ₹28.8 lakh online before disappearing. 

On Sunday, the police registered a case against the unknown individual under various sections of the IT Act, as well as for cheating and impersonation under the IPC, based on a complaint filed by Nirmal Jain, the owner of the private enterprise. 

According to Mr. Jain's allegation, the accused sent a WhatsApp message to HR manager Thirupathi Rao pretending to be Paras Jain, the company's MD. The MD's image was on the WhatsApp profile, and the message stated that it was his personal number and that he was at a meeting and should not be disturbed. 

The individual then requested that Mr. Rao move funds to three bank accounts online on an emergency basis. Mr. Rao followed the instructions and transferred a total of ₹28,89,807 to the private bank account numbers specified in the messages. When he told senior officials about the transactions, the scam was discovered. 

Based on the transaction information, the authorities are now attempting to locate the accused. This is a new trend among internet fraudsters who download the profile images of senior executives of organisations in order to scam their office staff, according to experts.

Bad Bot Traffic is Significantly Contributing to Rise of Online Scam


Recently, many organizations have been left wrestling with the challenge of overcoming the rise in bot traffic, also sometimes referred to as non-human traffic. According to an Imperva analysis, bad bots, or software applications that conduct automated operations with malicious intent, accounted for a record-breaking 27.7% of all global internet traffic in 2021, up from 25.6% in 2020. Account takeover (ATO), content or price scraping, and scalping to purchase limited-availability items were the three most common bot attacks. 

Bot traffic has the potential to damage organisations if they do not learn how to recognise, control, and filter it. Sites that rely on advertising in addition to sites that sell limited-quantity products and merchandise are particularly vulnerable. Bad bots are frequently the first sign of online fraud, posing a threat to both digital enterprises and their customers. 

Evasive bad bots, a grouping of moderate and advanced bad bots that circumvent ordinary security protections, accounted for 65.6% of all bad bot traffic in 2021. This type of bot employs the most advanced evasion strategies, such as cycling through several IP addresses, using anonymous proxies, changing identities, and imitating human behaviour. 

Bad bots make it possible to exploit, misuse, and assault websites, mobile apps, and APIs at high speed. Personal information, credit card details, and loyalty points can all be stolen if an attack is successful. Organizations' non-compliance with data privacy and transaction requirements is exacerbated by automated misuse and online fraud. 

Bad bot traffic is increasing at a time when businesses are making investments to improve online customer experiences. More digital services, greater online functionality, and the creation of broad API ecosystems have all emerged.

Unfortunately, bad bot operators will use this slew of new endpoints to launch automated attacks. The key findings of the research are:
  • Account takeover grew 148% in 2021: In 2021, 64.1% of ATO attacks used an advanced bad bot. Financial Services was the most targeted industry (34.6%), followed by Travel (23.2%). The United States was the leading origin country of ATO attacks (54%) in 2021. The implications of account takeover are extensive; successful attacks lock customers out of their accounts, while fraudsters gain access to sensitive information that can be stolen and abused. For businesses, ATO contributes to revenue loss, risk of non-compliance with data privacy regulations, and tarnished reputations.
  • Travel, retail, and financial services targeted by bad bots: The volume of attacks originating from sophisticated bad bots was most notable across Travel (34.2%), Retail (33.8%), and Financial Services (8.8%) in 2021. These industries remain a prime target because of the valuable personal data they store behind user login portals on their websites and mobile apps.
  • The proportion of bad bot traffic differs by country: In 2021, Germany (39.6%), Singapore (39.1%), and Canada (30.2%) experienced the highest volumes of bad bot traffic, while the United States (29.1%) and the United Kingdom (29.7%) were also higher than the global average (27.7%) of bad bot traffic.
  • 35.6% of bad bots disguise as mobile web browsers: Mobile user agents were a popular disguise for bad bot traffic in 2021, accounting for more than one-third of all internet traffic, increasing from 28.1% in 2020. Mobile Safari was a popular agent in 2021 because bots exploited the browser’s improved user privacy settings to mask their behaviour, making them harder to detect.
According to the findings, no industry was immune to bad bot activity in 2021. Bots hoarding popular gaming consoles and clogging vaccine appointment scheduling sites gained attention in 2021, but any degree of bot activity on a website can create considerable downtime, degrade performance, and reduce service reliability.

Welcome “Frappo”: Resecurity Discovered a New Phishing-as-a-Service


The Resecurity HUNTER squad discovered "Frappo," a new underground service available on the Dark Web. "Frappo" is a Phishing-as-a-Service platform that allows fraudsters to host and develop high-quality phishing websites that imitate significant online banking, e-commerce, prominent stores, and online services in order to steal client information. 

Cybercriminals created the platform in order to distribute professional phishing content through spam campaigns. "Frappo" is widely advertised on the Dark Web and on Telegram, where it has a group of over 1,965 members in which hackers discuss their success in targeting users of various online sites. The service first appeared on the Dark Web on March 22, 2021, and has been substantially updated since. The most recent version of the service was registered on May 1, 2022. 

"Frappo" allows attackers to operate with stolen material in an anonymous and encrypted manner. It offers anonymous billing, technical assistance, upgrades, and a dashboard for tracking acquired credentials. "Frappo" was created as an anonymous cryptocurrency wallet based on a Metamask fork. It is totally anonymous and does not require a threat actor to create an account. 

Amazon, Uber, Netflix, Bank of Montreal (BMO), Royal Bank of Canada (RBC), CIBC, TD Bank, Desjardins, Wells Fargo, Citizens, Citi, and Bank of America are among the brands and financial institutions (FIs) for which the service creates phishing pages. The authors of "Frappo" offer hackers a variety of payment options based on the length of their subscription. "Frappo" works like SaaS-based services and platforms for legitimate enterprises, enabling hackers to reduce the cost of developing phishing kits and deploy them on a larger scale. Notably, the phishing page deployment procedure is totally automated, since "Frappo" uses a pre-configured Docker container and a secure channel to collect compromised credentials through an API. 

Once "Frappo" is properly configured, statistical data such as how many victims opened the phishing page, reached the login step and entered credentials, uptime, and the server status is collected and visualised. Compromised credentials appear in the "Logs" area alongside further information about each victim, such as IP address, User-Agent, Username, Password, and so forth. The phishing pages (or "phishlets") that have been discovered are of high quality and include interactive scenarios that fool victims into providing their login credentials. 

Threat actors have successfully leveraged services like "Frappo" for account takeover, business email compromise, and payment and identity data theft. Cybercriminals use sophisticated tools and methods to target consumers all over the world. Digital identity protection has become one of the top objectives for online safety, and as a result a new digital battleground has emerged, with threat actors hunting for stolen data.

Christian Lees, Chief Technology Officer (CTO) of Resecurity, Inc. stated, “Resecurity is committed to protecting consumers and enterprises all over the globe, and is actively involved in public-private partnerships to share actionable cyber threat intelligence (CTI) with financial institutions, technology companies and law enforcement to ultimately minimize the risk of credentials being compromised and data breaches being executed.”

Google SMTP Relay Service Exploited for Sending Phishing Emails


Phishers are exploiting a weakness in Google's SMTP relay service to send malicious emails that imitate well-known brands. Threat actors use this service to mimic other Gmail tenants, according to Avanan researcher Jeremy Fuchs. Since April 2022, Avanan has observed a massive rise in these SMTP relay abuse attacks in the wild. 

Organizations utilise Google's SMTP relay service to send out promotional messages to a large number of consumers without the risk of their mail server being blacklisted. 

Fuchs explained, “Many organizations offer this service. Gmail does as well, with the ability to route outgoing non-Gmail messages through Google. However, these relay services have a flaw. Within Gmail, any Gmail tenant can use it to spoof any other Gmail tenant. That means that a hacker can use the service to easily spoof legitimate brands and send out phishing and malware campaigns. When the security service sees avanan.com coming into the inbox, and it’s a real IP address from Gmail’s IP, it starts to look more legitimate.” 

As Gmail's SMTP relay servers are usually trusted, email security solutions are circumvented, and recipients see a legitimate-looking email address in the "From:" field. Users will only know something is wrong if they inspect the message headers. 

This brand impersonation method only works if the impersonated company or brand has not enabled a DMARC reject policy, according to Fuchs. DMARC is a DNS-based email authentication standard. It protects enterprises from impersonation threats by preventing malicious, spoofed emails from reaching their intended recipients. 

Using tools like MXToolbox, any phisher, or indeed anyone who uses the internet, can verify whether a DMARC reject policy has been enabled for a given domain. Trello and Venmo, for example, have not, according to Fuchs, while Netflix has. 

On April 23rd, 2022, Fuchs says he notified Google about how phishers were using its SMTP relay service. “Google noted that it will display indicators showing the discrepancy between the two senders, to aid the user and downstream security systems,” he told Help Net Security. 

He also points out that any SMTP relay could be vulnerable to this type of abuse. The DMARC protocol, which Google recommends, is the overarching solution to this well-known security issue. However, until that becomes the norm, recipients should verify the headers of unsolicited email messages and avoid opening attachments or clicking on links in those messages if they can't tell whether they're harmful. 

“We have built-in protections to stop this type of attack. This research speaks to why we recommend users across the ecosystem use the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol. Doing so will defend against this attack method, which is a well-known industry issue,” a Google spokesperson told Help Net Security.
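The DMARC check the article describes, as an added example (not Avanan's, Google's or this post's own code): it parses DMARC TXT records and models how a receiving server disposes of a message that fails SPF/DKIM alignment, which is the situation for a From: header forged through a third-party relay. The domains and DNS records are constructed, and the organizational-domain fallback is simplified to stripping labels rather than consulting the Public Suffix List.

```python
"""Parse DMARC records and model a receiver's disposition of spoofed mail.

Added example, not code from Avanan, Google or the original post.
The zone below is constructed for the demo; a real check queries the
TXT record at _dmarc.<domain>.
"""
from typing import Dict, Optional, Tuple

# Constructed sample zone: what a receiver would find at _dmarc.<domain>.
SAMPLE_DNS: Dict[str, str] = {
    "_dmarc.example-bank.test": "v=DMARC1; p=reject; sp=quarantine; pct=100; "
                                "rua=mailto:dmarc@example-bank.test",
    "_dmarc.example-shop.test": "v=DMARC1; p=none; rua=mailto:reports@example-shop.test",
    "_dmarc.example-app.test": "v=DMARC1; p=quarantine; pct=50",
}

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> Optional[dict]:
    """Split a DMARC TXT record into tags; None if it is not a valid DMARC record."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in VALID_POLICIES:
        return None
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        return None
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return None
    if not 0 <= pct <= 100:
        return None
    tags["pct"] = str(pct)
    return tags


def find_policy(from_domain: str, dns: Dict[str, str]) -> Tuple[Optional[dict], bool]:
    """Return (tags, matched_at_parent). Simplification: walk up the labels
    instead of computing the organizational domain from the Public Suffix List."""
    labels = from_domain.lower().strip(".").split(".")
    for i in range(len(labels) - 1):  # never treat the bare TLD as a domain
        name = "_dmarc." + ".".join(labels[i:])
        if name in dns:
            tags = parse_dmarc(dns[name])
            if tags is not None:
                return tags, i > 0
    return None, False


def receiver_disposition(from_domain: str, dns: Dict[str, str],
                         auth_passed: bool = False) -> dict:
    """Model how a DMARC-enforcing receiver handles mail whose From: is from_domain.

    auth_passed is the aligned SPF/DKIM result. A message pushed through
    someone else's SMTP relay with a forged From: fails alignment, so the
    default False is the spoofing case.
    """
    tags, at_parent = find_policy(from_domain, dns)
    if tags is None:
        return {"action": "accept", "reason": "no DMARC record published"}
    if auth_passed:
        return {"action": "accept", "reason": "DMARC pass"}
    # sp= applies only when the match came from a parent (organizational) domain.
    policy = tags.get("sp", tags["p"]) if at_parent else tags["p"]
    if policy == "none":
        return {"action": "accept", "reason": "p=none is monitor-only; spoof is delivered"}
    # RFC 7489 pct: the unsampled share of failing mail gets the next weaker policy.
    weaker = {"reject": "quarantine", "quarantine": "accept"}[policy]
    return {"action": policy, "sampled_pct": int(tags["pct"]),
            "unsampled_action": weaker, "reason": f"DMARC fail, policy={policy}"}


def is_spoof_resistant(from_domain: str, dns: Dict[str, str]) -> bool:
    """The MXToolbox-style question: does a forged From: get rejected outright?"""
    verdict = receiver_disposition(from_domain, dns)
    return verdict["action"] == "reject" and verdict.get("sampled_pct") == 100
```

Run `is_spoof_resistant` over your own sending domains; anything that returns False is a brand a relay-based spoof could still impersonate.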

YouTube Scammers Steal $1.7M in Fake Crypto Giveaway


According to Group-IB, a group of online scammers made approximately $1.7 million by promising cryptocurrency giveaways on YouTube. 

The group allegedly aired 36 YouTube videos between February 16 and 18, gaining at least 165,000 views, according to the Singapore-based security company. To lend credibility to their efforts, they included footage of tech entrepreneurs and crypto enthusiasts like Elon Musk, Brad Garlinghouse, Michael Saylor, Changpeng Zhao, and Cathie Wood. 

According to Group-IB, the channels were either hacked or bought on the black market. The streams the scammers set up included links to at least 29 websites with instructions on how to "double" cryptocurrency investments. 

'Investors' were encouraged to send a tiny sum of virtual currency and promised that they would be paid back twice that amount. Some victims were prompted to enter seed phrases to 'link' their wallets, depending on the cryptocurrency and wallet type utilised. 

Doing so allowed the fraudsters to take control of the wallet and withdraw all of its funds. The scammers received 281 transactions totalling nearly $1.7 million into their crypto wallets in just three days. The precise number of victims and the overall amount stolen, however, are unknown. 

Group-IB stated, “The fake crypto giveaway scheme is not new, but apparently is still having a moment. Further analysis of the scammers’ domain infrastructure revealed that the 29 websites were part of a massive network of 583 interconnected resources all set up in the first quarter of 2022. Notably, there were three times as many domains registered for this scheme in less than three months of 2022 compared to the whole of last year.” 

Crypto enthusiasts should be wary of freebies and avoid sharing personal information online, according to Group-IB. Users were also encouraged to double-check the authenticity of any promos and use a password manager to store any seed phrases.

Intuit Alerted About Phishing Emails Threatening to Delete Accounts


Customers of accounting and tax software supplier Intuit have been warned of an ongoing phishing attack impersonating the organisation and attempting to mislead victims with fraudulent account suspension notifications. 

Intuit issued the advisory after customers reported receiving notices claiming that their Intuit accounts had been disabled as a result of a recent server security upgrade. 

The attackers stated in the phishing messages, masquerading as the Intuit Maintenance Team, "We have temporarily disabled your account due to inactivity. It is compulsory that you restore your access within next 24 hours. This is a result of recent security upgrade on our server and database, to fight against vulnerability and account theft as we begin the new tax season." 

To regain access to their accounts, the receivers need to visit https://proconnect.intuit.com/Pro/Update right away. By clicking the link, they will most likely be redirected to a phishing site controlled by the attacker, which will seek to infect them with malware or steal their financial or personal information. 

Those who hesitate before clicking the embedded link are warned that they risk losing access to their accounts permanently. The financial software company stated the sender "is not associated with Intuit, is not an approved agent of Intuit, nor is their use of Intuit's brands authorised by Intuit," and that it isn't behind the emails. 

Customers who have received phishing emails are advised not to click any embedded links or open attachments, according to the maker of TurboTax and QuickBooks. 

To avoid being infected with malware or redirected to a phishing landing page that would try to steal their credentials, it's best to delete the emails. Customers who have already opened attachments or clicked links in phishing emails should take the following steps: 
  • Delete any downloaded files immediately. 
  • Scan their systems using an up-to-date anti-malware solution. 
  • Change their passwords. 

On its support page, Intuit also provides information on how users can safeguard themselves from phishing attacks. 

QuickBooks clients were also cautioned in October about phishing attacks that used bogus renewal charges as bait. In the same month, fraudsters contacted QuickBooks users through websites, telling them to upgrade to prevent their databases from being destroyed or their corporate backup files from being automatically erased, with the intent of taking over their accounts. 

Finland Alerted About Facebook Accounts Compromised via Messenger Phishing


The National Cyber Security Centre of Finland (NCSC-FI) has issued a warning about an ongoing phishing attack aimed at compromising Facebook accounts by impersonating victims' friends in Facebook Messenger conversations. 

According to the NCSC-FI, this ongoing scam targets any Facebook user who receives a message from an online acquaintance asking for their phone number and a confirmation code sent via SMS. If users provide the requested information, the attackers gain control of their accounts by changing the password and the email address linked to them. 

Once taken over, the compromised Facebook accounts are used to run the same scheme against more potential victims from their friend lists. 

“In the attempts, a hacked account is used to send messages with the aim of obtaining the recipients' telephone numbers and two-factor authentication codes to hijack their Facebook accounts," the cybersecurity agency described. 

The scammers follow these steps to compromise the victims' Facebook accounts: 
• They start by sending a message through Facebook Messenger from the previously compromised friend's account. 
• They request the target's phone number, claiming to be able to assist with the registration for an online contest with cash awards worth thousands of euros. 
• The next step is to request a code that was supposedly given via SMS by the contest organizers to verify the entry. 
• If the fraudsters obtain the SMS confirmation code, they will combine it with the phone number to gain access to and hijack the victim's Facebook account. 

The NCSC-FI advised, "The best way to protect yourself from this scam is to be wary of Facebook messages from all senders, including people you know. If the message sender is a friend, you can contact him, for example, by phone and ask if he is aware of this message. This information should not be disclosed to strangers." 

Meta (previously Facebook) recently filed a federal lawsuit in a California court to stop further phishing attacks currently targeting Facebook, Messenger, Instagram, and WhatsApp users. 

Around 40,000 phishing sites impersonating the four platforms' login pages were used by the threat actors behind these phishing attacks. These lawsuits are part of a lengthy series of lawsuits filed by Facebook against attackers who target its users and exploit its platform for nefarious purposes.

Stolen TikTok Videos have Infiltrated YouTube Shorts


Scammers are taking full advantage of the debut of Google's new TikTok competitor, YouTube Shorts, which has proven to be an excellent platform for feeding stolen content to billions of engaged viewers. Researchers have cautioned that this content is being exploited to conduct rackets such as advertising adult dating websites, hustling diet pills, and selling marked-up commodities. Although YouTube Shorts is still in beta, scammers have had plenty of time to shift their best TikTok-tested flimflams over to the Google cosmos, which is already populated by billions of viewers. 

Satnam Narang, a Tenable analyst, has been analyzing social media for over a decade and discovered that scammers are having great success stealing TikTok's most viral videos and exploiting them on YouTube Shorts to get viewers to click on a variety of sites and links. Narang examined 50 distinct YouTube channels and discovered that, as of December, they had accumulated 3.2 billion views across at least 38,293 videos stolen from TikTok creators. He stated that the YouTube channels had over 3 million subscribers. 

The most common type of fraud Narang discovered was the use of extremely popular TikTok videos, especially challenges showing gorgeous women, to serve links to adult dating sites that run affiliate programmes that pay for clicks.

These websites pay affiliates on a cost per action (CPA) or cost per lead (CPL) basis to incentivize them. Scammers, on the other hand, have started taking advantage of these affiliate offers to gain cash by duping users of social media networks. Scammers only need to persuade consumers to visit these adult dating websites and sign up with an email address, whether valid or not. When a visitor to an adult dating website becomes a registered user, the fraudster is able to get anywhere from $2–$4 for the successful CPL conversion. 

“While adult-dating scams proliferate across many platforms, the introduction of YouTube Shorts, with its enormous potential reach and built-in audience, is fertile ground that will only serve to help these scams become even more widespread,” Narang explained. “This trend is alarming because of how successful these tactics have become so quickly on YouTube Shorts, based on the volume of video views and subscribers on these fake channels promoting stolen content.” 

Viewers of YouTube Shorts were also offered advertisements with viral TikTok exercise videos for trending products, such as the pants dubbed "the leggings" on social media. The famous leggings, with a seam across the back to improve even the flattest posterior, were being offered on YouTube Shorts at a markup by scammers expecting the new breed of customers wouldn't notice the padded price, Narang discovered.

$50 Million Lost to Fraudsters Impersonating as Broker-Dealers


A California man admitted his involvement in a large-scale and long-running Internet-based fraud scam that allowed him and other fraudsters to drain about $50 million from hundreds of investors.

Between 2012 and October 2020, Allen Giltman, 56, and his co-conspirators constructed phoney websites to collect money from people via the internet by advertising various investment opportunities (mainly the purchase of certificates of deposit). 

According to court documents, "The Fraudulent Websites advertised higher than average rates of return on the CDs, which enhanced the attractiveness of the investment opportunities to potential victims. At times, the fraudulent websites were designed to closely resemble websites being operated by actual, well-known, and publicly reputable financial institutions; at other times, the fraudulent websites were designed to resemble legitimate-seeming financial institutions that did not exist." 

They advertised the phoney investment sites in Google and Microsoft Bing search results for phrases like "best CD rates" and "highest cd rates." The scammers pretended to be FINRA broker-dealers in interactions with victims seeking investment possibilities, claiming to be employed by the financial companies they imitated on the scam sites. 

To mask their genuine identities during the fraud schemes, they employed virtual private networks (VPNs), prepaid gift cards to register web domains, prepaid phones and encrypted applications to interact with their targets, and false invoices to explain the huge wire transfers they obtained from their victims. 

"To date, law enforcement has identified at least 150 fraudulent websites created as part of the scheme," the Justice Department stated. 

"At least 70 victims of the fraud scheme nationwide, including in New Jersey, collectively transmitted approximately $50 million that they believed to be investments." 

The charge of wire fraud conspiracy, which Giltman admitted to, carries a possible sentence of 20 years in prison, while the charge of securities fraud carries a maximum sentence of five years in prison. Both are punishable by fines of $250,000 or double the gross gain or loss from the offence, whichever is greater. Giltman is scheduled to be sentenced on May 10, 2022. 

Stay Vigilant

The FBI's Criminal Investigative Division and the Securities and Exchange Commission cautioned investors in July 2021 that scammers were posing as registered financial professionals such as brokers and investment advisers. 

The July alert came after FINRA issued a similar fraud alert the same week regarding broker imposter frauds involving phishing sites that impersonate brokers and faked SEC or FINRA registration documents. 

"Fraudsters may falsely claim to be registered with the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA) or a state securities regulator in order to lure investors into scams, or even impersonate real investment professionals who actually are registered with these organizations," the FBI and SEC stated. 

Investors should first use the Investor.gov search engine to see if people marketing investment possibilities are licensed or registered, and then ensure they're not scammers by contacting the seller using independently confirmed contact information from the firm's Client Relationship Summary (Form CRS).

Consumers Warned of Rising Delivery Text Scams


Consumers are being advised to be wary of delivery scam texts while shopping online for the Christmas and Boxing Day sales. 

New research from cybersecurity firm Proofpoint, cited by UK Finance, shows that delivery 'smishing' scams are on the rise during the busiest shopping season of the year. So far in Q4, more than half (55.94%) of all reported smishing text messages impersonated parcel and package delivery firms. In Q4 2020, delivery scams accounted for only 16.37 percent of smishing attempts. 

In comparison to Q4 2020, Proofpoint saw a considerable decrease in other types of smishing fraud in Q4 2021. Text scams mimicking financial institutions and banks, for example, accounted for 11.73 percent of all smishing attacks in 2021, compared to 44.57 percent in 2020. 

The information comes from Proofpoint's operation of the NCSC's 7726 text message system. Customers can use this method to report suspicious texts. 

Delivery smishing scams typically begin with a fraudster sending a bogus text message to the recipient alerting them that the courier was unable to make a delivery and demanding a charge or other information to rearrange. The consumer will be directed to a fake package delivery company's website, where they will be asked to provide personal and financial information. 

Following the significant growth in online shopping during COVID-19, this form of scam has become increasingly common. Over two-thirds (67.4%) of all UK texts were reported as spam to the NCSC's 7726 text messaging system in the 30 days to mid-July 2021, according to Proofpoint. 

Which? revealed a very clever smishing fraud involving an extremely convincing DPD fake website in a recent investigation. 

Katy Worobec, managing director of economic crime at UK Finance, commented: “Scrooge-like criminals are using the festive season to try to trick people out of their cash. Whether you’re shopping online or waiting for deliveries over the festive period, it’s important to be on the lookout for scams. Don’t let fraudsters steal your Christmas – always follow the advice of the Take Five to Stop Fraud campaign and stop and think before parting with your information or money.” 

Steve Bradford, senior vice president EMEA at SailPoint, stated: “The sharp rise in text message scams – or smishing, which has increased tenfold compared to last year, should be a stark warning to the public. With parcel delivery scam texts expected to spike this Christmas, it’s clear cyber-criminals are using every opportunity available to target victims using new methods. This comes as more businesses use SMS to engage with customers, to accommodate the digital-first mindset that now characterizes many consumers. But this also opens the doors to threat actors able to masquerade as popular websites or customer service support."

“Consumers must be extra vigilant and refrain from clicking any links in text messages that they’re unsure about. It’s also crucial they are keeping their data, identities, and banking information safe – for example, by not taking pictures of their credit card and financial information, since photos often get stored in the cloud, which risks potential exposure to malicious actors.”

Shiba Inu Crypto Exploited by Scammers for their Scams


Since the Shiba Inu cryptocurrency, a meme-based digital token, hit its all-time high in October, it did not take long for fraudsters to capitalize on the craze. The Shiba Inu token is a decentralized cryptocurrency established by an unidentified person or group known as "Ryoshi" in August 2020. 

According to the reports, live YouTube videos offering phony token giveaways had racked up hundreds of thousands of views, while Telegram groups promoting similar frauds have also proliferated. 

Tenable has uncovered numerous Shiba scams that all employ a near-identical strategy. Accounts live-stream outdated footage from a June event involving Jack Dorsey and Elon Musk, a well-known figure amongst crypto enthusiasts, with on-screen directions for viewers to deposit an arbitrary amount of currency into a wallet in exchange for the promise of receiving twice as much or more. 

According to Satnam Narang, a researcher at Tenable, scammers have gained $239,000 in cryptocurrency since October 20 based on a study of internet wallet addresses related to dubious Shiba Inu-themed pages. 

Although Shiba may be one of the newest virtual currencies to draw attackers looking to prey on investors, it is merely the most recent step in a growing problem. In May, the FTC reported more than $80 million in consumer losses from cryptocurrency fraud. Victims' losses are not covered by the federal government, since cryptocurrency exchanges lack the statutory protections that standard financial exchanges have. 

Customers have been reporting scams since at least May, according to the Shiba Inu token's official Reddit page. And phony freebies aren't the only way crooks are taking advantage of the coin to deceive would-be investors. 

Tenable discovered one effort in which scammers lured customers to a phishing URL posing as the cryptocurrency wallet Trust. It's uncertain whether the link succeeded in duping any victims into disclosing their wallet information. 

The fraudulent giveaways reported by CyberScoop received over 500,000 views in total. Several streams originated from the very same Thailand-based account, "SHIBA INU." All of the live-streamed videos were in the top 10 search results, frequently outranking a cautionary video about the fraud with only 1,400 views. 

Scams involving the coin have become so prevalent that Shiba developers published a video on Twitter on Sunday, 21 November, advising users to avoid giveaway videos and not to disclose their wallet addresses. In addition, the developers released a video warning of suspicious behaviour on Telegram, where fraudsters spoof accounts and set up bogus users.

Scammers in Russia Offer Free Bitcoin on a Hacked Government Website


A Russian government website was recently hacked. The fraudsters posted a phoney Bitcoin (BTC) scheme, which they re-published each time it was taken down. An unnamed group of hackers began promoting the Free BTC Giveaway scam on the Ryazan administration's website, according to the local Russian news source Izvestia. 

In the scam, the hackers advertised a payout of 0.025 BTC to everyone who installed the specified programme on their device. In the re-post, the hackers added that five lucky winners would each receive an extra $1,000. As of now, all messages, including the second post, have been removed. 

The Russian government has tightened its grip on all crypto-crime in the country. Last month, Russia's Federal Financial Monitoring Service in Moscow, known as Rosfinmonitoring, launched the latest cryptocurrency tracing system. This will deanonymize traders' identities by further analysing their actions and movements. The tracing system in Russia, according to Rosfinmonitoring, is focused on combating money laundering and terrorist funding rackets.

In 2021, the global volume of cryptocurrency-related fraud grew substantially. According to specialists from the IT security firm Zecurion, losses in the first half of this year were an estimated $1.5 billion, two to three times the sum recorded in the same period last year. According to a study released, the Russian Federation accounts for 2% of the total, some $30 million, or over 2.2 billion rubles.

The Central Bank of Russia (CBR) said in July that in the first six months of the year, it had discovered 146 financial pyramid schemes. In comparison to the same period in 2020, the number is 1.5 times greater. According to the regulators, consumers with poor financial literacy are frequently duped into investment schemes involving cryptocurrency or crypto mining. According to the CBR, the increase is due to increased activity by "unfair market participants" and increased investment demand in Russia. 

The primary reasons for the increase, according to analysts, are consumers' increasing exposure to digital assets as well as a desire to earn rapid profits in a burgeoning industry with few rules amid instability in traditional financial markets. They also predict crypto fraud to continue to climb this year, with an annual increase of 15% expected.