Search This Blog

Showing posts with label Spoofing. Show all posts

The Four Major Types of Spoofing Attacks and How to Avoid Them

 

Spoofing is the act of concealing a communication or identity so that it appears to be from a reliable, authorized source. Spoofing attacks can take many forms, ranging from the common email spoofing attacks used in phishing campaigns to caller ID spoofing attacks used to commit fraud. 

As part of a spoofing attack, attackers may also target more technical elements of an organization's network, such as an IP address, domain name system (DNS) server, or Address Resolution Protocol (ARP) service. 

Spoofing attacks typically prey on trusted relationships by impersonating a person or organization known to the victim. These messages may even be personalized to the victim in some cases, such as whale phishing attacks that use email spoofing or website spoofing. there are various types of spoofing attacks. Here are three of the most common.
  • IP spoofing attack
An IP spoofing attack occurs when an attacker attempts to impersonate an IP address in order to pretend to be another user. The attacker sends packets from a false source address during an IP address spoofing attack. These IP packets are sent to network devices and function similarly to a DoS attack. To overwhelm a device with too many packets, the attacker uses multiple packet addresses.
 
IP spoofing attacks, which are one of the more common types of spoofing attacks, can be detected using a network analyzer or bandwidth monitoring tool. Monitoring your network will allow you to monitor normal traffic usage and detect abnormal traffic. This alerts  that something isn't right and allows you to investigate further.

If looking for IP addresses and flow data in particular that can lead you to illegal internet traffic. Detecting IP spoofing attacks early is critical because they frequently occur as part of DDoS (Direct Denial of Service) attacks, which can bring the entire network down.
  • Email Spoofing Attacks
Email spoofing attacks occur when an attacker sends an email that appears to be from another sender. The sender field is spoofing in these attacks to display bogus contact information. The attacker pretends to be this entity and then sends you an email asking for information. These attacks are frequently used to impersonate administrators and request account information from other members of staff.
 
Email spoofing attacks are perhaps the most dangerous because they directly target employees. Responding to the wrong email can give an attacker access to sensitive information. If you receive a spoofed email, your first line of defense should be to be skeptical of email display names.

Attackers frequently spoof display names, so double-check the email address. If the email contains any links, you can open them in a new window to see if they are legitimate. It's also a good idea to look for spelling mistakes and other inaccuracies that could indicate the sender isn't legitimate.
  • DNS Spoofing Attacks
DNS, or domain name system, attacks jumble up the list of public IP addresses. DNS servers maintain a database of public IP addresses and hostnames that are used to aid in network navigation. When a DNS attack occurs, the attacker alters domain names, causing them to be rerouted to a new IP address.

One example is when you enter a website URL and are directed to a spoofed domain rather than the website you intended to visit. This is a common method for attackers to introduce worms and viruses into networks.

It is a good idea to use a tool like dnstraceroute to detect a DNS spoofing attack. DNS spoofing attacks rely on an attacker spoofing the DNS response. Using dnstraceroute, you can see where the DNS request was answered. You'll be able to see the DNS server's location and whether someone spoofed the DNS response.

Hackers Mimic Google Translate to Launch Phishing Attacks

 

Threat analysts at Avanan, a Check Point Software firm, have unearthed a novel phishing campaign mimicking Google Translate in order to lure users. 

The hackers are employing the coding methodology to obfuscate phishing sites and make them look authentic to the victim as well as bypass security gateways. Threat actors also use social engineering techniques to convince users they need to respond immediately to an email or lose access to unread messages permanently. 

Subsequently, the victims are requested to click on a link incorporated in the email itself. Upon clicking on the link, the users are directed to an info stealer page that seems to be an authentic Google Translate page, with a pre-filled email field that requires only to fill login credentials. 

According to a blog post published last week, this is the standard modus operandi employed by hackers as it creates a sense of urgency and forces victims to act irrationally and recklessly by clicking on a malicious link or downloading a malicious attachment. Behind the scenes, the hackers are also employing a lot of JavaScript, including the Unescape command, to hide their true intentions. 

Unescape is a function in JavaScript that computes a new string as a single parameter and utilizes it to decode the string encoded by the escape function. The hexadecimal sequence in the string is replaced by the characters they represent when decoded through unescaped command. 

“This attack has a little bit of everything. It has unique social engineering at the front end. It leverages a legitimate site to help get into the inbox. It uses trickery and obfuscation to confuse security services,” Jeremy Fuchs, an Avanan cybersecurity threat analyst stated. 

To guard against these attacks, users need to be extra vigilant. The researchers recommended users scan the URLs found in messages before clicking on them to ensure the destination is legitimate.

Moreover, users can check the authenticity of emails by paying closer attention to grammar, spelling, and factual inconsistencies within an email. If the users are suspicious regarding where they're coming from or their intentions, they should just ask the original sender to be sure before taking further action.

Smash and Grab: Meta Takes Down Disinformation Campaigns Run by China and Russia

 

Meta, Facebook’s parent company has confirmed that it has taken down two significant but unrelated ‘disinformation operations’ rolling out from China and Russia. 

The campaigns began at the beginning of May 2022, targeting media users in Germany, France, Italy, Ukraine, and the UK. The campaign attempted to influence public opinions by pushing fake narratives in the west, pertaining to US elections and the war in Ukraine. 

The campaign spoofed around 60 websites, impersonating legitimate news websites, such as The Guardian in the UK and Bild and Der Spiegel in Germany. The sites did not only imitate the format and design of the original news sites but also copied photos and bylines from the news reporters in some cases. 

“There, they would post original articles that criticized Ukraine and Ukrainian refugees, supported Russia, and argued that Western sanctions on Russia would backfire […] They would then promote these articles and also original memes and YouTube videos across many internet services, including Facebook, Instagram, Telegram, Twitter, petitions websites Change.org and Avaaz, and even LiveJournal” Meta stated in a blog post. 

In the wake of this security incident, Facebook and Instagram have reportedly removed nearly 2,000 accounts, more than 700 pages, and one group. Additionally, Meta detected around $105,000 in advertising. While Meta has been actively quashing fake websites, more spoofed websites continue to show up.  

However, “It presented an unusual combination of sophistication and brute force,” claims Meta’s Ben Nimmo and David Agranovich in a blog post announcing the takedowns. “The spoofed websites and the use of many languages demanded both technical and linguistic investment. The amplification on social media, on the other hand, relied primarily on crude ads and fake accounts.” 

“Together, these two approaches worked as an attempted ‘smash-and-grab’ against the information environment, rather than a serious effort to occupy it long term.” 

Both the operations are now taken down as the campaigns were a violation of Meta’s “coordinated inauthentic behaviour” rule, defined as “coordinated efforts to manipulate public debate for a strategic goal, in which fake accounts are central to the operation”. 

Addressing the situation of emerging fraud campaigns, Ben Nimmo further said, “We know that even small operations these days work across lots of different social media platforms. So the more we can share information about it, the more we can tell people how this is happening, the more we can all raise our defences.”

PayPal Invoices Used for Data Theft

The past few months have seen an increase in the usage of convincing phishing emails made using an attack on PayPal's invoice system. Scammers are constantly seeking new ways to steal your personal information or money. 

Hackers send bogus invoices from PayPal's website using a free PayPal account they have registered. The emails' bodies contained spoof logos of companies like Norton to make their recipients believe they were authentic.

Emails from PayPal will likely be delivered to your inbox rather than your spam bin because they are not regarded as spam. Because it came from a real Paypal account, the email will appear to be trustworthy so users are advised to stay cautious and not fall for it. You won't receive a worthwhile service if you pay this charge, cybercriminals will receive your money and use it for their own gain. 

The PayPal invoices feature statements like "thank you for purchasing Norton Security Premium package, if you have not authorized this transaction, please call us with your credit card details." They resemble a related fraud that employed phony Quickbooks invoices and was disclosed earlier this month.

The scam, often known as a "double spear" assault, prompts users to call the number, at which point hackers attempt to get them to pay the invoice and steal their credit card information.

Phishing efforts are frequent and come in a variety of shapes, according to a written statement from PayPal.

PayPal stated that it has a zero-tolerance policy for attempted fraud on the platform and that its team is working relentlessly to protect its consumers.

"We are aware of this well-known phishing scheme and have added more measures to help mitigate this particular incidence," the company said. "Nevertheless, we advise clients to exercise constant vigilance online and to get in touch with Customer Service immediately if they believe they are a victim of a scam."

It's astonishing how well-adapted modern fraudsters are at using the very same technologies that financial institutions have long utilized to provide their consumers a sense of security while dealing online. 

Today's scamsters seem to be more interested in hacking your entire computer and online life with remote administration software than they are in stealing your PayPal password, which seems to be at the center of the majority of frauds these days.

Users are advised to follow the guidelines given below in order to safeguard themselves against the aforementioned scam. 
  • To prevent phishing emails from being sent to you, don't rely on email spam filters. Examine emails for warning signs, such as impending deadlines and scare tactics, to spot potential phishing frauds.
  • Use a recognized phone number or email address to get in touch with the service provider directly to confirm the validity of an invoice. To get in touch with the service provider, do not utilize the phone number or link provided in the invoice.
  • The simple notion that an email was delivered via a reputable website should not be used as proof of its validity. To make their schemes seem more credible, cybercriminals can exploit reliable websites.

Fraudsters Resorting to 'Synthetic Identity Fraud to Commit Financial Crimes

 

Identity theft is still a common tactic for hackers to damage the credit score. To steal even more and avoid discovery, an increasing number of fraudsters are turning to "synthetic identity fraud," which includes constructing spoof personalities to deceive financial institutions.

Michael Timoney, VP of Secure Payments at the Federal Reserve Bank of Boston stated, “This is growing. It’s got big numbers tied to $20 billion(Opens in a new window) plus (in losses), and we’re not really seeing a drop in it. Due to the pandemic, the numbers have gotten even higher."

Timoney described how the threat exploits a critical vulnerability in the US banking system at the RSA conference in San Francisco: when a customer applies for a credit card or a loan, many businesses do not always verify their identification. Timoney defined synthetic identity fraud as the use of multiple pieces of personally identifiable information to create a totally new person. 

He added, “It’s different from traditional identity theft because if someone stole my identity they would be acting in my name. I would go into my bank account and see my money is gone or I’d try to log into my account but I’d be locked out.” 

“Because of data breaches, there is so much information out there for sale. In other cases, the crooks will alter or make up the Social Security number and address data entirely, hoping the companies won't catch on. Once you apply for credit with your brand new identity, there is no credit file out there for you, but one gets created immediately. So right off the bat, you now have a credit file associated with this synthetic. So it sort of validates the identity. Now you got an identity and it has a credit record."  

The hacker will then strive to improve the credit rating of the spoof identity in order to secure larger loans or credit card limits before bailing without ever paying the lending agency. He added that the fraudster will settle their charges and request further credit. 

According to Timoney, the scammers have also been using the fraudulent personas to seek for unemployment benefits and obtain loans from the Paycheck Protection Program, which began during the pandemic to assist businesses in paying their employees. 

How to stop synthetic identity fraud?

To combat synthetic identity fraud, the United States is developing (Opens in a new window) the Electronic Consent Based Social Security Number Verification Service, which can determine whether a Social Security number matches one of these on record. However, Timoney stated that the system will only be offered to financial institutions and will not be open to other industries that provide credit to clients. 

In response, Timoney emphasized that it is critical for businesses to be on the lookout for warning indicators linked with synthetic identity fraud. This might include inconsistencies in the applicant's background. For example, consider a person who is 60 years old but has never had a credit history while having lived in the United States their whole life or an 18-year-old with a credit score of at least 800. 

Another method for detecting synthetic identity theft is to see if a loan application has any confirmed family members. One should be looking at a lot more than just the name, address, and Social Security number.

New Spear Phishing Campaign Targets Russian Dissidents

 

In Russia, a new spear-phishing campaign targeting dissenters with alternative views to those presented by the state and national media over the war in Ukraine is underway. The campaign distributes emails to government personnel and public servants, alerting them about software and online platforms that are illegal in the country. 

The mails contain a malicious attachment or link that sends a Cobalt Strike beacon to the recipient's computer, allowing remote operators to execute eavesdropping on the victim. The campaign was discovered and reported on by Malwarebytes Labs threat analysts, who were able to sample some of the bait emails. 

Various phishing methods

To persuade recipients to open the attachment, the phishing emails pretend to be from a Russian state organisation, ministry, or federal service. The main two spoofed organizations are the "Russian Federation Ministry of Information Technologies and Communications" and the "Russian Federation Ministry of Digital Development, Communications, and Mass Communications." 

To attack their targets with Cobalt Strike, the threat actors use three different file types: RTF (rich text format) files, archive attachments of malicious documents, and download links inserted in the email body. Since it involves the exploitation of CVE-2021-40444, a remote code execution flaw in the rendering engine used by Microsoft Office documents, the case of RTFs is the most interesting. 

All of the phishing emails are written in Russian, as expected, and they appear to have been created by native speakers rather than machine translated, implying that the campaign is being spearheaded by a Russian-speaking individual. Malwarebytes discovered simultaneous attempts to spread a deeply obfuscated PowerShell-based remote access trojan (RAT) with next-stage payload fetching capabilities in addition to Cobalt Strike. 

The campaign's targets are mostly employed by the Russian government and public sector, including the following organisations: 
  • Portal of authorities of the Chuvash Republic Official Internet portal
  • Russian Ministry of Internal Affairs
  • ministry of education and science of the Republic of Altai
  • Ministry of Education of the Stavropol Territory
  • Minister of Education and Science of the Republic of North Ossetia-Alania
  • Government of Astrakhan region
  • Ministry of Education of the Irkutsk region
  • Portal of the state and municipal service Moscow region
  • Ministry of science and higher education of the Russian Federation
As per the aforementioned organisations, phishing actors target persons in crucial positions who could cause problems for the central government by stirring anti-war movements.

IP Spoofing Flaw Leaves Django REST Applications Vulnerable to DDoS Attacks

 

Attackers used an IP spoofing flaw in Django REST to bypass the framework's throttling function, which is designed to protect apps from mass requests. 

Mozilla, Red Hat, and Heroku, among others, use Django REST as a toolkit for constructing web APIs. It includes a throttling function that limits the number of API queries a client may make. Bot activity, denial-of-service attacks, and malicious actions such as brute-force attempts on login sites, one-time passwords, and password reset pages are all protected by this feature. 

IP addresses are used by Django REST to recognize clients and implement throttling request restrictions. Clients can, however, deceive the server and hide their IP address, according to security researcher Hosein Vita. 

He told The Daily Swig, “Django use WSGI (web server gateway interface) to communicate with web application and X-Forwarded-For HTTP header and REMOTE_ADDR WSGI variable are used to uniquely identify client IP addresses for throttling.” 

As a result, if the X-Forwarded-For header is included in a web request, the server will interpret it as the client's IP address. Vita was able to submit an endless number of requests with the same client by changing the X-Forwarded-For value. The approach only works for unauthenticated queries, according to Vita's bug report. 

APIs that require user authentication take both the user’s ID and the IP address into account when throttling, so IP spoofing is not enough to circumvent the request limits. According to Vita, the attack requires no specific server access, and an attacker who "can just see the website can abuse this method. 

Its immediate impact could be DDoS attacks caused by fraudulent requests flooding Django servers. However, it can also be used for other objectives, such as bypassing login page defences against brute-force attacks. Vita apparently identified the flaw while pen-testing an app with a one-time password login page. 

He stated, “You could log in [to the application] with OTP but I got blocked after many attempts. After my research, I used X-Forwarded-For header, and again I could send requests but after some attempts, again I got blocked.” 

The researcher added: “From my previous background in Django, I guessed it could get bypassed by changing the value of X-Forwarded-For header, and you could send 30 requests with each IP. Then I checked that in my Django API and it was correct.” 

The Django REST team was contacted by The Daily Swig for comment on the vulnerability. Meanwhile, Vita suggests using complementary strategies to protect applications from brute-force attacks. 

He added, “Always use other aspects of security measures as secondary methods. Use Captcha or other related methods to reduce attacks like this in important endpoints. For OTPs, use a token for each generated OTPs.”

FBI: Fake Government Websites Used to Steal Private & Financial Data

 

The FBI has alerted the public in the United States that threat actors are proactively capturing sensitive financial and personal information from innocent victims via phoney and fraudulent unemployment benefit websites. 

Websites used in these assaults are built to seem just like official government platforms in order to deceive victims into giving over their information, infecting them with malware, and claiming unemployment benefits on their behalf. 

The federal law enforcement agency stated in a public service announcement published on Internet Crime Complaint Center's site, "These spoofed websites imitate the appearance of and can be easily mistaken for legitimate websites offering unemployment benefits. The fake websites prompt victims to enter sensitive personal and financial information. Cyber actors use this information to redirect unemployment benefits, harvest user credentials, collect personally identifiable information, and infect victim's devices with malware.” 

"In addition to a loss of benefits, victims of this activity can suffer a range of additional consequences, including ransomware infection and identity theft." 

As per the FBI, 385 domains were detected, with eight of them spoofing government sites related to official unemployment benefits platforms. Domain and status are listed below:
  • employ-nv[.]xyz:  Active 
  • employ-wiscon[.]xyz: Inactive 
  • gov2go[.]xyz : Active 
  • illiform-gov[.]xyz : Active 
  • mary-landgov[.]xyz : Active 
  • Marylandgov[.]xyz: Inactive 
  • newstate-nm[.]xyz:  Active 
  • Newstatenm[.]xyz: Inactive 
There is also a possibility that the data obtained through these fake sites will end up in the hands of identity fraudsters, who would use it in different benefit fraud schemes. The US Federal Trade Commission (FTC) reported in February 2021 that the overall number of identity theft reports doubled in 2020 compared to 2019, with 1.4 million reports in a single year. 

The FTC stated, "2020’s biggest surge in identity theft reports to the FTC related to the nationwide dip in employment. After the government expanded unemployment benefits to people left jobless by the pandemic, cybercriminals filed unemployment claims using other people’s personal information." 

For example, the FTC received 394,280 reports of government benefits fraud attempts last year, the majority of which were connected to unemployment benefit identity theft fraud, compared to 12,900 reported in 2019. 

The Internal Revenue Service (IRS) also issued taxpayer guidelines in January on recognizing theft activities involving unemployment payments. The US federal revenue service stated, "The Internal Revenue Service today urged taxpayers who receive Forms 1099-G for unemployment benefits they did not actually get because of identity theft to contact their appropriate state agency for a corrected form." 

"Additionally, if taxpayers are concerned that their personal information has been stolen and they want to protect their identity when filing their federal tax return, they can request an Identity Protection Pin (IP PIN) from the IRS." 

The FBI also offered some advice on how to safeguard yourself against identity theft in the release and a few are listed below: 
  • To identify limitations, the spelling of web addresses should be verified. 
  • Check that the website you're visiting has an SSL certificate. 
  • Software upgrades are required; 
  • It is recommended that two-factor authentication be utilized. 
  • Avoid phishing emails at all costs.