
Vietnamese Cybercriminals Exploit Malvertising to Target Facebook Business Accounts

Cybercriminals associated with the Vietnamese cybercrime ecosystem are exploiting social media platforms, including Meta-owned Facebook, as a means to distribute malware. 

According to Mohammad Kazem Hassan Nejad, a researcher from WithSecure, malicious actors have been utilizing deceptive ads to target victims with various scams and malvertising schemes. This tactic has become even more lucrative with businesses increasingly using social media for advertising, providing attackers with a new type of attack vector – hijacking business accounts.

Over the past year, cyber attacks against Meta Business and Facebook accounts have gained popularity, primarily driven by activity clusters like Ducktail and NodeStealer, known for targeting businesses and individuals operating on Facebook. 

Social engineering plays a crucial role in gaining unauthorized access to user accounts, with victims being approached through platforms such as Facebook, LinkedIn, WhatsApp, and freelance job portals like Upwork. Search engine poisoning is another method employed to promote fake software, including CapCut, Notepad++, OpenAI ChatGPT, Google Bard, and Meta Threads.

Common tactics among these cybercrime groups include the misuse of URL shorteners, the use of Telegram for command-and-control (C2), and legitimate cloud services like Trello, Discord, Dropbox, iCloud, OneDrive, and Mediafire to host malicious payloads.

Ducktail, for instance, employs lures related to branding and marketing projects to infiltrate individuals and businesses on Meta's Business platform. In recent attacks, job and recruitment-related themes have been used to activate infections. 

Potential targets are directed to fraudulent job postings on platforms like Upwork and Freelancer through Facebook ads or LinkedIn InMail. These postings contain links to compromised job description files hosted on cloud storage providers, leading to the deployment of the Ducktail stealer malware.

The Ducktail malware is designed to steal saved session cookies from browsers, with specific code tailored to take over Facebook business accounts. These compromised accounts are sold on underground marketplaces, fetching prices ranging from $15 to $340.

Recent attack sequences observed between February and March 2023 involve the use of shortcut and PowerShell files to download and launch the final malware. The malware has evolved to harvest personal information from various platforms, including X (formerly Twitter), TikTok Business, and Google Ads. It also uses stolen Facebook session cookies to create fraudulent ads and gain elevated privileges.

One of the primary methods used to take over a victim's compromised account involves adding the attacker's email address, changing the password, and locking the victim out of their Facebook account.

The malware has incorporated new features, such as using RestartManager (RM) to kill processes that lock browser databases, a technique commonly found in ransomware. Additionally, the final payload is obfuscated using a loader to dynamically decrypt and execute it, making analysis and detection more challenging.

To hinder analysis efforts, the threat actors use uniquely generated assembly names and rely on SmartAssembly, bloating, and compression to obfuscate the malware.

Researchers from Zscaler also observed instances where the threat actors initiated contact using compromised LinkedIn accounts belonging to users in the digital marketing field, leveraging the authenticity of these accounts to aid in social engineering tactics. This highlights the worm-like propagation of Ducktail, where stolen LinkedIn credentials and cookies are used to log in to victims' accounts and expand their reach.

Ducktail is just one of many Vietnamese threat actors employing shared tools and tactics for fraudulent schemes. A Ducktail copycat known as Duckport, which emerged in late March 2023, engages in information stealing and Meta Business account hijacking. Notably, Duckport differs from Ducktail in terms of Telegram channels used for command and control, source code implementation, and distribution, making them distinct threats.

Duckport employs a unique technique of sending victims links to branded sites related to the impersonated brand or company, redirecting them to download malicious archives from file hosting services. Unlike Ducktail, Duckport replaces Telegram as a channel for passing commands to victims' machines and incorporates additional information stealing and account hijacking capabilities, along with taking screenshots and abusing online note-taking services as part of its command and control chain.

"The Vietnamese-centric element of these threats and high degree of overlaps in terms of capabilities, infrastructure, and victimology suggests active working relationships between various threat actors, shared tooling and TTPs across these threat groups, or a fractured and service-oriented Vietnamese cybercriminal ecosystem (akin to ransomware-as-a-service model) centered around social media platforms such as Facebook," WithSecure said.

Understanding Blagging in Cybersecurity: Tactics and Implications

Blagging might sound intricate, resembling an elaborate hacking maneuver, yet it is remarkably simpler. Despite its less "high-tech" nature compared to other cybercrimes, blagging can inflict significant harm if businesses are unprepared.

Blagging involves crafty fraudsters attempting to deceive or manipulate individuals into divulging confidential information that should remain off-limits.

These blaggers fabricate convincing stories to coax their targets into revealing data that could fuel illicit activities like identity theft, corporate espionage, or extortion.

So, how does blagging work precisely? Here are some typical blagging tactics:

1. Impersonation: The perpetrator pretends to be someone else, such as a colleague, bank representative, or law enforcement officer. This engenders trust and raises the likelihood of the target sharing confidential information. For instance, they might make a call posing as an IT specialist needing a password to rectify a computer issue.

2. Fabricating Urgency: The scammer employs pressure by framing the request as time-critical. Threats to close accounts or initiate legal action are utilized to extract information swiftly, leaving the target with insufficient time to verify the request's legitimacy.

3. Phishing: Blaggers resort to phishing emails or links infused with malware to breach target systems and pilfer data. These emails are meticulously designed to mimic trustworthy sources, enticing victims to click or download.

4. USB Drop Attack: This stratagem entails leaving malware-laden devices like USB drives in public venues where victims are likely to discover and insert them. Parking lots and elevators serve as popular spots to entice unsuspecting individuals.

5. Name-Dropping: Scammers invoke names of genuine managers, executives, or contacts to create an illusion of authorization for accessing otherwise confidential information. This lends credibility to their dubious appeals.

6. Sympathy Ploys: Fraudsters play on the target's empathy by fabricating emotional narratives to manipulate them. They might claim to be single parents requiring funds in an account to feed their family.

7. Quid Pro Quo: Scammers promise incentives like bonuses, time off, or cash in exchange for information. These are hollow assurances employed to achieve their aims.

8. Tailgating: Blaggers physically tail an employee into a building or restricted area to gain access. They rely on people holding doors open or not questioning their presence.

9. Elicitation: Blaggers engage in friendly conversations to surreptitiously extract information about systems, processes, or vulnerabilities. This innocuous approach is perilous due to its seemingly harmless nature.

The crucial point to remember is that these attackers are adept at deceit and will employ any means necessary to attain their objectives.

Defending Against Blagging Attacks

Given the array of cunning tactics utilized by blaggers, how can individuals and businesses shield themselves from these scams? Here are some essential strategies to counter blagging attacks:

1. Verify Claims: Never take claims at face value—always corroborate stories. If someone claims to be tech support or a colleague in need of information, hang up and call back using an official number to confirm legitimacy. Scrutinize email addresses, names, and contact details closely to ensure they match up.

2. Validate Requests: As an employee, investigate any unusual requests, even if they seem urgent or credible. Consider escalating it to a supervisor or submitting a formal request through established channels. Slow down interactions to allow for thorough investigation before divulging confidential data.

3. Limit Account Access: Employers should grant employees only the minimum access required for their tasks. For instance, customer service representatives likely don't need access to financial systems. This containment strategy mitigates potential damage if an account is compromised.

4. Report Suspicious Activity: If a request appears suspicious or a story doesn't add up, voice your concerns. Alert security or management immediately if you suspect a blagging attempt. Monitor systems and user behavior closely for unusual activity.

5. Security Awareness Training: Well-informed employees are more resistant to blagging attempts. Continuous education fortifies the human defense against social engineering. Real-world scenarios and examples should be integrated into training, including simulated phishing emails and unexpected visitors.

6. Layered Security: Employ multiple overlapping security measures instead of relying on a single point of defense. This encompasses physical security controls, perimeter defenses, endpoint security, email security, access controls, and data loss prevention tools.

7. Remain Vigilant: Blagging targets not only businesses but also individuals. Vigilance is necessary to thwart seemingly innocuous calls or emails from scammers posing as various entities. Recognizing blagging techniques and red flags is paramount.

For business proprietors, comprehensive security awareness training and robust technical defenses are instrumental in neutralizing this threat. With the appropriate safeguards in place, blaggers can be effectively deterred.

This Android-wiping Malware is Evolving into a Constant Threat

The threat actors responsible for the BRATA banking trojan have refined their techniques and enhanced the malware with data-stealing capabilities. Cleafy, an Italian mobile security business, has been following BRATA activity and has discovered variations in the most recent campaigns that lead to extended persistence on the device. 

"The modus operandi now fits into an Advanced Persistent Threat (APT) activity pattern. This term is used to describe an attack campaign in which criminals establish a long-term presence on a targeted network to steal sensitive information," explains Cleafy in a report this week.

The malware has also been modified with new phishing tactics, new classes for requesting further device permissions, and the inclusion of a second-stage payload from the command and control (C2) server. BRATA malware is also more focused, as researchers determined that it concentrates on one financial institution at a time and only switches to another when countermeasures render its attacks ineffective.

For example, instead of getting a list of installed applications and retrieving the appropriate injections from the C2, BRATA now comes pre-loaded with a single phishing overlay. This reduces harmful network traffic as well as interactions with the host device. 

In a later version, BRATA gains greater rights to transmit and receive SMS, which can aid attackers in stealing temporary codes such as one-time passwords (OTPs) and two-factor authentication (2FA) that banks send to their clients. After nesting into a device, BRATA retrieves a ZIP archive containing a JAR ("unrar.jar") package from the C2 server. 

This keylogging utility tracks app-generated events and records them locally on the device along with the text contents and a timestamp. Cleafy's analysts discovered that this tool is still in its early stages of development. The researchers believe the author's ultimate purpose is to exploit the Accessibility Service to obtain data from other apps. 

BRATA's development 

In 2019, BRATA emerged as a banking trojan capable of screen capture, app installation, and turning off the screen to make the device look powered down. BRATA initially appeared in Europe in June 2021, utilising bogus anti-spam apps as a lure and employing fake support personnel who duped victims into handing over entire control of their devices. 

In January 2022, a new version of BRATA appeared in the wild, employing GPS tracking, several C2 communication channels, and customised versions for different locations. Alongside this shift in tactics, Cleafy has discovered a new project: an SMS stealer app that talks with the same C2 infrastructure as the current BRATA version. 

It uses the same structure and class names as BRATA but appears to be limited to syphoning brief text messages. It currently targets the United Kingdom, Italy, and Spain. To intercept incoming SMS messages, the application requests that the user designate it as the default messaging app, as well as authorization to access contacts on the device. 

For the time being, it's unclear whether this is only an experiment by the BRATA team to produce smaller apps focused on certain roles. What is obvious is that BRATA continues to evolve at a two-month interval. It is critical to be watchful, keep your device updated, and avoid installing apps from unapproved or dubious sources.

Fraudsters Resorting to 'Synthetic Identity Fraud' to Commit Financial Crimes

Identity theft is still a common tactic for hackers to damage victims' credit scores. To steal even more and avoid discovery, an increasing number of fraudsters are turning to "synthetic identity fraud," which involves constructing spoof personalities to deceive financial institutions.

Michael Timoney, VP of Secure Payments at the Federal Reserve Bank of Boston, stated, “This is growing. It’s got big numbers tied to $20 billion plus (in losses), and we’re not really seeing a drop in it. Due to the pandemic, the numbers have gotten even higher."

At the RSA conference in San Francisco, Timoney described how the threat exploits a critical vulnerability in the US banking system: when a customer applies for a credit card or a loan, many businesses do not always verify their identification. Timoney defined synthetic identity fraud as the use of multiple pieces of personally identifiable information to create a totally new person. 

He added, “It’s different from traditional identity theft because if someone stole my identity they would be acting in my name. I would go into my bank account and see my money is gone or I’d try to log into my account but I’d be locked out.” 

“Because of data breaches, there is so much information out there for sale. In other cases, the crooks will alter or make up the Social Security number and address data entirely, hoping the companies won't catch on. Once you apply for credit with your brand new identity, there is no credit file out there for you, but one gets created immediately. So right off the bat, you now have a credit file associated with this synthetic. So it sort of validates the identity. Now you got an identity and it has a credit record."  

The hacker will then strive to improve the credit rating of the spoof identity in order to secure larger loans or credit card limits before bailing without ever paying the lending agency. He added that the fraudster will settle their charges and request further credit. 

According to Timoney, the scammers have also been using the fraudulent personas to apply for unemployment benefits and obtain loans from the Paycheck Protection Program, which began during the pandemic to assist businesses in paying their employees. 

How to stop synthetic identity fraud?

To combat synthetic identity fraud, the United States is developing the Electronic Consent Based Social Security Number Verification Service, which can determine whether a Social Security number matches one on record. However, Timoney stated that the system will only be offered to financial institutions and will not be open to other industries that provide credit to clients. 

In response, Timoney emphasized that it is critical for businesses to be on the lookout for warning indicators linked with synthetic identity fraud. This might include inconsistencies in the applicant's background. For example, consider a person who is 60 years old but has never had a credit history while having lived in the United States their whole life or an 18-year-old with a credit score of at least 800. 

Another method for detecting synthetic identity theft is to see if a loan application has any confirmed family members. One should be looking at a lot more than just the name, address, and Social Security number.

Microsoft: Credit Card Stealers are Switching Tactics to Conceal the Attack

Attackers are manipulating e-commerce checkout websites and capturing payment card information by utilising picture files with a concealed malicious PHP script. According to Microsoft, card-skimming malware is increasingly employing malicious PHP scripts on web servers to modify payment sites and circumvent browser safeguards activated by JavaScript code. 

Card-skimming malware has changed its approach, according to Microsoft threat analysts. Card skimming has been dominated over the past decade by the so-called Magecart malware, which uses JavaScript code to inject scripts into checkout pages and transmit malware that grabs and steals payment card information. Injecting JavaScript into front-end processes was very conspicuous, according to Microsoft, because it might have triggered browser defences such as Content Security Policy (CSP), which prevents external scripts from loading. 

By attacking web servers with malicious PHP scripts, attackers discovered a less noisy method. In November 2021, Microsoft discovered two malicious image files on a Magento-hosted server, one of which was a fake browser favicon. Magento is a well-known e-commerce system. The images included an embedded PHP script, which did not run on the compromised web server by default. Instead, in order to only target shoppers, the PHP script only starts after validating via cookies that the web admin is not currently signed-in. 

The PHP script obtained the current page's URL and looked for the keywords "checkout" and "one page," which are linked to Magento's checkout page. "The insertion of the PHP script in an image file is interesting because, by default, the webserver wouldn't run the said code. Based on previous similar attacks, we believe that the attacker used a PHP 'include' expression to include the image (that contains the PHP code) in the website's index page, so that it automatically loads at every webpage visit," Microsoft explained. 
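The image-hosted skimmer described above leaves two server-side traces a defender can hunt for: an image file that carries a PHP open tag (or does not start with the magic bytes its extension implies), and a PHP source file that `include`s or `require`s a file with an image extension. The scanner below is an added example written for this page, not Microsoft's, Sucuri's or Malwarebytes' tooling. It walks a web root, applies both checks, and adds a low-confidence signal for PHP sources that combine checkout-URL gating with cookie inspection, matching the behaviour the article describes. The sample files it builds (a clean PNG, a favicon with a harmless placeholder PHP stub appended, and an `index.php` that includes the favicon) and all regexes are constructed assumptions.

```python
"""Hunt a web root for the image-hosted PHP skimmer pattern (added example)."""
import re
import tempfile
from pathlib import Path

IMAGE_EXTS = {".ico", ".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg"}
# Leading bytes a genuine image of each type starts with (SVG is text, so it is skipped).
IMAGE_MAGIC = (
    b"\x89PNG\r\n\x1a\n",   # PNG
    b"\xff\xd8\xff",        # JPEG
    b"GIF87a", b"GIF89a",   # GIF
    b"\x00\x00\x01\x00",    # ICO
    b"RIFF",                # WebP container
)
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# include/require of a file with an image extension: the trick the article describes.
INCLUDE_IMAGE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"][^'\"]+\.(?:ico|png|jpe?g|gif|webp|svg)['\"]",
    re.IGNORECASE,
)
# Low-confidence signal: URL keyword gating on "checkout" together with cookie inspection.
REQUEST_URI = re.compile(r"REQUEST_URI", re.IGNORECASE)
COOKIE_CHECK = re.compile(r"\$_COOKIE", re.IGNORECASE)
CHECKOUT_WORD = re.compile(r"checkout", re.IGNORECASE)


def scan_image_file(path: Path) -> list[str]:
    """Return findings for one image file: bad magic bytes and/or an embedded PHP tag."""
    data = path.read_bytes()
    findings = []
    if path.suffix.lower() != ".svg" and not data.startswith(IMAGE_MAGIC):
        findings.append(f"{path.suffix} file does not start with known image magic bytes")
    if PHP_OPEN_TAG.search(data):
        findings.append("PHP open tag embedded in image file")
    return findings


def scan_php_source(text: str) -> list[str]:
    """Return findings for one PHP source file."""
    findings = []
    if INCLUDE_IMAGE.search(text):
        findings.append("include/require of an image-extension file")
    if REQUEST_URI.search(text) and COOKIE_CHECK.search(text) and CHECKOUT_WORD.search(text):
        findings.append("low confidence: checkout-URL gating combined with cookie inspection")
    return findings


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Scan every image and PHP file under root; only paths with findings are returned."""
    results: dict[str, list[str]] = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        ext = p.suffix.lower()
        if ext in IMAGE_EXTS:
            findings = scan_image_file(p)
        elif ext in {".php", ".phtml"}:
            findings = scan_php_source(p.read_text(errors="replace"))
        else:
            continue
        if findings:
            results[p.relative_to(root).as_posix()] = findings
    return results


def build_sample_site(root: Path) -> None:
    """Constructed sample files (not real malware): a clean PNG, a favicon with a
    placeholder PHP stub appended, and an index.php that includes the favicon."""
    (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    (root / "favicon.ico").write_bytes(
        b"\x00\x00\x01\x00" + b"\x00" * 16
        + b"<?php /* placeholder stub standing in for the skimmer body */ ?>"
    )
    (root / "index.php").write_text(
        "<?php\n"
        "// constructed example of the include-an-image trick\n"
        "include('favicon.ico');\n"
        "echo 'storefront';\n"
    )


def demo() -> dict[str, list[str]]:
    """Build the constructed site in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_site(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, "->", "; ".join(findings))
```

Run against a real Magento document root by calling `scan_tree(Path("/var/www/html"))` (path assumed). The magic-byte check catches images that are PHP all the way through, while the open-tag check catches the appended-payload case the article describes; the `include` check is the one with the fewest false positives, since legitimate code has no reason to include an image file.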

Malicious PHP is increasingly being used in card-skimming malware. Last week, the FBI issued a warning about new examples of card-skimming attackers infecting US business checkout sites with web shells for backdoor remote access to the webserver using malicious PHP. Sucuri discovered that PHP skimmers targeting backend web servers were responsible for 41% of new credit card-skimming malware discovered in 2021. Magecart Group 12 is distributing new web shell malware, according to Malwarebytes, that dynamically loads JavaScript skimming code via server-side requests to online merchants. 

Malwarebytes' Jérôme Segura noted, "This technique is interesting as most client-side security tools will not be able to detect or block the skimmer. Unlike previous incidents where a fake favicon image was used to hide malicious JavaScript code, this turned out to be a PHP web shell."    

However, dangerous JavaScript is still used to skim cards. Card-skimming malware based on JavaScript spoofing Google Analytics and Meta Pixel (previously Facebook Pixel) scripts, for example, was discovered by Microsoft.

Misinformation is a Hazard to Cyber Security

Most cybersecurity leaders recognize the usefulness of data, but data is merely information. What if the information you've been given is actually false? Or it is deception? What methods does your cybersecurity program use to determine what is real and what isn't?

Ian Hill, Global Director of Cyber Security with Royal BAM Group defined misinformation as "inaccurate or purposely misleading information." This might be anything from misinformation to deceptive advertising to satire carried too far. So, while disinformation isn't meant to be destructive, it can cause harm. 

The ideas, tactics, and actions used in cybersecurity and misinformation attacks are very similar. Misinformation takes advantage of our cognitive biases and logical fallacies, whereas cyberattacks target computer systems. Distorted, miscontextualized, and misappropriated information, deep fakes, and cheap fakes are all used in misinformation attacks. To wreak even more harm, nefarious individuals combine both attacks. 

Misinformation has the potential to be more damaging than viruses, worms, and other malware. Misinformation operations designed to deceive and damage people can harm individuals, governments, society, and corporations alike. 

The attention economy and advertisement-centric business models make it possible to launch a sophisticated misinformation campaign that floods the information channels and drowns out the truth at unprecedented speed and scale. Understanding the agent, message, and interpreter of a specific case of information disorder is critical for organizations to stop it. Find out who's behind it — the "agent" — and what the message is that's being sent. Understanding the attack's target audience — the interpreter — is just as critical.

Cyberattacks have progressed from basic phishing scams to misconceptions and deceptions. Misinformation and disinformation are cybersecurity risks for four reasons, according to Disinfo.EU. They're known as the 4Ts:

  •  Terrain: the infrastructure that disseminates falsehoods
  •  Tactics: how the misinformation is disseminated
  •  Targets: the intended victims of the misinformation that leads to cyberattacks
  •  Temptations: the financial motivations for disseminating false information in cyberattacks
Employees who are educated on how threat actors, ranging from an amateur hacker to a nation-state criminal, spread false information will be less likely to fall for false narratives and harmful untruths. It is now up to cybersecurity to distinguish between the true and the fraudulent.

Zix: Attackers Increasingly Adopting New Techniques to Target Users

Cybercriminals are continuously expanding their toolkit by experimenting with new strategies and approaches in order to improve their effectiveness against both technological and human adversaries. 

According to research released by Zix, attackers are increasingly adopting new tactics to target users. The research covered several examples and also examined numerous consistent attack techniques and patterns that tend to affect organizations across the globe. 

“Cybercrime is exploding in 2021 and if there is anything that could be learned over the past year, it is that threat hunters are essential,” stated Troy Gill, Manager of Research at Zix. 

“Companies cannot wait for potential threats to emerge but must proactively identify security incidents that may go undetected by automated security tools. As we enter into the back half of the year, we will continue to see phishing, Business Email Compromise (BEC) and ransomware attackers become more sophisticated and bad actors asking for higher bounties to release data they have compromised.” 

The most common techniques employed by attackers: 

-Customized phishing attacks are on the upswing: Between Q1 and Q2, phishing assaults increased in frequency and sophistication, with campaigns becoming particularly tailored to specific users through the use of CAPTCHAs and web certificate data. Many websites, such as Spotify and DocuSign, were utilized to attract consumers. 

-New attack trends have surfaced: Email threats have grown in the first half of 2021, with 2.9 billion emails quarantined through June. URL and text-based cyberattacks increased steadily in the first half of the year, whereas email-based attacks dropped in the first five months before spiking in June.  

-BEC (business email compromise) attacks have become the most extensively employed technique: Businesses were determined to be the most susceptible and sought after by attackers, according to the research. Hackers have been seen eavesdropping on discussions from inside a hacked account before delivering more personalized messages in an attempt to extract financial data or passwords.