
Using Ransomware to Extort Employers by Impersonating a Gang

 


At a court in Fleetwood, Hertfordshire, a 28-year-old United Kingdom man has been found guilty of serving his employer with a forged document and of unauthorized access to his computer with criminal intent.

SEROCU (the South East Regional Organised Crime Unit) has released a press release explaining the conviction of Ashley Liles, a 29-year-old IT Security Analyst at a company in Oxford that was the victim of a ransomware attack in February 2018.

The cybercriminals contacted the company's executive team to demand a ransom payment, the same playbook used in many ransomware attacks.

As part of the company's internal investigation and incident response effort, Liles joined the investigation alongside other company staff and members of the police.

During this period, Liles is said to have tried to profit from the attack by tricking his employer into paying the ransom to him instead of to the actual external attacker.

The SEROCU announcement reads, "Instead of pursuing a criminal case against the company, Liles also began a further and secondary attack against the company unbeknownst to the police, his colleagues, or his employer." 

In addition to accessing a board member's private emails more than 300 times, he altered the original blackmail email sent by the attacker, changing the payment information the attacker had provided.

The plan was to take advantage of the situation by diverting the payment away from the attacker's payment account and into Liles' own cryptocurrency wallet.

Liles also created an email address that looked almost identical to the original attacker's and used it to send emails to his employer asking for payment, SEROCU said.

The company owner refused to pay the attackers. An internal investigation that was already under way revealed that Liles had been accessing the private emails, as evidenced by his home IP address, suggesting that he was responsible for the attack.

By the time SEROCU's cyber-crime team arrived at Liles' home to seize his computer, Liles was well aware of the investigation and had wiped all data from his devices. Investigators were nevertheless able to recover the incriminating data from his computer.

At a hearing at Reading Crown Court, Liles pleaded guilty, five years after he had first denied any involvement in the case. The rogue employee is due to be sentenced on July 11th, 2023.

In the UK, unauthorized access to a computer is punishable by up to two years in prison, while blackmail is punishable by up to 14 years.

Hackers and Cybercriminals Use Dark Web Data to Train DarkBert AI

 


A team of South Korean researchers has released a paper describing how they developed a machine-learning model from a large dark web corpus collected by crawling the Tor network. The data obviously included many shady sites, covering categories such as cryptocurrency, pornography, hacking, and weapons. Because of this, the team decided on ethical grounds not to use the data in the form it was collected.

DarkBERT's pre-training corpus was filtered before being fed to the model, so that sensitive data would not be included in training, since bad actors could otherwise extract such data from the model.

Some may think DarkBERT sounds like a nightmare, but the researchers say it is a promising project that will do more than help combat cybercrime; it will also advance natural language processing research in the field.

The team used the Tor network, which allows access to dark web sites without any login, to crawl the dark web. In the process, they built a raw database of the pages they found and then loaded it into a search engine.

There has been a recent explosion of large language models on the market, and more appear with each passing day. It is well known that the linguistic giants, such as OpenAI's ChatGPT and Google's Bard, are trained on text data from all over the internet, including websites, articles, and books; they train their new algorithms using that data. As a result, the output of these models draws on much the same overlapping material.

The researchers published their findings in a paper titled "DarkBERT: A Language Model for the Dark Side of the Internet." Using the Tor network as a launching point for their model, they collected raw data and created a database from it.

The paper has not yet been peer reviewed. DarkBERT is named after, and built on, the RoBERTa architecture, a transformer-based model developed by Facebook researchers in 2019.

RoBERTa produced state-of-the-art results on the General Language Understanding Evaluation (GLUE) NLP benchmark, which tests the general language understanding capabilities of NLP systems, thanks to Facebook's optimization method.

Meta described RoBERTa as an "outstanding algorithm for pretraining natural language processing (NLP) systems that are robustly optimized", an improvement upon BERT, which Google released in 2018 for NLP pretraining. Google made BERT open-source, which allowed Meta to improve on its performance.

The South Korean researchers behind DarkBERT have now demonstrated that more can be achieved, because RoBERTa was released under-trained. Over 16 days, the researchers fed RoBERTa raw data from the dark web; they preprocessed the dark web data and obtained DarkBERT from it.

The Korean researchers improved the original model by feeding it dark web data over 15 days, resulting in DarkBERT, an advanced research model. The paper reveals that the study was conducted on a top-level machine with four NVIDIA A110 80GB GPUs and an Intel Xeon Gold 6348 CPU.

How does DarkBERT work?


Despite what its name may imply, DarkBERT is a system designed to protect and to support law enforcement; it is not intended for malicious purposes.

Hackers and ransomware groups often upload sensitive data to the dark web in the hope of selling it to other parties. The research paper shows that DarkBERT can help security researchers automatically identify such sites. It can also crawl dark web forums and monitor exchanges of illegal information taking place there.

DarkBERT is not publicly available. Because it was trained on sensitive data, it has not been released; the researchers say they plan to release a version trained on the preprocessed corpus, but have not given a date.

Whether or not DarkBERT represents a future in which AI models are trained on targeted data for targeted tasks, it differs from ChatGPT and Google Bard, which are general-purpose: DarkBERT is a tool designed specifically for thwarting hackers, and one that can be used by anyone.

Even though there are numerous AI chatbots out there, you need to be careful when using them: you may pick up a malware infection from fake ChatGPT applications, or expose sensitive data, as Samsung employees did recently.

When using these popular AI chatbots, make sure you are on the right website and not an impostor. OpenAI, Microsoft, and Google have yet to release official apps for their AI chatbots, so any app claiming to be ChatGPT, Bing Chat, or Google Bard is not an official one.

White House Cybersecurity Strategy warns of "Complex Threat Environment"

 


The White House published a national cybersecurity strategy on March 2. It lists threats to U.S. networks, both terrestrial and in space, from Russian and Chinese hackers.

"Evolving intelligence" suggests many options could be explored for potential cyberattacks against critical U.S. infrastructure, as President Biden warned on Monday. 

Anne Neuberger, Mr. Biden's deputy national security adviser for cyber and emerging technology, told reporters Monday afternoon that U.S. officials have observed "preparatory work" linked to nation-state actors, though there is no evidence of a specific cyberattack threat. Scanning of U.S. companies' websites and hunting for vulnerabilities may indicate an increase in such activity.

On Thursday, the Biden administration released its comprehensive national cybersecurity strategy, which sets out the steps required to protect the nation's cyber ecosystem from threats.

The strategy emphasizes a few key pillars: disrupting and dismantling cyber criminals, establishing international partnerships, and protecting critical infrastructure from cyberattacks.

The White House will still need to implement Space Policy Directive 5, issued by the previous administration in September 2020, which focuses on the protection of space systems. Although the updated document replaces the Trump administration's 2018 cybersecurity strategy, the White House will continue to implement the space directive.

The strategy states that the first pillar will enhance cybersecurity requirements for critical sectors in order to secure critical infrastructure. Public-private partnerships and federal network modernization will also be pursued to keep up with cybersecurity threats.

It has been interesting to see bipartisan support for several cyber bills, introduced and passed by Congress last year, aimed at protecting critical infrastructure, including in the health and energy sectors.

Moreover, Kemba Walden suggested that the government should use all resources at its disposal, including the military and law enforcement, to disrupt malicious cyber activity and pursue perpetrators.

Walden assumed the role of acting director after Chris Inglis resigned for health reasons. Biden nominated Inglis as the nation's first director of cyber security in 2021. Inglis announced his resignation in mid-February.

The second pillar of the strategy focuses on disrupting and dismantling cyber criminals and nation-state threats.

To protect national security and public safety, the government will use every available resource to "make it harder for them to pose a threat to national security."

The third pillar is increased collaboration and partnership with foreign partners who share the same mission. The administration announced today that it will use international coalitions among "like-minded nations" to counter cyberattacks.

SPD 5 was touted as a first step toward a comprehensive security policy for satellites and the systems that connect them to the Internet.

Because space systems serve as vital infrastructure and providers of essential services, experts warn that a growing number of attacks are being launched against them.

A major thrust of the National Cybersecurity Strategy is the realignment of incentives so that long-term investments are prioritized. It has been suggested in recent years that the biggest, most capable, and best-positioned actors in the digital ecosystem - whether in the public or private sectors - can and should take on an increased share of the burden to mitigate cyber risk in their respective industries. Public and private sector entities must have the resources, capabilities, and incentives to choose long-term solutions over temporary fixes when faced with trade-offs between short-term fixes and long-term solutions. 

In addition, the United States remains committed to international cyber partnerships, building defensible, resilient, and value-aligned digital ecosystems with allies and partners. Keeping shared interests at the forefront means promoting an environment in which all states are expected to behave responsibly in cyberspace, and in which irresponsible behaviour brings costs and isolation.

A path is outlined in this strategy to ensure our digital future is secure. By implementing it, the administration will lay the foundation for reliable cyberinfrastructure. This will enable it to achieve its infrastructure, clean energy, equity, democracy, and economic opportunity goals. At the most fundamental level, it acknowledges that cyberspace exists not for its own sake but only to be used in pursuit of our highest goals.   

eFile.com Hosted Malware on its Website

 


Malicious code was injected into the servers of eFile.com, an online service that helps people file tax returns, resulting in malware being delivered to users' computers.

The service, which is authorized by the Internal Revenue Service (IRS) although not operated by the agency, was found to have been serving malware for several weeks before it was cleaned up earlier this week.

E-filing is the official IRS format for filing tax documents online, usually without printing any documents, and the IRS recommends it for all federal tax filings. Citizens can use third-party software or websites to submit their returns, although such external services can pose additional security risks.

The April 18th tax-filing deadline for US citizens is approaching, and cybercriminals are exploiting it to step up their campaigns against tax-filing services and their users in order to get at private information. eFile.com has become one of the most popular tax-filing sites in recent weeks, and has again become a victim of tax-related cybercrime.

The incident specifically affects eFile.com, not the IRS's e-file infrastructure or similarly named domains.

In addition to the base64-encoded script, further JavaScript is loaded from the domain amanewonliag dot online. If the user follows the malicious prompt, they are asked to download an executable named "update.exe" or "installer.exe", depending on the browser they are using.

On further inspection, researchers found a PHP backdoor in the executable binaries. Backdoors of this kind connect to IP addresses located in Tokyo, such as 47.245.6.91, hosted by Alibaba. The same IP address also hosted the infoamanewonliag domain that the malicious script popper.js contacted.

A Reddit user first reported in mid-March that the eFile.com website had been compromised, with visitors being redirected to a fake 'network error' page and served a bogus browser update.

If the user clicks the browser-update link, they are served either update.exe or installer.exe, depending on the operating system. In a recent post from the SANS Internet Storm Center, Johannes Ullrich pointed out that the malicious files had a very low detection rate on VirusTotal.

Furthermore, he discovered that 'update.exe' was signed with a valid certificate emanating from a company named Sichuan Niurui Science and Technology Co., Ltd.

In a follow-up post, Ullrich explains that analysis of update.exe shows it to be a Python downloader that fetches a PHP script; that script establishes communication with the command-and-control server, which is then used to send messages to the attacker.

Analysis of a sample of the PHP script seen by MalwareHunterTeam determined it to be backdoor malware, through which threat actors can remotely access and take control of the device.

PHP scripts are installed in the background during malware distribution. 

The malware polls a remote command-and-control server operated by the threat actors every ten seconds. As soon as it receives a task to run on the infected device, it executes it.

The eFile backdoor offered only the basics of what such malware can provide, but it was still dangerous enough to give cybercriminals full access to an infected Windows PC, and from there a foothold to attack other systems on a corporate network.
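The ten-second polling described above is the kind of behaviour a defender can hunt for in web-proxy logs without knowing the C2 address in advance: a scripted beacon produces near-constant gaps between requests, whereas human browsing does not. The script below is an added example, not code from the original post or from eFile.com; the log format, the client IP, and the hostnames (`c2.example.invalid` and the others) are constructed for illustration, and the only detail taken from the post is the ten-second interval.

```python
"""Detect fixed-interval beaconing in proxy logs.

Added example, not code from the original post or from eFile.com; the log
format, client IP, and hostnames below are constructed for illustration.
The only detail taken from the post is that the backdoor polled its
command-and-control server every ten seconds.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <client_ip> <dest_host> <method> <path>"
SAMPLE_LOG = """\
2023-04-01T10:00:00 10.0.0.5 c2.example.invalid POST /gate.php
2023-04-01T10:00:03 10.0.0.5 www.example.com GET /index.html
2023-04-01T10:00:10 10.0.0.5 c2.example.invalid POST /gate.php
2023-04-01T10:00:20 10.0.0.5 c2.example.invalid POST /gate.php
2023-04-01T10:00:27 10.0.0.5 cdn.example.net GET /lib.js
2023-04-01T10:00:30 10.0.0.5 c2.example.invalid POST /gate.php
2023-04-01T10:00:41 10.0.0.5 c2.example.invalid POST /gate.php
2023-04-01T10:00:50 10.0.0.5 c2.example.invalid POST /gate.php
2023-04-01T10:00:55 10.0.0.5 www.example.com GET /about.html
2023-04-01T10:01:00 10.0.0.5 c2.example.invalid POST /gate.php
2023-04-01T10:03:00 10.0.0.5 www.example.com GET /news.html
"""


def parse_log(text):
    """Group request timestamps by (client, destination host)."""
    series = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts = datetime.fromisoformat(parts[0])
        series[(parts[1], parts[2])].append(ts)
    return series


def find_beacons(text, min_hits=5, max_jitter=0.2):
    """Return (client, host) pairs whose request intervals are nearly constant.

    Jitter is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests; a scripted poller such as the eFile backdoor shows
    almost none, while ordinary browsing is irregular.
    """
    findings = []
    for (client, host), stamps in parse_log(text).items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({
                "client": client,
                "host": host,
                "hits": len(stamps),
                "mean_interval": avg,
                "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['host']}: {hit['hits']} requests, "
              f"every {hit['mean_interval']:.1f}s (jitter {hit['jitter']})")
```

On the constructed log the only flagged pair is the client's traffic to `c2.example.invalid` (seven requests, mean gap 10 s, jitter well under the threshold); the browsing to `www.example.com` never reaches the minimum hit count. On real logs, tune `min_hits` and `max_jitter` to the noise level of the environment, and expect legitimate periodic traffic (update checks, monitoring agents) to show up as well, so treat a hit as a lead to triage rather than a verdict.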

eFile.com has yet to explain what happened. A cyber gang named OLOC, linked to LockBit ransomware, claims to have already attacked the website in January 2022.

According to the researcher, eFile removed the malicious JavaScript from the website on the 3rd of April. The attackers appear to have attempted to remove the infection themselves beforehand, probably to cover their tracks. The malicious code seems to have been injected into every page on eFile.com.

Million-Dollar Ransom Demanded by Ransomware Gang 

 


In recent years, an alarming number of ransomware groups have sprung up on the threat landscape, like mushrooms after rain.

In recent months, an emerging ransomware group called 'Money Message' has appeared. It targets victims worldwide and demands ransoms of up to a million dollars to safeguard confidential data. Besides a Chinese airline with annual revenue of approximately $1 billion, there have been at least two other victims of the group. As proof that it stole data from the airline, the group provides a screenshot of the accessed file system. Since then, five more successful ransomware attacks have been reported, the latest on April 4.

Money Message currently lists two victims on its leak site: an Asian airline with over $1 billion in assets and an unnamed vendor of computer hardware that deals in personal computers. The group's ransomware encryptor is written in C++ and contains a JSON configuration file embedded in the code, which determines how encryption proceeds on the victim's device.

The configuration specifies which folders are excluded from encryption, what extension should be appended, which services and processes should be terminated, whether logging is enabled, and likely domain login names and passwords to be used for encrypting other devices. It also contains the link through which the victim can contact the threat actors.

That link leads to a Tor negotiation site. Although Money Message's encryptor is not especially advanced, it still encrypts devices and steals data. By default no extension is appended to encrypted files, although the operators can change this for each victim. According to Rivitna, a security researcher who has analysed ransomware encryptors for more than a decade, the encryptor uses ChaCha20 and ECDH.
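An embedded JSON configuration of the kind described above is useful to a responder: pulling it out of a sample tells you which folders the encryptor skips, which services it stops, and whether it carries stolen domain credentials that must be rotated. The script below is an added example, not Money Message's code and not its real configuration schema; the byte blob, the key names (`exclude_dirs`, `extension`, `stop_services`, `stop_processes`, `logging`, `credentials`, `contact`) and every value are constructed placeholders that mirror the categories the post lists.

```python
"""Pull an embedded JSON configuration out of a binary sample.

Added example; this is not Money Message's code or its real configuration
schema. The blob, the key names and all values below are constructed
placeholders that mirror the categories the post describes.
"""
import json
import re

# Constructed configuration standing in for what an encryptor might embed.
CONSTRUCTED_CONFIG = {
    "exclude_dirs": ["C:\\Windows", "C:\\Program Files", "C:\\$Recycle.Bin"],
    "extension": "",
    "stop_services": ["vss", "sql", "backup"],
    "stop_processes": ["sqlservr.exe", "outlook.exe"],
    "logging": True,
    "credentials": [
        {"domain": "CORP.EXAMPLE", "user": "svc-backup", "password": "PLACEHOLDER"}
    ],
    "contact": "http://placeholder.onion/",
}

# Constructed "binary": PE-like header bytes, a decoy brace, the config, a trailer.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"junk{not json" + b"\x00" * 4
    + json.dumps(CONSTRUCTED_CONFIG).encode("utf-8")
    + b"\xff\xfe" + b"trailer"
)


def find_embedded_json(blob):
    """Return (offset, dict) for every top-level JSON object found in blob."""
    text = blob.decode("latin-1")  # one char per byte, so offsets stay valid
    decoder = json.JSONDecoder()
    found = []
    skip_until = 0
    for m in re.finditer(r"\{", text):
        if m.start() < skip_until:
            continue  # brace inside an object we already parsed
        try:
            obj, end = decoder.raw_decode(text, m.start())
        except ValueError:
            continue  # a brace that does not start valid JSON
        if isinstance(obj, dict):
            found.append((m.start(), obj))
            skip_until = end
    return found


def summarize(config):
    """Triage view of a config with secrets redacted (usernames only)."""
    creds = config.get("credentials", [])
    return {
        "excluded_dirs": len(config.get("exclude_dirs", [])),
        "appends_extension": bool(config.get("extension")),
        "services_to_stop": len(config.get("stop_services", [])),
        "processes_to_stop": len(config.get("stop_processes", [])),
        "logging": bool(config.get("logging")),
        "credential_sets": len(creds),
        "credential_users": [f"{c.get('domain')}\\{c.get('user')}" for c in creds],
    }


if __name__ == "__main__":
    for offset, cfg in find_embedded_json(SAMPLE_BLOB):
        print(f"config at offset {offset}: {summarize(cfg)}")
```

The scan tries `raw_decode` at every `{` and skips braces that sit inside an object already parsed, so nested credential records are reported once under their parent rather than as separate hits. Real samples often compress, encrypt or XOR the blob first; this only handles the plaintext case, and the summary deliberately lists which accounts appear rather than their passwords, which is what an incident report needs.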

In its latest posting, Money Message has also been playing up the dramatics: the gang has put a countdown timer on its website that reportedly counts down to the moment it reveals the target and publishes the data it holds.

After encrypting the device, the ransomware creates a ransom note titled 'money_message.log' containing a link used to negotiate with the threat actors. We will explore this further on.

If the ransom is not paid, any stolen information is published on the gang's data leak site.

Three days after listing the airline, Money Message published a document containing travelers' information.

An insurance company in the United States and a distributor of iron and glass products were also affected. Money Message has extorted a lot of money from its victims, and when a ransom was not paid, the exfiltrated data was published.

Although Money Message does not appear to be a sophisticated malware threat, it is still a serious threat to businesses: it targets them, steals their data, and extorts them for money.

The steady emergence of new ransomware groups highlights that organizations face more threats each day. Take measures to protect your data by implementing proper security controls.

German Police Raid FlyHosting, a DDoS-Friendly Hosting Provider

 


German authorities have reportedly seized Internet servers used by FlyHosting, a dark web company that offered DDoS-for-hire services. On November 20, 2022, FlyHosting posted an advertisement on a cybercrime forum to attract customers, describing itself as a German hosting company offering services to anyone looking for an environment to host malware, botnet controllers, or a DDoS-for-hire platform able to handle traffic spikes.

According to a statement issued today by the German Federal Criminal Police Office, eight searches were carried out on March 30. Five individuals between the ages of 16 and 24 have been identified as suspected operators of the "internet services" since 2021. The German authorities gave no names or other details about the suspects or the service.

The statement says that previously unknown perpetrators used the Internet services provided by the suspects, in particular for 'DDoS attacks': attacks in which a large number of data packets are transmitted simultaneously over the Internet to disrupt other data processing systems.

News of a raid on FlyHosting surfaced on Thursday morning in a Telegram chat channel frequented by people interested or involved in the DDoS-for-hire industry. FlyHosting's customers heard the following from Dstatcc.

According to the warning, FlyHosting had moved its systems into an upgraded police room several weeks earlier. The support provided for DDoS attacks, C&C/C2, and stresser services was no longer working properly, and the police were expected to investigate files, payment logs, and IPs further.

As a result of the DDoS attacks facilitated by the defendants since mid-2021, the websites of several companies, as well as that of the Hesse Police, were overloaded on several occasions. According to German authorities, the attacked websites could not operate fully, meaning they were not available at all times and in all places.

Media reports say police searched and seized the mobile phones, laptops, tablets, storage media, and handwritten notes of two unnamed defendants in connection with the case. Police also confiscated servers in the Netherlands, Germany, and Finland that were provided by the suspects. Germany's Hessen Police confirmed in response to questions that FlyHosting was the subject of the seizures.

The raids on FlyHosting are probably part of a broader clampdown on DDoS-for-hire services by law enforcement around the world. Earlier this week, the National Crime Agency announced that it has been setting up phony DDoS-for-hire websites, intended to gather information on users and to remind them that launching DDoS attacks is illegal, which may leave people seeking such services more paranoid.

The Department of Justice (DOJ) announced Operation Power Off in December 2022, an operation that seized more than four dozen domains responsible for over 30 million DDoS attacks. Six U.S. men were charged with computer crimes for allegedly owning popular DDoS-for-hire services used by cybercriminals.

Fraudsters Are Difficult to Spot, Thanks to AI Chatbots

 


Researchers at the University of Rochester examined what ChatGPT would write after being asked questions sprinkled with conspiracy theories to determine how the artificial intelligence chatbot would respond. 

In a report published on Tuesday, researchers advised companies to avoid chatbots that are not integrated into their own websites. Central bank officials have also warned people not to give personal information to online chat contacts, who may be a threat.

It has been reported that cybercriminals are now able to craft highly convincing phishing emails and social media posts very quickly, using advanced artificial intelligence technologies such as ChatGPT, making it even harder for the average person to differentiate between what is trustworthy and what is malicious. 

Cybercriminals have used phishing emails for years to fool victims into clicking links that install malware on their computers, or into handing over personal information such as passwords or PINs.

According to the Office for National Statistics, over half of all adults in England and Wales reported receiving phishing emails in the past year. According to UK government research, businesses are most likely to be targeted by phishing attacks. 

The experts advise users to think before clicking links in unsolicited emails or messages, to avoid falling victim to these new threats.

They also advise users to keep their security solutions up to date and to ensure they have a complete set of security layers that go beyond detecting known malware on a device and can also identify and block unknown threats; behavioural detection and blocking are two such layers.

Researchers from Johns Hopkins University said that personalized, real-time chatbots might enable conspiracy theories to be shared in increasingly credible and persuasive ways, with cleaner syntax and better translations, eliminating human errors and transcending easily identifiable copy-and-paste jobs. As for mitigation measures, they say there are none that can currently be put in place.

OpenAI created ChatGPT, a program that predicts human-like text, as a follow-up to its earlier language models. Earlier text-generation programs filled online forums and social media platforms with spam and grammatically flawed comments. Microsoft's earlier chatbot lasted less than 24 hours on Twitter: trolls set out to teach the bot to spew racist, xenophobic, and homophobic language, and it did.

ChatGPT offers far more power and sophistication. Confronted with questions loaded with disinformation, the software produces convincing, clean variations on the content without divulging anything about its sources or origins.

A growing body of evidence shows that ChatGPT, which became a sensation as soon as it launched last year, is being used for cybercrime; the creation of malicious communications is one of the first substantial commercial applications of large language models (LLMs), and it is growing rapidly across the globe.

A recent report from cybersecurity experts at Darktrace suggests that more and more phishing emails are being authored by bots as a result of data mining. In this way, criminals can send more messages without worrying about spam filters detecting them. 

Many AI platforms, including ChatGPT, Bard, and other projects from OpenAI, have been in the spotlight lately as the next big thing in technology. As smart systems become more integrated into people's daily lives, their biases become more obvious and harder to hide.

AI bias arises when the data used to train machine-learning models reflects systemic biases, prejudices, or unequal treatment in society. The result is that AI systems may perpetuate existing biases and discrimination.

Because bias enters through human decisions in developing, training, and testing AI models, humans alone bear responsibility for it.

Here's all you Need to Know About Snake Keylogger


In this age of ever-evolving technology, crime involving it is also emerging on a larger scale. One of the most talked about and most damaging cybercrimes is the data breach.

In today's world, a cybercriminal can steal data and money with the help of many kinds of malware, including keyloggers.

Snake Keylogger is a well-known example of this kind of malware. But where did Snake Keylogger originate, how does it operate, and how can you get rid of it? Here is all you need to know about Snake Keylogger.

What Is Snake Keylogger? 

In order to get an idea of Snake Keylogger, let us first understand what keyloggers are in general. 

A keylogger is a kind of malicious program that logs keystrokes. If your device is infected, the keylogger records anything you type, including passwords, text messages, payment information, and just about anything else. Snake Keylogger is a modular malware program built on the .NET developer platform.

Through this logging, the malicious operator gains control of the program and can see what a user is typing on the device, and even take screenshots, giving them an opportunity to steal a great heap of data.

Discovered in November 2020, it has a history of stealing credentials, clipboard data, and other information. Sold on malicious markets such as hacking forums, Snake Keylogger poses a threat to both individuals and companies.

How Does Snake Keylogger Operate? 

Snake Keylogger usually spreads through phishing campaigns that target victims with malicious mail, but it can also be delivered via spear phishing, where specific victims are targeted for specific goals. When Snake Keylogger is sent to a potential victim, it is enclosed in an attachment.

Once received, the user is asked to open a DOCX file. This file may contain a malicious macro that launches Snake Keylogger. If the recipient uses a version of Microsoft Office with security vulnerabilities, the malware exploits them to infect the device. The same can apply to PDF readers. 

The malware can access the recorded data and transfer it to the attacker, who can exploit it further. The data can either be exploited directly (for example, by accessing bank accounts with the stolen credentials) or sold to other threat actors in illicit marketplaces on the dark web. 

Another reason Snake Keylogger poses a threat is its ability to evade antivirus protection, which usually stands as the first line of defense for most devices. In many cases, antivirus is a device's only protection, so if Snake Keylogger evades the software and nothing else is in place, the targeted device can be infected and exploited quickly. 

How to Protect Yourself from Snake Keylogger? 

To avoid Snake Keylogger, one can opt for a number of measures: 

  • The first is to install antivirus software on your devices. While Snake Keylogger can sometimes avoid detection by antivirus software, a reliable and efficient antivirus product is still crucial for identifying keyloggers and other types of malware. 
  • Additionally, always exercise caution when opening email attachments, particularly those from unknown or dubious senders. Distributing malware via attachments is fairly prevalent, and Snake Keylogger is only one of many examples. If you receive an attachment from a sender you do not fully trust, consider passing it through an attachment scanner to identify any potential risks. 
  • To avoid fraudulent emails, enable your email provider's spam filter. Suspicious emails will then be sent to a separate folder rather than the main inbox. 
  • Moreover, update your operating system and installed apps frequently. Since Snake Keylogger infects devices by exploiting software flaws, frequent updates iron out those flaws, so cybercriminals can no longer abuse the software.  
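
The advice above to pass an untrusted attachment through a scanner can be illustrated with the kind of check such a scanner performs. The following Python is an added example written for this page, not code from the original post or from any vendor: it opens an Office (OOXML) attachment as the zip archive it really is, without launching Office, and reports whether the file carries a VBA project or a relationship that points at an external resource. The `build_sample_docx` helper constructs minimal fixtures so the check runs offline; the file names and the URL in those fixtures are made up.

```python
import io
import re
import zipfile

# Extensions that may legitimately carry VBA; a VBA part in any other OOXML
# file is a mismatch worth flagging.
MACRO_ENABLED_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}
REL_RE = re.compile(r"<Relationship\b[^>]*?/?>")


def scan_office_attachment(data: bytes, filename: str) -> dict:
    """Inspect an OOXML attachment (docx/xlsx/...) without opening it in Office.

    Looks for VBA project parts and for relationships that point at external
    resources (for example a remote template). Returns a dict of findings.
    """
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    result = {"filename": filename, "is_ooxml": False, "macro_parts": [],
              "external_rels": [], "suspicious": False, "reasons": []}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["reasons"].append("not a zip container (legacy binary format or other file)")
        return result
    with archive:
        names = archive.namelist()
        if "[Content_Types].xml" not in names:
            result["reasons"].append("zip without [Content_Types].xml: not an OOXML document")
            return result
        result["is_ooxml"] = True

        # VBA code in OOXML always lives in a vbaProject.bin part.
        result["macro_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if result["macro_parts"]:
            result["reasons"].append("contains a VBA project (macros)")
            if ext not in MACRO_ENABLED_EXTENSIONS:
                result["reasons"].append(f"VBA project inside a file with non-macro extension {ext}")

        # Relationship parts (*.rels) may point outside the package; a remote
        # target is how template-injection lures pull in a second stage.
        for name in names:
            if not name.endswith(".rels"):
                continue
            text = archive.read(name).decode("utf-8", errors="replace")
            for rel in REL_RE.findall(text):
                target = re.search(r'Target="([^"]*)"', rel)
                if 'TargetMode="External"' in rel and target and \
                        target.group(1).lower().startswith(("http://", "https://", "file:", "\\\\")):
                    result["external_rels"].append(target.group(1))
        if result["external_rels"]:
            result["reasons"].append("relationship points at an external resource")

    result["suspicious"] = bool(result["macro_parts"] or result["external_rels"])
    return result


def build_sample_docx(with_macro: bool = False, remote_template: str = "") -> bytes:
    """Construct a minimal OOXML container in memory (constructed fixture, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml",
                         '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # OLE compound-file magic plus filler stands in for a real VBA storage.
            archive.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)
        rels = ['<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
        if remote_template:
            rels.append('<Relationship Id="rId9" Type="http://schemas.openxmlformats.org/'
                        'officeDocument/2006/relationships/attachedTemplate" '
                        f'Target="{remote_template}" TargetMode="External"/>')
        rels.append("</Relationships>")
        archive.writestr("word/_rels/settings.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob, name in [
        ("clean", build_sample_docx(), "invoice.docx"),
        ("macro in docx", build_sample_docx(with_macro=True), "invoice.docx"),
        ("remote template", build_sample_docx(remote_template="http://lure.example.invalid/t.dotm"), "invoice.docx"),
    ]:
        print(label, scan_office_attachment(blob, name))
```

The check is a triage heuristic, not a verdict: a VBA part in a `.docm` from a known sender may be fine, while the same part inside a `.docx`, or a template relationship pointing at an outside host, is the shape of the lure described above and deserves a look before anyone double-clicks.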

Scams Up Since ChatGPT's Release, Darktrace Says

 


Darktrace, a British cybersecurity firm, has warned that since the release of ChatGPT, criminals have increasingly been using artificial intelligence to create sophisticated scams that con employees and compromise systems at businesses all over the world. 

The Cambridge-based firm reported that operating profits had dropped 92% in the half-year to December. It also said that artificial intelligence had made it easier for "hacktivists" to target businesses with ransomware attacks. 

Since ChatGPT was launched last November, the company has seen an increase in the number of convincing and complex scams by hackers, and said it was experiencing an increased number of attacks. 

While Darktrace has observed a steady increase in email-based attacks in the months since the release of ChatGPT, attacks that rely on false links to trick victims into clicking have declined. At the same time, the linguistic complexity of the emails has increased: text volume, punctuation, and sentence length have all gone up. 

These results indicate that cybercriminals may not only redirect their focus to creating more sophisticated social engineering scams, but are also likely to exploit victims' trust. 

Darktrace said, however, that the phenomenon had not yet been accompanied by the emergence of a new wave of cybercriminals; it has merely been an adjustment in tactics. 

Although ChatGPT has not significantly lowered the entry barriers for threat actors, Darktrace believes it has helped adversaries develop more targeted, personalized, and ultimately more successful attacks by enabling them to create more sophisticated phishing emails. 

Aside from reporting its quarterly results, Darktrace also noted that in the last three months of last year, the number of companies signing up for its security products had shown a "noticeable" decline. 

In addition, share awards held by executives Poppy Gustafsson and Cathy Graham vested in accordance with their terms, and the resulting tax bill forced the company to reduce its forecast of free cash flow for this year. 

The company, whose market capitalisation of £1.9 billion is well below the heady heights of almost £7 billion it reached after its flotation, announced that in the six months to the end of December its customer base rose by a quarter, from 6,573 to 8,178. 

In an interview with The Wall Street Journal, Darktrace, whose stock has been under continuous attack by short-sellers who doubt that the company can deliver what it promises in the cybersecurity arena dominated by the US, said it is not concerned by the recent slump in new orders.

Police in Hong Kong and Interpol Discover Phishing Servers and Apps

 


Police in Hong Kong have taken down the local operation of an international group of fraudsters in a crackdown on phishing syndicates that used 563 bogus mobile applications to spy on phones throughout the world and steal information from them. 

Senior Superintendent Raymond Lam Cheuk-ho of the force's cyber security and technology crime bureau told the News that officers tracked down 258 servers around the world that were connected to the apps. 

Last February, Interpol and the Department of Homeland Security (DHS) began an 11-month joint operation that was codenamed "Magic Flame." 

The attack contributed to a rise in cybercrime across the world, and some victims lost their life savings as hackers gained access to their bank accounts and stole their personal information. 

Among those apps, Lam said, were ones planted with trojans that impersonated banks, financial institutions, media players, dating apps, and camera apps, among others. 

The cybercriminals kept switching between different servers, some in Hong Kong and others elsewhere, to keep the 192 servers in the city from being detected. 

The Post learned that the servers had been rented by individuals who set up their accounts online and who lived on the Chinese mainland, in the Philippines, and in Cambodia. 

The hackers sent SMS messages that resembled official communications and directed recipients to visit a link. 

Clicking the link downloaded the fake application to the recipient's smartphone. The hackers could then steal their victims' personal information, including bank account details, credit card numbers, addresses, and photos. 

Servers in Hong Kong and elsewhere received this data before it was transferred to another 153 servers in other parts of the world. 

Wilson Fan Chun-yip, a superintendent at the cybercrime bureau, told the newspaper that the criminals could use the stolen data to make payments and shop online through the victims' accounts. 

The hackers could access all emails, texts, and voice messages, listen to audio recordings, and track the location of their targets. They could also view the contents of victims' smartphones and eavesdrop on their conversations by remotely activating the devices. 

According to the investigation, the servers contained the personal information of 519 people, mostly from Japan and South Korea, whose phones had been compromised in various countries. Reports indicate that none of the victims were from Hong Kong. 

"It is believed that an offshore gang was involved in this crime. This gang took advantage of the city's internet network to carry out its illegal activities," Lam said at a press conference. 

No arrests were made in the city in connection with the incident, but police identified some suspects and passed their information to the relevant overseas law enforcement agencies through Interpol. 

After the joint operation with Interpol, Lam believed the syndicate had ceased its unlawful activities. 

Hong Kong police received 473 reports of phishing attacks in the first ten months of last year, with losses of HK$8.9 million (US$1.1 million). One case involved a loss of HK$170,000 in a single transaction. 

According to the FBI, there have been 18,660 reports of cybercrime over the past three years, a two-fold increase compared with the 13,163 cases reported in 2021. Victims reported losses of over HK$2.65 billion, plus HK$1,985 million in property damage. 

A sevenfold increase in technology-based crimes was observed in Hong Kong between 2011 and 2021, according to the police. 

Cybercrime reports jumped from 2,206 in 2011 to 16,159 in 2021, while the money lost rose twentyfold, to HK$3.02 billion in 2021. 

Police urge the public to stay alert when reading emails or text messages and not to click on any embedded hyperlinks, which can lead to a suspicious website or app. They also urge the public to download apps only from official app stores and not from third-party websites. 

Last September, police introduced a search engine called "Scameter" to combat online and telephone fraud; it is available free of charge on the CyberDefender website. 

A user can use the Scameter to check the risk of suspicious telephone calls, friend requests, job advertisements, or investment websites.
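
To make the police advice concrete, here is an added Python example (not part of the original article, and not a police, Interpol or CyberDefender tool) that triages the links in an SMS the way a filter on a phone or messaging gateway might: it flags links to bare IP addresses, direct app-package downloads, unencrypted http, and hosts that name a brand without belonging to that brand's domains. The brand allowlist and the sample messages are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: which hosts really belong to a brand. An assumption
# for this example; a real deployment maintains its own list.
BRAND_DOMAINS = {
    "examplebank": {"examplebank.example"},
    "examplepost": {"examplepost.example"},
}
OFFICIAL_STORE_HOSTS = {"play.google.com", "apps.apple.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def extract_urls(message: str) -> list:
    """Pull http(s) links out of an SMS body, dropping trailing punctuation."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(message)]


def assess_link(url: str) -> list:
    """Return the indicators that make a link look like a phishing or sideload lure."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    reasons = []
    if host in OFFICIAL_STORE_HOSTS:
        return reasons  # a link into an official app store gets no indicators
    if IPV4_RE.fullmatch(host):
        reasons.append("link points at a bare IP address")
    if path.endswith((".apk", ".ipa")):
        reasons.append("direct app package download outside an official store")
    if parts.scheme.lower() == "http":
        reasons.append("unencrypted http link")
    for brand, domains in BRAND_DOMAINS.items():
        official = host in domains or any(host.endswith("." + d) for d in domains)
        if brand in host and not official:
            reasons.append(f"host mentions '{brand}' but is not an official {brand} domain")
    return reasons


def triage_sms(message: str) -> dict:
    """Classify one SMS as 'no links', 'no indicators' or 'suspicious', with reasons per link."""
    links = {u: assess_link(u) for u in extract_urls(message)}
    if not links:
        verdict = "no links"
    elif any(links.values()):
        verdict = "suspicious"
    else:
        verdict = "no indicators"
    return {"verdict": verdict, "links": links}


# Constructed sample messages; none is a real phishing text.
SAMPLE_MESSAGES = [
    "ExampleBank: unusual login detected. Verify now at http://examplebank-secure.example.net/login",
    "Your parcel could not be delivered. Install the tracking app: https://203.0.113.7/track/app.apk",
    "ExampleBank: your statement is ready at https://examplebank.example/statements.",
    "Get our app from the store: https://play.google.com/store/apps/details?id=com.example.app",
    "Reminder: your dentist appointment is tomorrow at 10:00.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(triage_sms(msg))
```

The second sample shows the pattern in the article: a link that drops an app package directly onto the phone from a server that is not an app store. A lookalike host is the harder case, which is why the brand check compares against an allowlist rather than looking for the brand name at all.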

Northern European Criminals Copy the Lockbit Gang

 


LockBit is one of the most notorious ransomware groups currently operating and is very active on dark web forums, where it exploits the negative publicity created by other ransomware groups to recruit more hardened cybercriminals for its agenda. 

The rate at which ransomware attacks target companies in northern Europe has increased significantly. These attacks appear to be conducted with the LockBit locker malware, believed to be one of the tools used by a criminal affiliate program dubbed Gangrel. 

There is a wide range of industries that have been targeted by the LockBit group. It has caused significant disruptions and financial losses for a wide range of companies, from small to multinational. 

One of the most concerning characteristics of these new attacks is how they are carried out. The LockBit Locker group uses a variety of techniques, including phishing and social engineering, to gain initial access to a company's network. Having gained access, the attackers use a wide variety of tools and techniques to reach various parts of the network and steal sensitive information, including sensitive system information. 

Computerland, a Belgian company, has reported an increase in attacks on small and medium-sized businesses in the country and explained that it was itself targeted by a group of cybercriminals using a variant of the LockBit locker malware. Following a thorough investigation, it was discovered that these attackers were unlikely to be connected with the LockBit group; rather, they were "wannabes" who had gained access to leaked versions of the malware. Despite not being the real LockBit Locker group, these smaller criminals were still able to inflict significant damage by encrypting a large number of internal files. 

The intrusion had no lasting impact on the company's computer systems, however, because backups had been made and none of the client workstations were lost. 

The incident is one of many highlighting the dangers of outdated software and systems, which even less sophisticated actors can exploit in a criminal underground where extortion practices seem to be gaining popularity. 

According to the report, in this case the attackers used the company's FortiGate firewall to gain access to the company's sensitive data by taking advantage of unpatched vulnerabilities. According to the Known Exploited Vulnerabilities Catalog maintained by the Center for Internet Security Awareness, unpatched FortiGate firewalls are prone to several vulnerabilities currently being exploited by cybercriminals. In these recent cases, however, the flaws exploited were the infamous "Fortifuck" flaws that date back as far as 2018. 

These flaws were discovered and exploited because of unattended exposure through a branch internet gateway. Such gateway sites are usually less well protected than the central network, which gives attackers an advantage in gaining access to the network. 

The recent ransomware attacks against small and medium-sized businesses in northern Europe are highly concerning for several reasons. Even though the criminal operators' lack of experience reduced their effectiveness, the targeted businesses still suffered extended outages and data exfiltration. 

Briefing on Threat Actors   

LockBit is a well-known ransomware affiliate program that started in September 2019; the developers of the malware recruit unethical penetration-testing teams to spread the ransomware as third parties. It is one of several gangs that have established double-extortion practices, and its toolkit included the Stealbit malware to support such attacks.

During LockBit's infamous career, a large number of small and medium businesses and large corporations such as Accenture and Royal Mail have been targeted. Once the environment is infected, the victim is redirected to a payment site managed by the ransomware developers, and the attackers threaten to leak the victim's data to pressure them into paying more.
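
Computerland's incident hinged on the attackers encrypting a large number of internal files, and that activity has a distinctive shape in file-system telemetry that a defender can watch for. The following Python is an added example written for this page, not code from Computerland, the report, or any product: it reads JSON-lines file events and raises one alert per process that renames many files across several directories to the same new extension inside a short window. The event format, the `.lockd` extension, and the paths are constructed for the example.

```python
import json
import os
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone


def _ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_encryption_bursts(lines, window_seconds=60, threshold=20, min_dirs=2):
    """Scan JSON-lines file events and flag processes renaming many files to one new extension.

    Each line is {"ts", "pid", "proc", "op", "src", "dst"}. Only RENAME events whose
    extension changes are counted; a normal "save as" changes one file, a bulk
    encrypter changes hundreds across directories. One alert is raised per pid.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # pid -> deque of (timestamp, new_ext, directory)
    alerts, alerted = [], set()
    for line in lines:
        ev = json.loads(line)
        if ev["op"] != "RENAME":
            continue
        new_ext = _ext(ev["dst"])
        if not new_ext or new_ext == _ext(ev["src"]):
            continue
        ts = _ts(ev["ts"])
        q = recent[ev["pid"]]
        q.append((ts, new_ext, os.path.dirname(ev["dst"])))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop events that fell out of the look-back window
        top_ext, count = Counter(e for _, e, _ in q).most_common(1)[0]
        dirs = {d for _, e, d in q if e == top_ext}
        if count >= threshold and len(dirs) >= min_dirs and ev["pid"] not in alerted:
            alerted.add(ev["pid"])
            alerts.append({"pid": ev["pid"], "proc": ev["proc"], "extension": top_ext,
                           "count": count, "directories": sorted(dirs),
                           "first_seen": q[0][0].isoformat(), "last_seen": ts.isoformat()})
    return alerts


def sample_events() -> list:
    """Constructed file-event log: one bulk encrypter plus ordinary user activity."""
    base = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)

    def line(offset, pid, proc, op, src, dst):
        stamp = (base + timedelta(seconds=offset)).isoformat().replace("+00:00", "Z")
        return json.dumps({"ts": stamp, "pid": pid, "proc": proc, "op": op, "src": src, "dst": dst})

    events = [
        # Ordinary activity: an editor saves through a temp file, a user renames a photo.
        line(1, 1000, "WINWORD.EXE", "WRITE", "/home/ann/report.tmp", "/home/ann/report.tmp"),
        line(2, 1000, "WINWORD.EXE", "RENAME", "/home/ann/report.tmp", "/home/ann/report.docx"),
        line(5, 2200, "explorer.exe", "RENAME", "/home/ann/IMG_1.jpeg", "/home/ann/beach.jpg"),
    ]
    # Bulk encryption: one process sweeps three share directories, one file per second.
    for i in range(30):
        folder = ("finance", "hr", "legal")[i % 3]
        src = f"/srv/share/{folder}/doc{i:02d}.xlsx"
        events.append(line(10 + i, 4242, "updater.exe", "RENAME", src, src + ".lockd"))
    return events


if __name__ == "__main__":
    for alert in detect_encryption_bursts(sample_events()):
        print(alert)
```

The alert fires on the twentieth extension change, well before the sweep finishes, which is the point: with backups in place, as Computerland had, the difference between a nuisance and an outage is how early the process is stopped. The threshold and window are tuning knobs; set them against a baseline of your own file servers' normal rename rate.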

A Credential Stuffing Attack Breaches PayPal Accounts

 


In December last year, hackers accessed the PayPal accounts of more than 1.6 million users of the online payment service. As a result, PayPal is now sending out data breach notifications to affected users. 

A large number of the company's customer accounts were compromised in this attack: using credential stuffing, the hackers gained access to almost 35,000 accounts. 

PayPal sent a Warning of Security Incidents to affected customers on December 6th and 8th of last year, stating that the attack took place from December 6th to 8th. The company detected the attack while it was under way and took the necessary steps to mitigate it. PayPal has also launched an internal investigation into how the hackers gained access to customers' accounts in the first place. 

Although the company says the hackers were unable to carry out any transactions through the breached accounts, a lot of sensitive information about affected customers was stolen, including their full names, dates of birth, physical addresses, Social Security numbers, and tax identification numbers. 

Based on PayPal's investigation, the hackers behind this attack used credential stuffing to access the accounts of PayPal's customers by gaining access to the credentials of PayPal's employees. Credential stuffing is a popular attack method; the credentials are found on the dark web, and unlike a data breach it relies on accounts already in circulation. 

Credential-stuffing attacks are often carried out using bots programmed to enter usernames and passwords taken from data breaches in order to break into user accounts. Many bots try the same credentials against multiple online services in the hope that the passwords have not changed recently. 

Using the same password across multiple accounts is dangerous. A hacker who compromises one website or service obtains your password and can then use it to access the rest of your accounts. 
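
The pattern described in the two paragraphs above, bots trying breached username and password pairs against many accounts, is visible in authentication logs, and that is how such a campaign is usually caught. This Python is an added example written for this page, not PayPal's code or log format: it groups login events by source IP, flags IPs that hit many distinct accounts with mostly failed attempts inside a sliding window, and lists the accounts that nonetheless logged in from a flagged IP, which are the ones to reset. The log line format and the sample entries are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def analyse_auth_log(lines, window_seconds=600, min_users=10, max_success_ratio=0.2):
    """Flag source IPs that try many distinct accounts with mostly failed logins.

    A user mistyping a password fails against one account; a stuffing bot fails
    against many. For each flagged IP the accounts that did log in successfully
    are returned, since those are the ones to reset and review.
    """
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            by_ip[m["ip"]].append((_ts(m["ts"]), m["user"], m["result"]))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        start, flagged = 0, False
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            ok = sum(1 for _, _, r in span if r == "OK")
            if len(users) >= min_users and ok / len(span) <= max_success_ratio:
                flagged = True
                break
        if flagged:
            findings[ip] = {
                "attempts": len(events),
                "distinct_users": len({u for _, u, _ in events}),
                "failures": sum(1 for _, _, r in events if r == "FAIL"),
                "compromised_accounts": sorted({u for _, u, r in events if r == "OK"}),
            }
    return findings


def sample_auth_log() -> list:
    """Constructed auth log: one stuffing run plus two ordinary users."""
    base = datetime(2023, 12, 6, 3, 0, tzinfo=timezone.utc)

    def line(offset, ip, user, result, ua):
        stamp = (base + timedelta(seconds=offset)).isoformat().replace("+00:00", "Z")
        return f'{stamp} ip={ip} user={user} result={result} ua="{ua}"'

    lines = [
        line(0, "203.0.113.5", "alice", "FAIL", "Mozilla/5.0"),
        line(7, "203.0.113.5", "alice", "FAIL", "Mozilla/5.0"),
        line(15, "203.0.113.5", "alice", "OK", "Mozilla/5.0"),
        line(40, "203.0.113.9", "bob", "OK", "Mozilla/5.0"),
    ]
    # A bot cycling through leaked pairs, four per second; two victims reused their password.
    for i in range(30):
        result = "OK" if i in (7, 19) else "FAIL"
        lines.append(line(60 + i * 0.25, "198.51.100.7", f"user{i:02d}", result, "python-requests/2.31"))
    return lines


if __name__ == "__main__":
    for ip, info in analyse_auth_log(sample_auth_log()).items():
        print(ip, info)
```

Rate limiting alone would not have stopped this: each account sees a single attempt, so a per-account lockout never triggers. Grouping by source (or by user agent, or by password hash seen across accounts) is what exposes the campaign, and the `compromised_accounts` list is the input to the forced reset the article describes.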

When your PayPal account is hacked, what should you do next? 

If PayPal has notified you that your account was breached and told you to reset your password, the company has already reset it. It is recommended that you create a strong, complex, and distinct password for your account the next time you log in so that your account remains safe. A password manager such as KeePass can generate strong passwords for you and store them securely, and many such services also offer free online password generators. 

To protect you from identity theft, PayPal is offering two years of free identity monitoring from Equifax, which covers your name, birth date, address, and Social Security number. If you wish to extend your protection even further, you may want to sign up for an identity theft protection service. 

It is also recommended that you enable two-factor authentication for your PayPal account; it helps prevent a hacker from gaining access even if they obtain your login credentials, and it can be crucial to the safety and security of your account. 

Despite the many risks involved, password reuse is still one of the biggest problems online, but hopefully this unfortunate incident will get people to use strong, complex, and unique passwords, especially for their financial accounts. 

Cybercriminals are Targeting Gamers Next

 


In 2023, cybercriminals will be seeking out your money and data. That is the news gamers and metaverse pioneers need to be aware of. 

While the objectives of those looking to steal consumers' personal and financial information will remain the same next year, they will be targeting new people and new platforms to try to get around the defenses set in place. 

As more people and businesses learn how to deal with traditional email phishing, texting scams, and social media scams, a variety of other online frontiers, including gaming platforms and virtual reality worlds, will open up to cybercriminals. According to Kaspersky researchers, this could be an opportunity for them. 

According to Kaspersky researchers, Sony's PlayStation Plus gaming subscription service is now competing against Microsoft's GamePass service across the globe, which is expected to encourage more people to play online games in general. 

Criminal activity associated with those accounts is also increasing significantly, and related scams are on the rise; Kaspersky said this is not unlike the subscription-related fraud that has been happening lately.  

Unless you know where your data is being stored or who it has been shared with, it can be challenging to ensure it is safe and private. 

Jeremy Snyder, founder and CEO of FireTail, a cybersecurity firm that specializes in threat-aware technology, noted that even the most basic online activities, such as ordering takeout through a meal delivery service, can involve three or more companies, and that no one knows how secure each company's system will be. 

Snyder believes that a lack of visibility will be an imminent risk to security and privacy heading into 2023 and beyond. There is a great deal of data that companies are gathering and sharing these days. However, their knowledge of where that data is or who has access to it is often limited. 

Snyder asked, "Will 2023 mark the year that companies finally start recognizing how serious this problem is?" and, if so, what that would look like. His own answer: "I hope so." 

Wildix explained in its statement that consumers will also have to think about where their data is stored, particularly the data collected by the Internet of Things devices they own. 

In one recent instance, he noted seeing Wi-Fi traffic collected by a robotic vacuum being sent daily to a power station in Mongolia. He wondered, "How much of that traffic is coming from things in your house you aren't aware of?" Many such things are overlooked because no one thinks about them. 

Consumers must also keep track of the personal information they share on social media, according to Jeff Hodgin, vice president of products for CyberGRX. People who post on social media are promoting themselves as a brand, much as a company does; the more popular the brand, the more lucrative a target it is for cybercriminals. 

"A person wishing to promote themselves should think about the risks involved before making such a move," said Hodgin. The person should ask themselves: "What is my exposure? What would be the consequences of a breach? How likely is that to occur?"

Use different Passwords for Different Accounts to Avoid Security Risks

 


Most people repeat the same password across several of their accounts or, more seriously, set the same password for all of them. This is not a safe practice at all. According to Checkpoint, a provider of cybersecurity solutions, cybercriminals are gaining access to databases stolen from breached websites, and this lax behaviour feeds an underground market for such databases. 

Harish Kumar, Head of Enterprise at Checkpoint, wrote a blog post warning that using the same password for personal and corporate accounts can be very dangerous: if hackers find a way to obtain credentials for personal accounts, they could potentially gain admin-level access to an organization. 

The report goes on to add that even though people know about the risks of recycling passwords, many continue to do so because they find it difficult to manage and memorize many passwords and do not feel confident doing so. 

The state of passwords in India 

A report on password usage by Nordpass found that Indians struggle badly with passwords. According to the report, "password" was the most popular password in the country, along with "123456" and "12345678." Each of these passwords takes less than a second to crack. This could be one reason why, as of 2017, India ranks fourth in the world for consumer losses due to cybercrime, though it is not the only one. 

Several data theft cases have also been reported in India in the past few months. The jump is largely due to the rise in digital adoption, driven by the pandemic and its push toward studying and working online. According to the cyber-security company, many new Internet users and companies are unaware of cybersecurity, which is increasing cybercrime. 

According to Checkpoint, tougher security policies that impose stronger passwords are also counterproductive and, paradoxically, are viewed negatively. 

The benefits of lax cybersecurity for cybercriminals 

Checkpoint's report emphasizes a crucial point: attackers quickly identified this negligence and realised they could make better use of their resources by targeting smaller websites with weaker security. 

According to the report, the National Institute of Standards and Technology (NIST) requires that all passwords be salted with at least 32 bits and hashed using a one-way key derivation function. However, many websites fail to adhere to this requirement, and some even store passwords in plain text. Hackers can then use the credentials stolen from those sites to log into more valuable websites and online services.
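
The NIST requirement above (a per-user salt and a one-way key derivation function) is easy to get wrong, so here is an added Python example, not part of the Checkpoint report or the article, showing a stored record format that meets it with PBKDF2-HMAC-SHA256 and a 128-bit salt, alongside the unsalted hash it replaces. The iteration count is an assumption to be tuned to your hardware; the contrast function shows why unsalted storage lets an attacker spot every user who chose the same password at once.

```python
import base64
import hashlib
import hmac
import os

SALT_BYTES = 16          # 128-bit salt; NIST's floor is 32 bits (assumption: go well above it)
ITERATIONS = 600_000     # PBKDF2-HMAC-SHA256 work factor; an assumption, tune to your hardware


def hash_password(password: str, iterations: int = ITERATIONS, salt: bytes = b"") -> str:
    """Salted, iterated one-way derivation. Record format: algo$iterations$salt_b64$hash_b64."""
    salt = salt or os.urandom(SALT_BYTES)   # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))


def unsalted_sha256(password: str) -> str:
    """The weak pattern the report warns about: a bare fast hash with no salt. For contrast only."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def records_linkable(store_a: str, store_b: str) -> bool:
    """True when two stored records reveal that two users share a password."""
    return store_a == store_b


if __name__ == "__main__":
    a, b = hash_password("pass@123"), hash_password("pass@123")
    print("salted records differ:", not records_linkable(a, b), "verify:", verify_password("pass@123", a))
    print("unsalted records collide:", records_linkable(unsalted_sha256("pass@123"), unsalted_sha256("pass@123")))
```

With the unsalted form, one precomputed hash of "pass@123" matches every user who picked it, so a stolen table is cracked in bulk. With a per-record salt and a slow derivation, each record has to be attacked on its own and each guess costs the full iteration count, which is what makes the stolen database far less useful on the underground market the article describes.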

Furthermore, Checkpoint notes that the cybercriminals who hack websites and steal passwords are usually not the ones who use them; they are more likely to sell the stolen credentials instead. Depending on whether they unlock admin-level access to an organization, some of these can sell for as much as $120,000 each. 

"Combination lists," vast compilations of many databases of stolen email addresses and passwords, are used to aggregate stolen passwords, a large number of which have already been compromised. One report describes the largest combo list of usernames and passwords of all time, named RockYou2021, which contained over 8 billion unique sets of usernames and passwords, as of August 2016. 

Checkpoint states that these stolen credentials are used in credential-stuffing attacks against organizations: attackers take credentials retrieved from one site after a data breach and use them to log in to another site. Such attacks commonly involve large-scale automated login requests aimed at user accounts across banking, social media, and a variety of other online services. 

Staying safe is easy if you know what to do 

A simple way to keep your passwords safe is to never reuse them under any circumstances. A compromise of one account can easily lead to a compromise of another, which then leads to a chain of attacks. 

It is important to come up with creative word combinations, because special characters by themselves do not make a password secure if it is built on a common keyword. A password such as "pass@123" contains letters, numbers, and a symbol, yet according to the Indian Government it is the sixth most popular password in the top 100. Also, use two-factor authentication wherever possible to increase security.

Remove These Malicious Chrome Extensions With 1 Million Downloads

 


A browser extension can enhance your online experience in several ways: translations, conversions, spellchecking, shopping, and blocking popup ads are some of the services they can assist with. You can customize your browsing experience with these extensions and may even be able to alter the way websites are displayed. Several extensions are popular for Chrome; dark mode is one example.

It is imperative to remember that not all extensions are safe. By giving them access to information such as your personal data, you are giving them a lot of power. 

Although some extensions store this data for convenience, others use it to track you or launch a cyberattack against your computer. A malicious Chrome extension was recently reported to have been downloaded 1.4 million times since it first appeared.

Cybersecurity firm Guardio Labs reports a newly discovered malicious advertising campaign in which Chrome extensions are used to hijack web searches and embed affiliate links into other websites you visit.

The company's security researchers have dubbed this campaign "Dormant Colors", since all of the malicious extensions in question offer color customization options for Chrome. The extensions themselves do not contain malicious code when installed, which is how they were able to bypass Google's security checks and end up on the Chrome Web Store in the first place. 

Extensions for Google Chrome - Dormant Colors

Following a thorough investigation by Guardio, thirty different versions of these malicious browser extensions were found on both the Chrome and Edge web stores, with more than a million installations altogether. They have been removed from both web stores, as mentioned above, but just in case, here is a complete list of the extensions that were removed:

• Action Colors 
• Power Colors 
• Nino Colors 
• More Styles 
• Super Colors 
• Mix Colors 
• Mega Colors 
• Get colors 
• What color 
• Single Color 
• Colors scale 
• Style flex 
• Background Colors 
• More styles 
• Change Color 
• Dood Colors 
• Refresh color 
• Imginfo 
• WebPage Colors 
• Hex colors 
• Soft view 
• Border colors 
• Colors mode 
• Xer Colors 

Explanation of how to remove Chrome extensions manually 

The malicious extensions listed above have since been removed from the store, but you may need to remove them from your browser manually: click the three-dot menu at the top right-hand corner of Chrome, open 'More tools', and then open 'Extensions'.

Hijacking your browser to make money from ad clicks 

The cybercriminals behind this campaign use ads and redirects to trick unsuspecting users into installing their malicious extensions when they visit sites that offer to play videos or download files. 

On such sites, when you click the video or download link you are redirected to another site that requires you to add an extension before you can continue. Clicking either the 'OK' or the 'Continue' button prompts you to install a color-changing extension that initially seems harmless. 

The problem with these extensions is that, once installed, they redirect users to pages that side-load malicious scripts. These scripts tell the extensions how to hijack searches and on which sites affiliate links can be inserted to generate affiliate revenue. The creator of the extensions earns a lot of money from these advertisements, and the search data is sold to third parties for profit. 

The Dormant Colors extensions can also automatically redirect to the same page with affiliate links added to the URL, instead of sending users to an entirely different page. Whenever anyone makes a purchase on one of these sites, the developers of the extension receive a commission. 

Guardio, in a blog post, says the malicious extension campaign may spread further over the coming weeks. "As this campaign continues to run, it is shifting domains, generating a wide assortment of extensions, and re-inventing several color-and-style-changing functions you are sure to be able to do without."

It is also worth mentioning that the code injection technique analyzed here, together with the campaign's large infrastructure built for evasion and for sidestepping mitigation, could be reused for further malicious activity in the future. 

The most effective way to keep your browser from getting infected by malicious extensions 

The best time to make sure you have an effective antivirus solution installed on your laptop or PC is before you add anything to your browser, especially new extensions. That way you protect yourself against malware infection and against having your personal information stolen and misused. 

Additionally, when you install extensions, use only trusted sources such as the Chrome Web Store or the Microsoft Edge Add-ons store. Malicious extensions do slip through the cracks from time to time, but you are still safer installing browser extensions from an official store than from an arbitrary website.

Additionally, always ask yourself whether you really need an extension before downloading it. Do you need it, or do you merely want it? When an extension seems too good to be true, you can be certain it is, and it is not worth downloading. 

Regularly review the extensions installed in your browser and make sure they are still relevant. Delete any you no longer need, and keep an eye out for any new ones you did not knowingly add. Browser extensions can add all kinds of features and options that are not part of the browser's built-in functionality, which is why it pays to keep track of which ones are running. 

Attackers Abuse Facebook Ad Manager in Credential-Harvesting Campaign

Attackers are capitalising on the power of the Facebook brand by sending emails that appear to be from Facebook Ads Manager. The plan is to trick victims into providing their credentials and credit card information on a Facebook lead generation form. 

According to a report published on Tuesday by Avanan's security research team, attackers are sending phishing messages that seem to be urgent warnings from Meta's "Facebook AdManager" team. The messages claim that the victim is not following the company's ad policies and that the ad account will be terminated if the target does not appeal the fictitious violation. 

The "appeal form" link takes visitors to a credential-harvesting site that collects passwords and credit card information using a real Facebook lead-generation form.

An intriguing aspect of the campaign is that, rather than hosting a harvesting site on a suspect IP somewhere, the attackers exploit the Facebook ads system itself to create malicious lead-generation forms. This kills two birds with one stone. First, it deceives many of the automated checks for malicious links that email platforms rely on; the Avanan team calls this use of legitimate sites the Static Expressway.

Jeremy Fuchs, cybersecurity researcher for Avanan, explained in the report, "Hackers are leveraging sites that appear on static Allow Lists. That means that email security services have broadly decided that these sites are trustworthy, and thus anything related to them comes through to the inbox."

Furthermore, using Facebook Ads forms provides a high level of realism for any of Facebook's eight billion advertising users who are already familiar with the Ads Manager platform and the lead-generation forms it generates.

"For the end user, seeing that their Facebook ad account has been suspended is cause for concern," Fuchs said. "Since it’s a legitimate Facebook link, the user would feel confident continuing on."

While the sites used in this credential harvesting campaign appeared to be legitimate, Fuchs discovered a red flag in the phishing messages: These are typically sent from Outlook accounts such as pageguidelinesfacebook@outlook.com.

Furthermore, the physical address in the email footer is incorrect. Users who do not notice these details, however, could easily be duped by this hoax. According to research published earlier this year, brand impersonations like these, also known as brandjacking, rose by 274% last year as attackers continue to peddle their scams by appearing to come from trustworthy sources. Facebook is a popular platform for phishers to imitate. 
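As an added example (not Avanan's tooling or code from the page), this Python triage routine applies the red flags described above to a constructed message: a From address that names the brand but mails from a consumer webmail domain, combined with the urgent policy-violation wording, while deliberately not treating a facebook.com link as proof of legitimacy, since that is exactly what the Static Expressway exploits. The webmail and brand-domain lists are assumed illustrations.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed lists for illustration: consumer webmail providers a brand would not
# send official notices from, and the domains each brand legitimately mails from.
WEBMAIL_DOMAINS = {"outlook.com", "hotmail.com", "gmail.com", "yahoo.com"}
BRAND_DOMAINS = {"facebook": {"facebook.com", "facebookmail.com", "meta.com"}}
# Wording typical of the fake policy-violation notice described above.
URGENCY = re.compile(r"\b(suspend|terminat|violat|appeal|within \d+ hours?)\w*", re.I)

def sender_impersonation(from_header):
    """Return the brand named in the From display name or mailbox when the
    sending domain is a webmail provider or not one of the brand's own domains."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    local, domain = addr.lower().rsplit("@", 1)
    for brand, domains in BRAND_DOMAINS.items():
        named = brand in local or brand in name.lower()
        if named and (domain in WEBMAIL_DOMAINS or domain not in domains):
            return brand
    return None

def triage(raw_message):
    """Return the reasons a message looks like brand-impersonation phishing.
    A link on an allow-listed brand domain is NOT counted as evidence of
    legitimacy: this campaign hosts its form on facebook.com itself."""
    msg = message_from_string(raw_message)
    reasons = []
    brand = sender_impersonation(msg.get("From", ""))
    if brand:
        reasons.append(f"sender claims to be {brand} but mails from another domain")
    if len(URGENCY.findall(msg.get_payload())) >= 2:
        reasons.append("urgent policy-violation wording in body")
    return reasons

# Constructed sample message modelled on the lure (the form URL is a placeholder).
PHISH = """From: Facebook AdManager <pageguidelinesfacebook@outlook.com>
To: victim@example.test
Subject: Your ad account will be terminated

Your ad account violated our advertising policies and will be suspended.
Appeal within 24 hours: https://www.facebook.com/EXAMPLE-FORM-PLACEHOLDER
"""

if __name__ == "__main__":
    print("phish:", triage(PHISH))
```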

According to a Vade report released this spring, Facebook was the most impersonated brand last year, edging out perennial favourite Microsoft for the top spot. Email attacks increased by 48% in the first half of 2022, according to Abnormal Security research, with more than one in ten attacks impersonating well-known brands. So far in 2022, 256 individual brands have been impersonated, with LinkedIn and Microsoft appearing to be the favourites.