Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label data scam. Show all posts

Scammers Target Indian Users Posting Complaints on Social Media

 

The latest report from Cyble Research and Intelligence Labs (CRIL) revealed that scammers are targeting Indian residents who submit complaints on social media accounts belonging to various local firms.

Fraudsters keep an eye out on Twitter and other social media sites for customers asking for reimbursements for problems they may have had with services offered by businesses like the Indian Railway Catering and Tourism Corporation. 

Researchers claim that once fraudsters discover a victim's contact details, they would start a scam. 

"When users report complaints on social media, scammers take advantage of the opportunity to carry out phishing attacks by asking them to download malicious files to file their complaints and steal their funds from bank accounts," CRIL stated. 

Users of other popular Indian brands and organisations, including e-commerce platform Flipkart, payment service provider MobiKwik, budget airline Spicejet, and various banks, were targeted in addition to the IRCTC. 

In one case, after posting a complaint on the IRCTC's Twitter account, a user was contacted by someone impersonating an IRCTC customer service representative. While the user in this case refused to provide their information to the scammer, CRIL stated that fraudsters would use a variety of techniques to defraud victims.

Scammers, for example, may attempt to link a victim's mobile number or account via the Unified Payments Interface (UPI), send a Google form to collect sensitive information or forward a WhatsApp link to a malicious website.

"Scammers have been using Android malware in addition to other fraudulent tactics. They may send a phishing link that downloads a malicious APK file to infect the device, or they may send the malicious file via WhatsApp," the researchers added.

Fraudsters, according to the researchers, use malicious APK files with names like "IRCTC customer.apk," "online complaint.apk," or "complaint register.apk" to trick victims into revealing their banking credentials. 

They also want the victim's UPI details, credit/debit card information, and one-time passwords used for two-factor authentication. CRIL discovered one such phishing website that asked victims to enter basic information such as their name, mobile number, and complaint query before prompting them to enter sensitive banking information. It also requested the victim to install a malicious application that would allow it to steal incoming text messages from the infected device. 

According to CRIL, the scheme was perpetrated by "a group of financially motivated scammers" based in India. While it was first observed in late 2020, researchers say it has only recently begun targeting social media complaints to identify potential victims. 

"It is critical that users are aware of these scams and exercise caution when providing personal information or downloading files online," CRIL warned. 

Russia-linked APT29 Targets Diplomatic World Wide

 

Security intelligence from Mandiant has discovered a spear-phishing campaign, launched by the Russia-linked APT29 group, designed to victimize diplomats and government entities worldwide including European, the Americas, and Asia. 

The group is believed to be sponsored by the Russian Foreign Intelligence Service (SVR) and to have orchestrated the 2020 SolarWinds attack which hit hundreds of organizations. 

According to the data, the Russia-linked APT29 group popularly known as SVR, Cozy Bear, and The Dukes is active since at least 2014, along with the APT28 cyber threat group which was involved in the Democratic National Committee hack, the wave of attacks aimed at the 2016 US Presidential Elections and a November 2018 attempt to infiltrate DNC. 

The phishing emails have been masqueraded as official notices related to various embassies. Nation-state actors used Atlassian Trello, DropBox, and cloud services, as part of their command and control (C2) infrastructure. 

“APT29 targeted large lists of recipients that Mandiant suspected were primarily publicly-listed points of contact of embassy personnel. These phishing emails utilized a malicious HTML dropper tracked as ROOTSAW, which makes use of a technique known as HTML smuggling to deliver an IMG or ISO file to a victim system.” reads the analysis published by Mandiant. 

The threat actors used the HTML smuggling technique to deliver an IMG or ISO file to the targets. The ISO image contains a Windows shortcut file (LNK) that installs a malicious DLL file when it is clicked. When the attachment file opens, the ROOTSAW HTML dropper will write an IMG or ISO file to disk. Following the steps, once the DLL file is executed, the BEATDROP downloader is delivered and installed in memory. 

“BEATDROP is a downloader written in C that makes use of Trello for C2. Once executed, BEATDROP first maps its own copy of ntdll.dll into memory for the purpose of executing shellcode in its own process. BEATDROP first creates a suspended thread with RtlCreateUserThread which points to NtCreateFile...” 

 “…Following this, BEATDROP will enumerate the system for the username, computer name, and IP address. This information is used to create a victim ID, which is used by BEATDROP to store and retrieve victim payloads from its C2. Once the victim ID is created, BEATDROP will make an initial request to Trello to identify whether the current victim has already been compromised”, the report read.