Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label email security. Show all posts
Vulnerabilities
Cyber Security Digital Communication email security Malware Detection Vulnerabilities

Email Security Vulnerabilities: Shocking Gaps in Malware Detection

Email Security Vulnerabilities: Shocking Gaps in Malware Detection

In an era where digital communication dominates, email remains a fundamental tool for personal and professional correspondence. However, recent research by web browser security startup SquareX has exposed alarming vulnerabilities in email security. 

The study, titled “Security Bite: iCloud Mail, Gmail, Others Shockingly Bad at detecting malware, Study Finds,” highlights the shortcomings of popular email service providers in safeguarding users from malicious attachments.

The State of Email Security

1. The Persistent Threat of Malicious Attachments

  • Despite advancements in cybersecurity, email attachments continue to be a prime vector for malware distribution.
  • Malicious attachments can carry viruses, trojans, ransomware, and other harmful payloads.
  • Users often unknowingly open attachments, leading to compromised devices and data breaches.

2. The SquareX Study

Researchers collected 100 malicious document samples, categorized into four groups:

  • Original Malicious Documents from Malware Bazaar
  • Slightly Altered Malicious Documents from Malware Bazaar (with changes in metadata and file formats)
  • Malicious Documents modified using attack tools
  • Basic Macro-enabled Documents that execute programs on user devices

These samples were sent via Proton Mail to addresses on iCloud Mail, Gmail, Outlook, Yahoo! Mail, and AOL.

3. Shockingly Bad Detection Rates

The study’s findings were alarming:

  • iCloud Mail and Gmail failed to deliver any of the malicious samples. Their malware detection mechanisms worked effectively.
  • Outlook, Yahoo! Mail, and AOL delivered the samples, leaving users potentially exposed to threats.

Implications and Recommendations

1. User Awareness and Caution

  • Users must exercise caution when opening email attachments, even from seemingly legitimate sources.
  • Educate users about the risks associated with opening attachments, especially those from unknown senders.

2. Email Providers Must Step Up

  • Email service providers need to prioritize malware detection.
  • Regularly update and enhance their security protocols to prevent malicious attachments from reaching users’ inboxes.
  • Collaborate with cybersecurity experts to stay ahead of evolving threats.

3. Multi-Layered Defense

Implement multi-layered security measures:

  • Attachment Scanning: Providers should scan attachments for malware before delivery.
  • Behavioral Analysis: Monitor user behavior to detect suspicious patterns.
  • User Training: Educate users about phishing and safe email practices.

4. Transparency and Reporting

  • Email providers should transparently report their detection rates and improvements.
  • Users deserve to know how well their chosen service protects them.

What next?

Always think before you click. The SquareX study serves as a wake-up call for email service providers. As the digital landscape evolves, robust email security is non-negotiable. Let’s bridge the gaps, protect users, and ensure that our inboxes remain safe havens rather than gateways for malware.
Read more »
Proofprint
Black Basta Ransomware Cyber Attacks CyberCrime Data Theft Email Phishing Email scam email security Hacekrs NTLM Proofprint

New Email Scam Targets NTLM Hashes in Covert Data Theft Operation

 


TA577 has been identified as a notorious threat actor who orchestrated a sophisticated phishing campaign, according to researchers at security firm Proofpoint. Currently, the group is utilizing a new method of phishing involving ZIP archive attachments. This tactic is geared towards pilfering the hash data of NT LAN Manager (NTLM) users.

According to our investigation, this group is utilizing a chain of attacks aimed at stealing authentication information from the NT LAN Manager (NTLM) system. It would be possible to exploit this method for obtaining sensitive data and facilitating further malicious activity if this method were to be exploited. 

By using booby-trapped email attachments containing booby-trapped NTLM hashes to steal employees' NTLM hashes, a threat actor that is known for establishing initial access to organizations' computer systems and networks is using these attachments to steal employees’ hashes. Earlier this week, enterprise security firm Proofpoint published a report that suggested that the new attack chain "is capable of gathering sensitive information and facilitating follow-on activities." 

As reported by the company, at least two phishing campaigns have utilized this approach since February 26, 2024, when thousands of messages were distributed worldwide and hundreds of organizations were targeted. As an initial access broker (IAB), TA577 has previously been associated with Qbot and has been linked to Black Basta ransomware infections. 

The phishing waves spread thousands of messages around the world and targeted hundreds of organizations. The email security company Proofpoint reported today that although it has seen TA577 favouring Pikabot deployment in recent months, two recent attacks indicate that TA577 has taken a different approach to the attack. 

A group called TA578, which has been linked with the Qbot malware campaign and the Black Basta ransomware campaign, is one of the first access brokers. Recently, it has demonstrated an increasing interest in exploiting authentication protocols despite its previous inclination toward deploying Pikabot malware. 

NTLM hashes are a cornerstone of the security of Windows systems for authentication and session management. Attackers are extremely interested in these hashes as they are potentially useful in offline password cracking and in pass-the-hash attacks, which do not require actual passwords to gain access to services but instead use hashes as shortcuts. 

A technique known as thread hijacking, by which the attackers craft phishing emails that seem like legitimate follow-up emails to ongoing conversations, is used by the attackers. There is a malicious external server that is used to capture NTLM hashes, as these emails contain personalized ZIP files with HTML documents. When opened, these malicious servers start connecting to a malicious external server that has been set up specifically to capture these hashes. 

TA577 likely has the resources, time, and experience to iterate and test new delivery methods at the rate at which it adopts and distributes new tactics, techniques, and procedures (TTPs). TA577, along with other IABs, seems to be on top of the threat landscape and understands when and why certain attack chains cease to be effective. 

To increase the effectiveness and likelihood of victim engagement with their payload delivery and bypass detections, they will be able to create new methods to bypass detections and make use of them as quickly as possible. Researchers at Proofpoint have also noticed an increase in the use of file scheme URIs to direct recipients to external file shares such as SMB and WebDAV for the delivery of malware. To prevent exploits identified in this campaign, organizations should block outbound SMBs to prevent these sophisticated attacks. 

While restricting guest access to SMB servers is a simple security measure, it falls short of preventing these sophisticated attacks. The company advises that strict email filtering be implemented, outbound SMB connections should not be allowed, and Windows group policies should be activated to minimize the risk. 

To combat these types of NTLM-based threats effectively, Microsoft has introduced advanced security features into Windows 11 to help users. It is important to maintain constant vigilance and take strong security measures to prevent phishing attacks targeting the NTLM authentication protocol. For organizations to remain safe from sophisticated cybercriminal endeavours, they must stay abreast of emerging threats and adjust their defences to keep up with the rapidly evolving threats.
Read more »
US Department of Defense
Cybersecurity Data Breach email security US Department of Defense

Defense Department Notifies 20,000 People of Data Breach Due to Email Leak

 


It has surfaced that the U.S. Department of Defense (DOD) has reached out to around 20,600 individuals to inform them about a data breach that took place last year. The breach, disclosed in a letter sent on February 1, 2024, brings to light an unintentional exposure of multiple email messages by the Defense Intelligence Agency, the DOD's military intelligence branch. This incident occurred between February 3 and February 20, 2023, and has raised concerns about the security of personal information.

This breach was traced back to an unsecured U.S. government cloud email server hosted on Microsoft's cloud service for government clients. The server, due to a misconfiguration, was accessible without a password, potentially putting sensitive information at risk. The compromised server contained around three terabytes of internal military emails, including data related to U.S. Special Operations Command (SOCOM) and personnel information.

The breach was first identified by security researcher Anurag Sen, who discovered the exposed data online. After seeking assistance from TechCrunch, the information was reported to SOCOM on February 19, leading to the server's securement on February 20. The DOD is now in the process of notifying affected individuals about the incident.

According to DOD spokesperson Cdr. Tim Gorman, the affected server was promptly removed from public access, and the service provider resolved the issues that led to the exposure. The DOD continues to collaborate with the service provider to enhance cyber event prevention and detection. However, it remains unclear why the DOD took a year to investigate the incident and notify those affected.

The exposed emails were accessible using only a web browser and included sensitive, unclassified information such as questionnaires from prospective federal employees seeking security clearances. Microsoft, the cloud service provider, has not yet responded to requests for comment on the matter.

In the aftermath of the breach, it's crucial for individuals to remain vigilant and take necessary precautions to protect their personal information. The incident underscores the importance of cybersecurity measures and highlights potential risks associated with misconfigurations in cloud services.

As the DOD strives to improve its cybersecurity protocols, ongoing communication with affected individuals and transparency about the incident are paramount. Readers are encouraged to stay informed about cybersecurity best practices and be cautious with online data to mitigate potential risks in an increasingly interconnected digital world.


Read more »
strong passwords
Anti-Malware Credit Cards Cyber Monday scams Cyber Security debit cards email security Multi-factor authentication Online Scams spoofed domains strong passwords

Cyber Monday Scams: Stay Vigilant and Protect Yourself from These Sneaky Tricks

 

With the shopping holiday of Cyber Monday just around the corner, Brits are being urged to exercise heightened caution against online scams. The prevalence of online scams has surged in recent years, and scammers have become increasingly adept at defrauding unsuspecting shoppers.

On Friday, Felicity Oswald, the chief of the National Cybersecurity Center (NCSC), cautioned that cybercriminals will be out in full force, intent on "scamming people out of their hard-earned cash."

"The growing availability and capability of technology like large language models is making scams more convincing," she explained.

According to the NCSC, shoppers lost over £10 million to online scams during the festive period last year, which included Black Friday and Cyber Monday. City A.M. spoke to Oz Alashe MBE, a cybersecurity expert and CEO of CybSafe, who shared his top tips for staying safe from online scams during the shopping weekend.

"Cyber Monday is not just a time for bargain hunters; it's also a breeding ground for criminals to prey on financial information and sensitive data," he remarked.

"People need to be equipped with the knowledge and understanding to identify these threats before they cause harm. A crucial aspect of this lies in adopting secure behaviors and implementing effective cyber hygiene practices to safeguard consumers, their friends, and their families."

Here are five of the most common online scams to watch out for:

1. Malicious emails and texts

Cybercriminals exploit major shopping events to bombard people with emails and text messages promoting deals and discounts. When you receive such messages, scrutinize the sender's address. Does it appear legitimate? Only click on links if you are absolutely certain of their authenticity. If not, delete them immediately!

2. Spoofed domains

Criminals create replica websites of legitimate brands to trick shoppers into divulging their financial information.

Always double-check the URL of the websites you visit, and exercise caution with links received via email, text, or social media promotions. If you have doubts, search for the brand online to verify if the advertised deals are available on their official website.

3. Prioritize credit cards over debit cards for purchases

Credit cards offer better fraud protection if your information is compromised, making them a valuable tool against online scams.

If you discover unauthorized charges on your credit card, you should be reimbursed for the entire amount spent, provided you notify your provider promptly.

4. Check return policies and read reviews before purchasing from unfamiliar sites

Scam websites often lack return policies or impose strict return windows. Investigate whether there are reviews mentioning fraud or counterfeit products. If something seems suspicious, trust your instincts and avoid the site.

5. Empower yourself to combat online scams

Educate yourself about the tactics employed by cybercriminals, and then consider how you can enhance your security.

Enable multi-factor authentication on online accounts that offer the service. Create strong, unique passwords. Employ anti-malware and email security solutions, and always maintain backups of your critical data. These practices will significantly strengthen your online security.
Read more »
Sensitive data
Compliance Cyber Essentials scheme Data Breach Data protection Electoral Commission email security government-backed schemes Hackers Information Security IT audit IT Security IT Systems Sensitive data

Electoral Commission Fails Cyber-Security Test Amidst Major Data Breach

 

The Electoral Commission has acknowledged its failure in a fundamental cyber-security assessment, which coincided with a breach by hackers gaining unauthorized access to the organization's systems. 

A whistleblower disclosed that the Commission received an automatic failure during a Cyber Essentials audit. Last month, it was revealed that "hostile actors" had infiltrated the Commission's emails, potentially compromising the data of 40 million voters.

According to a Commission spokesperson, the organization has not yet managed to pass this basic security test. In August of 2021, the election watchdog disclosed that hackers had infiltrated their IT systems, maintaining access to sensitive information until their detection and removal in October 2022. 

The unidentified attackers gained access to Electoral Commission email correspondence and potentially viewed databases containing the names and addresses of 40 million registered voters, including millions not on public registers.

The identity of the intruders and the method of breach have not yet been disclosed. However, it has now been revealed by a whistleblower that in the same month as the intrusion, the Commission received notification from cyber-security auditors that it was not in compliance with the government-backed Cyber Essentials scheme. 

Although participation in Cyber Essentials is voluntary, it is widely adopted by organizations to demonstrate their commitment to security to customers. For organizations bidding on contracts involving sensitive information, the government mandates holding an up-to-date Cyber Essentials certificate. In 2021, the Commission faced multiple deficiencies in their attempts to obtain certification. 

A Commission spokesperson acknowledged these shortcomings but asserted they were unrelated to the cyber-attack affecting email servers.

One of the contributing factors to the failed test was the operation of around 200 staff laptops with outdated and potentially vulnerable software. The Commission was advised to update its Windows 10 Enterprise operating system, which had become outdated for security updates months earlier. 

Auditors also cited the use of old, unsupported iPhones by staff for security updates as a reason for the failure. The National Cyber Security Centre (NCSC), an advocate for the Cyber Essentials scheme, advises all organizations to keep software up to date to prevent exploitation of known vulnerabilities by hackers.

Cyber-security consultant Daniel Card, who has assisted numerous organizations in achieving Cyber Essentials compliance, stated that it is premature to determine whether the identified failures in the audit facilitated the hackers' entry. 

He noted that initial signs suggest the hackers found an alternative method to access the email servers, but there is a possibility that these inadequately secured devices were part of the attack chain.

Regardless of whether these vulnerabilities played a role, Card emphasized that they indicate a broader issue of weak security posture and likely governance failures. The NCSC emphasizes the significance of Cyber Essentials certification, noting that vulnerability to basic attacks can make an organization a target for more sophisticated cyber-criminals.

The UK's Information Commissioner's Office, which holds both Cyber Essentials and Cyber Essentials Plus certifications, stated it is urgently investigating the cyber-attack. When the breach was disclosed, the Electoral Commission mentioned that data from the complete electoral register was largely public. 

However, less than half of the data on the open register, which can be purchased, is publicly available. Therefore, the hackers potentially accessed data of tens of millions who had opted out of the public list.

The Electoral Commission confirmed that it did not apply for Cyber Essentials in 2022 and asserted its commitment to ongoing improvements in cyber-security, drawing on the expertise of the National Cyber Security Centre, as is common practice among public bodies.
Read more »
Phishing Attacks
Cyber Security Email Attacks Email Breach email security Firefox Malicious actor Phishing Attacks

Firefox Browser Enhances Email Security with New Built-in Tools

Mozilla Firefox, a well-known web browser, has significantly improved the protection of users' email addresses in an age where internet privacy and security have elevated worries. The addition of additional built-in technologies has made Firefox even more capable of protecting your online identity.

The latest feature, known as 'Email Masks,' is designed to keep your email address safe from prying eyes and potential phishing attacks. This innovation has been widely welcomed by the online community and security experts alike.

Email Masks work by allowing users to generate a unique and temporary email address, often referred to as an alias or a mask. Instead of using your primary email address for online services, you can create a disposable one within Firefox. This means that even if a website you've registered with gets hacked or sells your data, your actual email address remains hidden and secure.

To use this feature, simply right-click on the email field when signing up for a new service or website, and Firefox will offer the option to generate an Email Mask. You can then choose an alias that suits the purpose, and all emails sent to this alias will be forwarded to your primary inbox.

What makes Email Masks even more impressive is their flexibility. You can easily disable or delete a mask if you no longer wish to receive emails from a particular source. This ensures that you have complete control over your digital identity and who can reach your primary email address.

Furthermore, Firefox has integrated its popular Relay service into the browser. Firefox Relay helps you manage these Email Masks efficiently and provides an additional layer of security by forwarding only the legitimate emails while filtering out spam and potential threats.

This move aligns with Mozilla's commitment to prioritizing user privacy and security. By offering these tools natively within the browser, Firefox makes it more convenient for users to protect themselves against phishing attempts and data breaches.

The strategies used by cybercriminals change as the internet does. These new features highlight Mozilla's pro-active approach to user protection and show their commitment to staying ahead of these dangers.

Read more »
User Security
Cyber Security email security Internet Remote Security User Security

Safeguarding Your Digital Life: Navigating the Evolving Landscape of Cybersecurity

digital security

In today's interconnected world, the Internet has become an indispensable resource, particularly for the younger generation. Gone are the days of flipping through encyclopedias or visiting travel agencies to book flights or hotels.

The Internet has revolutionized the way we accomplish tasks, offering unprecedented convenience and opportunities, such as remote work and instant mobile transactions. However, this rapid evolution also brings forth numerous threats from cybercriminals. As we dive deeper into the digital age, it becomes increasingly crucial to address these dangers and fortify our digital security.

The Growing Cybersecurity Landscape

The realm of cybercrime has evolved significantly since the days of floppy disk viruses and the 1988 Morris worm, which infected the early Internet. Today, cyberattacks have escalated by 38% in 2022 compared to the previous year, averaging 1,168 attacks per week per organization, as highlighted in the 2023 Security Report from Check Point Software Technologies Ltd.

This concerning trend is expected to worsen in the coming years, necessitating our preparedness to combat these threats effectively.

1. Neglecting Passwords

One of the most common yet detrimental mistakes we make is recycling passwords across various accounts. We often use the same password for both personal and work-related emails, compromising sensitive data.

Sharing passwords, such as those for streaming services or online platforms, further exacerbates the problem. Millions of users fall victim to account breaches each year due to poor password management. To mitigate these risks, it is essential to create robust passwords with a minimum of 12 characters, including a combination of uppercase and lowercase letters, numbers, and special characters.

Regularly updating passwords and avoiding reuse across multiple accounts or platforms is highly recommended.

2. Update, Update, Update

Frequent software and device updates are crucial for enhancing usability and addressing potential vulnerabilities. However, we often delay or disregard these updates, considering them inconvenient or time-consuming.

Unknown to us, postponing updates unknowingly leaves us susceptible to cyberattacks. By regularly updating our devices, we can preemptively safeguard against many potential vulnerabilities.

3. Falling Prey to Disinformation

While data theft remains a prevalent focus of cyberattacks, recent trends reveal an uptick in hacktivist practices and state-sponsored threats. These practices often involve spreading disinformation through fake news or biased messages designed to incite discord.

To counteract this, it is advisable to gather information from multiple sources and verify news or chain messages before blindly disseminating them. The common sense remains one of the cornerstones of internet security.

4. Using Free Wireless Networks

To conserve personal data usage, it has become commonplace to connect to public Wi-Fi networks in restaurants, airports, hotels, and other public spaces. However, security researchers have repeatedly demonstrated the lack of security in such networks.

It is best to avoid connecting to unknown networks. If necessary, limit usage to basic browsing and refrain from entering passwords or using sensitive applications like banking or payment platforms.

5. Reviewing Privacy Policies and Permissions

How often do we truly read the terms and conditions of data usage? The lengthy and complex nature of these texts often leads us to accept all terms without scrutiny. While this expedites our access to applications, it can pose significant security risks and compromise our data.

Cybercriminals may exploit popular applications to distribute malicious code, while unscrupulous developers may include hidden clauses for unauthorized data collection, storage, or trading. Taking a few minutes to review permissions and conditions before installing a program can help prevent deception or exposure of personal information.

6. Browsing and Trusting Unsafe Websites

Identifying fraudulent websites can be done by looking for subtle errors like typos, poorly written text, or low-quality images. However, the most effective method involves scrutinizing the website's URL.

Look for security indicators such as SSL certificates, denoted by a padlock icon next to the web address. Additionally, remain vigilant for irregular characters or subdomains that may signify potential risks.

While the Internet remains a relatively young tool, we have accumulated substantial experience to protect ourselves from cyber attackers. Education and common sense remain pivotal in creating a secure digital space for everyone.


Read more »
User Security
BIMI Data Leak Privacy Data Safety email security Mobile Security Security Bug User Security

Security Expert's Tweet Prompts Significant Modification to Google Email Authentication

 

Google stated last month that Gmail users would start noticing blue tick marks next to brand logos for senders taking part in the program's Brand Indicators for Message Identification. BIMI and its blue tick mark were intended to take a stand against email impersonation and phishing by giving clients further assurance that branded senders are who they say they are.

Less than a month after the launch of BIMI, scammers managed to get beyond its security measures and successfully impersonate companies, sending emails to Google users that claimed to be from the logistics firm UPS. 

Now Google claims that it is tightening its BIMI verification procedure and is blaming an unknown "third-party" for enabling the usage of its services in ways that evaded its security protections and sent faked messages to inboxes. The eye-watering intricacy of the contemporary email environment is demonstrated by the fact that experts claim email providers, including Microsoft, may still be facilitating this kind of behaviour and are not doing enough to solve it. 

Security researchers argue that the way BIMI is being used makes it possible for bad actors to use the system to more effectively spoof well-known businesses, increasing the likelihood that end users may click on a malicious link or open a dubious attachment as part of a phishing assault. 

 
According to the 2023 Verizon Data Breach Investigations Report, phishing accounts for about half of all social engineering attacks and causes tens of millions of dollars in losses each year. A number of protocols, including SPF, DKIM, and others, have been implemented over time to solve email sender verification, but these protocols are insufficient answers that deal with diverse facets of a complicated issue.

By displaying in Gmail the "validated logos" of participating brands and "increasing confidence in the source of emails for recipients," BIMI was developed by an industry working group in 2018 and first adopted by Google in July 2021. The company stated this in its roll-out. The concept was that by requiring the DMARC, SPF, or DKIM email authentication standards, BIMI would provide brand senders an extra level of recognition and confidence. 

It's not surprising that scammers are targeting BIMI, according to Alex Liu, a cybersecurity expert and PhD candidate at the University of California, San Diego, who has investigated the flaws in email verification systems. According to Liu, historically, con artists have been the first to adopt new protocols. She added that it is now the responsibility of companies like Microsoft to secure their mail servers and make sure that BIMI isn't misused.

The controversy over how BIMI is being implemented started with a series of tweets from Chris Plummer, a cybersecurity expert from New Hampshire, who called Google's BIMI implementation potentially "catastrophic" and warned that it could increase the likelihood that users will act on the contents of a message that has been incorrectly verified.

“It was clear in the headers of the message I received that there was some obvious subversion, and Google was not looking far enough back in the delivery chain to see that,” Plummer stated. 

In a study released earlier this year, Liu and a group of co-authors described how mechanisms designed to stop the spoofing of sender domains struggle when confronted with emails that have been forwarded, a technique frequently used by major organisations that rely on BIMI to send bulk emails. 

Plummer discovered the BIMI vulnerability after receiving an email appearing to be from UPS in his Gmail inbox. Something didn't feel right, he told a local news source, and Plummer confirmed that the email was not from UPS. On May 31, he filed a bug complaint with Google, but the firm "lazily" closed it as "won't fix - intended behaviour," Plummer tweeted. "How is a scammer impersonating @UPS in such a convincing way 'intended,'" Plummer wrote in the tweet, which has since been viewed almost 155,000 times.

“The sender found a way to dupe @gmail’s authoritative stamp of approval, which end users are going to trust,” Plummer explained in a subsequent tweet. “This message went from a Facebook account, to a UK netblock, to O365, to me. Nothing about this is legit. Google just doesn’t want to deal with this report honestly.”

The next day, after Plummer filed an appeal, Google switched direction and informed him that it was reviewing his report again. "Thank you so much for pressing on for us to take a closer look at this!" a company wrote in a note, designating the bug a "P1" priority. 

“This issue stems from a third-party security vulnerability allowing bad actors to appear more trustworthy than they are,” a Google spokesperson told CyberScoop, a cybersecurity news portal, in an email Monday. “To keep users safe, we are requiring senders to use the more robust DomainKeys Identified Mail (DKIM) authentication standard to qualify for Brand Indicators for Message Identification (blue checkmark) status.” 

According to a Google representative, the DKIM requirement should be fully implemented by the end of the week. This is a change from the previous policy, which demanded either DKIM or a different standard called the Sender Policy Framework. Both of these standards are used by email providers, among other things, to determine whether incoming email is likely to be spam and to theoretically authenticate that a sender is who they claim to be. Google appreciates Plummer's efforts to draw their notice to the issue, the spokeswoman continued. 

Jonathan Rudenberg, a security researcher, reproduced the BIMI problem using Microsoft 365 by sending counterfeit emails from a Microsoft email system to a Gmail account after Plummer first brought it to their attention on Twitter. Rudenberg then filed a bug report with Microsoft. 

Microsoft, meanwhile, maintains that it is Google's obligation to resolve the issue, not its own. In response to Rudenberg's bug report, Microsoft's Security Response Centre informed Rudenberg that the problem did not pose an immediate threat that requires urgent attention and that the "burden" of guaranteeing security rests with the end-user's email provider, in this case, Google.
Read more »
Youtube
Cybersecurity email security online threats Phishing scam Youtube

Don't Get Hooked: How Scammers are Reeling in YouTube Users with Authentic Email Phishing

YouTube phishing scam

Are you a YouTube user? Beware of a new phishing scam that has been making rounds lately! In recent times, YouTube users have been targeted by a new phishing scam. The scammers use an authentic email address from YouTube, which makes it difficult to differentiate between a genuine email and a fraudulent one. 

What is a phishing scam?

Phishing scams are fraudulent attempts to obtain sensitive information, such as usernames, passwords, and credit card details, by disguising themselves as trustworthy entity in electronic communication. Typically, scammers use social engineering techniques to trick users into clicking on a malicious link or downloading malware.

What is the new YouTube phishing scam?

The new YouTube phishing scam involves the use of an authentic email address from YouTube. The email appears to be from YouTube's support team, and it informs the user that their channel is at risk of being deleted due to a copyright infringement violation. 

The email contains a link to a website where the user is asked to enter their YouTube login credentials. Once the user enters their login credentials, the scammers can access the user's account and potentially steal sensitive information or perform unauthorized actions.

How to identify the new YouTube phishing scam?

The new YouTube phishing scam is difficult to identify because the email address used by the scammers appears to be genuine. However, there are a few signs that you can look out for to identify the scam:

  • Check the sender's email address: Even though the email address appears to be genuine, you should always check the sender's email address carefully. In most cases, scammers use a similar email address to the genuine one but with a few minor differences.
  • Check the content of the email: The new YouTube phishing scam typically informs the user that their channel is at risk of being deleted due to a copyright infringement violation. However, if you have not received any copyright infringement notice, then you should be cautious.
  • Check the link in the email: Always check the link in the email before clicking on it. Hover your mouse over the link and check if the URL is genuine. If you are unsure, do not click on the link.

How to protect yourself from the new YouTube phishing scam?

To protect yourself from the new YouTube phishing scam, follow these tips:

  • Enable two-factor authentication: Two-factor authentication adds an extra layer of security to your account. Even if the scammers obtain your login credentials, they will not be able to access your account without the second factor of authentication.
  • Do not share your login credentials: Never share your login credentials with anyone, even if the email appears to be from a genuine source.
  • Report suspicious emails: If you receive a suspicious email, report it to YouTube immediately. This will help to prevent other users from falling victim to the scam.
  • Keep your software up to date: Keep your operating system and software up to date to ensure that you have the latest security patches and updates.

Stay cautious

The new phishing scam using an authentic email address is a serious threat to YouTube users. However, by following the tips mentioned in this blog, you can protect yourself from falling victim to the scam. Always be vigilant and cautious when dealing with emails that request sensitive information. Remember, if you are unsure, do not click on the link.


Read more »
User Security
email security Mobile Security Phishing Scams Pretexting Attack User Privacy User Security

What is a Pretexting Attack, and How can you Avoid it?

 

Pretexting is one of the most prevalent methods employed by cybercriminals, despite the fact that you may not frequently hear the phrase. 

The strategy is crucial to phishing fraud. These attacks, in which malicious messages are conveyed to unsuspecting victims, are a widespread hazard. Phishing accounts for 90% of all data breaches, according to CISCO's 2021 Cybersecurity Threat Report. 

What exactly is a pretexting attack? 

The underlying framework of social engineering tactics is pretexting. Meanwhile, social engineering is the process through which fraudsters persuade people into undertaking specific acts. 

In the context of information security, this typically takes the form of phishing scams, which are messages from a purportedly legitimate sender asking the receiver to download an attachment or click a link that brings them to a fraudulent website. 

Social engineering can also be used to induce various types of data breaches. A fraudster, for example, might access an organization's grounds posing as a delivery person, and then slip into a secure area of the property. 

All of these social engineering techniques have one thing in common: the attacker's request appears to be legitimate. In other words, they have the pretext to contact people - therefore 'pretexting'. Because gaining the victim's confidence is vital to the attack's success, the attacker will conduct research on their target and fabricate a plausible narrative to increase their credibility. 

Modus operandi 

In pretexting scams, the fraudster establishes a relationship with the victim in order to earn their trust.

Consider the following scenario: your company's financial assistant receives a phone call from someone pretending to be from a current supplier. The finance assistant delivers all the details the caller requires after a series of phone calls in which the caller describes the need to verify financial information as part of a new process. 

In this case, the caller developed a friendship with the victim and used a convincing tale to deceive the target into disclosing the information. 

In other instances, building the target's confidence over time is unnecessary. This is frequently the case if the attacker has compromised or is spoofing a senior employee's account. The prospect of an urgent message from a director is frequently sufficient to ensure that the employee complies with the request. 

Prevention tips 

Avoiding interactions with messages from unknown or dubious senders is the most efficient strategy to protect yourself and your organization from scammers. 

The goal of scammers is to deceive individuals into clicking on links or downloading contaminated attachments. Any communication requesting you to do one of these things should be approached with extreme caution. 

If you're ever unsure whether a message is real, seek secure ways to confirm it. If you receive a request from an employee, for example, speak with them in person, by phone, or over an instant messaging application. Although you may be hesitant to do this for a senior employee, especially if their message indicates that the request is urgent or that they will be in meetings all day, it is better to be safe than sorry. 

Your organization's information security policy should include instructions similar to this to ensure that you are adhering to best practices. This guidance should be reinforced in any information security worker awareness training you receive.
Read more »
spying
Cyber Security Data Safety data security Email Safety Email scam email security Email Tracking Pixels Online Privacy Spy Pixels spying

How these Invisible Images Enable Companies Eavesdrop on your Email — Here’s all you need to know

 

The emails are eavesdropping on you. Most of the billions of emails that arrive in our inboxes every day contain hidden trackers that can tell the recipient when you open them, where you open them, how many times you've read them, and much more — a privacy nightmare that many call "endemic." Fortunately, you can take measures to safeguard yourself and your inbox. 

Advertisers and marketing firms, in particular, embed tracking pixels in their promotional emails to keep track of their mass campaigns. Senders can learn which subject lines are the most "clickable," and which of their targets are potential customers, based on how people interact with them.

Though this is beneficial from an analytics standpoint, it is frequently done covertly and without consent.  There is a simple way to disable email tracking. Continue reading to learn more about these troublesome little pixels and how to get rid of them.
 
Email tracking pixels:

The email tracking pixel is a surprisingly simple concept that allows anyone to secretly collect a plethora of information about you as soon as you interact with their messages.

When someone wants to know if you read their email, they insert a tiny 1 pixel by 1 pixel image into it. When you open the email, it sends a ping to the server where the image is stored and records your interaction. The sender can tell your location by checking where that network ping was launched and what type of device was used, in addition to whether or not you clicked their email and how many times you clicked it.

There are two possible explanations for why you never notice that tracking graphic. For starters, it's insignificant. Second, it's in GIF or PNG format, enabling the company to keep it transparent and invisible to the naked eye. A sender will frequently conceal this in their signature. As a result, that fancy font or flashing company logo at the bottom of a commercial email may be more than just a cosmetic presence.

More importantly, studies have revealed that by pairing your location and device specifications, advertisers and other malicious actors can link your email activities with your browser cookies. This opens a can of worms because it allows them to identify you wherever you go online and connect your email address.

Most email clients, including Gmail and Outlook, do not have this feature built-in, but you can use third-party tools. It's recommended to use the Chrome and Firefox extensions Ugly Email for Gmail. It places an "eyeball" icon next to emails containing tracking pixels and prevents them from spying on you. If you use Yahoo or Outlook, you can also use Trocker, which marks emails with trackers on their websites.

These extensions, however, are only available on your computers. You'll need to subscribe to a premium email client like HEY to detect email trackers on your phone.

How to block email tracking pixels?

Email trackers are easy to detect because they rely on hidden media attachments. The simplest method is to simply disable image loading in your email apps by default and only do it manually for emails you trust or when there is an attachment to download.

1. Adjust your existing inbox: On Gmail, the option to block external images is available under Settings > Images > Ask Before Displaying External Images on the web and mobile apps. On Outlook apps, it’s found under Options > Block External Images on mobile and Options > Trust Center > Automatic Download on desktop.

Though Apple Mail also lets you accomplish this from Preferences > Viewing > Load remote content in messages, you can directly block trackers on it as long as you’re on macOS Monterey. Head over to Mail > Preferences > Privacy and check the “Protect Mail Activity” box. 

2. Get yourself a private relay email address: The issue with the methods discussed previously is that they only block tracking pixels after the email has already arrived in your inbox — they don't remove them entirely. To ensure that you never open an email containing trackers by accident, you'll need a proxy address that scans your messages and eliminates any malware before they show up in your inbox.

Another advantage is that you can keep your personal email address private and only provide a relay ID to websites, newsletters, and other services. There are numerous free services that provide a proxy email address. 

Email Protection from DuckDuckGo is recommended. It allows you to create a new custom relay address, which secures your mail before forwarding it to your personal inbox by booting the trackers and encrypting any unsecured links in the body. DuckDuckGo adds a small section at the top of forwarded emails that tells you whether it found any trackers in it and, if so, which companies were responsible for it.

To sign up for the DuckDuckGo app on an Android or iPhone, go to Settings > Email Protection. You can get started on a desktop with the DuckDuckGo browser extension or its Mac browser.


Read more »
User Privacy
Cyber Security Email Fraud email security Phishing email User Privacy

Five Important Tips for Keeping Your Email Safe

 

Whether it’s on our smartphones or desktops – we can’t really function today without scanning our emails on a daily basis. However, we often undermine the hacker's abilities and think we're immune to scams. take the privacy and security of our inboxes and emails for granted. 

Email scam is often the easiest way for malicious hackers to trick individuals into giving personal and private data. According to the FBI, email frauds are the most expensive type of cybercrime, costing American billions of dollars in losses. 

According to Google Safe Browsing, there are now nearly 75 times as many phishing sites as there are malware sites on the internet. Interestingly, 20% of all employees are likely to click on phishing email links, and, of those, a whopping 68 percent go on to enter their credentials on a phishing website. 

So how can we mitigate this and safeguard our emails? Here are 5 simple steps that can assist in protecting your email account and steer clear of threat actors. 

1. Apply a strong and unique password 

This one may seem cliche, but never employ a password that contains your name, date of birth, user name, email address, or any other piece of information that can be easily accessed by hackers. Your password needs to be six characters or longer. Employ different passwords for each of your accounts, never the same one. 

You can store all your passwords in multiple ways, including on a piece of paper, hard drive, password manager, or otherwise. If you're using a password manager app, keep in mind that these can be prone to hacks, as they rely on internet connections and software programs to store your data, both of which can be abused by hackers. 

2. Post minimal personal information on social media 

Recognize the privacy settings you have. Always scan the default privacy settings before posting anything on a social media platform. The default privacy settings on multiple social media platforms are often lenient and may permit the sharing of information with a big online community. A social networking platform’s settings should be adjusted before sharing any content there. 

3. Employ a spam filter 

Spam filters help you keep spam emails from your inbox or flag spam emails so that you are aware of them. Relying on the software and configuration, some spam filters can automatically eliminate junk emails and thwart web bugs that track your activity and system information. 

4. Block Suspicious Addresses 

While some scammers may only try to contact you once or twice, others will make repeated attempts at getting in touch. This is why you should block email addresses that you have confirmed to be dangerous. It's usually pretty quick and easy to block an email address, but the process may differ slightly depending on the provider you're using. It can usually be done by highlighting a specific email and choosing the Block option, or by going into your email account settings. 

5. Use Antivirus Software 

It is highly recommended that you install and maintain good and well-respected antivirus software on your desktop, smartphone, or tablet to mitigate infection. Search all email attachments with an antivirus program before downloading them, even if they come from someone you know.
Read more »
RFP
Cyber Attacks email security HIPS IT Ministry NIC RFP

Increasing Cyber Attacks Prompt the IT Ministry to Beef Up the E-mail Security

 


A new report released by the Ministry of Electronics and Information Technology (MeitY) has suggested that the ministry is looking into strengthening the security of its email system in light of the increasing number of cyberattacks.

NIC has issued a Request for Proposals (RFP) to select a system integrator to maintain the existing email setup, add additional security framework support, and integrate an additional infrastructure into the existing setup. The government is seeking to select a system integrator that will be able to perform these tasks.

There is a Network Information Centre (NIC), under the jurisdiction of MeitY, which meets the government's information and communication technology (ICT) requirements at all levels, designs and develops IT systems for the government, and so forth.

"With the rapid adoption of emerging technologies, here comes a new generation of cyberattacks that are complex and targeted. As a result, cyberattacks targeting government email infrastructure are increasing exponentially," reported the NIC.

"To address the issue of advanced threats and cyberattacks, the security of the existing email service will have to be enhanced to provide a secure communication channel, deploying state-of-the-art security software and features to ensure effective and reliable communication," the NIC said in its RFP.

It has been reported that Moneycontrol has contacted the NIC with additional questions in this regard and the article regarding the same will be updated when a reply will be received from the NIC.

As part of the proposed additional security, it will be necessary to acquire threat intelligence software that supports the integration of third-party security to secure virtual machines from viruses, malware, etc.

The software must be able to detect malware that is not only capable of highlighting threat indicators but also capable of analyzing them.

It was stated in the RFP that "the information should include, among other things, background information on the threat actors and attack methods associated with specific indicators and artefacts that are linked to the threat actors."

As part of the threat intelligence collection process, it should also be capable of providing threat intelligence reports. These may include information such as the goal of the cyber attacker, variants of the threat, the outcome of a cyberattack, and so on.

The security measures for the government's email infrastructure will also include the implementation of HIPS (host intrusion prevention system), which monitors security across physical and virtual servers.

According to the RFP, the company will also acquire a security gateway that supports email security solutions that integrate inbound and outbound defences against email threats. These defences integrate inbound and outbound security analytics.

The RFP stated: "Potentially, the solution should be able to protect the company from zero-day and targeted attacks and be able to dynamically analyze messages attachments for malware without sending files to the cloud," according to the document.

"It is essential that the email security appliance be able to produce a PDF file containing a print-safe version of a message attachment that has been detected as malicious or suspicious."


Analyzing the security situation


Apart from that, the system integrator should also conduct an audit of the email architecture. This includes evaluating the email solution, changes in the design, changes in the operating system, and so on, as well as an assessment of the whole email environment.

There will also be a requirement for the system integrator to conduct a data audit of the email platform that is used by the government. According to the NIC, this is following any major feature changes, patch upgrades, and security fixes that are scheduled for the upcoming month.

Cyberattacks on government entities have increased in recent years


There has been an increase in the number of cyberattacks on the government, especially on the email infrastructure that the government uses as a communication tool.

According to a report in the Indian Express in December, several employees of various central ministries received mysterious emails from the nic. in the domain, which implied the death of Gen. Bipin Rawat had been caused by an "internal hand." From the nic. in the domain, the email claimed to be from a secret service agent.

A phishing attempt was carried out through compromised domain email IDs to try and lure officials of the Centre into clicking on the unsolicited link.

There was a similar cyberattack that took place in October last year when Prime Minister Narendra Modi visited the United States. A compromised email account belonging to the government was used in the attack.


Read more »
Hyperscraper
Cyber Security email security Google TAG Hyperscraper

Hyperscraper: A New Tool that Iranian Hackers Use for Stealing E-mails


State Sponsored Threat 

Charming Kitten, a state-sponsored Iranian hacking group is using a new tool to download emails from targeted Yahoo, Microsoft Outlook, and Gmail accounts. 

The utility is called Hyperscraper and like many hackers' operations and tools, it is in no way sophisticated. But its lack of sophistication is balanced by effectiveness, letting the threat actors hack a target's e-mail inbox without leaving any traces of the intrusion. 

Simple but effective email scraper

In a recent technical report, experts from Google's TAG (Threat Analyst Group), shared information about Hyperscraper's capabilities and said that it is under active development. 

Google TAG links the tool to Charming Kitten, a threat group based in Iran that is also called APT35 and Phosphorus, and said the earliest samples were found from 2020. 

The researchers discovered Hyperscraper in December 2021 and analysed it using a Gmail test account. Hyperscraper isn't a hacking tool but an instrument that lets threat actors steal email data and store it on their devices after getting into the victim's email account. 

How does Hyperscraper work?

Getting the login credentials for the victim's inbox is done in an earlier stage of the attack, generally by stealing them. 

Hyperscraper has an embedded browser and fools the user agent to imitate an outdated web browser, it provides a basic HTML view of the Gmail account's details. 

Google TAG says that once logged in, the tool changes the account’s language settings to English and iterates through the contents of the mailbox, individually downloading messages as .eml files and marking them unread. 

Google TAG Experts' Analysis 

When the extraction is completed, Hyperscraper changes the language settings to English and moves through the contents of the email inbox, downloading messages individually as .eml files extension and marking them unread. 

Google TAG experts said earlier variants of Charming Kitten's utility could get data from 'Google Take-out,' a feature that lets users shift data from their Google account for making a backup or using it with a third-party service. 

While running, Hyperscraper works via the C2 (Command and Control) server, waiting for a 'go' sign to start the exfiltration process. 

How does threat actor use Hyperscraper?

The operator can change the tool with important parameters (identifier string, operation mode, path to valid cookie file) via command-line arguments or using a minimal user interface. 

If the path to the cookie file isn't given over the command line, the operator has the option to drag and drop it into a new form. After the cookie has been parsed successfully and embedded in the local cache of the web browser, 

Victims have been notified 

Hyperscraper makes a 'Download' folder where it throws the contents of the target inbox. The victims of Charming Kitten who were attacked with Hyperscraper have been informed about the government-backed attacks. 

"Users that received such a warning are encouraged to bolster their defenses against more sophisticated attackers by enrolling in Google’s Advanced Protection Program (AAP) and by activating the Enhanced Safe Browsing feature, both provided an added security layer to existing protection mechanisms," said Bleeping Computers. 







Read more »
Sharpext
email security Gmail Kimsuky Privacy Sharpext

Hackers Use Malware To Spy on Emails


Gmail users should keep a watch out for the recently found email spying software called SHARPEXT. The malware was found by Volexity, a cybersecurity firm. The spying malware targets AOL and Google account holders and can read/download their personal e-mails and attachments.

A hacking group that is believed to work from North Korea is loading harmful browser extensions for Edge and Chrome. It tries to steal email info from open AOL and Gmail sessions and interchange browser preference files. 

About SHARPEXT

Volexity experts found the malicious extension, known as SHARPEXT, it is active for almost a year by Kimsuky (aka SharpTongue). It uses the extension after the attack has been launched, for keeping its presence. 

"SharpTongue's toolset is well documented in public sources; the most recent English-language post covering this toolset was published by Huntress in 2021. The list of tools and techniques described in that post is consistent with what Volexity has commonly seen for years. However, in September 2021, Volexity began observing an interesting, undocumented malware family used by SharpTongue," reports Volexity.

Kimsuky's Attack

Unlike other harmful browser extensions, SHARPEXT isn't made for stealing user credentials. On the contrary, the extension steals information from the e-mail inboxes of the victims.

The hackers deploy the extension manually via a VBS script once the initial breach of the victim system has been done. 

How SHARPEXT is installed

To install SHARPEXT, the hackers replace the Preferences and Secure Preferences files, for the aimed Chromium-based browser, which is generally said to be a difficult task to execute. 

• To interchange the Secure Preferences file, the hackers obtain some details from the browser and make a new file running on browser start-up.

• After that, the attackers use a secondary script to conceal some of the extension's features and any other windows that can surface and alarm the users about suspicious activities. 

• Lastly, the extension uses a pair of listeners for a particular type of activity in the browser tabs. Installation is then modified for different respective targets. 

Volexity says "the purpose of the tabs listeners is to change the window title of the active tab in order to add the keyword used by dev.ps1, the PowerShell script described previously. The code appends the keyword to the existing title (“05101190” or “Tab+”, depending on the version). The keyword is removed when DevTools is enabled on the tab." 

Read more »
Vulnerabilities and Exploits
Cisco DoS Vulnerabilities email security Malicious Emails Vulnerabilities and Exploits

Malicious Emails have the Potential to Bring Down Cisco Email Security Appliances

 

Cisco notified customers this week that its Email Security Appliance (ESA) product is vulnerable to a high-severity denial of service (DoS) vulnerability that may be exploited using specially crafted emails. The CVE-2022-20653 vulnerability affects the DNS-based Authentication of Named Entities (DANE) email verification component of Cisco AsyncOS Software for ESA. It is remotely exploitable and does not require authentication. 

This vulnerability is caused by the software's insufficient error handling in DNS name resolution. An attacker could take advantage of this flaw by sending specially crafted email messages to a device that is vulnerable. A successful exploit could allow the attacker to make the device unavailable from management interfaces or to process additional email messages for a period of time until the device recovers, resulting in a denial of service (DoS) issue. Repeated attacks could render the gadget fully inoperable, resulting in a persistent DoS condition, said the company. 

This vulnerability affects Cisco ESA devices running a vulnerable version of Cisco AsyncOS Software with the DANE functionality enabled and downstream mail servers configured to deliver bounce messages. 

Customers can prevent exploitation of this vulnerability by configuring bounce messages from Cisco ESA rather than downstream reliant mail servers. While this workaround has been deployed and confirmed to be functional in a test environment, users should evaluate its relevance and efficacy in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation deployed may have a negative impact on network functioning or performance due to inherent customer deployment circumstances and limitations.

"Cisco has released free software updates that address the vulnerability described. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels. Customers may only install and expect support for software versions and feature sets for which they have purchased a license," the company said. 

Cisco has given credit to numerous persons who worked with the Dutch government's ICT services company DICTU for reporting the security flaw. According to the networking behemoth, there is no evidence of malicious exploitation. 

Cisco also issued two advisories this week, informing users of medium-severity issues impacting Cisco RCM for Cisco StarOS software (DoS vulnerability), as well as Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (XSS vulnerability).
Read more »
Technology
data security email security Microsoft New Technology Office 365 Technology

Office 365 Provides Email Protection Against Downgrade and MITM Attacks

Microsoft adds SMTP MTA Strict Transport Security (MTA-STS) support feature in Exchange Online to improve Office 365 customers' email security. Redmond disclosed MTA-STS's release in September 2020. after mentioning that it was also adding inbound and outbound support for DNSSEC (Domain Name System Security Extensions) and DANE for SMTP (DNS-based verification of Known Entities). The Exchange Online Transport Team has been validating and implementing and is now ready to disclose support for MTA-STS for all outgoing messages via Exchange Online. 

Office 365 now has MTA-STS, which means that emails sent by users with Exchange Online will be sent over connections having authentication and encryption. It will protect the mails from threat actors and hacking attempts. The new feature improves Exchange Online email security and resolves various SMTP security problems, it includes out-of-date TLS certificates, poor secure protocols support, and certifications not trusted by third parties or same server domain names. Before MTA-STS, emails sent via unsafe TLS connections were vulnerable to external threats like man-in-the-middle and downgrade attacks. 

Exchange Team says "downgrade attacks are possible where the STARTTLS response can be deleted, thus rendering the message in cleartext. Man-in-the-middle (MITM) attacks are also possible, whereby the message can be rerouted to an attacker's server. MTA-STS (RFC8461) helps thwart such attacks by providing a mechanism for setting domain policies." Microsoft offers assistance on adopting MTA-STS, this includes hosting of the policy files on the domain web infrastructure. 

DANE for SMTP support 

Redmond is currently working on starting DANE for SMTP with DNSSEC support, it provides better security for SMTP connections compared to MTA-STS. Microsoft has secured various domains for email transmission as a domain owner including primary domains such as hotmail.com and outlook.com and live.com. It means that connections from senders supporting MTA-STS are prevented from man-in-the-middle attacks. 

Microsoft says "you can use both standards on the same domain at the same time, so customers are free to use both when Exchange Online offers inbound protection using DANE for SMTP by the end of 2022. By supporting both standards, you can account for senders who may support only one method."

Read more »
Remote Access Trojan
email security malware Phishing Campaign Remote Access Trojan

To Spread STRRAT Malware, Phishing Campaign Impersonates Shipping Giant Maersk

 

A new phishing campaign employing bogus shipping delivery lures installs the STRRAT remote access trojan on the computers of unsuspecting victims. Fortinet identified the new campaign after detecting phishing emails mimicking Maersk Shipping, a worldwide shipping behemoth, but utilising seemingly authentic email addresses. 

STRRAT is a multi-functional Remote Access Trojan that dates to at least mid-2020. It is unusually Java-based and is normally sent to victims via phishing email. Previous STRAAT operations, like other phishing attacks, used an intermediary dropper (e.g., a malicious Excel macro) attached to the email that downloaded the ultimate payload when viewed. Instead of using that method, this sample attaches the final payload directly to the phishing email. 

In the case of Maersk Shipping, the message eventually goes through "acalpulps[.]com" before being delivered to the final recipient after leaving the sender's local infrastructure. This domain was only registered in August 2021, which makes it questionable. Furthermore, the domain utilised in the "Reply-To" address, "ftqplc[.]in," was recently registered (October 2021), making it highly suspicious as well. The email body urges the recipient to open attachments regarding a pending shipment. 

A PNG image and two Zip archives are directly attached to the sample email. "maersk.png" is simply an image file. However, the two Zip archives “SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]zip” and “SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF (2)[.]zip” include an embedded copy of STRRAT. When one of these archives is unzipped, the file “SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]jar” is displayed. However, when you open the file in Jar Explorer, a few things become clear. 

Firstly, this package contains a significant number of Java class files. Second, the strings in the class "FirstRun" appear to be scrambled or encoded. Lines beginning with "ALLATORIxDEMO" denote the presence of the Allatori Java Obfuscator. 

STRRAT malware first collects basic information about the host system, such as its architecture and any anti-virus software that are operating on it, before checking local storage and network capability. STRRAT can collect user keystrokes, enable remote control operation, steal passwords from web browsers such as Chrome, Firefox, and Microsoft Edge, steal passwords from email clients such as Outlook, Thunderbird, and Foxmail, and launch a pseudo-ransomware module to simulate an infection. 

Trojans like STRRAT are frequently overlooked because they are less sophisticated and more randomly distributed. However, this phishing attempt proves that even little threats can cause significant damage to organizations.
Read more »
Subscribe to: Posts (Atom)