Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label fake error messages. Show all posts
fintech companies
Cyber Security digital financial crime Digital Payment fake error messages Fintech fintech companies

Zoho Books Dispute Highlights Third-Party Payment Error Impacting FlexyPe Transactions

 

A conflict involving the fintech firm FlexyPe and the accounting platform Zoho has highlighted potential dangers when external tools connect to financial platforms. Problems emerged following inconsistencies found in FlexyPe's payment logs, which it first linked to flaws within Zoho Books. 

Out of the blue, FlexyPe's Azeem Hussain shared that a hands-on review of financial records showed some transaction failures wrongly labeled as completed. Because of this mismatch, around ₹3.8 lakh appeared logged in Zoho Books as paid - though the money never arrived. While checking entries line by line, the team spotted the gap between system data and real bank inflows. Since then, corrections have been made to reflect what actually moved through the accounts. 

Still nothing arrived, yet Zoho claimed otherwise, Hussain noted - wondering just how many months slipped by undetected. Processing vast numbers of transactions every day, the company now examines its finances more deeply, tracing back twenty-four months to uncover further mismatches that might exist. Still, Zoho pushed back hard against the allegations, insisting the fault lay elsewhere. 

Its official statement pointed to a different source: problems emerged not from inside its own systems. Instead, trouble began when Cashfree Payments - handling payments externally - marked failed attempts as complete. This mismatch fed faulty data into FlexyPe’s records. The result? Discrepancies piled up where numbers should have balanced. Zoho pointed out how its staff helped FlexyPe trace the core problem, while mentioning Cashfree’s public admission of the flaw. 

Although the inquiry wasn’t finished, FlexyPe aired accusations online - a move Zoho called premature. Because of this, the firm views those statements as inaccurate, which might lead to legal steps. Now, questions arise about timing, given the early release of unverified details by one party. Cashfree Payments addressed the matter, stating they found the problem within their system and are now moving forward with corrective steps. 

While building a lasting answer, a short-term adjustment went live to keep FlexyPe running smoothly. Even after clear explanations, legal steps are being prepared by Hussain to claim back money lost because of the event. What happened shows why checking records carefully matters - especially when outside software plays a key role in handling finances. When companies depend more on linked systems, this event shows how small connection mistakes might trigger serious problems in operations and costs.
Read more »
Windows malware
fake error messages malware PowerShell malware ransomware distribution social engineering attacks Windows malware

Crafty Criminals Use Fake Error Messages to Deploy Malware via PowerShell

 

Criminals are targeting thousands of organizations worldwide with social engineering attacks that use fake error messages to trick users into running malicious PowerShell scripts.

This new Windows malware campaign uses bogus error messages from Google Chrome, Microsoft Word, and OneDrive that appear legitimate. When victims visit a compromised website, they encounter a pop-up error message in their browser. This tactic, although old, remains highly effective. It's crucial to be aware of this trick to prevent others from falling for it.

Victims are instructed to click a "fix" button and paste the displayed code into a PowerShell terminal or Windows Run dialog box. This action allows PowerShell to execute another remote script that downloads and installs malware on the victim's computer.

Proofpoint malware researchers have identified at least two criminal groups using this method. One of these groups is likely using it to spread ransomware.

"Although the attack chain requires significant user interaction to be successful, the social engineering is clever enough to present someone with what looks like a real problem and solution simultaneously, which may prompt a user to take action without considering the risk," stated Tommy Madjar, Dusty Miller, and Selena Larson in a recent report.

Proofpoint discovered a group named TA571 employing this PowerShell technique as early as March 1, and another gang behind the ClearFake malware campaign has been using it since early April. Both groups were still active in early June, and a third campaign, dubbed ClearFix, has been testing it out since at least May.

In these attacks, users visit a compromised website that loads a malicious script hosted on the blockchain via Binance's Smart Chain contracts, known as EtherHiding. This script then triggers a fake warning box in the browser, prompting the victim to install a "root certificate" to fix a fictitious problem.

The warning message includes instructions to copy a PowerShell script and run it manually. This script flushes the DNS cache, clears the clipboard, displays a decoy message, and then downloads and executes a remote PowerShell script.

The remote script conducts Windows Management Instrumentation checks and then deploys Lumma Stealer malware, which downloads three payloads:

am.exe – Amadey Loader
ma.exe – A downloader that installs the XMRig cryptocurrency miner with a specific configuration
cl.exe – A clipboard hijacker that replaces cryptocurrency addresses in the clipboard to redirect funds to the threat actor's address during transactions
In some cases, the Amadey malware also downloads additional malware, including a Go-based threat believed to be JaskaGo, which can target both Windows and macOS systems.

"This means that in total, five distinct malware families could be executed just by running the one initial PowerShell script," the researchers noted.

The ClearFix campaign used a similar tactic. Attackers employed a compromised website with an iframe overlay, displaying a Google Chrome error message instructing users to open "Windows PowerShell (Admin)" and paste malicious code, ultimately leading to the Vidar Stealer being downloaded and executed.

In another campaign attributed to TA571, the group sent out over 100,000 phishing emails to thousands of organizations globally. These emails contained a malicious HTML attachment disguised as a Microsoft Word page, displaying an error message about the "Word Online extension not being installed," and offering two options: "How to fix" and "Auto-fix."

Clicking "How to fix" copies a Base64-encoded PowerShell command to the clipboard, instructing the user to open PowerShell and paste the command. The "Auto-fix" button uses the search-ms protocol to display a WebDAV-hosted "fix.msi" or "fix.vbs" file.

Executing the MSI file installs Matanbuchus, another malware loader, while the VBS file downloads and runs the DarkGate attack code.

"Proofpoint assesses with high confidence that TA571 infections can lead to ransomware," the researchers said, noting that this group continually modifies its email lures and attack chains.

The security firm also provided examples of indicators of compromise and advised organizations to train employees to recognize and report suspicious activity, particularly social engineering attacks of this nature. 
Read more »
Subscribe to: Comments (Atom)