Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label phishing. Show all posts
USA
Cyber Attacks FBI phishing Road Toll SMS Phishing USA

Nationwide Scam Targets Road Toll Users via SMS Phishing Scheme

 



The Federal Bureau of Investigation (FBI) has alerted the public to a widespread SMS phishing scam sweeping across the United States. The scam, which began in early March 2024, specifically targets individuals with fraudulent messages regarding unpaid road toll fees.

What Does The Scam Entails?

Thousands of Americans have already fallen victim to this harrowing scam, with over 2,000 complaints flooding the FBI's Internet Crime Complaint Center (IC3) from at least three states. The deceptive messages typically claim that the recipient owes money for outstanding tolls, urging them to click on embedded hyperlinks.

The perpetrators behind these attacks employ sophisticated tactics to deceive their targets. By impersonating legitimate toll services and altering phone numbers to match those of the respective states, they create a false sense of authenticity. However, the links provided within the messages lead to fake websites designed to extract personal and financial information from unsuspecting victims.

Cautionary Advice

Authorities are urging individuals who receive such messages to exercise caution and take immediate action. The Pennsylvania Turnpike, one of the affected toll services, has advised recipients not to click on any suspicious links and to promptly delete the messages. Similarly, the Pennsylvania State Police have issued warnings about the scam, emphasising the dangers of providing personal information to fraudulent sources.

To safeguard against falling prey to this scam, the FBI recommends several preventive measures. Victims are encouraged to file complaints with the IC3, providing details such as the scammer's phone number and the fraudulent website. Additionally, individuals should verify their toll accounts using the legitimate websites of the respective toll services and contact customer service for further assistance. Any suspicious messages should be promptly deleted, and if personal information has been compromised, immediate steps should be taken to secure financial accounts and dispute any unauthorised charges.

What Is Smishing?

Smishing, a blend of "SMS" and "phishing," is a form of social engineering attack wherein fraudulent text messages are used to deceive individuals into divulging sensitive information or downloading malware. In this instance, the scam preys on individuals' concerns regarding unpaid toll fees, exploiting their trust in official communication channels.

As the SMS phishing scam continues to proliferate, it is imperative for individuals to remain vigilant and sceptical of unsolicited messages. By staying informed and taking proactive measures to protect personal information, users can mitigate the risks posed by such malicious activities. Authorities are actively investigating these incidents, but it is crucial for the public to be proactive in safeguarding their financial and personal information from exploitation.


Read more »
X
malware Netflix phishing URLs Websites X

X's URL Blunder Sparks Security Concerns

 



X, the social media platform formerly known as Twitter, recently grappled with a significant security flaw within its iOS app. The issue involved an automatic alteration of Twitter.com links to X.com links within Xeets, causing widespread concern among users. While the intention behind this change was to maintain brand consistency, the execution resulted in potential security vulnerabilities.

The flaw originated from a feature that indiscriminately replaced any instance of "Twitter" in a URL with "X," regardless of its context. This meant that legitimate URLs containing the word "Twitter" were also affected, leading to situations where users unknowingly promoted malicious websites. For example, a seemingly harmless link like netflitwitter[.]com would be displayed as Netflix.com but actually redirect users to a potentially harmful site.

The implications of this flaw were significant, as it could have facilitated phishing campaigns or distributed malware under the guise of reputable brands such as Netflix or Roblox. Despite the severity of the issue, X chose not to address it publicly, likely in an attempt to mitigate negative attention.

The glitch persisted for at least nine hours, possibly longer, before it was eventually rectified. Subsequent tests confirmed that URLs are now displaying correctly, indicating that the issue has been resolved. However, it's important to note that the auto-change policy does not apply when the domain is written in all caps.

This incident underscores the importance of thorough testing and quality assurance in software development, particularly for platforms with large user bases. It serves as a reminder for users to exercise caution when clicking on links, even if they appear to be from trusted sources.

To better understand how platforms like X operate and maintain user trust, it's essential to consider the broader context of content personalization. Profiles on X are utilised to tailor content presentation, potentially reordering material to better match individual interests. This customization considers users' activity across various platforms, reflecting their interests and characteristics. While content personalization enhances user experience, incidents like the recent security flaw highlight the importance of balancing personalization with user privacy and security concerns.


Read more »
Social Media attacks
Cyber Security Linkedln Perception Point phishing Social Media attacks

LinkedIn Users Targeted in Complex Phishing Scheme

 

LinkedIn Users Targeted in Complex Phishing Scheme A concerning security threat has emerged for users of the professional networking platform LinkedIn. Known as the "Microsoft Two-Step Phishing Campaign," this attack involves hackers using compromised profiles to deceive users and steal their sensitive information. 

It Starts With Exploiting Trust 

The attack begins innocently enough, with hackers taking control of LinkedIn profiles that users trust within their professional networks. These profiles appear normal but are actually manipulated by the attackers, who exploit the trust between users and their connections. 

Let’s Understand The Attack Tactic: Two Steps to Success 

The heart of this attack involves two stages. First, hackers combine stolen user accounts with a tricky phishing attack. They use a sneaky program called Snake, which targets not only LinkedIn but also Facebook users. Snake pretends to send legitimate messages but actually tricks users into downloading harmful software. 

Once installed, Snake quietly steals users' browsing data, giving hackers access to their accounts and compromising their security. This method shows how social media platforms, like LinkedIn, can unwittingly help cybercriminals steal important information and breach corporate systems. 

Furthermore, Perception Point's Enterprise Browser Security extension quickly caught a sneaky attack pretending to be Microsoft. It used sophisticated textual and image recognition AI models and found these suspicious key indicators: 

Logo Similarity: It found an image that was almost identical to the real Microsoft logo. 

Favicon Impersonation: The attack tried to fool users by using a small icon that looked like the one Microsoft uses for Outlook. 

Phoney Login Page: The attackers set up a login page that pretended to be from Microsoft. It asked for email addresses and passwords. 

URL Analysis: The extension checked the website's reputation and details like when it was created. It also looked for any weird stuff in the code. 

What It Means for You 

This new campaign highlights the urgent need for better security measures, especially on platforms like LinkedIn. As more people and businesses rely on these sites for networking, they must stay alert to the risks posed by hackers. This incident also shows how cybercriminals are constantly changing their tactics. 

To stay safe, it is essential for users and companies to not only have strong security systems in place but also to educate themselves about potential threats. In response to this growing danger, social media companies and cybersecurity experts must work together to develop strategies to protect users from phishing attacks and other online threats. 
Read more »
Privnote
Cryptocurrency Breach Data Breach Data Theft malicious phishing Privnote

Privnote Secure Messaging App Is Under Phishing Threat

 

Privnote.com, launched in 2008, revolutionized secure messaging with its encryption technology. It allows users to send messages with a unique link, ensuring privacy as the content self-destructs after reading. However, its popularity among cryptocurrency enthusiasts also drew the attention of malicious actors who engaged in phishing activities. 

Phishers exploit Privnote's model by creating clones, such as privnote[.]co, that mimic its functionality. These clones surreptitiously replace cryptocurrency addresses when users create notes containing crypto wallets. Thus, unsuspecting users fall victim to sending funds to the phisher's address instead of the intended recipient. 

GitHub user, fory66399, lodged a complaint last month against MetaMask, a cryptocurrency wallet, alleging wrongful flagging of privnote[.]co as malicious. Threatening legal action, fory66399 demanded evidence and compensation. However, MetaMask's lead product manager, Taylor Monahan, swiftly debunked these claims by providing screenshots showing the fraudulent activities of privnote[.]co. 

According to DomainTools.com, the domain privatenote[.]io has changed hands between two individuals: Andrey Sokol from Moscow and Alexandr Ermakov from Kiev, over two years. While these names may not be the real identities of the scammers, they provide clues to other sites targeting Privnote since 2020. 

Furthermore, Alexandr Ermakov is linked to several other domains, including pirvnota[.]com, privatemessage[.]net, privatenote[.]io, and tornote[.]io, as per DomainTools. This suggests a potential network of fraudulent activities associated with Privnote, emphasizing the need for caution in identifying phishing attempts. 

Let’s Understand Suspicious Activities on Privnote: 

Domain Registrations: The domain pirvnota[.]com saw a change in registration details from Andrey Sokol to "BPW" and "Tambov district" as the registrant's state/province. This led to the discovery of pirwnote[.]com, along with other suspicious domains like privnode[.]com, privnate[.]com, and prevnóte[.]com, all linking to the same internet address. Interestingly, pirwnote[.]com is now selling security cameras from a Hong Kong-based internet address. 

Deceptive Legitimacy: Tornote[.]io appears to have undergone efforts to establish credibility. A Medium account has published numerous blog posts endorsing Tornote as a secure messaging service. However, testing reveals its malicious intent, as it also alters cryptocurrency addresses in messages. 

Search Engine Manipulation: Phishing sites manipulate search engine results to appear prominently for terms like "privnote." Currently, a Google search for "privnote" lists tornote[.]io as the fifth result. These sites rotate cryptocurrency addresses every five days to evade detection. 

According to the Privnote website, it is a web-based service focused on privacy, allowing users to create encrypted notes shared via unique one-time-use HTTPS links. Notes and their contents are processed securely in users' browsers, with no readable data stored on Privnote's servers. 

IP addresses are processed solely for communication and promptly deleted thereafter. Personal data within notes remains encrypted and inaccessible to Privnote. The service uses cookies for functional and non-functional purposes, respecting user privacy preferences. Privnote does not target children under 16 and commits to regularly updating its Privacy Policy.
Read more »
phishing
Chineses Hackers Cyber Crime iMessage iPhone PaaS phishing

Darcula: The Emergence of Phishing-as-a-Service and Its Worldwide Impact

 

In the ever-evolving landscape of cybercrime, phishing-as-a-service (PaaS) has emerged as a formidable threat, enabling cybercriminals to orchestrate sophisticated attacks with ease. Among the myriad PaaS platforms, Darcula stands out for its technical sophistication, global reach, and pervasive impact. 

Darcula, a Chinese-language platform, has garnered attention from cybersecurity researchers for its role in facilitating cyberattacks against more than 100 countries. With over 19,000 phishing domains created, Darcula represents a significant escalation in the capabilities and reach of phishing operations. At the core of Darcula's operation is its ability to provide cybercriminals with easy access to branded phishing campaigns. 

For a subscription fee of around $250 per month, individuals gain access to a wide range of phishing templates targeting global brands and consumer-facing organizations. From postal services to financial institutions, Darcula's phishing campaigns cover a broad spectrum of sectors, exploiting the trust of unsuspecting victims to steal sensitive information. 

What sets Darcula apart is its technical sophistication and innovative approach to phishing. Unlike traditional phishing kits, Darcula leverages advanced tools and technologies commonly used in application development, including JavaScript, React, Docker, and Harbor. This allows cybercriminals to create dynamic and convincing phishing websites that are difficult to detect and defend against. 

Moreover, Darcula utilizes iMessage and RCS (Rich Communication Services) for text message phishing, enabling scam messages to bypass traditional SMS firewalls and reach a wider audience. This tactic represents a significant challenge for cybersecurity defenses, as it allows phishing messages sent via Darcula to evade detection and exploit unsuspecting victims. While Darcula primarily targets Chinese-speaking cybercriminals, its impact extends far beyond linguistic boundaries. 

The platform's global reach and extensive network of phishing domains pose a significant threat to organizations and individuals worldwide. With an average of 120 new domains hosting Darcula phishing pages detected daily, the scale of this operation is unprecedented, making it a top priority for cybersecurity professionals and law enforcement agencies alike. 

Defending against Darcula and similar PaaS platforms requires a multifaceted approach. Enterprises and individuals must remain vigilant against phishing attempts, avoiding clicking on links in unexpected messages and verifying the authenticity of communication from trusted sources. Additionally, employing commercial security platforms to block access to known phishing sites can help mitigate the risk of falling victim to Darcula-based attacks. 

Darcula represents a new frontier in the world of cybercrime, highlighting the growing sophistication and global reach of phishing-as-a-service platforms. By understanding the tactics and techniques employed by Darcula and remaining vigilant against evolving threats, organizations and individuals can better defend against cyberattacks and safeguard sensitive information in an increasingly digital world.
Read more »
phishing
Cyber Security E-Commerce Fake Website Online Shopping phishing

E-Commerce Scam: Read These 5 Tips to Stay Safe from Fake Sites

scam

The e-commerce industry has witnessed tremendous growth in the last decade, and it's likely to rise. Tech behemoths like Apple lead the market, but most businesses these days sell goods and services online, including local stores.

Not only has it changed the way of doing business, but e-commerce has also caused a rapid change in shopping consumer habits. Today, buying what you need is just a click away, you can shop from the comfort of your home, that's the trend now. It is evident that online shopping provides a level of ease that traditional retail can't match, however, e-commerce is without a doubt more risky. 

The e-commerce industry is a hotspot of cyber threats, from phishing attacks to false advertising and credit card skimming scams. As a conscious user, we must know how to protect ourselves. These five helpful tips can help you decide if you're on a fake site before you "add to cart" your favorite product. 

Verify the URL

The URL (Uniform Resource Locator) is the address of a webpage. Hackers make fake sites that look almost the same as the original, they use a domain name that's nearly identical to the site domain they are faking. 

The first thing you should look for is if there are any errors or extra characters in the URL.

For instance, an attacker might make a fake site at flippkartt.com, to scam people into thinking they are using the original Flipkart site. But the real URL will look like "https://flipkart.com/." The URL of the fake site would be "http://flippkartt.com/." You might observe there is a difference in the protocol. The original site uses HTTPS (Hypertext Transfer Protocol Secure), while the fake uses HTTP (Hypertext Transfer Protocol). 

The HTTPS prefix means your data is encrypted in transit, but takes more time and cost to set up, so the scammers don't try. 

In a nutshell, most phishing scams work like this. It all comes down to cloning a real business and stealing sensitive info from users. It is always important to check the URL before you proceed. 

The content and design

A real business website would not have grammatical and spelling mistakes. Few scammers might hustle to proofread the content of their fake site, but not all do that. If you visit a site and notice it has mistakes and typos, chances are it's a scam. 

Similarly, a real business won't publish low-quality images or poor designs. Scammers will do that because they don't have an image to maintain. 

The scammer would scrape photos from the web using software, or just put random images that aren't related to the product. This is your sign to stay away from the fake website. 

Don't fall for too-good-to-be-true offers

The iPhone 15 is currently costing around 72000 INR. Suppose you see the product online selling for 30000 INR, it is most likely a scam. 

It is an easy bait as buyers like to crack deals, and in a rush, fall prey to the scam. Scammers know that huge discounts work as a glue trap for economically struggling buyers. So next time, make sure you see the right price before rushing to "add to cart" on an online shopping website. 

Read the About Us page

A legit e-commerce site will always have an elaborate "About Us" page, the buyer can clearly understand the business's goals, mission, etc. with the help of given info. Sometimes, "About Us" also includes info regarding careers, team members, and ownership. Lastly, there's a detailed privacy policy and a contact form for interested customers and media professionals. 

With time, the scams have upped their games as scammers now use AI to scale their attacks, however only a few bother to make a legit "About Us" page. If you notice that an online shopping site doesn't have these elements, and it's lacking transparency, you should avoid it. Don't spend your money without checking these pages. 

Read the reviews

You should always go through an online store's reviews before buying a product. A legit business will always have a review somewhere. You can start with Google reviews, just type the business name and go to the reviews section. Bingo, you can now check what others say about the store. 

If you can't find even a single review, the store might not be fake, but it's best to avoid it. You can also check what others are saying on social media. Twitter and Reddit are some common sites where users share their experiences. It barely takes a minute, but can save you from a scam. 

Read more »
Private Keys
Crypto Scam Cyber Attacks Ethereum Financial Exploit phishing Private Keys

Crypto Phishing Scams: $47M Lost in February

 


In February, cybercriminals orchestrated a series of sophisticated crypto phishing scams, resulting in a staggering $47 million in losses. These scams, often initiated through social media platforms like X (formerly Twitter), saw a dramatic 40% surge in victims compared to January, with over 57,000 individuals falling prey to their deceitful tactics. Despite the increase in victims, the overall amount lost decreased by 14.5%, indicating a slight reprieve amidst the relentless onslaught of crypto-related scams.

Leading the charge in terms of losses were Ethereum (ETH) and the layer-2 network Arbitrum (ARB), accounting for three-quarters and 7.4% of the total losses, respectively. ERC-20 tokens, a popular form of cryptocurrency, constituted a staggering 86% of the assets pilfered by cybercriminals, highlighting their preference for easily transferable digital assets.

At the heart of these scams lies a cunning strategy: impersonating legitimate entities, such as well-known crypto projects, to trick unsuspecting users into divulging sensitive information like private keys. These keys serve as a gateway to users' digital wallets, which are subsequently raided by the scammers, leaving victims reeling from substantial financial losses.

Scam Sniffer, a prominent anti-scam platform, shed light on the prevalent use of fake social media accounts in these fraudulent schemes. By impersonating X accounts of reputable crypto projects, phishers exploit users' trust in official channels, coaxing them into unwittingly surrendering their private keys.

The year 2023 witnessed a staggering $300 million in losses due to crypto phishing scams, ensnaring over 320,000 users in their intricate web of deception. In recent times, scammers have adopted a new tactic, luring users with enticing "airdrop claim" links, which, unbeknownst to the victims, serve as traps to drain their wallets of funds.

Even high-profile entities like MicroStrategy have fallen victim to these scams, with their social media accounts compromised to disseminate phishing airdrop links. Additionally, the email services of reputable Web3 companies have been hijacked to distribute fraudulent airdrop claim links, resulting in significant financial losses for unsuspecting victims.

To shield themselves from falling prey to these scams, users are urged to exercise utmost vigilance and meticulously scrutinise any suspicious communication. Signs such as typographical errors, content misalignment, and grammatical inconsistencies should serve as red flags, prompting users to exercise caution when engaging with crypto-related content online.

By staying informed and adopting proactive measures, individuals can practise safety measures against these malicious schemes, safeguarding their hard-earned assets from falling into the clutches of cybercriminals.


Read more »
Vulnerabilities and Exploits
AI technology phishing Social Engineering Tesla Vulnerabilities and Exploits

Thinking of Stealing a Tesla? Just Use Flipper Zero

Thinking of Stealing a Tesla? Just Use Flipper Zero

Researchers have found a new way of hijacking WiFi networks at Tesla charging stations for stealing vehicles- a design flaw that only needs an affordable, off-the-shelf tool.

Experts find an easy way to steal a Tesla

As Mysk Inc. cybersecurity experts Tommy Mysk and Talal Haj Bakry have shown in a recent YouTube video hackers only require a simple $169 hacking tool known as Flipper Zero, a Raspberry Pi, or just a laptop to pull the hack off. 

This means that with a leaked email and a password, the owner could lose their Tesla car. The rise of AI technologies has increased phishing and social engineering attacks. As a responsible company, you must factor in such threats in your threat models. 

And it's not just Tesla. You'll be surprised to know cybersecurity experts have always cautioned about the use of keyless entry in the car industry, which often leaves modern cars at risk of being hacked.

Hash Tag Foolery

The problem isn't hacking- like breaking into software, it's a social engineering attack that tricks a car owner into handing over their information. Using a Flipper, the experts create a WiFi network called "Tesla Guest," the same name Tesla uses for its guest networks at service centers. After this, Mysk created a fake website resembling Tesla's login page. 

After this, it's a cakewalk. In this case, hackers broadcast networks around a charging station, where a bored driver might be looking to connect over WiFi. The owner (here, the victim) connects to the WiFi and fills in their username and password on the fake Tesla website. 

The hacker uses the provided login credentials and gains access to the real Tesla app, which prompts a two-factor authentication code. The victim puts the code into the fake site, and hackers get access to their account. 

Once you've trespassed into the Tesla app, you can create a "phone key" to unlock and control the car via Bluetooth using a smartphone. Congratulations, the car is yours!

Mysk has demonstrated the attack in a YouTube video

Tesla can fix the flaw easily but chooses not to

Mysk says that Tesla doesn't alert the owner if a new key is created, so the victim doesn't know they've been breached. And the bad guy doesn't have to steal the car right away, because the app shows the location of the car. 

The Tesla owner can charge the car and take it somewhere else, the thief just has to trace the location and steal it, without needing a physical card. Yes, it's that easy. 

Mysk tested the design flaw on his own Tesla and discovered he could easily create new phone keys without having access to the original key card. But Tesla has mentioned that's not possible in its owner manual

Tesla evades allegation

When Mysk informed Tesla about his findings, the company said it was all by design and "intended behaviour," underplaying the flaw. 

Mysk doesn't agree, stressing the design to pair a phone key is only made super easy at the cost of risking security. He argues that Tesla can easily fix this vulnerability by alerting users whenever a new phone key is created. 

But without any efforts from Tesla, the car owners might as well be sitting ducks. 

A sophisticated computer/machine doesn't always mean it's secure, the extra complex layers make us more vulnerable. Two decades back, all you needed to steal a car was getting a driver's key or hot-wiring the vehicle. But if your car key is a bundle of ones and zeroes, you must rethink the car's safety.


Read more »
US Schools
CAPTCHA Security cyber attack Cyber Attacks PHaas phishing Scam Storm-1575 Tycoon US Schools

Rise in Phishing Attacks Targeting US Schools Raises Concerns

 



Through a recent report by PIXM, a cybersecurity firm specialising in artificial intelligence solutions, public schools in the United States face a significant increase in sophisticated phishing campaigns. Threat actors are employing targeted spear phishing attacks, utilising stealthy patterns to target officials in large school districts, effectively bypassing Multi-Factor Authentication (MFA) protections.

Since December 2023, there has been a surge in MFA-based phishing campaigns targeting teachers, staff, and administrators across the US. The attackers, identified as the Tycoon and Storm-1575 threat groups, employ social engineering techniques and Adversary-in-the-Middle (AiTM) phishing to bypass MFA tokens and session cookies. They create custom login experiences and use services like dadsec and Phishing-as-a-Service (PhaaS) to compromise administrator email accounts and deliver ransomware.

The Tycoon Group's PhaaS, available on Telegram for just $120, boasts features like bypassing Microsoft's two-factor authentication. Meanwhile, Microsoft identifies Storm-1575 as a threat actor engaging in phishing campaigns through the Dadsec platform. The attacks involve phishing emails prompting officials to update passwords, leading them to encounter a Cloudflare Captcha and a spoofed Microsoft password page. If successful, attackers forward passwords to legitimate login pages, requesting two-factor authentication codes and bypassing MFA protections.

The attacks commonly target officials such as the Chief of Human Capital, finance, and payroll administrators. Some attempts involve altering Windows registry keys, potentially infecting machines with malicious scripts. The attackers conceal their tracks using stealth tactics, hiding behind Cloudflare infrastructure and creating new domains.

Despite using CAPTCHAs in phishing attacks providing a sense of legitimacy to end-users, there's potential for malicious trojan activity, including modifying Windows registry keys and injecting malicious files. These attacks can result in malware installation, ransomware, and data exfiltration.

Schools are the most targeted industry by ransomware gangs, with student data being a prominent prey of cybercrime. A concerning trend shows unprecedented data loss, with over 900 schools targeted in MOVEit-linked cyber attacks. Recent data leaks, such as the one involving Raptor Technologies, have exposed sensitive records belonging to students, parents, and staff, raising concerns about student privacy and school safety.

To protect against these phishing attacks, organisations are advised to identify high-priority staff, invest in tailored awareness efforts, caution users against suspicious links, and implement proactive AI-driven protections at the browser and email layers.

To take a sharp look at things, the surge in phishing attacks targeting US schools states the significance of cybersecurity measures and the need for increased awareness within educational institutions to safeguard sensitive information and ensure the privacy and safety of students and staff.


Read more »
Synergia operation
Cyber Security cybercriminal arrests Cybersecurity digital space protection global C2 servers Interpol Law Enforcement Online Security phishing Ransomware Synergia operation

Interpol's Operation 'Synergia' Secures Numerous Cybercriminal Arrests, Disrupts Global C2s

 

An international operation aimed at countering the rising threat of phishing, banking malware, and ransomware attacks globally has successfully dismantled command-and-control (C2) servers across Africa and the Middle East. Led by Interpol, the Synergia operation engaged 60 law enforcement agencies, including 17 from the Middle East and Africa (MEA) region. 

Notably, significant takedowns occurred in South Sudan and Zimbabwe, resulting in four arrests. Kuwait law enforcement collaborated with Internet Service Providers (ISPs) to identify victims, conduct field investigations, and provide technical guidance to mitigate the impacts of cyber threats.

Collaborating with local law enforcement and cybersecurity firms such as Group-IB, Kaspersky, ShadowServer, Team Cymru, and TrendMicro, Interpol executed the operation from September to November. The global initiative led to the arrest of 31 individuals and the identification of 70 additional suspects.

Beyond the MEA region, the operation yielded notable results worldwide:

- Europe witnessed the majority of C2 server takedowns, resulting in 26 arrests.
- The Hong Kong and Singapore Police successfully took down 153 and 86 servers, respectively.
- Bolivia mobilized various public authorities to identify malware and vulnerabilities.

Synergia also uncovered malicious infrastructure and resources in over 50 countries, spread across 200 web hosting providers globally. Currently, 70% of the C2 servers have been taken offline, with the remainder under investigation.

Bernardo Pillot, Assistant Director to the Interpol Cybercrime Directorate, emphasized the collaborative efforts of multiple countries and partners, underscoring the commitment to safeguarding the digital space. By dismantling the infrastructure supporting phishing, banking malware, and ransomware attacks, the operation aims to create a more secure online environment for users worldwide.
Read more »
phishing
2FA bypass Account security Accounts Argentina Cyber Security Cybersecurity Digital Payment financial services fraud prevention Hacked online money transfer Payoneer phishing

Accounts on Payoneer in Argentina Compromised in 2FA Bypass Incidents

 

A significant number of Payoneer users in Argentina have reported unauthorized access to their 2FA-protected accounts, resulting in the theft of funds while they were asleep. Payoneer, a financial services platform facilitating online money transfer and digital payments, is particularly popular in Argentina for its ability to enable earnings in foreign currencies without adhering to local banking regulations.

Starting last weekend, users with 2FA-protected accounts experienced sudden loss of access or discovered empty wallets upon login, with losses ranging from $5,000 to $60,000. Prior to the incidents, victims received SMS messages requesting approval for a password reset on Payoneer, which they did not authorize. Some users claim they did not click on the provided URLs, and a few only noticed the SMS after the funds were stolen.

The stolen funds were reportedly sent to unfamiliar email addresses using the 163.com domain. Investigations reveal that many affected users were customers of mobile service providers Movistar and Tuenti, with the majority using Movistar. Suspicions arose regarding a recent Movistar data leak, but the leaked data did not include user email addresses necessary for Payoneer password resets.

One theory suggests a breach in the SMS provider delivering OTP codes, granting threat actors access to codes sent by Payoneer. However, an official statement from Movistar denies responsibility for messages sent through its network and mentions blocking the numbers used in the smishing campaign.

Payoneer, while acknowledging the issue, has not provided specific details about the attack, attributing it to phishing and cooperating with authorities. Tech reporter Juan Brodersen received a statement from Payoneer blaming users, alleging they clicked on phishing links in SMS texts and entered login details on fraudulent pages. Affected users refute this, accusing Payoneer of deflecting responsibility and not addressing potential platform errors or vulnerabilities.

Despite Payoneer's SMS-based 2FA and password recovery process, which relies solely on SMS codes, users argue that the platform should not have had access to later OTP codes required for transactions if the attack was purely phishing-based.

The exact mechanism of the attack remains unclear, with various hypotheses under consideration. Payoneer users in Argentina are advised to withdraw funds or disable SMS-based 2FA and reset passwords until the situation is clarified.

In an update on January 20, a Payoneer spokesperson acknowledged instances of fraud where customers were lured into clicking on phishing links, leading to compromised account credentials or mobile phones. The company asserted swift action to contain fraud attempts and emphasized collaboration with regulators, mobile carriers, and law enforcement agencies. While restitution details vary, Payoneer is actively working to protect customers' funds and recover possible losses.
Read more »
phishing
Critical Infrastructure Cyber Security Cyber-attacks ISRO phishing

Cybersecurity Challenges Faced by ISRO: Chief S Somanath

The Indian Space Research Organisation (ISRO) has been facing over 100 cyber-attacks daily, according to a statement by ISRO Chief S Somanath. The attacks are mostly phishing attempts and malware attacks. 

During the concluding session of the 16th edition of the c0c0n, a two-day international cyber conference in Kerala’s Kochi, Somanath stated that rocket technology, which employs advanced software and chip-based hardware, is more susceptible to cyber-attacks.

ISRO’s Cybersecurity Challenges

"The organization is equipped with a robust cybersecurity network to face such attacks," said Mr. Somnath. "Earlier, the way of monitoring one satellite has changed to a way of software monitoring many satellites at a time. This indicates the growth of this sector. During COVID, it was possible to launch from a remote location which shows the triumph of technology."

During the concluding session of the c0c0n, Kerala Revenue Minister P Rajeev stated that the state government is capable of providing sufficient security to the cyber arena, making it a model for cyber security governance. He stated that The Kerala state government is capable of ensuring cybersecurity and supporting the sector by establishing a Digital University in the state. Additionally, K-Fone ensures internet access in every household in Kerala.

The ISRO is responsible for India’s space program and has been instrumental in launching several satellites and missions. The organization has been targeted by hackers in the past, with reports of cyber-attacks dating back to 2017. The recent statement by the ISRO Chief highlights the increasing threat of cyber-attacks on critical infrastructure.

ISRO’s Cybersecurity Measures

The ISRO has taken several measures to improve its cybersecurity posture. In 2020, the organization launched a cybersecurity policy aimed at protecting its critical infrastructure from cyber threats. The policy outlines guidelines for secure coding practices, access control, incident management, and other security-related aspects.

"We can face the challenges posed by cyber criminals using technology like artificial intelligence with the same technology. There should be research and hard work towards this end," Mr. Somnath said.


Read more »
W3LL
Account Attack BEC Business Compromise Cyber Security Cyberattack CyberCrime Email hack Hacking MFA Microsoft Panel phishing Report Security threat W3LL

W3LL Store: Unmasking a Covert Phishing Operation Targeting 8,000+ Microsoft 365 Accounts

 

A hitherto undisclosed "phishing empire" has been identified in a series of cyber attacks targeting Microsoft 365 business email accounts spanning six years. 

According to a report from cybersecurity firm Group-IB, the threat actor established an underground market called W3LL Store, catering to a closed community of around 500 threat actors. This market offered a custom phishing kit called W3LL Panel, specifically designed to bypass Multi-Factor Authentication (MFA), alongside 16 other specialized tools for Business Email Compromise (BEC) attacks.

Between October 2022 and July 2023, the phishing infrastructure is estimated to have aimed at over 56,000 corporate Microsoft 365 accounts,  compromising at least 8,000 of them. The majority of the attacks were concentrated in countries including the U.S., the U.K., Australia, Germany, Canada, France, the Netherlands, Switzerland, and Italy. The operators of this operation reportedly reaped approximately $500,000 in illegal gains.

Various sectors fell victim to this phishing campaign, notably manufacturing, IT, consulting, financial services, healthcare, and legal services. Group-IB pinpointed almost 850 distinct phishing websites associated with the W3LL Panel during the same timeframe.

The Singapore-based cybersecurity company has characterized W3LL as a comprehensive phishing tool that offers an array of services, encompassing customized phishing tools, mailing lists, and access to compromised servers. This underscores the growing prevalence of phishing-as-a-service (PhaaS) platforms.

The threat actor responsible for this kit has been active since 2017, initially focusing on creating tailored software for bulk email spam (referred to as PunnySender and W3LL Sender) before shifting their attention towards developing phishing tools for infiltrating corporate email accounts.

A key element of W3LL's arsenal is an adversary-in-the-middle (AiTM) phishing kit, capable of evading multi-factor authentication (MFA) protections. It is available for purchase at $500 for a three-month subscription, followed by a monthly fee of $150. The panel not only harvests credentials but also includes anti-bot features to bypass automated web content scanners, prolonging the lifespan of their phishing and malware campaigns.

The W3LL Store extends a 70/30 split on commissions earned through its reseller program to PhaaS affiliates, along with a 10% "referral bonus" for bringing in other trusted parties. To prevent unauthorized distribution or resale, each copy of the panel requires a license-based activation.

BEC attacks employing the W3LL phishing kit involve a preparatory phase to verify email addresses using an auxiliary utility known as LOMPAT, followed by the delivery of phishing messages. Victims who interact with the deceptive link or attachment are directed through an anti-bot script to filter out unauthorized visitors, subsequently landing on the phishing page via a redirect chain employing AiTM tactics to extract credentials and session cookies.

With this access, the threat actor proceeds to log into the target's Microsoft 365 account without triggering MFA, utilizing a custom tool called CONTOOL for automated account discovery. This enables the extraction of emails, phone numbers, and other sensitive information.

Noteworthy tactics employed by the malware author include using Hastebin, a file-sharing service, to store stolen session cookies, and utilizing platforms like Telegram and email for exfiltrating the credentials to criminal actors.

This disclosure comes shortly after Microsoft's warning regarding the proliferation of AiTM techniques through PhaaS platforms, such as EvilGinx, Modlishka, Muraena, EvilProxy, and Greatness, which facilitate unauthorized access to privileged systems at scale without the need for re-authentication.

"What really makes W3LL Store and its products stand out from other underground markets is the fact that W3LL created not just a marketplace but a complex phishing ecosystem with a fully compatible custom toolset that covers almost entire killchain of BEC and can be used by cybercriminals of all technical skill levels," Group-IB's Anton Ushakov said.

"The growing demand for phishing tools has created a thriving underground market, attracting an increasing number of vendors. This competition drives continuous innovation among phishing developers, who seek to enhance the efficiency of their malicious tools through new features and approaches to their criminal operations."


Read more »
threats
Awareness Budget Cyber Security Cyberattacks CyberCrime Data Education Internet National Cyber Security Centre phishing Protection Ransomware Schools SonicWall Students threats

Fortifying Cybersecurity for Schools as New Academic Year Begins

 

School administrators have received a cautionary alert regarding the imperative need to fortify their defenses against potential cyberattacks as the commencement of the new academic year looms. 

The National Cyber Security Centre has emphasized the necessity of implementing "appropriate security measures" to safeguard educational institutions from potential threats and to avert disruptions.

While there are no specific indicators of heightened threats as schools prepare to reopen, the onset of a fresh academic term underscores the potential severity of any cyberattacks during this period. 

Don Smith, the Vice President of the counter-threat unit at Secureworks, a cybersecurity firm, has highlighted the current transitional phase as an opportune moment for cybercriminals. He pointed out that the creation of new accounts for students and staff, as well as the school's approach to portable devices like laptops and tablets, can introduce vulnerabilities.

Smith explained, "Summer is a time when people are using their devices to have fun, play games, that sort of thing. If you've allowed teachers and pupils to take devices home, or let them bring their own, these devices may have picked up infections and malware that can come into the school and create a problem."

Last September, six schools within the same academy trust in Hertfordshire suffered internal system disruptions due to a cyberattack, occurring shortly after the new term had started. 

Additionally, just recently, Debenham High School in Suffolk fell victim to a hack that temporarily crippled all of its computer facilities, prompting technicians to work tirelessly to restore them before the commencement of the new term.

Schools are generally not the primary targets of concentrated cyberattack campaigns, unlike businesses, but they are considered opportunistic targets due to their comparatively less robust defenses. 

Don Smith emphasized that limited budgets and allocation priorities may result in schools having inadequate cybersecurity measures. Basic digital hygiene practices, such as implementing two-factor authentication and keeping software up to date, are crucial for safeguarding vital data.

Moreover, it is imperative for both students and teachers to be regularly educated about cybersecurity threats, including the importance of strong passwords, vigilance against suspicious downloads, and the ability to identify phishing attempts in emails. Mr. Smith noted that cybersecurity is no longer solely the responsibility of a small IT team; instead, all users are on the frontline, necessitating a general understanding of cybersecurity fundamentals.

A recent study revealed that one in seven 15-year-olds is susceptible to responding to phishing emails, especially those from disadvantaged backgrounds with weaker cognitive skills. Professor John Jerrim, the study's author, emphasized the need for increased efforts to help teenagers navigate the increasingly complex and perilous online landscape.

The National Cyber Security Centre, a division of GCHQ, has previously issued warnings regarding the growing prevalence of ransomware attacks targeting the education sector. Ransomware attacks involve criminals infiltrating a network and deploying malicious software that locks access to computer systems until a ransom is paid. Although ransomware attacks temporarily declined during the first quarter of 2023, they have been steadily increasing since then.

SonicWall, a cybersecurity company, emphasized that schools, being repositories of substantial data, are attractive targets for hackers pursuing financial and phishing scams. As schools rely more heavily on internet-based tools in the classroom, they must prioritize cybersecurity, both in terms of budget allocation and mindset, as the new school year approaches.

In response to these concerns, a spokesperson for the Department for Education affirmed that educational institutions bear the responsibility of being aware of cybersecurity risks and implementing appropriate measures. This includes establishing data backups and response plans to mitigate potential incidents.

"We monitor reports of all cyberattacks closely and in any case where there has been an attack, we instruct the department's regional team to offer support," they added. "There is no evidence to suggest that attacks like this are on the rise."
Read more »
Tactics
attacks Blagging Cyber Security Defenses Impersonation phishing Protection Scams Security Tactics

Understanding Blagging in Cybersecurity: Tactics and Implications

 

Blagging might sound intricate, resembling an elaborate hacking maneuver, yet it is remarkably simpler. Despite its less "high-tech" nature compared to other cybercrimes, blagging can inflict significant harm if businesses are unprepared.

Blagging involves crafty fraudsters attempting to deceive or manipulate individuals into divulging confidential information that should remain off-limits.

These blaggers fabricate convincing stories to coax their targets into revealing data that could fuel illicit activities like identity theft, corporate espionage, or extortion.

So, how does blagging work precisely? Here are some typical blagging tactics:

1. Impersonation: The perpetrator pretends to be someone else, such as a colleague, bank representative, or law enforcement officer. This engenders trust and raises the likelihood of the target sharing confidential information. For instance, they might make a call posing as an IT specialist needing a password to rectify a computer issue.

2. Fabricating Urgency: The scammer employs pressure by framing the request as time-critical. Threats to close accounts or initiate legal action are utilized to extract information swiftly, leaving the target with insufficient time to verify the request's legitimacy.

3. Phishing: Blaggers resort to phishing emails or links infused with malware to breach target systems and pilfer data. These emails are meticulously designed to mimic trustworthy sources, enticing victims to click or download.

4. USB Drop Attack: This stratagem entails leaving malware-laden devices like USB drives in public venues where victims are likely to discover and insert them. Parking lots and elevators serve as popular spots to entice unsuspecting individuals.

5. Name-Dropping: Scammers invoke names of genuine managers, executives, or contacts to create an illusion of authorization for accessing otherwise confidential information. This lends credibility to their dubious appeals.

6. Sympathy Ploys: Fraudsters play on the target's empathy by fabricating emotional narratives to manipulate them. They might claim to be single parents requiring funds in an account to feed their family.

7. Quid Pro Quo: Scammers promise incentives like bonuses, time off, or cash in exchange for information. These are hollow assurances employed to achieve their aims.

8. Tailgating: Blaggers physically tail an employee into a building or restricted area to gain access. They rely on people holding doors open or not questioning their presence.

9. Elicitation: Blaggers engage in friendly conversations to surreptitiously extract information about systems, processes, or vulnerabilities. This innocuous approach is perilous due to its seemingly harmless nature.

The crucial point to remember is that these attackers are adept at deceit and will employ any means necessary to attain their objectives.

Defending Against Blagging Attacks

Given the array of cunning tactics utilized by blaggers, how can individuals and businesses shield themselves from these scams? Here are some essential strategies to counter blagging attacks:

1. Verify Claims: Never take claims at face value—always corroborate stories. If someone claims to be tech support or a colleague in need of information, hang up and call back using an official number to confirm legitimacy. Scrutinize email addresses, names, and contact details closely to ensure they match up.

2. Validate Requests: As an employee, investigate any unusual requests, even if they seem urgent or credible. Consider escalating it to a supervisor or submitting a formal request through established channels. Slow down interactions to allow for thorough investigation before divulging confidential data.

3. Limit Account Access: Employers should grant employees only the minimum access required for their tasks. For instance, customer service representatives likely don't need access to financial systems. This containment strategy mitigates potential damage if an account is compromised.

4. Report Suspicious Activity: If a request appears suspicious or a story doesn't add up, voice your concerns. Alert security or management immediately if you suspect a blagging attempt. Monitor systems and user behavior closely for unusual activity.

5. Security Awareness Training: Well-informed employees are more resistant to blagging attempts. Continuous education fortifies the human defense against social engineering. Real-world scenarios and examples should be integrated into training, including simulated phishing emails and unexpected visitors.

6. Layered Security: Employ multiple overlapping security measures instead of relying on a single point of defense. This encompasses physical security controls, perimeter defenses, endpoint security, email security, access controls, and data loss prevention tools.

7. Remain Vigilant: Blagging targets not only businesses but also individuals. Vigilance is necessary to thwart seemingly innocuous calls or emails from scammers posing as various entities. Recognizing blagging techniques and red flags is paramount.

For business proprietors, comprehensive security awareness training and robust technical defenses are instrumental in neutralizing this threat. With the appropriate safeguards in place, blaggers can be effectively deterred.
Read more »
Tips
Authentication Cloud Defense Cyber Security Fraud MFA Multi-Factor Authentication (MFA) Online phishing Phishing Prevention Prevention Privacy Protection Scams Security Tips

Defend Against Phishing with Multi-Factor Authentication

 

Phishing has been a favored attack vector for threat actors for nearly three decades, and its utilization persists until it loses its effectiveness. The success of phishing largely hinges on exploiting the weakest link in an organization's cybersecurity chain—human behavior.

“Phishing is largely the same whether in the cloud or on-prem[ise], in that it’s exploiting human behavior more than it’s exploiting technology,” said Emily Phelps, director at Cyware.

These attacks primarily aim to pilfer credentials, granting threat actors unfettered access within an organization's infrastructure. Yet, successful cloud-based phishing assaults might be more intricate due to the nuanced ownership of the environment.

Phelps explained that in an on-premise scenario, a compromised ecosystem would be under the jurisdiction of an organization's security and IT team. However, in the cloud—like AWS or Azure—a breached environment is managed by respective organizations yet ultimately owned by Amazon or Microsoft.

Cloud Emerges as the Preferred Phishing Arena

As an increasing number of applications gravitate toward cloud computing, threat actors are unsurprisingly drawn to exploit this realm. Palo Alto Networks Unit 42's report unveiled a staggering 1100% surge in newly identified phishing URLs on legitimate SaaS platforms from June 2021 to June 2022.

The report delineated a tactic where visitors to legitimate web pages are enticed to click a link directing them to a credential-stealing site. By leveraging a legitimate webpage as the principal phishing site, attackers can modify the link to direct victims to a new malicious page, thereby sustaining the original campaign's efficacy.

Cloud applications provide an ideal launchpad for phishing assaults due to their ability to bypass conventional security systems. Cloud-based phishing is further facilitated by the ease of luring unsuspecting users into clicking malevolent email links. Beyond SaaS platforms, cloud applications such as video conferencing and workforce messaging are also being increasingly exploited for launching attacks.

The Role of Phishing-Resistant MFA

Among the most robust defenses against credential-stealing phishing attacks is multifactor authentication (MFA). This approach incorporates several security factors, including something known (like a password), something possessed (such as a phone or email for code reception), and/or something inherent (like a fingerprint). By requiring an additional code-sharing device or a biometric tool for authentication, MFA heightens the difficulty for attackers to breach these security layers.

In the event of a user falling prey to a phishing attack and credentials being compromised, MFA introduces an additional layer of verification inaccessible to threat actors. This may involve SMS verification, email confirmation, or an authenticator app, with the latter being recommended by Phelps.

However, as MFA proves effective against credential theft, threat actors have escalated their strategies to compromise MFA credentials. Phishing remains one of their favored methods, as cautioned by the Cybersecurity and Infrastructure Security Agency (CISA):

"In a widely used phishing technique, a threat actor sends an email to a target that convinces the user to visit a threat actor-controlled website that mimics a company’s legitimate login portal. The user submits their username, password, as well as the 6-digit code from their mobile phone’s authenticator app.”

To counter this, CISA endorses phishing-resistant MFA as a strategy to enhance overall cloud security against phishing attacks. Fast ID Online/WebAuthn authentication stands out as a popular option. It operates through separate physical tokens linked to USB or NFC devices or embedded authenticators within laptops and mobile devices.

An alternative approach, albeit less common, is PKI-based phishing-resistant MFA, employing security-chip embedded smart cards linked to both an organization and the individual user. While highly secure, this method necessitates mature security and identity management systems.

While any form of MFA contributes to safeguarding cloud data against phishing, relying solely on commonly used code-sharing methods falls short. Threat actors have devised ways to manipulate users into revealing these codes, often relying on users' inconsistent MFA setup practices. Adopting phishing-resistant MFA and incorporating multiple layers of authentication offers the utmost security against this prevalent cyber threat.
Read more »
Threat Landscape
Business Security Cyber Security Online Safety phishing ransomware attacks Singapore Threat Landscape

Phishing and Ransomware Attacks Continues to Hurt Singapore Businesses

 

Phishing efforts and ransomware remained a significant threat to organisations and individuals in Singapore in 2022, despite indicators that cyber hygiene is improving in the city-state, according to a new report from the country's Cyber Security Agency (CSA).

In contrast to the 3,100 incidents handled in 2021, around 8,500 phishing attempts were reported to the Singapore Cyber Emergency Response Team (SingCert) last year, according to the Singapore Cyber Landscape (SCL) 2022. 

Given its low cost and lax usage constraints, top-level domains ending in ".xyz" are favoured by threat actors in more than half of the recorded cases. 

Banks and other financial institutions were the most frequently impersonated companies in phishing attacks. These businesses are frequent targets because they store sensitive and valuable data such as user names and login credentials. 

According to the CSA, the rise in reported phishing attempts followed global trends. Several cyber security providers noted that phishing activities had increased in 2022. In total, SingCert assisted in the removal of 2,918 harmful phishing websites last year. Organisations in Singapore have also been hit by the global ransomware threat, which shows no signs of decreasing.

In contrast to the 137 incidents reported in 2021, 132 ransomware cases were reported to the CSA last year. While the number of reported ransomware attacks has decreased slightly, it is still alarming that small and medium-sized businesses (SMEs) have been hit, particularly those in manufacturing and retail, which may have valuable data and intellectual property (IP) that cybercriminals are interested in stealing. 

There was also a reduction in infected infrastructure, which the CSA described as compromised systems used for harmful reasons such as executing distributed denial of service (DDoS) attacks or spreading malware and spam. In 2022, the CSA discovered 81,500 infected systems in Singapore, a 13% decrease from 94,000 in 2021. 

Despite a high increase in contaminated infrastructure worldwide, Singapore's global proportion of infected infrastructure declined from 0.84% in 2021 to 0.34% in 2022. Although the drop in infected infrastructure in Singapore indicates an increase in cyber hygiene levels, the absolute number of infected systems in Singapore remains high, according to the CSA. 

Colbalt Strike, Emotet, and Guloader were the top three malware infections on locally hosted command and control servers, while Gamarue, Nymaim, and Mirai were the top three malware infections on locally hosted botnet drones, accounting for about 80% of Singapore IP addresses infected by malware in 2022. 

CSA also noted potential threats in its research, such as those related with the expanding deployment of artificial intelligence, which might be leveraged by both cyber attackers and defenders. While machine learning can provide real-time insights about cyber threats, it can also be utilised for malicious purposes, such as highly focused spear-phishing efforts. 

"2022 saw a heightened cyber threat environment fuelled by geopolitical conflict and cybercriminal opportunism as Covid-19 restrictions began to ease," noted David Koh, commissioner of cyber security and CEO of CSA.

"As with many new technology, emerging technologies such as chatbots have two sides. While we should be optimistic about the opportunities it presents, we must also manage the risks that come with it. "The government will continue to increase its efforts to protect our cyberspace, but businesses and individuals must also play a role," he added.
Read more »
phishing
Cyber Attacks CyberCrime DDoS Email Microsoft 365 Microsoft Outlook Outlook phishing

Outlook Services Paralyzed: Anonymous Sudan's DDoS Onslaught

 


In the last few days, several distributed denial-of-service (DDoS) attacks have been launched against Microsoft Outlook, one of the world's leading email providers. Anonymous Sudan, a hackers' collective, has launched DDoS attacks against Microsoft Outlook. The attacks, which aim to disrupt services and create concerns about various issues, have disrupted Outlook users worldwide. Additionally, online platforms are quite vulnerable to cyber threats because they are hosted online. 

Several outages have been reported today on Outlook.com for the same reason as yesterday's outages. Anonymous Sudan, an Internet hacking collective, claims that it performs DDoS attacks against the service on hackers' behalf. 

It has been claimed, however, that the hacktivist group Anonymous Sudan is responsible for the attack. They assert that they are conducting a distributed denial of service (DDoS) attack on Microsoft's service in protest of US involvement in Sudanese internal affairs by operating cyberattacks against its infrastructure. 

Approximately 1 million Outlook users across the globe have been affected by this outage, which follows two more major outages yesterday. Due to this issue, Outlook's mobile app cannot be used by users in a wide range of countries as users cannot send or receive emails. 

There have been complaints on Twitter about Outlook's spotty email service. Users assert that it has impacted their productivity as a result. 

It was announced over the weekend that the hacktivist group would be launching a campaign against the US as a response to the US interference in Sudanese internal affairs recently as part of its anti-US campaign. They cited the visit made by Secretary of State Antony Blinken to Saudi Arabia last week, in which he discussed the ongoing humanitarian situation in the country. 

There has also been an announcement by the White House that economic sanctions will be imposed on various corrupt government entities in Sudan, including the Sudanese Armed Forces (SAF) and the Rapid Support Forces (RSF), which are considered responsible for the escalation of the conflict. 

In response to this, Anonymous Sudan launched a distributed denial of service attack in late November, targeting the ride-sharing platform Lyft, in an attempt to overload a site or server with bot requests, thereby essentially bringing it to a standstill. 

It is also worth noting that several regional healthcare providers across the country were also taken offline during the weekend campaign.

Email communication was interrupted by several disruptions, including delayed or failed delivery of messages, intermittent connectivity problems, and slow response times. This was as a result of this issue. Individual users were inconvenienced by these interruptions; however, businesses that rely on Outlook for their day-to-day operations were also facing challenges as a result of these disruptions. This attack demonstrates the vulnerability of online platforms and emphasizes the need for robust cybersecurity measures to guard against threats of this nature. This is to ensure online platforms remain secure. 

In many tweets posted to Twitter by Microsoft, the company has alternated back and forth between saying they have mitigated the issue and that the issue is back again, implying that these outages are caused by technical issues. 

A group called Anonymous Sudan is claiming responsibility for the outages, claiming they are out to protest the US infiltrating Sudanese internal affairs through its involvement in the DDoS attacks against Microsoft and claim responsibility for the outages as well.

As a result of the continuous DDoS attacks on Microsoft Outlook and Microsoft 365 services, the group has been taunting Microsoft in its statements in the past month. 

There is increasing evidence that Microsoft Outlook continues to suffer crippling attacks from Anonymous Sudan, which frequently result in the suspension of service and the growth of concerns about the security of the online environment due to DDoS attacks launched by Anonymous Sudan. It has been observed that these deliberate disruptions hurt the user experience and the online platform. This is because these disruptions expose them to cyber threats. 

This ongoing situation only confirms the importance of cybersecurity measures to safeguard critical online services. The necessity of introducing these measures would be essential to ensure their protection in the future. Additionally, it raises questions about the platform's ability to cope with persistent and coordinated attacks on its cybersecurity system. 

The case between Anonymous Sudan and Microsoft in a world where cybersecurity threats are increasing by the day, serves as a timely reminder of the importance of continuous vigilance. This is to prevent these threats from becoming stronger as they progress in a direction not fully understood by users.
Read more »
TOTPs
Cyberattacks CyberCrime Microsoft PaaS Password PayPal phishing Privacy TOTPs

Convincing Phishing Pages are Now Possible With Phishing-as-a-Service

 


In several phishing campaigns since mid-2022, a previously unknown phishing-as-a-service (PaaS) offering named "Greatness" has been used as a backend component for various spam campaigns. In addition to MFA bypass, IP filtering, and integration with Telegram bots, Greatness includes features found in some of the most advanced PaaS offerings. These features include integration with some of the most advanced PaaS offerings. 

Phishing attacks are mostly social engineering attacks. Depending on who conducts the attack, they can target a wide range of people. There is a possibility that these emails are spam or scam emails looking to access PayPal accounts. 

There is also the possibility of phishing being an attack specifically targeted at a particular individual. Attackers often tailor their emails to speak directly to you and include information only available from an acquaintance. When an attacker gains access to your data, he or she usually obtains this information. Even if the recipient is very cautious in their responses, it is very difficult for them to avoid being a victim when an email of this kind is sent. Based on research conducted by PhishMe Research, over 97% of all fraudulent emails sent to consumers contain ransomware. 

As a result of the availability of phishing kits like Greatness, threat actors, rookies, and professionals alike, now can design convincing login pages that comply with the account registration process of various online services while bypassing the two-factor authentication protections offered by the service.

As a result of this, the fake pages that appear to be authentic behave as a proxy for the attacker to harvest credentials entered by victims and time-based one-time passwords (TOTPs). 

In addition to the possibility of conducting phishing through text messages, social media, and phone calls, the term 'phishing' is most commonly used in the context of attacks that appear via email. Oftentimes, phishing emails can reach thousands of users directly and disguise themselves among the myriad of benign emails that are received by busy users every day. As a result of attacks, malicious code may be installed on systems (such as ransomware), systems may be sabotaged, and intellectual property may be stolen. 

The focus of Greatness is, for now, limited to Microsoft 365 phishing pages, which allows its affiliates to create highly convincing decoy and login pages, using Greatness' attachment and link builder. The attack incorporates features such as pre-filling the victim's email address and showing the victim's appropriate company logo and background image, which were derived from the actual Microsoft 365 login page in which the victim worked or worked for the target organization. The complexity of the software makes Greatness a particularly attractive option for businesses that do phishing. 

A geographic analysis of the targets in a number of the various campaigns that are ongoing and have been conducted in the past revealed the majority of victims to be companies based in the U.S., U.K., Australia, South Africa, and Canada, with manufacturing, health care, and technology sectors being the most frequently targeted industries. There are slight differences in the exact distribution of victims between each campaign and each country in terms of the sector and location. 

Whenever affiliates deploy and configure the phishing kit provided by Greatness, they can access its more advanced features without technical knowledge. They may even take advantage of the service's more advanced features even if they are unskilled. There are two types of phishing kits. One uses an API to generate phishing claims. The other uses a phishing kit to perform a "man-in-the-middle attack" and generate phishing claims. 

In the latest UK government survey titled "Cyber Security Breaches Survey 2021", the UK government reports that phishing remains the "most common attack vector" when it comes to attack attempts involving their systems. Even though phishing is still being used due to its continued success, up to 32% of employees click on a phishing email link while up to 8% of employees are unaware of the sending. 

The risk of a data breach or malware infection is greatly increased when an individual clicks on a link in a phishing email and then enters their login credentials to access company resources. There are always going to be several levels of privilege escalation, even when an employee has lower access privileges. Cybercriminals put a lot of effort into making their phishing attack vector as convincing as possible to increase their chances of success. 

With the emergence of the Greatness product, Microsoft 365 users are at higher risk of being compromised. Phishing pages can appear more convincing and effective against businesses. Approximately 90% of the affiliates of Greatness target businesses according to the data that Cisco Talos collected. A study of the targeted organizations across several campaign campaigns indicates that manufacturing is the sector given the most attention. This is followed by the healthcare and technology sectors. 

The threat was first observed during mid-2022, and according to VirusTotal, a spike in activity was experienced in December 2022 and March 2023. This was a time when attachment samples increased considerably. 

As part of the attack chain, malicious emails often contain HTML attachments which are executed on opening. This code often contains obfuscated JavaScript code which redirects the recipient to a landing page with their email address pre-filled and prompts them for a password and two-factor authentication code to access the site. 

The credentials entered are forwarded via Telegram to the affiliate's Telegram channel. They will be used to gain unauthorized access to the accounts being accessed. 

If a victim opens an attachment that contains an HTML file, the web browser will execute some narrow JavaScript code that will establish a connection to the attacker's server to get the HTML code of the phishing page. In turn, the attacker's server will display the phishing page to the user in the same browser window. An image of a spinning wheel is displayed on the screen in the code, pretending to show that the document is being loaded, with a blurred image. 

The PaaS is then responsible for connecting to Microsoft 365 and impersonating the victim to log into the victim's account. As a result, if the service detects that MFA is being used, it will prompt the victim to authenticate by using their chosen MFA method (e.g., SMS code, voice call code, push notification, according to the website). 

After a service receives the MFA, the service will continue to impersonate the victim behind the scenes to complete the login process. This will enable it to collect authenticated session cookies associated with the victim. The affiliates will then receive these updates through their Telegram channel or via an email directly from the web panel, depending on which method they choose. 

As it works in conjunction with the API, the phishing kit creates a "man-in-the-middle" attack, asking the victim for information, which is then passed to the legitimate login page in real time, and is further logged by the API. 

If the victim uses MFA (Master Key Authentication), the PaaS affiliate can steal the user passwords and usernames associated with the account and the authenticated session cookies. This is one of the reasons why the Telegram bot is used - it notifies the attacker as soon as possible about valid cookies so that they can make a quick move if the target looks interesting. This likely is one of the reasons why authenticated sessions typically expire after a while, which is one of the reasons the bot is utilized.
Read more »
Subscribe to: Posts (Atom)