Search This Blog

Showing posts with label phishing. Show all posts

'Washing Checks' and 'Mailbox Phishing' Emerge as Popular Crimes

 

Fraudsters attempt to steal paper checks from mailboxes, "washing" them with nail polish remover and filling in new amounts and payees, causing victims and their banks, which usually foot the bill, to suffer indefinitely. The black market for "glass" — pilfered checks sold online with the assurance that they will clear at the bank — is becoming more widespread and sophisticated. 

Criminals are diversifying into the sale of stolen account numbers and identity theft, as well as the "arrow keys" used by mail carriers to open multiple boxes. Following the theft of the checks, a large amount of mail, including mail-in voter ballots, is dumped. Thieves either "fish" letters out of the mail slot or rob postal workers of their mail and arrow keys. 

"We see [sellers] offering $1,000 to $7,000 a key, depending on the number of mailboxes in the ZIP code," states David Maimon, a cybercrime expert at Georgia State University who has been tracking the surge.

As per Maimon, personal checks now "go up to $250" apiece, up from $125 to $175 previously this year. Washed business checks can now fetch up to $650, up from $250.
 
"It's gone berserk," says Frank McKenna, a banking fraud consultant who traces the phenomenon back to the pandemic-era surge in stolen stimulus checks and unemployment benefits.

Maimon's Evidence-Based Cybersecurity Research Group has been monitoring 60 black-market communication channels to study the online fraud ecosystem for more than two years. He claims that most illegal activity occurs on Telegram, though how-to videos on check-washing can also be found on YouTube.
 
While California, New York, New Jersey, and Florida are among the most affected, Maimon tells Axios that "we're seeing this spreading to distant states." And the data sold with a check has changed significantly: fraudsters now offer the check-Social writer's Security number as well as account balances obtained from the dark web.

"We're talking about a very sophisticated supply chain at this point. It's just mind-boggling how things have evolved."The United States Postal Service has placed warning signs on blue mailboxes, advising people to use online bill pay or bring their letters to a post office," he further added.

Because checks written in indelible ink cannot be washed, gel pens are marketed as "fraud prevention." Congress recently held a hearing on "rampant" mail theft, the scope of which is unknown. Banks are staffing up in check processing to combat fraud while blaming staffing cuts at the US Postal Inspection Service, the USPS' law enforcement arm.

"Check fraud has become so widespread due to brazen criminality and mail theft that many banks are struggling to collect on bad checks from other banks," the American Banker reports." Though fraud losses are skyrocketing at all banks, small banks appear to be bearing the brunt of check fraud," the news site said. 

"Banks typically reimburse their customers when a fraudulent or stolen check gets posted against their account, but getting repaid for a bad check has become a long, drawn-out affair."

The Postal Inspection Service is on the hot seat over the issue. The Postal Inspection Service, for its part, claims that it has made "significant security enhancements" to mailboxes and that postal inspectors made 1,511 arrests for mail theft in 2021, with 1,263 convictions.

"It's really frustrating that banks are being held liable because the Postal Service can't secure the mail," says Paul Benda, senior vice president for operational risk and cybersecurity at the American Bankers Association." These numbers may seem impressive at first blush, but they are not," he said in congressional testimony.

The bottom line is that "much more systematic data on this type of fraud is needed to better understand how it works, crack down on the activity, and prevent it from occurring in the first place," according to Maimon.

The Four Major Types of Spoofing Attacks and How to Avoid Them

 

Spoofing is the act of concealing a communication or identity so that it appears to be from a reliable, authorized source. Spoofing attacks can take many forms, ranging from the common email spoofing attacks used in phishing campaigns to caller ID spoofing attacks used to commit fraud. 

As part of a spoofing attack, attackers may also target more technical elements of an organization's network, such as an IP address, domain name system (DNS) server, or Address Resolution Protocol (ARP) service. 

Spoofing attacks typically prey on trusted relationships by impersonating a person or organization known to the victim. These messages may even be personalized to the victim in some cases, such as whale phishing attacks that use email spoofing or website spoofing. there are various types of spoofing attacks. Here are three of the most common.
  • IP spoofing attack
An IP spoofing attack occurs when an attacker attempts to impersonate an IP address in order to pretend to be another user. The attacker sends packets from a false source address during an IP address spoofing attack. These IP packets are sent to network devices and function similarly to a DoS attack. To overwhelm a device with too many packets, the attacker uses multiple packet addresses.
 
IP spoofing attacks, which are one of the more common types of spoofing attacks, can be detected using a network analyzer or bandwidth monitoring tool. Monitoring your network will allow you to monitor normal traffic usage and detect abnormal traffic. This alerts  that something isn't right and allows you to investigate further.

If looking for IP addresses and flow data in particular that can lead you to illegal internet traffic. Detecting IP spoofing attacks early is critical because they frequently occur as part of DDoS (Direct Denial of Service) attacks, which can bring the entire network down.
  • Email Spoofing Attacks
Email spoofing attacks occur when an attacker sends an email that appears to be from another sender. The sender field is spoofing in these attacks to display bogus contact information. The attacker pretends to be this entity and then sends you an email asking for information. These attacks are frequently used to impersonate administrators and request account information from other members of staff.
 
Email spoofing attacks are perhaps the most dangerous because they directly target employees. Responding to the wrong email can give an attacker access to sensitive information. If you receive a spoofed email, your first line of defense should be to be skeptical of email display names.

Attackers frequently spoof display names, so double-check the email address. If the email contains any links, you can open them in a new window to see if they are legitimate. It's also a good idea to look for spelling mistakes and other inaccuracies that could indicate the sender isn't legitimate.
  • DNS Spoofing Attacks
DNS, or domain name system, attacks jumble up the list of public IP addresses. DNS servers maintain a database of public IP addresses and hostnames that are used to aid in network navigation. When a DNS attack occurs, the attacker alters domain names, causing them to be rerouted to a new IP address.

One example is when you enter a website URL and are directed to a spoofed domain rather than the website you intended to visit. This is a common method for attackers to introduce worms and viruses into networks.

It is a good idea to use a tool like dnstraceroute to detect a DNS spoofing attack. DNS spoofing attacks rely on an attacker spoofing the DNS response. Using dnstraceroute, you can see where the DNS request was answered. You'll be able to see the DNS server's location and whether someone spoofed the DNS response.

DHL: Most-Spoofed Brand in Phishing

 

DHL is the most spoofed brand in phishing emails, according to Check Point. Between July and September 2022, crooks most frequently used the brand name in their attempts to steal personal and payment information from marks, with the shipping giant accounting for 22% of all global phishing attempts intercepted by the cybersecurity firm. 

On June 28, DHL informed customers that it was the victim of a "major global scam and phishing attack," and that it was "working hard to block the fraudulent websites and emails." In the phishing attempts, criminals used a tried-and-true phony message, falsely alerting customers that their package could not be delivered and requesting personal and payment information to proceed with the delivery.

These types of urgent requests — to change a password or, in this case, delivery or payment information — are especially effective at stealing credentials, as we saw with the recent Oktapus cybercrime spree.

Check Point discovered one phishing email that attempted to impersonate DHL and was sent from the address "info@lincssourcing[.]com." The report stated that crooks altered it to appear as if the sender was "DHL Express."

The subject line of the email, "Undelivered DHL(Parcel/Shipment)," as well as the message, attempted to dupe the victim into clicking on a malicious link claiming that they needed to update their delivering address in order to receive the package. Of course, the URL does not actually lead to DHL's website. Instead, it redirects them to a bogus, attacker-controlled website with a form asking the victim to enter their name and password, which the crooks then steal.

These stolen credentials can then be used to obtain additional account information, such as payment information, or simply sold to other identity thieves on dark-web forums. While DHL tops the list of stolen brands, Check Point reports that Microsoft is in second place for third-quarter phishing scams, accounting for 16% of all campaigns based on brand recognition. LinkedIn, which topped the list in both the first and second quarters of this year, fell to third place with 11 percent.

Victims are more likely to click on a malicious link that appears to be sent from a trusted brand, which feeds the phishing pool. It is a low-cost crime with a high return on investment for criminals. Last year, phishing attacks were by far the most commonly reported cybercrime, with 323,972 reported to the FBI and victims losing $44.2 million.

Check Point detailed another brand-spoofing phish example in which criminals used a fake OneDrive email to try to steal a user's Microsoft account information. The message was sent from "websent@jointak[.]com[.]hk," with "OneDrive" as a bogus sender name, and the subject: "A document titled 'Proposal' has been shared with you on Onedrive."

The Microsoft-brand phish, like the DHL spoof, attempts to trick the victim into clicking on a malicious link that spoofs a Microsoft web app login page and then enter their account password. As a general rule, users should avoid emails that request personal information or credit card information.

New Phishing Campaign Targets Saudi Government Service Portal

 

Multiple phishing domains imitating Absher, the Saudi government service portal, have been set up to provide citizens with fraudulent services and steal their credentials. CloudSEK cybersecurity researchers made the discovery and published an advisory about the threat on Thursday. 

"The threat actors are targeting individuals by sending an SMS, along with a link, urging people to update their information on the Absher Portal," wrote the security experts. "The phishing website presents users with a fake login portal, compromising the login credentials." 

According to CloudSEK, after the bogus 'login,' a pop-up appears on the site requesting a four-digit one-time password (OTP) sent to the registered mobile number, which is most likely used to bypass multifactor authentication (MFA) on the legitimate Absher Portal. 

"Any four-digit number is accepted as an OTP without verification, and the victim successfully logs in to the fake portal," CloudSEK clarified. 

After completing the bogus login process, the user is prompted to fill out a registration form, revealing sensitive personally identifiable information (PII), before being redirected to a new page where they are asked to select a bank. They are then taken to a bogus bank login portal designed to steal their credentials. 

"After submitting the internet banking login details, a loading icon pops up, and the page gets stuck, while the user banking credentials have already been compromised," the security researchers wrote.

According to CloudSEK, government services in the Saudi region have recently become a prime target for cyber-criminals looking to compromise user credentials and use them to launch additional cyber-attacks.

"Multiple phishing domains have been registered to gain the PII of individuals in Saudi Arabia," the company wrote.

To lessen the impact of these attacks, CloudSEK urged government organizations to monitor phishing campaigns targeting citizens and to inform and educate them about the dangers, such as not clicking on suspicious links. The warning comes just weeks after CloudSEK discovered a separate phishing campaign targeting Saudi KFC and McDonald's customers.

Phishing Attack Spoofs Zoom to Steal Microsoft User Credentials

 

Phishing attacks work by imitating a well-known or trusted brand, product, or company, with the aim of duping recipients into disclosing sensitive account information. That was the case in a recent phishing campaign investigated by security firm Armorblox, in which the attacker impersonated Zoom in an attempt to compromise Microsoft user credentials. 

The phishing email, which was sent to over 21,000 users at a national healthcare company, had the subject line "For [name of recipient] on Today, 2022," with each user's actual name listed as the recipient. The email, which displayed the Zoom name and logo, stated that the person had two messages awaiting their response. The recipient had to click on the main link to read the alleged messages.

The main button would have directed users to a bogus landing page impersonating a Microsoft login page. The victims were directed at the site to enter their Microsoft account password in order to verify their identity before they could obtain the messages. To further silence them into a false sense of security, the landing page pre-populated the username field with the person's actual email address. Any Microsoft passwords entered on the page would, of course, be captured by the attackers.

The initial phishing email, sent from a valid domain, bypassed Microsoft Exchange email security controls because it passed the usual email authentication checks, such as DomainKeys Identified Mail, Sender Policy Framework, and Domain-based Message Authentication Reporting and Conformance. Instead, the emails were barred from being sent from reaching user inboxes by Armorblox security.

How to Protect Your Company from Phishing

Armorblox makes the following recommendations to help you protect your organisation and employees from these types of phishing attackers:

The email described in the report evaded Microsoft security measures, indicating that you should supplement your native email security with stronger and more layered tools. Consult Gartner's Market Guide for Email Security and Armorblox's 2022 Email Security Threat Report to find the right product.

Users are advised to:
  • Be wary of social engineering ploys.
  • Adopt proper password hygiene
  • Use multi-factor authentication

Malicious Actors Are Exploiting ‘App Mode’ in Chromium Browsers for Phishing Attacks

 

Thanks to a new phishing technique, malicious actors could siphon private details by merely impersonating legit login forms in Application Mode. 

The Application Mode feature can be accessed in all Chromium-based browsers, which includes Google Chrome, Microsoft Edge, and Brave. 

According to mr.d0x, a security researcher who has also unearthed the Browser-in-the-Browser (BitB) attack and Microsoft WebView2 phishing methods previously, desktop applications are normally harder to spoof, hence, victims don’t pay much attention to as compared to browser windows that are more widely exploited for phishing. 

Chrome's application mode is created to provide native-like experiences in a manner that causes the website to be launched in a separate browser window, while also showing the website's favicon and concealing the address bar. 

Additionally, the hacker-controlled malicious site can employ JavaScript to perform multiple operations, such as immediately closing the window when the victim inputs the credentials or resizing and positioning it to gain the desired result. 

It's worth noting that the methodology works on other operating systems as well, including macOS and Linux, making it a possible cross-platform threat. However, the effectiveness of the assault depends on the hacker gaining control over the computer before following up with this phishing technique, be it via malware or through directing the victim to enable it and run a Windows shortcut with the malicious URL. 

Meanwhile, Google is discontinuing support for Chrome apps in favor of Progressive Web Apps (PWAs) and web-standard technologies, and the feature is likely to be completely phased out in Chrome 109 or later on Windows, macOS, and Linux. 

"The --app feature was deprecated before this research was published, and we are taking its potential for abuse into account as we consider its future. Users should be aware that running any file provided by an attacker is dangerous. Google's Safe Browsing helps protect against unsafe files and websites,” Google stated.

“While Safe Browsing is enabled by default in Chrome, users may want to enable Enhanced protection, which inspects the safety of your downloads to better warn you when a file may be dangerous. Enhanced protection can be found in Chrome Settings > Privacy and security > Security.We encourage the security research community to continue to report issues and vulnerabilities through our vulnerability rewards program: g.co/chrome/vrp."

Telecom Giant Optus Suffers Data Breach, Leaking Info of Million Customers


Millions of customers suffer a data leak

Optus, an Australian telecom giant earlier this week confirmed that around 2.1 million of its present and past customers suffered data leaks that included their personal details,  at least one type of identification number, as a consequence of a data breach that happened late in September. 

Others believe that the Optus data breach incident has exposed the personal information of around 10 million people. Cybercrime in Australia has always been a pressing issue, it costs the country a minimum of $10 Million per year, and the figures can only go up. 

Due to exposing to hyper-personal information like DoB, driving license, passport, residential address, etc. Threat actors will misuse your information for applying for credit on your behalf without you knowing about it. 

What do criminals do with stolen data?

If cybercriminals find some agency willing to give credit, they'll immediately spend it, resulting in load default, it will put a black mark against your name, and you won't even know about it until you need the credit for yourself the next time. 

Optus said that it has contacted Deloitte for assistance, and will do an external forensic inquiry of the breach to know how the incident happened and how Optus can take preventive measures to stop it from happening again. 

Singtel, a telecommunication conglomerate in Singapore is the parent company of Optus, it also shares a few stakes in Bharti Airtel, the second largest telecommunication carrier in India. Singtel on its website said:

"Approximately 1.2 million customers have had at least one number from a current and valid form of identification, and personal information, compromised."

What kind of information was leaked?

Singtel also said that the leak has impacted expired IDs and personal info of around 900,000 additional customers, stressing that leaked data doesn't include valid or current document ID numbers for around 7.7 million customers. Customers are advised to stay vigilant about possible smishing and phishing attacks. 

In the Optus incident involving the customers that are most affected, state law enforcement agencies and Australian police are working together on "Operation Guardian" to help with securing the identity of the impacted customers. 

The next step for Optus

Optus has informed the affected customers that their personal information has been compromised in the breach, also including Medicare IDs. Optus on 28 September disclosed- out of 9.8 million customer records leaked, the leak involved around 14,900 working Medicare IDs and 22,000 expired Medicare card numbers.

The data leak incident surfaced on September 22, involving a threat actor getting unauthorized access to customer details. The criminals used the alias "optusdata," and they leaked a small sample of the stolen data of 10,200 users, demanding Optus to pay a ransom of $1 million to stop more leaks. 

It raises a question for you: why can't I control my own identity? The answer, is you can, by limiting how and where you share your information. 

However, the Optus data leak has made us all doubt if we can trust any organization?  












North Korean Hackers Create Fake Job Offers to Target Industry Professionals Worldwide

 

ZINC, a sub-division of the notorious North Korean Lazarus hacking group, has been weaponizing open-source software with custom malware capable of data theft, espionage, financial gain and network disruption since June 2022. 

According to Microsoft threat analysts who unearthed a new phishing campaign, the malicious hackers have weaponized a wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installers to launch malware attacks against organizations in the aerospace, media, IT services, and defense sectors. 

Hackers exploiting social media platforms 

The next time you receive a text on LinkedIn, scan it twice. Microsoft warns that the APT group has been actively employing open-source software infected with trojans to target industry professionals located in India, Russia, the UK, and the USA. 

The hackers pose as job recruiters and connect with individuals of targeted organizations over LinkedIn. Once the victims are convinced to move the conversation over from LinkedIn to WhatsApp, which provides encrypted communication, the hackers moved on to the next step. During the WhatsApp conversation, the targets receive malicious software that allows ZINC to install malware on their systems. 

LinkedIn’s threat prevention and defense team confirmed spotting bogus profiles designed by North Korean hackers mimicking recruiters working at prominent media, defense, and tech firms. It is worth noting that LinkedIn is owned by Microsoft Corporation since 2016. 

Attacking methodology 

According to a joint blog post by Microsoft Security Threat Intelligence and LinkedIn Threat Prevention and Defense, the malicious KiTTY and PuTTY applications employs a sophisticated technique to ensure that only selected targets are compromised with malware and not others. 

To achieve this, the app installers do not drop malware directly but are installed only when the apps link to a specific IP address and employ login credentials given to the targets by fake recruiters. The malicious actors also employ DLL search order hijacking to install and decrypt a second-stage payload when this key ‘0CE1241A44557AA438F27BC6D4ACA246’ is presented for command and control.

Microsoft has published the full list of IoCs (indicators of compromise) discovered during investigations in their blog post and is urging the cybersecurity community to remain vigilant, given its extensive usage and use of authentic software products. 

"Zinc attacks appear to be motivated by traditional cyberespionage, theft of personal and corporate data, financial gain, and corporate network destruction," the company stated. “Zinc attacks bear many hallmarks of state-sponsored activities, such as heightened operational security, sophisticated malware that evolves over time, and politically motivated targeting."

Germany: Individual Hacker Arrested for Stealing € 4 Million via Phishing Attacks

 

Germany’s federal criminal police, Bundeskriminalamt (BKA) carried out home raids on three suspects for executing a large-scale phishing campaign, defrauding internet users of €4 million. The phishing campaign was carried out by the charged suspects between October 3, 2020, and May 29, 2021, as per the evidence gathered by the German Computer Crime Office. 

One of the three suspects, a 24-year-old, has been arrested and charged by the BKA, the second, a 40-year-old, has also been charged with 124 acts of computer fraud, while the investigation for the third suspect is still ongoing.  

The hackers allegedly defrauded their victims by imitating as legitimate German banks and sending them phishing e-mails that were clones of messages from some real banks.  

“These e-mails were visually and linguistically believable based on real bank e-mails. The victims were informed in these letters that their house bank would change their security system – and their own account would be affected [...] The e-mail recipients were thus tricked into clicking on a link, which in turn led to a deceptively real-looking bank page. There, the phishing victims were asked to enter their login data and a current TAN, which in turn enabled the fraudsters to see all the data in the account of the respective victim – including the amount of credit and availability. The perpetrators then contacted the victims and tricked them into revealing further TAN numbers as alleged bank employees. With the TAN, they were then able to withdraw funds from the accounts of the victims.” reads the statement issued by BKA. 

The phishing emails reportedly informed the internet users of the changes in their respective bank’s security systems, beseeching the victims to click on an embedded link to continue using the bank’s services. The links redirected victims to a landing page, asking them to enter their credentials and Transaction Authentication Number (TAN), allowing the hackers access to their online banking accounts and withdrawal funds.  

According to the BKA, the hackers even used DDoS against the banks to conceal their fraudulent transactions. "In order to carry out their crimes, the accused are said to have resorted to offers from other cybercriminals who worked on the dark net, selling various forms of cyber-attacks as crime-as-a-service." BKA stated in an announcement. 

In regard to the active cases of phishing attacks and online fraud, the police urged internet users to take certain cautionary measures, such as never clicking a link or opening file attachments in emails that appear to be from a legitimate bank. If in doubt, the users are recommended to contact their banks personally or obtain information from the bank’s respective websites.

PyPI Alerts of First-ever Phishing Campaign Against its Users

 

The Python Package Index, PyPI, issued a warning this week about an ongoing phishing campaign aimed at stealing developer credentials and injecting malicious updates into the repository's packages.

“Today we received reports of a phishing campaign targeting PyPI users. This is the first known phishing attack against PyPI.” states the warning.

The phishing messages are intended to trick recipients into clicking a link in order to comply with a new Google mandatory validation process for all packages. Recipients are urged to complete the validation process by September to avoid having their packages removed from PyPI.

When users click the link, they are taken to a Google Sites landing page that looks similar to PyPI's login page. After obtaining the user account credentials, the attackers were able to push malicious updates to legitimate packages.

“The phishing attempt and the malicious packages are linked by the domain linkedopports[.]com, which appears in the malicious package code and also functions as the location to which the phishing site tries to send the stolen credentials.” reads the analysis published by Checkmarx.

This campaign's malicious packages attempt to download and execute a file from the URL hxxps:/python-release[.]com/python-install.scr. The packages had a low detection rate at the time of discovery; the malicious code is digitally signed and unusually large (63MB) in an attempt to evade AV detection).

The researchers also discovered another domain associated with this attacker's infrastructure, "ledgdown[.]com," which was registered under the same IP address. This domain masquerades as the official website of the cryptocurrency assets app "ledger live."
`
“This is another step in the attacks against open source packages and open source contributors.” concludes the post. “We recommend checking your network traffic against the IOCs listed below and as always, encouraging contributors to use 2FA.”

PyPI announced that it is revising its eligibility requirements for the hardware security key programme in the aftermath of the phishing attack. Any maintainer of a critical project, regardless of whether they already have TOTP-based 2FA enabled, it said.

Researchers: AiTM Attack are Targeting Google G-Suite Enterprise Users

 

A large-scale adversary-in-the-middle (AiTM) phishing campaign targeting enterprise users of Microsoft email services has also targeted Google Workspace users. 

"This campaign specifically targeted chief executives and other senior members of various organizations which use [Google Workspace]," Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu detailed in a report published this month.

The AiTM phishing attacks are said to have begun in mid-July 2022, using a similar method to a social engineering campaign designed to steal users' Microsoft credentials and even circumvent multi-factor authentication. 

The low-volume Gmail AiTM phishing campaign also includes the use of compromised emails from CEOs to conduct additional social engineering, with the attacks also utilizing several compromised domains as an intermediate URL redirector to take victims to the final landing page.

Attack chains entail sending password expiry emails to potential targets that encompass an embedded malicious link to supposedly "extend your access," tapping which takes the recipient to Google Ads and Snapchat redirect pages that load the phishing page URL.

Aside from open redirect abuse, a second variant of the attacks uses infected sites to host a Base64-encoded version of the next-stage redirector in the URL, as well as the victim's email address. This intermediate redirector is a piece of JavaScript code that directs you to a Gmail phishing page.

In one case, the redirector page used in the Microsoft AiTM phishing attack on July 11, 2022, was revised to take the user to a Gmail AiTM phishing page, connecting the two campaigns.

"There was also an overlap of infrastructure, and we even identified several cases in which the threat actor switched from Microsoft AiTM phishing to Gmail phishing using the same infrastructure," the researchers said.

Overall, the findings suggest that multi-factor authentication safeguards alone are insufficient to defend against advanced phishing attacks, necessitating that users scrutinize URLs before entering credentials and avoid opening attachments or clicking on links in emails sent from untrusted or unknown sources.

Spanish Banking Trojan Attacks Various Industry Verticals

 

A new campaign aimed at delivering the Grandoreiro banking trojan has targeted organisations in the Spanish-speaking countries of Mexico and Spain. 

"In this campaign, the threat actors impersonate government officials from the Attorney General's Office of Mexico City and from the Public Ministry in the form of spear-phishing emails in order to lure victims to download and execute 'Grandoreiro,' a prolific banking trojan that has been active since at least 2016, and that specifically targets users in Latin America," Zscaler said in a report.

The ongoing attacks, which began in June 2022, have been observed to target the automotive, civil and industrial construction, logistics, and machinery sectors in Mexico and the chemicals manufacturing industries in Spain via multiple infection chains. 

The attack chain involves using spear-phishing emails written in Spanish to trick potential victims into clicking on an embedded link that retrieves a ZIP archive from which a loader disguised as a PDF document is extracted to trigger the execution. To activate the infections, the phishing messages prominently incorporate themes revolving around payment refunds, litigation notifications, mortgage loan cancellation, and deposit vouchers.

"This [loader] is responsible for downloading, extracting and executing the final 400MB 'Grandoreiro' payload from a Remote HFS server which further communicates with the [command-and-control] Server using traffic identical to LatentBot," Zscaler researcher Niraj Shivtarkar said.

The loader is also intended to collect system information, retrieve a list of installed antivirus solutions, cryptocurrency wallets, banking, and mail apps, and then exfiltrate the data to a remote server.

Grandoreiro is a modular backdoor with a plethora of functionalities that enable it to record keystrokes, execute arbitrary commands, mimic mouse and keyboard movements, restrict access to specific websites, auto-update itself, and establish persistence via a Windows Registry change. It has been observed in the wild for at least six years.

Furthermore, the malware is written in Delphi and employs techniques such as binary padding to increase binary size by 200MB, CAPTCHA implementation for sandbox evasion, and C2 communication through subdomains generated by a domain generation algorithm (DGA).

The CAPTCHA technique, in specific, necessitates the victim to manually complete the challenge-response test in order to execute the malware in the compromised machine, implying that the implant is not executed unless and until the CAPTCHA is solved.

According to the findings, Grandoreiro is constantly evolving into sophisticated malware with novel anti-analysis characteristics, granting the attackers full remote access and posing significant threats to employees and their organisations.

The information comes just over a year after Spanish authorities apprehended 16 members of a criminal network in connection with the operation of Mekotio and Grandoreiro in July 2021.

Global Scam Operation "Classiscam" Expanded to Singapore

 

Classiscam, a sophisticated scam-as-a-service business, has now entered Singapore, after more than 1.5 years  migrating to Europe. 

"Scammers posing as legitimate buyers approach sellers with the request to purchase goods from their listings and the ultimate aim of stealing payment data," Group-IB said in a report shared with The Hacker News. 

The operators were described as a "well-coordinated and technologically advanced scammer criminal network" by the cybersecurity firm. Classiscam is a Russia-based cybercrime operation that was originally detected in the summer of 2019 but only came to light a year later, coinciding with an uptick in activity due to an increase in online buying following the COVID-19 epidemic. 

Classiscam, the pandemic's most commonly utilised fraud scheme, targets consumers who use marketplaces and services related to property rentals, hotel bookings, online bank transfers, online retail, ride-sharing, and package deliveries. Users of major Russian ads and marketplaces were initially targeted, before spreading to Europe and the United States. 

Over 90 active organisations are said to be utilising Classiscam's services to target consumers in Bulgaria, the Czech Republic, France, Kazakhstan, Kirghizia, Poland, Romania, Ukraine, the United States, and Uzbekistan. The fraudulent operation spans 64 countries in Europe, the Commonwealth of Independent States (CIS), and the Middle East, and employs 169 brands to carry out the assaults. Criminals using Classiscam are reported to have gained at least $29.5 million in unlawful earnings between April 2020 and February 2022. 

This campaign is remarkable for its dependence on Telegram bots and conversations to coordinate activities and generate phishing and scam pages. Here's how it all works: Scammers put bait advertising on famous marketplaces and classified websites, frequently promising game consoles, laptops, and cellphones at steep prices. When a potential victim contacts the seller (i.e., the threat actor) via the online storefront, the Classiscam operator dupes the target into continuing the conversation on a third-party messaging service like WhatsApp or Viber before sending a link to a rogue payment page to complete the transaction. 

The concept includes a hierarchy of administrators, workers, and callers. While administrators are in charge of recruiting new members, automating the building of scam pages, and registering new accounts, it is the employees that make accounts on free classifieds websites and submit the false advertising. 

"Workers are key participants of the Classiscam scam scheme: their goal is to attract traffic to phishing resources," the researchers said. 

In turn, the phishing URLs are produced by Telegram bots that replicate the payment pages of local classified websites but are housed on lookalike domains. This necessitates the workers to submit the URL containing the bait product to the bot. 

"After initial contact with the legitimate seller, the scammers generate a unique phishing link that confuses the sellers by displaying the information about the seller's offer and imitating the official classified's website and URL," the researchers said. 

"Scammers claim that payment has been made and lure the victim into either making a payment for delivery or collecting the payment." 

The phishing pages also offer the option of checking the victim's bank account balance in order to find the most "valuable" cards. Furthermore, some cases involve a second attempt to deceive the victims by phoning them and requesting a refund in order to collect their money back. 

These calls are made by assistant employees posing as platform tech support professionals.  In this scenario, the targets are sent to a fraudulent payment page where they must input their credit card information and confirm it with an SMS passcode. Instead of a refund, the victim's card is charged the same amount again.

While the aforementioned method is an example of seller scam, in which a buyer (i.e., victim) receives a phishing payment link and is cheated of their money, buyer scams also exist.

A fraudster contacts a legal vendor as a client and sends a bot-generated fraudulent payment form imitating a marketplace, ostensibly for verification purposes. However, after the seller inputs their bank card details, an amount equal to the cost of the goods is debited from their account.

Classiscammers' complete attack infrastructure consists of 200 domains, 18 of which were constructed to deceive visitors of an undisclosed Singaporean classified website. Other sites in the network masquerade as Singaporean movers, European, Asian, and Middle Eastern classified websites, banks, markets, food and cryptocurrency businesses, and delivery services.

"As it sounds, Classiscam is far more complex to tackle than the conventional types of scams," Group-IB's Ilia Rozhnov siad. "Unlike the conventional scams, Classiscam is fully automated and could be widely distributed. Scammers could create an inexhaustible list of links on the fly."

"To complicate the detection and takedown, the home page of the rogue domains always redirects to the official website of a local classified platform."

Alert! Large-Scale AiTM Attacks Targeting Enterprise Users

 

A new large-scale phishing effort has been reported that use adversary-in-the-middle (AitM) tactics to circumvent security safeguards and attack business email accounts. 

Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu said in a Tuesday report, "It uses an adversary-in-the-middle (AitM) attack technique capable of bypassing multi-factor authentication. The campaign is specifically designed to reach end users in enterprises that use Microsoft's email services." 

Fintech, lending, insurance, energy, manufacturing, and federal credit union verticals are major objectives in the United States, United Kingdom, New Zealand, and Australia. This is not the first time a phishing attack has been identified. Microsoft revealed this month that over 10,000 businesses had been targeted by AitM tactics to compromise accounts protected by multi-factor authentication since September 2021 (MFA). 

The ongoing campaign, which began in June 2022, starts with an invoice-themed email addressed to targets that include an HTML file with a phishing URL placed within it. Opening the attachment in a web browser takes the email recipient to a phishing website posing as a Microsoft Office login page, but not before fingerprinting the infected system to assess whether the victim is the targeted target. 

AitM phishing attacks go beyond standard phishing tactics aimed to steal credentials from unsuspecting users, primarily when MFA is implemented - a security barrier that prohibits the attacker from login into the account using just the stolen credentials. To get around this, the rogue landing page created using a phishing kit acts as a proxy, capturing and relaying all traffic between the client (i.e., victim) and the email server. 

"The kits intercept the HTML content received from the Microsoft servers, and before relaying it back to the victim, the content is manipulated by the kit in various ways as needed, to make sure the phishing process works," the researchers stated. 

This also includes replacing any links to Microsoft domains with identical connections to the phishing domain to guarantee that the back-and-forth with the phoney website continues throughout the session. According to Zscaler, the attacker manually logged into the account eight minutes after the credential theft, reading emails and verifying the user's personal information. 

Furthermore, compromised email inboxes are often used to send further phishing emails as part of the same campaign to conduct business email compromise (BEC) frauds. The researchers noted, "Even though security features such as multi-factor authentication (MFA) add an extra layer of security, they should not be considered as a silver bullet to protect against phishing attacks. With the use of advanced phishing kits (AiTM) and clever evasion techniques, threat actors can bypass both traditional as well as advanced security solutions."

US Government Alerts Americans of Rising SMS Phishing Attacks

 

The Federal Communications Commission (FCC) has cautioned Americans about an increase in SMS (Short Message Service) phishing attacks aimed at stealing their personal information and money. Such attacks are also known as smishing or robotexts (as the FCC refers to them), and the fraudsters behind them may utilise a variety of enticements to fool you into disclosing sensitive information. 

"The FCC tracks consumer complaints – rather than call or text volume – and complaints about unwanted text messages have risen steadily in recent years from approximately 5,700 in 2019, 14,000 in 2020, 15,300 in 2021, to 8,500 through June 30, 2022," the US communications watchdog's Robocall Response Team said [PDF]. 

"In addition, some independent reports estimate billions of robotexts each month – for example, RoboKiller estimates consumers received over 12 billion robotexts in June." 

Smishing baits reported to the FCC by American customers include statements concerning unpaid bills, package delivery concerns, bank account problems, or police enforcement activities. Links sending users to landing pages imitating bank websites and requesting them to authenticate a transaction or unlock frozen credit cards are among the most clever and persuasive baits used in text message phishing attempts. 

Phishing SMS messages may also be faked to make it look that the sender is someone you're more likely to trust, such as the IRS or a company one is familiar with. While some attackers will try to steal financial information, others are less fussy and will collect whatever personal information they can get their hands on to use in later frauds or sell to other bad actors. The FCC suggests the following methods to protect against SMS phishing attacks:
  • Do not respond to texts from unknown numbers or any others that appear suspicious.
  • Never share sensitive personal or financial information by text.
  • Be on the lookout for misspellings or texts that originate with an email address.
  • Think twice before clicking any links in a text message. If a friend sends you a text with a suspicious link that seems out of character, call them to ensure they weren't hacked.
  • If a business sends you a text you weren't expecting, look up their number online and call them back.
  • Remember that government agencies almost never initiate contact by phone or text.
  • Report texting scam attempts to your wireless service provider by forwarding unwanted texts to 7726 (or "SPAM").
"If you think you're the victim of a texting scam, report it immediately to your local law enforcement agency and notify your wireless service provider and financial institutions where you have accounts," the FCC added.

Defective WordPress Plugin Permits Full Invasion

 

According to security researchers, a campaign scanning almost 1.6 million websites was made to take advantage of an arbitrary file upload vulnerability in a previously disclosed vulnerable WordPress plugin.

Identified as CVE-2021-24284, the vulnerability that affects Kaswara Modern WPBakery Page Builder Addons, when exploited, gives an unauthorized attacker access to sites using any version of the plugin and enables them to upload and delete files or instead gain complete control of the website.

Wordfence reported the vulnerability over three months ago, and in a new alert this week it warned that attackers are scaling up their attacks, which began on July 4 and are still active. The WordPress security provider claims to have halted 443,868 attacks on client websites per day and strives to do the same till date. Daily, on average, 443,868 tries are made.

Malicious code injection  

The hacker attempts to upload a spam ZIP payload that contains a PHP file using the plugin's 'uploadFontIcon' AJAX function by sending a POST request to 'wp-admin/admin-ajax/php'.

Afterward, this file pulls the NDSW trojan, which inserts code into the target sites' legitimate Javascript files to reroute users to dangerous websites including phishing and malware-dropping sites. You've likely been infected if any of your JavaScript files contain the string "; if(ndsw==" or if these files themselves contain the "; if(ndsw==" string.

All versions of the software are vulnerable to an attack because the bug was never patched by the software creators, and the plugin is currently closed. The bug hunters stated that although 1,599,852 different sites were hit, a bulk of them wasn't hosting the plugin, and they believed that between 4,000 and 8,000 sites still have the vulnerable plugin installed.

Blocking the attackers' IP addresses is advised even if you are not utilizing the plugin. Visit Wordfence's blog for additional information on the indicators and the sources of requests that are the most common.

If you're still using it, you need to remove the Kaswara Modern WPBakery Page Builder Addons plugin from your WordPress website.

Microsoft: Large-Scale AiTM Phishing Attacks Against 10K+Organizations

 

More than 10,000 companies were targeted in a large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites. Microsoft identified a large-scale phishing effort that employed adversary-in-the-middle (AiTM) phishing sites to steal passwords, hijack a user's sign-in session, and circumvent authentication even when the victim had activated MFA. 

Threat actors utilise AiTM phishing to set up a proxy server between a target user and the website the user desires to access, which is the phishing site controlled by the attackers. The proxy server enables attackers to intercept communications and steal the target's password and a session cookie. 

Threat actors started business email compromise (BEC) attacks against other targets after obtaining the credentials and session cookies needed to access users' mails. Since September 2021, Microsoft specialists think the AiTM phishing effort has targeted over 10,000 companies. 

Phishing using AITM 

By impersonating the Office online authentication page, the landing sites utilised in this campaign were meant to attack the Office 365 authentication process. Microsoft researchers discovered that the campaign's operators utilise the Evilginx2 phishing kit as its AiTM infrastructure. Threat actors utilised phishing emails with an HTML file attachment in several of the attacks seen by the experts. The message alerted recipients that they had a voice message in order to deceive them into opening the file.
 
The analysis published by Microsoft states, “This redirector acted as a gatekeeper to ensure the target user was coming from the original HTML attachment. To do this, it first validated if the expected fragment value in the URL—in this case, the user’s email address encoded in Base64—exists. If the said value existed, this page concatenated the value on the phishing site’s landing page, which was also encoded in Base64 and saved in the “link” variable.”

“By combining the two values, the succeeding phishing landing page automatically filled out the sign-in page with the user’s email address, thus enhancing its social engineering lure. This technique was also the campaign’s attempt to prevent conventional anti-phishing solutions from directly accessing phishing URLs.” 

After capturing the session cookie, the attackers inserted it into their browser to bypass the authentication procedure, even if the receiver had activated MFA for his account. Microsoft advises organisations to use systems that enable Fast ID Online (FIDO) v2.0 and certificate-based authentication to make their MFA deployment "phish-resistant."

Microsoft also advises establishing conditional access controls if an attacker attempts to utilise a stolen session cookie and monitoring for suspicious or anomalous activity, such as sign-in attempts with suspicious features and odd mailbox operations. 

“This AiTM phishing campaign is another example of how threats continue to evolve in response to the security measures and policies organisations put in place to defend themselves against potential attacks. While AiTM phishing attempts to circumvent MFA, it’s important to underscore that MFA implementation remains an essential pillar in identity security. MFA is still very effective at stopping a wide variety of threats; its effectiveness is why AiTM phishing emerged in the first place," concludes the report.

Hackers Target National Portal of India Via ‘Unprecedented’ Phishing Method

 

On Thursday, cyber-security experts announced the discovery of an "unprecedented, sophisticated" phishing method that has been extorting people from official websites worldwide, including the Indian government's portal https://india.gov.in. 

According to AI-driven cyber-security startup CloudSEK, threat actors have been targeting the Indian government's webpage by using a fake URL to deceive users into entering sensitive information such as credit card numbers, expiration months, and CVV codes. 

In a most advanced phishing technique known as Browser-in-the-Browser (BitB) attack, hackers imitate the browser window of the Indian government website, most typically SSO (single sign-on) pages, with a unique login. BitB attacks impersonate reputable websites in order to steal user passwords and other sensitive data such as personally identifying information (PII). The new URL that emerges as a result of the BitB attack looks to be legitimate. 

"The bad actors have also replicated the original page's user interface. Once their victims click into the phishing page, a pop-up appears on the phoney window claiming that their systems have been blocked, posing as a notification from the Home Affairs Enforcement and Police," the researchers asserted. 

The users are then alerted that their excessive usage of pornographic websites is banned under Indian law, and they are asked to pay a Rs 30,000 fee in order to unlock their computers.

"They are given a form to fill out in order to pay the fine, which asks them to divulge personal information, including their credit card information. The victims become panicked because the warning has a sense of urgency and appears to be time-bound," the researchers stated. 

The information entered by the victims into the form is sent to the attacker's server. Once the attackers have obtained the card information, it may be sold to other purchasers in a bigger network of cyber criminals, or the victim may be extorted for more funds. 

When users attempt to connect to a website, they may click on a malicious link that appears as an SSO login pop-up window. Users are requested to check in to the website using their SSO credentials when they visit the provided URL. The victims are then sent to a fraudulent webpage that appears just like the SSO page. The attack often triggers single sign-on windows and presents bogus web pages that are identical to the legitimate page. 

"Combine SSO with MFA (multi-factor authentication) for secure login across accounts, check for suspicious logins and account takeovers and avoid clicking on email links from unknown sources," the researchers suggested.

Google Blocked Dozens of Domains Used by Hack-for-hire Groups

 

Google's Threat Analysis Group released a blog post on Thursday detailing the actions of hack-for-hire groups in Russia, India, and the United Arab Emirates. More than 30 domains used by these threat groups have been added to the internet giant's Safe Browsing system, preventing users from accessing them. 

Hack-for-hire groups are sometimes confused with businesses that provide surveillance tools. As per Google, surveillance vendors often give the tools required for spying but leave it up to the end-user to run them, whereas hack-for-hire groups perform the attacks themselves. Several hack-for-hire groups have been found in recent years. Google's investigation focuses on three groups thought to be based in India, Russia, and the United Arab Emirates. 

Google has been tracking the threat actor linked to India since 2012, with some of its members formerly working for offensive security firms. They now appear to be employed by Rebsec, a new firm that publicly sells corporate espionage services. The group has been observed phishing credentials for AWS, Gmail, and government services accounts from healthcare, government, and telecom firms in the Middle East. 

The Russia-linked threat actor, known as Void Balaur by others, has targeted journalists, politicians, NGOs and organisations, and persons who looked to be ordinary residents in Russia and neighbouring nations. Phishing was also used in these assaults. 

“After the target account was compromised, the attacker generally maintained persistence by granting an OAuth token to a legitimate email application like Thunderbird or generating an App Password to access the account via IMAP. Both OAuth tokens and App Passwords are revoked when a user changes their password,” explained Shane Huntley, director of Google’s Threat Analysis Group. 

This group also had a public website where it advertised social media and email account hacking services. The UAE group primarily targets government, political, and educational groups in North Africa and the Middle East. This threat actor also employs phishing emails, but unlike many other organisations, it employs a custom phishing kit rather than open source phishing frameworks. 

“After compromising an account, the actor maintains persistence by granting themselves an OAuth token to a legitimate email app like Thunderbird, or by linking the victim Gmail account to an attacker-owned account on a third-party mail provider. The attacker would then use a custom tool to download the mailbox contents via IMAP,” Huntley said. 

Google believes Mohammed Benabdellah, who was sued by Microsoft in 2014 for developing the H-Worm (njRAT) malware, is associated with the group.

This Banking Trojan is Targeting Users of Spanish Financial Services

 

A previously unreported Android banking trojan targeting users of the Spanish financial services business BBVA has been spotted in the wild. 

The malware, named 'Revive' by Italian cybersecurity firm Cleafy and believed to be in its early stages of development, was first discovered on June 15, 2022, and propagated via phishing operations. 

"The name Revive has been chosen since one of the functionality of the malware (called by the [threat actors] precisely 'revive') is restarting in case the malware stops working," Cleafy researchers Federico Valentini and Francesco Iubatti said in a Monday write-up. 

Downloadable from malicious phishing websites ("bbva.appsecureguide[.]com" or "bbva.european2fa[.]com"), the malware impersonates the bank's two-factor authentication (2FA) app as a bait to mislead users into installing the software and is reported to be inspired by open-source spyware dubbed Teardroid, with the authors altering the original source code to integrate new features.

In contrast to other banking malware that are known to target a wide range of financial apps, Revive is targeted for a single target, in this case, the BBVA bank. However, it is similar to its competitors in that it uses Android's accessibility services API to achieve its operational goals. 

Revive is primarily designed to gather the bank's login credentials via lookalike websites and allow account takeover attacks. It also has a keylogger module to record keystrokes and the ability to intercept SMS messages sent by the bank, particularly one-time passwords and two-factor authentication codes. 

"When the victim opens the malicious app for the first time, Revive asks to accept two permissions related to the SMS and phone calls. After that, a clone page (of the targeted bank) appears to the user and if the login credentials are inserted, they are sent to the [command-and-control server] of the TAs," the researchers further stated.

The findings emphasise the importance of exercising caution while installing software from unknown third-party sources.