Search This Blog

Showing posts with label phishing. Show all posts

This Banking Trojan is Targeting Users of Spanish Financial Services

 

A previously unreported Android banking trojan targeting users of the Spanish financial services business BBVA has been spotted in the wild. 

The malware, named 'Revive' by Italian cybersecurity firm Cleafy and believed to be in its early stages of development, was first discovered on June 15, 2022, and propagated via phishing operations. 

"The name Revive has been chosen since one of the functionality of the malware (called by the [threat actors] precisely 'revive') is restarting in case the malware stops working," Cleafy researchers Federico Valentini and Francesco Iubatti said in a Monday write-up. 

Downloadable from malicious phishing websites ("bbva.appsecureguide[.]com" or "bbva.european2fa[.]com"), the malware impersonates the bank's two-factor authentication (2FA) app as a bait to mislead users into installing the software and is reported to be inspired by open-source spyware dubbed Teardroid, with the authors altering the original source code to integrate new features.

In contrast to other banking malware that are known to target a wide range of financial apps, Revive is targeted for a single target, in this case, the BBVA bank. However, it is similar to its competitors in that it uses Android's accessibility services API to achieve its operational goals. 

Revive is primarily designed to gather the bank's login credentials via lookalike websites and allow account takeover attacks. It also has a keylogger module to record keystrokes and the ability to intercept SMS messages sent by the bank, particularly one-time passwords and two-factor authentication codes. 

"When the victim opens the malicious app for the first time, Revive asks to accept two permissions related to the SMS and phone calls. After that, a clone page (of the targeted bank) appears to the user and if the login credentials are inserted, they are sent to the [command-and-control server] of the TAs," the researchers further stated.

The findings emphasise the importance of exercising caution while installing software from unknown third-party sources.

This Android-wiping Malware is Evolving into a Constant Threat

 

The threat actors responsible for the BRATA banking trojan have refined their techniques and enhanced the malware with data-stealing capabilities. Cleafy, an Italian mobile security business, has been following BRATA activity and has discovered variations in the most recent campaigns that lead to extended persistence on the device. 

"The modus operandi now fits into an Advanced Persistent Threat (APT) activity pattern. This term is used to describe an attack campaign in which criminals establish a long-term presence on a targeted network to steal sensitive information," explains Cleafy in a report this week.

The malware has also been modified with new phishing tactics, new classes for requesting further device permissions, and the inclusion of a second-stage payload from the command and control (C2) server. BRATA malware is also more focused, as researchers determined that it concentrates on one financial institution at a time and only switches to another when countermeasures render its attacks ineffective.

For example, instead of getting a list of installed applications and retrieving the appropriate injections from the C2, BRATA now comes pre-loaded with a single phishing overlay. This reduces harmful network traffic as well as interactions with the host device. 

In a later version, BRATA gains greater rights to transmit and receive SMS, which can aid attackers in stealing temporary codes such as one-time passwords (OTPs) and two-factor authentication (2FA) that banks send to their clients. After nesting into a device, BRATA retrieves a ZIP archive containing a JAR ("unrar.jar") package from the C2 server. 

This keylogging utility tracks app-generated events and records them locally on the device along with the text contents and a timestamp. Cleafy's analysts discovered that this tool is still in its early stages of development. The researchers believe the author's ultimate purpose is to exploit the Accessibility Service to obtain data from other apps. 

BRATA's development 

In 2019, BRATA emerged as a banking trojan capable of screen capture, app installation, and turning off the screen to make the device look powered down. BRATA initially appeared in Europe in June 2021, utilising bogus anti-spam apps as a lure and employing fake support personnel who duped victims and fooled them into handing them entire control of their devices. 

In January 2022, a new version of BRATA appeared in the wild, employing GPS tracking, several C2 communication channels, and customised versions for different locations. Cleafy has discovered a new project: an SMS stealer app that talks with the same C2 infrastructure as the current BRATA version and the shift in tactics. 

It uses the same structure and class names as BRATA but appears to be limited to syphoning brief text messages. It currently targets the United Kingdom, Italy, and Spain. To intercept incoming SMS messages, the application requests that the user designate it as the default messaging app, as well as authorization to access contacts on the device. 

For the time being, it's unclear whether this is only an experiment in the BRATA team' to produce smaller apps focused on certain roles. What is obvious is that BRATA continues to evolve at a two-month interval. It is critical to be watchful, keep your device updated, and avoid installing apps from unapproved or dubious sources.

Reverse Tunnelling & URL Shortening Services Used in Evasive Phishing

 

Researchers are detecting an increase in the usage of reverse tunnel services, as well as URL shorteners, for large-scale phishing operations, leaving malicious activity more difficult to detect. This strategy differs from the more typical practise of registering domains with hosting providers, who are more inclined to answer complaints and remove phishing sites. 

Threat actors can use reverse tunnels to host phishing websites locally on their own computers and route connections through an external service. They can evade detection by using a URL shortening service to produce new links as frequently as they desire. Many phishing URLs are renewed in less than 24 hours, making tracing and eliminating the domains more complex. 

CloudSEK, a digital risk prevention company, has seen a rise in the number of phishing efforts that combine reverse tunnelling and URL shortening services. According to a report shared with BleepingComputer by the business, researchers discovered more than 500 sites hosted and disseminated in this manner. CloudSEK discovered that the most extensively misused reverse tunnel services are Ngrok, LocalhostRun, and Cloudflare's Argo. They also saw an increase in the use of URL shortening services such as Bit.ly, is.gd, and cutt.ly. 

Reverse tunnel services protect the phishing site by managing all connections to the local server where it is housed. The tunnel service resolves any incoming connections and forwards them to the local computer. Victims who interact with these phishing sites have their personal data saved directly on the attacker's computer. Thus according to CloudSEK, the threat actor conceals the name of the URL, which is often a string of random characters, by utilising URL shorteners. 

As a result, a suspicious domain name is masked under a short URL. Opponents, according to CloudSEK, are disseminating these links using popular communication channels such as WhatsApp, Telegram, emails, SMS, or bogus social media pages. It is important to note that the abuse of these services is not new. 

In February 2021, for example, Cyble produced proof of Ngrok misuse. However, according to CloudSEK's results, the situation is worsening. CloudSEK discovered one phishing campaign that impersonated YONO, a digital banking platform provided by the State Bank of India. The attacker's URL was masked under "cutt[.]ly/UdbpGhs" and directed to the site "ultimate-boy-bacterial-generates[.]trycloudflare[.]com/sbi," which made advantage of Cloudflare's Argo tunnelling service. 

This phishing page asked for bank account information, PAN card numbers, Aadhaar unique identification numbers, and mobile phone numbers. CloudSEK did not disclose the effectiveness of this operation, but it did point out that threat actors seldom use the same domain name for more than 24 hours, however, they do recycle the phishing page designs.

"Even if a URL is reported or blocked, threat actors can easily host another page, using the same template" - CloudSEK 

This sensitive information may be sold on the dark web or utilised by attackers to deplete bank accounts. If the information comes from a business, the threat actor might use it to execute ransomware attacks or business email compromise (BEC) fraud. 

Users should avoid clicking on links obtained from unknown or dubious sources to protect themselves from this sort of danger. Manually typing a bank's domain name into the browser is an excellent way to avoid being exposed to a bogus website.

Suspected Phishing Email Fraudster Arrested in Nigeria

 

A Nigerian man has been arrested by Interpol and African cops on suspicion of running a multi-continent cybercrime network that specialised in sending phishing emails to businesses. His alleged operation was behind so-called business email compromise (BEC), a combination of fraud and social engineering in which employees at targeted firms are duped into doing things like wiring money to scammers or sending sensitive information abroad. 

This is done by impersonating executives or suppliers and sending messages with instructions on where to deliver payments or data, often by getting into an employee's work email account. The 37-year-arrest old's is part of a year-long counter-BEC operation code-named Operation Delilah, which began with intelligence from cybersecurity firms Group-IB and Palo Alto Networks Unit 42, and Trend Micro. 

According to the groups involved, Op Delilah, which began in May 2021, is another success story from Interpol's Cyber Fusion Center, a public-private partnership between law enforcement and industry experts based in Singapore. The arrest, however, comes after the FBI issued a strong warning about BEC earlier this month, claiming that it is still the most costly threat to businesses throughout the world. Between June 2016 and December 2022, email scams cost businesses and people at least $43.3 billion. 

The FBI stated that BEC continues to develop and change, targeting small local companies to larger enterprises, and personal transactions, adding that it monitored a 65 per cent increase in identified global exposed losses, with victims in 177 countries, between July 2019 and December 2021. When law enforcement attempted to catch the suspected fraudster in this case, he fled Nigeria in 2021. He attempted to return to Nigeria in March 2022 but was recognised and detained as a result of the intelligence-gathering relationship. The intelligence was passed on to Nigerian police by Interpol's African Joint Operation against Cybercrime (AFJOC), which was assisted by law enforcement from Australia, Canada, and the United States. Nigerian cops eventually apprehended the man at Lagos' Murtala Mohammed International Airport. Delilah is the third in a series of law-enforcement actions that have resulted in the identification and arrest of suspected gang members. 

"The arrest of this alleged prominent cybercriminal in Nigeria is testament to the perseverance of our international coalition of law enforcement and Interpol's private sector partners in combating cybercrime," Garba Baba Umar, assistant inspector general of the Nigeria Police Force, said in a statement this week. 

The security companies involved in the operation closely monitored the alleged Nigerian BEC crew under the name SilverTerrier, or TMT, and Delilah is the third in a series of law-enforcement actions that have resulted in the identification and arrest of these suspected gang members. Delilah was preceded by the Interpol-led Falcon I and Falcon II operations, which took place in 2020 and 2021 and resulted in the arrest of 14 members of the criminal gang. 

The earlier operations, as well as the most recent one, were assisted by Unit 42 and Group-IB, among other security analysts. TMT has been tracked by Group-IB since 2019. We're warned that by 2020, the criminals would have infiltrated more than 500,000 businesses in 150 nations. One of the defendants seized in Nigeria during Falcon II had more than 50,000 possible victim domain credentials on his laptop, according to Interpol. 

Meanwhile, Unit 42 researchers allege that the 37-year-old Nigerian detained as part of Delilah has been a criminal since 2015. 

The security analysts at Palo Alto Networks wrote in a blog, "We have identified over 240 domains that were registered using this actor's aliases. Of that number, over 50 were used to provide command and control for malware. Most notably, this actor falsely provided a street address in New York city associated with a major financial institution when registering his malicious domains." 

They discovered that he has a stated affinity for ISRStealer, Pony, and LokiBot malware. He also prefers enormous gold, blingy jewellery, according to a social media snapshot of the alleged perp on the Unit 42 blog. According to the security researchers, the suspect is well-connected with other BEC criminals and also appears to share social media contacts with a trio detained in 2021 as part of Falcon II.

Bad Bot Traffic is Significantly Contributing to Rise of Online Scam

 

Recently, many organizations have been left wrestling with the challenge of overcoming the rise in bot traffic, which is also sometimes referred to as non-human traffic. According to an Imperva analysis, bad bots, or software applications that conduct automated operations with malicious intent, accounted for a record-breaking 27.7% of all global internet traffic in 2021, up from 25.6 percent in 2020. Account takeover (ATO), content or price scraping, and scalping to purchase limited-availability items were the three most typical bot attacks. 

Bot traffic has the potential to damage organisations if they do not learn how to recognise, control, and filter it. Sites that rely on advertising in addition to sites that sell limited-quantity products and merchandise are particularly vulnerable. Bad bots are frequently the first sign of online fraud, posing a threat to both digital enterprises and their customers. 

Evasive bad bots accounted for 65.6 percent of all bad bot traffic in 2021, a grouping of moderate and advanced bad bots that circumvent ordinary security protections. This type of bot employs the most advanced evasion strategies, such as cycling through several IP addresses, using anonymous proxies, changing identities, and imitating human behaviour. 

Bad bots make it possible to exploit, misuse, and assault websites, mobile apps, and APIs at high speed. Personal information, credit card details, and loyalty points can all be stolen if an attack is successful. Organizations' non-compliance with data privacy and transaction requirements is exacerbated by automated misuse and online fraud. 

Bad bot traffic is increasing at a time when businesses are making investments to improve online customer experiences. More digital services, greater online functionality, and the creation of broad API ecosystems have all emerged.

Unfortunately, evil bot operators will use this slew of new endpoints to launch automated assaults. The key findings of the research are:
  • Account takeover grew148% in 2021: In 2021, 64.1% of ATO attacks used an advanced bad bot. Financial Services was the most targeted industry (34.6%), followed by Travel (23.2%). The United States was the leading origin country of ATO attacks (54%) in 2021. The implications of account takeover are extensive; successful attacks lock customers out of their accounts, while fraudsters gain access to sensitive information that can be stolen and abused. For businesses, ATO contributes to revenue loss, risk of non-compliance with data privacy regulations, and tarnished reputations.
  • Travel, retail, and financial services targeted by bad bots: The volume of attacks originating from sophisticated bad bots was most notable across Travel (34.2%), Retail (33.8%), and Financial Services (8.8%) in 2021. These industries remain a prime target because of the valuable personal data they store behind user login portals on their websites and mobile apps.
  • The proportion of bad bot traffic differs by country: In 2021, Germany (39.6%), Singapore (39.1%), and Canada (30.2%) experienced the highest volumes of bad bot traffic, while the United States (29.1%) and the United Kingdom (29.7%) were also higher than the global average (27.7%) of bad bot traffic.
  • 35.6% of bad bots disguise as mobile web browsers: Mobile user agents were a popular disguise for bad bot traffic in 2021, accounting for more than one-third of all internet traffic, increasing from 28.1% in 2020. Mobile Safari was a popular agent in 2021 because bots exploited the browser’s improved user privacy settings to mask their behaviour, making them harder to detect.
According to the findings, no industry will be immune to negative bot activity in 2021. Bots hoarding popular gaming consoles and clogging vaccine appointment scheduling sites gained attention in 2021, but any degree of bot activity on a website can create considerable downtime, degrade performance, and reduce service reliability.

Phishing Scam Adds a Chatbot Like Twist to Steal Data

 

According to research published Thursday by Trustwave's SpiderLabs team, a newly uncovered phishing campaign aims to reassure potential victims that submitting credit card details and other personal information is safe. 

As per the research, instead of just embedding an information-stealing link directly in an email or attached document, the procedure involves a "chatbot-like" page that tries to engage and create confidence with the victim. 

Researcher Adrian Perez stated, “We say ‘chatbot-like’ because it is not an actual chatbot. The application already has predefined responses based on the limited options given.” 

Responses to the phoney bot lead the potential victim through a number of steps that include a false CAPTCHA, a delivery service login page, and finally a credit card information grab page. Some of the other elements in the process, like the bogus chatbot, aren't very clever. According to SpiderLabs, the CAPTCHA is nothing more than a jpeg file. However, a few things happen in the background on the credit card page. 

“The credit card page has some input validation methods. One is card number validation, wherein it tries to not only check the validity of the card number but also determine the type of card the victim has inputed,” Perez stated.

The campaign was identified in late March, according to the business, and it was still operating as of Thursday morning. The SpiderLabs report is only the latest example of fraudsters' cleverness when it comes to credit card data. In April, Trend Micro researchers warned that fraudsters were utilising phoney "security alerts" from well-known banks in phishing scams. 

Last year, discussions on dark web forums about deploying phishing attacks to capture credit card information grew, according to Gemini Advisory's annual report. Another prevalent approach is stealing card info directly from shopping websites. Researchers at RiskIQ claimed this week that they've noticed a "constant uptick" in skimming activity recently, albeit not all of it is linked to known Magecart malware users.

Welcome “Frappo”: Resecurity Discovered a New Phishing-as-a-Service

 

The Resecurity HUNTER squad discovered "Frappo," a new underground service available on the Dark Web. "Frappo" is a Phishing-as-a-Service platform that allows fraudsters to host and develop high-quality phishing websites that imitate significant online banking, e-commerce, prominent stores, and online services in order to steal client information. 

Cybercriminals created the platform in order to use spam campaigns to spread professional phishing information. "Frappo" is widely advertised on the Dark Web and on Telegram, where it has a group of over 1,965 members where hackers discuss their success in targeting users of various online sites. The service first appeared on the Dark Web on March 22, 2021, and has been substantially updated. The most recent version of the service was registered on May 1, 2022. 

"Frappo" allows attackers to operate with stolen material in an anonymous and encrypted manner. It offers anonymous billing, technical assistance, upgrades, and a dashboard for tracking acquired credentials. "Frappo" was created as an anonymous cryptocurrency wallet based on a Metamask fork. It is totally anonymous and does not require a threat actor to create an account. 

Amazon, Uber, Netflix, Bank of Montreal (BMO), Royal Bank of Canada (RBC), CIBC, TD Bank, Desjardins, Wells Fargo, Citizens, Citi, and Bank of America are among the financial institutions (FIs) for which the service creates phishing pages. The authors of "Frappo" offer hackers a variety of payment options based on the length of their subscription.  "Frappo," works like SaaS-based services and platforms for legitimate enterprises, enabling hackers to reduce the cost of developing phishing kits and deploy them on a larger scale. Notably, the phishing page deployment procedure is totally automated, since "Frappo" uses a pre-configured Docker container and a secure route to gather compromised credentials through API. 

Once "Frappo" is properly configured, statistical data such as how many victims opened the phishing page, accessed authorisation and input credentials, uptime, and the server status will be collected and visualised. Compromised credentials will appear in the "Logs" area alongside further information about each victim, such as IP address, User-Agent, Username, Password, and so forth. The phishing pages (or "phishlets") that have been discovered are of high quality and include interactive scenarios that fool victims into providing authorization credentials. 

Threat actors have successfully leveraged services like "Frappo" for account takeover, business email compromise, and payment and identity data theft. Cybercriminals use sophisticated tools and methods to assault consumers all over the world. Digital identity protection has become one of the top objectives for online safety, and as a result, a new digital battleground emerges, with threat actors looking for stolen data.

Christian Lees, Chief Technology Officer (CTO) of Resecurity, Inc. stated, “Resecurity is committed to protecting consumers and enterprises all over the globe, and is actively involved in public-private partnerships to share actionable cyber threat intelligence (CTI) with financial institutions, technology companies and law enforcement to ultimately minimize the risk of credentials being compromised and data breaches being executed.”

Google SMTP Relay Service Exploited for Sending Phishing Emails

 

Phishers are exploiting a vulnerability in Google's SMTP relay service to send malicious emails that imitate well-known brands. Threat actors use this service to mimic other Gmail tenants, according to Avanan researcher Jeremy Fuchs. Since April 2022, they've noticed a massive rise in these SMTP relay service exploit attacks in the wild. 

Organizations utilise Google's SMTP relay service to send out promotional messages to a large number of consumers without the risk of their mail server being blacklisted. 

Fuchs explained, “Many organizations offer this service. Gmail does as well, with the ability to route outgoing non-Gmail messages through Google. However, these relay services have a flaw. Within Gmail, any Gmail tenant can use it to spoof any other Gmail tenant. That means that a hacker can use the service to easily spoof legitimate brands and send out phishing and malware campaigns. When the security service sees avanan.com coming into the inbox, and it’s a real IP address from Gmail’s IP, it starts to look more legitimate.” 

As Gmail's SMTP relay servers are usually trusted, email security solutions are circumvented, and recipients see a legitimate-looking email address in the "From:" field. Users will only know something is wrong if they inspect the message headers. 

This brand impersonation method will only work if the impersonated corporation/brand company hasn't enabled its DMARC reject policy, according to Fuchs. A DNS-based authentication standard is known as DMARC. It protects enterprises from impersonation threats by preventing malicious, spoof emails from reaching their intended recipients. 

Using tools like MXToolbox, any phisher — indeed, anyone who uses the internet – may verify whether the DMARC reject policy has been enabled for a certain domain. Trello and Venmo, for example, haven't, according to Fuchs, while Netflix has. 

On April 23rd, 2022, Fuchs claims to have warned Google about how phishers were using their SMTP relay service. “Google noted that it will display indicators showing the discrepancy between the two senders, to aid the user and downstream security systems,” he told Help Net Security. 

He also points out that any SMTP relay could be vulnerable to this type of assault. The DMARC protocol, which Google recommends, is the overarching solution to this well-known security issue. However, until that becomes the norm, recipients should verify the headers of unsolicited email messages and avoid opening attachments or clicking on links in those messages if they can't tell whether they're harmful. 

“We have built-in protections to stop this type of attack. This research speaks to why we recommend users across the ecosystem use the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol. Doing so will defend against this attack method, which is a well-known industry issue,” a Google spokesperson told Help Net Security.

Russia-linked APT29 Targets Diplomatic World Wide

 

Security intelligence from Mandiant has discovered a spear-phishing campaign, launched by the Russia-linked APT29 group, designed to victimize diplomats and government entities worldwide including European, the Americas, and Asia. 

The group is believed to be sponsored by the Russian Foreign Intelligence Service (SVR) and to have orchestrated the 2020 SolarWinds attack which hit hundreds of organizations. 

According to the data, the Russia-linked APT29 group popularly known as SVR, Cozy Bear, and The Dukes is active since at least 2014, along with the APT28 cyber threat group which was involved in the Democratic National Committee hack, the wave of attacks aimed at the 2016 US Presidential Elections and a November 2018 attempt to infiltrate DNC. 

The phishing emails have been masqueraded as official notices related to various embassies. Nation-state actors used Atlassian Trello, DropBox, and cloud services, as part of their command and control (C2) infrastructure. 

“APT29 targeted large lists of recipients that Mandiant suspected were primarily publicly-listed points of contact of embassy personnel. These phishing emails utilized a malicious HTML dropper tracked as ROOTSAW, which makes use of a technique known as HTML smuggling to deliver an IMG or ISO file to a victim system.” reads the analysis published by Mandiant. 

The threat actors used the HTML smuggling technique to deliver an IMG or ISO file to the targets. The ISO image contains a Windows shortcut file (LNK) that installs a malicious DLL file when it is clicked. When the attachment file opens, the ROOTSAW HTML dropper will write an IMG or ISO file to disk. Following the steps, once the DLL file is executed, the BEATDROP downloader is delivered and installed in memory. 

“BEATDROP is a downloader written in C that makes use of Trello for C2. Once executed, BEATDROP first maps its own copy of ntdll.dll into memory for the purpose of executing shellcode in its own process. BEATDROP first creates a suspended thread with RtlCreateUserThread which points to NtCreateFile...” 

 “…Following this, BEATDROP will enumerate the system for the username, computer name, and IP address. This information is used to create a victim ID, which is used by BEATDROP to store and retrieve victim payloads from its C2. Once the victim ID is created, BEATDROP will make an initial request to Trello to identify whether the current victim has already been compromised”, the report read.

Ukrainian CERT Alerts Citizens of Phishing Attacks Using Hacked Accounts

 

The Computer Emergency Response Team of Ukraine (CERT-UA) has cautioned of new phishing attacks directed at Ukrainian citizens, which use hijacked email accounts belonging to three separate Indian businesses to infiltrate their inboxes and steal sensitive data. 

The emails arrive with the subject line "" (meaning "Attention") and pretend to be from a domestic email service named Ukr.net, but the sender's email address is "muthuprakash.b@tvsrubber[.]com," according to the agency. The messages allegedly alert recipients of an unauthorised attempt to log in to their accounts from an IP address based in Donetsk, Ukraine, and urge them to change their passwords immediately by clicking on a link. 

CERT-UA noted in a Facebook post over the weekend, "After following the link and entering the password, it gets to the attackers. In this way, they gain access to the email inboxes of Ukrainian citizens." 

The fact that TVS Rubber is an automotive company situated in the Indian city of Madurai suggests that the phishing emails were distributed through an already compromised email account. In a further update, CERT-UA stated that it had discovered an additional 20 email addresses used in the attacks, some of which belonged to sysadmins and faculty members at the Ramaiah University of Applied Sciences, an academic institution in Bengaluru, India. 

An email address from Hodek Vibration Technologies Pvt. Ltd., an India-based automotive company that designs and manufactures dampers for cars, light and heavy commercial vehicles, and other industrial equipment, is also featured in the list. 

"All these mailboxes have been compromised and are being used by the Russian Federation's special services to carry out cyberattacks on Ukrainian citizens," the agency said. 

The news comes as NATO states unanimously approved to admit Ukraine as a "Contributing Participant" to the Cooperative Cyber Defence Centre of Excellence (CCDCOE), as Russia's military invasion of the country entered its second week and cyber strikes poured down on government and commercial targets. 

"Ukraine's presence in the Centre will enhance the exchange of cyber expertise, between Ukraine and CCDCOE member nations. Ukraine could bring valuable first-hand knowledge of several adversaries within the cyber domain to be used for research, exercises and training," Col Jaak Tarien, director of CCDCOE, said in a statement.

Phishing Attack Emerges as a Primary Threat Vector in X-Force Threat Intelligence Index 2022

 

IBM published its tenth X-Force Threat Intelligence Index last week unveiling phishing attacks as the primary threat vector in the past year, with manufacturing emerging as the most targeted sector. IBM security analysts spotted a 33% surge in attacks caused by vulnerability exploitation of Log4Shell, a point of entry that malicious actors relied on more than any other to launch their assaults in 2021, representing the cause of 44% of ransomware attacks. 

The 2022 Threat Intelligence Index was compiled from billions of data points, ranging from network and endpoint detection devices, incident response engagements, phishing kits, and domain name tracking. It was revealed that threat actors employed phishing in 41% of attacks, surging from 2020 when it was responsible for 33% of attacks. Interestingly, click rates for the average targeted phishing campaign surged nearly three-fold, from 18% to 53% when phone phishing (vishing) was also employed by malicious actors. 

The X-Force report highlights the record-high number of vulnerabilities unearthed in 2021, including a vulnerability in the Kaseya monitoring software that was exploited by REvil in July, and the Log4j (or Log4Shell) vulnerability in Apache’s popular logging library. Cybercriminals from across the globe were so quick to exploit Log4j that it occupied the number two spot on the X-Force top 10 lists of most exploited vulnerabilities in 2021, despite only being discovered in December last year. The top vulnerability was a flaw in Microsoft Exchange that allowed attackers to bypass authentication to impersonate an administrator. 

Additionally in the UK, nearly 80% of users received a malicious call or text last year. To counter the threat, regulator Ofcom published new guidelines this week which will require more proactive work from operators to root out the use of spoofed numbers. 

“X-Force observed actors leveraging multiple known vulnerabilities, such as CVE-2021-35464 (a Java deserialization vulnerability) and CVE-2019-19781 (a Citrix path traversal flaw), to gain initial access to networks of interest. In addition, we observed threat actors leverage zero-day vulnerabilities in major attacks like the Kaseya ransomware attack and Microsoft Exchange Server incidents to access victim networks and devices,” researchers explained. 

To mitigate the risks, researchers advised organizations to update their vulnerability management system, identify security loopholes, and prioritize vulnerabilities based on the likelihood they will be abused.

Kimsuky Hackers Employ Commodity RATs with Custom Gold Dragon Backdoor

 

Researchers in South Korea have discovered a fresh wave of activity from the Kimsuky hacking organization, employing commodity open-source remote access tools distributed with their own backdoor, Gold Dragon. Kimsuky, also known as TA406, is a North Korean state-sponsored hacker group that has been actively engaging in cyber-espionage efforts since 2017. The organization has shown amazing operational adaptability and threat activity diversity, participating in malware distribution, phishing, data harvesting, and even cryptocurrency theft. 

Beginning in January 2021, TA406 began delivering malware payloads through phishing emails that led to 7z archives. These archives contained an EXE file with a double extension that made it appear to be a .HTML file. If the file is opened, it will launch a scheduled activity called "Twitter Alarm," which will allow the actors to drop new payloads every 15 minutes. When run, the EXE opens a web browser to a PDF version of a valid NK News item housed on the actor's infrastructure, hoping to fool the victim into thinking they're reading a post on a news site. 

Kimsuky used xRAT in targeted assaults against South Korean entities in the most recent campaign, as discovered by experts at ASEC (AhnLab). The campaign began on January 24, 2022. xRAT is a free and open-source remote access and administration program that may be downloaded from GitHub. Keylogging, remote shell, file manager operations, reverse HTTPS proxy, AES-128 communication, and automated social engineering are among the functions provided by the malware. 

A sophisticated threat actor may choose to deploy commodity RATs for basic reconnaissance activities and do not require much configuration. This enables threat actors to concentrate their efforts on designing later-stage malware that necessitates more specialized functionality dependent on the security tools/practices available on the target. 

Kimsuky often deploys Gold Dragon as a second-stage backdoor after a fileless PowerShell-based first-stage assault that employs steganography. This malware has been recorded in a 2020 report by Cybereason and a 2021 analysis by Cisco Talos researchers, therefore it is not new. However, as ASEC describes in its study, the variation found in this latest campaign has additional functions such as the exfiltration of basic system information. 

The malware no longer leverages system processes for this operation, instead installs the xRAT tool to manually steal the required information. The RAT disguises itself as an executable called cp1093.exe, which copies a regular PowerShell process (powershell_ise.exe) to the “C:\ProgramData\” path and executes via process hollowing.

Attackers Revive 20-Year-Old Tactic in Microsoft 365 Phishing Attacks

 

A classic phishing tactic using mislabeled files is being used to deceive Microsoft 365 users into revealing their credentials. Malicious actors are dusting off Right-to-Left Override (RLO) attacks to fool victims into running files with altered extensions, as per cybersecurity researchers at Vade. Victims are requested to enter their Microsoft 365 login details when they open the files. 

In the previous two weeks, Vade's threat analysis team has discovered more than 200 RLO attacks targeting Microsoft 365 users. The technique of assault was: 

Within the Unicode encoding system, the RLO character [U+202e] is a special non-printing character. The symbol was created to support languages like Arabic and Hebrew, which are written and read from right to left. 

The special character, which can be found in the Windows and Linux character maps, can be used to mask the file type. The executable file abc[U+202e]txt.exe, for example, will display in Windows as abcexe.txt, misleading people to believe it is a.txt file. 

The threat has been present for more than a decade, and CVE-2009-3376 was first identified in 2008 in Mozilla Foundation and Unicode technical reports. 

"While Right-to-Left Override (RLO) attack is an old technique to trick users into executing a file with a disguised extension, this spoofing method is back with new purposes," noted researchers. 

RLO spoofing was previously a common technique for hiding malware in attachments. According to Vade researchers, the approach is currently being used to phish Microsoft 365 business users in order to gain access to a company's data. The team encountered one RLO attack in which an email was delivered with what seemed to be a voicemail.mp3 attachment. 

Researchers stated, "This kind of scam preys on the curiosity of the recipient, who is not expecting a voicemail, and who maybe intrigued enough to click the phishing link in the body of the email or the attachment, which is often an html file."
  
"Most likely attackers are taking advantage of the COVID-19 pandemic, with the expansion of remote working," hypothesized the analysts, who also noted that "RLO spoofing attachments is more convincing with the lack of interpersonal communication due to teleworking."

Intuit Alerted About Phishing Emails Threatening to Delete Accounts

 

Customers of accounting and tax software supplier Intuit have been warned of an ongoing phishing attack masquerading the organisation and attempting to mislead victims with fraudulent account suspension notifications. 

Customers who were notified and told that their Intuit accounts had been disabled as a result of a recent server security upgrade prompted Intuit to issue the advisory. 

The attackers stated in the phishing messages, masquerading as the Intuit Maintenance Team, "We have temporarily disabled your account due to inactivity. It is compulsory that you restore your access within next 24 hours. This is a result of recent security upgrade on our server and database, to fight against vulnerability and account theft as we begin the new tax season." 

To regain access to their accounts, the receivers need to visit https://proconnect.intuit.com/Pro/Update right away. By clicking the link, they will most likely be redirected to a phishing site controlled by the attacker, which will seek to infect them with malware or steal their financial or personal information. 

Those who hesitate before clicking the embedded link are warned that they risk losing access to their accounts permanently. The financial software company stated the sender "is not associated with Intuit, is not an approved agent of Intuit, nor is their use of Intuit's brands authorised by Intuit," and that it isn't behind the emails. 

Customers who have received phishing emails are advised not to click any embedded links or open attachments, according to the maker of TurboTax and QuickBooks. 

To avoid being infected with malware or redirected to a phishing landing page that would try to steal the credentials, it's best to delete the emails. Customers who have already opened attachments or clicked links in phishing emails should take the following steps: 
  • Delete any downloaded files immediately. 
  • Scan their systems using an up-to-date anti-malware solution. 
  • Change their passwords
On its support page, Intuit also provides information on how users can safeguard themselves from phishing assaults. 

QuickBooks clients were also cautioned in October about phishing attacks that used bogus renewal charges as bait. Fraudsters contacted QuickBooks users via websites in the same month, telling them to upgrade to prevent their databases from being destroyed or corporate backup files automatically erased, with the intent of taking over their accounts.  

IT Personnel Equally Susceptible to Phishing Attempts as the General Population

 

In a cyber threat survey wherein 82,402 IT employees from four different companies participated, it was discovered that even they are not immune to cyber threats. The study was designed to know how IT workers respond to the emails that simulated one of the four commonly used phishing tactics. 

According to the report, 22% of recipients that received Phishing emails that impersonate HR announcements and statements or ask for assistance with invoicing get the most attention and clicks from the employees. 

Matthew Connor, F-Secure Service Delivery Manager and lead author of the report, said that he noticed that the study's most notable discovery was that workers from IT sectors seemed equal or even more susceptible to phishing attempts than the general public. 

“The privileged access that technical personnel has to an organization’s infrastructure can lead to them being actively targeted by adversaries, so advanced or even average susceptibility to phishing is a concern…,”
 
"...Post-study surveys found that these personnel were more aware of previous phishing attempts than others, so we know this is a real threat. The fact that they click as often or more often than others, even with their level of awareness, highlights a significant challenge in the fight against phishing,” Connor said. 

According to the statistics, the email that was asking the recipient to help with an invoice (referred to as CEO Fraud in the report) was the second most fraudulent email that receives 16% clicks from recipients. 

Furthermore, the study identified the least frequently clicked emails and these include Service Issue Notification and document Share notifications emails that received 7% and 6% clicks from the recipients. 

Furthermore, the study had discovered that these departments were no better at reporting phishing threats than others. IT and DevOps were ranked third and sixth out of nine departments in terms of reporting.

Finland Alerted About Facebook Accounts Compromised via Messenger Phishing

 

The National Cyber Security Centre of Finland (NCSC-FI) has issued a warning about an ongoing phishing attack aimed at compromising Facebook accounts by masquerading victims' friends in Facebook Messenger conversations. 

According to the NCSC-FI, this ongoing scam targets all Facebook users who got messages from online acquaintances seeking their contact information and a confirmation number given through SMS. If users provide the requested information, the attackers will gain control of their accounts by altering the password and email address linked with them. 

Once taken over, the Facebook accounts will use similar schemes to target more potential victims from their friend list. 

“In the attempts, a hacked account is used to send messages with the aim of obtaining the recipients' telephone numbers and two-factor authentication codes to hijack their Facebook accounts," the cybersecurity agency described. 

The scammers will undertake the following techniques to successfully compromise the victim' Facebook accounts: 
• They start by sending a message through Facebook Messenger from the previously compromised friend's account. 
• They request the target's phone number, claiming to be able to assist with the registration for an online contest with cash awards worth thousands of euros. 
• The next step is to request a code that was supposedly given via SMS by the contest organizers to verify the entry. 
• If the fraudsters obtain the SMS confirmation code, they will combine it with the phone number to gain access to and hijack the victim's Facebook account. 

The NCSC-FI advised, "The best way to protect yourself from this scam is to be wary of Facebook messages from all senders, including people you know. If the message sender is a friend, you can contact him, for example, by phone and ask if he is aware of this message. This information should not be disclosed to strangers." 

Meta (previously Facebook) recently has filed a federal lawsuit in a California court to stop further phishing assaults that are currently targeting Facebook, Messenger, Instagram, and WhatsApp users. 

Around 40,000 phishing sites impersonating the four platforms' login pages were used by the threat actors behind these phishing attacks. These lawsuits are part of a lengthy series of lawsuits filed by Facebook against attackers who target its users and exploit its platform for nefarious purposes.

20K WordPress Sites Exposed by Insecure Plugin REST-API

 

The WordPress WP HTML Mail plugin is prone to a high-severity issue that can lead to code injection and the distribution of persuasive phishing emails. It is used by over 20,000 sites. 

'WP HTML Mail' is a plugin that allows creating customized emails, contact form notifications, and other messages that online platforms deliver to their users. 

WooCommerce, Ninja Forms, BuddyPress, and other plugins are all functional with the plugin. While the volume of sites that utilise it isn't big, many of them have a large audience, causing the vulnerability to impact a large number of people. 

According to research by Wordfence's Threat Intelligence team, an unauthenticated actor might use the vulnerability dubbed "CVE-2022-0218" to change the email template to include arbitrary information. 

Cybercriminals can also utilise the same flaw to send phishing emails to anyone who has registered on the hacked sites. The problem is with how the plugin registers two REST-API routes for retrieving and updating email template settings. 

Unauthorized users can call and execute the functions since these API endpoints aren't appropriately protected from unauthorised access. 

In its report, Wordfence explains in detail: “The plugin registers the /themesettings endpoint, which calls the saveThemeSettings function or the getThemeSettings function depending on the request method. The REST-API endpoint did use the permission_callback function, however, it was set to __return_true which meant that no authentication was required to execute the functions. Therefore, any user had access to execute the REST-API endpoint to save the email’s theme settings or retrieve the email’s theme settings.” 

Aside from phishing assaults, an adversary might inject harmful JavaScript into the email template, which would run whenever the site administrator accessed the HTML mail editor. This might lead to the creation of new admin accounts, the redirection of site visitors to phishing sites, the injection of backdoors into theme files, and even the entire takeover of the site. 

On December 23, 2021, Wordfence detected and reported the vulnerability to the plugin's creator, but they didn't hear back until January 10, 2022. With the release of version 3.1 on January 13, 2022, a security fix addressed the vulnerability. 

As a result, all WordPress site owners and administrators should make sure they have the newest version of the 'WP HTML Mail' plugin installed.

Hacker Hacked Multiple High-profile FIFA 22 Accounts by Phishing EA Support Agents

 

Electronic Arts (EA) has cited "human error" within its customer experience team for a recent wave of high-profile FIFA Ultimate Team account takeovers, with some individuals falling victim to a socially engineered phishing attack. 

EA initiated an inquiry after several top traders in FIFA's Ultimate Team game complained that their accounts had been taken over and emptied of points and thousands of dollars in-game currency last week. Phishers were able to hack less than 50 top trader accounts by "exploiting human error" among EA's customer care employees, according to a post on the company's website on Tuesday. 

The company stated, “Utilizing threats and other ‘social engineering’ methods, individuals acting maliciously were able to exploit human error within our customer experience team and bypass two-factor authentication to gain access to player accounts.” 

Ultimate Team is an online soccer game in which players create virtual squads of real-life competitive players and compete against other online teams. Top traders acquire a substantial amount of in-game currency and points by exchanging individuals and forming diverse teams. 

EA eventually identified was a situation described online by traders who posted screenshots of unusual account behaviour, such as attackers calling EA's customer service via the live chat feature and demanding that an account's email address be altered. While many of these requests were ignored, at least one customer service representative eventually gave in to pressure and altered an account holder's email address. This necessitated the staffer circumventing security processes that require extra verification from account owners, according to a Twitter user and Ultimate Team trader called FUT Donkey, who stated his account had been hacked. 

Response & Impact: 

In response to the incident, EA will require "EA advisors and individuals who assist with the service of EA accounts" to get individual re-training, as well as additional team training primarily focused on security, practices, and phishing techniques, according to the company. 

EA will also add stages to the account ownership verification procedure in FIFA Ultimate Team, including "mandatory managerial permission for all email change requests," according to the company. 

According to the company's article, it will also upgrade its customer experience software to clearly evaluate and identify suspicious behavior and at-risk accounts to further restrict the potential for human mistakes in the account update process. 

The incident should serve as a warning to other gaming platforms: Hackers that attack these sites will continue to show off their skills, just as top traders compete for accolades and currency within the game, according to another security specialist in an email to Threatpost. 

Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify stated, “Gamers and streamers are a massive global trend across social media platforms, capturing the attention of millions who want to know their secret techniques on how they get to the next level.” 

“Hacking is now also becoming a glorified streamed event with the world’s top hackers streaming their hacking skills online, showing off new techniques and methods on how to bypass security and get the initial foothold.” 

Unfortunately for gaming platforms, he noted in his email that this new trend will "certainly grow and manifest in the year ahead."

Dridex Targeted Employees with Fake Job Termination Emails

 

A new Dridex malware phishing campaign is using fake employee termination as a lure to open a malicious Excel document, which then trolls them with a season's greeting message.

TheAnalyst, a threat researcher, shared a screenshot of the false employment termination notice on December 22, linking it to a Dridex affiliate. The suspicious email informed the target that their employment will end on December 24, and also that the decision could not be reversed. A password-protected Excel file attached offered further information. 

When a receiver accessed the file, a blurred form with a button to "Enable Content" appeared, allowing the file to run an automated script through its macros function, a technology designed to aid automation that has been misused for years for harmful purposes. After clicking the button, a pop-up window displayed with the words "Merry X-Mas Dear Employees!" 

Dridex is a trojan that was first discovered in 2014 and is related to credential theft. It spreads via email phishing campaigns. According to the US Treasury Department, it has been used to steal more than $100 million from banking institutions in 40 nations. 

Dridex is thought to have been created by Evil Corp., a Russian hacker gang that has become one of the most notorious and prolific cybercrime organizations in recent years. In December 2019, the US government sanctioned the organization and indicted its alleged founders, Maksim Yakubets and Igor Turashev, for their roles in developing Bugat, the predecessor malware to Dridex. 

A response to TheAnalyst's tweet including the false termination notice observed that in some copies of the email, the "Merry X-Mas" pop-up replaced the word "Employees" with racial insults. The racist content with this particular Dridex campaign extends back to a few months, according to TheAnalyst. 

For example, a phishing email sent out to targets during Black Friday mentioned shooting "black protesters" with a license. "If you find this message to be inappropriate or offensive, please click the complaint button in the attached document and we will never contact you again," the message stated. 

According to TheAnalyst, cybercriminals frequently insert racist email addresses inside the malware payloads to insult researchers. This element of the campaign is not visible to the campaign's targets, but it is visible to researchers who seek out, study, and expose phishing campaigns.

Scam Phishing Network Costs Victims $80m Per Month

 

Researchers discovered a sophisticated phishing attack that costs millions of people across the world around $80 million per month. 

The campaign, according to security firm Group-IB, targets consumers in over 90 countries, including the United States, Canada, South Korea, and Italy. It sends out fraudulent surveys and giveaways from well-known companies in order to acquire their personal and financial information. According to the firm, a single network targets over 10 million victims and 120 brands. 

“Fraudsters trap their victims by distributing invitations to partake in the survey, after which the user would allegedly get a prize. Each such offer contains a link leading to the survey website. For ‘lead generation,’ the threat actors use all possible legitimate digital marketing means: contextual advertising, advertising on legal and completely rogue sites, SMS, mailouts, and pop-up notifications,” Group-IB explained. 

“To build trust with their victims, scammers register look-alike domain names to the official ones. Less frequently, they were also seen adding links to the calendar and posts on social networks. After clicking the targeted link, a user gets in the so-called traffic cloaking, which enables cyber-criminals to display different content to different users, based on certain user parameters.” 

While the victim is being sent to this 'branded survey,' information about their experience is being gathered and used to personalise a final harmful link that can only be opened once, making it more difficult to identify and shut down the scam. 

Group-IB noted, “At the final stage, the user is asked to answer questions to receive a prize from a well-known brand and to fill out a form asking for their personal data, which is allegedly needed to receive the prize. The data required usually includes the full name, email, postal address, phone number, bank card data, including expiration date and CVV.” 

Dmitriy Tiunkin, the vendor's head of digital risk protection in Europe, called the current situation a "scamdemic." The firm discovered 60 separate networks, each with over 70 domain names, running similar targeted links.