Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label phishing techniques. Show all posts
Ransomwares
Advanced Social Engineering Cyber Attacks cybercriminal group data security FBI FBI cybersecurity advisory Law Firms Luna Moth phishing techniques ransomware attacks Ransomwares

FBI Warns of Silent Ransom Group Using Phishing and Vishing to Target U.S. Law Firms

 

The FBI has issued a warning about a sophisticated cybercriminal group known as the Silent Ransom Group (SRG), also referred to by aliases like Luna Moth, Chatty Spider, and UNC3753. This group has been actively targeting U.S.-based law firms and related organizations through advanced phishing techniques and social engineering scams. The group, which has been operational since 2022, is known for using deceptive communication methods to gain unauthorized access to corporate systems and extract sensitive legal data for ransom demands. In the past, SRG’s activities spanned across industries such as healthcare and insurance. 

However, since the spring of 2023, its focus has shifted to legal entities, likely because of the highly confidential nature of the data managed by law firms. The group commonly uses a method called callback phishing, also known as reverse vishing. In this approach, victims receive emails that appear to originate from reputable companies and warn them of small charges for fake subscriptions. The emails prompt users to call a phone number to cancel the subscription. During these calls, victims are instructed to download remote access software under the guise of resolving the issue. Once the software is installed, SRG gains control of the victim’s device, searches for valuable data, and uses it to demand ransom.  

In March 2025, SRG has adapted their strategy to include voice phishing or vishing. In this new approach, the attackers call employees directly, posing as internal IT staff. These fraudulent callers attempt to convince their targets to join remote access sessions, often under the pretext of performing necessary overnight maintenance. Once inside the system, the attackers move swiftly to locate and exfiltrate data using tools like WinSCP or a disguised version of Rclone. Notably, SRG does not prioritize escalating privileges, instead focusing on immediate data theft. The FBI noted that these voice phishing methods have already resulted in multiple successful breaches. 

SRG reportedly continues to apply pressure during ransom negotiations by making follow-up calls to victim organizations. While the group does maintain a public site for releasing stolen data, its use of this platform is inconsistent, and it does not always follow through on threats to leak information. A significant concern surrounding these attacks is the difficulty in detection. SRG uses legitimate system management and remote access tools, which are often overlooked by traditional antivirus software. The FBI advises organizations to remain vigilant, particularly if there are unexplained downloads of programs such as AnyDesk, Zoho Assist, or Splashtop, or if staff receive unexpected calls from alleged IT personnel. 

In response, the FBI urges companies to bolster cybersecurity training, establish clear protocols for authenticating internal IT requests, and enforce two-factor authentication across all employee accounts. Victims of SRG attacks are encouraged to share any information that might assist in ongoing investigations, including ransom communications, caller details, and cryptocurrency wallet data.
Read more »
secure email gateways
Credential Theft Cyber Security Cyber Threats cybersecurity breaches Group-IB report Phishing Campaign phishing techniques secure email gateways

Group-IB Unveils Sophisticated Phishing Campaign Targeting Global Organizations

 


A recent report by Group-IB has exposed a highly advanced phishing campaign targeting employees from 30 companies across 15 jurisdictions. Using trusted domains and cutting-edge personalization techniques, attackers have bypassed Secure Email Gateways (SEGs) and exploited victims in critical sectors such as finance, government, aerospace, and energy.

Advanced Obfuscation and Multi-Layered Deception

The investigation, initiated in July 2024, uncovered the attackers' use of:

  • Over 200 phishing links hosted on legitimate platforms like Adobe’s InDesign cloud service and Google AMP.
  • Techniques to bypass detection systems that typically block suspicious or unknown domains.

“Nine out of ten cyberattacks start with a phishing email, making it the most common entry point for threat actors,” the report emphasized.

Phishing Emails That Mimic Trusted Brands

The attackers used professionally designed phishing emails that impersonated well-known brands, including:

  • DocuSign, prompting victims to sign fake contracts.
  • Adobe-hosted links, disguising fraudulent login pages as critical documents.

These emails featured professional formatting, familiar logos, and dynamically personalized elements. For example, by extracting a victim’s email domain, the attackers matched logos and page titles to the targeted organization, enhancing credibility.

“Scammers use a technique that dynamically pulls company logos from the official website to make the phishing links look legitimate,” the report noted.

Exploitation of APIs for Realistic Branding

The attackers leveraged APIs like https://logo.clearbit.com/[company domain] to integrate authentic logos into phishing sites. This seamless branding approach increased user trust and made phishing attempts harder to detect.

Concealing Operations with URL Redirection and Encoding

To evade detection, attackers used:

  • URL redirections via Google AMP to create complex trails.
  • Encoded parameters to obscure the attack path.

Victims were redirected to phishing pages that appeared legitimate, with pre-filled email addresses further enhancing the illusion of authenticity. Once users entered their credentials, the stolen data was sent to Command-and-Control (C2) servers or Telegram bots via API endpoints.

Advanced Data Exfiltration Techniques

The phishing sites contained JavaScript snippets that transmitted stolen credentials using Base64 encoding, effectively hiding the data during analysis. Group-IB analysts observed: “The JSON response from Telegram’s API confirms that the stolen credentials were successfully sent to a private chat controlled by the attacker.”

Ongoing Evolution in Phishing Tactics

Group-IB warns that these techniques signify a continuous evolution in phishing methodologies: “Threat actors are quickly adapting, constantly refining and improving their techniques to bypass security measures and exploit vulnerabilities.”

Conclusion: A Growing Need for Vigilance

This campaign serves as a stark reminder of the ever-evolving nature of cyber threats. Organizations must strengthen their defenses and educate employees to identify and respond to increasingly sophisticated phishing attempts.

Read more »
Subscribe to: Posts (Atom)