Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Tax Preparers
Cyber Fraud EFIN IRS Scam Tax Tax Preparers

Email Scam Under the Name of IRS Try to gain EFIN of Tax Preparers

 

A lot of people are familiar with the US Internal Revenue Service (IRS) scam letters about the tax season that are phishing for money. Now, in a virtual version of the fake IRS letter, a different kind of IRS scam aims for tax practitioners. 

The IRS has instructed tax practitioners to seek for the scam that tries to obtain the E-Filing Identification Number (EFIN) of a victim. Here, intruders use a fake email to attack the identity and customer information of tax preparers. Besides, attackers can impersonate the tax preparer and submit fake tax returns to receive refunds, if they have the data. 

The hoax started with a scam email, as per the IRS. The message claimed to have come from 'IRS tax e-filing.' This was an e-mail that went under the heading - ‘Verifying your EFIN before e-filing.’ The e-mail informs the tax preparer that certain documents are to be sent to check and get approved by the e-file staff. It then requests a copy of its EFIN and the license number of its driver. To make the situation more urgent, the email warns that, unless you comply, the IRS will disable e-filing access for the tax preparer. 

This season, many other major tax scams have also been identified by the IRS and other sources. For example, the IRS cautioned taxpayers in early February against threatening 'ghost' preparers of the tax return who are refusing to sign the returns they are making. Every return prepared needs the Preparer Tax Number and it should be signed by the tax preparers as well. The IRS says that the lack of signature may suggest the fraudulent activity of the tax preparer. They may be promising, depending on the size of those refunds, for example, big refunds charging huge fees and accordingly. 

Through investing in their e-mail security defense, organizations can protect themselves and their users against such an IRS scam. One way they could do this is to develop a safety education program and educate employees about some of the most common kinds of publicly available tax-based phishing emails and other scams. Organizations should continuously test their employees to keep their employees informed of this IRS scam and similar attacks. Threat intelligence should be used to keep up with the latest tax scams. 

Furthermore, the IRS advised the tax preparers to avoid undertaking any of the email steps. It's best to delete the email and not respond in any way.
Read more »
URL Spoofing
Data Breach Taxpayers UK URL Spoofing

Taxpayers Personal Data Exposed Online in the UK

 

Different local councils in the UK have conveyed SMS to a huge number of citizens to encourage them to cover outstanding sums. The messages contained links to online databases that facilitated lists of different citizens whose information shouldn't be available to any other person. Lamentably, there was no security or any type of verification to keep the leak from occurring, so a large number of UK taxpayers have had their complete names, home addresses, and outstanding debts exposed.

The blunder was the work of Telsolutions Ltd., an organization that has given the contact and communication services to the local councils, which was contracted to urge tax defaulters to pay up. This is a typical strategy that is trailed by private and public entities around the world. Other than the psychological repercussions for the recipients of these messages, there is also the danger of data exposure.  

Other than SMS, the council tax services likewise use emails and surprisingly recorded voice messages. The entirety of this makes the space for tricksters to move in also, as taxpayers having to deal with official communications with their state through third-parties is the ideal setting for trickery. The information of this exposure reached The Register, who checked and affirmed that the information was indeed accessible via the sent short links. The entirety of the shared URLs have been taken offline now as both Telsolutions and some of the authorities were informed about the mistake. However, as the UK press webpage affirms, web crawlers have already caught some of these public entries, empowering individuals to search others and see their addresses, tax debts, etc.

After investigating the enumerable URLs, it was found that London's Bexley Council, a client of the Telsolutions service, had implemented no authentication at all. Anybody could unreservedly see the full details of an alleged tax defaulter in the borough without proving their identity. To see the data of another taxpayer, the recipient should have simply followed the URL from the SMS, modify the alphanumeric characters, and click a button labeled "proceed". 

Altogether, apparently, 14 councils have followed the same erroneous method after trusting the particular service provider. That incorporates Barnet, Bexley, Brighton, Cardiff, Coventry City, Greenwich, Lambeth, Redbridge, Southampton City, and Walsall.
Read more »
Russian Hackers
Cyber Crime Cyber Crime Report Russian Hackers

Russian Kryuchkov pleaded guilty to conspiring to hack Tesla's computer network

 Tesla CEO Elon Musk commented in Russian on the news that Russian Egor Kryuchkov had pleaded guilty on Twitter on Friday

According to the federal prosecutor's office in the state of Nevada, the verdict of Russian Egor Kryuchkov, who pleaded guilty to conspiracy to hack Tesla's computer network, will be sentenced on May 10.

"A Russian national pleaded guilty in federal court today to conspiracy to travel to the US to hire a Nevada-based employee to install software on the company's computer network," the document said.

It specifies that the Russian "pleaded guilty to one count of intentionally damaging a protected computer, and is scheduled to be sentenced on May 10."

According to the US Department of Justice, the Russian was trying to bribe a Tesla employee for $1 million to install the necessary software. The attackers intended to use the data to blackmail the company by threatening to make the information public. "This was a serious attack," Musk said at the time.

An employee with whom the Russian allegedly tried to negotiate in the summer of 2020 notified his management about this plan. It informed the US FBI.

The US Justice Department reported in August that Kryuchkov had been detained in Los Angeles, California, on charges of conspiracy to intentionally harm a protected computer. Initially, the Russian did not admit his guilt. His relatives and acquaintances said Kryuchkov had nothing to do with the IT industry and had never programmed.

However, on March 18, the US Department of Justice announced that the man had pleaded guilty to one count of deliberately damaging a protected computer.

It is worth noting that Tesla CEO Elon Musk commented in Russian on the news that Russian Egor Kryuchkov had pleaded guilty. Musk published a corresponding entry on Twitter on Friday.

The head of Tesla, following the rules of the pre-reform spelling of the Russian language, wrote the title of the novel by Fyodor Dostoevsky (1821-1881) "Crime and Punishment".

Musk had previously tweeted in Russian on several occasions. 

Read more »
US Department Of Justice
Cyber Crime Infraud Organiztion Macedonain Russian US Department Of Justice

US Sentences Russian, Macedonian For Roles in Transantional Cybercrime Enterprise

 

The United States has sentenced nationals from Russia and North Macedonia to prison for their roles in a transnational cybercrime operation that was responsible for theft of $568 million worldwide, according to a Justice Department statement. 

Sergei Medvedev, 33, of Russia, pleaded guilty in the District of Nevada to one count of racketeering conspiracy in June 2020 and was sentenced on Friday to 10 years in prison. According to court documents, Medvedev was a co-founder of Infraud along with Syvatoslav Bondarenko of Ukraine. From November 2010 until Infraud was taken down by law enforcement in February 2018, Medvedev was an active participant in the Infraud online forum. 

Medvedev was running an “escrow” service to facilitate illegal transactions among Infraud members. For several years, Medvedev served as Infraud’s administrator, handling day-to-day management, deciding membership, and meting out discipline to those who violated the enterprise’s rules.

Mark Leopard, 31, of North Macedonia, pleaded guilty in the district of Nevada to one count of racketeering conspiracy in November 2019 and was sentenced today to five years in prison. According to court documents, Leopard joined Infraud in June 2011, offering his services as an ‘abuse immunity’ web hoster to Infraud members who wished to design websites to sell contraband. 

Unlike a legitimate host, Leopard would knowingly cater to websites offering illegal goods and services, ignoring any abusive reports from Internet users. He hosted a number of sites for Infraud members in this fashion, providing the infrastructure that allowed his co-conspirators to profit off their criminal activities.

The enterprise, which boasted over 10,000 members at its peak and operated for more than seven years under the slogan ‘IN Fraud We Trust’. Infraud was responsible for the sale and/or purchase of over four million compromised credit and debit card numbers and the actual loss associated with Infraud was in excess of $568 million, the Us Department of Justice said.

“Today’s sentence should serve as a warning to any web host who willingly looks the other way for a quick buck – and that the United States will hold these bad actors accountable, even when they operate behind a computer screen halfway across the world,” Acting Assistant Attorney General Nicholas McQuaid said.
Read more »
Website
2 weeks Cyber Attacks MangaDex Website

Due to a Cyber Attack, MangaDex Website Taken Down for 2 Weeks

 

A few days ago, on 17th March, MangaDex found that a malicious actor, who already had access to an administrative account, had hacked the site. They said a malicious player has been able to access an administrative account by using a session token in an older database leak via flawed session management configuration. They further moved on to locate and patch the vulnerable section of code, also sweeping session data worldwide to prevent further attempts at, using the same technique. 

After the breach, they spent several hours analyzing the code and began patching. This occurred alongside the opening of the site following the breach, as we mistakenly believed that the actor could not access it. As a precaution, their infrastructure has been monitored in case the assailant is returned. 

Afterward, the attacker even sent an email with the "MangaDex has a DB leak. I suggest you tell their staff about it,” message to a few users according to the website's official notice. Since then, MangaDex has been maintaining the website and its users to prevent further disruption and security problems. 

Fortunately, MangaDex was pretty transparent regarding the violation and was providing information via Twitter instead of trying to hush up the details. However, the team recommends taking immediate actions to secure one’s online identity. Further, a database breach is also yet to be verified by them. So, if one uses the same password for all sites, they may want to change their passwords on other sites also. 

That being said, MangaDex affirmed that the new website — MangaDex v5 — will stay offline for a full rewrite that can take two weeks to complete. This decision took into consideration many other alternatives, such as the reintroduction of the website in its present state which could be vulnerable under MangaDex to further attacks. The new website will only have the basic features. This implies that only when MangaDex v5 is launched, users can read and upload and follow – like the website of the OG. 

The team confirmed that MangaDex v3 is back, though with several features that allow users to export bookmarks. A bug bounty program may also be developed for the team for v5. This helps MangaDex to patch all exploits in the code so that attackers will not be able to break the website.
Read more »
Windows
Android devices Cyber Attacks Google iOS Windows

Hackers used 11 Zero-Days to Attack Windows, iOS, Android Users

 

Malware trackers at Google keep on pointing out a complex APT group that burned through at least 11 zero-days exploits in less than a year to conduct mass spying across a range of platforms and gadgets. The group has effectively utilized "watering hole" assaults to divert explicit targets to a couple of exploit servers conveying malware on Windows, iOS, and Android gadgets. 

The cross-platform capacities and the readiness to utilize almost a dozen zero-days in under a year signals a well-resourced threat actor with the ability to access hacking tools and exploits from related groups. In another blog post, Google Project Zero researcher Maddie Stone released additional details on the exploit chains found in the wild last October and cautioned that the most recent disclosure is attached to a February 2020 campaign that incorporated the utilization of multiple zero-days. As per Stone, the threat actor from the February 2020 campaign went dark for a couple of months but returned in October with dozens of websites redirecting to an exploit server. 

“Once our analysis began, we discovered links to a second exploit server on the same website. After initial fingerprinting (appearing to be based on the origin of the IP address and the user-agent), an iframe was injected into the website pointing to one of the two exploit servers. In our testing, both of the exploit servers existed on all of the discovered domains,” Stone explained. 

The first exploit server at first reacted distinctly to Apple iOS and Microsoft Windows user-agents and was active for at least a week after Google's researchers began recovering the hacking devices. This server included exploits for a distant code execution bug in the Google Chrome rendering engine and a v8 zero-day after the underlying bug was fixed. Stone said the first server momentarily reacted to Android user-agents, proposing exploits existed for every one of the significant platforms.

Stone noticed that the assailants utilized a special obfuscation and anti-analysis check on iOS gadgets where those exploits were encrypted with ephemeral keys, “meaning that the exploits couldn't be recovered from the packet dump alone, instead of requiring an active MITM on our side to rewrite the exploit on-the-fly.”
Read more »
Privacy
Android Apps App Permissions Mobile Security Threats Privacy

Beware of Android Apps While Giving Access to Your Mobile Data

 

Have you ever thought about privacy while giving access to the app makers about your contact list, camera, recording, location, calls on your android phone? Or the issue of security and privacy doesn’t matter anymore, especially in the virtual world. 

According to CyberNews, apps in the health and fitness, communications, and productivity sections require the highest number of dangerous permissions on average. 

The most popular requirement of 99% of top android apps is to gain full network access and to view network connections, which permits an app to connect to the Internet, while 72% of apps asked for permission to view wifi connections.

Nearly, 75% of apps ask to read external storage and modify or delete external storage. On the other hand, 36% of apps ask for permission to use your camera such as photography, parenting, dating, etc. Surprisingly, the apps in the categories of gaming, astrology, and personalization also ask for camera permissions. 

Have you guessed the percentage of apps that record your conversations? If not, then the answer is 21%. Yes, out of the top 1020 Android apps nearly 215 asks for microphone access especially the apps in the categories of finance, lifestyle, and wallpapers. 

When it comes to calling, nearly 80 apps out of 1020 Android applications ask for permission to make direct calls. Luckily, most of these apps were from categories like communication, business, and social media. The interesting part is that even apps from the categories of gaming, photography, and wallpapers require access to your contact list. However, you should think twice about giving contact-related access to apps that do not need to use such information.

“It goes without saying that apps from any category might ask for dangerous permissions. For example, you’d expect a communication app to ask for access to your phone book and Android accounts, while a navigation app wouldn’t raise any eyebrows by asking to track your location,” says Vincentas Baubonis, CyberNews security researcher who analyzed the data. 

Four basic steps to minimize the risk 

• Only permit those apps that make sense. For example, if you give apps access to your microphone, they may be listening in, so be aware of what you’re giving them access to. 

• Try to download an app with all permissions disabled, you can still turn on the ones you want individually in the settings. 

• Try to download your apps from the Google play store because it identifies the apps that are potentially dangerous. 

• Turn off your location settings because a large amount of tracking comes from your location settings.
Read more »
Telegram Desktop App
Google malware Telegram Telegram Desktop App

Malware Campaign Targets Telegram Desktop Application

 

An independent security researcher based in Basel, Switzerland, Jannis Kirschner, began to look for the widely known Telegram desktop version on the internet on Sunday. The second Google result was an advertisement, which led him directly to malware cloaked as a Telegram for Windows desktop version. At first sight, it was sufficiently convincing for Kirschner to say that "almost fell for it myself." 

Malware vendors are habituated to use the same publicity tools that online businesses use to attract people. To stop such abuse, Google patrols its advertising ecosystem, but malware advertising is still an ongoing problem. Although a visit by telegramdesktop[dot]com to one of those sites now triggered an alert from the Google Safe Browsing service, that the two sites were unsafe and potentially still active and duplicated others. These include the telegraph[dot]net and the telegram[dot]org. The websites were reported to Google by Kirschner. 

Each of these three spoofed websites is Telegram's clones. All links on cloned sites are redirected to the legitimate Telegram domain, design.telegram.com. But one link is exchanged which is supposed to be the execution for the Telegram Desktop version of Windows. 

"A repo probably was a bad choice for delivering malware since it's very verbose (download numbers, time, and other documents)," Kirschner says. "The biggest opsec mistake was that they didn't clean one of the repo's metadata, which led me to discover commit messages and their e-mail [address]."

He further adds that "I believe that it is the same threat actor or group since the TTPs [tactics, techniques, and procedures] are the same, and all sites have been established in a very close timeframe using the same hoster and certificate authority." 

At least a temporary benefit is offered to host malware on platforms such as Bitbucket: surface links are often deemed to be genuine, and attackers are subject to a malicious reservoir that needs to be removed until someone reports it. The techniques help cover a technological filtering and manual screening campaign, but don't always measure properly, says Kirschner. 

A February 2020 report by the security firm Cybereason reported over half a dozen newcomers, crypto miners, ransomware, and other malware put on Bitbucket by bad actors. 

The telegramdesktop[dot]com website seems to be shared with Moldova. Kirschner says this domain was registered on 29 December 2020. A search in the Wayback Machine of the Internet Archive, reveals that telegramdesktop[dot]com was redirected to the rightful domain telegram.org in April 2018. However, according to DomainTools records, the domain expired in October 2018. 

"I assume that domain once belonged to Telegram themselves, expired and was taken over by the criminals now," Kirschner further says.
Read more »
SolarWinds Attack
Cyber Security PRODAFT SilverFish SolarWinds Attack

PRODAFT Accessed Servers of a SolarWinds Hacker

 

A Swiss cybersecurity firm says it has accessed servers utilized by a hacking group attached to the SolarWinds breach, uncovering details concerning who the attackers targeted and how they did their operation. The firm, PRODAFT, likewise said the hackers have proceeded with their campaign as the month progressed. 
PRODAFT, Proactive Defense Against Future Threats, is a cybersecurity and cyber intelligence organization providing solutions for business clients and government establishments.

PRODAFT researchers said they were able to break into the hackers' computer infrastructure and audit-proof of an enormous campaign between August and March, which targeted a great many organizations and government associations across Europe and the U.S. The point of the hacking group, named SilverFish by the researchers, was to keep an eye on victims and steal information, as per PRODAFT's report. SilverFish did an “extremely sophisticated” cyber-attack on at least 4,720 targets, including government organizations, worldwide IT providers, many banking establishments in the U.S. and EU, major auditing firms, one of the world's leading Covid-19 test kit makers, and aviation and defense companies, as per the report. 

SilverFish is centered around network reconnaissance and information exfiltration and utilizes an assortment of software and scripts for both initial and post-exploitation activities. These incorporate promptly accessible tools like Empire, Cobalt Strike, and Mimikatz, as well as customized rootkits, PowerShell, BAT, and HTA files. Prodaft says that SilverFish attackers tend to follow specific standards of conduct while specifying domains, including running orders to list domain controllers and trusted domains, as well as displaying stored credentials and admin user accounts. 

Scripts are then dispatched for post-exploit reconnaissance and information theft exercises. Hacked, legitimate domains are here and there used to reroute traffic to the C2. "The SilverFish group has designed an unprecedented malware detection sandbox formed by actual enterprise victims which enables the adversaries to test their malicious payloads on victim servers with different enterprise AV and EDR solutions, further expanding the high success rate of the SilverFish group attacks," the company says.

"SilverFish are still using relevant machines for lateral movement stages of their campaigns," the company added. "Unfortunately, despite being large critical infrastructure, most of their targets are unaware of the SilverFish group's presence on their networks."
Read more »
TrickBot
CISA FBI malware Malware Attack Microsoft TrickBot

Everthing You Need to Know About Ongoing TrickBot Attacks, US Agencies Warn

 

The Cybersecurity and Infrastructure Security Agency (CISA) in unison with the Federal Bureau of Investigation (FBI) published an advisory on Wednesday to warn organizations of ongoing TrickBot attacks despite in October multiple security firms dismantled their C2 infrastructure in a joint operation.

In their joint advisory, two agencies disclosed that a sophisticated group of cybercrime actors is leveraging a traffic infringement phishing scheme to lure victims into installing the Trickbot malware.

TrickBot was initially observed in 2016, it is believed to be designed by the threat actors behind the Dyre Trojan. TrickBot has become one of the most prevalent families out there, entrapping machines into a botnet that was being offered under a malware-as-a-service model to both nation-states and cybercrime groups.

“The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have observed continued targeting through spear phishing campaigns using TrickBot malware in North America. A sophisticated group of cybercrime actors is luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot,” the joint advisory reads.

In October 2020, Microsoft revealed that it had disrupted the infrastructure behind TrickBot, taking most of it down. However, the malware survived the takedown attempt and came back stronger, with several new updates that protected against similar attempts. The recent attacks come as a confirmation to the same, that TrickBot’s operators were able to restore their malicious operations. 

“CISA and FBI are aware of recent attacks that use phishing emails, claiming to contain proof of a traffic violation to steal sensitive information. The phishing emails contain links that redirect to a website hosted on a compromised server that prompts the victim to click on photo proof of their traffic violation. In clicking the photo, the victim unknowingly downloads a malicious JavaScript file that, when opened, automatically communicates with the malicious actor’s command and control (C2) server to download Trickbot to the victim’s system,” the advisory further stated. 
Read more »
Proofpoint
CopperStealer Facebook Hijacked malware Proofpoint

CopperStealer Malware Steals Social Media Credentials

 

Researchers discovered a certain malware that was so far unidentified which silently hijacked Facebook, Apple, Amazon, Google, and other web giants' online accounts and then used them for nefarious activities. 

Cybercriminals have launched a new campaign to rob Facebook login credentials from Chrome, Edge, Yandex, Opera, and Firefox using malware 'CopperStealer.' 

The threat actors have used unauthorized access to Facebook and Instagram business accounts to run nefarious commercials and provide further malware in subsequent malware advertising campaigns as per the blog post published by the researchers at cyber safety company Proofpoint. In late January, researchers were first notified of the malware sample. The first samples found dated back from July 2019. 

Furthermore, CopperStealer versions targeting other major service providers such as Apple, Amazon, Bing, Google, PayPal, Tumblr, and Twitter have been discovered in the proven analytic evaluation. The malware aims to steal login credentials for some of the most famous internet services from large technological platforms and service providers. 

Researchers suspect that CopperStealer is a family that has originally been undocumented in the same malware class as SilentFade and StressPaint. Facebook attributed the invention of SilentFade to ILikeAD Media International Ltd, a Hong Kong-based company, and reported over $4 million in damages during the 2020 virus bulletin conference. 

Researchers found dubious websites, which include keygenninja[.]com, piratewares[.]com, startcrack[.]com and crackheap[.]net, that was advertised as 'KeyGen' or 'Crack' sites, which included samples from several families of malware, including CopperStealer. 

“These sites advertise themselves to offer “cracks”, “keygen” and “serials” to circumvent licensing restrictions of legitimate software. However, we observed these sites ultimately provide Potentially Unwanted Programs/Applications (PUP/PUA) or run other malicious executables capable of installing and downloading additional payloads,” said Proofpoint researchers. 

Malware also helps to find and send the saved passwords on one’s browser and uses stored cookies in order to extract a Facebook User Access Token. Once the User Access token has been collected, the malware will request multiple Facebook and Instagram API endpoints to gain additional contexts including the list of friends, any user's pay-out, and research listing the user's pages. "CopperStealer is going after big service provider logins like social media and search engine accounts to spread additional malware or other attacks," says Sherrod DeGrippo, senior director of threat research at Proofpoint. "These are commodities that can be sold or leveraged. Users should turn on two-factor authentication for their service providers."
Read more »
Subscribe to: Comments (Atom)