Showing posts with label Advanced Social Engineering.

Worldwide Tailor-Made Massive Phishing Campaign

The spotlight turned towards a worldwide phishing campaign after an incident in which an Imperva staff member was singled out and almost ensnared by a social engineering attack.

Imperva, situated in San Mateo, California, operates as a cybersecurity company. It specializes in offering protective solutions for corporate data and application software, ensuring that businesses are shielded from potential threats. 

It all began when the Imperva staff member tried to sell a car seat on Yad2, a website for used items. A supposed buyer messaged him on WhatsApp, introduced a fake payment service styled after Yad2, and sent a link (hxxps://yad2[.]send-u[.]online/4765567942451).

The fake site carried the Yad2 logo and an orange "get paid" button. From there the target was led to a payment page, which transmitted the entered credit card details to the fraudsters. The site also featured a customer support chat, purportedly with Yad2, which let the victim talk to the scammers in real time.
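The link in this case follows a common pattern: the impersonated brand appears as a subdomain label while the registrable domain belongs to the attacker. The following is an added example (not code from the original post or from Imperva) that refangs a defanged indicator and flags brand-in-hostname impersonation against a small, constructed allow-list; the registrable-domain logic is a deliberate simplification of the Public Suffix List.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list for this example: brand token -> registrable domains
# the brand legitimately owns. A real deployment would load a maintained list.
KNOWN_BRANDS = {
    "yad2": {"yad2.co.il"},
    "facebook": {"facebook.com"},
    "booking": {"booking.com"},
}


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxps://, [.]) back into a parseable URL."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".")


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: last two labels, or three for ccTLD second-levels like co.il.
    Assumption: good enough for the demo; use the Public Suffix List in practice."""
    labels = host.lower().strip(".").split(".")
    second_level = {"co", "com", "org", "net", "gov", "ac"}
    if len(labels) >= 3 and labels[-2] in second_level and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_impersonation(url: str) -> list:
    """Return the brands a URL impersonates: the brand token appears somewhere in
    the hostname, but the registrable domain is not one the brand owns."""
    host = urlsplit(refang(url)).hostname or ""
    reg = registrable_domain(host)
    return [brand for brand, legit in KNOWN_BRANDS.items()
            if brand in host and reg not in legit]
```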

This expansive operation encompassed over 800 distinct fraudulent domains, taking on the guise of approximately 340 reputable global enterprises. Among these were prominent financial institutions, postal and courier services, and social media and e-commerce platforms. 

Renowned names like Facebook, Booking.com, and other frequently visited websites were among the imitated entities, all of which attract substantial user traffic. 

The campaign, which originates from Russian IP addresses, has been linked to around 800 distinct scam domains, all listed in the report's Indicators of Compromise (IOCs). Its origins trace back to May 2022, and it remains active and is periodically updated. The analysis uncovered phishing websites in over 48 languages impersonating more than 340 different companies.

At its core, social engineering exploits the power of human interaction as an attack vector. Its primary objective revolves around influencing, manipulating, or deceiving individuals to disclose crucial information or obtain entry within an organization. 

This type of manipulation often capitalizes on people's willingness to help or their apprehensions of potential repercussions. For instance, an attacker might assume the role of a coworker grappling with an immediate problem, seeking permission for additional network resources.

'Muddled Libra' Targets BPO Sector with Advanced Social Engineering

The BPO industry is facing a persistent threat from a malicious actor called Muddled Libra. This threat actor employs advanced social engineering tactics to launch repeated attacks and gain unauthorized entry into BPO systems. 

Business process outsourcing (BPO) is the act of delegating specific business functions or processes to an external service provider. Frequently known as information technology-enabled services (ITES), BPO relies on the use of IT to enable and streamline outsourced operations within the contemporary business environment. 

Unit 42 categorizes cybercrime groups under the designation "Libra," following its constellation naming theme. The threat actor was named "Muddled Libra" because of the uncertainty surrounding its use of the 0ktapus framework.

The intrusion set known as 0ktapus, or Scatter Swine, emerged in August 2022 and gained attention for its involvement in smishing attacks against numerous organizations. Prominent targets included Twilio and Cloudflare. 

Additionally, in the same year, CrowdStrike disclosed a series of cyberattacks that targeted telecom and BPO companies, starting as early as June 2022. These attacks employed a combination of credential phishing and SIM-swapping techniques. 

The incident cluster is currently under observation and referred to as Roasted 0ktapus, Scattered Spider, and UNC3944. The group initiates their attacks by utilizing smishing and the 0ktapus phishing kit to gain initial access. These attacks typically culminate in data theft and the establishment of long-term persistence. 

Another notable characteristic of their operations involves leveraging compromised infrastructure and stolen data to launch subsequent attacks on the victims' customers. In some cases, they even target the same victims repeatedly to replenish their dataset. 

Unit 42, which investigated multiple Muddled Libra incidents between June 2022 and early 2023, described the group as persistent, methodical, and highly adaptable in pursuit of its objectives, quickly changing its attack strategy in response to obstacles encountered.

"Unit 42 decided to name Muddled Libra because of the confusing muddled landscape associated with the 0ktapus phishing kit; since the kit is now widely available, many other threat actors are adding it to their arsenal. Using the 0ktapus phishing kit alone doesn't necessarily classify a threat actor as what Unit 42 calls Muddled Libra," senior threat researcher Kristopher Russo reported.

Additionally, Muddled Libra shows a preference for legitimate remote management tools to maintain continuous access. The group also tampers with endpoint security solutions to evade detection and relies on tactics such as MFA (multi-factor authentication) notification fatigue, bombarding a user with push prompts until one is approved, to get past credential-based controls.
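MFA notification fatigue leaves a recognisable trace in push logs: a burst of prompts for one user in a short window, sometimes ending in an approval. The following is an added detection example (not Unit 42's or the original post's code) that runs a sliding window over a constructed push log and flags users who received a flood of prompts; the log format, window and threshold are assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (not from the original post). One event per
# line: "<ISO timestamp> <user> <result>", where result is DENIED or APPROVED.
SAMPLE_LOG = """\
2023-06-01T08:00:05Z alice DENIED
2023-06-01T08:00:40Z alice DENIED
2023-06-01T08:01:12Z alice DENIED
2023-06-01T08:01:55Z alice DENIED
2023-06-01T08:02:30Z alice DENIED
2023-06-01T08:03:10Z alice APPROVED
2023-06-01T09:15:00Z bob DENIED
2023-06-01T13:40:00Z bob APPROVED
2023-06-01T10:00:00Z carol DENIED
2023-06-01T10:00:30Z carol DENIED
2023-06-01T10:01:00Z carol DENIED
2023-06-01T10:01:30Z carol DENIED
"""

def parse_log(text):
    """Parse the constructed log format into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, result))
    return events

def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=4):
    """Return {user: verdict} for users who received at least `threshold` pushes
    inside any `window`. 'APPROVED_AFTER_FLOOD' when a burst contains an
    approval (the outcome the attacker is pushing for), otherwise 'FLOOD'."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    verdicts = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the burst fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            burst = evs[start:end + 1]
            if len(burst) < threshold:
                continue
            if any(r == "APPROVED" for _, r in burst):
                verdicts[user] = "APPROVED_AFTER_FLOOD"
            elif user not in verdicts:
                verdicts[user] = "FLOOD"
    return verdicts
```

An "APPROVED_AFTER_FLOOD" verdict is the one to treat as a probable compromise, since the prompt bombardment achieved its goal.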