
SMB Cyber Threats: Information-Stealing Malware, Ransomware, and BEC

 

In today's digital landscape, small and medium-sized businesses (SMBs) are increasingly becoming prime targets for cybercriminals looking to exploit vulnerabilities for financial gain. A recent report from cybersecurity firm Sophos sheds light on the top cyber threats facing SMBs, highlighting information-stealing malware, ransomware, and business email compromise (BEC) as the most prevalent dangers. 

These malicious programs are designed to clandestinely gather sensitive data and login credentials, posing significant risks to businesses that may not have robust cybersecurity measures in place. The insidious nature of infostealers lies in their ability to operate discreetly, often evading detection until substantial damage has been done. 

Christopher Budd, director of Sophos X-Ops, underscores the escalating value of stolen data among cybercriminals, particularly concerning SMBs. He elucidates a hypothetical scenario where attackers exploit infostealers to compromise a business's accounting software, thereby gaining access to critical financial information and potentially siphoning funds into their own accounts. 

This underscores the dire consequences of falling victim to information-stealing malware, which can have far-reaching financial and reputational implications for SMBs. Despite the prevalence of infostealers, ransomware remains the most significant threat to SMBs' cybersecurity. While Sophos reports that the number of ransomware attacks has stabilized, the evolution of ransomware tactics continues unabated. 

One alarming trend highlighted in the report is the rise of remote encryption attacks, wherein threat actors leverage unmanaged devices within a victim organization to encrypt files on other systems. This sophisticated approach underscores the adaptability and persistence of ransomware operators in their quest to extort businesses for financial gain. 

Following closely behind ransomware, BEC attacks represent another formidable threat to SMBs. These attacks involve cybercriminals engaging in deceptive email correspondence or even phone calls with victims to gather sensitive information or manipulate them into transferring funds. The increasing sophistication of BEC tactics poses significant challenges for SMBs, as attackers leverage social engineering techniques to bypass traditional cybersecurity defenses. 

To mitigate these cyber threats effectively, SMBs must adopt a multi-faceted approach to cybersecurity. This includes implementing robust endpoint protection solutions, regularly updating software to patch known vulnerabilities, and providing comprehensive employee training on cybersecurity best practices. 

Additionally, adopting measures such as multi-factor authentication and encryption can add layers of security to sensitive data and communications, making it more challenging for cybercriminals to exploit vulnerabilities.

SMBs must remain vigilant in the face of evolving cyber threats and prioritize cybersecurity as a fundamental aspect of their business operations. By staying informed about emerging threats and investing in proactive cybersecurity measures, SMBs can fortify their defenses and safeguard their digital assets against malicious actors. With cyber threats continuing to evolve in sophistication and scale, proactive cybersecurity measures are essential for protecting the interests and integrity of SMBs in today's digital landscape.

Sekoia Reports: Latest in the Financial Sector Cyber Threat Landscape


France-based cybersecurity company Sekoia published a new report regarding the evolution in the financial sector threat landscape. 

Among the many cybersecurity issues, phishing attacks like QR code phishing were the ones that have seen a massive surge in the sector.

Also, the report noted that the finance sector is subject to attacks on the software supply chain. 

Phishing as a Service Massively Hits the Sector

Sekoia claims that in 2023, the phishing-as-a-service paradigm reached widespread use. Cybercriminals are selling phishing kits that comprise phishing pages mimicking various financial institutions, as well as kits that impersonate Microsoft sign-in pages to obtain login credentials for Microsoft 365, which businesses use to authenticate to multiple services.

One instance of such a threat is the NakedPages PhaaS, which offers phishing pages for varied targets, among them financial institutions. Its Telegram channel has over 3,500 members; the threat actor manages licenses and frequently posts updates there.

Regarding that number, Livia Tibirna, a strategic threat intelligence analyst at Sekoia, says: “generally speaking, cybercrime actors tend to increase their audience, and so their visibility, by inviting users to join their public resources. Therefore, the users are potential (future) customers of the threat actors’ services. Yet, other types of users joining threat actors’ Telegram resources are cybersecurity experts monitoring the related threats.”

QR Code Phishing Campaigns are on the Rise

Sekoia reports an upsurge in the number of QR code phishing, or "quishing", campaigns. Quishing attacks use QR codes to trick people into divulging personal information, such as login passwords or bank account details.

The cybersecurity firm notes that QR code phishing will eventually increase due to its “effectiveness in evading detection and circumventing email protection solutions.”

According to Sekoia, the most popular kit in Q3 of 2023 is the Dadsec OTT phishing as a service platform, which includes quishing features. It has been noted in a number of extensive attack campaigns, specifically posing as financial institutions.

Multiple Supply Chain Risks

Attacks against the supply chain of open-source software increased by 200% between 2022 and 2023. Since open-source components are used in digital products or services by 94% of firms in the financial sector, the industry is susceptible to attacks that take advantage of supply chain compromises involving open-source software.

One example is the Log4Shell vulnerability, whose exploitation has targeted thousands of companies globally for financial gain and espionage.

There have also been reports of supply chain attacks that particularly target the banking industry, demonstrating the potential of certain threat actors to create complex attacks against the industry.

"It is highly likely that advanced threat actors will persist in explicitly targeting the software supply chain in the banking sector," according to Sekoia.

Financially Oriented Malware 

Sekoia also mentioned several financially oriented malware families that are predominantly designed to steal financial data, such as credit card information, banking credentials, crypto wallets and other critical data:

Mobile Banking Trojans: Sekoia has expressed special concern about the growing number of Trojans associated with mobile banking, which more than doubled in 2022 compared to the previous year and is still growing in 2023. According to Sekoia, this is probably because more mobile devices are being used for financial services, and that malware makes it easier to get around two-factor authentication.

Spyware: According to Sekoia, the use of spyware, malicious programs made to gather passwords, sensitive data, and keystrokes, increased in bank fraud in 2023. One Android malware family, SpyNote, has added banking applications to its list of targets.

Ransomware: The finance industry is a prime target for ransomware; in the third quarter of 2023, it was the sector most affected. Ransom demands ranged from $180,000 to $40 million, and in many instances, they had severe physical repercussions.

According to Sekoia, well-known ransomware actors that use extortion to affect the financial industry, like BianLian, have changed to an exfiltration-based extortion strategy that does not encrypt the victims' systems or data. This action is probably taken to prevent widespread encryption issues during large-scale hacking operations.

Reduce Cyber Threat Risks

The financial sector is vulnerable to several security risks. Although BEC and phishing have been around for a while, they have become more sophisticated over time in order to keep impacting the industry and keep up with emerging technologies. Every employee of a financial institution needs to be trained to recognize potential fraud or phishing attempts. Employees should also have a simple method for reporting any unusual activity to their IT staff.

However, more indirect attacks have recently entered the picture, since threat actors have been targeting organizations through supply chain attacks. Specifically, open-source software used in products or services needs to be thoroughly examined before it is deployed.

Soaring Cyber Insurance Claims are Hurting Firms with Ransomware Attacks and Compromised Emails

 

Cyber insurance is the world's fastest-growing insurance market, yet a recent surge in ransomware attacks and business email intrusions has resulted in large losses for cyber insurers and increased premiums. The UK insurance business is under growing scrutiny from regulators; therefore, understanding how to manage cyber risk inside their own supply chains has become critical.

This industry is crucial in risk management and safeguarding individuals and organisations from potential losses. However, as the insurance supply chain becomes more reliant on digital technology and interconnected systems, it becomes more vulnerable to cyber threats. Every business in the supply chain, from insurance carriers to intermediaries and third-party service providers, is a potential target for cyberattacks. 

SecurityScorecard, a cyber ratings service, revealed some critical information on the top 50 insurers by gross written premium to provide additional insight into the UK cybersecurity insurance market. Based on data from the SecurityScorecard platform, the research discovered that 50% of the top 50 UK insurers by gross written premium are vulnerable to third-party companies that have experienced a domain breach since January 26, 2023.

According to the research, 26% of the top 50 UK insurers have such low cyber ratings that they would have difficulty receiving cyber insurance for themselves. 

Of the top 50 insurers in the UK, 40% are rated A, 34% are rated B, 24% are rated C, 2% are rated D, 26% are rated C or lower for risk, 74% are rated B or higher for risk, and 28% have an active infection as a result of their public footprint. 

Before new regulations catch up with them, insurers should definitely do more to protect their online presence and the third-party suppliers they work with. 

How supply chain cybersecurity may benefit from security ratings 

Long before the regulations are set to take effect, cybersecurity ratings can assist in identifying these problems and resolving them. Ratings allow organisations to assess their cyber hygiene objectively and determine whether their security posture is advancing or degrading over time. 

An insurer's supply chain is made up of third parties, which enable it to operate more profitably and effectively and to innovate quickly. These include vendors, service providers, cloud hosting companies, and any other suppliers that support an organisation. They facilitate conducting business. Unfortunately, they also put businesses at risk.

To mitigate this threat, organisations must establish vendor portfolios and be able to detect common security vulnerabilities, rank suppliers and partners based on risk, and cooperate with those partners to address known vulnerabilities. Identifying and continuously monitoring vendors allows organisations to assess risk in real time and stay ahead of it, making supply chains more resilient.

W3LL Store: Unmasking a Covert Phishing Operation Targeting 8,000+ Microsoft 365 Accounts

 

A hitherto undisclosed "phishing empire" has been identified in a series of cyber attacks targeting Microsoft 365 business email accounts spanning six years. 

According to a report from cybersecurity firm Group-IB, the threat actor established an underground market called W3LL Store, catering to a closed community of around 500 threat actors. This market offered a custom phishing kit called W3LL Panel, specifically designed to bypass Multi-Factor Authentication (MFA), alongside 16 other specialized tools for Business Email Compromise (BEC) attacks.

Between October 2022 and July 2023, the phishing infrastructure is estimated to have aimed at over 56,000 corporate Microsoft 365 accounts, compromising at least 8,000 of them. The majority of the attacks were concentrated in countries including the U.S., the U.K., Australia, Germany, Canada, France, the Netherlands, Switzerland, and Italy. The operators of this operation reportedly reaped approximately $500,000 in illegal gains.

Various sectors fell victim to this phishing campaign, notably manufacturing, IT, consulting, financial services, healthcare, and legal services. Group-IB pinpointed almost 850 distinct phishing websites associated with the W3LL Panel during the same timeframe.

The Singapore-based cybersecurity company has characterized W3LL as a comprehensive phishing tool that offers an array of services, encompassing customized phishing tools, mailing lists, and access to compromised servers. This underscores the growing prevalence of phishing-as-a-service (PhaaS) platforms.

The threat actor responsible for this kit has been active since 2017, initially focusing on creating tailored software for bulk email spam (referred to as PunnySender and W3LL Sender) before shifting their attention towards developing phishing tools for infiltrating corporate email accounts.

A key element of W3LL's arsenal is an adversary-in-the-middle (AiTM) phishing kit, capable of evading multi-factor authentication (MFA) protections. It is available for purchase at $500 for a three-month subscription, followed by a monthly fee of $150. The panel not only harvests credentials but also includes anti-bot features to bypass automated web content scanners, prolonging the lifespan of their phishing and malware campaigns.

The W3LL Store extends a 70/30 split on commissions earned through its reseller program to PhaaS affiliates, along with a 10% "referral bonus" for bringing in other trusted parties. To prevent unauthorized distribution or resale, each copy of the panel requires a license-based activation.

BEC attacks employing the W3LL phishing kit involve a preparatory phase to verify email addresses using an auxiliary utility known as LOMPAT, followed by the delivery of phishing messages. Victims who interact with the deceptive link or attachment are directed through an anti-bot script to filter out unauthorized visitors, subsequently landing on the phishing page via a redirect chain employing AiTM tactics to extract credentials and session cookies.

With this access, the threat actor proceeds to log into the target's Microsoft 365 account without triggering MFA, utilizing a custom tool called CONTOOL for automated account discovery. This enables the extraction of emails, phone numbers, and other sensitive information.

Noteworthy tactics employed by the malware author include using Hastebin, a file-sharing service, to store stolen session cookies, and utilizing platforms like Telegram and email for exfiltrating the credentials to criminal actors.

This disclosure comes shortly after Microsoft's warning regarding the proliferation of AiTM techniques through PhaaS platforms, such as EvilGinx, Modlishka, Muraena, EvilProxy, and Greatness, which facilitate unauthorized access to privileged systems at scale without the need for re-authentication.

"What really makes W3LL Store and its products stand out from other underground markets is the fact that W3LL created not just a marketplace but a complex phishing ecosystem with a fully compatible custom toolset that covers almost the entire kill chain of BEC and can be used by cybercriminals of all technical skill levels," Group-IB's Anton Ushakov said.

"The growing demand for phishing tools has created a thriving underground market, attracting an increasing number of vendors. This competition drives continuous innovation among phishing developers, who seek to enhance the efficiency of their malicious tools through new features and approaches to their criminal operations."


Interpol Operation: 14 Arrested, Allegedly Involved in Scamming Victims of $40 Million


Another Interpol operation detained 14 suspects and identified 20,674 suspected networks spread across 25 African nations that international law enforcement has connected to more than $40 million in losses due to cybercrime.

Operation Africa Cyber Surge II

The police operation, a combined effort of Interpol, African law enforcement and private-sector security firms, commenced in April and lasted for four months. It was conducted to crack down on cybercrime such as phishing, business email compromise (BEC) and other online scams.

The international agency said that the operation was conducted with the help and on-the-ground operational support of several partners, including Group-IB, Interpol and Uppsala Security. Their efforts helped in making three arrests in Cameroon related to an online scam involving the fake sale of artwork valued at $850,000.

Group-IB, which has previously collaborated with Interpol on operations, gathered and shared more than 1,000 indicators from its threat intelligence.

"Collaboration and intelligence sharing should be at the heart of cybersecurity operations, and Group-IB stands ready to make a further contribution to this end, in line with our core strategic mission of fighting against cybercrime in all its forms," Group-IB CEO Dmitry Volkov stated on Friday.

Information gathered by Group-IB and other private partners like Trend Micro, Kaspersky, and Coinbase aided in formulating some 150 Interpol analytical reports with data containing ‘intel on cyber threats’ from different countries. 

Details in the report included:

  • 3,786 malicious command and control servers
  • 14,134 victim IPs linked to data stealer cases
  • 1,415 phishing links and domains 
  • 939 scam IPs 
  • More than 400 other malicious URLs, IPs and botnets. 

The first phase of the operation was carried out between July 2022 and November 2022 and resulted in a number of investigations followed by operations against threat actors in the region. 

The most recent arrests come after months of similar cybercrime activities across Africa as international law enforcement works to dismantle cybercrime networks that operate out of various African nations.

Over 100 people were detained last week throughout the EU and Africa, according to Interpol. Police also recovered assets worth more than €2.15 million ($2.4 million) that belonged to the Black Axe organized crime and cybercrime group.

In July 2023, police in Côte d'Ivoire confirmed the arrest of a suspect who was reportedly a ‘key figure’ of the cybercrime group OPER1ER, responsible for defrauding banks and financial firms across 15 countries.

Interpol said in a statement that the cybercrime group defrauded the firms of between $11 million and $30 million, with targets spread across Africa, Asia and Latin America.

AI Malware vs. AI Defences: WormGPT Cybercrime Tool Predicts a New Era

 

Business email compromise (BEC) attacks are being launched by cybercriminals with the assistance of generative AI technology, and one such tool used is WormGPT, a black-hat alternative to GPT models that has been designed for malicious goals. 

SlashNext said that WormGPT was trained on a variety of data sources, with a concentration on malware-related data. Based on the input it receives, WormGPT can produce highly convincing phoney emails by creating language that resembles human speech. 

Screenshots of malicious actors exchanging ideas on how to utilise ChatGPT to support successful BEC assaults are shown in a cybercrime forum, demonstrating that even hackers who are not fluent in the target language can create convincing emails using gen AI.

The research team also assessed WormGPT's potential risks, concentrating particularly on BEC assaults. They programmed the tool to generate an email intended to persuade an unsuspecting account manager into paying a fake invoice.

The findings showed that WormGPT was "strategically cunning," demonstrating its capacity to launch complex phishing and BEC operations, in addition to being able to use a convincing tone. 

The research study noted that the creation of such tools highlights the threat posed by generative AI technologies, including WormGPT, even in the hands of inexperienced hackers.

"It's like ChatGPT but has no ethical boundaries or limitations," the report said. The report also highlighted that hackers are developing "jailbreaks," specialised commands intended to trick generative AI interfaces into producing output that may involve revealing private data, creating offensive content, or even running malicious code. 

Some proactive cybercriminals are even going so far as to create their own, attack-specific modules that are similar to those used by ChatGPT. This development could make cyber defence much more challenging. 

"Malicious actors can now launch these attacks at scale at zero cost, and they can do it with much more targeted precision than they could before," stated SlashNext CEO Patrick Harr. "If they aren't successful with the first BEC or phishing attempt, they can simply try again with retooled content." 

The growth of generative AI tools is adding complications and obstacles to cybersecurity operations, as well as highlighting the need for more effective defence systems against emerging threats. 

Harr believes that AI-aided BEC, malware, and phishing attacks may be best combated using AI-aided defence capabilities. He believes that organisations will eventually rely on AI to handle the discovery, detection, and remediation of these dangers since there is no other way for humans to stay ahead of the game. Despite its directive to block malicious requests, a Forcepoint researcher persuaded the AI tool to construct malware for locating and exfiltrating certain documents in April. 

Meanwhile, developers' enthusiasm for ChatGPT and other large language model (LLM) tools has left most organisations entirely unable to guard against the vulnerabilities introduced by the emerging technology.

Check Lawyers' Payment Demand Emails: Fake Messages Surface

 


A newly identified threat group called Crimson Kingsnake is behind a growing number of threats. The group impersonates law firms and debt recovery services to intimidate businesses into paying bogus overdue invoices.

The group's business email compromise (BEC) campaign targets businesses in the United States, Europe, Australia, and the Middle East. It impersonates firms using websites hosted on domains that closely resemble the firms' real domains, sends emails that include the impersonated company's actual address and VAT number, and relies on blind third-party impersonation techniques.

Researchers from Abnormal Security, a company that provides cloud-based email security services, point out that all of this reinforces the apparent legitimacy of the messages. Even if the targets suspected the emails were forged, searching Google for the names of the lawyers or law firms would not turn up anything suspicious.

In a report, researchers from Abnormal Security noted that since March they have discovered 92 domains associated with Crimson Kingsnake. These domains impersonate 19 law firms and debt collection agencies in the US, UK, and Australia. According to the authors, the impersonated firms include many large international and multinational practices.

A growing number of organizations and individuals are becoming aware of the threat posed by the Crimson Kingsnake campaign. According to a report by Abnormal Security, a company that specializes in detecting email threats, the number of BEC attacks increased 84 percent year over year in the first half of the year. The report emphasizes that although BEC scams are low in volume compared with other forms of scams, occurring at a rate of less than one per 1,000 mailboxes, they caused almost $2.4 billion in losses in 2021.

There were almost 20,000 BEC victims, a number that matches the FBI's report released earlier this year, which added that the number of victims continued to rise.

According to Abnormal Security, blind third-party impersonation attacks are a subset of BEC attacks, distinct from those that impersonate internal employees, and they accounted for more than half of all such attacks during the first half of 2022.

The researchers note that in blind third-party impersonation attacks the attackers have no direct insight into vendor-customer relationships and financial transactions, unlike other forms of financial supply chain compromise. Instead, they rely purely on the effectiveness of social engineering to succeed.

In these spoofing campaigns, scammers exploit the fact that, as with many other types of social engineering attacks that have gained popularity in recent years, many targets do not pay close attention to the emails they receive and simply comply with the requests.

Aside from that, these attackers often back up their claims with fake invoices that look authentic. The front page of the invoice contains bank account information and genuine details of the organization they are impersonating. They even fabricate email chains bearing the names and addresses of the victim's associates.

As an example, one company targeted by Crimson Kingsnake's campaign received an email from a purported attorney at the international law firm Simon and Cromwell with the subject "unpaid invoice", which is typical of the group's campaigns. The message explained that the lawyer was representing a client seeking to collect payment on an unpaid invoice issued to the target's company, that he had been advised to contact the recipient about the matter, and that he hoped it could be resolved as soon as possible.

If the target replies to the email, a fake PDF invoice is sent containing the account details the target is to pay into. The document contains a false description of the services rendered and the amount owed to the law firm, along with an invoice number, an account reference number, bank account details, and a VAT (value-added tax) ID that is the impersonated firm's actual VAT number, a unique number for each taxable and non-taxable entity. VAT numbers are used in almost all regions of the world, including the UK, Europe, Australia, and some parts of Asia.

According to the researchers, the invoices include information about whom to contact with any questions as well as a notification of rights. Given the complexity and details of the invoices, Crimson Kingsnake may be using altered versions of the legitimate invoices submitted by the impersonated firms. 

The US experts stressed that some of the information they have collected about the threat group indicates that at least some of its members may live in or around the UK.

Occasionally, when an employee questions the invoice sent by the threat group, the group sends a second bogus email that appears to come, via the company's internal mail, from an executive. This confirmation email vouches for the legitimacy of the invoice, sometimes referring to an action that should have taken place months before, and authorizes the payment.

Although the email from the impersonated executive is sent from a domain controlled by Crimson Kingsnake, its display name includes the executive's real email address in parentheses. Because the source appears to be genuine, the message looks more credible.
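The two tells described above, a sender domain that closely resembles a legitimate firm's domain and a display name that embeds someone else's real email address in parentheses, are both checkable on the `From:` header alone. The following is an added example written for this page; it is not Abnormal Security's detection logic or code from the report. The trusted-domain list, the email addresses and the edit-distance threshold are constructed placeholders.

```python
"""Heuristic checks for two BEC header patterns (constructed example).

Flags:
  1. a display name that embeds an email address whose domain differs from
     the actual sender domain (the "executive's address in parentheses" trick);
  2. a sender domain that is a near-miss of a trusted domain (lookalike).
"""
import re

# Constructed allow-list: domains the organisation legitimately deals with.
# Placeholders, not the real firms named in the report.
TRUSTED_DOMAINS = {"examplelaw.com", "victimcorp.example"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Display part (anything before the final <addr>) and the address itself.
# Done by hand rather than with email.utils.parseaddr, because parseaddr
# treats an unquoted "(...)" in the display name as an RFC 5322 comment
# and silently drops it, which would hide exactly the pattern we look for.
FROM_RE = re.compile(r"^(.*?)\s*<([^<>]+)>\s*$")


def split_from(from_header: str):
    """Return (display_name, address) for a From: header value."""
    m = FROM_RE.match(from_header.strip())
    if m:
        return m.group(1).strip().strip('"'), m.group(2).strip()
    return "", from_header.strip()  # bare address, no display name


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Crude label-before-TLD so examplelaw.com vs examplelaw.co compare equal.
    (Ignores multi-part suffixes such as co.uk; good enough for the demo.)"""
    parts = domain.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2):
    """Return the trusted domain this one imitates, or None if exact/unrelated."""
    domain = domain.lower()
    if domain in trusted:
        return None  # exact match: legitimate, not a lookalike
    for t in trusted:
        if registrable(domain) == registrable(t):
            return t  # same name, different TLD (e.g. .com -> .co)
        if levenshtein(domain, t) <= max_dist:
            return t  # one or two character edits away (e.g. rn for m)
    return None


def analyse_from_header(from_header: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Parse a From: header and return the findings as a dict."""
    display, addr = split_from(from_header)
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = {"sender": addr, "flags": []}

    # 1. an address embedded in the display name, with a different domain
    for embedded in EMAIL_RE.findall(display):
        if embedded.rsplit("@", 1)[-1].lower() != sender_domain:
            findings["flags"].append(("display_name_embeds_other_address", embedded))

    # 2. the sender domain imitates a trusted domain
    imitated = lookalike_of(sender_domain, trusted)
    if imitated:
        findings["flags"].append(("lookalike_domain", imitated))

    findings["suspicious"] = bool(findings["flags"])
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not real messages from the campaign.
    for hdr in (
        '"Jane Doe (jane.doe@victimcorp.example)" <jdoe@mail-secure.example>',
        "Alex Roe <aroe@examplelaw.co>",
        "Alex Roe <aroe@exarnplelaw.com>",
        "Alex Roe <aroe@examplelaw.com>",
    ):
        print(analyse_from_header(hdr))
```

A mail gateway rule built on this would quarantine or banner the first three headers and pass the fourth. The edit-distance threshold is deliberately low; raising it catches more typosquats but also more unrelated short domains, so tune it against your own allow-list.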

A user-friendly, context-aware email security platform, such as Abnormal Security's, can help corporations reduce the threat of such BEC scams by providing behaviour-based, context-aware detection that evaluates both the sender's identity and the context of the message. Companies should also have strong procedures for outgoing payments, especially when invoices involve significant sums of money.

Cybersecurity awareness training for employees is a crucial part of combating BEC, as it is with any social engineering attack.