Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label CAPTCHA Security. Show all posts

Rise in Phishing Attacks Targeting US Schools Raises Concerns

 



Through a recent report by PIXM, a cybersecurity firm specialising in artificial intelligence solutions, public schools in the United States face a significant increase in sophisticated phishing campaigns. Threat actors are employing targeted spear phishing attacks, utilising stealthy patterns to target officials in large school districts, effectively bypassing Multi-Factor Authentication (MFA) protections.

Since December 2023, there has been a surge in MFA-based phishing campaigns targeting teachers, staff, and administrators across the US. The attackers, identified as the Tycoon and Storm-1575 threat groups, employ social engineering techniques and Adversary-in-the-Middle (AiTM) phishing to bypass MFA tokens and session cookies. They create custom login experiences and use services like dadsec and Phishing-as-a-Service (PhaaS) to compromise administrator email accounts and deliver ransomware.

The Tycoon Group's PhaaS, available on Telegram for just $120, boasts features like bypassing Microsoft's two-factor authentication. Meanwhile, Microsoft identifies Storm-1575 as a threat actor engaging in phishing campaigns through the Dadsec platform. The attacks involve phishing emails prompting officials to update passwords, leading them to encounter a Cloudflare Captcha and a spoofed Microsoft password page. If successful, attackers forward passwords to legitimate login pages, requesting two-factor authentication codes and bypassing MFA protections.

The attacks commonly target officials such as the Chief of Human Capital, finance, and payroll administrators. Some attempts involve altering Windows registry keys, potentially infecting machines with malicious scripts. The attackers conceal their tracks using stealth tactics, hiding behind Cloudflare infrastructure and creating new domains.

Despite using CAPTCHAs in phishing attacks providing a sense of legitimacy to end-users, there's potential for malicious trojan activity, including modifying Windows registry keys and injecting malicious files. These attacks can result in malware installation, ransomware, and data exfiltration.

Schools are the most targeted industry by ransomware gangs, with student data being a prominent prey of cybercrime. A concerning trend shows unprecedented data loss, with over 900 schools targeted in MOVEit-linked cyber attacks. Recent data leaks, such as the one involving Raptor Technologies, have exposed sensitive records belonging to students, parents, and staff, raising concerns about student privacy and school safety.

To protect against these phishing attacks, organisations are advised to identify high-priority staff, invest in tailored awareness efforts, caution users against suspicious links, and implement proactive AI-driven protections at the browser and email layers.

To take a sharp look at things, the surge in phishing attacks targeting US schools states the significance of cybersecurity measures and the need for increased awareness within educational institutions to safeguard sensitive information and ensure the privacy and safety of students and staff.


Phishing Emails Faking Voicemails aim to Steal Your Data

 

Vishing is the practice of sending phishing emails to victims that appear to be voicemail alerts to acquire their Microsoft 365 and Outlook login information. Researchers at Zscaler's ThreatLabz said this email campaign, which resembles phishing emails from a few years ago, was discovered in May and is still active. 

The researchers stated this month that the recent wave targets US organizations across various industries, including software security, security solution providers, the military, healthcare and pharmaceuticals, and the manufacturing and shipping supply chain. 

An email is where it all begins

Attackers inform recipients of missed voicemails via email notifications that contain links to web-based attachments. Although many people don't check voicemail, audio messages on LinkedIn and WhatsApp have been there for a while, so using them to deceive consumers into clicking a link in an email can be successful. 

Naturally, when the target clicks the link, they are taken to a credential phishing web page hosted on Japanese servers rather than a voicemail at all. The user gets directed to the Microsoft Office website or the Wikipedia page if the encoded email address at the end of the URL is missing.

The user is shown the final page, which is an Office 365 phishing page after they have correctly supplied the CAPTCHA information. The 2020 campaign Zscaler tracked using the same approach. 

"Since they can persuade the victims to open the email attachments, voicemail-themed phishing attacks continue to be an effective social engineering strategy for attackers. This, together with the use of evasion techniques to get around automatic URL inspection tools, aids the threat actor in acquiring the users' credentials more successfully "reports Zscaler ThreatLabz

Microsoft 365 Remains a Popular Victim 

In a 2022 Egress research titled "Fighting Phishing: The IT Leader's View," it was found that 40% of firms utilizing Microsoft 365 reported becoming victims of credential theft, and 85% of organizations using Microsoft 365 reported being victims of phishing in the previous 12 months. 

As the majority of businesses quickly transitioned to a primarily remote-work style, with many workers working from their homes, phishing usage continued to increase. It peaked during the peak of the COVID-19 pandemic in 2020 and 2021. 

A substantial majority of credentials have been successfully compromised by the effort, which can be utilized for a number of different cybercrime endgames. These consist of taking control of accounts to gain access to files and data theft to send malicious emails that appear to be from a legitimate organization, and implanting malware,. The goal is to trick victims into using the same passwords for several accounts by adding the user ID/password combinations to credential-stuffing lists. 

A rich mine of data that may be downloaded in bulk can usually be found in Microsoft 365 accounts, according to Robin Bell, CISO of Egress. Hackers may also use compromised Microsoft 365 accounts to send phishing emails to the victim's contacts in an effort to boost the success of their attacks.

MyBB CAPTCHA Flaw Breaks Forum Validation Checks

 

MyBB has issued a warning to users that the latest version of the programme contains a CAPTCHA-breaking flaw that may affect forum functioning. 

The popular open-source software serves as the foundation for thousands of online forums. However, in June, version 1.8.27 accidentally introduced a programming vulnerability that affects CAPTCHA verification systems enabled by users. 

The project's developers warned on October 3 that the problem affects reCAPTCHA v3 and hCaptcha invisible, two services meant to prevent harmful bots from flooding web pages with false traffic. According to the MyBB developers, validation efforts performed using CAPTCHAs, when applied on a forum, “appear broken and the verification can reject or accept attempts incorrectly”. 

The problem, which has been reported on GitHub, was caused by the usage of the incorrect template and handlers for the CAPTCHAs. Incorrect pointers in reCAPTCHA v3 have resulted in a faulty image verification prompt, possibly allowing the system to be circumvented. 

In the context of hCaptcha, the incorrect handler may cause the feature to refuse all challenges. MyBB advises that users move to an alternative technique for applying CAPTCHAs on their forums temporarily or manually apply forthcoming updates available on GitHub. 

Version 1.8.27 is presently being stabilized, and a fix will be included in the next maintenance release.

Examine the builds 

In addition to the CAPTCHA fix, MyBB has requested forum managers to check their error logging configurations. A read-only feature released in MyBB 1.8.27 requires XHTML code validation as it is created to give forum administrators a chance to notice any errors in a configuration error report– ahead of the planned full release of this feature. 

Customized MyCodes, plugins, theme templates, or username styles that are incompatible with the next version may cause problems in the next build. 

The developers stated, “After upgrading, validation errors will continue to be logged, but messages with problematic MyCode will not be displayed to prevent potential XSS attacks against your forums.”

Hackers hiding malware behind Captcha







Hackers are hiding malware inside the Captcha to evade email security gateways. This technique helps attackers in establishing the authencity of the email. 

There are various social engineering methods that are used by the hackers in tricking users to believe them. 

A new email campaign using an email id @avis.ne.jp, alerts recipients that they received a voice message.  The voice attached with a preview tempts users to listen to the full message.

The email contains a play button, which directs users to the page that contains captcha, this step is to bypass the automated analysis tools and to bypass secure email gateways.

The malicious page asks users to select a Microsoft account to log in when the victim login all their credentials are captured.

“Both pages are legitimate Microsoft top-level domains, so when checking these against domain reputation databases we receive a false negative and the pages come back as safe,” reads Cofense report.

Before clicking on any link attached to the email, the user should investigate that the website is safe or not. 


Trojan bypasses captcha to dupe users

A new malware targeting android users have been identified which has the power to bypass user verifications to subscribe people into premium services.
The malware, identified as Trojan-SMS.AndroidOS.Podec can bypass captcha verification or advice of charge (this notifies users regarding charges and seeks payment authorization) and send messages to premium numbers or subscribe users to premium rate services.
The captcha recognition part is what makes this Trojan so devious, the malware communicates with an image to text translation provider called Antigate where a human translates the image for the captcha to text and relays it. The text is then inserted into the actions field, the verification thus happens without user consent and can be exploited to extort money regularly in a covert fashion. The users would have a hard time pointing the source for deduction in accounts.
Till now, it has been circulating in Russia and its neighbouring countries with the infection originating from servers of popular Russian networking site VKontakte or domains with imposing names like Apk-downlad3.ru, minergamevip.com, etc.
The malware is mostly spread through a number of groups on the social networks, all of which makes posts or give links providing cracked versions of popular android games. These groups are similarly managed with the same administrator.
The usage of keywords in descriptions of the groups, hosting of  fake sites all which are based on one idea places the group or sites at top of search results, indicating involvement of black SEO specialists.
Kaspersky Lab's analysts analysed the Trojan which in one case was masquerading as 'Minecraft Pocket Edition'. It operates on the notion that the users are guided by the lightness of the app to download it.
On launch, the application asks for administrator privileges, which if granted makes it impossible to be deleted by the user or a security solution. If the user rejects the request, the Trojan is repeated till privilege is granted. After receiving administrator privileges, the legitimate mine craft is downloaded. After installation the Trojan removes its own shortcuts, replaces it with the Minecraft shortcut and erases traces from the device administrator list. If somehow the users try to delete it, the mobile shuts down or screen locks or shows other erratic behaviour. The Trojan has the further potential to exploit super-user privileges, which some users might have.
Analysis of the malware shows diligent effort on the part of the cybercriminals. They have introduced garbage classes and obfuscation into the code and have also used an expensive legitimate code protector to make the access to the source code difficult. Moreover, while communicating for instructions the Trojan uses an adaptive list of control and command domains, thus even if one domain is blocked under suspicion others can be used. 
It is suspected that the Trojan is undergoing further development with newer capabilities being added.
In light of such circumstances as a user it is best to be wary of free services, avoiding suspicious links and downloading only from official sources like Google Playstore.
(For more information visit SecureList.)

CAPTCHA Security On popular sites hacked using Automated Tool


Researchers Elie Bursztein, Matthieu Martin and John C. Mitchel ,from Standford university developed an automated tool that can break the text-based anti spam test used in many popular sites. 

In order to block Spam comments and Automated registration, websites use CAPTCHA Security Test.
For example, whenever you register in forum, it will ask to enter the exact text in the image.  

They tested their tool against 15 popular websites.  13 out of 15 sites are vulnerable to Automated Attack.

Success rate on Visa's Authorize.net payment gateway is 66%. 70% success rate on Blizzard's World of Warcraft portal. Other interesting results were registered on eBay, whose CAPTCHA implementation failed 43% of the time, and on Wikipedia, where one in four attempts was successful. Lower, but still significant, success rates were found on Digg, CNN and Baidu -- 20, 16 and 5% respectively. Meguapload has success rate 93%(highest one).

The only tested sites where CAPTCHAs couldn't be broken were Google and reCAPTCHA.


After these test result come out, Authorize.net and Digg have switched to reCAPTCHA. 

The researchers, Elie Bursztein, Matthieu Martin and John C Mitchel have also developed techniques to break audio CAPTCHAs on sites like Microsoft, eBay, Yahoo and Digg, presented their latest research at the recent ACM Conference On Computer and Communication Security in Chicago.

Download Full report:
https://cdn.elie.net/publications/text-based-captcha-strengths-and-weaknesses.pdf