Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Credential Phishing. Show all posts
User Privacy
Credential Phishing iPhone Users Mobile Security Phishing Campaign User Privacy

Novel Darcula Phishing Campaign is Targeting iPhone Users

 

Darcula is a new phishing-as-a-service (PhaaS) that targets Android and iPhone consumers in more than 100 countries by using 20,000 domains to impersonate brands and collect login credentials.

With more than 200 templates available to fraudsters, Darcula has been used against a wide range of services and organisations, including the postal, financial, government, tax, and utility sectors as well as telcos and airlines.

One feature that distinguishes the service is that it contacts the targets over the Rich Communication Services (RCS) protocol for Google Messages and iMessage rather than SMS for sending phishing messages.

Darcula's phishing service

Darcula was first discovered by security researcher Oshri Kalfon last summer, but according to Netcraft researchers, the platform is becoming increasingly popular in the cybercrime sphere, having lately been employed across numerous high-profile incidents. 

Darcula, unlike previous phishing approaches, uses modern technologies such as JavaScript, React, Docker, and Harbour, allowing for continual updates and new feature additions without requiring users to reinstall the phishing kit. 

The phishing kit includes 200 phishing templates that spoof businesses and organisations from over 100 countries. The landing pages are high-quality, with proper local language, logos, and information. 

The fraudsters choose a brand to spoof and then run a setup script that installs the phishing site and management dashboard right into a Docker environment. The Docker image is hosted via the open-source container registry Harbour, and the phishing sites are built with React.

According to the researchers, the Darcula service commonly uses ".top" and ".com" top-level domains to host purpose-registered domains for phishing attacks, with Cloudflare supporting nearly a third of those. Netcraft has mapped 20,000 Darcula domains to 11,000 IP addresses, with 120 new domains added everyday. 

Abandoning SMS 

Darcula breaks away from standard SMS-based methods, instead using RCS (Android) and iMessage (iOS) to send victims texts with links to the phishing URL. The benefit is that victims are more likely to perceive the communication as trusting the additional safeguards that aren’t available in SMS. Furthermore, because RCS and iMessage use end-to-end encryption, it is impossible to intercept and block phishing messages based on their content.

According to Netcraft, recent global legislative initiatives to combat SMS-based crimes by restricting suspicious communications are likely encouraging PhaaS providers to use other protocols such as RCS and iMessage

Any incoming communication asking the recipient to click on a URL should be viewed with caution, especially if the sender is unknown. Phishing threat actors will never stop trying with novel delivery techniques, regardless of the platform or app.

Researchers at Netcraft also advise keeping an eye out for misspellings, grammatical errors, unduly tempting offers, and calls to action.
Read more »
Third Party Vendors
American Airlines Credential Phishing Data Breach Pilot Credentials Southwest Airlines Third Party Vendors

American and Southwest Airlines Witness Data Breach


This Friday, two of the world’s largest airlines, American Airlines and Southwest Airlines confirmed a data breach where their Pilot Credentials, a third-party software that controls the pilot recruitment and application for numerous airlines, were compromised.

Apparently, the incident took place on May 3, targeting primarily the third-party vendor. No impact on the airlines’ own network or systems has been reported.

What Transpired?

On April 30, the threat actor gained unauthorized access to the Pilot Credentials’ systems and stole files comprising data supplied by a few candidates in the pilot and cadet recruiting process.

According to the official information shared with Maine’s Office of the Attorney General, the breach impacted 5745 pilots and applicants of American Airlines, whereas Southwest reported that around 3009 individuals’ information was compromised.

"Our investigation determined that the data involved contained some of your personal information, such as your name and Social Security number, driver’s license number, passport number, date of birth, Airman Certificate number, and other government-issued identification number(s)," says the American Airline.

The airlines will now drive all pilot and cadet candidates to self-managed internal portals, even though there is no proof that the pilots' personal information was intentionally targeted or exploited for fraudulent or identity theft purposes.

"We are no longer utilizing the vendor, and, moving forward, Pilot applicants are being directed to an internal portal managed by Southwest," Southwest Airlines stated. Both Airlines further notified law enforcement pertaining to its authorities in case of data breaches and are cooperating with the ongoing investigation of the issue.

Recent Years Have Seen More Such Cases

Another case of a data breach that came to light was when American Airlines was targeted back in September 2022. This breach impacted around 1,708 customers and airline employees.

Prior to this, the airline was a victim of a phishing attack that resulted in the compromise of the email accounts of numerous of its employees. The breach included employees’ and customers’ credentials like their names, dates of birth, mailing addresses, phone numbers, email addresses, driver's license numbers, passport numbers, and/or certain medical information.

Further investigation on the matter indicated that the threat actors involved in these breaches may as well have utilized the employees’ compromised accounts to launch more phishing attacks.

Read more »
QuickBhooks
BEC 3.0 Credential Phishing cyber attack Cyber Attacks Phishing Attacks QuickBhooks

'BEC 3.0' Is Here With Tax-Season QuickBooks Cyberattacks

Researchers from Avanan, a Check Point company, have identified a new wave of business email compromise (BEC) attacks, which they refer to as "BEC 3.0." 

In these attacks, cybercriminals sign up for free accounts with legitimate services and use email addresses from domains that are unlikely to be flagged by scanning tools. This evolution in phishing tactics demonstrates how cybercriminals continue to adapt and evade security measures as detection improves. 

The Researchers have discovered evidence of similar attacks coming from PayPal and Google, as well as previous attacks from legitimate QuickBooks accounts. 

These attacks are coupled with carefully written and socially engineered emails that lack the typical bad grammar or typos found in phishing emails. This makes them more difficult for users to spot, as the sender's address, links, spelling, and grammar are all legitimate, deviating from typical phishing hygiene tricks. 

Phishing attacks remain a primary initial access vector due to attackers' increasing use of legitimate SaaS and cloud offerings, such as LinkedIn, Google Cloud, AWS, etc., to host malicious content or direct users to it. 

In the recent QuickBooks attack, victims are informed about the renewal of Norton LifeLock subscriptions and are prompted to call a phone number for verification or cancellation. This detail may not raise suspicion even among savvy email users, as Norton LifeLock is commonly used by both consumers and businesses. 

The phishing campaign in question not only harvests payment credentials but also victims' phone numbers for future attacks via chat apps like WhatsApp. The attackers are adept at creating messages that are convincing to end users and difficult for security protections to detect, as they come from legitimate sources like QuickBooks. 

By placing malicious content within a safe receptacle, such as a legitimate website, the attackers can easily evade detection by security services. Standard checks like domain, SPF, and DMARC may not be effective in detecting these attacks, making them highly deceptive and challenging to prevent. 

To counter the evolving tactics of attackers in phishing attacks, organizations need to enhance their security protections and educate employees about new types of phishing attacks, such as BEC 3.0. This may involve changing the approach to employee education, such as being cautious of all links and verifying phone numbers through Google searches. 

Implementing policies for independent verification of actions requested in BEC emails and data-protection policies can also help detect suspicious activities. Additionally, utilizing browser security that traces links through their intended actions can be beneficial in preventing compromise from advanced phishing attacks.
Read more »
Sophos
Credential Phishing Cyber Security iOS MFA Phishing Attacks Ransomware Attacks. Scam Sophos

Sophos 2023 Threat Report: Cryptocurrency Will Fuel Cyberattacks

The Sophos 2022 Threat Report, released by Sophos, a pioneer in next-generation cybersecurity, illustrates how the gravitational influence of ransomware is attracting other cyber threats to building one vast, linked ransomware delivery system, having essential ramifications for IT security.

Entry-level hackers can buy malware and spyware installation tools from illicit markets like Genesis, and also sell illegal passwords or other data in mass. Access brokers increasingly sell other criminal groups' credentials and susceptible software exploits.

A new ransomware-as-a-service economy has emerged in the last decade due to the rising popularity of ransomware. In 2022, this as-a-service business model has grown, and almost every component of the cybercrime toolkit from initial infection to methods of evading detection is now accessible for purchase, according to the researchers.

Several step-by-step tools and methods that attackers might use to spread the ransomware were revealed when an affiliate of the Conti ransomware published the deployment guide supplied by the operators. RaaS affiliates and other ransomware operators can use malware distribution platforms and IABs to discover and target potential victims once they have the virus they require. The second significant trend predicted by Sophos is being fueled by this.

Gootloader was launching innovative hybrid operations in 2021, as per Sophos's research, that blended broad campaigns with rigorous screening to identify targets for particular malware packs.

Ransomware distribution and delivery will continue to be adapted by well-known cyber threats. Which include spam, spyware, loaders, droppers, and other common malware in addition to increasingly sophisticated, manually handled first access brokers.

Data theft and exposure, threatening phone calls, distributed denial of service (DDoS) assaults, and other pressure tactics were all included in the list of ten pressure methods Sophos incident responders compiled in 2021.

Cryptocurrency will continue to feed cybercrimes like ransomware and unlawful crypto mining. In 2021, Sophos researchers discovered crypto miners like Lemon Duck and MrbMiner, which installed themselves on machines and servers by using newly revealed vulnerabilities and targets that had already been compromised by ransomware operators. Sophos anticipates that the trend will continue until international cryptocurrencies are better regulated.

In addition to promoting their products, cybercrime vendors sometimes post job openings to hire attackers with specialized capabilities. In addition to profiles of their abilities and qualifications, job seekers are posting help-wanted sites on some markets, which also have technical hiring personnel.

As web services grow, different kinds of credentials, particularly cookies, can be utilized in a variety of ways to penetrate networks more deeply and even get through MFA. Credential theft continues to be one of the simplest ways for new criminals to enter gray markets and start their careers.

Read more »
User Privacy
Credential Phishing Cyber Attacks Facebook Ads Phishing Attacks URL Spoofing User Privacy

Millions of Facebook Users' Credentials Were Stolen via Authentic App Services

 

The phishing effort used Facebook and Messenger to deceive millions of consumers into visiting advertising pages and websites where personal account information was exposed. 

The phishing campaign used messages through messenger to entice users to open the link, thus the pop-up requested for account credentials, which unsuspecting consumers provided by filling out the phishing form with their login and password. The campaign operators used the hacked accounts to send more hacker messages to their friends, earning a lot of money through internet advertising fees.

The effort peaked in April-May 2022 but has been active since at least September 2021, as per PIXM, a New York-based AI-focused cybersecurity business. Since one of the identified phishing pages included a link to a publicly accessible traffic monitoring app (whos.amung.us) without authentication, PIXM was able to track down the threat actor and map the campaign. 

Over 405 different usernames were uncovered by PIXM, each of which was linked to a distinct phishing landing page. In 2022, one username, teamsan2val, got 6.3 million views, up 128 percent from 2021. All of these usernames had a total of 399,017,673 sessions. The phishers also informed an OWASP researcher who claimed they made roughly $150 for every thousand visitors from the United States. This equates to $59.85 million in total revenue.

These 405 usernames, as per the researchers, are merely a small portion of the total number of accounts employed in the effort. The second wave of redirections begins after the victim inputs the credentials on the phishing landing page, bringing visitors to advertising pages, survey forms, and so on. These redirects provide referral revenue for the threat actors, which is believed to be in the millions of dollars at this scale. One may deduce three things about the malicious attacks going on based on these new discoveries and disclosures. These are the attacks: 
  • Software-based
  • Growing at an exponential rate 
  • Vulnerable populations are targeted

On all landing pages, PIXM discovered a common code snippet that contained a reference to a website that had been seized as part of an investigation against a Colombian individual named Rafael Dorado. It's unclear who took control of the domain and posted the message.

A reverse whois search turned up links to a real web development company in Colombia, as well as ancient websites selling Facebook "like bots" and hacking services. 

The results of PIXM's inquiry were shared with the Colombian Police and Interpol, but the campaign is still ongoing, although many of the identified URLs have been offline.
Read more »
Vulnerabilities and Exploits
Apple Devices Credential Phishing iOS security iPhone NFC cards Remote Code Execution Threat actors Vulnerabilities and Exploits

Even When Switched Off, iPhones are Vulnerable to Attack

 

The way Apple combines autonomous wireless technology such as Bluetooth, Near Field Communication (NFC), and Ultra-wideband (UWB) in the device, researchers determined that it could be exploited by attackers to target iPhones even when they are turned off. 

Such features—which have access to the iPhone's Secure Element (SE), which stores sensitive information—stay on even when modern iPhones are turned off, as per a team of researchers from Germany's Technical University of Darmstadt. This allows attackers to "load malware onto a Bluetooth chip that is performed when the iPhone is off," according to a research study titled "Evil Never Sleeps: When Wireless Malware Stays On After Turning Off iPhone."

As per Jiska Classen, Alexander Heinrich, Robert Reith, and Matthias Hollick of the university's Secure Mobile Networking Lab, attackers can gain access to secure information such as a user's credit card data, banking details, or even digital car keys on the device by compromising these wireless features. Researchers noted that while the risk is real, exploiting the circumstance is not that simple for would-be attackers. Threat actors will still need to load malware onto the iPhone when it is turned on for subsequent execution when it is turned off. This would require system-level access or remote code execution (RCE), which they might gain by exploiting known weaknesses like BrakTooth. 

The main cause of the problem is the existing implementation of low power mode (LPM) for wireless chips on iPhones. The experts distinguished between the LPM which these processors employ and the power-saving program that iPhone users can use to save battery life. Because LPM support is built into the iPhone's hardware, it cannot be deleted with system upgrades, and has "a long-term impact on the broader iOS security paradigm," according to the researchers.

Analysts disclosed their findings to Apple before publishing the study, but they claim the company did not respond to the difficulties revealed by their findings. It is recommended that one possible solution would be for Apple to implement "a hardware-based switch to disconnect the battery" so that these wireless parts would not have power while an iPhone is turned off.
Read more »
Telecom
Credential Phishing Dark Web Data Breach Finance Healthcare Malicious actor Ransomware Attacks. Stock market Telecom

Dark Web: 31,000 FTSE 100 Logins

 

With unveiling the detection of tens of thousands of business credentials on the dark web, security experts warn the UK's largest companies that they could unintentionally be exposed to significant vulnerability. Outpost24 trawled cybercrime sites for the compromised credentials, discovering 31,135 usernames and passwords related to FTSE 100 companies using its threat monitoring platform Blueliv.

The Financial Times Stock Exchange (FTSE) 100 Index comprises the top 100 companies on the London Stock Exchange in terms of market capitalization. Across several industry verticals, these businesses reflect some of the most powerful and lucrative businesses on the market. 

The following are among the key findings from the study on stolen and leaked credentials: 

  • Around three-quarters (75%) of these credentials were obtained by traditional data breaches, while a quarter was gained through personally targeted malware infections. 
  • The vast majority of FTSE 100 firms (81%) had at least one credential hacked and published on the dark web, and nearly half of FTSE 100 businesses (42%) have more than 500 hacked credentials. 
  • Since last year, there were 31,135 hacked and leaked credentials for FTSE 100 organizations, with 38 of them being exposed on the dark web. 
  • Up to 20% of credentials are lost due to malware infections and identity thieves.
  • 11% disclosed in the last three months (21 in the last six months, and 68% for more than a year) Over 60% of stolen credentials come from three industries: IT/Telecom (23%), Energy & Utility (22%), and Finance (21%). 
  • With the largest total number (7,303) and average stolen credentials per company (730), the IT/Telecoms industry is the most in danger. They are the most afflicted by malware infection and have the most stolen credentials disclosed in the last three months.
  • Healthcare has the biggest amount of stolen credentials per organization (485) due to data breaches, as they have become increasingly targeted by cybercriminals since the pandemic started. 

"Malicious actors could use such logins to get covert network access as part of "big-game hunting" ransomware assault. Once an unauthorized third party or initial access broker obtains user logins and passwords, they can either sell the credentials on the dark web to an aspiring hacker or use them to compromise an organization's network by bypassing security protocols and progressing laterally to steal critical data and cause disruption," Victor Acin, labs manager at Outpost24 company Blueliv, explained.
Read more »
Whatsapp Phishing
Credential Phishing cyber attack Cyber Attacks Whatsapp Phishing

WhatsApp Voice Message Phishing Campaign

 

Recently Armorblox researchers have discovered that the new WhatsApp phishing campaign is targeting users by impersonating WhatsApp's voice message feature, in one of their latest researches.

At least 27,655 email addresses have been targeted by a phishing campaign spoofing WhatsApp's voice message attempting to spread information-stealing malware. This phishing campaign is designed to lead the users through a series of steps that will ultimately end with the installation of an information-stealing malware infection which further will open the way to credential theft. 

Following the incident, researchers released a statement in which they have explained the entire fraudulent process and also warned to identify signs of fraudulent activity for users to better protect themselves from phishing attempts. 

The researchers said that the malicious actors are using the "Whatsapp Notifier" service with an address owned by the Center for Road Safety of the Moscow Region, which notifies recipients regarding a new private message, with the email including a "Play" button, as well as the duration of the audio clip and details regarding the creation of the message. 

Clicking on the "Play" button will redirect recipients to a website that will trigger an allow/block prompt for JS/Kryptic trojan installation, with users lured to click "Allow" to confirm that they are not a robot. Selecting "Allow" would then prompt the installation of the information-stealing malware.

Looking into the issue for Digital Journal Josh Rickard, Security Automation Architect at Swimlane said “Phishing attacks are one of the most common methods of cyberattacks and, unfortunately, have become all too easy for cybercriminals to leverage.” In terms of how this form of attack works, he continues: “ These types of social engineering attacks that exploit human error are highly effective and well-masked. In this case, WhatsApps’s voice message feature was manipulated in an attempt to spread information-stealing malware to over 27,000 email addresses associated with the app.”
Read more »
Subscribe to: Posts (Atom)