Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Credentials Harvesting. Show all posts

North Korean Hackers Target Crypto Users with Phony Job Offers

 

In an effort to commit cryptocurrency heists, North Korean hackers are exhibiting a "startup mentality," according to a report released on Wednesday by cybersecurity company Proofpoint. 

The Sunnyvale, California-based company claimed that in December, a group they call TA444, which is similar to the notorious hacking gang Lazarus, unleashed a massive wave of phishing assaults against the banking, education, government, and healthcare sectors in the United States and Canada. 

The group's emails adopted strategies that were distinct from the methods researchers had previously connected them with, such as attempts to obtain users' passwords and login information. 

According to the study, "this extensive credential harvesting operation is a variation from standard TA444 activities, which normally include the direct deployment of malware." 

The hackers generated information like job offers and salary modifications to entice targets and employed email marketing tools to get through phishing systems. In addition, they used LinkedIn, a social networking site, to communicate with victims before sending them links to malware, the report further reads. 

According to Proofpoint, the spam wave in December nearly doubled the number of emails the group sent over the whole year.

TA444 has a "startup attitude," according to Greg Lesnewich, senior threat researcher at Proofpoint, and is "trying a variety of infection chains to help grow its revenue streams." 

He claimed that the threat actor "embraces social media as part of their M.O. and quickly ideas new attack tactics." By bringing in movable money, TA444 "leads North Korea's cashflow generation for the leadership." 

North Korea, which is still subject to strict international sanctions, has grown more dependent on cybercrime to fund its illegal weapons programme. 

The astonishing heist of more than $600 million in bitcoin from an online video game network in March was perpetrated by a group with ties to Pyongyang, according to the FBI. 

On Monday, the FBI also declared that the Lazarus Group was in charge of a $100 million theft from Horizon Bridge, a cryptocurrency transfer service run by the American Harmony blockchain, in June. North Korea has stolen bitcoin assets worth $1.2 billion worldwide since 2017, with the majority of that value coming in 2022, as per South Korea's National Intelligence Service, which made the revelation last month. 

The spy service forewarned that Pyongyang was likely to speed up its efforts this year to obtain vital defence and intelligence technology from the South.

Attackers Abuse Facebook Ad Manager in Credential-Harvesting Campaign

 

Attackers are capitalising on the power of the Facebook brand by sending emails that appear to be from Facebook Ads Manager. The plan is to trick victims into providing their credentials and credit card information on a Facebook lead generation form. 

According to a report published on Tuesday by Avanan's security research team, attackers are sending phishing messages that seem to be urgent warnings from Meta's "Facebook AdManager" team. The messages claim that the victim is not following the company's ad policies and that the ad account will be terminated if the target does not appeal to the fictional violation. 

The "appeal form" link takes visitors to a credential-harvesting site that collects passwords and credit card information using a real Facebook lead-generation form.

An intriguing aspect of the campaign is that, rather than using a harvesting site hosted on a suspect IP somewhere, attackers are exploiting the Facebook ads system to create malicious lead-generation forms. This method kills two birds with one stone: For starters, it deceives many automated checks for malicious links used by email platforms. The Avanan team refers to using legitimate sites as the Static Expressway.

Jeremy Fuchs, cybersecurity researcher for Avanan explained in the report, "Hackers are leveraging sites that appear on static Allow Lists. That means that email security services have broadly decided that these sites are trustworthy, and thus anything related to them comes through to the inbox."

Furthermore, using Facebook Ads forms provides a high level of realism for any of Facebook's eight billion advertising users who are already familiar with the Ads Manager platform and the lead-generation forms it generates.

"For the end user, seeing that their Facebook ad account has been suspended is cause for concern," Fuchs said. "Since it’s a legitimate Facebook link, the user would feel confident continuing on."

While the sites used in this credential harvesting campaign appeared to be legitimate, Fuchs discovered a red flag in the phishing messages: These are typically sent from Outlook accounts such as pageguidelinesfacebook@outlook.com.

Furthermore, the physical address footer in the emails is incorrect. However, if users did not notice these details, they could easily be duped by this hoax. According to earlier this year's research, brand impersonations, or brandjacking, like these elevated by 274% last year as attackers continue to peddle their scams by appearing to come from trustworthy sources. Facebook is a popular platform for phishers to imitate. 

According to a Vade report released this spring, Facebook was the most impersonated brand last year, edging out perennial favourite Microsoft for the top spot. Email attacks increased by 48% in the first half of 2022, as per Abnormal Security research, with more than one in ten attacks impersonating well-known brands. So far in 2022, 256 individual brands have been impersonated, with LinkedIn and Microsoft appearing to be the favourites.

Microsoft Accounts Attacked by Russian-Themed Credential Theft

 

The Ukrainian conflict is being capitalized by malicious emails notifying Microsoft users of "unusual sign-in activity" from Russia. While there are valid concerns that the Russian-Ukrainian conflict would launch a global cyber warfare conflagration, small-time cybercriminals are stepping up their efforts amid the crisis. 

According to Malwarebytes, which discovered a slew of spam emails referencing Russian hacking activities. Phishing emails to Microsoft users have begun to circulate, warning of Moscow-led account hacking and attempting to steal credentials and other personal information. The messages' subject line reads, "Microsoft account unusual sign-in activity." The text in the body is as follows:  

“Unusual sign-in activity
We detected something unusual about a recent sign-in to the Microsoft account
Sign-in details
Country/region: Russia/Moscow
IP address:
Date: Sat, 26 Feb 2022 02:31:23 +0100
Platform: Kali Linux
Browser: Firefox
A user from Russia/Moscow just logged into your account from a new device, If this wasn’t you, please report the user. If this was you, we’ll trust similar activity in the future.
Report the user
Thanks,
The Microsoft account team”

According to Malwarebytes' Tuesday research, the emails then include a button to "report the user" as well as an unsubscribe option. When you click the button, a new message is created with the short subject line "Report the user." Microsoft account protection is referenced in the recipient's email address. Using email to answer could expose users to a variety of threats. 

The researchers explained, “People sending a reply will almost certainly receive a request for login details, and possibly payment information, most likely via a bogus phishing page. It’s also entirely possible the scammers will keep everything exclusively to communication via email. Either way, people are at risk of losing control of their accounts to the phishers. The best thing to do is not reply, and delete the email.” 

As usual, the spam contains red flags in the form of grammatical problems, such as misspellings like "acount." To put it another way, it's not a highly sophisticated attempt, but it's clever. Climbing curiosity (or terror) is a catnip for social engineers, as it is with any significant world event. 

“Given current world events, seeing ‘unusual sign-in activity from Russia’ is going to make most people do a double, and it’s perfect spam bait material for that very reason. [The emails] (deliberately or not) could get people thinking about the current international crisis. Being on your guard will pay dividends over the coming days and weeks, as more of the below is sure to follow,” stated researchers. 

The email is targeted just at Microsoft account holders, but the good news is that Outlook is sending it directly to spam.. However, the firm pointed out that, “depending on personal circumstance and/or what’s happening in the world at any given moment, one person’s ‘big deal’ is another one’s ‘oh no, my stuff.’ That’s all it may take for some folks to lose their login, and this mail is perhaps more salient than most for the time being.”