Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Email Spoofing. Show all posts

How to Protect Yourself Against Phishing Extortion Scams Involving Personal Data

 

Imagine receiving an email with a photo of your house, address, and a threatening message that seems ripped from a horror movie. Unfortunately, this is the reality of modern phishing scams, where attackers use personal information to intimidate victims into paying money, often in cryptocurrency like Bitcoin. One victim, Jamie Beckland, chief product officer at APIContext, received a message claiming to have embarrassing video footage of him, demanding payment to keep it private. 

While such emails appear terrifying, there are ways to verify and protect yourself. Many images in these scams, such as photos of homes, are copied from Google Maps or other online sources, so confirming this can quickly expose the scam. To check if an image is pulled from the internet, compare it to Google Maps street views. Additionally, always scrutinize email addresses for legitimacy. Cybersecurity expert Al Iverson from Valimail advises checking for any small variations in the sender’s email domain and examining SPF, DKIM, and DMARC authentication results to determine if the email domain is real. 

Be cautious if a message appears to come from your own email address, as it’s often just a spoofed sender. Links in phishing emails can lead to dangerous sites. Founder of Loop8, Zarik Megerdichian, recommends extreme caution and encourages reporting such scams to the Federal Trade Commission (FTC). Monitoring your financial accounts, disputing unauthorized charges, and updating or canceling compromised payment methods are other essential steps. To reduce vulnerability, it’s wise to change your passwords, set up a VPN, and isolate your network. Yashin Manraj, CEO of Pvotal Technologies, suggests transferring critical accounts to a new email, informing your family about the scam, and reporting it to law enforcement, such as the FBI, if necessary. 

One of the best defenses against these types of scams is to control your data proactively. Only share essential information with businesses, and avoid giving excessive details to online services. Megerdichian emphasizes the importance of asking whether every piece of data is truly necessary, as oversharing can open the door to future scams. 

With these strategies, individuals can better protect themselves from extortion phishing scams. It’s crucial to stay vigilant and avoid interacting with suspicious emails, as this will help shield you from falling victim to increasingly sophisticated cyber threats.

Google Strengthens Gmail Security, Blocks Spoofed Emails to Combat Phishing

 

Google has begun automatically blocking emails sent by bulk senders who do not satisfy tighter spam criteria and authenticating their messages in line with new requirements to strengthen defences against spam and phishing attacks. 

As announced in October, users who send more than 5,000 messages per day to Gmail accounts must now configure SPF/DKIM and DMARC email authentication for their domains. 

The updated regulations also mandate that bulk email senders refrain from delivering unsolicited or unwanted messages, offer a one-click unsubscribe option, and react to requests to unsubscribe within two working days. 

Additionally, spam rates must be kept at 0.3%, and "From" headers cannot act like to be from Gmail. Email delivery issues, such as emails being rejected or automatically directed to recipients' spam folders, may arise from noncompliance. 

"Bulk senders who don't meet our sender requirements will start getting temporary errors with error codes on a small portion of messages that don't meet the requirements," Google stated. "These temporary errors help senders identify email that doesn't meet our guidelines so senders can resolve issues that prevent compliance.” 

In April 2024, we will start rejecting non-compliant traffic. Rejection will be gradual, affecting solely non-compliant traffic. We strongly recommend senders to utilise the temporary failure enforcement period to make any necessary changes to become compliant, Google added. 

The company also intends to implement these regulations beginning in June, with an expedited timeline for domains used to send bulk emails starting January 1, 2024.

As Google said when the new guidelines were first released, its AI-powered defences can successfully filter roughly 15 billion unwelcome emails per day, avoiding more than 99.9% of spam, phishing attempts, and malware from reaching users' inboxes. 

"You shouldn't need to worry about the intricacies of email security standards, but you should be able to confidently rely on an email's source," noted Neil Kumaran, Group Product Manager for Gmail Security & Trust in October. "Ultimately, this will close loopholes exploited by attackers that threaten everyone who uses email.”

A Phishing Attack Impersonates the US DoL in Order to Steal Account Credentials

 

Many phishing attacks seek to defraud individuals by mimicking and imitating legitimate companies and organizations. A phishing email that looks to be from an official government agency is particularly deceiving since it exudes authority. Inky discovered a harmful campaign in the latter half of 2021 that spoofs the US Department of Labor in order to steal the account credentials of unwary victims. 

In a blog post published on Wednesday, Inky describes a series of phishing assaults in which the sender address on the majority of the emails looked to come from no-reply@dol.gov, the Department of Labor's legitimate domain. A couple of the emails were spoofed to appear to be sent from no-reply@dol.com, which is not the department's actual domain. The remainder came from a collection of newly formed look-alike domains, including dol-gov[.]com, dol-gov[.]us, and bids-dolgov[.]us. These phishing emails claimed to be from a senior DoL employee in charge of procurement and asked recipients to submit bids for "ongoing government projects." 

A PDF attachment accompanying the email appeared to be an official DoL document, complete with all the necessary images and branding. On the second page of the PDF, a BID button led to what looked to be the Department of Labor's procurement platform but was actually a rogue website impersonating the department. 

When the victim closed the document, they saw an exact replica of the official DoL website. The smart phishers simply copied and pasted HTML and CSS from the original site onto the phishing site. 

The website then displays a "Click here to bid" button as the following step in the process. Anyone who clicks on that button will be directed to a credential harvesting form with instructions on how to submit a bid using a Microsoft account or another business account. The victim would be informed that their credentials were incorrect after entering them. The credentials, however, had been stolen by the attacker. If the user tried to input their credentials again, they would be sent to the official DoL page, which would further trick them. 

The phishers were able to send their phishing emails via abused servers supposedly managed by a non-profit professional membership group in the majority of these attacks (the ones in which the spoofed sender was either no-reply@dol[.]gov or no-reply@dol[.]com). 

Inky suggested a few tips to safeguard customers from this type of phishing scam, such as the fact that US government domains normally end in .gov or .mil rather than .com or another suffix, the US government does not usually send cold emails to collect bids for projects, and to check SMTP server settings. SMTP servers should not be configured to accept and forward emails from non-local IP addresses to non-local mailboxes by unauthenticated and unauthorized users.

Oil & Gas Targeted in Year-Long Cyber-Espionage Campaign

 

A sophisticated campaign aimed at big multinational oil and gas firms has been running for more than a year, spreading common remote access trojans (RATs) for cyber-espionage objectives, as per researchers. 

According to Intezer analysis, spear-phishing emails with malicious links are used to deploy RATs such as Agent Tesla, AZORult, Formbook, Loki, and Snake Keylogger on infected computers all with the goal of stealing confidential data, banking information, and browser information, as well as logging keyboard strokes. 

While energy corporations are the primary targets, the campaign has also targeted a few companies in the IT, industrial, and media industries, as per researchers. Its targets are primarily based in South Korea, but include companies from the United States, United Arab Emirates, and Germany, too. 

The report states, “The attack also targets oil and gas suppliers, possibly indicating that this is only the first stage in a wider campaign. In the event of a successful breach, the attacker could use the compromised email account of the recipient to send spear-phishing emails to companies that work with the supplier, thus using the established reputation of the supplier to go after more targeted entities.” 

According to Intezer, “The company is FEBC, a religious Korean Christian radio broadcaster that reaches other countries outside of South Korea, many of these countries which downplay or ban religion. One of FEBC’s goals is to subvert the religion ban in North Korea.” 

Modus Operandi of the Attack:

According to analysts, the attackers launch the attack by sending emails customized to the staff at each of the companies targeted. The email addresses of the recipients range from basic (info@target company[.]com, sales@target company[.]com) to particular persons inside organizations, implying various levels of reconnaissance. 

The email addresses used in the "From" box are typo squatted or forged to provide the impression of authenticity. They are designed to seem like emails from real organizations that the targets are familiar with. Typosquatting fools email recipients into believing that an email has been sent from a trusted entity. 

“The contents and sender of the emails are made to look like they are being sent from another company in the relevant industry offering a business partnership or opportunity,” according to Intezer. 

Other attempts to appear official include making references to executives and utilizing the physical addresses, logos, and emails of genuine organizations in the text of the emails. As per the posting, these also contain requests for quotes (RFQ), contracts, and referrals/tenders for genuine projects linked to the targeted company's business. 

The file name and icon of the attachment in the majority of these emails seem like a PDF. Intezar experts stated the goal is to make the file appear less suspicious, entice the targeted user to open and read it. An information stealer is executed when the victim opens the attachment and clicks on the files it contains. 

Intezer also highlighted that the malware's execution is fileless, meaning it is loaded into memory without generating a file on disc, in order to avoid detection by standard antivirus. 

A Social-Engineering Bonanza: 

According to experts, while the technological parts of the operation are pretty standard, cyber attackers excel when it comes to social engineering and completing their study on their targets. 

One email, for example, claimed to be from Hyundai Engineering and mentioned an actual combined cycle power plant project in Panama. The email instructs the recipient to submit a bid for the project's equipment supply and includes more data and requirements "in the attached file" (containing the malware). In addition, the communication specifies a firm deadline for proposal submissions. 

Another email examined by Intezer researchers was sent to an employee of GS E&C, a Korean contractor involved in a number of worldwide power plant projects. The email requested both technical and commercial proposals for the goods listed in the attached, which was ostensibly a material take-off (MTO) document. 

Researchers stated, “The content of the emails demonstrates that the threat actor is well-versed in business-to-business (B2B) correspondence. This extra effort made by the attacker is likely to increase the credibility of the emails and lure victims into opening the malicious attachments.”

Banking Trojan 'Metamorfo' Now Targeting Online Users' Banking Services


Online banking users are being targeted by a trojan malware campaign going around the globe with the agenda of gaining illegal access to personal information such as credit card details and other sensitive data of users.

The banking trojan which has successfully affected more than 20 online banks goes by the name 'Metamorfo'. Several countries fell prey to the banking trojan including the US, Spain, Peru, Canada, Chile, Mexico, and Ecuador. Reportedly, earlier the attack was limited to Brazil-based banks only, however, the recent times witnessed a rapid increase in the number of these attacks; now encompassing other countries, according to the cybersecurity researchers at Fortinet.

In order to multiply their opportunities for financial gains, Cybercriminals have continued to resort to banking trojans and have refined the apparatus of the malware – in ways that make detection complicated. The latest research indicates that earlier the targeting was limited to the banking sector only but now as the leading banking trojans have expanded their reach, industries other than banking are also vulnerable to the attacks. The likely targets include cloud service providers, online tech stores, warehousing, mobile app stores, and e-commerce, according to the latest findings.

Metamorfo relies on email spoofing to set the attack into motion, it appears to contain information regarding an invoice and directs the victims to download a .ZIP file. As soon as the targeted user downloads and finishes the extraction of the file, it tends to allow Metamorfo to run on a Windows system. After the installation is completed, the malware starts running an Autolt script execution program. Although the scripting language is primarily designed for automating the Windows graphical UI, here the malware employs it to bypass the antivirus detection.

While explaining the functioning of the malware, ZDnet told, "Once running on the compromised Windows system, Metamorfo terminates any running browsers and then prevents any new browser windows from using auto-complete and auto-suggest in data entry fields.

"This prevents the user from using auto-complete functions to enter usernames, passwords, and other information, allowing the malware's keylogger functionality to collect the data the users are thus obliged to retype. It then sends that data back to a command-and-control server run by the attackers."

There are no revelations made about the keywords related to the targeted banks and other financial institutions, however, researchers expect the Metamorfo campaign still being active. To stay on a safer side, users are advised to keep their operating systems and software updated and patched timely.

DuckDuckGo Privacy Browser for Android Battling URL Spoofing Attacks



The latest version 5.26.0 of the DuckDuckGo Privacy Browser for Android which has over 5 million downloads is allowing hackers to execute URL spoofing attacks by exploiting a spoofing flaw in the address bar.
The vulnerability which attacks the app users has been discovered by the security researcher, Dhiraj Mishra, who immediately reported the flaw to the concerned security department via the associated bug bounty program provided by the vulnerability coordination and bug bounty platform, 'HackerOne'.
In a conversation with BleepingComputer, Dhiraj told, "this vulnerability was submitted to the browser security team via HackerOne on October 31st, 2018 initially this bug was marked as high the discussion went till May 27th, 2019, and they concluded this 'doesn't seem to be a serious issue' and marked the bug as informative, however, I was awarded a swag from DuckDuckGo."
In the vulnerable DuckDuckGo Privacy Browser for Android, the attackers execute this URL spoofing attack after altering the URL which is displayed onto the address bar of the infected web browser which is configured to trick victims into believing that the website being browsed is monitored by an authenticated source. However, in reality, the website would be controlled by the attackers carrying out the spoofing attack.
There is a high probability of the oblivious users to be unknowingly redirected to web addresses disguised as authenticated web portals which in actuality would be assisting malicious actors in accumulating the data of their potential victims either by phishing or by injecting malware into their systems through malvertising campaigns.
Earlier, in May, Arif Khan, security researcher, on detecting a similar vulnerability in the UC browser said, "URL Address Bar spoofing is the worst kind of phishing attack possible. Because it's the only way to identify the site which the user is visiting,"


Attackers Launched a Rapidly Changing Malware which uses .DOC Extension




A new malware has been discovered by security experts, they observed that it is constantly altering its behavioral patterns in an attempt to bypass the email security protection.

As dissemination of malware through email campaigns is becoming common day by day, email security providers are devising new ways to battle and terminate such malicious activities.

However, cybercriminals are employing subtle and sophisticated methods to bypass all the layers of security, which has led to a massive upsurge in successful malware campaigns.

In the aforementioned case, the infected emails are sent to the potential victims, which on being accessed leads to the downloading of a word template with a .doc extension.

Notably, the attack is configured quite differently than most of the attacks which make use of a single pattern with little customizations. In this attack, a number of different email addresses, subject headings, display name spoofs, body content, and URLs are used.

The attackers send the malspam email which entails an infected link which takes the user to a corrupted website that has the malware all set to sneak into the system and infect it.

Referencing from the findings of researchers at the only cloud-native security platform, Greathorn, “Initially, this attack pattern identified  at 12:24pm on Wednesday, February 20th, the attack has (so far) consisted of three distinct waves, each wave corresponding with a different destination URL, one at 12:24pm ET, one 2:05pm ET, and a third at 2:55pm ET, suggesting an attack pattern that anticipated and planned for relatively quick shutdowns of the destination URLs. “