Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Email scam. Show all posts
Phishing Campaign
Amazon Prime Cyber Fraud Email scam Financial Scam Phishing Campaign

Amazon Prime Phishing Campaign Siphons Login And Payment Info

 

The Cofense Phishing Defence Centre (PDC) has uncovered a new phishing campaign aimed particularly at Amazon Prime members, trying to steal login passwords, security answers, and payment details. The attacker sends out a well-crafted email mimicking Amazon, encouraging users to update their payment details owing to an "expired" or "invalid" payment method.

The Cofense PDC claims that the threat was sent by email that looked like a genuine Amazon Prime warning the victim that their payment method had expired or was no longer acceptable. Phishing attempts are evident when an email with the spoof sender name "Prime Notification" comes from an unrelated domain. 

The email tries to generate a false sense of urgency, which leads people to click on a fake link. When victims click, they are taken to a bogus Amazon security verification screen. "One of the first red flags recipients should look for is the URL, as it reveals that they have been redirected to Google Docs instead of Amazon's legitimate website," the report reads. 

Once the user has passed the false security screen, they are directed to a fraudulent Amazon login page designed to harvest passwords. "Users should always double-check when logging into websites and ensure that additional security measures, such as multi-factor authentication, are enabled," the researchers added.

After submitting their credentials, victims are prompted to provide additional verification information, such as their mother's maiden name, date of birth, and phone number. The phishing attack is not limited to login credentials. Users are also prompted to input their billing address and payment details, which includes credit card information.

"By obtaining the recipient's residential details, threat actors can submit a request to change the victim's address with postal services, redirecting mail and packages to another location," the report further reads.

In a similar vein, hackers can carry out illegal activities using credit card information that has been stolen. Cofense cautions that "threat actors could use the information to initiate and authorise multiple transactions if these details are compromised." If victims believe the card details has been taken, they are advised to get in touch with their banks right away.
Read more »
pharma scam
Alkem Laboratories Cyber Fraud Cyber Security Email scam Financial Fraud Online Scam pharma scam

Alkem Laboratories Falls Victim to Rs 22.31 Crore Cyber Fraud

 

The pharmaceutical industry has been rocked by a major cyber fraud case, with Mumbai-based Alkem Laboratories suffering a financial loss of Rs 22.31 crore due to an elaborate scam. Fraudsters posed as executives from Alkem’s U.S. subsidiary, Ascend Laboratories LLC, to execute the scheme.

According to a Hindustan Times report, the incident began on October 27, 2023, when Alkem’s Mumbai office received an email seemingly from Amit Ghare, the head of international operations at Ascend Laboratories. The email claimed that a recent payment to Alkem would lead to significant tax liabilities. To circumvent these taxes, the company was asked to refund the amount to a different bank account.

On November 17, 2023, another email, allegedly from Mary Smith, Ascend Laboratories' accounting manager, provided details of a U.S.-based bank account for the refund. Acting on these instructions, Alkem’s treasury manager, Manoj Mishra, transferred Rs 51.30 crore to the specified account via a SWIFT transaction.

The fraud came to light on November 15, 2023, when Alkem received another email, supposedly from Ghare, requesting a refund of Rs 90 crore. Growing suspicious, Alkem officials contacted Ghare, who confirmed he had not sent the request. Further investigation revealed that the earlier emails originated from compromised email accounts with subtle alterations in the email addresses.

According to HT, U.S. authorities were able to recover Rs 28.98 crore from the stolen amount, which was returned to Alkem. However, the company still suffered a loss of Rs 22.31 crore.

Alkem Laboratories has reported the incident to the authorities, and an ongoing investigation aims to identify and apprehend the fraudsters while recovering the remaining funds. The company has also implemented enhanced cybersecurity measures to safeguard against similar threats, as reported by The Free Press Journal.
Read more »
User Security
Cyber Fraud Email scam Fraudulent Scheme Milwaukee User Security

Milwaukee Residents Warned of Parking Ticket Scam

 

A fraudulent text message claiming to notify residents about an overdue City of Milwaukee parking penalty has been flagged as a scam and should be deleted, city authorities announced earlier this week.

According to Ald. Lamont Westmoreland, the scam operates by sending recipients a text message stating that a parking ticket must be resolved to avoid late charges. The message urges recipients to click on a link.

Westmoreland warned that clicking the link could expose the user’s phone to malware or ransomware. He also advised anyone who has shared credit or debit card information through the scam to contact their financial institution immediately to ensure their accounts are secure.

The fraudulent text message includes the city’s logo and seal, along with a URL containing “milwaukee.com,” according to a screenshot shared by Westmoreland. These elements make the message appear legitimate, increasing the likelihood of deception.

City's Official Statement

The Department of Public Works clarified that the city does not issue parking penalties via text message. Official tickets are delivered either by registered mail or by being physically placed on the vehicle.

The department urged residents not to click on links or share personal information in response to such messages. Victims of the scam are encouraged to report the incident to the Milwaukee Police Department.

If you have questions about parking tickets, you can contact the city directly at 414-344-0840. Ald. Westmoreland expressed disappointment over the scam, stating: “It’s really sad that scammers are resorting to using what appears to be a legit city source to run a scam like this, but it is not surprising.”

Read more »
User Security
Cyber Crime Email scam Indian Citizens Threat Landscape User Security

Threat Actors Are Sending Fraudulent Legal Notices to Target Indians

 

The Indian authorities have issued an urgent warning to residents over the widespread circulation of counterfeit emails impersonating Rajesh Kumar, CEO of the Indian Cyber Crime Coordination Centre (I4C). 

These fraudulent emails, with misleading subject lines like "Urgent Notification!" and "Court Notification," falsely accuse recipients of cybercrime and pressure them to respond. The PIB Fact Check team has identified these emails as fraudulent, emphasising that they were sent with malicious purpose to trick recipients and exploit their fears. 

Fake email threat

The bogus emails exploit the logos of prominent Indian institutions, such as the Indian Cyber Crime Coordination Centre (I4C), Intelligence Bureau (IB), and Delhi Police, as proof of legitimacy. They also represent themselves by using the names and contact information of senior officials to deceive recipients. These fake emails have been sent to government offices, people, and organisations, posing as official correspondence. 

In a tweet from its official handle, @PIBFactCheck, the bureau clarified that these emails are absolutely fraudulent and deceitful. "It is vital to note that neither the undersigned nor this unit originated such emails. Furthermore, no permission has been obtained for the creation or distribution of such content," the release noted. 

Cybercrime impact in India 

Concern over the rise in cybercrime in India is growing. Avinash Mohanty, the commissioner of police for Cyberabad, claims that cybercrime makes up more than 30% of the commissionerate's cognisable offences and that it may soon reach 50%. It is alarming to learn that every minute, Indian residents lose between 1.3 and 1.5 lakh rupees to hackers. This startling statistic emphasises the importance of raising awareness and vigilance against online fraud and scams. 

The recovery rate for cybercrime damages in the nation remains dismally low, averaging less than 20%. This increases the financial and emotional toll on sufferers. The increase in cybercrime impacts not only individuals and businesses, but also government institutions, which have been targeted in cases of espionage and data breaches.

In recent years, India has had a number of high-profile data breaches, the most significant of which involved Aadhaar, the country's unique citizen identification system. This breach affected over a billion Indians' personal information, including bank account numbers, addresses, and fingerprints. In 2024, the cost of data breaches in India would exceed two million US dollars, illustrating the increasing sophistication of cyberattacks and their devastating consequences.
Read more »
Phishing Attack
Bitcoin Cyber Attacks data security Email Phishing Email scam FTC Phishing Attack

Protect Yourself from Phishing Scams Involving Personal Data and Bitcoin Demands

 

A new phishing scam is emerging, where hackers send threatening emails to people with personal details like images of their homes and addresses. This scam tricks recipients into believing their privacy is compromised, urging them to pay money or Bitcoin to avoid exposure. According to cyber expert Al Iverson, scammers often use public sources like Google Maps and data from previous breaches to craft these threatening messages. He recommends confirming any images on Google Maps and checking email legitimacy to ensure the message isn’t a scam. 

One victim, Jamie Beckland, shared his experience, revealing that the scammers falsely claimed to have video evidence from spyware on his computer. Beckland, like others, was targeted with demands for Bitcoin in exchange for silence. Fortunately, by cross-referencing the address and photo in the email with Google Maps, he realized the threat wasn’t credible. To avoid falling for such scams, it’s critical to scrutinize email addresses and domains. Iverson advises checking SPF, DKIM, and DMARC results, which help verify the sender’s legitimacy. Scammers often spoof email addresses, making them appear familiar, but most don’t actually have access to sensitive data—they’re simply trying to scare people into paying. 

Zarik Megerdichian, founder of Loop8, strongly warns against clicking any unfamiliar links in these emails, especially those related to payments. Bitcoin and similar transactions are irreversible, making it crucial to avoid engaging with scammers. If you suspect financial information is at risk, Megerdichian advises reporting the incident to the Federal Trade Commission (FTC) and closely monitoring your accounts. Yashin Manraj, CEO of Pvotal Technologies, recommends changing passwords immediately if you suspect your data has been compromised. Moving sensitive accounts to a new email address can provide added protection. He also suggests notifying local authorities like the FBI, while ensuring that family members are informed of the scam to prevent further risks. 

Lastly, Manraj emphasizes that you should never engage with scammers. Responding to emails only increases your vulnerability, adding your information to target databases. To further protect yourself, isolating your home network, using a VPN, and avoiding public forums for help are essential steps in safeguarding your information from potential future attacks. These phishing scams, though threatening, rely on fear and manipulation. By taking steps to verify email legitimacy, securing your accounts, and staying cautious, you can avoid falling victim to these tactics.
Read more »
Proofprint
Black Basta Ransomware Cyber Attacks CyberCrime Data Theft Email Phishing Email scam email security Hacekrs NTLM Proofprint

New Email Scam Targets NTLM Hashes in Covert Data Theft Operation

 


TA577 has been identified as a notorious threat actor who orchestrated a sophisticated phishing campaign, according to researchers at security firm Proofpoint. Currently, the group is utilizing a new method of phishing involving ZIP archive attachments. This tactic is geared towards pilfering the hash data of NT LAN Manager (NTLM) users.

According to our investigation, this group is utilizing a chain of attacks aimed at stealing authentication information from the NT LAN Manager (NTLM) system. It would be possible to exploit this method for obtaining sensitive data and facilitating further malicious activity if this method were to be exploited. 

By using booby-trapped email attachments containing booby-trapped NTLM hashes to steal employees' NTLM hashes, a threat actor that is known for establishing initial access to organizations' computer systems and networks is using these attachments to steal employees’ hashes. Earlier this week, enterprise security firm Proofpoint published a report that suggested that the new attack chain "is capable of gathering sensitive information and facilitating follow-on activities." 

As reported by the company, at least two phishing campaigns have utilized this approach since February 26, 2024, when thousands of messages were distributed worldwide and hundreds of organizations were targeted. As an initial access broker (IAB), TA577 has previously been associated with Qbot and has been linked to Black Basta ransomware infections. 

The phishing waves spread thousands of messages around the world and targeted hundreds of organizations. The email security company Proofpoint reported today that although it has seen TA577 favouring Pikabot deployment in recent months, two recent attacks indicate that TA577 has taken a different approach to the attack. 

A group called TA578, which has been linked with the Qbot malware campaign and the Black Basta ransomware campaign, is one of the first access brokers. Recently, it has demonstrated an increasing interest in exploiting authentication protocols despite its previous inclination toward deploying Pikabot malware. 

NTLM hashes are a cornerstone of the security of Windows systems for authentication and session management. Attackers are extremely interested in these hashes as they are potentially useful in offline password cracking and in pass-the-hash attacks, which do not require actual passwords to gain access to services but instead use hashes as shortcuts. 

A technique known as thread hijacking, by which the attackers craft phishing emails that seem like legitimate follow-up emails to ongoing conversations, is used by the attackers. There is a malicious external server that is used to capture NTLM hashes, as these emails contain personalized ZIP files with HTML documents. When opened, these malicious servers start connecting to a malicious external server that has been set up specifically to capture these hashes. 

TA577 likely has the resources, time, and experience to iterate and test new delivery methods at the rate at which it adopts and distributes new tactics, techniques, and procedures (TTPs). TA577, along with other IABs, seems to be on top of the threat landscape and understands when and why certain attack chains cease to be effective. 

To increase the effectiveness and likelihood of victim engagement with their payload delivery and bypass detections, they will be able to create new methods to bypass detections and make use of them as quickly as possible. Researchers at Proofpoint have also noticed an increase in the use of file scheme URIs to direct recipients to external file shares such as SMB and WebDAV for the delivery of malware. To prevent exploits identified in this campaign, organizations should block outbound SMBs to prevent these sophisticated attacks. 

While restricting guest access to SMB servers is a simple security measure, it falls short of preventing these sophisticated attacks. The company advises that strict email filtering be implemented, outbound SMB connections should not be allowed, and Windows group policies should be activated to minimize the risk. 

To combat these types of NTLM-based threats effectively, Microsoft has introduced advanced security features into Windows 11 to help users. It is important to maintain constant vigilance and take strong security measures to prevent phishing attacks targeting the NTLM authentication protocol. For organizations to remain safe from sophisticated cybercriminal endeavours, they must stay abreast of emerging threats and adjust their defences to keep up with the rapidly evolving threats.
Read more »
User Privacy
Cyber Fraud Data Safety Email scam Smishing Campaign SMS Phishing User Privacy

Smishing: SMS Phishing Attacks And How to Thwart Them

 

Smishing is a fast growing version of one of the most established and lucrative scams on the internet. Smishing, like other forms of phishing, aims to trick you into revealing sensitive data and information; however, instead of email, cybercriminals use text messaging or short message services (SMS) to interact with you. Smish attempts are frequently delivered as regular SMS to mobile phone subscribers, but they can also be sent via popular messaging apps. 

Smishing is a type of social engineering in which fraudsters exploit emotions such as fear, sympathy, curiosity, or greed to induce others to reveal personal or business information. They manage this by sending fake messages to your phone or other mobile device that appear to be from a trustworthy source, such as a delivery service, utility supplier, bank, or government agency.

The information they seek could include usernames, passwords, bank account numbers, credit card numbers, vendor names, and other confidential data. The data is subsequently sold on the dark web by cybercriminals, who can also employ it to steal identities, empty bank accounts, or reroute funds to themselves.

Smishing is more tempting to cybercriminals since users are more likely to trust texts over other kinds of communication. In fact, people respond to 45 percent of their texts, but only 6 percent of their emails receive a response. This is most likely due to years of email oversaturation; inboxes bombarded with promotional offers and spam have been trained users to be wary. 

Prevention tips

Here are five ways to prevent scammers from stealing private data: 

  • Never click on hyperlinks in texts from suspicious or unknown numbers. If the link is a brief, shortened URL, this is twice as true. Shorter URLs are frequently cited as a telltale sign that fraudsters are attempting to conceal obviously fake URLs in SMS messages. 
  • Be cautious; if you are persuaded to pay or disclose personal information, take a moment to confirm that the source is authentic and trustworthy. 
  • Never respond to texts from unknown or suspect numbers, especially if they ask you to do so. This notifies scammers that your phone number is active, and you may be added to spam lists and harassed further
  • To protect against malware concealed in smishing URLs, keep your phone's operating system up to date at all times.
  • Pay attention to telltale signs of social engineering, such as urgent messages or get-rich-quick schemes. If something appears to be too good to be true, it most likely is.
Read more »
Sensitive data
Data Breach Email scam Malicious Software Ransomware attack Sensitive data

Commscope Ransomware Attack Exposes Sensitive Employee Data

Hackers have once again targeted a company, this time Commscope, and stolen sensitive employee data during a ransomware attack. According to reports, the hackers have published the stolen data online, including personal information, job titles, and email addresses of Commscope employees.

The attack on Commscope, a US-based network infrastructure provider, highlights the continued threat of cybercrime and the vulnerabilities that companies face in terms of data protection. Cybersecurity experts warn that companies need to be proactive in their approach to cyber defense and invest in robust security measures to prevent such attacks.

The hackers behind the Commscope attack have not been identified, but it is believed that they used ransomware to gain access to the company's systems. Ransomware attacks involve the use of malicious software to encrypt a company's data, making it inaccessible until a ransom is paid.

The publication of the stolen data online has caused concern for the affected employees, who now face the risk of identity theft and other cybercrimes. This incident serves as a reminder that companies must not only focus on preventing cyber attacks but also prepare for the aftermath, including data recovery and notification of affected individuals.

In the wake of this attack, Commscope has urged its employees to be vigilant and monitor their personal accounts for any suspicious activity. The company has also stated that it is working with law enforcement and cybersecurity experts to investigate the incident and mitigate the damage.

This attack on Commscope highlights the need for companies to take a proactive approach to cybersecurity, including implementing robust security measures, conducting regular risk assessments, and training employees to be aware of potential threats. With the increasing sophistication of cyber attacks, companies must remain vigilant and invest in cyber defense to protect their data and reputation.

Read more »
white hat hacking
Backdoor Data Breach Email Hacking Email scam Supply Chain Attack User Privacy white hat hacking

Data Breached on Toyota Supplier Portal

Eaton Zveare, a US-based researcher proactively informed Toyota of the breach found in the Global Supplier Preparation Information Management System (GSPIMS) of the corporation.

According to Zveare, the problem stemmed from installing JWT, or JSON Web Token, authentication that could have given anyone with a working email address access to any account.

JWT is a session token that is created when a user logs onto a website and is used to verify the user's access to secure APIs or portions of the website. The automaker's web platform, known as GSPIMS, enables remote login and management of the company's global supply chain for employees and suppliers.

The researcher could predict an email address by scanning the internet for Toyota personnel who might be involved in the incident. Corporate Toyota email addresses are simple to guess because they use the format firstname.lastname@toyota.com.

Then, Zveare created a legitimate JWT using that email address and utilized it to access the GSPIMS. He used the same way to access a system administrator account he found after performing some portal reconnaissance.

The company avoided a potentially disastrous leak thanks to Zveare's effective disclosure practices, yet the reward for disclosing this vital issue was $0.Despite following the rules of disclosure and rescuing the company from a potentially disastrous leak, It acts as a strong deterrent to investing more time and energy in investigating the infrastructure security of Toyota, he adds. Due to this, similar, exploitable application weaknesses can go unnoticed—at least by 'white hat' researchers like Zveare.

An administrator of the GSPIMS system has access to private data such as secret documents, project schedules, vendor rankings, and customer data for 14,000 users. To allow this option, it appears that the code that creates the JWT based on email address was developed; nevertheless, this backdoor into the network was also created.


Read more »
spying
Cyber Security Data Safety data security Email Safety Email scam email security Email Tracking Pixels Online Privacy Spy Pixels spying

How these Invisible Images Enable Companies Eavesdrop on your Email — Here’s all you need to know

 

The emails are eavesdropping on you. Most of the billions of emails that arrive in our inboxes every day contain hidden trackers that can tell the recipient when you open them, where you open them, how many times you've read them, and much more — a privacy nightmare that many call "endemic." Fortunately, you can take measures to safeguard yourself and your inbox. 

Advertisers and marketing firms, in particular, embed tracking pixels in their promotional emails to keep track of their mass campaigns. Senders can learn which subject lines are the most "clickable," and which of their targets are potential customers, based on how people interact with them.

Though this is beneficial from an analytics standpoint, it is frequently done covertly and without consent.  There is a simple way to disable email tracking. Continue reading to learn more about these troublesome little pixels and how to get rid of them.
 
Email tracking pixels:

The email tracking pixel is a surprisingly simple concept that allows anyone to secretly collect a plethora of information about you as soon as you interact with their messages.

When someone wants to know if you read their email, they insert a tiny 1 pixel by 1 pixel image into it. When you open the email, it sends a ping to the server where the image is stored and records your interaction. The sender can tell your location by checking where that network ping was launched and what type of device was used, in addition to whether or not you clicked their email and how many times you clicked it.

There are two possible explanations for why you never notice that tracking graphic. For starters, it's insignificant. Second, it's in GIF or PNG format, enabling the company to keep it transparent and invisible to the naked eye. A sender will frequently conceal this in their signature. As a result, that fancy font or flashing company logo at the bottom of a commercial email may be more than just a cosmetic presence.

More importantly, studies have revealed that by pairing your location and device specifications, advertisers and other malicious actors can link your email activities with your browser cookies. This opens a can of worms because it allows them to identify you wherever you go online and connect your email address.

Most email clients, including Gmail and Outlook, do not have this feature built-in, but you can use third-party tools. It's recommended to use the Chrome and Firefox extensions Ugly Email for Gmail. It places an "eyeball" icon next to emails containing tracking pixels and prevents them from spying on you. If you use Yahoo or Outlook, you can also use Trocker, which marks emails with trackers on their websites.

These extensions, however, are only available on your computers. You'll need to subscribe to a premium email client like HEY to detect email trackers on your phone.

How to block email tracking pixels?

Email trackers are easy to detect because they rely on hidden media attachments. The simplest method is to simply disable image loading in your email apps by default and only do it manually for emails you trust or when there is an attachment to download.

1. Adjust your existing inbox: On Gmail, the option to block external images is available under Settings > Images > Ask Before Displaying External Images on the web and mobile apps. On Outlook apps, it’s found under Options > Block External Images on mobile and Options > Trust Center > Automatic Download on desktop.

Though Apple Mail also lets you accomplish this from Preferences > Viewing > Load remote content in messages, you can directly block trackers on it as long as you’re on macOS Monterey. Head over to Mail > Preferences > Privacy and check the “Protect Mail Activity” box. 

2. Get yourself a private relay email address: The issue with the methods discussed previously is that they only block tracking pixels after the email has already arrived in your inbox — they don't remove them entirely. To ensure that you never open an email containing trackers by accident, you'll need a proxy address that scans your messages and eliminates any malware before they show up in your inbox.

Another advantage is that you can keep your personal email address private and only provide a relay ID to websites, newsletters, and other services. There are numerous free services that provide a proxy email address. 

Email Protection from DuckDuckGo is recommended. It allows you to create a new custom relay address, which secures your mail before forwarding it to your personal inbox by booting the trackers and encrypting any unsecured links in the body. DuckDuckGo adds a small section at the top of forwarded emails that tells you whether it found any trackers in it and, if so, which companies were responsible for it.

To sign up for the DuckDuckGo app on an Android or iPhone, go to Settings > Email Protection. You can get started on a desktop with the DuckDuckGo browser extension or its Mac browser.


Read more »
phishing
Cyber Fraud Email Fraud Email scam Fraud Nigeria phishing

Suspected Phishing Email Fraudster Arrested in Nigeria

 

A Nigerian man has been arrested by Interpol and African cops on suspicion of running a multi-continent cybercrime network that specialised in sending phishing emails to businesses. His alleged operation was behind so-called business email compromise (BEC), a combination of fraud and social engineering in which employees at targeted firms are duped into doing things like wiring money to scammers or sending sensitive information abroad. 

This is done by impersonating executives or suppliers and sending messages with instructions on where to deliver payments or data, often by getting into an employee's work email account. The 37-year-arrest old's is part of a year-long counter-BEC operation code-named Operation Delilah, which began with intelligence from cybersecurity firms Group-IB and Palo Alto Networks Unit 42, and Trend Micro. 

According to the groups involved, Op Delilah, which began in May 2021, is another success story from Interpol's Cyber Fusion Center, a public-private partnership between law enforcement and industry experts based in Singapore. The arrest, however, comes after the FBI issued a strong warning about BEC earlier this month, claiming that it is still the most costly threat to businesses throughout the world. Between June 2016 and December 2022, email scams cost businesses and people at least $43.3 billion. 

The FBI stated that BEC continues to develop and change, targeting small local companies to larger enterprises, and personal transactions, adding that it monitored a 65 per cent increase in identified global exposed losses, with victims in 177 countries, between July 2019 and December 2021. When law enforcement attempted to catch the suspected fraudster in this case, he fled Nigeria in 2021. He attempted to return to Nigeria in March 2022 but was recognised and detained as a result of the intelligence-gathering relationship. The intelligence was passed on to Nigerian police by Interpol's African Joint Operation against Cybercrime (AFJOC), which was assisted by law enforcement from Australia, Canada, and the United States. Nigerian cops eventually apprehended the man at Lagos' Murtala Mohammed International Airport. Delilah is the third in a series of law-enforcement actions that have resulted in the identification and arrest of suspected gang members. 

"The arrest of this alleged prominent cybercriminal in Nigeria is testament to the perseverance of our international coalition of law enforcement and Interpol's private sector partners in combating cybercrime," Garba Baba Umar, assistant inspector general of the Nigeria Police Force, said in a statement this week. 

The security companies involved in the operation closely monitored the alleged Nigerian BEC crew under the name SilverTerrier, or TMT, and Delilah is the third in a series of law-enforcement actions that have resulted in the identification and arrest of these suspected gang members. Delilah was preceded by the Interpol-led Falcon I and Falcon II operations, which took place in 2020 and 2021 and resulted in the arrest of 14 members of the criminal gang. 

The earlier operations, as well as the most recent one, were assisted by Unit 42 and Group-IB, among other security analysts. TMT has been tracked by Group-IB since 2019. We're warned that by 2020, the criminals would have infiltrated more than 500,000 businesses in 150 nations. One of the defendants seized in Nigeria during Falcon II had more than 50,000 possible victim domain credentials on his laptop, according to Interpol. 

Meanwhile, Unit 42 researchers allege that the 37-year-old Nigerian detained as part of Delilah has been a criminal since 2015. 

The security analysts at Palo Alto Networks wrote in a blog, "We have identified over 240 domains that were registered using this actor's aliases. Of that number, over 50 were used to provide command and control for malware. Most notably, this actor falsely provided a street address in New York city associated with a major financial institution when registering his malicious domains." 

They discovered that he has a stated affinity for ISRStealer, Pony, and LokiBot malware. He also prefers enormous gold, blingy jewellery, according to a social media snapshot of the alleged perp on the Unit 42 blog. According to the security researchers, the suspect is well-connected with other BEC criminals and also appears to share social media contacts with a trio detained in 2021 as part of Falcon II.
Read more »
Zimbra
Bugs Email scam Email Source Infrastructure Flaw Spear Phishing Campaign Vulnerabilities and Exploits XSS Flaw zero Day vulnerability Zimbra

Zero-Day Vulnerability Exploited in Zimbra Email Platform to Spy on Users

 

As part of spear-phishing campaigns that began in December 2021, a threat actor, most likely of Chinese origin, is proactively trying to attack a zero-day vulnerability in the Zimbra open-source email infrastructure. 

In a technical report published last week, cybersecurity firm Volexity described the espionage operation, codenamed "EmailThief," stating that successful exploitation of the cross-site scripting (XSS) vulnerability could lead to the execution of arbitrary JavaScript code in the context of the user's Zimbra session. 

The incursions, which commenced on December 14, 2021, were linked to a previously unknown hacker gang that Volexity is investigating under the moniker TEMP HERETIC, with the attacks focused on European government and media organizations. The zero-day vulnerability affects Zimbra's most recent open-source edition, version 8.8.15. 

The assaults are said to have been carried out in two stages, with the first stage targeted at reconnaissance and the distribution of emails to see if a target had received and opened the messages. Multiple waves of email messages were sent out after that to lure users into clicking on a fraudulent link. The attacker used 74 different Outlook.com email identities to send the messages out over two weeks, with the initial recon emails having generic subject lines ranging from invitations to charity auctions and refunds for airline tickets. 

Steven Adair and Thomas Lancaster noted, "For the attack to be successful, the target would have to visit the attacker's link while logged into the Zimbra webmail client from a web browser. The link itself, however, could be launched from an application to include a thick client, such as Thunderbird or Outlook." 

If exploited, the unpatched vulnerability might be used to exfiltrate cookies, providing constant access to a mailbox, sending phishing messages from the hijacked email account to spread the infection, and even facilitating the installation of new malware. 

The researchers stated, "None of the infrastructure identified […] exactly matches infrastructure used by previously classified threat groups."  

"However, based on the targeted organization and specific individuals of the targeted organization, and given the stolen data would have no financial value, it is likely the attacks were undertaken by a Chinese APT actor." 

Further the company recommended, "Users of Zimbra should consider upgrading to version 9.0.0, as there is currently no secure version of 8.8.15."  
Read more »
Software Vulnerability
ATM Hacking Banking Phishing Cyber Attacks Email scam Lazarus Group North Korean Hackers Scam Software Vulnerability

Lazarus, Cobalt, and FIN7 Cyber Groups Allegedly Opened Fire on the Financial Industry

 

A study titled "Follow the Money" by Outpost24's Blueliv that addressed the financial sector, aims to identify and follow groups that are big perpetrators of financial theft and fraud. The Lazarus, Cobalt, and FIN7 threat groups were determined to be the most common threat actors targeting financial institutions. As the Covid-19 pandemic has further aggravated the situation by disrupting training and operations, it's no surprise that cyber attacks on financial institutions are on the rise. 

Attacking banks provide various possibilities for profit for cybercriminals through extortion, theft, and fraud, while nation-states and hacktivists also target the financial industry for political and ideological leverage. The Strategic Technologies Program investigates the evolution of cyber risks to the financial system, as well as legal and regulatory attempts to improve its defenses.

Lazarus is a North Korean state-sponsored advanced persistent threat (APT) group that has been linked to high-profile assaults on Sony Pictures Entertainment, the Bangladesh Bank via SWIFT, and the WannaCry ransomware epidemic in 2017. Banks, casinos, financial investing software producers, and crypto-currency enterprises are among the companies involved. 

The group's virus has lately been discovered in 18 nations around the world. A vulnerability in one of the targeted organization's servers is discovered by the Lazarus team. It infects a website that was accessed by employees of a particular organization, uses malware to access the target's IT infrastructure, and finds a server running SWIFT software. This group tries to drain the company's accounts by downloading new malware that could communicate with SWIFT software. 

Cobalt has been linked to attacks against financial institutions around the world, resulting in the theft of millions of dollars, since at least 2016. It first appeared on the scene with an ATM jackpotting attack on a Taiwanese bank. Despite the arrests, the gang is believed to be still functioning. To break into networks, the Cobalt group uses social engineering—users open infected attachments from phishing emails that are disguised to look like messages from reputable corporations and regulatory agencies. These attachments contain a document file that either downloads or contains a dropper in a password-protected archive from a remote server.

Another important, profit-driven threat group is FIN7, which specializes in Business Email Compromise (BEC) and the deployment of Point-of-Sale (PoS) malware designed to steal large amounts of customer credit card information from businesses. While banking and finance cybersecurity tactics are evolving, there are still numerous improvements that can be addressed, according to Blueliv.
Read more »
Scams
Cyber Fraud Email scam Frauds Future trends phishing Phishing and Spam Scams

Bracing for Evolving Phishing Frauds

 

Phishing scams are still the most common type of cybercrime. Unfortunately, as social engineering attacks get more advanced, this tendency is likely to continue in 2022. The numbers are worrisome and the phishing attacks account for more than 80% of all security issues reported. 

In fact, phishing attacks have been successful in 74 percent of firms in the United States. Companies must be watchful and proactive by implementing a defense strategy as phishing will remain the favoured method of attack for cybercriminals in the coming year. Phishing attacks have the potential to compromise infrastructure and organizations will need to plan ahead and anticipate investing more money in preventative measures in 2021 than they did in 2021. 

Phishing takes a new turn 

As cybercriminals get more sophisticated, here are some of the tactics that businesses should be aware of. It will be considerably difficult to distinguish between spoof and legitimate emails. Email recipients may be alarmed by clever subject lines. Email recipients may be alarmed by clever subject lines such as "Changes to your health benefits" or "Unusual login detected." 

Other common methods of attack include denied memberships, fraudulent subscription calls-to-action, and billing and payment warnings. Furthermore, fraudsters are becoming more sophisticated in their use of false links. Users who aren't paying attention may be scammed into clicking on links that lead to harmful websites. Phishing assaults will be elevated to a new level as a result of social engineering attempts. Artificial intelligence-based tactics, such as copying someone's voice to elicit sensitive information, will become more common. 

A good offense is the best defense

The good news for businesses is that they can use artificial intelligence (AI), email security, and cybersecurity training to protect themselves from more sophisticated phishing assaults. Investing in AI-based preventative tools that track and examine email communications is the first line of defence. 

A strong AI solution examines variables like the devices' external senders and employees, who they message, what time of day they communicate, and where they communicate from. This data is then used to create trusted email sender profiles, which are subsequently compared to incoming emails to authenticate the sender and detect and avoid sophisticated phishing efforts. Artificial intelligence-based monitoring software may even scan photos for fake login sites and altered signatures, then immediately quarantine malicious emails so that the end-user never sees them. 

Another preventative step is email security. Technology that displays warning banners and identifies problematic emails is beneficial since it allows users to quarantine or mark messages as safe with a single click. Passwords that have been compromised can be used to launch cyberattacks. Single sign-on (SSO), multifactor authentication (MFA), and password management are all included in an identity and access management (IAM) tool. 

Another option to mitigate the security concerns associated with passwords is to use passwordless authentication. This method confirms a user's identity by utilizing biometrics, such as fingerprints, and one-time passwords, which require users to enter a code that is either emailed, transmitted through SMS, or received via an authenticator app. 

Finally, a company is only as powerful as its employees, emphasising the importance of cybersecurity training. The first line of defence is employees. An organization's odds of experiencing a cybersecurity incident can be reduced by up to 70% by boosting security awareness. Security awareness training should always be included in onboarding, and phishing simulation campaigns should be run regularly, at least once a month. 

While this may appear excessive, research reveals that four to six months after each training session, trained employees begin to forget what they learned. With hybrid workplaces becoming increasingly widespread post-pandemic, over half of the remote workers use email as their major mode of contact, demonstrating the importance of security awareness training. 
 
According to the FBI, firms in the United States lost more than $1.8 billion in costs due to business email compromise (BEC) or spearphishing last year. Phishing scams resulted in adjusted losses of more than $54 million, according to the FBI. Given that phishing remains a popular type of intrusion, it's reasonable to assume that number will continue to rise. 

Organizations may help defend their businesses from being hacked by utilising AI's complete functionality to construct a powerful security platform that detects threats, as well as strengthened email security measures and employee training.
Read more »
Windows10
BazarBackdoor BazarLoader Email scam malware phishing Ransomware Trojan Attacks virus Windows10

BazarBackdoor Abused Windows 10 Application Feature in 'Call me back' Attack

 

In a new phishing campaign spreading the BazarBackdoor malware, a Microsoft Windows 10 app feature is being exploited.

On Thursday, Sophos Labs experts reported that the attack was detected when spam emails were sent to the cybersecurity firm's own employees — but these emails weren't just any spam; they were written with at least a minimal amount of social engineering. 

One of the emails, from the non-existent "Adam Williams," a "Sophos Main Manager Assistant," requested to know why a researcher hadn't addressed a customer's complaint. The email also included a PDF link to the message to make resolution easy. The link, however, was a hoax that demonstrated a "new" approach for spreading the BazarBackdoor malware. 

Sophos researcher Andrew Brandt explained, "In the course of running through an actual infection I realized that this construction of a URL triggers the browser [in my case, Microsoft's Edge browser on Windows 10], to invoke a tool used by the Windows Store application, called AppInstaller.exe, to download and run whatever's on the other end of that link." 

Sophos stated to be "unfamiliar" with this strategy, which involves exploiting the Windows 10 App installation process to transmit malicious payloads. The phishing bait directs prospective victims to a website that uses the Adobe brand and invites them to click on a button to preview a PDF file. When users move the mouse over the link, the prefix "ms-appinstaller" appears. 

This link then links to a text file called Adobe.appinstaller, which in turn points to a larger file called Adobe_.7.0.0_x64appbundle, which is hosted on a different URL. A warning notification appears and a notice that software has been digitally signed with a certificate issued several months ago. (The certificate authority has been notified of the misuse by Sophos.) 

The victim is then urged to approve the installation of "Adobe PDF Component," and if they comply, the BazarBackdoor malware is installed and launched in seconds. BazarBackdoor is similar to BazarLoader in that it connects via HTTPS, but it is distinguished by the volume of noisy traffic it creates. BazarBackdoor can exfiltrate system data and has been connected to Trickbot and the probable deployment of Ryuk ransomware. 

Brandt stated, "Malware that comes in application installer bundles is not commonly seen in attacks. Unfortunately, now that the process has been demonstrated, it's likely to attract wider interest. Security companies and software vendors need to have the protection mechanisms in place to detect and block it and prevent the attackers from abusing digital certificates."
Read more »
Phishing Attacks
Cyber Fraud Email scam Fake Sites Fraud Mails Phishing and Spam Phishing Attacks

Intuit Alerted QuickBooks Customers About Ongoing Phishing Attacks

 

QuickBooks users have been warned by Intuit that they are being targeted by a phishing campaign masquerading the firm and attempting to entice possible victims with fraudulent renewal charges. 

According to the company, it received reports from customers who were emailed and informed that their QuickBooks plans had expired. 

"This email did not come from Intuit. The sender is not associated with Intuit, is not an authorized agent of Intuit, nor is their use of Intuit's brands authorized by Intuit," Intuit explained. 

All customers who got one of these phishing emails are advised not to click any links included in the emails or open files. To avoid getting attacked with malware or being redirected to a phishing landing page meant to gather credentials, it is advisable to delete them. 

Customers who have already opened attachments or followed links in the phishing emails should do the following: 
  • Delete any downloaded files as soon as possible. 
  • Scan their systems with an updated anti-malware solution. 
  • Reset their passwords. 
  • On its support page, Intuit also provides guidance on how customers may defend themselves against phishing attacks. 
To avoid having their databases damaged or corporate backup files automatically deleted, Intuit also warned users in July about phishing emails that asked them to contact a phone number to update to QuickBooks 2021 by the end of the month. 

According to BleepingComputer, identical emails were sent to Intuit customers this month, using a very similar style, with the update deadline switched to the end of October. While Intuit did not clarify how the upgrade scheme worked, past encounters with similar scam efforts have led BleepingComputer to believe that the fraudsters will attempt to take over the callers' QuickBooks accounts. 

To accomplish this, they pose as QuickBooks support employees and encourage victims to install remote access software such as TeamViewer or AnyDesk. Then they communicate with the victims and ask for the information needed to change their QuickBooks passwords and take control of their accounts in order to drain their money by making payments in their names. 

If the victims have two-factor authentication activated, the fraudsters will request the one-time permission code required to proceed with the upgrade. 

Copyright scams and account takeover attacks 

In addition to these two active campaigns, Intuit is also being impersonated by other threat actors in a bogus copyright phishing scheme, according to SlickRockWeb's CEO Eric Ellason. Recipients of these emails face the risk of becoming infected with the Hancitor (aka Chanitor) malware downloader or having Cobalt Strike beacons installed on their computers. 

The embedded URLs send potential victims through sophisticated redirection chains that employ different security evasion tactics and victim fingerprinting malicious spam. 

In June, Intuit also alerted TurboTax customers that intruders got entry to some of their personal and financial information as a result of a series of account takeover assaults. According to the firm, there was not a "systemic data breach of Intuit." 

As per the company's investigation, the attackers used credentials acquired from "a non-Intuit source" to obtain entry to the customers' accounts, including their name, Social Security number, address(es), date of birth, driver's licence number, financial information, and other personal information.
Read more »
Email scam
Brute Force Attacks Business Email Compromise Credential Phishing Cyber Attacks Email Account Compromise Email scam

Credential Phishing and Brute Force Attacks Continue to Surge



Financial and reputational aspects of organizations across the globe are taking a severe hit as they witness advanced email threats from unprecedented email attacks that continue to escalate, as per a recent report by Abnormal Security. Unsuspecting victims fall prey to the schemes which are devised to make the malicious emails land directly into their inboxes evading security mechanisms. 

As threat actors continue to work around various phishing techniques, cyber-attacks via credential phishing and brute force continue to remain effective attack vectors. Advanced email threats such as 'Business Email Compromise' attacks are designed to safely bypass secure email gateways and other conventional security infrastructure allowing the operators to steal in billions each year.  

After gaining access to email accounts, attackers can leverage these accounts to target other associated employees including business partners, vendors, and co-workers. Consequently, it allows them to infiltrate other parts of the compromised organization. Cybercriminals use these credential phishing and brute force attacks to obtain sensitive information such as usernames, passwords, and passphrases. 

The report enlists in its key findings that 5% of all organizations fell prey to brute force attacks in early June 2021, while 73% of all sophisticated threats were credential phishing attacks. 

Since Q4 2020, business email compromise attacks underwent a rise by 22% whereas 61% of companies witnessed a vendor email compromise attack this quarter. Alongside, the experts also made a prediction that there is a 60% probability of an account takeover attack being successful each week for firms having over 50,000 employees. 

While commenting on the matter, Evan Reiser, CEO, Abnormal Security, said, “Socially-engineered attacks are dramatically rising within enterprises worldwide, creating unprecedented financial and reputational risks. These never-before-seen attacks are becoming more sophisticated with every passing day. They don’t contain indicators of compromise, such as links, attachments, and reputational risks, so they evade secure email gateways and other traditional email infrastructure, landing in inboxes where unsuspecting employees fall victim to their schemes, which include ransomware. To effectively protect against these attacks, we can no longer rely only upon established threat intelligence. To baseline good behavior, we need to look further to comprehensively understand employee and vendor identities and their relationships, all with deep context, including content and tone. Any subtle deviations from this baseline expose the possibility of a threat or attack.” 

Furthermore, the report highlights the rise of impersonation, and how cybercriminals are employing it to trick users into submitting sensitive data. Experts remark that the impersonation of internal systems namely IT Support and IT Help Desk has risen 46% in the last two quarters. 

Socially engineered credential phishing and account takeover attacks are surfacing as a major concern for enterprises worldwide because these attacks could potentially provide the access required to carry out other ransomware and malware-based attacks.
Read more »
Scammers
Cyber Fraud Email scam phishing Phishing emails Scammers

Pay Attention: These Unsubscribe Emails Only Lead to Further Spam

 

Scammers send out fake 'unsubscribe' spam emails to validate legitimate email addresses for future phishing and spam campaigns. 

Spammers have been sending emails that merely inquire if the user wants to unsubscribe or subscribe for a long time. These emails don't specify what the user is unsubscribing or subscribing to, and spammers are using them to see if the recipient's email address is real and vulnerable to phishing scams and other nefarious activity. 

If they get the needed confirmation, they’ll bombard it with various spam emails. The campaign is simple in design - the victim will get a basic email with this call to action in it asking whether the consumer wants to unsubscribe or subscribe: 

“Please confirm your Subscribe (sic) or Unsubscribe. Confirm Subscribe me! Unsubscribe me! Thank you!” 

If the user clicks on the embedded subscribe/unsubscribe links, the mail client will generate a new email that will be forwarded to a large number of different email addresses controlled by the spammer. 

After sending the mail, users expect to be unsubscribed from future communications but they are, however, confirming for the spammers that their email address is real and under surveillance. 

BleepingComputer created a new email account for testing purposes, which they never used on any website or service. When they responded to multiple confirmation emails received on another email account using the new email address. After sending unsubscribe/subscribe responses from the new account, their new account was bombarded with spam emails within a few days. 

This test also revealed that spammers are utilizing these subscribe/unsubscribe emails to fine-tune their mailing lists and confirm email addresses that are vulnerable to phishing and frauds. 

It was also stated that these attacks aren't restricted to spam emails; nothing stops scammers from using phishing or social engineering against the target email, which is sometimes more hazardous and difficult to detect and stop. 

Consumers should never click any links they receive in an email unless they are fully certain of the sender's validity and the link's integrity, according to security experts. No credible company will ever send an email with only the alternatives to "Subscribe or Unsubscribe" and without any information.
Read more »
Phishing emails
Business Email Compromise Cyberattack Email scam Phishing and Spam Phishing Attack Phishing emails

Massive BEC Phishing Ring Uncovered, 3 Nigerian Nationals Arrested

 

In the city of Lagos, three Nigerian nationals suspected of participation in an organized cybercrime group behind malware distribution, phishing attacks, and a massive business email compromise (BEC) ring responsible for scams globally, have been arrested under “Operation Falcon” carried out jointly by international police organization with Nigeria Police Force and Singapore-based cybersecurity firm Group-IB, according to the reports by Interpol. 
 
In a Business Email Compromise (BEC) attack, the threat actor hacks and spoofs email to impersonate an organization’s CEO, vendors, or senior executives to trick employees and customers by gaining their trust; which later is exploited as the attackers encourage actions relating to funds transfer to criminal’s account or transferring confidential data, in some cases. 
 
The cybercriminals behind the operations performed a number of their phishing campaigns in disguise; masked as product inquiries, Coronavirus aid, or purchasing orders. Stealing authentication data from emails, web browsers, and FTP clients from organizations based in the UK, the US, Japan, Nigeria, and Singapore, has been identified as the primary objective of these phishing attacks, as per Group IB. 
 
As the ongoing investigation continues to uncover other suspects and monetization means employed by the ring, around 50,000 targeted victims have been discovered, so far. Allegedly, the participants of the rings developed phishing links and domains before performing mass BEC campaigns wherein they sophisticatedly targeted corporations of all sizes. Reportedly, 26 different malware variants were being deployed by the criminals including remote access Trojans (RATs) and spyware. 
 
"They then used these campaigns to disseminate 26 malware programmes, spyware, and remote access tools, including AgentTesla, Loki, Azorult, Spartan, and the nanocore and Remcos Remote Access Trojans,’ the INTERPOL said. 
 
"This group was running a well-established criminal business model," Interpol's Cybercrime Director Craig Jones noted. "From infiltration to cashing in, they used a multitude of tools and techniques to generate maximum profits." 
 
“These programs were used to infiltrate and monitor the systems of victim organizations and individuals, before launching scams and siphoning funds,” as per an announcement by INTERPOL. “According to Group-IB, the prolific gang is believed to have compromised government and private-sector companies in more than 150 countries since 2017.”
Read more »
Twitter
Cyber Crime Email scam Google Drive Twitter

Google Drive Notifications Used to Send Malicious Links to Hundreds of Thousands of Users

 

Cybercriminals have now resorted to utilizing a legitimate Google Drive collaboration feature to trick users into clicking on pernicious links. 

As per recent reports the attacks have been originated from Google Drive's collaboration feature, which enables users to make push notifications or emails that invite people to share a Google doc. Attackers are mishandling this feature to send mobile users Google Drive notifications, inviting them to collaborate on documents, which at that point contained 'malicious links'. 

Since they are sent through Google Drive, the notifications originate from Google's no-reply email address, causing them to appear more legitimate. Different cycles of the attacks are sent using email (rather than by notifications) and incorporate the malignant link directly in the email. The Google Drive notifications accompany various lures. 

Many imply to be "personal notifications" from Google Drive, with one lure named "Personal Notification No 8482" telling the victim they haven't signed into their account for some time. These undermine that the account will be deleted in 24 hours except if they sign in using a (malicious) link. Another, named "Personal Notification No 0684," tells users they have an "important notice" of a financial transaction that they can see for their own in their account, using a link. 

The attack has focused on countless Google users, as per WIRED. The report said that the notifications are being sent in Russian or broken English. 

These links take victims to malevolent scam websites. WIRED detailed that one such site flooded users with notifications to click on links for "prize draws," while different sites mentioned that victims click on such links to "check their bank account." 

Targeted users took to Twitter to the caution of the scams, with one Twitter user saying that 'the only red flag' of the scam was that he wasn't anticipating a shared doc.

 


With the generality of working from home due to the Covid pandemic, attackers are progressively utilizing collaboration and remote-work tools, including Google offerings. 

Nonetheless, a Google spokesperson told WIRED that the company is dealing with new security measures and is currently making strong efforts for detecting Google Drive spam.

Read more »
Subscribe to: Posts (Atom)