
Fraudulent Browser Updates Are Propagating BitRAT and Lumma Stealer Malware


Fake web browser updates are being used to spread remote access trojans (RATs) and information stealer malware like BitRAT and Lumma Stealer (aka LummaC2). 

"Fake browser updates have been responsible for numerous malware infections, including those of the well-known SocGholish malware," cybersecurity company eSentire stated in a recent report. "In April 2024, we observed FakeBat being distributed via similar fake update mechanisms."

The attack chain begins when potential targets visit a fake website with JavaScript code that redirects them to a fraudulent browser update page ("chatgpt-app[.]cloud"). The redirected web page includes a download link to a ZIP archive file ("Update.zip") located on Discord that is automatically downloaded to the victim's device.

It's worth noting that threat actors frequently use Discord as an attack vector, with Bitdefender's recent study revealing more than 50,000 unsecured connections propagating malware, phishing campaigns, and spam during the past six months.

Another JavaScript file ("Update.js") is included in the ZIP archive file, and it executes PowerShell scripts responsible for downloading further payloads, such as BitRAT and Lumma Stealer, from a remote server in the form of PNG image files. 

This method also retrieves PowerShell scripts for persistence and a .NET-based loader, which is generally used to start the final-stage malware. According to eSentire, the loader likely operates as a "malware delivery service", since it is used to spread both BitRAT and Lumma Stealer. 

BitRAT is a feature-rich RAT that enables attackers to collect data, mine cryptocurrency, download additional malware, and remotely control infected systems. Lumma Stealer, a commodity stealer malware offered for $250 to $1,000 per month since August 2022, can take data from online browsers, cryptocurrency wallets, and other sensitive information. 

"The fake browser update lure has become common amongst attackers as a means of entry to a device or network," the company noted, adding it "displays the operator's ability to leverage trusted names to maximize reach and impact."

While such attacks typically employ drive-by downloads and malvertising techniques, ReliaQuest reported last week that it identified a new variant of the ClearFake campaign that tricked consumers into copying, pasting, and manually executing malicious PowerShell code under the guise of a browser update. 

Specifically, the malicious website claims that "something went wrong while displaying this webpage" and instructs the site visitor to install a root certificate to resolve the issue by following a series of steps that include copying and pasting obfuscated PowerShell code into a PowerShell terminal. 

"Upon execution, the PowerShell code performs multiple functions, including clearing the DNS cache, displaying a message box, downloading further PowerShell code, and installing 'LummaC2' malware," the company added.

Attackers Use a Poisoned Google Search to Target Chinese-speaking Individuals

A new nefarious campaign has been discovered that promotes malicious websites and fake installers by using tainted Google Search results. FatalRAT is primarily targeting Chinese people in East and Southeast Asia. The IOCs of the threat activities did not correspond to any previously identified threat group. 

According to telemetry data collected by ESET researchers, the campaign began in May 2022 and lasted until January 2023. The most targeted victims were found in China, Hong Kong, and Taiwan, with attacks also occurring in Thailand, Singapore, Indonesia, the Philippines, Japan, Malaysia, and Myanmar. Attackers promoted their rogue websites hosting trojanized installers via Google paid advertisements. These advertisements have now been removed.
 
To host the malicious websites, the attackers registered several typosquatted lookalikes of legitimate domains (such as telegraem[.]org for telegram[.]org). These bogus domains host websites that look exactly like the real ones, and they all point to the same IP address. This IP address is associated with a server that hosts multiple fake websites and tainted installers, as well as genuine installers and the FatalRAT loader.
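The lookalike domains described above differ from the real ones by a single typo, which is exactly what an edit-distance check catches. The following is an added example of such a check, not ESET's tooling or code from the original post; the brand list, the confusable-character table and all candidate domains are constructed for illustration.

```python
"""Flag lookalike (typosquatted) domains against a short list of protected brands."""

# Constructed brand table: second-level label -> the one legitimate registrable domain.
BRANDS = {
    "telegram": "telegram.org",
    "whatsapp": "whatsapp.com",
    "signal": "signal.org",
    "electrum": "electrum.org",
}

# Constructed confusable substitutions applied before measuring distance,
# so that digit/letter swaps are not counted as "different" characters.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance counting insertions, deletions, substitutions and adjacent
    transpositions (the four operations behind most typosquats)."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposition
            cur.append(best)
        prev2, prev1 = prev1, cur
    return prev1[-1]

def normalize_label(label: str) -> str:
    """Lowercase a DNS label and collapse common visual confusables."""
    label = label.lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label

def lookalike_verdicts(candidates, brands=BRANDS, max_distance=2):
    """Return {host: (brand_label, distance)} for hosts whose second-level label is
    within max_distance edits of a brand but whose registrable domain is not the
    brand's own. Distance 0 means the brand name on a foreign TLD."""
    allowlist = set(brands.values())
    verdicts = {}
    for host in candidates:
        labels = host.lower().rstrip(".").split(".")
        if len(labels) < 2:
            continue
        base = ".".join(labels[-2:])
        if base in allowlist:
            continue  # the genuine site
        sld = normalize_label(labels[-2])
        for brand in brands:
            distance = damerau_levenshtein(sld, brand)
            if distance <= max_distance:
                verdicts[host] = (brand, distance)
                break
    return verdicts

# Constructed candidates, e.g. from newly registered domain feeds or proxy logs.
SAMPLE_DOMAINS = [
    "telegram.org",      # legitimate
    "telegraem.org",     # one inserted character, the pattern in the article
    "te1egram.org",      # digit-for-letter confusable
    "whatsap.com",       # one dropped character
    "signa1.org",
    "example.com",       # unrelated, must not be flagged
]

if __name__ == "__main__":
    for host, (brand, distance) in lookalike_verdicts(SAMPLE_DOMAINS).items():
        print(f"{host}: looks like {brand} (distance {distance})")
```

A production version would compare against the registrable domain from a public-suffix list rather than the last two labels, and would also weigh in hosting overlap, such as many candidates resolving to one IP as described above.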

The websites and installers are localized in Chinese because Chinese-language versions of the genuine applications are not available in China. Telegram, LINE, WhatsApp, Signal, Skype, Google Chrome, Mozilla Firefox, WPS Office, Electrum, Sogou Pinyin Method, and Youda are among the spoofed apps.

The tainted installers were hosted on an Alibaba Cloud Object Storage Service, which isolated them from the server where websites are hosted. Advanced Installer is used to create and digitally sign the installers, which are MSI files.

When run, these installers would drop and execute a genuine installer, a malicious loader, an updater, and, eventually, the FatalRAT payload. When infected, the malware gives the attacker complete control of the victimized device, allowing them to remotely execute commands, harvest data from web browsers, run files, and capture keystrokes.

According to researchers, the tactics used in this attack are not highly sophisticated; however, attackers have made several attempts to make it appear to be one by using paid Google ads, fake domain names, and tainted installers carrying genuine software. When clicking on links promoted as advertisements, users must be mindful and perform multiple mental checks.

Scammers Employing Stolen Credit Card Data to Design Fake Websites


Cybersecurity researchers at ReasonLabs have unearthed a massive global multi-million dollar fraudulent scheme, operating since 2019. Tens of thousands of victims were affected, including major firms such as Amazon Web Services, Mastercard, and Visa. 

Scammers' methodology 

The fraudsters employed two types of websites, dating sites and customer support portals. When visiting the alleged firm’s websites, the researchers identified that the corporate sites either didn’t exist or had fake email addresses. The sites, although operational, didn’t receive massive traffic and were ranked very low in Google Search results, as their motive wasn’t to lure individuals, but allegedly to serve as a money laundering gateway. 

According to ReasonLabs cofounder and chief technology officer Andrew Newman, the domain structure and content of the websites were identical, indicating that they were designed by automated tools. The customer support portals either use a fake identity or are created to impersonate real brands.  

The biggest hurdle of the fraudulent scheme was the registration of these fake sites as payment acquirers with the processors, who would typically classify them as "high risk". To avoid being blacklisted, these sites introduced a 24/7 support chat system and a working telephone line, outsourced to a genuine support center provider. The sites also included a toll-free number for users who want to cancel their payments, which is typically not available on fraudulent websites. 

The researcher believes the scheme is operated from the middle of Europe or Russia, but the firm hasn't been able to fully verify the fraudsters' location. 

Tens of millions of dollars siphoned 

Once the legitimacy of the sites was approved, the scammers would tap into the pool of millions of stolen payment cards on the dark web (CC dumps), and charge them on the sites. The targeted cardholders were typically from the United States, but cards from French-speaking nations were also identified. 

Small amounts were charged to the cards through recurring payments, using generic merchant names that blended in with the victims' spending habits. In some cases, the scammers refunded users via the integrated "cancel subscription" system to artificially lower the charge-back rate and make their business seem authentic. 

By siphoning small amounts, this fraudulent scheme has been able to operate since 2019 without being discovered while generating tens of millions of dollars in revenue. The researchers randomly investigated several of the 275 fake websites, and unfortunately, they were all still operating at the time of writing. The operation has been reported to payment processors and law enforcement, who are expected to take action soon.

Alert! Scam Pixelmon NFT Website Hosts Password-stealing Malware


A bogus Pixelmon NFT site tempts visitors with free tokens and collectables while infecting them with malware that steals their cryptocurrency wallets. Pixelmon is a popular NFT project with plans to create an online metaverse game where users can gather, train, and battle other players with Pixelmon pets. 

The project has attracted a lot of attention, with nearly 200,000 Twitter followers and over 25,000 Discord members. Threat actors have replicated the original pixelmon.club website and built a fake version at pixelmon[.]pw to deliver malware to take advantage of this interest. Instead of providing a demo of the project's game, the malicious site provides executables that install password-stealing malware on a device. 

The website offers a package named Installer.zip that contains a faulty executable which does not infect visitors with malware. However, MalwareHunterTeam, which was the first to identify this malicious site, detected other dangerous files served by it, allowing researchers to see what malware it was spreading. Setup.zip, which contains the setup.lnk file, is one of the files served by this fraudulent site. Setup.lnk is a Windows shortcut that runs a PowerShell command to download the system32.hta file from pixelmon[.]pw. 

When BleepingComputer tested these malicious payloads, the System32.hta file downloaded Vidar, a password-stealing malware that is no longer widely used. Security researcher Fumik0_, who has previously examined this malware family, confirmed this. When launched, the threat actor's Vidar sample connects to a Telegram channel and retrieves the IP address of the malware's command and control server. The malware then obtains configuration instructions from the C2 and downloads further modules to steal data from the afflicted device. 

Vidar may steal passwords from browsers and apps, as well as scan a computer for files with certain names, which it subsequently sends to the threat actor. The C2 commands the malware to search for and steal numerous files, including text files, cryptocurrency wallets, backups, codes, password files, and authentication files, as seen in the malware configuration below. Because this is an NFT site, visitors are expected to have cryptocurrency wallets installed on their PCs. 

As a result, threat actors focus on looking for and stealing cryptocurrency-related files. While the site is presently not distributing a functioning payload, BleepingComputer has observed evidence that the threat actors have been modifying the site in recent days, as payloads that were available two days ago are no longer available. 

Based on the site's activity, one can expect this campaign to remain active and functioning payloads to be added soon. Given the high number of fraudsters attempting to steal cryptocurrency from NFT projects, one should always double-check that the URL being visited is indeed associated with the project of interest.

$50 Million Lost to Fraudsters Impersonating as Broker-Dealers


A California man admitted his involvement in a large-scale and long-running Internet-based fraud scam that allowed him and other fraudsters to drain about $50 million from hundreds of investors.

Between 2012 and October 2020 Allen Giltman, 56, and his co-conspirators constructed phoney websites to collect money from people via the internet by advertising various investment opportunities (mainly the purchase of certificates of deposit). 

According to court documents, "The Fraudulent Websites advertised higher than average rates of return on the CDs, which enhanced the attractiveness of the investment opportunities to potential victims. At times, the fraudulent websites were designed to closely resemble websites being operated by actual, well-known, and publicly reputable financial institutions; at other times, the fraudulent websites were designed to resemble legitimate-seeming financial institutions that did not exist." 

They advertised the phoney investment sites in Google and Microsoft Bing search results for phrases like "best CD rates" and "highest cd rates." The scammers pretended to be FINRA broker-dealers in interactions with victims seeking investment possibilities, claiming to be employed by the financial companies they imitated on the scam sites. 

They employed virtual private networks (VPNs), prepaid gift cards to register web domains, prepaid phones, and encrypted applications to interact with their targets, and false invoices to explain the huge wire transfers they obtained from their victims to mask their genuine identities during their fraud schemes. 

"To date, law enforcement has identified at least 150 fraudulent websites created as part of the scheme," the Justice Department stated. 

"At least 70 victims of the fraud scheme nationwide, including in New Jersey, collectively transmitted approximately $50 million that they believed to be investments." 

The charge of wire fraud conspiracy, to which Giltman admitted, carries a possible sentence of 20 years in prison, while the charge of securities fraud carries a maximum sentence of five years in prison. Both are punishable by fines of $250,000 or double the gross gain or loss from the offence, whichever is greater. Giltman is scheduled to be sentenced on May 10, 2022. 

Stay Vigilant

The FBI's Criminal Investigative Division and the Securities and Exchange Commission cautioned investors in July 2021 that scammers were posing as registered financial professionals such as brokers and investment advisers. 

The July alert came after FINRA issued a similar fraud alert the same week regarding broker imposter frauds involving phishing sites that impersonate brokers and faked SEC or FINRA registration documents. 

"Fraudsters may falsely claim to be registered with the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA) or a state securities regulator in order to lure investors into scams, or even impersonate real investment professionals who actually are registered with these organizations," the FBI and SEC stated. 

Investors should first use the Investor.gov search engine to see if people marketing investment possibilities are licensed or registered, and then ensure they're not scammers by contacting the seller using independently confirmed contact information from the firm's Client Relationship Summary (Form CRS).

FBI: Fake Government Websites Used to Steal Private & Financial Data


The FBI has alerted the public in the United States that threat actors are proactively capturing sensitive financial and personal information from innocent victims via phoney and fraudulent unemployment benefit websites. 

Websites used in these assaults are built to seem just like official government platforms in order to deceive victims into giving over their information, infecting them with malware, and claiming unemployment benefits on their behalf. 

The federal law enforcement agency stated in a public service announcement published on the Internet Crime Complaint Center's site, "These spoofed websites imitate the appearance of and can be easily mistaken for legitimate websites offering unemployment benefits. The fake websites prompt victims to enter sensitive personal and financial information. Cyber actors use this information to redirect unemployment benefits, harvest user credentials, collect personally identifiable information, and infect victim's devices with malware." 

"In addition to a loss of benefits, victims of this activity can suffer a range of additional consequences, including ransomware infection and identity theft." 

As per the FBI, 385 domains were detected, with eight of them spoofing government sites related to official unemployment benefits platforms. Domain and status are listed below:
  • employ-nv[.]xyz: Active 
  • employ-wiscon[.]xyz: Inactive 
  • gov2go[.]xyz: Active 
  • illiform-gov[.]xyz: Active 
  • mary-landgov[.]xyz: Active 
  • Marylandgov[.]xyz: Inactive 
  • newstate-nm[.]xyz: Active 
  • Newstatenm[.]xyz: Inactive 
There is also a possibility that the data obtained through these fake sites will end up in the hands of identity fraudsters, who would use it in different benefit fraud schemes. The US Federal Trade Commission (FTC) reported in February 2021 that the overall number of identity theft reports doubled in 2020 compared to 2019, with 1.4 million reports in a single year. 

The FTC stated, "2020’s biggest surge in identity theft reports to the FTC related to the nationwide dip in employment. After the government expanded unemployment benefits to people left jobless by the pandemic, cybercriminals filed unemployment claims using other people’s personal information." 

For example, the FTC received 394,280 reports of government benefits fraud attempts last year, the majority of which were connected to unemployment benefit identity theft fraud, compared to 12,900 reported in 2019. 

The Internal Revenue Service (IRS) also issued taxpayer guidelines in January on recognizing theft activities involving unemployment payments. The US federal revenue service stated, "The Internal Revenue Service today urged taxpayers who receive Forms 1099-G for unemployment benefits they did not actually get because of identity theft to contact their appropriate state agency for a corrected form." 

"Additionally, if taxpayers are concerned that their personal information has been stolen and they want to protect their identity when filing their federal tax return, they can request an Identity Protection Pin (IP PIN) from the IRS." 

The FBI also offered some advice in the release on how to safeguard yourself against identity theft; a few points are listed below: 
  • Verify the spelling of web addresses to identify imitations of legitimate sites. 
  • Check that the website you're visiting has an SSL certificate. 
  • Keep software up to date. 
  • Use two-factor authentication wherever it is offered. 
  • Avoid phishing emails at all costs.

Intuit Alerted QuickBooks Customers About Ongoing Phishing Attacks


QuickBooks users have been warned by Intuit that they are being targeted by a phishing campaign masquerading as the firm and attempting to entice potential victims with fraudulent renewal charges. 

According to the company, it received reports from customers who were emailed and informed that their QuickBooks plans had expired. 

"This email did not come from Intuit. The sender is not associated with Intuit, is not an authorized agent of Intuit, nor is their use of Intuit's brands authorized by Intuit," Intuit explained. 

All customers who got one of these phishing emails are advised not to click any links included in the emails or open files. To avoid getting attacked with malware or being redirected to a phishing landing page meant to gather credentials, it is advisable to delete them. 

Customers who have already opened attachments or followed links in the phishing emails should do the following: 
  • Delete any downloaded files as soon as possible. 
  • Scan their systems with an updated anti-malware solution. 
  • Reset their passwords. 
On its support page, Intuit also provides guidance on how customers may defend themselves against phishing attacks. 

In July, Intuit also warned users about phishing emails asking them to call a phone number to upgrade to QuickBooks 2021 by the end of the month, supposedly to avoid having their databases damaged or their company backup files automatically deleted. 

According to BleepingComputer, identical emails were sent to Intuit customers this month, using a very similar style, with the update deadline switched to the end of October. While Intuit did not clarify how the upgrade scheme worked, past encounters with similar scam efforts have led BleepingComputer to believe that the fraudsters will attempt to take over the callers' QuickBooks accounts. 

To accomplish this, they pose as QuickBooks support employees and encourage victims to install remote access software such as TeamViewer or AnyDesk. Then they communicate with the victims and ask for the information needed to change their QuickBooks passwords and take control of their accounts in order to drain their money by making payments in their names. 

If the victims have two-factor authentication activated, the fraudsters will request the one-time permission code required to proceed with the upgrade. 

Copyright scams and account takeover attacks 

In addition to these two active campaigns, Intuit is also being impersonated by other threat actors in a bogus copyright phishing scheme, according to SlickRockWeb's CEO Eric Ellason. Recipients of these emails face the risk of becoming infected with the Hancitor (aka Chanitor) malware downloader or having Cobalt Strike beacons installed on their computers. 

The embedded URLs send potential victims through sophisticated redirection chains that employ various security evasion tactics and victim fingerprinting before delivering the malicious payload. 

In June, Intuit also alerted TurboTax customers that intruders got entry to some of their personal and financial information as a result of a series of account takeover assaults. According to the firm, there was not a "systemic data breach of Intuit." 

As per the company's investigation, the attackers used credentials acquired from "a non-Intuit source" to obtain entry to the customers' accounts, including their name, Social Security number, address(es), date of birth, driver's licence number, financial information, and other personal information.

Microsoft Discovered a Massive Phishing-as-a-Service Operation


On September 21, Microsoft's security team announced that it has discovered a huge operation that delivers phishing services to cybercrime gangs via a hosting-like infrastructure that the OS maker equated to a Phishing-as-a-Service (PHaaS) model. 

The service, known as BulletProofLink, or Anthrax, is now being promoted on underground cybercrime forums. The service is an extension of "phishing kits," which are compilations of phishing websites and templates that seem like login forms from well-known firms. 

BulletProofLink takes this to the next level by including built-in hosting and email-sending capabilities. Customers pay an $800 charge to register on the BulletProofLink site, and the BulletProofLink administrators manage everything else. 

The service includes setting up a web page to host the phishing site, installing the phishing template itself, configuring domains (URLs) for the phishing sites, sending the actual phishing emails to the desired victims, collecting credentials from the attacks, and then delivering the stolen logins to "paying customers" at the end of the week. 

If criminal networks wish to change up their phishing templates, the BulletProofLink group has a different marketplace where threat actors may buy new templates to utilise in their assaults for $80 to $100 per template.

According to The Record, there are approximately 120 distinct phishing templates accessible on the BulletProofLink shop now. 

As per Microsoft, this method is gaining popularity among phishing attackers because: 
  • It removes the requirement for an attacker to get huge collections of single-use domains. 
  • It enables phishing operators to maximise the number of unique domains available to them by establishing dynamically created subdomains as a prefix to the base domain for every email. 
  • The generation of unique URLs presents a challenge to mitigation and detection systems that depend only on exact domain and URL matching. 
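Because each message gets its own freshly minted subdomain, a blocklist keyed on exact hosts or URLs never sees the same value twice. The following is an added example of the counter-measure the third point implies, grouping observed URLs by their registrable base domain and flagging bases with unusually many distinct subdomains; it is not Microsoft's detection logic or code from the original post, and the log sample, hostnames and threshold are constructed for illustration.

```python
"""Flag base domains that fan out into many unique subdomains across observed URLs."""
from collections import defaultdict
from urllib.parse import urlsplit

# Minimal multi-label suffix handling so the demo groups "co.uk"-style names
# correctly. A real deployment should use a public-suffix-list library.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def registrable_domain(host: str) -> str:
    """Return the base (eTLD+1) domain, e.g. 'a.b.example.com' -> 'example.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def subdomain_fanout(urls, threshold=4):
    """Group URLs by base domain and return {base: sorted unique hosts} for every
    base that reaches `threshold` distinct hosts.

    Exact host/URL matching sees each rotating subdomain once and never fires;
    counting unique hosts per base domain does. Legitimate domains also have
    several stable subdomains, so the threshold must be tuned per time window
    and combined with other signals (domain age, random-looking labels).
    """
    hosts_by_base = defaultdict(set)
    for url in urls:
        host = urlsplit(url).hostname
        if not host:
            continue
        hosts_by_base[registrable_domain(host)].add(host.lower())
    return {
        base: sorted(hosts)
        for base, hosts in hosts_by_base.items()
        if len(hosts) >= threshold
    }

# Constructed sample: URLs extracted from a mail-gateway log over one window.
SAMPLE_URLS = [
    "https://login.example.com/sso",
    "https://docs.example.com/help",
    "https://cdn.example.com/app.js",
    "https://x7k2q.secure-mail-verify.example/login",   # one subdomain per email
    "https://p9d4m.secure-mail-verify.example/login",
    "https://a1b2c.secure-mail-verify.example/login",
    "https://z0y9x.secure-mail-verify.example/login",
    "https://www.example.co.uk/",
]

if __name__ == "__main__":
    for base, hosts in subdomain_fanout(SAMPLE_URLS).items():
        print(f"{base}: {len(hosts)} unique subdomains, e.g. {hosts[0]}")
```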
In addition, the website provides lessons to assist users in using the service. However, Microsoft researchers discovered that the business has also been robbing its own clients by storing duplicates of all acquired credentials, which the group is suspected to commercialize later by selling the credentials on underground markets. 

Microsoft summed up the complete operation as technically complex, with the group frequently hosting its phishing websites on hacked sites. In certain cases, the BulletProofLink gang was seen manipulating the DNS records of compromised sites to create subdomains on trustworthy domains to host phishing pages. 

Microsoft stated, placing the BulletProofLink PHaaS in context, “In researching phishing attacks, we came across a campaign that used a rather high volume of newly created and unique subdomains—over 300,000 in a single run.”

Cyberattacks Zero in Tokyo Olympics as Games Begin


Malware and malicious websites have targeted both event organizers and regular spectators as the Tokyo Olympics' opening ceremony approaches. 

According to Tokyo-based Mitsui Bussan Secure Directions, this malware was published to the VirusTotal malware-scanning site on 20 July and has been identified by numerous antivirus software companies throughout the world. 

A fraudulent PDF file masquerades as a Japanese-language document about cyberattacks associated with the Olympics. When users open it, malware runs on their computer and deletes documents. The dubious PDF was allegedly sent to Japanese event officials in an effort to erase important Olympics-related data. 

Takashi Yoshikawa of MBSD cautioned concerning the "wiper" malware. The so-called Olympic Destroyer virus caused severe system interruptions at the 2018 Winter Games in Pyeongchang, South Korea. 

TXT, LOG, and CSV files, which can occasionally hold logs, databases, or password information, are targeted for deleting alongside Microsoft Office files. Furthermore, the wiper targets files generated using the Ichitaro Japanese word processor, leading the MBSD team to assume that the wiper was designed particularly for PCs in Japan, where the Ichitaro program is often installed. 

Yoshikawa added, "This is the type of attack we should be most concerned about for the Tokyo Olympics, and we need to continue keeping a close eye on this." 

Fraudulent streaming sites have also become a major source of concern for the Games, especially now that COVID-19 restrictions have barred almost all spectators. The websites, which appear when users search for Olympic-related phrases on search engines like Google, require users to accept browser notifications so that malicious advertising can be shown. Numerous sites of this sort have previously been discovered by Trend Micro. 

In Japan, Olympic content is provided free of charge on two official streaming platforms: one operated by state broadcaster NHK, and the other named TVer, which is managed by commercial broadcasters. Other streamers are not permitted in the country. 

Trend Micro warns that clicking those links might expose the user to attack and advises viewers to watch the Olympics on officially recognized sites. Fake Olympics websites featuring key terms like "Tokyo" or "2020" in their domain names are another concern. In a probable phishing attack, the login information of ticket purchasers and volunteers was also exposed online. Organizers are advising prudence in the wake of such dangers.