Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Financial Theft. Show all posts
Sensitive Information
Cloud Cyber Attacks fake websites Financial Scam Financial Theft Gift Card Hacking Microsoft Moroccan Cybercrime Phishing Attack Sensitive Information

Moroccan Cybercrime Group Storm-0539 Exploits Gift Card Systems with Advanced Phishing Attacks

 

A Morocco-based cybercrime group, Storm-0539, is making headlines for its sophisticated email and SMS phishing attacks aimed at stealing and reselling gift cards. Microsoft's latest Cyber Signals report reveals that this group is responsible for significant financial theft, with some companies losing up to $100,000 daily. 

First identified by Microsoft in December 2023, Storm-0539, also known as Atlas Lion, has been active since late 2021. The group employs social engineering techniques to harvest victims' credentials through adversary-in-the-middle (AitM) phishing pages. They exploit this access to register their own devices, bypass authentication, and maintain persistent access to create fraudulent gift cards. 

The group's attack strategy includes gaining covert access to cloud environments for extensive reconnaissance, targeting large retailers, luxury brands, and fast-food chains. They aim to redeem and sell gift cards on black markets or use money mules to cash out. This marks an evolution from their previous tactics of stealing payment card data via malware on point-of-sale (PoS) devices. 

Microsoft noted a 30% increase in Storm-0539's activities between March and May 2024, emphasizing their deep understanding of cloud systems to manipulate gift card issuance processes. In addition to stealing login credentials, Storm-0539 targets secure shell (SSH) passwords and keys, which are either sold or used for further attacks. The group uses internal company mailing lists to send phishing emails, enhancing their credibility and sets up new phishing websites by exploiting free trial or student accounts on cloud platforms. 

The FBI has warned about Storm-0539's smishing attacks on retail gift card departments, using sophisticated phishing kits to bypass multi-factor authentication (MFA). The group's ability to adapt and pivot tactics after detection underscores their persistence and resourcefulness. Microsoft urges companies to monitor gift card portals closely and implement conditional access policies to strengthen security. They highlight the effectiveness of using additional identity-driven signals, such as IP address and device status, alongside MFA. 

Meanwhile, Enea researchers have identified broader criminal campaigns exploiting cloud storage services like Amazon S3 and Google Cloud Storage for SMS-based gift card scams. These scams use legitimate-looking URLs to bypass firewalls and redirect users to malicious websites that steal sensitive information. 

Storm-0539's operations exemplify the increasing sophistication of financially motivated cybercriminals, borrowing techniques from state-sponsored actors to remain undetected. As these threats evolve, robust cybersecurity measures and vigilant monitoring are crucial to protect sensitive information and financial assets.
Read more »
Vulnerable Accounts
AI cybersecurity Bank Account Thfet cryptocurrency Cyber Fraud Cyberattacks Financial Theft GoldDigger Group IB malware Technology Vulnerable Accounts

GoldDigger Malware: The Covert Culprit Behind Vanishing Funds

 


Several Android banking apps have been observed to be vulnerable to a new malware strain capable of stealing money from them, which has been observed making the rounds. Group-IB recently discovered an Android Trojan that appears to target more than 50 Vietnamese banking apps, e-wallet services, and cryptocurrency wallets, with its primary objective being the theft of funds. 

Developed by the threat intelligence division at Group-IB, this Trojan named "GoldDigger" has been around since at least June 2023, and its digital footprints have been tracked since then. Two separate apps were used to deliver malware – one that impersonated a Vietnamese government portal and another one that impersonated a company in the energy sector.  

Researchers do not yet know the exact attack vector the attackers used, but speculation is that they may have reached out to victims using social media channels, email messages, and other common ways of communicating with them.  

In addition, they were using these channels to redirect victims to at least a dozen fake Google Play websites, where they presented them with the opportunity to install the apps on their smartphones. The app will then do what it normally does once it is installed on the device: ask for “Accessibility permissions” and then proceed.  

There is probably no better way to identify a malicious app than if it asks for excessive permissions - that is the most obvious way to do so. To get sensitive user information, such as passwords, GoldDigger will need to be granted some permissions by the victim to dig it out. Once it has found any of the 51 Vietnamese financial institutions' apps e-wallet apps or cryptocurrency wallet apps, it will then search for any of these apps on its own.  

The GoldDigger application will be able to detect and extract the login information for the accounts it is scanning for. This is essentially granting the attackers unrestricted access to the financial accounts it is scanning for. The researchers went on to explain that Virbox Protector is part of the feature set that they feel makes GoldDigger unique, a piece of integrated software that acts as an obfuscation and encryption system integrated into the program.  

In general, Virbox Protector is a legitimate application, however here, in this case, it has been used for nefarious purposes, leading to the tasks of cybersecurity researchers becoming a lot more challenging.  It is impossible to think exactly how many people have fallen for this scam and lost their money as a result. 

Still, to be on the safe side it is always best to download applications only from legitimate sources and to always be suspicious when a link or attachment is received through mail. Malware Targeting Android Devices in The Future GoldDigger is characterized by its use of Virbox Protector, a software program which specializes in obfuscating and encrypting data in an advanced manner. This is what sets GoldDigger apart from its competitors.  

To enhance the evasion of standard fraud detection mechanisms, malware developers have taken an inventive step by making it difficult for cybersecurity experts to decipher and understand their malevolent codes, allowing them to evade standard fraud detection systems. Group-IB has the Fraud Protection suite that can detect GoldDigger's presence, perhaps for more reasons than one.   
Read more »
Subscribe to: Posts (Atom)