
Using Employment Offers, North Korean Hackers Target Security Researchers


Security researchers have been targeted by a hacking campaign run by threat actors linked to the North Korean government, who used new techniques and malware in an effort to infiltrate the organizations the targets work for, according to researchers.

Researchers at security company Mandiant first became aware of the activity in June of last year while monitoring a phishing attempt aimed at a US-based client in the technology sector. The hackers tried to infect targets with three new malware families: Touchmove, Sideshow, and Touchshift. While operating inside their targets' cloud environments, the attackers also showed a new ability to evade endpoint detection tools.

The attackers use social engineering to move the conversation with their victims onto WhatsApp. It is at this point that the 'PlankWalk' payload, a C++ backdoor that helps the attackers gain a foothold in the target's corporate environment, is delivered.

Mandiant believes that in this operation UNC2970 specifically targeted security researchers. The same North Korean threat actor has repeatedly breached US and European media organizations, prompting a response from Mandiant. To lure targets and trick them into installing the new malware, UNC2970 used spearphishing with a job advertisement theme.

Historically, UNC2970 has sent spearphishing emails with employment recruitment themes to selected target organizations. The hackers approach their targets on LinkedIn, posing as recruiters, before launching their attack. They eventually move the "recruitment process" to WhatsApp, where they share a Word document containing malicious macros.

Mandiant says these Word documents are sometimes tailored to match the job descriptions being pitched to the targets. The document's macros use remote template injection to fetch a trojanized version of TightVNC from compromised WordPress websites that serve as the attackers' command-and-control servers.

Once executed, the malware uses reflective DLL injection to load an encrypted DLL into the system's memory. The loaded file is a malware downloader called 'LidShot', which performs system enumeration and launches PlankWalk, the final payload that establishes a foothold on the compromised device.

Previously, North Korean hackers used fake social media identities claiming to be vulnerability researchers to target security experts working on vulnerability and exploit development. Organizations should also consider additional security measures such as restricting macros, using privileged identity management, conditional access policies, and security alerts. A dedicated admin account should be used for sensitive administrative tasks, and a separate account for email, web browsing, and similar activities.





Cobalt Strike Beacon Using Job Lures to Deploy Malware

Cisco Talos researchers have detected a new malware campaign that uses job lures to deploy malware. The threat actors are weaponizing a years-old remote code execution flaw in Microsoft Office to infect victims with leaked versions of Cobalt Strike beacons.

According to the researchers, the attacks were discovered in August 2022. They begin with phishing emails themed around U.S. government job details or a New Zealand trade union. The emails deliver a multistage, modular infection chain built on fileless, malicious scripts.

On opening the attached malicious Word file, the victim is hit with an exploit for CVE-2017-0199, a remote code execution vulnerability in Microsoft Office that lets the threat actor take control of the infected system. The attacker then runs a chain of attack scripts that culminates in the installation of the Cobalt Strike beacon.
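Both this campaign and the UNC2970 campaign described in the post above start with a Word document whose danger lives not in its text but in its relationship metadata: an externally attached template (remote template injection) or an externally linked OLE object (the .docx carrier for the CVE-2017-0199 technique). The following Python is an added example, not code from Cisco Talos, Mandiant, or this blog. It opens an OOXML package, reports any relationship of those two types whose target is external, and notes whether a VBA project is present. The sample documents it builds, their URLs, and the `verdict` helper are constructed for the demonstration; RTF carriers of CVE-2017-0199 are out of scope and would need a separate parser.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types whose external Target a lure document can abuse.
SUSPICIOUS_REL_TYPES = {
    OOXML_REL + "attachedTemplate": "remote template",  # remote template injection
    OOXML_REL + "oleObject": "external OLE link",       # .docx carrier of CVE-2017-0199
}


def inspect_docx(data: bytes) -> Dict[str, object]:
    """Return external relationship targets worth blocking, plus whether a VBA project exists.

    Only OOXML (.docx/.docm) packages are handled; RTF carriers are not parsed here.
    """
    findings: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        has_macros = "word/vbaProject.bin" in names
        for name in sorted(names):
            if not (name.startswith("word/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                kind = SUSPICIOUS_REL_TYPES.get(rel.get("Type", ""))
                if kind and rel.get("TargetMode") == "External":
                    findings.append({"part": name, "kind": kind, "target": rel.get("Target", "")})
    return {"has_macros": has_macros, "external_links": findings}


def build_sample_docx(template: Optional[str] = None, ole_link: Optional[str] = None,
                      with_macros: bool = False) -> bytes:
    """Construct a minimal OOXML package for the demo (Word will not open it)."""

    def rels_xml(rels):
        body = "".join(
            f'<Relationship Id="rId{i}" Type="{t}" Target="{target}" TargetMode="External"/>'
            for i, (t, target) in enumerate(rels, start=1)
        )
        return (f'<?xml version="1.0" encoding="UTF-8"?>'
                f'<Relationships xmlns="{REL_NS}">{body}</Relationships>')

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        # settings.xml.rels is where an attached template is referenced
        zf.writestr("word/_rels/settings.xml.rels",
                    rels_xml([(OOXML_REL + "attachedTemplate", template)] if template else []))
        # document.xml.rels is where a linked OLE object is referenced
        zf.writestr("word/_rels/document.xml.rels",
                    rels_xml([(OOXML_REL + "oleObject", ole_link)] if ole_link else []))
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00")  # placeholder VBA project
    return buf.getvalue()


def verdict(data: bytes) -> str:
    """Summarise why a document should be quarantined, or report it clean."""
    r = inspect_docx(data)
    reasons = [f'{f["kind"]} -> {f["target"]}' for f in r["external_links"]]
    if r["has_macros"]:
        reasons.append("VBA project present")
    return "QUARANTINE: " + "; ".join(reasons) if reasons else "clean"


if __name__ == "__main__":
    # Constructed lure: macro-enabled document pulling a template from a compromised blog.
    lure = build_sample_docx(template="http://compromised-blog.example/wp-content/t.dotm",
                             with_macros=True)
    print(verdict(lure))
    print(verdict(build_sample_docx(ole_link="http://203.0.113.9/payload.hta")))
    print(verdict(build_sample_docx()))
```

A mail gateway or sandbox pre-filter can run `inspect_docx` on every Office attachment; any external target in these two relationship types is a strong block signal regardless of whether the document also carries macros, because the remote template or linked object is fetched before the user sees the macro warning.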

"The payload discovered is a leaked version of a Cobalt Strike beacon [...] The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon's traffic," state Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer in a new analysis published on Wednesday.

In addition to the Cobalt Strike beacon, the researchers also observed the Redline information stealer and Amadey botnet executables being used as payloads in this campaign.

The researchers describe the modus operandi as "highly modularized". The attack stands out for its use of Bitbucket repositories to host malicious content, which kicks off the download of a Windows executable that in turn installs the Cobalt Strike beacon DLL.

"This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim's system memory [...] Organizations should be constantly vigilant on the Cobalt Strike beacons and implement layered defense capabilities to thwart the attacker's attempts in the earlier stage of the attack's infection chain," the researchers state.

Given the growth in phishing and malware attacks, the Cisco Talos team suggests users protect themselves by keeping software up to date and not opening attachments in unsolicited messages. The team also suggests that administrators monitor their network security.

Fraudulent UK Visa Scams Circulate on WhatsApp


According to a Malwarebytes report, individuals looking to work in the UK are being targeted by a recent phishing campaign on WhatsApp.

Scammers claim in a WhatsApp message that users who are willing to relocate to the UK for work will be eligible for a free visa as well as other perks. 

Bogus scam message 

Scam operators are spreading messages under the pretext of a UK government programme, promising a free visa and other benefits to anyone who wants to migrate there. Chosen candidates would supposedly receive travel and lodging expenses as well as access to medical facilities.

WhatsApp is used to push the message to large numbers of targets to start the fraud. Users are told that the UK is conducting a recruiting drive with more than 186,000 open job positions because the country will require more than 132,000 additional workers by 2022.

The objective of the scam 

When a victim clicks the scam link, they are taken to a malicious domain that imitates the UK Visas and Immigration website. "Apply for thousands of jobs already available in the United Kingdom," foreign nationals are urged.

The website's goal is to collect victims' names, email addresses, phone numbers, marital statuses, and employment statuses. 

Any information entered into the free application form is instantly 'accepted,' and the user is informed that they "will be provided a work permit, visa, plane tickets, and housing in the UK for free" according to a Malwarebytes report. 


Report fake WhatsApp messages

If users receive a message from someone not in their contact list, WhatsApp offers Report and Block options. Such spam messages should be ignored and reported using the report button; blocking the contact stops further scam messages from that sender.

Visa-themed phishing is a common occurrence in the cybercriminal world. Similar scams have circulated several times in the past to entice people looking to work or study abroad.


Large-Scale Data Theft and Bot Attacks Target Job Seekers


Job seekers are prime targets for social engineering because applicants are emotionally vulnerable and eager to provide any information that might help them land the job. Cybercriminals are finding it easier to find their next victim now that the "Great Resignation" is in full swing.

In this instance the victim was a job portal operating in six countries. The goal of the attack was to harvest job seekers' information from the website.

Since February 1, experts have seen a 232 percent increase in phishing emails impersonating LinkedIn that seek to trick job seekers into handing over their credentials. Subject lines included "Searching for a suitable candidate online," "You mentioned in 4 searches this week," and even "You have 1 new message," according to the Egress team.

The OWASP Foundation lists web scraping as automated threat OAT-011, defined as collecting accessible application data and/or processed output. While scraping walks a fine line between legitimate data collection and privacy violation, it remains one of the most common automated attacks affecting businesses today, according to Imperva.

Imperva did not name the company, but said it saw 400 million bot requests from 400,000 unique IP addresses over four days in an attempt to harvest all of the site's job seeker information. Similar techniques are used in "scalping" attacks, which aim to buy up in-demand, limited-edition products for resale at a higher price. Imperva neutralized one such operation on a retailer's website around Black Friday week that generated nine million bot requests in just 15 minutes, 2,500 percent above the site's normal traffic rate.
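The numbers above (400 million requests spread over 400,000 addresses) are the point: a scraper that spreads its crawl thinly across a botnet never trips a per-IP rate limit, so detection has to look at what is being fetched rather than how fast any one client fetches it. The Python below is an added example, not Imperva's or this blog's code. It parses constructed access-log lines (common log format; a hypothetical `/candidates/<id>` profile URL scheme) and runs two checks side by side: a classic per-IP burst threshold, and a distributed-enumeration check that collapses all hits into the set of distinct profile IDs and flags a dense, near-contiguous range touched by many low-volume IPs.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common log format with referer and user-agent fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Hypothetical URL scheme for candidate profiles on the job portal.
ID_RE = re.compile(r"^/candidates/(\d+)$")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "ua": m["ua"]}


def per_ip_bursts(entries, window_s=60, threshold=50):
    """Classic rate check: IPs that exceed `threshold` requests in any `window_s` window."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e["ts"].timestamp())
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):  # sliding window over sorted timestamps
            while times[hi] - times[lo] > window_s:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged[ip] = hi - lo + 1
                break
    return flagged


def distributed_enumeration(entries, min_ids=20, min_coverage=0.8):
    """Detect a crawl spread across many IPs by what it fetches, not how fast each IP goes.

    Collapse every hit on /candidates/<id> into the set of distinct IDs. If that set
    covers most of the numeric range it spans, someone is walking the ID space in
    sequence, even when no single IP ever exceeds a per-client rate limit.
    """
    ids, ips = set(), Counter()
    for e in entries:
        m = ID_RE.match(e["path"])
        if m:
            ids.add(int(m.group(1)))
            ips[e["ip"]] += 1
    if len(ids) < min_ids:
        return None
    coverage = len(ids) / (max(ids) - min(ids) + 1)
    if coverage < min_coverage:
        return None
    return {"distinct_ids": len(ids), "coverage": round(coverage, 2),
            "distinct_ips": len(ips), "max_requests_per_ip": max(ips.values())}


def build_sample_log():
    """Constructed log lines (not real data): 30 IPs each fetch one profile in sequence,
    plus an ordinary visitor searching jobs and viewing a single profile."""
    lines = []
    for i in range(30):
        lines.append(
            f'198.51.100.{i + 1} - - [10/Mar/2022:10:00:{i % 60:02d} +0000] '
            f'"GET /candidates/{1000 + i} HTTP/1.1" 200 2048 "-" "python-requests/2.27"'
        )
    lines.append('203.0.113.5 - - [10/Mar/2022:10:00:05 +0000] '
                 '"GET /jobs/search?q=devops HTTP/1.1" 200 9120 "-" "Mozilla/5.0"')
    lines.append('203.0.113.5 - - [10/Mar/2022:10:00:09 +0000] '
                 '"GET /candidates/1017 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    entries = [e for e in (parse_line(l) for l in build_sample_log()) if e]
    print("per-IP bursts:", per_ip_bursts(entries))          # nothing: one request per IP
    print("enumeration:", distributed_enumeration(entries))  # whole ID range covered
```

On the constructed sample the rate check sees nothing, because every scraping address makes exactly one request, while the enumeration check reports the full 1000-1029 range covered by 31 distinct addresses. In production the same aggregate view (coverage of an ID space per time window, or pages-per-distinct-IP ratios) is what distinguishes a distributed harvest from normal browsing, and it is the signal to feed into a bot-management or WAF rule rather than a per-IP counter.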

Many people are accustomed to receiving regular, genuine LinkedIn messages and may click without double-checking. Individual users remain responsible for being aware of what data they share publicly and how it can be used to trick them into clicking a malicious link.

Singapore Cops Arrest 39 for Suspected Role in Job Scam


Singapore police have arrested 35 men and four women, aged between 16 and 65, over their alleged role in job and phishing scams, including phishing involving Singapore Bicentennial commemorative notes.

The individuals were nabbed during an islandwide anti-scam enforcement operation between Nov 22 and 26 in which a total of 113 individuals were investigated for their suspected role in over 900 job and phishing scams that led to more than S$20mil (RM61.87mil) in losses.

According to Singapore police, the suspects had allegedly sold their bank accounts or handed over their Singpass credentials to criminal syndicates in return for as much as $5,000 per bank account or $400 per set of Singpass credentials. However, most of them never received the money promised.

“Some were also found to have allegedly rented out their bank accounts to scammers or assisted them in carrying out bank transfers and withdrawals,” Singapore police stated, adding that investigations are ongoing. 

The victims were lured after coming across advertisements offering quick cash on social media platforms and chat apps. The job scam required victims to order items from online platforms to inflate sales volumes, paying for the items via funds transfer to various bank accounts.

At the initial stage, victims would receive payment plus a good commission, the police said. The scam turns once victims have spent large sums on orders and their job contact becomes unreachable. Those targeted by the phishing scams received text messages informing them they were eligible for free Singapore Bicentennial commemorative notes and directing them to spoofed URLs.

Clicking the link redirected victims to malicious websites resembling the homepage of a bank's Internet banking site, where they were tricked into entering their banking details.

“Victims would only realize they had been scammed when they discovered unauthorized transfers of monies out of their bank accounts,” said the police. 

The police warned the public to remain vigilant and be wary of job advertisements that promise the convenience of remote working at an "unreasonably high salary". The public was also reminded not to click on URL links in unsolicited emails and text messages.

"Legitimate businesses will not require job seekers to utilize their bank accounts to receive monies on behalf of the businesses. These acts are common ruses used by scammers to lure individuals into carrying out illicit payment transfers on their behalf. Always verify the authenticity of the information with the official website or sources, and never disclose personal or Internet banking details and one-time passwords to anyone," Singapore police advised.