
Rise in Phishing Attacks Targeting US Schools Raises Concerns

According to a recent report by PIXM, a cybersecurity firm specialising in artificial intelligence solutions, public schools in the United States face a significant increase in sophisticated phishing campaigns. Threat actors are employing targeted spear-phishing attacks, using stealthy patterns to target officials in large school districts and effectively bypassing Multi-Factor Authentication (MFA) protections.

Since December 2023, there has been a surge in MFA-based phishing campaigns targeting teachers, staff, and administrators across the US. The attackers, identified as the Tycoon and Storm-1575 threat groups, employ social engineering techniques and Adversary-in-the-Middle (AiTM) phishing to bypass MFA by capturing tokens and session cookies. They create custom login experiences and use services such as Dadsec and Phishing-as-a-Service (PhaaS) to compromise administrator email accounts and deliver ransomware.

The Tycoon Group's PhaaS, available on Telegram for just $120, boasts features such as bypassing Microsoft's two-factor authentication. Meanwhile, Microsoft identifies Storm-1575 as a threat actor engaging in phishing campaigns through the Dadsec platform. The attacks involve phishing emails prompting officials to update their passwords, leading them to a Cloudflare CAPTCHA and then a spoofed Microsoft password page. If the victim enters credentials, the attackers relay the password to the legitimate login page, prompt the victim for the two-factor authentication code, and thereby bypass MFA protections.

The attacks commonly target officials such as the Chief of Human Capital and finance and payroll administrators. Some attempts involve altering Windows registry keys, potentially infecting machines with malicious scripts. The attackers conceal their tracks using stealth tactics, hiding behind Cloudflare infrastructure and creating new domains.

While the CAPTCHAs used in these phishing attacks lend a sense of legitimacy to end users, the attacks can also involve trojan activity, including modifying Windows registry keys and injecting malicious files. The result can be malware installation, ransomware, and data exfiltration.

Schools are the industry most targeted by ransomware gangs, and student data is a prominent target of cybercrime. A concerning trend shows unprecedented data loss, with over 900 schools targeted in MOVEit-linked cyber attacks. Recent data leaks, such as the one involving Raptor Technologies, have exposed sensitive records belonging to students, parents, and staff, raising concerns about student privacy and school safety.

To protect against these phishing attacks, organisations are advised to identify high-priority staff, invest in tailored awareness efforts, caution users against suspicious links, and implement proactive AI-driven protections at the browser and email layers.

In short, the surge in phishing attacks targeting US schools underscores the importance of cybersecurity measures and the need for increased awareness within educational institutions, so that sensitive information is safeguarded and the privacy and safety of students and staff are ensured.


Malaysian Authorities Dismantle Phishing-as-a-Service Syndicate 'BulletProofLink'


Malaysian law enforcement officials have recently revealed their takedown of a phishing-as-a-service (PhaaS) operation, dubbed BulletProofLink.

The Royal Malaysia Police announced that the operation was carried out on November 6, 2023, with cooperation from the Australian Federal Police (AFP) and the U.S. Federal Bureau of Investigation (FBI), based on intelligence indicating that the threat actors behind the platform were based in the country.

During the course of the operation, eight individuals aged between 29 and 56, including the mastermind of the syndicate, were detained at various locations in Sabah, Selangor, Perak, and Kuala Lumpur.

The authorities also seized servers, computers, jewelry, automobiles, and crypto wallets containing nearly $213,000.

BulletProofLink

BulletProofLink, also known as BulletProftLink, is well known for providing other actors with ready-to-use phishing templates for credential harvesting campaigns on a subscription basis. These templates imitate the login pages of popular services including American Express, Bank of America, DHL, Microsoft, and Naver.

As per an analysis by Microsoft conducted back in September 2021, BulletProofLink is also involved in 'double theft,' in which a threat actor steals credentials and then passes them to both the core developers and their clients, creating extra revenue streams.

According to a report by cybersecurity firm Intel471, "BulletProftLink is associated with the threat actor AnthraxBP who also went by the online nicknames TheGreenMY and AnthraxLinkers."

"The actor maintained an active website advertising phishing services. The actor has an extensive underground footprint and operated on a number of clear web underground forums and Telegram channels using multiple handles."

According to experts, BulletProftLink's online storefront has been active since at least 2015, and as of April 2023 it had approximately 8,138 active clients and 327 phishing page templates.

Intel 471 adds that, "PhaaS schemes like BulletProftLink provide the fuel for further attacks [...] Stolen login credentials are one of the primary ways that malicious hackers gain access to organizations."

A further indicator of threat actors' ongoing adaptation to disruptions, and of their adoption of more sophisticated strategies, is the use by AiTM attacks of intermediary links to documents hosted on file-sharing services such as DRACOON; those documents contain URLs pointing to adversary-controlled infrastructure.

"This new method can bypass email security mitigations since the initial link appears to be from a legitimate source and no files are delivered to the victim's endpoint as the hosted document containing the link can be interacted with via the file-sharing server within the browser," says Trend Micro.

The development occurs after Milomir Desnica, a 33-year-old citizen of Serbia and Croatia, entered a guilty plea in the United States for running a drug trafficking platform on the dark web called Monopoly Market and for planning to supply over 30 kilograms of methamphetamine to clients in the United States.

Microsoft Discovered a Massive Phishing-as-a-Service Operation


On September 21, Microsoft's security team announced that it had discovered a large operation that delivers phishing services to cybercrime gangs via a hosting-like infrastructure, which the OS maker equated to a Phishing-as-a-Service (PHaaS) model.

The service, known as BulletProofLink or Anthrax, is being promoted on underground cybercrime forums. It is an extension of "phishing kits," which are compilations of phishing websites and templates that look like login forms from well-known firms.

BulletProofLink takes this to the next level by including built-in hosting and email-sending capabilities. Customers pay an $800 charge to register on the BulletProofLink site, and the BulletProofLink administrators manage everything else. 

The service includes setting up a web page to host the phishing site, installing the phishing template itself, configuring domains (URLs) for the phishing sites, sending the phishing emails to the desired victims, collecting credentials from the attacks, and then delivering the stolen logins to "paying customers" at the end of the week.

If criminal networks wish to change up their phishing templates, the BulletProofLink group has a different marketplace where threat actors may buy new templates to utilise in their assaults for $80 to $100 per template.

According to The Record, there are approximately 120 distinct phishing templates accessible on the BulletProofLink shop now. 

As per Microsoft, this method is gaining popularity among phishing attackers because:
  • It removes the requirement for an attacker to get huge collections of single-use domains. 
  • It enables phishing operators to maximise the number of unique domains available to them by establishing dynamically created subdomains as a prefix to the base domain for every email. 
  • The generation of unique URLs presents a challenge to mitigation and detection systems that depend only on exact domain and URL matching. 
In addition, the website provides lessons to assist users in using the service. However, Microsoft researchers discovered that the business has also been robbing its own clients by storing duplicates of all acquired credentials, which the group is suspected to commercialize later by selling the credentials on underground markets. 

Microsoft summed up the complete operation as technically complex, with the group frequently hosting its phishing websites on hacked sites. In certain cases, the BulletProofLink gang was seen manipulating the DNS records of compromised sites to create subdomains on trustworthy sites to host phishing pages.

Microsoft stated, placing the BulletProofLink PHaaS in context, “In researching phishing attacks, we came across a campaign that used a rather high volume of newly created and unique subdomains—over 300,000 in a single run.”
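The bullet list above notes that per-email subdomains defeat detection that relies on exact domain or URL matching, and Microsoft's figure of over 300,000 subdomains in a single run shows the scale. The following added example (written for this post, not code from Microsoft, The Record or any product) shows the defensive counterpart: normalising each URL's hostname to its registrable domain (eTLD+1) before checking a blocklist, and flagging base domains that suddenly sprout many distinct hostnames. The public-suffix list, the blocklist entries and the sample URLs are all constructed placeholders; a real deployment would load the Public Suffix List and its own threat intelligence.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed, deliberately small public-suffix list (assumption for this
# example). Real code should load the full Public Suffix List instead.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "org.uk"}

# Constructed blocklist of base (registrable) domains. Placeholder names only,
# not real indicators of compromise.
BLOCKED_BASE_DOMAINS = {"example-phish.com", "login-verify.co.uk"}

# Constructed sample of URLs as they might appear in a mail gateway log:
# random per-message subdomains under two blocked bases, plus benign traffic.
SAMPLE_URLS = [
    "https://a1b2c3.example-phish.com/login",
    "https://d4e5f6.example-phish.com/login",
    "https://g7h8i9.example-phish.com/login",
    "https://k1l2.login-verify.co.uk/update",
    "https://mail.example.org/inbox",
    "https://www.example.org/",
]


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of host, e.g. 'a1b2.example-phish.com' -> 'example-phish.com'.

    Walks from the longest candidate suffix to the shortest so that 'co.uk'
    is preferred over 'uk'.
    """
    host = host.lower().rstrip(".")
    labels = host.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return host  # host is itself a public suffix
            return ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def exact_host_blocked(url: str) -> bool:
    """Naive check: blocks only if the full hostname is on the list.
    A fresh subdomain per email slips straight past this."""
    host = urlsplit(url).hostname or ""
    return host.lower() in BLOCKED_BASE_DOMAINS


def base_domain_blocked(url: str) -> bool:
    """Hardened check: normalise to the registrable domain first, so every
    dynamically generated subdomain of a blocked base is caught."""
    host = urlsplit(url).hostname or ""
    return registrable_domain(host) in BLOCKED_BASE_DOMAINS


def subdomain_cardinality(urls) -> dict:
    """Count distinct hostnames seen per registrable domain."""
    seen = defaultdict(set)
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        seen[registrable_domain(host)].add(host)
    return {base: len(hosts) for base, hosts in seen.items()}


def flag_high_cardinality(urls, threshold: int) -> list:
    """Return base domains whose distinct-hostname count reaches threshold.
    Catches a BulletProofLink-style run even before the base is blocklisted;
    the threshold is a tuning knob, set far lower here than in production."""
    counts = subdomain_cardinality(urls)
    return sorted(base for base, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url}: exact={exact_host_blocked(url)} base={base_domain_blocked(url)}")
    print("high-cardinality bases:", flag_high_cardinality(SAMPLE_URLS, threshold=3))
```

Run as a script, the output shows each blocked-base URL failing the exact-host check and passing the normalised one, and example-phish.com flagged for having three distinct hostnames in the sample. In production the cardinality counter would be keyed per time window and fed from mail or proxy logs, and the threshold set well above what legitimate CDNs and SaaS tenants produce.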