Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Phishing Campaign. Show all posts
threat report
2FA Cyber Attacks Phishing Campaign Roman Encryption threat report

Roman Encryption Employed In Nearly 9K Phishing Attacks

 

Unpredictability is a hallmark of cybersecurity work. I doubt you expected to read an article linking Julius Caesar, the ancient Roman ruler, to almost a million phishing attacks so far in 2025. But, here we are. The phishing threat continues to grow, motivated by the lure of disseminating infostealer malware and exemplified by more sophisticated efforts, as the FBI has warned. 

The majority of cybercriminals involved in phishing assaults are not malicious coding experts; rather, they are what you might refer to as low-level chancers, with little expertise but high aspirations for a lucrative payout. Phishing-as-a-service platforms, which eliminate the need for all that bothersome technical expertise, aid them in this evil undertaking. According to recently published research, Tycoon 2FA is the most popular of these platforms and that's where Julius Caesar comes in.

It should come as no surprise that phishing is a persistent menace to both consumers and organisations. These are no longer the simple "you've won the Canadian lottery" or "I'm a Nigerian Prince and want to give you money" hoaxes of the past, but, thanks to AI, they've become much more difficult to detect and, as a result, much tougher to resist. As previously stated, the use of phishing-as-a-service platforms to accelerate attack formulation and deployment is especially problematic. 

Barracuda Networks security researchers released a report on March 19 outlining a whopping one million attacks in January and February alone. This figure becomes even more concerning when you consider that one platform, Tycoon 2FA, accounted for 89% of them. 

Nuch of this seems to be recent, with an outbreak in the middle of February, according to Deerendra Prasad, an associate threat analyst in Barracuda Network's threat analyst team, who stated that an investigation "revealed that the platform has continued to develop and enhance its evasive mechanisms, becoming even harder to detect.”

The malicious scripts used to prevent defenders from analysing the phishing pages have been updated to help evade discovery, Prasad said. The new script is not in plain text, but—wait for it—encrypted using a shifting substitution cipher. Indeed, there is something called a Caesar Cipher. This works by replacing every plaintext letter in a string with another that is a specified number of letters down the alphabet. 

To be honest, it's about as simple as it gets, because decrypting such messages requires only the shift number. It is named after Julius Caesar, who was known to use encryption to keep his personal communication private while in transit. "This script is responsible for several processes," Prasad told me, "such as stealing user credentials and exfiltrating them to an attacker-controlled server.”
Read more »
Phishing Campaign
Amazon Prime Cyber Fraud Email scam Financial Scam Phishing Campaign

Amazon Prime Phishing Campaign Siphons Login And Payment Info

 

The Cofense Phishing Defence Centre (PDC) has uncovered a new phishing campaign aimed particularly at Amazon Prime members, trying to steal login passwords, security answers, and payment details. The attacker sends out a well-crafted email mimicking Amazon, encouraging users to update their payment details owing to an "expired" or "invalid" payment method.

The Cofense PDC claims that the threat was sent by email that looked like a genuine Amazon Prime warning the victim that their payment method had expired or was no longer acceptable. Phishing attempts are evident when an email with the spoof sender name "Prime Notification" comes from an unrelated domain. 

The email tries to generate a false sense of urgency, which leads people to click on a fake link. When victims click, they are taken to a bogus Amazon security verification screen. "One of the first red flags recipients should look for is the URL, as it reveals that they have been redirected to Google Docs instead of Amazon's legitimate website," the report reads. 

Once the user has passed the false security screen, they are directed to a fraudulent Amazon login page designed to harvest passwords. "Users should always double-check when logging into websites and ensure that additional security measures, such as multi-factor authentication, are enabled," the researchers added.

After submitting their credentials, victims are prompted to provide additional verification information, such as their mother's maiden name, date of birth, and phone number. The phishing attack is not limited to login credentials. Users are also prompted to input their billing address and payment details, which includes credit card information.

"By obtaining the recipient's residential details, threat actors can submit a request to change the victim's address with postal services, redirecting mail and packages to another location," the report further reads.

In a similar vein, hackers can carry out illegal activities using credit card information that has been stolen. Cofense cautions that "threat actors could use the information to initiate and authorise multiple transactions if these details are compromised." If victims believe the card details has been taken, they are advised to get in touch with their banks right away.
Read more »
secure email gateways
Credential Theft Cyber Security Cyber Threats cybersecurity breaches Group-IB report Phishing Campaign phishing techniques secure email gateways

Group-IB Unveils Sophisticated Phishing Campaign Targeting Global Organizations

 


A recent report by Group-IB has exposed a highly advanced phishing campaign targeting employees from 30 companies across 15 jurisdictions. Using trusted domains and cutting-edge personalization techniques, attackers have bypassed Secure Email Gateways (SEGs) and exploited victims in critical sectors such as finance, government, aerospace, and energy.

Advanced Obfuscation and Multi-Layered Deception

The investigation, initiated in July 2024, uncovered the attackers' use of:

  • Over 200 phishing links hosted on legitimate platforms like Adobe’s InDesign cloud service and Google AMP.
  • Techniques to bypass detection systems that typically block suspicious or unknown domains.

“Nine out of ten cyberattacks start with a phishing email, making it the most common entry point for threat actors,” the report emphasized.

Phishing Emails That Mimic Trusted Brands

The attackers used professionally designed phishing emails that impersonated well-known brands, including:

  • DocuSign, prompting victims to sign fake contracts.
  • Adobe-hosted links, disguising fraudulent login pages as critical documents.

These emails featured professional formatting, familiar logos, and dynamically personalized elements. For example, by extracting a victim’s email domain, the attackers matched logos and page titles to the targeted organization, enhancing credibility.

“Scammers use a technique that dynamically pulls company logos from the official website to make the phishing links look legitimate,” the report noted.

Exploitation of APIs for Realistic Branding

The attackers leveraged APIs like https://logo.clearbit.com/[company domain] to integrate authentic logos into phishing sites. This seamless branding approach increased user trust and made phishing attempts harder to detect.

Concealing Operations with URL Redirection and Encoding

To evade detection, attackers used:

  • URL redirections via Google AMP to create complex trails.
  • Encoded parameters to obscure the attack path.

Victims were redirected to phishing pages that appeared legitimate, with pre-filled email addresses further enhancing the illusion of authenticity. Once users entered their credentials, the stolen data was sent to Command-and-Control (C2) servers or Telegram bots via API endpoints.

Advanced Data Exfiltration Techniques

The phishing sites contained JavaScript snippets that transmitted stolen credentials using Base64 encoding, effectively hiding the data during analysis. Group-IB analysts observed: “The JSON response from Telegram’s API confirms that the stolen credentials were successfully sent to a private chat controlled by the attacker.”

Ongoing Evolution in Phishing Tactics

Group-IB warns that these techniques signify a continuous evolution in phishing methodologies: “Threat actors are quickly adapting, constantly refining and improving their techniques to bypass security measures and exploit vulnerabilities.”

Conclusion: A Growing Need for Vigilance

This campaign serves as a stark reminder of the ever-evolving nature of cyber threats. Organizations must strengthen their defenses and educate employees to identify and respond to increasingly sophisticated phishing attempts.

Read more »
Russian Hacker
APT29 AWS Cyber Attacks Phishing Campaign Russian Hacker

Amazon Identified Internet domains Exploited by Russian APT29

 

The leading advanced persistent threat group in Russia has been phishing thousands of targets in businesses, government agencies, and military institutions. 

APT29 (also known as Midnight Blizzard, Nobelium, and Cozy Bear) is one of the world's most prominent threat actors. It is well known for the historic breaches of SolarWinds and the Democratic National Committee (DNC), which are carried out by the Russian Federation's Foreign Intelligence Service (SVR). It has recently breached Microsoft's codebase and political targets in Europe, Africa, and beyond. 

"APT29 embodies the 'persistent' part of 'advanced persistent threat,'" notes Satnam Narang, senior staff research engineer at Tenable. "It has persistently targeted organizations in the United States and Europe for years, utilizing various techniques, including spear-phishing and exploitation of vulnerabilities to gain initial access and elevate privileges. Its modus operandi is the collection of foreign intelligence, as well as maintaining persistence in compromised organizations in order to conduct future operations.”

In the same vein, the Computer Emergency Response Team of Ukraine (CERT-UA) recently found APT29 phishing Windows credentials from government, military, and commercial sector targets in Ukraine. After comparing notes with authorities in other nations, CERT-UA discovered that the campaign had expanded across "a wide geography."

It is not surprising that APT29 would target sensitive credentials from geopolitically influential and diversified organisations, according to Narang. However, "the one thing that does kind of stray from the path would be its broad targeting, versus [its typical more] narrowly focused attacks.” 

AWS and Microsoft

Malicious domain names that were intended to seem to be linked to Amazon Web Services (AWS) were used in the August campaign. The emails received from these domains simulated to give recipients advice on how to set up zero trust architecture and combine AWS with Microsoft services. Despite the charade, AWS stated that neither Amazon nor its customers' AWS credentials were the target of the attackers.

The attachments to those emails revealed what APT29 was really looking for: configuration files for Remote Desktop, Microsoft's application for implementing the Remote Desktop Protocol. RDP is a common remote access technique used by regular consumers and hackers. 

"Normally, attackers will try to brute force their way into your system or exploit vulnerabilities, then have RDP configured. In this case, they're basically saying: 'We want to establish that connection [upfront],'" Narang added. 

Launching one of these malicious attachments would have resulted in an immediate outbound RDP connection to an APT29 server. But that wasn't all: the files contained a number of other malicious parameters, such that when a connection was established, the perpetrator gained access to the target computer's storage, clipboard, audio devices, network resources, printers, communication (COM) ports, and more, as well as the ability to execute custom malicious scripts.
Read more »
Phishing Campaign
Azure Cyber Security Honeypots Microsoft Phishing Campaign

Microsoft Builds Fictitious Azure Tenants to Lure Phishers to Honeypots

 

Microsoft employs deceptive tactics against phishing actors, creating realistic-looking honeypot tenants with Azure access and luring attackers in to gather intelligence on them. 

Tech giant can use the acquired data to map malicious infrastructure, gain a better understanding of sophisticated phishing operations, disrupt large-scale campaigns, identify hackers, and significantly slow their activity. 

Ross Bevington, a key security software engineer at Microsoft known as Microsoft's "Head of Deception," described the strategy and its negative impact on phishing activities at the BSides Exeter conference. 

Bevington developed a "hybrid high interaction honeypot" on the now-defunct code.microsoft.com to gather threat intelligence on actors ranging from rookie hackers to nation-state outfits targeting Microsoft infrastructure. 

Illusion of phishing success 

Currently, Bevington and his team combat phishing by employing deception techniques that exploit full Microsoft tenant environments as honeypots, which include custom domain names, thousands of user accounts, and activities such as internal communications and file-sharing. 

Companies or researchers often set up a honeypot and wait for threat actors to take note of it and take action. A honeypot not only diverts attackers from the real environment, but it also allows for the collection of intelligence on the tactics used to infiltrate systems, which can then be used to the legitimate network. 

In his BSides Exeter presentation, the researcher describes the active strategy as visiting active phishing sites identified by Defender and entering the honeypot renters' credentials. Because the credentials are not safeguarded by two-factor authentication and the tenants include realistic-looking information, attackers can easily get access and begin spending time hunting for evidence of a trap. 

Microsoft claims to monitor over 25,000 phishing sites every day, providing about 20% of them with honeypot credentials; the others are prevented by CAPTCHA or other anti-bot techniques. 

Once the attackers log into the fake tenants, which occurs in 5% of cases, extensive logging is enabled to follow every activity they perform, allowing them to learn the threat actors' methods, approaches, and procedures. IP addresses, browsers, location, behavioural patterns, whether they use VPNs or VPSs, and the phishing kits they employ are all part of the intelligence gathered. 

Furthermore, when attackers attempt to interact with the fake accounts in the environment, Microsoft blocks responses as much as feasible. The deception technology now takes an attacker 30 days to realise they have breached a fictitious environment. Microsoft has regularly gathered actionable data that other security teams could use to construct more complex profiles and better defences.
Read more »
Ukraine
Cyber Attacks National Security Phishing Campaign Targeted Attacks Ukraine

Ukraine Faces New Phishing Campaign Targeting Government Computers, Warns CERT

Ukraine Faces New Phishing Campaign Targeting Government Computers

The  CERT-UA (Computer Emergency Response Team of Ukraine) has issued a warning about a sophisticated phishing campaign targeting Ukrainian government computers. This campaign, which began in July 2024, has already compromised over 100 government systems, posing a significant threat to national security and data integrity.

The attackers behind this campaign are impersonating the Security Service of Ukraine (SSU), a tactic designed to exploit the trust and authority associated with this organization. By doing so, they aim to deceive recipients into believing that the phishing emails are legitimate and urgent. This method of social engineering is particularly effective in high-stakes environments where quick responses are often required.

The phishing emails contain a ZIP file attachment, which, when opened, reveals an MSI installer. This installer is loaded with a malware strain known as ANONVNC. Once installed, ANONVNC provides the attackers with remote desktop access to the infected computers. This level of access allows them to monitor activities, steal sensitive information, and potentially disrupt operations.

The Mechanics of the Attack

The phishing emails are crafted to appear as official communications from the SSU. They often contain subject lines and content that create a sense of urgency, prompting the recipient to open the attachment without due diligence. Once the ZIP file is opened and the MSI installer is executed, the ANONVNC malware is deployed.

ANONVNC is a remote access tool (RAT) that enables the attackers to take control of the infected computer. This includes the ability to view the screen, access files, and execute commands. The malware operates stealthily, making it difficult for users to detect its presence. This allows the attackers to maintain prolonged access to the compromised systems, increasing the potential for data theft and other malicious activities.

Broader Implications

By targeting government computers, the attackers are not only seeking to steal sensitive information but also to undermine the operational integrity of Ukrainian governmental functions. This can have a cascading effect, potentially disrupting public services and eroding trust in governmental institutions.

Moreover, the use of ANONVNC as the malware of choice highlights the evolving nature of cyber threats. Remote access tools are becoming increasingly sophisticated, enabling attackers to carry out complex operations with relative ease. This underscores the need for robust cybersecurity measures and continuous vigilance.

Read more »
User Privacy
Credential Phishing iPhone Users Mobile Security Phishing Campaign User Privacy

Novel Darcula Phishing Campaign is Targeting iPhone Users

 

Darcula is a new phishing-as-a-service (PhaaS) that targets Android and iPhone consumers in more than 100 countries by using 20,000 domains to impersonate brands and collect login credentials.

With more than 200 templates available to fraudsters, Darcula has been used against a wide range of services and organisations, including the postal, financial, government, tax, and utility sectors as well as telcos and airlines.

One feature that distinguishes the service is that it contacts the targets over the Rich Communication Services (RCS) protocol for Google Messages and iMessage rather than SMS for sending phishing messages.

Darcula's phishing service

Darcula was first discovered by security researcher Oshri Kalfon last summer, but according to Netcraft researchers, the platform is becoming increasingly popular in the cybercrime sphere, having lately been employed across numerous high-profile incidents. 

Darcula, unlike previous phishing approaches, uses modern technologies such as JavaScript, React, Docker, and Harbour, allowing for continual updates and new feature additions without requiring users to reinstall the phishing kit. 

The phishing kit includes 200 phishing templates that spoof businesses and organisations from over 100 countries. The landing pages are high-quality, with proper local language, logos, and information. 

The fraudsters choose a brand to spoof and then run a setup script that installs the phishing site and management dashboard right into a Docker environment. The Docker image is hosted via the open-source container registry Harbour, and the phishing sites are built with React.

According to the researchers, the Darcula service commonly uses ".top" and ".com" top-level domains to host purpose-registered domains for phishing attacks, with Cloudflare supporting nearly a third of those. Netcraft has mapped 20,000 Darcula domains to 11,000 IP addresses, with 120 new domains added everyday. 

Abandoning SMS 

Darcula breaks away from standard SMS-based methods, instead using RCS (Android) and iMessage (iOS) to send victims texts with links to the phishing URL. The benefit is that victims are more likely to perceive the communication as trusting the additional safeguards that aren’t available in SMS. Furthermore, because RCS and iMessage use end-to-end encryption, it is impossible to intercept and block phishing messages based on their content.

According to Netcraft, recent global legislative initiatives to combat SMS-based crimes by restricting suspicious communications are likely encouraging PhaaS providers to use other protocols such as RCS and iMessage

Any incoming communication asking the recipient to click on a URL should be viewed with caution, especially if the sender is unknown. Phishing threat actors will never stop trying with novel delivery techniques, regardless of the platform or app.

Researchers at Netcraft also advise keeping an eye out for misspellings, grammatical errors, unduly tempting offers, and calls to action.
Read more »
Phishing Campaign
Data Privacy Info Stealer Malicious Files malware Phishing Campaign

MrAnon Stealer Propagates via Email with Fake Hotel Booking PDF

 

FortiGuard Labs cybersecurity experts have discovered a sophisticated email phishing scheme that uses fraudulent hotel reservations to target unsuspecting victims. The phishing campaign involves the deployment of an infected PDF file, which sets off a chain of actions that culminates in the activation of the MrAnon Stealer malware. 

The attackers, as initially reported by Hackread, conceal themselves as a hotel reservation company rather than depending on complicated technical means. They send phishing emails with the subject "December Room Availability Query," which contain fake holiday season booking details. A downloader link included within the malicious PDF file initiates the phishing attempt. 

Following an investigation, FortiGuard Labs experts discovered a multi-stage process involving.NET executable files, PowerShell scripts, and fraudulent Windows Form presentations. The attackers expertly navigate through these steps, using techniques such as fake error messages to mask the successful execution of the MrAnon Stealer malware. 

The MrAnon Stealer runs in the background, employing cx-Freeze to compress its actions and bypass detection measures. Its meticulous approach includes screenshot capture, IP address retrieval, and sensitive information retrieval from various applications. 

MrAnon Stealer, according to FortiGuard Labs, can steal information from bitcoin wallets, browsers, and messaging apps such as Discord, Discord Canary, Element, Signal, and Telegram Desktop. It specifically targets VPN clients such as NordVPN, ProtonVPN, and OpenVPN Connect. The attackers employ a Telegram channel as a means of exchange for command and control. Using a bot token, the stolen data is sent to the attacker's Telegram channel, along with system information and a download link.

As evidenced by the spike of requests for the downloader URL in November 2023, this malware campaign was aggressive and actively running, with a primary target on Germany. The hackers demonstrated a calculated strategy by switching from Cstealer in July and August to the more potent MrAnon Stealer in October and November. 

Users are strongly advised to take cautious, especially when dealing with unexpected emails containing suspicious files, as online vulnerabilities are at an all-time high. Vigilance and common sense are the keys to thwarting cybercriminal activities because they safeguard against the exploitation of human flaws and ensure online security.
Read more »
Subscribe to: Posts (Atom)