Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Phishing Campaign. Show all posts
Subscription Abuse
Cyber Fraud Identity Theft PayPal Scam Phishing Campaign Subscription Abuse

PayPal Subscriptions Exploited in Sophisticated Email Scam

 

Hackers have found a clever way to misuse PayPal's legitimate email system to send authentic looking phishing scams that are able to bypass security filters and look genuine to the end users.

Over the last few weeks, users are complaining that they are receiving emails from PayPal's legitimate address "service@paypal.com" informing that their automatic payment has expired. The emails successfully pass all the usual security checks such as DKIM and SPF authentication and have proved to be coming directly from PayPal’s mail servers. 

One of the reasons these messages are potent is that the scammers have altered the Customer Service URL to take users to their own websites from where they can see fake purchase notifications, claiming victims have purchased high-priced electronics such as MacBooks, iPhones, or Sony devices for USD 1,300 to 1,600.

The spam text message contains Unicode characters which can make the words bold or in different fonts, all this is to help to get round spam filters and keyword detection. Instead, the messages tell recipients to call a phony “PayPal support” phone number to cancel or dispute the alleged charges. 

BleepingComputer's analysis of logs and transactions shows that the PayPal Subscriptions feature is being abused by scammers. When merchants hold a subscriber's subscription, they can do so with their own mechanism, and PayPal, in turn, will notify subscribers via email. PayPal seems to be vulnerable to a subscription metadata attack - perhaps in an API or legacy platform - which lets attackers insert arbitrary text in the Customer Service URL field (it normally only accepts valid URLs). 

The scammers can forge emails and register a fake subscriber account for an email address associated with Google Workspace mailing list. When these accounts receive the notification from PayPal, the mailing list service sends what looks like a legitimate e-mail from PayPal to the list of "victims", making it looks more and more like a scam.

Safety measures

Recipients should ignore these emails and avoid calling the provided phone numbers. These tactics historically aim to facilitate bank fraud or trick victims into installing malware on their devices . PayPal confirmed awareness of the scam and recommends customers contact support directly through the official PayPal app or website if they suspect fraudulent activity. Users concerned about account compromise should log into their PayPal account directly rather than clicking email links to verify whether any unauthorized charges actually occurred.
Read more »
Social Engineering
Cyber Fraud Phishing Campaign RMM Tools Social Engineering

Hackers Weaponize Trusted IT Tools for Full System Control

 

Malicious actors are weaponizing legitimate Remote Monitoring and Management (RMM) tools, turning trusted IT software into a means for unauthorized system access. This strategy represents a significant shift from traditional malware attacks, as it exploits programs like LogMeIn Resolve (formerly GoToResolve) and PDQ Connect to gain full remote control over a victim's computer, bypassing many conventional security measures because the software itself is not inherently malicious.

Modus operandi 

The core of this attack methodology lies in social engineering, where attackers trick individuals into installing these legitimate RMM applications under false pretenses. Security researchers have noted a significant increase in telemetry for detections labeled RiskWare.MisusedLegit.GoToResolve, indicating a rise in this type of threat. The attackers employ various deceptive tactics, including using misleading filenames for the installers.

One common method involves sending phishing emails that appear legitimate. For instance, an email sent to a user in Portugal contained a link that, when hovered over, pointed to a file hosted on Dropbox. By using a legitimate file-hosting service like Dropbox and a trusted RMM tool, attackers increase the likelihood of bypassing security software that might otherwise flag suspicious links or attachments .

In other cases, attackers set up fraudulent websites that perfectly mimic the download pages of popular free utilities like Notepad++ and 7-Zip, tricking users into downloading the malicious RMM installer instead of the software they were seeking.

When a victim clicks the malicious link, it delivers an RMM installer that has been pre-configured with the attacker’s unique "CompanyId." This hardcoded identifier automatically links the victim's machine directly to the attacker’s control panel.

This setup allows the attacker to instantly spot and connect to the newly compromised system without the need for stolen credentials or the deployment of additional malware . Because RMM tools are designed to run with administrative privileges, and their network traffic is often allowed by firewalls and other security solutions, the malicious remote access blends in with normal IT administrative traffic, making it extremely difficult to detect.

Mitigation tips

To defend against this evolving threat, it is crucial to be vigilant about the source of all software downloads .

  • Download carefully: Always download software directly from the official developer's website or verified sources.
  • Verify before installing: Check file signatures and certificates before running any installer to ensure they are from a trusted publisher.
  • Question unexpected prompts: If you receive an unexpected prompt to update software, verify the notification through a separate, trusted channel, such as by visiting the official website directly .
  • Stay updated: Keep your operating system and all installed software up to date with the latest security patches.
  • Recognize social engineering: Learn to identify the deceptive tricks attackers use to push malicious downloads .
Read more »
User Security
blob URIs Cyber Fraud Fake Login Phishing Campaign User Security

Cybercriminals Employ Display Fake Login Pages in Your Browser

 

Cofense Intelligence cybersecurity researchers have discovered a new and increasingly successful technique that attackers are using to deliver credential phishing pages straight to users' email inboxes. 

This technique, which first surfaced in mid-2022, makes use of "blob URIs" (binary large objects-Uniform Resource Identifiers), which are addresses that point to temporary data saved by your internet browser on your own computer. Blob URIs have legitimate uses on the internet, such as YouTube temporarily storing video data in a user's browser for playback.

A key feature of blob URIs is their localised nature; that is, a blob URI created by one browser cannot be viewed by another, even on the same device. This inherent privacy feature, while advantageous for legal online services, has been abused by attackers for malicious objectives.

Cofense Intelligence's report, which was shared with Hackread.com, claims that security systems that monitor emails are unable to easily detect the malicious phoney login pages since Blob URI data isn't on the regular internet. As a result, the link in a phishing email does not lead directly to a fraudulent website. Instead, it directs you to a real website that the security systems trust, such as OneDrive from Microsoft. 

Subsequently, the user is directed to an attacker-controlled hidden webpage. The phoney login page is then created in your browser by this hidden website using a blob URI. This page can steal your username and password and send it to the cybercriminals even though it is only saved on your system. 

This poses a challenge for automated security systems, particularly Secure Email Gateways (SEGs), which analyse website content to detect phishing efforts, the researchers explained. AI-powered security models may not yet be sufficiently trained to differentiate between benign and malevolent usage due to the novelty of phishing attacks employing blob URIs. 

The lack of pattern recognition makes automated detection more difficult and raises the possibility that phishing emails will evade protection, especially when paired with the popular attacker technique of employing several redirects.

Cofense Intelligence has detected many phishing attempts using this blob URI method, with lures aimed to fool users into logging in to fraudulent versions of popular services such as OneDrive. These entices include notifications of encrypted messages, urges to access Intuit tax accounts, and financial institution alerts. Regardless of the many initial pretexts, the overall attack flow is similar.

Researchers worry that this sort of phishing may become more common due to its ability to bypass security. As a result, even if links in emails appear to lead to legitimate websites, it is critical to exercise caution and double-check before entering your login details. Seeing "blob:http://" or "blob:https://" in the webpage address may indicate this new trick.
Read more »
threat report
2FA Cyber Attacks Phishing Campaign Roman Encryption threat report

Roman Encryption Employed In Nearly 9K Phishing Attacks

 

Unpredictability is a hallmark of cybersecurity work. I doubt you expected to read an article linking Julius Caesar, the ancient Roman ruler, to almost a million phishing attacks so far in 2025. But, here we are. The phishing threat continues to grow, motivated by the lure of disseminating infostealer malware and exemplified by more sophisticated efforts, as the FBI has warned. 

The majority of cybercriminals involved in phishing assaults are not malicious coding experts; rather, they are what you might refer to as low-level chancers, with little expertise but high aspirations for a lucrative payout. Phishing-as-a-service platforms, which eliminate the need for all that bothersome technical expertise, aid them in this evil undertaking. According to recently published research, Tycoon 2FA is the most popular of these platforms and that's where Julius Caesar comes in.

It should come as no surprise that phishing is a persistent menace to both consumers and organisations. These are no longer the simple "you've won the Canadian lottery" or "I'm a Nigerian Prince and want to give you money" hoaxes of the past, but, thanks to AI, they've become much more difficult to detect and, as a result, much tougher to resist. As previously stated, the use of phishing-as-a-service platforms to accelerate attack formulation and deployment is especially problematic. 

Barracuda Networks security researchers released a report on March 19 outlining a whopping one million attacks in January and February alone. This figure becomes even more concerning when you consider that one platform, Tycoon 2FA, accounted for 89% of them. 

Nuch of this seems to be recent, with an outbreak in the middle of February, according to Deerendra Prasad, an associate threat analyst in Barracuda Network's threat analyst team, who stated that an investigation "revealed that the platform has continued to develop and enhance its evasive mechanisms, becoming even harder to detect.”

The malicious scripts used to prevent defenders from analysing the phishing pages have been updated to help evade discovery, Prasad said. The new script is not in plain text, but—wait for it—encrypted using a shifting substitution cipher. Indeed, there is something called a Caesar Cipher. This works by replacing every plaintext letter in a string with another that is a specified number of letters down the alphabet. 

To be honest, it's about as simple as it gets, because decrypting such messages requires only the shift number. It is named after Julius Caesar, who was known to use encryption to keep his personal communication private while in transit. "This script is responsible for several processes," Prasad told me, "such as stealing user credentials and exfiltrating them to an attacker-controlled server.”
Read more »
Phishing Campaign
Amazon Prime Cyber Fraud Email scam Financial Scam Phishing Campaign

Amazon Prime Phishing Campaign Siphons Login And Payment Info

 

The Cofense Phishing Defence Centre (PDC) has uncovered a new phishing campaign aimed particularly at Amazon Prime members, trying to steal login passwords, security answers, and payment details. The attacker sends out a well-crafted email mimicking Amazon, encouraging users to update their payment details owing to an "expired" or "invalid" payment method.

The Cofense PDC claims that the threat was sent by email that looked like a genuine Amazon Prime warning the victim that their payment method had expired or was no longer acceptable. Phishing attempts are evident when an email with the spoof sender name "Prime Notification" comes from an unrelated domain. 

The email tries to generate a false sense of urgency, which leads people to click on a fake link. When victims click, they are taken to a bogus Amazon security verification screen. "One of the first red flags recipients should look for is the URL, as it reveals that they have been redirected to Google Docs instead of Amazon's legitimate website," the report reads. 

Once the user has passed the false security screen, they are directed to a fraudulent Amazon login page designed to harvest passwords. "Users should always double-check when logging into websites and ensure that additional security measures, such as multi-factor authentication, are enabled," the researchers added.

After submitting their credentials, victims are prompted to provide additional verification information, such as their mother's maiden name, date of birth, and phone number. The phishing attack is not limited to login credentials. Users are also prompted to input their billing address and payment details, which includes credit card information.

"By obtaining the recipient's residential details, threat actors can submit a request to change the victim's address with postal services, redirecting mail and packages to another location," the report further reads.

In a similar vein, hackers can carry out illegal activities using credit card information that has been stolen. Cofense cautions that "threat actors could use the information to initiate and authorise multiple transactions if these details are compromised." If victims believe the card details has been taken, they are advised to get in touch with their banks right away.
Read more »
secure email gateways
Credential Theft Cyber Security Cyber Threats cybersecurity breaches Group-IB report Phishing Campaign phishing techniques secure email gateways

Group-IB Unveils Sophisticated Phishing Campaign Targeting Global Organizations

 


A recent report by Group-IB has exposed a highly advanced phishing campaign targeting employees from 30 companies across 15 jurisdictions. Using trusted domains and cutting-edge personalization techniques, attackers have bypassed Secure Email Gateways (SEGs) and exploited victims in critical sectors such as finance, government, aerospace, and energy.

Advanced Obfuscation and Multi-Layered Deception

The investigation, initiated in July 2024, uncovered the attackers' use of:

  • Over 200 phishing links hosted on legitimate platforms like Adobe’s InDesign cloud service and Google AMP.
  • Techniques to bypass detection systems that typically block suspicious or unknown domains.

“Nine out of ten cyberattacks start with a phishing email, making it the most common entry point for threat actors,” the report emphasized.

Phishing Emails That Mimic Trusted Brands

The attackers used professionally designed phishing emails that impersonated well-known brands, including:

  • DocuSign, prompting victims to sign fake contracts.
  • Adobe-hosted links, disguising fraudulent login pages as critical documents.

These emails featured professional formatting, familiar logos, and dynamically personalized elements. For example, by extracting a victim’s email domain, the attackers matched logos and page titles to the targeted organization, enhancing credibility.

“Scammers use a technique that dynamically pulls company logos from the official website to make the phishing links look legitimate,” the report noted.

Exploitation of APIs for Realistic Branding

The attackers leveraged APIs like https://logo.clearbit.com/[company domain] to integrate authentic logos into phishing sites. This seamless branding approach increased user trust and made phishing attempts harder to detect.

Concealing Operations with URL Redirection and Encoding

To evade detection, attackers used:

  • URL redirections via Google AMP to create complex trails.
  • Encoded parameters to obscure the attack path.

Victims were redirected to phishing pages that appeared legitimate, with pre-filled email addresses further enhancing the illusion of authenticity. Once users entered their credentials, the stolen data was sent to Command-and-Control (C2) servers or Telegram bots via API endpoints.

Advanced Data Exfiltration Techniques

The phishing sites contained JavaScript snippets that transmitted stolen credentials using Base64 encoding, effectively hiding the data during analysis. Group-IB analysts observed: “The JSON response from Telegram’s API confirms that the stolen credentials were successfully sent to a private chat controlled by the attacker.”

Ongoing Evolution in Phishing Tactics

Group-IB warns that these techniques signify a continuous evolution in phishing methodologies: “Threat actors are quickly adapting, constantly refining and improving their techniques to bypass security measures and exploit vulnerabilities.”

Conclusion: A Growing Need for Vigilance

This campaign serves as a stark reminder of the ever-evolving nature of cyber threats. Organizations must strengthen their defenses and educate employees to identify and respond to increasingly sophisticated phishing attempts.

Read more »
Russian Hacker
APT29 AWS Cyber Attacks Phishing Campaign Russian Hacker

Amazon Identified Internet domains Exploited by Russian APT29

 

The leading advanced persistent threat group in Russia has been phishing thousands of targets in businesses, government agencies, and military institutions. 

APT29 (also known as Midnight Blizzard, Nobelium, and Cozy Bear) is one of the world's most prominent threat actors. It is well known for the historic breaches of SolarWinds and the Democratic National Committee (DNC), which are carried out by the Russian Federation's Foreign Intelligence Service (SVR). It has recently breached Microsoft's codebase and political targets in Europe, Africa, and beyond. 

"APT29 embodies the 'persistent' part of 'advanced persistent threat,'" notes Satnam Narang, senior staff research engineer at Tenable. "It has persistently targeted organizations in the United States and Europe for years, utilizing various techniques, including spear-phishing and exploitation of vulnerabilities to gain initial access and elevate privileges. Its modus operandi is the collection of foreign intelligence, as well as maintaining persistence in compromised organizations in order to conduct future operations.”

In the same vein, the Computer Emergency Response Team of Ukraine (CERT-UA) recently found APT29 phishing Windows credentials from government, military, and commercial sector targets in Ukraine. After comparing notes with authorities in other nations, CERT-UA discovered that the campaign had expanded across "a wide geography."

It is not surprising that APT29 would target sensitive credentials from geopolitically influential and diversified organisations, according to Narang. However, "the one thing that does kind of stray from the path would be its broad targeting, versus [its typical more] narrowly focused attacks.” 

AWS and Microsoft

Malicious domain names that were intended to seem to be linked to Amazon Web Services (AWS) were used in the August campaign. The emails received from these domains simulated to give recipients advice on how to set up zero trust architecture and combine AWS with Microsoft services. Despite the charade, AWS stated that neither Amazon nor its customers' AWS credentials were the target of the attackers.

The attachments to those emails revealed what APT29 was really looking for: configuration files for Remote Desktop, Microsoft's application for implementing the Remote Desktop Protocol. RDP is a common remote access technique used by regular consumers and hackers. 

"Normally, attackers will try to brute force their way into your system or exploit vulnerabilities, then have RDP configured. In this case, they're basically saying: 'We want to establish that connection [upfront],'" Narang added. 

Launching one of these malicious attachments would have resulted in an immediate outbound RDP connection to an APT29 server. But that wasn't all: the files contained a number of other malicious parameters, such that when a connection was established, the perpetrator gained access to the target computer's storage, clipboard, audio devices, network resources, printers, communication (COM) ports, and more, as well as the ability to execute custom malicious scripts.
Read more »
Phishing Campaign
Azure Cyber Security Honeypots Microsoft Phishing Campaign

Microsoft Builds Fictitious Azure Tenants to Lure Phishers to Honeypots

 

Microsoft employs deceptive tactics against phishing actors, creating realistic-looking honeypot tenants with Azure access and luring attackers in to gather intelligence on them. 

Tech giant can use the acquired data to map malicious infrastructure, gain a better understanding of sophisticated phishing operations, disrupt large-scale campaigns, identify hackers, and significantly slow their activity. 

Ross Bevington, a key security software engineer at Microsoft known as Microsoft's "Head of Deception," described the strategy and its negative impact on phishing activities at the BSides Exeter conference. 

Bevington developed a "hybrid high interaction honeypot" on the now-defunct code.microsoft.com to gather threat intelligence on actors ranging from rookie hackers to nation-state outfits targeting Microsoft infrastructure. 

Illusion of phishing success 

Currently, Bevington and his team combat phishing by employing deception techniques that exploit full Microsoft tenant environments as honeypots, which include custom domain names, thousands of user accounts, and activities such as internal communications and file-sharing. 

Companies or researchers often set up a honeypot and wait for threat actors to take note of it and take action. A honeypot not only diverts attackers from the real environment, but it also allows for the collection of intelligence on the tactics used to infiltrate systems, which can then be used to the legitimate network. 

In his BSides Exeter presentation, the researcher describes the active strategy as visiting active phishing sites identified by Defender and entering the honeypot renters' credentials. Because the credentials are not safeguarded by two-factor authentication and the tenants include realistic-looking information, attackers can easily get access and begin spending time hunting for evidence of a trap. 

Microsoft claims to monitor over 25,000 phishing sites every day, providing about 20% of them with honeypot credentials; the others are prevented by CAPTCHA or other anti-bot techniques. 

Once the attackers log into the fake tenants, which occurs in 5% of cases, extensive logging is enabled to follow every activity they perform, allowing them to learn the threat actors' methods, approaches, and procedures. IP addresses, browsers, location, behavioural patterns, whether they use VPNs or VPSs, and the phishing kits they employ are all part of the intelligence gathered. 

Furthermore, when attackers attempt to interact with the fake accounts in the environment, Microsoft blocks responses as much as feasible. The deception technology now takes an attacker 30 days to realise they have breached a fictitious environment. Microsoft has regularly gathered actionable data that other security teams could use to construct more complex profiles and better defences.
Read more »
Subscribe to: Comments (Atom)