Among the many cybersecurity issues, phishing attacks like QR code phishing were the ones that have seen a massive surge in the sector.
Also, the report noted that the finance sector is subject to attacks on the software supply chain.
Sekoia claims that in 2023, the phishing-as-a-service paradigm reached widespread use. Cybercriminals are selling phishing kits that comprise phishing pages that mimic various financial institutions, as well as kits designed to take over Microsoft and obtain login credentials for Microsoft 365, which businesses utilize to authenticate to multiple services.
One instance of such a threat is NakedPages PhaaS, that offers phishing pages for varied targets, among which are the financial institutions. With over 3,500 individuals, the threat actor maintains licenses and frequently posts updates on its Telegram channel.
In regards to the aforementioned number, Sekoia based strategic threat intelligence analyst, Livia Tibirna says “generally speaking, cybercrime actors tend to increase their audience, and so their visibility, by inviting users to join their public resources. Therefore, the users are potential (future) customers of the threat actors’ services. Yet, other type of users joining threat actors’ Telegram resources are cybersecurity experts monitoring the related threats.”
QR Code Phishing Campaigns are on the Rise/ Sekoia reports an upsurge in the quantity of QR code phishing, or quishing, activities. Attacks known as "quishing" include using QR codes to trick people into divulging personal information—like login passwords or bank account details.
The cybersecurity firm notes that QR code phishing will eventually increase due to its “effectiveness in evading detection and circumventing email protection solutions.”
According to Sekoia, the most popular kit in Q3 of 2023 is the Dadsec OTT phishing as a service platform, which includes quishing features. It has been noted in a number of extensive attack campaigns, specifically posing as financial institutions.
Attacks against the supply chain of open-source software increased by 200% between 2022 and 2023. Since open-source components are used in digital products or services by 94% of firms in the financial sector, the industry is susceptible to attacks that take advantage of supply chain compromises involving open-source software.
One of the examples is the Log4Shell vulnerability and its exploitation, that has targeted thousands of companies globally for financial benefits and espionage.
There have also been reports of supply chain attacks that particularly target the banking industry, demonstrating the potential of certain threat actors to create complex attacks against the industry.
"It is highly likely that advanced threat actors will persist in explicitly targeting the software supply chain in the banking sector," according to Sekoia.
Sekoia also mentioned some of the financially oriented malware that are predominantly designed to steal financial data, like credit card information, banking credentials, crypto wallets and other critical data, like:
Mobile Banking Trojans: Sekoia has expressed special concern about the growing number of Trojans associated with mobile banking, which more than doubled in 2022 compared to the previous year and is still growing in 2023. According to Sekoia, this is probably because more mobile devices are being used for financial services, and that malware makes it easier to get around two-factor authentication.
Spyware: According to Sekoia, the usage of spyware, which are malicious programs made to gather passwords, sensitive data, and keystrokes, has increased in bank fraud in 2023. One kind of Android malware is called SpyNote, and it has added targeting of banking applications to its list of features.
Ransomware: The finance industry is a prime target for ransomware; in the third quarter of 2023, it was the sector most affected. Ransom demands ranged from $180,000 to $40 million, and in many instances, they had severe physical repercussions.
According to Sekoia, well-known ransomware actors that use extortion to affect the financial industry, like BianLian, have changed to an exfiltration-based extortion strategy that does not encrypt the victims' systems or data. This action is probably taken to prevent widespread encryption issues during large-scale hacking operations.
The financial sector is vulnerable to several security risks. Although BEC and phishing have been around for a while, they have become more sophisticated over time to continue to impact the industry and stay up with emerging technologies. Every employee of financial institutions needs to be trained to recognize potential fraud or phishing efforts. Additionally, they want to have a simple method for informing their IT staff of any unusual activities.
However, more indirect attacks have recently entered the chart, since threat actors have been targeting organizations through supply chain attacks. Specifically, before being implemented, open-source software utilized in goods or services needs to be thoroughly examined.
In 2022, threat actors conducted malicious activity by using IPFS for email phishing campaigns. They upload HTML files containing phishing forms to IPFS and use gateways as proxies so that users can access the files whether or not an IPFS client is installed on their devices. In addition, the scammers included file access links through a gateway into phishing messages forwarded to targeted victims.
A distributed file system is used by attackers to reduce the cost of hosting phishing pages. Moreover, IPFS makes it impossible to erase files that have been uploaded by third parties. One can request that a file's owner delete it if they want it to totally disappear from the system, but cybercriminals will almost certainly never comply.
IPFS gateway providers manage to tackle IPFS phishing attacks by consistently deleting links to fraudulent or suspicious files.
Still, the detection or deletion of links at the gateway level do not always happen as quickly as blocking phishing emails, cloud files, or document. The URL addresses initially came to light in October 2022. As of right now, the campaign is still ongoing.
The objective of phishing letters with IPFS links is often to gain the victim's account username and password, the reason why they barely contain very creative content. What is interesting about this tactic is where the HTML page links go.
The recipient's email address is contained in the URL parameter. The email address given in the login box and the corporate logo at the top of the phishing form will both change, once modified. This way, one link can be utilized in a number of phishing campaigns targeting a variety of users.
In late 2022, Kaspersky discovered two – 15,000 IPFS phishing letters a day for most of the time. This year, IPFS campaigns have begun to escalate, reaching more than 24,000 letters a day in January and February. February became the busiest month in terms of IPFS phishing activities, where researchers discovered a whooping 400,000 letters, a 100,000 increase from November and December 2022.
In regards to this, Roman Dedenok, a security expert at Kaspersky commented “Attackers have and will continue to use cutting-edge technologies to reap profits. As of late, we have observes an increase in the number of IPFS phishing attacks — both mass and targeted. The distributed file system allows scammers to save money on domain purchase. Plus, it is not easy to completely delete a file, although, there are attempts to combat fraud at the IPFS gateway level. The good news is that anti-spam solutions detect and block links to phishing files in IPFS, just like any other phishing links. In particular, Kaspersky products employ a number of heuristics to detect IPFS phishing.”
BEC attack is a type of cybercrime wherein the threat actor poses as a trusted figure in order to dupe the victims to give off money or entice them into exposing confidential company information.
However, according to Ryan Mer, CEO of eftsure Africa, a KYP platform provider, “robust financial controls together with strong server, IT, and email monitoring processes aren’t enough if staff aren’t savvy to the psychological tricks scammers use to manipulate people, making them more vulnerable to tricker and deception.”
Mer rejects the idea that hackers target solely credulous, unskilled professionals. “The misconception that only foolish individuals fall victim to cybercrime and payment fraud is dangerous because it leads to complacency in the highly educated who occupy senior positions within organizations. Criminals engaging in payment are often well-skilled, well-resourced and armed with enough industry knowledge to appear legitimate.”
Human tendencies to be cooperative, avoid conflict, and find quick and efficient solutions to problems are used as a bait by threat actor to obtain information or persuade their victims to take certain actions.
A popular tactic is to pretend to be someone they know or trust in order to gain the trust of a potential victim. Examples include a worker receiving a letter from the financial director of a company telling them to make a quick payment to a vendor or an HR manager receiving a polite email from a worker asking that their bank information be altered for payroll purposes.
While scammers are becoming more creative, a tried-and-true strategy that hackers frequently use is making their victims feel as though they need to act quickly. According to Mer, phishing emails and business email compromise scams are made to increase employees' likelihood of complying with potential threats they are supposed to notify.
“Scammers lure victims into acting quickly before they have time to think rationally about the activities they’re undertaking. Implementing processes that require staff to slow down and double-check any actions that involve payments is vital,” he says.
A new point of contact, a change in email address, or a change in banking information are examples of abrupt changes in customer or supplier business procedures that, he continues, should be viewed with care and thoroughly investigated before agreeing with an urgent request.
The continuous evolution in Cybercrime is making it a moving target. South Africa ranked third globally in terms of the number of cybercrime victims, according to Interpol's most recent African Cyberthreat Assessment Report, which was published in 2021. This crime costs the nation a staggering 2.2 billion yearly.
“Ongoing education on the latest scams and the tactics used to execute them is crucial for South African companies. In addition, independent third-party verification systems like eftsure can offer a much-need extra layer of protection by automating payment checking and supplier verification, saving time on manual processes and reducing human error,” notes Mer.
Researchers from Blackberry detailed how this group meticulously prepared a phishing campaign targeting attendees of the upcoming Pakistan International Maritime Expo & Conference (PIMEC) in a blog post on February 9.
PIMEC is set to be held over the course of the following weekend. It is a Pakistan navy initiative that will provide opportunities to the maritime industry both in the public and private sectors to display products and develop business relationships.
"The event will also highlight Pakistan's Maritime potential and provide the desired fillip for economic growth at national level," reads the government press release. "Attendees at PIMEC include nation-states, militaries, and military manufacturers, among others. That fact, combined with NewPenguin's use of a bespoke phishing lure and other contextual details of the attack, led the researchers to conclude "that the threat actor is actively targeting government organizations."
NewsPenguin lures its victims via spear-phishing emails that are apparently attached to a Word document, in a pretense of being an “Exhibitor Manual” for the PIMEC.
Although this file’s name should have been a warning sign, i.e. “Important Document. doc” its contents— which included official seals and the same aesthetic as other materials released by the event's organizers — appear to have been lifted verbatim from the materials themselves.
Initially, the document opens in a protected view. To read the page, the victim must then click "enable content," which starts a remote template injection attack. For a fact, Remote template injection attacks ingeniously avoid easy detection by infecting an associate template rather than a document. It is "a special technique that allows the attacks to fly under the radar[…] especially for the [email gateways] and endpoint detection and response (EDR)-like products. That's because the malicious macros are not in the file itself but on a remote server — in other words, outside of the victim's infrastructure. That way, the traditional products built to protect the endpoint and internal systems won't be effective," says Dmitry Bestuzhev, a threat researcher at BlackBerry.
The blog post refers to the executable with the generic name "updates.exe" as the payload at the end of the attack flow. The most noteworthy feature of this never-before-seen espionage weapon is how far it goes to avoid notice and scrutiny.
For instance, in order to evade making any loud noises in the targeted network area, the malware tends to operate at the slowest pace, taking around five minutes before each command.
Additionally, the NewsPenguin malware initiates a chain of actions to monitor whether it is operating a virtual machine or sandbox. Cybersecurity experts like trapping and analyzing malware in these network environments, isolating any unwanted effects from the rest of a computer or network.
No known threat actors could be linked by the researchers to NewsPenguin. Having said that, the team has been operating for some time.
Despite PIMEC only taking place this weekend, the domains linked to the campaign were already registered in June and October of last year.
"Short-sighted attackers usually don't plan operations so far in advance, and don't execute domain and IP reservations months before their utilization[…] This shows that NewsPenguin has done some advance planning and has likely been conducting activity for a while," the authors of the report said.
The authors add that NewsPenguin has been "continuously improving its tools to infiltrate victim systems."
The broader image begins to emerge due to the attack's premeditation and the victims' profiles. "What happens at conference booths?" Bestuzhev asks. "Attendees approach the exhibitors, chat, and exchange contact information, which the booth's personnel register as leads using simple forms like spreadsheets. The NewsPenguin malware is built to steal that information, and we should note that the whole conference is about military and marine technologies."