Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Phishing and Spam. Show all posts

Protecting Your Business from Cybercriminals on Social Media

 

Social media has transformed into a breeding ground for cybercriminal activities, posing a significant threat to businesses of all sizes. According to recent reports, more than half of all companies suffer over 30% revenue loss annually due to fraudulent activities, with social media accounting for about 37% of these scams. This is alarming because even established tech giants like Yahoo, Facebook, and Google have fallen victim to these attacks. For smaller businesses, the threat is even greater as they often lack the robust security measures needed to fend off cyber threats effectively. 

Phishing scams are among the most prevalent attacks on social media. Cybercriminals often create fake profiles that mimic company employees or business partners, tricking unsuspecting users into clicking on malicious links. These links can lead to malware installations or trick individuals into revealing sensitive information like passwords or banking details. In some instances, fraudsters might also impersonate high-level executives to manipulate employees into transferring money or sharing confidential data. Another common method is social engineering, where cybercriminals manipulate individuals into taking actions they otherwise wouldn’t. 

For example, they might pretend to be company executives or representatives, convincing lower-level employees to share sensitive information, such as financial records or login credentials. This tactic is especially dangerous since it often appears as legitimate internal communication, making it harder for employees to recognize the threat. Credential stuffing is another significant concern. In this form of attack, cybercriminals use stolen credentials from data breaches to gain unauthorized access to social media accounts. This can lead to spam, data theft, or the spread of malware through the company’s official accounts, jeopardizing both the business’s reputation and its customers’ trust. Negative campaigns pose a different yet equally damaging threat. 

Attackers may post false reviews, complaints, or misinformation to tarnish a company’s image, resulting in lost sales, reduced customer loyalty, and even potential legal costs if the business decides to pursue legal action. Such campaigns can have long-lasting effects, making it difficult for companies to rebuild their reputations. Targeted advertising is another avenue for cybercriminals to exploit. They create deceptive ads that mislead customers or redirect them to malicious sites, damaging the company’s credibility and resulting in financial losses. To safeguard against these threats, businesses must take proactive steps. Using strong, unique passwords for social media accounts is essential to prevent unauthorized access. 

Responding quickly to any incidents can limit damage, and regular employee training on recognizing phishing attempts and social engineering tactics can reduce vulnerability. Managing access to social media accounts by limiting permissions to a select few employees can minimize risk. Additionally, regularly updating systems and applications ensures that security patches protect against known vulnerabilities. 

By implementing these preventive measures, businesses can better defend themselves against the growing threats posed by cybercriminals on social media, maintaining their reputation, customer trust, and financial stability.

Case Study: Implementing an Anti-Phishing Product and Take-Down Strategy


Introduction:

Phishing attacks have become one of the most prevalent cybersecurity  threats, targeting individuals and organizations to steal sensitive information such as login credentials, financial data, and personal information. To combat this growing threat, a comprehensive approach involving the deployment of an anti-phishing product and an efficient take-down strategy is essential.

This case study outlines a generic framework for implementing such measures, with a focus on regulatory requirements mandating the use of locally sourced solutions and ensuring proper validation before take-down actions.


Challenge:

Organizations across various sectors, including finance, healthcare, and e-commerce, face persistent phishing threats that compromise data security and lead to financial losses. The primary challenge is to develop and implement a solution that can detect, prevent, and mitigate phishing attacks effectively while complying with regulatory requirements to use locally sourced cybersecurity products and ensuring that take-down actions are only executed when the orginization is phished/imitated.


Objectives:

1. Develop an advanced anti-phishing product with real-time detection and response capabilities.

2. Establish a rapid and effective take-down process for phishing websites.

3. Ensure the anti-phishing product is sourced from a local provider to meet regulatory requirements.

4. Implement a policy where take-down actions are only taken when the orginization is phished.


Solution:

A multi-faceted approach combining technology, processes, and education was adopted to address the phishing threat comprehensively.


1. Anti-Phishing Product Development

An advanced anti-phishing product from a local cybersecurity provider was developed with the following key features:

Real-time Monitoring and Detection:

Utilizing AI and machine learning algorithms to monitor email traffic, websites, and network activity for phishing indicators.

- Threat Intelligence Integration:

  Incorporating global threat intelligence feeds to stay updated on new phishing tactics and campaigns.

- Automated Detection of Brand Violations: Implementing capabilities to automatically detect the use of logos, brand names, and other identifiers indicative of phishing activities.

- Automated Response Mechanisms:

Implementing automated systems to block phishing emails and malicious websites at the network level, while flagging suspicious sites for further review.

- User Alerts and Guidance: Providing immediate alerts to users when suspicious activities are detected, along with guidance on how to respond.


2. Phishing Website Take-Down Strategy

We developed a proactive approach to swiftly take down phishing websites, ensuring a balance between automation and human oversight, and validating the phishing activity before take-down:

- Rapid Detection Systems: Leveraging real-time monitoring tools to quickly identify phishing websites, especially those violating brand identities.

- Collaboration with ISPs and Hosting Providers:

Establishing partnerships with internet service providers and hosting companies to expedite the take-down process.

- Human Review Process and Validation of Phishing Activity:

Ensuring that no site is taken down without a human review to verify the phishing activity, preventing erroneous takedowns/rejections.

- Legal Measures:

Employing legal actions such as cease-and-desist letters to combat persistent phishing sites.

- Dedicated Incident Response Team:

Forming a specialized team to handle take-down requests and ensure timely removal of malicious sites, following human verification.


Results:

1. Reduction in Phishing Incidents: Organizations reported a significant decrease in successful phishing attempts due to the enhanced detection and response capabilities of the locally sourced anti-phishing product.

2. Efficient Phishing Site Take-Downs:

The majority of reported phishing websites were taken down within 24 hours, following human review and validation of phishing activity, minimizing the potential impact of phishing attacks.


Conclusion:

The implementation of an advanced, locally sourced anti-phishing product, combined with a robust take-down strategy and comprehensive educational initiatives, significantly enhances the cybersecurity posture of organizations. By adopting a multi-faceted approach that leverages technology, collaborative efforts, and user education, while ensuring compliance with regulatory requirements to use local solutions and validating phishing activity before take-down actions, organizations can effectively mitigate the risks posed by phishing attacks. This case study underscores the importance of an integrated strategy, ensuring automated systems are complemented by human oversight, in protecting against the ever-evolving threat of phishing.


By

Suriya Prakash & Sabari Selvan

CySecurity Corp

ByteDance Employees Seized User Data Of Two Journalists

The Chinese company ByteDance, which owns  TikTok, disclosed on Thursday that some of its workers had illegally collected the data of American TikTok users, which included two journalists.

According to an email from ByteDance general counsel Erich Andersen, employees of the company had access to the data as part of a failed investigation into information leaks earlier this year. The employees had access to two reporters' IP addresses and other information via their TikTok accounts, as well as the data of a limited number of individuals connected to the journalist. The company stated that they were searching for connections between two journalists—a former BuzzFeed reporter and a Financial Times reporter—and  ByteDance, however, they were unable to find any breaches.

The inquiry, which was initiated in response to a Forbes story, emphasizes the privacy and security dangers associated with TikTok that have been brought up by American lawmakers, state governors, and administrations for more than two years, and supports some of the information in that study. More than a dozen states have prohibited TikTok from being used on government-issued devices, and the business has been in extensive discussions with the administration about security and privacy policies that would prevent ByteDance and the Chinese government from possibly gaining access to user data in the United States.

Two employees in China and two in the US of ByteDance who were associated with the incident were sacked. Company representatives announced that they were taking extra precautions to safeguard user data. In an effort to identify the source of leaks, ByteDance traced several Forbes journalists, including those who had previously worked for BuzzFeed, according to a Forbes investigation. 

In an effort to completely remove user data from China, TikTok has taken efforts to disassociate itself from ByteDance and is currently in talks with the US government. The fate of those talks is still up in the air.





Data Security can be Enhanced Via Web Scraping

Web information aids security professionals in understanding potential weaknesses in their own systems, threats that might come from outside organizations' networks, and prospective threats that might come via the World Wide Web. 

In reality, automated tests that can find the presence of potential malware, phishing links, various types of fraud, information breaches, and counterfeiting schemes are performed using this database of public Web data.

Web scraping: What is it?

Large volumes of data can be automatically gathered from websites via web scraping. The majority of this data is unstructured and is shown in HTML format, t is transformed into structured data in a spreadsheet or database so that it can be used in a variety of applications.

These include utilizing online services, certain APIs, or even writing one's own code from scratch for web scraping. The company doing the scraping is aware of the sites to visit and the information to be collected. There are APIs on a lot of big websites, including Google, Twitter, Facebook, StackOverflow, etc., which let users access their data in a structured manner. 

How Do Web Scrapers Operate?

Web scrapers have the power to extract all the data from specified websites or the precise data that a user requires. If you wanted to find out what kinds of peelers were available, for instance, you might want to scrape an Amazon page, but you might only need information on the models of the various peelers, not the feedback from customers.

Therefore, the URLs are first provided when a web scraper intends to scrape a website. Then, all of the websites' HTML code is loaded. A more sophisticated scraper might also extract all of the CSS and Javascript parts. The scraper then extracts the necessary data from this HTML code and outputs it in the manner that the user has chosen. The data is typically stored as an Excel spreadsheet or a CSV file, but it is also possible to save it in other formats, such as JSON files.

Cybersecurity Via Web Scraping

1. Monitoring for Potential Attacks on Institutions

Some of the top firms' security teams use open Web data collecting networks to acquire data on potential online threat actors and analyze malware. 

Additionally, they continuously and automatically check the public domain for potentially harmful websites or links using Web scraping techniques. For instance, security teams can instantly recognize several phishing websites that aim to steal important customer or business data like usernames, passwords, or credit card information.

2. Scraping the Web for Cybersecurity 

Web data collecting is used by a variety of cybersecurity companies to evaluate the risk that various domains pose for fraud and viruses. In order to properly assess the risk, cybersecurity firms can utilize this to contact potentially harmful websites as a 'victim' or a legitimate user to see how the website might target an unwary visitor. 

3. Analysis and Reduction of Threats

Public Web data collecting networks are used by threat intelligence companies to get information from a variety of sources, including blogs, public social media channels, and hackers, in order to find fresh information on a range of potential dangers. 

Their insights are based on this Web data collecting, which they subsequently disseminate to a wide range of customers that want to strengthen their own system security.

Despite being utilized often in business, lawful web scraping is still a touchy subject. Where personal information is scraped, this is the most evident. Users of LinkedIn, for instance, are aggressively marketing their personal information since the platform essentially functions as a professional CV showcase. Less desirable is having those details gathered in bulk, compiled, and sold to random people.

An organization's visibility and capacity to respond to online threats across the large online terrain in real-time are both improved by integrating with Web data collecting networks.








Snowshoeing: How the Tactic can Spam Through Your E-mails

 

Cybercriminals employ a wide array of fraudulent techniques to entice users into falling for their email traps. One such infamous technique that draws attention while we speak of various scamming methods, is ‘Spam Emails’. 
 
Spam emails are one of the various pitfalls for netizens. These emails come with a multitude of capacities and can have numerous impacts on a user, even leading to severe scams. One of the spamming tactics used by spammers is 'Snowshoeing', which we will be discussing today. What is Snowshoeing? Snowshoeing is essentially spamming on a very large scale. In a snowshoeing campaign, the spammer may use multiple IP addresses in order to spread spam emails over various internet domains.  
 
Snowshoeing technique derives its name from how 'snow shoes' spread across a large surface area. If you use a regular shoe on snow, it will most likely result in you sinking or slipping on the ice. With snow shoes, a person's weight spreads out more evenly, they are designed to have that effect.  
 
Similarly, in Snowshoeing spamming, the attacker makes use of multiple IP addresses, rather than one, in order to consequently spread the spam load across various domains. This way, Snowshoeing spam could comparatively be very dangerous to its targets than many other spamming tactics. 
 

What Does Snowshoe Spamming Mean? 


Snowshoe spamming is a strategy in which spam is propagated over several domains and IP addresses to weaken reputation metrics and avoid filters. The increasing number of IP addresses makes recognizing and capturing spam difficult, which means that a certain amount of spam reaches their destination email inboxes. Specialized spam trapping organizations are often hard-pressed to identify and trap snowshoe spamming via conventional spam filters.  
 
The strategy of snowshoe spamming is similar to actual snowshoes that distribute the weight of an individual over a wide area to avoid sinking into the snow. Likewise, snowshoe spamming delivers its weight over a wide area to steer clear of filters, expertly navigating them.  

 
How does Snowshoeing work? 

 
Snowshoeing differs from other solicited bulk mail and criminal spams, as in Snowshoeing, the attacker leverages several fraudulent business names and fake identities than just one, changing voice-mails and postal drops on a regular basis.  
 
While a reputable mailer put a good effort to garner trust from an audience, and to develop a brand reputation by using legitimate business addresses, identified domains, and small, static, and easily identifiable selection of IPs, in order to present the audience with a legitimate identity. On the other hand, Snowshoe spammers make use of anonymous and unidentified "whois" records. 
 
To further spread the spam load, snowshoe spammers frequently utilise domain assortments, which may be connected to many providers and servers.   
 
Snowshoe spammers use anonymous domains, which makes it nearly impossible to track down the owner and report the spam. 
 

How to tackle Snowshoeing spam? 

 
In order to mitigate Snowshoe spamming, administrators may follow certain steps, such as applying policies hierarchically at the organization, group, or mailbox level. One may as well rewrite addresses. For complex, multi-domain environments, one may rewrite both inbound and outgoing addresses. 
 

Germany: Individual Hacker Arrested for Stealing € 4 Million via Phishing Attacks

 

Germany’s federal criminal police, Bundeskriminalamt (BKA) carried out home raids on three suspects for executing a large-scale phishing campaign, defrauding internet users of €4 million. The phishing campaign was carried out by the charged suspects between October 3, 2020, and May 29, 2021, as per the evidence gathered by the German Computer Crime Office. 

One of the three suspects, a 24-year-old, has been arrested and charged by the BKA, the second, a 40-year-old, has also been charged with 124 acts of computer fraud, while the investigation for the third suspect is still ongoing.  

The hackers allegedly defrauded their victims by imitating as legitimate German banks and sending them phishing e-mails that were clones of messages from some real banks.  

“These e-mails were visually and linguistically believable based on real bank e-mails. The victims were informed in these letters that their house bank would change their security system – and their own account would be affected [...] The e-mail recipients were thus tricked into clicking on a link, which in turn led to a deceptively real-looking bank page. There, the phishing victims were asked to enter their login data and a current TAN, which in turn enabled the fraudsters to see all the data in the account of the respective victim – including the amount of credit and availability. The perpetrators then contacted the victims and tricked them into revealing further TAN numbers as alleged bank employees. With the TAN, they were then able to withdraw funds from the accounts of the victims.” reads the statement issued by BKA. 

The phishing emails reportedly informed the internet users of the changes in their respective bank’s security systems, beseeching the victims to click on an embedded link to continue using the bank’s services. The links redirected victims to a landing page, asking them to enter their credentials and Transaction Authentication Number (TAN), allowing the hackers access to their online banking accounts and withdrawal funds.  

According to the BKA, the hackers even used DDoS against the banks to conceal their fraudulent transactions. "In order to carry out their crimes, the accused are said to have resorted to offers from other cybercriminals who worked on the dark net, selling various forms of cyber-attacks as crime-as-a-service." BKA stated in an announcement. 

In regard to the active cases of phishing attacks and online fraud, the police urged internet users to take certain cautionary measures, such as never clicking a link or opening file attachments in emails that appear to be from a legitimate bank. If in doubt, the users are recommended to contact their banks personally or obtain information from the bank’s respective websites.

UK Water Provider Targeted by Clop Group Ransomware

The UK water supplier, South Staffordshire Water fell prey to a CLOP Ransomware attack. Following the attack, the company released a statement mentioning that the exploit had no effect on the systems that distribute water safely. 

South Staffordshire Water plc, also known as South Staffs Water, is a UK water supply firm that supplies water to a small portion of the West Midlands, Staffordshire, and other nearby counties in England.

Over 1,500 square kilometers in the West Midlands, South Staffordshire, South Derbyshire, North Warwickshire, and North Worcestershire, South Staffordshire provides drinking water to about 1.3 million individuals and 35,000 commercial clients.

The company was able to offer Cambridge Water and South Staffs Water customers safe water because of the security measures in place. Additionally, South Staffordshire Water reassures its clients that all service teams are working normally, negating any possibility of prolonged disruptions as a result of the incident.

Alongside carefully collaborating with the relevant governmental and regulatory agencies, the company is looking into the issue. The supplier's identity was published to the Clop ransomware gang's Tor leak site along with a claim of responsibility for the attack.

The wrong firm extorted by hackers

The Clop ransomware gang's Tor leak site through a release on their onion website today stated that Thames Water was their target. They claimed to have gained access to SCADA systems that they could control to affect 15 million users.

The hackers contend that they acted appropriately by not encrypting their data and only stealing 5TB from the hacked systems. Further claims have it that they warned Thames Water of its network security flaws. However, after allegedly failing to reach an agreement on the ransom payment, the actors released the first sample of stolen information, which included passport images, screenshots from SCADA systems used for water treatment, driver's license images, etc.

In a statement released today, Thames Water formally refuted these assertions, further asserting that any accusations of Clop breaching its network were "cyber-hoaxes" and that its services were already at capacity. One significant aspect of the lawsuit is that, among the public material, Clop offers a table of usernames and passwords that includes the email addresses of South Staffordshire and South Staff Water.

This incident occurs as eight locations in the UK are enforcing water rationing rules and hosepipe bans because of extreme drought. Due to the extreme pressure that could be placed on water suppliers to pay the demanded ransom, cybercriminals don't choose their victims at random.

However, for this to happen, Clop must target its threats on the appropriate party. However, given the amount of attention the situation has received, it's likely too late for that at this point.

Microsoft: Phishing Alert Over Russian-Related Threats

As part of the cybercrime gang's illegal surveillance and data theft operations, Microsoft claims to have banned accounts used by the Seaborgium troupe, which has ties to Russia, to spam and exploit login information.

In order to identify employees who work for the victims, the hackers exploited bogus LinkedIn profiles, email, OneDrive, and other Microsoft cloud services accounts.

Microsoft is keeping tabs on the cluster of espionage-related activities under the chemical element-themed moniker SEABORGIUM, which it claims is associated with a hacker organization also known as Callisto, COLDRIVER, and TA446.

Coldriver, alias Seaborgium, was accused of running a hack-and-leak campaign resulting in the publication of documents that were purportedly obtained from high-ranking Brexit supporters, including Richard Dearlove, a former British agent. 

Targets &Tactics

Microsoft reported that it had seen "only very modest changes in their social engineering tactics and in how they deliver the initial malicious URL to their targets."

The main targets are think tanks, higher education institutions, non-governmental and intergovernmental organizations (IGOs), defense and intelligence consulting firms, and to a lesser extent, nations in the Baltics, Nordics, and Eastern Europe.

Former secret services, Russian affairs experts, and Russian nationals living abroad are further subjects of interest. It is estimated that more than 30 businesses and individual accounts were infected.

The process begins with the reconnaissance of potential targets using fictitious personas made on social media sites like LinkedIn, and then contact is established with them through neutral email messages sent from recently registered accounts that have been set up to match the names of the fictitious subjects.

If the target falls prey to the malicious code tactic, hackers launch the attack sequence by sending a weaponized message that contains a PDF document that has been compromised or a link to a file stored on OneDrive. 

According to Microsoft, "SEABORGIUM also abuses OneDrive to host PDF files that contain a link to the malicious URL.  Since the start of 2022, The actors have included a OneDrive link in the email body that, when clicked, takes the subscriber to a PDF file held within a SEABORGIUM-controlled OneDrive account."

Additionally, it has been discovered that the adversary conceals its operational network using open redirects which appear to be innocent to drive visitors to the malicious server, which then asks them to input their credentials in order to view the material.

The last stage of the attack involves leveraging the victim's email accounts with the stolen login information, exploiting the illegal logins to exfiltrate emails and attachments, setting up email forwarding rules to assure ongoing data gathering, and executing other key work.

Caution

According to Redmond, "SEABORGIUM has been spotted in a number of instances employing their impersonation accounts to encourage dialog with certain people of interest and, as a result, were involved in conversations, sometimes unintentionally, involving several users."

The enterprise security firm Proofpoint noted the group's propensity for reconnaissance and skilled impersonation for the delivery of malicious links. Proofpoint records the actor under the moniker TA446.

As per Microsoft, there are steps that may be taken to counter Seaborgium's strategies. This entails turning off email auto-forwarding and configuring Office 365 email settings to stop fake emails, spam, and emails containing viruses.

The security team also suggests utilizing more secure MFA techniques, such as FIDO tokens or authenticator tools with number matching, in place of telephony-based MFA and demanding multi-factor authentication (MFA) for all users from all locations, even those that are trusted.

Cloudflare Users Targeted by Hackers that Breached into Twilio


On Tuesday, the web infrastructure provider Cloudflare revealed that at least 76 of its staff members and their families had received texts on both personal and business phones that resembled the intricate phishing effort on Twilio.

Furthermore, Cloudflare said that its Cloudforce One threat intelligence team was able to do an analysis of the attack, despite the fact that its systems were not hacked.

The systems and officials of several firms are the targets of this sophisticated attack, as per analysts. Four phone numbers linked to SIM cards issued by T-Mobile were used in the attack, which exists around the same time Twilio was targeted and was ultimately unsuccessful.

Cloudflare said the rogue domain was built via Porkbun under 40 minutes before the wave of more than 100 smishing messages started. It also said the phishing page was created to quickly pass the data given by unwary customers to the attacker via Telegram.

The data was directly taken to the attacker via the messaging app Telegram once the message receiver input his credentials on the phishing site. Experts claim since the phishing page would request a Time-based One Time Password (TOTP) code, the real-time relay was essential for the hackers. Once they had this information, the attackers would access the actual login page for the victim company.

Only three employees, as per Cloudflare, clicked the link in the phishing email and submitted their credentials. However, the business does not use TOTP codes; rather, its staff members use a YubiKey security key that complies with FIDO2. This implies that even if an attacker has the credentials, they cannot access the firm systems without the hardware key.

As Cloudflare also disclosed, AnyDesk remote access software was immediately downloaded on their machines after providing their credentials on the phishing pages, enabling the hackers to remotely take control of their systems if installed.

The company stated it reset the affected employees' login passwords and tightened its access policy to block any logins from unidentified VPNs, residential proxies, and infrastructure providers in addition to working with DigitalOcean to shut down the attacker's server.



SVCReady: A New Loader Gets Ready

 

Recently, a team of researchers has found a brand new wave of phishing campaigns spreading a previously documented malware family called SVCReady. 

Based on HP Wolf Security telemetry, SVCReady which is in its early stage of development, has been in the light of cyber crimes since the end of April 2022, with the authors iteratively updating the malware several times last month. 

"The malware is notable for the unusual way it is delivered to target PCs — using shellcode hidden in the properties of Microsoft Office documents," Patrick Schläpfer, a threat analyst at HP, said in a technical write-up. 

The malware is known for its unconventional way of targeting PCs- using shellcode hidden in the properties of Microsoft Office documents instead of PowerShell or MSHTA. 

The attackers send Microsoft Word document attachments to targets via email that contain Visual Basic for Applications (VBA) AutoOpen macros designed to execute the deployment of malicious payloads. 

After getting a command in the system, the malware tries to achieve persistence on the system. Following the goal the malicious actors copy the malware DLL to the Roaming directory, giving it a unique name based on a freshly generated universally unique identifier (UUID). 
Further, the malware creates a scheduled task called RecoveryExTask that runs the file copied to Roaming with rundll32.exe. 

The malware has the ability to capture systems information, capture screenshots, run shell commands, and download and execute arbitrary files. Reports also indicated that there are possibilities of malware having links with TA551. 

Additionally, HP said that it has noted overlaps between SVCReady and TA551 (aka Hive0106 or Shathak) malware, however, at present it cannot be confirmed if the same threat actor is behind the latest campaign. 

"It is possible that we are seeing the artifacts left by two different attackers who are using the same tools. However, our findings show that similar templates and potentially document builders are being used by the actors behind the TA551 and SVCReady campaigns,” Schläpfer noted.

Small Businesses Remain Vulnerable, With Rising Cyberattacks

 

Small businesses are three times more likely than big corporations to fall prey to scammers in 2021. A single cyberattack's average loss has risen from $34,000 to just about $200,000. These businesses have had to deal with legal bills, compliance penalties, reputational harm, and client loss in addition to cash losses. Many small enterprises are unable to recover from these setbacks.

Kaspersky Lab researchers tracked the amount of Trojan-PSW (Password Stealing Ware) detections in 2022: 4,003,323 versus 3,029,903, up nearly a quarter from the same period in 2021. Trojan-PSW is malware that collects passwords and other account information, allowing attackers to gain access to a company's network and steal important information. Web malware has been particularly bad in Indonesia, the United States, Peru, and Egypt, with the number of incidents in these nations growing several times in the last year.

Several firms have adopted the Remote Desktop Protocol (RDP), a technology that allows computers on the same corporate network to be linked together and accessed remotely, even when employees are at home. However, because RDP is of particular interest to cybercriminals, if an attacker gains access to the corporate network through RDP, they can commit fraud on any of the company's PCs that have been linked. 

The general number of RDP attacks has fallen marginally, but not across the board. There were around 47.5 million attacks in the first trimester of 2021 in the United States, compared to 51 million in the same period in 2022. 

Advanced security services might include built-in training to keep IT professionals informed about the latest cyberthreats. Business owners can transform themselves into sought-after cybersecurity specialists by investing in training and education. 

These specialists will be able to understand how threats may affect their organization and change technological and organizational cybersecurity measures accordingly. Experts at Kaspersky recommend investing in an advanced security product that can perform incident analysis. 

These authorities can figure out where and how a leak happened, they will be better equipped to deal with any unwanted ramifications. Kaspersky Endpoint Security Cloud Pro is a new edition of Kaspersky Endpoint Security Cloud that includes advanced new features such as automated response options and an expanded range of security controls in a single solution. 

Along with all the more ground capabilities, Cobb, the security consultant, recommends that businesses invest in three extra protection measures: 
  • Data backup solution: This ensures that information that has been compromised or lost during a breach can be easily restored from a different place. 
  • Businesses may consider adopting encryption software to protect sensitive data such as employee records, client/customer information, and financial statements. 
  • Password-security software or two-step authentication: To limit the likelihood of password cracking, use these technologies with internal programs.

Three Malware Fileless Phishing Campaigns: AveMariaRAT / BitRAT /PandoraHVNC

 

A phishing effort that was distributing three fileless malware onto a victim's device was detailed by cybersecurity experts at Fortinet's FortiGuard Labs. AveMariaRAT, BitRAT, and PandoraHVNC trojan viruses are spread by users who mistakenly run malicious attachments delivered in phishing emails. The viruses are dangerously capable of acquiring critical data from the device.
 
Cybercriminals can exploit the campaign to steal usernames, passwords, and other sensitive information, such as bank account numbers. BitRAT is particularly dangerous to victims because it can take complete control of infected Windows systems, including viewing webcam activity, listening to audio through the microphone, secretly mining for cryptocurrency that is sent to the attackers' wallet, and downloading additional malicious files.

The first phishing mail appears to be a payment report from a reputable source, with a brief request to view a linked Microsoft Excel document. This file contains dangerous macros, and when you open it, Microsoft Excel warns you about using macros. If the user disregards the warning and accepts the file, malware is downloaded. The malware is retrieved and installed onto the victim's computer using Visual Basic Application (VBA) scripts and PowerShell. For the three various types of malware that can be installed, the PowerShell code is divided into three pieces. This code is divided into three sections and employs the same logic for each virus: 
  • A dynamic mechanism for conducting GZip decompression is included in the first "$hexString." 
  • The second "$hexString" contains dynamic PowerShell code for decompressing the malware payload and an inner.Net module file for deploying it. 
  • The GZip-compressed malware payload is contained in the "$nona" byte array. The following PowerShell scripts are retrieved from the second $hexString and are used to decompress the malware payload in $nona and to deploy the malware payload into two local variables using the inner.Net module. 
The study doesn't explain as to why the phishing email contains three malware payloads, but it's conceivable that with three different types of malware to deploy, the cybercriminals will have a better chance of gaining access to whatever critical information they're after. 

Phishing is still one of the most prevalent ways for cyber thieves to deliver malware because it works – but there are steps you can take to avoid being a victim. Mysterious emails claiming to offer crucial information buried in attachments should be avoided, especially if the file requires users to allow macros first. Using suitable anti-spam and anti-virus software and training workers on how to recognize and report phishing emails, businesses may help workers avoid falling victim to phishing emails.

In 2021, the UK Government was Plagued by Hundreds of Spam Emails

 

The UK government was reportedly bombarded with billions of phishing emails last year, with large numbers of questionable and fraudulent links being clicked on by staff. Comparitech recently published a report on these fraudulent emails and got responses in the sort of freedom of information requests from 260 government agencies. 

According to Comparitech, 764,331 government employees got a total of 2.7 billion fraudulent emails, averaging 2,399 per employee. However, this indicates that the emails were most likely flagged as malicious and prohibited by the relevant government agency. 

In 2021, personnel opened 0.32 percent of malicious emails on average, with 0.67 percent of these events resulting in employees clicking on potentially dangerous links, as per research. According to Comparitech, this might suggest some UK government employees clicked on 57,736 questionable links last year. The firm reiterated whether any FOI responses have been unclear - were ignored to avoid overestimating this amount. 

357 million fraudulent emails were received by NHS Digital's 3,996 employees, amounting to 89,353 mails per employee. Other essential infrastructure services, such as railway supplier Network Rail Limited, received 223 million malicious emails, or 5,033 emails per employee, while tax authority HM Revenue & Customs received 27.9 million spam emails, or 415 emails per employee. 

In other cases, the researchers' attempts to better grasp the government's ransomware threat were hampered by respondents' lack of transparency. "One government department reported in 2021 it had identified 97 data theft over just 30 days. Seventy-one government agencies were also glad to announce why they had not been hit by ransomware in 2021 the remaining 187 didn't say whether or not they had. In 2021, only two government agencies disclosed it had been the victims of a successful ransomware attack," said Paul Bischoff of Comparitech.

Top Israeli Officials Duped by Bearded Barbie Hackers

 

Cybercriminals appear to be aggressively promoting the Remcos RAT that first appeared in hacking forums in 2016 and was marketed sold, and offered cracks on a variety of websites and forums. In 2017, researchers discovered Remcos being distributed via a malicious PowerPoint slideshow with a CVE-2017-0199 exploit. Remcos RAT is a piece of commercial software which may be purchased online. 

An "elaborate effort" targeting high-profile Israeli individuals working in critical defense, law enforcement, and emergency services sectors has been traced to a threat actor associated with Hamas' cyber warfare section. The Hamas-backed hacker outfit dubbed 'APT-C-23' was discovered catfishing Israeli officials in defense, law enforcement, and government institutions, resulting in the deployment of new malware. 

Before delivering spyware, the campaign uses advanced social engineering techniques like creating phony social media identities and maintaining a strong partnership with the targets. AridViper has previously targeted Palestinian law enforcement, military, or educational institutions, as well as the Israel Security Agency, with spear-phishing assaults (ISA). Researchers from Cisco Talos discovered AridViper assaults against activists involved in the Israel-Palestine conflict in February.

Malicious actors have built several phony Facebook pages utilizing forged credentials and pirated or AI-generated photographs of attractive women, and have used these profiles to approach their targets. The operators have spent months curating these profiles to make them appear legitimate, posting in Hebrew and alike organizations and prominent pages in Israel. The creators of these profiles create a network of friends who are actually people who work in Israel's police, defense forces, emergency services, or government. The opponents recommend transferring the chat to WhatsApp, ostensibly for more privacy, after building the target's trust by talking with individuals for a while. 

The Android app is actually the virus VolatileVenom.The icon is concealed on pre-Android 10 devices; with Android 10, the virus utilizes the Google Play installation icon. When the victim tries to sign into the Wink Chat, an error message appears, stating the app will be deleted. With a wide spectrum of espionage capabilities, VolatileVenom continues to function in the background. 

The malicious actors will eventually email the target a RAR file containing supposedly explicit photographs or videos as part of the catfishing attempts. This RAR file, on the other hand, contains the Barb(ie) installer malware, which installs the BarbWire backdoor. The filename of a sample of Barb(ie) detected by Cybereason is "Windows Notifications," and when it is made to run, it performs basic anti-analysis checks. If the host is deemed appropriate, the downloader links to an integrated C2 server. 

The BarbWire Backdoor is sent by the C2 server. The downloader contains a backup technique for finding a different C2. If the attackers need to modify the C2 from the one inserted, they can simply send an SMS message with the new destination. All inbound SMS messages are intercepted by the downloader. If one is provided by the intruders, it can just extract the new C2 information and install the backdoor. BarbWire steals data from PDFs, Office files, archives, picture files, movies, and photos, among other file types. It also checks for external media, such as a CD-ROM file, implying it's hunting for highly sensitive material which is carried around physically or over the internet. The stolen information is stored in a RAR archive and then sent to the attackers' C2 server. 

APT-C-23 employs several approaches which have been used in previous operations against Israeli targets, but it is constantly evolving with new tools and more intricate social engineering efforts. The lack of overlapping infrastructure distinguishes Operation Bearded Barbie from past missions, indicating the group's goal of avoiding notice. Another escalation for the threat actor is the usage of two backdoors, one for Windows and one for Android, resulting in very active espionage for the compromised targets.

According to Arkose Labs, the Bots Target Financial Organizations

 

Children as young as five use internet channels for a variety of activities, so it isn't just adults who are essentially living online. The epidemic hastened the adoption of the internet by children for online lessons, entertainment, and socializing.

In the preface to a company's study paper, 2022 State of Fraud & Account Security Report, Kevin Gosschalk, founder and CEO of Arkose Labs, writes, "A familiar term heard in the last few years is 'data is the new oil." "Data is the precious resource who feeds the digital world, which today permeates so much of our daily lives. Work, socializing, education, and a variety of other activities all take place primarily in the digital realm."

Bloomberg Intelligence estimates the online "metaverse" might be worth $800 billion by 2024, according to the cybersecurity firm. "Fraudsters will have an immensely broader attack surface to target as a result of this." Threat actors can corrupt smart appliances, connected autos, and virtual reality gadgets in addition to PCs and mobile devices." 

According to the Arkose research, fraud assaults on financial institutions are increasing in frequency "as well as sophistication." Internet fraud has increased by 85 percent in recent months, and much more than a fifth of all internet traffic is a cyberattack. Not only fraudsters, but Master Fraudsters - the worst type of fraudster – are coming after gaming, internet streaming, and social media sites with all guns blazing. These are the most prominent and, as a result, the most harmful internet pastimes for youngsters. 

Although children are more comfortable with the internet and can navigate it like a pro, but are not always aware of the dangers which lurk there. They might not be able to spot situations where cybercrooks are attempting to take advantage of human gullibility. 

The Arkose Labs analysis also highlighted an 85 percent increase in login or registration stage attacks year over year. "Once an existing account has been hijacked, attackers can monetize it in a variety of ways," according to Gosschalk, "including stealing bank information, reselling credentials, redeeming collected loyalty points, and more." "Fake new accounts are employed in assaults like stock hoarding, content harvesting, and spam and phishing messaging," says the report.

Indeed, according to the Arkose Labs analysis, the average individual now has over 100 passwords. Abuse of financial information and credentials drove an 85 percent increase in login and registration invasions last year compared to 2020. 

The Arkose Labs analysis indicated such automated services assist in targeting more enterprises: bots utilizing "scraping" assaults helped compromise at least 45 percent of the traffic on travel sites. Meanwhile, phishing, fraud, and the promise of a free trial were used to increase the number of bogus accounts last year compared to 2020. Financial firms and financial institutions have been major targets for attacks.

A Worldwide Fraud Campaign Used Targeted Links to Rob Millions of Dollars

 

Infrastructure overlaps tied to the TrickBot botnet can be seen in large-scale phishing activity employing hundreds of domains to steal information for Naver, a Google-like web platform in South Korea. The resources employed in this assault demonstrate the magnitude of the cybercriminal effort to gather login data to carry out attacks. 

Naver, like Google, offers a wide range of services, including web search, email, news, and the NAVER Knowledge iN online Q&A platform. Its credentials, in addition to granting access to regular user accounts, can also grant access to enterprise environments due to password reuse. 

Earlier this year, security researchers from cyber intelligence firm Prevailion began its inquiry using a domain name shared by Joe Sowik, mailmangecorp[.]us, which led to a "vast network of targeted phishing infrastructure designed to gather valid login credentials for Naver." Additionally, PACT analysts discovered similarities with the WIZARD SPIDER [a.k.a. TrickBot] network while researching the hosting infrastructure utilized to serve the Naver-themed phishing pages. 

The fraudsters enticed victims with phoney surveys and incentives purporting to be from well-known brands, the lure was meant to help the criminals steal victims' personal information and credit card information. Tens of millions of people in 91 countries, including the United States, Canada, South Korea, and Italy, were shown to have been targeted by the scammers.

To entice potential victims, the cybercriminals sent out invitations to participate in a survey, along with the promise of a prize if they completed it. Advertising on both legitimate and illegitimate websites, contextual advertising, SMS and email messages, and pop-up notifications were all used in the campaign. To develop trust with the victims, lookalike domains modeled after authentic ones were registered. 542 unique domains were linked to the operation, 532 of which were utilized for Naver-themed phishing. Authorities found the operator would register a group of web addresses linked to a single IP address using an email address.

According to the researchers, two Cobalt Strike beacon variants on Virus Total were linked to 23.81.246[.]131 as part of a campaign that used CVE-2021-40444 to spread Conti ransomware, a typical TrickBot payload. The end page's content is as personalized as possible to the victim's interests, with the customized link only accessible once, making detection significantly more difficult and enabling the scheme to last longer. 

The victim is also informed to be eligible for a prize and one must supply personal information such as one's complete name, email and physical addresses, phone number, and credit card information, including expiration date and CVV for the same. Prevalion believes one explanation that justifies the conclusions is cybercriminals should use an "infrastructure-as-a-service" model for their operations.

Users at Citibank Attacked by a Massive Phishing Scam

 

Scammers impersonating Citibank are now targeting customers in an online phishing campaign. Thousands of bogus email messages were sent to bank customers, according to Bitdefender's Antispam Lab, with the intent of collecting sensitive personal information and internet passwords. 

Responding to unusual activities or an unauthorized login attempt, the accounts have been placed on hold. As a result, the attackers claim all users should authenticate existing accounts as soon as possible to avoid a permanent ban.

According to Bitdefender's internal telemetry, these campaigns are focused primarily on the United States, with 81 percent of the phishing emails sent ending up in the mailboxes of American Citibank customers. However, it has also reached the United Kingdom (7 percent), South Korea (4 percent), and a small number have indeed made it to Canada, Ireland, India, and Germany. When it comes to the origins of these phishing attacks, 40% of the phoney emails appear to have come from the United States, while 13% came via IP addresses in Mexico. 

The cybercriminals behind the effort utilize email subject lines like "Account Confirm Confirmation Required," "Second Reminder: Your Account Is On Hold," and "Account Confirm Confirmation Required" to deceive Citibank clients into opening the emails. Other subject lines were, "Urgent: Account Confirmation Required," "Security Alert: Your Account Is On Hold," and "Urgent: Your Citi Account Is On Hold." 

Since some of the phishing emails in the campaign use the official Citibank logo to make them appear more real, the scammers who sent them did not take the time to correctly fake the sender's email address or repair any punctuation issues in the email body.

Citing phoney transactions or payments, and also questionable login attempts is another strategy used to create these phishing emails which appear to be from Citibank itself, to fool potential victims into authenticating actual accounts. When victims click the verify button, users are taken to a cloned version of the legitimate Citibank homepage. However, if a Citibank customer goes this far, fraudsters will steal the credentials and utilize them in future assaults. 

Bitdefender has discovered another large-scale phishing campaign that went live between February 11 and 15, 2022, offering victims the opportunity to seek cash compensation from the United Nations. The challenge in this situation is to identify the beneficiary as a scam victim, one of the 150 people who were declared eligible for a $5 million payout from Citibank. 

Banks rarely send SMS or email alerts to customers about critical account changes, thereby users can contact the bank and ask to speak to an agent if they receive a message which makes strong claims. Instead of calling the phone numbers included in the email, users should go to the bank's official website and look up the information on the contact page.

Giant User Theft and Bot Attacks Target on Job Seekers

 

Job seekers are viable targets for social manipulation efforts because applicants are emotionally weak and eager to provide any information to help them win the job. Cybercriminals are finding it easier to find the next victim now the "Great Resignation" is in full armor. 

A job posting portal with a location in six countries was the sufferer in this instance. The goal of the attack was to collect job seeker information from the website. 

Since February 1, experts have seen a 232 percent increase in phishing email attacks imitating LinkedIn, seeking to deceive job seekers into handing up private credentials. The emails contained subject lines including "Searching for a suitable candidate online," "You mentioned in 4 searches this week," and even "You have 1 new message," as per the Egress team. 

The OWASP Foundation classifies web scraping as an operational threat (OAT-011), which is defined as gathering accessible data or processing output from an application. While web scraping walks a delicate line among reporting and data privacy violations, it is still one of the most common automated hacks affecting businesses today, according to Imperva.

Imperva didn't name the company, but it said it received 400 million bot requests from 400,000 network Interfaces over four days in an attempt to harvest all of its job seekers' information. Similar strategies can be employed in "scalping" attacks, which are aimed to purchase in-demand, limited-edition products in order to resell them at a greater price later. Imperva neutralized one such operation on a retailer's website around Black Friday week, which had nine million bot queries in only 15 minutes — 2500 percent above its normal traffic rate.

Several people are accustomed to receiving regular authentic LinkedIn communications – and may unintentionally click without double-checking. Individual users are still responsible for being aware of the data they provide socially and how it can be used to deceive users into clicking a malicious link.

Group-IB Found 140 Resources with Fraudulent Schemes under the Guise of Olympic Games Broadcasts

 

Group-IB experts have identified 140 resources in the network that, under the guise of live broadcasts of the Winter Olympic Games in Beijing, redirect users to fraudulent and phishing sites. Most of the dangerous resources are already blocked. 

"After the opening of the XXIV Winter Olympic Games in Beijing, the specialists of the Information Security Incident Response Center (CERT-GIB) found 140 active resources that were used to host illegal broadcasts, and therefore for scamming and phishing. In total, 289 sites could potentially be involved in the scheme," said experts. 

The largest fraudulent network is Kinohoot, which includes over a hundred resources. During the Summer Olympic Games in Tokyo, CERT-GIB specialists found 120 resources of the same type created for conducting fraudulent live broadcasts. 

Group-IB explained that the user sees on one of the pages of the hacked resource a video player window with an embedded link to the live broadcast and symbols of the Winter Olympic Games. Users must register, enter the phone numbers and indicate a special access code to watch the broadcast. This leads the victim to phishing resources. 

Attackers can offer users to participate in the drawing of free access to broadcasts, and to receive a cash prize, the user must pay a conversion fee, which is usually 300-500 rubles ($4-7), and enter bank card data on a phishing resource, or send an SMS to the specified number. Instead of broadcasting, the victim is connected to various paid services and subscriptions. 

"Such Internet scams have been known for quite a long time, but scammers constantly adjust their schemes to popular or significant events in the world and, of course, use newly registered domains for this. In this scheme, in order to gain the trust of the victim, the redirect is often placed on legitimate hacked sites, for example, universities (Ecuadorian Universidad Esp ritu Santo or Indonesian Universitas Muhammadiyah Yogyakarta), charitable foundations and non-profit organizations (African Studies Association)," said the head of CERT-GIB Alexandra Kalinina. 

Group-IB experts recommend to follow sporting contests of the Olympic Games only on official resources, as well as to be wary of draws and not to enter the data of bank cards and personal data on suspicious sites.

Hackers Linked to Palestine Use the New NimbleMamba Malware

 


A Palestinian-aligned hacking organization has used a novel malware implant to target Middle Eastern governments, international policy think tanks, and a state-affiliated airline as part of "highly focused intelligence collecting activities." The discoveries by Proofpoint researchers detail the recent actions of MoleRATs in relation to a renowned and well-documented Arabic-speaking cyber organization, and the ongoing installation of a new intelligence-gathering trojan known as "NimbleMamba." 

To verify all infected individuals are within TA402's target zone, NimbleMamba employs guardrails. The Dropbox API is used by NimbleMamba both to control and also data leakage. The malware also has a number of features that make automated and human analysis more difficult. It is constantly in creation, well-maintained, and is geared to be employed in highly focused intelligence collection programs. 

MoleRATs, also known as TA402, operators are "changing the methodologies while developing these very neatly done, specialized and well-targeted campaigns," according to Sherrod DeGrippo, Proofpoint's vice president of threat analysis and detection. 

Reportedly, TA402 sends spear-phishing emails with links to malware distribution sites. Victims should be inside the scope of the attack, otherwise, the user will be rerouted to credible sources. A version of NimbleMamba is dumped on the target's machine inside a RAR file if its IP address fulfills the selected targeted region. Three separate attack chains were discovered, each with minor differences in the phishing lure motif, redirection URL, and malware-hosting sites. 

In the most recent attacks, the perpetrators pretended to be the Quora website in November 2021. The customer would be rerouted to a domain that served the NimbleMamba virus if the target system's IP address fell under one of around two dozen geofenced country codes. The user would be sent to a respectable news source if this was not the case. 

Another effort, launched in December 2021, employed target-specific baits including medical data or sensitive geopolitical information, and delivered malware via Dropbox URLs.

In yet another campaign, which ran from December to January, the hackers employed different baits for each victim but delivered malware via a hacker-controlled WordPress URL. The hacker-controlled URL only enabled attacks on targets in specific nations. 

NimbleMamba contains "various capabilities intended to confuse both automatic and manual analysis," reiterating that the malware "currently being produced, is well-maintained, and tailored for use in highly focused intelligence collection programs," the researchers told.