Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Spear Phishing Mails. Show all posts

FBI Alerts Gmail and Outlook Users Regarding Malicious Email That Drains Bank Account

 

The FBI is alerting email users regarding a potentially harmful fraud. Victims may get into major legal difficulties with their employers or experience bank account theft. 

This fraud, known as the "Business Email Compromise," allows thieves to steal hundreds of thousands of dollars in a matter of minutes. An official FBI security brief explains how it works and what you can do to protect yourself. 

The scam can take many forms, such as an invoice from a company you routinely do business with, a CEO asking an employee to buy dozens of gift cards, or a message instructing a home buyer on how to wire their down payment. 

"Business email compromise (BEC) – also known as email account compromise (EAC) – is one of the most financially damaging online crimes," the FBI stated."It exploits the fact that so many of us rely on email to conduct business—both personal and professional." 

The fraud may occur anytime, even on trusted applications like Microsoft Outlook or Google Gmail. 

Modus operandi

According to the FBI, scammers have a variety of methods at their disposal to dupe you. For example, they might "spoof" a website or email address. 

"Slight variations on legitimate addresses (john.kelly@examplecompany.com vs. john.kelley@examplecompany.com) fool victims into thinking fake accounts are authentic," the FBI further explained. 

The use of "spear phishing" emails is another strategy. Phishing emails are designed to appear like they are from someone you know or trust, while spear phishing refers to attacks that are sent to a particularly targeted audience rather than the broader public. 

"These messages look like they’re from a trusted sender to trick victims into revealing confidential information," the FBI added. "That information lets criminals access company accounts, calendars, and data that gives them the details they need to carry out the BEC schemes." 

The third strategy involves criminals attacking you through malware. Hackers can steal a lot of information about you or your business. 

"Malicious software can infiltrate company networks and gain access to legitimate email threads about billing and invoices," the FBI concluded. "That information is used to time requests or send messages so accountants or financial officers don’t question payment requests. Malware also lets criminals gain undetected access to a victim’s data, including passwords and financial account information." 

Mitigation Tips 

In order to safeguard oneself from phishing emails "we recommend our customers to use the phichi platform for customised phish simulation," Mr. Suriya Prakash, Head DARWIS CySecurity Pte Ltd told. 

Further, we are listing below some of the best practices for avoiding this kind of scam as enumerated by the FBI.

  • Being cautious about what you post online or on social media 
  • Avoiding unwanted emails or texts with links or attachments 
  • Examine email addresses and URLs carefully
  • Exercise caution with what you download 
  • Make sure that two-factor authentication is enabled on all of your accounts (you'll need a login code in addition to your password)
  • Verify all requests for money transfers from people you know by calling them first

If you have doubts about a message, verify it before transferring money or revealing personal information.


Blind Eagle: Hackers Targets Prominent Industries in Columbia


BlackBerry has recently published a report on a malicious actor, Blind Eagle. It is a cyberespionage campaign based in South America that has been targeting systems in Ecuador, Chile, Spain, and Colombia since the year 2019. 

The most recent threat activities conducted were primarily targeted at organizations in Colombia, involving sectors like “health, finance, law enforcement, immigration, and an agency in charge of peace negotiation in the country.” 

Check Point researchers, who recently examined the Blind Eagle, also known as APT-C-36, noted the adversary and its advanced toolset that includes Meterpreter payloads, distributes through spear-phishing emails. 

How Does APT-C-36 Operate? 

Blind Eagle’s phishing emails lure its victims over the false impression of fear and urgency. The email notifies its recipients that they have "obligaciones pendentes," or "outstanding obligations," with some letters informing them that their tax payments are forty-five days overdue. 

The cleverly-crafted emails are being provided with a link, navigating users to a PDF file that appears to be hosted on DIAN’s website but actually installs malware to the targeted systems, effectively launching the infection cycle. 

The BlackBerry researchers explain it further: 

"The fake DIAN website page contains a button that encourages the victim to download a PDF to view what the site claims to be pending tax invoices," says the BlackBerry researchers. "Clicking the blue button initiates the download of a malicious file from the Discord content delivery network (CDN), which the attackers are abusing in this phishing scam." 

"A malicious [remote access trojan] installed on a victim's machine enables the threat actor to connect to the infected endpoint any time they like, and to perform any operations they desire," they further add. 

The researchers also noted that the threat actors utilize dynamic DNS services such as DuckDNS in order to take control of the compromised hosts. 

Blind Eagle’s Operators are Supposedly Spanish 

Owing to the use of Spanish in its spear-phishing emails, Blind Eagle is believed to be a group of Spanish-speaking hackers. However, the headquarters from where the attacks are conducted and whether the attacks are carried out for espionage or financial gain are both currently undetermined. 

"The modus operandi used has mostly stayed the same as the group's previous efforts – it is very simple, which may mean that this group is comfortable with its way of launching campaigns via phishing emails, and feels confident in using them because they continue to work," BlackBerry said.  

Ducktail Spear-Phishing Campaign Targets Facebook Business Accounts Via LinkedIn

 

An ongoing spear-phishing campaign dubbed “Ducktail” is targeting admin profiles of enterprise networks via LinkedIn, with the motive of taking over Facebook Business accounts and exploiting the Ads function to run malvertising campaigns. 

According to researchers at WithSecure, a popular global IT-security firm, the hackers are of Vietnamese origin and have been active since 2018. 

Modus operandi 

The Ducktail operators have a limited targeting scope and carefully choose their victims, seeking those with administrative access to their employer's social media accounts. The hacker contacts employees on LinkedIn who may have access to Facebook business accounts, such as those described as working in "digital media" and "digital marketing." 

Subsequently, the hacker lures the potential victim to download a file hosted on legitimate cloud hosting services like Dropbox or iCloud. The downloaded file contains JPEG image files and a PDF document relevant to the topic discussed between the hacker and the potential victim during the convincing stage.

Security researchers reported that the entire file is a .NET Core malware that can infect any operating system by running on computers without having to install the .NET runtime. Once it has compromised the system the malware collects browser cookies from Chrome, Edge, Firefox, and additional sensitive information to steal Facebook credentials. 

“The malware directly interacts with various Facebook endpoints from the victim’s machine using the Facebook session cookie (and other security credentials that it obtains through the initial session cookie) to extract information from the victim’s Facebook account,” researchers explained. 

The malware is then deployed to other Facebook pages owned by the victim and collects multiple tokens, IP addresses, account information, geolocation data, and other valuables to disguise itself as a legitimate admin. 

After getting access to the victim’s business profile the malware steals advertising limits, credit card details, client lists, currency, payment cycle, and more sensitive details, and finally, the stolen data is exfiltrated through Telegram bots when the malware exits or crashes. 

The phishing campaign operates on an infinite loop in the background which allows continuous exfiltration of new cookies and any update to the victim’s Facebook account. The motive is to interact with the victim’s account, and ultimately create an email account managed by the hacker with the highest privilege role; that is, admin access and finance editor roles.

IBM: Flags More Cyber Attacks on COVID-19 Vaccine Infrastructure

 

On Wednesday, IBM reported that its cyber-security unit has discovered more digital attacks targeting the global COVID-19 vaccine supply chain since the problem was first reported late last year. 

IBM Security X-Force has now revealed that the number of organizations affected has increased since the previous evaluation. A total of 44 organizations from 14 countries were singled out for attack. The targeted companies are key organizations involved in transportation, warehousing, storage, and distribution in Europe, North America, South America, Africa, and Asia. 

The threat actor began sending spear-phishing emails in early September 2020, before any COVID-19 vaccine variant was approved, in order to pre-position themselves in the evolving infrastructure. The emails requested quotes for the Cold Chain Equipment Optimization Platform (CCEOP) program and mentioned Haier Biomedical products used for storage and transportation of vaccines. 

IBM which has identified 50 files associated with the attacks, states the threat actor has excellent knowledge of the cold chain. Spear-phishing emails impersonating the executive from Chinese biomedical firm Haier Biomedical were extensively used in the attacks. 

IBM stated that “While our previous reporting featured direct targeting of supranational organizations, the energy and IT sectors across six nations, we believe this expansion to be consistent with the established attack pattern, and the campaign remains a deliberate and calculated threat.” 

The attacks used HTML files that included references to solar panel manufacturers and petrochemical companies. Around eight distinct organizations in the aviation, aerospace, shipping, and transportation services industries, as well as biomedical research, medical manufacturing, pharmaceuticals, and hygiene services, were hit by the attackers. Six companies in web-hosting, software creation, IT operations and outsourcing, and online platform provisioning were also affected. 

Government agencies (involved in the import/export of special products, transportation, and public health), as well as establishments in the refrigeration and metal manufacturing industries, were targeted, according to IBM. 

According to IBM security analysts, the attackers were attempting to gain access to the COVID-19 vaccine cold chain for espionage purposes, including information on national Advance Market Commitment (AMC) agreements, distribution timetables, collection or duplication of the electronic documents, and warehousing technical requirements. 

“While clear attribution remains presently unavailable, the rise of ‘vaccine nationalism’ and increased global competition surrounding access to vaccines suggests the higher likelihood of a nation-state operation,” IBM added.