
Luna Moth: Hackers After the Subscription Scam 

Luna Moth is a new data extortion group that has been breaking into businesses to steal their data. If the victims do not pay a ransom, the hackers threaten to make the stolen records publicly accessible.

The group adopted the alias Luna Moth and has run phishing campaigns since at least March in which remote access tools (RATs) were distributed, enabling corporate data theft.

How does the scam work?

The Luna Moth ransomware gang has been analyzed by the incident response team at the cybersecurity firm Sygnia, which noted that the actor is attempting to establish a reputation under the name Silent Ransom Group (SRG).

In a published report, Sygnia says that although the goal of Luna Moth, also tracked as TG2729, is to acquire key data, its method of operation resembles that of a scammer.

Over the last three months the group has posed as Zoho MasterClass Inc. and Duolingo in a widespread phishing campaign. The malicious emails are sent from Gmail accounts altered to look like official company accounts, claiming to come from Zoho Corporation or Duolingo.

Domains used

The first verified campaign-related domain was registered in April 2022. Both the exfiltration and phishing domains are hosted by the service provider Hostwinds and registered through Namecheap.

The two primary sets of domains and IPs that make up the Luna Moth infrastructure can be tied to subscription fraud:

  • Domains under the .xyz TLD, such as maaays[.]xyz, are exfiltration domains: the group uses them as the endpoint for data exfiltrated with Rclone.
  • Phishing sites such as masterzohoclass[.]com that pretend to be associated with Duolingo or Zoho. Most of these domains stay live for four hours or less.

Standard tools

Atera, Splashtop, Syncro, and AnyDesk are among the legitimate remote administration tools (RATs) the hackers mainly employ to control compromised devices. These tools also give the hackers flexibility and persistence: even if one of the RATs is removed from a system, the others can reinstall it. The group also uses off-the-shelf tools such as SharpShares and SoftPerfect Network Scanner.

The tools are stored under fake names that make them appear legitimate. Beyond remote access, they let the threat actors carry out basic reconnaissance, gain access to additional resources, and steal data from compromised networks.

URL Hijacking Cases Uncovered by Venafi

Venafi, a company that offers solutions to help financial services companies secure their cryptographic keys and digital certificates, has uncovered over 100,000 URL hijacks that use valid TLS (Transport Layer Security) certificates to target major retailers.

With the festive season around the corner, Venafi analyzed lookalike domains targeting 20 major retailers. The analysis uncovered 109,045 typosquatted domains of retailers from the United States, the United Kingdom, Australia, Germany, and France, which use TLS certificates to appear more genuine. This is more than double last year's figure, and of these only 20,000 certificates were issued for retail.

These URL hijackers targeted 20 dominant retailers from the United States, the United Kingdom, Australia, Germany, and France. Of the 109,045 domains, nearly 84,000 were hijacked US domains, with 50,000 copying the country's major players. In the UK, Venafi traced 14,000 fake retail certificates. The typosquatted domains were not limited to the UK and US: Venafi also found 7,000 certificates for fake domains targeting retailers in Germany, 3,500 targeting Australian retailers, and 1,500 targeting French retailers.

Jing Xie, a senior threat intelligence researcher at Venafi, said, "Some of these URLs probably serve a legitimate purpose, but many may be used by attackers for fraudulent purposes. We think the sheer volume of these sites is a strong indication that a large number of them are being used for malicious purposes, especially since we are so close to the holiday shopping season." (Source: SecurityWeek)

He also added, “Although our research did not analyze the specific threats connected with these domains, we know that lookalike domains are frequently used in phishing attacks and to distribute malware. For example, back in 2017, security researchers found that many certificates that contained the word ‘Paypal’ were used in phishing websites. It’s logical to assume that attackers are using similar tactics with other retail domains.”

60% of the total fake domains, and 85% of the lookalike domains targeting German retailers, got their TLS certificates from Let's Encrypt. Let's Encrypt is a certificate authority that gives free certificates to website owners so they can encrypt traffic; however, it seems miscreants are also taking advantage of its services.
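As an added example (my code, not the blog's, Venafi's or Sygnia's), here is a small Python lookalike-domain check of the kind a defender runs over certificate transparency or passive DNS output; it covers both the retailer typosquats described above and brand-embedding names like masterzohoclass[.]com from the Luna Moth post. The brand list, official domains and CT-style lines are constructed, and the naive domain split stands in for a proper public-suffix lookup.

```python
import re

BRANDS = {"zoho": {"zoho.com"}, "duolingo": {"duolingo.com"},  # constructed list:
          "amazon": {"amazon.com"}}                            # brand -> official domains

SAMPLE_CT = ["2022-11-01T10:00Z CN=masterzohoclass.com issuer=Let's Encrypt",
             "2022-11-01T10:05Z CN=mail.zoho.com issuer=DigiCert",
             "2022-11-01T10:07Z CN=amaz0n.com issuer=Let's Encrypt"]  # constructed

def normalize(label):
    """Undo common digit/homoglyph substitutions (amaz0n -> amazon, rn -> m)."""
    label = label.replace("rn", "m").replace("vv", "w")
    return label.translate(str.maketrans("013578", "olestb"))

def levenshtein(a, b):
    """Edit distance; labels are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Explain why a domain looks like a brand lookalike, or return None."""
    host = domain.lower().strip(".")
    parts = host.split(".")  # naive split; a real check uses the public-suffix list
    sld = parts[-2] if len(parts) > 1 else parts[0]
    norm = normalize(sld)
    for brand, official in BRANDS.items():
        if host in official or any(host.endswith("." + o) for o in official):
            return None  # the brand's own domain or one of its subdomains
        if norm == brand:
            return f"homoglyph of '{brand}'"
        if brand in sld:
            return f"embeds '{brand}'"
        if levenshtein(norm, brand) == 1:
            return f"one edit from '{brand}'"
    return None

def scan(ct_lines):
    """Map each flagged CN in CT-style lines to the reason it was flagged."""
    hits = {}
    for line in ct_lines:
        m = re.search(r"CN=([\w.-]+)", line)
        if m and (reason := classify(m.group(1))):
            hits[m.group(1)] = reason
    return hits
```

Feed it CNs from a real CT feed and a real brand list to get a first-pass triage queue; it will over-flag legitimate partners that embed a brand name, so treat hits as leads, not verdicts.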