Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label fake websites. Show all posts

Scammers Use Fake Centrelink Promises to Target Australians Online

 

Australians have been cautioned about a recent wave of scam websites falsely advertising significant Centrelink payments. These sites promise financial boosts, sometimes hundreds or thousands of dollars, to low-income residents and seniors, exploiting people facing financial challenges. Fraudsters create convincing websites that mimic government agencies like Centrelink, Service Australia, and myGov, claiming these funds are aimed at helping Australians manage the rising cost of living. To create legitimacy, scammers have designed sites that appear to offer eligibility checks, which are actually tactics to gather personal details. 

These scams largely stem from international sources, including countries like India, and often display website URLs ending in “.in” instead of “.gov.au,” an indicator of their inauthenticity. If Australians are lured into these sites, they might be asked to enter personal information, leading to risks of identity theft, unauthorized access to accounts, or financial loss. Scammers also contact victims through text messages, emails, and even direct calls, adding urgency by claiming that immediate action is required to avoid consequences such as account closures or legal threats. The National Anti-Scam Centre has warned users not to trust unsolicited links or messages, as legitimate government organizations do not send out emails or texts asking for login credentials. 

To safeguard against these scams, Australians should only rely on official government websites such as servicesaustralia.gov.au and my.gov.au, as these sites have secure government domains that are easily recognizable. If users are unsure about a message or website, they should verify through official contact channels or report the suspected scam to authorities. Fake Centrelink promises have targeted people’s vulnerabilities by exploiting the challenging economic conditions many Australians currently face. As such, the National Anti-Scam Centre and Services Australia have been actively educating citizens on how to spot fake offers. Scams typically feature enticing language, such as “life-changing benefits,” or make claims about “one-off payments” to attract attention. 

Although these offers may sound appealing, it’s essential to remember that if a promise sounds too good to be true, it likely is. Identifying and reporting such scams can help prevent others from falling victim to these frauds. Authorities urge everyone to double-check website URLs, avoid clicking on suspicious links, and never disclose personal information to unverified sources. The Australian government has intensified efforts to address these scams, working to identify, block, and take down fraudulent sites where possible. While scammers’ techniques evolve, Australians can protect themselves by staying informed, cautious, and vigilant.

Moroccan Cybercrime Group Storm-0539 Exploits Gift Card Systems with Advanced Phishing Attacks

 

A Morocco-based cybercrime group, Storm-0539, is making headlines for its sophisticated email and SMS phishing attacks aimed at stealing and reselling gift cards. Microsoft's latest Cyber Signals report reveals that this group is responsible for significant financial theft, with some companies losing up to $100,000 daily. 

First identified by Microsoft in December 2023, Storm-0539, also known as Atlas Lion, has been active since late 2021. The group employs social engineering techniques to harvest victims' credentials through adversary-in-the-middle (AitM) phishing pages. They exploit this access to register their own devices, bypass authentication, and maintain persistent access to create fraudulent gift cards. 

The group's attack strategy includes gaining covert access to cloud environments for extensive reconnaissance, targeting large retailers, luxury brands, and fast-food chains. They aim to redeem and sell gift cards on black markets or use money mules to cash out. This marks an evolution from their previous tactics of stealing payment card data via malware on point-of-sale (PoS) devices. 

Microsoft noted a 30% increase in Storm-0539's activities between March and May 2024, emphasizing their deep understanding of cloud systems to manipulate gift card issuance processes. In addition to stealing login credentials, Storm-0539 targets secure shell (SSH) passwords and keys, which are either sold or used for further attacks. The group uses internal company mailing lists to send phishing emails, enhancing their credibility and sets up new phishing websites by exploiting free trial or student accounts on cloud platforms. 

The FBI has warned about Storm-0539's smishing attacks on retail gift card departments, using sophisticated phishing kits to bypass multi-factor authentication (MFA). The group's ability to adapt and pivot tactics after detection underscores their persistence and resourcefulness. Microsoft urges companies to monitor gift card portals closely and implement conditional access policies to strengthen security. They highlight the effectiveness of using additional identity-driven signals, such as IP address and device status, alongside MFA. 

Meanwhile, Enea researchers have identified broader criminal campaigns exploiting cloud storage services like Amazon S3 and Google Cloud Storage for SMS-based gift card scams. These scams use legitimate-looking URLs to bypass firewalls and redirect users to malicious websites that steal sensitive information. 

Storm-0539's operations exemplify the increasing sophistication of financially motivated cybercriminals, borrowing techniques from state-sponsored actors to remain undetected. As these threats evolve, robust cybersecurity measures and vigilant monitoring are crucial to protect sensitive information and financial assets.

Combatting Counterfeit Drugs Online: BrandShield's Success in Dismantling Illicit Websites

 

In the rapidly evolving landscape of online pharmaceuticals, the proliferation of counterfeit drugs poses a significant threat to consumer safety. Cybersecurity firm BrandShield has emerged as a stalwart defender in this battle, successfully dismantling over 250 websites selling counterfeit weight-loss and diabetes medications. Led by CEO Yoav Keren, BrandShield's efforts represent a concerted endeavor to combat the scourge of counterfeit pharmaceuticals and protect consumers from the dangers of fraudulent medications. 

The counterfeit drugs targeted by BrandShield predominantly belong to the GLP-1 class, including popular medications like Novo Nordisk's Ozempic and Wegovy, as well as Eli Lilly's Mounjaro and Zepbound. Originally developed to manage type 2 diabetes, these medications have garnered attention for their additional benefits in weight loss, with patients experiencing significant reductions in body weight. Unfortunately, the efficacy and popularity of these drugs have also made them lucrative targets for counterfeiters seeking to exploit the growing demand. 

According to Reuters, the majority of the illicit websites shut down by BrandShield were purveyors of counterfeit GLP-1 drugs, indicating the scale of the problem. Alarmingly, studies suggest that an estimated 95% of all online pharmacies operate unlawfully, highlighting the pervasive nature of the issue. 

Moreover, reported cases of harm linked to fake GLP-1 drugs have emerged in at least nine countries, underscoring the urgent need for action. BrandShield's recent crackdown on counterfeit drug websites represents a significant victory in the ongoing battle against online pharmaceutical fraud. The company's efforts have resulted in the closure of 90% of the identified pharmacy websites selling counterfeit GLP-1 medications. This operation accounts for just over 15% of the total counterfeit drug websites reported by BrandShield last year, emphasizing the scale of the challenge. 

Collaborating closely with the Pharmaceutical Security Institute (PSI), BrandShield employs rigorous evidence collection and intelligence gathering to identify and target illicit websites. By providing actionable intelligence to service providers hosting these websites, BrandShield facilitates their removal from the internet, effectively disrupting the operations of counterfeiters. Furthermore, the company coordinates with law enforcement agencies to investigate and prosecute criminal networks involved in the production and distribution of counterfeit drugs. 

In addition to targeting counterfeit drug websites, BrandShield's efforts extend to social media platforms, where it has removed nearly 4,000 fake drug listings. Notably, a significant portion of these listings—almost 60%—was found on Facebook, highlighting the need for vigilance across all online platforms. BrandShield's global reach ensures that illegal drug listings are eradicated from marketplaces in countries around the world, including India, Indonesia, China, and Brazil. 

Contrary to concerns raised earlier, the EMA found no evidence linking these medications to an increased risk of suicidal thoughts or self-injury. This reaffirmation of safety aligns with previous findings by the US Food and Drug Administration (FDA), providing reassurance to patients and healthcare providers alike. 

Overall, BrandShield's relentless efforts to combat counterfeit drugs online serve as a beacon of hope in the fight against pharmaceutical fraud. By dismantling illicit websites, removing fake drug listings, and collaborating with industry partners and law enforcement agencies, BrandShield is making significant strides towards safeguarding consumers and upholding the integrity of the pharmaceutical industry.

Smash and Grab: Meta Takes Down Disinformation Campaigns Run by China and Russia

 

Meta, Facebook’s parent company has confirmed that it has taken down two significant but unrelated ‘disinformation operations’ rolling out from China and Russia. 

The campaigns began at the beginning of May 2022, targeting media users in Germany, France, Italy, Ukraine, and the UK. The campaign attempted to influence public opinions by pushing fake narratives in the west, pertaining to US elections and the war in Ukraine. 

The campaign spoofed around 60 websites, impersonating legitimate news websites, such as The Guardian in the UK and Bild and Der Spiegel in Germany. The sites did not only imitate the format and design of the original news sites but also copied photos and bylines from the news reporters in some cases. 

“There, they would post original articles that criticized Ukraine and Ukrainian refugees, supported Russia, and argued that Western sanctions on Russia would backfire […] They would then promote these articles and also original memes and YouTube videos across many internet services, including Facebook, Instagram, Telegram, Twitter, petitions websites Change.org and Avaaz, and even LiveJournal” Meta stated in a blog post. 

In the wake of this security incident, Facebook and Instagram have reportedly removed nearly 2,000 accounts, more than 700 pages, and one group. Additionally, Meta detected around $105,000 in advertising. While Meta has been actively quashing fake websites, more spoofed websites continue to show up.  

However, “It presented an unusual combination of sophistication and brute force,” claims Meta’s Ben Nimmo and David Agranovich in a blog post announcing the takedowns. “The spoofed websites and the use of many languages demanded both technical and linguistic investment. The amplification on social media, on the other hand, relied primarily on crude ads and fake accounts.” 

“Together, these two approaches worked as an attempted ‘smash-and-grab’ against the information environment, rather than a serious effort to occupy it long term.” 

Both the operations are now taken down as the campaigns were a violation of Meta’s “coordinated inauthentic behaviour” rule, defined as “coordinated efforts to manipulate public debate for a strategic goal, in which fake accounts are central to the operation”. 

Addressing the situation of emerging fraud campaigns, Ben Nimmo further said, “We know that even small operations these days work across lots of different social media platforms. So the more we can share information about it, the more we can tell people how this is happening, the more we can all raise our defences.”

Phishing Campaign that Imitates Legitimate WeTransfer Applications

 

The Cofense Phishing Defense Center (PDC) has discovered a current phishing attempt that uses bogus websites to impersonate official WeTransfer applications. Threat actors can use this to get around email security gateways (SEG) and trick users into providing their credentials. 

WeTransfer is a file-sharing website that makes it simple for users to share files. Because of the service's popularity, it's possible that consumers may disregard the email's threat level. Threat actors have reimagined this site in order to attract unwary recipients to click on a malicious link that takes them to a phishing website, where they will be asked to pass up their credentials. 

The threat actor instructs the victim to respond to an email that says, "Pending files will be deleted shortly." The timestamps convey a sense of urgency. The malicious URL link that connects to the WeTransfer phishing landing page is hidden below the "Get your files" button. Threat actors provide a list of typical document names to make this appear more authentic. 

Another intriguing aspect is the email address's legitimacy. The threat actors have gone to great lengths to spoof the email address in order to convince recipients that the email came from the correct WeTransfer top-level domain: "@wetransfer.com." The most prevalent tactic used in phishing campaigns to acquire user trust is spoofing the email address. The top-level domain is specified by the Message-ID: @boretvstar[.]com – has nothing to do with WeTransfer. Furthermore, analysts discovered that @boretvstar[.]com is for sale and links to an error page that reads, “This site can't be reached.”

It's evident that the threat actors went to great lengths to resemble the official "WeTransfer" page as closely as possible. However, upon closer examination, the researchers found that Apple and Google logos are missing from the login buttons, and the URL does not match the actual URL. 

When the user clicks the button in the last stage of the attack, they are sent to a false WeTransfer page. To download the shared file, the user must first provide their credentials. The login area on the phishing landing page is prepopulated with the user's email address. The user is displayed a failed login attempt after entering the password, which is a frequent approach used by threat actors. 

In recent weeks, the PDC has seen over 40 identical campaigns reported by well-conditioned users to spot suspicious emails across all of our customers' settings. This phishing campaign is aimed to get around SEGs by impersonating a legitimate file-sharing platform.

Israeli Chief-of-Staff was Hacked by an Iranian State-Sponsored Cybercriminal

 

According to the Times of Israel, an Iranian cybercriminal targeted the computer of a former IDF chief of staff and acquired access to his complete computer database. Yaser Balaghi was identified as the hacker by Channel 10. After the hack, he allegedly brags about it, while also unwittingly leaving a trail of his identity. Iran was compelled to stop a cyber operation that had targeted 1,800 persons around the world, including Israeli army generals, Persian Gulf human rights campaigners, and academics, due to this oversight. 

After Check Point, an Israeli cybersecurity firm, confirmed the Iranian hacking operation's existence two weeks ago, the Times of Israel was the first to report on it. The information from Check Point was also shown in a Channel 10 report on Tuesday. The attack began two months prior, according to Gil Shwed, CEO of Check Point Software Technologies, who told Israel Radio in late January that targets received email messages aimed at installing malware on their computers. More than a quarter of those who received the emails clicked them, unknowingly downloading spyware and allowing the hackers to steal data from their hard drives. 

Hezbollah and the Iranian regime have attacked Israel multiple times in the last two years. In the previous two years, Israel has been the target of several cyberattacks. Some of the infiltration attempts, according to officials, were carried out by hackers linked to Hezbollah and the Iranian government. 

Late in January, Israel's Electric Authority was the target of a significant cyberattack, according to Energy Minister Yuval Steinitz. He didn't say where the attack was coming from, though. ClearSky, an Israeli cybersecurity firm, said in June that it has detected a continuous wave of cyberattacks emanating from Iran against targets in Israel and the Middle East, with Israeli generals once again being among the targets. The company claims that the goal is espionage or other nation-state goals. 

According to ClearSky, the hackers utilize targeted phishing techniques to gather user identity data by creating phoney websites that appear legitimate and trustworthy. They were successful in penetrating 40 targets in Israel and 500 sites worldwide. Retired generals, employees of security consultancy organizations, and academic experts were among the targets in Israel.

Russian Man Convicted of $7 Million Digital Advertising Scam

 

A Russian person was found guilty in the United States of using a bot farm and hiring servers to create fraudulent internet traffic on media sites, causing businesses to pay inflated advertising rates. 

Prosecutors said Aleksandr Zhukov, 41, was the brains of the Methbot operation, in which 1,900 servers were used to generate millions of bogus online ad views on websites such as the New York Times and the Wall Street Journal. According to the US, Zhukov gained $7 million from the scheme and channeled the money into offshore accounts around the world, citing a text in which he referred to himself as the "King of Fraud." 

The group allegedly called their plan "Metan," which is the Russian term for methane, while the FBI and prosecutors referred to it as Methbot, and later as Media Methane, which was the name of Zhukov's company with operations in Russia and Bulgaria. 

Zhukov and his colleagues negotiated deals with advertising networks to display their ads on websites, then received a commission for each ad that was viewed. According to prosecution filings, Zhukov and his collaborators instead established bogus sites and manipulated data centres to produce false users to make it appear like actual people were viewing the ads from September 2014 to December 2016.

"Zhukov represented to others that he ran a legitimate ad network that delivered advertisements to real human internet users accessing real internet web pages," according to a superseding indictment filed on February 12, 2020. 

"In fact, Zhukov faked both the users and the webpages: he and his co-conspirators programmed computers that they had rented from commercial data centers in the United States and elsewhere to load advertisements on fabricated webpages, via an automated program, in order to fraudulently obtain digital advertising revenue," it says. 

Victims of the scheme "included The New York Times, The New York Post, Comcast, Nestle Purina, the Texas Scottish Rite Hospital for Children, and Time Warner Cable," the Department of Justice said in a news release. 

On a temporary US arrest order, Zhukov was arrested in Bulgaria in November 2018. In January 2019, he was extradited to the United States and pleaded not guilty to the accusations against him.

BazaLoader Malware is Being Distributed by Hackers Using a Bogus Streaming Website

 

Proofpoint identified the phishing attempt in early May, which entailed hackers creating a phoney movie-streaming website named BravoMovies and stocking it with phoney movie posters and other materials to make it appear real to unwary visitors. It has nothing to offer for download other than BazaLoader malware, despite its pretty pictures and fun-sounding titles. BazaLoader is a malware loader that is used to spread ransomware and other types of malware, as well as steal sensitive data from infected computers. 

"BazaLoader is a downloader written in C++ that is used to download and execute additional modules. Proofpoint first observed BazaLoader in April 2020. It is currently used by multiple threat actors and frequently serves as a loader for disruptive malware including Ryuk and Conti ransomware. Proofpoint assesses with high confidence there is a strong overlap between the distribution and post-exploitation activity of BazaLoader and threat actors behind The Trick malware, also known as Trickbot," the security firm said. 

The BravoMovies campaign employs a complex infection chain similar to that employed by BazaLoader affiliates, who entice their victims to jump through a series of hurdles in order to activate malware payloads. It starts with an email informing recipients that their credit cards would be debited until they cancel their subscription to the service, which they never agreed to. 

The email includes a phone number for a call center with live people on the other end of the line, ready to send consumers to a website where they may purportedly cancel the phoney movie-streaming subscription. Those who fall for the trick, on the other hand, are directed to download a boobytrapped Excel spreadsheet that will trigger macros that will download BazaLoader. 

The call-center staff advises their customers to the BravoMovies website, where they should go to the Frequently Asked Questions page and unsubscribe using the "Subscription" page. They'll then be directed to download an Excel spreadsheet. If BazaLoader is enabled, the macros on the Excel sheet will download it. The second-stage payload in this campaign has yet to be discovered, according to Proofpoint experts. 

Proofpoint researchers first noticed the use of BazaLoader in February 2021, when a pre-Day Valentine's malware assault supplied lures to bogus flower and lingerie stores. It's also been spotted in a campaign for subscription pharmaceutical services.

Bengaluru: Passport offices alerts public against fake websites


Bengaluru: Passport offices throughout the country are apprehensive about the increase in fake websites that masquerade as official portals for passport related services and siphon off applicant's data and money.

The ministry has been issuing advisories and alerts on its social media handles to caution the public against such fraudulent websites. The crime branch, working with the ministry has also started awareness drives in order to prevent passport applicants from being duped by bogus.

 The fake websites that the offices caught were-
 www.indiapassport.org,
 www.online-passportindia.com,
 www.passport-seva.in,
 www.passport-india.in,
 www.passportindiaporlal.in and www.applypassport.org. (Sc.TOI)

Whereas, the official website to apply for a passport is- "www.passportindia.gov.in" and the official mobile application to avail passport related services is - "mPassport Seva".

Victims who were cheated by these bogus websites and mobile applications approached the passport office and filed complaint at the local police station, said Officials at the Regional Passport Office, Bengaluru. Not only websites but mobile applications and brokers outside the passport offices also demand more payment and could be stealing personal data like Adhaar Card, Voter Id, resident proof and birth certificate to partake in more serious crimes like identity theft or selling the data to immigrants.

The officials said they came across websites that charged unwarranted prices for filling up online forms for a new passport and other services and even people who were highly educated fell victim to the fraud. Where the real cost for a passport is Rs.1,500 for normal and Rs.3, 500 for tatkal, these fraudsters are charging from Rs. 4,500 to Rs. 6,000. And money is the lighter concern, the bigger threat is the theft of personal data like Adhar Number, Voter ID and phone connections.

These websites used logos of other government schemes like Swachh Bharat Abhiyan to appear more genuine and true. Even on Google Play Store, at least eight unauthenticated and false applications were found.

This problem is not centrist to Karnataka, as cases from all over the country have been popping up, for instance, NCR and Bhuvaneshwar being two of the areas. Bharath Kumar Kuthati, regional passport officer, Bengaluru, says "they are creating awareness by issuing warnings on social media. It is a pan-India problem and the department is taking steps to counter it."