Jump to content

Search the Community

Showing results for tags 'phishing'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • Site Related
    • News & Updates
    • Site / Forum Feedback
    • Member Introduction
  • News
    • General News
    • FileSharing News
    • Mobile News
    • Software News
    • Security & Privacy News
    • Technology News
  • Downloads
    • nsane.down
  • General Discussions & Support
    • Filesharing Chat
    • Security & Privacy Center
    • Software Chat
    • Mobile Mania
    • Technology Talk
    • Entertainment Exchange
    • Guides & Tutorials
  • Off-Topic Chat
    • The Chat Bar
    • Jokes & Funny Stuff
    • Polling Station


  • Drivers
  • Filesharing
    • BitTorrent
    • eDonkey & Direct Connect (DC)
    • NewsReaders (Usenet)
    • Other P2P Clients & Tools
  • Internet
    • Download Managers & FTP Clients
    • Messengers
    • Web Browsers
    • Other Internet Tools
  • Multimedia
    • Codecs & Converters
    • Image Viewers & Editors
    • Media Players
    • Other Multimedia Software
  • Security
    • Anti-Malware
    • Firewalls
    • Other Security Tools
  • System
    • Benchmarking & System Info
    • Customization
    • Defrag Tools
    • Disc & Registry Cleaners
    • Management Suites
    • Other System Tools
  • Other Apps
    • Burning & Imaging
    • Document Viewers & Editors
    • File Managers & Archivers
    • Miscellaneous Applications
  • Linux Distributions


  • General News
  • File Sharing News
  • Mobile News
  • Software News
  • Security & Privacy News
  • Technology News

Find results in...

Find results that contain...

Date Created

  • Start


Last Updated

  • Start


Filter by number of...

  1. Google has warned about 14,000 of its users about being targeted in a state-sponsored phishing campaign from APT28, a threat group that has been linked to Russia. The campaign was detected in late September and accounts for a larger than usual batch of Government-Backed Attack notifications that Google sends to targeted users every month. Fancy Bear phishing Shane Huntley, who is at the helm of Google’s Threat Analysis Group (TAG) that responds to government-backed hacking, notes that the higher-than-usual number of alerts this month comes from “from a small number of widely targeted campaigns which were blocked.” The campaign from APT28, also known as Fancy Bear, lead to a larger number of warnings for Gmail users across various industries. In a statement sent by a Google spokesperson, Huntley says that Fancy Bear’s phishing campaign accounts for 86% of all the batch warnings delivered this month. He explains that these notifications indicate targeting of the recipient, not a compromise of their Gmail account. “So why do we do these government warnings then? The warning really mostly tells people you are a potential target for the next attack so, now may be a good time to take some security actions” - Shane Huntley Huntley says that these warnings are normal for individuals such as activists, journalists, government officials, or people that work national security structures because that’s who government-backed entities are targeting. All the phishing emails from the Fancy Bear campaign were blocked by Gmail and did not land in the users’ inboxes as they were automatically classified as spam. “As we've previously explained, we intentionally send these notices in batches, rather than at the moment we detect the threat itself, so that attackers cannot track some of our defense strategies,” Huntley said. source: Barton Gellman APT28 has been operating since at least 2004 on behalf of Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. The group is typically engaged in data theft and espionage activity. Among its more recent targets are members of the Bundestag, the German federal parliament, and of the Norwegian Parliament. Google’s goal with these alerts is to inform individuals that they are being targeted so they can improve defenses. The company’s recommendation is to enroll in the Advanced Protection Program for work and personal email. Google warns 14,000 Gmail users targeted by Russian hackers
  2. A vulnerability in Microsoft Outlook is tricking users into believing that phishing emails directed to them are genuine. The Address Book within Outlook shows a person's contact information even though they are not genuine and come from Internationalized Domain Names (IDNs). IDNs include letters from other scripts like Cyrillic that are similar in appearance to letters from the Latin alphabet. These alphabets trick users into believing that the emails have come from genuine contacts. The vulnerability was discovered by "Dobby1Kenobi" (via Windows Central). I registered an email address that looked like my own organization email address and sent myself a test email to distinguish what factors in the email stood out as suspicious. This means if a company’s domain is 'somecompany[.]com', an attacker that registers an IDN such as 'ѕomecompany[.]com' (xn--omecompany-l2i[.]com) could take advantage of this bug and send convincing phishing emails to employees within 'somecompany.com' that used Microsoft Outlook for Windows. What differed between my organization domain and the phishing domain was a Cyrillic “s” at the start of the domain name. Mike Manzotti from Dionach.com also reported the bug. Even though Microsoft acknowledged the vulnerability, it said that it won't release a fix for it. Microsoft told Manzotti: We've finished going over your case, but in this instance it was decided that we will not be fixing this vulnerability in the current version and are closing this case.  In this case, while spoofing could occur, the senders identity cannot be trusted without a digital signature. The changes needed are likely to cause false positives and issues in other ways. However, it seems like Microsoft has in fact gone ahead and fixed it. According to Manzotti, Outlook version 16.0.14228.20216 does not have the vulnerability anymore. We recommend users update Outlook to the latest version, and beware of phishing scams like these. New Outlook bug lets phishing emails seem genuine
  3. Microsoft brings Safe Links phishing protection feature to Teams Microsoft today announced that Microsoft Teams users can be now protected using Safe Links in Microsoft Defender for Office 365. With this feature, organizations can protect their users from malicious phishing attacks. When a user clicks a URL in Teams, Safe Links service scans the URL to ensure that the link is safe with the latest intelligence from Microsoft Defender. If a link is found to be malicious, users will have the following experiences: If the link was clicked in a Teams conversation, group chat, or from channels, the warning page as shown in the screenshot below will appear in the default web browser. If the link was clicked from a pinned tab, the warning page will appear in the Teams interface within that tab. The option to open the link in a web browser is disabled for security reasons. Depending on how the Do not allow users to click through to original URL setting in the policy is configured, the user will or will not be allowed to click through to the original URL (Continue anyway (not recommended) in the screenshot). We recommend that you enable the Do not allow users to click through to original URL setting so users can’t click through to the original URL. Source: Microsoft Microsoft brings Safe Links phishing protection feature to Teams
  4. Gmail update will go some way to eliminating phishing once and for all Verified logos in Gmail will make it harder for scammers to impersonate brands The days of cybercriminals using spoofed logos and lookalike email addresses to trick unsuspecting users into falling for phishing scams could soon be over as Google is adding a new security feature to Gmail to make it harder to impersonate brands over email. While the search giant announced last year that it would begin its Brand Indicators for Message Identification (BIMI) pilot, in a new blog post the company has said that it will begin rolling out BIMI support in Gmail over the coming weeks. For those unfamiliar, BIMI is an industry standard that aims to drive adoption of strong sender authentication for the entire email ecosystem. It does this by providing email recipients as well as email security systems with increased confidence in the source of emails to prevent impersonation attempts. (Image credit: Google) BIMI support As part of Google's rollout of BIMI in Gmail, organizations that authenticate their emails using DMARC will be able to validate ownership of their corporate logos and securely transmit them to Google. Once these authenticated emails pass Google's anti-abuse checks, Gmail will begin displaying an organization's logo in the service's avatar slot so that users know these emails come directly from a company and not from someone impersonating them. According to Google, BIMI is designed to be easy for organizations with DMARC already in place and once configured, validated logos will be displayed on emails from both their domains and subdomains. Chair of the AuthIndicators Working Group, Seth Blank praised Google's support of BIMI in Gmail, saying: “Gmail's support of BIMI is a win for email authentication, brand trust, and consumers alike. BIMI gives organizations the opportunity to provide their customers with a more immersive email experience, strengthening email sender authentication across the entire email ecosystem.” In order to take advantage of BIMI, Organizations will first need to adopt DMARC before having their logo validated with Verified Mark Certificate (VMC). Gmail users on the other hand won't have to do a thing and they'll soon see company logos alongside their emails once BIMI support rolls out in the coming weeks. Gmail update will go some way to eliminating phishing once and for all
  5. There’s nothing wrong with your PC - Microsoft is again the top phished brand this year Once again, Microsoft was granted the top spot as the most impersonated company, in this quarter’s Vade Secure’s Phishers’ Favourites report. Vade’s machine used learning algorithms to analyse data from more than 600 million protected mailboxes worldwide and performed real-time analysis of the URL and page content to identify the brand being impersonated. In Q2 2019, the AI engine detected 20,217 unique Microsoft phishing URLs- averaging at more than 222 per day; which is a 15.5% YoY increase compared to the same quarter last year. The company has also ranked number one on the Phisher’s Favourites list every quarter since the release of the official rankings. Cybercriminals often like to target users of Office 365 for their credentials, as they provide a single entry point to the entire platform, allowing them to go onto infiltrate the entire business. Facebook has also had its fair share of phishers, with a 175.8% increase in phishing URLs; advancing the company up to the third position. This is likely due to the increase in the use of Facebook Login to sign into other sites, which makes it easier for hackers to gain access to those accounts too. Chief Solution Architect at Vade Secure, Adrien Gendre, warns both organisations and individuals to be wary of the prevalence of the attacks: Cybercriminals are more sophisticated than ever, and the ways they target corporate and consumer email users continued to evolve in Q2. Microsoft Office 365 phishing is the gateway to massive amounts of corporate data, while gaining access to a consumer’s Facebook log-in information could compromise much of their personal, sensitive information. The fact that we saw such a significant volume in impersonations of these two brands, along with the coinciding new methods of attack, means that virtually all email users and organizations need to be on heightened alert. In the list of the top 10 most impersonated brands, PayPal came in at number 2, and Netflix number 4, followed by Bank of America, Apple, CIBC, Amazon, DHL and DocuSign. Amazon also saw a massive increase in phishing URLs, with a 182.6% increase since Q1, and 411.5% YoY. New Amazon phishing kits were reported in both May and in the time prior to Prime Day 2019. In terms of industries, cloud companies were the most impersonated, taking the top spot for the fifth quarter in a row with 37.6%. Financial services made up 33.1%, social media 15.6%, followed by e-commerce/logistics with 7.7% and finally internet/telco contributing to 5.2%. Interestingly, Tuesday and Wednesdays were the most popular days for cybercriminals to attempt attacks, with 80% of phishing taking place on weekdays. Maybe hackers also need a weekend after a hard week of scamming. Microsoft published a blog post earlier this year, which outlines all of the anti-spoofing protection methods that are available in Office 365, in order to reduce the likelihood of users suffering a phishing attack. Check it out here. Source: There’s nothing wrong with your PC- Microsoft is again the top phished brand this year (MSPoweruser)
  6. Last year my Twitter feed became full of stories and retweets about how Google “solved the phishing problem” using hardware multi-factor authentication (MFA) tokens. One such article covering this topic was “Google: Security Keys Neutralized Employee Phishing” by the venerable Brian Krebs. While I have a lot of respect for his work, I have to strongly disagree with the title of his blog post. If you haven’t already read the story, take a moment to familiarize yourself with it. I don’t want to be the one to crush your hopes and dreams, but, frankly, this is untrue. Before we get too far into this, I want to throw this out there and say that for the sake of this article, I use the term MFA loosely and as a synonym for 2-factor authentication (2FA). I will also mention that I am a fan of MFA and cover some information about MFA in a previous article I wrote for this column, “Credential Phishing – Easy Steps to Stymie Hackers”; however, it is not the cure for everything as some people seem to think. In my years doing sysadmin and information security work for the US Army and in the private sector, I have learned to appreciate the great things that MFA can do to secure systems and communications, something I have even covered in previous articles in this very column. I have also learned that it has its limitations as well. I want to go on record saying this, MFA does not solve the phishing epidemic. There, I said it. Now let me help you understand what is happening here. First and foremost, Google is an advertising juggernaut. Marketing is what they do. This is an important fact when we consider this story. You see, just days after the Krebs article was published, Google announced it would be selling its own version of a hardware MFA key called the Titan. Is it just a coincidence that these two things happened so close to each other? I don’t think so. To my bigger point about what MFA can and will do for you, I think it’s very important to understand what was actually said in the Krebs article. In the article “a Google spokesperson” said, “We have had no reported or confirmed account takeovers since implementing security keys at Google”. This is not the same as saying the keys neutralized employee phishing and that is a very important distinction. Account takeovers and credential stuffing are significant issues in the larger scheme of phishing, but certainly not the only issues. This is not a small issue, and the FBI estimates that there was a loss of over $12 billion since 2013 due to Business Email Compromise (BEC) scams. That is nothing to scoff at; however, it is still only a part of the phishing epidemic we are facing. Consider this. What does this second form of authentication on an email account do to protect against a user clicking a link or opening an infected document and launching malware? What does it do to protect against a spoofed email from the CEO requesting a funds transfer? Nothing. Another thing to consider is that even with hardware MFA tokens, accounts can be taken over using other attacks such as session hijacking as demonstrated by Kevin Mitnick on TechCrunch. I have even demonstrated how session hijacking works using free tools downloaded from GitHub in a past webinar here with The Ethical Hacker Network, “A Perfect Crime: The Tech and Psych of Effective Phishing“. What can’t MFA do for you? Multi-Factor Authentication will do nothing against the types of attacks that involve getting the user to transfer funds, buy gift cards or let tech support scammers take control of PCs. These attacks are almost purely driven by human manipulation. In these cases, training the users to spot, ignore or report these sorts of attacks is the most effective defense. Unfortunately, these attacks are on the rise both in the commercial and consumer spaces. Looking at this story where a couple lost $130k while trying to buy a house, it seems that the real estate agent had their email account compromised. While this may have been avoided with an additional factor associated to their email address, there is nothing an additional factor would have done to help the couple realize the email was a scam. This is true for other scams as well. One of the hot topics currently active in the scammer circles is the redirection of paychecks. It works like this, someone in human resources or the payroll department receive an email from an employee (usually from a spoofed email address with a similar reply-to address and also often an executive) that gives some sort of reason that they had to open a new bank account and requests that their paycheck be sent to the new account. As it is often from an executive, the HR or payroll person doesn’t want to push back against that authority and makes the change. Again, MFA is useless in these cases. So, what can MFA do for you? So, if MFA only handles specific types of phishing, why bother with it? Well, it is very effective at protecting against credential stuffing. This is where an attacker gets a set of credentials from a user, either through a credential phishing attack or through a dump from a data breach like Collection #1 and tries to use these credentials on other websites. Because people continue reusing the same passwords across multiple websites, the attackers are often successful. Consider this, Collection #1 had 773 million unique email addresses and only 21 million unique passwords. That means a lot of passwords are either reused, or the same password is used across an awful lot of people. Either way, the numbers are very telling. MFA helps with this in a couple of ways. First of all, it can provide an alerting mechanism, especially in the case of MFA that generates a text message with a code. Think of it like this: Codes are generated after you enter a correct username and password pair, right? Therefore, if you receive a legitimate text message out of the blue with a secondary code for your account, you would be wise to assume that the username and password have been compromised for that account. The other thing it does is to stop the login, even if the attackers have the correct credentials because of the lack of the additional factor(s). As you can see, other than these scenarios, MFA does very little to combat the majority of phishing attacks occurring today. For this reason, you can’t let your guard down even if you have deployed MFA and users have adopted it. And especially don’t let your guard down just because a Google spokesperson dazzles with apophenia. Use MFA to: Secure email accounts from takeovers Secure social media accounts Secure password managers and other high-value accounts Don’t expect MFA to: Protect against scammers Replace training and awareness campaigns Replace requirements around password reuse or length Eliminate phishing as an attack vector As long as you have a clear idea of what MFA can and can’t do for you, it can be a very powerful tool in specific scenarios. Regardless of the title of the Krebs story, the Titan Key (or any other type of MFA) will not neutralize employee phishing any more than a lock on your front door will keep a burglar from going through an open window. Source
  7. A new phishing campaign is underway that pretends to be from the "Office 365 Team" warning you that your email account cancellation has been approved and that all your email will be deleted unless you cancel the request within the hour. This particular phishing campaign is interesting as it uses an uncommon bait of the risk of losing all your email and a time limit to make you act quickly and potentially without thinking. These phishing emails have a subject line of "Urgent Request" and state that unless you want your email account to be canceled and your email to be deleted, you need to cancel the request. Office 365 Phishing Email The text of this phishing scam can be read below. Dear user:sales Your request on 5/27/2019 7:28:58 a.m. to remove your email from our server has been approved, Are you sure you want to terminate our service to you? Ignore to continue with removal in exactly one(1)hour you read this notice or CANCEL THIS REQUEST NOW Excel Online If you click on the "CANCEL THIS REQUEST NOW" link, you will be brought to a fake "Microsoft Office Support | Account Update" page that prompts you to sign in to cancel the request. This page is actually a survey created in Excel Online. Phishing Scam Landing Page As this page is hosted on live.com, the site is secured with a certificate signed by Microsoft, which add legitimacy to the landing page. Microsoft Certificate After a user enters their credentials, the landing page will thank them and state that their "response was received." The attackers can the collect the submitted credentials at their leisure. As the form is located on onedrive.live.com, and that host actually does contain the legitimate login page https://onedrive.live.com/about/en-us/signin/, it makes this scam harder to spot. In this particular case, the word survey in the URL would have been your best clue. Furthermore, if you ever receive emails from Office stating that your account will be canceled or some other admin like request, you should always speak to your network administrator first before doing anything on your own. Thx to Michael Gillespie for the sample. Source
  8. Should Failing Phish Tests Be a Fireable Offense? Would your average Internet user be any more vigilant against phishing scams if he or she faced the real possibility of losing their job after falling for one too many of these emails? Recently, I met someone at a conference who said his employer had in fact terminated employees for such repeated infractions. As this was the first time I’d ever heard of an organization actually doing this, I asked some phishing experts what they thought (spoiler alert: they’re not fans of this particular teaching approach). John LaCour is founder and chief technology officer of PhishLabs, a Charleston, S.C. based firm that helps companies educate and test employees on how not to fall for phishing scams. The company’s training courses offer customers a way to track how many employees open the phishing email tests and how many fall for the lure. LaCour says enacting punitive measures for employees who repeatedly fall for phishing tests is counterproductive. “We’ve heard from some of our clients in the financial industry that have similar programs where there are real consequences when people fail the tests, but it’s pretty rare across all types of businesses to have a policy that extreme,” LaCour said. “There are a lot of things that organizations can do that aren’t as draconian and still have the desired effect of making security posture stronger,” he said. “We’ve seen companies require classroom training on the first failure, to a manager has to sit through it with you on the second time, to revoking network access in some cases.” LaCour said one of the most common mistakes he sees is companies that purchase a tool to launch simulated phishing campaigns just to play “gotcha” with employees. “It really demotivates people, and it doesn’t really teach them anything about how to be more diligent about phishing attacks,” he said. “Each phishing simulation program needs to be accompanied by a robust training program, where you teach employees what to do when they see something phishy. Otherwise, it just creates resentment among employees.” Rohyt Belani, CEO of Leesburg, Va.-based security firm Cofense (formerly PhishMe), said anti-phishing education campaigns that employ strongly negative consequences for employees who repeatedly fall for phishing tests usually create tension and distrust between employees and the company’s security team. “It can create an environment of animosity for the security team because they suddenly become viewed as working for Human Resources instead of trying to improve security,” Belani said. “Threatening people usually backfires, and they end up becoming more defiant and uncooperative.” Cofense provides a phish reporting system and encourages customers to have their employees flag suspected phishing attacks (and tests), and Belani said those employee reports can often stymie real phishing attacks. “So what happens a lot of times is a person may click on link in a real phishing email, and three seconds later realize, ‘Oops, I shouldn’t have clicked, let me report it anyway’,” Belani said. “But if that person knew there was a punitive angle to doing so, they’re more likely not to report it and to say, ‘You know what, I didn’t do it. Where’s the proof I clicked on the link?'” LaCour says PhishLabs encourages clients to use positive reinforcement in their employee training campaigns. “Recognition — where employees and departments that do especially well are acknowledged — is very common,” LaCour said. “We also see things like small gifts or other things that companies would typically use to reward employees, such as gift cards or small bonuses for specific departments or people.” LaCour said his offices make a game out of it. “We make it competitive where we post the scores of each department and the lowest scoring department has to buy lunch for the rest of the department,” he said. “It teaches people there are real consequences and that we all need to be diligent when it comes to phishing.” Source: Should Failing Phish Tests Be a Fireable Offense? (Krebs on Security) - Brian Krebs)
  9. Crooks fail to hijack infosec bloke's site to dress it up as a legit Euro bank login page Think you have bad luck? Imagine being the script kiddie who inadvertently tried and failed to pwn an Akamai security pro. Larry Cashdollar, a senior security response engineer at the US-based global web giant, told us late last week he just recently noticed something peculiar in the logs on his personal website. Further investigation turned up signs of someone scanning for remote file inclusion (RFI) vulnerabilities. Anyone in charge of public-facing servers will know these boxes come under continuous scanning and probing by miscreants, bots, and security researchers all the time. However, in this particular case, Cashdollar has today helpfully documented his findings as a heads up, or warning, to website admins and webapp developers. If anything, you should ensure your software is not vulnerable to RFI, otherwise you may well fall to the same fools who tried to pwn the infosec engineer's website. He told The Register his site's logs showed the would-be attacker probing for RFI holes that would allow them to trick web applications into fetching and running a remote malicious script. In this case, the scumbag was trying, unsuccessfully, to load a file via a custom tool Cashdollar had created for his site. "Based on my log entries they appear to be parsing web sites looking for form variables and automatically testing if those variables allow remote file inclusion," Cashdollar told El Reg. "It’s a generic test against any website where they can parse out the form input variable and then supply a URL to that variable to see if the content is included and executed." Unfortunately for the attacker, Cashdollar also used the logs to follow the GET requests to the payload the attacker was trying to load: a script that attempted to harvest information about his server. By dissecting that and other files the hacker had ready to execute commands and take over vulnerable websites, Cashdollar was also able to extract the criminal's email address and their preferred language – Portuguese. While RFI exploits are usually performed to hijack a web server, in this case Cashdollar believes the attackers were trying something different: using file-injecting holes as a way to transform the site into a base for phishing. The miscreant's arsenal of scripts included commands that would create HTML files on the victim's server that mimicked the site of a popular European bank. In other words, the attacker was probing for an RFI vulnerability that would allow them to quietly install phishing pages on the host server that masqueraded as a legit bank's login webpage, and then direct victims to those pages to harvest their bank account credentials as they tried to log into the fake. Source
  10. Phishers are Angling for Your Cloud Providers Many companies are now outsourcing their marketing efforts to cloud-based Customer Relationship Management (CRM) providers. But when accounts at those CRM providers get hacked or phished, the results can be damaging for both the client’s brand and their customers. Here’s a look at a recent CRM-based phishing campaign that targeted customers of Fortune 500 construction equipment vendor United Rentals. Stamford, Ct.-based United Rentals [NYSE:URI] is the world’s largest equipment rental company, with some 18,000 employees and earnings of approximately $4 billion in 2018. On August 21, multiple United Rental customers reported receiving invoice emails with booby-trapped links that led to a malware download for anyone who clicked. While phony invoices are a common malware lure, this particular campaign sent users to a page on United Rentals’ own Web site (unitedrentals.com). A screen shot of the malicious email that spoofed United Rentals. In a notice to customers, the company said the unauthorized messages were not sent by United Rentals. One source who had at least two employees fall for the scheme forwarded KrebsOnSecurity a response from UR’s privacy division, which blamed the incident on a third-party advertising partner. “Based on current knowledge, we believe that an unauthorized party gained access to a vendor platform United Rentals uses in connection with designing and executing email campaigns,” the response read. “The unauthorized party was able to send a phishing email that appears to be from United Rentals through this platform,” the reply continued. “The phishing email contained links to a purported invoice that, if clicked on, could deliver malware to the recipient’s system. While our investigation is continuing, we currently have no reason to believe that there was unauthorized access to the United Rentals systems used by customers, or to any internal United Rentals systems.” United Rentals told KrebsOnSecurity that its investigation so far reveals no compromise of its internal systems. “At this point, we believe this to be an email phishing incident in which an unauthorized third party used a third-party system to generate an email campaign to deliver what we believe to be a banking trojan,” said Dan Higgins, UR’s chief information officer. United Rentals would not name the third party marketing firm thought to be involved, but passive DNS lookups on the UR subdomain referenced in the phishing email (used by UL for marketing since 2014 and visible in the screenshot above as “wVw.unitedrentals.com”) points to Pardot, an email marketing division of cloud CRM giant Salesforce. Companies that use cloud-based CRMs sometimes will dedicate a domain or subdomain they own specifically for use by their CRM provider, allowing the CRM to send emails that appear to come directly from the client’s own domains. However, in such setups the content that gets promoted through the client’s domain is actually hosted on the cloud CRM provider’s systems. Salesforce did not respond to multiple requests for comment. But it seems likely that someone at Pardot with access to United Rental’s account was phished, hacked, or perhaps guilty of password re-use. This attack comes on the heels of another targeted phishing campaign leveraging Pardot that was documented earlier this month by Netskope, a cloud security firm. Netskope’s Ashwin Vamshi said users of cloud CRM platforms have a high level of trust in the software because they view the data and associated links as internal, even though they are hosted in the cloud. “A large number of enterprises provide their vendors and partners access to their CRM for uploading documents such as invoices, purchase orders, etc. (and often these happen as automated workflows),” Vamshi wrote. “The enterprise has no control over the vendor or partner device and, more importantly, over the files being uploaded from them. In many cases, vendor- or partner-uploaded files carry with them a high level of implicit trust.” Cybercriminals increasingly are targeting cloud CRM providers because compromised accounts on these systems can be leveraged to conduct extremely targeted and convincing phishing attacks. According to the most recent stats (PDF) from the Anti-Phishing Working Group, software-as-a-service providers (including CRM and Webmail providers) were the most-targeted industry sector in the first quarter of 2019, accounting for 36 percent of all phishing attacks. Image: APWG Source: Phishers are Angling for Your Cloud Providers (KrebsOnSecurity - Brian Krebs)
  11. Scammers Use Fake Copyright Notices to Steal Instagram Accounts Scammers are using fake copyright notices to obtain login credentials from Instagram users, cybersecurity firm Kaspersky reveals. The recipients are told that their account will be suspended for copyright infringement within 24 hours. They can, however, "verify" their account if they believe it's a mistake. There is no denying that many people spend several hours per day on their social media accounts. Those who gain enough status on sites such as Instagram can even make a living out of it. When this livelihood is threatened, panic and fear can ensue. This is something scammers are well aware of and some are gladly exploiting it for their benefit. According to cybersecurity company and anti-virus provider Kaspersky, a new phishing scheme that uses fake copyright notices is “gaining momentum.” The email campaign uses an Instagram letterhead and warns recipients that their accounts will be suspended. “We regret to inform you that your account will be suspending because you have violated the copyright laws. Your account will be deleted within 24 hours. If you think we make a mistake please verify, to secure your account,” the email reads. Example of the email, courtesy of Kaspersky. Most native speakers will spot the grammatical errors, which should sound the alarms bells. On the other hand, people who are less fluent in English, or don’t read closely, might easily be drawn to the “verify account” button which leads to a heap of trouble. “If you click it, you end up on a convincing phishing page, where fraudsters put an image saying they care very much about copyright protection and offer you a link to ‘Appeal’,” Kaspersky writes. People who click the appeal link will be asked to enter their Instagram credentials, which will obviously be stolen. And while the scammers are at it, victims are also asked to verify their email addresses. “We need to verify your feedback and check if your e-mail account matches the Instagram account,” the fake notice reads. Those who proceed will be asked to choose their email provider and submit their address and password, which undoubtedly be stolen as well. None of these phishing tricks are new and it appears that this scam has been running for a few months already. What’s interesting, however, is that copyright infringement is used as a threat to spur people into action. With all the recent talk about upload filters and disappearing memes, people are likely to be more susceptible to fall for this scheme than an ordinary “verify your account” email. Especially if their precious social media accounts are supposedly at risk. Source
  12. When in Doubt: Hang Up, Look Up, & Call Back Many security-conscious people probably think they’d never fall for a phone-based phishing scam. But if your response to such a scam involves anything other than hanging up and calling back the entity that claims to be calling, you may be in for a rude awakening. Here’s how one security and tech-savvy reader got taken for more than $10,000 in an elaborate, weeks-long ruse. Today’s lesson in how not to get scammed comes from “Mitch,” the pseudonym I picked for a reader in California who shared his harrowing tale on condition of anonymity. Mitch is a veteran of the tech industry — having worked in security for several years at a fairly major cloud-based service — so he’s understandably embarrassed that he got taken in by this confidence scheme. On Friday, April 17, Mitch received a call from what he thought was his financial institution, warning him that fraud had been detected on his account. Mitch said the caller ID for that incoming call displayed the same phone number that was printed on the back of his debit card. But Mitch knew enough of scams to understand that fraudsters can and often do spoof phone numbers. So while still on the phone with the caller, he quickly logged into his account and saw that there were indeed multiple unauthorized transactions going back several weeks. Most were relatively small charges — under $100 apiece — but there were also two very recent $800 ATM withdrawals from cash machines in Florida. If the caller had been a fraudster, he reasoned at the time, they would have asked for personal information. But the nice lady on the phone didn’t ask Mitch for any personal details. Instead, she calmly assured him the bank would reverse the fraudulent charges and said they’d be sending him a new debit card via express mail. After making sure the representative knew which transactions were not his, Mitch thanked the woman for notifying him, and hung up. The following day, Mitch received another call about suspected fraud on his bank account. Something about that conversation didn’t seem right, and so Mitch decided to use another phone to place a call to his bank’s customer service department — while keeping the first caller on hold. “When the representative finally answered my call, I asked them to confirm that I was on the phone with them on the other line in the call they initiated toward me, and so the rep somehow checked and saw that there was another active call with Mitch,” he said. “But as it turned out, that other call was the attackers also talking to my bank pretending to be me.” Mitch said his financial institution has in the past verified his identity over the phone by sending him a one-time code to the cell phone number on file for his account, and then asking him to read back that code. After he hung up with the customer service rep he’d phoned, the person on the original call said the bank would be sending him a one-time code to validate his identity. Now confident he was speaking with a representative from his bank and not some fraudster, Mitch read back the code that appeared via text message shortly thereafter. After more assurances that any additional phony charges would be credited to his account and that he’d be receiving a new card soon, Mitch was annoyed but otherwise satisfied. He said he checked his account online several times over the weekend, but saw no further signs of unauthorized activity. That is, until the following Monday, when Mitch once again logged in and saw that a $9,800 outgoing wire transfer had been posted to his account. At that point, it dawned on Mitch that both the Friday and Saturday calls he received had likely been from scammers — not from his bank. Another call to his financial institution and some escalation to its fraud department confirmed that suspicion: The investigator said another man had called in on Saturday posing as Mitch, had provided a one-time code the bank texted to the phone number on file for Mitch’s account — the same code the real Mitch had been tricked into giving up — and then initiated an outgoing wire transfer. It appears the initial call on Friday was to make him think his bank was aware of and responding to active fraud against his account, when in actuality the bank was not at that time. Also, the Friday call helped to set up the bigger heist the following day. Mitch said he and his bank now believe that at some point his debit card and PIN were stolen, most likely by a skimming device planted at a compromised point-of-sale terminal, gas pump or ATM he’d used in the past few weeks. Armed with a counterfeit copy of his debit card and PIN, the fraudsters could pull money out of his account at ATMs and go shopping in big box stores for various items. But to move lots of money out of his account all at once, they needed Mitch’s help. To make matters worse, the fraud investigator said the $9,800 wire transfer had been sent to an account at an online-only bank that also was in Mitch’s name. Mitch said he didn’t open that account, but that this may have helped the fraudsters sidestep any fraud flags for the unauthorized wire transfer, since from the bank’s perspective Mitch was merely wiring money to another one of his accounts. Now, he’s facing the arduous task of getting identity theft (new account fraud) cleaned up at the online-only bank. Mitch said that in retrospect, there were several oddities that should have been additional red flags. For one thing, on his outbound call to the bank on Saturday while he had the fraudsters on hold, the customer service rep asked if he was visiting family in Florida. Mitch replied that no, he didn’t have any family members living there. But when he spoke with the bank’s fraud department the following Monday, the investigator said the fraudsters posing as Mitch had succeeded in adding a phony “travel notice” to his account — essentially notifying the bank that he was traveling to Florida and that it should disregard any geographic-based fraud alerts created by card-present transactions in that region. That would explain why his bank didn’t see anything strange about their California customer suddenly using his card in Florida. Also, when the fake customer support rep called him, she stumbled a bit when Mitch turned the tables on her. As part of her phony customer verification script, she asked Mitch to state his physical address. “I told her, ‘You tell me,’ and she read me the address of the house I grew up in,” Mitch recalled. “So she was going through some public records she’d found, apparently, because they knew my previous employers and addresses. And she said, ‘Sir, I’m in a call center and there’s cameras over my head. I’m just doing my job.’ I just figured she was just new or shitty at her job, but who knows maybe she was telling the truth. Anyway, the whole time my girlfriend is sitting next to me listening to this conversation and she’s like, ‘This sounds like bullshit.'” Mitch’s bank managed to reverse the unauthorized wire transfer before it could complete, and they’ve since put all the stolen funds back into his account and issued a new card. But he said he still feels like a chump for not observing the golden rule: If someone calls saying they’re from your bank, just hang up and call them back — ideally using a phone number that came from the bank’s Web site or from the back of your payment card. As it happened, Mitch only followed half of that advice. What else could have made it more difficult for fraudsters to get one over on Mitch? He could have enabled mobile alerts to receive text messages anytime a new transaction posts to his account. Barring that, he could have kept a closer eye on his bank account balance. If Mitch had previously placed a security freeze on his credit file with the three major consumer credit bureaus, the fraudsters likely would not have been able to open a new online checking account in his name with which to receive the $9,800 wire transfer (although they might have still been able to wire the money to another account they controlled). As Mitch’s experience shows, many security-conscious people tend to focus on protecting their online selves, while perhaps discounting the threat from less technically sophisticated phone-based scams. In this case, Mitch and his bank determined that his assailants never once tried to log in to his account online. “What’s interesting here is the entirety of the fraud was completed over the phone, and at no time did the scammers compromise my account online,” Mitch said. “I absolutely should have hung up and initiated the call myself. And as a security professional, that’s part of the shame that I will bear for a long time.” Source: When in Doubt: Hang Up, Look Up, & Call Back (KrebsOnSecurity - Brian Krebs)
  13. Watch out - this VPN might be trying to steal your money Hackers use fake VPn messages to target remote workers (Image credit: Shutterstock / Ico Maker) Office 365 customers are being targeted by a phishing campaign that uses fake VPN update messages to steal login details. Security experts have flagged that the campaign looks to impersonate legitimate messages telling remote workers that they need to update their VPN configuration while working from home. The phishing emails used in the campaign are made to look as if they come from an organization's IT support department in an effort to lure employees into opening them. According to the email security firm Abnormal Security, so far 15,000 targets have received these convincing phishing emails. VPN usage has soared with more employees working from home than ever before as a result of the pandemic which is why this and other recent phishing campaigns have been so effective. Employees rely on VPNs as a means to connect to their company servers and access sensitive data while working remotely. Office 365 credentials The attackers behind this campaign have gone to great lengths to make not only their phishing emails but also their phishing landing pages more convincing. For starters, the attackers are spoofing the sender email address in their phishing emails to match the domain of targets' organizations. The VPN configs sent in these emails actually take users to a phishing landing page that accurately impersonates Microsoft's Office 365 login page. This fake login page is also hosted on a domain owned by Microsoft. By abusing the Azure Blob Storage platform, the attackers have made it so their landing page has a valid Microsoft certificate that displays the secure padlock since they are using a web.core.windows.net wildcard SSL certificate. Most users would see that the certificate was issued by Microsoft and not even think twice about entering their Office 365 credentials. In a blog post, Abnormal Security warned that this campaign is widespread and that numerous versions of this attack have been spotted in the wild, saying: “Numerous versions of this attack have been seen across different clients, from different sender emails and originating from different IP addresses. However, the same payload link was employed by all of these attacks, implying that these were sent by a single attacker that controls the phishing website.” To avoid falling victim this campaign, users should only enter their Office 365 credentials on official login pages hosted by Microsoft on its microsoft.com, live.com or outlook.com domains. Watch out - this VPN might be trying to steal your money
  14. Phishing for Apples, Bobbing for Links Anyone searching for a primer on how to spot clever phishing links need look no further than those targeting customers of Apple, whose brand by many measures remains among the most-targeted. Past stories here have examined how scammers working with organized gangs try to phish iCloud credentials from Apple customers who have a mobile device that is lost or stolen. Today’s piece looks at the well-crafted links used in some of these lures. KrebsOnSecurity heard from a reader in South Africa who recently received a text message stating his lost iPhone X had been found. The message addressed him by name and said he could view the location of his wayward device by visiting the link https://maps-icloud[.]com — which is most definitely not a legitimate Apple or iCloud link and is one of countless spoofing Apple’s “Find My” service for locating lost Apple devices. While maps-icloud[.]com is not a particularly convincing phishing domain, a review of the Russian server where that domain is hosted reveals a slew of far more persuasive links spoofing Apple’s brand. Almost all of these include encryption certificates (start with “https://) and begin with the subdomains “apple.” or “icloud.” followed by a domain name starting with “com-“. Here are just a few examples (the phishing links in this post have been hobbled with brackets to keep them from being clickable): apple.com-support[.]id apple.com-findlocation[.]id apple.com-sign[.]in apple.com-isupport[.]in icloud.com-site-log[.]in Savvy readers here no doubt already know this, but to find the true domain referenced in a link, look to the right of “http(s)://” until you encounter the first forward slash (/). The domain directly to the left of that first slash is the true destination; anything that precedes the second dot to the left of that first slash is a subdomain and should be ignored for the purposes of determining the true domain name. For instance, in the case of the imaginary link below, example.com is the true destination, not apple.com: https://www.apple.com.example.com/findmyphone/ Of course, any domain can be used as a redirect to any other domain. Case in point: Targets of the phishing domains above who are undecided on whether the link refers to a legitimate Apple site might seek to load the base domain into a Web browser (minus the customization in the remainder of the link after the first forward slash). To assuage such concerns, the phishers in this case will forward anyone visiting those base domains to Apple’s legitimate iCloud login page (icloud.com). The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark so as to avoid potential typosquatting sites. Source: Phishing for Apples, Bobbing for Links (KrebsOnSecurity - Brian Krebs)
  15. Excel is being used as fresh bait for phishers- here’s how Evil Corp has found a new way to phish their victims- using Microsoft Excel documents. The cybercrime group, also known as TA505 and SectorJo4, are financially motivated cybercriminals. They’re renowned for targeting retail companies and financial institutions with large-sized malicious spam campaigns, using Necurs botnet; but now, they’ve adopted a new technique. In their latest scam, they’re sending attachments featuring HTML redirectors with malicious Excel documents. Through the links, they’re distributing remote access Trojans (RATs), as well as the malware downloaders that delivered the Dridex and Trick banking Trojans. This also includes Locky, BitPaymer, Philadelphia, GlobeImposter, Jaff ransomware strains. “The new campaign uses HTML redirectors attached to emails. When opened, the HTML leads to the download Dudear, a malicious macro-laden Excel file that drops the payload,” “In contrast, past Dudear email campaigns carried the malware as an attachment or used malicious URLs.” -Microsoft Security Intelligence’s researchers. Upon opening the HTML attachment, the victim will automatically download the Excel file. Once they open it, this is what they’re met with: Once the target clicks on “Enable Editing” as they’re instructed to in the document, they’ll unleash the malware on their system. After this point, their device will also be infected with an IP traceback service, which “track(s) the IP addresses of machines that download the malicious Excel file.” Threat Analytics report (Microsoft) As well as this, the malware includes GraceWire- an info-stealing Trojan, which collects sensitive information and relays it back to the perpetrators via a command-and-control server. View the full list of Indicators of Compromise (IOCs), including SHA-256 hashes of the malware samples used in the campaign, here and here. Source: bleepingcomputer Source: Excel is being used as fresh bait for phishers- here’s how (MSPoweruser)
  16. Microsoft said it got a court order to seize 50 websites used by a hacker group with ties to North Korea that targeted government employees, universities, human rights organizations and nuclear proliferation groups in the U.S., Japan and South Korea. The group, known as Thallium, uses the network of websites, domains and connected computers to send out “spear phising” emails. Hackers gather as much information on targets as they can to personalize messages and make them appear legitimate. When the target clicks on a link in the email, hackers are then able to “compromise their online accounts, infect their computers, compromise the security of their networks and steal sensitive information,” Microsoft wrote in a blog post. Microsoft showed an example of one of Thallium’s spear phishing messages. It looks very much like a standard notification that comes with signing into a Microsoft account in a new location. One big difference, Microsoft says, is the group combined the letters “r” and “n” in the domain name to look like the first letter “m” in “microsoft.com.” Microsoft, through its Digital Crimes Unit and Threat Intelligence Center, has positioned itself as an important line of defense against so-called “nation state” hacking organizations. Microsoft has in recent years taken on hacking groups with ties to China, Iran and Russia. The tech giant uses the information it gathers from tracking these hackers to beef up its security products. Microsoft recommended a number of actions organizations can take to better protect themselves, including enabling two-factor authentication on business and personal email accounts, training people to spot phising attempts and enabling security alerts about links and files from suspicious websites. Source: MSN
  17. Arrest, Raids Tied to ‘U-Admin’ Phishing Kit Cyber cops in Ukraine carried out an arrest and several raids last week in connection with the author of a U-Admin, a software package used to administer what’s being called “one of the world’s largest phishing services.” The operation was carried out in coordination with the FBI and authorities in Australia, which was particularly hard hit by phishing scams perpetrated by U-Admin customers. The U-Admin phishing panel interface. Image: fr3d.hk/blog The Ukrainian attorney general’s office said it worked with the nation’s police force to identify a 39-year-old man from the Ternopil region who developed a phishing package and special administrative panel for the product. “According to the analysis of foreign law enforcement agencies, more than 50% of all phishing attacks in 2019 in Australia were carried out thanks to the development of the Ternopil hacker,” the attorney general’s office said, noting that investigators had identified hundreds of U-Admin customers. Brad Marden, superintendent of cybercrime operations for the Australian Federal Police (AFP), said their investigation into who was behind U-Admin began in late 2018, after Australian citizens began getting deluged with phishing attacks via mobile text messages that leveraged the software. “It was rampant,” Marden said, noting that the AFP identified the suspect and referred the case to the Ukrainians for prosecution. “At one stage in 2019 we had a couple of hundred SMS phishing campaigns tied to just this particular actor. Pretty much every Australian received a half dozen of these phishing attempts.” U-Admin, a.k.a. “Universal Admin,” is crimeware platform that first surfaced in 2016. U-Admin was sold by an individual who used the hacker handle “Kaktys” on multiple cybercrime forums. According to this comprehensive breakdown of the phishing toolkit, the U-Admin control panel isn’t sold on its own, but rather it is included when customers contact the developer and purchase a set of phishing pages designed to mimic a specific brand — such as a bank website or social media platform. Cybersecurity threat intelligence firm Intel 471 describes U-Admin as an information stealing framework that uses several plug-ins in one location to help users pilfer victim credentials more efficiently. Those plug-ins include a phishing page generator, a victim tracker, and even a component to help manage money mules (for automatic transfers from victim accounts to people who were hired in advance to receive and launder stolen funds). Perhaps the biggest selling point for U-Admin is a module that helps phishers intercept multi-factor authentication codes. This core functionality is what’s known as a “web inject,” because it allows phishers to dynamically interact with victims in real-time by injecting content into the phishing page that prompts the victim to enter additional information. The video below, produced by the U-Admin developer, shows a few examples (click to enlarge). A demonstration video showing the real-time web injection capabilities of the U-Admin phishing kit. Credit: blog.bushidotoken.net There are multiple recent reports that U-Admin has been used in conjunction with malware — particularly Qakbot (a.k.a. Qbot) — to harvest one-time codes needed for multi-factor authentication. “Paired with [U-Admin’s 2FA harvesting functionality], a threat actor can remotely connect to the Qakbot-infected device, enter the stolen credentials plus the 2FA token, and begin initiating transactions,” explains this Nov. 2020 blog post on an ongoing Qakbot campaign that was first documented three months earlier by Check Point Research. In the days following the Ukrainian law enforcement action, several U-Admin customers on the forums where Kaktys was most active began discussing whether the product was still safe to use following the administrator’s arrest. The AFP’s Marden hinted that the suspicions raised by U-Admin’s customer base might be warranted. “I wouldn’t be unhappy with the crooks continuing to use that piece of kit, without saying anything more on that front,” Marden said. While Kaktys’s customers may be primarily concerned about the risks of using a product supported by a guy who just got busted, perhaps they should be more worried about other crooks [or perhaps the victim banks themselves] moving in on their turf: It appears the U-Admin package being sold in the underground has long included a weakness that could allow anyone to view or alter data that was phished with the help of this kit. The security flaw was briefly alluded to in a 2018 writeup on U-Admin by the SANS Internet Storm Center. “Looking at the professionality of the code, the layout and the functionality I’m giving this control panel 3 out of 5 stars,” joked SANS guest author Remco Verhoef. “We wanted to give them 4 stars, but we gave one star less because of an SQL injection vulnerability” [link added]. That vulnerability was documented in more detail at exploit archive Packet Storm Security in March 2020 and indexed by Check Point Software in May 2020, suggesting it still persists in current versions of the product. The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. This advice is the same whether you’re using a mobile or desktop device. In fact, this phishing framework specialized in lures specifically designed to be loaded on mobile devices. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark so as to avoid potential typosquatting sites. Further reading: uAdmin Show & Tell Gathering Intelligence on the Qakbot banking Trojan Arrest, Raids Tied to ‘U-Admin’ Phishing Kit
  18. This phishing scam lures you in by pretending you've got a bonus Campaign infects victims with the Bazar trojan which creates a backdoor on their systems (Image credit: Shutterstock / DRogatnev) Security researchers at Fortinet have discovered a new phishing campaign which tries to lure enterprise users with fake customer complaint reports, fake billing statements and even the offer of a phony bonus. The campaign also uses a new variant of the Bazar trojan, which has been linked to the developers of Trickbot, that comes equipped with anti-analysis techniques to make it more difficult for antivirus software to detect. These anti-analysis techniques include hiding malicious APIs in the code, extra code obfuscation and encrypting some strings of the code to make the trojan more difficult to analyze. Bazar is a relatively new trojan which first appeared last year. If successfully deployed, it can provide cybercriminals with a backdoor into a compromised Windows system to allow them to control a user’s device, gain additional access to a corporate network to steal sensitive data and deploy malware. Bazar trojan Regardless of the theme used, this new phishing campaign tries to encourage a potential victim to click on a link that redirects them to a malicious website with a downloadable PDF. However, while the page prominently features the PDF logo, it doesn’t actually contain a document. Instead there are three links that all point to the same executable which when downloaded, installs the Bazar trojan on a user’s system. Once installation is complete, a backdoor is present on a victim’s system that an attacker can exploit on their own or sell to other cybercriminals on dark web marketplaces. According to Fortinet, this phishing campaign remains active and attempted attacks are still being observed in the wild. To prevent falling victim to this or other similar attacks, the firm’s researchers recommend that organizations provide training for their employees on how to identify and recognize online scams and attacks. At the same time though, organizations should also implement a patch management strategy to prevent cybercriminals from exploiting known vulnerabilities. Via ZDNet This phishing scam lures you in by pretending you've got a bonus
  19. U.K. Arrest in ‘SMS Bandits’ Phishing Service Authorities in the United Kingdom have arrested a 20-year-old man for allegedly operating an online service for sending high-volume phishing campaigns via mobile text messages. The service, marketed in the underground under the name “SMS Bandits,” has been responsible for blasting out huge volumes of phishing lures spoofing everything from COVID-19 pandemic relief efforts to PayPal, telecommunications providers and tax revenue agencies. The U.K.’s National Crime Agency (NCA) declined to name the suspect, but confirmed that the Metropolitan Police Service’s cyber crime unit had detained an individual from Birmingham in connection to a business that supplied “criminal services related to phishing offenses.” The proprietors of the phishing service were variously known on cybercrime forums under handles such as SMSBandits, “Gmuni,” “Bamit9,” and “Uncle Munis.” SMS Bandits offered an SMS phishing (a.k.a. “smishing”) service for the mass sending of text messages designed to phish account credentials for different popular websites and steal personal and financial data for resale. Image: osint.fans Sasha Angus is a partner at Scylla Intel, a cyber intelligence startup that did a great deal of research into the SMS Bandits leading up to the arrest. Angus said the phishing lures sent by the SMS Bandits were unusually well-done and free of grammar and spelling mistakes that often make it easy to spot a phony message. “Just by virtue of these guys being native English speakers, the quality of their phishing kits and lures were considerably better than most,” Angus said. According to Scylla, the SMS Bandits made a number of operational security (or “opsec”) mistakes that made it relatively easy to find out who they were in real life, but the technical side SMS Bandits’ operation was rather advanced. “They were launching fairly high-volume smishing campaigns from SMS gateways, but overall their opsec was fairly lousy,” Angus said. “But on the telecom front they were using fairly sophisticated tactics.” The proprietor of the SMS Bandits, telling the world he lives in Birmingham. For example, the SMS Bandits automated systems to check whether the phone number list provided by their customers was indeed tied to actual mobile numbers, and not landlines that might tip off telecommunications companies about mass spam campaigns. “The telcos are monitoring for malicious SMS messages on a number of fronts,” Angus said. “One way to tip off an SMS gateway or wireless provider is to start blasting text messages to phone numbers that can’t receive them.” Scylla gathered reams of evidence showing the SMS Bandits used email addresses and passwords stolen through its services to validate a variety of account credentials — from PayPal to bank accounts and utilities providers. They would then offload the working credentials onto marketplaces they controlled, and to third-party vendors. One of SMS Bandits’ key offerings: An “auto-shop” web panel for selling stolen account credentials. SMS Bandits also provided their own “bulletproof hosting” service advertised as a platform that supported “freedom of speach” [sic] where customers could “host any content without restriction.” Invariably, that content constituted sites designed to phish credentials from users of various online services. The “bulletproof” offerings of Muni Hosting (pronounced “Money Hosting”). The SMS Bandits phishing service is tied to another crime-friendly service called “OTP Agency,” a bulk SMS provider that appears catered to phishers: The service’s administrator stated on multiple forums that he worked directly with the SMS Bandits. Otp[.]agency advertises a service designed to help intercept one-time passwords needed to log in to various websites. The customer enters the target’s phone number and name, and OTP Agency will initiate an automated phone call to the target that alerts them about unauthorized activity on their account. The call prompts the target to enter a one-time password generated by their phone’s mobile app, and that code is then relayed back to the scammer’s user panel at the OTP Agency website. “We call the holder with an automatic calling bot, with a very believable script, they enter the OTP on the phone, and you’ll see it in real time,” OTP Agency explained on their Telegram channel. The service, which costs anywhere from $40 to $125 per week, advertises unlimited international calling, as well as multiple call scripts and voice accents. One of the pricing plans available to OTP Agency users. The volume of SMS-based phishing skyrocketed in 2020 — by more than 328 percent — according to a recent report from Proofpoint, a security firm that processes more than 80 percent of North America’s mobile messages [Full disclosure: Proofpoint is currently an advertiser on this site]. U.K. Arrest in ‘SMS Bandits’ Phishing Service
  20. Microsoft Office 365 phishing evades detection with HTML Lego pieces A recent phishing campaign used a clever trick to deliver the fraudulent web page that collects Microsoft Office 365 credentials by building it from chunks of HTML code stored locally and remotely. The method consists in gluing together multiple pieces of HTML hidden in JavaScript files to obtain the fake login interface and prompt the potential victim to type in the sensitive information. Hidden building blocks Victims received an email with just an attachment claiming to be an Excel file (.XLSX) about an investment. In reality, the file is an HTML document with a chunk of URL Encoded text. Researchers at Trustwave decoded the text and found more decoding ahead as it was further obfuscated through Entity codes. Using GCHQ’s CyberChef, they revealed links to two JavaScript files hosted at “yourjavascript.com,” a domain used for other phishing campaigns. Each of the two JavaScript files had two blocks of encoded text hiding HTML code, URL and Base64 encoded. In one of them, the researchers found the beginning of the phishing page and code that validates the email and password from the victim. The second JavaScript contained the ‘submit’ function, located via the 'form' tags and code that triggered a popup message informing victims that they had been logged out and needed to authenticate again. In all, the researchers decoded more than 367 lines of HTML code spread in five chunks among the two JavaScript files and one the email attachment, which, stacked together, built the Microsoft Office 365 phishing page. Trustwave said that the unusual thing about this campaign is that the JavaScript is downloaded in obfuscated chunks from a remote location and then pieced together locally. "This helps the attackers bypass security protections like Secure Email Gateways that might identify the malicious JavaScript from the initial attachment and block it," the researchers added. The victim email address is automatically filled in to give a sense of legitimacy. The phishing scams also check to make sure the password is not blank and will use regular expressions to confirm a valid email address. In a blog post today, Trustwave notes that the URL receiving the stolen credentials for this campaign is still active. The researchers says that the tricks in this campaign are uncommon. Using an HTML attachment pointing to JavaScript code in a remote location and unique encoding, the cybercriminals are looking to avoid detection. Source: Microsoft Office 365 phishing evades detection with HTML Lego pieces
  21. Beware: PayPal phishing texts state your account is 'limited' A PayPal text message phishing campaign is underway that attempts to steal your account credentials and other sensitive information that can be used for identity theft. When PayPal detects suspicious or fraudulent activity on an account, the account will have its status set to "limited," which will put temporary restrictions on withdrawing, sending, or receiving money. A new SMS text phishing (smishing) campaign pretends to be from PayPal, stating that your account has been permanently limited unless you verify your account by clicking on a link. "PayPal: We've permanently limited your account, please click link below to verify," the smishing text message reads. Clicking on the enclosed link will bring you to a phishing page that prompts you to log in to your account, as shown below. PayPal smishing text and landing page If you log in on the phishing page, the entered PayPal credentials will be sent to the threat actors. The phishing page then goes a step further as it will try to collect further details from you, including your name, date of birth, address, bank details, and more. Collecting personal information from the victim The collected information is used to conduct identity theft attacks, gain access to your other accounts, or perform targeted spear-phishing attacks. Yesterday, two other people I know received these phishing texts, so it is a very active campaign, and everyone needs to watch out for these messages. Smishing scams are becoming increasingly popular, so it is always important to treat any text messages containing links as suspicious. As with all phishing emails, never click on suspicious links, but instead go to the main site's domain to confirm if there is an issue with your account. What should you do if you enter info at this link? If you received this text and mistakenly logged into your PayPal account or provided other information, you should immediately go to Paypal.com and change your password. If you use that same password at other sites, change them there as well. Finally, you should look out for other targeted phishing campaigns using the submitted data. BleepingComputer also suggests that you monitor your credit report to make sure fraudulent accounts are not created under your name. To prevent identity theft, you can also temporarily freeze on your credit report to stop banks and other companies from issuing credit under your name. Beware: PayPal phishing texts state your account is 'limited'
  22. Microsoft is working on adding a new Microsoft Forms phishing attempt review feature that will allow Office 365 admins to confirm and block forms that try to maliciously harvest sensitive data. Microsoft Forms is a web and mobile app that enables users to create surveys, quizzes, and polls designed for collecting feedback and data online. Previously it was only available to business users with Microsoft 365 Personal and Microsoft 365 Family, but it has recently been made available for personal use to anyone with a Microsoft account. Block potential form-based phishing attempts "When managing Microsoft Forms, IT admins now have two options in response to possible phishing: you can either click 'unblock' or 'confirm phishing', a new option that is now available," Redmond explains in a new Microsoft 365 Roadmap entry. Phishing attempts are detected by Microsoft Forms with the help of proactive phishing detection (available for all public forms since July 2019 and for enterprise forms from September 2019), a protection feature that will proactively identify malicious password collection in forms and surveys. Such attempts are automatically and temporarily blocked from continuing to collect answers to preemptively block threat actors from abusing forms as phishing landing pages. Global and/or security administrators receive alerts of all forms detected and blocked for potential phishing in their tenant. Reviewing potentially malicious forms Starting with the feature's roll-out to all standard multi-tenants during November 2020, IT admins can examine all forms automatically tagged as phishing attempts to make sure that those that try to harvest the users' sensitive info for use in future malicious campaigns. To review and unlock phishing forms, admins will have to go through the following steps: Sign in to the Microsoft 365 admin center at admin.microsoft.com. Go to the Message center and look for the notification, Prevent/Fix: Microsoft Forms Detected Potential Phishing (this notification contains a daily summary of any and all blocked forms created in your tenant) Click on the Forms admin review URL link in the notification to review blocked forms. For each form you review, go to the upper right corner of the page and select whether to unblock it or confirm its phishing attempt (unblock those wrongfully tagged and confirm those that you want blocked for malicious intent) Reviewing Forms phishing detections (Microsoft) Unblocking Microsoft Forms users Microsoft Forms will also automatically block users if they repeatedly try to collect information by distributing forms. Such attempts are logged and admins will be informed via the Microsoft 365 message center. Once the notifications are added to the message center, admins can unblock the users if they consider that no malicious intent was behind their data collection attempts. To remove restrictions for any blocked Microsoft Forms users in their tenant, admins will have to follow this procedure: Sign in to the Microsoft 365 admin center at admin.microsoft.com. Go to the Message center and look for the notification, Prevent/Fix: Microsoft Forms Detected Potential Phishing. Click on the link provided in the notification to review blocked users. For each user you believe has no malicious intent, you can choose to click the Unblock link in the Actions column that is associated with that user. Source
  23. New phishing attack targets Zoom users to steal Office 365 credentials A new phishing attack is targeting Microsoft 365 (formerly Office 365) users in the form of an email notification for a Zoom account suspension. The email aims to steal users’ Microsoft 365 credentials. The attack was spotted and documented by Abnormal Security (via BleepingComputer). The attack seems familiar to the one that was spotted in May, where a fake Teams email would navigate users to a duplicate Office 365 login page. With the popularity and adoption of Zoom increasing due to increased remote collaboration in the times of the pandemic, such account suspension emails spike users’ interest and warrant immediate attention. In this case, users mostly rush to correct the problem without any suspicion to avoid losing access to the tool that may hinder their work. The email for the Zoom suspension notification interestingly comes from an email address that spoofs the official domain, says the source. It mimics an automated email notification that links to a face Microsoft 365 login page, prompting users to enter their Office 365 credentials. The credentials are then compromised by hackers. The research firm adds that the phishing email has been served to more than 50,000 users. One sign that points to the illegitimacy of the email is the “zoom” branding in the email body without the capitalization of the first letter. Even if users click on the ‘Activate Account’ link in the email, the ‘Outlook’ logo or the domain of the Office 365 login page are telltale signs. The stolen credentials could be used in Business Email Compromise (BEC) scams that exploit cloud email services like Microsoft 365 and Google G Suite. New phishing attack targets Zoom users to steal Office 365 credentials
  24. New Netflix phishing scam uncovered - here’s how to stay safe Netflix phishing scam uses CAPTCHA form to create sense of legitimacy (Image credit: Shutterstock / sitthiphong) Security analysts have uncovered a dangerous and highly convincing new Netflix phishing scam, capable of evading traditional email security software. Identified by researchers at Armorblox, the phishing email masquerades as a billing error alert, pressing the victim to update their payment details within 24 hours or have their Netflix subscription voided. The link provided in the email redirects to a functioning CAPTCHA form, used in legitimate scenarios to distinguish between humans and AI. Although this step adds a layer of friction to the process, it serves to enhance the sense of legitimacy the attacker is attempting to cultivate. After handing over account credentials, billing address and payment card information, the victim is then redirected to the genuine Netflix home page, unaware their data has been compromised. Netflix phishing While Netflix phishing has been around ever since the video streaming platform rose to prominence, this latest scam is particularly threatening, thanks to its capacity to both seduce the victim and evade email filters. According to ArmorBlox researchers, the scam outwits email security controls using two distinct techniques. The legitimate CAPTCHA form serves to conceal the phishing landing page from security technologies that analyze URL redirection, while the landing page itself is hosted on a bonafide domain (www.axxisgeo.com), managed by a Texas-based oil and gas company. “By hosting phishing pages on legitimate parent domains, attackers are able to evade security controls based on URL/link protection and get past filters that block known bad domains,” explained ArmorBlox in a blog post. “Attackers likely exploited vulnerabilities in the web server or the Content Management Systems (CMS) to host these pages on legitimate parent domains without the website admins knowing.” The information gathered by the scammers could be used in a variety of secondary attacks, including account compromise, identity theft and financial fraud. To protect against phishing attacks of this kind, users are advised to scrutinize emails for abnormalities that might identify a scam and cross-check landing page URLs with known addresses (e.g. www.netflix.com) before entering account or payment information. New Netflix phishing scam uncovered - here’s how to stay safe
  25. Microsoft Office 365 users targeted in SurveyMonkey phishing SurveyMonkey used to hide phishing attacks against Microsoft Office 365 users Online polling service SurveyMonkey was used as a disguise for a potentially damaging phishing attack that targeted Microsoft Office 365 users. Researchers at Abnormal Security recently uncovered attempts to steal Office 365 user credentials using SurveyMonkey as cover. In the campaign, the victim receives an email from a genuine SurveyMonkey site, stating it is conducting a survey among company employees. However the message contains a hidden redirect link, appearing as the text “Navigate to access statement” with the brief message “Please do not forward this email as its survey link is unique to you”. SurveyMonkey phishing However when clicked on, this link instead redirects the victim away from SurveyMonkey to a Microsoft form submission page, which tells the user to submit their Office 365 email and password to proceed. However doing so allows the criminals to steal the unsuspecting user’s Microsoft account security credentials. Abnormal Security notes that this attack may be particularly effective due to its use of a real SurveyMonkey link to hide the nefarious goals within. The email messages carrying the phishing link also use official SurveyMonkey phrases and content, tricking users into believing the message is genuine. Since the phishing URL isn’t visible within the body text, it's also easy for victims to be tricked and miss this at first glance. "Phishing is one of the most successful and long-standing cybercriminal tactics, and the constant evolution in the methodology as seen in these attacks goes some of the way to understanding why," noted Niamh Muldoon, senior director of trust and security at OneLogin. "As phishing attacks become increasingly common, and increasingly sophisticated — often tailored to a targeted team with an organisation — companies and consumers cannot rely on defending against 100% of attacks. Applying Multi-Factor Authentication (MFA) supports user awareness and conscious behaviour when it comes to phishing threats and associated risk of clicking on suspicious links." Microsoft Office 365 users targeted in SurveyMonkey phishing
  • Create New...