Month: May 2021

The Cybersecurity and Infrastructure Security Agency (CISA) and FBI announced that a spearphishing campaign targeting government organizations, intergovernmental organizations (IGOs), and non-governmental organizations (NGOs) is now active, affecting hundreds of different entities.

While the U.S. agencies said that they hadn’t attributed this spearphishing campaign to anyone in particular, at least for now, other security researchers already named the responsible group, Nobelium (Cozy Bear). It’s the same group behind the SolarWinds attack, one of the most significant security incidents in history.

“A sophisticated cyber threat actor leveraged a compromised end-user account from Constant Contact, a legitimate email marketing software company, to spoof a U.S.-based government organization and distribute links to malicious URLs,” said the agencies in the advisory.

“A cyber threat actor leveraged a compromised end-user account from Constant Contact, a legitimate email marketing software company, to send phishing emails to more than 7,000 accounts across approximately 350 government organizations, IGOs, and NGOs”, the agencies also said. “The threat actor sent spoofed emails that appeared to originate from a U.S. Government organization.”

The email contains an URL that directs the user to a malicious page from which an infected ISO file is provided. The ISO contains a DLL (a custom Cobalt Strike Beacon version 4 implant), a malicious shortcut file that executes the Cobalt Strike Beacon loader and a PDF titled “Foreign Threats to the 2020 U.S. Federal Elections” with the filename “ICA-declass.pdf.” The PDF file is actually a copy of the Intelligence Community Assessment under Executive Order 13848, which is available online from official sources.

Cobalt Strike is a commercial penetration testing tool, but it can be used by threat actors as well. It’s unclear how successful the campaign was before it was stopped, but CISA and FBI published the indicators of compromise.

Amid increasing cyber-enabled financial crimes, Interpol announced its latest successful operation, which intercepted a whopping $83 million in illicit funds.

According to a press release, law enforcement agencies in the Asia Pacific region opened more than 1,400 investigations between September 2020 and March 2021

Over six months, the Interpol-coordinated operation, codenamed HAECHI-I l, led to 585 arrests and 892 solved cases, including investment fraud, romance scams, money laundering associated with illegal online gambling, online sextortion and voice phishing.

By identifying fraudulent activity, police froze 1,600 bank accounts from around the world, recovering most of the victims’ funds in the process.

“Online fraudsters often attempt to exploit the borderless nature of the Internet by targeting victims in other countries or transferring their illicit funds abroad,” said Ilana de Wild, INTERPOL’s Director of Organized and Emerging Crime.

“The results of Operation HAECHI-I demonstrate that online financial crime is fundamentally global and that only through close international cooperation can we effectively combat these criminals.”

In one case investigated by INTERPOL’s financial crimes unit, an unnamed Korean company was swindled out of 7 million USD through fraudulent invoices received from an apparent trading partner.

However, the bank details on the invoices were changed, and the money was routed to bank accounts of fraudsters in Hong Kong and Indonesia. Shortly after the victim company reported the scam to local authorities, police managed to intercept and freeze almost half of the stolen funds.

“The key factors in intercepting illicit money transfers are speed and international cooperation,” said Amur Chandra, Brigadier General of the Indonesian National Police and Secretary of Indonesia’s INTERPOL National Central Bureau. “The faster victims notify law enforcement, the faster we can liaise with INTERPOL and law enforcement in the relevant countries to recover their funds and put these criminals behind bars.”

This lucrative operation was supported by law enforcement in Cambodia, China, Indonesia, Korea, Laos, The Philippines, Singapore, Thailand and Vietnam.

City of London and Metropolitan Police arrested eight men for allegedly sending fake messages and trying to trick people into paying a fee to retrieve a parcel, stealing their login credentials in the process.

If you’ve ever wondered about the mechanism behind one of these spam campaigns, take a look at the investigation that ended with the arrest of several people in the UK. It’s a simple enough operation that focuses on a single point of failure. Attackers trick people into revealing their credentials via SMS messages. When they follow the provided link, they see a website that looks like the original and willingly offer the information to attackers.

Out of the eight people arrested, one person, from Enfildhas, has been charged, while the rest have been released under investigation.

“He faces charges of fraud by false representation; possession of articles for use in fraud; possession of criminal property (money laundering),” a spokeswoman for the Dedicated Card and Payment Crime Unit (DCPCU) told the BBC.

In this case, the messages were sent in the name of the Royal Mail. Attackers asked victims to pay a fee to retrieve a parcel, only to reveal their personal and banking credentials in the process. It’s called a ‘smishing’ scam.

“Ongoing investigations are now underway and we will continue to work together to bring those committing smishing scams to justice,” said DetCh Insp Gary Robinson, head of the DCPCU.

Whether it’s an email message or an SMS, the advice remains the same. Never share personal or banking information over the Internet. Don’t open messages or follow links sent by unknown people, and the same goes for email attachments. If you have any doubts regarding a message, you can always contact the supposed sender to verify if they are indeed the source.

A day before the Black Lives Matter movement marked the first anniversary of George Floyd’s death, online scammers set the bait to lure supporters from across the globe with a new crypto scam.

On May 24, Bitdefender Antispam Lab spotted hundreds of spam emails using some dirty tricks as they ask recipients to fund the Black Lives Matter movement.

They use high-profile figures and celebrities to fuel their deceit while dishonoring the memory of victims’ and protestors’ goodwill.

Alicia Keys, Eva Longoria, Meryl Streep, Amy Schumer, Angela Basset, Beyonce, Jay-Z, Chris Evans, George Takei, Katty Perry, Mandy Moore, Taylor Swift, Reese Witherspoon, Mark Ruffalo, Leonardo Dicaprio, Lenny Kravitz, Lebron James and John Legend are just a few of the celebrity names used by the scammers.

The fake email opens with a reminder about the movement and offers recipients an easy way to financially support it.

“Protestors gather around the country following the deaths of George Floyd, Tony McDade, Breonna Taylor, and many others,” the scammers’ letter reads. “Now, many are wondering how they can support the Black Lives Matter movement. In addition to learning more about racism, engaging in difficult conversations, and voting, donating to organizations that aid the individuals and communities that are directly affected is one way to show support.”

Recipients willing to offer support can choose to donate between $25 and $1,000 in bitcoin by using the crypto wallet conveniently attached at the bottom of the email. Luckily, the Bitcoin address provided in the above sample has not received any transactions so far.

“Your contribution will benefit Black Lives Matter Global Organization,” the scammers add.

This latest attempt at scamming the online community stands to prove that cybercrooks and fraudsters will do anything in their power to get what they want – your money.

This includes profiting off major social, political and financial events that receive publicity on social media platforms and make international headlines.

The Black Lives Matter movement went global in 2020 after the tragic death of George Floyd, which continues to fuel protests to this day. Supporters should be wary of any donation requests they might receive via unsolicited emails and stick to the appropriate channels to support charities and social movements such as Black Lives Matter.

E-commerce reached new heights during the pandemic as consumers interacted more with digital platforms and web apps. Then, cybercriminals stepped up their game, capitalizing on changes in digital behaviors and online shopping patterns by engaging in automated fraud attacks against online retailers.

According to the new Automated Fraud Benchmark Report: E-commerce Edition by PerimeterX, cyberattacks targeting the world’s largest online shopping websites increased in volume and sophistication throughout 2020.

The results stem from anonymously collected data amid online interactions of millions of customers with the help of a network of automated attack sensors integrated with web servers housing company applications and e-commerce platforms.

Analysis of the data shows considerable spikes in cyberattacks, including account takeover attacks, gift card cracking, checkout and scrapping attacks.

In September 2020, 84.71% of all login attempts were account takeover attacks. The researchers surmised that this uptick was most likely in preparation for Cyber 5 and holiday season shopping.

“Criminals are incented to try the same password and login credentials across numerous sites because consumers tend to reuse these combinations multiple times as a way to simplify their application management and avoid forgetting passwords,” the report reads.

Additional key findings include gift card hacking attempts that, unsurprisingly, covered nearly all holiday shopping periods of 2020. Significant spikes in e-gift card attacks were noted on July 4^th, Memorial Day, Mother’s Day, Valentine’s Day, and Thanksgiving through Cyber Monday.

“The COVID-19 Pandemic increased the use of gift cards and fraudsters followed this trend in hopes of accessing valuable card balances either to use themselves for illicit purchases or to resell on the Dark Web,” the researchers explained. “Gift card attacks have also grown more sophisticated. The botnets that deliver these automated attacks are highly distributed: they use multiple IP addresses, multiple autonomous system numbers (ASNs) and many different devices.”

The report also shows that malicious actors preferred attacks against desktop users in favor of mobile devices, a surprising position given the increase in use of mobile apps and in remote workers.

“In 2020, the ratio of attacks against desktop versus mobile devices was roughly stable at one-third on mobile and two-thirds on desktop,” the PerimeterX researchers added.

The Federal Bureau of Investigation has said in a flash announcement that the Conti ransomware group is responsible for at least 16 attacks targeting US healthcare and first responder networks within the last year.

The victim organizations include law enforcement agencies, emergency medical services, 911 dispatch centers and municipalities, according to the bureau.

The group is said to have infected more than 400 organizations worldwide, including more than 290 in the US.

“Like most ransomware variants, Conti typically steals victims’ files and encrypts the servers and workstations in an effort to force a ransom payment from the victim,” the agency notes. “The ransom letter instructs victims to contact the actors through an online portal to complete the transaction. If the ransom is not paid, the stolen data is sold or published to a public site controlled by the Conti actors.”

Conti tailors the ransom demands based on the victim’s ability to pay, with some targets asked to hand over $25 in exchange for the decryption keys.

The bureau explains that such attacks are crippling to society, delaying access to real-time information, increasing safety risks to first responders and potentially endangering those who rely on calls for service.

“Loss of access to law enforcement networks may impede investigative capabilities and create prosecution challenges,” the advisory continues. “Targeting healthcare networks can delay access to vital information, potentially affecting care and treatment of patients including cancellation of procedures, rerouting to unaffected facilities, and compromise of Protected Health Information.”

The document contains valuable technical information regarding Conti’s modus operandi. For example, the group is known to gain access to victims’ networks through phishing emails or Remote Desktop Protocol, by leveraging stolen credentials.

The group uses threat emulation software like Cobalt Strike and the infamous Emotet banking Trojan, and weaponizes Word documents with embedded Powershell scripts to ultimately deploy Conti ransomware.

“Actors are observed inside the victim network between four days and three weeks on average before deploying Conti ransomware, primarily using dynamic-link libraries (DLLs) for delivery,” the technical section says. “The actors first use tools already available on the network, and then add tools as needed, such as Windows Sysinternals1 and Mimikatz to escalate privileges and move laterally through the network before exfiltrating and encrypting data. In some cases where additional resources are needed, the actors also use Trickbot. Once Conti actors deploy the ransomware, they may stay in the network and beacon out using Anchor DNS.”

Conti threat actors are aggressive, going so far as to call victims who refuse to pay ransom. The attackers do so by employing throw-away VoIP numbers or via ProtonMail. Some victims are said to have negotiated a reduced ransom, according to the report.

The advisory further includes a list of indicators of compromise (IoCs) that system administrators can look for to help stop a Conti attack before it unfolds, as well as a list of recommended mitigations. As usual, the FBI does not encourage paying ransoms, as “payment does not guarantee files will be recovered.”

Microsoft is preparing to retire the Internet Explorer 11 browser on June 15, 2022, but there are a few important caveats. If we consider those exceptions, it looks like IE will be around in some capacity even past then.

Everyone knew the day would come when Microsoft finally ditched the old Internet Explorer browser. The company has been working towards this goal for some time and has built a replacement browser based on Chromium, like many available alternatives.

“With Microsoft Edge capable of assuming this responsibility and more, the Internet Explorer 11 desktop application will be retired and go out of support on June 15, 2022, for certain versions of Windows 10,” said Microsoft.

While it looks like a straightforward decision, the situation is complicated because many companies use the old IE internally in various products and capacities, so deleting it is not an option. Fortunately, Microsoft’s replacement, Edge, has a dedicated function named IE mode that’s supported until 2029.

The announcement explained which systems won’t be affected by the IE retirement.

• Internet Explorer mode in Microsoft Edge
• Internet Explorer platform (MSHTML/Trident), including WebOC
• Internet Explorer 11 desktop application on:
• Windows 8.1
• Windows 7 Extended Security Updates (ESU)
• Windows 10 Server SAC (all versions)
• Windows 10 IoT Long-Term Servicing Channel (LTSC) (all versions)
• Windows 10 Server LTSC (all versions)
• Windows 10 client LTSC (all versions)
• In-market Windows 10 LTSC and Windows Server

Regular end users will have to deal with the fact that, starting June 15, 2022, every time they try to start the application manually, they will be redirected to use Edge instead. This is actually a good move, as simply removing support for the browser would have left many users free to use an increasingly vulnerable application.

Apple Mac users are being advised to update their operating system as a matter of priority, after malicious hackers have discovered a way of bypassing the privacy protections built into Apple Macs.

The vulnerability, allows attackers to gain permissions on vulnerable Macs without users’ granting explicit consent.

Specifically, as security researchers at Jamf explain, versions of the XCSSET malware hunt for installed apps for which the targeted user may already have granted permission to take a screenshot as part of their normal operations (such as Zoom, Discord, Skype and TeamViewer).

The malware, which is written in AppleScript, then injects malicious commands into the legitimate apps – telling them to take snapshots of the user’s screen.

As Jamf describes, the malicious code has been carefully written in an attempt to avoid raising suspicions from the security mechanisms built into macOS by Apple:

“Much of the time the malware author leverages AppleScripts in their attack chain due to the facility in which it handles many bash commands, even downloading and/or executing Python scripts in an effort to obfuscate their intentions through a confusing use of various scripting languages.”

According to the researchers, the technique can be used for not just recording victim’s screens, but also accessing microphones, webcams, or capturing keypresses – all without the user granting consent.

It’s easy to imagine how exploitation of the vulnerability could allow an attacker to steal sensitive information such as passwords as well as snoop upon private communications.

According to reports, the principal targets of the XCSSET malware have been Mac developers – with malicious code injected into Xcode projects, that are sometimes later shared with the Mac development community on GitHub.

Any developers relying on the code hosted in affected GitHub repositories for their own projects are thus unwittingly assisting a supply-chain attack.

Fortunately, this week Apple has released macOS Big Sur 11.4 which, aside from the normal bug fixes, contains a patch for the permission-busting security hole exploited by the XCSSET malware.

To update your Mac or MacBook, choose “System Preferences” from the Apple menu in the top-left of the screen. Then click “Software Update” to see if any updates are available and follow instructions.

To install future updates automatically, select the option to “Automatically keep my Mac up to date”.

We’re 15 months into the pandemic, and although many have learned to embrace work-from-home and social distancing measures, the struggles of isolation and lack of social contact have carved deep wounds into our psyche.

Stuck at home with limited social interactions, individuals have found refuge online, spending hours in front of their screens. People go online to work, keep in touch with family and friends, study, shop, entertain themselves, and even visit the doctor.

In a matter of days, the pandemic-induced transformations spread to the work environment, forcing millions of people to say goodbye to their office building, friends and coworkers. Although this sudden break from daily routines and shift to the digital world might have seemed a life-saving solution, the shortcomings of the work-from-home environment have taken their toll on the remote-working population.

 Balancing work and family life can be difficult, especially when individuals can’t draw a clear line between the two. Pandemic burnout is rampant among remote workers, and although it can occur at any workplace and industry, this chronic state of exhaustion ultimately leads to the reduced ability to do one’s job, connect with others and function normally.

“Pre-pandemic burnout in a large US company was around 42%,” Bitdefender Behavioral Analyst Nansi Lungu explains. “But now, the data shows it’s gone up to 79%. The effects seem to be everywhere. Burnout seems to have a significant tendency to increase. It’s very normal, because you don’t really know how to draw the lines anymore .”

Helping millions cope with conditions of the new normal, the digital world has become an indispensable tool that continues to develop while both hurting and helping society.  The Internet seems to be the indispensable medium in which we live, and at the same time, it has become an extension of our mind. Our internet-enabled devices are much more than gadgets or pieces of hardware. They have slowly turned into an extension of ourselves, encompassing large volumes of information that in the end make up our real-life and digital selves.

Even if the accelerated digital transformation allowed for a much smoother transition into managing what we now call the new normal, it has also helped nurture an increasingly aggressive cybercriminal community.

Since COVID-19 was declared a pandemic, spikes in online scams, fraud, identity theft, phishing and malware attacks have served as a constant reminder that individuals are waging war on two fronts. This dramatic growth in cybercriminal activity is linked to the overall state of tension, anxiety and fear surrounding the pandemic that has let cybercriminals target vulnerable individuals who are tired enough that they may dismiss red flags.

It’s been rough having to adapt to new online habits so suddenly, but help is here.

When remote work and online classes became a thing, the world started focusing on cybersecurity. However, the increased exposure to cyber risks is not limited just to the remote-working population. Awareness campaigns and the adoption of good digital behaviors should follow as we step into a period of relaxation.

We might think we have learned to balance work and free time, but new digital behaviors adopted during this stressful time could have far-reaching impacts on our digital health, and our physical and financial safety.

Adapting to digital trends and keeping up with the latest cyber threats, vulnerabilities and attacks will safeguard personal and financial information from threat actors.

As a reminder to never let your guard down when using your favorite smart device or PC, take a look at some of the most vital tools and practices to remain safe online:

• Practice safe browsing and limit the personal information you share on social media, chat rooms, dating websites and gaming platforms
• Take a minute to analyze whether the correspondence you received via email, text or instant message is genuine
• Be suspicious of too-good-too-be-true offers, get-rich-quick opportunities, cryptocurrency giveaways, online surveys and coronavirus-related merchandise
• Reassess your privacy setting on social media accounts, change passwords regularly and never recycle them
• Use a security solution to protect your devices and consider installing a VPN to ensure that your data and device are not compromised when you shop, travel or dine at your favorite restaurant
• Consider shopping at well-known online stores and brands, and research before attempting to make any purchases from a new website, ads on social media or offers you received via email

We still have a long way to go until we re-establish our peace of mind as we emerge from the health crisis. With a period of relaxation on the horizon, it’s important to start analyzing our behaviors, abandoning harmful and lengthy digital activities that may lead to stress and further burnout.

As travel restrictions begin to ease, the UK’s national reporting center for fraud and cybercrime is warning the British public to watch out for holiday fraud.

According to the latest public alert, holiday fraud has been a very lucrative business during the 2020-2021 financial year, inflicting losses of £2.2 million. Action Fraud says it had received 1,907 reports with an average loss of £1,242 per victim.

Although the agency notes a decrease of over 70% in reports from the previous fiscal year, the highly anticipated reopening of international travel is bound to attract the attention of fraudsters and cybercriminals

“We are all more eager than ever to go on a holiday and relax with family and friends, following the coronavirus pandemic,” said Pauline Smith, the Head of Action Fraud. “However, criminals will stop at nothing when it comes to defrauding innocent people out of a well-deserved break and their hard-earned cash.”

The agency’s report reveals that 56% of accounts were linked to booking airline tickets online and just 29% to holiday accommodation. However, nearly a third of victims said they were approached successfully by individuals or had responded to an online advertisement on social media platforms.

“Criminals are increasingly using more sophisticated ways to trick their victims, which is why it’s important that we all do our research when booking a holiday and making travel arrangements,” Smith added. “Regardless of whether you’re planning on travelling abroad, or going on a domestic holiday this year, remember, if a deal sounds too good to be true, it probably is.”

Facebook seems to be the online platform where victims were most commonly duped, as stated in 62% of the reports. Online booking platforms such as Booking.com and Airbnb were mentioned by nearly 10% of victims.

“Online booking platforms act as a platform for third parties to advertise accommodation,” Action Fraud explains. “Whilst many accommodation providers who make use of online booking platforms are legitimate, some criminals will use these platforms to defraud victims by advertising bogus accommodation.”

Around 7% fell victim to bogus offers on fake websites that impersonate legitimate travel agencies, including holiday accommodation platforms, airline ticket websites and comparison websites.

Unfortunately, some victims only learn of the scam on the day of travel, as they could not check in at the airport.

Avoid holiday fraud this year

You can stay safe and avoid becoming another holiday fraud victim by following these simple steps:

• Research before purchasing from an unknown company – if the company you’re thinking about buying a holiday or flight from is not legitimate, you might find consumer reports, reviews and warnings online
• Check the logo and domain name of the company website – sadly, many fake websites use the logo and a spoofed version of the website of a legitimate business. The best way to avoid becoming a victim is to not click on the links provided via ads on social media platforms. Use the search bar in your browser to manually enter the website you want to visit instead. 
• Pay with a credit card whenever possible and immediately reassess your choices if asked to pay via wire transfer into a private individual’s bank account.
• Diligently study your invoices, terms and conditions and receipts.
• Trust your instinct and dismiss any too-good-to-be-true deals, as they are the first sign of fraud.