- Phishing -
Last update 09.10.2017 13:16:51
Spam and phishing in Q2 2018
18.8.2018 Kaspersky Analysis Spam Phishing
GDPR as a phishing opportunity
In the first quarter, we discussed spam designed to exploit GDPR (General Data Protection Regulation), which came into effect on May 25, 2018. Back then spam traffic was limited to invitations to participate in workshops and other educational events and purchase software or databases. We predicted that fraudulent emails were soon to follow. And we found them in the second quarter.
As required by the regulation, companies notified email recipients that they were switching to a new GDPR-compliant policy and asked them to confirm permission to store and process personal information. This was what criminals took advantage of. To gain access to the personal information of well-known companies’ customers, criminals sent out phishing emails referencing the GDPR and asking recipients to update their account information. To do this, customers had to click on the link provided and enter the requested data, which immediately fell into the hands of the criminals. It must be noted that the attackers were targeting customers of financial organizations and IT service providers.
Phishing emails exploiting GDPR
Malicious IQY attachments
In the second quarter, we uncovered several malspam incidents with never-before-seen IQY (Microsoft Excel Web Query) attachments. Attackers disguise these files as invoices, order forms, document copies, etc., a known ploy that is still actively used in malspam. The From field contains addresses that look like personal emails, and attachment names follow a fixed template: a base name such as the pretext document type, followed by either a date or a random digit sequence.
Harmful .iqy files
When the victim opens the IQY file, the computer downloads several trojan-downloaders, which install the Flawed Ammyy RAT backdoor. The infection chain may look like this: Trojan-Downloader.MSExcel.Agent downloads another downloader from the same family, which, in turn, downloads Trojan-Downloader.PowerShell.Agent, then this trojan downloads Trojan-Downloader.Win32.Dapato, which finally installs the actual Backdoor.Win32.RA-based.hf (also known as Flawed Ammyy RAT) used to gain remote access to the victim’s computer, steal files and personal information, and send spam.
These attachments are hard to detect because an IQY file is an ordinary text file: it only tells Excel which URL to query and how to place the returned data in a spreadsheet. That is also what makes IQY files a dangerous tool in criminal hands: a malicious file is structurally identical to a legitimate one, yet the URL it names can return anything at all, and Excel will pull that content onto the machine.
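As an added illustration (not part of the Kaspersky report), the following Python script parses the three-line IQY structure described above and applies the checks a mail gateway could run on such attachments: an unexpected scheme, a cleartext HTTP fetch, a host outside an allowlist, or a raw IP literal. The allowlist, the two sample files and the placeholder address 203.0.113.7 are constructed for the example.

```python
"""Inspect Excel Web Query (.iqy) attachments and flag risky ones.

An .iqy file is plain text: line 1 is the word WEB, line 2 a format
version (1), line 3 the URL Excel will fetch, and any further lines are
optional key=value query settings. Excel fetches that URL and drops the
response into a sheet, so three lines of text are enough to pull remote
content onto the victim's machine.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Hosts users are actually expected to pull query data from
# (constructed allowlist for this example; tune to your environment).
ALLOWED_HOSTS = {"reports.example.internal"}


@dataclass
class IqyVerdict:
    url: Optional[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_iqy(data: bytes) -> Tuple[Optional[str], Dict[str, str]]:
    """Return (url, settings) from raw .iqy bytes; url is None if malformed."""
    text = data.decode("utf-8", errors="replace").lstrip("\ufeff")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB" or lines[1] != "1":
        return None, {}
    settings: Dict[str, str] = {}
    for ln in lines[3:]:
        key, sep, value = ln.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip()
    return lines[2], settings


def _is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def inspect_iqy(data: bytes) -> IqyVerdict:
    """Apply simple heuristics to decide whether an .iqy warrants quarantine."""
    url, _settings = parse_iqy(data)
    verdict = IqyVerdict(url)
    if url is None:
        verdict.reasons.append("malformed IQY header")
        return verdict
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https"):
        verdict.reasons.append(f"unexpected scheme {parsed.scheme!r}")
    elif parsed.scheme == "http":
        verdict.reasons.append("cleartext HTTP fetch")
    if host not in ALLOWED_HOSTS:
        verdict.reasons.append(f"host {host!r} not on allowlist")
    if _is_ip_literal(host):
        verdict.reasons.append("URL uses a raw IP address")
    return verdict


# Constructed samples for this example; the attacker URL is a placeholder
# in the style the report describes (invoice-style name plus digits).
BENIGN_IQY = b"WEB\r\n1\r\nhttps://reports.example.internal/sales.csv\r\n"
MALICIOUS_IQY = (b"WEB\r\n1\r\nhttp://203.0.113.7/invoice_38127.txt\r\n"
                 b"Selection=EntirePage\r\nFormatting=None\r\n")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_IQY), ("malicious", MALICIOUS_IQY)):
        v = inspect_iqy(blob)
        print(name, v.url, "SUSPICIOUS" if v.suspicious else "ok", v.reasons)
```

A legitimate query and a malicious one are indistinguishable by structure, which is why the decision rests on where the URL points rather than on the file's syntax. In practice the allowlist is the control, and IQY attachments arriving from external senders can simply be quarantined.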
It must be noted that malspam with IQY attachments is distributed via Necurs, the largest spam botnet. As a reminder, this is the botnet responsible for malspam (ransomware, macro viruses, etc.), as well as pump-and-dump and dating spam. Its operation is characterized by periods of spiking and idling, while its infection and filter-evasion mechanisms become ever more sophisticated.
The wave of confidential information leaks we discussed in the previous quarter is still on the rise. Here are some of the most notable events of the quarter:
Hacking and theft of personal information of 27M Ticketfly customers;
92M MyHeritage genealogy service users’ personal information was discovered on a public server;
340M individual records were lost by Exactis, a marketing company;
An unprotected Amazon server allowed access to the personal information of 48M Facebook, LinkedIn, Twitter, and Zillow users.
As a result of such leaks, cybercriminals get a hold of users’ names, email addresses, phone numbers, dates of birth, credit card numbers, and personal preferences. This information may later be used to launch targeted phishing attacks, which are the most dangerous type of phishing.
In the second quarter, our anti-phishing system prevented 58,000 user attempts to connect to phishing websites masquerading as popular cryptocurrency wallets and markets. In addition to classic phishing, which aims at gaining access to the victim's accounts and private keys, cybercriminals try every way to entice a victim to willingly send them cryptocurrency. One example is the cryptocoin giveaway. Cybercriminals also continue to use the names of new ICO projects to collect money from potential investors trying to gain early access to new tokens. Sometimes the phishing sites appear before the official project sites do.
Ethereum (ETH) is currently the most popular cryptocurrency with phishers. The popularity of Ethereum with cybercriminals increases as more funds are attracted by ICOs on the Ethereum platform. According to our very rough estimate (based on data received from over a thousand ETH wallets used by malefactors), over the Q2 2018, cybercriminals exploiting ICOs managed to make $2,329,317 (end-of-July-2018 exchange rate), traditional phishing not included.
Fake ICO project pages: the first is located on fantom.pub and imitates fantom.foundation, the real site of the FANTOM project; the second one, found on sparkster.be, is an imitation of sparkster.me, the original SPARKSTER site
World Cup 2018
Cybercriminals from all over the world prepared for the World Cup as much as its organizers and soccer fans. The World Cup was used in many traditional scamming methods using social engineering. Cybercriminals created fake championship partner websites to gain access to victims’ bank and other accounts, carried out targeted attacks, and created bogus fifa.com account sign-in pages.
As mentioned in the 2017 report, more and more phishing pages are hosted on domains with valid TLS certificates, whether on hacked sites or on domains registered specifically to serve the phishing content. This follows from the web's shift to HTTPS: a domain-validated certificate is now trivial to obtain, and it attests only that the connection is encrypted and goes to the named domain, not that the domain is honest. In the middle of the second quarter this prompted Google to announce changes to the way Chrome presents certificates. With Chrome 69 in September 2018, the browser will stop marking HTTPS sites as “Secure” in the URL bar.
With Chrome 70 in October 2018, a red “Not secure” marker will be displayed on all HTTP pages where users enter data.
Google believes that this will make more sites use encryption. After all, users should expect the web to be safe by default and receive warnings only in the event of any issues.
An example of a certified phishing website marked as “Secure”.
At the moment, the green Secure message in the URL bar is rather misleading for a user, especially when they visit a phishing website.
In anticipation of the vacation season, cybercriminals have used all of the possible topics that may interest travelers, from airplane ticket purchases to hotel bookings. For instance, we’ve found many websites that offer very tempting accommodations at absurd prices (e.g., an entire four-bedroom house in Prague with a pool and a fireplace at $1,000 a month). Such websites pose as Amazon, TripAdvisor, and other sites popular among travelers.
An example of a fake hotel booking website
A similar method is used to fake ticket aggregator websites. In these cases, the displayed flight information is real, but the tickets turn out to be fake.
An example of fake airline ticket websites
In our reports, we regularly point out that phishing and other spam moved beyond email a long time ago. Attackers use every means of communication at their disposal and even recruit unsuspecting users themselves to distribute malware. This quarter, most large-scale attacks were found in messengers and on social networks.
Cybercriminals have been using WhatsApp more frequently to distribute their content lately. WhatsApp users copy and resend spam messages themselves, just like they used to do with luck chain letters many years ago. Most of these messages contain information about fictional lotteries or giveaways (we have already discussed these types of scams many times). Last quarter, cybercriminals brought back the airplane ticket giveaways. This quarter in Russia, for instance, they used names of popular retailers such as Pyaterochka and Leroy Merlin, and also McDonald’s. Some fake messages come from popular sportswear brands, as well as certain stores and coffee shops.
Users share messages about ticket raffles with their contacts via a messenger since it’s one of the conditions for winning
Once a user has sent the message to some friends, he or she is redirected to another resource, the content of which changes depending on the victim’s location and device. If the user visits the site from their smartphone, most often they are automatically subscribed to paid services. The user may also be redirected to a page containing a survey or a lottery or to some other malicious website. For instance, a user may be invited to install a browser extension which will later intercept the data they enter on other websites and use their name to do other things online, such as publish posts on social media.
An example of a page which a user is redirected to after a survey, at the end of which they were promised a coupon to be used in a popular retail chain. As you can see, no coupon has been received, but the user is invited to install a browser extension with suspicious permissions.
Twitter and Instagram
Cybercriminals have been using Twitter to distribute fraudulent content for a long time. However, it has recently become a breeding ground for fake celebrity and company accounts.
Fake account for Pavel Durov
The most popular cover used by cybercriminals is cryptocurrency giveaways on behalf of celebrities. The user is asked to transfer a small amount of cryptocurrency to a certain wallet to get double or triple coins back. To enhance trust, the wallet may be located on a separate website, which also contains a list of fake transactions that the victim can see “updating” in real time, which confirms that any person who transfers money to the fake wallet gets back several times the amount transferred. Of course, the victim does not receive anything. Despite the simplicity of this scheme, it makes cybercriminals millions of dollars. This quarter, cybercriminals favoured the names of Elon Musk, Pavel Durov, and Vitalik Buterin in their schemes. These names were chosen for a reason — Elon Musk is an entrepreneur, inventor, and investor, while Durov and Buterin made it to the cryptocurrency market leader list published by Fortune.
An example of a website advertised on Elon Musk’s fake account
News sensations make these schemes even more effective. For instance, the shutdown of the Telegram messenger generated a wave of fake messages from “Pavel Durov” promising compensation. In this case cybercriminals use similarly-spelled account names. For example, if the original account name contains an underscore, cybercriminals register a new user with two underscores in the name and publish messages about cryptocurrency giveaways in comments to the celebrities’ authentic Twitter posts. As a result, even a detail-oriented person may have a hard time spotting the fake.
Twitter administration promised to stop this type of fraud a long time ago. One of their first steps involved blocking accounts that tried to change the user’s name to Elon Musk, and most probably other names commonly used by cybercriminals as well. However, it is easy to keep the account from being blocked by entering a Captcha and a code sent via text, after which the user can keep Elon’s name or change it to anything they want— the account will not be blocked again. It is also unclear whether Twitter will block the obfuscated names of famous people that are often exploited by cybercriminals.
Another measure taken by the social network is blocking accounts that post links to Elon Musk’s account. Just like in the previous example, the account can be unblocked by entering a Captcha and confirming a phone number via a code received in a text message.
This scam has started spreading to other platforms as well. Fake accounts can also be found on Instagram.
Vitalik Buterin’s fake Instagram account
On Facebook, in addition to the aforementioned content distribution through viral threads, cybercriminals often use the advertising mechanisms offered by the social network. We have recorded instances of get-rich-quick schemes being spread through Facebook ads.
Fraudulent website ad on Facebook
After clicking on the ad, the user is redirected to a website where, after completing a few steps, they are offered a reward. To receive this reward, the user must either pay a fee, enter their credit card information, or share some personal details. Of course, the user does not receive any reward in the end.
Ads with malicious content and links to phishing sites can be found not only on social networks, but also in the search results pages of major search engines. This has recently become a popular method of advertising fake ICO project websites.
Users do not always notice the “Ad” label next to the ads
Last quarter, spammers tried to use the following new tricks to evade filters.
Double email headers
When generating spam emails, spammers put two From fields in the message header. The first contained a legitimate address, usually from a well-known organization whose reputation is untarnished by spam scandals, while the second carried the spammer's actual address, which had nothing to do with the first. The spammers expected filters to judge the message by the reputable address, forgetting that modern anti-spam solutions rely not only on the technical part of the email but also on its content.
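As an added example, not from the report, this Python check shows how a filter can catch the double-From trick outright rather than relying on content analysis: RFC 5322 allows exactly one From field per message, so a second one is itself a strong signal, and the domains it names can be cross-checked against the envelope sender in Return-Path. The two sample messages and all addresses are constructed.

```python
"""Flag messages that carry more than one From header.

RFC 5322 permits exactly one From field per message. The trick described
above adds a second one, hoping a filter reads the reputable address while
the client acts on the other. Python's email parser keeps every occurrence,
so the check is: count From headers, compare the domains they name, and
cross-check against the envelope sender recorded in Return-Path.
"""
from email import message_from_bytes, policy
from email.utils import getaddresses, parseaddr
from typing import List

# Constructed sample messages for this example; all addresses are placeholders.
RAW_SPAM = b"""Return-Path: <bounce@cheap-pills.example>
From: Billing <billing@bank.example>
From: promo@cheap-pills.example
To: victim@corp.example
Subject: Your invoice
Content-Type: text/plain

Click here http://cheap-pills.example/offer
"""

RAW_CLEAN = b"""Return-Path: <bounce@bank.example>
From: Billing <billing@bank.example>
To: victim@corp.example
Subject: Your invoice
Content-Type: text/plain

Statement attached.
"""


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def header_anomalies(raw: bytes) -> List[str]:
    """Return human-readable findings; an empty list means the headers look sane."""
    msg = message_from_bytes(raw, policy=policy.compat32)
    froms = msg.get_all("From") or []
    findings: List[str] = []
    if len(froms) != 1:
        findings.append(f"{len(froms)} From headers (RFC 5322 requires exactly one)")
    from_domains = {_domain(a) for _, a in getaddresses(froms) if "@" in a}
    if len(from_domains) > 1:
        findings.append("From headers disagree on domain: " + ", ".join(sorted(from_domains)))
    rp_domain = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    if rp_domain and from_domains and rp_domain not in from_domains:
        findings.append(f"Return-Path domain {rp_domain} matches no From domain")
    return findings


if __name__ == "__main__":
    for label, raw in (("spam", RAW_SPAM), ("clean", RAW_CLEAN)):
        print(label, header_anomalies(raw) or ["no anomalies"])
```

Which From a mail client displays is implementation-dependent, so a receiver should not assume users will see the reputable one. DMARC (RFC 7489, section 6.6.1) also treats messages with multiple From fields as non-conformant, typically rejecting them, so enforcing DMARC at the gateway blocks this trick as a side effect.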
Another trick delivered spam disguised as automatic mailing-list subscription confirmations. Spammers exploited ordinary websites that allow unlimited user registration (especially those that accept the same email address repeatedly), using a script to auto-fill the subscription forms with recipient addresses taken from previously collected or purchased databases. The spam payload was a short phrase with a link to the spam resource, inserted into one of the form's mandatory fields, typically the recipient name. The recipient therefore received a notification from a legitimate mail address that carried a spam link where their name should have been.
An example of spam mail sent using the subscription service on a legal site
Proportion of spam in email traffic
Proportion of spam in global email traffic, Q1 and Q2 2018 (download)
In Q2 2018, the largest share of spam was recorded in May at 50.65%. The average share of spam in world mail traffic was 49.66%, 2.16 p.p. lower than in the previous reporting period.
Sources of spam by country
Spam-originating countries, Q2 2018 (download)
Vietnam, the leading spam-originating country in Q1 2018, fell to seventh place (3.98%) in the second quarter and was replaced at the top by China (14.36%). Second and third place, the USA (12.11%) and Germany (11.12%), are only a percentage point apart. France was fourth (4.42%) and Russia fifth (4.34%). Great Britain occupied tenth place (2.43%).
Spam email size
Spam email size, Q1 and Q2 2018 (download)
The Q2 2018 results indicate that the share of very small spam messages (up to 2 KB) fell 2.45 p.p. to 79.17%. The share of 5-10 KB spam messages, on the other hand, grew somewhat (by 1.45 p.p.) compared with the previous quarter, to 5.56%.
The share of 10-20 KB spam messages changed little, falling 0.93 p.p. to 3.68%. 20-50 KB spam messages saw a similar trend, their share decreasing by 0.4 p.p. (to 2.68%) compared with the previous reporting period.
Malicious attachments: malware families
Top 10 malware families, Q2 2018 (download)
According to the Q2 2018 results, the most widely distributed malware family by mail was Exploit.Win32.CVE-2017-11882 (10.35%). This verdict covers various malware exploiting CVE-2017-11882, a memory-corruption vulnerability in the Equation Editor component (EQNEDT32.EXE) of Microsoft Office. Mail carrying the Trojan-PSW.Win32.Fareit family, which steals user information and passwords, declined during the second quarter, dropping from first to second place (5.90%). Third and fourth places are occupied by Backdoor.Win32.Androm (5.71%) and Backdoor.Java.QRat (3.80%), and the Worm.Win32.WBVB family was the fifth most popular malware with cybercriminals.
Countries targeted by malicious mailshots
Distribution of Mail Anti-Virus triggers by country, Q2 2018 (download)
The first, second, and third places among the countries with the highest quantity of Mail Anti-Virus triggers in Q2 2018 were unchanged. Germany remained in the first place (9.54%), and the second and third places were taken by Russia and Great Britain (8.78% and 8.67%, respectively). The fourth and fifth places were taken by Brazil (7.07%) and Italy (5.39%).
In Q2 2018, the Anti-Phishing system prevented 107,785,069 attempts to connect users to malicious websites. 9.6% of all Kaspersky Lab users around the world were subject to attack.
Geography of attacks
The country with the highest percentage of users attacked by phishing in Q2 2018 was again Brazil, with 15.51% (-3.56 p.p.).
Geography of phishing attacks, Q2 2018 (download)
Top countries by share of users attacked (only one row of the table survived): South Korea 11.66%*
* Percentage of users whose Antiphishing system triggered against all Kaspersky Lab users in the respective country.
Organizations under attack
The rating of attacks by phishers on different categories of organizations is based on detections by Kaspersky Lab's heuristic Anti-Phishing component. It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat.
In Q2 2018, the Global Internet Portals category again took first place with 25.00% (+1.3 p.p.).
Distribution of organizations affected by phishing attacks by category, Q2 2018. (download)
The share of attacks on organizations that can be combined into a general Finance category (banks at 21.10%, online stores at 8.17%, and payment systems at 6.43%) fell to 35.70% (-8.22 p.p.). IT companies were targeted more often in the second quarter than in the first: this category grew by 12.28 p.p. to 13.83%.
Average spam volume of 49.66% in world mail traffic in this quarter fell 2.16 p.p. in comparison with the previous reporting period, and the Antiphishing system prevented more than 107M attempts to connect users to phishing sites, which is 17M more than in the first quarter of 2018.
In this quarter, malefactors actively used GDPR, World Cup, and cryptocurrency themes, and links to malicious websites could be found on social networks and messengers (users were often distributing them themselves), as well as in marketing messages served by large search engines.
Exploit.Win32.CVE-2017-11882 was the most widely-distributed family of malware via mail, at 10.35%. Trojan-PSW.Win32.Fareit fell from the first place to the second place (5.90%), and the third and fourth places were taken by Backdoor.Win32.Androm (5.71%) and Backdoor.Java.QRat (3.80%).
PhishPoint Phishing Attack – A new technique to Bypass Microsoft Office 365 Protections
16.8.2018 securityweek Attack Phishing
Security experts from the cloud security firm Avanan have discovered a new technique dubbed PhishPoint, that was used by hackers to bypass Microsoft Office 365 protections.
PhishPoint is a new SharePoint phishing attack that affected an estimated 10% of Office 365 users over the last 2 weeks.
The experts warn that the technique has already been used by scammers and crooks to bypass the Advanced Threat Protection (ATP) mechanism of Microsoft Office 365, one of the most popular email services.
“Over the past two weeks, we detected (and blocked) a new phishing attack that affected about 10% of Avanan’s Office 365 customers. We estimate this percentage applies to Office 365 globally. PhishPoint marks an evolution in phishing attacks, where hackers go beyond just email and use SharePoint to harvest end-users’ credentials for Office 365.” reads the analysis published by Avanan.
“Essentially, hackers are using SharePoint files to host phishing links. By inserting the malicious link into a SharePoint file rather than the email itself, hackers bypass Office 365 built-in security. “
In a PhishPoint attack scenario, the victim receives an email containing a link to a SharePoint document. The content of the message is identical to a standard SharePoint invitation to collaborate.
Once the user clicks the hyperlink in the fake invitation, the browser opens a genuine SharePoint file.
The SharePoint file content impersonates a standard access request to a OneDrive file, with an “Access Document” hyperlink that is actually a malicious URL that redirects the victim to a spoofed Office 365 login screen.
This landing page asks the victim to enter their login credentials.
Experts highlighted that Microsoft protection mechanisms scan the body of an email, including the links provided in it, but since the URL points to an actual SharePoint document, the protections fail in identifying the threat.
“To protect against potential threats, Office 365 scans links in email bodies to look for blacklisted or suspicious domains. Since the link in the email leads to an actual SharePoint document, Microsoft did not identify it as a threat,” the researchers said. “The crux of this attack is that Microsoft link-scanning only goes one level deep, scanning the links in the email body, but not within files hosted on their other services, such as SharePoint. In order to identify this threat, Microsoft would have to scan links within shared documents for phishing URLs. This presents a clear vulnerability that hackers have taken advantage of to propagate phishing attacks.”
The problem is that Microsoft cannot blacklist links associated with SharePoint documents.
“Even if Microsoft were to scan links within files, they would face another challenge: they could not blacklist the URL without blacklisting links to all SharePoint files. If they blacklisted the full URL of the Sharepoint file, the hackers could easily create a new URL.”
Experts recommend being suspicious of the URLs in the email body if it uses URGENT or ACTION REQUIRED in the subject line.
Every time a login page is displayed it is necessary to double check the address bar in the web browser to discover if the link points to a legitimate resource, and of course, always use two-factor authentication (2FA).
If you are interested in other attack techniques discovered by Avanan in recent months, have a look at the post titled “Five Techniques to Bypass Office 365 Protections Used in Real Phishing Campaigns”.
DarkHydrus Uses Open Source Phishery Tool in Middle-East Attacks
9.8.2018 securityweek Phishing
The recently detailed DarkHydrus threat group is leveraging the open-source Phishery tool to create malicious documents used in attacks on government entities in the Middle East, Palo Alto Networks warns.
Just weeks ago, the security firm revealed that the actor is employing numerous free or open-source utilities for their malicious purposes. They have leveraged tools such as Meterpreter, Mimikatz, PowerShellEmpire, Veil, and CobaltStrike, as well as a PowerShell-based backdoor called RogueRobin.
With a focus on credential harvesting, the attacker(s) employs spear-phishing emails to deliver malicious Office documents and is using an infrastructure dating back to fall 2017.
The malicious documents, which use the attachedTemplate technique, load a template from a remote, attacker-controlled location to prompt users to provide login credentials. The login information is then sent to the attacker’s server.
Last year, the FBI and the DHS issued a joint report warning of cyber-attacks targeting energy facilities in the U.S. and elsewhere and leveraging the same template injection technique. Those attacks, however, were attributed to a different actor.
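To make the attachedTemplate technique concrete, here is an added Python example (not code from Palo Alto Networks or from the Phishery project) that builds a minimal .docx carrying an external template relationship and then scans it the way a mail gateway or triage script would. The hostname 0utl00k.example is a constructed placeholder modelled on the report's 0utl00k[.]net. Phishery itself answers the template request with an HTTP Basic authentication challenge, which is what produces the credential prompt.

```python
"""Find remote template references (attachedTemplate) inside a .docx.

A .docx is a zip of XML parts. Word records the document's template in
word/settings.xml as <w:attachedTemplate r:id="..."/>; the matching entry in
word/_rels/settings.xml.rels supplies the target. When that relationship has
TargetMode="External" and an http(s) target, Word fetches the template from
that server when the document opens, and an attacker-controlled server can
turn that fetch into a credential prompt.
"""
import io
import xml.etree.ElementTree as ET
import zipfile
from typing import List, Optional
from urllib.parse import urlparse

ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def remote_templates(docx_bytes: bytes) -> List[str]:
    """Return external http(s) attachedTemplate targets found in a .docx."""
    found: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return found
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            if rel.get("TargetMode") != "External":
                continue  # a local .dotm path is normal for corporate templates
            target = rel.get("Target", "")
            if urlparse(target).scheme in ("http", "https"):
                found.append(target)
    return found


def build_docx(template_url: Optional[str]) -> bytes:
    """Construct a minimal .docx for this example (real files carry many more parts)."""
    rel = ""
    if template_url is not None:
        rel = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
               f'Target="{template_url}" TargetMode="External"/>')
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{PKG_NS}">{rel}</Relationships>')
    settings = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                + ('<w:attachedTemplate r:id="rId1"/>' if template_url else '')
                + '</w:settings>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", settings)
        z.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


# Constructed samples; the host imitates the report's 0utl00k[.]net pattern
# but is a non-resolving placeholder.
PHISH_DOCX = build_docx("https://target-school.0utl00k.example/template.dotm")
CLEAN_DOCX = build_docx(None)

if __name__ == "__main__":
    print("phish:", remote_templates(PHISH_DOCX))
    print("clean:", remote_templates(CLEAN_DOCX))
```

Only external http(s) targets are reported; a relative or local path to a .dotm is normal for corporate templates and should not be flagged. Other remote-fetch hooks exist in OOXML (external oleObject relationships, for instance), so treat this as one rule in a scanner rather than the whole scanner.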
Palo Alto Networks' security researchers believe that DarkHydrus used the open-source Phishery tool to create two of the Word documents observed in these credential harvesting attacks.
One of these attacks was observed on June 24, 2018, targeting an educational institution in the Middle East. The subdomain of the attacker-controlled 0utl00k[.]net used in this incident mirrored the targeted institution's own domain name, which made the malicious document and its authentication request look credible.
The security researchers discovered additional documents that employed the same malicious domain for credential harvesting and say that the malicious campaign has been ongoing for almost a year.
Previously, Palo Alto Networks uncovered additional domains the threat actor has been using in assaults, including anyconnect[.]stream, Bigip[.]stream, Fortiweb[.]download, Kaspersky[.]science, microtik[.]stream, owa365[.]bid, symanteclive[.]download, and windowsdefender[.]win.
The RogueRobin backdoor, the security firm says, can determine whether it is running in a sandbox. It provides attackers with various remote administration capabilities, including file upload, PowerShell command execution, DNS queries, downloading content from the command and control (C&C) server, and adding PowerShell modules to the script.
The researchers were able to confirm that the Phishery tool was used to create the DarkHydrus documents. The open-source utility injects remote template URLs into Word documents and can also host the C&C server that collects the credentials users enter.
“We discovered DarkHydrus carrying out credential harvesting attacks that use weaponized Word documents, which they delivered via spear-phishing emails to entities within government and educational institutions. This threat group not only used the Phishery tool to create these malicious Word documents, but also to host the C2 server to harvest credentials,” Palo Alto Networks concluded.
Industrial Sector targeted in surgical spear-phishing attacks
3.8.2018 securityaffairs Phishing
Industrial sector hit by a surgical spear-phishing campaign aimed at installing legitimate remote administration software on victims’ machines.
Attackers carried out a spear-phishing campaign against entities in the industrial sector; messages disguised as commercial offers were used to deliver legitimate remote administration software (TeamViewer or Remote Manipulator System/Remote Utilities (RMS)) to victims' systems.
Attackers personalized the content of each phishing email reflecting the activity of the target organization and the type of work performed by the employee to whom the email is sent.
The campaign was discovered by experts from Kaspersky Lab who speculate the attackers are financially motivated.
“Kaspersky Lab ICS CERT has identified a new wave of phishing emails with malicious attachments targeting primarily companies and organizations that are, in one way or another, associated with industrial production.” reads the blog post published by Kaspersky.
“According to the data available, the attackers’ main goal is to steal money from victim organizations’ accounts,”
Once the attackers have gained access to the victim’s system they will search for any purchase documents, as well as the financial and accounting software. Then the crooks look for various ways in which they can monetize their effort, for example, by spoofing the bank details used to make payments.
According to Kaspersky, there was a spike in the number of spear phishing messages in November 2017 that targeted up to 400 industrial companies located in Russia.
The spear-phishing campaign is still ongoing, the messages purported to be invitations to tender from large industrial companies.
The quality of the phishing messages suggests the attackers have spent a significant effort in the reconnaissance phase.
“It is worth noting that the attackers addressed an employee of the company under attack by his or her full name,” state the researchers. “This indicates that the attack was carefully prepared and an individual email that included details relevant to the specific organization was created for each victim.”
The attackers used both malicious attachments and links to external resources that are used to download the malicious code.
“Malicious files can be run either by an executable file attached to an email or by a specially crafted script for the Windows command interpreter,” state the researchers.
“For example, the archive mentioned above contains an executable file, which has the same name and is a password-protected self-extracting archive. The archive extracts the files and runs a script that installs and launches the actual malware in the system.”
For both of the legitimate tools the attackers used, TeamViewer and Remote Manipulator System/Remote Utilities (RMS), the technique was DLL hijacking: a malicious library is loaded into the legitimate process in place of a system DLL.
The malicious library impersonates winspool.drv, a system file normally located in the system folder and used to send documents to the printer; because Windows searches the application's own directory before the system folder, the attackers' copy placed next to the executable is the one that gets loaded.
The winspool.drv decrypts the attackers’ configuration files, including software settings and the password for remotely controlling the target machine.
In the case of RMS, one of the configuration files includes the email address used by the attacker to receive the information (i.e. computer name, username and the RMS machine’s internet ID) about the infected system.
When the attackers use TeamViewer software to exfiltrate system information, a file in a malicious library contains various parameters, including the password used for remotely controlling the system and a URL of the attackers’ command-and-control server.
Unlike RMS, Team Viewer also uses a built-in VPN to remotely control a computer located behind NAT.
“After launching, the malicious library checks whether an internet connection is available by executing the command “ping 18.104.22.168” and then decrypts the malicious program’s configuration file tvr.cfg. The file contains various parameters, such as the password used for remotely controlling the system, URL of the attackers’ command-and-control server, parameters of the service under whose name TeamViewer will be installed, the User-Agent field of the HTTP header used in requests sent to the command-and-control server, VPN parameters for TeamViewer, etc.” continues the analysis.
“Unlike RMS, Team Viewer uses a built-in VPN to remotely control a computer located behind NAT.”
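The winspool.drv substitution described above is a DLL search-order hijack: the legitimate executable asks for the DLL by name, and Windows looks in the application's own directory before %SystemRoot%\System32. The following is an added Python example, not Kaspersky's tooling, that hunts for that condition. It builds a constructed directory layout in a temporary folder (no real TeamViewer or RMS install is touched) and flags a winspool.drv whose hash differs from the System32 copy, while leaving a byte-identical duplicate alone.

```python
"""Spot DLL search-order hijacking in a remote-admin tool's install directory.

When a file named winspool.drv sits beside TeamViewer.exe (or the RMS
executable), the default Windows DLL search order loads that copy before the
genuine one in %SystemRoot%\\System32. The check walks an application
directory, picks out files whose names match system DLLs the program is
expected to load from System32, and compares their SHA-256 with the system
copy so that a redundant but genuine copy is not reported.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# DLL names the report says were substituted; extend with others the app imports.
WATCHED = {"winspool.drv"}


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_sideloaded(app_dir: str, system_dir: str,
                    watched=WATCHED) -> List[Tuple[str, str]]:
    """Return (path, sha256) for watched DLLs under app_dir whose hash differs
    from the System32 copy (or for which no System32 copy exists)."""
    reference: Dict[str, str] = {}
    for name in watched:
        ref = os.path.join(system_dir, name)
        if os.path.isfile(ref):
            reference[name.lower()] = sha256_file(ref)
    hits: List[Tuple[str, str]] = []
    for root, _dirs, files in os.walk(app_dir):
        for fn in files:
            key = fn.lower()
            if key in watched:
                path = os.path.join(root, fn)
                digest = sha256_file(path)
                if digest != reference.get(key):
                    hits.append((path, digest))
    return hits


def demo() -> List[str]:
    """Build a constructed directory layout (not a real install) and run the check.
    Returns the flagged paths relative to the temporary root."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = os.path.join(tmp, "Windows", "System32")
        tv = os.path.join(tmp, "Program Files", "TeamViewer")
        rms = os.path.join(tmp, "Program Files", "Remote Manipulator System")
        for d in (sys32, tv, rms):
            os.makedirs(d)
        legit = b"MZ genuine print spooler client stub"
        with open(os.path.join(sys32, "winspool.drv"), "wb") as f:
            f.write(legit)
        # TeamViewer dir: attacker-supplied winspool.drv with a different body.
        with open(os.path.join(tv, "winspool.drv"), "wb") as f:
            f.write(b"MZ attacker loader stub that decrypts tvr.cfg")
        # RMS dir: a byte-identical copy of the genuine DLL, which is not a hijack.
        with open(os.path.join(rms, "winspool.drv"), "wb") as f:
            f.write(legit)
        hits = find_sideloaded(os.path.join(tmp, "Program Files"), sys32)
        return [os.path.relpath(p, tmp) for p, _ in hits]


if __name__ == "__main__":
    for rel in demo():
        print("possible DLL hijack:", rel)
```

On a real host, call find_sideloaded with the tool's install directory and os.path.join(os.environ["SystemRoot"], "System32"). A hit on a hijacked DLL should be followed by recovering the configuration it decrypts (tvr.cfg for the TeamViewer variant, per the report) to obtain the exfiltration address or C&C URL.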
Kaspersky highlighted that the industrial sector is becoming a privileged target for crooks, they are able to make profits even using simple techniques and known malware.
Using legitimate remote administration software gives the crooks full control of compromised systems while helping them avoid detection, since the tools themselves are trusted software rather than malware.
“This choice on the part of the cybercriminals could be explained by the fact that the threat-awareness and cybersecurity culture in industrial companies is inferior to that in companies from other sectors of the economy (such as banks or IT companies),” Kaspersky concludes.
Phishing Campaign Targets 400 Industrial Organizations
3.8.2018 securityweek Phishing
A new wave of spear-phishing emails masquerading as legitimate procurement and accounting letters has hit over 400 industrial organizations, according to Kaspersky Lab.
Data collected by Kaspersky showed that the malware associated with the campaign attacked nearly 800 company PCs across various industries. The attacks, which are ongoing, attempt to steal money and confidential data from the targeted organizations, which range from oil and gas to metallurgy, energy, construction and logistics.
The spear-phishing emails, Kaspersky’s security researchers discovered, are tailored with “content that corresponded to the profile of the attacked organizations and took into account the identity of the employee – the recipient of the letter.”
“This suggests that the attacks were carefully prepared and that criminals took the time to develop an individual letter for each user,” the researchers say.
The emails either contain malicious attachments designed to silently install modified legitimate software onto the victim’s machine, such as TeamViewer or Remote Manipulator System/Remote Utilities (RMS), or try to trick victims into following external links and downloading malicious objects from there.
Analysis of the attacks has revealed the use of various techniques to mask the presence of malware on the system. Incidents involving RMS software relied on exfiltrating data over email, while those abusing legitimate TeamViewer software sent the data directly to a command and control (C&C) server.
The main goal of these attacks is to steal money from the victim organizations’ accounts. After gaining access to a victim’s system and gathering the required information by accessing documents and financial and accounting software, the attackers engage in various financial fraud operations, such as spoofing the bank details used to make payments.
When needed, the attackers would also upload additional malware onto the compromised machines, specifically crafted for each attack. They have been using spyware, remote administration tools to expand their control over the infected systems, Mimikatz, and malware to exploit different vulnerabilities in the operating system.
Some of the malicious programs found on compromised machines include the Babylon RAT, Betabot/Neurevt, AZORult stealer and Hallaj PRO Rat families. These allowed attackers to log keystrokes, take screenshots, collect system information, download additional malware, steal passwords and cryptocurrency wallets, intercept traffic, and conduct distributed denial of service (DDoS) attacks.
In some attacks, the remote administration tool called RemoteUtilities was used to remotely control the infected system, transfer files, manage running applications and hardware, open a remote shell, capture screenshots and screen videos, and record audio and video.
While the attacks did not appear to concentrate on companies in a specific industry or sector, the actors did focus on compromising systems belonging to industrial companies. Furthermore, most of the organizations that were hit are located in Russia, Kaspersky said.
“The attackers demonstrated a clear interest in targeting industrial companies in Russia. Based on our experiences, this is likely to be due to the fact that their level of cybersecurity awareness is not as high as it is in other markets, such as financial services. That makes industrial companies a lucrative target for cybercriminals – not only in Russia, but across the world,” Vyacheslav Kopeytsev, security expert, Kaspersky Lab, said.
Microsoft uncovered and stopped attempts to launch spear-phishing attacks on three 2018 congressional candidates
20.7.2018 securityaffairs Phishing
Microsoft helped the US Government in protecting at least three 2018 midterm election candidates from attacks by Russian cyberspies.
Microsoft revealed that Russian cyberspies attempted to hack at least three 2018 midterm election candidates, and that it helped the US government repel the attacks.
A Microsoft executive speaking at the Aspen Security Forum revealed the hacking attempts against at least three unnamed congressional candidates; all the attacks were detected this year.
The company executive only added that the three candidates were “people who, because of their positions, might have been interesting targets from an espionage standpoint as well as an election disruption standpoint.”
The hackers sent spear-phishing messages to the candidates, the messages included links to a fake Microsoft website used by the cyberspies to trick victims into providing their credentials.
“Earlier this year, we did discover that a fake Microsoft domain had been established as the landing page for phishing attacks,” said Tom Burt, Microsoft’s vice president for customer security.
“And we saw metadata that suggested those phishing attacks were being directed at three candidates who are all standing for election in the midterm elections.”
Once Microsoft discovered the phishing website, it took it down and helped the US government to “avoid anybody being infected by that particular attack.”
Microsoft blamed the Russian APT28 group for the attacks.
We “discovered that the [fake domains] were being registered by an activity group that at Microsoft we call Strontium…that’s known as Fancy Bear or APT 28,” Burt explained.
“The consensus of the threat intelligence community right now is [that] we do not see the same level of activity by the Russian activity groups leading into the mid-year elections that we could see when we look back at them at that 2016 elections.”
Burt compared the recent activity with the hacking campaign conducted to interfere with the 2016 presidential election, pointing out that, unlike in 2016, the 2018 attacks have not targeted the think tanks and academic experts that were hit during the 2016 presidential election.
“That does not mean we’re not going to see it, there is a lot of time left before the election.” Burt added.
Trezor users targeted by phishing attacks, experts blame DNS Poisoning or BGP Hijacking
2.7.2018 securityaffairs Phishing
The maintainers of the Trezor multi-cryptocurrency wallet service reported a phishing attack against some of its users that occurred during the weekend.
Tweet replying to @TREZOR (1 Jul): “More details will be published soon in the form of a blog post.”
Tweet from a user, Carsten (1:13 PM - Jul 1, 2018): “I had some issues yesterday, when accessing your site. It seems to be related with DNS. Is http://beta-wallet.trezor.io legit?”
The attack appears more complex than a simple phishing campaign: the hackers may have carried out a DNS poisoning attack or a BGP hijack to redirect users to a rogue phishing site that mimics the legitimate one.
“The signs point toward DNS poisoning or BGP hijacking,” explains the Trezor team.
Hackers redirected legitimate traffic for the official wallet.trezor.io domain to a rogue copy of the website.
The team launched an investigation to shed light on the attack. The experts spotted the incident after users reported an HTTPS certificate error when landing on the web wallet portal.
The error alerted the users: this kind of error suggests that the site being visited is a rogue one posing as the legitimate site.
The users quickly reported the anomaly to the maintainers, who confirmed the phishing attack and published a security advisory to warn users.
“Late night yesterday, our Support Team started receiving inquiries about an invalid SSL certificate, which serves as a stamp of authenticity of our web services. This can happen for a few reasons, some of which are less serious. Unfortunately, after investigating these reports closer, we found out that the invalid certificate warning appeared because of phishing attempts against Trezor users.” reads the security advisory.
“The fake Trezor Wallet website was served to some users who attempted to access wallet.trezor.io — the legitimate address. We do not yet know which attack vector was used, but the signs point toward DNS poisoning or BGP hijacking.”
The company also reported two other issues for the bogus website:
The first issue was an error message that differed from the one on the original Trezor site, telling users that syncing data between their Trezor hardware wallet and their Trezor web account had failed.
The second issue was that the fake website asked users to provide a copy of their “recovery seed”; Trezor warns that users should never enter the recovery seed on a PC or in an app. If the attackers obtain the recovery seed, they can take over the accounts.
The company took down the malicious website with the support of the hosting provider.
“At this moment, the fake Wallet has been taken down by the hosting provider. However, you should remain vigilant and report all suspicious sites. It is possible that this attack method will be used repeatedly in the future.” (Tweet, 5:43 PM - Jul 1, 2018, linking to the Trezor blog post “[PSA] Phishing Alert: Fake Trezor Wallet website”: https://blog.trezor.io/psa-phishing-alert-fake-trezor-wallet-website-3bcfdfc3eced)
At the time, it is not clear whether the attackers stole user funds.
Let’s close with suggestions provided by the company:
So how should I recognize the original Trezor Wallet?
Look for the “Secure” sign in your browser’s address bar. If the certificate is invalid, your browser will warn you, and you should heed the warning. (Make sure you are accessing the correct URL: wallet.trezor.io)
Always verify all operations on your Trezor device. You should only trust the device display and what is written on it. For other sources of information, always maintain a healthy amount of skepticism.
Thirdly, never divulge sensitive or private data to anyone. This includes us at SatoshiLabs. We will never ask you for your recovery seed. Wallet will never ask you for your recovery seed. Only your device may, but it will do so securely.
ZeroFont phishing attack can bypass Office 365 protections
21.6.2018 securityaffairs Phishing
ZeroFont phishing attack – Crooks are using a new technique that involves manipulating font sizes to bypass Office 365 protections.
According to cloud security firm Avanan, one of the detection mechanisms in Office 365 involves natural language processing to identify the content of the messages typically used in malicious emails.
For example, an email mentioning “Apple” or “Microsoft” that is not sent from a legitimate domain, or a message referencing user accounts, password resets or financial requests, is flagged as malicious.
Experts from Avanan discovered phishing campaigns using emails in which some of the content is set to be displayed with zero-size font using <span style="FONT-SIZE: 0px">; for this reason, they dubbed the technique ZeroFont.
“Recently, we have been seeing a number of phishing attacks using a simple strategy to get their blatant email spoofs past Microsoft’s phishing scans. The tactic, which we are calling ZeroFont, involves inserting hidden words with a font size of zero that are invisible to the recipient in order to fool Microsoft’s natural language processing.” reads the analysis published by Avanan.
The email appears normal to the recipient, but Microsoft’s filters also analyze the text that has a font size of “0”.
Summarizing, while the user sees classic phishing content like this:
Microsoft’s filter will see the overall text, including the words written with the “FONT-SIZE: 0px” attribute. This text, of course, doesn’t appear to be malicious content:
“Microsoft can not identify this as a spoofing email because it cannot see the word ‘Microsoft’ in the un-emulated version. Essentially, the ZeroFont attack makes it possible to display one message to the anti-phishing filters and another to the end user,” Avanan’s Yoav Nathaniel said in a blog post.
Natural language processing is essential to prevent phishing attacks, but a technique like ZeroFont demonstrates that attackers can bypass filters with a simple trick.
In the past, other techniques were devised to bypass anti-phishing filters, for example, the Punycode phishing attack, the baseStriker phishing attack, the Unicode phishing attack, and the Hexadecimal Escape Characters phishing attack.
Phishers Use 'ZeroFont' Technique to Bypass Office 365 Protections
20.6.2018 securityweek Phishing
Cybercriminals have been leveraging a technique that involves manipulating font sizes in an effort to increase the chances of their phishing emails bypassing the protections implemented by Microsoft in Office 365.
According to cloud security company Avanan, one of the phishing protections in Office 365 involves natural language processing in order to identify text typically used in fraudulent or malicious emails.
For instance, researchers say the system flags emails mentioning “Apple” or “Microsoft” but not coming from legitimate domains, or messages referencing user accounts, password resets or financial requests.
In recent attacks spotted by Avanan, cybercriminals sent out phishing emails in which some of the content is set to be displayed with zero-size font using <span style="FONT-SIZE: 0px">. The security firm has dubbed this technique ZeroFont.
The email looks normal to the user, but Microsoft’s filters read the entire text, even if it’s displayed with a font size of “0”. The user sees this:
But Microsoft’s systems will analyze the following text, which includes strings that are invisible to the user due to the "FONT-SIZE: 0px" attribute:
“Microsoft can not identify this as a spoofing email because it cannot see the word ‘Microsoft’ in the un-emulated version. Essentially, the ZeroFont attack makes it possible to display one message to the anti-phishing filters and another to the end user,” Avanan’s Yoav Nathaniel said in a blog post.
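Both ZeroFont write-ups above describe a filter that classifies the raw text of the HTML body while the recipient only sees the rendered text. The following Python script is an added example, not code from Avanan or Microsoft: it extracts both views of a constructed sample email, counts zero-size elements as an evasion signal, and runs a toy keyword check standing in for the NLP filter, so that the brand name missing from the raw view reappears in the rendered view. The sample message, the keyword lists and the sender domain are constructed for the demonstration.

```python
"""Render-aware text extraction against ZeroFont-style filter evasion.

Added example (not Avanan's or Microsoft's code). The sample email, the
keyword lists and the sender domain below are constructed for the demo.
"""
import re
from html.parser import HTMLParser

# Inline styles that render text at zero size: "FONT-SIZE: 0px", "font-size:0",
# "font-size: 0pt; color: red". "font-size: 0.5em" and "10px" must not match.
ZERO_FONT_RE = re.compile(
    r"font-size\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|$)", re.IGNORECASE
)

BRAND_WORDS = ("microsoft", "apple")                     # brands the filter watches
LURE_WORDS = ("password", "account", "verify", "reset")  # credential-lure language


def is_zero_font(style):
    """True if an inline style attribute sets a zero font size."""
    return bool(ZERO_FONT_RE.search(style or ""))


class EmailTextExtractor(HTMLParser):
    """Collects two views of an HTML body: the raw text a naive filter sees,
    and the visible text a recipient sees once zero-size elements are dropped."""

    VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "wbr"}
    BLOCK_TAGS = {"p", "div", "br", "li", "tr", "td", "h1", "h2", "h3", "table"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.raw_parts = []
        self.visible_parts = []
        self.hidden_stack = []   # one bool per open element: zero-size or not
        self.zero_font_spans = 0

    def _emit(self, text):
        self.raw_parts.append(text)
        if not any(self.hidden_stack):   # drop text inside any zero-size ancestor
            self.visible_parts.append(text)

    def handle_starttag(self, tag, attrs):
        if tag in self.BLOCK_TAGS:
            self._emit("\n")             # keep words in separate blocks apart
        if tag in self.VOID_TAGS:
            return                       # no matching end tag, so nothing to push
        hidden = is_zero_font(dict(attrs).get("style") or "")
        if hidden:
            self.zero_font_spans += 1
        self.hidden_stack.append(hidden)

    def handle_endtag(self, tag):
        if tag in self.VOID_TAGS:
            return
        if self.hidden_stack:
            self.hidden_stack.pop()
        if tag in self.BLOCK_TAGS:
            self._emit("\n")

    def handle_data(self, data):
        self._emit(data)


def normalize(parts):
    """Collapse whitespace so split words such as 'Mi' + 'crosoft' rejoin."""
    return " ".join("".join(parts).split())


def extract(html):
    """Return raw text, visible text and the number of zero-size elements."""
    parser = EmailTextExtractor()
    parser.feed(html)
    parser.close()
    return {
        "raw": normalize(parser.raw_parts),
        "visible": normalize(parser.visible_parts),
        "zero_font_spans": parser.zero_font_spans,
    }


def looks_like_phish(text, sender_domain):
    """Toy stand-in for the NLP check the articles describe: a brand mention
    from a domain that is not the brand's own, combined with lure language."""
    lowered = text.lower()
    brands = [b for b in BRAND_WORDS if b in lowered]
    lure = any(w in lowered for w in LURE_WORDS)
    from_brand = any(sender_domain.lower().endswith(b + ".com") for b in brands)
    return bool(brands) and not from_brand and lure


def classify(html, sender_domain):
    """Defensive verdict: score the rendered text, and treat any zero-size
    element in a message as an additional evasion signal."""
    views = extract(html)
    return {
        "naive_verdict": looks_like_phish(views["raw"], sender_domain),
        "rendered_verdict": looks_like_phish(views["visible"], sender_domain),
        "zero_font_evasion": views["zero_font_spans"] > 0,
    }


# Constructed sample: brand and lure words are broken up with zero-size spans,
# and a hidden benign sentence is added to dilute the raw text.
SAMPLE_HTML = """<html><body>
<p>Dear user,</p>
<p>Your Mi<span style="FONT-SIZE: 0px">zq</span>crosoft
acc<span style="font-size:0">xv</span>ount password will expire.
<span style="FONT-SIZE: 0px">Quarterly newsletter: team lunch photos.</span>
Please <a href="http://example.invalid/verify">verify</a> now.</p>
</body></html>"""
SENDER_DOMAIN = "mail.example.invalid"   # constructed; not the brand's domain

if __name__ == "__main__":
    views = extract(SAMPLE_HTML)
    print("raw     :", views["raw"])
    print("visible :", views["visible"])
    print(classify(SAMPLE_HTML, SENDER_DOMAIN))
```

Run on the sample, the raw view reads “Mizqcrosoft accxvount” and passes the keyword check, while the rendered view reads “Microsoft account” and is flagged, with three zero-size spans reported as the evasion signal.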
Last month, Avanan reported that cybercriminals had been splitting malicious URLs in an effort to bypass the Safe Links security feature in Office 365.
Spam and phishing in Q1 2018
27.5.2018 Kaspersky Analysis Phishing
Early 2018 will be remembered for a series of data leak scandals. The most high-profile saw Facebook CEO Mark Zuckerberg grilled by US Congress, with many public figures supporting the Delete Facebook campaign. As a result, Zuckerberg promised to get tough and make it more difficult to harvest data from third-party apps.
But the buck doesn’t stop entirely with the tech giants—personal data often ends up in cybercriminal hands due to user carelessness. Some techniques may be timeworn, but one in particular still reels in the victims: Facebook users are one of the juiciest targets for cyberfraudsters looking to launch mass phishing attacks. Last year Facebook was one of the Top 3 most exploited company names. The schemes are numerous, but fairly standard: the user is asked to “verify” an account or lured into signing into a phishing site on the promise of interesting content.
Examples of phishing pages mimicking Facebook login
Fake pages such as these exist in all languages supported by the social media. Sometimes the correct localization is selected automatically based on the victim’s IP address.
Example of code used by cybercriminals to determine the victim’s location and adapt the phishing page
Data often falls into the hands of cybercriminals through third-party apps to which users themselves grant access to their accounts, sometimes even allowing them to post messages on their behalf.
In early March, for instance, several hundred VKontakte users were hit when third parties gained access to their private correspondence. This happened as a result of apps using the social network’s open API to request access to personal data without guaranteeing its safe storage and use.
In the headline-grabbing case of Cambridge Analytica’s This Is Your Digital Life app, users also handed over personal information voluntarily. Carelessness is the culprit: many people are unaware of just how much data they give away in personality quizzes.
Social media quizzes often ask for a lot of user data.
Remember that cybercriminals often use social media to spread malicious content. For example, we wrote about fake airline giveaways, adult video spam, and even an Alberto Suárez phishing petition.
Another major personal data story was the appearance in Russia of the GetContact app for smartphones, which not only tells users who’s calling, but shows the names under which their contacts are saved in other app users’ phone books. For this, the program needs to be fed not just the user’s own data, but the entire address book (photos, email addresses, even conversation history). That earned GetContact a ban in several countries (even before it appeared in Russia).
Telegram, ICOs, cryptocurrencies
In Q1 a battle royale broke out over the Telegram messenger. It all began late last year with talk of an upcoming ICO. That provided the backdrop for cybercriminals to create fake sites, which by the end of Q1 had allegedly raked in as much as the company’s rumored private ICO.
Fake site offering the chance to participate in the Telegram ICO
That was followed by a wave of phishing mailshots to owners of major Russian channels in Telegram. An account under the name Telegram (or something similar) sent a message informing potential victims that suspicious activity had been detected on their account and that confirmation was required to avoid having it blocked. A link was provided to a phishing site masquerading as the login page for the web version of Telegram.
Phishing site mimicking the web version of the Telegram app
If the victim agreed to fill out the form, the cybercriminals gained access to their account, plus the ability to link it to another phone number.
Another spike in scamming activity was recorded when the Internet was buzzing about the imminent takedown of the messenger in Russia. And when the messenger suffered a power outage in a server cluster, it was widely perceived as the start of the ban. Replying to Pavel Durov’s tweet about the malfunction, enterprising cybercriminals offered compensation on his behalf in cryptocurrency. To claim it, users had to follow a link to a site where they were asked to transfer a sum of money to a specified wallet number to receive their “compensation.”
But Telegram does not have a monopoly over the cryptocurrency topic this quarter. We repeatedly encountered phishing sites and email messages exploiting the launch of new ICOs. Cryptocurrency scams often bring in millions of dollars, which explains why cybercriminals are so fond of them.
For instance, on January 31–February 2 the Bee Token startup held an ICO for which participants had to register in advance on the project website, specifying their email address. Cybercriminals managed to get hold of a list of email addresses of potential investors and send out a timely invitation containing e-wallet details for making Ethereum-based investments.
Phishing email supposedly sent from the ICO organizers
123.3275 ether were transferred to this wallet (around $84,162.37). Fraudsters also set up several phishing sites under the guise of the platform’s official site.
A similar scam occurred with the Buzzcoin ICO. The project website invited users to subscribe to a newsletter by leaving an email address. The day before the official ICO start, subscribers received a fraudulent message about the start of pre-sales with a list of cryptowallets to which money should be transferred.
Phishing email supposedly sent from the ICO organizers
Cybercriminals scooped about $15,000 before the organizers took action.
One measure that addresses user safety is the General Data Protection Regulation (GDPR), a general policy on the protection and privacy of individuals. This EU regulation has a direct bearing on all companies that process data belonging to EU residents, and therefore has an international scope. The GDPR becomes enforceable on May 25 this year and stipulates large fines (up to EUR 20 million or 4% of annual revenue) for companies whose information activity does not comply with the regulation.
Such a landmark event in the IT world could hardly fail to attract cybercriminals, and in recent months (since the end of last year) we have registered a large number of spam emails related one way or another to the GDPR. It is generally B2B spam—mostly invitations to paid seminars, webinars, and workshops promising to explain the ins and outs of the new regulation and its ramifications for business.
We also came across spam offers to install on the target company’s main website or landing page special fee-based software providing web resources with everything necessary to comply with the new rules. Moreover, the site owner would supposedly be insured against problems relating to user data security.
Spam traffic also contained offers to acquire ready-made specialized databases of individuals and legal entities broken down by business division or other criteria. The sellers had no scruples about stressing that all addresses and contacts for sale were already GDPR-compliant. In fact, harvesting user data and reselling it to third parties without the consent of the owners and data carriers violates not only this regulation, but also the law in general.
Example of a spam message exploiting the GDPR topic
Note that legitimate mailers also became more active. They are already sending notices to users describing the new rules and asking for consent to use and process their data under the new policy. When the new regulation enters into force, the number of such notices will skyrocket, so we predict a surge in scam mailings aimed at obtaining personal info and authentication data for access to various accounts. We urge users to pay close attention to the new regulation and carefully study any notifications related to it. Links should be checked before clicking: they should not contain redirects to third-party sites or domains unrelated to the service on whose behalf the message was sent.
In the runup to the Russian presidential elections, we observed a range of political spam, including messages promoting or slurring various candidates. The election topic was used for fraud: cybercriminals sent email messages offering a financial reward for taking part in public opinion polls, as a result of which money ended up being transferred in the opposite direction.
Example of a message inviting recipients to take part in a poll
Phishing for taxpayers
Every country has its own tax year, but as a rule the most active period for dealing with tax services comes at the start of the year. In Q1 we registered many phishing pages mimicking the IRS, HMRC, and other countries’ tax services.
Fake tax service websites
Back in Q1 2017 we wrote about a mailout disguised as a resume concealing a malicious file from the Fareit Trojan spyware family. The same quarter 2018, cybercriminals attempted to infect users’ computers with the Smoke Loader backdoor, also known as Dofoil. Its toolbox includes downloading and installing malware such as cryptocurrency miners, banking Trojans, and ransomware. Smoke Loader could also disable some antivirus software and hide from detection by integrating itself into system processes.
The text of the malicious mailshot varied, with some messages imitating the business correspondence of real company employees. To open the password-protected DOC attachment, the user had to enter the password specified in the message, which triggered a request to enable macros (disabled by default); confirmation proved fatal for message recipients. We observed a trend for password-protected malicious attachments in Q1 2018: such protection hinders detection and increases the chances that the message will reach the recipient.
Examples of emails with malicious attachments
Another long-established social engineering method exploits user fears of infection, data leakage, access denial, and other bugbears. In Q1, this old trick was used to dupe users into parting with cryptocurrency. Most messages tried to scare recipients by reporting that malware was installed on their computer and that personal info (lists of contacts, monitor screenshots, webcam videos, etc.) was compromised. If the scammers didn’t receive a hush payment, it was said, the harvested information would be sent to all the victim’s contacts.
Example of a message with a ransom demand in exchange for not publicizing the victim’s personal data
Some messages from cybercriminals tried not only to extract money, but to install malware on recipients’ computers. The malware was located in a protected archive attachment that the attackers claimed was proof that they had the victim’s data.
Malware under the guise of proving cybercriminal intent
Proportion of spam in email traffic
Proportion of spam in global email traffic, Q4 2017 and Q1 2018
In Q1 2018, the largest share of spam was recorded in January (54.50%). The average share of spam in global email traffic was 51.82%, down 4.63 p.p. against the figure for Q4 2017.
Sources of spam by country
Sources of spam by country, Q1 2018
Q1 2018 results put Vietnam (9.22%) top of the leaderboard of spam sources by country. In second place, just 0.64 p.p. behind, came the US (8.55%). The rating’s frequent leader China (7.87%) slipped to third, while India (7.10%) and Germany (6.35%) claimed fourth and fifth. The Top 10 is rounded off by Iran (2.51%).
Spam email size
Spam email size, Q4 2017 and Q1 2018
In Q1 2018, the share of very small emails (up to 2 KB) in spam increased by 19.79 p.p. to 81.62%. Meanwhile, the proportion of emails between 5 and 10 KB in size fell (by 6.05 p.p.) against the previous quarter to 4.11%.
The number of emails between 10 and 20 KB also decreased (by 4.91 p.p.). Likewise, there were fewer emails sized 20 to 50 KB—this quarter they made up just 2.72% of the total, which represents a drop of 6.81 p.p. compared to the previous reporting period.
Malicious attachments in email
Top 10 malware families
Top 10 malware families, Q1 2018
The most widespread malware family in email traffic this quarter was Trojan-PSW.Win32.Fareit (7.01%), with Backdoor.Java.QRat (6.71%) and Worm.Win32.WBVB (5.75%) completing the Top 3. Fourth place went to Backdoor.Win32.Androm (4.41%), and Trojan.PDF.Badur (3.56%) rounds off the Top 5.
Countries targeted by malicious mailshots
Distribution of Mail Anti-Virus triggers by country, Q1 2018
Germany (14.67%) was this quarter’s leader by number of Mail Anti-Virus triggers, followed by Russia on 6.37% and Britain with a score of 5.43%. Fourth and fifth positions were occupied by Italy (5.40%) and the UAE (4.30%).
In Q1 2018, the Anti-Phishing module prevented 90,245,060 attempts to direct users to scam websites. The share of unique users attacked made up 9.6% of all users of Kaspersky Lab products worldwide.
Geography of attacks
The country with the largest percentage of users affected by phishing attacks in Q1 2018 was Brazil (19.07%, -1.72 p.p.).
Geography of phishing attacks*, Q1 2018
* Number of users on whose computers Anti-Phishing was triggered as a percentage of the total number of Kaspersky Lab users in that country
Second came Argentina (13.30%), and third place was taken by Venezuela (12.90%). Fourth and fifth went to Albania (12.56%) and Bolivia (12.32%).
Top 10 countries by percentage of users attacked by phishers
Organizations under attack
Rating of categories of organizations attacked by phishers
The rating of attacks by phishers on different categories of organizations is based on detections by Kaspersky Lab’s heuristic Anti-Phishing component. It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat.
In Q1 2018, the Global Internet Portals category again took first place with 23.7% (-2.56 p.p.).
Distribution of organizations affected by phishing attacks by category, Q1 2018
However, the combined financial category—banks (18.25%), online stores (17.26%), payment systems (8.41%)—still accounted for almost half of all attacks (43.92%), which is up 4.46 p.p. against the previous quarter. The next categories in descending order were Government Organizations (4.75%), Social Networks and Blogs (4.11%), Telecommunications Companies (2.47%), IT Companies (1.55%), Messengers (0.66%), Online Games (0.43%), and Airlines (0.07%).
The quarter’s main topic, one that we will likely return to many times this year, is personal data. It remains one of the most sought-after wares in the world of information technology for app and service developers, owners of various agencies, and, of course, cybercriminals. Unfortunately, many users still fail to grasp the need to protect their personal information and don’t pay attention to whom and how their data is transferred in social media.
Cybercriminal interest in personal data is confirmed by our analysis of spam traffic, where one of the main topics remains mail phishing employing a range of social and technical engineering methods. Throughout the quarter, we observed fake notifications on behalf of social media and popular services, bank phishing, and “Nigerian prince” emails.
The GDPR, set to come on stream in late May, is intended to correct the situation regarding personal data, at least in the EU. Time will tell how effective it is. But one thing is clear: even before its introduction, the new regulation is being actively exploited as a topic by cybercriminals and many others. Regrettably, the GDPR is unlikely to fix the situation.
In Q1 2018, the average share of spam in global email traffic was 51.82%, down 4.63 p.p. against Q4 2017; the Anti-Phishing module blocked 90,245,060 attempts to direct users to fraudulent pages; and Brazil (19.07%, -1.72 p.p.) had the largest share of users attacked by phishers.
Based on the quarter results, it is safe to predict that scammers will continue to exploit “fashionable” topics, two of which are cryptocurrencies and new ICOs. Given that these topics have begun to attract interest from the general public, a successful attack can reap vast rewards.