Ughh. FBI’s Vetted Threat Sharing Network ‘InfraGard’ Hacked

Investigative reporter Brian Krebs reported on December 13, 2022, that “InfraGard, a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat information sharing partnerships with the private sector, this week saw its database of contact information on more than 80,000 members go up for sale on an English-language cybercrime forum. Meanwhile, the hackers responsible are communicating directly with members through the InfraGard portal online — using a new account under the assumed identity of a financial industry CEO that was vetted by the FBI itself.”

Here is another extract from Krebs:

“On Dec. 10, 2022, the relatively new cybercrime forum Breached featured a bombshell new sales thread: The user database for InfraGard, including names and contact information for tens of thousands of InfraGard members.

The FBI’s InfraGard program is supposed to be a vetted Who’s Who of key people in private sector roles involving both cyber and physical security at companies that manage most of the nation’s critical infrastructures — including drinking water and power utilities, communications and financial services firms, transportation and manufacturing companies, healthcare providers, and nuclear energy firms.

“InfraGard connects critical infrastructure owners, operators, and stakeholders with the FBI to provide education, networking, and information-sharing on security threats and risks,” the FBI’s InfraGard fact sheet reads.

In response to information shared by KrebsOnSecurity, the FBI said it is aware of a potential false account associated with the InfraGard Portal and that it is actively looking into the matter.

“This is an ongoing situation, and we are not able to provide any additional information at this time,” the FBI said in a written statement.

KrebsOnSecurity contacted the seller of the InfraGard database, a Breached forum member who uses the handle “USDoD” and whose avatar is the seal of the U.S. Department of Defense.”



Scammer Group Uses Business Email Compromise to Impersonate European Investment Portals

A sophisticated scammer group has stolen at least €480 million from victims in France, Belgium, and Luxembourg since 2018, according to researchers at Group-IB. The gang uses a highly detailed scam kit called “CryptosLabs,” which impersonates investment portals from more than forty major European financial entities.

“Right out of the block, the victims are promised high returns on their capital,” the researchers write. “To find the ‘investors’ scammers leave messages on the dedicated investment forums or use legitimate advertising mechanisms on social media and search engines to promote the scheme. To appear trustworthy, such ads feature logos of notable banking, fin-tech, crypto, and asset management companies active in France, Belgium, and Luxembourg.”

After clicking on one of the scammers’ ads, the user will be taken to a webpage where they’ll be asked to enter their contact details.

“Interestingly, the victim doesn’t get immediate access to a fake investment platform. The scammers’ call center verifies the information to identify the most likely targets. Masquerading as personal managers of investment divisions of the companies that victims saw on the social media ads, call-center operators reach out to the victims to clarify further steps, explain how the platform works, and provide credentials to start trading.”

The scammers go to a great deal of effort to interact with their victims professionally, convincing them to continue investing money. The scam kit even shows phony growth charts on the victims’ investments.

“After successfully logging into an investment portal the victim sees multiple made-up graphs and charts all indicating sky-high returns and growth stocks,” the researchers write. “After some time, the victim is contacted by a ‘personal manager’ again to sign a fake engagement document and make a €200-300 deposit to activate the account. Once the victim pays, the money goes straight into the scammers’ pockets. The victim is finally granted full access to a branded fake trading platform. Those who make it that far can see the account balance and multiple juicy investment opportunities in stocks, crypto, NFTs, and contact their ‘personal manager’ at their convenience. Some panels seen by Group-IB offer victims up to 17 different investment strategies. The fake platform does everything to keep the victims happy by showing them made-up exponential growth curves and encouraging them to deposit more funds to multiply their investments.”


Incident Response Actions are Systematically Reversed by Hackers to Maintain Persistence

Analysis of attacks on two cellular carriers has identified threat actor actions designed to undo mitigations taken by security teams mid-attack.

We’d like to think that the attacker’s only move in a game of cyberattack chess is “attack,” and that once you begin to mitigate the intrusion, lateral movement, modification of user accounts, etc., the threat actor just gives up and you win. But new analysis of several attacks by security vendor CrowdStrike shows that while your team is busy trying to undo everything attackers have done to facilitate their access, they are equally busy either reversing your actions or setting up additional means of entry, privilege, and access.

According to the analysis, CrowdStrike observed the following activity mid-attack when response actions weren’t taken swiftly:

  • Setup of additional VPN access
  • Setup of multiple RMM tools
  • Re-enabling of accounts disabled by security teams

It’s just like chess; you make a move and your adversary makes another.

There are two takeaways from this story:

  • Response actions need to be swift; you need to cut off attacker access quickly and effectively
  • Based on the initial attack vectors, mostly social engineering designed to harvest credentials, Security Awareness Training for every user is needed to keep users vigilant whether they’re using email, the phone, or the Internet.
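
Two of the behaviours in the list above, an account coming back to life after the response team disabled it and a new remote-access service appearing after containment began, are both visible in ordinary Windows event logs. The following example was added for this page (it is not CrowdStrike’s code) and runs that check over a handful of constructed events. Event IDs 4725, 4722 and 7045 are the real Windows IDs for “account disabled”, “account enabled” and “service installed”; the IR account names, the RMM product list, the six-hour window and the sample events are assumptions made for the example.

```python
"""Spot attackers undoing containment: accounts re-enabled after IR disabled them,
and new remote-access (RMM) services appearing after containment began."""
from datetime import datetime, timedelta

# Hypothetical environment details (not from the CrowdStrike analysis): the accounts
# the response team uses, a short list of RMM product names, and how long after an
# IR disable a re-enable by anyone else is treated as suspicious.
IR_OPERATORS = {"ir-analyst1", "ir-analyst2"}
RMM_KEYWORDS = ("anydesk", "teamviewer", "atera", "splashtop",
                "screenconnect", "connectwise", "rustdesk")
REENABLE_WINDOW = timedelta(hours=6)

# Windows Security / System event IDs used below.
USER_DISABLED, USER_ENABLED, SERVICE_INSTALLED = 4725, 4722, 7045

# Constructed sample events in a simplified normalized form: host, subject (who acted),
# target (account acted on). Not real telemetry.
SAMPLE_EVENTS = [
    {"time": "2022-12-05T09:00:00", "event_id": 4725, "host": "DC01",
     "subject": "ir-analyst1", "target": "svc-backup"},
    {"time": "2022-12-05T09:05:00", "event_id": 4725, "host": "DC01",
     "subject": "ir-analyst1", "target": "jsmith"},
    # Attacker, holding harvested helpdesk credentials, re-enables the account IR just disabled.
    {"time": "2022-12-05T09:40:00", "event_id": 4722, "host": "DC01",
     "subject": "svc-helpdesk", "target": "jsmith"},
    # ...and installs a second remote-access tool on a workstation.
    {"time": "2022-12-05T10:10:00", "event_id": 7045, "host": "WS-FIN-07",
     "subject": "jsmith", "service_name": "AnyDesk Service",
     "image_path": r"C:\ProgramData\AnyDesk\AnyDesk.exe"},
    # Legitimate: IR re-enables a service account after cleaning it up.
    {"time": "2022-12-05T11:00:00", "event_id": 4722, "host": "DC01",
     "subject": "ir-analyst2", "target": "svc-backup"},
    # Unrelated: HR enables an account IR never touched.
    {"time": "2022-12-05T12:00:00", "event_id": 4722, "host": "DC01",
     "subject": "hr-admin", "target": "contractor3"},
    # Benign service install after containment began.
    {"time": "2022-12-06T08:00:00", "event_id": 7045, "host": "WS-FIN-07",
     "subject": "SYSTEM", "service_name": "gupdate",
     "image_path": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"},
]


def find_reversals(events):
    """Return alert tuples for containment actions that were undone or side-stepped."""
    events = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    alerts = []
    disabled_by_ir = {}          # account -> when an IR operator disabled it
    containment_started = None   # time of the first IR containment action seen
    for e in events:
        ts = datetime.fromisoformat(e["time"])
        eid = e["event_id"]
        if eid == USER_DISABLED and e["subject"] in IR_OPERATORS:
            disabled_by_ir[e["target"]] = ts
            containment_started = containment_started or ts
        elif eid == USER_ENABLED:
            disabled_at = disabled_by_ir.get(e["target"])
            if (disabled_at is not None
                    and e["subject"] not in IR_OPERATORS
                    and ts - disabled_at <= REENABLE_WINDOW):
                alerts.append(("REENABLED_AFTER_IR_DISABLE",
                               e["target"], e["subject"], e["host"]))
        elif eid == SERVICE_INSTALLED and containment_started and ts >= containment_started:
            haystack = f'{e.get("service_name", "")} {e.get("image_path", "")}'.lower()
            if any(k in haystack for k in RMM_KEYWORDS):
                alerts.append(("RMM_SERVICE_AFTER_CONTAINMENT",
                               e["service_name"], e["subject"], e["host"]))
    return alerts


def run_sample():
    return find_reversals(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(*alert)
```

The rule flags any non-IR re-enable inside the window rather than trying to tell good administrators from bad ones, because the initial access in these cases was harvested credentials, so the attacker’s re-enable looks like a legitimate helpdesk action. An attacker who has captured an IR operator’s own credentials would pass this check entirely, which is one more reason to cut off access before starting the clean-up rather than during it.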

Archives Overtake Office Documents as the Most Popular File Type to Deliver Malware

Taking the lead over the use of Word, Excel, PDF, and other office-type documents in attacks, new data shows that files like ZIP and RAR have grown in popularity by 11% last quarter.

For years, we’ve seen attackers take advantage of the scripting functionality found in document formats (e.g., VBA macros in Office files and JavaScript support in PDFs) to enable the download and execution of malicious content. But it was inevitable that attackers would move on: with so many security sources being vocal about disabling macros and scripting, attackers had to find a new way to sneak their malicious content in via email.

According to HP Wolf Security’s Q3 Threat Insights Report, archive files now represent 44% of the files used to deliver malware, overtaking Office documents, which were found in only 32% of attacks. Attackers are leveraging the inability of security solutions to open archives (especially those protected with a password that is supplied as part of the phishing lure) to hide the true intent of the attachment.
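
What a gateway can still do with a password-protected archive is read its central directory: in standard ZIP encryption only the file data is encrypted, so entry names, sizes and the encryption flag are visible without the password, and a lure named “Invoice.pdf.exe” gives itself away even when it cannot be scanned. The following example was added for this page (it is not from the HP report); it builds two constructed attachments in memory and triages them from the directory alone. The risky-extension list and the block/detonate/hold decisions are assumptions made for the example.

```python
"""Triage a ZIP attachment from its central directory, without extracting it."""
import io
import zipfile

# File types an email gateway should not deliver inside an archive without
# detonation. Assumed list for this example; tune it for your environment.
RISKY_EXTENSIONS = {
    ".exe", ".scr", ".dll", ".com", ".js", ".jse", ".vbs", ".vbe", ".wsf",
    ".hta", ".bat", ".cmd", ".ps1", ".lnk", ".iso", ".img", ".vhd", ".vhdx",
}


def build_sample_zip(members, encrypted=False):
    """Build a constructed sample ZIP in memory.

    zipfile cannot write password-protected archives, so for the encrypted case
    we set bit 0 of the general-purpose flag in every local header (offset 6)
    and central-directory record (offset 8). The payload bytes are not really
    encrypted, but a header-only inspector sees exactly what it would see on a
    real password-protected attachment.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if encrypted:
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(signature)
            while pos != -1:
                raw[pos + flag_offset] |= 0x01
                pos = raw.find(signature, pos + 4)
    return bytes(raw)


def inspect_zip(data):
    """Return (encrypted, risky_names) using only the central directory.

    Nothing is decompressed or decrypted: with standard ZIP encryption the entry
    names, sizes and the encryption flag are stored in the clear.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    encrypted = any(info.flag_bits & 0x01 for info in infos)
    risky = []
    for info in infos:
        if info.is_dir():
            continue
        name = info.filename
        # Last extension wins, so "Invoice.pdf.exe" and padded names still match.
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            risky.append(name)
    return encrypted, risky


def triage(data):
    """Map the inspection result to a gateway decision (assumed policy)."""
    encrypted, risky = inspect_zip(data)
    if risky and encrypted:
        return "block"      # executable content the scanner cannot inspect
    if risky:
        return "detonate"   # scannable: sandbox it before delivery
    if encrypted:
        return "hold"       # opaque, no obvious payload name: needs a human or the password
    return "scan"


# Constructed attachments (not from the HP report): a double-extension lure inside a
# password-protected archive, and a benign report inside a plain one.
LURE = build_sample_zip({"Invoice_2211.pdf.exe": b"MZ\x90\x00placeholder"}, encrypted=True)
BENIGN = build_sample_zip({"Q3_report.pdf": b"%PDF-1.7 placeholder"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE), ("benign", BENIGN)):
        print(label, inspect_zip(blob), triage(blob))
```

Two caveats. Archivers can also encrypt the listing itself (7-Zip’s -mhe=on, RAR’s -hp), at which point even the names are gone and the attachment should be treated as opaque. And a clean-looking listing is a missing signal, not proof of safety; the archive still goes through whatever scanning can be applied once it is opened.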

Additionally, according to the report, attackers are focusing more energy on improving their social engineering, brand impersonation, and their use of built-in OS capabilities (instead of downloading malicious tools) to improve their chances of a successful attack.

All this adds up to more phishing attacks, craftier scams, and more victims falling prey because they aren’t interacting with email with a sense of vigilance – something taught through Security Awareness Training – to ensure that every time an unsolicited email is received, it’s scrutinized by the recipient as being malicious first until proven otherwise.


Cyber Insurers Focus on Catastrophic Attacks and Required Minimum Defenses as Premiums Double

Recent attacks are helping cyber insurers better understand what security strategies need to be in place and how to price policies based on the risk those policies cover.

Remember, insurance companies of all kinds are in business to stay in business. That means that while they are willing to share the risk with your organization, they’re not in the business of just paying out on a claim without a fight. And because that’s not a good look for cyber insurers, it makes more sense for them to be proactive and do one or more of the following:

  • Help to reduce the risk of attack by establishing what cyber defenses must be in place
  • Price policies across the board correctly so there’s enough revenue coming in to cover the percentage of claims that should be paid
  • Limit what attack scenarios are covered, sometimes as specifically as the kind of attack, the role of the attacker, the role of internal employees in the attack, etc.

According to a recent Wall Street Journal article on the subject, cyber insurers are getting really smart at limiting their risk. With premiums rising by 92% in 2021, according to reinsurance company Swiss Re, the focus now is on the impact an attack could have on, say, a supplier that could impact millions of people, evaluating which cloud providers the insured use, and possibly requiring insureds to hold capital in reserve for worst-case scenarios.

In other words, cyber insurers are better understanding the nature of cyber risk. While news of premiums hiking significantly isn’t pleasing, in the end, it may be a necessary step until there’s enough significant data on attacks for insurers to determine what the risk reality looks like.

Until then, it’s up to organizations to continue to put up strong cyber defenses designed to keep attackers from succeeding – something that should include Security Awareness Training as part of the strategy.


New Threat Group Already Evolves Delivery Tactics to Include Google Ads

Delivering an equally new Royal ransomware, this threat group monitored by Microsoft Security Threat Intelligence has already shown signs of impressive innovation to trick victims.

Microsoft keeps track of new threat groups, giving them a DEV-#### designation until there is confidence about who is behind the group. In the case of DEV-0569, the group uses malvertising and malicious phishing links that point to a malware downloader disguised as a legitimate software installer or software update, using spam emails, fake forum pages, and blog comments as initial contact points with potential victims.

According to Microsoft, the group has expanded its social engineering techniques to improve their delivery of malware, including delivering phishing links via contact forms on the targeted organizations’ website and hosting fake installer files on legitimate-looking software download sites and legitimate repositories to make malicious downloads look authentic to their targets.

Take the example Microsoft published, in which the threat group hosted its malicious downloader, known as BATLOADER, on a site that appears to be a TeamViewer download site.

[Screenshot: fake TeamViewer download page hosting BATLOADER. Source: Microsoft]

Microsoft has also noted the expansion of the group’s malvertising technique to include Google Ads in one of its campaigns, establishing legitimacy and blending in with normal ad traffic.

This level of innovation shows that threat actors are stepping up their game to establish legitimacy in any way possible – including paying for ads – so that victims’ defenses are down. It’s all the more reason for organizations to educate their users through Security Awareness Training to always be watchful, even in situations where everything seems “normal,” as that legitimate search query on Google could result in enabling malicious activity.


Inside NATO’s Efforts To Plan For A Future Cyberwar

Maggie Miller at Politico had the scoop: “TALLINN, Estonia — Some 150 NATO cybersecurity experts assembled in an unimposing beige building in the heart of Estonia’s snow-covered capital this week to prepare for a cyberwar.

It’s a scenario that has become all too real for NATO member states and their allies since the Russian invasion of Ukraine. The conflict has forced Ukraine to defend against both missile attacks and constant efforts by Russian hackers intent on turning off the lights and making life more difficult for their besieged neighbors.

“There is a level of seriousness added; it’s not anymore so fictitious. It has become quite obvious those things are happening in reality,” Col. Bernd Hansen, branch head for Cyberspace at NATO Allied Command Transformation, said of the impact of the conflict in Ukraine.

NATO’s cyber forces have been watching the war in Ukraine closely, both to find ways to help Ukraine and to figure out how to make it harder for Russia and other adversaries to hack into infrastructure in NATO member states and their allies.

The conflict has added urgency to NATO’s annual Cyber Coalition exercise, in which more than 40 member states, allies and other organizations work together to respond to, and recover from, simulated cyberattacks on critical infrastructures like power grids and ships. The exercise spanned the globe, with nearly 1,000 cyber professionals participating remotely from their home countries.” The rest of this revealing article is at Politico.


Credential Phishing with Apple Gift Card Lures

A phishing campaign is impersonating Apple and informing the user that their Apple account has been suspended due to an invalid payment method, according to researchers at Armorblox.

“Attackers crafted the targeted email in order to convince recipients that they were receiving a legitimate email communication from the brand Apple, Inc.,” the researchers write. “With the subject of the email reading: We’ve suspended your access to apple services, it is clear the attacker’s intention was to establish a sense of urgency in order for the email to be opened. Once opened, unsuspecting victims were met with minimalist email (black with white text) informing recipients that validation of the card associated with his or her apple account failed to validate. The consequence was clear – access to services that use the account would be lost.”

The link in the email will take the user to a spoofed login page designed to steal their credentials.

“The goal of the targeted email was to get victims to go to a fake landing page created in order to exfiltrate sensitive user credentials,” the researchers write. “The information included and language used within the email aims to lead victims to click the main call-to-action (login now) located at the bottom of the email. Once clicked, victims were directed to a fake landing page, which was crafted to mimic a legitimate Captcha security check landing page.”

The researchers note that while the emails bypassed security filters, observant users could recognize this scam by looking at the URL (bachemad[.]com).

“The email was sent from a valid domain,” Armorblox says. “Traditional security training advises looking at email domains before responding for any clear signs of fraud. However, in this case a quick scan of the domain address would not have alerted the end user of fraudulent activity because of the domain’s validity.”

New-school security awareness training can enable your employees to thwart phishing and other social engineering attacks.
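
The check the Armorblox researchers describe, comparing where the email actually links to against the brand it claims to be from, is mechanical enough to automate at the gateway. The following example was added for this page (it is not Armorblox’s code); it parses a constructed copy of such a message and reports every link whose registrable domain is not one of the brand’s own. The landing-page host bachemad.com comes from the report as quoted above; the sender address, the message wording and the apple.com/icloud.com allowlist are assumptions made for the example.

```python
"""Check whether the links in a brand-themed email actually go to that brand."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the registrable domains a genuine Apple notice links to.
BRAND_DOMAINS = {"apple": {"apple.com", "icloud.com"}}

# Constructed message modelled on the lure Armorblox describes. The landing-page host
# (bachemad.com) is the one named in the report; the sender address is invented and
# deliberately uses an unremarkable domain, since the report says the sender domain
# itself gave nothing away.
SAMPLE_EMAIL = """\
From: Apple Support <notice@example.net>
To: victim@example.com
Subject: We've suspended your access to apple services
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body style="background:#000;color:#fff">
<p>Validation of the card associated with your Apple account failed.</p>
<p>Access to services that use this account will be lost.</p>
<p><a href="https://bachemad.com/captcha/verify?id=8823">login now</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Fine for .com; use the Public Suffix List in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze(raw_message):
    """Return (sender_domain, brands_claimed, mismatched_links).

    A link is mismatched when the message invokes a brand (in subject or body) but
    the link's registrable domain is not one the brand actually uses.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender_domain = registrable_domain(msg["from"].addresses[0].domain)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    haystack = f"{msg['subject'] or ''} {text}".lower()
    claimed = sorted(brand for brand in BRAND_DOMAINS if brand in haystack)
    collector = LinkCollector()
    collector.feed(text)
    mismatched = []
    for href in collector.links:
        dom = registrable_domain(urlparse(href).hostname or "")
        for brand in claimed:
            if dom not in BRAND_DOMAINS[brand]:
                mismatched.append((brand, href, dom))
    return sender_domain, claimed, mismatched


if __name__ == "__main__":
    sender, brands, bad_links = analyze(SAMPLE_EMAIL)
    print("sender domain:", sender)
    print("brands invoked:", brands)
    for brand, href, dom in bad_links:
        print(f"claims {brand} but links to {dom}: {href}")
```

The sender domain comes back looking ordinary, which is the researchers’ point: a from-address check passes and the link-destination check does not. The two-label domain reduction is deliberately crude and needs the Public Suffix List before it handles co.uk-style suffixes correctly.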


Spoofing-as-a-Service Site Taken Down

Law enforcement authorities across Europe, Australia, the United States, Ukraine, and Canada have taken down a popular website used by cybercriminals to impersonate major corporations in voice phishing (vishing) attacks. The website, called “iSpoof,” allowed scammers to pay for spoofed phone numbers so they could appear to be calling from legitimate organizations.

According to Europol, which coordinated the operation, users of the website are believed to have scammed victims around the world out of more than €115 million (approximately US$120 million).

“The services of the website allowed those who sign up and pay for the service to anonymously make spoofed calls, send recorded messages, and intercept one-time passwords,” Europol says. “The users were able to impersonate an infinite number of entities (such as banks, retail companies and government institutions) for financial gain and substantial losses to victims. The investigations showed that the website has earned over EUR 3.7 million in 16 months.”

As a result of the operation, 142 users and administrators of the site were arrested in November. More than 100 of these, including iSpoof’s main administrator, were arrested in the UK. London’s Metropolitan Police Commissioner Sir Mark Rowley stated that online fraud should be a major priority for law enforcement.

“The exploitation of technology by organised criminals is one of the greatest challenges for law enforcement in the 21st century,” Rowley said. “Together with the support of partners across UK policing and internationally, we are reinventing the way fraud is investigated. The Met is targeting the criminals at the centre of these illicit webs that cause misery to thousands. By taking away the tools and systems that have enabled fraudsters to cheat innocent people at scale, this operation shows how we are determined to target corrupt individuals intent on exploiting often vulnerable people.”

New-school security awareness training can enable your employees to thwart social engineering attacks.

Europol has the story.


Beware of Holiday Gift Card Scams

Every holiday season brings on an increase in gift card scams. Most people love to buy and use gift cards. They are convenient, easy to buy, easy to use, easy to gift, usually allow the receiver to pick just what they want, and are often received as a reward for doing something. The gift card market is estimated in the many hundreds of BILLIONS of dollars. Who doesn’t like to get a free gift card?

Unfortunately, scammers often use gift cards as a way to steal value from their victims. There are dozens of ways gift cards can be used by scammers to steal money, but here are the top three:

You Need to Pay a Bill Using Gift Cards

A very common scam is someone contacting a potential victim, often using a voice-based telephone call (but it can also be done via text message or email), saying either that the victim’s regular payment to some trusted service has been declined or that there is a new emergency charge. A good example of the former is a scammer calling and posing as the victim’s electric company. They will say that the victim’s regular electricity payment was declined and that the victim’s electricity will be cut off in hours unless they go to the store and pay the bill using gift cards. Who would pay an electricity bill using gift cards? You’d be surprised. The list of victims is a Who’s Who of doctors, lawyers, and even law enforcement. People who previously thought they were too savvy to get scammed are often on the victim list.

A good example of the latter scam is someone calling claiming they are the IRS or law enforcement and claiming the victim owes some previously unknown fine, and if the victim doesn’t pay immediately, the victim will be arrested. Who would believe that the IRS or the police would accept gift cards for a fine? Again, a higher percentage than you might think.

I’ve interviewed a bunch of these types of gift card victims and found all of them to be fairly knowledgeable, smart people who thought they would usually be able to spot a scam from a mile away. They just got surprised by the scam contact at an inopportune moment, and either their busy lives or some other unrelated circumstance made them think the scam was real. Anyone can become a victim to a scam if approached at the wrong time in their lives with the right scam.

How to prevent? If anyone contacts you asking for an emergency payment, especially using gift cards, there’s a very high likelihood that the request is fraudulent. You can take the caller’s contact details, if they are willing to give them. Usually, they will hang up right away if asked for contact information. Either way, contact the organization that is being claimed on a known good telephone number or email address and ask how you can verify if the request is real. If the request is real, the legitimate organization will get you through to their billing department to confirm the request and pay the bill.

Maliciously Modified Gift Cards in Stores

In this scam, fraudsters steal store gift cards, learn their secret PIN information, and then return them to the shelves to await a victim. When the victim purchases the previously tampered-with card and activates it, the fraudster is often able to spend the card’s value before the victim does. The fraudster can call the store’s gift card line over and over to check when the gift card has been activated and what value is left on the card.

How to prevent? Look for signs of tampering when you buy a gift card. Some people say to pick gift cards from the end of the stack, but that’s assuming that the fraudsters will always place the tampered gift cards up front and that the store’s staff didn’t rearrange them when restocking new gift cards. Know that all the big vendors using gift cards are aware of these scams and many will offer a way for you to protect yourself against this type of scam and some may even reimburse you if you are out money.

Phish You For Information to Supposedly Get a Gift Card

This is a big scam, especially around the holidays. “Win a free $100 Amazon Gift Card!” is a common ploy. They will either ask you for personally identifiable information, such as your Social Security number or bank account information, or ask you to download and run a file to “transfer” the gift card to you. The problem with this type of phishing scam is that there are thousands of legitimate scenarios in which anyone can win a free gift card.

You can spot these types of scams because they randomly appear in email or a text message and even though they claim to be from a major trusted brand, the gift card URL, phone number, or email address is not. Again, this can be tricky, because many legitimate organizations outsource real free gift cards to external third parties. The URLs, phone numbers, and email addresses you see may not be directly linked to the real legitimate vendor.

One good way to detect these scams is when the offer is just too good to be true. For example, they offer a free iPhone or $100 just for answering 5 easy questions. A real gift card worth $100 is usually going to require a substantial time commitment or large purchase at a legitimate web site. If the offer seems too good to be true, it’s likely too good to be true.

If someone contacts you and says you need to immediately pay a bill using a gift card, it’s usually a scam. In general, there are a ton of gift card scams. If you can’t absolutely, 100% verify that the gift card request or reward is real, or that a card hasn’t been tampered with, just ignore them. Buying or winning a possible $100 gift card isn’t worth possibly losing your bank account and personal information. When in doubt, chicken out.


By Roger Grimes