BLOG

Researchers at Google’s Threat Analysis Group (TAG) are tracking phishing campaigns by the Iranian threat actor APT35 (also known as Charming Kitten). The attackers used compromised websites to harvest users’ credentials.

“In early 2021, APT35 compromised a website affiliated with a UK university to host a phishing kit,” the researchers write. “ Attackers sent email messages with links to this website to harvest credentials for platforms such as Gmail, Hotmail, and Yahoo. Users were instructed to activate an invitation to a (fake) webinar by logging in. The phishing kit will also ask for second-factor authentication codes sent to devices. APT35 has relied on this technique since 2017 — targeting high-value accounts in government, academia, journalism, NGOs, foreign policy, and national security. Credential phishing through a compromised website demonstrates these attackers will go to great lengths to appear legitimate – as they know it’s difficult for users to detect this kind of attack.”

Google notes that the attackers also posed as conference officials to target people interested in events held in Munich and Italy.

“One of the most notable characteristics of APT35 is their impersonation of conference officials to conduct phishing attacks,” the researchers write. “Attackers used the Munich Security and the Think-20 (T20) Italy conferences as lures in non-malicious first contact email messages to get users to respond. When they did, attackers sent them phishing links in follow-on correspondence. Targets typically had to navigate through at least one redirect before landing on a phishing domain. Link shorteners and click trackers are heavily used for this purpose, and are oftentimes embedded within PDF files. We’ve disrupted attacks using Google Drive, App Scripts, and Sites pages in these campaigns as APT35 tries to get around our defenses. Services from Dropbox and Microsoft are also abused.”

New-school security awareness training can enable your employees to thwart both criminal and state-sponsored social engineering attacks.

What do you get when you add a totally free 1.3 Billion set of phone numbers and data from millions of Facebook profiles? A massive dox database of users now up for sale for $100,000.

The Clubhouse data breach earlier this year, while headline-worthy, resulted in a big nothing where all the phone numbers exfiltrated were simply posted on the Dark Web. But one enterprising hacker combined the Clubhouse data with several of the already famous Facebook breaches, along with other data sources to create a 3.8 billion-strong database of accounts.

It’s been posted up for sale for $100,000 to any and all takers who believe they can do some effective mischief and malice with it.

There are a few ways this data can be used:

• SMiShing Attacks – if threat actors have your phone number and name, they can use texting to trick you into all kinds of badness; credential attacks, fraud, malware, and more.
• Account Takeover Attacks – with the Facebook account details and phone number, it’s possible to potentially brute force account logins, even perform SIM-swapping for accounts using SMS as their 2Fa.
• Social Engineering Attacks – I’ve seen successful attacks with less pertinent or valuable details over the years. Having your current phone number and Facebook logon is easily enough to trick users into giving up their credentials, credit card details, and more.

This latest sale of data raises a major red flag for organizations – with literally billions of users prime for social engineering scams, this data set can easily be used to target executives, those in the Finance department, etc. in an interest to infect corporate endpoints, install ransomware, etc.

Users should be warned against any kind of notification that either overtly is tied to Facebook or could remotely be associated with their Facebook account. Users that undergo continual Security Awareness Training should already be aware of this potential scam and be vigilant against it.

Phishing attacks have varying levels of technical sophistication, according to Mark Nicholls from Redscan. In an article published by ITProPortal, Nicholls explains that the lowest level of phishing attacks are simple emails designed to rope a victim into a scam.

“The most basic phishing emails are designed to establish a relationship with the target,” Nicholls says. “There are no links or malicious attachments to open. The phish is simply a primer for future communications, such as requests for payment. Messages are typically plain text and sent via widely used email services such as Gmail, which means they are very likely to bypass mail filters rather than be marked as spam. The sender’s name used is often a senior person within an organization, such as the CEO.”

More sophisticated phishing campaigns involve setting up spoofed websites and luring victims into entering sensitive information or downloading malware.

“To conduct mid-level phishing campaigns, attackers use basic hacking tactics, techniques and procedures,” Nicholls says. “A very common technique involves cybercriminals purchasing a private domain and using it to host a landing page that is cloned from a legitimate website. It’s a more sophisticated version of copy and paste, but with the right know-how is quick to perform. With a cloned site set-up, an attacker will email their target, share a link to the fake page and lure them into entering their details.”

The most sophisticated and damaging attacks are highly targeted phishing operations that involve a great deal of preparation and intelligence gathering on specific organizations and employees.

“Highly skilled cybercriminals use similar techniques to mid-level attackers,” Nicholls writes. “However, they are more skillful and better-resourced, making their attacks increasingly challenging to safeguard against. The professionals that create and leverage advanced phishing campaigns such as Business Email Compromise (BEC) attacks conduct extensive open-source intelligence gathering on their targets. This involves profiling individuals but also the organizations they work for. Job advertisements are often a good source of information, disclosing details about the types of systems, applications and security tools organizations use.”

New-school security awareness training can enable your employees to defend themselves against phishing attacks of all levels of sophistication.

Pent-up demand for traveling – both domestically and internationally – has driven an interest by cybercriminals to take advantage of those traveling to become phishing victims.

Security researchers at Palo Alto Network’s Unit 42 have identified a material jump in the number of travel-related phishing URLs of over 4x that of January of this year. One of the primary pieces of malware using these URLs is Dridex. Phishing campaigns using Dridex typically focuses on campaigns around billing or invoicing. But Unit 42 has spotted a jump in URLs related to travel – words like “vacation” or “airline” are commonly a part of the URL.

Their tactics remain the same – use a malicious Excel spreadsheet that is either attached to the email or linked to via Dropbox. But the campaign tone and theming is now very much travel-related.

Beyond the Dridex banking trojan, Unit42 also notes that in many cases, collection of details (e.g., personal data, credit card information, online credentials, etc.) is also a focus, as it can be sold on the Dark Web.

As long as users are vigilant through continual Security Awareness Training, they will recognize these emails as being unsolicited and suspicious, making them powerless and ineffective.

The California DMV has warned of an ongoing smishing campaign seeking customers’ personal and financial information, Pasadena Now reports.

“The California Department of Motor Vehicles (DMV) reminds customers that it will never ask for personal information related to driver’s license number, Social Security number or financial information through text or unsolicited phone calls or email,” the DMV said in a statement. “The DMV has heard from multiple customers who have received text messages directing them to an unfamiliar link. If a link does not direct customers to the main DMV website at dmv.ca.gov, it is NOT from the DMV.

The department stressed that, while it sometimes does send texts or emails to customers, it won’t contact you out of the blue asking for personal information.

“The DMV does not send customers unsolicited requests for information,” the DMV stated. “When the DMV texts or emails customers, it is based on action initiated by the customer. For example, customers may receive an appointment reminder or cancelation notice by text or email from the DMV. Customers may also receive an email related to DMV services that directs customers to the dmv.ca.gov website to take an action if they choose. Also, when a customer establishes an online account with DMV or has initiated an interactive, assisted online transaction with the DMV, further information may be requested.”

The DMV added that people should either ignore or report these phishing attempts.

“The department recommends customers ignore or delete any unsolicited texts or emails requesting personal information claiming to be on behalf of the DMV. Customers can report the phishing attack to the FTC at ftc.gov. If you receive a phishing email, forward it to the Anti-Phishing Working Group at reportphishing@apwg.org. For a phishing text message, forward it to SPAM (7726).”

New-school security awareness training can enable your employees to avoid falling for social engineering attacks.