German Police Collar Alleged Phishing Cybercriminals

The Bundeskriminalamt (BKA), Germany’s federal criminal police, raided three homes on Thursday, September 29th, in the course of an investigation of a cyber criminal operation the BKA says netted approximately €4,000,000 from its victims by using phishing tactics. Two suspects were arrested and charged; the disposition of the third individual will depend upon the results of further investigation.

A statement by the BKA (provided by BleepingComputer) explained the nature of the fraud, which depended upon unusually faithful and convincing spoofed communications that misrepresented themselves as being from the victims’ banks. The emails told the victims that changes to the bank’s security system would affect their accounts, and that they should follow a link to arrange continued access to their accounts. The link led to a convincing phishing page. “There, the phishing victims were asked to enter their login data and a current TAN [Transaktionsnummer–a number associated with a particular transaction], which in turn enabled the fraudsters to see all the data in the account of the respective victim – including the amount and availability of credit.” Further engagement with the victims induced them to give up additional TANs, which the criminals used to withdraw the victims’ funds.

The scam is interesting in other ways. For one thing, the criminals used distributed denial-of-service (DDoS) attacks against banking websites as misdirection for their imposture. The legitimate sites may have suffered from reduced availability, but the phishing sites, of course, remained accessible. Another interesting aspect of the case is the criminals’ alleged employment of “other cyber criminals who sell various forms of cyber attacks as ‘Crime-as-a-Service’” (the BKA uses the English phrase) “on the dark web.” Some details are being withheld pending further investigation.

The amount the BKA alleges the criminals stole is striking. €4,000,000 is the equivalent, at current exchange rates, to £3,520,000 or $3,920,000. This particular crime seems to have affected mostly individuals, but its scale and approach suggest that organizations could be vulnerable to similar scams. New-school security awareness training can help your employees cope with this and other forms of social engineering.


Response-Based Phishing Scams Targeting Corporate Inboxes Hit New Records

Setting a record for both highest count and share in volume with other types of phishing scams, response-based attacks are at their highest since 2020 and are continuing to grow.

Despite a lot of focus on credential theft, cybercriminals are trending toward response-based scams – where the scam relies on the user responding through a communication channel chosen by the scammer. We’ve seen examples of these types of phishing attacks that have leveraged chatbots, WhatsApp, and even phone calls to establish credibility and take control of the conversation.

New data from Agari and PhishLabs, in their Quarterly Threat Trends & Intelligence report for August 2022, shows that response-based scams are on the rise, being responsible for 41% of threats targeting corporate inboxes. While still trailing behind credential theft attacks, response-based scams have experienced continual growth over the last two years.

According to the report, the response-based scams can be broken down into the following types:

  • Advance-Fee scams – 54%
  • Vishing – 25%
  • Business Email Compromise – 16%
  • Job Scams – 4.8%
  • Tech Support – 0.2%

Of these, vishing is up over 625% from Q1 of last year and has steadily increased over the course of the past year.

I think I should reemphasize that these scams are all focused on business users and, according to the report, may include malware such as Emotet, QBot, and Snake Keylogger – all payloads I’ve covered before here on our blog.

The growth in response-based scams means that threat actors are seeing continual success – which, in turn, means users are responding. To stop your users from responding, it’s important that you enroll them in continual security awareness training to teach them to spot these scams before they respond to them.


Social Engineering and Bogus Job Offers

Researchers at SentinelOne have warned that North Korea’s Lazarus Group is using phony job offers to distribute macOS malware. The researchers aren’t sure how the lures are being distributed, but they suspect the attackers are sending spear phishing messages on LinkedIn. SentinelOne notes that this campaign “appears to be extending the targets from users of crypto exchange platforms to their employees in what may be a combined effort to conduct both espionage and cryptocurrency theft.”

“Back in August,” SentinelOne’s report says, “researchers at ESET spotted an instance of Operation In(ter)ception using lures for job vacancies at cryptocurrency exchange platform Coinbase to infect macOS users with malware. In recent days, SentinelOne has seen a further variant in the same campaign using lures for open positions at rival exchange”

The campaign seems to represent a kind of twofer for Pyongyang. On the one hand, it’s intended to enable cryptocurrency theft, and this is desirable as a way of redressing North Korea’s chronic shortage of funds, driven by decades of sanctions and isolation. On the other hand, it’s also useful for espionage. They’re interested in prospecting both users and employees of cryptocurrency exchanges. There’s continuity with earlier efforts that targeted cryptocurrency exchanges, notably 2018’s AppleJeus campaign.

We’ve seen this kind of thing before. Note in particular the abuse of generally trusted platforms like LinkedIn that cater to professionals and the advancement of their careers. New-school security awareness training can teach your employees to recognize phishing and other social engineering attacks. The world of cryptocurrency may not (quite) be the Wild West, but it’s not a safe corner of cyberspace, either.


Security Practices Are Improving, But Cybercriminals Are Keeping Up

A survey by GetApp has found that the number of organizations using phishing simulations has risen from 30% in 2019 to 70% in 2022. Despite this positive trend, however, attackers continue to increase both the sophistication and volume of their phishing emails, which has led to a significant rise in employees clicking on phishing links.

“Phishing schemes and their effectiveness have reached a critical point in 2022,” the researchers write. “For the first three years of our survey, the rate of companies reporting phishing emails had remained fairly steady. But in the last year, the percentage of companies reporting phishing has jumped from 77% to 89%. More concerning, the number of companies that report someone actually clicking a link in a phishing email leapt from 64% to 81% in only the last year. In the last three years, the percentage of employees clicking on phishing links has absolutely skyrocketed, from 43% to 81%. Combined, these numbers are even more alarming because they show a clear upward trend in both phishing volume and effectiveness over the last three years.”

Likewise, the number of organizations requiring multi-factor authentication has steadily increased over the past three years, but attackers are increasingly finding ways to bypass these measures.

“In 2019, our survey found that 64% of U.S. companies used 2FA for all (21%) or some (43%) business applications,” the researchers write. “In 2022, that number has increased to 91%. Perhaps more importantly, the percentage of companies that use 2FA for all business applications has more than doubled, from only 21% in 2019 to nearly half (45%) in 2022.”

GetApp says organizations need to continue implementing security best practices to keep up with the evolving threat landscape.

“The gap between companies reporting phishing emails and those reporting employees clicking on phishing emails has narrowed year over year, from a 30-point gap in 2019 to only eight points in 2022,” the researchers write. “In response, companies must prioritize email security and educate staff on the increasingly sophisticated social engineering strategies that threat actors use in phishing emails to manipulate employees into turning over network credentials or downloading malware.”


Social Engineering Targets Healthcare Payment Processors

The US Federal Bureau of Investigation (FBI) has issued an alert warning of an increase in phishing and other social engineering attacks against healthcare payment processors.

“In each of these reports, unknown cyber criminals used employees’ publicly-available Personally Identifiable Information (PII) and social engineering techniques to impersonate victims and obtain access to files, healthcare portals, payment information, and websites,” the Bureau says. “In one case, the attacker changed victims’ direct deposit information to a bank account controlled by the attacker, redirecting $3.1 million from victims’ payments.”

The FBI describes three successful social engineering attacks against these entities:

  • “In April 2022, a healthcare company with more than 175 medical providers discovered an unauthorized cyber criminal posing as an employee had changed Automated Clearing House (ACH) instructions of one of their payment processing vendors to direct payments to the cyber criminal rather than the intended providers. The cyber criminal successfully diverted approximately $840,000 dollars over two transactions prior to the discovery.”
  • “In February 2022, a cyber criminal obtained credentials from a major healthcare company and changed direct deposit banking information from a hospital to a consumer checking account belonging to the cyber criminal, resulting in a $3.1 million loss. In mid-February 2022, in a separate incident a different cyber criminal used the same method to steal approximately $700,000.”
  • “From June 2018 to January 2019, cyber criminals targeted and accessed at least 65 healthcare payment processors throughout the United States to replace legitimate customer banking and contact information with accounts controlled by the cyber criminals. One victim reported a loss of approximately $1.5 million. The cyber criminals used a combination of publicly available PII and phishing schemes to gain access to customer accounts. Entities involved in processing and distributing healthcare payments through processors remain vulnerable to exploitation via this method.”

[HEADS UP] Bank of America Warns About Recent Scams That Request Zelle Payment Due to ‘Suspicious Activity’

Bank of America recently sent a customer service email warning users to watch out for this new phishing attack.

Threat actors are sending realistic texts requesting that you send money using Zelle® as payment due to a ‘fraud alert’. These texts are crafted to make the warning look legitimate, and if you respond to the text you’ll receive a call from a fake representative.

This person will use social engineering techniques to trick your users into sending money to themselves through the Zelle® payment method. In reality the money goes directly into the scammers’ pockets, since the account that receives it is controlled by them.

Check out the full video from Zelle on how to spot this type of scam here:


It’s incredibly important that you do not share any codes with a suspicious caller, no matter what the caller ID shows, and that your users do not let themselves be pressured into acting immediately if they receive this type of call. New-school security awareness training can teach your users about the latest threats.


Cisco Attempt Attributed to Lapsus$ Group

Security researchers at Cisco Talos have issued an update on the cyberattack Cisco sustained earlier this year. The attack began with a phishing attack against a Cisco employee, which led to the attackers stealing data and attempting to extort the company with the threat of releasing the stolen information.

“On September 11, 2022, the bad actors who previously published a list of file names from this security incident to the dark web, posted the actual contents of the same files to the same location on the dark web. The content of these files match what we already identified and disclosed,” the researchers write. “Our previous analysis of this incident remains unchanged – we continue to see no impact to our business, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.”

Cisco Talos offers the following summary of the event:

  • “On May 24, 2022, Cisco became aware of a potential compromise. Since that point, Cisco Security Incident Response (CSIRT) and Cisco Talos have been working to remediate.
  • “During the investigation, it was determined that a Cisco employee’s credentials were compromised after an attacker gained control of a personal Google account where credentials saved in the victim’s browser were being synchronized.
  • “The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker. The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user.
  • “CSIRT and Talos are responding to the event and we have not identified any evidence suggesting that the attacker gained access to critical internal systems, such as those related to product development, code signing, etc.
  • “After obtaining initial access, the threat actor conducted a variety of activities to maintain access, minimize forensic artifacts, and increase their level of access to systems within the environment.
  • “The threat actor was successfully removed from the environment and displayed persistence, repeatedly attempting to regain access in the weeks following the attack; however, these attempts were unsuccessful.
  • “We assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators.”

Phishing from a French Government Career Website

Attackers are exploiting a legitimate French government website to send phishing messages, according to researchers at Vade. The website, Pôle Emploi, is a career site for companies looking for job recruits. The attackers are responding to job postings with phony resumes that contain a link to a Google Form designed to harvest credentials.

“The recruiting company—if not vigilant—opens the attachment thinking it is a resume and is faced with malicious links,” the researchers write. “If they click on the links, they are redirected to a malicious form where they will be asked for their Pôle Emploi account information. This new technique is particularly efficient because the generated email is coming from legitimate Pôle Emploi servers, a legitimate sender, and a legitimate IP address.”

The phony resume instructs the victim to click on the link in order to secure their account.

“The hacker’s message states that the recipient (the recruiting company) needs to open the attachment to access an applicant’s resume,” the researchers write. “The hacker adds that the attachment contains URLs that the recipient must open in order to update Pôle Emploi’s recruiting account and secure it.”

Vade notes that the phishing document is also designed to steal users’ multifactor authentication codes.

“The credentials and the validation code of the Pôle Emploi’s recruiting account of the targeted company are sent to the hacker via email from Google Docs,” Vade says. “With those credentials, the hacker can easily access the Pôle Emploi portal of the recruiting company.”

The researchers add that access to these accounts could lead to further targeted attacks within the organizations.

“Most phishing attacks are designed to steal account credentials, and in this case, the damage could be significant,” Vade says. “The Pôle Emploi portal likely contains the personal information of companies and job candidates. With this information, hackers can access sensitive company information and steal personal data, which they can later sell to other hackers. They could also launch additional attacks on users with the data stolen, including phishing and business email compromise attacks.”


Scammer Continues Phishing From Prison

Dutch authorities have announced that an imprisoned scammer was running a phishing operation from his jail cell, Cybernews reports. The crook used four mobile phones to post malicious ads on Marktplaats, a popular Dutch classifieds site. The Northern Netherlands District Prosecutor’s Office said in a statement that the scammer targeted more than a thousand people over the course of a few months.

“In the summer of 2021, a few months after the 23-year-old suspect from Groningen was sentenced to 42 months in prison for large-scale cybercrime, the Public Prosecution Service was informed that a telephone had been found in his cell,” the statement said. “This investigation shows that this suspect from the PI was engaged in exactly the same offenses for which he was convicted: phishing and fraud. That same summer, another device was found in the suspect’s cell. And shortly afterwards device three that was found in his bird’s food and some time later a fourth device. All the phones found in the suspect’s cell contain the same thing: phishing and fraud. On his phone were more than 1000 conversations that he had on marktplaats, trying to get people to click on a link.”

The authorities have also accused a 22-year-old man from the Netherlands of assisting in the campaign.

“The phishing fraud consisted of enticing buyers on Marktplaats to transfer 0.01 euros via a payment link, after which login details of these victims were obtained,” the statement continued. “With this, it was possible to log into the victims’ bank account and money was debited, transferred or goods ordered online. The form of friend-in-emergency fraud was also applied, whereby you pretend to be the victim’s acquaintance via Whatsapp, after which he is persuaded to transfer money. The 23-year-old suspect has made at least 16 victims in this way who have reported this. In total, it would be more than 34,000 euros. The 22-year-old man gave the necessary instructions and phishing panels for this, but was also involved in logging into the bank accounts.”


Gaming-Related Phishing Trends

Researchers at Kaspersky have found that the vast majority of gaming-related malware lures are targeted at Minecraft players. Roblox came in at a distant second, and the researchers note that both of these games are frequently played by children, “who have much less knowledge of cybersecurity due to a lack of experience.”

“When downloading the games from untrustworthy sources, players may receive malicious software that can gather sensitive data like login information or passwords from the victim’s device; and in an attempt to download a desired game for free, find a cool mod or cheat, gamers can actually lose their accounts or even money,” the researchers write. “The research revealed an increase in attacks using malicious software that steals sensitive data from infected devices. It included such verdicts as Trojan-PSW (Password Stealing Ware) which gathers victims’ credentials, Trojan-Banker which steals payment data, and Trojan-GameThief which collects login information for gaming accounts.”

Unsurprisingly, most gaming-related malware lures target some of the most popular games.

“Attackers often purposely seek to spread threats under the guise of games and game series that either have a huge permanent audience (such as Roblox, FIFA, or Minecraft) or were recently released,” the researchers write. “We found that from July 1, 2021 through June 30, 2022, the TOP 5 game titles that cybercriminals used as a lure to distribute secret-stealing software included Valorant, Roblox, FIFA, Minecraft, and Far Cry.”

Attackers also use phishing sites to compromise accounts for multiplayer games that have in-game currency, such as Grand Theft Auto 5 and Counter-Strike.

“This year, cybercriminals have learned to mimic the entire interfaces of the in-game stores for many popular game titles,” the researchers write. “The most notable examples include fake marketplaces launched under the names of CS:GO, PUBG and Warface, which are popular esports disciplines. To achieve better results, players need a decent arsenal of weapons and artifacts that are available in the in-game stores. The scammers created fraudulent stores by copying the appearance of the actual in-game marketplaces to fool players, with the final aim of taking over their accounts or stealing their money.”

New-school security awareness training can teach your employees to follow security best practices so they can avoid falling for social engineering attacks. And they can pass on what they learned to their children, too.