Information Security Newspaper | Infosec Articles | Hacking News (https://www.securitynewspaper.com/), feed last updated Tue, 15 Aug 2023 17:28:33 +0000

Social Engineering Internal Testing Best Practises
https://www.securitynewspaper.com/2022/08/18/social-engineering-internal-testing-best-practises/ (Thu, 18 Aug 2022 15:00:00 +0000)


Introduction

Social engineering, the practice of tricking people into granting access to IT infrastructure so that malware can be installed or important information stolen, remains a favored method of attack. One reason is its flexibility: it can be carried out by email (spam or targeted phishing), over the phone, and even in person. Organizations in every economic sector therefore need to conduct some form of internal social engineering testing.

Is it really necessary?

The short answer is an unequivocal yes. Social engineering gives a threat actor a low-tech, high-impact way to attack an organization without advanced malware. New social engineering scams appear daily as scammers and hackers exploit current events and disasters to get your employees to open an email or grant access to data. With such a low technological barrier to entry (a phone call or an email) and such a potentially high cost to the organization, especially if ransomware is involved, internal testing is certainly necessary.

Dumpster Diving

This is possibly the easiest internal social engineering test to run, because it mirrors the lowest-tech attack an adversary can attempt: simply rummaging through your waste. All you need to do is collect your organization’s rubbish at selected points and see what it contains. It is easy but can be rather distasteful; those looking to scam your organization share very few of your scruples.

When going through the rubbish, look for anything a malicious party would want. Documents containing social security numbers and other personally identifiable information, hand-shredded cheques, and confidential internal memos are all examples of paper waste that can be weaponized against the business. As for e-waste, hard drives and USB drives can be a treasure trove and should be disposed of appropriately, not in the dumpster.

Phone Tests

These are typically done by a third party who calls staff and tries to get as much information from them as possible. The third party then reports any area of concern to the organization so that steps can be taken to prevent future exploitation by a malicious party. Typically these tests attempt to trick employees into giving up confidential business, customer, or employee information, or any information that could be used as part of a scam. While these tests are often outsourced, they can also be done in-house, but this usually requires a fair amount of planning and practice to produce truly actionable data.

Phishing Tests

This is the hardest test to implement internally, but it is likely the most important given how prevalent phishing attempts are in any organization. If you have a large and knowledgeable IT staff this can be done in-house; however, not every business has that luxury. Fortunately, smaller enterprises can use relatively inexpensive commercial tools that run tests on employees to see how they interact with potentially suspicious emails.

The data these tools produce can then be used to better educate staff about the threats they are likely to encounter. At the time of writing, several such tools were easy to find online.

Conclusion

Completely internal tests that help combat the scourge of social engineering should not be seen as a wasted expense. Ask any business leader who has experienced the ramifications of such an attack, and whether the organization survived them, and viewpoints quickly change. Such a test can be a lifesaver.

What is the Reverse QR social engineering attack and how to protect from it
https://www.securitynewspaper.com/2022/07/18/what-is-the-reverse-qr-social-engineering-attack-and-how-to-protect-from-it/ (Mon, 18 Jul 2022 22:53:55 +0000)

A few days ago, Spanish police identified a new type of scam that has been called the Reverse QR Scam: a fraudulent technique in which scammers steal money through a QR code by making victims believe they are actually charging a certain amount. Police detained a scammer who had used this method. It is a type of scam carried out “with social engineering techniques” that “intends to steal the personal and bank details of the victims.”

To understand how the deception works, recall that a QR code is an optical label that encodes information in a square grid of modules. It is used, among other things, to gain access to venues such as concert halls or cinemas, to authenticate to WiFi networks, and to make payments. Because of the amount of information it can hold, the many functions it serves, and its widespread adoption across establishments and services, cybercriminals have found it a convenient vehicle for fraud. One way they have turned QR codes to their benefit is the social engineering technique known as ‘reverse QR’.

To do this, the scammer showed the victim a QR code that supposedly belonged to his bank, but it turned out to be a forged code that, instead of paying, requested money. Thus, while the waiter at the establishment believed the suspect was paying for what had been consumed, the waiter was in fact paying for the consumption himself. Besides obtaining the victim’s personal data, the ‘reverse QR’ technique also yields the complainant’s bank details.

TIPS TO AVOID FRAUD

To avoid these scams, citizens should take a series of security measures, such as carefully inspecting physical QR codes that may have been tampered with or pasted over the original codes. It is also important to examine the URL the code points to and decide whether the link looks suspicious. Various applications, such as Link Preview Generate or URLVoid, offer a preview of the URL’s content so you can see what it presents before opening it. In addition, make sure the website you are about to visit complies with protection and safe browsing standards, such as HTTPS. Other applications can run security checks before a QR code is acted on, on devices running Android or iOS.

Hackers theft over $1.4 million worth of Moonbird NFT collection
https://www.securitynewspaper.com/2022/05/26/hackers-theft-over-1-4-million-worth-of-moonbird-nft-collection/ (Thu, 26 May 2022 23:28:50 +0000)

A non-fungible token (NFT) collector lost more than $1.4 million due to a cyberattack involving a malicious website and social engineering tactics. As reported by blockchain researchers known as Andeh and Cirrus, the victim lost 29 NFTs from the Moonbirds collection, with a minimum value of $48,000 each.

In an interview with Vice, the victim, simply known as Keith, claims that hackers tricked him into visiting a specially designed phishing website: “The site had a smart contract to move all my Moonbirds in one swoop; although at first, the transactions failed, they finally materialized.”

Keith, who says he is an oncologist, husband, and father of three, claims he decided to invest his life savings in NFTs, only to see these assets disappear within minutes.

He added that the hackers contacted him through a Twitter account a few weeks earlier. After the initial contact, Keith continued to interact with the scammers until he received an offer to sell his Moonbirds collection; the account used by the hackers has since been deleted.

The victim sent a message to the hackers, hoping to recover his collection: “Please return the stolen moonbirds to the original owner. Keep one as compensation.”

The collector adds that, if his tokens are not returned before this weekend, he will notify the FBI about the incident.

Common issues

NFT collectors have become frequent victims of ambitious phishing and social engineering campaigns, as these offer quick and easy access to virtual collections worth tens of thousands of dollars.

Researcher Tal Be’ery analyzed the attack and concluded that the operation may have been complex for the attackers, who tried to use a smart contract to leave no trace; when that attempt failed, the cybercriminals simply used a conventional address to divert the stolen tokens.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

More than 200 apps on Play Store with millions of downloads are stealing users’ passwords and sensitive information
https://www.securitynewspaper.com/2022/05/17/more-than-200-apps-on-play-store-with-millions-of-downloads-are-stealing-users-passwords-and-sensitive-information/ (Tue, 17 May 2022 19:28:16 +0000)

Researchers at Trend Micro identified a set of mobile apps available on the Google Play Store performing malicious tasks in the background, including stealing user credentials and banking details from Android users. Some of these apps have nearly 100,000 downloads, so the scope of the problem is considerable.

In total, the analysis detected 200 malicious applications hiding code from dangerous malware variants, capable of putting users of the affected devices in serious trouble.

Simple tools, complex issues

One of the main threats identified is Facestealer, a spyware variant capable of stealing Facebook login credentials, enabling subsequent phishing campaigns, social engineering, and invasive advertising. Facestealer is constantly updated and exists in multiple versions, which makes it easy for new variants to get into the Play Store.

Daily Fitness OL is described as a fitness tool offering exercise routines and demonstration videos. Although nothing seems wrong with this app on the surface, in-depth analysis shows that its code hides a Facestealer spyware payload.

When a user opens the app, it sends a request to hxxps://sufen168.space/config to download its encrypted configuration. The configuration prompts the user to log in to Facebook, after which the app launches a WebView to load a malicious URL. A snippet of JavaScript is then injected into the loaded page, allowing the theft of the user’s credentials.

Once the user logs into their Facebook account, the app collects the cookies and the spyware encrypts the collected information to send it to a remote server.

Other malicious apps, such as Enjoy Photo Editor or Panorama Camera, also hide Facestealer payloads and follow a very similar attack process, though some stages or methods may vary.

Risk for crypto investors

Experts have also identified more than 40 fraudulent cryptocurrency apps disguised as legitimate tools, even copying their branding or using similar names. The developers of these tools seek to get affected users to buy supposed Premium versions at high prices through fake ads.

Tools like “Cryptomining Farm Your Own Coin” do not exhibit invasive behaviors even in test environments, so they effectively evade the Play Store’s security mechanisms. However, when a user tries to connect a Bitcoin wallet to the application, a message asks them to enter their private keys, a clear red flag that something is wrong.

The sampled app was built with Kodular, a free online suite for mobile app development. Trend Micro notes that most of the fake cryptocurrency apps use the same framework.

The analyzed app only loads a website and lacks even the capability to simulate mining processes or cryptocurrency transactions.

The loaded website tells users they can participate in a cloud mining project, luring them toward the real start of the attack. Threat actors then ask users to link a digital wallet to the website in an attempt to collect private keys, which are subsequently processed with no encryption at all.

Although the malicious applications were reported to Google and have already been removed from the official store, the researchers believe the company must considerably improve security measures in the Play Store, as many developers of malicious applications keep finding ways to evade the app repository’s security, putting millions of users at risk.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

LinkedIn scam attempts multiply during 2022: How to prevent it?
https://www.securitynewspaper.com/2022/05/11/linkedin-scam-attempts-multiply-during-2022-how-to-prevent-it/ (Wed, 11 May 2022 23:32:52 +0000)

For years, cybersecurity specialists have recommended that social media users share as little information as possible in order to avoid the many criminal campaigns driven by data available from public sources. Although profiles on platforms such as Facebook, Instagram or Twitter increasingly offer more privacy controls, other websites, such as LinkedIn, still expose all kinds of private information.

LinkedIn is a more professional social media platform where connections are of great importance. Users usually must enter personal information such as a CV, work experience and some contact details, since all of this information is needed to build connections.

Given the vast amount of personal information that necessarily circulates on LinkedIn, the presence of threat actors posing as legitimate users is worrying, especially when the work of millions of users and their aspirations for professional development is at stake.

For many experts, this kind of risk will always exist on social networks, so the only solution is to know how to identify these risks and the best ways to avoid falling victim to cybercriminals.

Below, specialists from the International Institute of Cyber Security (IICS) list the main attack variants on LinkedIn, along with some recommendations for avoiding becoming a victim.

Fake job offers: One way to steal credentials involves well-paying job offers published on the platform. Fake job offers can take different forms; for example, a fake recruiter offers a remote job with a good salary, asks for a registration fee, and disappears immediately after payment.

Whenever you receive a job offer, do your research to make sure you are not being scammed.

Phishing: In this case, you receive an email informing you of an attempt to hack your profile, with a link to click. The link takes you to a cloned LinkedIn page that asks for your login details.

Remember to always ignore unsolicited emails, as they may be the entry point for hackers.

Finally, to avoid being scammed through a fake LinkedIn profile, follow this advice:

  • Always check the profile before accepting a connection request
  • Research job openings, the recruiter, and the company you would be working for
  • Never share personal information online
  • Any email or InMail message that asks you to click on a link or open an attachment is most likely a scam

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

British individual accused of hacking email servers and computers in US banks; losses of more than $5 million USD
https://www.securitynewspaper.com/2022/05/11/british-individual-accused-of-hacking-email-servers-and-computers-in-us-banks-losses-of-more-than-5-million-usd/ (Wed, 11 May 2022 21:54:05 +0000)

The U.S. Department of Justice (DOJ) has accused a British citizen of stealing money from investor accounts after hacking into email servers and computers in banks and brokerage houses, committing bank fraud for more than $5 million USD.

In the complaint, a total of 10 charges were filed against Idris Dayo Mustapha, accusing him of using social engineering tactics, phishing and other means to obtain usernames and passwords for online bank accounts between 2011 and 2018.

Prosecutors say that Mustapha, originally from Nigeria, began by transferring money from the victims’ accounts to his own; after the banks identified the fraudulent activity, the defendant and his accomplices switched to conducting unauthorized stock trades in the compromised accounts, among other lucrative operations.

Among the evidence presented by prosecutors is a conversation between the defendant and an alleged accomplice that took place in April 2016: “It is better to make constant transfers, not to make a direct fraud,” Mustapha said.

Breon Peace, the attorney general in Brooklyn, released a statement mentioning that Mustapha was part of a cybercriminal group that caused millions of dollars in losses to hundreds of victims in the U.S., participating in all kinds of cybercrimes.

Mustapha was arrested in the UK at the end of 2021, and the DOJ has already requested his extradition. If convicted, he could face up to 20 years in prison on each of the charges against him, which include wire fraud, securities fraud, money laundering and aggravated identity theft.

In 2016, the U.S. Securities and Exchange Commission (SEC) successfully requested an asset freeze against Mustapha in a civil lawsuit in Manhattan, an investigation related to a hack against stock market investors.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

How a techie guy scammed the US Department of Defense and stole $23 million using a simple phishing email
https://www.securitynewspaper.com/2022/05/02/how-a-techie-guy-scammed-the-us-department-of-defense-and-stole-23-million-using-a-simple-phishing-email/ (Mon, 02 May 2022 16:18:50 +0000)

The U.S. Department of Justice (DOJ) announced that Sercan Oyuntur, a 40-year-old California resident, was convicted on six counts related to a $23 million USD fraud involving a Department of Defense (DOD) fund intended for the purchase of fuel.

The defendant learned of his conviction on April 28, when he was found guilty of charges such as conspiracy to commit wire and bank fraud, access to electronic devices to commit fraud, identity theft and false statements to federal agents.

To carry out the fraud, Oyuntur and his accomplices ran a complex phishing campaign against an employee of the fuel supply company who handled communication between the company and the DOD through a General Services Administration (GSA) government computer system.

The cybercriminals created several fraudulent email accounts with which they pretended to be employees of the fuel company, in addition to designing websites similar to those of the company. Between June and September 2018, Oyuntur and his accomplices sent multiple emails to the affected employee, successfully redirecting him to phishing websites.

On these websites, the threat actors tricked the employee into entering his login credentials, which were subsequently used to break into GSA systems and divert DOD money to their bank accounts.

A key element of the fraudulent operation was a car dealership and a fictitious company run by Hurriyet Arslan, Oyuntur’s accomplice. On October 10, 2018, the DOD transferred $23.5 million USD to the shell company’s bank account; a third conspirator had previously sent Arslan an altered government contract awarding the money to Arslan’s dealership.

The charges of conspiracy and bank fraud for which Oyuntur was convicted could lead to more than 60 years in prison, while charges of unauthorized access to electronic systems are punishable by up to 10 years in prison. For his part, Arslan pleaded guilty in January 2020 to conspiracy, bank fraud and money laundering. His sentence will be known in mid-2022.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

Bored Ape Yacht Club NFTs heist. How come this keeps happening over and over again?
https://www.securitynewspaper.com/2022/04/26/bored-ape-yacht-club-nfts-heist-how-come-this-keeps-happening-over-and-over-again/ (Tue, 26 Apr 2022 22:06:51 +0000)

A group of cybercriminals managed to steal non-fungible tokens (NFTs) worth about $3 million USD from the popular Bored Ape Yacht Club collection. Threat actors reportedly took control of the collection’s Instagram account and posted a link to a fraudulent website through which the assets were stolen.

The attackers lured unsuspecting NFT collectors with a supposedly free token; users followed the link posted on Instagram and connected their MetaMask cryptocurrency wallets to an address controlled by the hackers. Instead of receiving the promised token, affected users found their wallets emptied within minutes.

Shortly after, the project’s official Twitter account confirmed the attack: “Looks like BAYC’s Instagram was hacked; please don’t click any links or link your wallet to another site,” the message read.

Yuga Labs, creators of the Bored Ape Yacht Club, also confirmed that the attackers stole four Bored Apes, six Mutant Apes, and three Bored Ape Kennel Club NFTs, as well as other NFTs from various collections, with the stolen assets totaling approximately $3 million USD.

The team behind the NFT collection claims to be actively working to establish contact with affected users, adding that the compromised account had multi-factor authentication and other security mechanisms enabled, so it is still unclear how the attack occurred. The investigation is still ongoing and updates are expected soon.

This is the second attack to hit BAYC in less than a month; in late March, the NFT project confirmed that its official Discord server had been compromised, putting hundreds of investors at critical risk of phishing. Shortly before the Discord server attack, in the context of the ApeCoin cryptocurrency launch, a hacking group stole more than $1.5 million USD through quick loan fraud.

These attacks are highly worrying for NFT developers, investors and enthusiasts, who have seen cybercrime as the main threat to the growth of these projects and their investment potential.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

Never-seen-before Instagram phishing scam that can defraud any user
https://www.securitynewspaper.com/2022/03/16/never-seen-before-instagram-phishing-scam-that-can-defraud-any-user/ (Wed, 16 Mar 2022 22:52:47 +0000)

Phishing is still one of the most common and effective cybercriminal practices, since attackers often target unsuspecting users with no cybersecurity knowledge, and hackers resort to all kinds of deceptions to gain their victims’ trust.

Specialists have detected a new Instagram phishing campaign in which threat actors use an email supposedly sent by the social media platform, claiming that the user must respond to an alleged “Instagram claim”. In the screenshot from the report, the message is in plain text and the subject line simply says “INSTAGRAM SUPPORT”, as does the sender line.

According to the report, this phishing and social engineering campaign is aimed at employees of an insurer in the U.S., under the guise of Instagram Support. The message was sent from a legitimate Outlook domain, and the hackers employed various techniques to evade Google’s email security mechanisms.

As for the content of the message, it states that the target user has been reported because their Instagram activity violates copyright law. The attackers designed the message to create a sense of urgency and push the user to click the included link, setting a 24-hour limit to respond to the alleged report.

As you can guess, the link redirects the user to a fraudulent website with a fake Instagram account verification page, complete with Meta logos and matching the user’s browser. On this site the target user is asked to enter their Instagram login credentials and complete a supposed verification form.

If the target user falls into the trap, their login credentials are sent to a C&C server controlled by the hackers, leaving this sensitive data completely exposed.
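The indicators described above (a display name that claims to be a brand's support team while the message comes from an unrelated mail provider, a copyright/claim pretext, a 24-hour deadline, and a link that does not point at the brand's own domain) can be checked mechanically at the mail gateway. The following is an added example written for this page, not code from the report; the brand-to-domain table and both sample messages are constructed assumptions.

```python
"""Heuristic detector for brand-impersonation phishing mail.

Flags messages whose From display name or Subject names a brand while the
sending domain and/or the embedded links do not belong to that brand, and
notes urgency and account-claim pretexts. Brand domains and the two sample
messages below are constructed for illustration, not taken from the report.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# ASSUMPTION: domains the brand legitimately sends from or links to.
BRAND_DOMAINS = {
    "instagram": {"instagram.com", "facebookmail.com"},
}

URL_RE = re.compile(r"https?://[^\s<>'\"]+", re.IGNORECASE)
URGENCY_RE = re.compile(r"\b\d+\s*hours?\b|\bimmediately\b|\bwithin\b", re.IGNORECASE)
PRETEXT_RE = re.compile(r"\b(copyright|claim|violat\w*|verif\w*|suspend\w*)\b", re.IGNORECASE)


def registrable(host: str) -> str:
    """Crude registrable-domain extraction (last two labels).
    ASSUMPTION: no multi-label public suffixes such as co.uk in the input."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze(raw: str) -> dict:
    """Parse one RFC 5322 message and return the indicators found plus a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = registrable(addr.split("@")[-1]) if "@" in addr else ""
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""

    indicators = []
    claimed = None
    # 1. Brand named in display name or subject, but sender domain is not the brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() or brand in subject.lower():
            claimed = brand
            if sender_domain and sender_domain not in domains:
                indicators.append(f"claims '{brand}' but sender domain is {sender_domain}")
    # 2. Deadline pressure ("within 24 hours", "immediately").
    if URGENCY_RE.search(text):
        indicators.append("urgent deadline in body")
    # 3. Account-claim / copyright / verification pretext.
    if PRETEXT_RE.search(subject + " " + text):
        indicators.append("account-claim or copyright pretext")
    # 4. Links that lead away from the claimed brand's domains.
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if claimed and registrable(host) not in BRAND_DOMAINS[claimed]:
            indicators.append(f"link to {host} does not belong to {claimed}")
    return {"from": addr, "indicators": indicators, "suspicious": len(indicators) >= 2}


# Constructed sample modelled on the campaign described in the text.
PHISH_SAMPLE = """From: INSTAGRAM SUPPORT <support-team@outlook.com>
To: employee@example-insurer.com
Subject: INSTAGRAM SUPPORT
Content-Type: text/plain; charset=utf-8

Your account has been reported for a copyright violation.
You must respond to the Instagram claim within 24 hours or your account will be suspended.
Verify your account here: https://instagram-verify.example.net/claim
"""

# Constructed benign notification for comparison.
LEGIT_SAMPLE = """From: Instagram <security@facebookmail.com>
To: employee@example-insurer.com
Subject: New login to your account
Content-Type: text/plain; charset=utf-8

Someone logged in to your account from a new device. If this was you, no action is needed.
Review recent activity: https://www.instagram.com/accounts/login_activity/
"""

if __name__ == "__main__":
    for sample in (PHISH_SAMPLE, LEGIT_SAMPLE):
        print(analyze(sample))
```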

This is an active campaign and can be highly harmful to affected organizations and users, so following some recommendations is necessary to avoid a catastrophic scenario. The risks of this and other phishing campaigns can be reduced by following these recommendations:

  • Be careful before opening any unsolicited email. No legitimate company or organization requests personal information without prior contact
  • Do not download attachments or click on links included in these messages
  • Use different login credentials for your personal and business applications. Reusing passwords increases the risk of exposure if hackers obtain one of them
  • Use multi-factor authentication on your online platforms whenever possible

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

How scammers are using deep fake to impersonate CEO and directors during zoom calls to empty company bank accounts
https://www.securitynewspaper.com/2022/02/17/how-scammers-are-using-deep-fake-to-impersonate-ceo-and-directors-during-zoom-calls-to-empty-company-bank-accounts/ (Thu, 17 Feb 2022 17:40:11 +0000)

The post How scammers are using deep fake to impersonate CEO and directors during zoom calls to empty company bank accounts appeared first on Information Security Newspaper | Hacking News.

]]>
A security alert issued by the Federal Bureau of Investigation (FBI) signals the detection of a wave of the attack known as business email compromise (BEC), in which threat actors use social engineering, phishing and even artificial intelligence tools such as deepfakes to join video call sessions on platforms such as Zoom and intercept bank transfers issued by affected organizations.

The Agency believes that the recent focus on videoconferencing platforms is a new attempt by threat actors to abuse the trend towards remote work during the pandemic: “Between 2020 and 2021 we detected an increase in BEC complaints related to the use of videoconferencing platforms for malicious purposes,” the researchers note.

Threat actors have devised an attack that combines several malicious techniques focused specifically on video calling platforms, managing to deceive members of organizations by posing as directors, owners or finance staff in order to collect confidential financial information.

The FBI detailed some scenarios of this attack variant, including:

  • Employing stolen images and deepfake audio, threat actors could pose as company directors, inviting employees to illegitimate virtual meetings to obtain transfers to hacker-controlled accounts
  • Threat actors can pose as employees to simply intercept sensitive information of the affected company
  • Using the stolen information, hackers can deploy phishing and social engineering campaigns for subsequent attacks

Through its Internet Crime Complaint Center (IC3), the FBI reports that these types of attacks proved very lucrative over the past two years, generating losses of approximately $1.8 billion USD, more than a quarter of all reported cybercrime losses.

Of the nearly 800,000 complaints received by the IC3, 19,400 relate to BEC attacks, campaigns that primarily affect private organizations, although these attacks are not alien to government agencies.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

The post How scammers are using deep fake to impersonate CEO and directors during zoom calls to empty company bank accounts appeared first on Information Security Newspaper | Hacking News.

APT group TA2541 has been targeting thousands of organizations across aviation, aerospace, transportation, manufacturing, and defense industries worldwide https://www.securitynewspaper.com/2022/02/15/apt-group-ta2541-has-been-targeting-thousands-of-organizations-across-aviation-aerospace-transportation-manufacturing-and-defense-industries-worldwide/ Tue, 15 Feb 2022 19:39:30 +0000 https://www.securitynewspaper.com/?p=24865

A report by security firm Proofpoint details the finding of a hacking campaign employing phishing and social engineering tactics aimed at distributing a dangerous remote access Trojan (RAT) variant on compromised systems. According to the report, this operation is run by TA2541, a hacking group first detected in 2017 and known for threatening critical infrastructure in all parts of the world.

Unlike other similar groups, TA2541 does not usually use current events, topics of general interest or false promotions to attract potential victims. Instead, this group draws on topics related to transportation, aviation, commercial flights, tourism, and the airline industry in general. This campaign has been detected in countries in North America, Europe, Asia and the Middle East.

(Image in the original post: an example of the emails sent by these hackers.)

Proofpoint researchers found that the emails used by this group contained a Google Drive URL that redirects affected users to an obfuscated Visual Basic Script (VBS) file; when executed, the script retrieves an executable embedded as text on hosting platforms such as Pastetext or GitHub.

The attackers run PowerShell from various Windows processes and query Windows Management Instrumentation (WMI) to look for security products on the affected system, attempting to disable them. Finally, they collect information from the affected system before installing the RAT.

In addition to Google Drive, threat actors also use Discord links that redirect users to compressed files containing AgentTesla or Imminent Monitor. TA2541 has also delivered email attachments with embedded executables that contain the malicious URL.

VBS files are used to establish persistence for an AsyncRAT payload: a VBS file pointing to a PowerShell script is added to the home directory.

Experts also report that TA2541 has used more than a dozen different malware payloads since its emergence on the cybercriminal scene. The group has always relied on commodity malware available for sale on criminal forums or in code repositories. While the hackers currently mainly use AsyncRAT, they have also used other variants such as NetWire, Parallax or WSH RAT.

Given the characteristics of the malware variants used by this group, the researchers believe that these campaigns have as their main purpose the collection of information and remote access to infected systems. However, the researchers have not been able to confirm what the real goals of this group are.

This group has been a constant threat for the past few years and is highly likely to remain so in the medium term, so system administrators will need to remain alert to any potential attack attempts related to TA2541.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

The post APT group TA2541 has been targeting thousands of organizations across aviation, aerospace, transportation, manufacturing, and defense industries worldwide appeared first on Information Security Newspaper | Hacking News.

These hexadecimal and octal IP addresses can bypass your security solution. Block them to avoid getting hacked by Emotet malware https://www.securitynewspaper.com/2022/01/25/these-hexadecimal-and-octal-ip-addresses-can-bypass-your-security-solution-block-them-to-avoid-getting-hacked-by-emotet-malware/ Tue, 25 Jan 2022 19:07:09 +0000 https://www.securitynewspaper.com/?p=24766

Cybersecurity specialists from Trend Micro report the detection of a spam campaign dedicated to deploying the Emotet banking Trojan, in which threat actors use hexadecimal and octal representations of IP addresses to evade security solutions that rely on pattern matching.

These campaigns also use social engineering to trick users into enabling document macros, which automates the malware's execution. When the operating system receives a URL containing one of these representations, it automatically converts the value to the familiar dotted-decimal form before initiating the request to the remote server. The main goal of this campaign appears to be the delivery of other malware such as TrickBot and Cobalt Strike.

The samples detected by the experts arrived as an email attachment using Excel 4.0 macros, a feature for automating repetitive tasks in Excel that cybercriminals have abused to deliver malware before. Abusing this feature allows the malware to run as soon as the document is opened, via the auto_open macro.

The URL is obfuscated with collation signs, and the host contains a hexadecimal representation of the IP address. Converting the hexadecimal value yields the familiar dotted-decimal equivalent, 193.42.36.245.

Once executed, the macro invokes cmd.exe, which in turn launches mshta.exe with the URL containing the hexadecimal IP address as its argument, downloading and executing HTML application code from the remote host.

The octal variant likewise uses Excel 4.0 macros to execute the malware when the document is opened. Its URL is also obfuscated with collation signs, but this time the IP address is given in octal.
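To make the evasion concrete, the following is an added example (not code from the Trend Micro report or from this post) showing why a detection rule that matches the dotted-decimal string misses these URLs, and how a defender can normalize any inet_aton-style address literal to dotted decimal before comparing it against a blocklist. The hex and octal encodings below are computed from the 193.42.36.245 address cited above; the URL paths, the blocklist and the sample URL list are constructed placeholders, not indicators from the report.

```python
import re
from urllib.parse import urlparse

# One component of an inet_aton-style address literal:
# 0x.. hexadecimal, leading-0 octal, or plain decimal.
_COMPONENT = re.compile(r"^(?:0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def _parse_component(text):
    """Parse one component using C-style numeric prefixes."""
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)
    return int(text, 10)


def canonicalize_ipv4(host):
    """Normalize any inet_aton-style IPv4 literal to dotted decimal.

    Follows the classic inet_aton rules that OS resolvers apply: one to
    four dot-separated components, each in hex, octal or decimal, with
    the last component filling all remaining low-order bytes. Returns
    None for anything that is not such a literal (e.g. a DNS hostname).
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    if not all(_COMPONENT.match(p) for p in parts):
        return None
    values = [_parse_component(p) for p in parts]
    leading, last = values[:-1], values[-1]
    if any(v > 0xFF for v in leading):
        return None
    remaining_bytes = 4 - len(leading)
    if last >= 1 << (8 * remaining_bytes):
        return None
    addr = 0
    for v in leading:
        addr = (addr << 8) | v
    addr = (addr << (8 * remaining_bytes)) | last
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def url_matches_blocklist(url, blocked_dotted):
    """True if the URL host, once canonicalized, is on the blocklist."""
    host = urlparse(url).hostname or ""
    canonical = canonicalize_ipv4(host)
    return canonical is not None and canonical in blocked_dotted


# Constructed sample URLs: alternative encodings of 193.42.36.245.
# Paths and blocklist are placeholders for the example only.
BLOCKLIST = {"193.42.36.245"}
SAMPLE_URLS = [
    "http://0xC12A24F5/placeholder.html",           # whole address in hex
    "http://0xc1.0x2a.0x24.0xf5/placeholder.html",  # dotted hex
    "http://030112422365/placeholder.html",         # whole address in octal
    "http://0301.052.044.0365/placeholder.html",    # dotted octal
    "http://3240764661/placeholder.html",           # plain 32-bit integer
    "http://193.42.36.245/placeholder.html",        # dotted decimal
]


def naive_hits(urls=SAMPLE_URLS, blocked=BLOCKLIST):
    """Count URLs caught by a raw substring match on the dotted form."""
    return sum(any(ip in u for ip in blocked) for u in urls)


def canonical_hits(urls=SAMPLE_URLS, blocked=BLOCKLIST):
    """Count URLs caught after canonicalizing the host first."""
    return sum(url_matches_blocklist(u, blocked) for u in urls)


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u:46} -> {canonicalize_ipv4(urlparse(u).hostname)}")
    print("naive substring hits:", naive_hits(), "of", len(SAMPLE_URLS))
    print("canonical hits:      ", canonical_hits(), "of", len(SAMPLE_URLS))
```

The substring rule catches only the dotted-decimal URL, while canonicalizing first catches all six. The same normalization is worth applying in proxy logs and mail gateways before any IP-based matching, since the operating system will resolve every one of these forms to the same host.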

This campaign has been active since November 2021, but for the past couple of weeks researchers have observed a sharp peak in activity, so relying solely on security solutions that match raw patterns is not a sound approach.

Trend Micro experts recommend that system administrators take the necessary measures to detect and block this attack vector before attacks are complete.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

The post These hexadecimal and octal IP addresses can bypass your security solution. Block them to avoid getting hacked by Emotet malware appeared first on Information Security Newspaper | Hacking News.
