A fake Volkswagen campaign is making its way across social media platforms, luring in victims with promises of a free Volkswagen car giveaway – but instead redirecting them to third-party ad servers.
Victims are first sent messages via WhatsApp or Facebook, purporting to be from Volkswagen and claiming it will give away up to 20 free cars until the end of the year, researchers with Sucuri said. Targets of the scam are instructed to participate in the contest by clicking a link embedded in the message. However, the link attached to the messages sent via social media does not appear to collect personal information – but instead tries to redirect victims to various advertising networks.
Read more about the Volkswagen scam campaign on Threatpost.
In what appears to be a first on the cyber-espionage scene, a nation-state-backed hacking group has used a Google Chrome extension to infect victims and steal passwords and cookies from their browsers.
This is the first time an APT (Advanced Persistent Threat, an industry term for nation-state hacking groups) has been seen (ab)using a Chrome extension. A pending report by the ASERT team at Netscout reveals the details of a spear-phishing campaign that’s been pushing a malicious Chrome extension since at least May 2018. Researchers said they found evidence suggesting that the group may be based in North Korea.
Read more about the cyber-espionage campaign on ZDNet.
There is not enough evidence to attribute a recent wave of spear-phishing emails impersonating personnel at the United States Department of State to Russian hackers, Microsoft says.
The attack, which started on November 14, was previously said to have been the work of Cozy Bear, a Russian threat actor involved in hacking incidents during the 2016 U.S. presidential election. Microsoft, which tracks the adversary as YTTRIUM, begs to differ. “Microsoft does not yet believe that enough evidence exists to attribute this campaign to YTTRIUM,” the software giant says.
Read more about Microsoft’s take on the campaign on SecurityWeek.
A new campaign delivering various remote access Trojans (RATs) is likely the work of a known Dridex/Locky operator, Morphisec security researchers warn. Dubbed Pied Piper, the campaign targets users in multiple countries and is likely operated by TA505, the threat group known to have orchestrated large Dridex and Locky attacks in the past. Observed starting last week, the phishing attempts use documents with malicious macros for malware delivery.
The campaign is multi-staged and still ongoing, with one version delivering the FlawedAmmyy RAT and another dropping the Remote Manipulator (RMS) RAT. Earlier this year, TA505 was observed exploiting an Office zero-day to deliver the FlawedAmmyy RAT.
Maybe you were once advised to “look for the padlock” as a means of telling legitimate e-commerce sites from phishing or malware traps. Unfortunately, this has never been more useless advice. New research indicates that half of all phishing scams are now hosted on Web sites whose Internet address includes the padlock and begins with “https://”.
Recent data from anti-phishing company PhishLabs shows that 49 percent of all phishing sites in the third quarter of 2018 bore the padlock security icon next to the phishing site domain name as displayed in a browser address bar. That’s up from 25 percent just one year ago, and from 35 percent in the second quarter of 2018.
A phishing campaign with a clever Spotify lure has been spotted trying to harvest user credentials for the popular streaming service. Researchers at AppRiver detected the offensive earlier this month, in a campaign looking to compromise Spotify customers using bogus – but convincing – emails with the purpose of hijacking the owner’s account.
The emails attempt to dupe users into clicking on a phishing link that redirects them to a deceptive website. Once at the site, users are prompted to enter their username and password, which go straight into the attackers’ repository of stolen credentials.
Read more about the recent Spotify phishing campaign on Threatpost.
Emotet, the seemingly ubiquitous banking trojan, has turned up again after a small hiatus, this time as the anchor in a Thanksgiving-themed campaign that cranked up in the U.S. this week. It has also upgraded its capabilities with new tactics and modules, which has boosted its efficacy, according to researchers.
Looking to take advantage of a nation preparing for a collective food coma, the cybercriminals behind the campaign have so far sent out 27,000 or so messages daily, with verbiage that marks a departure from the standard financial themes regularly seen used as phishing lures by the group.
Read more about Emotet’s Thanksgiving campaign on Threatpost.
A Russian state-sponsored cyber-espionage group has come back to life after a one-year period of inactivity with a relatively large spear-phishing campaign that has targeted both the US government and private sector.
The hacking group is known in infosec circles as Cozy Bear, APT29, The Dukes, or PowerDuke, and is infamous because it’s one of the two Russian state hacking crews that hacked the Democratic National Committee before the 2016 US Presidential Elections. “On 14 November 2018, CrowdStrike detected a widespread spear-phishing campaign against multiple sectors,” Adam Meyers, VP of Intelligence, told ZDNet.
Read more about the new attack campaign by Cozy Bear on ZDNet.
Banks in Russia today were the target of a massive phishing campaign that aimed to deliver a tool used by the Silence group of hackers. The group is believed to have a background in legitimate infosec activities and access to documentation specific to the financial sector.
The fraudulent emails purported to come from the Central Bank of Russia (CBR) and contained a malicious attachment. The message body lured the recipients to open the attachment in order to check the latest details on the “standardization of the format of CBR’s electronic communications.” International cybersecurity company Group-IB investigated the attack.
Anti-phishing firm Cofense has discovered an uptick in the use of .com file extensions in phishing emails. The .com file extension designated executable files in DOS and Windows 95, 98 and Me. It has been replaced by .exe in later versions of the OS. However, for backwards compatibility, Windows will still attempt to execute a file with the .com extension.
Throughout October, Cofense analyzed 132 unique phishing samples with the .com extension. To put this uptick in context, it found only 34 samples in the entire preceding nine months of 2018. The most popular subject line lures in the new campaign (or campaigns) are ‘payment’ and ‘purchase order’ themes.
Read more about the findings of the new Cofense report on SecurityWeek.
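The .com finding above is the one item in this roundup that translates directly into a mail-gateway check: Windows resolves a filename’s extension case-insensitively, ignores trailing dots and spaces, and will hand a .com file to the loader even though most users have never seen the extension. The following screening routine is an added example, not code from Cofense or from the article; the extension lists, the `assess_attachment`/`scan_attachments` function names and the sample attachment names and bytes are all constructed for illustration. It flags legacy executable extensions, double extensions such as invoice.pdf.com, whitespace padding, and a PE (“MZ”) header hiding under a document extension.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Extensions Windows will hand to the loader or a script host directly.
# This list is an assumption made for the example, not Cofense's list.
EXECUTABLE_EXTENSIONS = {
    "com", "exe", "scr", "pif", "bat", "cmd", "vbs", "vbe",
    "js", "jse", "wsf", "wsh", "hta", "msi", "ps1",
}

# Extensions phishers place in front of the real one ("invoice.pdf.com").
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "zip"}


@dataclass
class Verdict:
    filename: str
    flagged: bool
    reasons: Tuple[str, ...]


def normalise(name: str) -> str:
    """Mimic how Windows resolves an extension: trailing dots and spaces
    are ignored and matching is case-insensitive."""
    return name.strip().rstrip(". ").lower()


def assess_attachment(name: str, head: bytes = b"") -> Verdict:
    """Flag an attachment by filename and, optionally, by its first bytes.

    `head` is the start of the file content; a PE image begins with the
    "MZ" signature regardless of what the extension claims."""
    clean = normalise(name)
    parts = clean.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    reasons = []

    if ext in EXECUTABLE_EXTENSIONS:
        # ".com" is the case the Cofense figures describe: a DOS-era
        # extension most users never see, but one Windows still runs.
        # A name that looks like a domain ("www.example.com") is still
        # a .com file to Windows.
        reasons.append(f"executable extension .{ext}")
        if len(parts) > 2 and parts[-2] in DECOY_EXTENSIONS:
            reasons.append(f"double extension .{parts[-2]}.{ext}")

    if re.search(r"\s{2,}", clean):
        # Runs of spaces push the real extension out of a narrow
        # attachment column in the mail client.
        reasons.append("whitespace padding in filename")

    if head.startswith(b"MZ"):
        if ext not in EXECUTABLE_EXTENSIONS:
            reasons.append("PE header under a non-executable extension")
        else:
            reasons.append("PE header present")

    return Verdict(name, bool(reasons), tuple(reasons))


def scan_attachments(items: List[Tuple[str, bytes]]) -> List[Verdict]:
    """Return a verdict for every attachment; a gateway would quarantine
    the flagged ones and pass the rest through."""
    return [assess_attachment(n, h) for n, h in items]


# Constructed sample attachments in the 'payment' and 'purchase order'
# themes the report mentions. Names and bytes are made up for the example.
SAMPLE_ATTACHMENTS = [
    ("Payment_Advice_2018-11.COM", b"MZ\x90\x00\x03\x00"),
    ("Purchase Order.pdf.com", b"\xb8\x00\x4c\xcd\x21"),
    ("invoice.com . ", b""),
    ("Q3_Report.pdf", b"%PDF-1.7"),
    ("Q3_Report.pdf", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for v in scan_attachments(SAMPLE_ATTACHMENTS):
        status = "FLAG" if v.flagged else "ok  "
        print(f"{status} {v.filename!r}: {'; '.join(v.reasons) or 'no indicators'}")
```

The filename checks are cheap enough to run on every message; the header check needs the first few bytes of the decoded attachment, which most gateways already extract for content scanning. Neither replaces a sandbox detonation, but together they catch the .com lure described above before a user ever sees an unfamiliar extension.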