In today’s threat landscape, technology-driven exploits remain a source of inspiration for malicious activity on the web. I just recently identified five Microsoft Office vulnerabilities that have contributed to a surge in digital attacks. Bad actors are using those weaknesses to distribute Loki, Formbook, and other malware.
Vulnerabilities aren’t the only driver of web-based attacks, however. In its 2018 Data Breach Investigations Report (DBIR), Verizon Enterprise tracked 1,450 security incidents that exploited the “human factor.” Phishing alone accounted for 82% of those incidents. Reflecting this prevalence, bad actors have launched numerous phishing campaigns in 2018. Provided below are five of the most notable campaigns to occur this year so far.
1) Malicious emails sent from compromised MailChimp accounts
In mid-January, security researchers spotted the first instance of a phishing campaign in which attackers abused compromised MailChimp accounts to send out fake invoice notifications. Those emails arrived with .ZIP archives concealing .js files that downloaded the GootKit infostealer.
At the time of discovery, security experts hypothesized that criminals were abusing weak, breached and/or reused credentials to hack users’ MailChimp accounts. They also reasoned that bad actors were targeting these accounts in particular because MailChimp is an established email marketing provider and so does not run into too many problems with spam filters.
These spam email campaigns leveraging compromised MailChimp accounts ran for approximately three and a half months, with the last instances of spam appearing in early April.
2) GDPR-related phishing scams surface
Leading up to the date the European Union’s General Data Protection Regulation (GDPR) came into effect, the world inevitably saw the emergence of phishing scams attempting to exploit confusion surrounding the Standard. As one example, researchers at Redscan detected an operation which leveraged emails claiming to have originated from Airbnb. The messages presumed the recipient was an Airbnb host and told them they could not accept any more guests or send messages until they had accepted a new privacy policy that “is mandatory because of the new changes in the EU Digital privacy legislation that acts upon United-States-based companies, like Airbnb in order to protect European citizens and companies.”
Clicking on the acceptance link, however, led the recipients to a page that asked them to submit their personal data including their financial details and account credentials.
3) Tax scammers begin masquerading as accounting associations
More than a month after Tax Day 2018, the Internal Revenue Service warned tax professionals about a new scam. In the ruse, criminals masqueraded as state accounting and professional associations in order to send fake emails to tax professionals. Those messages asked recipients to disclose their email usernames and passwords so that they could obtain access to the tax professionals’ accounts, steal their clients’ data, and either sell this information or use it to file fraudulent tax returns.
At the time of discovery, the IRS had detected attack attempts against tax professionals in Iowa, Illinois, New Jersey, and North Carolina.
4) Attackers launch iterative campaigns experimenting with shortcut and web query files
In July 2018, Proofpoint detected a phishing campaign in which a known threat actor called TA505 sent out hundreds of thousands of attack emails. Those messages contained a unique attachment: PDF files with malicious .SettingContent-ms files, XML documents which allow Windows 10 users to create shortcuts to settings pages. A security researcher found that an attacker could use the .SettingContent-ms files to run arbitrary commands while avoiding precautions introduced by Windows 10.
In this particular campaign, TA505 leveraged .SettingContent-ms files embedded within malicious PDFs to launch a PowerShell script and download the FlawedAmmyy remote access trojan (RAT). Based on the leaked source code for the remote desktop software Ammyy Admin, FlawedAmmyy grants attackers complete access to an infected machine.
These aren't the only legitimate file type TA505 have been abusing, however. Over the course of the summer the threat actors have launched a variety of campaigns deploying Excel Web Query (IQY) files to spread malware, as well.
5) Sextortion scammers use breached passwords to lure in victims
Also in July, security researchers detected a sextortion scam campaign where criminals sent out emails in which they claimed they had recordings of the recipients watching porn. In their emails, they included a breached password that at one point belonged to the recipient and said they had obtained it with the help of a keylogger. Realistically, the bad actors obtained the passwords as a result of a recent data breach.
In another variant of the campaign, scammers lured in potential victims with their redacted phone numbers. Attackers likely obtained these numbers also as a result of previous security incidents that resulted in data disclosure.
Unfortunately, some users fell for the ploys and met the sextortionists’ ransom demands. One security researcher tracking the Bitcoin addresses tied to the campaigns observed that the criminals had made $500,000 as of August 21. That's more than 3x the amount the attackers behind last year's WannaCry ransomware outbreak reportedly made.
No comments:
Post a Comment