Facebook Phishing Attack Chain Infrastructure Uncovered

Facebook Phishing Attack Chain Infrastructure Uncovered

Phishing campaigns are still the most effective way to hack a person, spread malware, infiltrate an organization or conduct any cybercriminal activities.

Though several security measures have been taken against phishing campaigns, threat actors are still coming up with various sophisticated methods for succeeding in them.

Read moreBuilding cyber skills and roles from CyBOK foundations

Recent reports from Zero Day’s Security Platform indicate that threat actors are currently conducting a phishing scam in the name of the social media giant “Meta” which stated a community guidelines violation on Facebook that can lead to the deactivation of the account.

One of the emails was received by PhishZDL, Zero Day Security Platform.

Phishing Email Analysis

Read moreAccessibility as a cyber security priority

In the same way as any other phishing campaign, this email also tends to create an emotional response from the victim that could potentially lead to clicking the embedded link in the body of the email, which will land on a phishing page.

Meta Phishing Campaign

Read moreNew interactive video - and related downloads - to help secondary school kids stay safe online

The Phishing page had the domain hxxps://meta-business-care-7faed[.]web[.]app looks like a legitimate Meta Support team page along with the logo. The page displays the information as the page has been flagged for suspicious activity. 

Meta Phishing Page

Read moreNigerian Cybercrime Ring's Phishing Tactics Exposed

In addition to the above message, the page has an option for victims to appeal against the suspension which asks for Email ID, Phone Number, and other details.

Submitting these details will result in the attacker getting Personally Identifiable Information (PII) that can lead to account takeovers and much more.

SSL Certified Phishing Pages

Read moreS3 Ep135: Sysadmin by day, extortionist by night

These phishing pages have an SSL certificate that was issued by Google Trust Service LLC and have multiple falsely branded phishing pages like Dropbox, Microsoft Outlook, and Sharepoint.

A complete technical analysis of these phishing campaigns has been released by Zero Day.

Read moreUS offers $10m bounty for Russian ransomware suspect outed in indictment

SSL Certified Phishing Page

The number of people that fell victim to these phishing campaigns is reported to be 40,000 or higher.

Read moreBelkin Wemo Smart Plug V2 – the buffer overflow that won’t be patched

It is recommended that every individual be aware of phishing campaigns and be vigilant to protect personal information.

Domains used for this phishing campaign

https://ad-account-disabled-[random].web.app

Read moreZut alors! Raclage crapuleux! Clearview AI in 20% more trouble in France

https://business-request-appeal-[random].firebaseapp.com

https://due-to-policy-[random].web.app

Read moreHeads Up CEO! Cyber Risk Influences Company Credit Ratings

https://fb-restriction-case-[random].web.app

https://infringement-case-[random].web.app

Read moreCISA, NSA Issue New IAM Best Practice Guidelines

https://meta-business-case-[random].web.app

https://meta-for-business-case-[random].web.app

Read more6 Ways to Mitigate Risk While Expanding Access

https://policy-violation-[random].web.app
DocumentFREE Demo


Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Read moreHypervisors and Ransomware: Defending Attractive Targets

The post Facebook Phishing Attack Chain Infrastructure Uncovered appeared first on Cyber Security News.

Read moreNIST Launches Cybersecurity Initiative for Small Businesses

   Read More 

Cyber Security News 

Related Posts

Google Calendar RAT Abusing Calendar Events to Create Red Teaming Infrastructure
Google Calendar RAT Abusing Calendar Events to Create Red Teaming Infrastructure

Google Calendar RAT Abusing Calendar Events to Create Red Teaming Infrastructure

Google Calendar RAT (GCR) is a proof of concept for Command & Control (C2) via Google Calendar Events. It’s useful when setting up a full red team infrastructure is challenging.

GCR needs a Gmail account, using event descriptions in Google Calendar as a “Covert Channel” for direct connections to Google. Besides this, it acts as a layer 7 application called Covert Channel, as reported by its developer and researcher, Mr. Saighnal (aka Valerio Alessandroni).

When GCR is running on a computer that has been hacked, it checks the calendar event description for new commands every so often. It then runs those commands on the target device and adds the results of the commands to the event description. Based on what the coder said, GCR only talks through official Google infrastructure, which makes it hard for defenders to spot strange behavior, Google said.

GCR Workflow

The red teaming tool uses Google Calendar events for C2. The tool enables an attacker to place commands in the event description field of Google Calendar events.

GCR connects to a shared Google Calendar link, checks for pending commands, and creates a new one “whoami” if none exist. 

In the below image, the complete GCR workflow attack is presented:

GCR Workflow Attack (Source – GitHub)

While apart from this, each event consists of two parts, and here we have mentioned them:-

The Title contains a unique ID allowing multiple commands for scheduling under the same ID.

The run command and its base64-encoded output are contained in the description and are separated by “|”.

Moreover, the connections appear to be completely genuine because they are limited to Google’s servers in terms of networking.

Document

FREE Webinar


Webinar on Cyber Resilience for Financial Sector

Ensure your Cyber Resiliance with the recent wave of cyber-attacks targeting the financial services sector. Almost 60% respondents not confident to recover fully from a cyber attack.

How do I use it?

Here below, we have mentioned all the steps to use it:-

First of all, create a Google service account, get the credentials.json file, and put it in the script’s directory.

Create a new Google calendar, share it with the service account, and update the script with your calendar address.

It automatically creates an event with a distinct target ID and runs the “whoami” command when it is run on the target system.

Now, in the communication’s event description, make sure to use the following syntax:-

=> CLEAR_COMMAND|BASE64_OUTPUT

Earlier, Google TAG noticed an Iran-linked APT group using Gmail for C2 with a small .NET backdoor, BANANAMAIL, in March 2023. Besides this, through IMAP the backdoor checks email accounts for the execution of commands.

We haven’t seen GCR used in real life yet, but Mandiant has seen multiple players share the public proof of concept on underground sites. Google said via a threat report that people are still interested in abusing cloud services.

Patch Manager Plus: Automatically Patch over 850 third-party applications quickly – Try Free Trial.

Also Read:

A New Malware That Hides In The Linux Calendar System on February 31st

What is Red Teaming, Tactics & How Does it Works?

The post Google Calendar RAT Abusing Calendar Events to Create Red Teaming Infrastructure appeared first on Cyber Security News.

   Read More 

Cyber Security News