Beware of New Phishing Attacks Mimicking Booking.com and Airbnb

July 7, 2023

Beware of attackers masquerading as well-known vacation rental websites such as Airbnb and Booking.com.

Scammers that prey on tourists for Phishing Attacks are more active once the summer travel season is in full force.

It is recommended to double-check the website URL before entering any credentials on it to prevent being the victim of such scams.

If you’re unsure about the correct address, it’s best to double-check using Wikipedia and a search engine.

Phishing Site Mimicking Booking.com

According to Kaspersky’s research, the fake website’s goal is to collect “email passwords” and email addresses that may also be used as usernames.

The phishers appear to have tangled their nets; their true target is likely credentials for Booking.com accounts.

Phishers harvest login credentials of Booking.com users

Notably, the second-largest group of Booking.com users, hotel and flat owners who utilize the website to draw in customers, was also targeted by phishers. There are fake websites that collect usernames and passwords for them as well.

Website pretending to be Booking.com harvests credentials of hotel and apartment owners

Scammers Target Airbnb Users

A fake Airbnb site, which is a replica of the real one, advertises appealing flat rentals while persistently informing users that they must send money to a third party to finalize their reservation.

Fake Airbnb site urges visitors to pay for a non-existent booking

Other Online Scams

Scam sites promise great items in exchange for taking a survey. In this example, travel surveys with a $100 reward.

At the end of the survey, the fraudsters typically ask the victim for personal information such as their first and last name, address, phone number, and, in some cases, Phishing Attacks, payment information.

Such information may be utilized for a variety of unpleasant things in the future, ranging from identity theft to hacking into financial accounts. The “prize,” on the other hand, is not exactly forthcoming.

Airline passengers are another common target for phishers. Fake websites impersonating the official sites of several carriers are constantly appearing. The larger the airline, the more likely phishers would target its customers’ credentials.

DocumentFREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Beware Of Online Scammers And Phishers

Only utilize reliable websites. Before entering any sensitive information, such as a login and password or a credit card number, double-check the website URL.

Install a reputable antivirus with built-in protection against online fraud and phishing on all your devices. This will provide you with an early warning about sites to avoid.

Is this Website Safe: How to Check Website Safety – 2023

The post Beware of New Phishing Attacks Mimicking Booking.com and Airbnb appeared first on Cyber Security News.

Cyber Security News

The usual suspects are up to their usual tricks.

ODNI’s Annual Threat Assessment highlights the usual suspects. The White House meets with UnitedHealth Group’s CEO. A convicted LockBit operator gets four years in prison. The Clop ransomware group leaks data from major universities. Equilend discloses a data breach. Fortinet announces critical and high-severity vulnerabilities. GhostRace exploits speculative race conditions in popular CPUs. Incognito Market pulls the rug and extorts its users. Patch Tuesday notes. On the Learning Layer, Sam Meisenberg talks with Joe Carrigan from Johns Hopkins University Information Security Institute, and co-host of Hacking Humans podcast. They explore Joe’s journey on the road to taking his CISSP test. And, I do not authorize Facebook, Meta or any of its subsidiaries to use this podcast. Read More

The CyberWire

Vigil: Open-source Security Scanner for LLM Models Like ChatGPT

An open-source security scanner, developed by Git Hub user Adam Swanda, was released to explore the security of the LLM model. This model is utilized by chat assistants such as ChatGPT.

This scanner, which is called ‘Vigil’, is specifically designed to analyze the LLM model and assess its security vulnerabilities. By using Vigil, developers can ensure that their chat assistants are safe and secure for use by the public.

As the name suggests, a large language model can understand and create any language. LLMs learn these skills by using huge amounts of data to learn billions of factors during training and by using a lot of computing power while they are studying and running.

Vigil Tool

If you want to ensure the safety and security of your system, Vigil is a useful tool for you. Vigil is a Python module and REST API that can help you identify prompt injections, jailbreaks, and other potential threats by evaluating Large Language Model prompts and responses against various scanners.

The repository also includes datasets and detection signatures, making it easy for you to begin self-hosting. With Vigil, you can rest assured that your system is secure and protected.

Currently, this application is in alpha testing and should be considered experimental.

Document

Protect Your Storage With SafeGuard

Is Your Storage & Backup Systems Fully Protected? – Watch 40-second Tour of SafeGuard

StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.

ADVANTAGES:

Examine LLM prompts for frequently used injections and inputs that present risk.

Use Vigil as a Python library or REST API

Scanners are modular and easily extensible

Evaluate detections and pipelines with Vigil-Eval (coming soon)

Available scan modules

Supports local embeddings and/or OpenAI

Signatures and embeddings for common attacks

Custom detections via YARA signatures

To protect against known attacks, one effective approach is using a Vigil to prompt injection technique. This method involves detecting known techniques used by attackers, thereby strengthening your defense against the more common or documented attacks.

Prompt Injection When an attacker generates inputs to manipulate a large language model (LLM), the LLM becomes vulnerable and unknowingly carries out the attacker’s aims.

This can be done directly by “jailbreaking” the prompt on the system or indirectly by manipulating external inputs, which may result in social engineering, data exfiltration, and other problems.

If you want to load the vigil by appropriate datasets for embedding the model with the loader.py utility.

The set scanners examine the submitted prompts; every one can help with the ultimate identification. Scanners are:

Vector database

YARA / heuristics

Transformer model

Prompt-response similarity

Canary Tokens

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.

The post Vigil: Open-source Security Scanner for LLM Models Like ChatGPT appeared first on Cyber Security News.

Cyber Security News

Bondnet Using High-Performance Bots For C2 Server

Threat actors abuse high-performance bots to carry out large-scale automated attacks efficiently.

These bots can work quickly, flood systems, steal information, and conduct and orchestrate sophisticated cyber operations largely autonomously.

Cybersecurity researchers at ASEC recently discovered that Bondnet has used high-performance bots for C2 servers.

Technical Analysis

Bondnet, a threat actor deploying backdoors and cryptocurrency miners since 2017, was still finding new approaches.

The ASEC researchers noted that Bondnet configures reverse RDP environments on fast stolen systems using them as C2 servers.

Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot

It meant modifying an open-source, fast reverse proxy (FRP) tool embedding the threat actor’s proxy server information.

This included setting up an FRP-based reverse RDP environment, whereby Bondnet ran various programs onto the targets, like the Cloudflare tunneling client, for remote access, ensuring that they remained vigilant about keeping hold of compromised valuables.

Cloudflare tunneling client (Source – ASEC)

Cloudflare tunneling client is one of the attempts Bondnet threat actors used to connect a service on the compromised target with their C2 domain after registering a C2 domain on Cloudflare.

One of the applications executed was HFS, which provided a file server service on TCP port 4000. The software’s architecture resembled this threat actor’s Command and Control infrastructure.

The HFS Golang program encountered environmental issues, which made it impossible to observe how the system could have been changed into a command-and-control one.

However, strong evidence indicates that Bondnet wished to exploit high-speed compromised systems as part of their C2 infrastructure via this tunneling means.

Bondnet, a threat actor, linked compromised targets with the Cloudflare tunneling client and HFS program to associate system services with the Cloudflare-hosted C2 domain.

They might have intended to convert high-performance bots into their C2 infrastructure via reverse RDP connections.

No data exfiltration or lateral movement was detected, although similarities between the HFS program UI and the actor’s C2 suggested its expected use.

During analysis of this system, it turned out that the HFS program did not work properly.

Some months later, the actors’ C2 UI changed, with new malicious files appearing and those that were deleted previously being restored, suggesting that they may have used another compromised bot using different tooling after facing issues while turning the initial target into a C2 node.

IOCs

MD5s

D6B2FEEA1F03314B21B7BB1EF2294B72(smss.exe)

2513EB59C3DB32A2D5EFBEDE6136A75D(mf)

E919EDC79708666CD3822F469F1C3714(hotfixl.exe)

432BF16E0663A07E4BD4C4EAD68D8D3D(main.exe)

9B7BE5271731CFFC51EBDF9E419FA7C3(dss.exe)

7F31636F9B74AB93A268F5A473066053(BulletsPassView64.exe)

D28F0CFAE377553FCB85918C29F4889B(VNCPassView.exe)

6121393A37C3178E7C82D1906EA16FD4(PstPassword.exe)

0753CAB27F143E009012053208B7F63E(netpass64.exe)

782DD6152AB52361EBA2BAFD67771FA0(mailpv.exe)

8CAFDBB0A919A1DE8E0E9E38F8AA19BD(PCHunter32.exe)

00FA7F88C54E4A7ABF4863734A8F2017(fast.exe)

AD3D95371C1A8465AC73A3BC2817D083(kit.bat)

15069DA45E5358578105F729EC1C2D0B(zmass_2.bat)

28C2B019082763C7A90EF63BFD2F833A(dss.bat)

5410539E34FB934133D6C689072BA49D(mimikatz.exe)

59FEB67C537C71B256ADD4F3CBCB701C(ntuser.cpl)

0FC84B8B2BD57E1CF90D8D972A147503(httpd.exe)

057D5C5E6B3F3D366E72195B0954283B(check.exe)

35EE8D4E45716871CB31A80555C3D33E(UpSql.exe)

1F7DF25F6090F182534DDEF93F27073D(svchost.exe)

DC8A0D509E84B92FBF7E794FBBE6625B(svchost.com)

76B916F3EEB80D44915D8C01200D0A94(RouterPassView.exe)

44BD492DFB54107EBFE063FCBFBDDFF5(rdpv.exe)

E0DB0BF8929CCAAF6C085431BE676C45(mass.dll)

DF218168BF83D26386DFD4ECE7AEF2D0(mspass.exe)

35861F4EA9A8ECB6C357BDB91B7DF804(pspv.exe)

URLs And C2s

223.223.188[.]19

185.141.26[.]116/stats.php

185.141.26[.]116/hotfixl.ico

185.141.26[.]116/winupdate.css

84.46.22[.]158:7000

46.59.214[.]14:7000

46.59.210[.]69:7000

47.99.155[.]111

d.mymst[.]top

m.mymst[.]top

frp.mymst007[.]top

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free

The post Bondnet Using High-Performance Bots For C2 Server appeared first on Cyber Security News.