The Hacker News - Most Trusted Cyber Security and Computer Security Analysis: phishing attack

Luna Moth Gang Invests in Call Centers to Target Businesses with Callback Phishing Campaigns

November 22, 2022 | Ravie Lakshmanan
The Luna Moth campaign has extorted hundreds of thousands of dollars from several victims in the legal and retail sectors. The attacks are notable for employing a technique called callback phishing or telephone-oriented attack delivery (TOAD), in which victims are socially engineered into making a phone call by phishing emails carrying invoice- and subscription-themed lures. Palo Alto Networks Unit 42 said the attacks are the "product of a single highly organized campaign," adding, "this threat actor has significantly invested in call centers and infrastructure that's unique to each victim." The cybersecurity firm described the activity as a "pervasive multi-month campaign that is actively evolving." What makes callback phishing notable is that the email messages contain no malicious attachment or booby-trapped link at all, which leaves email protection solutions nothing to flag and lets the messages slip through. These messages ty
Chinese Hackers Using 42,000 Imposter Domains in Massive Phishing Attack Campaign

November 17, 2022 | Ravie Lakshmanan
A China-based, financially motivated group is leveraging the trust associated with popular international brands to orchestrate a large-scale phishing campaign dating back as far as 2019. The threat actor, dubbed Fangxiao by Cyjax, is said to have registered over 42,000 imposter domains, with initial activity observed in 2017. "It targets businesses in multiple verticals including retail, banking, travel, and energy," researchers Emily Dennison and Alana Witten said. "Promised financial or physical incentives are used to trick victims into further spreading the campaign via WhatsApp." Users who click a link sent through the messaging app are directed to an actor-controlled site, which in turn sends them to a landing domain impersonating a well-known brand, from where the victims are once again redirected to sites distributing fraudulent apps and bogus rewards. These sites prompt visitors to complete a survey to claim cash prizes, in exchange for which the
Warning: New Massive Malicious Campaigns Targeting Top Indian Banks' Customers

November 10, 2022 | Ravie Lakshmanan
Cybersecurity researchers are warning of "massive phishing campaigns" that distribute five different malware families targeting banking users in India. "The bank customers targeted include account subscribers of seven banks, including some of the most well-known banks located in the country and potentially affecting millions of customers," Trend Micro said in a report published this week. Some of the targeted banks include Axis Bank, ICICI Bank, and the State Bank of India (SBI), among others. The infection chains all share a common entry point: SMS messages containing a phishing link that urges potential victims to enter their personal details and credit card information, supposedly to receive a tax refund or credit card reward points. The smishing attacks, which deliver Elibomi, FakeReward, AxBanker, IcRAT, and IcSpy, are just the latest in a series of similar rewards-themed malware campaigns that have been documented by Microsoft, Cyble, and K
Several Cyber Attacks Observed Leveraging IPFS Decentralized Network

November 09, 2022 | Ravie Lakshmanan
A number of phishing campaigns are leveraging the decentralized InterPlanetary File System (IPFS) network to host malware and phishing kit infrastructure and to facilitate other attacks. "Multiple malware families are currently being hosted within IPFS and retrieved during the initial stages of malware attacks," Cisco Talos researcher Edmund Brumaghin said in an analysis shared with The Hacker News. The research mirrors similar findings from Trustwave SpiderLabs in July 2022, which found more than 3,000 emails containing IPFS phishing URLs as an attack vector, calling IPFS the new "hotbed" for hosting phishing sites. IPFS is resilient to both censorship and takedowns, which makes it a double-edged sword. Underlying it is a peer-to-peer (P2P) network that replicates content across participating nodes, so that even if a file is removed from one machine, requests for the resource can still be served by other systems. This also makes it ripe for abuse
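The takedown resistance described above has a practical consequence for defenders: IPFS content is addressed by its content identifier (CID), not by where it is stored, so the same phishing page is reachable through any public gateway and blocking one gateway hostname achieves little. The following added example (not Talos or Trustwave code) pulls CIDs out of the URL shapes that appear in mail bodies and reduces them to a gateway-independent key that a blocklist can pivot on. The email text, the CIDs and the gateway hostnames in it are constructed samples for illustration.

```python
"""Extract IPFS content identifiers (CIDs) from URLs found in email bodies.

Added example, not Cisco Talos or Trustwave code. Three URL shapes name the
same content and are all seen in phishing mail:
    path gateway       https://<gateway>/ipfs/<cid>/login.html
    subdomain gateway  https://<cidv1>.ipfs.<gateway>/login.html
    native URI         ipfs://<cid>/login.html
"""
import re
from dataclasses import dataclass

# CIDv0: base58btc-encoded sha2-256 multihash, 46 chars, always begins "Qm".
# Base58 omits 0, O, I and l, so this class is deliberately case-sensitive.
CIDV0 = r"Qm[1-9A-HJ-NP-Za-km-z]{44}"
# CIDv1 as it appears in gateway URLs: multibase prefix "b" plus lowercase base32.
CIDV1 = r"b[a-z2-7]{58,}"
CID = rf"(?:{CIDV0}|{CIDV1})"
# Optional path after the CID; stops at whitespace, angle brackets or quotes
# so that href="..." wrappers in HTML mail do not leak into the match.
URL_PATH = r"(/[^\s<>\"']*)?"

PATH_GATEWAY = re.compile(rf"https?://([^\s/]+)/ipfs/({CID}){URL_PATH}")
SUBDOMAIN_GATEWAY = re.compile(rf"https?://({CIDV1})\.ipfs\.([^\s/<>\"']+){URL_PATH}")
NATIVE_URI = re.compile(rf"ipfs://({CID}){URL_PATH}")


@dataclass(frozen=True)
class IpfsRef:
    cid: str
    gateway: str  # "" for native ipfs:// URIs
    path: str


def extract_ipfs_refs(text: str) -> list[IpfsRef]:
    """Return every IPFS reference in the text, in the order: path-gateway
    URLs, subdomain-gateway URLs, native URIs."""
    refs: list[IpfsRef] = []
    for m in PATH_GATEWAY.finditer(text):
        refs.append(IpfsRef(m.group(2), m.group(1), m.group(3) or "/"))
    for m in SUBDOMAIN_GATEWAY.finditer(text):
        refs.append(IpfsRef(m.group(1), m.group(2), m.group(3) or "/"))
    for m in NATIVE_URI.finditer(text):
        refs.append(IpfsRef(m.group(1), "", m.group(2) or "/"))
    return refs


def canonical_ipfs_uri(ref: IpfsRef) -> str:
    """Gateway-independent form: the right key for a blocklist or IOC feed,
    because the phishing page stays reachable through any other gateway."""
    return f"ipfs://{ref.cid}{ref.path}"


def distinct_cids(text: str) -> set[str]:
    return {r.cid for r in extract_ipfs_refs(text)}


# Constructed sample: one phishing page mirrored through three URL shapes,
# plus a second CID and a decoy URL that merely contains the word "ipfs".
SAMPLE_EMAIL = """\
Your mailbox password expires today. Review now:
https://ipfs.io/ipfs/bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi/login.html
Mirror: https://bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi.ipfs.dweb.link/login.html
Alt: https://cloudflare-ipfs.com/ipfs/QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG
Or open ipfs://QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG/ in a compatible browser.
Not IPFS: https://example.com/ipfs-overview
"""

if __name__ == "__main__":
    for ref in extract_ipfs_refs(SAMPLE_EMAIL):
        print(f"{ref.gateway or '(native)':24} -> {canonical_ipfs_uri(ref)}")
```

Running it on the sample yields four references but only two distinct CIDs; the ipfs.io and dweb.link URLs collapse to the same canonical `ipfs://` key, which is what you would feed to a blocklist instead of the gateway hostnames.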
Robin Banks Phishing Service for Cybercriminals Returns with Russian Server

November 07, 2022 | Ravie Lakshmanan
A phishing-as-a-service (PhaaS) platform known as Robin Banks has relocated its attack infrastructure to DDoS-Guard, a Russian provider of bulletproof hosting services. The switch comes after "Cloudflare disassociated Robin Banks phishing infrastructure from its services, causing a multi-day disruption to operations," according to a report from cybersecurity company IronNet. Robin Banks was first documented in July 2022, when the platform was found to offer ready-made phishing kits to criminal actors, making it possible to steal the financial information of customers of popular banks and other online services. It was also found to prompt users to enter Google and Microsoft credentials on rogue landing pages, suggesting an attempt on the part of the operators to monetize initial access to corporate networks for post-exploitation activities such as espionage and ransomware. In recent months, Cloudflare's decision to blocklist its infrastruct
BazarCall Call Back Phishing Attacks Constantly Evolving Its Social Engineering Tactics

October 11, 2022 | Ravie Lakshmanan
The operators behind the BazaCall callback phishing method have continued to evolve their social engineering tactics to deploy malware on targeted networks. The scheme ultimately serves as an entry point for financial fraud or for the delivery of next-stage payloads such as ransomware, cybersecurity company Trellix said in a report published last week. Primary targets of the latest attack waves include the U.S., Canada, China, India, Japan, Taiwan, the Philippines, and the U.K. BazaCall, also called BazarCall, first surfaced in 2020 with a novel approach to distributing the BazarBackdoor (aka BazarLoader) malware: manipulating potential victims into calling a phone number given in decoy email messages. These email baits aim to create a false sense of urgency, informing recipients about the renewal of a trial subscription for, say, an antivirus service. The messages also urge them to contact the support desk to cancel the plan, or risk gett
Hackers Can Use 'App Mode' in Chromium Browsers for Stealth Phishing Attacks

October 07, 2022 | Ravie Lakshmanan
In a newly demonstrated phishing technique, the Application Mode feature in Chromium-based web browsers can be abused to create "realistic desktop phishing applications." Application Mode is designed to offer a native-like experience: the website is launched in a separate browser window that displays the site's favicon and hides the address bar. According to security researcher mr.d0x, who also devised the browser-in-the-browser (BitB) attack method earlier this year, a bad actor can combine this behavior with some HTML/CSS trickery to draw a fake address bar at the top of the window and fool users into giving up their credentials on rogue login forms. "Although this technique is meant more towards internal phishing, you can technically still use it in an external phishing scenario," mr.d0x said. "You can deliver these fake applications independently as files." This is
5 Ways to Mitigate Your New Insider Threats in the Great Resignation

September 15, 2022 | The Hacker News
Companies are in the midst of an employee "turnover tsunami" with no signs of a slowdown. According to Fortune Magazine, 40% of U.S. workers are considering quitting their jobs. This trend, coined the great resignation, creates instability in organizations. High employee turnover increases security risk, and companies worldwide are more exposed to attacks that exploit the human factor. At Davos 2022, statistics connected the turmoil of the great resignation to the rise of new insider threats. Security teams are feeling the impact: keeping up with employee security is harder than ever, and companies need a fresh approach to close the gaps and prevent attacks. This article examines what your security team must do within the new organizational dynamics to quickly and effectively address these challenges. Handling Your New Insider Threats: Implementing a successful security awareness program is more challenging than ever for your security team; the new blood coming in cause
New EvilProxy Phishing Service Allowing Cybercriminals to Bypass 2-Factor Security

September 06, 2022 | Ravie Lakshmanan
A new phishing-as-a-service (PhaaS) toolkit dubbed EvilProxy is being advertised on the criminal underground as a means for threat actors to bypass two-factor authentication (2FA) protections employed by online services. "EvilProxy actors are using reverse proxy and cookie injection methods to bypass 2FA authentication – proxifying victim's session," Resecurity researchers said in a Monday write-up. The platform generates phishing links that are nothing but cloned pages designed to compromise user accounts associated with Apple iCloud, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, NPM, PyPI, RubyGems, Twitter, Yahoo, and Yandex, among others. EvilProxy works like other adversary-in-the-middle (AiTM) attacks: users interact with a malicious proxy server that sits between them and the target website, covertly harvesting the credentials and 2FA passcodes entered in the login pages. It's offered on a subscription basis per service
JuiceLedger Hackers Behind the Recent Phishing Attacks Against PyPI Users

September 02, 2022 | Ravie Lakshmanan
More details have emerged about the operators behind the first-known phishing campaign specifically aimed at the Python Package Index (PyPI), the official third-party software repository for the programming language. Connecting it to a threat actor tracked as JuiceLedger, cybersecurity firm SentinelOne, along with Checkmarx, described the group as a relatively new entity that surfaced in early 2022. Initial "low-key" campaigns are said to have involved rogue Python installer applications that delivered a .NET-based malware called JuiceStealer, engineered to siphon passwords and other sensitive data from victims' web browsers. The attacks escalated significantly last month when the JuiceLedger actors targeted PyPI package contributors in a phishing campaign, resulting in the compromise of three packages with malware. "The supply chain attack on PyPI package contributors appears to be an escalation of a campaign begun earlier in th
Twilio Breach Also Compromised Authy Two-Factor Accounts of Some Users

August 29, 2022 | Ravie Lakshmanan
Twilio, which earlier this month became the target of a sophisticated phishing attack, disclosed last week that the threat actors also managed to gain access to the accounts of 93 individual users of its Authy two-factor authentication (2FA) service. The communication tools company said the unauthorized access made it possible for the adversary to register additional devices to those accounts. It has since identified and removed the illegitimately added devices from the impacted accounts. Authy, acquired by Twilio in February 2015, safeguards online accounts with a second security layer to prevent account takeover attacks. It's estimated to have nearly 75 million users. Twilio further noted that its investigation, as of August 24, 2022, had turned up 163 affected customers, up from the 125 it reported on August 10, whose accounts it said were accessed for a limited period of time. Besides Twilio, the sprawling campaign, dubbed 0ktapus by Group-IB, is believed to have struck 136 companies,
Researchers Warn of AiTM Attack Targeting Google G-Suite Enterprise Users

August 24, 2022 | Ravie Lakshmanan
The threat actors behind a large-scale adversary-in-the-middle (AiTM) phishing campaign targeting enterprise users of Microsoft email services have also set their sights on Google Workspace users. "This campaign specifically targeted chief executives and other senior members of various organizations which use [Google Workspace]," Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu detailed in a report published this month. The AiTM phishing attacks are said to have commenced in mid-July 2022, following a modus operandi similar to that of a social engineering campaign designed to siphon users' Microsoft credentials and bypass multi-factor authentication. The low-volume Gmail AiTM phishing campaign also uses the compromised email accounts of chief executives to conduct further social engineering, with the attacks also relying on several compromised domains as intermediate URL redirectors to take victims to the final landing page. Attack cha
Microsoft Warns About Phishing Attacks by Russia-linked Hackers

August 16, 2022 | Ravie Lakshmanan
Microsoft on Monday revealed it has taken steps to disrupt phishing operations undertaken by a "highly persistent threat actor" whose objectives align closely with Russian state interests. The company tracks the espionage-oriented activity cluster under the chemical-element-themed moniker SEABORGIUM, which it said overlaps with a hacking group also known as Callisto, COLDRIVER, and TA446. "SEABORGIUM intrusions have also been linked to hack-and-leak campaigns, where stolen and leaked data is used to shape narratives in targeted countries," Microsoft's threat hunting teams said. "Its campaigns involve persistent phishing and credential theft campaigns leading to intrusions and data theft." Attacks launched by the group are known to target the same organizations with consistent methodologies applied over long periods of time, enabling it to infiltrate the victims' social networks through a combination of impersonation,
Nearly 1,900 Signal Messenger Accounts Potentially Compromised in Twilio Hack

August 16, 2022 | Ravie Lakshmanan
Popular end-to-end encrypted messaging service Signal on Monday disclosed that the cyberattack aimed at Twilio earlier this month may have exposed the phone numbers of roughly 1,900 users. "For about 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal," the company said. "All users can rest assured that their message history, contact lists, profile information, whom they'd blocked, and other personal data remain private and secure and were not affected." Signal, which uses Twilio to send SMS verification codes to users registering with the app, said it's in the process of alerting the affected users directly and prompting them to re-register Signal on their devices. The development comes less than a week after Twilio revealed that data associated with about 125 customer accounts was accessed by malicious actors through a phishing attack that duped the comp
Conti Cybercrime Cartel Using 'BazarCall' Phishing Attacks as Initial Attack Vector

August 11, 2022 | Ravie Lakshmanan
A trio of offshoots from the notorious Conti cybercrime cartel have adopted callback phishing as an initial access vector to breach targeted networks. "Three autonomous threat groups have since adopted and independently developed their own targeted phishing tactics derived from the call back phishing methodology," cybersecurity firm AdvIntel said in a Wednesday report. These targeted campaigns "substantially increased" attacks against entities in the finance, technology, legal, and insurance sectors, the company added. The actors in question are Silent Ransom, Quantum, and Roy/Zeon, all of which split from Conti after the ransomware-as-a-service (RaaS) cartel orchestrated its shutdown in May 2022 following its public support for Russia in the ongoing Russo-Ukrainian conflict. The advanced social engineering tactic, also called BazaCall (aka BazarCall), came under the spotlight in 2020/2021 when it was put to use by operators of the
Twilio Suffers Data Breach After Employees Fall Victim to SMS Phishing Attack

August 09, 2022 | Ravie Lakshmanan
Customer engagement platform Twilio on Monday disclosed that a "sophisticated" threat actor gained "unauthorized access" to information on a "limited number" of customer accounts through an SMS-based phishing campaign aimed at its staff. The social-engineering attack was aimed at stealing employee credentials, the company said, calling the as-yet-unidentified adversary "well-organized" and "methodical in their actions." The incident came to light on August 4. "This broad based attack against our employee base succeeded in fooling some employees into providing their credentials," it said in a notice. "The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data." The communications giant has 268,000 active customer accounts, and counts companies like Airbnb, Box, Dell, DoorDash, eBay, Glassdoor, Lyft, Salesforce, Stripe, Twitter,
Researchers Warn of Large-Scale AiTM Attacks Targeting Enterprise Users

August 03, 2022 | Ravie Lakshmanan
A new, large-scale phishing campaign has been observed using adversary-in-the-middle (AiTM) techniques to get around security protections and compromise enterprise email accounts. "It uses an adversary-in-the-middle (AitM) attack technique capable of bypassing multi-factor authentication," Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu said in a Tuesday report. "The campaign is specifically designed to reach end users in enterprises that use Microsoft's email services." Prominent targets include the fintech, lending, insurance, energy, manufacturing, and federal credit union verticals in the U.S., U.K., New Zealand, and Australia. This is not the first time such a phishing attack has come to light. Last month, Microsoft disclosed that over 10,000 organizations had been targeted since September 2021 by means of AiTM techniques to breach accounts secured with multi-factor authentication (MFA). The ongoing campaign, effective June 2022,
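The EvilProxy and Zscaler items above describe the same mechanism: the victim authenticates through the attacker's reverse proxy, which relays the password and the one-time code to the real service and keeps the session cookie that comes back. The identity provider therefore records an ordinary, MFA-complete login; what remains visible is the stolen cookie being presented later from a different client. The following added example (not Zscaler or Resecurity code) runs that check over a constructed sign-in log. The log format, field names, session identifiers and IP addresses (RFC 5737 documentation ranges) are invented for illustration.

```python
"""Flag authenticated sessions whose cookie is presented by a different client
than the one that passed MFA, the post-login trace left by an AiTM proxy.

Added example, not Zscaler or Resecurity code. The proxy completes MFA on the
victim's behalf (often forwarding the victim's User-Agent), then the attacker
imports the captured cookie into their own browser. A cookie that changes
browsers mid-session is the signal this check looks for.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str          # "mfa_success" mints a session; "session_use" presents its cookie
    user: str
    session_id: str
    ip: str
    user_agent: str


@dataclass(frozen=True)
class Alert:
    user: str
    session_id: str
    severity: str      # "high" or "medium"
    reasons: tuple


def parse_log(text: str) -> list[Event]:
    """Parse the constructed pipe-delimited format:
    ts|kind|user|session_id|client_ip|user_agent (user_agent may contain '|')."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, sid, ip, ua = line.split("|", 5)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, user, sid, ip, ua))
    return events


def detect_session_replay(events: list[Event]) -> list[Alert]:
    """Compare every cookie presentation with the client that minted the session."""
    minted: dict[str, Event] = {}
    alerts: list[Alert] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "mfa_success":
            minted[e.session_id] = e
            continue
        if e.kind != "session_use":
            continue
        origin = minted.get(e.session_id)
        if origin is None:
            continue  # minted before the log window; nothing to compare against
        reasons = []
        if e.user_agent != origin.user_agent:
            reasons.append(f"user-agent changed: {origin.user_agent!r} -> {e.user_agent!r}")
        if e.ip != origin.ip:
            reasons.append(f"client ip changed: {origin.ip} -> {e.ip}")
        if not reasons:
            continue
        # A phone legitimately carries its cookie onto a new network, so an IP
        # change alone is medium; a cookie never legitimately jumps browsers,
        # so a User-Agent change is high.
        severity = "high" if e.user_agent != origin.user_agent else "medium"
        alerts.append(Alert(e.user, e.session_id, severity, tuple(reasons)))
    return alerts


# Constructed sample: alice is normal, bob roams between networks on one phone,
# carol's MFA is completed by a proxy (203.0.113.10) and her cookie is then
# replayed from the attacker's own browser on another host.
SAMPLE_LOG = """\
2022-08-02T09:00:00Z|mfa_success|alice|s-alice-1|192.0.2.10|Mozilla/5.0 (Windows NT 10.0) Chrome/103
2022-08-02T09:05:00Z|session_use|alice|s-alice-1|192.0.2.10|Mozilla/5.0 (Windows NT 10.0) Chrome/103
2022-08-02T09:10:00Z|mfa_success|bob|s-bob-1|192.0.2.44|Mozilla/5.0 (iPhone; CPU iPhone OS 15_5) Safari/605.1
2022-08-02T09:40:00Z|session_use|bob|s-bob-1|192.0.2.91|Mozilla/5.0 (iPhone; CPU iPhone OS 15_5) Safari/605.1
2022-08-02T10:00:00Z|mfa_success|carol|s-carol-1|203.0.113.10|Mozilla/5.0 (Windows NT 10.0) Edge/103
2022-08-02T10:03:00Z|session_use|carol|s-carol-1|198.51.100.7|Mozilla/5.0 (X11; Linux x86_64) Firefox/102
"""

if __name__ == "__main__":
    for a in detect_session_replay(parse_log(SAMPLE_LOG)):
        print(f"[{a.severity}] {a.user} {a.session_id}: " + "; ".join(a.reasons))
```

On the sample, bob produces a medium alert (IP change only) and carol a high one (new browser and new host). Browser auto-updates also change the User-Agent mid-session, so treat the high signal as a trigger to revoke and re-authenticate rather than as proof on its own. The durable fix is the one the proxy cannot relay: origin-bound authenticators such as FIDO2/WebAuthn, whose assertions are tied to the real site's origin and therefore fail when collected on the phishing domain.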