#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

phishing attack | Breaking Cybersecurity News | The Hacker News

Hackers Increasingly Using HTML Smuggling in Malware and Phishing Attacks

Hackers Increasingly Using HTML Smuggling in Malware and Phishing Attacks
Nov 12, 2021
Threat actors are increasingly banking on the technique of  HTML smuggling  in phishing campaigns as a means to gain initial access and deploy an array of threats, including banking malware, remote administration trojans (RATs), and ransomware payloads. Microsoft 365 Defender Threat Intelligence Team, in a new report published Thursday, disclosed that it identified infiltrations distributing the  Mekotio  banking Trojan, backdoors such as  AsyncRAT  and  NjRAT , and the infamous  TrickBot  malware. The multi-staged attacks — dubbed  ISOMorph  — were also publicly documented by Menlo Security in July 2021. HTML smuggling is an approach that allows an attacker to "smuggle" first-stage droppers, often encoded malicious scripts embedded within specially-crafted HTML attachments or web pages, on a victim machine by taking advantage of basic features in HTML5 and JavaScript rather than exploiting a vulnerability or a design flaw in modern web browsers. By doing so, it enables

Microsoft Warns of TodayZoo Phishing Kit Used in Extensive Credential Stealing Attacks

Microsoft Warns of TodayZoo Phishing Kit Used in Extensive Credential Stealing Attacks
Oct 23, 2021
Microsoft on Thursday disclosed an "extensive series of credential phishing campaigns" that takes advantage of a custom phishing kit that stitched together components from at least five different widely circulated ones with the goal of siphoning user login information. The tech giant's Microsoft 365 Defender Threat Intelligence Team, which detected the first instances of the tool in the wild in December 2020, dubbed the copy-and-paste attack infrastructure " TodayZoo ." "The abundance of phishing kits and other tools available for sale or rent makes it easy for a lone wolf attacker to pick and choose the best features from these kits," the researchers said. "They put these functionalities together in a customized kit and try to reap the benefits all to themselves. Such is the case of TodayZoo." Phishing kits, often sold as one time payments in underground forums, are packaged archive files containing images, scripts, and HTML pages that

Making Sense of Operational Technology Attacks: The Past, Present, and Future

Making Sense of Operational Technology Attacks: The Past, Present, and Future
Mar 21, 2024Operational Technology / SCADA Security
When you read reports about cyber-attacks affecting operational technology (OT), it's easy to get caught up in the hype and assume every single one is sophisticated. But are OT environments all over the world really besieged by a constant barrage of complex cyber-attacks? Answering that would require breaking down the different types of OT cyber-attacks and then looking back on all the historical attacks to see how those types compare.  The Types of OT Cyber-Attacks Over the past few decades, there has been a growing awareness of the need for improved cybersecurity practices in IT's lesser-known counterpart, OT. In fact, the lines of what constitutes a cyber-attack on OT have never been well defined, and if anything, they have further blurred over time. Therefore, we'd like to begin this post with a discussion around the ways in which cyber-attacks can either target or just simply impact OT, and why it might be important for us to make the distinction going forward. Figure 1 The Pu

How Does DMARC Prevent Phishing?

How Does DMARC Prevent Phishing?
Sep 27, 2021
DMARC  is a global standard for email authentication. It allows senders to verify that the email really comes from whom it claims to come from. This helps curb spam and phishing attacks, which are among the most prevalent cybercrimes of today. Gmail, Yahoo, and many other large email providers have implemented DMARC and praised its benefits in recent years. If your company's domain name is bankofamerica.com, you do not want a cyber attacker to be able to send emails under that domain. This puts your brand reputation at risk and could potentially spread financial malware. The DMARC standard prevents this by checking whether emails are sent from an expected IP address or domain. It specifies how domains can be contacted if there are authentication or migration issues and provides forensic information so senders can monitor email traffic and quarantine suspicious emails. What is a Phishing Attack? Phishing is an attempt by cybercriminals to trick victims into giving away sensitive

Automated remediation solutions are crucial for security

cyber security
websiteWing SecurityShadow IT / SaaS Security
Especially when it comes to securing employees' SaaS usage, don't settle for a longer to-do list. Auto-remediation is key to achieving SaaS security.

Microsoft Warns of a Wide-Scale Phishing-as-a-Service Operation

Microsoft Warns of a Wide-Scale Phishing-as-a-Service Operation
Sep 22, 2021
Microsoft has opened the lid on a large-scale phishing-as-a-service (PHaaS) operation that's involved in selling phishing kits and email templates as well as providing hosting and automated services at a low cost, thus enabling cyber actors to purchase phishing campaigns and deploy them with minimal efforts. "With over 100 available phishing templates that mimic known brands and services, the BulletProofLink operation is responsible for many of the phishing campaigns that impact enterprises today," Microsoft 365 Defender Threat Intelligence Team  said  in a Tuesday report. "BulletProofLink (also referred to as BulletProftLink or Anthrax by its operators in various websites, ads, and other promotional materials) is used by multiple attacker groups in either one-off or monthly subscription-based business models, creating a steady revenue stream for its operators." The tech giant said it uncovered the operation during its investigation of a credential phishing

Microsoft Warns of Widespread Phishing Attacks Using Open Redirects

Microsoft Warns of Widespread Phishing Attacks Using Open Redirects
Aug 28, 2021
Microsoft is warning of a widespread credential phishing campaign that leverages  open redirector links  in email communications as a vector to trick users into visiting malicious websites while effectively bypassing security software. "Attackers combine these links with social engineering baits that impersonate well-known productivity tools and services to lure users into clicking," Microsoft 365 Defender Threat Intelligence Team  said  in a report published this week. "Doing so leads to a series of redirections — including a CAPTCHA verification page that adds a sense of legitimacy and attempts to evade some automated analysis systems — before taking the user to a fake sign-in page. This ultimately leads to credential compromise, which opens the user and their organization to other attacks." Although redirect links in email messages serve a vital tool to take recipients to third-party websites or track click rates and measure the success of sales and marketin

Hackers Spotted Using Morse Code in Phishing Attacks to Evade Detection

Hackers Spotted Using Morse Code in Phishing Attacks to Evade Detection
Aug 13, 2021
Microsoft has disclosed details of an evasive year-long social engineering campaign wherein the operators kept changing their obfuscation and encryption mechanisms every 37 days on average, including relying on Morse code, in an attempt to cover their tracks and surreptitiously harvest user credentials. The phishing attacks take the form of invoice-themed lures mimicking financial-related business transactions, with the emails containing an HTML file ("XLS.HTML"). The ultimate objective is to harvest usernames and passwords, which are subsequently used as an initial entry point for later infiltration attempts. Microsoft likened the attachment to a "jigsaw puzzle," noting that individual parts of the HTML file are designed to appear innocuous and slip past endpoint security software, only to reveal its true colors when these segments are decoded and assembled together. The company did not identify the hackers behind the operation. "This phishing campaign ex

Passwordstate Warns of Ongoing Phishing Attacks Following Data Breach

Passwordstate Warns of Ongoing Phishing Attacks Following Data Breach
Apr 30, 2021
Click Studios, the Australian software firm which confirmed a  supply chain attack  affecting its Passwordstate password management application, has warned customers of an ongoing phishing attack by an unknown threat actor. "We have been advised a bad actor has commenced a phishing attack with a small number of customers having received emails requesting urgent action," the company  said  in an updated advisory released on Wednesday. "These emails are not sent by Click Studios." Last week, Click Studios said attackers had employed sophisticated techniques to compromise Passwordstate's update mechanism, using it to drop malware on user computers. Only customers who performed In-Place Upgrades between April 20, 8:33 PM UTC, and April 22, 0:30 AM UTC are said to be affected. While Passwordstate serves about 29,000 customers, the Adelaide-based firm maintained that the total number of impacted customers is very low. It's also urging users to refrain from po

Lazarus APT Hackers are now using BMP images to hide RAT malware

Lazarus APT Hackers are now using BMP images to hide RAT malware
Apr 20, 2021
A spear-phishing attack operated by a North Korean threat actor targeting its southern counterpart has been found to conceal its malicious code within a bitmap (.BMP) image file to drop a remote access trojan (RAT) capable of stealing sensitive information. Attributing the attack to the  Lazarus Group  based on similarities to prior tactics adopted by the adversary, researchers from Malwarebytes said the phishing campaign started by distributing emails laced with a malicious document that it identified on April 13. "The actor has used a clever method to bypass security mechanisms in which it has embedded its malicious  HTA  file as a compressed  zlib  file within a PNG file that then has been decompressed during run time by converting itself to the BMP format," Malwarebytes researchers  said .  "The dropped payload was a loader that decoded and decrypted the second stage payload into memory. The second stage payload has the capability to receive and execute commands

Experts Warns of Notable Increase in QuickBooks Data Files Theft Attacks

Experts Warns of Notable Increase in QuickBooks Data Files Theft Attacks
Feb 24, 2021
New research has uncovered a significant increase in QuickBooks file data theft using social engineering tricks to deliver malware and exploit the accounting software. "A majority of the time, the attack involves basic malware that is often signed, making it hard to detect using antivirus or other threat detection software," researchers from ThreatLocker said in an analysis shared today with The Hacker News. QuickBooks is an accounting software package developed and marketed by Intuit. The spear-phishing attacks take the form of a PowerShell command that's capable of running inside of the email, the researchers said, adding, a second attack vector involves decoy documents sent via email messages that, when opened, runs a macro to download malicious code which uploads QuickBooks files to an attacker-controlled server. Alternatively, bad actors have also been spotted running a PowerShell command called  Invoke-WebRequests  on target systems to upload relevant data to

Ukrainian Police Arrest Author of World's Largest Phishing Service U-Admin

Ukrainian Police Arrest Author of World's Largest Phishing Service U-Admin
Feb 09, 2021
Law enforcement officials in Ukraine, in coordination with authorities from the U.S. and Australia, last week shut down one of the world's largest phishing services that were used to attack financial institutions in 11 countries, causing tens of millions of dollars in losses. The Ukrainian attorney general's office  said  it worked with the National Police and its Main Investigation Department to identify a 39-year-old man from the Ternopil region who developed a phishing package and a special administrative panel for the service, which were then aimed at several banks located in Australia, Spain, the U.S., Italy, Chile, the Netherlands, Mexico, France, Switzerland, Germany, and the U.K. Computer equipment, mobile phones, and hard drives were seized as part of five authorized searches conducted during the course of the operation. Security researcher Brian Krebs  noted  the raids were in connection with  U-Admin , a phishing framework that makes use of fake web pages to pil

Targeted Phishing Attacks Strike High-Ranking Company Executives

Targeted Phishing Attacks Strike High-Ranking Company Executives
Jan 26, 2021
An evolving phishing campaign observed at least since May 2020 has been found to target high-ranking company executives across manufacturing, real estate, finance, government, and technological sectors with the goal of obtaining sensitive information. The campaign hinges on a social engineering trick that involves sending emails to potential victims containing fake Office 365 password expiration notifications as lures. The messages also include an embedded link to retain the same password that, when clicked, redirects users to a phishing page for credential harvesting. "The attackers target high profile employees who may not be as technically or cybersecurity savvy, and may be more likely to be deceived into clicking on malicious links," Trend Micro researchers  said  in a Monday analysis. "By selectively targeting C-level employees, the attacker significantly increases the value of obtained credentials as they could lead to further access to sensitive personal and

Hackers Accidentally Expose Passwords Stolen From Businesses On the Internet

Hackers Accidentally Expose Passwords Stolen From Businesses On the Internet
Jan 21, 2021
A new large-scale phishing campaign targeting global organizations has been found to bypass Microsoft Office 365 Advanced Threat Protection (ATP) and steal credentials belonging to over a thousand corporate employees. The cyber offensive is said to have originated in August last year, with the attacks aimed specifically at energy and construction companies, said researchers from Check Point Research today in a joint analysis in partnership with industrial cybersecurity firm Otorio. Although phishing campaigns engineered for credential theft are among the most prevalent reasons for data breaches, what makes this operation stand out is an operational security failure that led to the attackers unintentionally exposing the credentials they had stolen to the public Internet. "With a simple Google search, anyone could have found the password to one of the compromised, stolen email addresses: a gift to every opportunistic attacker," the researchers said . The attack chain comm

New Attack Could Let Hackers Clone Your Google Titan 2FA Security Keys

New Attack Could Let Hackers Clone Your Google Titan 2FA Security Keys
Jan 08, 2021
Hardware security keys—such as those from Google and Yubico—are considered the most secure means to protect accounts from phishing and takeover attacks. But a new research published on Thursday demonstrates how an adversary in possession of such a two-factor authentication (2FA) device can clone it by exploiting an electromagnetic side-channel in the chip embedded in it. The vulnerability (tracked as CVE-2021-3011 ) allows the bad actor to extract the encryption key or the  ECDSA  private key linked to a victim's account from a FIDO Universal 2nd Factor (U2F) device like Google Titan Key or YubiKey, thus completely undermining the 2FA protections. "The adversary can sign in to the victim's application account without the U2F device, and without the victim noticing," NinjaLab researchers Victor Lomne and Thomas Roche  said  in a 60-page analysis. "In other words, the adversary created a clone of the U2F device for the victim's application account. This c

Hackers Targeting Companies Involved in Covid-19 Vaccine Distribution

Hackers Targeting Companies Involved in Covid-19 Vaccine Distribution
Dec 04, 2020
A global spear-phishing campaign has been targeting organizations associated with the distribution of COVID-19 vaccines since September 2020, according to new research. Attributing the operation to a nation-state actor,  IBM Security X-Force researchers  said the attacks took aim at the vaccine cold chain, companies responsible for storing and delivering the COVID-19 vaccine at safe temperatures. The development has prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to  issue an alert , urging Operation Warp Speed ( OWS ) organizations and companies involved in vaccine storage and transport to review the indicators of compromise (IoCs) and beef up their defenses. It is unclear whether any of the phishing attempts were successful, but the company said it has notified appropriate entities and authorities about this targeted attack. The phishing emails, dating to September, targeted organizations in Italy, Germany, South Korea, the Czech Republic, greater Europe

Interpol Arrests 3 Nigerian BEC Scammers For Targeting Over 500,000 Entities

Interpol Arrests 3 Nigerian BEC Scammers For Targeting Over 500,000 Entities
Nov 26, 2020
Three Nigerian citizens suspected of being members of an organized cybercrime group behind distributing malware, carrying out phishing campaigns, and extensive Business Email Compromise (BEC) scams have been arrested in the city of Lagos, Interpol reported yesterday. The investigation, dubbed " Operation Falcon ," was jointly undertaken by the international police organization along with Singapore-based cybersecurity firm Group-IB and the Nigeria Police Force, the principal law enforcement agency in the country. About 50,000 targeted victims of the criminal schemes have been identified so far, as the probe continues to track down other suspected gang members and the monetization methods employed by the group. Group-IB's participation in the year-long operation came as part of Interpol's Project Gateway, which provides a framework for agreements with selected private sector partners and receives threat intel directly. "The suspects are alleged to have develo

A Google Drive 'Feature' Could Let Attackers Trick You Into Installing Malware

A Google Drive 'Feature' Could Let Attackers Trick You Into Installing Malware
Aug 22, 2020
An unpatched security weakness in Google Drive could be exploited by malware attackers to distribute malicious files disguised as legitimate documents or images, enabling bad actors to perform spear-phishing attacks comparatively with a high success rate. The latest security issue—of which Google is aware but, unfortunately, left unpatched—resides in the " manage versions " functionality offered by Google Drive that allows users to upload and manage different versions of a file, as well as in the way its interface provides a new version of the files to the users. Logically, the manage versions functionally should allow Google Drive users to update an older version of a file with a new version having the same file extension, but it turns out that it's not the case. According to A. Nikoci, a system administrator by profession who reported the flaw to Google and later disclosed it to The Hacker News, the affected functionally allows users to upload a new version wit

Evasive Credit Card Skimmers Using Homograph Domains and Infected Favicon

Evasive Credit Card Skimmers Using Homograph Domains and Infected Favicon
Aug 07, 2020
Cybersecurity researchers today highlighted an evasive phishing technique that attackers are exploiting in the wild to target visitors of several sites with a quirk in domain names, and leverage modified favicons to inject e-skimmers and steal payment card information covertly. "The idea is simple and consists of using characters that look the same in order to dupe users," Malwarebytes researchers said in a Thursday analysis . "Sometimes the characters are from a different language set or simply capitalizing the letter 'i' to make it appear like a lowercase 'l'." Called an internationalized domain name (IDN) homograph attack , the technique has been used by a Magecart group on multiple domains to load the popular Inter skimming kit hidden inside a favicon file . The visual trickery typically involves leveraging the similarities of character scripts to create and register fraudulent domains of existing ones to deceive unsuspecting users into

A New Flaw In Zoom Could Have Let Fraudsters Mimic Organisations

A New Flaw In Zoom Could Have Let Fraudsters Mimic Organisations
Jul 16, 2020
In a report shared with The Hacker News, researchers at cybersecurity firm CheckPoint today disclosed details of a minor but easy-to-exploit flaw they reported in Zoom, the highly popular and widely used video conferencing software. The latest Zoom flaw could have allowed attackers mimic an organization, tricking its employees or business partners into revealing personal or other confidential information using social engineering tricks. We know, social engineering attacks may sound a bit boring, but someone used the same to put Twitter on fire just last night when hundreds of high-profile Twitter accounts were hacked to promote a cryptocurrency scam, all thanks to an employee's compromised internal tooling account. The said vulnerability resides in Zoom's customizable URL feature dubbed Vanity URL, aiming to let companies create a custom URL on its subdomain and branded landing page, such as " yourcompany.zoom.us, " where the invitation link to a meeting then

Indian IT Company Was Hired to Hack Politicians, Investors, Journalists Worldwide

Indian IT Company Was Hired to Hack Politicians, Investors, Journalists Worldwide
Jun 09, 2020
A team of cybersecurity researchers today outed a little-known Indian IT firm that has secretly been operating as a global hackers-for-hire service or hacking-as-a-service platform. Based in Delhi, BellTroX InfoTech allegedly targeted thousands of high-profile individuals and hundreds of organizations across six continents in the last seven years. Hack-for-hire services do not operate as a state-sponsored group but likely as a hack-for-hire company that conducts commercial cyberespionage against given targets on behalf of private investigators and their clients. According to the latest report published by the University of Toronto's Citizen Lab, BellTroX—dubbed ' Dark Basin ' as a hacking group—targeted advocacy groups, senior politicians, government officials, CEOs, journalists, and human rights defenders. "Over the course of our multi-year investigation, we found that Dark Basin likely conducted commercial espionage on behalf of their clients against oppo
Cybersecurity Resources