#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News

social engineering | Breaking Cybersecurity News | The Hacker News

Category — social engineering
Iranian Hackers Set Up New Network to Target U.S. Political Campaigns

Iranian Hackers Set Up New Network to Target U.S. Political Campaigns

Aug 30, 2024 Cyber Threat / Cyber Espionage
Cybersecurity researchers have unearthed new network infrastructure set up by Iranian threat actors to support activities linked to the recent targeting of U.S. political campaigns. Recorded Future's Insikt Group has linked the infrastructure to a hacking group it tracks as GreenCharlie, an Iran-nexus cyber threat group that overlaps with APT42, Charming Kitten, Damselfly, Mint Sandstorm (formerly Phosphorus), TA453, and Yellow Garuda. "The group's infrastructure is meticulously crafted, utilizing dynamic DNS (DDNS) providers like Dynu, DNSEXIT, and Vitalwerks to register domains used in phishing attacks," the cybersecurity company said . "These domains often employ deceptive themes related to cloud services, file sharing, and document visualization to lure targets into revealing sensitive information or downloading malicious files." Examples include terms like "cloud," "uptimezone," "doceditor," "joincloud," ...
North Korean Hackers Target Developers with Malicious npm Packages

North Korean Hackers Target Developers with Malicious npm Packages

Aug 30, 2024 Cryptocurrency / Malware
Threat actors with ties to North Korea have been observed publishing a set of malicious packages to the npm registry, indicating "coordinated and relentless" efforts to target developers with malware and steal cryptocurrency assets. The latest wave, which was observed between August 12 and 27, 2024, involved packages named temp-etherscan-api, ethersscan-api, telegram-con, helmet-validate, and qq-console. "Behaviors in this campaign lead us to believe that qq-console is attributable to the North Korean campaign known as 'Contagious Interview,'" software supply chain security firm Phylum said . Contagious Interview refers to an ongoing campaign that seeks to compromise software developers with information stealing malware as part of a purported job interview process that involves tricking them into downloading bogus npm packages or fake installers for video conferencing software such as MiroTalk hosted on decoy websites. The end goal of the attacks is to...
Unlocking Google Workspace Security: Are You Doing Enough to Protect Your Data?

Crowdstrike Named A Leader In Endpoint Protection Platforms

Nov 22, 2024Endpoint Security / Threat Detection
CrowdStrike is named a Leader in the 2024 Gartner® Magic Quadrant™ for Endpoint Protection Platforms for the fifth consecutive time, positioned highest on Ability to Execute and furthest to the right on Completeness of Vision.
Meta Exposes Iranian Hacker Group Targeting Global Political Figures on WhatsApp

Meta Exposes Iranian Hacker Group Targeting Global Political Figures on WhatsApp

Aug 24, 2024 Election Security / Threat Intelligence
Meta Platforms on Friday became the latest company after Microsoft, Google, and OpenAI to expose the activities of an Iranian state-sponsored threat actor, who it said used a set of WhatsApp accounts that attempted to target individuals in Israel, Palestine, Iran, the U.K., and the U.S. The activity cluster, which originated from Iran, "appeared to have focused on political and diplomatic officials, and other public figures, including some associated with administrations of President Biden and former President Trump," Meta said . The social media giant attributed it to a nation-state actor tracked as APT42, which is also known as Charming Kitten, Damselfly, Mint Sandstorm (formerly Phosphorus), TA453, and Yellow Garuda. It's assessed to be linked to Iran's Islamic Revolutionary Guard Corps (IRGC). The adversarial collective is well-known for its use of sophisticated social engineering lures to spear-phish targets of interest with malware and steal their credenti...
cyber security

Breaking Barriers: Strategies to Unite AppSec and R&D for Success

websiteBackslashApplication Security
Tackle common challenges to make security and innovation work seamlessly.
Czech Mobile Users Targeted in New Banking Credential Theft Scheme

Czech Mobile Users Targeted in New Banking Credential Theft Scheme

Aug 20, 2024 Mobile Security / Banking Fraud
Mobile users in the Czech Republic are the target of a novel phishing campaign that leverages a Progressive Web Application (PWA) in an attempt to sidestep security protections and steal their banking account credentials. The attacks have targeted the Czech-based Československá obchodní banka (CSOB), as well as the Hungarian OTP Bank and a Georgian Bank, according to Slovak cybersecurity company ESET. "The phishing websites targeting iOS instruct victims to add a Progressive Web Application ( PWA ) to their home-screens, while on Android the PWA is installed after confirming custom pop-ups in the browser," security researcher Jakub Osmani said . "At this point, on both operating systems, these phishing apps are largely indistinguishable from the real banking apps that they mimic." What's notable about this tactic is that users are deceived into installing a PWA, or even WebAPKs in some cases on Android, from a third-party site without having to specificall...
Iranian Cyber Group TA453 Targets Jewish Leader with New AnvilEcho Malware

Iranian Cyber Group TA453 Targets Jewish Leader with New AnvilEcho Malware

Aug 20, 2024 Cyber Attack / Malware
Iranian state-sponsored threat actors have been observed orchestrating spear-phishing campaigns targeting a prominent Jewish figure starting in late July 2024 with the goal of delivering a new intelligence-gathering tool called AnvilEcho. Enterprise security company Proofpoint is tracking the activity under the name TA453, which overlaps with activity tracked by the broader cybersecurity community under the monikers APT42 (Mandiant), Charming Kitten (CrowdStrike), Damselfly (Symantec), Mint Sandstorm (Microsoft), and Yellow Garuda (PwC). "The initial interaction attempted to lure the target to engage with a benign email to build conversation and trust to then subsequently click on a follow-up malicious link," security researchers Joshua Miller, Georgi Mladenov, Andrew Northern, and Greg Lesnewich said in a report shared with The Hacker News. "The attack chain attempted to deliver a new malware toolkit called BlackSmith, which delivered a PowerShell trojan dubbed Anv...
New UULoader Malware Distributes Gh0st RAT and Mimikatz in East Asia

New UULoader Malware Distributes Gh0st RAT and Mimikatz in East Asia

Aug 19, 2024 Threat Intelligence / Cryptocurrency
A new type of malware called UULoader is being used by threat actors to deliver next-stage payloads like Gh0st RAT and Mimikatz . The Cyberint Research Team, which discovered the malware, said it's distributed in the form of malicious installers for legitimate applications targeting Korean and Chinese speakers. There is evidence pointing to UULoader being the work of a Chinese speaker due to the presence of Chinese strings in program database (PDB) files embedded within the DLL file. "UULoader's 'core' files are contained in a Microsoft Cabinet archive (.cab) file which contains two primary executables (an .exe and a .dll) which have had their file header stripped," the company said in a technical report shared with The Hacker News. One of the executables is a legitimate binary that's susceptible to DLL side-loading, which is used to sideload the DLL file that ultimately loads the final stage, an obfuscate file named "XamlHost.sys" that...
Russian Hackers Using Fake Brand Sites to Spread DanaBot and StealC Malware

Russian Hackers Using Fake Brand Sites to Spread DanaBot and StealC Malware

Aug 16, 2024 Malware / Data Theft
Cybersecurity researchers have shed light on a sophisticated information stealer campaign that impersonates legitimate brands to distribute malware like DanaBot and StealC . The activity cluster, orchestrated by Russian-speaking cybercriminals and collectively codenamed Tusk, is said to encompass several sub-campaigns, leveraging the reputation of the platforms to trick users into downloading the malware using bogus sites and social media accounts. "All the active sub-campaigns host the initial downloader on Dropbox," Kaspersky researchers Elsayed Elrefaei and AbdulRhman Alfaifi said . "This downloader is responsible for delivering additional malware samples to the victim's machine, which are mostly info-stealers (DanaBot and StealC) and clippers." Of the 19 sub-campaigns identified to date, three are said to be currently active. The name "Tusk" is a reference to the word "Mammoth" used by the threat actors in log messages associated with t...
Russian-Linked Hackers Target Eastern European NGOs and Media

Russian-Linked Hackers Target Eastern European NGOs and Media

Aug 15, 2024 Cyber Attack / Social Engineering
Russian and Belarusian non-profit organizations, Russian independent media, and international non-governmental organizations active in Eastern Europe have become the target of two separate spear-phishing campaigns orchestrated by threat actors whose interests align with that of the Russian government. While one of the campaigns – dubbed River of Phish – has been attributed to COLDRIVER , an adversarial collective with ties to Russia's Federal Security Service (FSB), the second set of attacks have been deemed the work of a previously undocumented threat cluster codenamed COLDWASTREL. Targets of the campaigns also included prominent Russian opposition figures-in-exile, officials and academics in the US think tank and policy space, and a former U.S. ambassador to Ukraine, according to a joint investigation from Access Now and the Citizen Lab. "Both kinds of attacks were highly tailored to better deceive members of the target organizations," Access Now said . "The m...
Black Basta-Linked Attackers Target Users with SystemBC Malware

Black Basta-Linked Attackers Target Users with SystemBC Malware

Aug 14, 2024 Malware / Network Security
An ongoing social engineering campaign with alleged links to the Black Basta ransomware group has been linked to "multiple intrusion attempts" with the goal of conducting credential theft and deploying a malware dropper called SystemBC. "The initial lure being utilized by the threat actors remains the same: an email bomb followed by an attempt to call impacted users and offer a fake solution," Rapid7 said , adding "external calls were typically made to the impacted users via Microsoft Teams." The attack chain then convinces the user to download and install a legitimate remote access software named AnyDesk, which acts as a channel for deploying follow-on payloads and exfiltrate sensitive data. This includes the use of an executable called "AntiSpam.exe" that purports to download email spam filters and urges users to enter their Windows credentials to complete the update. The step is followed by the execution of several binaries, DLL files, ...
New Phishing Scam Uses Google Drawings and WhatsApp Shortened Links

New Phishing Scam Uses Google Drawings and WhatsApp Shortened Links

Aug 08, 2024 Network Security / Cloud Security
Cybersecurity researchers have discovered a novel phishing campaign that leverages Google Drawings and shortened links generated via WhatsApp to evade detection and trick users into clicking on bogus links designed to steal sensitive information. "The attackers chose a group of the best-known websites in computing to craft the threat, including Google and WhatsApp to host the attack elements, and an Amazon look-alike to harvest the victim's information," Menlo Security researcher Ashwin Vamshi said . "This attack is a great example of a Living Off Trusted Sites ( LoTS ) threat." The starting point of the attack is a phishing email that directs the recipients to a graphic that appears to be an Amazon account verification link. This graphic, for its part, is hosted on Google Drawings, in an apparent effort to evade detection. Abusing legitimate services has obvious benefits for attackers in that they're not only a low-cost solution, but more importantly, ...
North Korea-Linked Malware Targets Developers on Windows, Linux, and macOS

North Korea-Linked Malware Targets Developers on Windows, Linux, and macOS

Jul 31, 2024 Malware / Software Development
The threat actors behind an ongoing malware campaign targeting software developers have demonstrated new malware and tactics, expanding their focus to include Windows, Linux, and macOS systems. The activity cluster, dubbed DEV#POPPER and linked to North Korea, has been found to have singled out victims across South Korea, North America, Europe, and the Middle East. "This form of attack is an advanced form of social engineering, designed to manipulate individuals into divulging confidential information or performing actions that they might normally not," Securonix researchers Den Iuzvyk and Tim Peck said in a new report shared with The Hacker News. DEV#POPPER is the moniker assigned to an active malware campaign that tricks software developers into downloading booby-trapped software hosted on GitHub under the guise of a job interview. It shares overlaps with a campaign tracked by Palo Alto Networks Unit 42 under the name Contagious Interview . Signs that the campaign ...
Cybercriminals Deploy 100K+ Malware Android Apps to Steal OTP Codes

Cybercriminals Deploy 100K+ Malware Android Apps to Steal OTP Codes

Jul 31, 2024 Mobile Security / Malware
A new malicious campaign has been observed making use of malicious Android apps to steal users' SMS messages since at least February 2022 as part of a large-scale campaign. The malicious apps, spanning over 107,000 unique samples, are designed to intercept one-time passwords (OTPs) used for online account verification to commit identity fraud. "Of those 107,000 malware samples, over 99,000 of these applications are/were unknown and unavailable in generally available repositories," mobile security firm Zimperium said in a report shared with The Hacker News. "This malware was monitoring one-time password messages across over 600 global brands, with some brands having user counts in the hundreds of millions of users." Victims of the campaign have been detected in 113 countries, with India and Russia topping the list, followed by Brazil, Mexico, the U.S., Ukraine, Spain, and Turkey. The starting point of the attack is the installation of a malicious app that...
OneDrive Phishing Scam Tricks Users into Running Malicious PowerShell Script

OneDrive Phishing Scam Tricks Users into Running Malicious PowerShell Script

Jul 30, 2024 Malware / Email Security
Cybersecurity researchers are warning about a new phishing campaign that targets Microsoft OneDrive users with the aim of executing a malicious PowerShell script. "This campaign heavily relies on social engineering tactics to deceive users into executing a PowerShell script, thereby compromising their systems," Trellix security researcher Rafael Pena said in a Monday analysis. The cybersecurity company is tracking the "crafty" phishing and downloader campaign under the name OneDrive Pastejacking. The attack unfolds via an email containing an HTML file that, when opened, displays an image simulating an OneDrive page and includes the error message that says: "Failed to connect to the 'OneDrive' cloud service. To fix the error, you need to update the DNS cache manually." The message also comes with two options, namely "How to fix" and "Details," with the latter directing the email recipient to a legitimate Microsoft Learn pag...
'Stargazer Goblin' Creates 3,000 Fake GitHub Accounts for Malware Spread

'Stargazer Goblin' Creates 3,000 Fake GitHub Accounts for Malware Spread

Jul 29, 2024 Malware / Network Security
A threat actor known as Stargazer Goblin has set up a network of inauthentic GitHub accounts to fuel a Distribution-as-a-Service (DaaS) that propagates a variety of information-stealing malware and netting them $100,000 in illicit profits over the past year. The network, which comprises over 3,000 accounts on the cloud-based code hosting platform, spans thousands of repositories that are used to share malicious links or malware, per Check Point, which has dubbed it "Stargazers Ghost Network." Some of the malware families propagated using this method include Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine, with the bogus accounts also engaged in starring, forking, watching, and subscribing to malicious repositories to give them a veneer of legitimacy. The network is believed to have been active since August 2022 in some preliminary form, although an advertisement for the DaaS wasn't spotted in the dark until early July 2023. "Threat actors no...
Malicious PyPI Package Targets macOS to Steal Google Cloud Credentials

Malicious PyPI Package Targets macOS to Steal Google Cloud Credentials

Jul 27, 2024 Cybersecurity / Cloud Security
Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) repository that targets Apple macOS systems with the goal of stealing users' Google Cloud credentials from a narrow pool of victims. The package, named "lr-utils-lib," attracted a total of 59 downloads before it was taken down. It was uploaded to the registry in early June 2024. "The malware uses a list of predefined hashes to target specific macOS machines and attempts to harvest Google Cloud authentication data," Checkmarx researcher Yehuda Gelb said in a Friday report. "The harvested credentials are sent to a remote server." An important aspect of the package is that it first checks if it has been installed on a macOS system, and only then proceeds to compare the system's Universally Unique Identifier (UUID) against a hard-coded list of 64 hashes. If the compromised machine is among those specified in the predefined set, it attempts to access...
This AI-Powered Cybercrime Service Bundles Phishing Kits with Malicious Android Apps

This AI-Powered Cybercrime Service Bundles Phishing Kits with Malicious Android Apps

Jul 26, 2024 Cybercrime / Mobile Security
A Spanish-speaking cybercrime group named GXC Team has been observed bundling phishing kits with malicious Android applications, taking malware-as-a-service (MaaS) offerings to the next level. Singaporean cybersecurity company Group-IB, which has been tracking the e-crime actor since January 2023, described the crimeware solution as a "sophisticated AI-powered phishing-as-a-service platform" capable of targeting users of more than 36 Spanish banks, governmental bodies, and 30 institutions worldwide. The phishing kit is priced anywhere between $150 and $900 a month, whereas the bundle including the phishing kit and Android malware is available on a subscription basis for about $500 per month. Targets of the campaign include users of Spanish financial institutions, as well as tax and governmental services, e-commerce, banks, and cryptocurrency exchanges in the United States, the United Kingdom, Slovakia, and Brazil. As many as 288 phishing domains linked to the activity ha...
Expert Insights / Articles Videos
Cybersecurity Resources