Gift card fraud earns $100k a day

May 28 2024

Welcome to Gone Phishing, your daily cybersecurity newsletter that features more lowlife RATS than Ashley Madison 👀🐀💀 Remote Access Trojans, that is 😏 #Netflix

Today’s hottest cybersecurity news stories:

  • 🎁 Gift card fraud earns Moroccan cybercrime gang $100k/day 💰

  • 👨‍💻 Hackers have a new tackle box of phishing tricks incl. GenAI 🤖

  • Pakistan uses Python, Golang, Rust malware on Indian targets 🕌

It’s the gift that keeps on stealing 💀💀💀

🚨 Cybercrime Alert: Storm-0539's Gift Card Scams 💳

Microsoft has flagged a cybercrime group from Morocco, Storm-0539, for sophisticated email and SMS phishing attacks aimed at stealing and selling gift cards.

Sneaky Tactics 🕵️

Using adversary-in-the-middle (AitM) phishing pages, Storm-0539 steals credentials and session tokens. They then register their own devices, bypass authentication, and create bogus gift cards. This group, also known as Atlas Lion, has been active since late 2021.

Big Targets 🎯

Their victims include large retailers, luxury brands, and fast-food chains. They even gain covert access to victims' cloud environments to conduct reconnaissance and weaponize the infrastructure.

Evolving Threats ⚠️

Storm-0539 has evolved from stealing payment card data to targeting gift card portals. Microsoft noted a 30% increase in their activity between March and May 2024. The FBI has also warned about their sophisticated smishing attacks.

Top Tips 🛡️

Microsoft urges companies to monitor gift card portals closely and use advanced identity-driven signals along with multi-factor authentication (MFA) to protect against these attacks.
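A defender-side illustration of the "identity-driven signals" just mentioned, added here as an example (it is not code from the newsletter or from Microsoft): it flags a device registration that closely follows a sign-in from an IP the account had never used before, which is the post-AitM pattern described in the Sneaky Tactics section. The event schema, field names and sample records are constructed assumptions.

```python
"""Flag device registrations that closely follow a sign-in from an unfamiliar IP.

Added example. After an AitM phish the attacker holds a valid session token, signs in
from their own infrastructure and registers a device so they no longer need the victim.
Event schema and records are constructed; map the fields to your identity provider's logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (ISO timestamps, all in one time zone).
EVENTS = [
    {"ts": "2024-05-20T09:00:00", "user": "alice", "type": "signin", "ip": "203.0.113.10"},
    {"ts": "2024-05-21T09:05:00", "user": "alice", "type": "signin", "ip": "203.0.113.10"},
    {"ts": "2024-05-22T14:00:00", "user": "alice", "type": "signin", "ip": "198.51.100.7"},
    {"ts": "2024-05-22T14:12:00", "user": "alice", "type": "device_registered",
     "ip": "198.51.100.7", "device": "dev-77"},
    # bob is a brand-new account: first sign-in ever, then his first device
    {"ts": "2024-05-22T15:00:00", "user": "bob", "type": "signin", "ip": "192.0.2.5"},
    {"ts": "2024-05-22T15:10:00", "user": "bob", "type": "device_registered",
     "ip": "192.0.2.5", "device": "dev-12"},
]


def flag_device_after_unfamiliar_signin(events, window=timedelta(hours=1), min_history=1):
    """Return an alert for each device registration within `window` of a sign-in from
    an IP the user had never used. A sign-in only counts as unfamiliar once the user
    has `min_history` earlier IPs, so a new account's first sign-in does not alert."""
    seen_ips = defaultdict(set)   # user -> IPs seen in earlier sign-ins
    last_unfamiliar = {}          # user -> (time, ip) of the latest unfamiliar sign-in
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["type"] == "signin":
            if ev["ip"] not in seen_ips[user] and len(seen_ips[user]) >= min_history:
                last_unfamiliar[user] = (t, ev["ip"])
            seen_ips[user].add(ev["ip"])
        elif ev["type"] == "device_registered":
            hit = last_unfamiliar.get(user)
            if hit and t - hit[0] <= window:
                alerts.append({"user": user, "device": ev["device"], "signin_ip": hit[1],
                               "minutes_after_signin": (t - hit[0]).total_seconds() / 60})
    return alerts


if __name__ == "__main__":
    for alert in flag_device_after_unfamiliar_signin(EVENTS):
        print(alert)  # constructed data: alice's dev-77, registered 12 minutes after the new IP
```

In a real tenant the "unfamiliar" test would be enriched with ASN, country and device-compliance state rather than bare IP, but the correlation step stays the same.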

Stay vigilant and safeguard your gift card systems!

Hackers: It’s phish and tricks for dinner, boys 🐟🐟🙃

🚨 Cloudflare Workers Phishing Alert 🕵️

Cybersecurity researchers have identified phishing campaigns using Cloudflare Workers to serve fake login pages for Microsoft, Gmail, Yahoo!, and cPanel Webmail.

How It Works ⚙️

These attacks use a method called transparent phishing or adversary-in-the-middle (AitM) phishing. According to Netskope’s Jan Michael Alcantara, Cloudflare Workers act as reverse proxy servers, intercepting traffic to steal credentials, cookies, and tokens.

Widespread Targets 🌍

Phishing campaigns, mostly targeting Asia, North America, and Southern Europe, have impacted sectors like tech, finance, and banking. Traffic to these malicious pages has spiked, with domains increasing from over 1,000 in Q4 2023 to nearly 1,300 in Q1 2024.

HTML Smuggling 🚨

The attacks use HTML smuggling, where malicious JavaScript assembles the phishing payload on the client side, evading security measures. Victims are prompted to sign in to view fake documents, leading them to spoofed Microsoft 365 login pages.
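As an added example (not code from the newsletter or from Netskope), a small scorer for the client-side assembly chain that paragraph describes, run over two constructed HTML fixtures; the indicator list, weights and threshold are assumptions to tune against your own mail flow.

```python
"""Heuristic triage for HTML attachments that assemble their payload in the browser.

Added example (not from the newsletter or Netskope). HTML smuggling ships the file as
text inside the page and rebuilds it client-side (decode -> Blob -> forced download),
so a gateway that only inspects the attachment as delivered sees a plain web page.
Indicator list, weights, threshold and both fixtures below are constructed.
"""
import re

# (name, pattern, weight): each matches one step of the client-side assembly chain.
INDICATORS = [
    ("base64_decode", re.compile(r"\batob\s*\("), 2),
    ("blob_construct", re.compile(r"\bnew\s+Blob\s*\("), 2),
    ("object_url", re.compile(r"URL\.createObjectURL\s*\("), 2),
    ("forced_download", re.compile(r"\bdownload\s*=|msSaveOrOpenBlob"), 2),
    ("long_base64_run", re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"), 3),
    ("archive_or_image_name", re.compile(r"\.(?:iso|img|zip)[\"']", re.I), 1),
]
ALERT_THRESHOLD = 6  # constructed: at least three indicators must co-occur to alert


def score_html(html):
    """Return (score, [matched indicator names]) for one HTML document."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(html)]
    return sum(w for name, _, w in INDICATORS if name in hits), hits


def is_suspicious(html):
    return score_html(html)[0] >= ALERT_THRESHOLD


# Constructed fixture: an ordinary newsletter page with a normal link.
BENIGN_HTML = """<html><body><h1>Quarterly update</h1>
<p>Read the full report <a href="https://example.com/report.pdf">here</a>.</p>
<script>document.title = "Quarterly update";</script></body></html>"""

# Constructed fixture shaped like the technique described above: the 'document' is
# built from inline text and handed to a download link (the decoded text here is the
# string "constructed placeholder"; nothing in it is a real payload).
SMUGGLING_LIKE_HTML = """<html><body><p>Sign in to view your invoice.</p>
<a id="dl" download="invoice.zip">Download</a>
<script>
var blob = new Blob([atob("Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=")], {type: "application/octet-stream"});
document.getElementById("dl").href = URL.createObjectURL(blob);
</script></body></html>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("smuggling-like", SMUGGLING_LIKE_HTML)):
        print(label, score_html(doc))
```

Because the chain can be split across obfuscated strings, treat this as a triage filter that routes attachments to detonation, not as a verdict on its own.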

Avoiding Detection 🔍

Once victims enter their credentials, attackers collect tokens and cookies, gaining ongoing access. The phishing pages use a modified Cloudflare AitM toolkit, making it hard to spot the scam.

Evolving Techniques ⚔️

Threat actors are now using sophisticated methods like invoice-themed phishing emails with HTML attachments, and phishing-as-a-service (PhaaS) toolkits like Greatness, which targets Microsoft 365 logins. These attacks often include QR codes and CAPTCHA checks to bypass MFA.

Stay Safe 🛡️

Be cautious of unexpected login prompts and emails with attachments. Organisations should bolster security with advanced identity verification and keep a lookout for suspicious activities on Cloudflare Workers-hosted domains.

🎣 Catch of the Day!! 🌊🐟🦞

Stay ahead of the curve with Presspool.ai! 🚀 Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." 🤓💡 That’s us, alright! How about you? Visionary AI executive, much? 👀

And if the newsletter gets your motor running then you can take a butchers at their cool AI marketing product too which is sure to help you make the most of our new artificial overlords and put them to work for your business 🤖👩‍💻🌍

Rest assured, the process is very straightforward.

You simply:

🆕 Sign Up & Create Campaign

📊 Define your audience, budget, and message to captivate your audience.

🚀 Launch your campaign, as Presspool’s AI matches it with ideal newsletter audiences for optimal reach and conversions. 🎯

🕵️ Finally, you leverage real-time analytics to track performance and refine future strategies. 📈 Elevate your marketing game and stay informed with Presspool.ai! 🌟 Simples! 🦦

Presspool.ai 📰🐊🤖 may just have what you need to succeed. And if the product isn’t for you, the newsletter alone is a gamechanger. And we know newsletters 😉

Golang!! 🐈👀🙈

🚨 Transparent Tribe Targets Indian Sectors 🌊

The Pakistan-based Transparent Tribe, also known as APT36, is launching new attacks on Indian government, defence, and aerospace sectors using cross-platform malware written in Python, Golang, and Rust.

Campaign Highlights 🎯

  • Target Period: Late 2023 to April 2024.

  • Key Victims: Three companies linked to the Department of Defense Production (DDP) in Bengaluru, likely including Hindustan Aeronautics Limited (HAL), Bharat Electronics Limited (BEL), and BEML Limited.

  • Methods: Spear-phishing emails using platforms like Discord, Google Drive, Slack, and Telegram.

Sophisticated Techniques ⚙️

Transparent Tribe employs a range of malware including CapraRAT, CrimsonRAT, ElizaRAT, GLOBSHELL, LimePad, and more. They use spear-phishing emails with malicious links or ZIP files to deploy these tools, often targeting Linux-based systems due to their prevalence in Indian government infrastructure.

Innovative Malware 📲

Key malware in these campaigns:

  • GLOBSHELL: Python-based info-gathering utility.

  • PYSHELLFOX: Exfiltrates data from Mozilla Firefox.

  • Silverlining.sh: An open-source C2 framework.

  • ISO Images: Used to deploy Python-based remote access trojans via Telegram for C2.

Evolving Tactics 🔄

The group has also been observed using a Golang-compiled "all-in-one" tool to find and exfiltrate files, take screenshots, upload/download files, and execute commands. This tool, a modified version of Discord-C2, is delivered via ELF binaries within ZIP archives.

Persistent Threat ⚠️

Transparent Tribe has been targeting critical sectors crucial to India’s national security. Their adaptive tactics and sophisticated malware highlight the persistent threat they pose.

Stay Alert 🛡️

Organisations in the affected sectors should enhance their security measures and be vigilant against spear-phishing attempts and suspicious email activities.

πŸ—žοΈ Extra, Extra! Read all about it! πŸ—žοΈ

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • πŸ›‘οΈ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday πŸ“…

  • πŸ’΅Β Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for πŸ†“

  • πŸ“ˆΒ Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future πŸ‘Ύ

Let us know what you think.

So long and thanks for reading all the phish!