May 28 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that features more lowlife RATS than Ashley Madison. Remote Access Trojans, that is. #Netflix
Today's hottest cybersecurity news stories:
Gift card fraud earns Moroccan cybercrime gang $100k/day
Hackers have a new tackle box of phishing tricks incl. GenAI
Pakistan uses Python, Golang, Rust malware on Indian targets
Microsoft has flagged a cybercrime group from Morocco, Storm-0539, for sophisticated email and SMS phishing attacks aimed at stealing and selling gift cards.
Sneaky Tactics
Using adversary-in-the-middle (AitM) phishing pages, Storm-0539 steals credentials and session tokens. They then register their own devices, bypass authentication, and create bogus gift cards. This group, also known as Atlas Lion, has been active since late 2021.
Big Targets
Their victims include large retailers, luxury brands, and fast-food chains. They even gain covert access to victims' cloud environments to conduct reconnaissance and weaponize the infrastructure.
Evolving Threats
Storm-0539 has evolved from stealing payment card data to targeting gift card portals. Microsoft noted a 30% increase in their activity between March and May 2024. The FBI has also warned about their sophisticated smishing attacks.
Top Tips
Microsoft urges companies to monitor gift card portals closely and use advanced identity-driven signals along with multi-factor authentication (MFA) to protect against these attacks.
Stay vigilant and safeguard your gift card systems!
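The "identity-driven signals" Microsoft recommends above can be made concrete as a detection rule: an AitM relay hands the attacker a valid session token, so the tell-tale pattern is a token being used, and a new device being registered, from a network other than the one that performed the sign-in, shortly after that sign-in. The following is an added example written for this newsletter, not code from Microsoft or the original article; the event format, field names, sample events and the 30-minute window are all constructed assumptions to be mapped onto your own identity provider's logs.

```python
"""Heuristic for AitM session-token replay followed by rogue device registration.

Added example, not from the newsletter or from Microsoft. The log schema,
the sample events and the replay window are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample identity events. Session S1 is signed in from one network
# and then used (and a device registered) from another network minutes later,
# which is what an AitM-relayed login looks like from the identity provider's side.
SAMPLE_EVENTS = [
    {"ts": "2024-05-20T09:00:00", "user": "alice", "event": "signin_success",
     "session": "S1", "ip": "203.0.113.10", "asn": "AS64496"},
    {"ts": "2024-05-20T09:04:00", "user": "alice", "event": "token_use",
     "session": "S1", "ip": "198.51.100.7", "asn": "AS64500"},
    {"ts": "2024-05-20T09:06:00", "user": "alice", "event": "device_registered",
     "session": "S1", "ip": "198.51.100.7", "asn": "AS64500"},
    {"ts": "2024-05-20T10:00:00", "user": "bob", "event": "signin_success",
     "session": "S2", "ip": "192.0.2.5", "asn": "AS64501"},
    {"ts": "2024-05-20T11:30:00", "user": "bob", "event": "token_use",
     "session": "S2", "ip": "192.0.2.5", "asn": "AS64501"},
]

REPLAY_WINDOW = timedelta(minutes=30)  # assumption: tune to your environment


def parse_ts(value):
    """Parse the constructed ISO-8601 timestamp used in the sample events."""
    return datetime.fromisoformat(value)


def find_session_replays(events, window=REPLAY_WINDOW):
    """Return one alert per session whose token is used from a different ASN
    than the sign-in origin within `window`; severity is raised to "high" when
    a device registration is among those foreign-network events."""
    by_session = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_session[ev["session"]].append(ev)

    alerts = []
    for sid, evs in by_session.items():
        origin = next((e for e in evs if e["event"] == "signin_success"), None)
        if origin is None:
            continue  # no sign-in seen for this session; nothing to compare against
        t0 = parse_ts(origin["ts"])
        foreign = [
            e for e in evs
            if e["event"] != "signin_success"
            and e["asn"] != origin["asn"]
            and parse_ts(e["ts"]) - t0 <= window
        ]
        if not foreign:
            continue
        registered = any(e["event"] == "device_registered" for e in foreign)
        alerts.append({
            "user": origin["user"],
            "session": sid,
            "severity": "high" if registered else "medium",
            "origin_ip": origin["ip"],
            "foreign_ips": sorted({e["ip"] for e in foreign}),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_EVENTS):
        print(alert)
```

Comparing on ASN rather than raw IP avoids alerting on a user whose home ISP rotates addresses; a real deployment would add the device-registration event as an independent high-severity signal even outside the window, and suppress known corporate egress networks.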
Cybersecurity researchers have identified phishing campaigns using Cloudflare Workers to serve fake login pages for Microsoft, Gmail, Yahoo!, and cPanel Webmail.
How It Works
These attacks use a method called transparent phishing or adversary-in-the-middle (AitM) phishing. According to Netskope's Jan Michael Alcantara, Cloudflare Workers act as reverse proxy servers, intercepting traffic to steal credentials, cookies, and tokens.
Widespread Targets
Phishing campaigns, mostly targeting Asia, North America, and Southern Europe, have impacted sectors like tech, finance, and banking. Traffic to these malicious pages has spiked, with domains increasing from over 1,000 in Q4 2023 to nearly 1,300 in Q1 2024.
HTML Smuggling
The attacks use HTML smuggling, where malicious JavaScript assembles the phishing payload on the client side, evading security measures. Victims are prompted to sign in to view fake documents, leading them to spoofed Microsoft 365 login pages.
Avoiding Detection
Once victims enter their credentials, attackers collect tokens and cookies, gaining ongoing access. The phishing pages use a modified Cloudflare AitM toolkit, making it hard to spot the scam.
Evolving Techniques
Threat actors are now using sophisticated methods like invoice-themed phishing emails with HTML attachments, and phishing-as-a-service (PhaaS) toolkits like Greatness, which targets Microsoft 365 logins. These attacks often include QR codes and CAPTCHA checks to bypass MFA.
Stay Safe
Be cautious of unexpected login prompts and emails with attachments. Organisations should bolster security with advanced identity verification and keep a lookout for suspicious activities on Cloudflare Workers-hosted domains.
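Two things in the story above lend themselves to mail-gateway triage: the HTML smuggling technique (a script that decodes a base64 blob, wraps it in a Blob, creates an object URL and triggers a download) and links pointing at Cloudflare Workers-hosted pages. The scanner below is an added example for this newsletter, not code from Netskope, Cloudflare or the original article; the two sample attachments, the indicator regexes, their weights and the alert threshold are constructed assumptions. It goes slightly beyond the article by scoring several smuggling indicators together instead of matching one.

```python
"""Static triage of an HTML email attachment for HTML-smuggling indicators and
for links to Cloudflare Workers-hosted hosts.

Added example, not code from the newsletter, Netskope or Cloudflare. Samples,
indicator list, weights and threshold are constructed assumptions.
"""
import re
from urllib.parse import urlparse

# Constructed sample: markup that assembles a file client-side. The base64 blob
# is padding ("QUFB" decodes to "AAA"), not a real payload.
SAMPLE_ATTACHMENT = (
    '<html><body><p>Your invoice is ready. '
    '<a href="https://invoice-view.example.workers.dev/login">Sign in to view</a></p>\n'
    '<script>\nvar data = "' + "QUFB" * 150 + '";\n'
    'var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));\n'
    'var blob = new Blob([bytes], {type: "application/octet-stream"});\n'
    'var a = document.createElement("a");\n'
    'a.href = URL.createObjectURL(blob); a.download = "Invoice_2024.html"; a.click();\n'
    '</script></body></html>'
)

# Constructed benign sample for comparison.
CLEAN_ATTACHMENT = (
    "<html><body><p>Meeting notes attached.</p>"
    "<a href='https://intranet.example.com/notes'>notes</a></body></html>"
)

# Indicator name -> (regex, weight). Weights are assumptions to tune locally.
INDICATORS = {
    "base64_decode": (re.compile(r"\batob\s*\("), 2),
    "blob_construct": (re.compile(r"\bnew\s+Blob\s*\("), 2),
    "object_url": (re.compile(r"URL\.createObjectURL\s*\("), 2),
    "ms_save_blob": (re.compile(r"msSaveOrOpenBlob"), 2),
    "auto_download": (re.compile(r"\bdownload\s*="), 1),
    "auto_click": (re.compile(r"\.click\s*\(\s*\)"), 1),
    "large_base64_literal": (re.compile(r"[\"'][A-Za-z0-9+/=]{400,}[\"']"), 3),
}

# Hosting suffixes worth a second look. workers.dev also hosts legitimate apps,
# so a hit here means "review", not "malicious". Extend with your own list.
SUSPICIOUS_HOST_SUFFIXES = (".workers.dev",)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def find_link_hosts(html):
    """Return the lower-cased hostnames of every absolute http(s) URL in the markup."""
    return [(urlparse(u).hostname or "").lower() for u in URL_RE.findall(html)]


def triage_attachment(html, threshold=5):
    """Score an HTML attachment and return the indicator hits, flagged hosts and verdict."""
    hits = {name: len(rx.findall(html)) for name, (rx, _) in INDICATORS.items()}
    score = sum(INDICATORS[name][1] for name, count in hits.items() if count)
    flagged_hosts = [h for h in find_link_hosts(html) if h.endswith(SUSPICIOUS_HOST_SUFFIXES)]
    verdict = "review" if score >= threshold or flagged_hosts else "clean"
    return {
        "score": score,
        "hits": {name: count for name, count in hits.items() if count},
        "suspicious_hosts": flagged_hosts,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(triage_attachment(SAMPLE_ATTACHMENT))
    print(triage_attachment(CLEAN_ATTACHMENT))
```

No single indicator is conclusive (plenty of legitimate pages create object URLs), which is why the indicators are weighted and summed; the large-literal rule carries the most weight because a benign page rarely embeds hundreds of bytes of base64 directly in a script. Obfuscated scripts will evade these regexes, so treat this as a cheap first pass ahead of sandbox detonation.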
Stay ahead of the curve with Presspool.ai! Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." That's us, alright! How about you? Visionary AI executive, much?
And if the newsletter gets your motor running then you can take a butchers at their cool AI marketing product too, which is sure to help you make the most of our new artificial overlords and put them to work for your business.
Rest assured, the process is very straightforward.
You simply:
Sign up and create a campaign.
Define your audience, budget, and message to captivate your audience.
Launch your campaign, as Presspool's AI matches it with ideal newsletter audiences for optimal reach and conversions.
Finally, you leverage real-time analytics to track performance and refine future strategies. Elevate your marketing game and stay informed with Presspool.ai! Simples!
Presspool.ai may just have what you need to succeed. And if the product isn't for you, the newsletter alone is a gamechanger. And we know newsletters.
The Pakistan-based Transparent Tribe, also known as APT36, is launching new attacks on Indian government, defence, and aerospace sectors using cross-platform malware written in Python, Golang, and Rust.
Campaign Highlights
Target Period: Late 2023 to April 2024.
Key Victims: Three companies linked to the Department of Defense Production (DDP) in Bengaluru, likely including Hindustan Aeronautics Limited (HAL), Bharat Electronics Limited (BEL), and BEML Limited.
Methods: Spear-phishing emails using platforms like Discord, Google Drive, Slack, and Telegram.
Sophisticated Techniques
Transparent Tribe employs a range of malware including CapraRAT, CrimsonRAT, ElizaRAT, GLOBSHELL, LimePad, and more. They use spear-phishing emails with malicious links or ZIP files to deploy these tools, often targeting Linux-based systems due to their prevalence in Indian government infrastructure.
Innovative Malware
Key malware in these campaigns:
GLOBSHELL: Python-based info-gathering utility.
PYSHELLFOX: Exfiltrates data from Mozilla Firefox.
Silverlining.sh: An open-source C2 framework.
ISO Images: Used to deploy Python-based remote access trojans via Telegram for C2.
Evolving Tactics
The group has also been observed using a Golang-compiled "all-in-one" tool to find and exfiltrate files, take screenshots, upload/download files, and execute commands. This tool, a modified version of Discord-C2, is delivered via ELF binaries within ZIP archives.
Persistent Threat
Transparent Tribe has been targeting critical sectors crucial to India's national security. Their adaptive tactics and sophisticated malware highlight the persistent threat they pose.
Stay Alert
Organisations in the affected sectors should enhance their security measures and be vigilant against spear-phishing attempts and suspicious email activities.
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday.
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future.
Let us know what you think.
So long and thanks for reading all the phish!