Apr 09 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that’s impressed by the sun’s cybersecurity team. Came back online in no time 😂😂😂 #Eclipse2024
Today’s hottest cybersecurity news stories:
🌐 Google Sues App Developers Over Fake Crypto Investment App Scam ⚠️
👨‍💻 Cybercriminals Target Latin America w/ sophisticated phishing attack 🥘
👀 Watch Out for 'Latrodectus' – This Malware Could Be In Your Inbox 📥
Google has launched a lawsuit against Yunfeng Sun and Hongnam Cheung, accusing them of orchestrating an "international online consumer investment fraud scheme." 📉
The Scheme Unveiled
Sun and Cheung allegedly uploaded 87 crypto apps to the Google Play Store since 2019, luring over 100,000 users with promises of high returns. However, the apps turned out to be fraudulent, resulting in significant financial losses for victims.
The Deception Unraveled
Under the guise of offering lucrative returns, the defendants tricked users into downloading bogus apps, only to steal their funds. Victims attempting to withdraw their balances were further exploited through additional fees and payments.
Google's Response
The tech giant has taken legal action against Sun and Cheung, emphasizing the importance of maintaining the integrity of the Google Play platform. The lawsuit accuses the defendants of wire fraud, violating terms of service, and breaching various policies.
Persistent Threat
Google highlighted the defendants' use of sophisticated tactics, including text messages via Google Voice and affiliate marketing campaigns, to perpetuate their fraudulent activities.
A Call for Vigilance
This incident underscores the ongoing battle against malicious actors in the app ecosystem. Google urges users to remain cautious and report suspicious activities to maintain a safe online environment.
This legal action reflects Google's commitment to safeguarding its users and upholding the integrity of its platforms. Stay informed and stay safe! 🔒📱
Learn AI in 5 minutes a day. We'll teach you how to save time and earn more with AI. Join 400,000+ free daily readers for trending tools, productivity boosting prompts, the latest news, and more.
Heads up, everyone! A new phishing campaign has emerged, specifically targeting Windows systems in the Latin American region. 🌎
The Phishing Attack Unveiled
Trustwave SpiderLabs researcher Karla Agregado uncovered this malicious scheme. Victims receive phishing emails with ZIP file attachments posing as invoices. Once extracted, the ZIP file contains an HTML file leading to a fake invoice download.
The Deceptive Tactics
The email originates from addresses using the domain "temporary[.]link" and lists Roundcube Webmail as the User-Agent string. The HTML file contains links to a domain ("facturasmex[.]cloud"), triggering a CAPTCHA verification page when accessed from Mexican IP addresses.
The Malicious Payload
After CAPTCHA verification, victims are redirected to another domain to download a malicious RAR file. This file includes a PowerShell script that gathers system data and checks for antivirus software. It then runs PHP scripts to determine the user's country and retrieves a ZIP file from Dropbox containing suspicious files.
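As an added example, not code from Trustwave's report or from this newsletter, the script below triages a message against the indicators described above: a sender at temporary[.]link, a Roundcube Webmail User-Agent, and a ZIP attachment carrying an HTML file that links to facturasmex[.]cloud. The sample message is constructed for offline testing, and the header names, size limit and scoring are assumptions.

```python
"""Mail-gateway triage for the invoice-lure chain (added example, constructed data)."""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

SENDER_DOMAIN = "temporary.link"      # de-fanged in the report as temporary[.]link
LURE_DOMAIN = "facturasmex.cloud"     # de-fanged in the report as facturasmex[.]cloud
MAX_HTML_BYTES = 1_000_000            # assumed cap so a hostile ZIP cannot exhaust memory


def build_sample_eml() -> bytes:
    """Constructed message mimicking the lure; not a real capture."""
    html = f'<a href="https://{LURE_DOMAIN}/factura">Descargar factura</a>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("factura_0412.html", html)
    msg = EmailMessage()
    msg["From"] = "facturacion@temporary.link"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Factura pendiente"
    msg["User-Agent"] = "Roundcube Webmail/1.6.0"
    msg.set_content("Adjuntamos su factura.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="factura.zip")
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Return which indicators fired plus a simple count as 'score'."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = {"sender_domain": False, "roundcube_ua": False,
            "html_in_zip": False, "lure_link": False}
    addr = parseaddr(msg.get("From", ""))[1].lower()
    hits["sender_domain"] = addr.rsplit("@", 1)[-1] == SENDER_DOMAIN
    hits["roundcube_ua"] = "roundcube" in (msg.get("User-Agent") or "").lower()
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() != "application/zip" and not name.endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                for info in zf.infolist():
                    if not info.filename.lower().endswith((".html", ".htm")):
                        continue
                    hits["html_in_zip"] = True
                    if info.file_size > MAX_HTML_BYTES:
                        continue  # oversized member: flag the HTML but do not inflate it
                    body = zf.read(info).decode("utf-8", "replace").lower()
                    hits["lure_link"] |= LURE_DOMAIN in body
        except zipfile.BadZipFile:
            continue  # malformed archive: leave to a full sandbox
    hits["score"] = sum(hits.values())
    return hits
```

A score of 4 means every indicator from the report matched; in production the sender and lure domains would come from a maintained list rather than constants.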
Similarities to Horabot Malware Campaigns
Trustwave noted similarities with past Horabot malware campaigns, suggesting a continuation of Spanish-speaking user targeting in Latin America.
Expert Insights
Karla Agregado highlighted the evolving tactics of threat actors, emphasizing the use of newly created domains accessible only in specific countries to evade detection.
Ongoing Threat Landscape
This phishing campaign is part of a broader trend of cyber threats. Malwarebytes recently reported a malvertising campaign targeting Microsoft Bing search users, while SonicWall uncovered a fake Java Access Bridge installer distributing cryptocurrency miners.
Stay vigilant and report any suspicious activity to protect yourself and your systems! 🛡️🔒
🃏 The Motley Fool: “Fool me once, shame on — shame on you. Fool me — you can't get fooled again.” Good ol’ George Dubya 😂 Let us tell you who’s not fooling around though; that’s the Crüe 👀 at Motley Fool. You’d be a fool (alright, enough already! 🙈) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! 🐛 Kidding aside, if you check out their website they’ve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets 🤑 (LINK)
🚵 Wander: Find your happy place. Cue Happy Gilmore flashback 🏌️⛳🌈🕊️ Mmmm Happy Place… 😇 So, we’ve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breathtaking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the free and the home of the brave is news of rioting, looting and school shootings, it’s easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels set Wander apart from your run-of-the-mill American getaway 🏞️😍 (LINK)
🌊 Digital Ocean: If you build it they will come. Nope, we’re not talking about a baseball field for ghosts ⚾👻🍿 (Great movie, to be fair 🙈). This is Digital Ocean, who’ve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website you’ll find yourself catching the buzz even if you can’t code (guilty 😑). But if you can and you’re looking for somewhere to test things out, launch something new or simply enhance what you’ve got, we’d recommend checking out their services fo’ sho 😉 And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! 🌿 (LINK)
A dangerous new malware named Latrodectus has surfaced, distributed through email phishing campaigns since late November 2023. 📧
The Threat Unveiled
Latrodectus serves as a downloader with advanced sandbox evasion techniques, allowing threat actors to retrieve payloads and execute commands remotely. Researchers from Proofpoint and Team Cymru issued a joint analysis, highlighting its association with IcedID malware and its use by initial access brokers (IABs) to deploy additional malware.
The Modus Operandi
Latrodectus is closely linked to TA577 and TA578 IABs, particularly the latter, which has been employing it exclusively since mid-January 2024. The malware is distributed via email campaigns, often delivered through a DanaBot infection. TA578, active since May 2020, has a history of delivering various malware, including Ursnif, IcedID, and Buer Loader.
Attack Techniques
The attackers leverage contact forms on websites to send legal threats, leading victims to bogus websites for downloading JavaScript files. Latrodectus then posts encrypted system info to its command-and-control server (C2) and awaits further instructions. It's equipped to detect sandboxed environments and executes a range of commands, including file enumeration, process execution, and updates.
Connections to IcedID
Latrodectus shares infrastructure with IcedID, indicating a potential evolution of threat actor tactics. The malware communicates with Tier 2 servers associated with IcedID's backend infrastructure.
Assessment and Response
Experts predict Latrodectus will become increasingly prevalent among financially motivated threat actors. Vigilance and robust security measures are critical to thwarting these threats and protecting organizations from harm.
Stay informed and stay secure, everyone! 🔒🛡️
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅
💵 Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓
📈 Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾
Let us know what you think!
So long and thanks for reading all the phish!