Have you heard about the latest AiTM attack that Microsoft exposed?

Jun 12 2023

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that salutes Silvio Berlusconi who’s finally retired to the Bunga Bunga Party in the sky. RIP you sex-crazed sonuvabitch ????

Today’s hottest cyber security stories:

  • Microsoft exposes AitM phishing & BEC attacks on financial giants

  • BlackCat ransomware attack shooed away by Aussie law firm

  • 1,000+ fake crypto sites trick traders in bogus reward airdrops

Hackers AiTM to deceive, but Microsoft’s at BEC and call ????

Monday again already and boy have the bastards been busy since Friday’s newsletter. First up, thanks to some stellar detective work by the cybersecurity team at Microsoft, a particularly insidious phishing campaign has been caught and weighed.

Before we get into the ins and outs, we have some new (new to us, anyway!) acronyms that need deciphering. So, here you go:

AitM = Adversary-in-the-middle

An Adversary-in-The-Middle (AiTM) attack is a sophisticated form of hacking that allows fraudsters to inject themselves into network communications to steal credentials, forge or copy encryption and identity verification keys, and launch further attacks to steal data or money.

BEC = Business Email Compromise

A BEC attack begins with a cybercriminal hacking and spoofing emails to impersonate your company's supervisors, CEO, or vendors in order to request a seemingly legitimate transfer of funds. Spoiler alert: it ain’t legitimate.

So, what happened and who’s affected?

A perfect Storm-1167

Unfortunately not a storm (moniker: Storm-1167) in a teacup, this sophisticated multi-stage attack has been targeting multiple banking and financial services organizations and they would’ve gotten away with it too if it wasn’t for you pesky kids. I mean Microsoft.

"The attack originated from a compromised trusted vendor and transitioned into a series of AiTM attacks and follow-on BEC activity spanning multiple organizations," the tech giant disclosed in a Thursday report.

This is what makes detection difficult. The fact that the criminals were able to compromise a ‘trusted vendor’. When an email appears to come from a friend, our guard comes down. They’re counting on that.

"The attacker presented targets with a website that mimicked the sign-in page of the targeted application, as in traditional phishing attacks, hosted on a cloud service," Microsoft said.

"The said sign-in page contained resources loaded from an attacker-controlled server, which initiated an authentication session with the authentication provider of the target application using the victim's credentials."

Despite all the smoke and mirrors, as with all phishing attacks, they require at least one instance of user error to gain entry.

In this case, it all starts with one phishing email that points to a link, which, when clicked, redirects a victim into visiting a spoofed Microsoft sign-in page and steals the entered credentials and TOTPs.

So, our advice: always read the sender address with a fine-tooth comb! Only takes one match to burn a thousand trees and similarly only takes one act of carelessness to bring down an empire.

Don’t get socially engineered!

It’s a game of BlackCat and mouse…

Last night, the ALPHV ransomware gang, also known as BlackCat, published 1.45 terabytes of Australian law firm HWL Ebsworth’s data for all to see.

This leak contained over ONE MILLION documents allegedly stolen from the law firm's systems in April 2023. The cybercriminals are now threatening to leak more if the company doesn't meet their demands.

It’s interesting that they're not complying, though. Reminds us of the 'we don't negotiate with terrorists' moment from Tropic Thunder. Tom Cruise says it and everyone claps because it sounds like the right thing to do but, in effect, can be incredibly callous.

Plus, you wonder what the affected clients think about it…

From the source article: “A spokesperson for the firm stated on ABC that they would not succumb to the threat actor's extortion demands, even if that means that they and their clients will have to suffer the consequences of a very exposing data leak.”

We’re not so sure that the clients will be too happy about a potentially 'very exposing data leak'. They may well be thinking ffs just pay them, will you?!

The law firm gets to look like the hero by not complying whilst also avoiding spending any money.

But then again as with all ransomware attacks, there's absolutely no guarantee that the criminals will stick to their word once the ransom's been paid.

Guess it hasn't actually been made illegal to pay yet in Australia even though there's been a lot of talk about going that way.

Interesting moral dilemma, isn't it? Ransomware ???? amirite?

All that glitters is not Bitcoin Gold

Trend Micro researchers uncovered an elaborate cryptocurrency scam that went undetected since at least January 2021.

This dastardly scheme employed a network of more than 1,000 fraudulent websites to deceive users into participating in a bogus rewards program.

In a recent report, the researchers expressed concern that this widespread campaign has likely victimised a lot of people across the globe.

Time for some Impulse control ????

They have identified a Russian-speaking threat actor called "Impulse Team" as the mastermind behind this operation.

The scam operates through an advanced fee fraud tactic, wherein victims are led to believe that they have won a specific amount of cryptocurrency.

However, in order to claim their rewards, the victims are required to make a small payment to open an account on the scammer's website. Classic.

It starts when they slide into potential victims’ DMs on Twitter, enticing targets to visit a dodgy website designed to deceive them.

Silver lining is that the Twitter account responsible for these messages has been subsequently closed down.

Here at Gone Phishing, we celebrate the little victories. For our own sanity. Cheers!

So long and thanks for reading all the phish!

Recent articles