Phishing attacks and cyber-attacks based on social engineering tactics are not going to stop any time soon, and therefore it is recommended to adopt phishing prevention measures. The following are this week’s major phishing news headlines:


Beware of FluBot Attacks: Says NCSC-FI

Owing to the growing spread of the FluBot Android malware via SMS and MMS, Finland’s National Cyber Security Center (NCSC-FI) recently posted a security warning. The NCSC-FI reported that several malicious messages were sent during a recent SMS campaign. These messages mainly lured users with the bait of incoming money from a random financial transaction. The campaign used missed call notifications, voicemail, and alerts to deliver links to users; clicking a link redirected them to a website hosting the FluBot APK. The users were then urged to download and install the malware to get more details about the so-called transaction.

Typically, the malware application asks for risky permissions on Android devices, such as reading the user’s address book, managing phone calls, and accessing SMS data. Once a device is compromised, the adversaries launch a second wave of SMS messages targeting everyone on the contact list of the compromised device. This second wave is more likely to succeed because the messages reach victims from a sender they know.

The malware also uses the bait of a premium subscription and other such scams to lure users. After infecting an Android or iPhone device, the FluBot malware’s main objective is to steal users’ financial details. This is made easier because the malware already has access to the user’s incoming notifications, such as OTPs and other SMS data. SMS campaigns are not a new phenomenon and have been used extensively to steal financial credentials. Therefore, it is advisable to take phishing attack prevention measures and resist the urge to react or respond to messages from unknown sources, especially those containing hyperlinks. If a device does get infected with FluBot, resetting it to factory defaults removes the malware.


Data Breach Hits Oklahoma City Indian Clinic

Oklahoma City Indian Clinic (OKCIC) recently suffered a data breach that compromised the personally identifiable information (PII) of around 40,000 individuals. The breach notification posted on the clinic’s website informs users of a security incident that affected its computer systems. OKCIC hired a third-party forensic firm to investigate the breach as part of its anti-phishing protection measures. The investigation revealed that an unauthorized party had gained access to sensitive customer information stored on its systems.

The compromised details include patients’ names, dates of birth, prescription and treatment information, phone numbers, social security numbers, tribal ID numbers, driver’s licenses, health insurance policy numbers, and physician information. Some 38,239 individuals were reportedly affected by the breach, and data breach notifications were sent to all of them. The OKCIC breach adds to the many cyberattacks that have targeted the US healthcare sector this year. Healthcare is one of the 16 critical infrastructure sectors identified by CISA. Therefore, taking anti-phishing measures is every healthcare facility’s first obligation toward its patients and associates.


Data From SuperVPN, GeckoVPN, ChatVPN Compromised

In a recent breach, 21 million VPN users had their data exposed in a Telegram group. These are users of popular VPN services such as SuperVPN, GeckoVPN, and ChatVPN. Reportedly, this database containing 10 GB worth of data was put up for sale last year but has now been released for free on Telegram. The compromised user information could include names, usernames, email addresses, country names, randomly generated password strings, billing details, premium status, validity period, etc.

The leaked passwords were hashed, randomly generated, or salted, making them difficult to crack, and 99.5% of the email addresses were Gmail accounts. However, researchers believe that the leaked data is merely a subset of the full data dump. Whether this data was stolen in a breach or obtained from a misconfigured server is uncertain. Because people use VPN services to maintain anonymity, their data is especially valuable to adversaries, who can use it to blackmail victims or launch phishing attacks against them. VPN users are advised to adopt measures for protection against phishing attacks and change their account passwords immediately.


Ransomware Attack Hits Omnicell

In a filing with the US Securities and Exchange Commission (SEC), the healthcare technology company Omnicell reported that it recently fell victim to a ransomware attack. Omnicell is a well-known American multinational that manufactures patient engagement software for pharmacies and automated medication management systems for healthcare facilities. Some of its internal systems were targeted in a ransomware attack on 4 May 2022.

Omnicell was quick to adopt measures for protection against phishing and restore its operations. The extent of the attack remains to be determined, but the company has informed law enforcement and hired cybersecurity experts to investigate the breach. The company has not disclosed details about the ransomware or whether any personal or corporate information was compromised.


NB65 Targets Russian Payment Platform Qiwi

The Network Battalion (NB65) ransomware group (affiliated with Anonymous) recently targeted Qiwi, a Russian payment processing platform. As proof of the hack, it leaked the payment card details of 7 million people. NB65 took to Twitter to announce that it had gained access to Qiwi’s OpRussia databases. Qiwi provides financial services in Russia and the Commonwealth of Independent States (CIS) countries, and this hack has caused significant losses.

NB65 claims to have extracted 10.5 TB of data from Qiwi’s databases, including 30 million payment records and 12.5 million customer credit card records. The hacker group was quite vocal about its intention to disrupt the Russian financial system and referred to the platform’s last press release, in which Qiwi stated that sanctions against it would not affect its business in any way. NB65 said that this attack, if not the sanctions, will certainly affect Qiwi’s business.

NB65 has threatened Qiwi that if it fails to make contact, the group will release 1 million records every day after the 3-day deadline. However, in its statement, Qiwi has denied NB65’s claims of attacking its platform and said its measures to prevent phishing attacks are intact, that no customer data has been lost, and that payment services continue to function normally.


Ransomware Hits Agricultural Machinery Producer – AGCO

A ransomware attack recently targeted the leading US-based agricultural machinery producer AGCO and affected some of its production facilities. While the company has not revealed many details about the breach, it reportedly shut down some of its IT systems to stop the attack from spreading. In its statement, AGCO said that while it is adopting measures for protection from phishing and investigating the breach, it would still need several days (or longer) to resume all of its services.

With revenue of over $9 billion and more than 21,000 workers, AGCO is a giant in its field and owns brands such as Massey Ferguson, Fendt, Challenger, Valtra, and Gleaner. Thus, a production disruption will significantly impact the manufacture and delivery of equipment. AGCO has declined requests for further comment, but this incident brings us back to the FBI’s recent warning of ransomware attacks targeting the US agriculture sector.

The FBI also issued a similar notice in 2021, indicating that national food production and supply entities fall under “critical infrastructure” and are often targeted by cyberattackers. Experts believe that this attack on AGCO could be motivated by a retaliatory agenda to disrupt its production because it recently announced its plans to donate money and seeds to the war-affected farmers in Ukraine.


Cyberattack Hits DeFi Platform MM.Finance

A Domain Name System (DNS) attack recently targeted the DeFi platform MM.Finance and stole over $2 million worth of digital assets. MM.Finance operators said that adversaries were able to inject a malicious contract address into its front-end code. In a post-mortem on Medium, the DeFi platform said that the adversaries exploited a DNS vulnerability to modify the router contract address in its hosted files. The platform apologized for the inconvenience caused to all those who lost their funds in the process and resolved to take phishing protection measures and settle the issue at the earliest. It further requested users not to perform any transactions, as doing so may send all their funds to the exploiter’s wallet. MM.Finance will soon disable the front end.

MM.Finance said that the adversaries stole over $2 million in cryptocurrency before laundering it through Tornado Cash. The platform is now setting up a compensation pool for all victims and said it would forgo its share of the trading fees to cover the losses. The compensation pool will run for 45 days, and all those who lost their cryptocurrency will be repaid.

Further, MM.Finance plans to employ a security company to evaluate its DNS configurations and to remove two of its service providers from operation to minimize the potential attack surface. The initial investigation traced the stolen funds to the OKX exchange. MM.Finance has demanded that OKX return the funds as soon as possible, and the exchange is now investigating the issue.
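The MM.Finance incident is a reminder that a dApp’s front end is part of its trust boundary: if DNS or hosting is hijacked, the JavaScript the browser loads can point users at an attacker’s router contract. The following is an added illustration, not MM.Finance’s own tooling, of the kind of integrity check a platform operator could run on a schedule: it hashes the served bundle, extracts every EVM-style contract address from it, compares them against an allowlist of deployed addresses, and compares resolver answers against the expected DNS records. The sample bundle, the hostname, the IP addresses, and all contract addresses below are constructed placeholders.

```python
"""Front-end integrity monitor for a DeFi dApp (added example).

Flags contract addresses in a served JavaScript bundle that are not on an
allowlist, and DNS answers that differ from the expected records. All sample
data here is constructed; none of it is MM.Finance's real configuration.
"""
import hashlib
import re

# Placeholders for the addresses the project actually deployed (constructed).
EXPECTED_ROUTER = "0x" + "ab" * 20
EXPECTED_FACTORY = "0x" + "ef" * 20
ALLOWED_ADDRESSES = {EXPECTED_ROUTER, EXPECTED_FACTORY}

# Constructed sample of a front-end bundle after tampering: the router address
# has been swapped for an attacker-controlled one; the factory is untouched.
ATTACKER_ROUTER = "0x" + "cd" * 20
SAMPLE_BUNDLE = (
    'const ROUTER = "' + ATTACKER_ROUTER + '";\n'
    'const FACTORY = "' + EXPECTED_FACTORY + '";\n'
    "export function swap(path) { return router.call(ROUTER, path); }\n"
)

# 20-byte EVM-style address: 0x followed by exactly 40 hex digits.
ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}\b")


def extract_addresses(js_text):
    """Return the set of contract addresses found in a JS source, lowercased."""
    return {m.lower() for m in ADDRESS_RE.findall(js_text)}


def bundle_fingerprint(js_text):
    """SHA-256 of the served bundle, for comparison with the last known-good build."""
    return hashlib.sha256(js_text.encode("utf-8")).hexdigest()


def check_bundle(js_text, allowed, known_fingerprint=None):
    """Return a list of findings; an empty list means the bundle looks intact.

    A changed fingerprint alone is only informational (legitimate deploys change
    it too), but any address outside the allowlist is a hard alert.
    """
    findings = []
    fp = bundle_fingerprint(js_text)
    if known_fingerprint is not None and fp != known_fingerprint:
        findings.append("bundle hash changed: " + fp[:16] + "...")
    allowed_lc = {a.lower() for a in allowed}
    for addr in sorted(extract_addresses(js_text) - allowed_lc):
        findings.append("unexpected contract address in front end: " + addr)
    return findings


def check_dns(observed, expected):
    """Compare resolver answers with expected records.

    Both arguments map hostname -> iterable of IP strings. Any difference
    (extra, missing, or changed records) is reported, since a hijacked zone
    is exactly what redirected MM.Finance users to a tampered front end.
    """
    findings = []
    for name, ips in expected.items():
        seen = set(observed.get(name, ()))
        if seen != set(ips):
            findings.append(
                name + ": expected " + str(sorted(ips)) + ", got " + str(sorted(seen))
            )
    return findings


if __name__ == "__main__":
    # Constructed resolver output: the A record no longer matches the hosting IP.
    expected_dns = {"app.example.test": {"198.51.100.5"}}
    observed_dns = {"app.example.test": {"203.0.113.10"}}
    for line in check_bundle(SAMPLE_BUNDLE, ALLOWED_ADDRESSES):
        print("ALERT", line)
    for line in check_dns(observed_dns, expected_dns):
        print("ALERT", line)
```

In practice the `SAMPLE_BUNDLE` string would be replaced by a fetch of the live bundle from outside the hosting provider’s network, and the allowlist would be generated from the deployment manifest, so that a front-end change which is not accompanied by a deployment is caught within one polling interval rather than after users have already signed transactions.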