Here’s a close look at the latest phishing news covering significant attacks on Facebook, Google, and Microsoft.
Google AMP Exploited by Threat Actors in Sophisticated Phishing Attacks
Security experts are warning about a concerning rise in phishing attacks that exploit Google AMP (Accelerated Mobile Pages) to bypass email security measures, making their way into enterprise employees’ inboxes.
Google AMP (Accelerated Mobile Pages) is an open-source HTML (Hyper Text Markup Language) framework that speeds up the loading of web content on mobile devices. Copies of AMP pages are served from the Google AMP Cache under google.com URLs, with the page content stripped down and heavier media elements pre-loaded for faster delivery.
The point of placing Google AMP URLs (Uniform Resource Locators) in phishing emails is to evade email protection technologies by borrowing Google's domain reputation: the link's hostname is google.com, while the real destination is encoded in the path and is only reached after a redirect. Clicking the AMP URL sends the victim on to the malicious phishing site, and the extra hop also complicates automated analysis of the link. On top of the AMP redirect, the phishing actors layer further evasion techniques to raise their stealth and success rates.
This multi-layered approach makes it increasingly difficult for both targets and security tools to identify and block the phishing threat. Users and organizations therefore need to stay aware and cautious to defend against such evasive phishing attacks.
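The redirect works because the destination is carried in the path of a google.com URL, so a URL filter that only looks at the hostname sees Google. The following Python script is an added example, not code from the original post or from any vendor, that unwraps the documented AMP viewer URL shape (`https://www.google.com/amp/s/<origin-host>/<path>` for https origins, `https://www.google.com/amp/<origin-host>/<path>` for http origins) and vets the real origin host instead of the google.com wrapper. The email body, the hostnames and the `TRUSTED_ORIGINS` allowlist are constructed sample data.

```python
"""Unwrap Google AMP viewer links so the true destination can be vetted.

Assumed URL shapes (Google AMP viewer / cache convention):
    https://www.google.com/amp/s/<origin-host>/<path>  ->  https://<origin-host>/<path>
    https://www.google.com/amp/<origin-host>/<path>    ->  http://<origin-host>/<path>
"""
import re
from urllib.parse import urlsplit, unquote

AMP_VIEWER_HOSTS = {"google.com", "www.google.com"}

# Assumption: origin hosts this organization has vetted and is happy to let through.
TRUSTED_ORIGINS = {"news.example.org"}

# Constructed sample email body: one lure pointing at a fake login page and one
# ordinary AMP link to a legitimate origin. Both wrappers have a google.com hostname.
SAMPLE_EMAIL_BODY = """\
Your mailbox will be suspended. Verify now:
https://www.google.com/amp/s/credential-harvest.example/login?id=123
Read more at https://www.google.com/amp/s/news.example.org/story
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unwrap_amp(url: str):
    """Return the origin URL hidden behind a Google AMP viewer URL, or None
    if the URL is not an AMP viewer link."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in AMP_VIEWER_HOSTS or not parts.path.startswith("/amp/"):
        return None
    rest = parts.path[len("/amp/"):]
    scheme = "http"                      # no "s/" segment means an http origin
    if rest.startswith("s/"):
        scheme, rest = "https", rest[2:]
    if not rest:
        return None                      # "/amp/" with nothing behind it
    origin = f"{scheme}://{unquote(rest)}"
    if parts.query:
        origin += "?" + parts.query      # query string belongs to the origin page
    return origin


def triage_links(body: str):
    """Find AMP-wrapped links in a message body and decide on the *origin* host,
    not on the google.com wrapper. Returns (wrapper, origin, verdict) tuples."""
    findings = []
    for url in URL_RE.findall(body):
        origin = unwrap_amp(url)
        if origin is None:
            continue
        origin_host = (urlsplit(origin).hostname or "").lower()
        verdict = "allow" if origin_host in TRUSTED_ORIGINS else "review"
        findings.append((url, origin, verdict))
    return findings


if __name__ == "__main__":
    for wrapper, origin, verdict in triage_links(SAMPLE_EMAIL_BODY):
        print(f"{verdict:6} {origin}  (via {wrapper})")
```

The useful property of this check is that a reputation or allowlist lookup is applied to the host that will actually serve the page, so a google.com wrapper around an unknown host is no longer a free pass. In a real mail filter the unwrapped origin would also be followed through any further redirects before the final verdict.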
Microsoft Teams Phishing Attacks: Government Organizations Under Fire by Russian Threat Actors
Microsoft has reported that a malicious group known as APT29, which is linked to Russia’s Foreign Intelligence Service (SVR), has launched targeted phishing attacks on numerous organizations worldwide, including government agencies, using the Microsoft Teams platform.
According to Microsoft’s findings, nearly 40 organizations have been affected by this campaign. The attackers, also known as Midnight Blizzard, appear to have specific espionage objectives, focusing on government agencies, NGOs (Non-Government Organizations), IT services, technology, discrete manufacturing, and media sectors.
The threat actors use previously compromised Microsoft 365 tenants to create new domains with a technical-support theme. Through social engineering they send tech support lures over Teams to trick users into approving MFA (Multi-Factor Authentication) prompts, which completes the sign-in for accounts whose credentials the attackers already hold. Because the messages come from legitimate onmicrosoft.com subdomains, they appear more trustworthy to the recipient.
Microsoft has blocked the use of these domains in further attacks and is working to mitigate the campaign's impact. Organizations must stay vigilant against such Microsoft Teams phishing attacks, treat unsolicited messages and files with caution, and put appropriate phishing protection solutions in place.
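A defender can turn the two observable traits of this campaign, an external sender on a raw `*.onmicrosoft.com` default domain and a message that asks the user to act on an MFA prompt, into a simple triage rule. The Python below is an added example, not Microsoft's detection logic or any product's code; the tenant domains in `OUR_DOMAINS`, the `FEDERATION_ALLOWLIST`, the sender addresses and the message texts are all constructed for illustration.

```python
"""Triage inbound external Teams chats for the tech-support MFA lure pattern.

Heuristics (added example, not Microsoft's detection logic):
  * sender domain is one of our own tenant domains        -> internal, no finding
  * sender domain is a raw *.onmicrosoft.com subdomain    -> high: default tenant
    domain that a renamed, compromised tenant can mint at will
  * sender domain is external and not on the allowlist    -> medium
  * message asks to approve MFA / enter an Authenticator code -> escalate to high
"""
import re

OUR_DOMAINS = {"corp.example"}                # assumption: our verified tenant domains
FEDERATION_ALLOWLIST = {"partner.example"}    # assumption: vetted external tenants

# Phrases a tech-support lure uses to get the victim to complete MFA for the attacker.
MFA_LURE = re.compile(
    r"(approve|accept)\s+(the\s+)?(mfa|sign[- ]in|authenticat\w*)\s+(request|prompt)"
    r"|enter\s+(this|the)\s+code\s+(in|into)\s+(your\s+)?(microsoft\s+)?authenticator",
    re.IGNORECASE,
)


def score_message(sender_upn: str, text: str):
    """Return (severity, reason) for one inbound chat message."""
    domain = sender_upn.rsplit("@", 1)[-1].lower()
    if domain in OUR_DOMAINS:
        return ("none", "internal sender")
    if domain.endswith(".onmicrosoft.com"):
        severity = "high"
        reason = "sender uses an unverified *.onmicrosoft.com default domain"
    elif domain not in FEDERATION_ALLOWLIST:
        severity = "medium"
        reason = "external tenant not on federation allowlist"
    else:
        severity = "low"
        reason = "allowlisted external tenant"
    if MFA_LURE.search(text):
        severity = "high"
        reason += "; message asks the user to approve MFA or enter an Authenticator code"
    return (severity, reason)


# Constructed sample messages (sender UPN, chat text); not real campaign data.
SAMPLE_MESSAGES = [
    ("helpdesk@tenant-support-example.onmicrosoft.com",
     "Microsoft Security: please enter this code into your Microsoft Authenticator "
     "app to keep your account active."),
    ("jane@partner.example",
     "Sending the updated SOW, let me know if you have questions."),
    ("it@corp.example",
     "Reminder: patch window tonight at 22:00."),
]


def triage(messages=SAMPLE_MESSAGES):
    """Score every message; returns (sender, severity, reason) tuples."""
    return [(upn, *score_message(upn, text)) for upn, text in messages]


if __name__ == "__main__":
    for upn, severity, reason in triage():
        print(f"{severity:6} {upn}: {reason}")
```

The domain check is the durable part: legitimate organizations almost always send from a verified custom domain, so an external chat arriving from a bare onmicrosoft.com subdomain deserves review regardless of its wording. The lure regex is only a first filter and should be tuned against the organization's own Teams traffic.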
Facebook Phishing Attack Leveraging Salesforce Zero-day Exploitation by Threat Actors
Malicious actors used a previously unknown vulnerability in Salesforce's email services and SMTP servers to run an elaborate phishing campaign against high-value Facebook accounts.
The attackers exploited a flaw dubbed "PhishForce" to bypass Salesforce's sender verification, and combined it with quirks of Facebook's web games platform to send phishing emails at scale.
Because the messages were relayed through Salesforce's reputable mail infrastructure, they passed secure email gateways and filtering rules and landed in recipients' inboxes.
The objective of the phishing kit used in this Facebook phishing attack campaign was to steal account credentials, even including mechanisms to bypass 2FA. Guardio Labs reported their findings to Salesforce, leading to a resolution of the vulnerability.
As phishing scam actors continually seek new opportunities to exploit legitimate service providers, users should remain vigilant, scrutinizing incoming emails for discrepancies and verifying claims before acting.
Malicious Actors Utilize AI Chatbots for Advanced Phishing and Malware Campaigns
Following the WormGPT incident, in which a malicious ChatGPT-style chatbot was offered to criminals, a new hacking tool called FraudGPT has emerged. In addition, another AI tool said to be in development on top of Google's Bard experiment is making news.
Information on WormGPT and FraudGPT surfaced through an individual using the handle CanadianKingpin12, who appears deeply involved in supplying chatbots built for malicious purposes such as phishing, social engineering, vulnerability exploitation, and malware creation. FraudGPT became known on July 25 and is being advertised on dark web marketplaces and criminal forums as a tool for threat actors.
An investigation by the cybersecurity firm SlashNext found that CanadianKingpin12 is actively building chatbots on dark web data and on large language models originally intended for fighting cybercrime.
CanadianKingpin12 claimed to be developing DarkBART, a malicious version of Google's Bard conversational AI, and to have access to another model named DarkBERT, which was trained on dark web data for cybersecurity research purposes.
According to the seller's claims, a weaponized DarkBERT could run advanced phishing scams, launch social engineering attacks, exploit vulnerabilities, conduct malware attacks, and target zero-day vulnerabilities.