Cybersecurity is a growing concern across the globe. Yet even as more people become aware of the importance of anti-phishing solutions, the number of recorded cybercrimes keeps rising. There is little doubt that the wider adoption of cybersecurity measures is matched by an equal, and perhaps greater, growth in the ingenuity of adversaries, who invent some new form of cyber fraud almost every other day. To help cyber enthusiasts keep up with this incessant scuffle between good actors and bad actors, we present the latest headlines from the past week in the cyber world.
Malware ‘Cutlet Maker’ From 2017 Discovered, German ATMs Hacked
Researchers have recently found the return of an ATM attack technique known as jackpotting, which was believed to have gone dormant. A malware called ‘Cutlet Maker’ was employed by attackers to steal around $1.5 million from ATMs in Germany between February and November 2017.
This malware is sold openly online for $5000 to anyone aspiring to empty ATMs. Motherboard and the German broadcaster Bayerischer Rundfunk (BR) were responsible for bringing this to light.
How Does ‘Cutlet Maker’ Operate?
Once installed on an ATM, the malware makes the machine dispense all its cash while displaying the message “Ho-ho-ho! Let’s make some cutlets today!” accompanied by a cartoon image of a chef cheering a piece of meat.
Jackpotting attacks have been launched in several regions across the globe, including the US, Latin America, and Southeast Asia. Of the banks affected, Santander seems to have been hit hardest in the 2017 attacks. This reflects the inadequate prevention measures adopted by the banks. Running old and slow Windows systems may seem cost-efficient at the moment, but these are exactly the loopholes that attackers wait to pounce on, and their success leads to enormous financial losses for the banks.
A Full-Time Job: Send Sextortion Emails Via Botnets
Hackers are running a massive “sextortion” campaign over a botnet of more than 450,000 infected computers, reaching 30,000 potential victims per hour. They use victims’ data, probably procured from a past breach, and send emails threatening to release compromising photographs of the recipient unless a payment of $800 (£628) in Bitcoin is made.
Some analysts opine that such sextortion campaigns are seldom fallen for, but the big numbers matter here. Of 100,000 sextortion emails sent out in a day, even if just 100 manage to trap victims, it is a lot of money for the attackers.
The botnet-operated sextortion emails tell recipients that the attackers have hacked into their network, have access to all their details, and can even watch them via webcam. While this claim is absurd, the attackers make the emails believable by including an actual password associated with the recipient’s email address. Another peculiarity of this campaign is that the attackers use the infected computers of ordinary users to send the sextortion emails, and those users are completely unaware of it.
A botnet is a network of computers taken over by hackers using malicious software, typically spread via infected web pages or email attachments. Most people whose computers have been hijacked do not even know about it. Sending emails through this botnet channel reduces the chances of the sextortion emails being marked as spam. Moreover, the attackers evade many phishing protection measures by sending only a limited number of emails per infected machine. Hence, the only anti-phishing protection at the disposal of users is to run up-to-date software and web browsers to minimize the risk of these threats.
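The evasion described above, a few messages per bot so that no single sender trips a volume limit, is exactly why per-sender counting misses this campaign. The following Python is an added example (not code from the article or from any vendor it mentions) that groups constructed mail-gateway log lines by a campaign fingerprint, the lure template with the per-victim password masked plus the payout address, instead of by source. The log format, the field names and the addresses are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed mail-gateway log lines (not real traffic). Four bots each send
# two messages, so no single source exceeds a per-sender limit, yet all
# eight share the same lure template and payout address.
LOG_LINES = [
    "2019-10-16T10:01:03Z src=203.0.113.10 subj='Your password is hunter2, I recorded you' btc=bc1constructedaddr",
    "2019-10-16T10:01:09Z src=203.0.113.10 subj='Your password is letmein, I recorded you' btc=bc1constructedaddr",
    "2019-10-16T10:02:11Z src=198.51.100.7 subj='Your password is qwerty99, I recorded you' btc=bc1constructedaddr",
    "2019-10-16T10:02:40Z src=198.51.100.7 subj='Your password is sunshine, I recorded you' btc=bc1constructedaddr",
    "2019-10-16T10:03:05Z src=192.0.2.44 subj='Your password is dragon1, I recorded you' btc=bc1constructedaddr",
    "2019-10-16T10:03:31Z src=192.0.2.44 subj='Your password is monkey, I recorded you' btc=bc1constructedaddr",
    "2019-10-16T10:04:00Z src=203.0.113.88 subj='Your password is pa55word, I recorded you' btc=bc1constructedaddr",
    "2019-10-16T10:04:27Z src=203.0.113.88 subj='Your password is iloveyou, I recorded you' btc=bc1constructedaddr",
    "2019-10-16T10:05:00Z src=203.0.113.200 subj='Invoice for October' btc=-",
    "2019-10-16T10:05:30Z src=203.0.113.200 subj='Invoice for October' btc=-",
]

# Field layout of the constructed log format above.
LINE_RE = re.compile(r"src=(?P<src>\S+) subj='(?P<subj>[^']*)' btc=(?P<btc>\S+)")


def parse_line(line: str):
    """Return the src/subj/btc fields of one log line, or None if malformed."""
    match = LINE_RE.search(line)
    return match.groupdict() if match else None


def normalize_subject(subject: str) -> str:
    """Mask the per-victim password so every lure collapses to one template."""
    return re.sub(r"password is [^\s,]+", "password is <pw>", subject, flags=re.I)


def campaign_report(lines, per_sender_limit: int = 5, campaign_threshold: int = 5) -> dict:
    """Contrast per-sender counting with campaign-fingerprint counting.

    A campaign is flagged when one (template, payout address) fingerprint
    reaches campaign_threshold messages from more than one source, which is
    the signature of a botnet spreading its volume thinly.
    """
    per_sender = Counter()
    campaign_sources = defaultdict(set)
    campaign_counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_sender[rec["src"]] += 1
        key = (normalize_subject(rec["subj"]), rec["btc"])
        campaign_sources[key].add(rec["src"])
        campaign_counts[key] += 1

    noisy_senders = sorted(s for s, n in per_sender.items() if n > per_sender_limit)
    flagged = {
        key: {"messages": campaign_counts[key], "distinct_sources": len(sources)}
        for key, sources in campaign_sources.items()
        if campaign_counts[key] >= campaign_threshold and len(sources) > 1
    }
    return {"noisy_senders": noisy_senders, "flagged_campaigns": flagged}


if __name__ == "__main__":
    for key, info in campaign_report(LOG_LINES)["flagged_campaigns"].items():
        print(key, info)
```

On the sample data the per-sender view returns nothing, because every bot stays under the limit, while the fingerprint view reports one campaign of eight messages from four sources. The same aggregation works on any gateway log once `LINE_RE` is adapted to its layout.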
Hackers Send Links From Compromised Servers Over LinkedIn
In a recently discovered hacking scheme, the attackers use compromised servers and fake links to send LinkedIn users messages that are quite believable at first glance. The discovery of this scam is credited to a Sophos employee who received such a message on LinkedIn from a familiar account. The message contained a link to a supposed OneDrive attachment sent by the impersonated acquaintance, and the link began with the text “www.businessinsight” to increase its credibility.
What also struck the Sophos employee was the salutation. The acquaintance from whose account the message came usually addressed him by his first name, but this message used his full name. The attached URL began with “www.businessinsight,” but its second half contained the name of somebody else’s website. This turned out to be the website of a U.S. entertainer whose site had been breached in the past.
This scam serves as a warning for all LinkedIn users, and internet users in general, to adopt decent phishing protection software to stay safe from such attackers.
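The lure above relies on a reader judging a link by its first few characters while the browser routes on the registrable domain at the end of the host. The Python below is an added example, not Sophos code or anything from the article, that extracts where a link really points and flags a mismatch between a brand string in the link and the domain that will actually be contacted. The brand name, its allow-listed domain and the sample URLs are placeholders constructed for the example; the registrable-domain helper is deliberately simplified.

```python
from urllib.parse import urlsplit

# Assumed allow-list (placeholder values): the domains each brand really owns.
# A deployment would populate this from its own records.
BRAND_DOMAINS = {
    "businessinsight": {"businessinsight.example"},
}


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels of a hostname.

    Simplification: production code should consult the Public Suffix List
    so that hosts under multi-label suffixes such as co.uk are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_link(url: str) -> dict:
    """Report the real destination of a link and whether it impersonates a brand.

    The brand string is searched in the whole netloc (so userinfo tricks like
    brand.example@evil.test are caught) and in the path, while the domain that
    the browser will connect to is taken from the parsed hostname alone.
    """
    if "://" not in url:
        url = "https://" + url  # treat scheme-less text like a browser would
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host) if host else ""
    haystack = parts.netloc.lower() + " " + parts.path.lower()
    mentions = [brand for brand in BRAND_DOMAINS if brand in haystack]
    impersonated = [b for b in mentions if domain not in BRAND_DOMAINS[b]]
    return {
        "host": host,
        "registrable_domain": domain,
        "brand_mentions": mentions,
        "suspicious": bool(impersonated),
    }


if __name__ == "__main__":
    # Constructed samples: brand at the front of the host, brand in the path,
    # brand in the userinfo part, and a genuine brand link.
    for sample in (
        "https://www.businessinsight.compromised-entertainer.test/onedrive/doc",
        "https://compromised-entertainer.test/www.businessinsight/login",
        "https://www.businessinsight.example@compromised-entertainer.test/",
        "https://www.businessinsight.example/report",
    ):
        print(sample, "->", analyse_link(sample))
```

Note that a shortened URL, as used in the Silent Librarian campaign described later on this page, hides the final host entirely; this check is only meaningful after the redirect chain has been expanded.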
Email Phishing Attack Impersonating Telecommunication Company Telstra
Yet another scam to add to the list of email spoofing attacks is this recent one, discovered on 15th October 2019, which sends emails claiming to be from ‘Telstra’ – the well-known telecommunication company. The email scarcely raises suspicion among recipients, as it arrives with Telstra as the display name along with a matching domain. The email tries to induce greed in recipients with its subject line, which says, “$500 Citibank Visa prepaid gift card reward”.
The body of the email carries Telstra’s logo and branding. It asks the recipient to claim the reward before the 18th of October 2019 by clicking the ‘Claim Link’ in the email. Of course, this link leads not to the official Telstra page but to a fake one designed to steal all the information the victim enters.
Recipients who take the bait click the link and land on the phishing page created by the attacker. This page imitates a Telstra login page, and once a victim enters his details and taps the next button, he is sent to a blank page, which might be mistaken for a connectivity problem. Email phishing protection tools and measures seem to be the only rescue in such vulnerable times!
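The two signals the article attributes to this email, a brand as display name and a sender domain that merely resembles the brand's, are visible in the headers before anyone clicks. The Python below is an added example (not the article's or Telstra's code) that parses a raw message and lists those header-level impersonation signs, plus a Reply-To diversion. The allow-listed domain and both sample messages are constructed placeholders, not Telstra's real sending domains.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list (placeholder values, not the brand's real domains): the
# sender domains each brand is expected to use.
BRAND_SENDER_DOMAINS = {"telstra": {"telstra.example"}}

# Constructed sample messages (not the actual campaign emails).
PHISH = """From: Telstra <rewards@telstra-rewards.example>
Reply-To: claims@mail-drop.example
Subject: $500 Citibank Visa prepaid gift card reward
To: customer@example.org

Claim your reward before 18 October.
"""

LEGIT = """From: Telstra <noreply@telstra.example>
Subject: Your monthly statement is ready
To: customer@example.org

Your statement is available in your account.
"""


def header_domain(value) -> str:
    """Lower-cased domain part of an address header, or '' if it is absent."""
    _, addr = parseaddr(value or "")
    return addr.rpartition("@")[2].lower()


def impersonation_findings(raw_message: str) -> list:
    """List header-level signs that a message impersonates a known brand."""
    msg = message_from_string(raw_message)
    display, _ = parseaddr(msg["From"] or "")
    from_domain = header_domain(msg["From"])
    findings = []
    for brand, allowed in BRAND_SENDER_DOMAINS.items():
        if from_domain in allowed:
            continue  # genuinely sent from the brand's own domain
        if brand in display.lower():
            findings.append(f"display name claims {brand!r} but sender domain is {from_domain!r}")
        if brand in from_domain:
            findings.append(f"sender domain {from_domain!r} only resembles {brand!r}")
    reply_domain = header_domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"replies are diverted to {reply_domain!r}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, impersonation_findings(sample))
```

Display-name matching is case-insensitive because the lure depends on the recipient recognising the brand, not on exact spelling; the allow-list comparison, by contrast, is exact.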
Ransomware Attack Hits Shipping Firm Pitney Bowes
A ransomware attack recently hit the global shipping and mailing services company Pitney Bowes. The company confirmed that the attack encrypted some of its systems, leading to a partial disruption that restricted customer access to certain services.
Pitney Bowes provides mailing, e-commerce, shipping, data, and financial services and powers billions of transactions for over 1.5 million clients globally, so the attack naturally comes as a significant threat to its many customers. However, the company says it has found no evidence of any breach of customer or employee data. Its Enterprise Outage Response Team acted immediately upon discovery of the attack, so losses have been minimal. The company has also engaged third-party security experts to resolve the issue and to ensure protection from phishing in the future.
Among the Pitney Bowes services temporarily affected were its mailing system products. The attack also blocked user access to the ‘Your Account’ service, preventing clients from refilling postage or uploading transactions on their mailing machines. However, mailing machines, SendPro C and P devices, SendPro Online in the U.S., SendPro Enterprise, SendSuite Live, SendSuite Xpress, SendSuite Tracking (SST), SendSuite Tracking Online (SSTO), and Relay Hub continued to function without interruption.
Silent Librarian Hacking Group Stealing Thousands Of University Records
A hacking group with ties to the Iranian government has become a major cause of concern for universities across the globe, particularly in North America. The Silent Librarian threat group, also known as TA407, Cobalt Dickens, and Mabna Institute, has consistently pursued the compromise of university students’ details.
The group uses a predefined set of pretexts, which it articulately presents to recipients as grave issues deserving immediate attention. It usually cites a loss of access to library resources due to prolonged inactivity. The threatened consequence is closure of the account, which almost always does the trick.
The group maintains its credibility by incorporating believable features of the actual university website. It puts a lot of effort, time, and research into procuring all the relevant images and other minor details before sending emails to victims.
A typical Silent Librarian attack flow starts with a shortened URL created using an account from a compromised university, which is sent to recipients at another university who are expected to be users of the targeted authentication portal.
The hackers are allegedly recruits of the Iranian company ‘Mabna Institute’, and their sole motive is to rob universities of their intellectual property and sell it on the dark web. Silent Librarian is accused of having attacked at least 380 universities in 30 countries. The group works by shortening a URL tied to an account at a compromised university and using it to send emails to recipients at other universities.
The only way to prevent email phishing at the hands of the Silent Librarian is by implementing and enforcing two-factor authentication to make it difficult for attackers to get through.
The “Spy App” Of The Chinese Communist Party Comes To Light
Once again, China has managed to tarnish its image in the technological world. This time it is the Chinese Communist Party’s app, “Study the Great Nation”, that has come under question. It is alleged to spy on the 100 million Android devices that have downloaded it. The app has a ‘backdoor’ that lets the government view a person’s messages, photos, contacts, and internet browsing history.
Researchers have found that the app deliberately uses weak encryption in functions such as mail and biometric authentication. It also stores files on the phone’s storage with permissions that allow other apps to read data from them. The app further executes ‘superuser’ commands, which enable authorities to track a user’s location, activate audio recording, or place a call on the user’s behalf. This is a serious violation of a person’s privacy and, in a way, makes protection from phishing attacks difficult since the government itself is promoting the intrusion.
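The "files other apps can read" finding above comes down to Unix permission bits: on Android every app runs as its own Linux user, so a file with the world-readable bit set is shared with every installed app. The Python below is an added example, not the researchers' tooling or anything from the article, that scans a directory for such files and runs itself against a constructed app data directory built in a temporary folder. The file names and contents are placeholders.

```python
import os
import stat
import tempfile


def world_readable_files(root: str) -> list:
    """Return paths (relative to root) that any other user or app could read.

    The check is the 'other' read bit (S_IROTH); a private app file should
    carry mode 0600 or 0700 so that only its owning user can open it.
    """
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & stat.S_IROTH:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def demo() -> list:
    """Build a constructed app data directory and report its leaky files.

    private.db is created with mode 0600 (owner only) and cache/session.json
    with mode 0644 (world readable), mirroring the weakness described above.
    """
    with tempfile.TemporaryDirectory() as root:
        private = os.path.join(root, "private.db")
        shared = os.path.join(root, "cache", "session.json")
        os.makedirs(os.path.dirname(shared))
        for path, mode in ((private, 0o600), (shared, 0o644)):
            with open(path, "w") as fh:
                fh.write("constructed sample data\n")
            os.chmod(path, mode)  # set explicitly so the umask does not interfere
        return world_readable_files(root)


if __name__ == "__main__":
    print("world-readable:", demo())
```

The same walk can be pointed at an unpacked APK's data directory or any service's state directory; anything it lists is readable by every other local principal, which is the situation the researchers described.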
Exposed Database Leads To Data Breach At Leafly
Leafly, the world’s most renowned cannabis information platform, has recently sent notification emails to some of its customers about an exposed database that has probably compromised their private information. The company has a large user base, with 10 million monthly active users and 1.4 million user-generated strain, product, and dispensary reviews. However, it says that no customer credit card details were compromised in the breach.
Furnishing details, the company said that the leak came from a secondary database that stored user records dating from July 2nd, 2016. After discovering the breach, it took immediate disaster management measures and engaged a forensic security auditor to ensure protection against phishing. It also took the database offline soon after the discovery and informed all affected users of the breach via email.
The exposed data included users’ emails, usernames, and encrypted passwords. In some cases, it also included more specific details such as name, age, gender, location, and mobile number. The silver lining is that Leafly does not store users’ national identification numbers or credit card information, so those sensitive details remain safe.
The firm advised its users to change their passwords regularly to evade phishing attacks and apologized sincerely for the trouble caused to customers.
Play Store Gaming Apps Spread Malware
Google Play Store has been accused of hosting malicious apps in the past, and so Google makes serious efforts to ensure that no corrupt applications appear. However, certain apps loaded with malware, adware, and spyware still manage to get through. Recently, apps were found to be spreading malware called “The Joker”. Such malicious apps usually aim to steal users’ bank and other personal details.
The malware-spreading apps are not tied to a particular category and include Yobit trading, Encontre Mais, Motocycle Road 2D, Insight Photo Editor, Cell Camera, Pledge Clean, Mentor Security, Compose Camera, Display Wallpaper, Green Camera, and others.
Hence, Android users should remain vigilant and subscribe to a phishing protection service to ensure that the apps they download do not leave them vulnerable to attackers.
New Malware Targeting Mac Users Detected
A new type of malware targeting Mac users was recently detected. Known as “Tarmac”, the malware runs code in a Mac browser and redirects users to sites offering software updates. These are fraudulent sites that mostly display fake updates for Adobe Flash Player. Any user falling for this trap and downloading the Flash Player update actually installs the OSX/Shlayer malware, which in turn launches the OSX/Tarmac malware.
The malware then collects information from the infected device and relays it to its command-and-control server. It is designed to evade anti-phishing tools, as it signs the payload with legitimate Apple developer certificates.
The malvertising campaign that delivers Shlayer and Tarmac began in January 2019. Although the campaign was spotted then, only the Shlayer malware was discovered at the time. Very little is known about Tarmac at present, but it has been found to primarily target users in Japan, Italy, and the US.