Over the past years, phishing attacks have evolved in number and intensity. Organizations can stay resilient against threats by staying updated about the latest episodes. Here are this week’s phishing and data breach headlines.
Middle Eastern Countries See a Spike in World Cup Phishing Emails
In the month leading up to the FIFA World Cup, phishing attempts targeting Middle Eastern users rose 100 percent, according to security firm Trellix. The researchers observed a spike in email-based attacks from September to October, with malicious email volume doubling. Threat actors used FIFA and related lures to target victims, and the researchers published several malicious email samples.
In one email, the cybercriminals impersonated the FIFA TMS (transfer matching system) helpdesk with a fake alert claiming that the victim’s two-factor authentication had been deactivated. The message directed the user to an attacker-controlled website that harvested the user’s credentials.
Another email impersonated the Auckland City FC team manager, David Firisua, and requested confirmation for a FIFA payment. Trellix’s phishing net also caught emails impersonating Snoonu, the World Cup’s official food delivery partner, that offered free match tickets.
“It is a common practice for cybercriminals to utilize popular events as social engineering tactics and particularly target the businesses related to the events,” the researchers warned.
Daixin Ransomware Gang Attacks AirAsia, Steals 5 Million Passengers’ Data
The cybercrime group Daixin Team recently posted sample data from AirAsia, the Malaysian low-cost airline, on its leak portal. As per DataBreaches.net, the leak follows an attack on AirAsia on November 11 and 12. The threat actors allegedly obtained the personal data of five million unique passengers and of all AirAsia employees.
The samples uploaded to the leak portal reveal passenger information and booking IDs, as well as personal data of the company’s staff. A spokesperson for the group said that they were not pursuing further attacks owing to AirAsia’s poor security measures, including “the network’s chaotic organization.”
Daixin Team was the subject of a US cybersecurity and intelligence advisory warning of attacks aimed at the healthcare sector. Other victims of the threat group include Fitzgibbon Hospital, Trib Total Media, and OakBend Medical.
Mastodon: Leaky Server Exposes Scraped Data of 150,000 Users
According to a security researcher, an Elasticsearch server has been scraping public account information and posts of Mastodon users. So far, information on 150,000 Mastodon users has been scraped in the ongoing process. Worse, the server lacked any authentication and left the logged records open to public access.
Thus, anyone who located the server through the Shodan search engine could access the information without login credentials. It is worth noting that the exposed server is not affiliated with official Mastodon servers and belongs to a third party. The researcher, who found the server on November 15, reported that it was actively scraping information from Mastodon users; however, it is unclear how long it had been logging users’ information. The exposed data includes:
- Account name
- Display name
- Profile picture
- Following count
- Follower count
- Last status update
Mastodon is an alternative to Twitter for people uneasy about the uncertain policies of Elon Musk, Twitter’s new owner. Technically, it is a decentralized, open-source social network launched in 2016 by entrepreneur and programmer Eugen Rochko.
Search Results Poisoned Via Google Data Studio
Threat actors abused Google’s Looker Studio (or Google Data Studio) to enhance search engine rankings for their malicious websites promoting spam, torrents and pirated content. BleepingComputer analyzed the SEO poisoning attack, which uses datastudio.google.com, Google’s subdomain, to make the malicious domains look credible.
Researchers came across several Google search results pages flooded with datastudio.google.com links after a user reported them. These links do not lead to legitimate Google Data Studio projects; they are minisites whose hosts link to pirated content. For example, one search result for “Download Terrifier 2 (2022)” sends users to bit.ly links that redirect them several times before landing on a spammy website.
The SEO poisoning campaign uses keyword stuffing (considered web spam) to boost the malicious domains’ rankings. Clicking on these Bit.ly URLs redirects the user multiple times before they arrive at streaming sites of dubious authenticity and legality, or at websites promoting online surveys and spam.
Introduced in 2016 by Google, the Looker Studio (formerly Google Data Studio) is an online business intelligence tool enabling users to translate data into customizable informative reports for easy visualization and analysis.
Island Nation Vanuatu Hit by a Ransom Attack, Government Crippled
Vanuatu, a small archipelago in the South Pacific Ocean, became the target of a cyberattack on Friday, November 4, which crippled the country for over a week. Government civil servants said that emails sent to government addresses were bouncing back, the first sign that something was amiss. The attack brought the Vanuatu government to an 11-day halt and forced some workers to do their jobs with pen and paper, causing widespread delays across the nation. Officials could not access email or internal systems.
The ransomware also disabled the websites of the prime minister’s office, parliament, and police, and took down the internet access and online databases of hospitals and schools. The country, with a population of 315,000, had trouble carrying out basic tasks like issuing invoices, paying taxes, obtaining licenses, and getting travel visas.
It is still unclear how the attack happened and what protections Vanuatu currently has. Experts noted that the government runs a centralized system hosted on its own servers, which they described as a fundamental security flaw. While the island nation has forwarded requests for a system upgrade to the relevant authorities, Australia is currently helping it rebuild its network.
Email Security Protocols Bypassed In Instagram Credential Phishing Attack
Malicious actors impersonated Instagram and reportedly targeted 22,000 students enrolled at national educational institutions. Security experts at Armorblox shared the information and highlighted the new threat pattern in an advisory on November 17, 2022. “The subject of the malicious email encouraged victims to open the message,” mentions the technical write-up.
“The subject’s goal was to induce a sense of urgency, making it look like an action the victim must take to prevent future harm.”
The email reportedly appeared to come from Instagram support, with the sender’s email address and display name matching Instagram’s real ones. “The cybercriminals socially engineered the email attack, which contained recipient-specific information – like his Instagram user handle – to instill trust that the email was a legitimate communication from Instagram.”
Once users clicked the link, they were redirected to a fake landing page with Instagram branding. Armorblox explained, “The email attack used language that bypassed native Microsoft email security controls, including the SPF and DMARC email authentication checks.”
Earth Preta APT Group Spear-Phishes Governments Worldwide
Researchers at Trend Micro are monitoring the latest wave of spear-phishing attempts targeting government, academic foundations, and research sectors globally. They believe it is a large-scale cyberespionage campaign that started around March this year. The campaign has reached Australia, the Philippines, Myanmar, Japan, and Taiwan. The researchers analyzed the malware families and attributed the campaigns to Earth Preta (also called Bronze President and Mustang Panda), a notorious APT (advanced persistent threat) group.
Observing the campaigns, the researchers noted that the threat actors abused fake Google accounts and distributed malware through spear-phishing emails. The attackers lured victims into downloading and running the malware, which then deployed TONESHELL, TONEINS, and PUBLOAD.
The threat group also used various techniques to evade detection and analysis, such as custom exception handlers and code obfuscation. The researchers analyzed the abbreviated names of previously compromised accounts and concluded that the attackers had likely researched their target organizations in advance.
Phishing Kit Impersonates Renowned Brands to Target US Shoppers in Holiday Season
Since September, a sophisticated phishing kit has been targeting North Americans, using holiday-themed lures such as Labor Day and Halloween. According to Akamai, the kit uses multiple detection-evasion techniques and several mechanisms to keep non-victims away from the phishing pages. A notable feature of the kit is a token-based system that ensures each victim is redirected to a unique phishing URL.
Akamai said the campaign continued throughout October, targeting shoppers looking for “holiday specials.” The central theme is a chance to win a prize from a reputable brand. The links in the email do not look suspicious, as they reach the phishing site only after multiple redirections, with URL shorteners concealing most of the URLs.
The attackers also abuse legitimate cloud services such as Google, Azure, and AWS to bypass protection mechanisms. Impersonated brands include sporting goods retailer Dick’s, the wholesale clubs Sam’s Club and Costco, high-end luggage maker Tumi, and Delta Airlines.