Gone Phishing

-

This is a blog on some of the latest phishing threats that are out there and ones I have recently, personally experienced and reverse engineered.

 On 1 May I received this SMS text: 
To me, it was quite clearly a phish, as I'm not with HSBC, however, someone who is may have been easily fooled. The trick the phishermen used here is via a subdomain. Average users may be able to recognise their usual bank domain and feel safe. However, the threat actors who sent this to me could use a domain like 'digitalbanking.com' (which is for sale) and simply insert my bank's full URL as a subdomain - making it quite convincing. Plus, they can add a free digital certificate from Let's Encrypt CA to give it HTTPS and now we have a pretty convincing phish.

 I chucked the domain into VirusTotal and found it's IP address, along with a few other phishing URLs that contact it. It appears Nationwide and HSBC customers are targeted:

 On 28 April I received this email:
This phish was a little more cunning as it used a hyperlink on the text (support.apple.com) which was actually a shortened URL. It uses an Indonesian service similar to Grabify that logs your IP address, geo-location, and user-agent. I searched online to see if anyone had received an email from the same sender and found a few posts on Apple forums as far back as December 2019. They also rightly pointed out that Apple will never send you a PDFdon't open it or click on the link!

 I put the link in VirusTotal and found 33 other phish with similar URLs that were likely used in the same campaign. I added them to my OTX feed here. 

 Who's behind all this phishing? 

 Well, I can't say who is behind these exact phishing emails and texts, but there is one cybercriminal gang which is responsible for hundreds of thousands around the world. The gang, also known as the IndonesianCyberArmy, produces and sells '16Shop' phishing kits which are sold as-a-service. Aspiring cybercriminals can buy the 16Shop kit, pick a target or brand and immediately begin phishing. Instructions and guidance will be provided by the gang, as with many Malware-as-a-Service offerings.

 The @phishingreel bot on Twitter provides detection of commercial phishing kits, with 16Shop featuring heavily. (source)

 @JCyberSec_ has also produced an insightful 16Shop Intelligence Thread here:
The @phishingreel bot on Twitter provides detection of commercial phishing kits, with 16Shop featuring heavily. (source)

How phishing is evolving:

 Newer phishing campaign are becoming even more advanced that actively block security tools from detecting the landing pages and leverage custom targeting lists.

 @MalwareTraceKr uncovered a new Korean SMiShing campaign which uses a database of  phone numbers (likely stolen) that only permits the recipients from downloading the malware. This means if a security researcher wants to view the content, they need to have a phone number which is present in the database. This means campaigns can carry on for longer, before a sample can be analysed and it can be stopped. (source)

 Researchers at Barracuda have also discovered cybercriminals deploying Google’s reCAPTCHA anti-bot tool in an effort to avoid early detection of their malicious campaigns. (source)

 I predict that SMiShing campaigns will eventually overtake traditional email campaigns as more users move towards mobile and tablets only, leaving desktops and laptops behind. Instant messaging apps like WeChat (Weixin) has replaced email almost entirely in China and they are seeing more mobile-based threats because of it.

 In the Western hemisphere and across EMEA countries, email does appear to show signs of slowing with collaborative apps like Microsoft Teams and Slack taking over, as well as video conferencing software like Zoom. This has been spurred on due to lockdown during the coronavirus pandemic.

 For now though, email is still an effective communication method that is still used professionally. Although, the FBI's IC3 report for 2019 found that businesses lost an estimated $1.7 billion from BEC attacks. This may help shape future IT department budgets and encourage the move away from email.

 Subscribe for more blogs 🙂

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more

The Ransomware Tool Matrix

-
Image
Introduction Ransomware attacks are becoming increasingly damaging, but one thing remains consistent: the tools these cybercriminals rely on. The Ransomware Tool Matrix is a comprehensive resource that sheds light on the tactics, techniques, and procedures (TTPs) commonly used by ransomware and extortionist gangs. This repository provides defenders with actionable intelligence on the tools frequently leveraged by adversaries, thanks to the insights shared publicly by the US Cybersecurity and Infrastructure Security Agency (CISA)'s #StopRansomware advisories and The DFIR Report's publications, among others. This repository offers straightforward insights from compiled open source intelligence (OSINT) research that can be directly applied to threat hunting, detection engineering, and incident response operations. Project Background As defenders, we can turn the tables by exploiting a crucial flaw committed by ransomware gangs: tool reuse. Many ransomware gangs repeatedly rely on
Read more