Posts

Showing posts with the label fraud

Ofgem Energy Bill Rebate Phishing Fraud

On 3 February 2022, the UK Office of Gas and Electricity Markets (Ofgem) issued a warning that there had been a "record increase in global gas prices" which saw an "energy price cap rise of 54%", adding that "Ofgem knows this rise will be extremely worrying for many people". That last sentence is precisely why phishing threat actors have begun using Ofgem-themed lures as a pretext to target and defraud UK-based users online. On 17 May 2022, Ofgem issued a warning "of a scam email claiming to be from Ofgem asking for bank details so customers can get a rebate" (see Figure 1). This was followed by an alert from UK Action Fraud stating it had received "over 750 reports in just four days about these fake Ofgem emails". The UK NCSC also included the warning in its Weekly Threat Report.
Figure 1: Ofgem-themed phishing email
On 20 May 2022, while researching new phishing pages, a recently created Of...

Mobile Banking Phishing Campaign

There is no doubt that mobile banking has taken the world by storm. Another growth industry is digital-only banks, especially in the UK. As of January 2022, over a quarter (27%) of British adults had opened an account with a digital-only bank, equating to 14 million people. This has created a new pool of targets for phishing threat actors to build new fraud campaigns around. This blog will explore a recent and ongoing campaign targeting mobile users and digital-only banks. Monzo is a popular digital-only bank in the UK. For years, users have been able to open an account without visiting a branch, just by walking through the steps in the mobile application. One of the key parts of creating a Monzo account is verifying your device. Monzo sends you a "golden link" which you use to log in for the first time (see Fig. 1). This link is what the phishing threat actors are after.
Fig. 1 - Example "golden link" sent via Monzo to log in to bank accounts
Fig. 2 - Example SM...

Analysis of the latest PayPal phishing attacks

As far as brands that get impersonated a lot go, PayPal has to be in the top 5 or top 3 globally. Between August and October, I personally received 19 PayPal credential phishing page links, and my crud email provider (not Gmail or Outlook) didn't block them, so they've been landing in my inbox. So I took a look at them, natch. I examined various phishing attempts that appear to have been sent in a similar manner to my personal email address, which, for the record, has only appeared in one small breach in 2017 according to Have I Been Pwned. One phishing kit stood out and forced my hand into blogging about it. It consisted of 11 parts, including the phishing email itself and the initial landing page, followed by several pages to harvest credit card and billing information and bank account details, and finally the bit that I'd not personally seen before (though I doubt it is that new): it asked me to "Upload your identity". The amount of personal data this phishing kit is harvest...

Mo Money, Mo Magecart

Online shopping sites are prime targets for cybercriminals. Large sites process vast quantities of personal information and payment data, making them a high-value reward if successfully hijacked. On 29 April, Malwarebytes Threat Intelligence shared a JavaScript web skimmer their team discovered on a compromised French Canadian online shoe store. The skimmer was injected into the online store's checkout page and used to siphon off payment data and billing info. Data entered into the site was exfiltrated to a domain in Russia. I pivoted off this domain and looked at what was hosted on the same IP with a similar naming convention. This led to uncovering multiple other domains used for web skimming. I mapped the domains on a VirusTotal graph here: I then chucked these domains into urlscan and uncovered at least five other sites that have been compromised in these attacks: Some additional pivoting uncovered a skimmer masquerading as a Bing Analytics domain that was injected ...
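The pivot described above (take the exfil domain, find everything else resolving to the same IP, then keep only the names that follow the same naming convention) is easy to automate against passive-DNS output. The following is an added example written for this page, not the author's tooling and not the Malwarebytes data: the resolutions are constructed, use TEST-NET addresses, and the domain names are placeholders. It goes slightly beyond the single pivot in the text by combining two "similar naming" heuristics, a shared word token and a matching letter/digit shape, which is how an analyst typically triages a shared-hosting IP before looking at each candidate in urlscan.

```python
import re
from collections import defaultdict

# Constructed passive-DNS style resolutions (domain, ip) for illustration only.
# None of these names or addresses are from the original post; 203.0.113.0/24 and
# 198.51.100.0/24 are reserved documentation ranges (TEST-NET-3 / TEST-NET-2).
RESOLUTIONS = [
    ("cdn-analytics-js.example",  "203.0.113.10"),  # seed: the skimmer exfil domain
    ("cdn-analytic-js.example",   "203.0.113.10"),  # same IP, same template (one letter off)
    ("bing-analytics-js.example", "203.0.113.10"),  # same IP, shares the token "analytics"
    ("mail.unrelated.example",    "203.0.113.10"),  # same IP, different convention: noise
    ("cdn-analytics-jss.example", "203.0.113.11"),  # similar name but different IP: not a hit
    ("shop-checkout.example",     "198.51.100.5"),  # unrelated host
]


def shape(domain: str) -> str:
    """Collapse letter runs to 'a' and digit runs to '0' so names built from the
    same template (word-word-word.tld) compare equal regardless of the words."""
    return re.sub(r"[a-z]+", "a", re.sub(r"\d+", "0", domain.lower()))


def tokens(domain: str) -> set:
    """Word tokens of the name without its last label (the TLD), ignoring short
    fillers like 'js' or 'cdn' that would match almost anything."""
    name = domain.lower().rsplit(".", 1)[0]
    return {t for t in re.split(r"[-.\d]+", name) if len(t) >= 4}


def pivot_same_ip(seed: str, resolutions) -> list:
    """Return domains that share an IP with `seed` and look like they were
    named by the same actor. This is a triage filter, not proof of a link:
    every hit still needs manual confirmation (e.g. the hosted script)."""
    ip_to_domains = defaultdict(set)
    domain_to_ips = defaultdict(set)
    for domain, ip in resolutions:
        ip_to_domains[ip].add(domain.lower())
        domain_to_ips[domain.lower()].add(ip)

    seed = seed.lower()
    seed_shape, seed_tokens = shape(seed), tokens(seed)
    hits = set()
    for ip in domain_to_ips[seed]:
        for candidate in ip_to_domains[ip]:
            if candidate == seed:
                continue
            if shape(candidate) == seed_shape or (tokens(candidate) & seed_tokens):
                hits.add(candidate)
    return sorted(hits)


if __name__ == "__main__":
    for hit in pivot_same_ip("cdn-analytics-js.example", RESOLUTIONS):
        print("candidate skimmer domain:", hit)
```

The shape heuristic is deliberately coarse: it will also flag benign hosts that happen to use a three-word hyphenated name, so treat the output as a list to review in urlscan or VirusTotal rather than as an indicator list to block.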

Analysis of Meyhod JavaScript Web Skimmers

A new web skimmer, dubbed Meyhod, has been disclosed by RiskIQ. The malware (named after a typo in its code) appeared in October on several e-commerce sites, including the hair treatment company Bosley and the Chicago Architecture Center (CAC). Investigating the attacker's domain (jquerycloud[.]com) a bit further uncovered other potential victims of this campaign from some months ago. These include Doves Farm UK, The Fruit Company, Customer Earth Promos and, judging by the file names, potentially iCanvas or TFC.
Active compromise of dovesfarm.co.uk:
Skimmer 1: Identifier - sClass="yeikyd" - 'dovesfarm.js' (available here)
Skimmer 2: Identifier - sClass="frydbt" - 'icanvas.js' (available here)
Skimmer 3: Identifier - sClass="bfiyad" - 'tfc.js' (available here)
Skimmer 1 - Listener:
Skimmer 2 and 3 - Listener:
Skimmed Data:
RC4 encryption:
Data collected: Credit Card Number, Card Holder Name, CVV, expiry day, mont...
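The excerpt notes that Meyhod RC4-encrypts the skimmed card fields before sending them out. Because RC4 is a symmetric cipher, the key has to be embedded in the client-side skimmer script, so the "encryption" only hides the data from casual network inspection; an analyst holding the script can decode every captured exfil blob. The block below is an added example for this page, not the skimmer's code and not from RiskIQ or the original post: it implements RC4 from the specification and uses it to round-trip a skimmer-style payload. The key, the JSON-then-base64 wrapping and the field names are assumptions chosen for illustration; the card data is constructed and not real.

```python
import base64
import json


def rc4_keystream(key: bytes):
    """Yield the RC4 keystream for `key` (key-scheduling, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA: permute S using the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                               # PRGA: one keystream byte per step
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """XOR `data` with the keystream; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


# Assumed exfil wrapping for this example: JSON -> RC4 -> base64. The real
# skimmer's key and exact field names are not on the page; these are placeholders.
EXAMPLE_KEY = b"example-skimmer-key"


def skimmer_encode(fields: dict, key: bytes = EXAMPLE_KEY) -> str:
    """Produce the kind of opaque blob a skimmer would POST to its collector."""
    plaintext = json.dumps(fields, sort_keys=True).encode()
    return base64.b64encode(rc4(key, plaintext)).decode()


def decode_exfil(blob_b64: str, key: bytes = EXAMPLE_KEY) -> dict:
    """Recover the skimmed fields from a captured blob once the key has been
    lifted from the skimmer script."""
    return json.loads(rc4(key, base64.b64decode(blob_b64)))


# Constructed sample card data (a well-known test PAN, not a real card), mirroring
# the field list in the post: number, holder name, CVV, expiry day/month/year.
SAMPLE_FIELDS = {
    "cc_number": "4111111111111111",
    "cc_name": "J DOE",
    "cvv": "123",
    "exp_day": "31",
    "exp_month": "12",
    "exp_year": "2027",
}


if __name__ == "__main__":
    blob = skimmer_encode(SAMPLE_FIELDS)
    print("captured blob :", blob)
    print("decoded fields:", decode_exfil(blob))
```

A quick sanity check for any RC4 implementation is the published test vector: key "Key" with plaintext "Plaintext" must give the ciphertext bytes bbf316e8d940af0ad3. If that fails, the KSA loop or the byte masking is wrong and decoded blobs will be garbage.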

Analysis of the threats targeting Point of Sale systems

Background
A point of sale (POS) system is the software used to take a customer's payment for goods or a service, together with the physical devices in stores, where POS terminals are used to process card payments. These are often the primary targets of financially motivated organised cybercrime groups (also known as eCrime advanced persistent threats). A successful intrusion into a POS system can lead to the theft of vast amounts of customer financial data, which can be used for immediate gain or sold on underground markets for fraud. The combination of hard-to-detect data-exfiltration malware, legacy hardware that is difficult to patch, and general OS vulnerabilities means that this particular threat is common and can be difficult to defend against. Organised cybercrime APT groups such as FIN6, FIN7 and FIN8 are currently some of the most significant threats to large retailers, restaurant chains, hotels, the leisure industry, an...