2023 October Cyber Bytes

Fast-Growing Dropbox Campaign Steals Microsoft SharePoint Credentials

Thousands of messages are being sent weekly in a campaign that uses links hosted on legitimate websites to evade natural language processing and URL-scanning email protections.

DarkReading.com by Elizabeth Montalbano on October 03, 2023

Threat actors are using messages sent from Dropbox to steal Microsoft user credentials in a fast-growing business email compromise (BEC) campaign. The effort evades natural language processing (NLP)-based security scans, and demonstrates the rapid evolution of these types of attacks.

Researchers at Check Point Harmony observed more than 5,000 of the attacks — in which fake login pages lead victims to a credential-harvesting site — in the first two weeks of September alone, they revealed in a recent blog post. They informed Dropbox of the campaign's existence on Sept. 18.

The attack is yet another example of the latest iteration of BEC — BEC 3.0 — in which attackers use legitimate sites that are familiar and trusted by end users to send and host phishing material, the Check Point Team wrote in the post. Other popular sites used in BEC 3.0 attacks include Google, QuickBooks, and PayPal.

"The legitimacy of these sites makes it nearly impossible for email security services to stop and for end users to spot," according to the post. "It's one of the cleverer innovations we've seen, and given the scale of this attack thus far, it's one of the most popular and effective."

Indeed, the attacks are dangerous for users because they evade both NLP technology and the URL scanning that email security technology uses to flag messages as suspicious.

"NLP is useless here — the language comes directly from legitimate services and nothing is awry," according to the post. In a similar way, trying to flag a suspicious URL doesn't work either, since the links used in the messages direct to a legitimate Dropbox site.

Direct from Dropbox

Messages in the campaign observed by researchers appear to come directly from Dropbox, letting users know they have a file or files to download. Clicking on a link included in the message leads potential victims to another page, where they are instructed to click on a link to start the download.

This second step in the campaign is notable in that the page to which users are directed is hosted on a legitimate Dropbox URL. However, the page is branded as OneDrive, a Microsoft cloud storage and download service.

If users don't pick up on the discrepancy, the link on this secondary page — which pretends to take users to their file or files — leads to a phishing site that looks like a login for Microsoft SharePoint, asking people to enter their credentials. This final page in the campaign is hosted outside of Dropbox.

The case is a perfect example of so-called BEC 3.0, the researchers noted, which makes use of cloud services. While BEC attacks have long spoofed or impersonated legitimate entities, BEC 3.0 represents a whole new challenge for defenders because it creates attacks that appear to come from legitimate services, making them particularly difficult to stop and identify, both from security services and end users, the Check Point Team said.

Avoiding BEC Compromise

There are some steps organizations can take both to help their employees identify BEC 3.0 attacks and also stop them before they even get to the end user, the researchers said. For the former, organizations should educate users on common tactics and encourage them to pause and take notice of suspicious activity before clicking on emails from unfamiliar sources or unsolicited links, according to the post.

For example, the discrepancy between receiving an email from a Dropbox domain and receiving a page linking to a OneDrive account should be a giveaway that the Dropbox campaign is malicious, the Check Point researchers noted. A savvy user could then identify this and delete the message before even getting to the phishing page.

Deploying a comprehensive security solution that includes document- and file-scanning capabilities, AI defenses, as well as a robust URL-protection system that conducts thorough scans and emulates webpages for enhanced security can also help thwart BEC 3.0 campaigns, according to Check Point.

Businesses should take note given that BEC attacks are on the rise, not just in numbers but in sophistication. In 2022, the FBI reported that it logged more than 21,000 BEC complaints, amounting to adjusted losses of more than $2.7 billion, and that the attack vector has cost businesses worldwide more than $50 billion in the last 10 years. That figure reflected a growth in business losses to BEC of 17% year-over-year in 2022.

"That's why these attacks are increasing in frequency and intensity," the Check Point team wrote in the post.

LinkedIn Smart Links Abused in Phishing Campaign Targeting Microsoft Accounts

A recently observed phishing campaign targeting Microsoft accounts is using LinkedIn smart links to bypass defenses.

SecurityWeek.com by ByIonut Arghire on October 12, 2023

A recently identified phishing campaign is relying on LinkedIn smart links to bypass email defenses and deliver malicious lures into Microsoft users’ inboxes, email security firm Cofense reports.

A legitimate feature connected to LinkedIn’s Sales Navigator services, smart links allow businesses to promote websites and advertisements, redirecting users to specific domains.

Threat actors, however, are relying on the feature to redirect users to malicious websites that attempt to steal their credentials and personal information, abusing the inherent trust that email gateways have in LinkedIn.

While LinkedIn smart links have been abused in malicious attacks before, the recently observed phishing campaign stands out with more than 80 unique smart links embedded within over 800 phishing messages delivered to recipients from various industries, Cofense says.

The campaign, the email security firm says, likely employed newly created or compromised LinkedIn business accounts to deliver document, financial, general notification, and security themed lures to unsuspecting victims.

A smart link typically includes the LinkedIn domain followed by a parameter and an eight-alphanumeric character ID, but the threat actors added other pieces of information as well, including the recipient’s email address, to autofill the malicious phishing form the victim is redirected to, and which asks for their Microsoft account credentials.

According to Cofense, the campaign mainly targeted employees at financial and manufacturing organizations. However, energy, construction, healthcare, insurance, mining, consumer goods, and technology organizations were targeted as well.

“Despite finance and manufacturing having higher volumes, it can be concluded that this campaign was not a direct attack on any one business or sector but a blanket attack to collect as many credentials as possible using LinkedIn business accounts and smart links to carry out the attack,” Cofense notes.

Fake friends and followers on social media – and how to spot them

One of the biggest threats to watch out for on social media is fraud perpetrated by people who aren’t who they claim to be. Here’s how to recognize them.

WeLiveSecurity.com by Phil Muncaster on October 6, 2023

Some 4.5 billion people worldwide, or almost 55 percent of the global population, have at least one account with one of the big players. And global internet users spend around two-and-a-half hours each day reading news, sharing stories and swapping pictures on their social media platforms of choice. In other words, social media has had an immeasurable effect on our lives, including on how we engage and interact with other people.

Yet not everything is always as it seems on social media. As per the internet in general, these platforms have become a hotbed for scammers and fake news peddlers. The sheer volume of global users, the dynamic nature of user-generated content and the agility of malicious actors make policing these platforms extremely challenging for the providers.

That means users must take matters into their own hands.

Social media is a haven for scammers

Among the biggest threats to watch out for are friends and followers who aren’t who they claim to be. Scammers use these profiles, often registered and managed by automated bots, to spam users with too-good-to-be-true offers, clickbait stories, romance scams and more. It could range from a “who viewed your profile” link to a bogus cryptocurrency investment opportunity or a free gift card offer.

The bottom line is that they want your money and/or your data. They may be hoping you click on a malicious link, triggering a covert malware download, or that you voluntarily hand over personal information. They may even be reeling you in for a bigger scam like romance fraud or crypto scams.

10 tips for spotting the fakers

Social media platforms are getting better at removing inauthentic profiles and accounts. But they’re nowhere near 100% successful. We all need to be more credulous about what we see on these sites. Here are some of the top ways to spot the scammers:

  • An unusual bio: Fake accounts may have bios that are copied and updated from elsewhere, leading to an incongruous mix of sentences. Also look out for typos, excessive emojis and/or stilted language indicative of a bot.
  • Catfishers: Scammers might use fake social media profiles just as they do on dating sites in a bid to con their way into a romantic online relationship with the victim before asking for money to be wired to them. A reverse image search should be the first port of call. 
  • A mismatch between “followers” and “following”: This is particularly prevalent on Instagram. Spam accounts will automatically follow hundreds or thousands of users, but few will follow them back.
  • Friend’s profile pic: Sometimes scammers will try to clone a friend’s account. They may then send an urgent message pretending that friend is in trouble and asking for money. It’s easier to do than it sounds and still tricks a lot of unwitting social media users. It always pays to double-check with any friend if they really have sent you a message like this. Drop them a line via another channel. Alternatively, scrutinize the account sending the message. 
  • Direct message (DM) spam: A scam account will often try to message you directly with fake offers and encourage you to DM to someone else or visit a website to find out more. These accounts will also be fake, used to peddle anything from crypto investment fraud to retail scams.
  • No official checkmark: Instagram, Facebook and X (Twitter), for example, have badges or checkmarks to identify the official accounts of businesses, celebrities and others. If you see an account purporting to be an organization or individual of some import, but which doesn’t feature any of these, it’s likely to be an imposter.
  • Posting activity: Fake accounts will often post a barrage of content in one go – perhaps with similar or identical captions – and then fall silent. Or they may even fail to post at all. So, check the quantity, quality and cadence of any posts.
  • Free gift offers: Beware of any accounts that offer you giveaways and/or cash – perhaps in return for filling out a survey. They may impersonate a big-name brand to do so. They just want your personal information.
  • Heavily discounted items: Fake accounts might also promote luxury items that have been heavily marked down. Remember, if it’s too good to be true, it usually is.
  • Random comments: If an account is leaving comments on your posts unrelated to that post, it is quite probably a fake.

How to report fake accounts

The good news is that many social media gatekeepers like Instagram and LinkedIn, are continually looking at ways to improve account verification and boot inauthentic users and bots off their platforms. However, one of the best tools they have to spot fake accounts is their eagle-eyed users.

TikTok flooded by 'Elon Musk' cryptocurrency giveaway scams

BleepingComputer.com by Lawrence Abrams on September 17, 2023

TikTok is flooded by a surge of fake cryptocurrency giveaways posted to the video-sharing platform, with almost all of the videos pretending to be themes based on Elon Musk, Tesla, or SpaceX.

Threat actors have created fake cryptocurrency giveaways on social media platforms like Instagram and Twitter for years. These scams pretend to be giveaways from celebrities, cryptocurrency exchanges, and, more commonly, impersonating Elon Musk or SpaceX.

The scammers set up hundreds of websites that pretend to be crypto exchanges or giveaway sites that prompt users to register an account to receive free cryptocurrency. However, as expected, these scams simply steal any deposited crypto, with the users receiving nothing in return.

While you would think that most people would see through these scams, they have been incredibly successful in the past, with scams stealing millions of dollars in cryptocurrency from unsuspecting social media users.

TikTok invaded by cryptocurrency scams

With TikTok's immense popularity, scammers are increasingly flooding the platform with fake cryptocurrency giveaways.

These videos are posted hourly and contain a deep fake video of Elon Musk being interviewed on Fox News or other networks, promoting a fake cryptocurrency giveaway.

Some videos are a bit more amateurish, simply showing how to log in to a listed website and enter a promo code to receive free Bitcoin.

One of the giveaways to see how it works and found that almost all utilize the same template, which pretends to be a crypto investment platform.

Most of the videos use website domains that look slightly similar, such as bitoxies[.]com, moonexio[.]com, altgetxio[.]com, cratopex[.]com.

To take part in the giveaway, users are prompted to register an account and enter a promo code shared in the TikTok video. Once they enter the code, the site will pretend to deposit Bitcoin into the user's wallet.

For example, the scam site below pretended to deposit .34 Bitcoin into my wallet, worth approximately $9,000.

However, when attempting to withdraw the free Bitcoins, you must first activate your account by depositing .005 Bitcoins, worth approximately $132. As you will never receive any bitcoins from the site, the scammers generate their revenue by stealing these "activation" deposits.

To make matters worse, you will also be prompted to enter KYC information, which can collected by the threat actors to attempt to breach your other legitimate cryptocurrency accounts.

As these scams have the potential to generate a large amount of revenue for threat actors, they will not be going away, and social media platforms will continue to be flooded with these fake giveaways.

These scams have gotten so profitable that the FTC released a report warning that $80 million has been lost to cryptocurrency investment scams since October 2020. More recently, the Better Business Bureau issued a warning last week about cryptocurrency scams on TikTok.

Therefore, it is essential to recognize that almost every crypto giveaway site is a scam, especially those claiming to be from Elon Musk, Tesla, SpaceX, Ark Invest, Gemini, and high-profile exchanges and celebrities that promise massive returns.

If you see emails, videos, tweets, or other messages on social media promoting these giveaways, remember that any cryptocurrency you send will just be stolen with nothing in return.

Fake Red Cross blood drive info lures phishing victims

SCMagazine.com by Simon Hendery on September 26, 2023

A highly skilled but previously unknown advanced persistent threat (APT) group targeted victims using an American Red Cross blood drive phishing lure and two novel trojan horse malware tools.

The fake blood drive campaign was discovered by NSFOCUS Security Labs researchers who believe the threat group behind it “is highly likely to deploy this attack process into larger-scale network attack operations."

In a Sept. 25 post, the NSFOCUS researchers said the new group, which they named AtlasCross, demonstrated a high level of technical skills combined with “strong process and tool development capabilities” and a “cautious attack attitude."

The researchers said AtlasCross’ approach was “quite different from known attacker characteristics in terms of execution flow, attack technology stack, attack tools, implementation details, attack objectives, behavior tendency and other main attribution indicators."

NSFOCUS could not determine AtlasCross’ origins but described the group’s attack processes as highly robust and mature.

“On the one hand, this attacker can actively absorb various hacker technologies and integrate them into its own technology stack and tool development process; on the other hand, it has chosen the most conservative route in environmental detection, execution strategy, network facility selection, etc., reducing its exposure risks at the expense of efficiency.”

Red Cross used as bait

The AtlasCross phishing campaign decoy document examined by NSFOCUS was a Microsoft Word macro-enabled file titled “Blood Drive September 2023.docm."

Targets who proceeded to open the lure were shown a McAfee logo and a message that the file was protected by McAfee DLP. They were encouraged to click “Enable Content” in response to Word’s standard security warning for macro-enabled files.

If the victim complied with the request to enable macros, the hidden content of the file was opened, displaying a Red Cross flyer headed “Become A Blood Donor."

Meanwhile, malicious marco code in the document dropped a malware program on the victim’s system in the form of a .PKG file.

It’s not the first time threat actors have abused the reputation of the Red Cross for nefarious purposes. Following Hurricane Katrina in 2005, a Miami man was imprisoned after pleading guilty to selling phishing kits that included software used to develop a phony American Red Cross relief website.

The organization is also an attractive target for threat groups, especially because of the large amount of personally identifiable information it holds.

AtlasCross deploys novel malware

The .PKG file dropped by AtlasCross was a loader trojan – dubbed DangerAds by NSFOCUS – that executed a built-in shellcode used to load the final payload in the attack process, another novel trojan NSFOCUS calls AtlasAgent.

“The main functions of the (AtlasAgent) trojan are to obtain host information, process information, prevent opening of multi-programs, inject specified shellcode and download files from CnC (command and control) servers,” the researchers said.

As well as noting the high standards of AtlasCross’ attack techniques and tools, the researchers said residual debug code they observed in the threat actor’s self-developed trojans demonstrated the APT gang was still working to improve its attack process.

“These characteristics reflect the high-level threat nature of this attacker, who may continue to organize other cyberattack activities against key targets after this attack,” they said.