2024 - Page 2 of 11

Hackers have designed fake Google Meet error pages to distribute info-stealing malware which can compromise all the data on a network.

It feels as though malicious websites are springing up on a daily basis, and with 12.8 million websites infected with malware, this is a fair assumption to make. The latest attack under the Ophtek spotlight centers around Google Meet, a videoconferencing service hosted online by Google. The threat uses fake connectivity errors to lure victims into inadvertently launching the malware on their own system. And with Google Meet having over 300 million active users every month, the chance of this campaign tripping people up is exceptionally high.

The Danger of Fake Google Meet Pages

Google Meet attack appears to be part of a wider hacking campaign known as ClickFix, which has also been identified using similar fake websites impersonating Google Chrome and Facebook. In all these cases, the objective of the campaign is to install info stealers onto infected PCs. Malware used in these attacks include DarkGate and Lumma Stealer.

Fake error messages are displayed in the web browsers of victims to indicate a connectivity issue with a Google Meet call. However, there is no Google Meet call taking place, it’s simply a ruse to deceive victims into following through on a malicious call-to-action. These ‘errors’ recommend copying a ‘fix’ and then running it in Windows PowerShell, an app commonly used to automate processes on a Microsoft system.

Unfortunately, rather than fixing the ‘error’ with Google Meet, the execution of this code within PowerShell simply downloads and installs the malware. Once installed, malware such as DarkGate and Lumma Stealer has the potential to search out sensitive data on your network, establish remote network connections, and transmit stolen data out of your network.

Victims are redirected to these malicious websites via phishing emails, which claim to contain instructions for joining important virtual meetings and webinars. The URLs used within the emails appear like genuine Google Meet links but take advantage of slight differences in the address to deceive recipients.

Protecting Yourself from Fake Google Meet Malware

The best way to stay safe in the face of the fake Google Meet pages (and similar attacks) is by being proactive and educating your staff on the threats of malicious websites. Accordingly, following these best practices gives you the best chance of securing your IT infrastructure:

Double Check URLs: malicious websites often mimic genuine ones to catch people off guard. Therefore, always verify any URL for anything unusual such as misspelled words or lengthened and unusual domain endings, before clicking them. This will minimize your risk of falling victim to phishing and malware attacks.
Use Browser Security Features: many browsers, such as Google Chrome, come with built-in security features which can block sites known to be harmful or detect suspicious downloads. If you have these protections enabled, and this is easily done through your browser settings, you can rest assured you’re putting a strong security measure in place.
Install Antivirus and Firewall Software: one of the simplest way to protect yourself is by installing antivirus and firewall software, which is often available for free in the form of AVG and Kaspersky. This software can not only detect malware, but also block it before it reaches your system, so it can be considered a very strong form of defense.

For more ways to secure and optimize your business technology, contact your local IT profes sionals.

Infected GitHub Links Target Financial Services

GitHub, online links, Ophtek, Phishing Email, Remcos RAT, Remote Access Trojan, security softwareGitHub, online links, Ophtek, phishing email, Remcos RAT, remote access trojan, security softwareOphtek, LLC

Nov 2024

A new malware campaign, targeting finance and insurance sectors, is using infected GitHub repositories to distribute the Remcos remote access trojan (RAT).

GitHub is an online platform which allows software developers to store and share code online. It’s like an online hard drive, but one which is specifically dedicated to coding projects. It’s main use is to foster collaboration between developers and track changes in their code as it evolves. However, as it’s a trusted source, it makes it the perfect target for hackers. On this occasion, the threat actors haven’t been starting malicious repositories. Instead, they’ve been taking advantage of the comments section in legitimate repositories.

The Dangers of GitHub Comments

The GitHub attack in question appears to be targeting genuine open-source repositories, with those affected including HMRC, Inland Revenue, and UsTaxes. These are well-known and trusted repositories. Users wouldn’t expect to be infected by malware visiting these, whereas lesser known and newer repositories pose more of an obvious risk. So, how are the threat actors compromising these accounts? Well, they’re uploading malware files into the comments section.

Although the comment is deleted, the link to file stays in place. Phishing emails are then used to redirect users to the infected link on GitHub. Again, as GitHub is a genuine, trusted platform, these phishing emails are not detected as being suspicious. This puts the recipient at risk of unknowingly downloading and executing the Remcos RAT. This RAT allows threat actors to remotely take control of an infected PC. From here, they can steal your data, execute further commands on your system, and monitor all your activity. This makes the attack highly dangerous and follows in the footsteps of numerous GitHub attacks in the last year.

Staying Safe from Malicious Comments

Your employees may not have anything to do with software development, but the Remcos RAT relies on phishing techniques which could easily deceive them. Therefore, you need to ensure your employees stay safe from this innovative threat. The best way to achieve this is by following these best practices:

Identify Phishing Emails: It’s important that you team understand how to identify a phishing email. These can be highly convincing and often use language of an urgent nature to force recipients into taking actions without thinking. Educating your staff on these telltale signs will minimize the risk of their PCs becoming compromised by malware.
Be Suspicious of Online Links: Whether a link is contained within an email or on a trusted website, you should always be suspicious. These links can often hide malicious content, and this can then be used by threat actors to steal personal data or take control of your PC. Always verify a link with an IT professional before clicking on it.
Use Security Software: You can protect your PCs from malicious links by using security software such as AVG or McAfee. These tools actively scan web traffic and block access to known dangerous sites. They also detect suspicious behaviors, like phishing attempts, and pre-warn you about malicious links, all in real-time. By filtering out harmful content and preventing access to malicious websites, the risk of malware infections is significantly reduced.

For more ways to secure and optimize your business technology, contact your local IT professionals.

WarmCookie Malware Serves Up Fake Browser Updates

backdoor malware, compromised websites, fake updates, Ophtek, pop-up prompts, WarmCookiebackdoor malware, compromised websites, fake updates, Ophtek, pop-up prompts, WarmCookieOphtek, LLC

Oct 2024

Cybercriminals are using fake browser updates to spread the WarmCookie backdoor malware in a new campaign targeting users in France.

Browsers are a crucial component of modern business IT and are used almost continuously throughout the day. Whether its placing orders for stock, updating customer portals, or researching your competitors, your employees will be utilizing apps such as Chrome, Edge, and Firefox. And it’s this essential nature of browsers which makes them the perfect target for threat actors. WarmCookie was first detected in 2023, when fake OneDrive attachments were used to deploy its payload, and has recently resurfaced in France. Backdoor attacks have the potential to cause major damage to your IT infrastructures and data security, so it’s vital that you’re aware of how these attacks work.

The Basics of the WarmCookie Attack

The WarmCookie malware campaign targets its victims by concealing itself as fake browser or application updates. When a user visits a compromised website, they’re advised to download what, for all intents and purposes, looks like an update for popular browsers such as Chrome or essential Browser tools like Java. Some of the websites involved in the WarmCookie attack appear to be compromised websites, yet some seem manufactured to promote the downloading of browser updates.

Regardless of the type of website involved, instead of downloading a genuine update, the user will only be able to download the WarmCookie malware. Once this malware is activated, it opens a backdoor into the user’s system, this allows the attackers to carry out a wide range of malicious activities. Primarily, WarmCookie seeks to steal sensitive information such as login credentials, but it also focuses on executing remote commands and downloading further strains of malware onto the infected system.

So far, the campaign appears to have limited its activities to targeting PC users in France. WarmCookie is also renowned for being stealthy and evasive, which enables it to remain undetected on systems for long periods. This allows the attackers to access compromised systems at their own pace, increasing the risk of more severe damage. Therefore, due to this silent and persistent operation, WarmCookie should be classified as a highly dangerous piece of malware.

Avoid the Dangers of Malicious Downloads

Thankfully, you don’t have to become one of WarmCookie’s victims as it’s relatively simple to avoid. With a little education, you can equip yourself and your staff with the best practices to deflect any malicious download threats:

Only Download from Official Sources: it’s paramount that you stick to downloading software, updates, and files from official websites with a direct link from the software’s developer. Third-party or unofficial websites may appear appealing and simple, but they’re often hosting pirated or infected files which could easily contain malware.
Be Wary of Pop-up Update Prompts: pop-up messages are part and parcel of life online in the 21st century, but it’s important that you analyze their content before taking any actions. While they may claim to be linking to a legitimate update, it could very easily be a slice of malware which is on offer. Therefore, always double check by visiting the developer’s website to confirm this update is genuine.
Verify File Integrity: to verify how trustworthy a file is, you can always check its digital signature or file hash to ensure its authenticity. A genuine and valid signature will indicate that the file hasn’t been tampered with by third parties. And file-checking tools – such as VirusTotal – can help you avoid installing infected or manipulated versions of file updates.

For more ways to secure and optimize your business technology, contact your local IT professionals.

A new malware attack has been discovered which uses the SnipBot malware to dig deep into the victim’s network and harvest data.

SnipBot is a variant of the RomCom malware, which has previously been used for data harvesting and financially motivated attacks such as the Cuba ransomware attack. SnipBot’s malicious campaign has been widespread, with victims identified in multiple industries including legal, agriculture, and IT sectors. SnipBot performs what is referred to as a pivot, a process by which malware moves between compromised systems on the same network to access as many workstations as possible. This maximizes the amount of data SnipBot can steal and marks it out as a major threat.

SnipBot Unleashed

With 3.4 billion phishing emails sent daily, it’s clear that phishing attacks are incredibly popular with threat actors. And this is the exact approach adopted by SnipBot.

The SnipBot malware attack starts with phishing emails which trick recipients into downloading fake files disguised as legitimate PDFs. When the victim clicks on a link contained within the PDF, a malicious downloader is activated. As these downloaders are signed using real security certificates, they avoid detection by security software.

The malware can then inject itself into core system processes such as explorer.exe, and it can maintain this presence even after a reboot. Once inside the victim’s system, SnipBot sets about collecting sensitive data from popular folders, like Documents and OneDrive. This harvested data is then sent back to the attacker via a remote server.

Palo Alto Networks researchers, who discovered the SnipBot campaign, are unsure as to the true objectives of SnipBot. At present, there appears to be no financial motive present in the attack, so it has been labelled purely as an espionage threat.

How Can You Stay Safe from SnipBot?

Luckily, phishing attacks such as SnipBot can be easily managed. By following these best practices, you’ll not only prevent malware being executed, but also avoid it in the first place:

Verify the Sender: it’s paramount that you always check and double check the sender’s email address, especially when the email is laced with a sense of urgency to perform an action. Phishing emails will often use addresses which look genuine but contain slight errors e.g. admin@0phtek.com where the letter O has been replaced with a zero. If you’re unsure, you can always Google the company to find their official website and verify the domain used.
Don’t Click on Suspicious Links: instead of clicking on suspicious links, the safest option to take is to hover over any links to preview the URL. Embedded links can easily be faked to appear genuine, but contain a link to a different, malicious website. Again, you can Google websites directly to navigate your way to any sections referenced in the email. This prevents you from accessing a malicious website loaded full of malware.
Contact the Sender: legitimate businesses and clients will never request sensitive information – such as login credentials – over emails, so these requests should always ring alarm bells. If you do receive such a request, the best option to take is contact the sender via telephone to confirm whether the email is genuine.
Use Spam Filters: one of the best ways to stop phishing emails reaching your inbox is to activate your emails spam filters. These use vast databases to identify potential threats and redirect them to your spam folder. You can also use your spam filters to block repeat offenders, enhancing the safety of your inbox.

For more ways to secure and optimize your business technology, contact your local IT profe ssionals.

Italian PC users have become the target of SambaSpy, a new strain of malware which appears to originate from Brazil and employs phishing emails.

First detected by Kaspersky in May 2024, SambaSpy currently only seems to have targeted PC users in Italy. This is unusual as threat actors tend to focus their attacks on a more global range to maximize potential victims. However, it’s being speculated that SambaSpy may be using Italy as a test run before going global. Regardless of its future plans, SambaSpy utilizes a multifunctional attack, and can log keystrokes, harvest data, take screenshots, download files, and take control of process management on infected PCs.

With its strong range of weaponry, SambaSpy represents a significant threat to PC users and needs investigating further.

Say Ciao to SambaSpy

The SambaSpy attack originates within a phishing email, one which contains either an embedded link or an HTML attachment. Once the HTML attachment has been activated, one of either a malware dropper or downloader is executed from a ZIP archive. The malware dropper will load the main payload of SambaSpy from the same ZIP archive whereas the downloader will retrieve it from a remote server. The dropper is used to retrieve the malware payload from a remote location. The embedded link route sends users on a convoluted journey to a malicious site hosting the downloader or dropper.

Once SambaSpy is fully activated, it has the potential to launch all of the attack threats previously mentioned. Therefore, it’s capable of compromising every single activity taking place on your PC. SambaSpy is also clever enough to load plugins when an infected PC starts up, this allows it to shape and change its activities as required. Also of note is that SambaSpy will actively seek out web browsers in order to steal data, putting login credentials and financial information at risk of being harvested.

The attack is believed to have originated from a Brazilian threat actor as one of the malicious webpages involved features JavaScript code with Brazilian Portuguese comments. A number of recent banking trojans – including BBTok and Mekotio – have recently targeted Latin American users with phishing scams, so there may be a connection between these and SambaSpy.

Navigating the Threat of SambaSpy

While SambaSpy has only been detected in Italy, this could change very quickly as the malware becomes more powerful and widespread. Therefore, to safeguard your PCs against this and other similar threats, you need to keep your team up to date with these best practices:

Always Scrutinize the Sender: if you don’t recognize the sender of an email, then this should immediately be cause for concern when attachments or embedded links are included. Also, many threat actors will fake genuine email addresses, but use slightly different spellings e.g. support@m1crosoft.com in order to lull you into a false sense of security. Additionally, if an email claims to be from a large company but is using a generic email address such as BankofAmerica@gmail.com, this is also likely to be a phishing email.
Identify Red Flags: phishing emails will often contain urgent language designed to provoke you into making an immediate response. These call-to-actions are often along the lines of “your account has been compromised” or “this update must be downloaded to secure your PC” to instill a sense of fear. Additionally, phishing emails often have numerous grammatical errors and poor spelling, so make sure you’re aware of these telltale signs.

For more ways to secure and optimize your business technology, contact your loc al IT professionals.

« Previous 1 2 3 4 … 11 Next »

Fake Google Meet Pages Used to Spread Malware

Infected GitHub Links Target Financial Services

WarmCookie Malware Serves Up Fake Browser Updates

SnipBot Malware Used to Steal Data from Victims

SambaSpy Targets Italian PC Users with Phishing Emails

Yearly Archives: 2024