Phishing Archives - Page 4 of 9

Vidar Malware Attacks Online Sellers

malware, Ophtek, Phishing, social engineering, Vidar Malware, Virusesmalware, Ophtek, phishing, social engineering, Vidar_Malware, virusOphtek, LLC

Aug 2023

E-commerce means big business in the 21^st century and it proves a highly attractive target to threat actors, as online sellers are now finding out.

Such is the size of the e-commerce industry – estimated to hit $4.11 trillion in 2023 – threat actors have many reasons for attacking online merchants. Taking control of a seller’s account will instantly provide hackers with a treasure chest of personal information about their customers e.g. payment methods, personal identifiers, and email addresses. It’s also common for threat actors to lace these compromised inventories and shops with malicious JavaScript code, this can then record credit card details during the checkout process.

Therefore, this latest attack, which uses the Vidar malware to advance its payload, is one that you need to be aware of.

How is Vidar Causing Havoc in the Digital Aisles?

The attack launched against online sellers uses a combination of social engineering and phishing emails to deceive its targets. Threat actors are posing as disgruntled customers who claim to have had large amounts of money deducted from their bank without an order being processed. Using a bit.ly URL – which is typically used to shorten long URLs, but also hides the true destination of the link – the sender of the email advises the merchant to investigate a screenshot of their bank account. This, they claim, will show proof that funds have been taken.

Clicking this link will take the victim to a malicious website designed to look like a genuine Google Drive account. Here, the victim is encouraged to download a .PDF of the bank statement which the sender claims will demonstrate that an illegal transaction has taken place. However, rather than downloading a .PDF, the victim will instead download a file called bank_statement.scr. And this file contains the Vidar malware.

Vidar was first discovered in 2018 and its method of attack is well known. A classic data miner, Vidar will steal information such as passwords, browser cookies, text files, and also take screenshots of the infected PC. After uploading this data to a remote location, the threat actors can easily download this information and use it to exploit the victim further e.g. sell login credentials on the dark web or access other user accounts using the same information.

Taking Vidar Back to the Store

If you believe that your PC has been breached by Vidar, the good news is that most anti-virus tools will pick it up and eradicate it from your system. Nonetheless, it’s always better to not get infected in the first place. Therefore, make sure you follow these best practices to avoid falling victim to Vidar:

Pick up on suspicious language: phishing emails are full of telltale signs, but you need to know what you’re looking for. Firstly, look out for urgency, fear, and excitement-inducing words. Secondly, watch for requests to disclose personal information or click on suspicious links. And, finally, pay attention to poor grammar or spelling errors.

Only download from trusted sources: it’s advisable to only download files from sources you can verify are genuine. Downloading files from customers, even if they are genuine, should be avoided wherever possible. These files could, as the Vidar attack has shown, contain anything. In a scenario where you need verification, always turn to an IT professional.

Use anti-phishing tools: installing anti-phishing software is a good way to enhance your protection against phishing attacks. These tools can be implemented as either browser extensions or part of a security suite. Once they detect an attempt at phishing, they will block the content and present you with a warning in its place.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Windows WordPad Flaw Exploited to Infect PCs

cybersecurity, DLL_hijacking, email_links, email_sender, Ophtek, Phishing, Updates, WordPadCybersecurity, DLL_hijacking, email_links, email_sender, Ophtek, phishing, updates, WordPadOphtek, LLC

Jul 2023

WordPad, a basic yet popular word processor, is the latest Windows app to fall victim to a vulnerability exploited by threat actors.

Bundled free with almost every version of Windows since Windows 95, WordPad has remained popular thanks to its simplicity. Less complex than Microsoft Word and more advanced than the basic Notepad app, WordPad gives users an effective word processing tool. However, it’s now an app which carries a real threat to your IT security. Due to a flaw in WordPad’s design, threat actors have started to abuse this vulnerability by launching a DLL hijacking attack.

Everything You Need to Know about the WordPad Hack

You may not be familiar with DLL hijacking, so we’ll start by looking at this form of attack. DLL files are library files which can be used by multiple programs all at the same time. This makes it a highly flexible and efficient file, one which can reduce disk space and maximize memory usage. When Windows launches an app, it searches through default folders for DLLs and, if they are required, automatically loads them. What’s important to note, however, is that Windows will always give priority to loading DLLs located in the same folder as the app being launched.

DLL hijacking abuses this process by inserting malicious DLLs in the app’s parent folder. Therefore, Windows will automatically load this malicious file instead of the genuine one. This allows threat actors to guarantee their malware can be launched long after they have left the system. And this is exactly what has happened with WordPad. The hackers begin their attack by using a phishing email to trick users into downloading a file, one which contains the WordPad executable and a malicious DLL with the name of edputil.dll. Launching the WordPad file will automatically trigger the loading of the malicious DLL file.

This infected version of edputil.dll runs in the background and uses QBot, a notorious piece of malware, to not only steal data, but also download further malware. The infected PC is then used to spread the attack throughout its entire network.

Writing QBot into History

While this form of attack is far from new, it has proved successful. Accordingly, it’s important that we hammer home the basics of good cybersecurity, with a particular emphasis on phishing attacks:

Be careful of email links and attachments: Phishing emails often contain harmful links or attachments. Be careful when clicking on links or downloading attachments, especially if they seem suspicious. Hover over the link to check the URL before clicking and only download attachments from trusted sources. If you’re unsure, always verify the email with an IT professional before clicking anything.
Verify the email sender: phishing emails often impersonate genuine organizations or individuals. Therefore, make sure you check the sender’s email address for any inconsistencies or spelling mistakes. And, if you’re still in doubt, contact the sender by phone or in person to confirm they have sent the email.
Always update: software manufacturers routinely issue updates to patch security vulnerabilities and improve performance. It’s crucial that these updates are installed as soon as possible to avoid threat actors exploiting these flaws. The simplest way to do this is by authorizing automatic updates.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Interest in ChatGPT Related to New Malware Attacks

ChatGPT, cyber attacks, malware, Ophtek, Phishing, two-factor authenticationChatGPT, Cyber Attacks, malware, Ophtek, phishing, two-factor authOphtek, LLC

Jul 2023

The launch of ChatGPT and its accompanying headlines have been heard around the world. And threat actors are leveraging this interest to launch new attacks.

You don’t have to look hard to find a headline relating to ChatGPT, the latest and most intriguing AI service to be released to the public. Everyone has been talking about it and, of course, this also includes hackers. After all, anything which proves popular – such as social media and cryptocurrency – quickly becomes an attractive method of delivering malware. Now, while you and your business may not use ChatGPT daily, this latest campaign utilizes a few attack strategies you need to be aware of.

How Has ChatGPT Got Caught Up in Malware?

The massive interest generated by ChatGPT means that AI related apps are at the forefront of most internet users’ thoughts. As a result, threat actors have decided to turn this interest to their benefit with their most favored technique: deception. The attacks, which were discovered by Meta, the owners of Facebook, have involved 10 different malware families and, on Meta’s platforms alone, 1,000 malicious links relating to ChatGPT.

Two of the most notable strains detected, which appear to have originated from Vietnam hacking groups, are NodeStealer and DuckTail. NodeStealer is a JavaScript-based piece of malware which is used to steal cookies and login credentials. DuckTail, meanwhile, not only steals cookies, but also focuses on hijacking Facebook business accounts to access lucrative ad accounts. Both of these malware strains are typically spread and activated via infected files or links to malicious websites.

How Do You Stay Ahead of AI Malware?

The official and genuine ChatGPT site has already been used by threat actors to develop new malware, so there is already concern about how it can be compromised. And this latest attack, while not directly involving the app, certainly adds fuel to the fire. Deception, of course, is nothing new in the world of hacking. But the number of people who fall for the duplicitous schemes of hackers is astronomical. Therefore, you need to remain on your guard by following these best practices:

Educate yourself: Phishing scams and techniques are constantly evolving, so it’s important to understand the key basics of these attacks. Emails, for example, which include urgent or threatening language, requests for personal information, and suspicious URLs should never be trusted. Regularly educating yourself on these scams can help you avoid falling victim to malicious links and keep your online accounts secure.

Only download from safe sources: downloading files from unknown sources can put your PC at risk of malware, viruses, and other types of cyberattacks. Accordingly, only download files from reputable websites and avoid clicking on links from unknown sources. Also, emails which contain attachments, especially those from unknown senders, should immediately be quarantined. These precautions will help protect your PC and your organization’s wider IT infrastructure.

Use two-factor authentication: many of the malware strains identified in the latest round of ChatGPT-related attacks involve stealing credentials. Therefore, there’s never been a better time to implement a further layer of security in the form of two-factor authentication. While it won’t necessarily protect against session hijacks, two-factor authentication will significantly reduce the risk of unauthorized access to your accounts.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Microsoft’s OneNote Poses a Real Malware Risk

AsyncRAT, Formbook, OneNote, Ophtek, Phishing, QbotAsyncRAT, Formbook, OneNote, Ophtek, phishing, QbotOphtek, LLC

May 2023

Making notes is part and parcel of any working day, so it’s fantastic that we have apps such as Microsoft’s OneNote. Except when it opens you up to malware.

Part of the Microsoft Office suite, OneNote is an app which allows you to create notes and store them in one central location. Therefore, you can create text documents, drawings and tables on a blank canvas and then access them from any location. While it has proved popular with business users, it has also been readily adopted by threat actors for malicious means. And this is because OneNote also allows you to share its files – known as notebooks – with other users. Accordingly, malicious software has been able to spread.

How Has OneNote Been Compromised?

The malware risk with OneNote has been growing for some time and can be evidenced by the following attacks:

Qbot: Active in the digital landscape since 2007, Qbot began being passed around via OneNote notebooks in January 2023. These notebooks were distributed, at first, through a series of malicious spam email campaigns where embedded links redirected users to the malicious notebooks. However, it also turned out that existing email threads were being hijacked, with malicious notebooks being attached to trick the recipients. With Qbot activated, threat actors were able to steal data and download further malware.

AsyncRAT: Posing as Canadian fuel provider Ultramar, threat actors sent phishing emails to recipients which contained ‘invoices’ in the form of notebooks. These invoices, though, were far from genuine. In fact, all they contained was the AsyncRAT malware. And, once activated, AsyncRAT would provide remote access to threat actors. This means that they would have the power to steal data, download further malware onto infected systems and compromise networks.

Formbook: In December 2022, it was discovered that the information stealing malware Formbook had been at the heart of another OneNote campaign. Using phishing methods, the Formbook malware was observed as part of an email claiming to be a customer seeking a quote. The attached notebook file was used to activate a Windows Script File which, in turn, unleased Formbook’s malicious activity. Again, Formbook was primarily used as a data thief, stealing data from website forms, clipboards, and keystrokes.

Staying Safe from OneNote Attacks

With OneNote’s notebooks becoming a popular method for cyber-attacks, it’s crucial you understand how to deal with them. Therefore, make sure you practice the following:

Block notebook files: If your organization doesn’t use OneNote files, the best thing to do is block notebook files in your email servers. This will minimize the risk of these attachments appearing in your employees’ inboxes and ensure the malware can’t be activated.

Understand what phishing is: With over 255 million phishing attacks in just six months in 2022, it’s clear to see that phishing poses a credible threat. This means it’s vital your organization understands how phishing campaigns work and the best ways to defend against them.

For more ways to secure and optimize your business technology, contact your local IT professionals.

CircleCI Hacked: Cookie Theft Bypasses 2FA Process

cookies, Google Authenticator, Ophtek, Phishing, Two Factor Authenticationcookies, google authenticator, Ophtek, phishing, two factor authentificationOphtek, LLC

Mar 2023

Two-factor authentication (2FA) is there to provide a high level of security, but what happens when this process is compromised?

CircleCI is a platform used by software developers to build, test and implement code. Therefore, due to the amount of confidential and potentially valuable data CircleCI holds, it’s a highly attractive target for threat actors. Thankfully, for those using CircleCI, strong security practices are in place to provide a secure environment, and one of the most important is 2FA. Nonetheless, threat actors are persistent and innovative individuals, and the presence of 2FA merely represents a challenge. And it was this obstacle hackers managed to overcome in December 2022 when they breached CircleCI.

As 2FA is such a critical element of excellent cybersecurity practices, it’s important that we understand what went wrong at CircleCI.

How 2FA Failed at CircleCI

The first sign of CircleCI becoming compromised came in early January 2023 when a user discovered that their OAuth token – used to identify customers to online platforms – had been accessed by an unauthorized party. CircleCI were unable to pinpoint how the security token had been compromised, but immediately began to randomly rotate the OAuth tokens in use by their users.

Further investigation, however, revealed how access to the OAuth tokens had been breached. A developer at CircleCI had fallen victim to a malware attack, one which focused on stealing data. Among the stolen data was a session cookie which had already been validated through the 2FA process and, therefore, ensured that anyone in possession of it could gain quick and easy access to the CircleCI network. And this is exactly what the threat actors did, stealing encryption keys, OAuth tokens and customer data.

Can You Combat a Compromised Cookie?

2FA has long been championed as one of the cornerstones of IT security, but this attack on CircleCI has brought the spotlight on to one of its glaring weaknesses. The success of the attack also highlights the popularity of this technique, which has recently been deployed against several major IT organizations. Accordingly, to protect your IT infrastructure, it’s crucial that your organization practices the following:

Be careful with emails: most malware is delivered by email, so it makes sense to treat all your emails carefully. If anything looks suspicious, then always ask an IT professional to run their eyes over it. And always verify a link embedded in an email before clicking it, you can do this by hovering your mouse cursor over the link to display the true destination.

Monitor cookies: abandoning 2FA is far from recommended, but you do need to look at how you monitor cookies. Identifying when validation processes are being carried out by cookies in new locations is vital, and once this has been identified, a new 2FA validation should be generated.

Strengthen with Google Authenticator: you can back up the security of your 2FA process by also implementing an authentication code generated by Google Authenticator. This piece of software uses an algorithm to generate a unique code on your phone which must then be entered into a prompt for the software app you are trying to access.

For more ways to secure and optimize your business technology, contact your local IT professionals.

« Previous 1 2 3 4 5 6 … 9 Next »

Category Archives: Phishing