In the triumvirate of identity types, protecting the identity, privacy, and data of carbon-based forms — humans — is key. Safeguards must be in place as AI becomes more interactive.

ChatGPT and Bard AI are making the news for all kinds of reasons. People are charmed and unnerved by the quirky responses and how seemingly sentient these chatbots are.

But artificial intelligence (AI) has existed for years, and the issues today aren't just related to a greater capacity for writing term papers and malware. These new tools simply add to an already complex ecosystem of identities, which may be carbon-based, silicon-based, or now, increasingly complex artificial identities created by AI.

**Identity Trifecta**

First, let's define these different identity types:

**Carbon-based identity:** This one is easy. It's humans. We have names, we have personally identifiable information, mannerisms, and so much more. And we live, breathe, and interact with carbon, silicon, and artificial identities every day.

**Silicon-based identity:** A silicon-based identity is something that we all interact with but rarely or never think about as an entity: our cars, smartphones, and millions of other items that rarely exist or interact on their own.

**Artificial-based identity:** If you've ever read a novel, you've met a whole cast of artificial identities. Each character is a fictional creation with a backstory, internal motivations, and seemingly interactive relationships. The new chatbots can create detailed identities in moments.

**Why Does Identity Matter?**

A silicon-based identity integrates with you and your identity. Take your smartphone, for example. You set it up and customize it so that you can log in with your fingerprint or your face. You use it to set up online banking accounts, social media profiles, and much more. Essentially, you create a link between your carbon identity and your silicon identity, which allows you to interact with your bank and other peer-to-peer connections. When you sell or give away the phone, you know you need to wipe all that data, otherwise the next user could use connections that you authenticated to access your financial, work, and other personal accounts. Even after removing the data, the phone still exists as a silicon identity, and it will integrate with the next carbon entity that sets it up.

Artificial entities are increasingly easy to create, however. AI can generate faces that people find trustworthy and have difficulty distinguishing from real ones. Combined with chatbots, some of these entities have LinkedIn profiles and can easily — and convincingly — reach out to prospective customers without adding to an organization's staffing costs or training requirements. Other chatbots may be answering your banking questions, responding to fraud alerts, or authorizing transactions. They may help you book a flight, facilitate a product return, or respond to insurance queries.

**Who — or What — Are You Talking To?**

How to know which type of entity you're talking to is a question that's only going to become more challenging in the coming months and years. Today, most chatbots can answer simple questions with canned responses. Most users probably find them frustratingly inadequate and try to interact with a carbon entity instead. But it's getting harder to tell them apart. As these solutions become more available, flexible, and interactive, you need to consider who you want to share protected information with.

It may seem safe to share your banking information with an artificial identity, forgetting that if you share your checking account info and authorize them to take money out, you have very little control over when and how that happens. There are some financial regulations in place to help consumers, but they only help after something goes wrong. When your credit or debit card is compromised, you can dispute fraudulent transactions, prevent future charges, and get a new card. That can limit the potential fallout.

Health information is far more complicated. If you share information with an artificial identity about your carbon entity, such as that you have diabetes and high blood pressure, that information goes somewhere you can no longer control. If this private health information is disclosed, either because the artificial entity you shared it with was created for malicious purposes or because the data collected wasn't properly secured and encrypted, that part of your identity is now compromised and you cannot make that information private again.

**Protect Data, Privacy, and Identity**

As the different types of identities become increasingly intertwined and complicated, it's important for organizations to make it clear when an identity interfacing directly with people is artificial, why they're using it, and how.

They also need to protect the identity, privacy, and data of the carbon identities, regardless of how it is collected. That means how this information is collected, transmitted, and encrypted is important.

As we move forward, we must make certain that we protect data, privacy, and identity by challenging and validating access for all these different types of identities. Although artificial identities are becoming interactive and seemingly human, the responsibility to protect carbon identities is paramount.

Are You Talking to a Carbon, Silicon, or Artificial Identity?

As of April 20, 2023, we are decommissioning SenderBase.org and any attempts to visit that web page will fail.

Thursday, March 23, 2023 07:03

As of April 20, 2023, we are decommissioning SenderBase.org and any attempts to visit that web page will fail.

Talos Intelligence’s website (TalosIntelligence.com) has served as the replacement for SenderBase.org for many years, with TalosIntelligence.com providing the same information as SenderBase.org once did. Since that time, visitors to SenderBase.org have been automatically redirected to TalosIntelligence.com, and the redirect from SenderBase.org is finally being removed on \[date\]. After that, attempts to visit SenderBase.org will fail.

Any users still utilizing bookmarks or links pointing to Senderbase.org should update these to ensure they still work appropriately.

Thank you for assisting us in this process.

Senderbase.org redirects to end in April

German and South Korean government agencies have warned about cyber attacks mounted by a threat actor tracked as Kimsuky using rogue browser extensions to steal users' Gmail inboxes.
The joint advisory comes from Germany's domestic intelligence apparatus, the Federal Office for the Protection of the Constitution (BfV), and South Korea's National Intelligence Service of the Republic of Korea (NIS

Cyber Attack / Browser Security

German and South Korean government agencies have warned about cyber attacks mounted by a threat actor tracked as **Kimsuky** using rogue browser extensions to steal users' Gmail inboxes.

The joint advisory comes from Germany's domestic intelligence apparatus, the Federal Office for the Protection of the Constitution (BfV), and South Korea's National Intelligence Service of the Republic of Korea (NIS).

The intrusions are designed to strike "experts on the Korean Peninsula and North Korea issues" through spear-phishing campaigns, the agencies noted.

Kimsuky, also known Black Banshee, Thallium, and Velvet Chollima, refers to a subordinate element within North Korea's Reconnaissance General Bureau and is known to "collect strategic intelligence on geopolitical events and negotiations affecting the DPRK's interests."

Primary targets of interest include entities in the U.S. and South Korea, particularly singling out individuals working within the government, military, manufacturing, academic, and think tank organizations.

"This threat actor's activities include collecting financial, personal, and client data specifically from academic, manufacturing, and national security industries in South Korea," Google-owned threat intelligence firm Mandiant disclosed last year.

Recent attacks orchestrated by the group suggest an expansion of its cyber activity to encompass Android malware strains such as FastFire, FastSpy, FastViewer, and RambleOn.

The use of Chromium-based browser extensions for cyber espionage purposes is not new for Kimsuky, which has previously used similar techniques as part of campaigns tracked as Stolen Pencil and SharpTongue.

The SharpTongue operation also overlaps with the latest effort in that the latter is also capable of stealing a victim's email content using the rogue add-on, which, in turn, leverages the browser's DevTools API to perform the function.

But in an escalation of Kimsuky's mobile attacks, the threat actor has been observed logging into victims' Google accounts using credentials already obtained in advance through phishing tactics and then installing a malicious app on the devices linked to the accounts.

"The attacker logs in with the victim's Google account on the PC, accesses the Google Play Store, and requests the installation of a malicious app," the agencies explained. "At this time, the target's smartphone linked with the Google account is selected as the device to install the malicious app on."

It's suspected that the apps, which embed FastFire and FastViewer, are distributed using a Google Play feature known as "internal testing" that allows third-party developers to distribute their apps to a "small set of trusted testers."

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

A point worth mentioning here is that these internal app tests, which are carried out prior to releasing the app to production, cannot exceed 100 users per app, indicating that the campaign is extremely targeted in nature.

Both the malware-laced apps come with capabilities to harvest a wide range of sensitive information by abusing Android's accessibility services. The apps are listed below -

*   com.viewer.fastsecure (FastFire)
*   com.tf.thinkdroid.secviewer (FastViewer)

The disclosure comes as the North Korean advanced persistent threat (APT) actor dubbed ScarCruft has been linked to different attack vectors that are employed to deliver PowerShell-based backdoors onto compromised hosts.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

German and South Korean Agencies Warn of Kimsuky's Expanding Cyber Attack Tactics

Categories: News
Tags: emotet

Tags:  malware

Tags:  IRS

Tags:  scam

Tags:  email

Tags:  W-9

Tags:  word

Tags:  document

Tags:  macro

Tags:  macros

We look at a current tax scam in circulation which looks to make an Emotet deposit on your PC.



(Read more...)




The post Beware: Fake IRS tax email delivers Emotet malware appeared first on Malwarebytes Labs.

Tax season is upon us and, as with every year, we're seeing tax scammers rearing their heads.

Below, we have an example of a tax scam currently in circulation along with some suggestions for avoiding these kinds of attacks.

**An IRS W-9 tax form scam**

A Form W-9 is a form you fill in to confirm certain personal details with the IRS. Name, address, and Tax Identification Number are all things you can expect to fill in on one of these forms.

In this case, the Form W-9 is being used as a lure for people to download something sinister. Our Senior Director of Threat Intelligence, Jerome Segura, found an email being sent out with the title of “IRS Tax Forms W-9” which appears to have been sent from “IRS Online Center”. The email, which contains an attachment and very little text, looks like this:

The rather short message reads as follows:

> Let me know if you would like a hard copy mailed as well.
> 
> Respectifully \[SIC\]
> 
> Barbara LaCosta
> 
> Inspector
> 
> Department of Treasure

The attachment, W-9 form.zip, is 709 KB in size.

Opening the attachment up reveals a Word document called W-9 form.doc

This file’s size is 548,164 KB (548 MB), which is very suspicious. You won’t find many genuine Word documents weighing in at 500MB or more. In fact, a file size of 500MB is a potential indicator that Emotet is lurking in the background. Malware authors are artificially pumping up the size of the document in order to try and fool or break security tools. This is because the large file size may prove too difficult for the tools to get a handle on and properly analyse.

Opening the document quickly becomes a game of Macro-related risk. Macros, used to automate aspects of your documents, are a tried and tested way of infecting a PC with malware. This is why you’ll almost always see a message saying that Macros are disabled when opening a downloaded document.

Malware authors know this, and will do everything in their power to make you enable them. This is no exception. When opening W-9 form.doc, you’ll see the following message:

> This document is protected  
> Previewing is not available for protected documents. You have to press “enable editing” and “enable content” buttons to preview this document.

Enabling this will result in Emotet being downloaded onto the system.

Emotet has been around since 2014. Originally created as a banking trojan, later versions added malware delivery and spam services. Mostly featuring in email spam campaigns, a big focus of fake mails helping to deliver the infection include subjects like parcel shipping, invoices, and other forms of payment.

In fact, Emotet features as one of the top five cyberthreats businesses face in our 2023 State of Malware report. Flagged by Europol as "The world's most dangerous malware", law enforcement has never quite been able to shut it down permanently despite its entire global infrastructure being taken offline in 2021. Emotet's ability to push additional forms of malware onto target systems including threats like TrickBot, IcedID, and Conti ransomware make it a formidable proposition for any security team to handle.

**Avoiding tax scams**

Here are some of the ways you can outsmart tax fraudsters and keep one step ahead of the phishing, malware, and social engineering attacks which come around every year during tax season.

*   **File early**. One of the quickest ways to stumble into a trap is to leave filing your tax return until the last minute. That added pressure can mean responding to fake mails you otherwise would have ignored.
*   **Be careful around suspicious refunds**. Tax agencies have a proper process for issuing refunds, found on their websites. Some, like HMRC, are very clear that refunds are never issued by email. If in doubt, phone the tax office directly and ask if what you have is the real deal or a fake.
*   **Beware of fake bank portals**. Some tax scams will ask you who you bank with, and then open up a phishing page for that bank. Always navigate directly to your banking website, click throughs and redirects typically spell danger.
*   **Avoid the pressure pitch**. Tax scammers like to hurry you along to data theft and malware installs. Claims of only having 24 or 48 hours to file for a refund should be treated with skepticism. As with most solutions for these forms of social engineering, contact the tax entity directly.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Beware: Fake IRS tax email delivers Emotet malware

**SAN JOSE, Calif.****,** **March 22, 2023** **/PRNewswire/ --** Vectra AI, the leader in AI-driven hybrid cloud threat detection and response, today announced the introduction of Vectra Match. Vectra Match brings intrusion detection signature context to Vectra Network Detection and Response (NDR), enabling security teams to accelerate their evolution to AI-driven threat detection and response without sacrificing investments already made in signatures.

"As enterprises transform embracing digital identities, supply chains and ecosystems — GRC and SOC teams are forced to keep pace. Keeping pace with existing, evolving and emerging cyber threats requires visibility, context and control for both known and unknown threats. The challenge for many security organizations is doing so without adding complexity and cost," says Kevin Kennedy, SVP Products at Vectra. "Vectra NDR now enables security teams to unify signatures for known threats and AI-driven behavior-based detection for unknown threats in a single solution."

With the addition of Vectra Match, Vectra NDR addresses core GRC and SOC use cases enabling more efficient and effective:

*   Correlation and validation of threat signals for accuracy.
*   Compliance for network-based CVE detection with compensating controls.
*   Threat hunting, investigation and incident response processes.

According to Gartner®, "recent trends in the NDR Market indicate many NDR offerings have expanded to capture new categories of events and to analyze additional traffic patterns. This includes **new detection techniques:** by adding support for more traditional signatures, performance monitoring, threat intelligence and sometimes malware detection engines. This move toward more multifunction network detection aligns well with the use case of network/security operations convergence, but also with midsize enterprises."1

"The attack surface cyber attackers have at their disposal continues to grow exponentially creating unknown threats on top of the tens of thousands of known vulnerabilities that exist. Attackers simply have exponentially more ways to infiltrate an organization and exfiltrate data — and do so with far more frequency, velocity and impact. Keeping pace with attackers exploiting known vulnerabilities and unknown threats is an immense challenge for every Security, Risk and Compliance officer," says Ronald Heil, Global Risk Advisory Lead for Energy and Natural Resources and Partner at KPMG Netherlands. "Today, cyber-resilience and compliance requires complete visibility and context for both known and unknown attacker methods. Without it, disrupting and containing their impact becomes an exercise in brand reputation and customer trust damage control. Vectra Match capabilities allow us to combine both worlds, having the continued AI-based detection of real-time "movement", while also having the ability to check against specific Suricata indicators — often required during incident response or proof of compliancy (e.g., Log4J). Consolidating AI-based and signature-based detection enables optimization, because in our case, less is more."

"When it comes to shadow IT, we know people with admin rights are 'building boxes off the grid.' Our SOC team cannot protect what we cannot see, thus making these unknown systems prime targets for attackers. No doubt, behavior-based AI-driven detections are great for catching attackers deploying new, evasive methods, but when it comes to attackers leveraging CVEs to compromise unknown, unpatched systems, we need signature-based detection. Combining signature-based detection with behavior-based detection gives our SOC team visibility for both the known-unknown and unknown-unknown threats. It's the best of both worlds," says Brett Fernicola, Sr. Director, Security Operations at Anywhere.re.

**Vectra NDR with Vectra Match**

Vectra NDR — a key component of the Vectra platform — provides end-to-end protection against hybrid and multicloud attacks. Deployed on-premises or in the cloud, the Vectra NDR console is a single source of truth (visibility) and first line of defense (control) for attacks traversing cloud and data center networks. By harnessing AI-driven Attack Signal Intelligence, Vectra NDR empowers GRC and SOC teams with:

*   AI-driven Detections that think like an attacker by going beyond signatures and anomalies to understand attacker behavior and zero in on attacker TTPs across the entire cyber kill chain post compromise, with 90% fewer blind spots and 3x more threats proactively identified.
*   AI-driven Triage that knows what is malicious by utilizing ML to analyze detection patterns unique to the customer's environment to score how meaningful each detection is, thus reducing 85% of alert noise — surfacing only relevant true positive events that require analyst attention.
*   AI-driven Prioritization that focuses on what is urgent by automatically correlating attacker TTPs across attack surfaces, evaluating each entity against globally observed attack profiles to create an attack urgency rating enabling analysts to focus on the most critical threats to the organization.

Vectra NDR empowers security and risk professionals with next-level intrusion detection. Armed with rich context on both known and unknown threats, GRC and SOC teams not only improve the effectiveness of their threat detection, but the efficiency on their threat hunting, investigation and incident response program and processes. Vectra NDR with Vectra Match is available for evaluation and purchase today. For additional information, please visit the following resources.

**Blog:** Vectra AI Announces Vectra Match for Signature-Based Detections

**Solution Brief:** Stop Network Exploits with Vectra NDR and Vectra Match 

**Product page:** Vectra NDR

**About Vectra**

Vectra® is the leader in Security AI-driven hybrid cloud threat detection and response. Only Vectra optimizes AI to detect attacker methods — the TTPs at the heart of all attacks — rather than simplistically alerting on "different." The resulting high-fidelity threat signal and clear context enables cybersecurity teams to rapidly respond to threats and stop attacks from becoming breaches. The Vectra platform and services cover public cloud, SaaS applications, identity systems and network infrastructure — both on-premises and cloud-based. Organizations worldwide rely on the Vectra platform and services for resilience to ransomware, supply chain compromise, identity takeovers, and other cyberattacks impacting their organization. For more information, visit vectra.ai. 

1Gartner Market Guide for Network Detection and Response, Published 14 December 2022 \- ID G00730869 GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

SOURCE Vectra

Vectra Unifies AI-Driven Behavior-Based Detection and Signature-Based Detection

**HERZLIYA,** **Israel** **and** **PALO ALTO, Calif.****,** **March 22, 2023** **/PRNewswire/ --** XM Cyber, the leader in hybrid cloud security, announced today the acquisition of Confluera, a pioneer in next-generation cyber attack detection and response for the cloud. XM Cyber now offers a comprehensive CNAPP (Cloud Native Application Protection Platform) solution using its unique attack path modeling to prioritize and assess real risk to the critical assets in your cloud environment.

Together with Confluera, XM Cyber's Continuous Exposure Management platform will provide all aspects of cloud security, from identifying and fixing risk regarding cloud identities (CIEM), identifying vulnerabilities and the detection and response of actual cyber attacks in real time (CWPP), and best practice and compliance management (CSPM).

The rapid rise in sophisticated attacks across hybrid cloud environments requires organizations to equip themselves with a dual strategy that combines advanced preventative capabilities with active detection and response. Classic EDRs that were originally meant for endpoint protection aren't equipped to deal with the runtime protection of cloud infrastructures. Detection in the cloud requires the next-generation capabilities of CxDR (Cloud eXtended Detection and Response), which leverages visibility from different vantage points and accurately combines them to identify multi-stage attacks propagating across distributed cloud environments.

The XM Cyber solution enables organizations to see their on-prem and cloud environments just like an attacker would and identify weaknesses that can potentially be exploited on attack paths to critical assets. With the addition of Confluera, organizations will now have the ability to continuously monitor their cloud environments in real-time to see if they are actually being exploited and effectively block the attacker's progress before any damage is caused.

"We work so well together because we're both looking at the environment through attack path modeling," said Boaz Gorodissky, co-founder and CTO of XM Cyber. "For example, XM Cyber shows our customers how an attacker could take advantage of a cloud secret found in the on-prem environment, move into the cloud, escalate privileges of an EC2, and compromise S3 buckets with sensitive information through a chain of events. Now with Confluera, we will detect if this attack path is actually happening in real time, alert our customers and help them stop the attack before it reaches the S3 buckets."

Confluera co-founder and CTO Abhijit Ghosh, who will be leading the development and integration of the CxDR with XM Cyber as VP CxDR, added: "We are very excited to join forces with XM Cyber to deliver a comprehensive cloud security platform. The technologies complement one another. They cover the prevention and detection aspects of security, with a common attack path modeling-based approach of unifying diverse visibility to identify multi-stage attacks. We are thrilled about leveraging this synergy to address our shared mission of protecting hybrid cloud environments from advanced attacks." Confluera co-founder Niloy Mukherjee further added that "the offensive cybersecurity knowledge of XM Cyber's research team will greatly enrich Confluera's engine to discover and intercept any form of security threat possible across any cloud plane."

The acquisition of Confluera comes less than a year after XM Cyber acquired Cyber Observer to expand its CSPM capabilities.

"Integrating Confluera into our offering just made so much sense. We compared their detection capabilities on workloads with a prominent CWPP solution and were able to detect several attacks that the other CWPP solutions did not. And perhaps just as significantly, it did not create unnecessary noise for the security teams," said Noam Erez, co-founder and CEO of XM Cyber. "Today, security teams are overwhelmed with an overwhelming amount of alerts and multiple security tools that they can't keep track of. They are demanding the consolidation of solutions that can accurately and holistically analyze risk and pinpoint high priority exposures to be remediated efficiently. Confluera aligns perfectly with this core value that we deliver within our suite of services and is a natural fit for us."

The new real-time detection and response capabilities will be available to XM Cyber customers soon. To learn more, please visit: confluera.com. XM Cyber will be attending RSA 2023 and providing demos at their booth #1755 in the South Hall Expo. 

**About XM Cyber** 

XM Cyber is a leading hybrid cloud security company that's changing the way organizations approach cyber risk. XM Cyber transforms exposure management by demonstrating how attackers leverage and combine misconfigurations, vulnerabilities, identity exposures, and more, across AWS, Azure, GCP, and on-prem environments to compromise critical assets. With XM Cyber, you can see all the ways attackers might advance, and all the best ways to stop them, pinpointing where to remediate exposures with a fraction of the effort. Founded by top executives from the Israeli cyber intelligence community, XM Cyber has offices in North America, Europe, and Israel.

**About Confluera**

Confluera is the leading provider of next-generation Cloud eXtended Detection and Response (CxDR) solutions. Founded by Abhijit Ghosh and Niloy Mukherjee, Confluera's patented real-time attack storyboarding, built for hybrid cloud environments, gives organizations full visibility into active attack progressions and helps to drastically reduce the industry average time to detect and respond to advanced attacks. To learn more about Confluera's award-winning solution, visit confluera.com.

XM Cyber Announces Acquisition of Confluera, Adding Run-Time Protection on Cloud Workloads

**WOBURN, Mass.****,** **March 22, 2023** **/PRNewswire/ --** Kaspersky has released new survey results showing that one third of crypto owners in the U.S. have experienced theft of their currency or other assets, at an average cost of $97,583. This, and other findings, are part of a new report, "Crypto Threats 2023," based on a survey of 2,000 American adults in October 2022.

Crypto trading has skyrocketed in popularity in recent years. Twenty-four percent of respondents to the survey said they currently own cryptocurrency or other crypto assets. However, scammers are continuously seeking new ways to capitalize on that popularity and defraud users, with tactics such as impersonating legitimate exchanges or launching phishing attacks to steal login credentials. They also use cryptojacking malware to generate currency by stealing computing resources from unknowing victims.

A third of respondents who said they own or have owned cryptocurrency or other crypto assets said they have fallen victim to a fraudulent crypto\-related website, app or investment scam at some point. Among those victims, 19% said they experienced identity theft as a result, while 27% had payment details stolen and money taken from their bank account.

"From fake apps to cryptojacking, there is a long list of threats lurking online to target cryptocurrencies," said Marc Rivero, senior security researcher at Kaspersky's Global Research and Analysis Team. "Without any regulation or established common knowledge, people need to take care to protect themselves. This survey data shows a lot of people are getting their crypto stolen and even experiencing identity theft. Users should keep a close eye out for scams, and should employ any extra security measures that are available to them, such as multi-factor authentication."

The survey revealed that there is often more users could be doing to protect their crypto assets. On average, respondents said the last time they checked on their crypto investments was six weeks ago. Twenty-seven percent of users said they keep their crypto stored in an exchange account with no added protection, while only 34% use multi-factor authentication to protect their account. Only 15% of users said they use a "cold wallet," storing their crypto in external storage not connected to the internet. Thirty-two percent of respondents who own or have owned cryptocurrency or other crypto assets said they have lost access to a crypto\-related account at some point.

The survey also yielded some interested findings with respect to age differences among crypto traders. Thirty-six percent of respondents aged 25-44 said they currently own cryptocurrency or crypto assets, compared to just 10% of respondents aged 55 and up. Older respondents who do own crypto, however, appeared to be doing a much better job at protecting their assets. Just 8% of crypto owners aged 55+ said they have had cryptocurrency or a crypto asset stolen, and only 14% in that age group said they have fallen victim to a fraudulent crypto\-related app, website or investment scam. Meanwhile, nearly half (47%) of crypto owners aged 18-24 said they had been victimized by theft, with 46% saying they've fallen victim to a scam.

The full report is available here.

In order to avoid falling victim to cryptocurrency\-related scams, Kaspersky recommends:

*   Use strong and unique passwords for each of your crypto accounts. This will help prevent password cracking and brute force attacks.
*   Avoid phishing attacks: Be wary of suspicious emails and links, and always double-check the URL before entering your login information.
*   Don't share your private keys: your private keys unlock your cryptocurrency wallet. Keep them private and never share them with anyone.
*   Use security solutions: a reliable security solution will protect your devices from various types of threats. Kaspersky's consumer portfolio prevents cryptocurrency fraud, as well as unauthorized use of your computer's processing power to mine cryptocurrency.

**About Kaspersky**

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky's deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments, and consumers around the globe. The company's comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies, and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.

SOURCE Kaspersky

Kaspersky Survey Finds One in Three Users Have Experienced CryptoTheft

With more than $36M nearly swindled away, an almost-successful BEC attempt in the commercial real estate space shows how sophisticated and convincing fraud attacks are becoming.

In an attempt to fraudulently obtain more than $36 million, a threat actor emailed an escrow officer and their client, a commercial real estate company, while impersonating the senior vice president and general counsel of a trusted partner company. The business email compromise (BEC) attack was caught due to a flaw in a domain name, behavioral AI, and an advanced modeling system.

Included in the email was an invoice and instructions for payment for a loan worth $36.4 million. While this may be a number that might ring alarm bells for anyone else, commercial real estate involves the use of large-sum loans, according to an analysis from Abnormal Security, so there was no initial concern. A false company letterhead was used to legitimize the scam, and the cyberattackers added another reputable real estate investment company to the email chain to make it even more convincing. 

The escrow officer may have fallen for it, but the BEC attempt was caught due to artificial intelligence (AI) technology spotting signs of fraud, such as discrepancies in the wiring instructions, newly registered email domains, and irregular language patterns in the email. In addition to this, there was a minor change in the sender domain from ".com" to ".cam."

Though this attempt was caught, BEC attacks are becoming more popular — increasing by 84% in the first half of 2022 alone. They are continuing to prove to be successful against organizations, particularly those without multifactor authentication or security awareness training.

AI might be increasingly necessary to catch ever-more-savvy BEC attacks. "As attackers shift from executive impersonation to vendor fraud and increase their payment requests, the need for security leaders to keep their organizations safe increases," according to Abnormal Security. "Because modern supply chain attacks use seemingly genuine messages, traditional tools which look for indicators like malicious attachments are becoming less effective."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

$36M BEC Fraud Attempt Narrowly Thwarted by AI

Administrator shutters the forum on fears that it had been breached by federal authorities but assured members it's not the end for the popular underground hacking site.

The BreachForums underground hacker site — which emerged to replace RaidForums nearly a year ago — now also has gone offline less than a week after its leader was arrested in New York.

The forum's administrator, who goes by the online moniker "Baphomet," said in a post on the group's Telegram channel March 19 that he was closing down the forum due to concerns that the FBI had access to the site, researchers from Dark Owl, a provider of Dark Web data and intelligence, said in a blog post.

Baphomet apologized to members of the forum for closing it down but said he would set up another Telegram group for further information and news, teasing that the launch of another site or other support for their activities was in the works, according to the post.

"I know that everyone wants the forum up, but there is no value in short term gain for what will likely be a long term loss by propping up Breached as it is," he wrote in the message, according to a screenshot shared in the Dark Owl blog post. "You are allowed to hate me, and disagree with my decision, but I promise what is to come will be better for us all."

**BreachForums Leader Apprehended**

The shutdown came just five days after US federal agents arrested man called Conor Brian Fitzpatrick, who they allege is behind the forum's administrator handle "pompompurin," and its chief operator. Fitzpatrick was arrested in Peekskill, NY, on March 15, according to an affidavit made in a New York district court.

Fitzpatrick was charged with one count of conspiracy to commit access device fraud, and bail was set at $300,000, which was paid for by his parents, Dark Owl researchers said. When arrested, he admitted to his role as admin on BreachForums and the use of the alias, which the researchers said was surprising.

BreachForums emerged in April 2022 in the wake of the takedown of RaidForums, allowing users to buy and sell data obtained from cybercriminal activity, with site administrators running an escrow service ensuring that sellers received the funds that they had requested, the researchers said.

Cybercriminals widely used BreachForums to purchase stolen data and host data from controversial leaks, such as data stolen from the Washington, DC, healthcare exchange, they said. Pompompurin also conducted cyberattacks of his own, revealing in an interview for the KrebsOnSecurity site in November 2021 that he was responsible for sending fake emails using the fbi.gov domain, the researchers said.

This behavior is likely what put him in the crosshairs of federal authorities, according to Dark Owl. "He claimed at the time this was done to point out vulnerabilities in the FBI systems, but it undoubtedly put him higher on the FBI's radar, leading to his recent arrest," the researchers wrote.

**What Comes Next?**

Since BreachForums itself came about after the Department of Justice seized what at the time was one of the world's largest hacker forums — RaidForums — and arrested its founder and chief administrator, Portuguese national Diogo Santos Coelho, it's likely that a new forum will emerge from its ashes.

RaidForums was founded in 2015 and, prior to its seizure, was used by its members to offer for sale hundreds of databases of stolen data containing more than 10 billion unique records for individuals residing in the United States and internationally.

BreachForums' Baphomet practically acknowledged that a new underground hacker site is in the works in his post on Telegram, the researchers noted. He said he is working to create new infrastructure that would replace BreachForums and even may collaborate with competitor marketplaces to keep support for members going.

However, for now, the BreachForums onion site is no longer reachable, and cybercriminals who used the site will have to take a wait-and-see approach until its current administrators regroup and create a new forum on which they can conduct their nefarious activity, the researchers said.

For its part, Dark Owl researchers said they "will continue to monitor the Dark Web and adjacent sources, such as Telegram, to identify any news of emerging groups and sites which may take the place of BreachForums."

BreachForums Shuts Down in Wake of Leader's Arrest

Categories: Threat Intelligence
Tags: Magecart

Tags: skimmer

Tags: Kritect

Tags: Magento

Compromised online stores have been injected with skimmers hiding around the Google Tag Manager script. We identified a new one that looked similar at first but is part of a different campaign.



(Read more...)




The post New Kritec Magecart skimmer found on Magento stores appeared first on Malwarebytes Labs.

Threat actors often compete for the same resources, and this couldn't be further from the truth when it comes to website compromises. After all, if a vulnerability exists one can expect that it will be exploited more than once.

In the past, we have seen such occurrences with Magecart threat actors for example in the breach of the Umbro website. Recently, while reading a blog post from security vendor Akamai, we spotted a similar situation. In the listed indicators of compromise, we noticed domains that we had seen used in a distinct skimming campaign which didn't seem to be documented yet.

In fact, we saw instances of compromised stores having both skimmers loaded, which means double trouble for victims as their credit card information is stolen not just once but twice. In this blog post, we show how the newly found Kritec skimmer was found along side one of its competitors.

**Original campaign using WebSockets**

Researchers at Akamai reported on a Magecart skimmer campaign disguised as Google Tag Manager that also made the news with the compromise of one of Canada's largest liquor store (LCBO). While details were not shared at the time, we were able to determine thanks to an archived crawl on urlscan.io that the skimmer was using WebSockets and is the same one as described in Akamai's blog. 

**Kritec campaign**

Akamai notes that they identified multiple compromised websites that had similarities. They also list nebiltech\[.\]shop in their IOCs which is a domain we sometimes saw injected near the Google Tag Manager script, but not within it.

We believe this is a different campaign and threat actor altogether. Here are some reasons why:

*   No WebSocket being used
*   Domains abusing Cloudflare
*   Intermediary loader
*   Completely different skimming code

To complicate things, we observed some stores that had both skimmers at the same time, which is another reason why we believe they are not related:

We started calling this new skimmer 'Kritec' after one of its domain names. It has an interesting way of loading the malicious JavaScript we had not seen before either. The injected code calls out a first domain (seen above encoded in Base64) and generates a Base64 response:

Decoding it reveals a URL pointing to the actual skimming code, which is heavily obfuscated (likely via obfuscator.io):

The data exfiltration is also done differently as seen in the image below. On the left, the stolen credit card data is sent via a WebSocket skimmer while on the right, it is a POST request:

**Google Tag Manager variants**

In the past months there have been several Magecart skimmers abusing Google Tag Manager in one way or another. We mentioned Akamai's blog but it was also documented by Recorded Future. In those instances, the malicious was actually embedded in the Google Tag Manager library itself, which is very clever and difficult to detect.

While the Kritec skimmer hangs around the Google Tag Manager script, we believe it is not related to the other active campaigns. We have been documenting it recently and are reporting the abuse to Cloudflare which it uses to hide its real infrastructure.

Malwarebytes customers are shielded against this campaign via our web protection in Endpoint Protection (EP), Endpoint Detection and Response (EDR) and Malwarebytes Premium.

**Indicators of Compromise**

WebSocket Skimmer:

cloud-cdn\[.\]org

\--

Kritec skimmer:

kritec\[.\]pics

vitalmob\[.\]pics

flowit\[.\]pics

flagmob\[.\]quest

entrydelt\[.\]sbs

sanpatech\[.\]shop

prijetech\[.\]shop

nebiltech\[.\]shop

kruktech\[.\]shop

lavutele\[.\]yachts

tochdigital\[.\]pics

smestech\[.\]shop

klstech\[.\]shop

shotsmob\[.\]sbs

gemdigit\[.\]pics

nevomob\[.\]quest

vuroselec\[.\]quest

apexit\[.\]yachts

sorotele\[.\]yachts

bereelec\[.\]quest

bereelec\[.\]quest/ww\[.\]min\[.\]js

apexit\[.\]yachts/apex\[.\]min\[.\]js

vuroselec\[.\]quest/dych\[.\]min\[.\]js

nevomob\[.\]quest/elan-loader\[.\]js

gemdigit\[.\]pics/wpp-loader\[.\]js

gemdigit\[.\]pics/sun-loader\[.\]js

klstech\[.\]shop/opencart-cache-worker\[.\]min\[.\]js

tochdigital\[.\]pics/digital\[.\]min\[.\]js

vitalmob\[.\]pics/pre-loader\[.\]js

Tag

#intel