Sneaky 2FA: New Phishing-as-a-Service targets Microsoft 365, leveraging sophisticated evasion techniques and a Telegram-based platform to steal credentials.…

Sneaky 2FA: New Phishing-as-a-Service targets Microsoft 365, leveraging sophisticated evasion techniques and a Telegram-based platform to steal credentials.

In December 2024, during routine threat hunting activities, Sekoia.io uncovered a new Adversary-in-the-Middle (AiTM) phishing kit specifically targeting Microsoft 365 accounts. This phishing kit, dubbed Sneaky 2FA, has been circulating since at least October 2024, with potential compromises identified through Sekoia.io telemetry.

Further probing revealed that Sneaky 2FA is being offered as a Phishing-as-a-Service (PhaaS) by the cybercrime service “Sneaky Log,” which operates through a fully-featured bot on Telegram.

The modus operandi of the entire campaign includes customers receiving access to a licensed and obfuscated source code version, allowing them to independently deploy phishing pages, typically hosted on compromised infrastructure, frequently involving WordPress websites and other domains controlled by the attackers.

Sneaky 2FA’s on Telegram and blurred background images that it uses (Via Sekoia)

In addition, the Sneaky 2FA phishing kit incorporates elements from the W3LL Panel OV6, another AiTM phishing kit previously reported by Group-IB. This connection suggests a possible lineage and development within the cybercriminal infrastructure.

****Characteristics of Sneaky 2FA****

According to Sekoia’s report, the Sneaky 2FA phishing kit employs several techniques to evade detection and enhance its success. It utilizes URL patterns, such as “mysilverfox.commy/00/#victimexamplecom,” to automatically prefill the phishing page with the victim’s email address.

These phishing URLs are generated using 150 alphanumeric characters, followed by the path /index, /verify, and /validate. This pattern offers opportunities for tracking. Most customers deploy the server in a dedicated repository, named /auth/ by default.

To further enhance its stealth, Sneaky 2FA integrates anti-bot and anti-analysis features. Cloudflare Turnstile pages are employed to differentiate human users from bots. These pages often present seemingly benign content before loading the actual challenge. Additionally, the phishing kit incorporates anti-debugging techniques to hinder analysis using web browser developer tools.  

The phishing pages themselves utilize a variety of obfuscation methods, including HTML and JavaScript code obfuscation, the embedding of text as images, and the inclusion of junk data within the HTML code. These techniques aim to make phishing pages more difficult to detect by security tools.

****Sneaky Log’s Operations****

The Sneaky Log service operates through a sophisticated Telegram bot that allows customers to purchase the phishing kit, manage subscriptions, and receive support. The bot offers a user-friendly interface and supports multiple cryptocurrency payment options, including Bitcoin, Ethereum, and Tether.  

Analysis of cryptocurrency transactions revealed potential money laundering activities, with users instructed to pay a 10% premium and subsequent transfers occurring between various addresses.

****Detection and Tracking Opportunities****

Detecting Sneaky 2FA attacks can be achieved by analysing authentication logs for anomalies. The phishing kit utilizes inconsistent User-Agent strings for different stages of the authentication process, which can be identified as “impossible device shifts” and flagged as suspicious activity.  Furthermore, the analysis of phishing page URLs, including patterns and domain registrations, can help track and identify campaigns associated with Sneaky 2FA.

Sneaky 2FA is a growing threat in Microsoft 365 phishing attacks, offering sophisticated features and a user-friendly PhaaS platform. To mitigate risks, organizations must continuously monitor and share threat intelligence apart from improving cybersecurity measures.

Stephen Kowski, Field CTO at Pleasanton, Calif.-based SlashNext Email Security+ commented on this urging Microsoft 365 to remain alert. _“_This kit’s ‘sneaky’ aspects include its sophisticated ability to populate victim email addresses automatically, its evasion of detection through Cloudflare Turnstile challenges, and its clever redirection of security tools to Wikipedia pages._“_

_“_The kit is a full-featured PhaaS platform with real-time credential and session cookie theft capabilities, making it particularly dangerous for Microsoft 365 environments,_“_ Stephen warned. _“_Protection requires phishing-resistant authentication methods like FIDO2/WebAuthn, real-time URL scanning at the time of click that completely bypasses Cloudflare Turnstile protection and proactive detection of newly registered phishing domains before they become active threats._“_

1.  **Malware Bypasses MS Defender, 2FA to Steal $24K in Crypto**
2.  **Rockstar 2FA Phishing-as-a-Service Kit Hits MS 365 Accounts**
3.  **Dark Web Anti-Bot Services Let Phishers Bypass Google’s Red Page**
4.  **New Telekopye Scam Toolkit Targeting Booking.com and Airbnb Users**
5.  **Malware Exploits Avast Anti-Rootkit Driver to Disable Security Software**

Telegram-Based “Sneaky 2FA” Phishing Kit Targets Microsoft 365 Accounts

A recent cyberattack, mimicking the tactics of the notorious Black Basta ransomware group, targeted one of SlashNext’s clients.…

A recent cyberattack, mimicking the tactics of the notorious Black Basta ransomware group, targeted one of SlashNext’s clients. Within 90 minutes, 1,165 malicious emails bombarded 22 user inboxes, aiming to trick users into clicking on malicious links.

Researchers at SlashNext have published new findings revealing attackers using tactics similar to the **Black Basta ransomware gang**, targeting 22 inboxes within 90 minutes. The attack was swift and targeted, aiming to overwhelm users and bypass traditional security measures.

According to their **blog post**, shared with Hackread.com, this Black Basta-style attack utilizes a ransomware scam that deceives employees into granting remote access to their computers. 

SlashNext’s investigation of this phishing wave revealed five key tactics used by attackers: masquerading as popular platforms like WordPress and Shopify, using legitimate-looking domains to send fake account creation and subscription emails, utilizing seemingly harmless domains, using unusual characters or minor variations in subject lines, and targeting different user roles to increase attention.

The attackers first flood inboxes with seemingly legitimate emails like newsletters or payment receipts. The emails used subject lines like “Account Confirmation” and “Subscription Notice” to entice users to click malicious links, causing a sense of urgency. Attackers further employed social engineering tactics by incorporating foreign languages or odd characters to bypass basic keyword filters. 

This initial barrage creates confusion and makes it difficult to distinguish genuine emails from malicious ones. When users are overwhelmed, attackers swoop in, often via phone calls or messages impersonating IT support. By speaking confidently, they gain trust and trick users into installing remote access software like **TeamViewer or AnyDesk**. Once this software is installed, attackers gain a foothold in the system, potentially spreading malware or compromising sensitive data on the network.

Targeted Campaign Stats and the types of scams (Via SlashNext)

Fortunately, SlashNext’s Integrated Cloud Email Security (ICES) quickly identified hundreds of red flags targeting a small group of users. Within a mere 90 minutes, a whopping 1,165 emails bombarded 22 mailboxes, averaging over 50 emails per user in rapid bursts. This tactic aimed to create panic and encourage impulsive clicks.

The ICES platform’s early detection allowed the client to respond proactively and prevent the attack from spreading. SlashNext’s AI-powered security system, SEER™, proactively identified and blocked these emails in real time. SEER™ analyzes email behaviour beyond simple keyword checks, detecting suspicious patterns like encoded URLs and fake login pages. Researchers noted a sudden rise in these attacks across the web between November and December. SlashNext was the first to launch an automated AI-powered defence to handle the situation in real time.

The incident shows the increasing nature of cybersecurity threats, with attackers using sophisticated techniques to evade traditional security measures. Organizations should prioritize threat detection and response, and regular security assessments to identify vulnerabilities and improve overall security.

1.  **‘Matrix’ Hackers Deploy Massive New IoT Botnet for DDoS Attacks**
2.  Androxgh0st Botnet Integrates Mozi, Expands Attacks on IoT Flaws
3.  Russian APT29 Using NSO Group-Style Exploits in Attacks: Google
4.  Iranian Hackers Team Up with Ransomware Gangs in Attacks on US
5.  BlackByte Ransomware Exploits VMware Flaw in VPN-Based Attacks

Top/Feature Image via Freepik

Black Basta-Style Cyberattack Hits Inboxes with 1,165 Emails in 90 Minutes

Cybersecurity researchers are warning of a new stealthy credit card skimmer campaign that targets WordPress e-commerce checkout pages by inserting malicious JavaScript code into a database table associated with the content management system (CMS).
"This credit card skimmer malware targeting WordPress websites silently injects malicious JavaScript into database entries to steal sensitive payment

WordPress Skimmers Evade Detection by Injecting Themselves into Database Tables

About Authentication Bypass – Hunk Companion WordPress plugin (CVE-2024-11972) vulnerability. ThemeHunk company develops commercial themes for WordPress CMS. And the Hunk Companion plugin is designed to complement and enhance the functionality of these themes. The plugin has over 10,000 installations. On December 10, WPScan reported a vulnerability in Hunk Companion plugin versions below 1.9.0, allowing […]

**About Authentication Bypass – Hunk Companion WordPress plugin (CVE-2024-11972) vulnerability.** ThemeHunk company develops commercial themes for WordPress CMS. And the Hunk Companion plugin is designed to complement and enhance the functionality of these themes. The plugin has over 10,000 installations.

On December 10, WPScan reported a vulnerability in Hunk Companion plugin versions below 1.9.0, allowing unauthenticated attackers to install and activate plugins from the WordPressOrg repository. The exploit has been on GitHub since December 28.

This way, attackers can install plugins that contain additional vulnerabilities. 👾 In the incident analyzed by WPScan, the attackers installed the WP Query Console plugin with RCE vulnerability CVE‑2024‑50498 on the website and exploited it to install a backdoor.

If you use WordPress, try to minimize the number of plugins and update them regularly!

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

About Authentication Bypass – Hunk Companion WordPress plugin (CVE-2024-11972) vulnerability

This article was researched and written by Stefan Dasic, manager, research and response for ThreatDown, powered by Malwarebytes Malwarebytes recently uncovered...

_This article was researched and written by Stefan Dasic, manager, research and response for ThreatDown, powered by Malwarebytes_

Malwarebytes recently uncovered a widespread cyberattack—referred to here as the “zqxq” campaign as it closely mirrors NDSW/NDSX-style malware behavior—that compromised GroupGreeting\[.\]com, a popular platform used by major enterprises to send digital greeting cards.  

Upon learning of the attack, GroupGreeting quickly responded and resolved the threat.

This attack is part of a broader malicious campaign that takes advantage of trusted websites with high traffic, especially those that could experience a spike in visitors during busy seasons like the winter holidays. That includes greeting card websites, like GroupGreeting\[.\]com, that allow users to send group e-cards for birthdays, retirements, weddings, and, of course, holidays like Christmas and New Year’s.  

According to public data, over 2,800 websites have been hit with similar malicious code. The seasonal increase in user interactions with greeting card sites provides ample opportunities for cybercriminals to quietly inject malware and target unsuspecting visitors. 

****Explaining the “zqxq” malware****

Understanding this cybercriminal campaign requires a little bit of understanding of the web. Online today, nearly every single modern webpage uses a programming language called JavaScript. JavaScript allows developers to make interactive webpages, but it can also be vulnerable to attacks, as cybercriminals can “inject” pieces of JavaScript into a website that are not approved by the site’s developers. 

At the core of this breach is an obfuscated JavaScript snippet designed to blend in with legitimate site files. Hidden within themes, plugins, or other critical scripts, the malicious code uses scrambled variables (e.g., zqxq) and custom functions (HttpClient, rand, token) to evade detection and hamper analysis. 

Despite its complexity, the malware performs some very typical functions seen in large-scale JavaScript injection campaigns: 

*   **Token generation and redirection**. Generates random tokens (rand() + rand()) for queries or URLs, a technique often used in Traffic Direction Systems (TDS) to disguise malicious links. 

*   **Conditional checks and evasion**. References properties in navigator, document, window, or screen to determine if the user has visited before, or to avoid re-infecting the same machine. This helps keep the campaign under the radar by reducing repeated alerts. 

*   **Remote payload retrieval**. Uses an XMLHttpRequest (labeled as HttpClient in the code) to silently fetch further malicious scripts or to redirect visitors to exploit kits, phishing sites, or other malicious destinations. 

****Overlap with NDSW/NDSX and TDS Parrot campaigns** **

Though Malwarebytes recently discovered the attack on GroupGreeting\[.\]com, the malware campaign bears similarities to another malware injection campaign that is referred to as both “NDSW/NDSX” and “TDS Parrot.” 

According to security researchers from Sucuri, who label these attacks under the “NDSW/NDSX” moniker, this campaign accounted for 43,106 detections in 2024. Similar research was published by Unit 42, which refers to the campaign as “TDS Parrot.”  

From these analyses, we can identify the following parallels to known **NDSW/NDSX** or **TDS Parrot** malware campaigns: 

*   **Obfuscated redirect scripts**. Much like NDSW/NDSX, the zqxq script deeply obfuscates its variables, methods, and flow. The layering of functions (Q, d, rand, token) and the repeated usage of base64-like decoding are standard indicators of TDS JavaScript-based threats. 

*   **Traffic Distribution System behavior**. After running checks (e.g., domain name, cookies), these scripts funnel traffic to external pages hosting additional malware payloads or phishing sites. This is precisely how TDS Parrot campaigns divert user traffic across multiple malicious domains to maximize infection rates. 

*   **Large-scale website infections**. Both NDSW/NDSX and the zqxq campaign have infected thousands of websites, suggesting a systematic approach—possibly automated—that exploits vulnerabilities in popular CMS platforms (like WordPress, Joomla, or Magento) or outdated plugins, similar to documented TDS Parrot behaviors. 

****Analysis of the breach and why GroupGreeting was a prime target** **

Cybercriminals hardly strike at random. Instead, the attack on GroupGreeting was likely coordinated because of its potential for success. Here are a few reasons why: 

*   **High-profile site**. GroupGreeting boasts over 25,000 workplace clients, including major brands like Airbnb, Coca-Cola, and eBay, making it a lucrative target. Visitors are more inclined to trust links from a service they deem reputable. 

*   **Seasonal traffic spikes**. During holidays and other high-traffic periods, the site sees a surge in e-card use. Cybercriminals exploit this surge to maximize the spread of redirects and malware. 

*   **Sophisticated persistence**. Malicious code can hide in multiple files or within the database. Deleting one infected file may not remove all traces, allowing reinfection to occur. 

*   **Potential consequences**. Once the malware activates in a user’s browser, it typically redirects them to external domains that host secondary payloads. These payloads can range from phishing pages—designed to steal credentials—to more devastating forms of malware like info stealers or ransomware. Attackers often generate random or “tokenized” URLs, making it difficult for basic blocklists to keep pace. 

*   **Timely patching and updates**. Attacks often succeed by exploiting vulnerabilities in outdated CMS installations or plugins, underscoring the importance of regular updates. 

*   **File integrity checks**. Automated monitoring systems can detect and flag any unauthorized file changes, prompting swift action. 

*   **User training**. Educate users on potential risks and signs of compromise—even “safe” or well-known websites can be hijacked. 

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 GroupGreeting e-card site attacked in “zqxq” campaign  

Attackers are abusing a Microsoft 365 feature to send payment requests to users, tricking them into logging in to their accounts so attackers can seize control over them.

Source: Robert Wilkinson via Alamy Stock Photo

An unconventional phishing campaign convincingly impersonates online payments service PayPal to try to trick users into logging in to their accounts to make a payment; in reality, the login allows attackers to take over an account. The novel part of the attack is the abuse of a legitimate feature within Microsoft 365 to create a test domain, which then allows the attackers to create an email distribution list that makes the payment-request messages appear to be legitimately sent from PayPal.

Carl Windsor, CISO for Fortinet Labs, discovered the campaign when he himself was targeted by it, he revealed in a blog post published today.

Windsor received a request in his inbox from a sender with a nonspoofed PayPal email address seeking a payment of $2,185.96. The person requesting the money was someone called Brian Oistad, and aside from the "to" address not being Windsor's email address —  it was addressed to Billingdepartments1\[@\]gkjyryfjy876.onmicrosoft.com —  there were few obvious signs it was not a genuine email, he said.

"What's interesting about this attack is that it doesn’t use traditional phishing methods," Windsor wrote. "The email, the URLs, and everything else are perfectly valid."

That validity might persuade an average email user to click on the link in the email, which redirects them to a PayPal login page showing a request for payment.

Related:PhishWP Plug-in Hijacks WordPress E-Commerce Checkouts

At this point, "some folks might be tempted to log in with their account details, however, this would be extremely dangerous," he wrote. That's because the login page links the target's PayPal account address with the address it was sent to — Billingdepartments1\[@\]gkjyryfjy876.onmicrosoft.com, controlled by the attacker — not their own email address.

**Abusing Microsoft 365 Test Domains for Cybercrime**

The campaign works because the scammer appears to have registered a Microsoft 365 test domain — which is free for three months — and then created a distribution list containing target emails. This allows any messages sent from the domain to bypass standard email security checks, Windsor explained in the post.

Then, "on the PayPal Web portal, they simply request the money and add the distribution list as the address," he wrote.

This money request is then distributed to the targeted victims, and the Microsoft 365 Sender Rewrite Scheme (SRS) rewrites the sender to, for example, "bounces+SRS=onDJv=S6\[@\]5ln7g7.onmicrosoft.com, which will pass the SPF/DKIM/DMARC check," Windsor added.

"Once the panicking victim logs in to see what is going on, the scammer’s account (Billingdepartments1\[@\]gkjyryfjy876.onmicrosoft.com) gets linked to the victim’s account," he wrote. "The scammer can then take control of the victim's PayPal account — a neat trick … \[that\] would sneak past even PayPal’s own phishing check instructions."

Related:Thousands of BeyondTrust Systems Remain Exposed

Indeed, abusing a vendor feature to deliver the phishing message does give the attackers a stealthy advantage when it comes to bypassing typical email security, a security expert notes.

"The emails are sent from a verified source and follow an identical template to legitimate messages, such as a standard PayPal payment request," says Elad Luz, head of research at Oasis Security, a provider of non-human identity management. "This makes them difficult for mailbox providers to distinguish from genuine communications."

**Cyber Defense: Create a "Human Firewall" Against Phishing**

Because the attack appears to be a genuine email, the best solution to avoid falling prey to it is what Windsor calls the "human firewall," or "someone who has been trained to be aware and cautious of any unsolicited email, regardless of how genuine it may look," he wrote in the post.

"This, of course, highlights the need to ensure your workforce is receiving the training they need to spot threats like this to keep themselves — and your organization — safe," Windsor noted.

Related:Recorded Future: Russia's 'Undesirable' Designation Is a Compliment

It is also possible to create a rule within email security scanners to "look for multiple conditions that indicate that this email is being sent via a distribution list," to help detect a campaign that uses this vector, he added.

Another potential mitigation is to use artificial intelligence (AI)-based security tools that use neural networks to analyze social graph patterns, among other techniques, "to help spot these hidden interactions by analyzing user behaviors more deeply than static filters," Stephen Kowski, field chief technology officer (CTO) at SlashNext Email Security+, tells Dark Reading.

"That kind of proactive detection engine recognizes unusual group messaging patterns or requests that slip through basic checks," he says. "A thorough inspection of user interaction metadata will catch even this sneaky approach."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Unconventional Cyberattacks Aim to Take Over PayPal Accounts

The malware, found on a Russian cybercriminal site, impersonates e-commerce payment-processing services such as Stripe to steal user payment data from legitimate websites.

Source: Primakov via Shutterstock

A malicious plug-in found on a Russian cybercrime forum turns WordPress sites into phishing pages by creating fake online payment processes that convincingly impersonate trusted checkout services. Masquerading as legitimate e-commerce apps such as Stripe, the malware proceeds to steal customer payment data.

Called PhishWP, the WordPress plug-in was designed by Russian cybercriminals to be particularly deceptive, researchers from SlashNext revealed in findings published this week. In addition to mimicking the legitimate payment process that people would be familiar with to complete online transactions, it also has a key feature that make payment processes on transactions appear secure by allowing users to create one-time passwords (OTPs) during the process, they said.

Instead of processing payments, however, the payment gateway steals credit card numbers, expiration dates, CVVs, billing addresses, and more when people enter their personal data, thinking they are using a legitimate payment gateway. As soon as victims of the plug-in press "enter," the data is sent to a Telegram account controlled by the cybercriminals. Threat actors can use the plug-in like any WordPress plug-in, by either installing it on a legitimate but compromised WordPress site or creating a fraudulent site and using it there.

Related:Thousands of BeyondTrust Systems Remain Exposed

"PhishWP’s features make fake checkout pages look real, steal security codes, send your details to attackers right away, and trick you into thinking everything went fine," SlashNext security researcher Daniel Kelley wrote in the post.

This immediate turnaround of data "equips cybercriminals with the necessary credentials to make fraudulent purchases or resell the stolen data — sometimes within minutes of capturing it," notes Jason Soroko, senior fellow at Sectigo, a certificate life-cycle management (CLM) firm, making it a fast return on their investment to use the plug-in for nefarious purposes.

**Other Key PhishWP Malware Features**

OTP hijacking is one of the plug-in's key features, which when combined provide attackers with a turnkey solution for hijacking payment pages. Included in these are the aforementioned customizable checkout pages that simulate common payment processes through "highly convincing" fake interfaces, Kelley wrote.

Another feature of PhishWP, browser profiling, captures data beyond payment info for the replication of user environments for use in potential future fraud. This includes IP addresses, screen resolutions, and user agents.

The plug-in also gives the hijacked checkout process added legitimacy by using auto-response emails to send fake order confirmations to victims, which delays suspicion and thus detection of the attack. And as mentioned before, PhishWP also integrates with Telegram to instantly transmit stolen data to attackers for potential exploitation in real time.

Related:Recorded Future: Russia's 'Undesirable' Designation Is a Compliment

The plug-in also comes in an obfuscated version for stealth purposes, or users can use its source code for advanced attacker customizations. Finally, PhishWP also offers multilanguage support so attackers can target victims globally.

**Browser-Based Protection From E-Commerce Phishing**

Creating malicious plug-ins for WordPress sites has become a cottage industry for cyberattackers, giving them a broad attack surface due to the popularity of the platform, which as of today is the basis for some 472 million websites, according to Colorlib, which provides WordPress themes.

One of the reasons that PhishWP — or any malicious WordPress plug-in — is so dangerous is that the malicious process is built directly into the browser, which makes it difficult to detect when it appears as a legitimate part of online engagement.

To defend against such threats, SlashNext recommends using phishing protection that also works from directly inside the browser to spot phishing sites before they reach the end user. These solutions, which are available within various browsers, work within browser memory to block malicious URLs before users engage with them. The company said this provides real-time threat detection and blocking capabilities that traditional security measures might miss.

Related:Midnight Blizzard Taps Phishing Emails, Rogue RDP Nets

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

PhishWP Plug-in Hijacks WordPress E-Commerce Checkouts

SlashNext has discovered a malicious WordPress plugin, PhishWP, which creates convincing fake payment pages to steal your credit card information, 3DS codes, and personal data.

****SUMMARY****

*   **Sophisticated Phishing Tool**: Russian cybercriminals created a WordPress plugin, PhishWP, to mimic legitimate payment pages and steal sensitive data like credit card details, CVVs, and 3DS OTPs.

*   **Real-Time Data Exploitation**: PhishWP transmits stolen information directly to attackers via Telegram, enabling immediate unauthorized use or sale on the dark web.

*   **Advanced Features**: The plugin offers customizable fake checkout pages, browser profiling, 3DS code pop-ups, and auto-response emails to deceive users and bypass security measures.

*   **Global Impact**: Multi-language support and obfuscation features allow attackers to launch targeted phishing campaigns worldwide, leading to financial losses and data breaches.

*   **Mitigation Strategies**: Users are urged to implement phishing protection tools, maintain vigilance, and adopt proactive cybersecurity measures to combat these threats effectively.

Online transactions have become an integral part of our lives in the digital age. We rely on the Internet for everything from shopping and banking to social interactions. However, this convenience comes at a price as cybercriminals exploit users’ trust to obtain sensitive data.

The cybersecurity firm SlashNext has discovered one such threat. According to their research, which was shared with Hackread.com ahead of its publication on Monday, Russian cybercriminals have created a new WordPress plugin, PhishWP, to create fake payment pages. Instead of processing payments, they steal credit card numbers, expiration dates, CVVs, and billing addresses.

PhishWP creates deceptively realistic online payment pages that mimic legitimate services like Stripe. These fake pages lure unsuspecting users into entering their credit card details, expiration dates, CVV codes, and even the crucial one-time passwords (OTPs) used for 3D Secure authentication. 

In its blog post, SlashNext outlined an attack scenario where an attacker creates a fake e-commerce website using PhishWP and replicates Stripe payment pages. Users are directed to a fake checkout page, where a 3DS code pop-up requests an OTP, which users unknowingly provide. The plugin transmits collected information to the attacker’s Telegram account, allowing them to exploit data for unauthorized purchases or sell it on dark web marketplaces.

This means that the sophisticated plugin goes beyond simply collecting data; it integrates with platforms like Telegram, enabling real-time transmission of stolen information directly to the attackers, maximizing the potential for immediate exploitation.

Furthermore, the plugin leverages advanced techniques like 3DS code harvesting, where it tricks victims into entering OTPs via pop-ups, effectively bypassing security measures designed to verify cardholder identity. 

To enhance its effectiveness, PhishWP offers several key features, including customizable checkout pages that closely resemble legitimate payment interfaces, browser profiling capabilities to create attacks as per the specific user environments, and auto-response emails that create a false sense of security in victims. By combining these features with multi-language support and obfuscation options, attackers can launch highly targeted and evasive phishing campaigns on a global scale.

Screenshot from the Russian hacker forum (Via SlashNext)

Researchers note that PhishWP is a powerful tool that allows cybercriminals to conduct phishing attacks with utmost sophistication, causing significant financial losses and personal data breaches.

To mitigate these risks, it is essential to use reliable security measures, such as browser-based phishing protection tools, which provide real-time defence against malicious URLs and prevent users from visiting compromised websites. Vigilance and proactive security measures can reduce your vulnerability to these sophisticated attacks to a great extent.

Mr. Mayuresh Dani, Manager, Security Research at Qualys Threat Research Unit, commented on the latest development stating _“_WordPress plugins like PhishWP pose significant risks by mimicking payment interfaces to steal user information, including credit card details and 3DS codes. Data is sent to attackers via Telegram, making PhishWP a highly effective information stealer when victims input valid details._“_

1.  **US Marshals Service Data Sold on Russian Hacker Forum**
2.  **New Rockstar 2FA Phishing Kit Targets Microsoft 365 Accounts**
3.  **Military Satellite Access Sold on Russian Hacker Forum for $15K**
4.  **Android Botnet Nexus Being Rented Out on Russian Hacker Forum**
5.  **Network access to Pakistan’s top fed agency sold on Russian forum**

New PhishWP Plugin on Russian Forum Turns Sites into Phishing Pages

Researchers discovered a malicious package on the npm package registry that resembles a library for Ethereum smart contract vulnerabilities but actually drops an open-source remote access trojan called Quasar RAT onto developer systems.

****SUMMARY****

*   **Malicious NPM Package Identified:** “ethereumvulncontracthandler” disguises as a vulnerability scanner but installs Quasar RAT malware.

*   **Technical Details:** The package uses obfuscation and downloads scripts to modify Windows settings, ensuring persistence and communication with a command-and-control server.

*   **Quasar RAT Risks:** This malware enables keystroke logging, credential theft, and data breaches, posing significant risks to developers handling sensitive Ethereum projects.

*   **Supply Chain Attack:** The package exploits trust in dependencies, infiltrating systems through a seemingly legitimate tool.

*   **Prevention Tips:** Experts recommend strict vetting of third-party code, robust access controls, and dependency scans to secure the software supply chain.

Cybersecurity researchers at Socket recently uncovered a malicious NPM package, “ethereumvulncontracthandler,” posing as a legitimate tool for detecting vulnerabilities in Ethereum smart contracts. However, this package secretly installs Quasar RAT, a sophisticated remote access trojan, onto developers’ systems.

This malicious package was published on December 18, 2024, by an actor using the alias “solidit-dev-416.” Further probing revealed that it utilizes heavy obfuscation techniques like Base64 and XOR encoding to evade detection. Upon installation, it downloads a malicious script from a remote server, which silently executes to deploy Quasar RAT on Windows systems.

The threat actor has employed various deceptive tactics to ensure the malware’s persistence. The initial npm package serves as a loader, and retrieves/executes Quasar RAT from a remote server. Once executed, the malicious script runs hidden PowerShell commands and installs Quasar RAT.

For this purpose, it also modifies the Windows registry to ensure persistence. The infected machine then communicates with a command-and-control server at captchacdncom:7000, allowing the threat actor to maintain control and potentially spread the infection further.

For your information, Quasar RAT is a dangerous malware known for its extensive capabilities such as keystroke logging, screenshot capturing, and credential harvesting. It has become a significant threat to developers, potentially exposing private keys and sensitive information.

Another malware campaign targeting Roblox developers was recently discovered, which leveraged NPM packages to steal sensitive data and compromise systems. The campaign also involved dropping Quasar RAT payloads.

Quasar RAT in action (Via Socket Research Team)

Such incidents highlight the need for developers to be vigilant, scrutinize third-party code, especially from unknown sources, and use tools to monitor dependencies for potential threats. This proactive identification and mitigation of malicious packages can help safeguard systems and prevent malicious actors from infiltrating.

“For both individual developers and large organizations, the presence of Quasar RAT in a trusted environment can have catastrophic consequences. Ethereum developers, in particular, face the risk of exposing private keys and credentials linked to significant financial assets,” researchers noted in their blog post.

Commenting on this, Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM), told Hackread, _“_Ethereum smart contracts are the backbone of decentralized applications. This malicious NPM package disguises itself as a vulnerability scanner but installs Quasar RAT to monitor sensitive projects, steal data, and undermine systems. Security teams must validate unverified code, monitor registry changes, and watch for abnormal network activity._“_

1.  **Supply Chain Attack Hits Vant npm Packages with Monero Miner**
2.  **Luna Grabber Malware Hits Roblox Devs Through npm Packages**
3.  **Hackers Use Fake PoCs on GitHub to Steal WordPress, AWS Keys**
4.  **FortiGuard Labs: Series of Malicious NPM Packages Stealing Data**
5.  **Protestware Uses npm Packages to Call for Peace in Gaza, Ukraine**

NPM Package Disguised as an Ethereum Tool Deploys Quasar RAT

iProov uncovers a major Dark Web operation selling stolen identities with matching biometrics, posing a serious threat to KYC verification systems

****SUMMARY****

*   **Dark Web Identity Fraud Operation:** iProov uncovered a sophisticated dark web network collecting genuine identity documents and facial images to bypass KYC verification.

*   **Voluntary Identity Compromise:** Individuals in regions like LATAM and Eastern Europe are willingly selling their personal and biometric data for short-term financial gain.

*   **Evolving Fraud Techniques:** Attackers use methods ranging from basic static images to advanced tools like deepfake software and custom AI models to defeat liveness checks.

*   **Global Biometric Data Risks:** High-profile breaches (e.g., ZKTeco and ChiceDNA) reveal vulnerabilities in biometric access systems and facial recognition technologies.

*   **Multi-Layered Defense Needed:** Experts recommend advanced real-time verification, challenge-response mechanisms, and continuous monitoring to counter these sophisticated threats.

iProov, a provider of science-based biometric identity verification solutions, has uncovered a large-scale Dark Web operation dedicated to bypassing Know Your Customer (KYC) verification checks. This operation involves systematically collecting genuine identity documents and corresponding facial images.

The iProov Security Operations Center (iSOC) and the company’s Biometric Threat Intelligence service discovered this threat through extensive threat-hunting activities and red team testing. The dark web group has amassed a substantial collection of these identities, potentially obtained through compensated participation where individuals willingly provide their personal information in exchange for payment. This alarming trend extends beyond traditional data theft, as individuals knowingly compromise their identities for short-term financial gain.

“What’s particularly alarming about this discovery is not just the sophisticated nature of the operation, but the fact that individuals are willingly compromising their identities for short-term financial gain,” said Andrew Newell, Chief Scientific Officer at iProov in a press release. Selling identity documents and biometric data not only risks financial security but also provides criminals with genuine identity packages for sophisticated impersonation fraud, Newell added.

This operation, primarily observed in the LATAM and Eastern Europe regions, presents a significant challenge to organizations relying on biometric verification. Genuine credentials paired with matching facial images can easily bypass traditional document verification and basic facial matching systems.

Furthermore, the sophistication of these attacks continues to evolve. While basic attacks utilize simple methods like printed photos or static images, mid-tier attackers employ more advanced techniques such as real-time face-swapping and Deepfake software.

The most sophisticated attackers leverage custom AI models and specialized software to create synthetic faces that can respond to liveness challenges, making it increasingly difficult to distinguish between genuine and fabricated interactions.

This indicates that verification systems face a multi-layered challenge in detecting fake documents and genuine credentials misused by unauthorized individuals. Biometric data, like fingerprints and facial recognition, is increasingly used for identification and security purposes. However, recent incidents involving major vendors and service providers highlight a growing threat to this sensitive information. 

> 📢 EXPOSED: Criminal networks aren't stealing identities anymore.
> 
> They're buying them. Legally. With cash.
> 
> And because these are REAL documents freely given, traditional fraud checks are useless.
> 
> Watch how this works 📷 or Read more: https://t.co/0mX1VSf9my pic.twitter.com/X2KR4tJ61t
> 
> — iProov (@iProov) December 23, 2024

In June 2024, Hackread reported Kaspersky Lab discovered 24 vulnerabilities in ZKTeco’s biometric access systems, which are used for facial recognition and entry control.  The vulnerabilities ranged from SQL injection vulnerabilities to buffer overflow flaws, allowing attackers to inject malicious code.

In September 2024, a separate incident exposed the sensitive data of thousands of customers who used ChiceDNA, an Indiana-based genetic testing and facial matching service. An unsecured WordPress folder left publicly accessible contained biometric images, personal details, and even facial DNA data.

Therefore, organizations should adopt a multi-layered verification approach to combat such threats. This includes verifying the presented identity against official documents and detecting real persons using embedded imagery and metadata analysis.

Real-time verification using unique challenge-response mechanisms, along with managed detection and response through advanced technologies and continuous monitoring, is also essential. Improving protection against sophisticated attacks would make it harder for attackers to spoof verification systems.

1.  **Thousands of UEFA Customer Credentials Sold on Dark Web**
2.  **Stolen Singaporean Identities Sold on Dark Web Starting at $8**
3.  **Dark Web Sales Fuel 32% Increase in Healthcare Cyberattacks**
4.  **Hackers Sell Fake Pegasus Spyware on Clearnet and Dark Web**
5.  **Dark Web Anti-Bot Services Help Phishers Bypass Google Alerts**

Tag

#wordpress