Cyber adversaries are constantly looking for vulnerabilities in security systems. As such, adopting cybersecurity measures is vital for keeping our organizations’ information assets secure. The following are this week’s major headlines to help you plan your security moves better:
3ve Ad Fraud Botnet: Funds Recovered From Swiss Banks
The ‘3ve’ online advertising fraud scheme had stored over $15 million in Swiss bank accounts, and the US government was able to recover these recently. This cybersecurity recovery involved funds amounting to $15,111,453.84 being transferred from Switzerland to the US government as part of a Final Order of Forfeiture of United States v. Sergey Ovsyannikov. The Department of Justice indicted Boris Timokhin, Aleksandr Zhukov, Denis Avdeev, Mikhail Andreev, Dmitry Novikov, Aleksandr Isaev, Sergey Ovsyannikov, and Yevgeniy Timchenko in 2018 for their role in the 3ve ad fraud botnet.
Of these individuals, only Ovsyannikov, Timchenko, and Zhukov could be arrested; the rest remain at large. The 3ve ad fraud campaign (or Eve) impacted more than 1.7 million devices with a click-fraud malware, the Kovter botnet, which runs in the background and connects to sites to consume advertisements. The adversaries worked with real advertising agencies to display advertisements on websites. The actual fraud lay within these advertisements: they were placed on 86,000 spoofed domains created by the adversaries, not on publishers’ sites.
The Kovter-infected devices would be redirected to these sites hosting the fake ads. The ads would appear legitimate to advertisers, who would end up being billed. The ad campaign fake-billed advertisers for over $29 million between December 2015 and October 2018. This recent forfeiture is significant because it is the largest international cybercrime recovery and sends a strong message to adversaries to rectify their ways or face the consequences.
Hackers Add Interactive Chatbot To Phishing Campaign
Cybersecurity researchers recently uncovered a new technique that adversaries use to distract their victims. They have added an interactive chatbot to their phishing pages. These chatbots are a common element in the pages of some of the largest service providers that we have to navigate through, no matter how annoying we find them. Experts have noted that this new addition to the phishing domains of attackers could be part of a bigger campaign.
The campaign normally begins with a basic ‘failed DHL delivery’ issue used as bait. Any individual falling for this trap is met with a ‘please follow our instructions’ prompt that comes with a ‘fix delivery’ button. Clicking on this button leads the user to an external website where the interactive chatbot greets them and claims to fix the delivery, but it actually harvests the user’s data.
If a user accepts the chatbot, the bot displays a damaged product’s image and asks for details to attempt the delivery again. Requesting a delivery via this bot leads the user to a fake CAPTCHA, which is nothing but the adversaries’ attempt at making the entire scam more believable.
In the next step of this scam, the attackers ask for the delivery address, time, and password. Whether you enter a DHL account password or any other password is immaterial, because the adversaries steal it anyway. The phishers steal the password, along with the user’s address and email. However, this isn’t the end of the scam. In the next stage, the adversaries display a credit card payment page asking for a nominal charge for attempting the delivery again. This payment step is the real objective of the scheme, because the attackers now have the user’s bank card details as well!
The chatbot also asks for an OTP (One Time Password), which might seem absurd because nowhere was the user’s number asked for in this process. However, entering any random set of numbers five times in a row (after four failed attempts) leads users to the ‘successful submission’ page, where the phishing chain finally ends. The attack scheme, though sophisticated, looks incomplete and could very well be a work in progress. It could eventually lead to a wider phishing campaign, and therefore, users must remain cautious.
Google Fixes High-Severity Flaw in OAuth Client Library for Java
Google recently fixed a high-severity flaw in its OAuth client library for Java that could be exploited to deploy arbitrary payloads. Dubbed CVE-2021-22573, this vulnerability was awarded a CVSS score of 8.7. It emerged owing to a faulty cryptographic signature verification in the library. The vulnerability was detected by Tamjid Al Rahat (a fourth-year computer science Ph.D. student at the University of Virginia), who was also rewarded with $5,000 as part of Google’s bug bounty program.
Reportedly, the IDToken verifier does not verify that a token is properly signed. Consequently, an attacker can present a compromised token with a custom payload and still pass the verification test on the client’s end. To mitigate the flaw, Google has advised users of the google-oauth-java-client library to update to the patched version (1.33.3), which was released on 13th April 2022.
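The class of bug described above, as an added illustration that is not Google’s library code: a constructed HS256 token verifier in Python where the flawed version trusts the claims without checking the signature, and the fixed version checks the signature before anything else (real ID tokens use RS256 with the provider’s public keys, but the verification order is the same). The secret, issuer and audience are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; a real client uses the provider's keys and its own client ID.
SECRET = b"demo-shared-secret"
ISSUER = "https://issuer.example"
AUDIENCE = "demo-client-id"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = SECRET) -> str:
    """Sign claims as an HS256 JWT (demo issuer; an attacker can call this with any key)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_unsafe(token: str):
    """Flawed verifier: decodes and checks the claims but never checks the signature,
    so a payload signed with any key (or not at all) is accepted."""
    _header, payload, _sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    return claims


def verify_safe(token: str, key: bytes = SECRET, now=None):
    """Fixed verifier: algorithm and signature first, then issuer, audience and expiry."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # reject alg confusion (e.g. "none")
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # forged or tampered payload
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, json.JSONDecodeError):
        return None
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if claims.get("exp", 0) <= now:
        return None  # expired token
    return claims
```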
Windows Users Beware of This Phishing Campaign
Cybersecurity experts recently discovered that three malware strains (PandaHVNC, BitRAT, and AveMariaRAT) are targeting Windows users to steal their sensitive information. The phishing campaign aims to steal users’ passwords, usernames, and other sensitive and confidential details such as their bank account information. In a typical attack, the adversaries send a phishing message that impersonates a payment report, appearing to come from a genuine source. This message carries an Excel document as an attachment. The attachment contains malicious macros that deliver the malware if users ignore Excel’s security warning.
The adversaries use VBA scripts and PowerShell to retrieve and install the malware on users’ devices. The PowerShell code then branches to deliver the three different malware families. This new attack scheme shows how determined the adversaries are to steal sensitive user information. Therefore, experts advise using anti-phishing solutions and training employees on phishing detection.
New App to Detect Fake Social Media Profiles
A new mobile app called ‘Think Before You Link’ has been launched, which helps social media users detect fake profiles and remove them from their contacts at the earliest. Owing to the increasing number of connection requests from fake accounts, which targeted over 10,000 individuals in the UK in 2021 alone, the app has been designed to help people spot fraudulent profiles of spies and other malicious actors.
Apart from targeting regular users of LinkedIn, Facebook, and other social media platforms, these fake accounts also target current and former civil servants, leading to a great national loss in the worst-case scenario. Designed in cooperation with behavioral scientists, the Think Before You Link app comes with features like the ‘profile reviewer,’ which helps trace and report suspicious profiles. These fake social media profiles are a concerning topic because they are used to steal users’ sensitive and confidential official and personal details. The new app attempts to minimize the cybersecurity risk associated with these fake user profiles.
Apple Fixes Zero-Day Affecting Mac and Apple Watch Users
A zero-day vulnerability that could be exploited to target Mac and Apple Watch users was recently patched by the tech giant. Apple notified users of its knowledge of the bug via a security advisory last Monday and said the bug might have been actively exploited before the release of the security patch. Tracked as CVE-2022-22675, the zero-day was identified as an out-of-bounds write issue in AppleAVD, a kernel extension; the bug could allow an app to execute arbitrary code with kernel privileges.
An anonymous cybersecurity researcher notified Apple of the bug, and the company fixed it in the tvOS 15.5, macOS Big Sur 11.6., and watchOS 8.6 versions. The affected devices include Apple TV 4K, Apple Watch Series 3 or later, Apple TV HD, Macs running macOS Big Sur, and Apple TV 4K (2nd generation). The company has not revealed much about the bug apart from this security update, probably intending to reach as many Apple Watch and Mac users as possible. In the case of zero-days, it is best to keep it low-key and just aim to make patches available for users, and Apple has adopted the same strategy. It is recommended that macOS and watchOS users get the security updates at the earliest.