These days, cyber-attacks involve more than the obvious malicious link sent to you through a phishing email. You must remain alert, especially against cryptocurrency scams, as they continue to rise. Here are this week’s cyber headlines:


Beware of LinkedIn Scams

The FBI has recently issued a cybersecurity warning asking citizens to be wary of LinkedIn-based crypto scams. Sean Ragan, the FBI’s special agent in charge of San Francisco and Sacramento, mentioned that cryptocurrency scams have increased on LinkedIn as it is the ideal location to target senior executives.

In a typical attack, the adversaries create professional-looking fake profiles and initiate conversations with LinkedIn users. The scammers first direct the target users to a genuine investment platform, and after winning their trust, the attackers develop a rapport with these users. They remain in touch for months before finally convincing the victims to transfer their crypto investments to another platform (this is obviously an attacker-run platform). The funds instantly disappear from the fraudulent site, just like the LinkedIn profiles of these scammers.

The FBI noted that such attacks have increased in the recent past. Crypto funds worth $200,000 to $1.6 million have already been stolen from LinkedIn users. LinkedIn users are advised to remain alert and refrain from accepting connection requests from people they do not know directly. Anybody asking for money should ring caution bells in your head. Furthermore, avoid clicking on links sent by connections on LinkedIn.


New Phishing Campaign Targeting Microsoft 365 Users

Adversaries have devised a new spoofing technique to con Microsoft 365 users. They are spoofing the MetaMask cryptocurrency wallet provider and trying to steal users’ recovery phrases. The MetaMask recovery phrases (or seeds) consist of 12 words and can be used to import existing crypto wallets to other devices. Anyone accessing this recovery phrase can import the wallet to any device and steal the cryptocurrency and NFTs.

The cybersecurity firm Armorblox reports that this new campaign using MetaMask mainly targets Microsoft Office 365 users. This is done by circulating messages that look like real identity verification requests from Microsoft Office. Hackers send a phishing email to victims, impersonating MetaMask support and spoofing its Know Your Customer (KYC) verification request. These emails are meticulously framed, with none of the usual errors in logos, sentence structure, etc. Unlike regular phishing emails that induce a sense of urgency, these MetaMask emails give users a comfortable deadline of over a month to update their KYC and verify themselves.

Clicking on the link in these emails naturally takes users to a fake landing page resembling the actual MetaMask website. Entering the passphrase on this phishing site gives hackers instant access to victims’ accounts, and funds transfer takes just a few seconds!


Authentication Bypass Issue in Apple Game Center

Cybersecurity experts recently discovered a vulnerability in the open-source project Parse Server, which is available on GitHub. The software provides push notifications for macOS, iOS, tvOS, and Android devices. A further probe into the Parse Server vulnerability revealed an authentication bypass in Apple Game Center.

Parse Server versions before 4.10.11/5.0.0/5.2.2 are reportedly affected by a validation issue in their Apple Game Center integration. Game Center is Apple’s social gaming platform and includes real-time multiplayer play and leaderboards. The vulnerability has been tracked as CVE-2022-31083 and assigned a CVSS severity score of 8.6. It causes Apple Game Center’s security certificate to go unvalidated. No privileges are required for this attack, and the complexity recorded is low.

A patch for the Parse Server vulnerability has been released in versions 4.10.11/5.2.2. Apple users are advised to patch their devices immediately to avoid this threat.


Two New Hacking Campaigns Detected in Ukraine

Ukrainian cybersecurity experts recently uncovered two new hacking campaigns. One of these uses a fraudulent tax collection document impersonating the national tax agency, and the other uses a malicious document describing the threat of Russian-led nuclear attacks. Experts at CERT-UA released a notice warning of malicious Word documents titled “Imposition of penalties” from the State Tax Service of Ukraine. This document would open a Cobalt Strike Beacon and give attackers access to the target system.

The CERT-UA experts attributed the attack vector to a cyberattack group called UAC-0098, which showed links to TrickBot and was involved in a few other attacks on Ukrainian entities. The second attack used malicious code in a text file to launch the CredoMap malware. This attack has been pinned down to the APT28 or Fancy Bear group, a renowned Russian military intelligence hacking group. The attack exploits a vulnerability tracked as CVE-2022-30190, which allows adversaries to take full control of an infected system.


Combined Efforts Helped Dismantle a Cybercrime Group

In a recent cross-border operation conducted by Europol in collaboration with the Belgian and Dutch police, the forces successfully dismantled an organized crime group. The criminal group involved multiple phishing, money laundering, and fraud scams. As part of the operation, cybersecurity experts made nine arrests and 24 house searches in the Netherlands. They also seized firearms, ammunition, electronic devices, cryptocurrency, jewelry, and cash from these houses.

The adversaries would use text messages and emails to contact victims and send messages with phishing links. These links would lead victims to a fake banking website where they would unsuspectingly enter their banking credentials. The cyber experts investigating the breaches noted that the hackers had already stolen millions of euros using this scheme. These hackers were also found to be associated with firearms and drug trafficking.


DDoS Attack Interrupts the Russian Economic Forum

A DDoS attack interrupted the proceedings of the recent Russian Economic Forum in St. Petersburg. The 25th Petersburg International Economic Forum is Russia’s response to the Davos World Economic Forum. The incident occurred last Friday and delayed Russian Premier Vladimir Putin’s speech by around 100 minutes.

Cybersecurity experts noted that the DDoS attack disrupted the Russian government’s admissions and accreditation systems. So far, Russia has not held any particular hacker group or individual responsible for the attack, but the attack had visible disruptive effects on the forum. For instance, poor internet connectivity was observed even during the premier’s speech.