Cyber Security Headlines – September 20, 2021

Email scammers posed as DOT officials in phishing messages focused on $1 trillion bill

According to Cyberscoop, “shortly after Congress took action on a $1 trillion infrastructure bill, hackers posing as U.S. Transportation Department officials offered fake project bid opportunities to seduce companies into handing over Microsoft credentials.” This is according to researchers at email security company INKY. The scheme used numerous layers intended to disguise the messages as authentic government solicitations, some of which pointed back to the real Department of Transportation website. “In what may be an ironic twist, the phishers also copied and pasted in a real warning about how to verify actual U.S. government sites,” security researcher Roger Kay of the firm INKY stated. “The victim might have noticed that something was up if they had realized that the phishing site domain ended in .com rather than .gov or .mil.”

(Cyberscoop)
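The tell in that campaign was the domain: a .com masquerading as a U.S. government site. The check below, an added example that is not part of the Cyberscoop or INKY reporting, resolves the real host of each link in a message and accepts only hosts that actually end in .gov or .mil, so the usual tricks (a .gov label buried in a longer hostname, userinfo before an @, odd casing or an explicit port) are caught. The sample links are constructed for the example.

```python
"""Flag links in a supposed U.S. government solicitation whose host is not
actually a .gov or .mil domain.  Added example; the URLs below are constructed."""
from urllib.parse import urlsplit

GOV_SUFFIXES = (".gov", ".mil")

# Constructed sample: two genuine government hosts, four lookalikes.
SAMPLE_LINKS = [
    "https://www.transportation.gov/grants",
    "https://WWW.DOT.GOV:443/solicitation",
    "https://transportation.gov.bid-portal.com/login",      # .gov is not the last label
    "https://www.transportation.gov@bid-portal.com/",       # userinfo trick, real host after '@'
    "https://dot-bids.com/RFP-2021.pdf",                    # plain .com lookalike
    "ftp://www.transportation.gov/",                        # not a web link at all
]


def link_host(url: str) -> str:
    """Return the lowercase hostname of an http(s) URL, or '' if unusable.

    urlsplit().hostname already drops userinfo and the port and lowercases
    the name, so 'www.transportation.gov@bid-portal.com' yields 'bid-portal.com'.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return ""
    if parts.scheme.lower() not in ("http", "https"):
        return ""
    return (parts.hostname or "").strip(".")


def is_us_gov_host(host: str) -> bool:
    """True only when the host's final label is gov or mil.

    endswith('.gov') requires the dot, so 'dot-gov.com' and
    'transportation.gov.bid-portal.com' are both rejected.
    """
    return bool(host) and host.endswith(GOV_SUFFIXES)


def flag_non_gov_links(urls):
    """Return the subset of urls that do not point at a .gov/.mil host."""
    return [u for u in urls if not is_us_gov_host(link_host(u))]


if __name__ == "__main__":
    for u in flag_non_gov_links(SAMPLE_LINKS):
        print("NOT a U.S. government host:", u)
```

This is a link-level check for a mail gateway or a training exercise, not a substitute for domain reputation: a .gov host can itself be compromised, and a legitimate agency may use a contractor's .com for bid portals, so hits should be reviewed rather than auto-blocked.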

A new banking Trojan abuses YouTube for remote configuration

Researchers at ESET have reported the existence of the Numando trojan, which “implements backdoor capabilities to simulate mouse and keyboard actions, restart and shutdown machines, and display overlay windows” every time a victim visits a financial organization’s website, in order to capture the credentials entered. Numando currently focuses on Latin America and leverages public services such as Pastebin and YouTube for its remote configuration. Google has since removed the files.

(Security Affairs)

Admin of DDoS service behind 200,000 attacks faces serious prison time

A jury in California has found 32-year-old Matthew Gatrel of St. Charles, Illinois, guilty of being the administrator of two distributed denial-of-service (DDoS) operations, also called “booters” or “stressers.” His websites, DownThem and Ampnode, allowed paying users to launch more than 200,000 DDoS attacks on targets in both the private and public sector, including schools, universities, municipal and local government websites, and financial institutions. The trial took nine days. Gatrel faces a maximum statutory sentence of 35 years in federal prison for the three felonies he was found guilty of. His sentencing has been scheduled for January 27, 2022.

(Bleeping Computer)

US government sites showing porn and Viagra ads due to shared software vendor

Security researcher Zach Edwards has described the problem as one in which certain .gov and .mil domains use a common software product provided by Laserfiche, a contractor to the FBI, CIA, U.S. Treasury, the military, and other government bodies. Its product, Laserfiche Forms, “contains a vulnerability that has allowed threat actors to push malicious and spam content on reputable government sites.” Laserfiche has released a security advisory along with instructions on how to clean up affected websites, and identifies the root cause as an unauthenticated file upload vulnerability.

(Bleeping Computer)

Thanks to our episode sponsor, Kanu Solutions

Over the next few weeks Kanu Solutions is offering a series of educational sessions on a variety of topics in security, such as endpoints, networks, privileged access management, Internet of things, and governance, risk management and compliance, or GRC. Attend these sessions to get some savvy education from the security experts at Kanu Solutions. You could also get a twenty dollar UberEats Gift Card just for attending. You can participate in Kanu Solutions’ Lunch-n-Learn by registering at kanusolutions.com/events.

Threat actor has been targeting the aviation industry since at least 2018

Security researchers from Cisco’s Talos team have uncovered a spear-phishing campaign that has targeted the aviation industry for two years undetected. The threat actor behind it is believed to be based in Nigeria and is not technically sophisticated, using off-the-shelf malware throughout the campaigns. The spear-phishing messages use lure documents crafted specifically for the aviation and cargo industries; they purport to be PDF files but link to a VBScript file hosted on Google Drive, which ultimately leads to the delivery of remote access trojans (RATs) such as AsyncRAT and njRAT. Evidence collected by the researchers suggests the threat actor has been active since at least 2013, and the small scale of the operation is credited for its success in staying unnoticed.

(ZDNet)

Yes, of course there’s now malware for Windows Subsystem for Linux

According to The Register, “Linux binaries have been found trying to take over Windows systems in what appears to be the first publicly identified malware to utilize Microsoft’s Windows Subsystem for Linux (WSL) to install unwelcome payloads.” Black Lotus Labs, the threat research group at Lumen Technologies, said it had found several malicious Python files compiled in the Linux binary format ELF (Executable and Linkable Format) for Debian Linux. “These files acted as loaders running a payload that was either embedded within the sample or retrieved from a remote server and was then injected into a running process using Windows API calls,” Black Lotus Labs said in a blog post.

(The Register)
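The practical takeaway for defenders is that ELF files now have a reason to turn up on Windows hosts with WSL enabled, and most Windows endpoint tooling does not look for them. The script below is an added example, not Black Lotus Labs’ tooling: it parses the ELF identification header (magic, class, byte order, OS ABI, type and machine) and walks a directory tree reporting every file that carries one, regardless of its extension. The files it scans are constructed in a temporary directory for the example.

```python
"""Find ELF binaries, the file type the WSL loaders were built as, in a
directory tree where none should exist (for instance a Windows user profile).
Added example, not Black Lotus Labs' code; the sample files are constructed."""
import os
import struct
import tempfile

ELF_MAGIC = b"\x7fELF"
CLASSES = {1: "ELF32", 2: "ELF64"}
ENDIAN = {1: "little", 2: "big"}
OSABI = {0: "SysV", 3: "Linux"}
TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
MACHINES = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def parse_elf_header(data: bytes):
    """Describe an ELF header, or return None if data does not start with one.

    e_ident is the first 16 bytes: magic(4) class(1) data(1) version(1)
    osabi(1) abiversion(1) pad(7); e_type and e_machine follow at offset 16
    in the byte order e_ident declares.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    cls, order, version, osabi = data[4], data[5], data[6], data[7]
    if cls not in CLASSES or order not in ENDIAN or version != 1:
        return None
    fmt = "<HH" if order == 1 else ">HH"
    e_type, e_machine = struct.unpack_from(fmt, data, 16)
    return {
        "class": CLASSES[cls],
        "endian": ENDIAN[order],
        "osabi": OSABI.get(osabi, f"unknown({osabi})"),
        "type": TYPES.get(e_type, f"other({e_type})"),
        "machine": MACHINES.get(e_machine, f"unknown({e_machine})"),
    }


def find_elf_files(root: str):
    """Walk root; return (path, header) for every file that begins with an ELF header."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(64)          # the full ELF64 header is 64 bytes
            except OSError:
                continue                        # locked or unreadable; skip, do not abort
            info = parse_elf_header(head)
            if info:
                hits.append((path, info))
    return hits


def build_sample_dir() -> str:
    """Constructed fixture: an ELF64 x86-64 executable hidden as .dat, a PE
    stub, and a text file.  Only the first should be reported."""
    root = tempfile.mkdtemp(prefix="wsl-scan-")
    elf = (ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8   # e_ident: ELF64, LE, v1, SysV
           + struct.pack("<HH", 2, 62)                     # e_type EXEC, e_machine x86-64
           + b"\x00" * 44)
    with open(os.path.join(root, "update.dat"), "wb") as fh:
        fh.write(elf)
    with open(os.path.join(root, "notepad.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("nothing to see\n")
    return root


if __name__ == "__main__":
    for path, info in find_elf_files(build_sample_dir()):
        print(path, info)
```

Run it against a user’s profile or the Downloads folder on a WSL-enabled host. A hit is not proof of malice (developers keep ELF files there legitimately), but an ELF64 executable with a non-executable extension is worth pulling for analysis.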

AT&T phone-unlocking malware ring costs carrier $200M

Muhammad Fahd, of Pakistan and Grenada, is facing 12 years behind bars after effectively compromising AT&T’s internal networks to install credential-stealing malware. He was convicted of bribing AT&T employees at a Bothell, Wash. call center to use their AT&T credentials to sever phones from the AT&T network for customers who were still under contract, meaning those customers could take their newly independent phones to another carrier. Next, Fahd got the employees to install custom malware and “hacking tools that allowed him to unlock phones remotely from Pakistan,” according to court documents. In all, the 35-year-old Fahd defrauded AT&T out of more than $200 million in lost subscription fees after divorcing nearly 2 million mobile phones from the carrier.

(Threatpost)

Customer care giant TTEC hit by ransomware

TTEC, “the company used by some of the world’s largest brands to help manage customer support and sales online and over the phone, is dealing with disruptions from a network security incident resulting from a ransomware attack,” KrebsOnSecurity has learned. The company, based in Englewood, Colorado, has nearly 60,000 employees, most of whom work from home and answer customer support calls on behalf of a large number of name-brand companies, including Bank of America, Best Buy, Credit Karma, Dish Network, Kaiser Permanente, USAA and Verizon. A widespread system outage that began on Sunday, Sept. 12 was later confirmed as a ransomware attack, possibly by Ragnar Locker or a group pretending to be them.

(KrebsOnSecurity)


Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.