Phishing-as-a-Service through Telegram bot

Researchers have discovered a phishing marketplace called ONNX Store, which sells cybercriminals tools for hijacking Microsoft 365 accounts, including a means of bypassing two-factor authentication (2FA). With it, threat actors can crank out phishing attacks on both Microsoft 365 and Office 365 email accounts. Corporate information security teams should be aware of this threat and tool up with anti-phishing protection. Let’s take a closer look at the danger…

A malicious attachment with a QR code and 2FA bypass

The researchers’ report describes an attack using ONNX Store phishing tools that targeted employees of several financial institutions. As bait, the victims first receive emails that appear to come from their HR departments and concern their remuneration.

The emails carry PDF attachments containing a QR code that must be scanned to access a “secure document” with “vital information” about the recipient’s salary. The point of the QR code is to get the victim to open the link not on a work computer (which most likely has anti-phishing protection) but on a personal smartphone (which may well not). It also keeps the phishing URL out of the message text, which is where mail filters look for links.

The link opens a phishing site mimicking a Microsoft 365 login page. Here, the victim is asked to enter their username and password, followed by a one-time 2FA code.

The fake Microsoft login page prompts victims to enter their credentials and a one-time 2FA code.

All of this information of course goes straight to the attackers. One-time 2FA codes are valid only briefly: app-generated TOTP codes change every 30 seconds. To make sure the stolen code is still usable, the phishing kit relays it over the WebSocket protocol, which gives real-time communication between the phishing page and the attackers’ backend.

Armed with the stolen credentials and a still-valid code, the attackers immediately log in to the account and gain full access to the victim’s mailbox. This access can then be exploited for business email compromise (BEC) and other attacks.

Phishing-as-a-service: plenty of phish in the sea

The hub of this phishing operation is the Telegram instant messenger. ONNX Store embraces automation to the fullest — all interaction with users is through Telegram bots.

Its creators provide phishing services on a subscription basis. The prices are quite low: for example, a monthly subscription for harvesting Microsoft 365 account passwords would cost a potential attacker $200 without a 2FA bypass — $400 with it.

Even small-time cybercriminals can afford that. For this modest investment, they get access to a set of finely-tuned phishing tools. All they have to do is to select an attackable target and devise a monetization scheme.

How to protect your organization against advanced phishing

It’s the low-entry threshold that makes the phishing-as-a-service model such a threat: the circle of cybercriminals with dangerous tools at their disposal becomes much wider. Therefore, we strongly advise that you take preemptive measures against an advanced phishing attack on your organization. Here’s what we recommend:

Consider phishing-resistant 2FA: FIDO2/WebAuthn hardware security keys (YubiKey is the best-known brand) or passkeys. Because the browser binds the authentication to the genuine site’s origin, the credential is useless on a look-alike phishing page, so even a kit that relays passwords and one-time codes in real time gets nothing it can use. The caveat: this only holds if weaker fallback methods (SMS or app codes) are disabled for the account.
Deploy a reliable security solution with anti-phishing protection on all corporate devices, including smartphones and tablets.
Conduct regular security-awareness training to train employees to recognize and deal with suspicious emails. Our interactive Kaspersky Automated Security Awareness Platform provides everything you need on this and more.

Kaspersky official blog – Read More

How to protect yourself from surveillance that uses AirTag beacons or similar devices (on either Android or iOS) | Kaspersky official blog

Small Bluetooth tags for finding lost items are a godsend for frequent travelers and the simply forgetful. The coin-sized devices contain a battery and a Bluetooth Low Energy (BLE) transmitter; a smartphone app estimates the tag’s position from its signal, and tags with an additional ultra-wideband radio (such as AirTag) can be pinpointed to within a few centimeters. If the lost keys with the tag are far away from the owner and their smartphone, other people’s smartphones can help find them: both Apple and Google have deployed a global network in which participating smartphones report the location of nearby beacons to a server, and their apps (Find My for iOS, and Find My Device for Android) can locate the lost item. There just needs to be at least one smartphone nearby that has both Bluetooth switched on and an internet connection.

Although the most popular beacon is Apple’s AirTag, there are several other accessories that work on the same principle and that are sometimes compatible with each other (Chipolo, eufy, Filo, Samsung SmartTag, Tile, and others). Sometimes tracking functions are built directly into frequently lost accessories, such as Bluetooth headsets and headphones.

The possibility of remote tracking was quickly appreciated not only by the forgetful but also by scammers and stalkers. By planting an AirTag on a victim — for example, slipping it into a purse pocket or under a car license plate — one can track a person’s movements without their knowledge. Thieves use this technology to steal expensive cars, and stalkers and jealous partners use it for surveillance and harassment. So how can you protect yourself from such a thing?

First generation of AirTag protection

As soon as the first reports of AirTags being used for tracking appeared, Apple implemented several protective measures to reduce the likelihood of stalking. First, AirTag has a speaker: if the tag is away from the iPhone it’s linked to for an extended period, it intermittently emits a loud beep. Second, iOS 14.5 introduced an alert that warns the iPhone owner when someone else’s AirTag has been detected traveling with them over a period of time. If this happens, you can make the tag play a sound to physically locate it, and also check its serial number. Sometimes it’s all quite innocent, for example a tag hanging on the keys of a relative or friend you’re traveling with, or a beacon parents have put in their child’s backpack. In this case, the warning about the foreign AirTag can be disabled temporarily or permanently.

Unfortunately, these measures were not enough. They did nothing for Android owners, and attackers learned to defeat the “beep” protection by disabling or damaging the speaker, or by buying “silent” AirTags on online marketplaces.

How to protect yourself from AirTag and other Bluetooth trackers in 2024

This year, manufacturers introduced cross-platform compatibility: the ability to detect BLE beacons regardless of which smartphone platform they’re linked to and which platform the tracking victim uses. To achieve this, Apple and Google joined forces and implemented the functionality in both iOS 17.5 and Android (the update is available for all versions starting with Android 6). Now, warnings that someone else’s tracker keeps being detected nearby are available on either platform, and the victim can see the tracker’s ID, make it play a sound, and even get instructions on how to disable it. The two companies proposed the DULT (Detecting Unwanted Location Trackers) specification, now being standardized at the IETF, which may become an industry standard in the future. For now, some tag manufacturers (Chipolo, eufy, Jio, Motorola, and Pebblebee) have said they will support the current specification.
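As an added example (not code from the Kaspersky post, nor from Apple or Google), here is how a detection tool can tell a Find My tag apart from other Bluetooth traffic and decide whether it is moving with you. Apple’s Find My (“Offline Finding”) advertisement is a manufacturer-specific BLE record carrying Apple’s company ID 0x004C, sub-type 0x12 and a 25-byte payload whose bulk is rotating public-key material, as reverse-engineered by the OpenHaystack project. The place labels, timings, key bytes and alert thresholds below are all constructed for the demo; Apple and Google do not publish their real thresholds.

```python
"""Parse raw BLE advertising data, pick out Apple Find My ("Offline Finding")
frames, and apply a simple "is this tag traveling with me?" heuristic."""
from collections import defaultdict

AD_MANUFACTURER_SPECIFIC = 0xFF
APPLE_COMPANY_ID = 0x004C           # Bluetooth SIG company identifier for Apple
APPLE_OFFLINE_FINDING = 0x12        # Apple sub-type used by AirTag / Find My accessories
OFFLINE_FINDING_LEN = 25            # status byte + 22 key bytes + key high bits + hint byte

# Assumed thresholds for the demo (the vendors' real values are not public).
TRAVEL_MIN_PLACES = 3
TRAVEL_MIN_MINUTES = 30


def parse_ad_structures(payload: bytes):
    """Split advertising data into (ad_type, data) pairs (BLE length-type-value format)."""
    structures, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            break                                  # padding or truncated frame
        structures.append((payload[i + 1], payload[i + 2:i + 1 + length]))
        i += 1 + length
    return structures


def find_my_frames(payload: bytes):
    """Return one dict per Find My advertisement found in the payload."""
    frames = []
    for ad_type, data in parse_ad_structures(payload):
        if ad_type != AD_MANUFACTURER_SPECIFIC or len(data) < 4:
            continue
        if int.from_bytes(data[:2], "little") != APPLE_COMPANY_ID:
            continue
        j = 2                                      # Apple data is a run of (sub_type, len, value)
        while j + 2 <= len(data):
            sub_type, sub_len = data[j], data[j + 1]
            value = data[j + 2:j + 2 + sub_len]
            if sub_type == APPLE_OFFLINE_FINDING and len(value) == OFFLINE_FINDING_LEN:
                frames.append({
                    "status": value[0],
                    # the 22 key bytes rotate, but slowly enough while the tag is away
                    # from its owner that they can serve as a tracker identity here
                    "key_fragment": value[1:23].hex(),
                })
            j += 2 + sub_len
    return frames


def flag_travelling_trackers(sightings):
    """sightings: iterable of (minutes_since_start, place_label, raw_advertising_bytes).
    Returns key fragments of tags seen at TRAVEL_MIN_PLACES or more distinct places
    over at least TRAVEL_MIN_MINUTES, i.e. tags that appear to move with the phone."""
    seen = defaultdict(lambda: {"places": set(), "first": None, "last": None})
    for minute, place, adv in sightings:
        for frame in find_my_frames(adv):
            rec = seen[frame["key_fragment"]]
            rec["places"].add(place)
            rec["first"] = minute if rec["first"] is None else min(rec["first"], minute)
            rec["last"] = minute if rec["last"] is None else max(rec["last"], minute)
    return sorted(
        key for key, rec in seen.items()
        if len(rec["places"]) >= TRAVEL_MIN_PLACES
        and rec["last"] - rec["first"] >= TRAVEL_MIN_MINUTES
    )


def build_find_my_adv(status: int, key22: bytes) -> bytes:
    """Construct a synthetic Find My advertisement for the demo (real tags derive the
    rotating key from the owner's secret; these key bytes are made up)."""
    body = bytes([status]) + key22 + bytes([0x00, 0x00])          # 25-byte payload
    apple = APPLE_COMPANY_ID.to_bytes(2, "little") + bytes([APPLE_OFFLINE_FINDING, len(body)]) + body
    return bytes([len(apple) + 1, AD_MANUFACTURER_SPECIFIC]) + apple   # length 0x1E, type 0xFF


# Constructed sightings: a friend's tag seen at home and at the office, and a planted
# tag that follows the phone everywhere. A flags record and a non-Apple beacon are mixed in.
FLAGS = bytes.fromhex("020106")
OTHER_BEACON = bytes.fromhex("0303aafe")                           # 16-bit service UUID, not Apple
FRIEND_TAG = FLAGS + build_find_my_adv(0x10, bytes(range(1, 23)))
PLANTED_TAG = FLAGS + build_find_my_adv(0x10, bytes(range(101, 123)))
SIGHTINGS = [
    (0, "home", FRIEND_TAG), (0, "home", PLANTED_TAG), (2, "home", OTHER_BEACON),
    (20, "bus stop", PLANTED_TAG),
    (45, "office", PLANTED_TAG), (50, "office", FRIEND_TAG),
]

if __name__ == "__main__":
    print("tags that appear to be traveling with you:", flag_travelling_trackers(SIGHTINGS))
```

The heuristic is the same shape the built-in alerts use: a tag that keeps showing up as you change location is suspicious, a tag seen only at one place is not. Real tooling has to cope with key rotation (the advertised key changes over time, so sightings have to be stitched together) and with the fact that the status byte, not the key, tells you whether the tag thinks it is near its owner.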

What to do if you find an unknown Bluetooth tag on your belongings?

There are no hard and fast rules for this situation, as much depends on individual circumstances.

Upon receiving a warning on your smartphone, the first step is to locate the tracker and carefully examine it. You can use the “precision finding” feature, for example by following this guide. The tag could be hidden anywhere: in the folds or pockets of your bag, in your wallet, under the wheel arch of your car, stuck to the bumper or license plate frame, and so on. If you’re unsure whether it’s the same tracker flagged by the app, check the serial number. Some models have it printed on the casing, while for others you can read it by holding the tag against the smartphone’s NFC reader.

Locating the tracker helps rule out innocent scenarios: perhaps you accidentally picked up someone else’s headset instead of yours, or a colleague left their keys in your car. In such cases, simply return the lost item to its owner. Another possible legitimate tracking scenario is a tag attached to rented equipment, especially cars and expensive electronics. In this case, discuss the tracking with the rental provider and decide whether it’s acceptable to you. Normally, such property protection measures should be outlined in the rental agreement.

The situation is more complex when it comes to malicious tracking.

For victims of domestic violence, spouses going through a difficult divorce, or anyone in circumstances where exposing the tracking might provoke aggression from the perpetrator, it’s best to remain discreet. Report the tracking to law enforcement, but don’t reveal to the stalker that you’ve found the tag. In particular, the tag shouldn’t give away your visit to the police station: either remove its battery beforehand or arrange to meet the authorities at a safe location.

If there’s no risk of violence, you can simply hand the tag over to the police. Throwing it away or deactivating it is not enough, as the perpetrators could just start all over again.

For comprehensive protection of your privacy, use our most advanced security solution — Kaspersky Premium, which not only neutralizes viruses but also provides the world’s best protection against phishing, detects intrusions into your Wi-Fi networks, protects your personal data and payment information online, alerts you to password leaks and identity theft, and offers many more features to ensure your complete security.

We’ve prepared a detailed step-by-step guide to help you choose the optimal subscription and quickly set everything up from scratch, or switch from other vendors to our applications — which have received more awards than any other security solutions in the world.

New LianSpy spyware targets Android smartphones | Kaspersky official blog

Spyware is a dangerous tool that can be used to selectively monitor specific victims. Often the victims are employees in a single company, or residents in a single country. The new mobile spyware, which we discovered and dubbed LianSpy, targets — for now — users of Android smartphones in Russia, but the unconventional approaches it employs could potentially be applied in other regions as well. How it works and how to guard against this new threat is the topic of this post.

What is LianSpy?

We discovered LianSpy in March 2024. However, our data indicates it’s been active for at least three years — dating back to July 2021! How did LianSpy remain in the shadows for so long? The attackers meticulously cover their tracks. Upon launch, the malware hides its icon on the home screen and operates in the background using root privileges. This allows it to bypass Android status bar notifications, which would typically alert the victim that the smartphone is actively using the camera or microphone.

LianSpy disguises itself as system applications and financial services. Interestingly, the attackers aren’t interested in the victims’ banking data. This spyware silently and discreetly monitors user activity by intercepting call logs, sending a list of installed applications to the attackers’ server, and recording the smartphone’s screen — mainly during messenger activity.

How does LianSpy work?

Unlike spyware that exploits zero-click vulnerabilities, LianSpy requires some action on the part of the victim. Upon launch, the malware checks whether it has the permissions it needs (reading contacts and call logs, and drawing overlays) and requests them if not. That done, it registers an Android BroadcastReceiver to receive system events, which it uses to start or stop its malicious tasks.

LianSpy uses root privileges in a rather unconventional way. Typically, spyware uses them to take complete control of the device. LianSpy, however, uses only a small part of what a superuser can do, and uses it chiefly to stay hidden from security solutions.

LianSpy is a post-exploitation Trojan, meaning that the attackers either exploited vulnerabilities to root Android devices, or modified the firmware by gaining physical access to victims’ devices. It remains unclear which vulnerability the attackers might have exploited in the former scenario.

Another feature of LianSpy is its combined use of symmetric (one key for both encrypting and decrypting information) and asymmetric (separate public and private keys) encryption. Before being stolen, the data is encrypted with a symmetric algorithm, the key for which is encrypted asymmetrically. Only the attacker possesses the private key. For more details about LianSpy functionality, see our Securelist post.
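As an added example, not LianSpy’s own code: the hybrid scheme the post describes, implemented with the Python `cryptography` library. AES-256-GCM for the data and RSA-OAEP for wrapping the key are assumed algorithm choices (the post does not name them), and the sample plaintext is made up. The point it makes concrete is the one the post hints at: an analyst who recovers the implant gets only the public key, so captured uploads cannot be read without the operator’s private key.

```python
"""Hybrid "exfiltration envelope": each batch of stolen data is encrypted with a fresh
symmetric key, and that key is wrapped with the operator's RSA public key. Only the
holder of the matching private key can open the envelope."""
import os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def make_operator_keypair():
    """The operator keeps the private key; only the PEM public key ships inside the implant."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_pem = private_key.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
    return private_key, public_pem


def seal(plaintext: bytes, embedded_public_pem: bytes) -> dict:
    """What the implant does before an upload: fresh data key, AEAD-encrypt, wrap the key."""
    public_key = serialization.load_pem_public_key(embedded_public_pem)
    data_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)                       # 96-bit nonce, never reused with this key
    return {
        "wrapped_key": public_key.encrypt(data_key, OAEP),
        "nonce": nonce,
        "ciphertext": AESGCM(data_key).encrypt(nonce, plaintext, None),
    }


def open_envelope(envelope: dict, private_key) -> bytes:
    """What the operator does server-side. Raises (ValueError / InvalidTag) with the wrong key."""
    data_key = private_key.decrypt(envelope["wrapped_key"], OAEP)
    return AESGCM(data_key).decrypt(envelope["nonce"], envelope["ciphertext"], None)


def can_open(envelope: dict, private_key) -> bool:
    try:
        open_envelope(envelope, private_key)
        return True
    except Exception:
        return False


def demo() -> dict:
    operator_private, embedded_public = make_operator_keypair()
    analyst_private, _ = make_operator_keypair()        # an analyst's own key: the wrong one
    envelope = seal(b"call log export: 12 entries (constructed sample)", embedded_public)
    return {
        "operator_can_read": can_open(envelope, operator_private),
        "analyst_can_read": can_open(envelope, analyst_private),
        "plaintext_visible_in_upload": b"call log" in envelope["ciphertext"],
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence for defenders: decrypting captured traffic is a dead end, so detection has to rest on behaviour (root usage, screen recording, the permission requests, and command-and-control traffic to public services) rather than on the content of the uploads.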

Who’s behind LianSpy?

Good question. The attackers only utilize public services, not private infrastructure, which makes it difficult to definitively determine which hacker group is behind these attacks on Android smartphone users in Russia. The paymaster’s identity is also not known, but, as global practice shows, such sophisticated cyberespionage campaigns are often instigated by groups affiliated with a nation-state actor.

How to guard against spyware surveillance?

Download apps only from official stores and catalogs, but keep in mind that spyware can infiltrate even those.
Update your operating system regularly — not all malware can adapt to new security features.
Use well-known apps from trusted developers. Avoid alternative clients for instant messengers and other services, as they may contain malicious code (read more about spyware mods for WhatsApp, Telegram and Signal).
Use Kaspersky: Antivirus & VPN to detect spyware such as LianSpy in a timely manner.
If you still don’t have reliable protection, use TinyCheck, a spyware detection tool.
Only grant applications the permissions they need to function.

What is an adversary-in-the-middle attack, and how is it used in phishing?

The increasing use of both multi-factor authentication (MFA) and cloud services in organizations has forced cybercriminals to update their tools and tactics. On the one hand, they no longer need to penetrate a company’s internal network or use malware to steal information and conduct fraudulent schemes. It’s enough to gain access to cloud services — such as Microsoft 365 email or MOVEit file storage — through legitimate accounts. On the other hand, stolen or brute-forced credentials are no longer sufficient — MFA must be somehow bypassed. A recent large-scale series of cyberattacks on major organizations, which affected over 40,000 victims, shows that attackers have adapted to the new reality. They’re using targeted phishing techniques and adversary-in-the-middle tools on a broad scale to target companies.

What is adversary-in-the-middle

An adversary-in-the-middle (AitM) attack is a variation of the well-known man-in-the-middle attack: the attacker gets access to the communications between legitimate parties (client and server), intercepts client requests, forwards them to the server, and then intercepts the server responses and forwards those to the client. What makes an AitM special is that the attacker doesn’t just eavesdrop on communications, but actively interferes with them — modifying the messages to their advantage.

Advanced AitM attacks may involve compromising the organization’s ISP or Wi-Fi network. Attackers then manipulate network protocols (ARP poisoning, DNS spoofing) and display fake web pages or files when the user accesses legitimate resources. In the case of spearphishing, though, such tricks are unnecessary. It’s enough to lure the user to a malicious web server that talks to both the victim and the legitimate cloud-service servers at the same time, acting as a reverse proxy. The attack generally goes like this:

The user receives a phishing message and clicks the link.
Through a chain of masking redirects, the user’s browser opens a page on a malicious site that looks like the cloud service’s login portal. To render it, the attackers’ reverse proxy fetches the real login page from the legitimate server and passes its entire content on to the user’s browser, making whatever changes the attackers need.
The user sees the familiar interface and enters their username and password.
The malicious server relays the username and password to the legitimate server, imitating the user’s login. The username and password are also stored in the attackers’ database.
The legitimate server verifies the password and, if correct, requests a one-time code, which is sent to the user or generated in their app, as per the usual MFA procedure.
The malicious server displays a page prompting the user to enter the one-time code.
The user enters the one-time code from the authenticator app or text message.
The malicious server sends the code to the legitimate server, which verifies it and, if correct, lets the user into the system.
The legitimate server sends session cookies needed for normal system operation to the “browser” (which is actually the malicious server).
The malicious server forwards the cookies to the attackers, who can then use them to imitate the browser of a user already logged into the system. The attackers don’t need to enter passwords or MFA codes anymore — it’s all been done already!
The malicious server redirects the user to another site or to the regular login page of the legitimate service.
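The exchange above leaves traces on the identity provider’s side, and so does the ONNX Store kit described earlier in this page, where the relayed one-time code is used for an immediate login from the attackers’ own infrastructure. As an added example (not code from the post, from any identity provider, or from the phishing kits it names), here are two detection rules in Python run over constructed sign-in events in a generic schema: a session used from a different IP than the one where MFA was completed (the cookie replay of steps 8 and 9), and an MFA completion from an IP never seen for that user (the direct-login pattern of a code-relaying kit).

```python
"""Two AitM detection rules over identity-provider sign-in events (constructed data)."""
from datetime import datetime

# Constructed events. alice completes MFA from her usual IP, then her session cookie is
# used two and a half minutes later from an unrelated address (the replay). carol completes
# MFA from an IP never seen for her (a relayed one-time code). bob is normal traffic.
EVENTS = [
    {"ts": "2024-06-03T09:01:10Z", "user": "alice", "ip": "203.0.113.10", "event": "mfa_success", "session": "s-1"},
    {"ts": "2024-06-03T09:01:15Z", "user": "alice", "ip": "203.0.113.10", "event": "session_use", "session": "s-1"},
    {"ts": "2024-06-03T09:03:40Z", "user": "alice", "ip": "198.51.100.77", "event": "session_use", "session": "s-1"},
    {"ts": "2024-06-03T10:20:00Z", "user": "bob", "ip": "203.0.113.22", "event": "mfa_success", "session": "s-2"},
    {"ts": "2024-06-03T10:25:00Z", "user": "bob", "ip": "203.0.113.22", "event": "session_use", "session": "s-2"},
    {"ts": "2024-06-03T11:00:00Z", "user": "carol", "ip": "192.0.2.200", "event": "mfa_success", "session": "s-3"},
]
# Constructed 30-day baseline of the IPs each user has signed in from.
BASELINE_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.22"}, "carol": {"203.0.113.5"}}


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_session_replay(events, max_minutes: int = 60):
    """Flag a session that was issued after MFA at one IP and then used from another IP
    within max_minutes: the signature of a stolen cookie being replayed by the proxy."""
    origin, alerts = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):          # ISO timestamps sort as strings
        if e["event"] == "mfa_success":
            origin[e["session"]] = (e["user"], e["ip"], parse_ts(e["ts"]))
        elif e["event"] == "session_use" and e["session"] in origin:
            user, mfa_ip, mfa_ts = origin[e["session"]]
            minutes = (parse_ts(e["ts"]) - mfa_ts).total_seconds() / 60
            if e["ip"] != mfa_ip and minutes <= max_minutes:
                alerts.append({"rule": "session_used_from_new_ip", "user": user,
                               "session": e["session"], "mfa_ip": mfa_ip,
                               "use_ip": e["ip"], "minutes_after_mfa": round(minutes, 1)})
    return alerts


def detect_mfa_from_unseen_ip(events, baseline):
    """Flag MFA completions from an IP the user has never used: what a relayed
    one-time code looks like when the attacker logs in directly."""
    return [{"rule": "mfa_from_unseen_ip", "user": e["user"], "ip": e["ip"]}
            for e in events
            if e["event"] == "mfa_success" and e["ip"] not in baseline.get(e["user"], set())]


def run_detections(events=EVENTS, baseline=BASELINE_IPS):
    return detect_session_replay(events) + detect_mfa_from_unseen_ip(events, baseline)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

An IP change on its own is noisy for mobile users who hop between networks, so in production the first rule is usually refined with ASN or country changes, user-agent and device-ID mismatches, and paired with identity-provider controls that bind sessions to a managed device. The second rule needs a per-user baseline that is at least a few weeks old before it stops paging on every business trip.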

Additional features of modern AitM attacks

Attackers have streamlined the basic attack scenario described above. There are ready-made phishing kits available — usually including reverse proxies like Evilginx or Muraena, which enable “out-of-the-box” attacks with templates for modifying login pages of popular cloud services and well-oiled MFA-code theft scripts.

However, to successfully compromise large organizations, “off-the-shelf” attacks need to be tailored. Well-resourced attackers can target many organizations at once. In the attack mentioned above, about 500 large companies — all law firms — were targeted within three months. Each received a custom domain within the attackers’ infrastructure, so the victims (executives of these organizations) were directed to domains with familiar and correct names in the initial part of the URL.

The arms race continues. For example, many companies and cloud services are moving to phishing-resistant MFA methods such as FIDO2 hardware security keys and passwordless logins (passkeys). These methods are generally resistant to AitM attacks because the credential is bound to the genuine site’s origin, but most cloud systems still allow a fallback login using older verification methods such as printed backup codes or one-time codes delivered by text message, intended for cases where the user loses or breaks the physical second factor. Attackers exploit this: the malicious server shows the victim a modified copy of the legitimate authentication page with the stronger methods removed, steering the victim toward a fallback that can be phished. This type of attack has been named Passkey Redaction.

How to protect against AitM attacks

Protection against spearphishing attacks aimed at gaining access to cloud accounts requires coordinated measures from corporate security services, cloud providers, and the users themselves:

Use phishing-resistant MFA such as FIDO2/WebAuthn hardware security keys. Ideally, all employees should have them, but at the very least management and those responsible for critical business operations and IT.
Work with your SSO provider and cloud services to disable fallback authentication methods for those accounts, and take technical measures that make stolen session cookies harder to use, such as binding sessions to managed devices and shortening session lifetimes.
Educate employees to pay attention to changes in login pages and to avoid entering credentials if an authentication method unexpectedly “disappears” or the site name seems unfamiliar. Regularly conduct cybersecurity training tailored to employees’ responsibilities and experience.
Explore and properly configure the cloud provider’s security tools. Ensure that employee activity logging is sufficiently detailed and that the security team receives these logs promptly; ideally, they should go directly to the SIEM system.
Ensure that all computers and smartphones used to access corporate accounts have an EDR agent.
Install a reliable protective solution with anti-phishing capabilities on the corporate email server.

Transatlantic Cable podcast episode 358 | Kaspersky official blog

Episode 358 of the Transatlantic Cable Podcast kicks off with news of American cybersecurity firm KnowBe4 being duped by a North Korean hacker who successfully went through its HR checks and secured employment. Next: deepfake bullying among children on Snapchat; and X/Twitter’s AI bot Grok is now reading your tweets, but there is a fix, and we show you how to protect yourself. We close out the episode with news of a data breach at HealthEquity affecting 4.3 million people.

If you liked what you heard, please consider subscribing.

North Korean hacker gets employed at US Cybersecurity firm
Deepfake bullying
Grok AI reading public tweets
HealthEquity data breach

How to guard against fake Wi-Fi hotspots on planes and at airports | Kaspersky official blog

Evil twins — malicious Wi-Fi hotspots that intercept user data — are back in vogue. While the threat itself is nothing new (we’ve covered it before), fake Wi-Fi incidents have recently reached new heights — literally. In a particularly interesting case from Australia, a passenger was arrested for setting up evil twins both at the airport and on board the plane during the flight.

There’s a good reason these days why passengers are more likely to use in-flight Wi-Fi: airlines are increasingly offering entertainment streamed directly to your devices rather than on the seatback screens.

Here’s how it works: after takeoff, you enable Wi-Fi on your phone, laptop or tablet, connect to the access point, open your browser, and voilà — you’re on the airline’s media portal. From there you can choose from a selection of movies, music, games, and more. And sometimes this same portal offers internet access —usually for an additional fee.

While streaming entertainment saves airlines money on installing and maintaining seatback screens, it requires more vigilance from passengers — who probably don’t expect to be targeted mid-flight. In the case mentioned above, the perpetrator carried on board a laptop and a mobile Wi-Fi hotspot with the same network name as the legitimate airline Wi-Fi.

Unsuspecting passengers, connecting to what they thought was the official network simply because its signal was stronger (the weaker, genuine one with the same name generally isn’t shown) — were then directed to a fake authentication page. This page requested an email address — and password! — or social network credentials, supposedly to sign in to the airline’s online services. According to police, the criminal intended to use this data to hijack accounts and access personal information.

The insidiousness of this kind of attack lies in the victims’ limited options: stuck on board a plane, connected to what they believe is legitimate Wi-Fi, they have just two options: (i) provide the requested information, or (ii) forgo any and all in-flight entertainment — because neither cellular networks nor other Wi-Fi access points are available during the flight. Therefore, the chances of a successful attack are… sky-high.
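As an added example, not part of the original post: a scan-triage script that applies the checks a security engineer would run from a laptop over the list of visible networks (on Linux, `nmcli dev wifi list` or `iw dev wlan0 scan` gives the same fields). The scan results, SSIDs and MAC addresses are constructed, and the heuristics are generic rather than tied to any airline’s setup. It captures the two tells from the incident above: the impostor radio is the strongest signal, and it is not one of the cabin access points.

```python
"""Triage a Wi-Fi scan for evil-twin candidates (constructed scan data)."""
from collections import defaultdict

# Constructed scan: two genuine cabin access points share a vendor prefix (OUI) on the same
# open network; a third radio with the strongest signal claims the same SSID but has a
# locally administered MAC, typical of a phone hotspot or a spoofed address.
SCAN = [
    {"ssid": "Airline-WiFi", "bssid": "00:11:22:aa:bb:01", "signal_dbm": -62, "security": "OPEN"},
    {"ssid": "Airline-WiFi", "bssid": "00:11:22:aa:bb:02", "signal_dbm": -65, "security": "OPEN"},
    {"ssid": "Airline-WiFi", "bssid": "da:a1:19:7b:3c:01", "signal_dbm": -38, "security": "OPEN"},
    {"ssid": "Crew-Ops", "bssid": "00:11:22:aa:bb:03", "signal_dbm": -70, "security": "WPA2"},
    {"ssid": "Free_Airport_WiFi", "bssid": "00:11:22:aa:bb:04", "signal_dbm": -80, "security": "OPEN"},
    {"ssid": "Free_Airport_WiFi", "bssid": "00:11:22:aa:bb:05", "signal_dbm": -55, "security": "WPA2"},
]


def oui(bssid: str) -> str:
    """First three octets: the vendor prefix of a globally assigned MAC address."""
    return bssid.lower()[:8]


def is_locally_administered(bssid: str) -> bool:
    """Bit 1 of the first octet set means a locally administered (not vendor-assigned) address."""
    return bool(int(bssid.split(":")[0], 16) & 0x02)


def evil_twin_report(scan):
    """Return {ssid: [reasons]} for every SSID that shows signs of being duplicated."""
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)
    report = {}
    for ssid, aps in by_ssid.items():
        reasons = []
        if len({ap["security"] for ap in aps}) > 1:
            reasons.append("same SSID advertised with different security settings")
        if len({oui(ap["bssid"]) for ap in aps}) > 1:
            reasons.append("same SSID served by radios with different vendor prefixes")
        strongest = max(aps, key=lambda ap: ap["signal_dbm"])
        if len(aps) > 1 and is_locally_administered(strongest["bssid"]):
            reasons.append(f"strongest radio {strongest['bssid']} has a locally administered MAC")
        if reasons:
            report[ssid] = reasons
    return report


if __name__ == "__main__":
    for ssid, reasons in evil_twin_report(SCAN).items():
        print(ssid, "->", "; ".join(reasons))
```

None of these checks is proof on its own: large venues legitimately run mixed access-point fleets, and some enterprise controllers assign locally administered BSSIDs. Together, though, a stronger-than-everything-else radio that differs from its siblings is exactly the pattern a cabin hotspot planted by a passenger produces, and it is a better reason to ask the crew than a hunch.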

How to use in-flight Wi-Fi safely

Our traditional advice about using free Wi-Fi boils down to two simple tips: use 4G/5G cellular access instead of public Wi-Fi hotspots wherever possible, and when that’s not an option — protect your connection with a reliable VPN. But these don’t… quite fly at cruising altitude: cellular data is out of reach; you have to disable your VPN to connect to the in-flight portal; and even if you pay for in-flight internet access, the VPN is likely to be patchy or not work at all.

So, here’s some tailored advice for staying safe when using in-flight Wi-Fi:

Don’t connect to in-flight Wi-Fi just out of curiosity to see what’s on offer.
Come prepared. Download movies and music to your devices beforehand so as not to rely on the airline’s entertainment options. That done, you probably won’t need in-flight Wi-Fi at all.
If you still do need Wi-Fi, review the instructions in your seat pocket carefully. It should list the official Wi-Fi name and connection process.
Be wary of discrepancies. If something about the Wi-Fi connection seems off compared to the instructions, or if you’re asked to enter detailed personal information like email, passwords, passport details, or payment information, disconnect immediately and alert a flight attendant. Confirm with them whether this information is actually required to use the Wi-Fi. Show them the device screen so that they can verify the legitimacy of the connection interface.
Avoid downloading anything during the flight. Connecting to the plane’s network should never require installing apps, plugins, or certificates. If asked to install anything of the sort — disconnect immediately by enabling airplane mode.
If you connect to Wi-Fi to use the in-flight internet, try enabling your VPN as soon as the connection is established. If the VPN can’t be turned on, minimize your online activity, and never log in to sensitive services such as online banking, government websites, or email.
Keep the number of devices you connect to the in-flight Wi-Fi to a minimum — preferably no more than one.
If you do connect, before landing, make sure to go to the Wi-Fi settings and “forget” the airline network. You can then put your device in airplane mode, as required by the aviation regulations.

Phase-by-phase SIEM implementation | Kaspersky official blog

We’ve already written about how, since a medium-sized company is an attractive target for cybercriminals, it can’t be protected with just basic tools; it needs layered defenses. And a security information and event management (SIEM) system is a logical choice for the main center of such a multi-layer protection system. But how should a full-fledged SIEM be implemented in a company with 500 to 3000 employees? Today we tell you how, and as the title of this post suggests, it’s best done phase by phase…

First of all – choose a SIEM solution

This one’s easy: pick one of the few relatively inexpensive commercial products suitable for medium-sized businesses, or a “free” open-source solution. Why the quotation marks, you may ask. Because although the license costs nothing, the implementation will consume significant resources and a lot of your infosec team’s time. You’ll need much, much longer (several-fold) than you would for implementing a commercial product, both before and after you go live. Without going into the details, let’s just say that there are no complete out-of-the-box open-source SIEM solutions. You’d have to assemble one from available components, adjusting them to be interoperable: an ELK stack or OpenSearch for storage, collectors and agents based on one or several of OSSEC/Snort/Suricata, investigation and response tools (MozDef), and so on. The popular OSSIM and Prelude projects are likewise each a compilation of different tools, so supporting them is by no means easier, while scaling options are constrained by your IT/infosec team’s available time and specific skills.

Hardware is another thing to consider besides the direct software costs and person-hours. All but a few SIEM systems are quite demanding on hardware, and you’ll have to purchase or rent a server for the go-live specifically.

The Kaspersky Unified Monitoring and Analysis SIEM platform, with its best-in-class performance, is a welcome exception. It boasts sensible hardware requirements and also support for virtual deployments. You can deploy it on a single server or distribute it across the organization if needed by spinning up a collector in each of your offices.

Define data sources for SIEM

You need to work with your business to identify what to monitor with the SIEM. This isn’t as trivial as it may sound: besides helping you catch hackers, a SIEM can keep an eye on many other events, such as server overload or even some business performance metrics like the rate of inventory issue from a warehouse. Network devices, servers, ordinary computers and applications can all be data sources. Detailed planning of data sources ensures that the SIEM solution is properly configured and able to monitor all critical assets. EDR is typically the primary source, as it provides detailed information about server and workstation events structured in an infosec-friendly way, while generating little noise of irrelevant alerts. We obviously recommend Kaspersky EDR Expert, which can feed SIEM with both raw events data and detections associated with complex attacks.

Configure the SIEM solution

With the list of data sources approved, you now need to configure your SIEM solution to collect and analyze security data from those sources. This includes installing data collection agents and setting up correlation rules to identify potential security threats. Nearly every SIEM system comes prepackaged with default correlation rules – but they have to be adjusted to the company’s realities. After the initial setup, some rules will require correction: you need to thoroughly test the situations of both an excess and a lack of alerts.
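To make the point about adjusting default rules concrete, here is an added example (not Kaspersky code and not tied to any SIEM product): a single correlation rule, “N failed logins followed by a success from the same source”, implemented in Python and run against constructed VPN log lines at a default and a tuned threshold. The untuned rule fires on a user who mistyped a password three times; the tuned one fires only on the service account that was sprayed.

```python
"""One correlation rule, two thresholds, run over constructed key=value VPN log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)")

# Constructed log lines (not any particular product's format). jsmith fat-fingers a
# password three times; svc-backup is hit with eight attempts in under three minutes
# before one succeeds; admin gets two failures and no success.
LOG_LINES = [
    "2024-05-02T08:00:01Z host=vpn1 event=login_failed user=jsmith src=10.0.5.14",
    "2024-05-02T08:00:20Z host=vpn1 event=login_failed user=jsmith src=10.0.5.14",
    "2024-05-02T08:00:41Z host=vpn1 event=login_failed user=jsmith src=10.0.5.14",
    "2024-05-02T08:01:05Z host=vpn1 event=login_success user=jsmith src=10.0.5.14",
] + [
    f"2024-05-02T08:{10 + i * 20 // 60:02d}:{i * 20 % 60:02d}Z host=vpn1 event=login_failed "
    "user=svc-backup src=198.51.100.30"
    for i in range(8)                                   # 08:10:00, 08:10:20, ... 08:12:20
] + [
    "2024-05-02T08:12:50Z host=vpn1 event=login_success user=svc-backup src=198.51.100.30",
    "2024-05-02T08:30:00Z host=vpn1 event=login_failed user=admin src=198.51.100.30",
    "2024-05-02T08:30:30Z host=vpn1 event=login_failed user=admin src=198.51.100.30",
]


def parse_lines(lines):
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:                                           # unparseable lines are skipped, not fatal
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def brute_force_then_success(events, threshold, window_minutes):
    """Alert when a login succeeds after at least `threshold` failures for the same
    user from the same source within the preceding `window_minutes`."""
    failures = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["src"])
        if e["event"] == "login_failed":
            failures[key].append(e["ts"])
        elif e["event"] == "login_success":
            cutoff = e["ts"] - timedelta(minutes=window_minutes)
            recent = [t for t in failures[key] if t >= cutoff]
            if len(recent) >= threshold:
                alerts.append({"user": e["user"], "src": e["src"],
                               "failures": len(recent), "success_at": e["ts"].isoformat()})
            failures[key].clear()                       # a success ends the attempt sequence
    return alerts


def compare_thresholds(lines=LOG_LINES):
    events = parse_lines(lines)
    return {
        "default_rule": brute_force_then_success(events, threshold=3, window_minutes=5),
        "tuned_rule": brute_force_then_success(events, threshold=6, window_minutes=5),
    }


if __name__ == "__main__":
    for name, alerts in compare_thresholds().items():
        print(name, [(a["user"], a["failures"]) for a in alerts])
```

This also shows the other side of the test the post asks for, a lack of alerts: the two failed attempts against `admin` never produce anything from this rule, because it only fires on an eventual success. Catching a slow password spray that never succeeds needs a second rule keyed on the source address across many users, which is the kind of gap you only find by feeding the SIEM scenarios you expect it to catch.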

Train employees

SIEM solutions require trained personnel for effective management and monitoring. The infosec team at a medium-sized company typically consists of generalists, jacks of all trades, so each member of the team should be proficient in the basic SIEM skills. Luckily, a SIEM system saves time on routine work such as searching for applications storing outdated passwords or triaging the backlog of notifications in your inbox. This motivates everyone to use the new tool.

Support the SIEM system and keep it up to date

SIEM is a living and breathing tool that needs regular support and adjustments as an organization grows and evolves. Noisy and ineffective rules must be deprioritized or deactivated, and further correlation rules designed to recognize new threats must be tested.

You can learn more about the Kaspersky Unified Monitoring and Analysis platform and request a demo on its official web page.

Fake leaks of passwords and seed phrases are scammers’ new weapons | Kaspersky official blog

We spent several months researching a new and very smart crypto scam, where the victims were slowly, craftily encouraged to install a malicious crypto management app. However, the ones who got scammed were only nominally victims, because the operators, like some digital Robin Hoods, targeted… other pilferers. Take an in-depth look at this scam with us and learn how to protect your cryptocurrency.

The initial bait

It all started with my receiving a fairly trivial forwarded Telegram message about cryptocurrency. Others might have ignored it, but being the web content analysts’ team lead at Kaspersky, I smelled a rat and decided to look into it. To evade detection, the message was presented as a five-second-long video clip, which contained a screenshot showing a hasty, heavily discounted sale of two lucrative crypto projects with respective links thereto. Likely designed to give the recipient a false sense of security, the first link led to a real second-tier crypto exchange — albeit a small one. The real bait was hiding behind the other link.

The screenshot of the crypto project sale announcement is wrapped into a five-second-long video clip. That’s a red flag!

A convenient server malfunction

Contrary to what could be expected, following the other link didn’t bring up any malicious content. Things were far more interesting: if you entered the address expecting to see a home page, the browser displayed a root directory listing with some enticing file names in it. It appeared as if the server had been misconfigured, or the home page accidentally had been deleted, revealing all of the unsuspecting domain owner’s data. You could click any file in the list and view its contents right in the browser, because, conveniently, all of them had common, easy-to-handle formats, such as TXT, PDF, PNG or JPG.

A visitor sees a list of files in the root folder. There isn’t a single HTML file

This made a visitor feel like they’d landed inside the personal data folder of a rich but dimwitted owner of some crypto project. The text files contained wallet details complete with seed phrases, and the images were screenshots showing proof of a large amount in cryptocurrency being successfully sent, substantial wallet balances, and the owner’s lavish lifestyle.

The text file contains carefully collected addresses, logins, passwords, seed phrases, recovery keys, PINs and private keys

One of the screenshots had a YouTube video in the background, explaining how to buy yachts and Ferraris with Bitcoin. A PDF catalog of these yachts could easily be found in the same directory. In a nutshell, this was seriously juicy bait.

The screen shows a snapshot from the life of a rich slacker. So, what is the CORRECT WAY to buy the Ferrari and Yacht with Bitcoin?

Real wallets and cash

What’s smart about this scam is that the wallet details are real, and one indeed can access the wallets and view, say, the Exodus transaction history or the assets in the other wallets, worth nearly 150,000 US dollars, according to DeBank.

The Exodus wallet is empty, but it’s real, and someone used it quite recently

You wouldn’t be able to withdraw anything, though, as the funds are staked — that is, basically tied up in the account. Nonetheless, this makes the visitor far less skeptical: the whole thing seems to be someone’s carelessly leaked real data, not spam or phishing. Besides, there are no external links or malicious files to be seen anywhere — nothing to be suspicious about!

The amounts in the other wallets are hefty. Too bad the funds are staked (locked)

We monitored the site for two months, seeing no changes whatsoever. The scammers seemed to be waiting for a critical mass of interested users to build up while tracking their behavior with web server analytics. It was only after this lengthy warm-up period that they proceeded to the next stage of the attack.

A new hope

The dramatic two-month pause was at last ended with an update: a fresh Telegram screenshot purportedly showing a successful Monero payout. If one took a closer look at the screenshot, one would notice an “Electrum-XMR” wallet app with a transaction log and a sizable balance of almost 6000 Monero tokens (XMR), worth about a million dollars at the time of publishing this.

The active phase kicks off: a wallet seemingly containing about a million dollars

By a lucky coincidence, a new text file with the seed phrase for the wallet popped up right next to the screenshot.

The seed phrase for the wallet was the bait

At this point, anyone dishonest enough rushed to download an Electrum wallet to log in to the careless dupe’s account and grab the remaining money. Tough luck: Electrum only supports Bitcoin, not Monero, and it takes a private key (and not a seed phrase) to regain access to an account. When attempting to restore the key from the seed phrase, every legitimate converter said the seed phrase format was invalid.

Yet greed was clouding the users’ judgment: after all, there was a million dollars at stake, and they needed to hurry before someone else stole it. The fast-buck artists went googling “Electrum XMR” or simply “Electrum Monero”. Whichever it was, the top result was a website ostensibly about an Electrum fork that supported Monero.

The “right” version of the wallet appears at the top of the search results

Its design resembled that of the original Electrum website, and, in typical open-source fashion, it featured all kinds of descriptions, links to GitHub (the original Electrum repository, though — not Electrum-XMR), a note that explicitly said this was a fork to support Monero, and handy direct links to macOS, Windows and Linux installers.

The website for the fake wallet app is very well made

Which is when the hunter unwittingly becomes the prey. Downloading and installing Electrum-XMR infects the computer with malware identified by Kaspersky as Backdoor.OLE2.RA-Based.a, which provides attackers with covert remote access. What they do next is probably scanning the contents of the machine and stealing crypto wallet data and any other valuable information.

Our security solution would have blocked the malicious website, let alone an attempt to install the Trojan, but crypto hunters eager to lay their hands on other people’s money are hardly among our users.

Our security blocks the malicious site, let alone an attempt to install the Trojan

All of a sudden, a second iteration

Some time later, when we were done investigating this feat of social engineering, we received another bit of bait, which was hardly a surprise. This time around, the scammers switched from slow steaming to searing. The screenshot showed a fake wallet with a large balance next to an open text file containing a wealth of personal information and a thoughtfully added link to a malicious site. This scam has apparently proved to work well, and we’re in for lots of similar attacks.

Version two saw the scammers get right down to it by collecting all relevant information in one screenshot

Recognizing the attack

Victims of the scam we discussed above evoke no sympathy at all, seeing how they took the bait by trying to steal other people’s money. However, the scammers keep coming up with new tricks, and next time, you might be offered an ostensibly ethical way of making money. For example, you might accidentally get a screenshot advertising a lucrative airdrop, with the link right in the address bar…

So, stay alert, and take any information with a large pinch of salt. Each stage in the attack was suspicious in its own way. The website sale ad was presented in the form of a video clip with a screenshot, obviously to get around anti-spam algorithms. A website that contains nothing but unencrypted text files full of crypto wallet data looks too good to be true. The domain purportedly hosting the crypto wallet fork had been registered just two months before the attack. Most importantly, however, the scam-filled crypto landscape makes using little-known wallet apps an unacceptable risk. Thus, follow these steps:

Use only major, tried-and-true crypto wallet apps and exchange websites.
Carefully check that you’re signing in only through official sites and downloading apps from the right sources.
Read our tips for spotting online scammers.
Use comprehensive computer and smartphone protection that’ll keep you from going to phishing sites or running malware.
Subscribe to our blog and/or Telegram channel to be the first to learn about new threats.


Comparing From and Reply-To headers | Kaspersky official blog

We’ve recently improved the accuracy of detecting spear phishing and business email compromise (BEC) attacks by adding a tiny but important check to our email security products. Now, if our mail-protection engine flags an email as suspicious for whatever reason, we match the domain in the From header against that in the Reply To header. And it’s surprisingly effective; this simple check succeeds in weeding out a large portion of rather sophisticated attacks. Here’s how it works.

How to detect sophisticated email attacks?

Spear phishers who carry out targeted email attacks traditionally go to great lengths to make their emails seem legitimate. These aren’t the kind of bad guys who email out attachments with Trojans inside; instead, they tend to hide phishing links under multiple layers of subterfuge. And this is why security solutions capable of detecting targeted emails rarely deliver a verdict based on a single criterion, but rather on a combination of suspicious signs. Matching the From and Reply To fields is one of these criteria.

How does matching the headers help?

Most attackers, even when compromising business correspondence, don’t bother hacking legitimate domains. Instead, they exploit the often-limited “expertise” of mail-server administrators. In fact, on a huge number of domains, mail authentication methods — like Sender Policy Framework (SPF), and especially Domain-based Message Authentication, Reporting, and Conformance (DMARC) — don’t work very effectively (if at all). In the best-case scenario, these mechanisms are technically enabled, but configured so loosely (to avoid false positives) that they become practically useless.

This laxity allows threat actors (sometimes including those behind full-blown APT attacks) to simply take the domain of the targeted organization and put it in the From, or even the SMTP From header. However, since they don’t want to just deliver an email, but also get a direct reply to it, they have to put their own address in the Reply To field. This tends to be a disposable email address or an address hosted on a free email service. And that’s what gives them away.

From and Reply To headers in the suspicious letter

Why not match the headers all the time?

From and Reply To don’t always have to match. There are many legitimate cases when an email may be sent from one mail server, but the reply is expected at another. The simplest example of this is newsletters and marketing emails: a specialized mailing-service provider sends them, but its client is the one who’s interested in the responses. Therefore, if the From and Reply To check were always enabled, it’d generate false positives.
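The check described in the two sections above, as an added example that is not Kaspersky’s own code: it parses the From and Reply-To headers with the Python standard library, compares their domains, and applies the result only to mail that some earlier stage has already flagged as suspicious, so that a legitimate newsletter with differing domains is not flagged on this sign alone. The three messages and all addresses in them are constructed for this example.

```python
"""From vs Reply-To domain comparison as one sign among several.

Added example, not Kaspersky's own engine code. The sample messages and
every address in them are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: From carries the target's own domain, Reply-To points
# at a free mail provider (the pattern the post describes).
SUSPICIOUS_MSG = b"""\
From: "Finance Director" <cfo@targetcorp.example>
Reply-To: cfo.targetcorp@freemail.example
To: accountant@targetcorp.example
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

# Constructed sample: a newsletter sent by a mailing-service provider on
# behalf of its client; the domains differ for a legitimate reason.
NEWSLETTER_MSG = b"""\
From: "Shop News" <news@mailer-provider.example>
Reply-To: support@shop.example
To: customer@somewhere.example
Subject: Weekly deals

This week's offers are inside.
"""

# Constructed sample: ordinary internal mail with no Reply-To at all.
NO_REPLY_TO_MSG = b"""\
From: alice@targetcorp.example
To: bob@targetcorp.example
Subject: Lunch

Noon?
"""


def header_domain(msg, name):
    """Lower-cased domain of an address header, or None if absent/malformed."""
    value = msg.get(name)
    if not value:
        return None
    _display, addr = parseaddr(str(value))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def reply_to_mismatch(raw):
    """True when Reply-To is present and its domain differs from From's."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = header_domain(msg, "From")
    reply_dom = header_domain(msg, "Reply-To")
    if from_dom is None or reply_dom is None:
        return False  # nothing to compare: no signal either way
    return from_dom != reply_dom


def verdict(raw, already_suspicious):
    """Combine the mismatch with the engine's earlier assessment.

    The comparison is only consulted for mail that was already flagged;
    run unconditionally it would hit newsletters and similar legitimate mail.
    """
    if not already_suspicious:
        return "clean"
    if reply_to_mismatch(raw):
        return "likely BEC/spear phishing"
    return "suspicious"


if __name__ == "__main__":
    for label, raw in [("spoofed", SUSPICIOUS_MSG), ("newsletter", NEWSLETTER_MSG),
                       ("internal", NO_REPLY_TO_MSG)]:
        print(f"{label:11} mismatch={reply_to_mismatch(raw)!s:5} "
              f"flagged->{verdict(raw, True)}  unflagged->{verdict(raw, False)}")
```

The comparison here is an exact match of the two domains; a deployment would also have to decide how to treat subdomains of the same organisation, and would still want SPF and DMARC results alongside this sign rather than instead of them.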

Where’s the technology deployed?

The check is integrated into all our corporate email security products: Kaspersky Security for Microsoft Exchange Server, Kaspersky Security for Office 365, Kaspersky Security for Linux Mail Server, and Kaspersky Secure Mail Gateway.


A safe process for updating cybersecurity products | Kaspersky official blog

According to Microsoft, the blue screen incident caused by a CrowdStrike Falcon security solution update affected more than 8.5 million computers worldwide. This incident has cost many companies dearly, and has also brought up a lot of debate about how to prevent similar situations from happening again.

First of all, no one is immune to errors; it’s simply impossible to guarantee the complete absence of bugs in complex software systems. However, a properly structured process for developing, testing, and delivering products and their updates to users’ devices can significantly minimize the risk of a serious failure. And we’ve had such a process firmly in place for years.

We, too, had incidents directly related to updates for our products. But the last time we had a notable problem of the kind was way back in 2013. After that unpleasant episode, we conducted a thorough analysis of the root causes — leading to a complete overhaul of our approach to the creation and testing of updates both in products for business and home users. And the system we built has proven itself to be very reliable: in 11 years we’ve not had a single failure of a similar magnitude.

We make no secret of the update release mechanisms we’ve built, and are ready to share them with the industry. After all, without the free exchange of best practices and solutions developed by different companies, progress in the cybersecurity industry will be hindered greatly. Among the main update release safeguarding mechanisms are multi-level testing, gradual rollout of updates, and automatic monitoring of anomalies. Let’s talk about them in detail.

Multi-level testing

There are two types of updates for our products — some are used for adding new detection logic, and some are for changing the functionality of a given product. Adding new functions potentially adds more risks, but sometimes logic updates can cause problems as well. Therefore, we carefully test both types of updates at different stages.

Checking for false positives

When creating and releasing detection rules (both those automatically generated and those written by analysts), we test them on an extensive database of legitimate (or “clean”) objects — files, web pages, behavior patterns, and so on. This way, false positives are identified and filtered out. We’ve an extensive and constantly updated collection of legitimate objects — both software and clean web resources — on which all created rules are tested.

One of the ways this collection is replenished is through our Allowlist Program, which allows software developers (both customers that develop and use their own solutions and independent vendors) to provide us with their software. This reduces the number of potential false positives and the risk of incorrect software classification.

Other methods for obtaining files and metadata include exchanging information with technological partners, using our Threat Intelligence Portal, and so on. In total, our database of legitimate objects contains information on around 7.2 billion objects.
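The first testing stage described above, as an added example that is not Kaspersky’s own pipeline: every candidate detection rule (here a plain regular expression) is run over a collection of known-clean objects and over known-bad samples; a rule that fires on anything clean is rejected before release, and a rule that catches nothing bad is sent back for rework. All file names, contents, marker strings and rules are constructed for this example.

```python
"""Gate candidate detection rules on a clean collection before release.

Added example, not Kaspersky's own test pipeline. The corpora and rules
below are constructed; the marker strings stand in for real malware traits.
"""
import re

# Constructed clean collection: fragments of legitimate files.
CLEAN_CORPUS = {
    "installer-readme.txt": "Run setup.exe and follow the prompts.",
    "logo.html": '<img src="data:image/png;base64,'
                 'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR4'
                 '2mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==">',
    "build.sh": "#!/bin/sh\nmake && make install",
}

# Constructed known-bad samples the rules are supposed to catch.
MALICIOUS_SAMPLES = {
    "sample-a.js": "var x = 'CONSTRUCTED_MALWARE_MARKER_1'; /* payload omitted */",
    "sample-b.js": "/* packed */ eval(decode('CONSTRUCTED_MALWARE_MARKER_2'))",
}

# Candidate rules, as an analyst or an automatic generator might propose them.
CANDIDATE_RULES = {
    # Too broad: any long base64 run also matches the clean PNG data URI.
    "long_base64": r"[A-Za-z0-9+/]{40,}={0,2}",
    # Specific to the constructed samples, silent on clean data.
    "constructed_marker": r"CONSTRUCTED_MALWARE_MARKER_\d",
    # Narrow but valid here: no clean hit, one known-bad hit.
    "packed_eval": r"\beval\(",
}


def hits(pattern, corpus):
    """Sorted names of the objects in corpus that the compiled pattern matches."""
    return sorted(name for name, body in corpus.items() if pattern.search(body))


def evaluate(rules, clean, malicious):
    """Per-rule false positives, true positives and the release decision."""
    report = {}
    for name, regex in rules.items():
        pattern = re.compile(regex)
        fps = hits(pattern, clean)
        tps = hits(pattern, malicious)
        report[name] = {
            "false_positives": fps,
            "true_positives": tps,
            # Release only rules that are silent on clean data and catch something bad.
            "accepted": not fps and bool(tps),
        }
    return report


def release_set(rules=CANDIDATE_RULES, clean=CLEAN_CORPUS, malicious=MALICIOUS_SAMPLES):
    """Names of the rules that pass the gate, in sorted order."""
    report = evaluate(rules, clean, malicious)
    return sorted(name for name, r in report.items() if r["accepted"])


if __name__ == "__main__":
    for name, r in evaluate(CANDIDATE_RULES, CLEAN_CORPUS, MALICIOUS_SAMPLES).items():
        status = "accept" if r["accepted"] else "reject"
        print(f"{name:20} {status}  FP={r['false_positives']} TP={r['true_positives']}")
```

A real clean collection is orders of magnitude larger than three files, so the same loop is normally run as a batch job and any rule with even one clean hit is returned to its author with the offending object attached.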

Testing on virtual machines

But update testing isn’t limited to checking them on file collections. If no problems are detected at the first stage, all updated components then undergo multi-stage automatic testing on virtual machines with various configurations of security products, software and operating systems. Various scenarios are run related to our products and the operation of security mechanisms and also the imitation of typical user actions.

Regarding specifically product scenarios, these include a thorough file system scan, the process of the product update’s installation, rebooting after the update, and so on. This allows us to make sure that the product functions normally after the update, and neither crashes nor affects system stability. Each update goes through this check.

User scenarios simulate typical human behavior on a computer — opening a browser, visiting a web page, downloading a file, launching a program. This check allows us to make sure the product doesn’t have a negative impact on the computer’s performance, responsiveness or stability.

Separately, updates are automatically tested for compatibility with industrial software (for example, SCADA systems). Any negative impact on solutions related to this sphere may lead to an inadmissible halt in production processes and potential financial damage.

Quality control

In addition to the above-mentioned checks, we also have a separate quality control team. Not a single product update release is delivered to our clients without confirmation of its readiness by that team’s experts. The team also, if necessary, adjusts and constantly improves the verification processes, and monitors the emergence of possible operational risks.

Phased release of updates of protective technologies

Of course, we are realists, and admit that this entire multi-level system of checks may still not be enough. For example, some third-party software will be updated at the same time as ours, and this may cause an unforeseen conflict. And in general, it’s impossible to predict all combinations of configurations of different programs and systems. Therefore, after an update affecting the functionality of security solutions is ready and approved, it doesn’t get sent to all our users’ computers at once. Instead, the updates are released in phases.

An update undergoes preliminary testing on machines in our own network before being published on public update servers. If no problems are detected, the update is first received by a very small number of randomly selected users. If no problems or failures are manifested, then the number of computers that receive the update gradually increases at certain intervals, and so on until the update is available to all users.

Automatic anomaly monitoring

So what happens if an update does cause problems? We monitor the behavior of updated solutions using voluntarily transmitted anonymized data through our KSN, and promptly halt update distribution if something goes wrong.

But most importantly, thanks to the combination of automatic anomaly monitoring and phased release of updates, an error would affect only a very small number of computers — hundreds, not millions or even thousands of them.
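The phased release and the automatic halt described in the two sections above, as an added example that is not Kaspersky’s own rollout machinery: a controller widens the set of machines that may fetch an update ring by ring, picks each ring by hashing the device identifier together with the update identifier so that membership is stable and freshly randomised per update, and stops widening as soon as telemetry from machines that already installed the update shows a failure rate above a threshold. Ring sizes, thresholds, the 10,000-device fleet and the failure pattern of the “bad” update are constructed assumptions.

```python
"""Phased rollout with an automatic halt on anomalies.

Added example, not Kaspersky's own rollout code. Ring sizes, thresholds,
device identifiers and the failure pattern below are constructed.
"""
import hashlib

# Share of the population that may receive the update at each ring, in order.
# The first, tiny ring stands for the vendor's own machines (assumption).
RINGS = [0.001, 0.01, 0.1, 0.5, 1.0]
FAILURE_THRESHOLD = 0.01  # halt when more than 1% of updated hosts report a failure
MIN_REPORTS = 50          # don't judge the update on fewer telemetry reports than this


def bucket(device_id, update_id):
    """Stable pseudo-random value in [0, 1) for a (device, update) pair.

    Hashing the pair keeps a device in the same cohort for the whole rollout
    and draws a different random sample of machines for every update.
    """
    digest = hashlib.sha256(f"{update_id}:{device_id}".encode()).digest()
    return int.from_bytes(digest[:8], "big") / 2**64


class RolloutController:
    """Decides which machines may fetch the update and when to widen or stop."""

    def __init__(self, update_id):
        self.update_id = update_id
        self.ring = 0
        self.halted = False
        self.reports = {}  # device_id -> True if that host reported a failure

    @property
    def fraction(self):
        return 0.0 if self.halted else RINGS[self.ring]

    def eligible(self, device_id):
        """True if this device falls inside the current ring."""
        return bucket(device_id, self.update_id) < self.fraction

    def record(self, device_id, failed):
        """Anonymized telemetry from a host that installed the update."""
        self.reports[device_id] = failed

    def failure_rate(self):
        if not self.reports:
            return 0.0
        return sum(self.reports.values()) / len(self.reports)

    def advance(self):
        """Halt on anomalies; otherwise widen to the next ring."""
        if self.halted:
            return "halted"
        if len(self.reports) >= MIN_REPORTS and self.failure_rate() > FAILURE_THRESHOLD:
            self.halted = True
            return "halted"
        if self.ring == len(RINGS) - 1:
            return "complete"
        self.ring += 1
        return "advanced"


def simulate(update_id, population, failing):
    """Drive a rollout to its end; return (final status, number of hosts updated).

    `failing` is the constructed set of devices on which the update breaks.
    """
    ctl = RolloutController(update_id)
    updated = set()
    while True:
        for dev in population:
            if dev not in updated and ctl.eligible(dev):
                updated.add(dev)
                ctl.record(dev, failed=dev in failing)  # host reports back
        status = ctl.advance()
        if status in ("halted", "complete"):
            return status, len(updated)


# Constructed fleet of 10,000 devices; the "bad" update breaks every 20th one.
POPULATION = [f"device-{i:05d}" for i in range(10_000)]
BROKEN_ON = {d for i, d in enumerate(POPULATION) if i % 20 == 0}

if __name__ == "__main__":
    print("good update:", simulate("update-good", POPULATION, set()))
    print("bad update: ", simulate("update-bad", POPULATION, BROKEN_ON))
```

With these numbers the bad update is stopped after roughly a hundred machines, in the 1% ring, while the good one reaches the whole fleet; the MIN_REPORTS floor keeps a single unlucky host in the first ring from halting an update that is actually fine.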

Testing updates on the client side

Our company provides the ability to check the received updates once again, only this time on the client side through the Kaspersky Security Center management console.

The client’s system administrators can establish an isolated test group of computers (or virtual machines) with the most common configuration and set of software for the organization’s network, and then create a task to check updates — specifying this test group as the target. In this case all incoming updates are first installed only on test machines, tested in action, and only after the test are they distributed across the entire company network. More information on how to set up such a check can be found on our technical support website.

We thoroughly analyze each and every problem related to software updates that may arise (including those identified in preliminary tests), come to understand the reasons for their occurrence, and then take measures to ensure they don’t happen again. In addition, we’ve implemented a practice of proactively identifying and assessing the risks for possible problems, and address them systematically. As a result of doing this throughout the entire lifetime of our company, we’ve established a multi-level system that allows us to significantly reduce the risk of new problems emerging.

Of course, in just one blog post it’s impossible to tell you everything about all the nuances of our multi-level system for checking product updates. However, if this topic arouses interest in the industry, we’re ready to continue sharing details. Only open cooperation of all players in the information security sphere can create an effective barrier to the actions of cybercriminals.
