
Warning: This scam starts with a fake bill. It could end up with crooks stealing your data

Image: a frustrated male employee discussing contract details over the phone. (Getty Images / iStockphoto)

An online extortion gang is using phishing emails, social engineering, and a network of fake call centers to defraud victims of hundreds of thousands of dollars by tricking them into allowing remote access to their PCs, then stealing their data and threatening to leak it if the ransom is not paid.

According to analysis of ‘callback phishing’ attacks by cybersecurity researchers at Palo Alto Networks’ Unit 42, these social engineering campaigns are worryingly successful, which has led to the infrastructure behind the attacks being expanded as the cybercriminals try to make as much money as possible.

Similar earlier campaigns used phishing emails containing malicious documents to trick victims into installing the BazarLoader backdoor malware. The malware was then used to access networks, steal data, and extort victims into paying a fee to prevent the data from being leaked.

But this new campaign, which Unit 42 has investigated in detail and named Luna Moth, skips the malware infection entirely, instead relying on social engineering to gain access to the network – and it has proven successful, claiming victims in sectors including legal and retail and costing them hundreds of thousands of dollars.

Attacks start with a phishing email sent to a corporate email address with a PDF attachment claiming to be a credit card bill, often for less than $1,000, presumably because a lower amount is less likely to arouse suspicion or be reported to financial authorities.


The attachment contains a unique ID and a phone number, with a note that if there is a problem, the victim should call the number to query or cancel the payment. The wording of the emails and attachments is changed frequently to help avoid detection.

If the victim calls the number, they are connected to a call center operated by the people behind the extortion scheme, and the operator can work out which company has been targeted by asking for the ID number. Then, under the guise of helping the victim cancel the bogus payment, the operator walks the victim through the steps needed to download and run remote access software.

With this access, the attacker downloads and installs a remote administration tool, which lets them maintain persistent access to the machine and covertly search for sensitive files and servers – and then exfiltrate the data.

After the data is stolen, the attacker sends another email demanding an extortion payment, along with a threat to publish the information if it is not paid. Demands are made in Bitcoin and can run into the hundreds of thousands of dollars, depending on the organization – researchers say the attackers research victims’ annual revenue to decide how much to charge.

If the victim pays quickly, they are offered a 25% ‘discount’ on the extortion demand – while if they refuse to pay, the attackers threaten to call the victim’s customers and clients to tell them about the data breach.


Of course, even if the victim pays, there is no guarantee that the attackers will delete the stolen data.

“Paying an attacker doesn’t guarantee that they will live up to their promise. Sometimes they stop responding after confirming they’ve received payment and fail to follow through on negotiated commitments to provide proof of deletion,” said Kristopher Russo, senior threat researcher at Palo Alto Networks Unit 42.

The researchers said they observed and responded to a number of these attacks between May and October of this year, and all of them appear to be linked to the Luna Moth criminal group, which is “continuing to improve the effectiveness of the attack”, with campaigns shifting from targeting smaller and mid-sized companies to targeting larger ones.

The low cost per target, low risk of detection and rapid monetization of these campaigns mean the attacks are expected to continue – especially because relying on social engineering rather than malware lets them bypass antivirus protections.

Organizations should warn employees to be wary of unexpected messages that claim to be urgent, especially if they appear to come from an unknown sender, and employees should check with their own IT or information security team before acting on any request from an external party to install remote control software.

“All organizations should consider strengthening their cybersecurity awareness training programs, with a particular focus on unexpected bills, as well as requests to set up a phone call or install software,” said Russo.
