Brand Phishing Attacks: Hacker’s favorite choices

February 8, 2020 |by ethadmin | 0 Comments | blog | ,

Check Point Software Technologies, a leading solutions provider for security in the cyberspace, published its new report “Brand Phishing Report» for the fourth quarter of 2019. The researchers included in this report, the brands /company names that hackers exploited, by imitating them, during the fourth quarter of 2019, in order to steal personal data and/or banking credentials from the victims.

According to Check Point, during a “brand-phishing” attack, criminals are trying to emulate the official page of a famous brand by making a fake page, which looks exactly like the original. They also use a similar domain name or URL. The link leading to the fake page can be sent to victims via e-mail or text message. The fake website usually contains one form in which users enter credentials, payment information or other personal information. All this information is sent to hackers.

Which are the top phishing brands for the fourth quarter of 2019, according to Check Point?

Phishing brands are presented based on how often they appear in phishing attempts:

  • Facebook (18%)
  • Yahoo (10%)
  • Netflix (5%)
  • PayPal (5%)
  • Microsoft (3%)
  • Spotify (3%)
  • Apple (2%)
  • Google (2%)
  • Chase (2%)
  • Ray-Ban (2%)

 

Top Phishing platform-based brands

Email (27% of all phishing attacks)

  • Yahoo
  • Rbs (Ray-Ban Sunglasses)
  • Microsoft
  • DropBox

Web (48% of all phishing attacks)

  • Spotify
  • Microsoft
  • PayPal
  • Facebook

Mobile (25% of all phishing attacks)

  • Chase Mobile Banking
  • Facebook
  • Apple
  • PayPal

Phishing

According to Check Point researchers, cybercriminals use various ways of attack to deceive their victims and persuade them to pass on their personally data and payment details. To do so, they exploit known companies and brands as to mislead the victims, usually targeting them via spam emails. Sometimes, they monitor the victims for days or even weeks and carry out targeted attacks to steal money.

In the last two years, such attacks have increased significantly. Hackers are taking advantage of the increased usage of cloud-based emails which makes it easy for them to hide their true identity and present themselves as a credible company. Phishing will continue to be a major threat in 2020.

Check Point’s “Brand Phishing Report” was created by Check Point’s ThreatCloud intelligence, the largest cybercrime collaboration network that provides data on the most popular threats and attacks.

KEEP READING

Kevin Mitnick: The official interview of the famous hacker!

February 8, 2020 |by ethadmin | 0 Comments | blog |

Watch the first official interview of Kevin Mitnick, the most famous hacker of our time, in Greece, exclusively at SecNews TV.

Undoubtedly, no one would want to lose one of the exclusive interviews of the famous American hacker, who is a living legend for millions of people who believe in his work, as well as for all those who are interested in the advice of a renowned security professional, in order to become better in the field of online security.

Kevin Mitnick, being a successful Cyber ​​Security Consultant, emphasizes the importance of security awareness to users, regarding the social media and web usage, either personal or as members of a corporation.

View the entire interview:

TOPICS

Kevin Mitnick speaks exclusively at SecNews for his life, his first contact with hacking and its evolution , which established him as a legend in the sector of security of information systems.

In his interview, Kevin Mitnick talks about some of the most critical and important security issues, but also the risks faced by companies and organizations both in Greece and globally, according to his many years of experience.

Do not miss the tips given to you by the most famous hacker of our time to become informed regarding the safe usage of the web.

Kevin Mitnick also referred to the arrest of the founder of WikiLeaks, Julian Assange, who was expelled from the Ecuadorian embassy and arrested by the British authorities.

On the occasion of the arrest of Julian Assange, which made the round of the world, Kevin Mitnick also refers to his personal experience of US prisons and more specifically his isolation period, where he was locked up for a whole year.

A few words about Kevin Mitnick

Kevin Mitnick is one of the most famous American hackers. Having invaded many telecommunication networks by acquiring unauthorized access to them, he has been sentenced to imprisonment for cybercrimes and possession of counterfeit data. Kevin Mitnick gained many supporters who believed that his punishment was excessive and considered him the greatest hacker and social engineer of our time.

Mitnick has written three books around socialengineeringand security gaps in systems. He has founded his own company which deals with network security issues (Mitnick Security Consulting). He also conducts security seminars for major corporations throughout the world.

From the very first moment he made contact with computers using his “Pheaking” ability, and began to deal with obtaining remote access to computers. At 1987 he got arrested for the first time for hacking. The year after that, he was again accused for invasion to an information system, getting access to the source code of Digital Equipment Corporation and he was sentenced for one year in prison.

After his release, Kevin Mitnick continued facing hacking consequences as he traveled across various states of America, using counterfeit data, to avoid another arrest. He soon became the center of attention for the media but also for the FBI. Eventually, at 1995, Kevin Mitnick was arrested and sentenced to 5 years in prison. When he was released, at 2000, he was forbidden to use keypad devices for many years after.

KEEP READING

Greek Companies victims of CrySIS / Dharma ransomware! An Endless Attack?

February 7, 2020 |by ethadmin | 0 Comments | blog | ,

According to several reports by small and medium-sized businesses and organizations in Greece, CrySIS or Dharma ransomware, which has been spreading terror to its victims since 2016, has infected several companies.

CrySIS

While the global online community felt that the tyranny of CrySIS ransomware was over, several Greek companies are reporting that they been affected by the malware, paying – most of them – large sums of money for decrypting their files.

In fact, according to Malwarebytes Labs, there is an increase of 148% in CrySIS ransomware attacks from February to March 2019 globally.

In the Greek business world, ransomware seems to have bothered several companies who considered themselves untouchable or who never expected to be targeted by hackers.

According to SecNews’s research, the hackers behind the attacks have pure financial incentives, demanding ransoms from their victims. In simple words, companies are not victims of personal interests or conspiracies by their competitors.

The hackers act as “professionals” and as soon as they receive the demanded ransom, they send the decryption key to the victims.

Based on SecNews’s evidence, Chinese and/or Russians are probably behind the attacks, and they act as organized groups that have made millions (!) of dollars [b. $ 500.000.000 million] from malicious activities.

CrySIS Ελληνικές εταιρείες

CrySIS / Dharma targets Windows systems, aiming primarily at businesses, and using various distribution methods

CrySIS is distributed as malicious attachments to spam emails. Specifically, malicious attachments use duplicate file extensions, which in default Windows settings may appear to be non-executable, while they actually are.

CrySIS may also end up being disguised as installation files for legitimate software, including AV solutions. The hackers behind CrySIS offer apparently harmless installers for various legitimate applications, as executable files, that can be downloaded, which are been distributed through various websites and public networks.

Most of the time, CrySIS / Dharma is delivered manually during targeted attacks, exploiting leaked or weak RDP credentials. This means that the attacker has access to the victims machines before the brute-force attack on a Windows RDP protocol on port 3389.

In a recent attack, CrySIS was sent as a download link to a spam email. The link redirected to a password-protected installer. The password was given to potential victims in the email, and in addition to the CrySIS / Dharma executable, the installer contained an outdated removal tool from a known security vendor.

This social engineering strategy was used to keep users unsuspected. Seeing a familiar security solution in the installation package,  they did immediately considered the downloadable as safe.

CrySIS ransomware Ελληνικές εταιρείες

The Attack

Once CrySIS infects a system, it creates registry entries and encrypts virtually any file type, bypassing system and malware files. It performs encryption using a powerful encryption algorithm (AES-256 in combination with asymmetric RSA-1024 encryption), which is applied to fixed, removable and network drives.

Prior to encryption, CrySIS deletes all Windows Restore Points by running the vssadmin delete shadows / all / quiet command.

Trojan spreaded through the ransomware collects the computer name and the number of encrypted files from certain formats, sending them to a hacker-controlled C2 remote server. In some versions of Windows, it also tries to operate with administrator privileges, thus expanding the list of files that can be encrypted.

After a successful RDP-based attack, it has been observed that before executing the ransomware payload, CrySIS uninstalled the security software installed on the system.

ransomware Ελληνικές εταιρείες

The Ransom

When CrySIS completes the encryption, it leaves a note on the desktop informing the victim for the amount he has to pay in order to retrieve his files, providing two email addresses to contact the hackers.

The ransom required is usually around 1 Bitcoin, but there have been cases where pricing seems to have been adjusted according to the income of the company affected. Economically advanced companies often pay more.

How to protect yourself?

Although you have the option of using other software to operate remotely on your work computers, RDP is essentially a secure and easy-to-use protocol with a pre-installed client on Windows systems, as well as clients available for other operating systems. Here are some steps you can take to make it much more difficult for someone to access your network through unauthorized RDP connections:

  1. To make it more difficult for a brute force attack to succeed, use strong passwords.
  2. Do not disable Network Level Authentication (NLA) as it offers an additional level of authentication. Turn it on if it wasn’t already.
  3. Change the RDP port so that port-scanners looking for open RDP ports can’t detect yours. By default, the server listens on port 3389 for both TCP and UDP.
  4. Otherwise, you can use a remote Gateway Server server, which also gives you some additional security and functionality like 2FA. RDP session logs can be very useful when you want to control the various actions. As these logs are not found on the hacked machine, it is more difficult for hackers to be successful on their attacks.
  5. Restrict access to specific IP addresses, if possible. There should be no need for many IPs that need RDP access.
  6. Use an effective and easy-to-use backup strategy.
  7. Train your staff on phishing attacks and raise awareness for cyber security.
  8. Finally, use a multilevel, advanced security solution to protect your machines from ransomware attacks.

ransomware

Crysis is using the following extensions for encrypted files:

.crysis, .dharma, wallet, .java, .adobe, .viper1, .write, .bip, .zzzzz, .viper2, .arrow, .gif, .xtbl, .onion, .bip, .cezar, .combo, .cesar, .cmb, .AUF, .arena, .brrr, .btc, .cobra,  .gamma, .heets, .java, .monro, .USA, .bkp, .xwx, .btc, .best, .bgtx, .boost, .heets, .waifu, .qwe, .gamma, .ETH, .bet, ta, .air, .vanss, . 888, .FUNNY, .amber, .gdb, .frend, .like, .KARLS, .xxxxx, .aqva, .lock, .korea, .plomb, .tron, .NWA, .AUDIT, .com, .cccmn, .azero, .Bear, .bk666, .fire, .stun, .myjob, .ms13, .war, .carcn, .risk, .btix, .bkpx, .he, .ets, .santa, .gate, .bizer, .LOVE, .LDPR, .MERS, .bat, .qbix, .aa1, and .wal

The following ransom names have been identified so far:

  • HOW TO DECRYPT YOUR DATA.txt
  • Readme to restore your files.txt
  • Decryption instructions.txt
  • FILES ENCRYPTED.txt
  • Files encrypted!!.txt

Commonly used file hashes:

  • 0aaad9fd6d9de6a189e89709e052f06b
  • bd3e58a09341d6f40bf9178940ef6603
  • 38dd369ddf045d1b9e1bfbb15a463d4c
KEEP READING