Dropbox Suffers Major Breach in Phishing Attack

It’s no secret that cyber attacks are on the rise, and that no company is immune to them. Dropbox, a cloud storage company, was the latest victim when its GitHub account was compromised. This gave attackers access to 130 code repositories, which contained sensitive data.

Dropbox was notified of a potential breach on October 14th from GitHub, who observed suspicious activity coming from the account starting one day earlier.

On Tuesday, November 1, 2022, Dropbox released an announcement that said, “our investigation has found that the code accessed by this threat actor contained some credentials—primarily, API keys—used by Dropbox developers.”

The data contains the names and email addresses of a few thousand Dropbox employees, current customers, past customers, sales leads, and vendors.

The breach has been attributed to a successful email phishing campaign that targeted Dropbox employees and pretended to be from CircleCI (a continuous integration and delivery platform). The emails directed the victims to a landing page where they were asked to enter their GitHub credentials.

Dropbox states that the hackers did not manage to get access to customers’ accounts, passwords, or payment information. In addition, none of Dropbox’s core apps or infrastructure were compromised. As a result of this attack, Dropbox is taking further steps to secure its environment by using WebAuthn and hardware tokens or biometrics.

It was almost immediately after the compromise that GitHub detected the exfiltration of content from private repositories. The threat actors used VPNs and proxy services to make it more difficult to trace and identify them.

The Dropbox security breach is just one example of how even big companies are susceptible to damage by sophisticated cyber attacks. While Dropbox was quick to mitigate the damage caused by the attack, it’s a reminder to all businesses that they’re always vulnerable to these kinds of threats. Therefore, it’s important for employers to educate their staff on how to identify potential cyberattacks.

The Evolution of Callback Phishing Scams

Phishing is one of the oldest forms of cybercrime. It continues to grow and evolve, making it difficult for people to defend themselves.

Callback phishing scams are email campaigns that pose as expensive memberships to confuse recipients who have never signed up for these services.

The email includes a phone number the receiver may call to learn more about this “membership” and cancel it. But doing so opens the door to social engineering assaults that infect victims’ devices with malware and, in some cases, full-blown ransomware attacks.

This type of attack started with what is now known as BazarCall campaigns.

Under the alias “BazarCall,” threat actors started sending emails posing as subscriptions to popular services, along with a phone number to call so they could cancel the purchase.

When a target dialed the number, the threat actors guided them through a series of prompts that ultimately resulted in downloading an Excel file infected with the BazarLoader malware. BazarLoader allowed remote access to compromised devices, which led to ransomware assaults.

The evolution

The social engineering method has changed in recent callback phishing attacks, but the bait is still an invoice from well-known service provider companies.

Once the receiver phones the number provided, they are asked for “verification” invoice data. Next, the scammer says no matching records exist, and the victim’s email was spam.

The fake customer care worker tells the recipient that the spam email may have infected their computer with malware and offers to connect them with a technician. In the final step, the victim is connected to the fake technician, who claims to help with the infection and takes them to a website where they download malware disguised as antivirus software.

In the security software campaigns, the scammers claim that the security package pre-installed on the victim’s laptop has expired and has been automatically renewed. Eventually, the fraudster takes the victim to a malware-dropping canceling and refund gateway.

These tactics convince victims to download malware like BazarLoader, remote access trojans, or other remote access software.

The final step is persuading the victim to log into their bank account to receive the reimbursement. Instead, the victim is deceived into paying the con artist: the scammer locks the victim’s screen, starts an outbound transfer request, and then unlocks the screen only when the transaction requires the victim’s credentials.

After the transaction, the victim is shown a fake “refund successful” page to deceive them into believing that they have received the refund. In addition, in some cases, the threat actors send the victim an SMS stating that the money has been refunded to prevent the victim from noticing the fraud.

Of course, losing money is only one of the issues that infected users may have because the threat actors can launch new, more dangerous malware that will spy on them for a longer period and steal sensitive data.

Overall, callback phishing scams are difficult to defend against because they are constantly evolving. The best defense is to be aware of the signs of a scam, such as unexpected invoices or calls from numbers you don’t recognize. If you suspect you may be a victim of a callback phishing scam, hang up and call your bank or service provider directly to verify any suspicious activity.

Toyota T-Connect Database Exposed

On October 7, 2022, Toyota Motor Corporation made an announcement that the personal information of approximately 296,000 consumers had been compromised.

The Toyota T-Connect system enables owners of Toyota automobiles to link their cell phones to their vehicles. By doing so, users can monitor the status of their engines, listen to music, navigate, and track fuel consumption.

Recently, Toyota discovered that a source code section was published on GitHub. Included in the source code were access keys to the T-Connect data server.

Anyone possessing these keys could gain access to the T-Connect data server. The data server stores customers’ email addresses when they register through the T-Connect application. Due to this, unauthorized third parties could access the records of customers between December 2017 and September 2022.

The database keys were updated on September 17, 2022, to prevent any other unauthorized access.
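Both the Toyota incident above and the Dropbox incident earlier in this digest share a root cause: credentials committed to a source repository. A common defensive control is a pre-commit or CI secret scanner that refuses to accept lines that look like hard-coded keys. The following is an added example of such a scanner, not Toyota’s, Dropbox’s or GitHub’s own tooling; it combines a few fixed-format token patterns with an entropy check on values assigned to credential-like variable names. The sample source lines, variable names and key values are constructed for illustration (the AWS key shown is AWS’s published documentation example).

```python
"""Minimal secret scanner for source lines (added example, not vendor tooling).

Flags lines that look like hard-coded credentials:
  * fixed-format tokens that can be matched by shape alone,
  * private-key PEM headers,
  * an assignment to a credential-like variable name whose value is long
    and high-entropy (random keys score ~4+ bits/char, English words ~3).
"""
import math
import re
from collections import Counter

# Assignment of a quoted value (8+ chars) to a credential-like variable name.
# Group 3 is the value; groups 1-2 are the name and an inner optional group.
SECRET_NAME = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|passw(or)?d|access[_-]?key)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)
# Tokens with a well-known fixed format (no entropy analysis needed).
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
PEM_HEADER = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")

# Values that are obviously placeholders or templated references, not secrets.
PLACEHOLDER_PREFIXES = ("changeme", "example", "${", "<")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Never echo the full secret into scanner output or CI logs."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_lines(lines, entropy_threshold: float = 3.5):
    """Return a list of (line_number, reason, redacted_value) findings."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for reason, pattern in KNOWN_FORMATS.items():
            for m in pattern.finditer(line):
                findings.append((lineno, reason, redact(m.group(0))))
        if PEM_HEADER.search(line):
            findings.append((lineno, "private_key_material", "-----BEGIN ... PRIVATE KEY-----"))
        m = SECRET_NAME.search(line)
        if m:
            value = m.group(3)
            if (shannon_entropy(value) >= entropy_threshold
                    and not value.lower().startswith(PLACEHOLDER_PREFIXES)):
                findings.append((lineno, "high_entropy_secret", redact(value)))
    return findings


# Constructed sample: a config module as it might be committed by mistake.
SAMPLE_SOURCE = [
    'DB_HOST = "tconnect-db.example.internal"',       # hostname, not a secret
    'API_KEY = "placeholder"',                         # low entropy: ignored
    'API_KEY = "q8Zt2vL0xK9mPw4RfH7yB1nC3dE6gJ5s"',   # constructed fake key: flagged
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"',     # AWS docs example key: flagged by format
    'password = "${DB_PASSWORD}"',                    # templated reference: ignored
]

if __name__ == "__main__":
    for lineno, reason, shown in scan_lines(SAMPLE_SOURCE):
        print(f"line {lineno}: {reason} ({shown})")
```

Wire `scan_lines` over `git diff --cached` output in a pre-commit hook and fail the commit on any finding; the entropy threshold and placeholder list are the knobs to tune for false positives. Rotating a leaked key, as Toyota did, remains necessary regardless: once a secret has been pushed, scanning only stops the next one.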

The compromised information did not include the consumers’ personal information, such as their names, credit card numbers, or phone numbers.

In addition, Toyota issued an apology for any inconvenience caused by the improper handling of customer information and stated that a subcontractor was responsible for the mistake.

There are no indications that data has been misused. However, the Japanese automobile manufacturer cannot rule out the possibility of the information being accessed and stolen.

T-Connect users enrolled between July 2017 and September 2022 are cautioned to avoid accepting email attachments from unknown senders. Threat actors may attempt to commit phishing attacks by posing as Toyota officials.

Microsoft 365 Accounts Targeted In New BEC Scam

Recently, researchers at Mitiga have sounded the alarm about a new Business Email Compromise (BEC) campaign. They discovered evidence of the campaign while responding to another incident and have watched it grow in scope and scale over time.

Here’s how the attack works:

The individual targeted by the campaign receives an email that appears to be from a bank and explains that the corporate account they usually send payments to has been frozen while a financial audit is underway.

In the meantime, the email explains that if the target needs to send payments, they can follow the instructions below the message.

The instructions appear to be inside a document behind a DocuSign wall, which is a contract management platform used widely in the corporate world.

To access the instructions, a potential victim needs to press the “Review Documents” button, which hands the victim off to a website controlled by the hackers.

These websites typically have names that appear to be legitimate companies the victim is familiar with, but a careful review of the URL will reveal an intentional typo, which gave rise to the term “typosquatting” to describe this very phenomenon.

On this page, the victim is asked to log into the Windows domain. If they do so, they inadvertently hand the attackers their Microsoft 365 account details, which can be used later for any nefarious purpose the hackers desire.
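The “careful review of the URL” step above is something mail gateways and security awareness tooling can automate. The following is an added example, not part of Mitiga’s research or any vendor product: given a link and a list of domains the organisation trusts, it reports whether the link’s registrable domain is exactly trusted, a near miss of a trusted domain (a typo within a small edit distance, or a look-alike built from confusable characters), or simply unknown. It also shows that prefixing a trusted name as a subdomain of an attacker-controlled domain does not make the link trusted. The trusted list and URLs are constructed; the two-label registrable-domain rule is a simplification (a real deployment would consult the public suffix list).

```python
"""Look-alike domain check for links in email (added example, not vendor tooling)."""
from urllib.parse import urlsplit

# Characters and digraphs commonly swapped in to imitate a legitimate domain.
# Heuristic: legitimate names containing digits will also be normalised.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def registrable_domain(url: str) -> str:
    """Lower-cased, IDNA-decoded host reduced to its last two labels.
    Assumption: a two-label registrable domain such as example.com."""
    host = (urlsplit(url).hostname or "").lower()
    try:
        host = host.encode("ascii").decode("idna")  # reveal punycode look-alikes
    except UnicodeError:
        pass
    return ".".join(host.split(".")[-2:])


def normalize_confusables(name: str) -> str:
    for bad, good in CONFUSABLES.items():
        name = name.replace(bad, good)
    return name


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), iterative DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(url: str, trusted, max_distance: int = 2):
    """Return (verdict, detail): verdict is 'trusted', 'lookalike' or 'unknown'."""
    domain = registrable_domain(url)
    if domain in trusted:
        return "trusted", domain
    name = normalize_confusables(domain.split(".")[0])
    for t in trusted:
        t_name = t.split(".")[0]
        if name == t_name or edit_distance(name, t_name) <= max_distance:
            return "lookalike", f"{domain} resembles {t}"
    return "unknown", domain


# Constructed trusted list and sample links, as they might appear in a BEC lure.
TRUSTED = ["docusign.com", "example-bank.com"]
SAMPLE_LINKS = [
    "https://www.docusign.com/review",               # genuine
    "https://docusing.com/review",                   # transposed letters
    "https://d0cusign.com/review",                   # digit zero for letter o
    "https://exarnple-bank.com/login",               # 'rn' imitating 'm'
    "https://docusign.com.secure-review.net/docs",   # trusted name as a subdomain
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", assess_link(link, TRUSTED))
```

The subdomain case comes back as “unknown” rather than “lookalike”, which is the right outcome for a block-or-warn policy: anything that is not exactly trusted should not receive a corporate login. A Windows-domain login prompt reached from an email link is itself the signal to stop; the real Microsoft 365 sign-in lives on Microsoft’s own domains, which belong on the trusted list.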

On the face of it, this may not seem terribly convincing, but the hackers employ several tricks to make it seem completely legitimate. Chief among these is the fact that the hackers hijack existing email threads and interrupt them. So to a reader who’s not paying close attention, the instructions seem to come from someone the victim is having an ongoing conversation with.

So far, the campaign has been devastatingly effective, so keep your guard up. You don’t want to become their next victim.

New Phishing Service Is Targeting Banks

Hackers are increasingly adopting practices that legitimate business owners will immediately recognize.

Recently, a new PhaaS (Phishing as a Service) operation has surfaced that specifically targets major banks. These banks include Bank of America, Wells Fargo, Citibank, Capital One, PNC, US Bank, Lloyds Bank, Santander, and the Commonwealth Bank of Australia.

Snarkily named “Robin Banks,” the service also offers templates to steal T-Mobile, Netflix, Google, and Microsoft accounts.

The group was unearthed by analysts from IronNet, whose evidence indicates that the group has been active since at least March of this year (2022).

Even though the group hasn’t been active for terribly long, they’ve already made quite a name for themselves for their high-quality phishing pages that target customers of the organizations mentioned above.

The group offers two pricing tiers to those who wish to engage its services. The budget option is just fifty dollars a month and offers a single page and 24/7 support. The deluxe package is available for $200 a month and gives customers unlimited access to the templates, along with 24/7 support.

The service even offers a professionally designed dashboard. This allows the threat actors who hire them to keep an eye on every aspect of their illicit operation, create and manage pages built from the offered templates, manage wallets, and use a variety of other advanced tools, including reCAPTCHA services to thwart bots.

If you’re in any way associated with information security, the details above should alarm you. Robin Banks has seen its popularity on the Dark Web explode. What’s perhaps most disturbing about the service it offers is that, increasingly, hackers don’t need a broad or deep skillset to set up an effective phishing campaign. The service does all the hard work for them.

Unfortunately, that means that IT Security just got a whole lot harder.  Stay vigilant out there.