Spam Email Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/spam-email/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Sat, 13 Jan 2024 23:43:07 +0000

Water Curupira Hackers Spread PikaBot in Email Spam
https://gridinsoft.com/blogs/water-curupira-spreads-pikabot-email-spam/
Thu, 11 Jan 2024 19:46:24 +0000

The notorious group known as Water Curupira has unleashed a new wave of threats through its malware, Pikabot. The campaign, spread primarily through email spam, marks an alarming escalation in cyber attacks: it targets unsuspecting victims with deceptive emails, leading to unauthorized access and potential data breaches.

Water Curupira’s Email Spam Campaigns

Water Curupira, one of the known operators behind Pikabot, has been instrumental in various campaigns. Its primary aim is deploying backdoors such as Cobalt Strike, which end in Black Basta ransomware. Initially involved in DarkGate and IcedID spam campaigns, the group has since shifted its focus exclusively to Pikabot.

Pikabot’s Mechanism

Pikabot consists of two main components, a loader and a core module; this split is a distinguishing feature that enhances its malicious capabilities. Together they enable unauthorized remote access and execution of arbitrary commands through a connection with a command-and-control (C&C) server.


Pikabot's primary method of system infiltration is spam email carrying archive or PDF attachments. These emails are skillfully designed to imitate legitimate communication threads, using thread-hijacking techniques to increase the likelihood that recipients interact with malicious links or attachments. The attachments, either password-protected archives containing an IMG file or PDFs, are crafted to deploy the Pikabot payload.

System Impact

Once inside the target system, Pikabot demonstrates a complex and multi-layered infection process. It employs obfuscated JavaScript and a series of conditional execution commands, coupled with repeated attempts to download the payload from external sources. The core module of Pikabot is tasked with collecting detailed information about the system, encrypting this data, and transmitting it to a C&C server for potential use in further malicious activities.

Another layer of Pikabot's malicious functionality is its ability to serve as a loader/dropper. The malware uses several classic techniques, such as DLL hooking and shellcode injection, and it is also capable of launching executable files directly, which suits certain attack cases. Among other payloads, Pikabot is particularly known for spreading the Cobalt Strike backdoor.

Recommendations

To protect yourself against threats like Pikabot, which is spread by Water Curupira through email spam, here are some key recommendations:

  • Always hover over links to see where they lead before clicking.
  • Be cautious of unfamiliar email addresses, mismatches in email and sender names, and spoofed company emails.
  • For emails claiming to be from legitimate companies, verify both the sender’s identity and the email content before interacting with any links or downloading attachments.
  • Keep your operating system and all software updated with the latest security patches.
  • Consistently back up important data to an external, secure location, so that you can restore information in case of a cyber attack.
  • Educate yourself and your company. Keep up to date with the latest cyber news to stay ahead of the curve.

SMTP Smuggling is a New Threat to Email Security
https://gridinsoft.com/blogs/smtp-smuggling-technique/
Fri, 05 Jan 2024 20:16:55 +0000

A new SMTP smuggling technique reportedly has the potential to bypass existing email security checks and enable attackers to send spoofed emails from seemingly legitimate addresses. This may breathe new life into email spam, even though its efficiency has not declined lately.

What is SMTP Smuggling?

SMTP smuggling is a novel exploitation technique that abuses SMTP, the protocol used globally for sending email since the early days of the Internet. It takes advantage of differences in how outbound and inbound SMTP servers interpret the end-of-data sequence, which allows attackers to insert arbitrary SMTP commands and potentially send separate emails.

Potential end-of-data sequence between START and END

The core of SMTP smuggling lies in the discrepancies between how different servers handle the end-of-data sequence (<CR><LF>.<CR><LF>). By exploiting these differences, attackers can break out of the standard message data and smuggle in unauthorized commands. The technique requires the inbound server to accept multiple SMTP commands in a batch, a feature commonly supported by most servers today.
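The following Python snippet is an added example, not code from the original post: it shows how an outbound server can spot end-of-data lookalikes (a lone "." framed by bare LF, bare CR or mixed line breaks) in a DATA payload, and how canonicalising every line break to CRLF plus dot-stuffing, the RFC 5321 rule, neutralises them before relaying. The sample payload is constructed for this example.

```python
import re

# Every line-break variant a client might send. Order matters: CRLF must be
# tried before the bare CR and bare LF alternatives.
_ANY_BREAK = re.compile(rb"\r\n|\r|\n")

# A lone "." preceded by any line break and followed (lookahead) by any line
# break. Only b"\r\n.\r\n" is the RFC 5321 end-of-data; every other variant is
# a lookalike that a lenient inbound server may accept as the terminator.
_TERMINATOR_LOOKALIKE = re.compile(rb"(\r\n|\r|\n)\.(?=(\r\n|\r|\n))")

STRICT_TERMINATOR = b"\r\n.\r\n"


def find_ambiguous_terminators(data: bytes) -> list:
    """Return (offset, sequence) for each non-standard end-of-data lookalike.

    `data` is the DATA-phase payload as received from the client, without the
    client's real terminator. A clean message returns an empty list.
    """
    hits = []
    # A "." on the very first line has no preceding break inside `data`;
    # the DATA command's own CRLF precedes it on the wire, so check it too.
    first = re.match(rb"\.(\r\n|\r|\n)", data)
    if first and first.group(1) != b"\r\n":
        hits.append((0, first.group(0)))
    for m in _TERMINATOR_LOOKALIKE.finditer(data):
        seq = m.group(0) + m.group(2)
        if seq != STRICT_TERMINATOR:
            hits.append((m.start(), seq))
    return hits


def normalize_for_relay(message: bytes) -> bytes:
    """Canonicalise every line break to CRLF and dot-stuff lines starting with ".".

    `message` is the un-stuffed message content the outbound server accepted.
    After this transform the wire form contains no bare CR/LF and no lone "."
    line, so an inbound server cannot find a lookalike terminator in it: a
    smuggled "." line travels as ".." and is un-stuffed back to plain content.
    """
    lines = _ANY_BREAK.split(message)
    stuffed = [b"." + ln if ln.startswith(b".") else ln for ln in lines]
    return b"\r\n".join(stuffed)


# Constructed DATA payload: a harmless message body followed by a lookalike
# terminator and a second envelope command. Not captured from real traffic.
SAMPLE_DATA = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: hello\r\n"
    b"\r\n"
    b"first message\n.\n"
    b"MAIL FROM:<ceo@example.com>\r\n"
)


if __name__ == "__main__":
    for off, seq in find_ambiguous_terminators(SAMPLE_DATA):
        print(f"lookalike terminator {seq!r} at byte {off}")
    # The relayed form carries '..' instead of the lone '.' and only CRLF breaks.
    print(normalize_for_relay(SAMPLE_DATA))
```

A hardened outbound server would either reject a payload for which `find_ambiguous_terminators` is non-empty or relay only the `normalize_for_relay` output.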

In-depth research into this vulnerability has revealed that SMTP servers of prominent email providers like Microsoft, GMX, and Cisco are susceptible to this exploit. While Microsoft and GMX have addressed these issues, Cisco has categorized the findings as a feature rather than a vulnerability, choosing not to alter the default configuration. Consequently, SMTP smuggling remains possible in Cisco Secure Email instances under default settings. Subsequently, the vulnerability was also identified in Microsoft’s Outlook SMTP server, further expanding the threat landscape.

What is the danger of SMTP vulnerability?

The implications of SMTP smuggling are far-reaching and alarming. Attackers can use this method to send forged emails that appear to be from credible sources, thereby circumventing checks designed to authenticate incoming messages, such as DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC), and Sender Policy Framework (SPF).

In simple words, this trick lets fraudsters reach corporate inboxes that were not receiving any spam before. Sure, the companies that opted for these authentication checks are most likely aware of the dangers and have other protection methods running. But the very fact that they, too, are exposed creates a much bigger risk of cyberattacks.

Mitigating the effects of the vulnerability

To mitigate the risks posed by SMTP smuggling, experts recommend several best practices. For Cisco users, changing the setting from “Clean” to “Allow” is advised, to avoid receiving spoofed emails that pass DMARC checks. Additionally, all email service providers and users should remain vigilant, regularly updating their systems and staying informed about the latest security developments.

Regularly monitor for unusual server activity and review security logs to detect potential breaches. Educate users about phishing and encourage skepticism about emails from unknown senders. Finally, consider consulting with cybersecurity professionals for advanced protective measures tailored to your specific infrastructure.

QakBot is Back With a New Email Spam Campaign
https://gridinsoft.com/blogs/qakbot-is-back/
Sat, 16 Dec 2023 10:24:45 +0000

QakBot appears to be back online after its network was dismantled in Operation Duck Hunt. The Microsoft Threat Intelligence team reports a new, low-volume email spam campaign that spreads the infamous malware.

QakBot Comeback – Is It Real?

On December 16, 2023, the Microsoft Threat Intelligence team shared part of their observations on X. It appears that a new email spam campaign, started on December 11, spreads the good old QakBot. Hackers disguised the message as a notification from an IRS employee and attached a PDF file to it. The quality of the spam email inspires confidence, so victims readily move on to the next stages of the scam.

Pseudo IRS email that spreads QakBot

The attached PDF is, in fact, the malware delivery point. Instead of the expected document, the victim sees a page that reports a preview error and asks them to download and install Adobe Acrobat. The link offered for downloading Acrobat leads to a download page serving a signed .msi file, which, as you may already have guessed, is the malware body.

Offer to download Adobe Acrobat Reader (in fact, a QakBot payload)

Details uncovered by Microsoft researchers clearly show that this is not a reuse of an old QakBot sample, but a completely new generation. The campaign name, the version number and the timestamp on the sample all point to a new round of QakBot.

What is QakBot?

For over a decade, QakBot, a.k.a. QBot, has remained a severe hazard for both individual users and companies. It emerged in 2007 and was originally categorized as a worm/banking trojan. Over time it received extensive updates that made it more capable in its original role and added new features. One in particular, loader functionality, dramatically changed this malware’s future.

Ever since it gained the ability to deliver payloads, QakBot has been a beloved tool for initial access and malware delivery in numerous attacks. Its use in attacks by Russian state-sponsored hackers also explains its resilience and persistence. But all streaks are made to be broken, and the FBI showed exactly that in late August 2023. By taking down the entire botnet, except for the Tier 1 C2 servers, law enforcement halted QBot activity for 4 months. Until now, it seems.

How to protect against QakBot?

As I’ve shown above, the main way this malware spreads is email spam. It was the main option before the takedown and remains so today. There is plenty of advice on avoiding malicious emails, but let me share a few tips specific to the targeted spam QakBot usually uses.

Avoid files you did not expect to receive. The main thing hackers rely on is people’s lack of attention to detail. Do you expect someone from the IRS to contact you with “client’s information”? Are you waiting for a colleague to send you a strange spreadsheet from the wrong email address? Question yourself each time you face something like this, and the chances of infection will go down dramatically.

Never interact with the contents of unknown files. This continues the previous advice, though it applies to files from any source. MS Office files that ask you to enable macros, PDFs with links that lead to malware downloads: there are plenty of options. When you are not sure whether a file is benign, avoid clicking any interactive content, both inside it and related to it.

Employ email protection solutions. The extensive use of email for malware spreading gave birth to an entire class of security solutions that specialize in securing inboxes. By scanning message properties, attachments, and even the text body, they determine whether it is safe to work with the file.

Use reliable anti-malware software. This solution is reactive, in contrast to the proactive ones named above, but it should still serve as a goalkeeper: when all other systems fail, something should protect you. QakBot is not magical, so a well-made anti-malware engine should detect it right away. GridinSoft Anti-Malware is one you can rely on for this task.

Credentials Theft is On The Rise
https://gridinsoft.com/blogs/credentials-theft-is-on-the-rise/
Wed, 21 Jun 2023 09:47:16 +0000

Email spam has long been the prevalent vehicle for phishing and malware spreading. Among these attacks, credentials theft remains the most common type, even though it is not the most profitable. Nowadays, these attacks have acquired another target: compromising business accounts. But how do they work? And how can you protect against credentials theft? Let’s go through it one step at a time.

What is credentials theft?

Credentials theft largely speaks for itself, but in the context of email spam, things are not that straightforward. Being a subcategory of phishing, credentials theft relies on a spoofed website that contains a login form. Aside from replicating the design of the login form, hackers try to create a convincing message that pushes the victim to follow the link. The justification may vary: such a message may ask you to join an online meeting or submit your vacation dates, anything that looks natural. Once the victim types their credentials into the form and presses the login button, the hackers receive all the data. Still, it is not as easy as you may think.

Example of a scam claiming that a hotel booking was cancelled. Following the link opens a phishing copy of a login page.

One particular vector of credentials theft that has become exceptionally popular over the last year targets business emails. As you may guess, compromising a personal email is not that profitable, even though it is still prevalent among credential theft attacks. By stealing business emails or accounts, hackers open new, more effective attack vectors, such as spear phishing and whaling. Nonetheless, compromised business accounts are rarely used by the same crooks who perform the theft. Instead, such data is sold on the Darknet, bundled into databases of compromised accounts, for a hefty sum.

Modern Credentials Theft Methods

Customising the emails to fit the current agenda and baiting the user into following the link: none of this has changed much since email spam was first used for credential theft. The same cannot be said of the way hackers extract the credentials from the spoofed login form. As I’ve mentioned, extracting the data is not just about “click the button – send the creds”. In fact, things have taken an unexpected twist.

Earlier iteration of the credentials extraction mechanism

The popular way of the past to send the data to the server, a PHP script hosted on the site, is quite easy to block. Most network security applications now block this kind of data transfer, as it is considered unsafe even when no malicious intent is suspected. The newer approach, using Telegram Messenger’s API, is quite easy to block as well. To avoid blocks by advanced security solutions, hackers started using the API of a legitimate mailing service, EmailJS.

The EmailJS API allows automated email sending using only the service credentials and client-side code. It is quite convenient for sending predefined templated emails. However, some hackers used the API to send the data from the login form on the compromised site directly to their own mailbox. Since the service is recognized as legitimate and is used fairly often, blocking it outright is not an option. Meanwhile, hackers keep receiving stolen credentials without a hitch.

Method of credentials theft using the EmailJS API

Dangers of Credential Theft

Obviously, sharing access to your email account with a third party is a pretty bad situation. Things become even worse when we talk about compromised business emails, and they are targeted quite often, as I’ve already mentioned. Depending on the type of compromised account, its use may differ, though the tooling hackers apply to compromised accounts is the same in most cases.

Accounts of home users or ordinary employees are, ultimately, the least valuable. Hackers may use them to spread random spam. The efficiency of such mailings may still be slightly higher than with throwaway accounts, simply because the victim’s colleagues and relatives may take the bait, thinking the message is legitimate.

Accounts of high-ranking employees, local celebrities or even top executives are the most valuable. Such accounts are sometimes traded individually, with price tags of hundreds of dollars. These prices are justified, as the guise of such persons can bring hackers much bigger returns. In this case, more sophisticated email messages are sent, often customised to the topic the recipient would expect from the sender.

Credential Theft Prevention Methods

Well, the question of preventing credential theft and providing suitable protection against it has existed for a long time. For that reason, I will not repeat trivial advice like “change passwords” or “don’t follow phishing links”. Instead, I’ll try to give less popular yet effective tips.

Use email protection tools. There are plenty of them, though these solutions are usually distributed as add-ons to stand-alone anti-malware software. Such tools monitor all attached elements, both links and files, to detect whether they contain anything malicious. The problem is that such add-ons are mostly available only with corporate security solutions.

Another approach to decreasing the probability of successful phishing is using network security tools. In particular, NDR solutions can effectively detect and weed out potentially dangerous traffic. Those that apply zero-trust principles and can deal with the misuse of the aforementioned API are preferred. Overall, NDRs are recommended for large networks, which may be troublesome to control with less advanced tools.

For single users: use anti-malware programs with an advanced network filter. Detecting phishing pages like the ones used in credentials theft is not easy to do manually, so it is better to leave it to specialised security software. GridinSoft Anti-Malware offers such functionality: its network filter is updated every hour, so it won’t miss any malicious sites.

Beware of Vacation-Related Scams: 4 Most Prevalent Types
https://gridinsoft.com/blogs/vacation-related-scams/
Fri, 09 Jun 2023 16:07:09 +0000

Email scam actors constantly try to pick a better disguise for their fraudulent messages. Summer, the time when people commonly plan to take a break from their jobs and travel, gives scammers a wide range of opportunities. Vacation-related email scams will likely be on the rise over the next several months; read on to learn what to expect from fraudsters.

Vacation-related scams – what are they?

First, let me point out some general details of these scams. Cybercriminals use topics related to summer vacations to lure out personal information, credentials, or banking details. Since vacation planning is typical for most people, the chance of blindly hitting someone without any additional data is high. That said, hackers rarely perform blind spamming, preferring to have at least a somewhat relevant selection of targets. Moreover, people commonly have their attention distracted and their vigilance lulled by the relaxed mood of pre-vacation days.

In these attacks, crooks generally try to reach their victims by email, though nothing stops them from switching to SMS or even phone calls. The key point is forcing the victim to follow a link or open a file sent via email or any other channel. The link leads to a phishing site where all the action starts. While the methods of these attacks are not unique, the types of disguise may be quite unusual, which makes them even harder to detect.

Examples of Vacation-Related Scams

As I’ve just mentioned, hackers may pick pretty unusual disguises for vacation-related scams. From more common things like posing as a support manager of a booking service, they can switch to whaling attacks and even use compromised business email accounts. Let’s have a look at each one specifically.

1. Your Booking is Cancelled

What can be worse than having your hotel or apartment booking cancelled just before your arrival? That is frightening and disrupts the entire vacation, so the target will likely hasten to respond or follow the instructions. To look more legitimate, scammers may pose as the establishment where the victim has booked a room. After gaining trust, crooks will promptly ask for anything, but most commonly it is money to re-book another room. They can make up any story about why it is not possible to pay for the room at the front desk after arrival, and the victim will likely take the bait.

Example of a scam claiming that a hotel booking was cancelled

When scammers pose as a booking platform, their targets are different: your personal information and credentials. To get this information, crooks put a “sorry card” link at the bottom of the email, which promises a significant discount. This link, however, leads to a fraudulent copy of the service’s website, which asks you “to log in to redeem the discount”. Everything you type becomes visible to the hackers, so this is the easiest way to say goodbye to your account.

2. Your Flight is Delayed/Cancelled

Probably an even worse scenario than a cancelled hotel booking is a cancelled or delayed flight. Finding where to stay when you are already on the spot is bearable, at least easier to bear than burning a day or two of your vacation. As in the case of a cancelled booking, fraudsters will offer to sell you tickets for a replacement flight through a link. A refund for the previous one is promised within three days, which is typical for genuine refunds. But, as you may suppose, neither the refund nor the “replacement flight” will ever happen.

Flight cancellation scam example

There are also cases where the fraudulent message simply asks you to choose another flight and offers a link to a flight booking page. This page, however, is yet another phishing copy, though it does not try to take your money directly. Booking a flight always involves sharing quite a bit of information, including your real name, passport number, email address, and so forth. In rare cases, both scams are combined: after giving out all your personal details, you will see a checkout window. That is, you guessed it, a counterfeit of a genuine payment page. It won’t charge you, but will instead collect your banking card details.

3. Confirm Your Vacation Dates (HR Department Scam)

This is a fairly unusual direction of attack, with increased chances of success. Instead of creating urgency around an upcoming trip, crooks lend importance to the action by posing as HR department representatives. In the message, the victim is asked to specify their desired vacation dates in a special form, available via a link. This is a common occurrence in large companies, where HR tries to balance the number of people on vacation at the same time. With such a trustworthy disguise, crooks wait for the victim to open the link and log in with their work email. In particular, hackers hunt for Microsoft accounts, as they often contain a wide range of supplementary data. Moreover, these accounts are widely used for business purposes, so compromising one opens even more possibilities.

Some variants of this email scam offer to download a file “with the vacation schedule” and send back the preferred dates. The file, most often an .xlsx spreadsheet, contains a malicious macro that tries to execute as soon as you open the file. This macro downloads and launches malware, most often spyware or a backdoor. It will grab whatever sensitive information you have and potentially expose your system to other threats. Attacks via documents with malicious macros are exceptionally popular as an initial access vector. If this happens on a corporate PC, hackers will try to infiltrate all systems in the company one by one; data scraped from previously compromised systems is a great basis for lateral movement.

4. Trip Price Compensation

Isn’t it amazing to get part of the money you spent on your trip back? Well, it sounds miraculous, and it is: no one provides any compensation for trips. Dubious emails that ask you to follow a link or call back to provide some details may pose as representatives of your company, your bank, or the booking service you used. In the course of this phishing, crooks try to make you share personal information, particularly your name, email, phone number, and banking details. After collecting all this, the scoundrels disappear. This type of attack is rare, as it requires scam actors to spend time communicating with victims.

How to Protect Yourself Against Vacation-Related Scams?

Well, the popularity of phishing and scam emails has led to a huge number of countermeasures. Some suit corporations and some are more effective for home users; let’s look at the best approaches from both categories. Vacation-related scams do not differ from other types, so all of this advice remains valid.

Train your employees to detect spam emails. Actually, this is useful for both individual users and those in organizations. There are a few signs hackers can never counterfeit, even when they use a compromised business email. In the more common cases, hackers will have an email address different from the one typically used by the organization they mimic. You can find the genuine address(es) by checking previous emails or visiting the official page.

Use CDR systems. Content Disarm and Reconstruction, or CDR, is a type of auxiliary security system designed specifically to prevent malware injection via active content in documents. Wherever the files come from, CDR analyzes them and excises potentially dangerous elements, so you can open a safe document. However, it cannot protect against malicious content reached via a link embedded in the message.

Use email protection tools. To counter email-based attacks, security vendors designed add-ons for regular antivirus programs. With them, the antivirus can scan the contents of emails, particularly attached files and links, relying on its normal functionality. This ensures that nothing slips through and, unlike the aforementioned CDR, it protects against phishing links.

Have reliable anti-malware software on board. That is, obviously, step #0 of any cybersecurity effort. Even without email protection functionality, a properly made antivirus will effectively block malicious macros and prevent phishing pages from opening. GridinSoft Anti-Malware offers all the needed functionality and perfectly fits home users; consider trying it out.

What is Business Email Compromise (BEC) Attack?
https://gridinsoft.com/blogs/what-is-business-email-compromise/
Thu, 01 Jun 2023 20:07:33 +0000

A business email compromise attack, or BEC for short, is a relatively new vector of cyberattacks. Besides the primary damage of exposing potentially sensitive information, it gives hackers the opportunity to use the email account for further attacks. The potential efficiency of these attacks is alarming, and cybercriminals already use them to conduct chain attacks. Let’s establish a precise definition of business email compromise, how these attacks work, and how to counter them.

What is a business email compromise?

The term “business email compromise” largely speaks for itself. It is an attack in which an adversary gains access to one or several email accounts used by a company for business purposes. In this attack, hackers may take over both personal business accounts and ones that represent the company. The former are mostly used for whaling attacks, while the latter are more useful for external messages. Most often, after compromising the account, hackers change the password so the company can no longer control it.

Business email compromise scheme

Having control over a corporate email account opens a lot of opportunities. Not only does it give the ability to impersonate the company in any conversation, it also allows one to read past conversations. And while routine mailing to clients or counterparties may be boring and of little interest, letters regarding upcoming products, plans and the financial situation are a completely different thing. The outcome of a leak of such information is worrying at best.

Business Email Compromise Tools

There are not many ways to gain access to a business email account. Most often, getting the login and password is a task for a malicious program that is injected into a target computer. Most of the time, there is no aim at anything in particular: as soon as hackers get an account, they put it to use right away. But there are cases where a specific computer is compromised intentionally. In such situations, deep reconnaissance or even an insider is used.

The malware type that suits BEC purposes is obvious: spyware/stealer malware. These two are mostly identical nowadays, despite their nominally different classification. Spyware or stealers aim at grabbing all login credentials or session tokens they can reach. Some of them, the best choices for BEC as you may suppose, additionally target email clients. Those samples not only take the email credentials, they also dump the contact book, making the further work of cybercriminals much easier.

The actions that follow the password compromise depend on how much access to the network (and the particular computer) the hackers have. The most obvious way to use the compromised email is to log into it from a computer the hackers have direct access to. However, that may expose their IP address and even trigger an alarm if the email service’s security system tracks device properties. To avoid this, crooks commonly deploy additional malware that provides remote access to the needed system. The most common choices for that purpose are backdoors or remote access trojans (RATs). Aside from providing remote access, such malware can tamper with system settings and processes, so all the malicious actions remain invisible to the machine owner.
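The alarm mentioned above (a login from a source the account has never used) and the password change that usually follows a takeover can be correlated in a few lines. The Python below is an added example, not Gridinsoft’s code; the log format, field names, constructed sample lines and the one-login baseline rule are assumptions made for the illustration.

```python
# Added example (not Gridinsoft code): flag mailbox logins that look like a
# business email compromise, using constructed audit-log lines.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, account, event, source IP, device label.
# The format is an assumption for this example, not a real product's schema.
SAMPLE_LOG = """\
2023-06-01T08:02:11 alice@example.com LOGIN 203.0.113.10 win10-laptop
2023-06-01T08:40:03 alice@example.com LOGIN 203.0.113.10 win10-laptop
2023-06-01T09:15:27 bob@example.com LOGIN 203.0.113.22 macbook
2023-06-01T21:05:44 alice@example.com LOGIN 198.51.100.77 unknown-linux
2023-06-01T21:09:30 alice@example.com PASSWORD_CHANGE 198.51.100.77 unknown-linux
2023-06-02T09:01:00 bob@example.com LOGIN 203.0.113.22 macbook
"""

# A password change this soon after a login from an unseen source is escalated.
PASSWORD_CHANGE_WINDOW = timedelta(minutes=30)


def parse_log(text):
    """Turn the whitespace-separated sample lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, event, ip, device = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "account": account,
            "event": event,
            "ip": ip,
            "device": device,
        })
    return events


def detect_bec(events, baseline_logins=1):
    """Return alerts for logins from unseen sources and follow-up password changes.

    Each account's first `baseline_logins` logins are treated as the known-good
    baseline (an assumption to keep the example self-contained; a real system
    would learn over a longer period).
    """
    known = defaultdict(set)        # account -> {(ip, device), ...}
    seen_logins = defaultdict(int)  # account -> number of logins processed
    suspicious_login = {}           # account -> time of last unseen-source login
    alerts = []

    for ev in sorted(events, key=lambda e: e["time"]):
        acct = ev["account"]
        source = (ev["ip"], ev["device"])
        if ev["event"] == "LOGIN":
            if seen_logins[acct] < baseline_logins:
                known[acct].add(source)
                seen_logins[acct] += 1
                continue
            seen_logins[acct] += 1
            if source not in known[acct]:
                suspicious_login[acct] = ev["time"]
                alerts.append({
                    "severity": "medium",
                    "account": acct,
                    "reason": f"login from unseen source {ev['ip']} ({ev['device']})",
                })
        elif ev["event"] == "PASSWORD_CHANGE":
            last = suspicious_login.get(acct)
            if last is not None and ev["time"] - last <= PASSWORD_CHANGE_WINDOW:
                alerts.append({
                    "severity": "high",
                    "account": acct,
                    "reason": "password changed shortly after login from unseen source",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_bec(parse_log(SAMPLE_LOG)):
        print(alert["severity"], alert["account"], alert["reason"])
```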

Applications for compromised business email

Once the crooks manage to log into the account, the most interesting part of the action begins. I’ve mentioned a couple of possible ways hackers may use a compromised business email. All of them are much more complex than they look, and may include several sub-variants. Let’s have a look at each one.

Spear phishing

The combination of access to past emails and the ability to send new ones opens a new attack vector. When crooks aim at spear phishing, they try to act in a stealthier manner, since changing the password would reveal the compromise immediately. A successful spear phishing attempt can provide hackers with a series of other compromised emails, infected devices, or compromised bank accounts. Because of its efficiency, hackers prefer spear phishing over other applications for a compromised business email.

Example of BEC attack that uses a hijacked tech support account

The key action fraudsters take is creating a trustworthy disguise, which is the main difference from classic email phishing. Having access to past emails, they can pick a topic that matches what victims are expecting, and use wording typical for the company. The turning point is a link to a login page or a similar place, a request for payment information, or the like. It leads where the hackers need, and people follow simply because they are not expecting a catch.

Impersonation

Using a compromised business email, hackers can impersonate the company in a pretty convincing manner. It is somewhat similar to spear phishing, but in this case, the emails contain nothing even closely related to the company’s typical matters. Impersonating the company, crooks may offer random people a malicious package to install or a phishing link to follow, or ask them to share personal information. Since such messages are anomalous for a business email, cases of such obvious spam raise suspicion pretty quickly. Despite that, the “conversion” of recipients into victims is still tremendous, so it may be a suitable option for scamming someone.

Whaling

Once they get access to the business email of a company’s top management, hackers can give orders to staff while pretending to be these executives. In a more classic variant of the whaling scam, however, crooks impersonate well-known people (or executives) without having such a powerful identity confirmation. Under this disguise, it is possible to create a mess before the business email compromise is uncovered. Asking for confidential reports, requesting internal-use-only documents, or simply disrupting the workflow with absurd orders: hackers are free to do any of this.

Example of whaling with the use of compromised business email

BEC Negative Effects

Based on the possible applications for a compromised business email, you can already guess its negative impact. The main damage here is to the image of the business. Even if you uncover the incident and report it, the stain is already on your reputation. Nonetheless, that is nothing compared to the very fact that the company was hacked.

Sure, large-scale damage and a leak of sensitive information are not always the case when it comes to BEC attacks. However, if you cannot handle business email properly, how bad will it be with more complicated things? An accident-prone company is less likely to win large contractors and, more importantly, risks suffering much more tangible (i.e. monetary) losses in the future.

How to protect against BEC?

BEC attacks have been around for quite a while, and for that reason, a lot of countermeasures have been created. They involve both applying auxiliary systems and improving cybersecurity within the corporate network with passive methods. However, all these methods are most effective only when applied together.

Specialised email security tools

Since email spam is a prevalent way to spread malware these days, this vector of protection obviously stands out. It is a fairly novel approach to protecting against phishing email threats. Actually, these are not separate solutions, but rather add-ons for full-fledged anti-malware software. Their key function is scanning incoming emails, specifically their attachments and links. This allows you to detect and dispose of a dangerous item before you can even interact with it.

Content disarm and reconstruction (CDR)

CDR is a toolkit that generally aims at securing the documents you interact with. If a document has active content in it, CDR will cut it out and give you only the static contents of the document. Some CDRs have a system that recognizes malicious code embedded in the document; such programs excise only those parts that trigger the detection. These solutions sharply decrease the possibility of malware injection via email, but they do not remove the hazard completely.

Security tools

To be sure that no malicious items are running in the system, it is better to have a dedicated tool. Preventive protection may malfunction, or the threat can simply slip through another way. Properly designed anti-malware software will not let that happen. For securing a personal device you use for business communication, GridinSoft Anti-Malware is a good fit. Security in corporate networks, however, should be provided by more extensive solutions, like EDR/XDR systems.

Personnel awareness

In organisations, especially large ones, each staff member is a potential attack surface. All the security measures described above lose much of their efficiency if there is such a huge attack surface outside their control. Your personnel should be aware of potential malware injection ways and ready to recognise them and react accordingly. Drills and attack simulations may also give a good boost to staff incident response readiness.

Binance US Ban Scams Incoming: What to Expect? https://gridinsoft.com/blogs/binance-us-ban-scams/ Thu, 30 Mar 2023 09:52:22 +0000

Recent events around Binance, one of the world’s largest cryptocurrency exchanges, sound threatening. The CFTC, the U.S. regulator of commodity futures trading, charged the company with allegations of violating numerous acts and regulations. This platform is used by a huge number of people, and any service outages or problems with wire outs as a result of this lawsuit may create mass panic. In fact, the community is already buzzing like a kicked beehive. Hackers never disdain using such a situation, so a wave of various scam approaches is expected, all with a single target: money.

What happened to Binance?

On March 27, 2023, Binance was charged by the Commodity Futures Trading Commission for consistently violating its regulations on preventing money laundering and terrorism financing. As the note released by the CFTC says, Binance employees were guided by the company’s CEO, Changpeng Zhao, to ignore the rules set by the CFTC. Those rules require verifying the real identity of customers in order to prevent fraud and subsequent laundering. That thesis is partially confirmed by the fact that throughout all of 2022, no suspicious activity reports were filed.

Defendants’ alleged willful evasion of U.S. law is at the core of the Commission’s complaint against Binance. The defendants’ own emails and chats reflect that Binance’s compliance efforts have been a sham and Binance deliberately chose – over and over – to place profits over following the law, — Gretchen Lowe, CFTC’s Enforcement Division Principal Deputy Director

Currently, Binance is in the midst of a huge scandal, which, however, has not disrupted its operations. Still, the trial is ongoing, and the situation may change in the future. If the evidence possessed by the accusing party is proven true, the platform may face serious consequences.

News regarding CFTC caused serious volatility in BNB (native Binance token).

First and foremost, regulators can ban Binance from the U.S., cutting off a significant portion of its money flow. That ban will likely forbid banks from processing transactions with the organisation. It will be painful, but not impossible to withstand, since the US share is not that big. However, if things get worse, US authorities will ask European banks to do the same. Cutting off over 50% of the user base in a single move is deadly for pretty much any company.

What to expect?

The scale of possible scams may easily exceed the similar outbreak that followed the SVB bankruptcy in early March. Hackers were sending emails pretending to be bank representatives or legal agents, offering their help in saving money held in the collapsed bank. This time, however, the vast majority of targets are regular folks, who are much less aware of scams. Moreover, such people are much more likely to interact with the emails they receive, and cybercriminals know that.

There is, however, a difference between the cases of SVB and Binance. Bankruptcy means a complete suspension of all operations: in simple words, you cannot get your money back. A ban in a certain country makes it troublesome, but not impossible. Still, this may be less obvious to people who are not so well acquainted with all the procedures. Moreover, most folks have no “plan B” for such a situation. That is the point crooks will exploit.

Malicious alternatives

Nature abhors a vacuum. If Binance is gone, there are a number of other platforms offering hot wallets and easy investments. But aside from well-known names, others will pop up, offering unbelievably good terms. And for sure, it is better to remain skeptical.

The classic scheme here is offering a service to people who fled Binance, taking their money and running off with it. These “alternatives” will likely be offered in advertisements all over the Internet, as well as on forums. Alternatively, crooks can run classic email spam campaigns, targeting the addresses from databases related to a breach that happened back in 2019.

Example of Binance scam email (illustrative)

Typically, users will be offered bonuses on deposit, tiny commissions per transaction, or even leverage for trading. The links, wherever they are placed, will lead to a freshly created website that has little to no information about the service. Instead, the site will be plastered with offers to create an account and top it up as soon as possible. Once done, you will never see your money again. The fraudsters may also harvest the personal information you share during registration.

Wireout help offers

This type of scam may be combined with the previous one, but requires contacting the victim. Crooks reach the victim via email, offering to migrate seamlessly to their platform. The message may also contain convincing statements about a partnership with Binance regarding its customers. Hackers may even impersonate a well-known exchange to lull your vigilance. However, the link they provide to proceed leads to the same poorly made website.

Typical example of a scam cryptoexchange website. This exact page had its URL changed 3 times.

At this point, things get more interesting. Instead of just taking your money, fraudsters can also ask for the addresses of your Binance hot wallet and cold wallet. This, in turn, exposes your identity even more, and may threaten the safety of your funds.

Pseudo-Binance mailings

What is the most classic example of an email scam? Email messages that pretend to come from a genuine company. Scams related to the SVB bankruptcy were generally of this sort, and now the story may repeat itself. Hackers will pretend to be the company that wants to help with wire outs or other operations. Alternatively, if nothing bad happens to Binance, the legend may switch to “insure your account” offers. This scam may take place on social media as well.

Fake support message with a phishing link (illustrative)

As usual, you are asked to log into your account by following the link in the message. But this link leads to a phishing copy of the Binance login page. This ends with losing access to your account, which is the last thing you need when the platform itself is in trouble.

What can I do?

First of all, this is just an attempt to predict upcoming cases. If nothing happens, great; pessimistic predictions are always good when they do not come true. However, the threat of malware and phishing scams via email is as real as ever. Following basic cybersecurity rules is the go-to advice for all cases.

Be suspicious of all the emails you receive. Check the email addresses and read the message body carefully: they can contain the signs that reveal an attempt to scam you. Hackers do their best to mimic the original messaging style of companies, but cannot reproduce all the details. Why do they call me “Dear user” instead of using my name? And why does the sender’s email resemble a single-use address registered on a quick email box service? Notice details this small, and any attempt to scam you will come to naught.

Watch social media messages. Using accounts that mimic the company’s, crooks can reach out to people with relevant-looking messages. We are used to sharing a lot of information about ourselves on social networks, thus it is not a hard question to find out whether you are using Binance or not. On Twitter, after the recent changes in its administration, it became even easier to counterfeit official accounts. Acting as support managers, crooks can easily deceive a huge number of people.

Do not trust links on the Internet. Wherever you find them, in emails or in someone’s forum post, they should not be trusted. They may look legitimate, but don’t be hasty with typing your credentials or other sensitive data. First, check the URL: if it contradicts the contents (e.g. 1281300913.weebly.com and a PayPal login page), close it immediately. Crooks are extremely good at copying login pages and setting up phishing traps for unsuspecting users.

Incoming Silicon Valley Bank Related Scams https://gridinsoft.com/blogs/incoming-silicon-valley-bank-scams/ Tue, 14 Mar 2023 21:14:51 +0000

Mind-bending global-scale events always attract a lot of attention. Newsmakers, politicians and simple rubbernecks pay a lot of attention to such loud events, and the recent Silicon Valley Bank meltdown is a perfect example. Scammers are no exception, as they have to be sharp and cunning to succeed in their outlaw activities. But how can they play around with that topic to fool someone? Let’s check it out together to be aware of possible SVB bankruptcy scams.

What happened?

The bankruptcy of Silicon Valley Bank happened on Friday, March 10, 2023, after a historically fast bank run. Over $40 billion in funds were withdrawn in just a couple of days, leading the bank to failure. Such a fast cycle of events confused even experienced analysts; needless to say, ordinary folks and startup founders are completely disoriented. Eventually, this incident has prompted crooks to try their luck and cash in by any available method, and there are several reasons for that:

  • Many companies and individuals working for companies will question how to pay emergency bills. Won’t there be any problems with payroll?
  • How to contact SVB now, what website to use, and what to expect generally?
  • Finally, this involves much money, which is bound to lead to many scams.

Unfortunately, scammers are sometimes savvier than you think. Therefore, if you work for or are connected in any way to SVB, you should keep your ears open; since, in most cases, this information is more or less publicly available, you will undoubtedly face targeted attacks from scammers. Moreover, you should expect phishing attacks not only via email but also via phone or SMS. Some fraudulent emails may be indistinguishable from real ones. Pseudo-experts will offer legal services to affected companies, and people will be offered loans. In addition, some law firms are now creating dedicated pages to attract clients for possible litigation.

Email spam

Bankruptcy-related spam mailings may contain false information about the bank and its financial situation. In addition, such emails may contain offers to receive compensation. Usually, the user is asked to follow a link and enter their information. Often this link is fraudulent, and obviously so. However, there is already a mass registration of new SVB-related domains. Unfortunately, not all of them are harmless; scammers register some specifically to deceive victims.

A classic example of a phishing email

In addition to emails asking you to click on a link, attackers can send emails supposedly from bank employees asking users to provide personal information such as full name, residence address, etc. We recommend that you be very careful with such emails and pay attention to the red flags: the sender’s address, the form of speech, and the style of the letter. For example, official organizations never address customers with something like “dear user”. Instead, they address you by your first name.

Social media phishing

Social media is another vector that scammers will take advantage of. They can use social media such as Facebook, Twitter, or LinkedIn to send messages to bank customers, offering to help them save their money in the bankruptcy. Scammers are likely to create fake profiles and use bank-related logos to make their messages more convincing. So it is essential to be careful and not trust people who ask for personal information on social media, especially concerning the bankruptcy.

Phone call phishing, a.k.a. vishing

Vishing is a scam involving voice communication (a phone call). One common type of vishing is when scammers call the victim and introduce themselves as employees of a bank that they claim is about to go bankrupt. Since they don’t even have to make anything up here, as the bank really is bankrupt, this is almost a guaranteed win for the scammers. For example, they can tell you that you must transfer your money to another bank account to save it. The standard scheme of asking for information to transfer the money follows. It can lead to theft from your personal bank account. We recommend providing information only once you are sure you are talking to real bank representatives. You can use the official phone number on the bank’s website to verify this.

Typical phishing page that tries to mimic the SVB clients help page

Race to register domains

We can already observe the registration of new domains that contain “SVB”. According to statistics, the number of registrations has increased several-fold over the past two days. Of course, not all of these are outright scams. Some are trying to capitalize on it, not necessarily by scamming. Here are some of the registrations associated with Silicon Valley Bank:

  • login-svb.com (parked)
  • svbbailout.com
  • svbclaim.com
  • svbcertificates.com
  • svblawsuit.com
  • svbhelp.com
  • svbcollapse.com
  • svbdeposits.com

This is just a tiny part of it.

Possible SVB Scam Directions

It is also worth mentioning the regional banks affiliated with SVB, which had a stake in it. Since they had close relations with SVB, it is probable that SVB’s bankruptcy will affect them as well. First and foremost, these are First Republic Bank, Western Alliance Bancorporation, Metropolitan Bank Holding, and Signature Bank. It is reasonable to expect scammers to send emails to users saying, “Due to current circumstances, we recommend you protect your savings. Click on the link and update your payment information.” All this is done for one purpose: to get access to the victim’s accounts.

Microsoft Email Scam: How to Prevent Microsoft Fraud Email Attacks https://gridinsoft.com/blogs/microsoft-email-scam/ Wed, 07 Dec 2022 09:31:56 +0000

Hackers are constantly finding new ways to infect your computer with malware and steal your data. With over 1.3 billion devices running Windows worldwide, hackers are especially likely to impersonate Microsoft. Unfortunately, Microsoft email scams are more common than you might imagine. Scammers ask you to install the latest updates, confirm your account information, or contact customer support. This article will tell you how to identify fake Microsoft emails and not fall victim to them.

How does a Microsoft email scam happen?

There are different variants of the Microsoft email scam. Let’s take a couple of the most common ones as an example. We’re all used to Microsoft, Apple, Google, and other companies notifying users via email when they find potentially unusual activity on their accounts. Unfortunately, scammers have taken advantage of this and started sending out fake notifications, and some people easily fall for this scam. Such an email encourages recipients to secure their Microsoft accounts by logging in using the link provided (the “Review recent activity” button or “Sign-in added details attached”).

An actual email from Microsoft will not be in the junk folder.

Clicking the link loads a fake Microsoft account login page that looks very similar to the real one. Next, the user is asked to provide their credentials. When the data is entered, it is sent to fraudsters who misuse it, for example, to hijack Microsoft accounts or sell them on the Darknet. In addition, fraudsters can use stolen accounts to spam other people’s contact lists, share various files (including malicious ones) or make purchases. Thus, people can become victims of identity theft, suffer monetary losses, and face privacy issues online. Therefore, you should ignore such emails.

Spam emails are popular among scammers who aim to get the victim to provide sensitive information, such as credentials and credit card details, or transfer money to them. For that, cybercriminals attach malicious files or links to websites designed to download malicious files. These can be ransomware, Trojans, and other malicious programs.

A fake Microsoft email login page is visually similar to the real one, but its address is usually different.

How does a computer get infected?

The email itself, if left untouched, will do no harm. The infection only occurs when recipients open (execute) a malicious attachment or open a file downloaded from a link the email contains. In most cases, such emails include a malicious Microsoft Office or PDF document, an executable (.exe) file, a JavaScript file, or an archive file such as ZIP or RAR. Usually, these emails are disguised as critical official messages from legitimate companies.

How Can I Tell If an Email from Microsoft Is Genuine?

Sometimes Microsoft email scams are so well-crafted that it’s hard to tell if the email is genuine or fake. For example, the sender’s name and the content of the email may appear natural, but if you look closely, you see a lot of red flags. Here are essential points to help spot fake Microsoft emails:

The sender’s address

To check the sender’s address, hover your mouse over the “from” field and see if it is legitimate. For example, when you receive an email from Microsoft, ensure that the email address has the domain @microsoft.com and not something suspicious like @m1crosoft.com, @microsfot.com, @account-security-noreply.com, etc. Mismatched email domains indicate that it is a fake email.

A link leading to a suspicious website

If the email contains a link, don’t rush to click on it. These links often lead to malicious or phishing sites. Instead, make sure it is safe first. You can use many tools to check the safety of a web page, e.g. the VirusTotal service. However, the easiest way is to hover over the link and look at the bottom of the window to see where it leads.

When you hover your cursor over a link, its address is displayed at the bottom left

Urgent calls to action or threats

If the message you receive looks like a threat or tells you that your account will be shut down if you don’t do what you’re told, that’s a serious red flag. For example, cybercriminals often offer to update your version of Outlook, claiming that incoming emails will be stopped unless you install the update within 48 hours. This is probably a scam or phishing Microsoft email attempt. A sense of urgency is a common scam strategy.

The message is in the junk folder and contains exclamation marks.

Generic messages

If an email doesn’t address you by your first name but uses, for example, “Dear User,” “Dear @youremail.com,” or “Dear Dear Dear Customer”, this should make you suspicious. Usually, companies call you by your first name or the nickname you used to register on the website. The absence of this information can signal a Microsoft email scam attempt.

Email attachments

Is this a phishing email from Microsoft? Legitimate companies will often ask you to log into their website and view or download any documents there. However, if you receive an email with an attachment, we do not recommend downloading it, much less opening it. You can, of course, download it and check it with an antivirus application. Unfortunately, infected email attachments are a common practice among cybercriminals.

Grammatical and spelling mistakes

Beware of emails that contain grammatical and spelling errors. This is a clear sign of Microsoft scams. A company like Microsoft (or any serious organization) would never send an email containing mistakes. Also, Microsoft will never contact users by email to ask for more account information, send out emails about updates, or provide technical support. The company does not initiate communication; users must initiate any contact with Microsoft. Refrain from trusting emails marked Microsoft that ask you to install the latest application updates. These are most likely phishing attempts. If you’ve noticed these signs, you’ve probably come across a Microsoft account email scam.
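The checks listed above (sender domain, the real link target a hover reveals, generic greeting, urgency, risky attachments) can be run automatically when triaging a suspicious message; the same link check covers the mismatched-URL advice in the Binance post earlier on this page. The Python below is an added example, not Gridinsoft’s or Microsoft’s code; the allow-listed domains, the constructed sample message and the simple lookalike rule are assumptions for the illustration.

```python
# Added example (not Gridinsoft's or Microsoft's code): score a raw email against
# the red flags the article lists, using a constructed sample phishing message.
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of domains a genuine Microsoft account notice comes from.
EXPECTED_DOMAINS = {"microsoft.com", "accountprotection.microsoft.com"}
GENERIC_GREETINGS = ("dear user", "dear customer", "dear dear")
URGENCY_WORDS = ("within 48 hours", "will be shut down", "deactivated")
RISKY_EXTENSIONS = (".exe", ".js", ".zip", ".rar")

# Constructed sample, modelled on the fake "unusual sign-in" notice described above.
SAMPLE_EMAIL = """\
From: Microsoft Account Team <security@m1crosoft.com>
To: victim@example.net
Subject: Unusual sign-in activity
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear User,</p>
<p>Your account will be shut down unless you review the activity within 48 hours.</p>
<p><a href="http://login-verify.example.org/ms">https://account.microsoft.com/activity</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs, i.e. what hovering over a link reveals."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_lookalike(domain, expected=EXPECTED_DOMAINS):
    """Digit-for-letter swaps (m1crosoft) or one adjacent transposition (microsfot)."""
    if domain.replace("1", "i").replace("0", "o") in expected:
        return True
    for e in expected:
        if len(e) == len(domain):
            d = [i for i, (a, b) in enumerate(zip(e, domain)) if a != b]
            if len(d) == 2 and d[1] == d[0] + 1 and e[d[0]] + e[d[1]] == domain[d[1]] + domain[d[0]]:
                return True
    return False


def phishing_flags(raw):
    """Return the list of red flags found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    flags = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain not in EXPECTED_DOMAINS:
        kind = "a lookalike of an expected domain" if is_lookalike(domain) else "not an expected domain"
        flags.append(f"sender domain {domain} is {kind}")
    body = ""
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            flags.append(f"risky attachment {name}")
        elif part.get_content_type() in ("text/html", "text/plain"):
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    links = LinkCollector()
    links.feed(body)
    for href, text in links.links:
        shown = urlparse(text).hostname if "://" in text else None
        real = urlparse(href).hostname
        if shown and real and shown != real:
            flags.append(f"link text shows {shown} but leads to {real}")
    plain = re.sub(r"<[^>]+>", " ", body).lower()
    if any(g in plain for g in GENERIC_GREETINGS):
        flags.append("generic greeting instead of your name")
    if any(w in plain for w in URGENCY_WORDS):
        flags.append("urgent call to action or threat")
    return flags


if __name__ == "__main__":
    for flag in phishing_flags(SAMPLE_EMAIL):
        print("-", flag)
```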

Examples of Microsoft Email Scam

Failure of delivery emails

If you’ve tried sending an email to a full or non-existent mailbox, you’ve probably received a message that the email has not been delivered. Such an email is conventionally divided into two halves – the first contains details of the error, and the second contains the text of the email itself. For example, cybercriminals send a fake email that includes a “send again” button. When you click on the link, malware is downloaded to your computer.

Re-activation requests

Office 365 phishing attacks are successful because they are based on fear and reflexive reactions. Fake re-activation requests tell recipients that their accounts are deactivated. The user needs to follow an attached malicious link to re-activate their accounts. The link leads to a fake login website, where the victim’s credentials are sent to the cybercriminals.

Alert for hitting storage limits

This Microsoft phishing email is also supposedly sent from Microsoft. If you use a subscription service, you may believe you have reached your account’s storage limit. Fraudsters send fake emails telling the user they must activate “Quota” to resolve storage problems. This is malware, as in the case of fake delivery error emails. Be careful and watch for the signs of Microsoft scams.

How to Report a Suspicious Email to Microsoft?

You can simply ignore or delete a fraudulent email, but as a responsible Internet user you can also help fight this scam by reporting the suspicious email to Microsoft. To do so, select the message, click Report message, and choose Phishing. If you are using the web-based version of Outlook, check the box next to the appropriate email, select Junk, and then Phishing. Alternatively, you can create a new email addressed to junk@office365.microsoft.com or phish@office365.microsoft.com and drag and drop the spam email into the new message. Also, remember to add the sender’s address to the blocked list.

What is Norton Scam Email? Tips to Protect Yourself
https://gridinsoft.com/blogs/norton-spam-email/
Mon, 24 Oct 2022 12:55:21 +0000
Norton scam email is a tricky phishing campaign that pretends to be an official mailing from Norton. It generally aims at users’ sensitive information, including banking data. Let’s figure out what these spam emails are, how dangerous they are, and how you can counteract them.

What is Norton Scam?

Norton scam email is a common name for dubious emails that may reach anybody, regardless of whether they use Norton products or not. These emails may use different texts and disguises, like any other phishing, but the most common one is a notification about a subscription purchase or renewal. The recipient is told that their card has been charged a hefty sum, and that to cancel the charge and receive a refund they should follow the instructions. The sum varies from $200 to $1000. This is not very realistic, as these emails usually reach individual users, who would never buy a corporate license or one for 10+ machines.

(Image: fake invoice from Norton.)

Still, the sum is scary enough to attract the user’s attention. Phishing Norton emails may contain a link to a third-party site or a contact number for “tech support”. Neither of them, as you can already guess, has anything to do with the real services of the company. Scammers may use a single phishing page for multiple spam campaigns.

(Image: an example of a letter that states a sum of almost $1000.)

The link may be plain text, or it may sit inside a button or the email body. It leads you to a phishing page that asks for your personal information: name, email address, phone number, et cetera. In some cases, it also asks for bank card details, including the security code (CVV/CVV2). Later, this information will be used against you, after it is sold to a third party on the Darknet.

The tech support number is no better. There, crooks who mimic the real support will try to coax your sensitive information out of you, just as with the link. The handling of the collected data is the same as well: they sell it on Darknet forums.

How dangerous is the Norton scam email?

Like any other phishing, it aims at grabbing as much personal information as possible. At a glance, you may think this is not that bad, since you share the same information with various online services too. However, most of those services keep this data confidential, as data protection laws punish selling it. Phishing actors, meanwhile, are not bound by any laws, since phishing itself is illegal.

(Image: Darknet prices for leaked data, divided by data type.)

You are unlikely to meet a benevolent person among the buyers of leaked information on the Darknet. If you have shared your personal information, it will become the basis for more precise spear phishing: crooks will try a more sophisticated fraud to make you pay them, by mimicking something you are expecting. Leaked bank card details, on the other hand, give them the ability to spend your money as they wish, and they can find ways to circumvent the bank’s safety measures. Carding has become far less widespread over the last 5 years, but it remains a threat.

How to avoid being fooled with email scams?

A few rules will help you detect and avoid questionable emails. They do not require anything specific and rely only on your attentiveness. Even the most sophisticated scams cannot be 100% identical to genuine emails, and when it comes to mass mailings of low-quality phishing emails, it is very easy to see through their disguise.

Unrealistic claims or offers

Do you really think Norton would charge you without your knowledge? Or offer a 1-year license for free, just for taking part in a quiz? When the claims in the letter look untrustworthy, find another way to verify them. For example, check your bank account to see whether any debit operation like the one described in the letter actually took place. On the official Norton website, you can see whether you have any active subscriptions, and also which promotions or giveaways are running. Keep in mind that a scam email may repeat a real promotion but contain a different link, so you would still end up in a fraud.

Email addresses

No one can legitimately use the email addresses of the genuine mailing services that companies use. Phishing actors often do not even try: they use hijacked accounts or single-use mailboxes created only for spamming. Hence, a letter that pretends to be a message from Norton but is sent from ol1209130@bilibili.com is already fishy. In more advanced scams, crooks may try to imitate the genuine address by replacing letters with numbers, so that it is harder to distinguish from the real one in haste. For example, you may see nort0nsupp0rt@norton.com instead of support@nortonlifelock.com. Below is the list of address domains used by Norton in its official mailings; crooks cannot use or counterfeit them.

(Image: an example of a fake Norton invoice sent from the email address of an individual user, probably hijacked earlier.)

List of genuine Norton email address domains:
@nortonlifelock.com
@norton.com
@identity.norton.com
@login.norton.com
@securenorton.com
@secure.norton.com
@lifelock.norton.com
@mylogin.norton.com
@myidentity.norton.com
@family.norton.com
@lifelock.com
@mail.nortonstore.hk
@mail.nortonstore.cn
@mail.nortonstore.tw
@mail.nortonstore.kr
@mail.nortonstore.jp
@mail.norton.com
@email.norton.com
@e-mail.norton.com
@identityprotection.norton.com
@subscriptions.norton.com
@zuberance.com
@ifeelgoods.com
@trustpilot.com
@club-off.com
@m.onetrust.com
@cleverbridge.com
@creditview.co.uk
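As an added example (not code from the original post), here is a Python check that applies the two tips above to a From: header: is the sender’s domain on the list, and does the address swap digits for letters to imitate the brand name? The allowlist is a constructed subset of the domains listed above, and the digit-to-letter mapping is an assumption.

```python
from email.utils import parseaddr

# Constructed allowlist: a subset of the genuine Norton sending domains
# listed in the post; the full list would go here in practice.
GENUINE_DOMAINS = {
    "nortonlifelock.com", "norton.com", "mail.norton.com",
    "email.norton.com", "subscriptions.norton.com", "lifelock.com",
}

# Digit-for-letter substitutions that make an address read as the brand
# name when skimmed in haste (assumed mapping, not from the post).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def _spells_brand_with_digits(text: str) -> bool:
    """True if text contains digits that, read as letters, spell 'norton'."""
    deobfuscated = text.translate(HOMOGLYPHS)
    return deobfuscated != text and "norton" in deobfuscated


def classify_sender(from_header: str) -> str:
    """Classify the From: header of a message claiming to come from Norton.

    Only the header text is inspected; a From: address can be forged, so
    "genuine-domain" is a first-pass check, not proof of authenticity.
    """
    _display_name, addr = parseaddr(from_header)
    local, sep, domain = addr.rpartition("@")
    local, domain = local.lower(), domain.lower()
    if not sep or not local or not domain:
        return "malformed"
    if domain in GENUINE_DOMAINS:
        # Right domain, but a local part such as nort0nsupp0rt is still a
        # red flag: the post's own example of digit-for-letter spoofing.
        if _spells_brand_with_digits(local):
            return "suspicious-local-part"
        return "genuine-domain"
    # Not on the list: does the domain merely imitate a genuine one?
    if domain.translate(HOMOGLYPHS) in GENUINE_DOMAINS:
        return "lookalike-domain"
    return "unknown-domain"


if __name__ == "__main__":
    for header in ("support@nortonlifelock.com",          # genuine, from the post
                   "Norton <ol1209130@bilibili.com>",      # unrelated domain, from the post
                   "nort0nsupp0rt@norton.com",             # spoofed local part, from the post
                   "Norton Billing <support@n0rton.com>"):  # constructed lookalike domain
        print(f"{header!r}: {classify_sender(header)}")
```

In a mail client or gateway, this check complements rather than replaces sender authentication (SPF, DKIM, DMARC), since only those confirm that the From: domain was not forged.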

Typos and poor email design

Can you imagine an official letter from a world-famous company with poor design and text full of errors? Most companies employ several writers who review the templates used for automated emails and check all hand-written correspondence. A genuine letter that looks like a kid’s scribble is hardly ever the case. You can be fairly sure it is a scam, and you can confirm your suspicion by looking for the other signs mentioned above.
