#AxisOfEasy 261: PayPal Scam Uses Invoices Sent Through Their Website


Weekly Axis Of Easy #261


Last Week’s Quote was  “The improver of natural knowledge absolutely refuses to acknowledge authority, as such. For him, skepticism is the highest of duties; blind faith the one unpardonable sin.” was by Thomas Huxley, 
Biologist and anthropologist.   Our winner is Len Giberson.

This Week’s Quote:  “Much of the social history of the Western world over the past three decades has involved replacing what worked with what sounded good.” … by???

THE RULES:  No searching up the answer, must be posted to the blog – the place to post the answer is at the bottom of the post, in the comments section.

The Prize:
First person to post the correct answer gets their next domain or hosting renewal on us.


This is your easyDNS #AxisOfEasy Briefing wherein our Technology Correspondent Joann L Barnes and easyCEO Mark E. Jeftovic send out a short briefing on the state of the ‘net and how it affects your business, security and privacy.
 

In this issue:

  • PayPal Scam Uses Invoices Sent Through Their Website
  • Defense operators of the U.S. Cyber Command have returned from Croatia following an investigation of malicious cyber activity
  • An updated version of Escanor RAT malware is being distributed via Microsoft Office documents and PDF files
  • Shalev Hulio: CEO of Blacklisted Israeli Spyware Resigns his Position
  • New Russian Malware Detected by Microsoft


Elsewhere online

  • Critics doubt that spyware maker NSO Group’s struggles will lower the use of its eavesdropping tech
  • How Microsoft found a critical defect in ChromeOS, and how Google managed to fix it
  • Counterfeit Phones Found With Backdoor to Hack WhatsApp Accounts
  • NSA: Nigeria Has Become a Part Of Budapest Cybercrime Convention
  • Sferra Discloses Data Breach

 

PayPal Scam Uses Invoices Sent Through Their Website

Scammers now use invoices sent via PayPal to trick beneficiaries into calling a number to debate a pending charge. The letters come from PayPal.com and include a link that showcases the supposed transaction and states that the user’s account will be charged hundreds of dollars.

Recipients who call are asked to download a software that allows the scammers to take control over their computer. According to KrebsOnSecurity, a reader who received an email from paypal.com immediately suspected it was a scam. The subject read, “Billing Department of PayPal updated your invoice.”

Despite the awkward wording, the scam was highly convincing. All links led to PayPal.com, and the “View and Pay Invoice” button loaded a PDF showing PayPal’s email validation.

The reader who shared the email stated that he logged into his PayPal account and couldn’t find signs of the invoice. After a call to the toll-free numbers listed in the invoice, a man received it. He answered the phone as “customer service” instead of trying to spoof PayPal.

Read: https://krebsonsecurity.com/2022/08/paypal-phishing-scam-uses-invoices-sent-via-paypal/

 

Defense operators of the U.S. Cyber Command have returned from Croatia following an investigation of malicious cyber activity

For the first time in American Cyber Command history, a team of cyber operators returned from Croatia with a new perception to hunt for harmful activity. These hunts are conducted routinely to learn about adversary activities and defend the homeland and collective cybersecurity.

Croatian Security and Intelligence Agency’s (SOA) Cyber Security Centre experts and U.S. military personnel are exploring national networks for weaknesses and malicious cyber activity. The team has recently returned to the United Estates, sharing each other’s methodologies and abilities.

By August 2022, the team has managed 35 hunt operations in countries like Estonia, Lithuania, Montenegro, North Macedonia, and Ukraine. The concept of “hunting” in cybersecurity refers to the act of observing threats that have yet to be detected on a network or system. Hunt operation teams enable their counterparts to pursue and address the threats they have found.

Besides opposing malicious cyber activity and the actors who target allied nations’ networks, data, and platforms, the U.S. and these nations gain valuable insight into the information of adversaries’ tactics, techniques, and platforms. By knowing their plans and tools, American and allied forces are aided in disrupting and even stopping this illegal cyber activity before they cause harm.

Read: https://www.helpnetsecurity.com/2022/08/19/u-s-cyber-command-croatia/

 

An updated version of Escanor RAT malware is being distributed via Microsoft Office documents and PDF files

Security researchers at Resecurity have identified a new remote administration tool (RAT) dubbed Escanor. The researchers spotted this RAT in dark web forums and Telegram channels. They reported that hackers used it to weaponize Microsoft Office and Adobe PDF documents to deliver malicious code.

On January 26th, 2022, Escanor was released as an HVNC implant allowing you to connect silently to a victim’s computer via remote control. Eventually, it evolved into a full-scale commercial RAT, gaining over 28,000 Telegram subscribers and a big reputation on the Dark Web.

A mobile version known as “Esca RAT” is also being actively used by cybercriminals to attack online-banking customers via the interception of OTP codes. This tool can also be used to collect the victim’s GPS coordinates, activate hidden cameras, and browse their files to steal data. The actors use documents and imitate invoices and notifications from well-known online services.

Most notably, Escanor has been identified as connected to APT-C-23, a group active within the Middle Eastern region, known to target Israeli military assets. Most victims infected by Escanor have been identified in the U.S., Canada, UAE, Saudi Arabia, Kuwait, Bahrain, Egypt, Israel, Mexico, and Singapore, with some infections in South-East Asia.

Read: https://www.infosecurity-magazine.com/news/escanor-rat-malware-microsoft-pdf/

 

Shalev Hulio: CEO of Blacklisted Israeli Spyware Resigns his Position

Shalev Hulio, CEO of NSO group (Israeli company behind Pegasus spyware), will be stepping down from a restructuring plan that will cut 100 jobs. The group announced this on Sunday, stating they’ll focus on sales in countries belonging to the North Atlantic Treaty Organization (NATO) alliance. The company is known for a July 2021 investigation that revealed that Pegasus spyware was sold to governments and used against human rights activists and reporters worldwide.

Even though NSO is privately owned, the Israeli Ministry of Defense must first approve any export of cyber warfare technologies. This has led privacy activists and political commentators to state that Israel’s political interests have influenced Pegasus’ sales to governments with human rights abuse records. Although NSO denied the wrongdoing, the company was added to a US export blacklist last year to prevent it from buying from American companies.

Recently, Pegasus spyware was spotted targeting the European Justice Commissioner in April 2022. It was used in an espionage campaign months later, targeting a pro-democracy movement in Thailand. The spyware was also found on the Spanish PM’s smartphone in May.

Read: https://www.infosecurity-magazine.com/news/ceo-israeli-spyware-nso-pegasus/

 

New Russian Malware Detected by Microsoft

Microsoft tracked a threat actor referred to as Nobelium, Cozy Bear, the Dukes, and Yttrium, thought to have orchestrated the SolarWinds hack in 2020 and the attack against the DNC (Democratic National Committee) in 2016. In 2021, Microsoft published an analysis via FoggyWeb, a data-collection tool that they were deploying on AD FS (Active Directory Federation Services) servers.

Nowadays, Microsoft is sharing details on MagicWeb, adding access capabilities on top of data theft, allowing the attackers to sign into the compromised Active Directory of any user. As was observed, Nobelium used highly privileged credentials to access, later gaining administrative advantages to an AD FS system before deploying MagicWeb.

After accessing AD FS, the threat actor replaced a legitimate DLL with a malicious one, modifying a configuration file to load the backdoor library at startup and then bypassing AD FS’s claims-based authentication. MagicWeb injects itself into the claims process, manipulating the user authentication certificates that Security Assertion Markup Language (SAML) uses and bypassing AD FS policies. Microsoft states that the attack relies on the compromise of administrator accounts that are highly privileged and that protecting them should stop the threat.

Read: https://www.securityweek.com/microsoft-details-new-post-compromise-malware-used-russian-cyberspies

 

Elsewhere Online

 

Critics doubt that spyware maker NSO Group’s struggles will lower the use of its eavesdropping tech Read: https://www.cyberscoop.com/nso-group-reorganization-spyware-abuses/

How Microsoft found a critical defect in ChromeOS, and how Google managed to fix it
Read: https://www.zdnet.com/article/microsoft-how-we-unearthed-a-critical-flaw-in-chromeos-and-how-google-fixed-it/

Counterfeit Phones Found With Backdoor to Hack WhatsApp Accounts
Read: https://thehackernews.com/2022/08/researchers-find-counterfeit-phones.html

NSA: Nigeria Has Become a Part Of Budapest Cybercrime Convention
Read: https://tribuneonlineng.com/nigeria-now-part-of-budapest-convention-on-cybercrime-%E2%80%95-nsa/

Sferra Discloses Data Breach
Read: https://www.securityweek.com/textile-company-sferra-discloses-data-breach

 
 

Previously on #AxisOfEasy

If you missed the previous issues, they can be read online here:

 

 

 

 

 

One thought on “#AxisOfEasy 261: PayPal Scam Uses Invoices Sent Through Their Website

Leave a Reply

Your email address will not be published. Required fields are marked *