COVID-19 RELATED SCAMS
  • Advisory

The syndicates operates several fraudulent portals. The following are some of the identified phishing links, amongst others:

  1.  https://survivalfund-gov-ng.freefunds.xyz/#1609249530133 
  2. https://sable.madmimi.com/c/398118?id=2400362.559.1.6440814247df5cfd7b16c5e7b5450849 
  3. https://bit.ly/FG-survival-fund) 
  4. https://careers.pawo.ng/covid-19-emergency-response-fund-grant/ 
  5. https://careers.pawo.ng/apply-cbn-reopens-n50bn-covid-loan-portal-for-households-businesses/ 
  6. https://careers.pawo.ng/npower-batch-c-shortlisted-candidates-2021-2022/ 
  7. https://sable.madmimi.com/c/398118?id=2376842.554.1.ed06eacfdd83f6a196f82d619820d4bb 

Members of the public are being asked to check their eligibility for the Covid-19 Survival Fund scheme and N-Power Batch-C Shortlisted Candidates for 2021, as well as click a link to apply for the CBN COVID-19 Loan by providing their account details on the portals in order to receive certain grants.

Fortinet Leaked VPN Account Credentials
  • Advisory

The list of Fortinet credentials was leaked for free by a threat actor known as 'Orange,' who is the administrator of the newly launched RAMP hacking forum and a previous operator of the Babuk Ransomware operation. Further analysis conducted by Advanced Intel shows that the IP addresses are for devices worldwide, with 2,959 devices located in the USA.

Browser’s DNS Rebinding Attacks
  • Advisory

The attacks begins with fooling victims into opening malicious websites with social engineering tactics such as sending phishing emails and cybersquatting. After launching a malicious site on victims' browsers, attackers look for private IP addresses and ports that host vulnerable services prior to launching the DNS rebinding attack. The open ports provide details regarding exposed web applications behind IP addresses. Moreover, using the WebRTC method, malicious websites can scan the open web services inside local networks. After locating the targeted services, an attacker's website can launch the DNS rebinding attack inside an iframe. The first request obtains the rebinding payload from a malicious hostname. This attack script continues to trigger repeated resolution for hostname till it rebinds to the targeted IP address. Then iframe can communicate continuously with the internal service without the victim’s knowledge.

Facebook, Instagram and WhatsApp global outage
  • Advisory

Cybercrime reporters attribute this global outage to a major DNS problem as DNS allows web addresses to take users to their desired web location which is currently inaccessible. A cybercrime reporter also explained that the DNS records that tell devices how to find Facebook and Instagram got withdrawn this morning from the global routing cables and it is unclear how this occurred. However, security experts tracking the situation observed that the outage was likely triggered by configuration error redirecting Facebook servers. It is also likely that the challenges could be as a result of an internal mistake, though sabotage by an insider could be theoretically possible.

An outside hack was viewed as less likely. A massive denial-of-service attack that could overwhelm one of the world's most popular sites, on the other hand, would require either coordination among powerful criminal groups or a very innovative technique.

OpenOffice and LibreOffice Digital Signature Spoofing Vulnerabilities
  • Advisory

OpenOffice, is a discontinued open-source office suite. LibreOffice is a free and open-source office productivity software suite. It was forked in 2010 from OpenOffice.org, which was an open-sourced version of the earlier StarOffice. In two out of the three attack scenarios, LibreOffice incorrectly displays a validly signed indicator that suggests that the document has not been tampered with since it was signed. A trusted party that presents the signature of an unknown algorithm as a legitimate signature issued

Google Warn Users of Government-Sponsored Attacks
  • Advisory

Google discovered activities used by government-backed attackers to steal a password or other personal information. Such activity includes receiving an email with a malicious attachment, links to malicious software downloads, or links to fake websites designed to steal passwords.

Additionally, Google has also revealed that it disrupted a number of campaigns mounted by an Iranian state-sponsored attacker group tracked as APT35 (aka Charming Kitten, Phosphorous, or Newscaster), including a sophisticated social engineering attack dubbed "Operation SpoofedScholars" aimed at think tanks, journalists, and professors with the goal of soliciting sensitive information by masquerading as scholars with the University of London's School of Oriental and African Studies (SOAS).

Other past attacks involved the use of a spyware-infested VPN app uploaded to the Google Play Store that, when installed, could be leveraged to siphon sensitive information such as call logs, text messages, contacts, and location data from the infected devices.

Furthermore, an unusual tactic adopted by APT35 concerned the use of Telegram to notify the attackers when phishing sites under their control have been visited in real-time via malicious JavaScript embedded into the pages.

Latest Articles