The Internal Revenue Service headquarters building in the Federal Triangle section of Washington, D.C. Among phishing schemes to emerge recently is one targeting university students with promises of tax refunds. (Photo by Chip Somodevilla/Getty Images)
A series of recently published reports cautions end users and employers to watch out for several newly discovered or trending social engineering techniques, including the use of personalized job lures, false promises of tax refunds to university staff and students, and even voice manipulation for vishing campaigns.
Rotten eggs: Golden Chicken group cooks up fake job offers
Experts at eSentire's Threat Response Unit warned in a blog post this week that the hacking group Golden Chickens is spear phishing business professionals on LinkedIn with fake job offers that appear to perfectly match their expertise and experience, all in an attempt to infect them with a fileless backdoor trojan called more_eggs.
The backdoor, which is sold as a malware-as-a-service (MaaS) offering to affiliated cybercriminal groups including the infamous FIN6, Cobalt Group and Evilnum, comes packaged in a malicious zip file whose name includes the exact job position listed on the individual target's LinkedIn profile.
“For example, if the LinkedIn member’s job is listed as Senior Account Executive—International Freight, the malicious zip file would be titled Senior Account Executive—International Freight position (note the ‘position’ added to the end),” the blog post states. “Upon opening the fake job offer, the victim unwittingly initiates the stealthy installation of the fileless backdoor, more_eggs.” Infected individuals are then prone to secondary infections initiated by the MaaS user, including ransomware or credential stealers.
While this observed behavior is similar to a 2019 campaign targeting employees of U.S. companies that offer online shopping, eSentire said this time it caught attackers spear phishing a professional working in the health care technology industry.
“It is likely the target was chosen by an attacker interested in gaining access to an organization’s cloud infrastructure, with a potential goal of exfiltrating sensitive data related to intellectual property or even infrastructure controlling medical devices,” said Chris Hazelton, director of security solutions at Lookout. “Connected devices, particularly medical devices, could be a treasure trove for cybercriminals.”
Hazelton also noted that the current job climate and state of the health care industry in the midst of the COVID-19 pandemic makes this a particularly effective time for this campaign.
“With vaccinations being rolled out in some countries at an impressive rate, companies are looking to increase staff as the economy recovers,” Hazelton explained. “This increase in LinkedIn messaging traffic means users are receiving more messages since the pandemic started, so they are spending less time vetting each message. Users of social media continue to put too much trust in those platforms to protect them from criminals.”
Aside from the personalization aspect, the campaign employs another sneaky technique: the abuse of legitimate Windows components such as Windows Management Instrumentation (WMI), cmstp.exe and msxsl.exe, which lets the malware evade anti-virus software and automated security solutions. “These… elements make more_eggs, and the cybercriminals which use this backdoor, very lethal,” said Rob McLeod, senior director of eSentire’s Threat Response Unit, in the report.
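Because the binaries named above are signed Microsoft components, file-based anti-virus has little to key on; the practical detection surface is process-creation telemetry. The following is an added example, not code from eSentire's report, showing the kind of rules a detection engineer would write for these living-off-the-land patterns: cmstp.exe silently loading an .inf from a user-writable path, wmic.exe pulling an XSL stylesheet via /format:, and msxsl.exe running from a temp directory, each weighted higher when a script host is the parent. The sample events are constructed in a Sysmon Event ID 1-like shape; the thresholds and rule names are illustrative assumptions, not the campaign's actual indicators.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1-like shape.
# They are made up for this example and are not telemetry from the campaign.
SAMPLE_EVENTS = [
    {"pid": 4012, "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /s /ni C:\Users\alice\AppData\Local\Temp\position.inf"},
    {"pid": 4100, "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": r'wmic os get /format:"https://updates.invalid/style.xsl"'},
    {"pid": 4188, "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\msxsl.exe",
     "cmdline": r"msxsl.exe config.xml C:\Users\alice\AppData\Local\Temp\style.xsl"},
    # Benign controls: a VPN profile install and an ordinary inventory query.
    {"pid": 2200, "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /s C:\Windows\System32\ras\corp-vpn.inf"},
    {"pid": 2300, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": r"wmic os get caption"},
]

# Parents that should rarely launch these binaries in a healthy estate (assumption).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# Locations an unprivileged user can write to (assumption; extend for your estate).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _in_user_writable(path):
    return path.lower().startswith(USER_WRITABLE)


def evaluate(event):
    """Return the list of rule names an event trips (empty if none)."""
    findings = []
    image = _basename(event["image"])
    parent = _basename(event["parent"])
    cmd = event["cmdline"]
    cmd_l = cmd.lower()

    # cmstp.exe: silent (/s) or no-install (/ni) run of an .inf outside %SystemRoot%.
    if image == "cmstp.exe" and re.search(r"(?:^|\s)/(?:s|ni)\b", cmd_l):
        infs = re.findall(r"\S+\.inf\b", cmd, re.IGNORECASE)
        if any(not p.lower().startswith("c:\\windows\\") for p in infs):
            findings.append("cmstp_inf_outside_windows_dir")

    # wmic.exe: /format: pointing at a URL or an .xsl stylesheet (script execution).
    if image == "wmic.exe" and re.search(r"/format:\S*(?:https?:|\.xsl)", cmd_l):
        findings.append("wmic_xsl_format_abuse")

    # msxsl.exe: a run from a user-writable path, or one that loads an .xsl.
    if image == "msxsl.exe" and (_in_user_writable(event["image"]) or ".xsl" in cmd_l):
        findings.append("msxsl_stylesheet_execution")

    # Context: a script host as parent raises confidence in any of the above.
    if findings and parent in SCRIPT_HOSTS:
        findings.append("spawned_by_script_host")
    return findings


def scan(events):
    """Map pid -> findings for every event that trips at least one rule."""
    hits = {}
    for event in events:
        findings = evaluate(event)
        if findings:
            hits[event["pid"]] = findings
    return hits


if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

Run against the constructed events, the three script-host-spawned launches are flagged and the two controls (a system-installed VPN profile and a plain wmic query) pass, which is the balance these rules need: cmstp.exe and wmic.exe are used legitimately, so the signal is the combination of flags, file location and parent rather than the binary name alone.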
Gaza Cybergang members altering voices to sound like women?
On Tuesday, Cado Security issued an unusual report offering new details on the toolkits used by actors affiliated with the Arabic-speaking Middle Eastern APT group known as MoleRats, or the Gaza Cybergang. The group is known to target Palestine- and Israel-based interests, officials or institutions and, in the past, certain Western targets.
Having found a misconfigured server belonging to the group, the researchers were able to rifle through the group’s assets and, strangely, found Morph Vox Pro, a legitimate voice modulation tool that the attackers co-opted for their own operations. Researchers suspect the actors may have abused the tool in vishing campaigns to disguise their voices, perhaps to sound like women.
MoleRats has been known to try to woo victims, including members of the Israel Defense Forces, into infecting their devices with spyware by impersonating women on messaging apps and then sending a malicious link – supposedly for watching videos or for downloading a photo-sharing app where they could exchange provocative images.
The actors have even repurposed publicly available photos of random women on the internet to perpetrate such ruses, and have reportedly sent generic voice messages of women’s voices saying quick phrases like “yes” and “no” in Hebrew. So the idea of male actors altering their voices to sound female is not especially far-fetched.
“We think probably it’s these guys pretend[ing] to be women. And it’s an easy, better way for them to send simple short messages,” said Christopher Doman, co-founder and chief technology officer of Cado, in an interview with SC Media. “And the way that has been done in attacks in the past is by sending recorded messages on things like WhatsApp, Facebook.”
This tactic likely won’t see widespread adoption among highly sophisticated state-sponsored actors, but “we can see this definitely being useful for other… individual hacktivists, low-end APTs like these guys are,” Doman said. For small groups who are already relying more on social engineering than expensive exploits, “this is probably something nice to add to the repertoire, anything that increases that slight percent chance of those spear phishes working.”
This technique is almost a baby step toward a future in which cyber threat groups widely adopt audio deepfake technology to convincingly impersonate employees’ CEOs, bosses or third-party partners and trick them into approving and executing a financial transaction. The voice-modulation tool seen here, however, is far more rudimentary.
Still, “just because this stuff isn’t sophisticated, doesn’t mean there aren’t real impacts,” Doman said.
Scammers target .edu addresses with IRS-themed phish
And last week, the U.S. Internal Revenue Service issued an advisory warning of an influx of ongoing phishing attacks that impersonate the tax-collecting federal agency, while targeting university students and staff members.
“The IRS’ phishing@irs.gov has received complaints about the impersonation scam in recent weeks from people with email addresses ending in ‘.edu,’” said the IRS release. “The phishing emails appear to target university and college students from both public and private, profit and non-profit institutions.”
According to the IRS, the phishing emails fraudulently display the IRS logo and use subject lines such as “Tax Refund Payment” or “Recalculation of your tax refund payment” to trick recipients into clicking malicious links that lead to phishing pages that ask for Social Security numbers, driver’s license numbers and other personally identifiable information.
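The lure as described has three checkable properties: a sender that presents itself as the IRS from a domain that is not irs.gov, a refund-themed subject line, and links that lead somewhere other than the real site even when the visible link text says otherwise (the logo itself is no signal, since it can be hotlinked from the genuine site). The following is an added example, not code from the IRS release or this article, of a small mailbox-triage script that applies those checks with Python's standard email library. Both messages are constructed for the example; the sender domain, link target and rule names are assumptions.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

IRS_DOMAIN = "irs.gov"
ANCHOR_RE = r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>'

# Constructed sample modelled on the lure the IRS describes; not a real message.
# The sender domain and link target are made-up names.
PHISH_EML = """\
From: "Internal Revenue Service" <refunds@irs-gov-secure.example>
To: student@example.edu
Subject: Recalculation of your tax refund payment
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="https://www.irs.gov/themes/custom/irs/logo.png" alt="IRS">
<p>Your refund has been recalculated. Verify your identity to receive payment:</p>
<a href="https://irs-gov-secure.example/refund?id=1">https://www.irs.gov/refunds</a>
</body></html>
"""

# Constructed benign control: an ordinary campus notice with a campus link.
BENIGN_EML = """\
From: "Registrar's Office" <registrar@example.edu>
To: student@example.edu
Subject: Spring term schedule posted
Content-Type: text/html; charset="utf-8"

<html><body><p>See <a href="https://example.edu/schedule">the schedule</a>.</p></body></html>
"""


def _is_irs_host(host):
    host = (host or "").lower()
    return host == IRS_DOMAIN or host.endswith("." + IRS_DOMAIN)


def triage(raw):
    """Return a list of findings for one RFC 5322 message (empty means no IRS-lure signals)."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    subject = str(msg["Subject"] or "")
    body = msg.get_content()
    findings = []

    # Does the message present itself as the IRS (display name, subject or body)?
    claims_irs = bool(re.search(r"\b(?:irs|internal revenue)\b",
                                " ".join([sender.display_name, subject, body]), re.I))

    # An IRS claim from any domain other than irs.gov is the headline signal.
    if claims_irs and not _is_irs_host(sender.domain):
        findings.append(f"irs_lure_from_non_irs_domain:{sender.domain}")

    # Refund-themed subjects of the kind the advisory lists.
    if re.search(r"tax refund|refund payment", subject, re.I):
        findings.append("refund_lure_subject")

    # Only judge links when the message claims to be the IRS; campus mail
    # legitimately links everywhere.
    if claims_irs:
        for href, text in re.findall(ANCHOR_RE, body, re.I | re.S):
            host = urlparse(href).hostname
            if not _is_irs_host(host):
                findings.append(f"link_to_non_irs_host:{host}")
            # Visible URL text that disagrees with the real href is a classic tell.
            shown = re.search(r"https?://([^/\s<]+)", text)
            if shown and shown.group(1).lower() != (host or "").lower():
                findings.append(f"anchor_text_mismatch:{shown.group(1)}->{host}")
    return findings


if __name__ == "__main__":
    print(triage(PHISH_EML))   # four findings
    print(triage(BENIGN_EML))  # []
```

The link checks are gated on the message claiming to be the IRS so that ordinary campus mail, which links to all sorts of hosts, does not fire; the display-name check is the one that would survive an attacker fixing the subject line, because a real irs.gov sender domain is the one thing the scammer cannot supply.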
Recipients are urged to report incidents of this scam to phishing@irs.gov. “Taxpayers who attempt to e-file their tax return and find it rejected because a return with their SSN already has been filed should file a Form 14039, Identity Theft Affidavit to report themselves as a possible identity theft victim,” the notification adds.
“Students and staff are not only dealing with the chaos of the pandemic, but now are being targeted in relation to their tax refunds,” said Niamh Muldoon, global data protection officer at OneLogin. “Distractions are plentiful as people start to reconnect and adjust to hybrid learning and schedules. Information floods in, typically by email and collaboration tooling. Unfortunately, recipients are often ill-prepared to determine if devices are configured with security in mind.”
“Seeing that cybercriminals have consistently targeted academic institutions through various threat vectors including phishing campaigns, it would be wise for these education institutions to offer support and training,” Muldoon continued. “The training really should be provided prior to providing devices and online system access.”