How do hackers hack phones? In several ways. But also, there are several ways you can prevent it from happening to you. The thing is that our phones are like little treasure chests. They're loaded with plenty of personal data, and we use them to shop, bank, and take care of other personal and financial matters, all of which are of high value to identity thieves. However, you can protect yourself and your phone by knowing what to look out for and by taking a few simple steps. Let's break it down by first understanding what phone hacking is, taking a look at some common attacks, and learning how you can prevent it.
Phone hacking refers to any method where an unauthorized third party gains access to your smartphone and its data. This isn't just one single technique; it covers a wide range of cybercrimes. A phone hack can happen through software vulnerabilities, like the spyware campaigns throughout the years that could monitor calls and messages. It can also occur over unsecured networks, such as a hacker intercepting your data on public Wi-Fi. Sometimes, it's as simple as physical access, where someone installs tracking software on an unattended device.
Hackers have multiple avenues of attacking your phone. Among these common methods are using malicious apps disguised as legitimate software, exploiting the vulnerabilities of unsecure public Wi-Fi networks, or deploying sophisticated zero-click exploits that require no interaction from you at all. The most common method, however, remains social engineering, where they trick you into giving them access. Let's further explore these common hacking techniques below.
Whether hackers sneak hacking software onto your phone by physically accessing it or by tricking you into installing it via a phony app, a sketchy website, or a phishing attack, that software can create problems for you in a couple of ways:
Some possible signs of hacking software on your phone include:
In all, hacking software can eat up system resources, create conflicts with other apps, and use your data or internet connection to pass your personal information into the hands of hackers.
This classic form of attack has been leveled at our computers for years. Phishing is where hackers impersonate a company or trusted individual to get access to your accounts or personal info or both. These attacks take many forms such as emails, texts, instant messages, and so forth, some of which can look really legitimate. Common to them are links to bogus sites that attempt to trick you into handing over personal info or that install malware to wreak havoc on your device or likewise steal information. Learning to spot a phishing attack is one way to keep yourself from falling victim to one.
Professional hackers can use dedicated technologies that search for vulnerable mobile devices with an open Bluetooth connection. Hackers can pull off these attacks when they are within range of your phone, up to 30 feet away, usually in a populated area. When hackers make a Bluetooth connection to your phone, they might access your data and info, yet that data and info must be downloaded while the phone is within range. This is a more sophisticated attack given the effort and technology involved.
In August of 2019, the then-CEO of Twitter had his phone hacked through a SIM card swapping scam. In this type of scam, a hacker contacts your phone provider, pretends to be you, then asks for a replacement SIM card. Once the provider sends the new SIM to the hacker, the old SIM card is deactivated, and your phone number is effectively stolen. This enables the hacker to take control of your phone calls, messages, and more. The task of impersonating someone else seems difficult, yet it happened to the CEO of a major tech company, underscoring the importance of protecting your personal info and identity online to prevent hackers from pulling off this and other crimes.
While a phone call itself cannot typically install malware on your device, it is a primary tool for social engineering, known as vishing or voice phishing. A hacker might call, impersonating your bank or tech support company, and trick you into revealing sensitive information like passwords or financial details. They might also try to convince you to install a malicious app. Another common tactic is the "one-ring" scam, where they hang up hoping you'll call back a premium-rate number. To stay safe, be wary of unsolicited calls, never provide personal data, block suspicious numbers, and check that your call forwarding isn't enabled.
Generally, a phone that is powered off is a difficult target for remote hackers. However, modern smartphones aren't always truly off. Features like Apple's Find My network can operate in a low-power mode, keeping certain radios active. Furthermore, if a device has been previously compromised with sophisticated firmware-level malware, it could activate upon startup. The more common risk involves data that was already stolen before the phone was turned off or if the device is physically stolen. While it's an uncommon scenario, the only sure way to take a device offline and completely sever all power is by removing the battery, where possible.
Hacking a phone's camera is referred to as camfecting, usually done through malware or spyware hidden within a rogue application. Once installed, these apps can gain unauthorized permission to access your camera and record video or capture images without your knowledge. Occasionally, vulnerabilities in a phone's operating system (OS) have been discovered that could allow for this, though these are rare and usually patched quickly. Protect yourself by regularly reviewing app permissions in your phone's settings, for both iOS and Android, and revoking camera access for any app that doesn't absolutely need it. Always keep your OS and apps updated to the latest versions.
This is a long-standing debate with no simple answer. iPhones are generally considered more secure due to Apple's walled garden approach: a closed ecosystem, a strict vetting process for the App Store, and timely security updates for all supported devices. Android's open-source nature offers more flexibility but also creates a more fragmented ecosystem, where security updates can be delayed depending on the device manufacturer. However, both platforms use powerful security features like application sandboxing.
The most important factor is not the brand but your behavior. A user who practices good digital hygiene, using strong passwords, avoiding suspicious links, and vetting apps, is well-protected on any platform.
Detecting a phone hack early can save you from significant trouble. Watch for key red flags: your battery draining much faster than usual, unexpected spikes in your mobile data usage, a persistently hot device even when idle, or a sudden barrage of pop-up ads. You might also notice apps you don't remember installing or find that your phone is running unusually slow. To check, go into your settings to review your battery and data usage reports for any strange activity. The most effective step you can take is to install a comprehensive security app, like McAfee® Mobile Security, to run an immediate scan and detect any threats.
Discovering that your phone has been hacked can be alarming, but acting quickly can help you regain control and protect your personal information. Here are the urgent steps to take so you can remove the hacker, secure your accounts, and prevent future intrusions.
While there are several ways a hacker can get into your phone and steal personal and critical information, here are a few tips to keep that from happening:
Your smartphone is central to your life, so protecting it is essential. Ultimately, your proactive security habits are your strongest defense against mobile hacking. Make a habit of keeping your operating system and apps updated, be cautious about the links you click and the networks you join, and use a comprehensive security solution like McAfee® Mobile Security.
By staying vigilant and informed, you can enjoy all the benefits of your mobile device with confidence and peace of mind. Stay tuned to McAfee for the latest on how to protect your digital world from emerging threats.
The post How Do Hackers Hack Phones and How Can I Prevent It? appeared first on McAfee Blog.
PEGASUS-NEO is a comprehensive penetration testing framework designed for security professionals and ethical hackers. It combines multiple security tools and custom modules for reconnaissance, exploitation, wireless attacks, web hacking, and more.
This tool is provided for educational and ethical testing purposes only. Usage of PEGASUS-NEO for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state, and federal laws.
Developers assume no liability and are not responsible for any misuse or damage caused by this program.
PEGASUS-NEO - Advanced Penetration Testing Framework
Copyright (C) 2024 Letda Kes dr. Sobri. All rights reserved.
This software is proprietary and confidential. Unauthorized copying, transfer, or
reproduction of this software, via any medium is strictly prohibited.
Written by Letda Kes dr. Sobri <muhammadsobrimaulana31@gmail.com>, January 2024
Password: Sobri
Social media tracking
Exploitation & Pentesting
Custom payload generation
Wireless Attacks
WPS exploitation
Web Attacks
CMS scanning
Social Engineering
Credential harvesting
Tracking & Analysis
# Clone the repository
git clone https://github.com/sobri3195/pegasus-neo.git
# Change directory
cd pegasus-neo
# Install dependencies
sudo python3 -m pip install -r requirements.txt
# Run the tool
sudo python3 pegasus_neo.py
sudo python3 pegasus_neo.py
This is a proprietary project and contributions are not accepted at this time.
For support, please email muhammadsobrimaulana31@gmail.com or visit https://lynk.id/muhsobrimaulana
This project is protected under proprietary license. See the LICENSE file for details.
Made with ❤️ by Letda Kes dr. Sobri
Residents across the United States are being inundated with text messages purporting to come from toll road operators like E-ZPass, warning that recipients face fines if a delinquent toll fee remains unpaid. Researchers say the surge in SMS spam coincides with new features added to a popular commercial phishing kit sold in China that makes it simple to set up convincing lures spoofing toll road operators in multiple U.S. states.
Last week, the Massachusetts Department of Transportation (MassDOT) warned residents to be on the lookout for a new SMS phishing or "smishing" scam targeting users of EZDriveMA, MassDOT's all electronic tolling program. Those who fall for the scam are asked to provide payment card data, and eventually will be asked to supply a one-time password sent via SMS or a mobile authentication app.
Reports of similar SMS phishing attacks against customers of other U.S. state-run toll facilities surfaced around the same time as the MassDOT alert. People in Florida reported receiving SMS phishing that spoofed Sunpass, Floridaโs prepaid toll program.
This phishing module for spoofing MassDOT's EZDrive toll system was offered on Jan. 10, 2025 by a China-based SMS phishing service called "Lighthouse."
In Texas, residents said they received text messages about unpaid tolls with the North Texas Toll Authority. Similar reports came from readers in California, Colorado, Connecticut, Minnesota, and Washington. This is by no means a comprehensive list.
A new module from the Lighthouse SMS phishing kit released Jan. 14 targets customers of the North Texas Toll Authority (NTTA).
In each case, the emergence of these SMS phishing attacks coincided with the release of new phishing kit capabilities that closely mimic these toll operator websites as they appear on mobile devices. Notably, none of the phishing pages will even load unless the website detects that the visitor is coming from a mobile device.
Ford Merrill works in security research at SecAlliance, a CSIS Security Group company. Merrill said the volume of SMS phishing attacks spoofing toll road operators skyrocketed after the New Year, when at least one Chinese cybercriminal group known for selling sophisticated SMS phishing kits began offering new phishing pages designed to spoof toll operators in various U.S. states.
According to Merrill, multiple China-based cybercriminals are selling distinct SMS-based phishing kits that each have hundreds or thousands of customers. The ultimate goal of these kits, he said, is to phish enough information from victims that their payment cards can be added to mobile wallets and used to buy goods at physical stores, online, or to launder money through shell companies.
A component of the Chinese SMS phishing kit Lighthouse made to target customers of The Toll Roads, which refers to several state routes through Orange County, Calif.
Merrill said the different purveyors of these SMS phishing tools traditionally have impersonated shipping companies, customs authorities, and even governments with tax refund lures and visa or immigration renewal scams targeting people who may be living abroad or new to a country.
"What we're seeing with these tolls scams is just a continuation of the Chinese smishing groups rotating from package redelivery schemes to toll road scams," Merrill said. "Every one of us by now is sick and tired of receiving these package smishing attacks, so now it's a new twist on an existing scam."
In October 2023, KrebsOnSecurity wrote about a massive uptick in SMS phishing scams targeting U.S. Postal Service customers. That story revealed the surge was tied to innovations introduced by "Chenlun," a mainland China-based proprietor of a popular phishing kit and service. At the time, Chenlun had just introduced new phishing pages made to impersonate postal services in the United States and at least a dozen other countries.
SMS phishing kits are hardly new, but Merrill said Chinese smishing groups recently have introduced innovations in deliverability, by more seamlessly integrating their spam messages with Apple's iMessage technology, and with RCS, the equivalent "rich text" messaging capability built into Android devices.
"While traditional smishing kits relied heavily on SMS for delivery, nowadays the actors make heavy use of iMessage and RCS because telecom operators can't filter them and they likely have a higher success rate with these delivery channels," he said.
It remains unclear how the phishers have selected their targets, or from where their data may be sourced. A notice from MassDOT cautions that "the targeted phone numbers seem to be chosen at random and are not uniquely associated with an account or usage of toll roads."
Indeed, one reader shared on Mastodon yesterday that they'd received one of these SMS phishing attacks spoofing a local toll operator, when they didn't even own a vehicle.
Targeted or not, these phishing websites are dangerous because they are operated dynamically in real-time by criminals. If you receive one of these messages, just ignore it or delete it, but please do not visit the phishing site. The FBI asks that before you bin the missives, consider filing a complaint with the agency's Internet Crime Complaint Center (IC3), including the phone number where the text originated, and the website listed within the text.
Besieged by scammers seeking to phish user accounts over the telephone, Apple and Google frequently caution that they will never reach out unbidden to users this way. However, new details about the internal operations of a prolific voice phishing gang show the group routinely abuses legitimate services at Apple and Google to force a variety of outbound communications to their users, including emails, automated phone calls and system-level messages sent to all signed-in devices.
Image: Shutterstock, iHaMoo.
KrebsOnSecurity recently told the saga of a cryptocurrency investor named Tony who was robbed of more than $4.7 million in an elaborate voice phishing attack. In Tony's ordeal, the crooks appear to have initially contacted him via Google Assistant, an AI-based service that can engage in two-way conversations. The phishers also abused legitimate Google services to send Tony an email from google.com, and to send a Google account recovery prompt to all of his signed-in devices.
Today's story pivots off of Tony's heist and new details shared by a scammer to explain how these voice phishing groups are abusing a legitimate Apple telephone support line to generate "account confirmation" message prompts from Apple to their customers.
Before we get to the Apple scam in detail, we need to revisit Tony's case. The phishing domain used to steal roughly $4.7 million in cryptocurrencies from Tony was verify-trezor[.]io. This domain was featured in a writeup from February 2024 by the security firm Lookout, which found it was one of dozens being used by a prolific and audacious voice phishing group it dubbed "Crypto Chameleon."
Crypto Chameleon was brazenly trying to voice phish employees at the U.S. Federal Communications Commission (FCC), as well as those working at the cryptocurrency exchanges Coinbase and Binance. Lookout researchers discovered multiple voice phishing groups were using a new phishing kit that closely mimicked the single sign-on pages for Okta and other authentication providers.
As we'll see in a moment, that phishing kit is operated and rented out by a cybercriminal known as "Perm" a.k.a. "Annie." Perm is the current administrator of Star Fraud, one of the more consequential cybercrime communities on Telegram and one that has emerged as a foundry of innovation in voice phishing attacks.
A review of the many messages that Perm posted to Star Fraud and other Telegram channels showed they worked closely with another cybercriminal who went by the handles "Aristotle" and just "Stotle."
It is not clear what caused the rift, but at some point last year Stotle decided to turn on his erstwhile business partner Perm, sharing extremely detailed videos, tutorials and secrets that shed new light on how these phishing panels operate.
Stotle explained that the division of spoils from each robbery is decided in advance by all participants. Some co-conspirators will be paid a set fee for each call, while others are promised a percentage of any overall amount stolen. The person in charge of managing or renting out the phishing panel to others will generally take a percentage of each theft, which in Perm's case is 10 percent.
When the phishing group settles on a target of interest, the scammers will create and join a new Discord channel. This allows each logged on member to share what is currently on their screen, and these screens are tiled in a series of boxes so that everyone can see all other call participant screens at once.
Each participant in the call has a specific role, including:
- The Caller: The person speaking and trying to social engineer the target.
- The Operator: The individual managing the phishing panel, silently moving the victim from page to page.
- The Drainer: The person who logs into compromised accounts to drain the victim's funds.
- The Owner: The phishing panel owner, who will frequently listen in on and participate in scam calls.
In one video of a live voice phishing attack shared by Stotle, scammers using Perm's panel targeted a musician in California. Throughout the video, we can see Perm monitoring the conversation and operating the phishing panel in the upper right corner of the screen.
In the first step of the attack, they peppered the target's Apple device with notifications from Apple by attempting to reset his password. Then a "Michael Keen" called him, spoofing Apple's phone number and saying they were with Apple's account recovery team.
The target told Michael that someone was trying to change his password, which Michael calmly explained they would investigate. Michael said he was going to send a prompt to the man's device, and proceeded to place a call to an automated line that answered as Apple support saying, "I'd like to send a consent notification to your Apple devices. Do I have permission to do that?"
In this segment of the video, we can see the operator of the panel is calling the real Apple customer support phone number 800-275-2273, but they are doing so by spoofing the target's phone number (the victim's number is redacted in the video above). That's because calling this support number from a phone number tied to an Apple account and selecting "1" for "yes" will then send an alert from Apple that displays the following message on all associated devices:
Calling the Apple support number 800-275-2273 from a phone number tied to an Apple account will cause a prompt similar to this one to appear on all connected Apple devices.
KrebsOnSecurity asked two different security firms to test this using the caller ID spoofing service shown in Perm's video, and sure enough calling that 800 number for Apple by spoofing my phone number as the source caused the Apple Account Confirmation to pop up on all of my signed-in Apple devices.
In essence, the voice phishers are using an automated Apple phone support line to send notifications from Apple and to trick people into thinking they're really talking with Apple. The phishing panel video leaked by Stotle shows this technique fooled the target, who felt completely at ease that he was talking to Apple after receiving the support prompt on his iPhone.
"Okay, so this really is Apple," the man said after receiving the alert from Apple. "Yeah, that's definitely not me trying to reset my password."
"Not a problem, we can go ahead and take care of this today," Michael replied. "I'll go ahead and prompt your device with the steps to close out this ticket. Before I do that, I do highly suggest that you change your password in the settings app of your device."
The target said they weren't sure exactly how to do that. Michael replied "no problem," and then described how to change the account password, which the man said he did on his own device. At this point, the musician was still in control of his iCloud account.
"Password is changed," the man said. "I don't know what that was, but I appreciate the call."
"Yup," Michael replied, setting up the killer blow. "I'll go ahead and prompt you with the next step to close out this ticket. Please give me one moment."
The target then received a text message that referenced information about his account, stating that he was in a support call with Michael. Included in the message was a link to a website that mimicked Apple's iCloud login page, 17505-apple[.]com. Once the target navigated to the phishing page, the video showed Perm's screen in the upper right corner opening the phishing page from their end.
"Oh okay, now I log in with my Apple ID?" the man asked.
"Yup, then just follow the steps it requires, and if you need any help, just let me know," Michael replied.
As the victim typed in their Apple password and one-time passcode at the fake Apple site, Perm's screen could be seen in the background logging into the victim's iCloud account.
It's unclear whether the phishers were able to steal any cryptocurrency from the victim in this case, who did not respond to requests for comment. However, shortly after this video was recorded, someone leaked several music recordings stolen from the victim's iCloud account.
At the conclusion of the call, Michael offered to configure the victim's Apple profile so that any further changes to the account would need to happen in person at a physical Apple store. This appears to be one of several scripted ploys used by these voice phishers to gain and maintain the target's confidence.
A tutorial shared by Stotle titled "Social Engineering Script" includes a number of tips for scam callers that can help establish trust or a rapport with their prey. When the callers are impersonating Coinbase employees, for example, they will offer to sign the user up for the company's free security email newsletter.
"Also, for your security, we are able to subscribe you to Coinbase Bytes, which will basically give you updates to your email about data breaches and updates to your Coinbase account," the script reads. "So we should have gone ahead and successfully subscribed you, and you should have gotten an email confirmation. Please let me know if that is the case. Alright, perfect."
In reality, all they are doing is entering the target's email address into Coinbase's public email newsletter signup page, but it's a remarkably effective technique because it demonstrates to the would-be victim that the caller has the ability to send emails from Coinbase.com.
Asked to comment for this story, Apple said there has been no breach, hack, or technical exploit of iCloud or Apple services, and that the company is continuously adding new protections to address new and emerging threats. For example, it said it has implemented rate limiting for multi-factor authentication requests, which have been abused by voice phishing groups to impersonate Apple.
Apple said its representatives will never ask users to provide their password, device passcode, or two-factor authentication code or to enter it into a web page, even if it looks like an official Apple website. If a user receives a message or call that claims to be from Apple, here is what the user should expect.
According to Stotle, the target lists used by their phishing callers originate mostly from a few crypto-related data breaches, including the 2022 and 2024 breaches involving user account data stolen from cryptocurrency hardware wallet vendor Trezor.
Perm's group and other crypto phishing gangs rely on a mix of homemade code and third-party data broker services to refine their target lists. Known as "autodoxers," these tools help phishing gangs quickly automate the acquisition and/or verification of personal data on a target prior to each call attempt.
One "autodoxer" service advertised on Telegram that promotes a range of voice phishing tools and services.
Stotle said their autodoxer used a Telegram bot that leverages hacked accounts at consumer data brokers to gather a wealth of information about their targets, including their full Social Security number, date of birth, current and previous addresses, employer, and the names of family members.
The autodoxers are used to verify that each email address on a target list has an active account at Coinbase or another cryptocurrency exchange, ensuring that the attackers don't waste time calling people who have no cryptocurrency to steal.
Some of these autodoxer tools also will check the value of the target's home address at property search services online, and then sort the target lists so that the wealthiest are at the top.
Stotle's messages on Discord and Telegram show that a phishing group renting Perm's panel voice-phished tens of thousands of dollars worth of cryptocurrency from the billionaire Mark Cuban.
"I was an idiot," Cuban told KrebsOnSecurity when asked about the June 2024 attack, which he first disclosed in a short-lived post on Twitter/X. "We were shooting Shark Tank and I was rushing between pitches."
Image: Shutterstock, ssi77.
Cuban said he first received a notice from Google that someone had tried to log in to his account. Then he got a call from what appeared to be a Google phone number. Cuban said he ignored several of these emails and calls until he decided they probably wouldn't stop unless he answered.
"So I answered, and wasn't paying enough attention," he said. "They asked for the circled number that comes up on the screen. Like a moron, I gave it to them, and they were in."
Unfortunately for Cuban, somewhere in his inbox were the secret "seed phrases" protecting two of his cryptocurrency accounts, and armed with those credentials the crooks were able to drain his funds. All told, the thieves managed to steal roughly $43,000 worth of cryptocurrencies from Cuban's wallets, a relatively small heist for this crew.
"They must have done some keyword searches," once inside his Gmail account, Cuban said. "I had sent myself an email I had forgotten about that had my seed words for 2 accounts that weren't very active any longer. I had moved almost everything but some smaller balances to Coinbase."
Cybercriminals involved in voice phishing communities on Telegram are universally obsessed with their crypto holdings, mainly because in this community one's demonstrable wealth is primarily what confers social status. It is not uncommon to see members sizing one another up using a verbal shorthand of "figs," as in figures of crypto wealth.
For example, a low-level caller with no experience will sometimes be mockingly referred to as a 3fig or 3f, as in a person with less than $1,000 to their name. Salaries for callers are often also referenced this way, e.g. "Weekly salary: 5f."
This meme shared by Stotle uses humor to depict an all-too-common pathway for voice phishing callers, who are often minors recruited from gaming networks like Minecraft and Roblox. The image that Lookout used in its blog post for Crypto Chameleon can be seen in the lower right hooded figure.
Voice phishing groups frequently require new members to provide "proof of funds" (screenshots of their crypto holdings, ostensibly to demonstrate they are not penniless) before they're allowed to join.
This proof of funds (POF) demand is typical among thieves selling high-dollar items, because it tends to cut down on the time-wasting inquiries from criminals who can't afford what's for sale anyway. But it has become so common in cybercrime communities that there are now several services designed to create fake POF images and videos, allowing customers to brag about large crypto holdings without actually possessing said wealth.
Several of the phishing panel videos shared by Stotle feature audio that suggests co-conspirators were practicing responses to certain call scenarios, while other members of the phishing group critiqued them or tried to disrupt their social engineering by being verbally abusive.
These groups will organize and operate for a few weeks, but tend to disintegrate when one member of the conspiracy decides to steal some or all of the loot, referred to in these communities as "snaking" others out of their agreed-upon sums. Almost invariably, the phishing groups will splinter apart over the drama caused by one of these snaking events, and individual members eventually will then re-form a new phishing group.
Allison Nixon is the chief research officer for Unit 221B, a cybersecurity firm in New York that has worked on a number of investigations involving these voice phishing groups. Nixon said the constant snaking within the voice phishing circles points to a psychological self-selection phenomenon that is in desperate need of academic study.
"In short, a person whose moral compass lets them rob old people will also be a bad business partner," Nixon said. "This is another fundamental flaw in this ecosystem and why most groups end in betrayal. This structural problem is great for journalists and the police too. Lots of snitching."
Asked about the size of Perm's phishing enterprise, Stotle said there were dozens of distinct phishing groups paying to use Perm's panel. He said each group was assigned their own subdomain on Perm's main "command and control server," which naturally uses the domain name commandandcontrolserver[.]com.
A review of that domain's history via DomainTools.com shows there are at least 57 separate subdomains scattered across commandandcontrolserver[.]com and two other related control domains, thebackendserver[.]com and lookoutsucks[.]com. That latter domain was created and deployed shortly after Lookout published its blog post on Crypto Chameleon.
The dozens of phishing domains that phone home to these control servers are all kept offline when they are not actively being used in phishing attacks. A social engineering training guide shared by Stotle explains this practice minimizes the chances that a phishing domain will get "redpaged," a reference to the default red warning pages served by Google Chrome or Firefox whenever someone tries to visit a site that's been flagged for phishing or distributing malware.
What's more, while the phishing sites are live, their operators typically place a CAPTCHA challenge in front of the main page to prevent security services from scanning and flagging the sites as malicious.
It may seem odd that so many cybercriminal groups operate so openly on instant collaboration networks like Telegram and Discord. After all, this blog is replete with stories about cybercriminals getting caught thanks to personal details they inadvertently leaked or disclosed themselves.
Nixon said the relative openness of these cybercrime communities makes them inherently risky, but it also allows for the rapid formation and recruitment of new potential co-conspirators. Moreover, today's English-speaking cybercriminals tend to be more afraid of getting home invaded or mugged by fellow cyber thieves than they are of being arrested by authorities.
"The biggest structural threat to the online criminal ecosystem is not the police or researchers, it is fellow criminals," Nixon said. "To protect them from themselves, every criminal forum and marketplace has a reputation system, even though they know it's a major liability when the police come. That is why I am not worried as we see criminals migrate to various 'encrypted' platforms that promise to ignore the police. To protect themselves better against the law, they have to ditch their protections against fellow criminals and that's not going to happen."
Phishing attacks increased nearly 40 percent in the year ending August 2024, with much of that growth concentrated at a small number of new generic top-level domains (gTLDs) – such as .shop, .top, .xyz – that attract scammers with rock-bottom prices and no meaningful registration requirements, new research finds. Meanwhile, the nonprofit entity that oversees the domain name industry is moving forward with plans to introduce a slew of new gTLDs.
A study on phishing data released by Interisle Consulting finds that new gTLDs introduced in the last few years command just 11 percent of the market for new domains, but accounted for roughly 37 percent of cybercrime domains reported between September 2023 and August 2024.
Interisle was sponsored by several anti-spam organizations, including the Anti-Phishing Working Group (APWG), the Coalition Against Unsolicited Commercial Email (CAUCE), and the Messaging, Malware, and Mobile Anti-Abuse Working Group (M3AAWG).
The study finds that while .com and .net domains made up approximately half of all domains registered in the past year (more than all of the other TLDs combined) they accounted for just over 40 percent of all cybercrime domains. Interisle says an almost equal share – 37 percent – of cybercrime domains were registered through new gTLDs.
Spammers and scammers gravitate toward domains in the new gTLDs because these registrars tend to offer cheap or free registration with little to no account or identity verification requirements. For example, among the gTLDs with the highest cybercrime domain scores in this year's study, nine offered registration fees for less than $1, and nearly two dozen offered fees of less than $2.00. By comparison, the cheapest price identified for a .com domain was $5.91.
Currently, there are around 2,500 registrars authorized to sell domains by the Internet Corporation for Assigned Names and Numbers (ICANN), the California nonprofit that oversees the domain industry.
The top 5 new gTLDs, ranked by cybercrime domains reported. Image: Interisle Cybercrime Supply Chain 2014.
Incredibly, despite years of these reports showing phishers heavily abusing new gTLDs, ICANN is shuffling forward on a plan to introduce even more of them. ICANN's proposed next round envisions accepting applications for new gTLDs in 2026.
John Levine is author of the book โThe Internet for Dummiesโ and president of CAUCE. Levine said adding more TLDs without a much stricter registration policy will likely further expand an already plentiful greenfield for cybercriminals.
"The problem is that ICANN can't make up their mind whether they are the neutral nonprofit regulator or just the domain speculator trade association," Levine told KrebsOnSecurity. "But they act a lot more like the latter."
Levine said the vast majority of new gTLDs have a few thousand domains – a far cry from the number of registrations they would need just to cover the up-front costs of operating a new gTLD (~$180,000-$300,000). New gTLD registrars can quickly attract customers by selling domains cheaply to customers who buy domains in bulk, but that tends to be a losing strategy.
"Selling to criminals and spammers turns out to be lousy business," Levine said. "You can charge whatever you want on the first year, but you have to charge list price on domain renewals. And criminals and spammers never renew. So if it sounds like the economics makes no sense it's because the economics makes no sense."
In virtually all previous spam reports, Interisle found the top brands referenced in phishing attacks were the largest technology companies, including Apple, Facebook, Google and PayPal. But this past year, Interisle found the U.S. Postal Service was by far the most-phished entity, with more than four times the number of phishing domains as the second most-frequent target (Apple).
At least some of that increase is likely from a prolific cybercriminal using the nickname Chenlun, who has been selling phishing kits targeting domestic postal services in the United States and at least a dozen other countries.
Interisle says an increasing number of phishers are eschewing domain registrations altogether, and instead taking advantage of subdomain providers like blogspot.com, pages.dev, and weebly.com. The report notes that cyberattacks hosted at subdomain provider services can be tough to mitigate, because only the subdomain provider can disable malicious accounts or take down malicious web pages.
"Any action upstream, such as blocking the second-level domain, would have an impact across the provider's whole customer base," the report observes.
Interisle tracked more than 1.18 million instances of subdomains used for phishing in the past year (a 114 percent increase), and found more than half of those were subdomains at blogspot.com and other services operated by Google.
"Many of these services allow the creation of large numbers of accounts at one time, which is highly exploited by criminals," the report concludes. "Subdomain providers should limit the number of subdomains (user accounts) a customer can create at one time and suspend automated, high-volume automated account sign-ups – especially using free services."
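The report's point about subdomain providers has a practical consequence for anyone handling phishing reports: a page at a provider like blogspot.com can only be disabled by that provider, while a domain the phisher registered can be suspended at the registrar. The following is an added example (not Interisle's or any report's own tooling) that sorts reported URLs accordingly and defangs them for a report. The public-suffix set, the sample URLs and everything except the three provider names quoted from the report are constructed for the demonstration; a real tool would load the full Public Suffix List.

```python
"""Decide who can actually take a reported phishing URL down.

Added example; not Interisle's or any report's tooling. A tiny constructed
stand-in for the Public Suffix List and a short list of subdomain providers
(names from the report text) separate pages hosted on a provider's account
from domains the phisher registered.
"""
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "dev", "co.uk", "shop", "top", "xyz"}

# Services where only the provider can disable the account or page.
SUBDOMAIN_PROVIDERS = {"blogspot.com", "pages.dev", "weebly.com"}

# Constructed sample reports (not real phishing URLs).
SAMPLE_URLS = [
    "https://acct123.blogspot.com/usps-redelivery",
    "https://track-parcel.pages.dev/",
    "usps-redelivery-fee.shop/track",
    "http://login.secure-bank-alerts.xyz/verify",
]


def apex_domain(host):
    """Label directly below the longest matching public suffix, e.g.
    'acct123.blogspot.com' -> 'blogspot.com', 'a.b.co.uk' -> 'b.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels)


def defang(text):
    """Make a URL or host non-clickable for inclusion in a report."""
    return text.replace("http", "hxxp").replace(".", "[.]")


def triage(url):
    """Route one reported URL to the party that can act on it."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    apex = apex_domain(host)
    if apex in SUBDOMAIN_PROVIDERS:
        # The phisher only holds an account here; the provider must act,
        # and blocking the apex would hit every customer of that provider.
        return {
            "host": defang(host),
            "actionable_unit": defang(host),
            "report_to": "subdomain provider",
            "note": "blocking " + defang(apex) + " would affect the provider's whole customer base",
        }
    # A domain the phisher registered: the registrar or host can suspend it.
    return {
        "host": defang(host),
        "actionable_unit": defang(apex),
        "report_to": "registrar or hosting provider",
        "note": "registered domain; suspension at the registrar takes down the whole host",
    }


def summarize(urls):
    """Count where the reports need to go."""
    counts = {}
    for url in urls:
        dest = triage(url)["report_to"]
        counts[dest] = counts.get(dest, 0) + 1
    return counts


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(triage(url))
    print(summarize(SAMPLE_URLS))
```

The apex lookup walks from the longest candidate suffix to the shortest so that multi-label suffixes such as co.uk are handled before the bare TLD; with the real Public Suffix List the same loop works unchanged.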
Dec. 4, 10:21 a.m. ET: Corrected link to report.
A number of cybercriminal innovations are making it easier for scammers to cash in on your upcoming travel plans. This story examines a recent spear-phishing campaign that ensued when a California hotel had its booking.com credentials stolen. We'll also explore an array of cybercrime services aimed at phishers who target hotels that rely on the world's most visited travel website.
According to the market share website statista.com, booking.com is by far the Internetโs busiest travel service, with nearly 550 million visits in September. KrebsOnSecurity last week heard from a reader whose close friend received a targeted phishing message within the Booking mobile app just minutes after making a reservation at a California hotel.
The missive bore the name of the hotel and referenced details from their reservation, claiming that booking.com's anti-fraud system required additional information about the customer before the reservation could be finalized.
The phishing message our reader's friend received after making a reservation at booking.com in late October.
In an email to KrebsOnSecurity, booking.com confirmed one of its partners had suffered a security incident that allowed unauthorized access to customer booking information.
"Our security teams are currently investigating the incident you mentioned and can confirm that it was indeed a phishing attack targeting one of our accommodation partners, which unfortunately is not a new situation and quite common across industries," booking.com replied. "Importantly, we want to clarify that there has been no compromise of Booking.com's internal systems."
The phony booking.com website generated by visiting the link in the text message.
Booking.com said it now requires 2FA, which forces partners to provide a one-time passcode from a mobile authentication app (Pulse) in addition to a username and password.
"2FA is required and enforced, including for partners to access payment details from customers securely," a booking.com spokesperson wrote. "That's why the cybercriminals follow up with messages to try and get customers to make payments outside of our platform."
"That said, the phishing attacks stem from partners' machines being compromised with malware, which has enabled them to also gain access to the partners' accounts and to send the messages that your reader has flagged," they continued.
It's unclear, however, if the company's 2FA requirement is enforced for all or just newer partners. Booking.com did not respond to questions about that, and its current account security advice urges customers to enable 2FA.
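The 2FA described above pairs a password with a one-time passcode from an authenticator app. As an added illustration of why a stolen password alone does not get the thief in, here is a generic time-based one-time password (TOTP, RFC 6238) check, which is how most authenticator apps derive their six-digit codes. This is example code, not Booking.com's Pulse app or any of its systems; the shared secret is the RFC 6238 test-vector secret, and the user record and password are constructed.

```python
"""Generic TOTP (RFC 6238) generation and server-side verification.

Added example; not Booking.com's Pulse app or code. SECRET is the RFC 6238
test-vector secret and USER is a constructed account record.
"""
import hashlib
import hmac
import struct
import time

SECRET = b"12345678901234567890"  # RFC 6238 test secret (constructed sample)
STEP = 30                         # seconds each code is valid
DIGITS = 6

# Constructed account record: password plus the enrolled authenticator secret.
USER = {"password": "hunter2", "secret": SECRET, "last_counter": -1}


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=STEP):
    """What the authenticator app shows at Unix time `at`."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step))


def verify(secret, submitted, at, last_counter=-1, window=1, step=STEP):
    """Return the matched time-step counter, or None.

    One step of clock skew either side is tolerated. Counters at or before
    `last_counter` are refused, so a code captured by malware or a phishing
    page cannot be replayed once it has been used.
    """
    counter = int(at // step)
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate
    return None


def login(password, code, at, user=USER):
    """Password and a fresh one-time code are both required."""
    if not hmac.compare_digest(password, user["password"]):
        return False
    matched = verify(user["secret"], code, at, user["last_counter"])
    if matched is None:
        return False
    user["last_counter"] = matched  # remember the step so the code cannot be reused
    return True


if __name__ == "__main__":
    now = time.time()
    print("app shows:", totp(SECRET, now))
    print("password only:", login("hunter2", "000000", now))
    print("password + code:", login("hunter2", totp(SECRET, now), now))
```

Note that the replay guard lives on the server side: an authenticator app never needs to know which codes have been consumed, so a provider enforcing 2FA should track the last accepted time step per account.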
A scan of social media networks showed this is not an uncommon scam.
In November 2023, the security firm SecureWorks detailed how scammers targeted booking.com hospitality partners with data-stealing malware. SecureWorks said these attacks had been going on since at least March 2023.
"The hotel did not enable multi-factor authentication (MFA) on its Booking.com access, so logging into the account with the stolen credentials was easy," SecureWorks said of the booking.com partner it investigated.
In June 2024, booking.com told the BBC that phishing attacks targeting travelers had increased 900 percent, and that thieves taking advantage of new artificial intelligence (AI) tools were the primary driver of this trend.
Booking.com told the BBC the company had started using AI to fight AI-based phishing attacks. Booking.com's statement said their investments in that arena "blocked 85 million fraudulent reservations over more than 1.5 million phishing attempts in 2023."
The domain name in the phony booking.com website sent to our reader's friend – guestssecureverification[.]com – was registered to the email address ilotirabec207@gmail.com. According to DomainTools.com, this email address was used to register more than 700 other phishing domains in the past month alone.
Many of the 700+ domains appear to target hospitality companies, including platforms like booking.com and Airbnb. Others seem crafted to phish users of Shopify, Steam, and a variety of financial platforms. A full, defanged list of domains is available here.
A cursory review of recent posts across dozens of cybercrime forums monitored by the security firm Intel 471 shows there is a great demand for compromised booking.com accounts belonging to hotels and other partners.
One post last month on the Russian-language hacking forum BHF offered up to $5,000 for each hotel account. This seller claims to help people monetize hacked booking.com partners, apparently by using the stolen credentials to set up fraudulent listings.
A service advertised on the English-language crime community BreachForums in October courts phishers who may need help with certain aspects of their phishing campaigns targeting booking.com partners. Those include more than two million hotel email addresses, and services designed to help phishers organize large volumes of phished records. Customers can interact with the service via an automated Telegram bot.
Some cybercriminals appear to have used compromised booking.com accounts to power their own travel agencies catering to fellow scammers, with up to 50 percent discounts on hotel reservations through booking.com. Others are selling ready-to-use "config" files designed to make it simple to conduct automated login attempts against booking.com administrator accounts.
SecureWorks found the phishers targeting booking.com partner hotels used malware to steal credentials. But today's thieves can just as easily visit crime bazaars online and purchase stolen credentials to cloud services that do not enforce 2FA for all accounts.
That is exactly what transpired over the past year with many customers of the cloud data storage giant Snowflake. In late 2023, cybercriminals figured out that while tons of companies had stashed enormous amounts of customer data at Snowflake, many of those customer accounts were not protected by 2FA.
Snowflake responded by making 2FA mandatory for all new customers. But that change came only after thieves used stolen credentials to siphon data from 160 companies – including AT&T, Lending Tree and TicketMaster.
Phishing attacks have all kinds of lures. And many are so tried and true that it makes them easy to spot.
The target of a phishing attack is you. More specifically, your personal info and your money. Whether a scammer reaches out by email, with a text, or through a direct message, that's what they're after. And with a link, they whisk you off to a sketchy site designed to take them from you.
Just how much phishing is going on? To date, we've identified more than half a billion malicious sites out there. A number that grows daily. Because these attacks often succeed. One big reason why – they play on people's emotions.
Phishing attacks always involve a form of "social engineering," which is an academic way of saying that scammers use manipulation in their attacks. Commonly, scammers pretend to be a legitimate person or business.
You can get a better idea of how this works by learning about some of the most popular scams circulating today:
The CEO Scam
This scam appears as an email from a leader in your organization, asking for highly sensitive info like company accounts, employee salaries, and Social Security numbers. The hackers "spoof," or fake, the boss's email address so it looks like a legitimate internal company email. That's what makes this scam so convincing – the lure is that you want to do your job and please your boss. But keep this scam in mind if you receive an email asking for confidential or highly sensitive info. Ask the apparent sender directly whether the request is real before acting.
The Urgent Email Attachment
Phishing emails that try to trick you into downloading a dangerous attachment that can infect your computer and steal your private info have been around for a long time. This is because they work. You've probably received emails asking you to download attachments confirming a package delivery, trip itinerary, or prize. They might urge you to "respond immediately!" The lure here is offering you something you want and invoking a sense of urgency to get you to click.
The "Lucky" Text or Email
How fortunate! You've won a free gift, an exclusive service, or a great deal on a trip to Las Vegas. Just remember, whatever "limited time offer" you're being sold, it's probably a phishing scam designed to get you to give up your credit card number or identity info. The lure here is something free or exciting at what appears to be little or no cost to you.
The Romance Scam
This one can happen completely online, over the phone, or in person after contact is established. But the romance scam always starts with someone supposedly looking for love. The scammer often puts a phony ad online or poses as a friend-of-a-friend on social media and contacts you directly. But what starts as the promise of love or partnership, often leads to requests for money or pricey gifts. The scammer will sometimes spin a hardship story, saying they need to borrow money to come visit you or pay their phone bill so they can stay in touch. The lure here is simple – love and acceptance.
While you can't outright stop phishing attacks from making their way to your computer or phone, you can do several things to keep yourself from falling for them. Further, you can do other things that might make it more difficult for scammers to reach you.
The content and the tone of the message can tell you quite a lot. Threatening messages or ones that play on fear are often phishing attacks, such as angry messages from a so-called tax agent looking to collect back taxes. Other messages will lean heavily on urgency, like a phony overdue payment notice. And during the holidays, watch out for loud, overexcited messages about deep discounts on hard-to-find items. Instead of linking you to a proper e-commerce site, they might link you to a scam shopping site that does nothing but steal your money and the account info you used to pay them. In all, phishing attacks indeed smell fishy. Slow down and review that message with a critical eye. It might tip you off to a scam.
Some phishing attacks can look rather convincing. So much so that you'll want to follow up on them, like if your bank reports irregular activity on your account or a bill appears to be past due. In these cases, don't click on the link in the message. Go straight to the website of the business or organization in question and access your account from there. Likewise, if you have questions, you can always reach out to their customer service number or web page.
When scammers contact you via social media, that can be a tell-tale sign of a scam. Consider, would an income tax collector contact you over social media? The answer there is no. For example, in the U.S. the Internal Revenue Service (IRS) makes it clear that they will never contact taxpayers via social media. (Let alone send angry, threatening messages.) In all, legitimate businesses and organizations don't use social media as a channel for official communications. They have established ways they will, and will not, contact you. If you have any doubts about a communication you received, contact the business or organization in question directly. Follow up with one of their customer service representatives.
Some phishing attacks involve attachments packed with malware, like ransomware, viruses, and keyloggers. If you receive a message with such an attachment, delete it. Even if you receive an email with an attachment from someone you know, follow up with that person. Particularly if you weren't expecting an attachment from them. Scammers often hijack or spoof email accounts of everyday people to spread malware.
On computers and laptops, you can hover your cursor over links without clicking on them to see the web address. Take a close look at the addresses the message is using. If it's an email, look at the email address. Maybe the address doesn't match the company or organization at all. Or maybe it looks like it almost does, yet it adds a few letters or words to the name. This marks yet another sign that you might have a phishing attack on your hands. Scammers also use the common tactic of a link shortener, which creates links that almost look like strings of indecipherable text. These shortened links mask the true address, which might indeed be a link to a scam site. Delete the message. If possible, report it. Many social media platforms and messaging apps have built-in controls for reporting suspicious accounts and messages.
On social media and messaging platforms, stick to following, friending, and messaging people who you really know. As for those people who contact you out of the blue, be suspicious. Sad to say, they're often scammers canvassing these platforms for victims. Better yet, where you can, set your profile to private, which makes it more difficult for scammers to select and stalk you for an attack.
How'd that scammer get your phone number or email address anyway? Chances are, they pulled that info off a data broker site. Data brokers buy, collect, and sell detailed personal info, which they compile from several public and private sources, such as local, state, and federal records, plus third parties like supermarket shopper's cards and mobile apps that share and sell user data. Moreover, they'll sell it to anyone who pays for it, including people who'll use that info for scams. You can help reduce those scam texts and calls by removing your info from those sites. Our Personal Data Cleanup scans some of the riskiest data broker sites and shows you which ones are selling your personal info.
Online protection software can protect you in several ways. First, it can offer web protection features that can identify malicious links and downloads, which can help prevent clicking them. Further, features like our web protection can steer you away from dangerous websites and block malware and phishing sites if you accidentally click on a malicious link. Additionally, our Scam Protection feature warns you of sketchy links in emails, texts, and messages. And overall, strong virus and malware protection can further block any attacks on your devices. Be sure to protect your smartphones in addition to your computers and laptops as well, particularly given all the sensitive things we do on them, like banking, shopping, and booking rides and travel.
The post How to Spot Phishing Lures appeared first on McAfee Blog.
How do you recognize phishing emails and texts? Even as many of the scammers behind them have made their attacks more sophisticated, you can still pick out telltale signs.
Common to them all, every phishing attack is a cybercrime that aims to steal your sensitive info. Personal info. Financial info. Other attacks go right for your wallet by selling bogus goods or pushing phony charities.
You'll find scammers posing as major corporations, friends, business associates, and more. They might try to trick you into providing info like website logins, credit and debit card numbers, and even precious personal info like your Social Security Number.
Phishing scammers often undo their own plans by making simple mistakes that are easy to spot once you know how to recognize them. Check for the following signs of phishing when you open an email or check a text:
It's poorly written.
Even the biggest companies sometimes make minor errors in their communications. Phishing messages often contain grammatical errors, spelling mistakes, and other blatant errors that major corporations wouldn't make. If you see glaring grammatical errors in an email or text that asks for your personal info, you might be the target of a phishing scam.
The logo doesn't look right.
Phishing scammers often steal the logos of the businesses they impersonate. However, they don't always use them correctly. The logo in a phishing email or text might have the wrong aspect ratio or low resolution. If you have to squint to make out the logo in a message, the chances are that it's phishing.
The URL doesn't match.
Phishing always centers around links that you're supposed to click or tap. Here are a few ways to check whether a link someone sent you is legitimate:
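The link checks described in the earlier "hover over links" paragraph and in this "URL doesn't match" sign can be automated for a whole message. The following is an added example, not McAfee's code: it extracts each link's visible text and real destination (what hovering would reveal), flags visible text that claims one site while the link goes to another, flags a brand name buried in a host that is not the brand's own domain, and flags link shorteners that hide the destination. The brand map, shortener list and sample message are constructed for the demonstration.

```python
"""Inspect the links in a message the way the advice above describes.

Added example, not McAfee's code. BRANDS, SHORTENERS and SAMPLE_HTML are
constructed for the demonstration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: brand names and the domain that legitimately serves them.
BRANDS = {"paypal": "paypal.com", "mcafee": "mcafee.com"}
# A few widely used shorteners; real lists are much longer.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

# Constructed sample message, not a real phishing email.
SAMPLE_HTML = """
<p>Your PayPal account has been limited.</p>
<a href="http://paypal.com.account-review.net/login">https://www.paypal.com/</a>
<a href="https://bit.ly/3abcde">Confirm now</a>
<a href="https://www.paypal.com/help">Help Center</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs, i.e. what hovering would show."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Lower-cased host name of a URL, tolerating a missing scheme."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


def assess(href, text):
    """Return the reasons a link looks suspicious (empty list if none)."""
    reasons = []
    host = host_of(href)
    if host in SHORTENERS:
        reasons.append("link shortener hides the real destination")
    # Visible text that looks like a URL but leads somewhere else.
    if re.match(r"^(https?://|www\.)", text, re.I) and host_of(text) != host:
        reasons.append(f"text shows {host_of(text)} but link goes to {host}")
    # Brand name buried in a host that is not the brand's own domain
    # (e.g. paypal.com.account-review.net or secure-paypal-login.com).
    for brand, real in BRANDS.items():
        if brand in host and host != real and not host.endswith("." + real):
            reasons.append(f"host mentions {brand} but is not {real}")
    return reasons


def scan(html):
    """Map every link in the message to its list of warnings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: assess(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, reasons in scan(SAMPLE_HTML).items():
        print(href, "->", reasons or "looks consistent")
```

The brand check deliberately compares the whole host against the brand's registered domain rather than searching for the name anywhere in the URL, which is exactly the trick the "adds a few letters or words to the name" advice warns about.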
You can also spot a phishing attack when you know what some of the most popular scams are:
The CEO Scam
This scam appears as an email from a leader in your organization, asking for highly sensitive info like company accounts, employee salaries, and Social Security numbers. The hackers "spoof," or fake, the boss's email address so it looks like a legitimate internal company email. That's what makes this scam so convincing – the lure is that you want to do your job and please your boss. But keep this scam in mind if you receive an email asking for confidential or highly sensitive info. Ask the apparent sender directly whether the request is real before acting.
The Urgent Email Attachment
Phishing emails that try to trick you into downloading a dangerous attachment that can infect your computer and steal your private info have been around for a long time. This is because they work. You've probably received emails asking you to download attachments confirming a package delivery, trip itinerary, or prize. They might urge you to "respond immediately!" The lure here is offering you something you want and invoking a sense of urgency to get you to click.
The "Lucky" Text or Email
How fortunate! You've won a free gift, an exclusive service, or a great deal on a trip to Las Vegas. Just remember, whatever "limited time offer" you're being sold, it's probably a phishing scam designed to get you to give up your credit card number or identity info. The lure here is something free or exciting at what appears to be little or no cost to you.
The Romance Scam
This one can happen completely online, over the phone, or in person after contact is established. But the romance scam always starts with someone supposedly looking for love. The scammer often puts a phony ad online or poses as a friend-of-a-friend on social media and contacts you directly. But what starts as the promise of love or partnership, often leads to requests for money or pricey gifts. The scammer will sometimes spin a hardship story, saying they need to borrow money to come visit you or pay their phone bill so they can stay in touch. The lure here is simple – love and acceptance.
Account Suspended Scam
Some phishing emails appear to notify you that your bank temporarily suspended your account due to unusual activity. If you receive an account suspension email from a bank that you haven't opened an account with, delete it immediately, and don't look back. Suspended account phishing emails from banks you do business with, however, are harder to spot. Use the methods we listed above to check the email's integrity, and if all else fails, contact your bank directly instead of opening any links within the email you received.
While you can't outright stop phishing attacks from making their way to your computer or phone, you can do several things to keep yourself from falling for them. Further, you can do other things that might make it more difficult for scammers to reach you.
The content and the tone of the message can tell you quite a lot. Threatening messages or ones that play on fear are often phishing attacks, such as angry messages from a so-called tax agent looking to collect back taxes. Other messages will lean heavily on urgency, like a phony overdue payment notice. And during the holidays, watch out for loud, overexcited messages about deep discounts on hard-to-find items. Instead of linking you off to a proper e-commerce site, they might link you to a scam shopping site that does nothing but steal your money and the account info you used to pay them. In all, phishing attacks indeed smell fishy. Slow down and review that message with a critical eye. It might tip you off to a scam.
Some phishing attacks can look rather convincing. So much so that you'll want to follow up on them, like if your bank reports irregular activity on your account or a bill appears to be past due. In these cases, don't click on the link in the message. Go straight to the website of the business or organization in question and access your account from there. Likewise, if you have questions, you can always reach out to their customer service number or web page.
Some phishing attacks occur in social media messengers. When you get direct messages, consider the source. Consider, would an income tax collector contact you over social media? The answer there is no. For example, in the U.S. the Internal Revenue Service (IRS) makes it clear that they will never contact taxpayers via social media. (Let alone send angry, threatening messages.) In all, legitimate businesses and organizations don't use social media as a channel for official communications. They have established ways they will, and will not, contact you. If you have any doubts about a communication you received, contact the business or organization in question directly. Follow up with one of their customer service representatives.
Some phishing attacks involve attachments packed with malware, like ransomware, viruses, and keyloggers. If you receive a message with such an attachment, delete it. Even if you receive an email with an attachment from someone you know, follow up with that person. Particularly if you weren't expecting an attachment from them. Scammers often hijack or spoof email accounts of everyday people to spread malware.
How'd that scammer get your phone number or email address anyway? Chances are, they pulled that info off a data broker site. Data brokers buy, collect, and sell detailed personal info, which they compile from several public and private sources, such as local, state, and federal records, plus third parties like supermarket shopper's cards and mobile apps that share and sell user data. Moreover, they'll sell it to anyone who pays for it, including people who'll use that info for scams. You can help reduce those scam texts and calls by removing your info from those sites. Our Personal Data Cleanup scans some of the riskiest data broker sites and shows you which ones are selling your personal info.
Online protection software can protect you in several ways. First, it can offer web protection features that can identify malicious links and downloads, which can help prevent clicking them. Further, features like our web protection can steer you away from dangerous websites and block malware and phishing sites if you accidentally click on a malicious link. Additionally, our Scam Protection feature warns you of sketchy links in emails, texts, and messages. And overall, strong virus and malware protection can further block any attacks on your devices. Be sure to protect your smartphones in addition to your computers and laptops as well, particularly given all the sensitive things we do on them, like banking, shopping, and booking rides and travel.
The post How to Recognize a Phishing Email appeared first on McAfee Blog.
Whether it tags along via a smartphone, laptop, tablet, or wearable, it seems like the internet follows us wherever we go nowadays. Yet there's something else that follows us around as well – a growing body of personal info that we create while banking, shopping, and simply browsing the internet. And no doubt about it, our info is terrifically valuable.
What makes it so valuable? It's no exaggeration to say that your personal info is the key to your digital life, along with your financial and civic life as well. Aside from using it to create accounts and logins, it's further tied to everything from your bank accounts and credit cards to your driver's license and your tax refund.
Needless to say, your personal info is something that needs protecting, so let's check out several ways you can do just that.
What is personal info? It's info about you that others can use to identify you either directly or indirectly. Thus, that info could identify you on its own. Or it could identify you when it's linked to other identifiers, like the ones linked with the devices, apps, tools, and protocols you use.
A prime example of direct personal info is your tax ID number because it's unique and directly tied to your name. Further instances include your facial image to unlock your smartphone, your medical records, your finances, and your phone number because each of these can be easily linked back to you.
Then there are those indirect pieces of personal info that act as helpers. While they might not identify you on their own, a few of them can when they're added together. These helpers include things like internet protocol addresses, the unique device ID of your smartphone, or other identifiers such as radio frequency identification tags.
You can also find pieces of your personal info in the accounts you use, like your Google or Apple IDs, which can be linked to your name, your email address, and the apps you have. You'll also find it in the apps you use. For example, there's personal info in the app you use to map your walks and runs, because the combination of your smartphone's unique device ID and GPS tracking can be used in conjunction with other info to identify who you are. Not to mention where you typically like to do your 5k hill days. The same goes for messenger apps, which can collect how you interact with others, how often you use the app, and your location info based on your IP address, GPS info, or both.
In all, there's a cloud of personal info that follows us around as we go about our day online. Some wisps of that cloud are more personally identifying than others. Yet gather enough of it, and your personal info can create a high-resolution snapshot of you – who you are, what you're doing, when you're doing it, and even where you're doing it, too – particularly if it gets into the wrong hands.
Remember Pig-Pen, the character straight from the old funny pages of Charles Schulz's Charlie Brown? He's hard to forget with that ever-present cloud of dust following him around. Charlie Brown once said, "He may be carrying the soil that was trod upon by Solomon or Nebuchadnezzar or Genghis Khan!" It's the same with us and our personal info, except the cloud surrounding us isn't the dust of kings and conquerors. It's made up of motes of info that are of tremendously high value to crooks and bad actors – whether for purposes of identity theft or invasion of privacy.
With all the personal info we create and share on the internet, protecting it is essential. Otherwise, our personal info could fall into the hands of a hacker or identity thief and end up getting abused, in potentially painful and costly ways.
Here are several things you can do to help ensure that what's private stays that way:
Square One is to protect your devices with comprehensive online protection software. This defends you against the latest virus, malware, spyware, and ransomware attacks plus further protects your privacy and identity. Also, it can provide strong password protection by generating and automatically storing complex passwords to keep your credentials safer from hackers and crooks who might try to force their way into your accounts.
Further, security software can also include a firewall that blocks unwanted traffic from entering your home network, such as an attacker poking around for network vulnerabilities so that they can "break in" to your computer and steal info.
Also known as a virtual private network, a VPN helps protect your vital personal info and other data with bank-grade encryption. The VPN encrypts your internet connection to keep your online activity private on any network, even public networks. Using a public network without a VPN can increase your risk because others on the network can potentially spy on your browsing and activity.
If you're new to the notion of using a VPN, check out this article on VPNs and how to choose one so that you can get the best protection and privacy possible. (Our McAfee+ plans offer a VPN as part of your subscription.)
In the U.S., the Social Security Number (SSN) is one of the most prized pieces of personal info as it unlocks the door to employment, finances, and much more. First up, keep a close grip on it. Literally. Store your card in a secure location. Not your purse or wallet.
Certain businesses and medical practices might ask you for your SSN for billing purposes and the like. You don't have to provide it (although some businesses could refuse service if you don't), and you can always ask if they will accept some alternative form of info. However, there are a handful of instances where an SSN is a requirement. These include:
Be aware that hackers often get a hold of SSNs because the organization holding that info gets hacked or compromised itself. Minimizing how often you provide your SSN can offer an extra degree of protection.
Protecting your files with encryption is a core concept in data and info security, and thus it's a powerful way to protect your personal info. It involves transforming data or info into code that requires a digital key to access it in its original, unencrypted format. For example, McAfee+ includes File Lock, which is our file encryption feature that lets you lock important files in secure digital vaults on your device.
Additionally, you can delete sensitive files with an application such as McAfee Shredder, which securely deletes files so that thieves can't access them. (Quick fact: deleting files in your trash doesn't delete them in the truest sense. They're still there until they're "shredded" or otherwise overwritten such that they can't be restored.)
Which Marvel Universe superhero are you? Does it really matter? After all, such quizzes and social media posts are often grifting pieces of your personal info in a seemingly playful way. While you're not giving up your SSN, you might be giving up things like your birthday, your pet's name, your first car...things that people often use to compose their passwords or use as answers to common security questions on banking and financial sites. The one way to pass this kind of quiz is not to take it!
A far more direct form of separating you from your personal info is phishing attacks. Posing as emails from known or trusted brands, financial institutions, or even a friend or family member, a scammer's attack will try to trick you into sharing important info like your logins, account numbers, credit card numbers, and so on under the guise of providing customer service.
How do you spot such emails? Well, it's getting a little tougher nowadays because scammers are getting more sophisticated and can make their phishing emails look increasingly legitimate. Even more so with AI tools. However, there are several ways you can spot a phishing email and phony websites. Moreover, our McAfee Scam Protection can do it for you.
You can take two steps to help protect your personal info from being at risk via social media. One, think twice about what you share in that post or photo — like the location of your child's school or the license plate on your car. Two, set your profile to private so that only friends can see it. Social media platforms like Facebook, Instagram, and others give you the option of making your profile and posts visible to friends only. Choosing this setting keeps the broader internet from seeing what you're doing, saying, and posting, which can help protect your privacy and gives a scammer less info to exploit. Using our Social Privacy Manager can make that even easier. With only a few clicks, it can adjust more than 100 privacy settings across your social media accounts — making them more private as a result.
The "S" stands for secure. Any time you're shopping, banking, or sharing any kind of personal info, look for "https" at the start of the web address. Some browsers also indicate HTTPS by showing a small "lock" icon. Doing otherwise on plain HTTP sites exposes your personal info for anyone who cares to monitor that site for unsecured connections.
By locking your devices, you protect yourself that much better from personal info and data theft in the event your device is lost, stolen, or even left unattended for a short stretch. Use your password, PIN, facial recognition, thumbprint ID, what have you. Just lock your stuff. In the case of your smartphones, read up on how you can locate your phone or even wipe it remotely if you need to. Apple provides iOS users with a step-by-step guide for remotely wiping devices, and Google offers up a guide for Android users as well.
Theft of your personal info can lead to credit cards and other accounts being opened falsely in your name. What's more, it can take some time before you even become aware of it, such as when your credit score takes a hit or a bill collector comes calling. By checking your credit, you can fix any issues that come up, as companies typically have a clear-cut process for contesting any fraud. You can get a free credit report in the U.S. via the Federal Trade Commission (FTC) and likewise, other nations like the UK have similar free offerings as well.
Consider identity theft protection as well. A strong identity theft protection package pairs well with keeping track of your credit and offers cyber monitoring that scans the dark web to detect misuse of your personal info. With our identity protection service, we help relieve the burden of identity theft if the unfortunate happens to you with $2M coverage for lawyer fees, travel expenses, lost wages, and more.
The post How to Protect Your Personal Info appeared first on McAfee Blog.
If you want to protect your identity, finances, and privacy online, you have a pretty powerful tool at hand. It's online protection software. Today's protection is built to get that job done.
For starters, online protection has evolved tremendously over recent years, making it more comprehensive than ever. It goes far beyond antivirus. And it protects more than your devices. It protects you. Your identity. Your finances. Your privacy.
Given how much of daily life has shifted to our computers and phones, like our finances and shopping, there's a strong case for getting comprehensive online protection in place.
Granted, we're an online protection company. And of course, we hope you'll give our protection like McAfee+ a close look. With that, a quick rundown of what it can do for you and your identity, finances, and privacy helps. In all, it shows just how comprehensive this protection gets.
This form of protection starts with Identity Monitoring. It checks the dark web for your personal info, including email, government IDs, credit card and bank account numbers, and more. If any of it shows up on the dark web, it sends you an alert with guidance that can help protect you from identity theft.
Should the unexpected happen, our Identity Theft Coverage & Restoration can get you on the path to recovery. It offers up to $2 million in coverage for legal fees, travel, and funds lost because of identity theft. Further, a licensed recovery pro can do the work for you, taking the necessary steps to repair your identity and credit.
Another way identity thieves get what they want is through scam texts, emails, and messages. You can keep clear of their shady links with our new AI-powered Scam Protection. It automatically detects links that can send you to scam sites and other destinations that steal personal info. If you accidentally click? Don't worry, we can block risky sites if you click on a suspicious link in texts, emails, social media, and more.
As you conduct so many of your finances online, it only makes sense that you can keep tabs on them just as easily. Features like our Credit Monitoring keep an eye on changes to your credit score, report, and accounts with timely notifications and guidance so you can take action to tackle identity theft.
And if you spot something out of the ordinary, our Security Freeze can quickly stop unauthorized access. It freezes credit card, bank, and utility accounts and prevents thieves from opening new ones in your name.
Rounding things out, you also have transaction monitoring features. They track transactions on credit cards and bank accounts — shooting you a notice if unusual activity occurs. They also track retirement accounts, investments, and loans for questionable transactions. Finally, further features can help prevent a bank account takeover and keep others from taking out short-term payday loans in your name.
Several features get the job done. Our Social Privacy Manager helps you adjust more than 100 privacy settings across your social media accounts in only a few clicks. This way, your personal info is only visible to the people you want to share it with.
Another big intrusion on your privacy comes at the hands of online data brokers. They drive a multi-billion-dollar industry by collecting, batching, and selling people's personal info. To anyone. That includes hackers, spammers, and scammers who use it to their own ends. Yet you can get your info removed from some of the worst offenders out there. Personal Data Cleanup scans data broker sites and shows you which ones are selling your personal info and helps you remove it.
Another great tool for protecting your privacy comes in the form of a VPN. As a "virtual private network," it encrypts your activity. Think of a VPN as a private tunnel for your internet traffic. It hides your search habits and history from those who might use that info to build a profile of you — whether to serve up targeted ads or to steal personal info for identity theft. In all, a VPN gives you one of the most secure ways you can go online.
The post How to Protect Your Identity, Finances, and Security Online appeared first on McAfee Blog.
The Chinese company in charge of handing out domain names ending in ".top" has been given until mid-August 2024 to show that it has put in place systems for managing phishing reports and suspending abusive domains, or else forfeit its license to sell domains. The warning comes amid the release of new findings that .top was the second most common suffix in phishing websites over the past year, behind only domains ending in ".com."
On July 16, the Internet Corporation for Assigned Names and Numbers (ICANN) sent a letter to the owners of the .top domain registry. ICANN has filed hundreds of enforcement actions against domain registrars over the years, but in this case ICANN singled out a domain registry responsible for maintaining an entire top-level domain (TLD).
Among other reasons, the missive chided the registry for failing to respond to reports about phishing attacks involving .top domains.
"Based on the information and records gathered through several weeks, it was determined that .TOP Registry does not have a process in place to promptly, comprehensively, and reasonably investigate and act on reports of DNS Abuse," the ICANN letter reads (PDF).
ICANN's warning redacted the name of the recipient, but records show the .top registry is operated by a Chinese entity called Jiangsu Bangning Science & Technology Co. Ltd. Representatives for the company have not responded to requests for comment.
Domains ending in .top were represented prominently in a new phishing report released today by the Interisle Consulting Group, which sources phishing data from several places, including the Anti-Phishing Working Group (APWG), OpenPhish, PhishTank, and Spamhaus.
Interisleโs newest study examined nearly two million phishing attacks in the last year, and found that phishing sites accounted for more than four percent of all new .top domains between May 2023 and April 2024. Interisle said .top has roughly 2.76 million domains in its stable, and that more than 117,000 of those were phishing sites in the past year.
Source: Interisle Consulting Group.
ICANN said its review was based on information collected and studied about .top domains over the past few weeks. But the fact that high volumes of phishing sites are being registered through Jiangsu Bangning Science & Technology Co Ltd. is hardly a new trend.
For example, more than 10 years ago the same Chinese registrar was the fourth most common source of phishing websites, as tracked by the APWG. Bear in mind that the APWG report excerpted below was published more than a year before Jiangsu Bangning received ICANN approval to introduce and administer the new .top registry.
Source: APWG phishing report from 2013, two years before .top came into being.
A fascinating new wrinkle in the phishing landscape is the growth in scam pages hosted via the InterPlanetary File System (IPFS), a decentralized data storage and delivery network that is based on peer-to-peer networking. According to Interisle, the use of IPFS to host and launch phishing attacks — which can make phishing sites more difficult to take down — increased a staggering 1,300 percent, to roughly 19,000 phishing sites reported in the last year.
Last year's report from Interisle found that domain names ending in ".us" — the top-level domain for the United States — were among the most prevalent in phishing scams. While .us domains are not even on the Top 20 list of this year's study, ".com" maintained its perennial #1 spot as the largest source of phishing domains overall.
A year ago, the phishiest domain registrar by far was Freenom, a now-defunct registrar that handed out free domains in several country-code TLDs, including .tk, .ml, .ga and .cf. Freenom went out of business after being sued by Meta, which alleged Freenom ignored abuse complaints while monetizing traffic to abusive domains.
Following Freenom's demise, phishers quickly migrated to other new low-cost TLDs and to services that allow anonymous, free domain registrations — particularly subdomain services. For example, Interisle found phishing attacks involving websites created on Google's blogspot.com skyrocketed last year more than 230 percent. Other subdomain services that saw a substantial growth in domains registered by phishers include weebly.com, github.io, wix.com, and ChangeIP, the report notes.
Interisle Consulting partner Dave Piscitello said ICANN could easily send similar warning letters to at least a half-dozen other top-level domain registries, noting that spammers and phishers tend to cycle through the same TLDs periodically — including .xyz, .info, .support and .lol, all of which saw considerably more business from phishers after Freenom's implosion.
Piscitello said domain registrars and registries could significantly reduce the number of phishing sites registered through their services just by flagging customers who try to register huge volumes of domains at once. Their study found that at least 27% of the domains used for phishing were registered in bulk — i.e. the same registrant paid for hundreds or thousands of domains in quick succession.
The report includes a case study in which a phisher this year registered 17,562 domains over the course of an eight-hour period — roughly 38 domains per minute — using .lol domains that were all composed of random letters.
ICANN tries to resolve contract disputes privately with the registry and registrar community, and experts say the nonprofit organization usually only publishes enforcement letters when the recipient is ignoring its private notices. Indeed, ICANN's letter notes Jiangsu Bangning didn't even open its emailed notifications. It also cited the registry for falling behind in its ICANN membership fees.
With that in mind, a review of ICANN's public enforcement activity suggests two trends: One is that there have been far fewer public compliance and enforcement actions in recent years — even as the number of new TLDs has expanded dramatically.
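The bulk-registration signal Piscitello describes is straightforward to check for on the registrar side. The following is an added example, not Interisle's or ICANN's code: it assumes a registrar (or a defender with zone-file access) can build a feed of (registrant id, timestamp, domain) records, slides a one-hour window over each registrant's history, and also scores how many of a registrant's labels look like random letters, in the spirit of the .lol case study. Every record in SAMPLE_REGISTRATIONS is constructed.

```python
"""Flag registrants that register domains in bulk, plus a random-letter label score.

Added example, not Interisle's or ICANN's code. SAMPLE_REGISTRATIONS is
constructed data; the thresholds are starting points a registrar would tune.
"""
import math
import random
import re
from collections import defaultdict
from datetime import datetime, timedelta

VOWELS = set("aeiou")


def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of a domain label."""
    n = len(label)
    counts = {ch: label.count(ch) for ch in set(label)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(domain: str) -> bool:
    """Heuristic for 'random letters' labels: long, few vowels, high entropy."""
    label = re.sub(r"[^a-z]", "", domain.split(".")[0].lower())
    if len(label) < 8:
        return False
    vowel_share = sum(ch in VOWELS for ch in label) / len(label)
    return vowel_share < 0.25 and label_entropy(label) >= 2.5


def find_bulk_registrants(records, window=timedelta(hours=1), threshold=25):
    """Return registrants whose peak registration count inside any `window` reaches `threshold`."""
    by_registrant = defaultdict(list)
    for registrant, stamp, domain in records:
        by_registrant[registrant].append((datetime.fromisoformat(stamp), domain))

    findings = {}
    for registrant, regs in by_registrant.items():
        regs.sort()
        times = [t for t, _ in regs]
        peak, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings[registrant] = {
                "peak_in_window": peak,
                "total": len(regs),
                "random_label_share": sum(looks_random(d) for _, d in regs) / len(regs),
            }
    return findings


def _constructed_burst(registrant, start, count, seed=2024):
    """Constructed sample: `count` consonant-only .test labels registered 16 seconds apart."""
    rng = random.Random(seed)
    consonants = "bcdfghjklmnpqrstvwxz"
    out = []
    for i in range(count):
        label = "".join(rng.sample(consonants, 10))
        stamp = (start + timedelta(seconds=16 * i)).isoformat()
        out.append((registrant, stamp, f"{label}.test"))
    return out


# Constructed sample feed: one ordinary registrant and one bulk registrant.
SAMPLE_REGISTRATIONS = [
    ("acct-1001", "2024-03-02T09:00:05", "greenfield-bakery.test"),
    ("acct-1001", "2024-03-09T11:14:40", "greenfieldbakery.test"),
    ("acct-1001", "2024-03-30T16:02:11", "greenfield-catering.test"),
] + _constructed_burst("acct-7777", datetime(2024, 3, 2, 1, 0, 0), 30)


if __name__ == "__main__":
    for registrant, info in find_bulk_registrants(SAMPLE_REGISTRATIONS).items():
        print(registrant, info)
```

The window count is the primary signal; the random-label share is a secondary one that helps separate a marketing agency registering a product line from the kind of burst described in the report, where every label is noise. Both thresholds are assumptions to be tuned against a registrar's own baseline.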
The second is that in a majority of cases, the failure of a registry or registrar to pay its annual ICANN membership fees was cited as a reason for a warning letter. A review of nearly two dozen enforcement letters ICANN has sent to domain registrars since 2022 shows that failure to pay dues was cited as a reason (or the reason) for the violation at least 75 percent of the time.
Piscitello, a former vice president of security at ICANN, said nearly all breach notices sent out while he was at ICANN were because the registrar owed money.
"I think the rest is just lipstick to suggest that ICANN's on top of DNS Abuse," Piscitello said.
KrebsOnSecurity has sought comment from ICANN and will update this story if they respond.
ICANN said most of its investigations are resolved and closed through the initial informal resolution stage, and that hundreds of enforcement cases are initiated during this stage with the contracted parties who are required to demonstrate compliance, become compliant, and/or present and implement remediation plans to prevent the recurrence of those enforcement issues.
"It is important to take into account that, prior to issuing any notice of breach to a registrar or registry operator, ICANN Compliance conducts an overall contractual compliance 'health check' of the relevant contracted party," ICANN said in a written response to questions. "During this check, ICANN Compliance proactively reviews the contracted party's compliance with obligations across the agreements and policies. Any additional contractual violation found during these checks is added to the Notice of Breach. It is not uncommon for parties who failed to comply with contractual obligations (whether they are related to DNS Abuse, RDDS, or others) to also be in arrears with ICANN fees."
Update, 11:49 p.m. ET: Added statement from ICANN. Clarified Piscitello's former role at ICANN.
The Russia-based cybercrime group dubbed "Fin7," known for phishing and malware attacks that have cost victim organizations an estimated $3 billion in losses since 2013, was declared dead last year by U.S. authorities. But experts say Fin7 has roared back to life in 2024 — setting up thousands of websites mimicking a range of media and technology companies — with the help of Stark Industries Solutions, a sprawling hosting provider that is a persistent source of cyberattacks against enemies of Russia.
In May 2023, the U.S. attorney for Washington state declared "Fin7 is an entity no more," after prosecutors secured convictions and prison sentences against three men found to be high-level Fin7 hackers or managers. This was a bold declaration against a group that the U.S. Department of Justice described as a criminal enterprise with more than 70 people organized into distinct business units and teams.
The first signs of Fin7's revival came in April 2024, when Blackberry wrote about an intrusion at a large automotive firm that began with malware served by a typosquatting attack targeting people searching for a popular free network scanning tool.
Now, researchers at security firm Silent Push say they have devised a way to map out Fin7's rapidly regrowing cybercrime infrastructure, which includes more than 4,000 hosts that employ a range of exploits, from typosquatting and booby-trapped ads to malicious browser extensions and spearphishing domains.
Silent Push said it found Fin7 domains targeting or spoofing brands including American Express, Affinity Energy, Airtable, Alliant, Android Developer, Asana, Bitwarden, Bloomberg, Cisco (Webex), CNN, Costco, Dropbox, Grammarly, Google, Goto.com, Harvard, Lexis Nexis, Meta, Microsoft 365, Midjourney, Netflix, Paycor, Quickbooks, Quicken, Reuters, Regions Bank Onepass, RuPay, SAP (Ariba), Trezor, Twitter/X, Wall Street Journal, Westlaw, and Zoom, among others.
Zach Edwards, senior threat analyst at Silent Push, said many of the Fin7 domains are innocuous-looking websites for generic businesses that sometimes include text from default website templates (the content on these sites often has nothing to do with the entity's stated business or mission).
Edwards said Fin7 does this to "age" the domains and to give them a positive or at least benign reputation before they're eventually converted for use in hosting brand-specific phishing pages.
"It took them six to nine months to ramp up, but ever since January of this year they have been humming, building a giant phishing infrastructure and aging domains," Edwards said of the cybercrime group.
In typosquatting attacks, Fin7 registers domains that are similar to those for popular free software tools. Those look-alike domains are then advertised on Google so that sponsored links to them show up prominently in search results, which is usually above the legitimate source of the software in question.
A malicious site spoofing FreeCAD showed up prominently as a sponsored result in Google search results earlier this year.
According to Silent Push, the software currently being targeted by Fin7 includes 7-zip, PuTTY, ProtectedPDFViewer, AIMP, Notepad++, Advanced IP Scanner, AnyDesk, pgAdmin, AutoDesk, Bitwarden, Rest Proxy, Python, Sublime Text, and Node.js.
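A defender who cannot see the attacker's ad campaigns can still flag look-alike domains as they appear in proxy, DNS, or ad-click logs. The following is an added example, not Silent Push's tooling: it assumes a watchlist of the software names named above, a placeholder allowlist (OFFICIAL_DOMAINS) that a defender fills in with each vendor's verified domains, and a feed of observed domains; the sample domains are constructed. It flags exact brand labels on unvetted domains, labels that embed a brand (the "<brand>-download" pattern), and labels within a small edit distance of a brand after folding digits that commonly stand in for letters.

```python
"""Flag domains that are near-misses of software names users commonly search for.

Added example, not Silent Push's code. WATCHLIST is taken from the article;
OFFICIAL_DOMAINS is a placeholder (assumption) for the vendors' verified
domains, and SAMPLE_DOMAINS is constructed.
"""
import re

WATCHLIST = ["7-zip", "PuTTY", "Notepad++", "Advanced IP Scanner", "AnyDesk",
             "pgAdmin", "Bitwarden", "Python", "Sublime Text", "Node.js", "FreeCAD"]

# Placeholder (assumption): the vendor domains you have verified as legitimate.
OFFICIAL_DOMAINS = {"official-vendor.test"}

# Digits that commonly stand in for letters in look-alike labels.
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(name: str) -> str:
    """Lowercase, spell out '++', fold look-alike digits, keep letters and digits only."""
    return re.sub(r"[^a-z0-9]", "", name.lower().replace("++", "plusplus").translate(FOLD))


def hostname(domain: str) -> str:
    return re.sub(r"^[a-z]+://", "", domain.lower()).split("/")[0]


def second_level_label(domain: str) -> str:
    """The label left of the TLD, naively treating the last label as the TLD."""
    labels = hostname(domain).split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str):
    """Return (verdict, brand, distance); verdict is 'none' when nothing matches."""
    host = hostname(domain)
    if host in OFFICIAL_DOMAINS or (host.startswith("www.") and host[4:] in OFFICIAL_DOMAINS):
        return ("official", None, 0)
    label = normalize(second_level_label(domain))
    best = ("none", None, None)
    for brand in WATCHLIST:
        target = normalize(brand)
        if label == target:
            return ("exact-label", brand, 0)      # brand name on a domain you have not vetted
        if target in label:
            return ("brand-embedded", brand, 0)   # e.g. <brand>-download, <brand>-free
        dist = levenshtein(label, target)
        if dist <= max(1, len(target) // 5) and (best[2] is None or dist < best[2]):
            best = ("lookalike", brand, dist)
    return best


def scan(domains):
    """Return the flagged domains as (domain, verdict, brand, distance) tuples."""
    flagged = []
    for d in domains:
        verdict, brand, dist = classify(d)
        if verdict not in ("none", "official"):
            flagged.append((d, verdict, brand, dist))
    return flagged


# Constructed sample feed, e.g. sponsored-ad click destinations from a proxy log.
SAMPLE_DOMAINS = [
    "official-vendor.test", "weather-forecast.test", "pytthon.test",
    "www.putty-download.test", "7-zlp.test", "anydesk.test",
    "n0tepad-plus-plus.test", "www.freecad-free.test",
]

if __name__ == "__main__":
    for row in scan(SAMPLE_DOMAINS):
        print(row)
```

Exact brand labels are flagged on purpose: a domain whose label is exactly the product name but which is not on the allowlist is precisely the case a sponsored ad exploits, so the allowlist, not the label, decides what is legitimate. The edit-distance budget scales with brand length so that short names like "7-zip" only tolerate a single substitution.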
In May 2024, security firm eSentire warned that Fin7 was spotted using sponsored Google ads to serve pop-ups prompting people to download phony browser extensions that install malware. Malwarebytes blogged about a similar campaign in April, but did not attribute the activity to any particular group.
A pop-up at a Thomson Reuters typosquatting domain telling visitors they need to install a browser extension to view the news content.
Edwards said Silent Push discovered the new Fin7 domains after hearing from an organization that was targeted by Fin7 in years past and suspected the group was once again active. Searching for hosts that matched Fin7's known profile revealed just one active site. But Edwards said that one site pointed to many other Fin7 properties at Stark Industries Solutions, a large hosting provider that materialized just two weeks before Russia invaded Ukraine.
As KrebsOnSecurity wrote in May, Stark Industries Solutions is being used as a staging ground for wave after wave of cyberattacks against Ukraine that have been tied to Russian military and intelligence agencies.
"FIN7 rents a large amount of dedicated IP on Stark Industries," Edwards said. "Our analysts have discovered numerous Stark Industries IPs that are solely dedicated to hosting FIN7 infrastructure."
Fin7 once famously operated behind fake cybersecurity companies — with names like Combi Security and Bastion Secure — which they used for hiring security experts to aid in ransomware attacks. One of the new Fin7 domains identified by Silent Push is cybercloudsec[.]com, which promises to "grow your business with our IT, cyber security and cloud solutions."
The fake Fin7 security firm Cybercloudsec.
Like other phishing groups, Fin7 seizes on current events, and at the moment it is targeting tourists visiting France for the Summer Olympics later this month. Among the new Fin7 domains Silent Push found are several sites phishing people seeking tickets at the Louvre.
"We believe this research makes it clear that Fin7 is back and scaling up quickly," Edwards said. "It's our hope that the law enforcement community takes notice of this and puts Fin7 back on their radar for additional enforcement actions, and that quite a few of our competitors will be able to take this pool and expand into all or a good chunk of their infrastructure."
Further reading:
Stark Industries Solutions: An Iron Hammer in the Cloud.
A 2022 deep dive on Fin7 from the Swiss threat intelligence firm Prodaft (PDF).
By now you've probably heard of the term "phishing" — when scammers try to fool you into revealing your personal info or sending money, usually via email — but what about "vishing"? Vishing, or voice phishing, is basically the same practice, but done by phone.
There are a few reasons why it's important for you to know about vishing. First off, voice phishing scams are prevalent and growing. A common example around tax season is the IRS scam, where fraudsters make threatening calls to taxpayers pretending to be IRS agents and demanding money for back taxes. Another popular example is the phony tech support scam, in which a scammer calls you claiming that they represent a security provider.
The scammers might say they've noticed a problem with your computer or device and want money to fix the problem, or even request direct access to your machine. They might also ask you to download software to do a "security scan" just so they can get you to install a piece of malware that steals your personal info. They might even try to sell you a worthless computer warranty or offer a phony refund.
These kinds of attacks can be very persuasive because the scammers employ "social engineering" techniques. This involves plays on emotion, urgency, authority, and even sometimes threats. The end result: scammers manipulate their victims into doing something for fraudulent purposes. Because scammers can reach you at any time on your most private device, your smartphone, it can feel more direct and personal.
Vishing scams don't always require a phone call from a real person. Often, scammers use a generic or targeted recording, claiming to be from your bank or credit union. For instance, they might ask you to enter your bank account number or other personal details, which opens you up to identity theft.
Increasingly, scammers use AI tools in voice cloning attacks. With readily available voice cloning apps, scammers can replicate someone else's voice with remarkable accuracy. While initially developed for benign purposes such as voice assistants and entertainment, scammers now use voice cloning tools to exploit unsuspecting victims.
The incoming number might even appear to have come from your bank, thanks to a trick called "caller ID spoofing," which allows scammers to fake the origin of the call. They can do this by using Voice over Internet Protocol (VoIP) technology, which connects calls over the internet instead of traditional phone circuits, allowing them to easily assign incoming phone numbers.
Don't risk losing your money or valuable personal info to these scams. Here's how to avoid vishing attacks:
The post How to Avoid Being Phished by Your Phone appeared first on McAfee Blog.
A Slack Attack Framework for conducting Red Team and phishing exercises within Slack workspaces.
This tool is intended for Security Professionals only. Do not use this tool against any Slack workspace without explicit permission to test. Use at your own risk.
Thousands of organizations utilize Slack to help their employees communicate, collaborate, and interact. Many of these Slack workspaces install apps or bots that can be used to automate different tasks within Slack. These bots are individually provided permissions that dictate what tasks the bot is permitted to request via the Slack API. To authenticate to the Slack API, each bot is assigned an API token that begins with xoxb or xoxp. More often than not, these tokens are leaked somewhere. When these tokens are exfiltrated during a Red Team exercise, it can be a pain to properly utilize them. Now EvilSlackbot is here to automate and streamline that process. You can use EvilSlackbot to send spoofed Slack messages, phishing links, and files, and to search for secrets leaked in Slack.
In addition to red teaming, EvilSlackbot has also been developed with Slack phishing simulations in mind. To use EvilSlackbot to conduct a Slack phishing exercise, simply create a bot within Slack, give your bot the permissions required for your intended test, and provide EvilSlackbot with a list of emails of employees you would like to test with simulated phishes (links, files, spoofed messages).
EvilSlackbot requires python3 and Slackclient
pip3 install slackclient
usage: EvilSlackbot.py [-h] -t TOKEN [-sP] [-m] [-s] [-a] [-f FILE] [-e EMAIL]
                       [-cH CHANNEL] [-eL EMAIL_LIST] [-c] [-o OUTFILE] [-cL]

options:
  -h, --help            show this help message and exit

Required:
  -t TOKEN, --token TOKEN
                        Slack Oauth token

Attacks:
  -sP, --spoof          Spoof a Slack message, customizing your name, icon, etc
                        (Requires -e,-eL, or -cH)
  -m, --message         Send a message as the bot associated with your token
                        (Requires -e,-eL, or -cH)
  -s, --search          Search slack for secrets with a keyword
  -a, --attach          Send a message containing a malicious attachment (Requires -f
                        and -e,-eL, or -cH)

Arguments:
  -f FILE, --file FILE  Path to file attachment
  -e EMAIL, --email EMAIL
                        Email of target
  -cH CHANNEL, --channel CHANNEL
                        Target Slack Channel (Do not include #)
  -eL EMAIL_LIST, --email_list EMAIL_LIST
                        Path to list of emails separated by newline
  -c, --check           Lookup and display the permissions and available attacks
                        associated with your provided token.
  -o OUTFILE, --outfile OUTFILE
                        Outfile to store search results
  -cL, --channel_list   List all public Slack channels
To use this tool, you must provide an xoxb or xoxp token.
Required:
-t TOKEN, --token TOKEN (Slack xoxb/xoxp token)
python3 EvilSlackbot.py -t <token>
Depending on the permissions associated with your token, there are several attacks that EvilSlackbot can conduct. EvilSlackbot will automatically check what permissions your token has and will display them and any attack that you are able to perform with your given token.
Attacks:
-sP, --spoof Spoof a Slack message, customizing your name, icon, etc (Requires -e,-eL, or -cH)
-m, --message Send a message as the bot associated with your token (Requires -e,-eL, or -cH)
-s, --search Search slack for secrets with a keyword
-a, --attach Send a message containing a malicious attachment (Requires -f and -e,-eL, or -cH)
With the correct token permissions, EvilSlackbot allows you to send phishing messages while impersonating the bot name and bot photo. This attack also requires either the email address (-e) of the target, a list of target emails (-eL), or the name of a Slack channel (-cH). EvilSlackbot will use these arguments to look up the Slack ID of the user associated with the provided emails or channel name. To automate your attack, use a list of emails.
python3 EvilSlackbot.py -t <xoxb token> -sP -e <email address>
python3 EvilSlackbot.py -t <xoxb token> -sP -eL <email list>
python3 EvilSlackbot.py -t <xoxb token> -sP -cH <Channel name>
With the correct token permissions, EvilSlackbot allows you to send phishing messages containing phishing links. What makes this attack different from the spoofed attack is that this method sends the message as the bot associated with your provided token; you will not be able to choose the name or image of the bot sending your phish. This attack also requires either the email address (-e) of the target, a list of target emails (-eL), or the name of a Slack channel (-cH). EvilSlackbot will use these arguments to look up the Slack ID of the user associated with the provided emails or channel name. To automate your attack, use a list of emails.
python3 EvilSlackbot.py -t <xoxb token> -m -e <email address>
python3 EvilSlackbot.py -t <xoxb token> -m -eL <email list>
python3 EvilSlackbot.py -t <xoxb token> -m -cH <Channel name>
With the correct token permissions, EvilSlackbot allows you to search Slack for secrets via a keyword search. Right now, this attack requires an xoxp token, as xoxb tokens cannot be given the proper permissions to keyword search within Slack. Use the -o argument to write the search results to an outfile.
python3 EvilSlackbot.py -t <xoxp token> -s -o <outfile.txt>
With the correct token permissions, EvilSlackbot allows you to send file attachments. The attachment attack requires a path to the file (-f) you wish to send. This attack also requires either the email address (-e) of the target, a list of target emails (-eL), or the name of a Slack channel (-cH). EvilSlackbot will use these arguments to look up the Slack ID of the user associated with the provided emails or channel name. To automate your attack, use a list of emails.
python3 EvilSlackbot.py -t <xoxb token> -a -f <path to file> -e <email address>
python3 EvilSlackbot.py -t <xoxb token> -a -f <path to file> -eL <email list>
python3 EvilSlackbot.py -t <xoxb token> -a -f <path to file> -cH <Channel name>
Arguments:
-f FILE, --file FILE Path to file attachment
-e EMAIL, --email EMAIL Email of target
-cH CHANNEL, --channel CHANNEL Target Slack Channel (Do not include #)
-eL EMAIL_LIST, --email_list EMAIL_LIST Path to list of emails separated by newline
-c, --check Lookup and display the permissions and available attacks associated with your provided token.
-o OUTFILE, --outfile OUTFILE Outfile to store search results
-cL, --channel_list List all public Slack channels
With the correct permissions, EvilSlackbot can search for and list all of the public channels within the Slack workspace. This can help with planning where to send channel messages. Use -o to write the list to an outfile.
python3 EvilSlackbot.py -t <xoxb token> -cL
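The permission check described above, from the workspace admin's side, as an added Python example that is not EvilSlackbot's own code: it classifies a token by its xoxb/xoxp prefix, audits a scope list against the capabilities the README lists, and finds tokens leaked in text, so an admin can review which installed apps could be misused this way. The scope names are Slack's documented OAuth scopes, but mapping them to the README's flags and the scope list itself (normally taken from the x-oauth-scopes response header of a Web API call) are this example's assumptions.

```python
import re

# Capability (README flag) -> scopes that must all be granted. Scope names
# are Slack's documented OAuth scopes; mapping them to the README's attack
# flags is this example's own assumption, not something EvilSlackbot states.
REQUIRED_SCOPES = {
    "spoof (-sP)": {"chat:write", "chat:write.customize"},
    "message (-m)": {"chat:write"},
    "attach (-a)": {"chat:write", "files:write"},
    "search (-s)": {"search:read"},
    "channel_list (-cL)": {"channels:read"},
}
# Per the README, keyword search needs a user (xoxp) token; bot tokens
# cannot be granted the search scope, so it is never reported for them.
USER_TOKEN_ONLY = {"search (-s)"}

# Bot and user tokens as they appear in configs, scripts and chat exports.
TOKEN_RE = re.compile(r"\bxox([bp])-[0-9A-Za-z-]{10,}")


def token_kind(token):
    """Return 'bot' for an xoxb- token, 'user' for xoxp-, None otherwise."""
    m = TOKEN_RE.match(token)
    if not m:
        return None
    return "bot" if m.group(1) == "b" else "user"


def available_capabilities(token, scopes):
    """List the README capabilities a token with the given scopes enables."""
    kind = token_kind(token)
    if kind is None:
        raise ValueError("not a Slack bot/user token")
    granted = set(scopes)
    return sorted(name for name, needed in REQUIRED_SCOPES.items()
                  if needed <= granted
                  and (kind == "user" or name not in USER_TOKEN_ONLY))


def find_tokens(text):
    """Find bot/user tokens leaked in free text (for a repo or export scan)."""
    return [m.group(0) for m in TOKEN_RE.finditer(text)]


if __name__ == "__main__":
    # Constructed sample: a fake token and a scope list such as the
    # x-oauth-scopes response header of a Web API call would carry.
    sample = "SLACK_TOKEN=xoxb-1111111111-2222222222222-AbCdEfGhIjKlMnOpQrStUv"
    scopes = ["chat:write", "chat:write.customize", "files:write", "search:read"]
    for tok in find_tokens(sample):
        print(tok, token_kind(tok), available_capabilities(tok, scopes))
```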
As the name implies, spear phishing attacks are highly targeted scams. They often occur in professional settings, where the scammers go after one "big phish," such as a ranking employee with access to finances or data. From there, the scammers employ social engineering (aka manipulation) to trick the target into transferring funds to them or giving them access to sensitive company systems. Sometimes, it's a mix of both.
Some of the most striking examples of spear phishing attacks come from the Shamoon2 attacks seen in Saudi Arabia back in 2016. Successive waves of attacks ultimately infected machines with malware and destroyed systems.
So, how did this specific spear phishing attack work, exactly? Cybercriminals targeted specific organizations in Saudi Arabia with emails that included malicious attachments in them. Then, when victims clicked and opened the attachment, they were infected, valuable company data was taken and systems were quickly wiped.
Spear phishing has been around for quite some time yet remains as effective as ever. Spear phishing's success is based on familiarity. Usually, cybercriminals pretend to be an organization or individual that you know and include a piece of content (a link, an email attachment, etc.) that they know you'll want to interact with.
For example, cybercriminals have taken advantage of tragedies in the headlines and used targeted emails claiming to be a charitable organization asking for donations. In the case of Shamoon2, the attackers lured in victims with a tempting email attachment sent from organizations the victims were likely to trust. But instead of giving to their charity of choice, or opening a seemingly harmless workplace attachment, victims infected their own systems with malware.
Moreover, we have seen spear phishing attacks take on an entirely new form with the advent of AI deepfakes. Now, instead of reaching out to victims via email, sophisticated scammers create deepfakes that pose as employees on video calls, all in real time. Such was the case in Hong Kong in February 2024, where a host of deepfakes pressured a company's finance officer into transferring $25 million to the scammers running the deepfakes.[i]
Moral of the story: spear phishing (and regular phishing) attacks can be tricky. However, fear not, there's a lot you can do to stay on top of this threat.
For starters:
Spear phishing attacks can be easily deceiving. In fact, cybercriminals have been able to impersonate known, credible charities or an employer's business partners and customers. So, if you receive an email from an organization asking for donations or a partner asking you to open a file you didn't request, a good rule of thumb is to go directly to the organization through a communications channel other than email. Go to the company's site and do more research from there. That way, you can ensure you're gaining accurate information and can interact with the right people, rather than cyber-attackers.
Always check for legitimacy first. Spear phishing emails rely on you: they want you to click a link or open an attachment. But before you do anything, you always need to check an email's content for legitimacy. Hover over a link and see if it's going to a reliable URL. Or, if you're unsure about an email's content or the source it came from, do a quick Google search and look for other instances of this campaign, and what those instances could tell you about the email's legitimacy.
Fraudsters select their victims carefully in these targeted attacks. They hunt down employees with access to info and funds and then do their research on them. Using public records, data broker sites, "people finder" sites, and info from social media, fraudsters collect intel on their marks. Armed with that, they can pepper their conversations with references that sound more informed, more personal, and thus more convincing. Just because what's being said feels or sounds somewhat familiar doesn't always mean it's coming from a trustworthy source.
With that, employees can reduce the amount of personal info others can find online. Features like McAfee Personal Data Cleanup can help remove personal info from some of the riskiest data broker sites out there. I also keep tabs on those sites if more personal info appears on them later. Additionally, employees can set their social media profiles to private by limiting access to "friends and family only," which denies fraudsters another avenue of info gathering. Using our Social Privacy Manager can make that even easier. With just a few clicks, it can adjust more than 100 privacy settings across their social media accounts, making them more private as a result.
[i] https://metro.co.uk/2024/02/05/horrifying-deepfake-tricks-employee-giving-away-20-million-20225490/
The post How to Protect Yourself From a Spear Phishing Scam appeared first on McAfee Blog.