
The Scarlet Widow Gang Entraps Victims Using Romance Scams


Originally seen on: Bleepingcomputer by Lawrence Abrams, February 13th, 2019

We often hear about sextortion, business email compromise (BEC), and inheritance scams, but the often overlooked “Romance Scams” could be the most insidious of them all. Not only do victims lose money, but the emotional entanglement ultimately leads to heartbreak.

Romance scams are months-long, if not years-long, campaigns in which bad actors catfish an unsuspecting victim, pretending to be in love with them, in order to steal money. They do this by creating fake romantic relationships that the victims become invested in, so that they are willing to help with fabricated financial troubles.

In a report shared with BleepingComputer, the Agari Cyber Intelligence Division (ACID) outlines how a criminal gang out of Nigeria called “Scarlet Widow” targets those who are more likely to be lonely such as farmers, elderly, the disabled, and divorced.

This catfishing is done through the creation of fake personas that utilize stolen pictures of attractive people, fake names, personalities, and back stories where they were victimized in the past, but still believe that love is possible. They then create accounts on social media and dating sites, including ones that may attract those looking for love or are lonely such as Dating4Disabled.com, Farmers Dating Site, and DivorcedPeopleMeet.com.

For example, one of the fake personas discovered by Agari is a person named “U.S. Army Captain Michael” who is serving a tour of duty overseas, but is looking for love after he lost his wife.

“According to one of his fake dating site profiles, Captain Micheal is a 43-year-old Catholic man from Austin, Texas, who is currently serving a tour of duty overseas in Kabul, Afghanistan. His profile indicates that, like most of the other personas created by Scarlet Widow, he has lost a loved one in his past. In this case, Captain Micheal lost his wife, as his status describes him as “Widowed.” Since the death of his wife, he has been “searching for so long” for the perfect woman and hopes the woman has a trusting mind to fall in love.”

The fake persona for Captain Michael was posted to dating sites such as MilitaryCupid.com and MarriedDateLink.com during a 6 month period in 2017.

Captain Michael Persona

Agari states that each of the personas created by Scarlet Widow has a different personality and way of communicating that reflects its backstory and whom it is targeting. For example, the researchers state that Captain Michael’s messages are usually short and to the point, while the gang’s female personas have a “softer, inquisitive, and more verbose tone”.

Example of email from Captain Michael

It’s all about the money

Ultimately, though, these scams are not about making true romance, but about stealing as much money from the victims as they can.

Once a “relationship” is established, the scammers tell their victims that they are having financial difficulty and need financial assistance. This assistance is usually in the form of money for plane tickets, travel assistance, or accommodations.

If the victim is shown to be willing to send money, then the scammers continue with their relationship while continuing to siphon money over a long period of time.

Such is the case with a Texan man who was going through a painful divorce and met one of the gang’s fictitious characters, “Laura Cahill”. Over a period of one year, the Scarlet Widow persona scammed him out of $50,000.

This person was so firmly hooked that when the scammers didn’t reply to him in over a week, he sent a distraught email to her pleading for a reply.

Distraught email from victim

It ultimately got so bad, that this individual stole $10,000 from his father to send to the scammers. This “relationship” ultimately ended when the scammers stopped replying, but it shows how deeply entrenched victims can get in these fake “relationships”.

While this sounds like something that few would fall for, according to Agari it is not that unusual.

“We are tracking a number of Nigerian scammer groups that continue to engage in romance scams and seek out new victims. In 2018, Agari documented a long-running, $500,000 swindle of a divorced American woman with children who refinanced her home to send money to the con artist. Eventually the creditors closed in, and she was forced to sell her house, pull her children out of school, and move the family in with a friend. She continued to believe he was real until Agari presented her with irrefutable evidence of the truth, enabling her to finally break free in 2018.”

Unfortunately, protecting yourself from scams like this can be difficult, especially if you are the type of person that they are targeting. That is because lonely people crave love and camaraderie in their life and may miss warning signs.

E-ticketing system exposes airline passengers’ personal information via email


Originally seen on CYBERSCOOP by Jeff Stone: February 6, 2019

At least eight airlines, including Southwest, use e-ticketing systems that could allow hackers to access sensitive information about travelers merely by intercepting emails, according to research published Wednesday by the mobile security company Wandera.

The systems fail to secure customers’ personally identifiable information, including names, boarding passes, passport numbers and flight numbers, Wandera said.

The email vulnerabilities still exist, Wandera found, even though researchers notified affected companies weeks ago, and despite growing corporate awareness about the risks associated with sacrificing security for convenience.

The weakness is a check-in link that is emailed to customers, Wandera researchers found. Customer information is embedded in the links, allowing travelers to go from their email to a website where they check in for a flight without needing to enter a username and password. However, the links are unencrypted and reusable, presenting a tempting target for hackers, according to Michael Covington, vice president of product at Wandera.

“The airlines, in an effort to make it easy for their passengers to check in, have taken shortcuts that have led to the potential exposure of personal information,” he said.

Affected airlines include Southwest, Air France, KLM, Vueling, Jetstar, Thomas Cook, Transavia and Air Europa, Wandera found. Wandera has reported the vulnerability to each company and received responses, though none appear to have fixed the vulnerability, Covington said.

The airlines appear to be using unique servers for automated marketing that fail to protect user information.

“It’s not just the personal information they could get into, but the e-ticketing systems are basically allowing people in without authentication, which would allow you to change details about people like seat assignments and bags checked,” Covington said. “In some cases you can change existing bookings.”
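The two design problems the article describes (passenger identifiers carried in the clear inside a link, and a link that keeps working and needs no further authentication) can be contrasted with a signed, expiring, single-use check-in token. The example below is added here for illustration and is not any airline's or Wandera's code; the link format, parameter names (`pnr`, `lastname`, `t`) and the `CheckinTokenIssuer` class are assumptions, and the in-memory store stands in for whatever backend a real system would use.

```python
"""Weak e-mail check-in link versus a signed, expiring, single-use one (illustrative)."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse


# --- the pattern described in the article: identifiers in the clear, reusable forever ---
def weak_checkin_link(base_url: str, booking_ref: str, last_name: str) -> str:
    """Embed the booking reference and passenger name directly in the URL (assumed
    parameter names). Anyone who can read the e-mail, or the plaintext link in
    transit, can open the booking, and the link never stops working."""
    return f"{base_url}?{urlencode({'pnr': booking_ref, 'lastname': last_name})}"


# --- hardened alternative: opaque capability token, signed, time-limited, single-use ---
class CheckinTokenIssuer:
    """Issues and redeems check-in tokens; booking data never leaves the server."""

    def __init__(self, secret: bytes, ttl_seconds: int = 24 * 3600):
        self._secret = secret
        self._ttl = ttl_seconds
        # token id -> booking state; a stand-in for a database table
        self._store: Dict[str, dict] = {}

    def _sign(self, token_id: str, expires: int) -> str:
        msg = f"{token_id}.{expires}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, base_url: str, booking_ref: str, now: Optional[int] = None) -> str:
        """Return a link carrying only a random id, an expiry and an HMAC over both."""
        now = int(time.time()) if now is None else now
        token_id = secrets.token_urlsafe(16)          # 128 bits of randomness
        expires = now + self._ttl
        self._store[token_id] = {"booking": booking_ref, "expires": expires, "used": False}
        token = f"{token_id}.{expires}.{self._sign(token_id, expires)}"
        return f"{base_url}?{urlencode({'t': token})}"

    def redeem(self, link: str, now: Optional[int] = None) -> Optional[str]:
        """Return the booking reference for a valid link, or None for a forged,
        expired or already-used one."""
        now = int(time.time()) if now is None else now
        token = parse_qs(urlparse(link).query).get("t", [""])[0]
        parts = token.split(".")
        if len(parts) != 3 or not parts[1].isdigit():
            return None
        token_id, expires, sig = parts[0], int(parts[1]), parts[2]
        # constant-time comparison: reject tampered tokens without a timing leak
        if not hmac.compare_digest(sig, self._sign(token_id, expires)):
            return None
        entry = self._store.get(token_id)
        if entry is None or entry["expires"] != expires:
            return None
        if now > expires or entry["used"]:
            return None
        entry["used"] = True                           # single use: a replayed link fails
        return entry["booking"]


if __name__ == "__main__":
    # constructed sample booking, not real passenger data
    print(weak_checkin_link("https://checkin.example/ci", "ABC123", "Smith"))
    issuer = CheckinTokenIssuer(b"server-side-secret", ttl_seconds=3600)
    link = issuer.issue("https://checkin.example/ci", "ABC123", now=1000)
    print(link)
    print(issuer.redeem(link, now=1500))   # booking reference on first use
    print(issuer.redeem(link, now=1600))   # None: the same link cannot be replayed
```

The signed token still needs the store lookup, because the booking reference is deliberately not encoded in the link; the HMAC lets the server discard forged or tampered links before touching the store, and the `used` flag and expiry address the reuse the article describes. A real deployment would also bind the token to a second factor at check-in time (for example, the last name typed on the page) rather than treating link possession alone as proof of identity.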

There is no evidence outsiders have exploited the vulnerabilities.

Southwest Airlines is perhaps the best known low-cost airline operating in the U.S., with a 5 percent capacity growth planned for 2019, according to industry analysts at the Center for Aviation. Air France and KLM, which merged under a single holding company in 2004, jointly form one of the world’s largest airlines. Other companies named in the report — Vueling, Transavia and Air — are based in Europe. Thomas Cook is a British charter airline and Jetstar is a low-cost airline in Australia.

CyberScoop sought comment from each of the airlines named in this report. Several acknowledged receiving a request for comment. All except three failed to provide a statement or answer questions by press time.

In a statement, a Thomas Cook spokeswoman said, “We take the security of our customers’ data very seriously and have investigated this matter as a priority. We have looked into the questions raised and have taken immediate action to further increase the security of our customer data.” A Southwest spokesman said, “While we don’t have a comment on this specific issue, the safety and protection of our customers and their data privacy is our highest priority.”

A spokesperson for JetStar said the company takes data security and privacy “extremely seriously” and that the airline has “multiple layers of security in place.”

Air travelers anxious for a web connection in an airport, hotel or elsewhere on their journey are especially at risk because they could be more likely to connect to public WiFi, ignoring security precautions, Covington said.

“If you’re on a Wi-Fi network or a physical network that uses encryption, this would not be a problem,” he said.

“I can’t speak for the airlines individually,” he said. “We’re not a vulnerability testing company, and it’s not our business to go out and find this. But I can tell you the airlines we’ve engaged with have been keen to listen and are open to hearing more.”

Clever Phishing Attack Enlists Google Translate to Spoof Login Page


Originally seen on ThreatPost by Lindsay O’Donnell: February 26th, 2019

A tricky two-stage phishing scam is targeting Facebook and Google credentials using a landing page that hides behind Google’s translate feature.


Recently discovered phishing emails scoop up victims’ Facebook and Google credentials and hide their malicious landing page via a novel method: Google Translate.

The phishing campaign uses a two-stage attack to target both Google and Facebook usernames and passwords, according to researchers at Akamai who posted a Tuesday analysis. But in a tricky twist, the scam also evades detection by burying its landing page in a Google Translate page, meaning that victims see a legitimate Google domain and are more likely to input their credentials.

“When it comes to phishing, criminals put a lot of effort into making their attacks look legitimate, while putting pressure on their victims to take action,” Larry Cashdollar, with Akamai, said in a Tuesday post. “This is an interesting attack, as it uses Google Translate, and targets multiple accounts in one go.”

Cashdollar said that he first noticed the attack on Jan. 7 when an email notification on his phone informed him that his Google account had been accessed from a new Windows device.

The message, titled “Security Alert,” features an image branded with Google that says “A user has just signed in to your Google Account from a new Windows device. We are sending you this email to verify that it is you.” Then, there’s a “Consult the activity” button below the message.

phishing email

Interestingly, the message looked much more convincing in its condensed state on his mobile device, rather than on a desktop where the title of the email sender is more apparent, he said.

Upon closer look at the email, Cashdollar found that the “security alert” was sent from “facebook_secur[@]hotmail.com.”

That triggered two suspicions: Firstly, the email is from a Hotmail account, raising red flags – but also, the entire address had nothing to do with Google, instead referencing Facebook.

“Taking advantage of known brand names is a common phishing trick, and it usually works if the victim isn’t aware or paying attention,” he said. “Criminals conducting phishing attacks want to throw people off their game, so they’ll use fear, curiosity, or even false authority in order to make the victim take an action first, and question the situation later.”

When clicking on the “Consult the activity” button, Cashdollar was brought to a landing page that appeared to be a Google domain, prompting him to sign into his Google account.

However, one thing stuck out about the landing page – it was loading the malicious domain via Google Translate, Google’s service to help users translate webpages from one language to another.

phishing facebook google translate

Using Google Translate helps the bad actor hide any malicious attempts through several ways: Most importantly, the victim sees a legitimate Google domain which “in some cases… will help the criminal bypass endpoint defenses,” said Cashdollar.

Using Google Translate also means the URL bar is filled with random text. Upon further inspection of that text, victims could see the real, malicious domain, “mediacity,” being translated.

Luckily, “while this method of obfuscation might enjoy some success on mobile devices (the landing page is a near-perfect clone of Google’s older login portal), it fails completely when viewed from a computer,” said Cashdollar.

For those who fail to notice red flags regarding the landing page, their credentials (username and password) are collected – as well as other information including IP address and browser type – and emailed to the attacker.
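The two red flags Cashdollar describes, a sender address that belongs to neither brand and a login page reached through a Google Translate proxy rather than the brand's own domain, can both be checked automatically at a mail gateway or in a URL-analysis pipeline. The helper below is an added example, not Akamai's or Google's code: it unwraps the proxied URL to recover the host actually being translated and compares sender and landing host against the claimed brand. The Translate URL shapes it recognises (the `u=` query parameter on `translate.google.com` / `translate.googleusercontent.com`, and the `*.translate.goog` hostname form) are assumptions based on commonly observed Translate links, not details taken from the write-up; the sample sender is the defanged address from the article and the `mediacity.example` target is a constructed placeholder for the domain it names.

```python
"""Added detection helper: spot brand-spoofing alerts that hide behind Google Translate."""
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlparse

# Hosts on which Google Translate re-serves a third-party page with the target in "u="
# (assumed from observed Translate URLs; not from the Akamai analysis).
TRANSLATE_PROXY_HOSTS = {"translate.google.com", "translate.googleusercontent.com"}

# Domains a legitimate alert for each brand would come from and link to (assumed list).
BRAND_DOMAINS = {
    "google": ("google.com", "accounts.google.com"),
    "facebook": ("facebook.com",),
}


def unwrap_translate_proxy(url: str) -> Optional[str]:
    """Return the hostname actually being 'translated', or None if the URL is not a
    Translate proxy link. This is the real host a victim would otherwise never see."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in TRANSLATE_PROXY_HOSTS or host.startswith("translate.google."):
        target = parse_qs(parsed.query).get("u", [None])[0]   # parse_qs already unquotes
        if not target:
            return None
        return (urlparse(unquote(target)).hostname or "").lower() or None
    if host.endswith(".translate.goog"):
        # "mediacity-example.translate.goog" -> "mediacity.example": a single "-" stands
        # for ".", and a literal "-" in the original name is written as "--" (assumed).
        label = host[: -len(".translate.goog")]
        sentinel = "\x00"
        return label.replace("--", sentinel).replace("-", ".").replace(sentinel, "-")
    return None


def _belongs_to(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def assess_alert(sender: str, link: str, claimed_brand: str) -> List[str]:
    """Return human-readable findings for a 'security alert' e-mail that claims to
    come from `claimed_brand`; an empty list means no mismatch was found."""
    findings: List[str] = []
    good_domains = BRAND_DOMAINS[claimed_brand]

    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if not any(_belongs_to(sender_domain, d) for d in good_domains):
        findings.append(f"sender domain {sender_domain!r} is not a {claimed_brand} domain")

    real_host = unwrap_translate_proxy(link)
    if real_host is not None:
        findings.append(f"login link is proxied through Google Translate; real host is {real_host!r}")
        link_host = real_host
    else:
        link_host = (urlparse(link).hostname or "").lower()
    if not any(_belongs_to(link_host, d) for d in good_domains):
        findings.append(f"login page host {link_host!r} is not a {claimed_brand} domain")
    return findings


if __name__ == "__main__":
    # constructed sample: the article's defanged sender plus a placeholder proxied link
    sender = "facebook_secur@hotmail.com"
    link = ("https://translate.google.com/translate?sl=auto&tl=en"
            "&u=http%3A%2F%2Fmediacity.example%2Flogin")
    for finding in assess_alert(sender, link, "google"):
        print("-", finding)
```

Running the sample yields three findings: a non-Google sender domain, a link proxied through Translate, and a real landing host that is not a Google domain. The unwrapping step is the part worth automating, because on a phone the browser shows only the trusted `translate.google.com` prefix of a long URL, which is exactly the condition under which the article says the lure works.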

“We are aware of the phishing attempts and have blocked all sites in question, on multiple levels,” a Google spokesperson told Threatpost. The spokesperson urged users to report them if they encounter a phishing site.

However, the attack didn’t stop there. The attacker then attempts to hit victims twice, by forwarding them to a different landing page that purports to be Facebook’s mobile login portal as part of the attack.

These types of two-stage attacks appear to be on the rise as bad actors look to take advantage of victims who already fell for the first part of the scam, Cashdollar told Threatpost: “It seems this is becoming more common as the attacker knows they’ve gained your trust and try to steal additional credentials.”

Like the Google page, this Facebook landing page has some red flags. It uses an older version of the Facebook mobile login form, for instance.

“This suggests that the kit is old, and likely part of a widely circulated collection of kits commonly sold or traded on various underground forums,” said Cashdollar.

Despite these mistakes, the two stages of the phishing attack suggest a certain level of sophistication on the part of the attacker.

“It isn’t every day that you see a phishing attack leverage Google Translate as a means of adding legitimacy and obfuscation on a mobile device. But it’s highly uncommon to see such an attack target two brands in the same session,” he said.

Phishing attacks have continued to grow over the past year – and this particular scam is only one example of how bad actors behind the scams are updating their methods to become trickier.

phishing attack google translate

According to a recent Proofpoint report, “State of the Phish,” 83 percent of respondents experienced phishing attacks in 2018 – up 5 percent from 2017. That may not come as a surprise, as in the last year phishing has led to several massive hacks – whether it’s hijacking Spotify users’ accounts or large data breaches like the December San Diego Unified School District breach of 500,000.

Other methods of phishing have increased as well. Up to 49 percent of respondents said they have experienced “voice phishing” (when bad actors use social engineering over the phone to gain access to personal data) or “SMS/text phishing” tactics (when social engineering is used via texts to collect personal data) in 2018. That’s up from the 45 percent of those who experienced these methods in 2017.

Microsoft: Russians targeted conservative think tanks, U.S. Senate


Originally Seen: Cybersecurity.com on August 21, 2018 by Sean Lyngaas

The Russian intelligence office that breached the Democratic National Committee in 2016 has spoofed websites associated with the U.S. Senate and conservative think tanks in a further attempt to sow discord, according to new research from Microsoft.

The tech giant last week executed a court order and shut down six internet domains set up by the Kremlin-linked hacking group known as Fancy Bear or APT 28, Microsoft President Brad Smith said.

“We have now used this approach 12 times in two years to shut down 84 fake websites associated with this group,” Smith wrote in a blog post. “We’re concerned that these and other attempts pose security threats to a broadening array of groups connected with both American political parties in the run-up to the 2018 elections.”

The domains were constructed to look like they belonged to the Hudson Institute and International Republican Institute, but were in fact phishing websites meant to steal credentials.

The two think tanks are conservative, yet count many critics of U.S. President Donald Trump and Russian President Vladimir Putin among their members. The International Republican Institute lists Sen. John McCain, R-Ariz, and former Republican presidential candidate Mitt Romney as board members. The Hudson Institute and International Republican Institute also have programs that promote democracy and good governance worldwide.

There is no evidence that the domains had been used to carry out successful cyberattacks, according to Microsoft. The company says it continues to work with both think tanks and the U.S. Senate to guard against any further attacks.

The attacks come as more and more instances of cyberattacks directed at the 2018 midterm elections come to light. Last month, Russian intelligence targeted Sen. Claire McCaskill, a critic of Moscow and a red-state Democrat who faces a tough reelection bid in Missouri. Additionally, a number of election websites have been hit with DDoS attempts during their primary elections.

“We are concerned by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups and think tanks across the political spectrum in the United States,” Microsoft’s blog post read. “Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France.”

Smith also announced that Microsoft was providing cybersecurity protection for candidates, campaigns and political institutions that use Office 365 at no additional cost.

Greg Otto contributed to this story. 

Fancy Bears hackers target International Olympic Committee


Originally seen on Tech Target and written by: Madelyn Bacon

News roundup: The hacking group called Fancy Bears claims to have hacked the Olympics again.

The International Olympic Committee has had its email stolen again, this time in a response to its ban on Russia from the 2018 Winter Olympics.

A hacking group that calls itself Fancy Bears posted email messages allegedly from officials at the International Olympic Committee (IOC), the U.S. Olympic Committee (USOC) and other associated groups, like the World Anti-Doping Agency (WADA). There’s no confirmation yet that the email messages are authentic, but Fancy Bears focuses on anti-doping efforts that got Russia banned from this year’s Olympic Games.

“The national anti-doping agencies of the USA, Great Britain, Canada, Australia, New Zealand and other countries joined WADA and the USOC under the guidance of iNADO [Institute of National Anti-Doping Organisations],” Fancy Bears said on its website. “However, the genuine intentions of the coalition headed by the Anglo-Saxons are much less noble than a war against doping. It is apparent that the Americans and the Canadians are eager to remove the Europeans from the leadership in the Olympic movement and to achieve political dominance of the English-speaking nations.”

Fancy Bears is believed to be the same hacking group known as Fancy Bear that claimed responsibility for the 2016 hack on the U.S. Democratic National Committee, which interfered in the 2016 presidential election. Fancy Bear hackers have been linked to Russia’s military intelligence unit, the GRU, by American intelligence officials.

The batch of email messages Fancy Bears posted is from 2016 through 2017 and mainly focuses on discrediting Canadian lawyer Richard McLaren, who led the investigation into Russia’s widespread cheating in previous Olympic Games. It was because of the findings in his investigation that many Russian athletes are banned from the 2018 games in Pyeongchang, South Korea.

The IOC declined to comment on the “alleged leaked documents” and whether or not they are legitimate.

It’s not clear how Fancy Bears allegedly breached the IOC email. However, in 2016, the same group targeted WADA with a phishing scheme and released documents that focused on previous anti-doping efforts following the 2016 Summer Olympics. In that case, the hacking group released the medical records for U.S. Olympic athletes Simone Biles, Serena and Venus Williams and Elena Delle Donne. The medical records showed that these athletes were taking prohibited medications, though they all obtained permission to use them and, thus, were not violating the rules. This release happened in the midst of McLaren’s investigation into the widespread misconduct by Russian athletes.

In one email released in this week’s dump, IOC lawyer Howard Stupp complained that the findings from McLaren’s investigation were “intended to lead to the complete expulsion of the Russian team” from the 2016 Summer Games in Rio de Janeiro and now from the 2018 Pyeongchang Games.

What do you think about this alleged Olympics hack?