Follow ISA Cybersecurity on LinkedIn for the latest cybersecurity news
Weekly CyberTip: Be on the lookout for text message attacks
“Smishing” (SMS-based phishing) is less common than email phishing, but it can be just as dangerous, so stay cyber savvy! To limit your risk, don’t tap unexpected or suspicious links received in text messages on your mobile device; instead, open the company’s website yourself in a browser, or call the company at a number you already know to be genuine. And help stop the spread by reporting spam texts: in Canada and the United States, you can forward these messages to 7726 (which spells “SPAM” on a phone keypad), free of charge.
New SMS malware attack targets Android phones in Canada and the U.S.
A new malware campaign nicknamed “TangleBot” is targeting Android devices in Canada and the United States with convincing coronavirus-themed messages. The fake messages encourage users to click a link mentioning: “New regulations about COVID-19 in your region,” or purporting to confirm a COVID-19 vaccination booster shot with the message: “You have received the appointment for the 3rd dose. For more information visit…”
The links actually take the user to fake websites that attempt to collect sensitive information from the victim and dupe them into installing the malware disguised as PDF reader software.
Security firm Cloudmark, a division of Proofpoint, describes the campaign in detail in a September 23 report. The study explains that TangleBot features “many levels of obfuscation and control over a myriad of entangled device functions, including contacts, SMS and phone capabilities, call logs, internet access, and camera and microphone.” Once installed, the malware allows threat actors to harvest passwords, monitor website usage, place calls from the device, block incoming calls, send and receive text messages, put fake screen overlays on the device display, and even record audio and video.
It is important to note that TangleBot does not exploit any flaw in the Android operating system; it relies entirely on social engineering to convince users to tap the fake link and then sideload the malicious app. Android users are cautioned to be on the lookout for these types of messages, and to install software only from known, trusted sources or app stores, leaving installation from unknown sources disabled.
Microsoft report reveals huge phishing-as-a-service operation
In a September 21 blog post, Microsoft provides details of an elaborate “Phishing-as-a-Service” operation discovered on the dark web.
The operation, which Microsoft researchers have dubbed “BulletProofLink”, sells access to phishing kits, email templates, hosting, and automated services starting at about $800 (all figures USD). Microsoft researchers determined that phishing campaigns launched from the service can generate huge numbers of new, unique subdomains (over 300,000 in a single campaign), which makes blocklisting individual hostnames ineffective.
The professional operation offers over 120 phishing templates that mimic well-known brands and services, and is available in “one-off or monthly subscription-based business models, creating a steady revenue stream for its operators,” according to the Microsoft report. Once a site has been set up, subscribers can purchase additional fake templates for $80-100 per page.
BulletProofLink (also known variously as BulletProftLink or Anthrax by its operators in underground ads and promotional materials) has placed an emphasis on ease of use and customer service. After paying the registration fee (usually in Bitcoin), would-be criminals get built-in hosting for their phishing sites, installation and configuration of the phony templates, and bulk email services to reach victims. The service harvests credentials from anyone who falls for the scam, and the stolen login data is delivered to the subscriber to exploit as they choose.
The service delivers tutorials to help customers use the phishing platform, and even offers a variety of methods of receiving personalized support over Skype, ICQ, and forums or chat rooms.
Unsurprisingly, though, the site operators could not resist biting the hand that feeds them: researchers reportedly found that the service has also been stealing data from its own subscribers and re-selling the credentials elsewhere on the dark web.
As always, companies are encouraged to stay vigilant for unexpected or suspicious email communications, and to provide security awareness training for their staff. Organizations that run threat intelligence feeds or blocklists can also ingest the indicators of compromise (IOCs) detailed in the report, which include the domains and the credential-processing (“password-processing”) URLs used by the kits.
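One way to put such a list to work, as an added example that is not part of the original newsletter or of Microsoft’s report: a short Python script that scans web-proxy log lines for requests to IOC domains (matching every parent suffix, so the throwaway subdomains these kits generate are still caught) and for POSTs to known credential-processing paths. The IOC values, the log format (timestamp, client IP, method, URL, status) and the log lines are all constructed placeholders for illustration; real indicators would be loaded from the report or a threat intelligence feed.

```python
"""Match proxy log entries against a phishing-kit IOC list (added example)."""
from urllib.parse import urlparse

# Constructed IOC values for illustration; these are NOT the indicators from
# the Microsoft report. Load real ones from the report or a TI feed.
IOC_DOMAINS = {
    "phish-kit-example.test",     # constructed phishing-kit hosting domain
    "credential-drop.invalid",    # constructed credential-processing domain
}
# Constructed "password-processing" paths: kits often POST harvested
# credentials to one fixed script path reused across every generated subdomain.
IOC_PATHS = {
    "/post.php",
    "/api/login/process",
}

# Constructed proxy log: timestamp client_ip method url status
SAMPLE_LOG = """\
2021-09-27T10:01:02Z 10.0.0.15 GET https://www.example.org/ 200
2021-09-27T10:01:07Z 10.0.0.15 GET https://a1b2c3.phish-kit-example.test/login 200
2021-09-27T10:01:09Z 10.0.0.15 POST https://a1b2c3.phish-kit-example.test/post.php 302
2021-09-27T10:02:11Z 10.0.0.22 POST https://cdn.example.net/api/login/process 200
2021-09-27T10:03:40Z 10.0.0.31 GET https://notphish-kit-example.test/ 200
"""


def matching_ioc_domain(host, ioc_domains):
    """Return the IOC domain that `host` equals or is a subdomain of, else None.

    Every parent suffix is checked (label-wise, not as a substring), so
    'a1b2c3.phish-kit-example.test' matches but the look-alike
    'notphish-kit-example.test' does not. The bare TLD is never checked.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in ioc_domains:
            return candidate
    return None


def parse_line(line):
    """Split one constructed log line into fields; None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return {"ts": ts, "client": client, "method": method.upper(),
            "url": url, "status": status}


def scan_log(log_text, ioc_domains=IOC_DOMAINS, ioc_paths=IOC_PATHS):
    """Return one hit per log line that touches an IOC domain, or POSTs to an
    IOC credential-processing path on any host (weaker signal, flagged
    separately so an analyst can triage it)."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        parsed = urlparse(rec["url"])
        dom = matching_ioc_domain(parsed.hostname or "", ioc_domains)
        if dom:
            hits.append({"line": lineno, "client": rec["client"],
                         "reason": "ioc_domain", "ioc": dom, "url": rec["url"]})
            continue
        if rec["method"] == "POST" and parsed.path in ioc_paths:
            hits.append({"line": lineno, "client": rec["client"],
                         "reason": "ioc_path_post", "ioc": parsed.path,
                         "url": rec["url"]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Suffix matching is the part that matters against a kit that mints hundreds of thousands of subdomains: a hostname blocklist would miss every new one, while a match on the registered parent domain catches all of them. The path-only rule is deliberately reported under a separate reason, since a path like `/post.php` is common enough that a hit on an unknown host needs a human look rather than an automatic block.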
New IBM study sends clear messages about the perceptions of cybersecurity in Canada
A September 2021 study conducted for IBM shows widespread concern about cybercrime at the federal level among the study’s hundreds of corporate respondents. Highlights of the report include:
+ 93% are concerned about cybersecurity risks and the impact of cyber crime in Canada;
+ 81% feel that the federal government should increase spending on technology and cloud modernization, particularly to address issues created by the COVID-19 pandemic;
+ 71% feel that Canada has the technology capabilities to compete globally;
+ 35% of respondents do not feel that the country is prepared to respond to a large-scale cyber attack; and
+ 83% of respondents felt that the technical debt in aging federal data systems has a direct negative impact on the digital experiences of Canadians.
Two-thirds of the respondents were concerned that progress on the necessary changes would be hampered by government bureaucracy, partisan politics, and costs.
DDoS attack on Quebec VoIP provider enters second week
While progress is being made, Quebec-based Internet telephony service provider VoIP.ms is still reporting outages due to a persistent Distributed Denial of Service (DDoS) attack. First confirmed by the company on Twitter on September 16, the attack has disrupted the company’s websites, internal operations, and virtualized phone/fax services.
“A Distributed Denial of Service (DDoS) attack continues to be targeted at our Websites and POP servers. Our team is deploying continuous efforts to stop this however the service is being intermittently affected. Click here to see all the updates on our Twitter feed. We apologize for all the inconveniences,” advises a banner on the VoIP.ms website.
The company has been diligent in providing frequent updates via its Twitter account. According to the latest post on September 26, the main U.S. provider used by VoIP.ms “has confirmed they are again experiencing intermittent issues on their network affecting inbound and outbound calls and messaging to some US numbers,” prolonging the outages.
During the ten-day disruption, the company has tried moving its services to different Internet providers, giving customers instructions on reconfiguring their systems on the fly. However, the attackers have matched each move step for step, launching attacks on the new IP addresses and services as soon as they were deployed.
Unconfirmed reports said the original ransom demanded to end the attack was $45,000 (all figures USD). However, as the incident has dragged on, the attackers have raised the price dramatically to $4.5 million. The attackers are calling themselves REvil, but their communications and tactics suggest that they are not affiliated with the notorious Russia-based ransomware group of that name.
According to its website, VoIP.ms supports over 80,000 customers across 125 countries, though the majority of the issues have affected the company’s Canadian and U.S. customers.