Cybersecurity Week in Review: 11/23
Posted by: GuidePoint Security
This cybersecurity week in review features two threats involving stolen Microsoft user credentials—one targeting C-suite executives and accounting staff and another targeting users of a popular video streaming service. In another story, we remind readers of the dangers of downloading gaming apps from third-party sources and unauthorized websites, as researchers announced this week the discovery that criminals are creating malware-ridden copycat versions of one popular multiplayer game.
Credentials for C-suite and Other Key Corporate Staff Available for a Price
Corporate executives and staff at companies around the world may want to change their corporate passwords immediately. Security professionals are reporting that a threat actor on a Russian-speaking underground forum is selling corporate email address and password combinations for Office 365 and Microsoft accounts, at prices ranging from $100 to $1,500 depending on the company and the role.
Position titles include most “C-suite” roles (CEO, COO, CFO, CMO and CTO), as well as other titles at the director and manager level, such as finance manager, controller and accounts payable. A security professional working on the issue reached out to the threat actor and confirmed the validity of the data and credentials available. The list of companies targeted has not been released, although various news outlets are reporting that the email addresses and passwords come from businesses around the world.
Researchers believe the cybercriminal obtained the login credentials from “Azor Logs”: the logs produced by the AZORult info-stealer trojan, which harvests credentials (including those saved in browsers) from the computers it infects. In other words, the passwords were most likely taken directly from compromised endpoints rather than from a breach of Microsoft itself.
The most likely monetization scenario is business email compromise (BEC): spear phishing that ends in wire fraud. Typically the criminal uses an executive’s real mailbox to email a colleague (usually someone in accounting) requesting that a large sum of money be wired. Because the message comes from a legitimate account and staff rarely question a senior executive’s request, these scams are frequently successful.
Alternatively, the criminal may also use the email credentials belonging to staff to contact outside entities, such as customers or banking sources to wire money to the criminal or obtain sensitive information.
The easiest and quickest way for corporate executives and staff to protect their personal and corporate data is to change their passwords. One caveat: these credentials were captured by malware on the endpoint, so changing a password on a machine that is still infected only hands the new one to the same stealer; affected endpoints should be cleaned or reimaged first. If they’re not already doing so, corporations should also immediately institute two-step verification (2SV) or two-factor authentication (2FA).
Additional details on this story can be found here.
Massive “Turkey Bomb” Phishing Campaign: Be on the Lookout
In another act of Microsoft credential stealing, cybercriminals are using the combination of the holiday season, the Covid pandemic and the popularity of video conferencing with friends and loved ones for a sophisticated, and purportedly massive, phishing scam aimed at pilfering Microsoft email addresses and passwords.
Coined “TurkeyBombing” by one news report (after the type of attack called “ZoomBombing”), the massive phishing attack kicked off over the Thanksgiving holidays and involves emails that spoof links to a popular video conferencing website.
Targeted victims receive an email telling them they have been invited to a video conference. When the victim clicks the link, they are taken to a fake web page that resembles a Microsoft login page. To make the fake website appear more credible, the user’s email address pre-populates in the login field when the victim arrives on the landing page. In addition to capturing the email address and password, the phishing page also collects the victim’s IP address and geographic location.
The criminals then test the stolen credentials against the victim’s Microsoft account over the Internet Message Access Protocol (IMAP). IMAP logins with basic authentication do not prompt for a second factor, so a stolen password is enough on its own unless legacy authentication has been disabled for the account; for defenders, IMAP sign-ins from unfamiliar addresses shortly after a phishing wave are the signal to watch for.
Security professionals warn that the attack is still ongoing and will likely continue throughout the holidays, as friends and family increase their use of video conferencing to connect with each other virtually.
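As an added example (not part of GuidePoint's article or any vendor tooling), the following Python script shows one way a defender could spot the IMAP credential-verification step described above in sign-in logs. The JSON-lines records are constructed to resemble simplified Microsoft 365 sign-in events; the field names (`ts`, `user`, `ip`, `country`, `app`, `result`) and the `IMAP4` app label are assumptions, not a real export format. It raises two kinds of alert: a legacy-protocol login from an address the user has never used interactively, and a single address trying legacy authentication against many users in a short window.

```python
"""Spot IMAP credential verification in sign-in logs (added example).

The JSON-lines events below are CONSTRUCTED to resemble simplified
Microsoft 365 sign-in records; field names and app labels are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Basic-auth protocols that do not prompt for a second factor.
LEGACY_APPS = {"IMAP4", "POP3", "Authenticated SMTP"}

# Constructed sample: two normal browser logins, then one IP tries IMAP against
# four users within seconds (testing a batch of stolen passwords) and gets into
# one account. The final line is a legitimate IMAP client from a known address.
SAMPLE_LOG = """
{"ts": "2020-11-27T08:02:11Z", "user": "alice@example.com", "ip": "203.0.113.5", "country": "US", "app": "Browser", "result": "success"}
{"ts": "2020-11-27T08:05:40Z", "user": "bob@example.com", "ip": "203.0.113.9", "country": "US", "app": "Browser", "result": "success"}
{"ts": "2020-11-27T21:14:02Z", "user": "alice@example.com", "ip": "198.51.100.77", "country": "RU", "app": "IMAP4", "result": "failure"}
{"ts": "2020-11-27T21:14:05Z", "user": "bob@example.com", "ip": "198.51.100.77", "country": "RU", "app": "IMAP4", "result": "success"}
{"ts": "2020-11-27T21:14:07Z", "user": "carol@example.com", "ip": "198.51.100.77", "country": "RU", "app": "IMAP4", "result": "failure"}
{"ts": "2020-11-27T21:14:09Z", "user": "dave@example.com", "ip": "198.51.100.77", "country": "RU", "app": "IMAP4", "result": "failure"}
{"ts": "2020-11-28T09:00:00Z", "user": "alice@example.com", "ip": "203.0.113.5", "country": "US", "app": "IMAP4", "result": "success"}
"""


def parse_events(text):
    """Parse JSON-lines sign-in events; 'ts' becomes a datetime."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def baseline_ips(events):
    """Known IPs per user, built only from successful non-legacy sign-ins.

    In production this baseline would come from a prior period of history,
    not from the same batch of events being inspected.
    """
    known = defaultdict(set)
    for ev in events:
        if ev["result"] == "success" and ev["app"] not in LEGACY_APPS:
            known[ev["user"]].add(ev["ip"])
    return known


def find_legacy_auth_alerts(events, window=timedelta(minutes=10), spray_threshold=3):
    """Return alerts for suspicious legacy-protocol (IMAP/POP/SMTP) authentication."""
    events = sorted(events, key=lambda e: e["ts"])
    known = baseline_ips(events)
    alerts = []

    # 1. A legacy-protocol success from an IP the user never used interactively.
    for ev in events:
        if (ev["app"] in LEGACY_APPS and ev["result"] == "success"
                and ev["ip"] not in known[ev["user"]]):
            alerts.append({"kind": "legacy_success_new_ip", "user": ev["user"],
                           "ip": ev["ip"], "country": ev["country"], "ts": ev["ts"]})

    # 2. One IP trying legacy auth against many distinct users inside the window.
    by_ip = defaultdict(list)
    for ev in events:
        if ev["app"] in LEGACY_APPS:
            by_ip[ev["ip"]].append(ev)
    for ip, evs in by_ip.items():
        best = set()
        start = 0
        for end in range(len(evs)):          # sliding window over this IP's attempts
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= spray_threshold:
            compromised = sorted({e["user"] for e in evs
                                  if e["result"] == "success" and e["user"] in best})
            alerts.append({"kind": "legacy_auth_spray", "ip": ip,
                           "users": len(best), "compromised": compromised})
    return alerts


if __name__ == "__main__":
    for alert in find_legacy_auth_alerts(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample this flags Bob's IMAP success from 198.51.100.77 as a login from a never-seen address, and flags 198.51.100.77 itself for hitting four users within seconds with Bob's account as the one that succeeded; Alice's IMAP login from her usual address the next morning is left alone. The two checks are deliberately separate: the per-user baseline catches a single account being opened from a new location, while the per-IP window catches the batch verification of stolen credentials even when every attempt fails.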
You can read more on the “TurkeyBombing” phishing scam here and here.
Malware Masquerading as a Popular Gaming App
It has been said that “imitation is the sincerest form of flattery”, although, in the case of the newly discovered fake versions of a popular multiplayer gaming app, it’s probably more accurate to say that “imitation is the sincerest form of crime and greed.”
Researchers announced last week that more than 60 fake apps masquerading as this multiplayer game have recently appeared online. Up to nine different criminal authors appear to be involved in creating the fake apps, which contain everything from adware (software that forces unwanted advertising onto your screen) to malware droppers that install code designed to steal banking credentials from unsuspecting users.
Researchers discovered that the fake apps are using the name “com.innersloth.spacemafia”, which is the actual Android package name of the game. A package name is just a string the app’s author chooses, so a matching name says nothing about who built the app; on Android it is the developer’s signing certificate, not the package name, that identifies the publisher, and an app with the right name but a different signer is not the real one. These fake apps are found primarily on third-party app stores and websites.
Although the game was released in 2018, more individuals are looking to play the game as its popularity spiked in 2020 as a result of Twitch and YouTube streamers promoting the game.
Gamers are cautioned to only download the app from legitimate sources such as the Google Play app store and the Apple app store.
More on this story about malware apps is available here.
Final Words
The holidays are always a special time for cybercrime. Add Covid into the mix and we have the makings of the perfect cybercrime storm. The coming weeks are going to get more intense when it comes to cyber threats, as criminals take advantage of the increase in online holiday shopping to promote malware and use the changes in our lifestyles as a result of Covid to attempt to entice us into releasing personal and sensitive information.
Folks, there is no better time than now to turn on and turn up your “scam meters”. Remember, if it sounds too good to be true, then it probably is. If you aren’t aware of a planned video conference call with your siblings, then don’t assume the email you got announcing one is legitimate. And, don’t let your kids convince you that you can save money by letting them download that third-party app from an unknown source.
As always, one of the best things you can do to protect yourself is to practice safe online computing habits, such as:
- Being cautious when clicking unfamiliar links to websites or opening attached files
- Using a unique password for every account, never reusing one, and changing any password promptly if you suspect it has been phished or exposed
- Never hand out personal information—such as passwords—on an unfamiliar website
Remember security is an action. You get out what you put in.
GuidePoint Security