
Activity Summary - Week Ending October 19, 2018

Our partner Fortinet publishes a report every week about exposed threats. You can review the weekly report below. If you have questions, do not hesitate to contact us.


Recognizing and preventing modern cyber scams is difficult. As FortiGuard's Sr. Security Strategist, Ladi Adefala, points out in his blog post, cybercriminals use a wide variety of scam tactics to gain access to your devices and networks to steal information or extort money. It is important to understand the various social engineering tactics that bad actors are using to trick users. Ladi spells out ways you can identify and minimize the impact of cyber scams by learning more about what tactics are being employed.

Cyber scams can affect anybody unaware of these common warning signs. As people continue to adopt devices that connect directly to the internet, the risk of falling victim to a scam increases. By being aware of the common cyber scam tactics that we see targeting people today, as well as recognizing those common telltale signs, you can better safeguard your valuable information.

Fortinet has a variety of security tools that help detect or block scams, depending on the techniques being used. For example, our Web Filtering program blocks and blacklists scam-related URLs; FortiMail leverages our Anti-spam solution; and our award-winning AntiVirus solution can detect scams and block downloads when necessary. For more information on our security services, visit our Security Subscriptions webpage.

Recognizing and Preventing Modern Cyber Scams Blog

 

Application Vulnerabilities / IPS

 

Rank  Name                                                           Prevalence
1     MS.IIS.WebDAV.PROPFIND.ScStoragePathFromUrl.Buffer.Overflow    41,472
2     Dasan.GPON.Remote.Code.Execution                               28,000
3     D-Link.DSL-2750B.CLI.OS.Command.Injection                      27,331
4     Avtech.Devices.HTTP.Request.Parsing.Multiple.Vulnerabilities   23,339
5     Oracle.WebLogic.Server.wls-wsat.Component.Code.Injection       19,591

 

Magento.eCommerce.Web.Sites.Remote.Code.Execution – Magento is one of the most popular ecommerce platforms in use today, with an estimated install base of over 500,000 sites using it. It is now part of Adobe and provides both free and paid versions of the platform, with a big chunk of Fortune 500 companies using this as their choice of e-commerce framework.

This signature detects attempts to exploit flaws in Magento 1.9.1.0 CE and 1.14.1.0 EE: CVE-2015-1397 (SQL injection vulnerability), CVE-2015-1398 (multiple directory traversal vulnerabilities), and CVE-2015-1399 (remote file inclusion vulnerability). These can be chained in an attempt to execute an attacker-controlled payload on a vulnerable web server.

One of the issues arises from a lack of sanitization of URLs that access administrative scripts on the system. Magento can be tricked into executing administrative paths simply by appending "Adminhtml" (a string Magento itself appends when an admin user is logged in at the time of the requested action) to the URL.

If successfully exploited, with full access to the system, the attacker would then be able to grab sensitive customer data such as usernames, passwords, and credit card information, as well as other personally identifiable information.

We are seeing attackers leveraging this exploit against sensors in Spain and Australia, with close to 800,000 hits in the last 30 days. At the time of this writing, public information on how to exploit this vulnerability, as well as proof-of-concept exploit code, was available.

Signatures: Magento.eCommerce.Web.Sites.Remote.Code.Execution 

WordPress.Multiple.Plugins.CMS.Software.Arbitrary.File.Upload – Several arbitrary remote file upload vulnerabilities exist in multiple WordPress plugin components, such as the mobile and web-app builders. In one of the flaws, the code in the file /server/images.php (other plugins use other paths) requires neither authentication nor any check that the user is allowed to upload content.

The vulnerability affects:
1. Zen App Mobile Native <=3.0 (CVE-2017-6104)
2. WordPress Plugin webapp-builder v2.0 (CVE-2017-1002002)
3. WordPress Plugin wp2android-turn-wp-site-into-android-app v1.1.4 (CVE-2017-1002003)
4. WordPress Plugin mobile-app-builder-by-wappress v1.05 (CVE-2017-1002001)
5. WordPress Plugin mobile-friendly-app-builder-by-easytouch v3.0 (CVE-2017-1002000)

A successful attack runs code in the context of the running httpd process. On top of not validating whether a user may upload content at all, the code also does not check whether the uploaded file is executable code rather than data. We are seeing increased telemetry on this signature targeting the U.S. (17.90%), Japan (4.90%) and Taiwan (4.71%).

Signatures: WordPress.Multiple.Plugins.CMS.Software.Arbitrary.File.Upload
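The two IPS items above both describe request patterns a web-server log will show: a Magento admin route reached through an "Adminhtml" string, directory traversal, and POSTs to a plugin upload endpoint that accepts anything. The following is an added example, not Fortinet's signature logic, of how a defender can run those checks over access-log lines. The log lines, the PLUGIN-NAME path segment, the list of executable extensions and the documentation IP addresses are all constructed; the "Adminhtml" and traversal rules follow the brief's description and should be tuned against legitimate admin traffic before being used for alerting.

```python
"""Flag web-server requests that match the two IPS themes above (added example; sample log is constructed)."""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote

# Simplified Apache/nginx "combined" log line: ip - - [time] "METHOD PATH PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# /server/images.php is the path named in the brief; other plugins use other paths (add them here)
UPLOAD_ENDPOINTS = ("/server/images.php",)
# File names an image uploader should never accept (assumption: PHP-executable extensions)
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar)\b", re.IGNORECASE)
# ".." as a whole path segment, checked after percent-decoding
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


@dataclass(frozen=True)
class Finding:
    ip: str
    rule: str
    path: str


def classify(method: str, raw_path: str) -> List[str]:
    """Return the rule names a single request matches (empty list for benign requests)."""
    path = unquote(unquote(raw_path))  # decode twice so %252e-style double encoding is caught too
    resource, _, query = path.partition("?")
    rules = []
    # Magento: the brief says admin routes can be reached by appending "Adminhtml" to the URL
    if "Adminhtml" in resource:
        rules.append("magento-adminhtml-route")
    if TRAVERSAL.search(resource):
        rules.append("directory-traversal")
    # WordPress plugins: any POST to the unauthenticated endpoint, worse if the name looks executable
    if method == "POST" and resource.endswith(UPLOAD_ENDPOINTS):
        rules.append("plugin-upload-endpoint")
        if EXEC_EXT.search(query):
            rules.append("plugin-upload-executable-name")
    return rules


def scan(lines: List[str]) -> List[Finding]:
    """Parse each access-log line and collect findings; unparseable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for rule in classify(m["method"], m["path"]):
            findings.append(Finding(m["ip"], rule, m["path"]))
    return findings


# Constructed sample log (documentation IP ranges, hypothetical paths); not real telemetry
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Oct/2018:10:00:01 +0000] "GET /index.php/catalog/product/view/id/42 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [19/Oct/2018:10:00:02 +0000] "GET /index.php/admin/Adminhtml/index/ HTTP/1.1" 200 4096',
    '198.51.100.7 - - [19/Oct/2018:10:00:03 +0000] "GET /index.php/../../../secret.txt HTTP/1.1" 403 0',
    '198.51.100.7 - - [19/Oct/2018:10:00:04 +0000] "POST /wp-content/plugins/PLUGIN-NAME/server/images.php?name=shell.php HTTP/1.1" 200 12',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ip:15} {f.rule:32} {f.path}")
```

Upload requests usually carry the file name in the multipart body rather than the query string, so in practice the executable-name rule belongs in a WAF or application log that sees the body; the endpoint rule alone already catches the unauthenticated POSTs the brief describes.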

 

Malware Activity

 

Rank  Name                   Prevalence
1     Android/Agent.FJ!tr    9,811
2     Adware/Agent           5,164
3     W32/Agent.AJFK!tr      3,999
4     W32/Injector.EALR!tr   3,675
5     Riskware/CoinHive      3,422

 

Panda Banker - I'd Rather Bank with a Human – FortiGuard Labs is aware of a new reemergence of the nefarious banking Trojan Panda Banker. Discovered by researchers this week, this latest reemergence of Panda Banker appears to be targeting Canada, Japan, and the United States. Panda Banker is essentially a variant of the infamous Zeus banking Trojan and constantly receives updates from its authors. Panda Banker's modus operandi is to steal banking information, specifically through man-in-the-browser (MitB) attacks on a real-time web session. This is done by injecting malicious code into the browser session on the victim machine. Panda Banker will sniff for credit cards, banking accounts, and other personal information.

What makes Panda Banker dangerous is that it performs cursory checks in real time to determine whether it is running on a real machine or in a sandbox, in order to evade analysis and detection. It looks for various forensic and analysis tools, such as network capture tools, debuggers, disassemblers, and other tools used in malware analysis. If it discovers these tools, it simply exits and deletes the payload.

Panda Banker then creates copies of itself on the victim machine. Once that is done, the process launches the newly created executable before exiting; the new copy then creates two svchost.exe processes and injects itself into them. It then looks for the process names of commonly used web browsers and, if it finds them, injects a plugin.dll into them to hijack and intercept traffic between the browser and the victim machine. This happens once it identifies a connection to a website specified within its parameters, such as well-known or targeted financial institutions. Multiple layers of obfuscation and encryption make analysis difficult, both of the malware itself and of its web traffic. Further tricks Panda Banker employs to hinder analysis are a domain generation algorithm (DGA) and a Mersenne Twister used to generate random values.

Signatures: W32/Kryptik.GJUV!tr.ransom, W32/Panda.BUD!tr, W32/Zbot.ADC!tr.spy, W32/GenKryptik.CJRU!tr, W32/Kryptik.GIRS!tr, W32/GenKryptik.CGCC!tr, W32/Kryptik.GATM!tr, W32/Generik.LKEPZGS!tr, W32/Panda.BPX!tr, W32/GenKryptik.CHNI!tr, W32/GenKryptik.CFWA!tr, W32/Panda.BRE!tr, W32/Kryptik.GJQC!tr, W32/Kryptik.GJOP!tr, W32/GenKryptik.CFTK!tr, W32/GenKryptik.CFSX!tr, W32/GenKryptik.CHTQ!tr, W32/Kryptik.GJKE!tr
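The process-tree behaviour described above (a dropped copy spawning two svchost.exe processes, and a browser receiving an injected plugin.dll) is something endpoint telemetry can expose without any knowledge of the sample's packing. The following is an added example, not FortiGuard Labs' detection logic, of two such checks run over constructed process-creation and image-load events in a Sysmon-like shape. The event dictionaries, the browser image names, the file paths and the list of directories a browser may legitimately load DLLs from are all assumptions; the "svchost.exe must be started by services.exe" rule is a general Windows fact, but per-user browser installs (for example under AppData) will need the trusted-directory list extended.

```python
"""Detect the process-tree behaviour described for Panda Banker in constructed endpoint telemetry (added example)."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumptions (not from the brief): browser image names and directories a browser may legitimately load DLLs from
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# On Windows, svchost.exe is normally created by the Service Control Manager, services.exe
EXPECTED_SVCHOST_PARENT = "services.exe"

Event = Dict[str, object]
Alert = Tuple[str, int, str]   # (rule name, pid the rule fired on, supporting detail)


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def evaluate(events: List[Event]) -> List[Alert]:
    """Apply the svchost-parent and browser-DLL rules to a stream of create/load events."""
    alerts: List[Alert] = []
    svchost_children = defaultdict(list)   # parent pid -> svchost pids it spawned
    for ev in events:
        if ev["type"] == "create":
            child, parent = image_name(ev["image"]), image_name(ev["parent_image"])
            # svchost.exe started by anything other than services.exe is worth a look
            if child == "svchost.exe" and parent != EXPECTED_SVCHOST_PARENT:
                svchost_children[ev["parent_pid"]].append(ev["pid"])
                alerts.append(("svchost-unusual-parent", ev["pid"], ev["parent_image"]))
        elif ev["type"] == "load":
            dll = str(ev["loaded"]).lower()
            # a browser loading a DLL from outside its own install or the Windows directories
            if image_name(ev["image"]) in BROWSERS and not dll.startswith(TRUSTED_DLL_DIRS):
                alerts.append(("browser-untrusted-dll", ev["pid"], ev["loaded"]))
    # the brief describes two svchost.exe instances created by the same dropped copy
    for ppid, pids in svchost_children.items():
        if len(pids) >= 2:
            alerts.append(("multi-svchost-same-parent", ppid, ",".join(str(p) for p in pids)))
    return alerts


# Constructed sample events; pids, users and paths are hypothetical
SAMPLE_EVENTS: List[Event] = [
    {"type": "create", "pid": 100, "parent_pid": 99,
     "image": "C:\\Users\\alice\\AppData\\Roaming\\svcupd.exe",
     "parent_image": "C:\\Users\\alice\\Downloads\\invoice.exe"},
    {"type": "create", "pid": 101, "parent_pid": 100,
     "image": "C:\\Windows\\System32\\svchost.exe",
     "parent_image": "C:\\Users\\alice\\AppData\\Roaming\\svcupd.exe"},
    {"type": "create", "pid": 102, "parent_pid": 100,
     "image": "C:\\Windows\\System32\\svchost.exe",
     "parent_image": "C:\\Users\\alice\\AppData\\Roaming\\svcupd.exe"},
    {"type": "create", "pid": 103, "parent_pid": 4,
     "image": "C:\\Windows\\System32\\svchost.exe",
     "parent_image": "C:\\Windows\\System32\\services.exe"},
    {"type": "load", "pid": 200,
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "loaded": "C:\\Users\\alice\\AppData\\Roaming\\plugin.dll"},
    {"type": "load", "pid": 200,
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "loaded": "C:\\Windows\\System32\\kernel32.dll"},
]

if __name__ == "__main__":
    for rule, pid, detail in evaluate(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid:<6} {detail}")
```

The first rule fires on each odd svchost.exe individually and again when one parent has spawned two or more, which matches the two-process pattern in the brief; the browser rule is independent of which DLL name the malware uses, since plugin.dll can change between builds.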

New Targeted Attacks in Korea Discovered – FortiGuard Labs is aware of targeted attacks occurring in South Korea by Reaper/APT37/ScarCruft/Geumseong121. Discovered by researchers, this group appears to use multiple techniques to identify potential targets for compromise. Reconnaissance is done on targets identified via KakaoTalk, a messaging platform popular in South Korea. Once reconnaissance is complete, the identified targets are attacked via a two-pronged approach. One prong is the use of known Adobe Flash vulnerabilities such as CVE-2018-4878 (use after free) in conjunction with Hangul Word Processor (HWP) documents, where the embedded Flash file contains an encrypted binary blob that ultimately retrieves the payload from a remote site. The same technique has also been observed in Excel files (XLS + CVE-2018-4878) and in Word documents containing malicious macros. Other Flash vulnerabilities observed in use are CVE-2015-5119 and CVE-2015-0313. The other prong consists of watering hole attacks and malicious Android APK files, which appear to be related to KevDroid. An interesting observation from this attack is that the malware looks for a specific journalist name and machine name as well as a news institution name; if these parameters are not present, the malware simply exits. Also observed was the use of possible false flags: some of the language used was Romanized Chinese with incorrect usage, which makes attribution difficult.

Signatures: MSIL/Kryptik.EGY!tr, W32/Generic.DUG!tr.bdr, Android/KevDroid.A!tr, MSIL/Agent.SIM!tr, W32/Agent.DUE!tr.dldr

Indicator(s):
hxxp://endlesspaws.com/vog/tan.php?
hxxp://endlesspaws.com/vog/denk.zip
seline[.]co[.]kr/datafiles/CNOOC[.]php
www[.]causwc[.]or[.]kr/board_community01/board_community01/index2[.]php 
www[.]kumdo[.]org/admin/noti/files/iindex[.]php 
www[.]icare[.]or[.]kr/upload/board/index1[.]php
cnjob[.]co[.]kr/data/blog/iindex[.]php
notac[.]co[.]kr/admin/case/iindex[.]php
hxxp://ebsmpi.com/ipin/360/down.php
hxxp://cgalim.com/admin/hr/hr.doc
175[.]45[.]178[.]133

Web Filtering Activity


Gallmaker: New Threat Group in the Middle East and Eastern Europe – The FortiGuard Labs Web Filtering team is aware of a new threat group targeting government, military, and defense sectors, mainly in Eastern Europe and the Middle East. Their attacks are believed to have begun in December 2017, with a spike in April 2018. The actor behind the campaign uses custom malware and living-off-the-land (LotL) tactics as well as publicly available hacking tools. They also exploit Microsoft Office DDE, most likely starting with a typical spear-phishing email, followed by a series of steps that include controlling the victim's system remotely and executing various tools. Specific PowerShell commands that were tracked as suspicious led to this discovery.

The FortiGuard Labs Web Filtering team has blacklisted all the related network IOCs used by Gallmaker.

Indicator(s):
111[.]90[.]149[.]99/o2
94[.]140[.]116[.]124/o2
94[.]140[.]116[.]231/o2
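Both indicator lists above (the Reaper/APT37 list and the Gallmaker list) are published defanged, with hxxp:// and [.] notation, so they cannot be fed to a proxy or DNS log search as-is. The following is an added example, not a FortiGuard tool, that refangs the indicators exactly as printed in this brief, sorts them into bare IPs, host names and host+path URLs, and matches them against proxy log lines. The proxy log format and the client addresses are constructed assumptions; the indicators themselves are copied from the brief.

```python
"""Refang the defanged indicators listed in the brief and match them against constructed proxy log lines (added example)."""
import ipaddress
import re
from typing import List, Set, Tuple
from urllib.parse import urlsplit

# Copied from the two "Indicator(s)" lists above (Reaper/APT37 and Gallmaker), still defanged
DEFANGED_IOCS = """
hxxp://endlesspaws.com/vog/tan.php?
hxxp://endlesspaws.com/vog/denk.zip
seline[.]co[.]kr/datafiles/CNOOC[.]php
www[.]causwc[.]or[.]kr/board_community01/board_community01/index2[.]php
www[.]kumdo[.]org/admin/noti/files/iindex[.]php
www[.]icare[.]or[.]kr/upload/board/index1[.]php
cnjob[.]co[.]kr/data/blog/iindex[.]php
notac[.]co[.]kr/admin/case/iindex[.]php
hxxp://ebsmpi.com/ipin/360/down.php
hxxp://cgalim.com/admin/hr/hr.doc
175[.]45[.]178[.]133
111[.]90[.]149[.]99/o2
94[.]140[.]116[.]124/o2
94[.]140[.]116[.]231/o2
"""

IocSets = Tuple[Set[str], Set[str], Set[str]]  # (host names, host+path URLs, bare IP addresses)


def refang(ioc: str) -> str:
    """Turn hxxp:// and [.] notation back into a usable indicator."""
    s = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".")


def parse_iocs(text: str) -> IocSets:
    """Split a defanged indicator list into the three lookup sets."""
    hosts, urls, ips = set(), set(), set()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ioc = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(ioc)))
            continue  # a bare IP address, nothing more to derive
        except ValueError:
            pass
        if "://" not in ioc:
            ioc = "http://" + ioc  # scheme-less indicator; urlsplit needs a scheme to find the host
        parts = urlsplit(ioc)
        host = (parts.hostname or "").lower()
        hosts.add(host)
        urls.add(host + parts.path)
    return hosts, urls, ips


def match_log(lines: List[str], iocs: IocSets) -> List[Tuple[str, str, str]]:
    """Assumed proxy log format: '<timestamp> <client-ip> <method> <url-or-host:port> <status>'."""
    hosts, urls, ips = iocs
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        if "://" in url:
            parts = urlsplit(url)
            host, path = (parts.hostname or "").lower(), parts.path
        else:  # CONNECT requests log host:port only
            host, path = url.split(":")[0].lower(), ""
        if host + path in urls:
            hits.append((client, "url", host + path))   # exact URL from the list: strongest signal
        elif host in hosts or host in ips:
            hits.append((client, "host", host))         # same host, other path: weaker, still worth triage
    return hits


# Constructed proxy log lines (private client addresses); not real telemetry
SAMPLE_PROXY_LOG = [
    "2018-10-19T10:01:00Z 10.0.0.12 GET http://www.kumdo.org/admin/noti/files/iindex.php 200",
    "2018-10-19T10:01:05Z 10.0.0.12 GET http://endlesspaws.com/vog/other.html 200",
    "2018-10-19T10:02:00Z 10.0.0.31 GET http://111.90.149.99/o2 200",
    "2018-10-19T10:02:10Z 10.0.0.31 CONNECT 175.45.178.133:443 200",
    "2018-10-19T10:03:00Z 10.0.0.40 GET http://example.com/index.html 200",
]


def find_hits() -> List[Tuple[str, str, str]]:
    return match_log(SAMPLE_PROXY_LOG, parse_iocs(DEFANGED_IOCS))


if __name__ == "__main__":
    for client, kind, value in find_hits():
        print(f"{client:12} {kind:5} {value}")
```

Several of the Reaper/APT37 hosts are legitimate Korean sites that were compromised to serve the payload, so a "host" hit on them needs a look at the path before it is treated as a confirmed contact; the "url" hits on the exact listed paths are the ones to escalate first.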

Source: https://fortiguard.com/resources/threat-brief/2018/10/19/fortiguard-threat-intelligence-brief-october-19-2018

 


Contact


ReFoMa, s.r.o.
Dolné Rudiny 1
010 01 Žilina, Slovakia

+421 41/202 88 80 – front office
+421 41/202 88 80 – sales department
Company No.: 43892345
TAX No.: 2022541378
VAT No.: SK2022541378
Bank account (IBAN):
SK13 1100 0000 0026 2582 3735