phishing tactics

AppWizard
March 25, 2025
The National Security Agency (NSA) issued an operational security bulletin in February 2025, warning employees about vulnerabilities in the encrypted messaging application Signal. This alert followed an incident where Defense Secretary Pete Hegseth accidentally shared sensitive war plans in a Signal chat shortly before U.S. military operations in Yemen. The bulletin labeled Signal as a high-value target for interception and highlighted the sophistication of Russian hacking groups using phishing tactics to breach encrypted conversations. NSA personnel were instructed not to share sensitive information via third-party messaging applications and to avoid connections with unknown individuals. National Intelligence Director Tulsi Gabbard and CIA Director John Ratcliffe testified before a Senate panel, affirming that no classified information was exchanged in the chat, but the NSA emphasized that even unclassified information should not be shared on Signal. Ratcliffe defended Signal as an approved communication tool, while both officials denied knowledge of operational details related to the military strike.
Winsage
November 12, 2024
A new phishing campaign is using an Excel file to distribute a fileless version of the Remcos Remote Access Trojan (RAT). Researchers from Fortinet found that attackers are sending purchase order emails with an Excel attachment that exploits a remote code execution vulnerability in Office (CVE-2017-0199). Activating the file downloads an HTML Application (HTA) file from a remote server, which is launched via mshta.exe. Remcos can log keystrokes, capture screenshots, and execute commands on compromised systems. This variant operates without leaving traditional file traces, making detection more difficult. Email phishing is a common method for cybercriminals to infect devices and steal sensitive information. Users are advised to be cautious with emails and attachments.
Winsage
September 23, 2024
A wave of cyberattacks has emerged, utilizing phishing emails that contain HTML attachments or malicious links. When recipients interact with these emails, a Java-based Remote Access Trojan (RAT) is deployed, allowing attackers to manage the victim's file system, monitor and control processes, remotely access the desktop, transfer files, capture keystrokes, take screenshots, and activate the webcam without the user's knowledge.
AppWizard
September 7, 2024
Researchers from McAfee have identified 280 counterfeit Android apps designed to infiltrate cryptocurrency wallets. These malicious apps exploit vulnerabilities by scanning devices for images containing mnemonic phrases used for account recovery. They masquerade as legitimate services and use phishing tactics to trick users into downloading them. Once installed, the apps can access sensitive information, including:
- Contacts: Extracting the entire contact list.
- SMS Messages: Capturing all incoming SMS messages, including two-factor authentication codes.
- Photos: Uploading stored images to attackers' servers.
- Device Information: Collecting details about the device, such as operating system version and phone numbers.
McAfee emphasizes the importance of vigilance and recommends that users exercise caution when installing applications and granting permissions. They also highlight the necessity of security software to protect personal devices from such threats.