phishing tactics Archives

Tech Optimizer

December 16, 2024

Novel phishing campaign uses corrupted Word documents to evade security

A recent phishing campaign exploits Microsoft’s Word file recovery feature by sending corrupted Word documents as email attachments, which can bypass conventional security measures. Identified by the malware hunting firm Any.Run, these documents appear to be legitimate communications from payroll and human resources, featuring themes related to employee benefits and bonuses. The filenames of the attachments include variations such as "AnnualBenefits&Bonusfor[name]IyNURVhUTlVNUkFORE9NNDUjIw.docx" and "Due&Paymentfor[name]IyNURVhUTlVNUkFORE9NNDUjIw_.docx.bin." Each document contains a base64 encoded string that decodes to "##TEXTNUMRANDOM45##." When opened, Microsoft Word prompts the user about unreadable content and offers recovery options. Upon recovery, users are instructed to scan a QR code, which leads to a phishing site mimicking a Microsoft login page to harvest credentials. These documents often feature company logos to enhance credibility and have been successful due to their ability to evade detection by security solutions, with many returning "clean" results on VirusTotal. Users are advised to exercise caution with unknown emails and verify attachments' legitimacy.

Tech Optimizer

December 4, 2024

How hackers are using corrupted Microsoft Office files to fool everyone

Corrupted Microsoft Office documents and ZIP files are being used in a phishing campaign that evades antivirus detection, as reported by cybersecurity firm ANY.RUN. This tactic, active since at least August 2024, involves corrupting files to bypass email security protocols while allowing harmful content recovery. The documents are designed to avoid detection by email filters and antivirus software, using QR codes to direct users to fake Microsoft account login pages. Analysis shows these attachments often do not trigger alerts on VirusTotal, as they exploit Microsoft Word and WinRAR's recovery features. This method is categorized as a potential zero-day exploit, aiming to deceive users into opening the files and activating the QR codes for credential harvesting or malware delivery. Security experts stress the importance of user awareness and training to identify phishing attempts, while organizations are enhancing email filtering to detect file corruption patterns. The rise of QR code phishing, or "quishing," adds complexity, as many users are unaware of the risks of scanning codes.

Winsage

November 12, 2024

Watch out, that Excel document could be infected with dangerous malware

A new phishing campaign is using an Excel file to distribute a fileless version of the Remcos Remote Access Trojan (RAT). Researchers from Fortinet found that attackers are sending purchase order emails with an Excel attachment that exploits a remote code execution vulnerability in Office (CVE-2017-0199). Activating the file downloads an HTML Application (HTA) file from a remote server, which is launched via mshta.exe.malware. Remcos can log keystrokes, capture screenshots, and execute commands on compromised systems. This variant operates without leaving traditional file traces, making detection more difficult. Email phishing is a common method for cybercriminals to infect devices and steal sensitive information. Users are advised to be cautious with emails and attachments.

Winsage

September 23, 2024

Lumma Stealer deployed via fraudulent CAPTCHA pages

A wave of cyberattacks has emerged, utilizing phishing emails that contain HTML attachments or malicious links. When recipients interact with these emails, a Java-based Remote Access Trojan (RAT) is deployed, allowing attackers to manage the victim's file system, monitor and control processes, remotely access the desktop, transfer files, capture keystrokes, take screenshots, and activate the webcam without the user's knowledge.

AppWizard

September 7, 2024

280 fake Android apps used to steal crypto wallets have been unearthed

Researchers from McAfee have identified 280 counterfeit Android apps designed to infiltrate cryptocurrency wallets. These malicious apps exploit vulnerabilities by scanning devices for images containing mnemonic phrases used for account recovery. They masquerade as legitimate services and use phishing tactics to trick users into downloading them. Once installed, the apps can access sensitive information, including: - Contacts: Extracting the entire contact list. - SMS Messages: Capturing all incoming SMS messages, including two-factor authentication codes. - Photos: Uploading stored images to attackers' servers. - Device Information: Collecting details about the device, such as operating system version and phone numbers. McAfee emphasizes the importance of vigilance and recommends that users exercise caution when installing applications and granting permissions. They also highlight the necessity of security software to protect personal devices from such threats.