According to research by cybersecurity firm PIXM, there is a huge phishing campaign that peaked in April and May of this year (2022) and is still ongoing.

This campaign abused Facebook and Facebook Messenger to lure millions of users to phishing sites and trick them into entering their account credentials.

Worse, hackers used the stolen credentials to send additional phishing messages to friends of affected users, luring them into the scam and continuing the chain.

These tactics have allowed the attackers to make millions of dollars.

Worse still, PIXM's research has shown that this campaign has been ongoing for a while. Although the group discovered it only recently, the evidence they have uncovered indicates that the campaign has been running since at least September 2021.

While the group is still conducting research, they have found over four hundred Facebook accounts that are tied to the campaign. These accounts contain hooks for phishing pages. Some of these poisoned profile pages have been viewed only a few thousand times. Others have millions of views. Each view is another potential victim.

According to the information the group was able to gather, they estimated that 2.7 million people had visited one of these phishing sites by 2021. Today, over 8.5 million people have been lured to the phishing pages, and there is no end in sight.

Although this is only a small fraction of all the Facebook users, it's still a huge campaign. Be vigilant if you are a regular Facebook user. You can be lured in by groups that want to steal your data. Do not let this happen to your family, friends, and coworkers.

New Malware uses Word Documents to get on your system

Researchers at HP discovered a new malware loader, which they have named SVCReady. Although new malware strains are quite common, SVCReady is different for two reasons.

This malware spreads via phishing emails, as with many other malicious programs. This new strain is different in that it is loaded onto the target computer via specially crafted Word documents attached to an email.

These Word documents use VBA macro code to execute shellcode stored in the document's properties. This is both novel and dangerous.
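A defender can triage attachments for the pattern described above: a macro project shipped together with an unusually large document property. The sketch below is an added example, not code from HP or from the original article. It assumes an OOXML (.docx/.docm) container, since legacy OLE2 .doc files need a different parser, and the function names, the 512-character threshold and the sample documents are constructed for illustration.

```python
import io
import re
import zipfile

PROP_PARTS = ("docProps/core.xml", "docProps/app.xml", "docProps/custom.xml")
MAX_PROP_LEN = 512        # assumed threshold: genuine titles, authors, comments are short
MAX_PART_SIZE = 1 << 20   # do not inflate oversized property parts (zip-bomb guard)
# Element name plus its text content; a regex avoids parsing untrusted XML.
ELEMENT = re.compile(rb"<([\w:.-]+)[^<>]*>([^<>]+)</")

def scan_ooxml(data):
    """Report macro presence and oversized property values for one document."""
    result = {"has_macros": False, "long_props": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith("vbaproject.bin"):
                result["has_macros"] = True
            if info.filename not in PROP_PARTS:
                continue
            if info.file_size > MAX_PART_SIZE:
                # An oversized property part is itself worth flagging.
                result["long_props"].append((info.filename, "(whole part)", info.file_size, False))
                continue
            for tag, value in ELEMENT.findall(zf.read(info)):
                value = value.strip()
                if len(value) >= MAX_PROP_LEN:
                    is_hex = re.fullmatch(rb"[0-9A-Fa-f\s]+", value) is not None
                    result["long_props"].append((info.filename, tag.decode(), len(value), is_hex))
    # Alert only when both halves of the pattern are present.
    result["alert"] = result["has_macros"] and bool(result["long_props"])
    return result

def build_sample(prop_value, with_macros):
    """Constructed sample: a minimal OOXML-like zip, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        xml = "<cp:coreProperties><dc:title>%s</dc:title></cp:coreProperties>" % prop_value
        zf.writestr("docProps/core.xml", xml)
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"placeholder")
    return buf.getvalue()

BENIGN = build_sample("Quarterly report", False)
SUSPECT = build_sample("41" * 1000, True)  # harmless hex filler, constructed

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, scan_ooxml(doc))
```

A hit is a reason to quarantine the attachment and inspect it further, not a verdict: some legitimate templates carry long custom properties.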

Researchers at HP found evidence that traces the malicious code back to April 2022. The developers released several updates in May, one month later. This is a sign that the developers are committed to continuing development of their new toy.

SVCReady currently boasts these capabilities:

  • Save a file to the infected client
  • Take a photo
  • Run a shell command
  • Check whether it is running in a virtual machine
  • Collect system information (a short and a normal version)
  • Check the USB status (i.e. the number of devices that are plugged in)
  • Establish persistence through a scheduled task
  • Run a file
  • Run a file in memory using RunPeNative

In addition to these capabilities, SVCReady is able to fetch additional payloads from the command and control server. The capabilities in the bullet points are dangerous enough, but this one makes the new strain even more dangerous, because it allows hackers to customize the level of destruction that each target will suffer.

Worse, this new strain also contains code that leads HP researchers to believe that threat actor TA551 is behind it. This group is large and well-organized, with connections to many other hacking groups and ransomware affiliates. This suggests that SVCReady could soon be more widely accessible than it is currently.

Keeping track of all the ways your data can be compromised is an impossible task. Integrated Technology Systems partners with your staff to ensure you are safe.

Integrated Technology Systems
6 East 45th Street, Suite 400
New York, NY 10017