Need the latest ins and outs of the cybersecurity landscape? Stay a step ahead of cybercriminals with this week’s cybersecurity news roundup.
From Microsoft taking down a syndicate behind 750 million fraudulent accounts to a new BazarCall phishing campaign, a critical WordPress plugin bug, and an unfixed Android weakness that threatens your login credentials, we share the details so you can stay informed and take the necessary phishing protection measures to keep your devices safe. Let’s get started.
Microsoft Takes Down Cybercrime Syndicate Responsible for 750 Million Fraudulent Accounts
The Digital Crimes Unit at Microsoft took down multiple domains that were used by Storm-1152.
The Vietnam-based threat actor group had registered over 750 million accounts and made millions of dollars by selling them to other cybercriminals for malicious use. The group is the number one seller of fraudulent Outlook accounts and also sells automated CAPTCHA-solving services.
Since 2021, the threat actors have been obtaining millions of MS Outlook email accounts under fake names and selling them to malicious actors. Many of these accounts were used by Storm-0252, Storm-0455, and Octo Tempest in mass phishing campaigns, data theft, and the distribution of ransomware and other malware. Microsoft seized Storm-1152’s infrastructure on 7 December 2023 after obtaining a court order from a New York court.
Microsoft’s complaint also shows how the threat actors developed code for many malicious websites and published video guides on using these accounts for fraudulent services.
BazarCall Exploits Google Forms in Phishing Emails
A new wave of BazarCall attacks that uses Google Forms came to light this week.
The attacks generate and send payment receipts to victims to make the phishing campaign appear genuine. BazarCall was first documented in 2021, when the threat actors lured victims with an email containing a payment or subscription notification that asked them to cancel an expensive subscription or fee. The emails contained links to phishing websites impersonating real ones, and the page urged victims to cancel the charges over a phone call, which was answered by a threat actor who then tricked them into installing malware on their systems.
This time, Abnormal reported a new variant of the BazarCall attack that uses Google Forms. The threat actors create a fake Google Form with fabricated transaction details, including payment methods, invoices, and similar information. They send the form to the victim’s email address and wait for the victim to respond before carrying out the attack.
Google Forms is a legitimate service, so its emails are not blocked or flagged by email security filters. If you receive an email like this, stay on your guard and rely on proper malware protection solutions, as it could be a phishing attempt.
Critical Bug in Backup Plugin Exposes 50,000 WordPress Sites to RCE Attacks
A critical-severity vulnerability was found in a WordPress plugin with over 90,000 installs.
The vulnerability was found in Backup Migration, a plugin that automates site backups to local storage or Google Drive. Threat actors can abuse it to gain RCE (Remote Code Execution) on the hosting system. Tracked as CVE-2023-6553, the bug has a severity score of 9.8 and was discovered by the Nex Team. It affects all versions of the plugin up to and including Backup Migration 1.3.6 and allows threat actors to take over websites via RCE.
The flaw allows PHP code injection through the /includes/backup-heart.php file. On line 118, that file includes bypasser.php from the BMI_INCLUDES directory, a path built by joining BMI_ROOT_DIR with the string includes. BMI_ROOT_DIR, however, is set on line 62 from the content-dir HTTP header, so its value is under the control of whoever sends the request. A patch was released promptly in Backup Migration 1.3.8.
Nearly 50,000 WordPress websites are still running an older, vulnerable version of the plugin. If you’re one of them, update to the latest version.
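The class of bug described above, as an added, simplified PHP sketch rather than the plugin’s own code: an include root taken from a request header beside a hardened form that fixes the root to the plugin’s own directory and checks that the resolved file stays inside it. The function and variable names are assumptions for illustration.

```php
<?php
// Added illustrative example, not code from the Backup Migration plugin.
// Names (bmi_root_from_header, bmi_safe_include, $plugin_root) are assumed.

// Anti-pattern from the write-up: the include root is read from a request
// header, so the client decides where the later include() reads from.
function bmi_root_from_header(): string {
    // A "content-dir" request header is exposed by PHP as HTTP_CONTENT_DIR.
    return $_SERVER['HTTP_CONTENT_DIR'] ?? __DIR__;
}

// Hardened form: the root is the plugin's own directory, the relative path is
// canonicalised, and the result must sit under that root before inclusion.
function bmi_safe_include(string $relative, string $plugin_root): bool {
    $base = realpath($plugin_root);
    // realpath() returns false for anything that is not an existing
    // filesystem path (missing files, stream wrappers), which fails the check.
    $target = ($base === false) ? false : realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($base === false || $target === false) {
        return false;
    }
    // Compare with a trailing separator so "/plugin-x" is not accepted as under "/plugin".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    // Only regular .php files are acceptable include targets.
    if (!is_file($target) || substr($target, -4) !== '.php') {
        return false;
    }
    require_once $target;
    return true;
}

// Usage: the root comes from the code's own location, never from the request.
$plugin_root = __DIR__;
if (!bmi_safe_include('includes' . DIRECTORY_SEPARATOR . 'bypasser.php', $plugin_root)) {
    http_response_code(500);
    exit('backup helper unavailable');
}
```

A fixed allowlist of includable file names is stricter still and is the form to prefer when the set of helpers is known in advance.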
AutoSpill Attack Pilfers Credentials from Android Password Managers
Security researchers have developed a new attack called AutoSpill that can steal account login credentials on Android devices during autofill.
Researchers from IIIT Hyderabad (International Institute of Information Technology) presented their test results at the Black Hat Europe security conference. They showed that most Android password managers are vulnerable to AutoSpill even without JavaScript injection. Android applications use WebView controls to display web content, and password managers commonly autofill credentials into them; weaknesses in how this autofill is handled can be exploited to capture the auto-filled credentials. The root cause is that Android neither enforces nor defines who is responsible for the secure handling of autofill data.
The researchers disclosed findings from multiple tests carried out on different Android versions and devices and shared proposals for addressing the weakness. No fix plans have been announced yet, so the devices remain vulnerable.