Fake donation request for OMS

The now-traditional SCAM (extortion) campaign, active for years, has constantly adapted to circumstances in order to maximise its chance of success.

These emails typically carry threats of various kinds that will supposedly be carried out unless we agree to immediately pay a sum of money in some cryptocurrency (generally Bitcoin).

Sometimes they threaten to make our data public; other times they claim we have been caught visiting illegal websites, and so on. In some cases the threats go well beyond that, such as when they claim to have planted a bomb in our office or that they will implicate us in false accusations of paedophilia.

The current global situation caused by the Covid-19 coronavirus is being massively exploited by cybercriminals. To the tens of thousands of Covid-19-related domains we already hold on our blacklist, a curious new form of SCAM is now added: it is disguised as a request for an economic donation to the WHO, supposedly to further scientific research on the virus.

In the accompanying image a real sample can be seen, in which donations are requested to the crypto wallet 16gmYrbqMr4SZeA7SqNVmirhnhDG3maYPK, which has already been reported as fraudulent.

Some police forces pursue this type of fraud and extortion, keeping special watch on the activity of cryptocurrency wallets, which become traceable when funds are converted to real currency, when goods purchased with them are delivered, and so on.

Cybercriminals, well aware of this fact, use it when they want to harm a third party: they find out the victim's cryptocurrency wallet, which is most likely perfectly legal and clean, and include it as the payment destination in a new SCAM mailing.

In this way, all suspicion falls on the victim, and their wallet, which will be reported as fraudulent, will have serious problems from that moment on with all kinds of transactions, to the point of becoming almost unusable in many places.

We are detecting cases of this type in SCAM + Coronavirus campaigns. Iberlayer Email Guardian does not report cryptocurrency wallets, but it does block emails containing wallets that have been reported.

Phishing: Telecommuting + Coronavirus

For reasons of force majeure, known to all, a huge number of companies have been forced to urgently implement teleworking for their employees.

In many cases this urgency arrived so suddenly that companies had to set it up without adequate security measures and without being able to give employees even minimal training in this regard.

Cybercriminals, well aware of this, are taking advantage of it: we are detecting emails that impersonate companies' technical departments, help desks (CAUs), etc., and request data from users under the pretext of keeping the teleworking service operational.

These emails usually use the generic term "Technical Service" in the subject and/or the signature, their text contains no errors, and the "from:" field shows the company's own domain, so they are difficult for an end user to detect.

Given the circumstances, the probability that the user hands over the data is very high, which makes this campaign especially dangerous.

Recommended actions:

  • Iberlayer marks the email subject with a special text when an external email is detected that uses an internal domain in the "from:" field. It is important to remind users of this mark, because it exists precisely to prevent scams like this one.
  • As far as possible, warn users about this threat.
  • As far as possible, remind users of the contact mechanism for the IT/CAU department, etc., and that it will never ask for their personal data, access credentials, etc.
  • It is highly likely that these emails will be followed by a phone call to the user, again posing as the Technical Service. We suggest that whenever some kind of data has to be provided, it is the user who initiates the call or sends the first email.
 
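The first recommended action above (tagging the subject of mail that arrives from outside but uses an internal domain in "from:") can be illustrated with the following added example; it is not Iberlayer's code, and the internal domain list, the tag text and the sample message are constructed assumptions. It goes slightly beyond the text by also catching an internal address placed in the display name.

```python
# Added example (not Iberlayer's code): mark inbound mail that claims an internal
# domain in "From:" but reached the gateway from outside the organisation.
# The domain list, the tag text and the sample message are constructed assumptions.
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example-corp.test"}        # assumption: the protected domains
TAG = "[EXTERNAL SENDER USING INTERNAL DOMAIN]"  # assumption: subject marker text

def claims_internal_domain(from_header):
    """True if the address domain, or an address shown in the display name,
    belongs to one of our own domains."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in INTERNAL_DOMAINS:
        return True
    # the display name is free text: "it@example-corp.test" <x@mail.test>
    return any("@" + d in name.lower() for d in INTERNAL_DOMAINS)

def tag_subject(raw_message, arrived_from_outside):
    """Return (flagged, subject). arrived_from_outside is the gateway's own
    knowledge that the SMTP connection came from the internet rather than from
    an internal relay; only the combination of both conditions is flagged."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    if arrived_from_outside and claims_internal_domain(msg.get("From", "")):
        if not subject.startswith(TAG):
            subject = f"{TAG} {subject}"
        return True, subject
    return False, subject

# constructed sample resembling the campaign described above
SAMPLE = (
    "From: Technical Service <soporte@example-corp.test>\r\n"
    "To: employee@example-corp.test\r\n"
    "Subject: Teleworking access: confirm your credentials\r\n"
    "\r\n"
    "Please confirm your access data to keep the teleworking service active.\r\n"
)

if __name__ == "__main__":
    print(tag_subject(SAMPLE, arrived_from_outside=True))
```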

Emotet auto-adaptation

The Emotet campaign, reactivated after the Christmas break, has stopped sending generic messages to get its victims to "bite" and has moved on to tailoring the messages to the "work jargon" of each victim, which implies prior analysis of the target companies.

Thus, for example, we are detecting the following:

Mailings addressed to insurance companies carry subjects such as:

  • Appraisal of...
  • Policy of...
  • Claim of...
  • Vehicle photo...

Mailings to hospitals and health-related companies carry subjects such as:

  • Nursing report...
  • Health of...

Mailings addressed to large construction companies carry subjects such as:

  • Budget of...
  • Garden of...

It is evident that this technique will deceive a greater number of users.

These emails contain either a malicious attachment or a malicious URL that often alternate for weeks: one week they used attachments, the next they used URLs, and so on.

In recent times the rotation period has shortened: they tend to send attachments until noon and URLs from then until the end of the working day, when mailings practically cease.

Alert Ransomware Malware

In the last few hours Iberlayer has been detecting a new, very aggressive campaign of mass mailings claiming to come from the Argentine Ministry of Security.

These emails include malicious files in OLE format (mainly under the name note_management_adm.doc) and links to infected servers. Both attack vectors lead to a ransomware-type virus.

Our Email Guardian service has detected the campaign from its very beginning thanks to our AMBAR technology, based on generation-algorithm detection. 90% of the mailings come from domains with well-configured SPF (in hard-fail mode), and in many cases they even include valid DKIM signatures, which suggests massive, automated use of hijacked accounts, probably obtained through an earlier phishing attack against those domains.
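The reasoning above (SPF pass from a hard-fail domain, plus valid DKIM, on malicious mail points to hijacked accounts rather than spoofing) can be turned into a triage step over the Authentication-Results of each message. The following is an added example, not Iberlayer's AMBAR code; the SPF records stand in for DNS lookups and the campaign messages are constructed.

```python
# Added example (not Iberlayer's code): classify a malicious campaign by its
# Authentication-Results. SPF pass for a domain whose record ends in "-all",
# above all with a valid DKIM signature, means the mail really left an authorised
# server, which on malicious mail points to a hijacked account rather than spoofing.
# SPF_RECORDS and CAMPAIGN are constructed assumptions standing in for DNS and logs.
import re
from collections import Counter

SPF_RECORDS = {
    "hijacked-a.test": "v=spf1 mx -all",
    "hijacked-b.test": "v=spf1 ip4:198.51.100.0/24 -all",
    "lax.test": "v=spf1 a ~all",
}
AUTH_RE = re.compile(r"\b(spf|dkim)=(pass|fail|softfail|neutral|none|temperror|permerror)", re.I)

def auth_verdicts(auth_results):
    """Map {'spf': 'pass', 'dkim': 'pass', ...} from an Authentication-Results value."""
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(auth_results)}

def spf_hard_fail(domain):
    """True when the domain's SPF record is strict (hard fail, '-all')."""
    rec = SPF_RECORDS.get(domain.lower(), "")
    return rec.startswith("v=spf1") and rec.split()[-1] == "-all"

def classify(sender_domain, auth_results):
    v = auth_verdicts(auth_results)
    if v.get("spf") == "pass" and spf_hard_fail(sender_domain):
        return "hijacked-account+dkim" if v.get("dkim") == "pass" else "hijacked-account"
    if v.get("spf") in ("fail", "softfail"):
        return "spoofed"
    return "unclassified"

def campaign_summary(messages):
    """Percentage of messages per class; messages = [(sender_domain, auth_results)]."""
    counts = Counter(classify(d, a) for d, a in messages)
    total = sum(counts.values())
    return {k: round(100 * n / total) for k, n in counts.items()}

# constructed sample of one campaign's messages (sender domain, Authentication-Results)
CAMPAIGN = [
    ("hijacked-a.test", "mx; spf=pass smtp.mailfrom=hijacked-a.test; dkim=pass header.d=hijacked-a.test"),
    ("hijacked-a.test", "mx; spf=pass smtp.mailfrom=hijacked-a.test; dkim=pass header.d=hijacked-a.test"),
    ("hijacked-b.test", "mx; spf=pass smtp.mailfrom=hijacked-b.test; dkim=pass header.d=hijacked-b.test"),
    ("hijacked-b.test", "mx; spf=pass smtp.mailfrom=hijacked-b.test; dkim=none"),
    ("lax.test", "mx; spf=softfail smtp.mailfrom=lax.test; dkim=none"),
]

if __name__ == "__main__":
    print(campaign_summary(CAMPAIGN))
```

A high share of hijacked-account classes is the signal to notify the owning domains rather than only to blocklist the sending IPs.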