• Gone Phishing
  • Posts
  • Big spamming op sees 8,000+ domains of trusted brands spoofed

Big spamming op sees 8,000+ domains of trusted brands spoofed

Author

Cyber Dawg
February 27, 2024

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that’s like an educational #cybertruck to protect you from cybercrime πŸ›‘οΈ

Today’s hottest cybersecurity news stories:

  • ⚠️ Big spamming op sees 8,000+ domains of trusted brands spoofed 🎭

  • πŸ‘¨β€πŸ’» IDAT loader uses steganogrophy to deploy Remcos RAT. Watch out! πŸ‘€

  • πŸš€ Rocket man strikes again! N. Korean hackers target devs w/ packages πŸ“¦

Domain thing to remember is… πŸ‘€πŸ™ˆπŸ˜¬

πŸ“§πŸ” SubdoMailing Saga Unveiled! πŸŒπŸ”“

In a shocking revelation, Guardio Labs has uncovered a massive spam operation dubbed SubdoMailing, orchestrated by a threat actor ominously known as ResurrecAds! πŸ˜±πŸ’»

This sophisticated scheme involves hijacking over 8,000 domains and 13,000 subdomains belonging to reputable brands like eBay, McAfee, and UNICEF. πŸ›‘οΈπŸ”

But wait, there's more! ResurrecAds isn't playing by the rules. They've crafted a devious distribution architecture, slipping past security measures with ease and dodging text-based spam filters like a pro! πŸ•΅οΈβ€β™‚οΈπŸ”’

And it gets even trickier - these malicious emails are cleverly disguised as images, bypassing standard security blocks and luring unsuspecting victims into a maze of redirects, leading to malicious content tailored for maximum profit! πŸ’ΈπŸ”—

But fear not! Guardio isn't backing down. With their SubdoMailing Checker, domain administrators and site owners can now detect signs of compromise and safeguard against this nefarious campaign. πŸ›‘οΈπŸ”

The battle against cyber threats rages on, but with vigilance and determination, we'll keep our digital world safe from harm! πŸ’ͺ🌐

Learn AI in 5 minutes a day. We'll teach you how to save time and earn more with AI. Join 400,000+ free daily readers for trending tools, productivity boosting prompts, the latest news, and more.

Who dat? IDAT πŸ’€

πŸ›‘οΈ Ukrainian Entities in Finland Targeted by Malicious Campaign! 🎯

Threat actors identified as UAC-0184, tracked by CERT-UA, unleash a devious assault using the IDAT Loader to spread the Remcos RAT. πŸŽ―πŸ’»

Morphisec researcher Michael Dereviashkin sheds light on the attack's sophisticated use of steganography, a well-known but formidable technique for defence evasion. πŸ”πŸ•΅οΈβ€β™‚οΈ

The IDAT Loader, often associated with the Hijack Loader family, serves as a conduit for various payloads, including DanaBot and RedLine Stealer. πŸ“¦πŸ’Ό

This onslaught aligns with a phishing campaign unveiled by CERT-UA, employing war-themed lures to initiate an infection chain leading to Remcos RAT deployment via embedded steganographic PNG files. πŸ“§πŸ”’

πŸ’‘ FYI: Steganography is the technique of hiding data within an ordinary, nonsecret file or message to avoid detection; the hidden data is then extracted at its destination. πŸ’‘

Meanwhile, defence forces face another threat as UAC-0149 leverages the Signal app to distribute booby-trapped Excel documents, facilitating the execution of COOKBOX, a PowerShell-based malware. πŸ“‰πŸ”₯

Adding to the turmoil, PikaBot malware reemerges with a revamped variant boasting new unpacking methods and heightened obfuscation, signalling active development efforts. πŸ”„πŸ”“

As cyber adversaries evolve their tactics, vigilance and robust defences remain paramount in safeguarding against malicious incursions. πŸ’ͺπŸ›‘οΈ

🎣 Catch of the Day!! 🌊🐟🦞

πŸƒ The Motley Fool: β€œFool me once, shame on β€” shame on you. Fool me β€” you can't get fooled again.” Good ol’ George Dubya πŸ˜‚ Let us tell who’s not fooling around though; that’s the CrΓΌe πŸ‘€ at Motley Fool. You’d be a fool (alright, enough already! πŸ™ˆ) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! πŸ› Kidding aside, if you check out their website they’ve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets πŸ€‘ (LINK)

🚡 Wander: Find your happy place. Cue Happy Gilmore flashback πŸŒοΈβ›³πŸŒˆπŸ•ŠοΈ Mmmm Happy Place… πŸ˜‡ So, we’ve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breath-taking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the free and the home of the brave is news of rioting, looting and school shootings, it’s easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels sets Wander apart from your run of the mill American getaway 🏞️😍 (LINK)

🌊 Digital Ocean: If you build it they will come. Nope, we’re not talking about a baseball field for ghosts βšΎπŸ‘»πŸΏ (Great movie, to be fair πŸ™ˆ). This is the Digital Ocean who’ve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website you’ll find yourself catching the buzz even if you can’t code (guilty πŸ˜‘). But if you can and you’re looking for somewhere to test things out or launch something new or simply enhance what you’ve got, we’d recommend checking out their services fo’ sho πŸ˜‰ And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! 🌿 (LINK)

Time to rethink a Korea in dev? πŸ™ƒ

πŸ” North Korean Actors Tied to Malicious npm Packages! πŸ“¦

Phylum's latest findings unveil a sinister link between fake npm packages and North Korean state-sponsored threat actors. πŸ•΅οΈβ€β™‚οΈπŸ’Ό

Dubbed execution-time-async, data-time-utils, login-time-utils, mongodb-connection-utils, and mongodb-execution-utils, these packages pose as legitimate Node.js utilities, infiltrating developers' systems with malicious intent. βš οΈπŸ”’

In a clever ploy, the adversaries concealed nefarious code within a test file, triggering the installation of cryptocurrency and credential stealers upon execution. πŸ’°πŸ”‘

Further investigation revealed telltale signs pointing to a deleted GitHub profile, leading to a repository housing Python scripts utilised to fetch additional payloads and steal browser credentials. πŸπŸ•ΈοΈ

🌐 Connections to North Korean Actors Uncovered! πŸ”„

The discovery of similar JavaScript-based malware, including BeaverTail, suggests ties to known North Korean threat campaigns, like Contagious Interview. 🦠πŸ‘₯

Attempts to obfuscate identities through fake job postings and repository names underscore the adversaries' sophisticated tactics. πŸŽ­πŸ’Ό

As developers remain prime targets, heightened awareness and vigilance are essential to combating these insidious attacks. πŸ›‘οΈπŸ‘€

πŸ—žοΈ Extra, Extra! Read all about it!

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • The GeekAI: A daily 3 min newsletter on what matters in AI, with all the new AI things coming to market its good to stay ahead of the curve.

  • Wealthy Primate: Want to earn over $100k a year in IT or cybersecurity? 20 year veteran 'Wealthy Primate' might be able to help you climb that tree πŸ’πŸŒ΄ with his stick and banana approach 🍌😏

  • Techspresso: Receive a daily summary of the most important AI and Tech news, selected from 50+ media outlets (The Verge, Wired, Tech Crunch etc)

Let us know what you think!

So long and thanks for reading all the phish!

Give us a rating?

Login or Subscribe to participate in polls.