Friday Phish Fry

Phishing Email Alerts

Catch of the Day: Hotel Booking Phish
Chef’s Special: Job Scam Phish
Also serving:

Examples of clever phish that made it past my anti-spam nets and into my inbox. Some are contributed by clients or readers like you, and other reliable sources on the Internet.

You can send phishing samples to me at phish@wyzguys.com.

My intention is to provide a warning and show current examples of phishing scams, related articles, and education about how these scams and exploits work, and how to detect them in your inbox. If the pictures are too small or extend off the page, double clicking the image will display them in a photo viewer app.


“Mr. Anon” Infostealer Attacks Start with a Fake Hotel Booking Query Email

This new attack is pretty simple to spot on the front, but should it be successful in launching the attached malicious code, it’s going to take its victims for everything of value they have on their computer.

The new Mr. Anon infostealer captures much more than just browser caches and passwords. It also uses basic social engineering tactics that prove to be effective enough to make attacks successful.

It begins with a simple hotel booking email seemingly sent to the victim recipient by mistake, using a subject of “December Room Availability Query” and what appears to be a PDF booking attachment.

Once opened, the PDF pretends to need a Flash update, requiring the user to interact and launch the malicious attachment, which is a combination of a dotNET executable, embedded zip files, PowerShell scripts, and a downloaded payload – a python script.

This attack has a few interesting aspects to it. First is the social engineering tactics used. There’s the email premise of the room request, but then there’s also a step when the python script is run; the attackers purposely post a window with the title of “File Not Supported” with a status message indicating “Not Run: python[dot]exe.” to make the victim think the script never ran (helping to maintain a state of stealth).

There’s also all the obfuscation done to evade detection. The malicious code is, in essence, the python executable. This file is encoded with cx-freeze, requires being downloaded from code held within a zip file that is, in turn, embedded within the exe attachment – all to avoid detection. The use of PowerShell itself is another step in attempting to avoid detection, given it’s a part of the Windows OS.

Lastly, there’s the actual infostealer capabilities of this attack. The Mr. Anon infostealer captures more info than most of its predecessors:

  • Browser data
  • Desktop-based digital wallets
  • Password or connection-related browser extensions
  • Messages
  • VPN clients
  • Browser-based digital wallets
  • Data from within 26 different file types

Any data gathered is compressed into a single zip file and then uploaded to a public file-sharing website.
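As an added defensive illustration (not code from the original post or from KnowBe4’s write-up), the following Python hunts process-creation telemetry for the launch chain described above: a PDF reader spawning an unknown executable, which spawns PowerShell, which in turn runs a Python interpreter. The event shape, image names and the sample events are constructed assumptions, not real logs.

```python
"""Hunt Sysmon-like process-creation events for a document viewer whose
descendants include a script interpreter (the Mr. Anon launch pattern)."""

# Assumed image names; extend to the PDF readers used in your environment.
DOC_VIEWERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "python.exe", "pythonw.exe"}

# Constructed sample events: (pid, parent pid, image path).
SAMPLE_EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe"),
    (200, 100, r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe"),
    (300, 200, r"C:\Users\alice\AppData\Local\Temp\RoomAvailability.exe"),
    (400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (500, 400, r"C:\Users\alice\AppData\Local\Temp\python.exe"),
    (600, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),  # benign admin use
]


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Return the chain of image names from the root ancestor down to `pid`."""
    parent = {p: pp for p, pp, _ in events}
    image = {p: _basename(img) for p, _, img in events}
    chain, seen = [], set()
    while pid in image and pid not in seen:  # stop at the root or on a cycle
        seen.add(pid)
        chain.append(image[pid])
        pid = parent[pid]
    return list(reversed(chain))


def find_suspicious_chains(events):
    """Flag every interpreter whose ancestry passes through a document viewer."""
    hits = []
    for pid, _, img in events:
        if _basename(img) not in INTERPRETERS:
            continue
        chain = ancestry(events, pid)
        if any(a in DOC_VIEWERS for a in chain[:-1]):
            hits.append(chain)
    return hits


if __name__ == "__main__":
    for chain in find_suspicious_chains(SAMPLE_EVENTS):
        print(" -> ".join(chain))
```

The PowerShell started directly from Explorer (pid 600) is not flagged; only the two interpreters that descend from the PDF reader are.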

Because users habitually maintain passwords to cloud-based corporate resources within their browsers, it’s necessary to protect against this attack by educating users through new-school security awareness training on how to spot this attack and avoid engaging with included attachments or links.

Blog post with links:
https://blog.knowbe4.com/infostealer-attacks-start-hotel-booking-email


New Remote “Job” Scam Tells Victims They’ll Get Paid For Liking YouTube Videos

Researchers at Bitdefender warn that scammers are tricking victims with fake remote job opportunities. In this case, the scammers tell victims that they’ll get paid for liking YouTube videos.

Notably, the scammers send the victims a small amount of money (around six dollars) to gain their trust. After this, the victim is invited to a Telegram channel, where the scammer offers to give them much higher-paying tasks if they pay an entry fee of between $21 and $1,083.

Nicolae Postolachi, Manager at Bitdefender’s Cyber Threat Intelligence Lab, stated, “This is not the first time the scammers have tried to pitch this type of scam to consumers in search for extra income. What makes this campaign different from previous iterations is that victims actually get paid something, a highly successful tactic that earns their trust, and plays an important role in convincing the users to ‘invest’ in becoming VIP members that will help them earn even more easy money on simple tasks such as liking videos on YouTube.”

Bitdefender offers some tips to help users avoid falling for phony job postings:

  • “Research the job listing and company to ensure that it is legitimate.
  • “Never share your bank details or other personally identifiable information with strangers. Even if the scammers make a small payment to you and then you figure out it’s a scam, they now have your contact info, name and other details that can be used in future schemes in an attempt to defraud you.
  • “Never pay upfront to receive a job opportunity: a legitimate business will never ask you to pay your own money to receive a job. Anyone who asks you to is a scammer.
  • “Never trust job offers that sound too good to be true. A high-paying job for very little work or small expenses on your part is a huge red flag.
  • “Report and block the number. Do not engage in further communication with the individual.”

Blog post with links:
https://blog.knowbe4.com/new-remote-job-scam

About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com