December Cyber Briefs

This month's briefing from our colleagues at the Multi-State Information Sharing and Analysis Center includes news about criminals using the California wildfires in email scams, updates on malware in circulation, and a report of a drone vulnerability that could allow access to account information:

Cyber criminals use California wildfires as part of email scam

Cyber threat actors leveraged the November 2018 California wildfires to conduct Business Email Compromise (BEC) scams. In this campaign, threat actors impersonated Chief Executive Officers (CEOs), informing employees that clients had been affected by the wildfires and needed money. The donations were requested in the form of Google Play gift cards, and the criminals asked employees to reveal the gift card codes. The emails have generic grammatical issues that are common among BEC attacks.

Trickbot adds tool to steal passwords, browsing data

Trickbot added a tool that now allows cyber threat actors to steal passwords and browsing data in addition to banking credentials. The new variant uses malicious Microsoft Excel macros to execute a PowerShell script that installs the malicious payload onto the target system and registers it with the system's task scheduler so that it runs when the machine boots.

Emotet scrapes email body text, as well as header information

Emotet improved its email scraping capabilities to begin scraping email body text in addition to header information. The updated email module copies text from email messages dating back 180 days. According to researchers, Emotet also releases new binaries every two hours to evade anti-virus signature detection mechanisms. Ongoing campaigns are targeting users in the U.S., U.K., Turkey, and South Africa.

SophosLabs: Cybercriminals obfuscate operations through abuse of legitimate software

On November 14, 2018, SophosLabs released its 2019 Threat Report, evaluating changes in the 2018 cybersecurity threat landscape and expected impacts in 2019. The report highlights that cybercriminals are increasingly abusing legitimate software built into systems to conduct and obfuscate their operations and that their attacks are becoming more strategic instead of opportunistic. The report also noted an increased prevalence of malware on Internet of Things (IoT) and mobile devices.

Nearly half of phishing sites are HTTPS web sites

PhishLabs found that 49% of identified phishing sites in Q3 2018 were HTTPS websites. According to PhishLabs, the share of phishing sites using HTTPS was up from 25% in Q3 2017 and 35% in Q2 2018.

Check Point: Drone vulnerability could allow access to account information

Researchers at Check Point discovered a vulnerability in certain drones that could provide a cyber threat actor full access to the user's account, cloud-based flight records, credit card details, and the drone's camera and microphone. The vulnerability was patched on September 28, 2018.

Chrome blocks websites with abusive ads

Chrome 71 added a feature that blocks websites where users reported abusive ads. The new feature is turned on by default, and Chrome will automatically block the site if the ads are not fixed within 30 days.