Phishing – another side of the tale

De Consumentenbond, roughly the Dutch counterpart of Consumer Reports, released an interesting press release yesterday. Thanks to this organization's pressure, eBay will no longer use email to ask users for personal information that could identify them. (More information, in Dutch, can be found here.)

eBay had previously been asking some customers for personal details by email in order to confirm the customer's credit status: copies of identity cards or passports, recent bank statements and valid phone numbers. Such details are exactly the bait a phisher needs, and a legitimate company that asks for them by email teaches its customers to hand them over to anyone who asks the same way. I'm pleased to hear that eBay will be taking a different approach from now on.

This news also reminded me of some interesting cases I saw some time ago in The Netherlands.

Some big companies had been sending out emails that contained nothing a recipient could use to verify the sender. Although the 'From' address claimed the email came from company X, the message had not passed through company X's mail servers, and the URLs in the email pointed to third-party domains rather than to company X's own. So nothing observable in the email could be attributed to company X.

Pretty amazing if you ask me. Such practices are dangerous: they train customers to trust mail that carries no proof of origin. They also make life very difficult for security companies, because in every observable respect such emails are phishing emails, and an anti-phishing filter that flags them is, strictly speaking, correct. Antivirus and anti-spam products cannot separate a genuine company X mailing of this kind from a phishing message that imitates it.
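The indicators that such a mailing fails to provide can be checked mechanically. The script below is an added example, not code from the original post or from any company it mentions: it extracts the domains behind the From address, the Return-Path, the Received chain, the Message-ID and the links in the body, and reports which of them actually point back to the brand named in the From header. Both sample messages, and all names and domains in them, are constructed for illustration; the "last two labels" rule for the registrable domain is a simplification that real code would replace with the Public Suffix List.

```python
"""Report which observable properties of an e-mail tie it back to the sender it claims."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample 1: the pattern described above. The From header names "Company X",
# but the bounce address, the handing-over mail server, the Message-ID and the link all
# belong to third parties. Every name and domain here is hypothetical.
UNATTRIBUTABLE_MAIL = """\
Return-Path: <bounce-12345@mailer.example-esp.net>
Received: from mx3.mailer.example-esp.net (mx3.mailer.example-esp.net [192.0.2.10])
\tby mx.recipient.example (Postfix) with ESMTPS id 4A1B2C
Message-ID: <20210301120000.1234@mailer.example-esp.net>
From: "Company X" <noreply@company-x.example>
To: customer@recipient.example
Subject: Please confirm your account
Content-Type: text/plain; charset=utf-8

Dear customer,

Please confirm your details at http://company-x-promo.example-tracking.com/confirm?u=42
"""

# Constructed sample 2: the same mailing done properly, with every indicator on the
# brand's own registrable domain (also hypothetical).
ATTRIBUTABLE_MAIL = """\
Return-Path: <bounce-12345@bounces.company-x.example>
Received: from mx1.company-x.example (mx1.company-x.example [192.0.2.20])
\tby mx.recipient.example (Postfix) with ESMTPS id 4A1B2D
Message-ID: <20210301120000.1234@company-x.example>
From: "Company X" <noreply@company-x.example>
To: customer@recipient.example
Subject: Please confirm your account
Content-Type: text/plain; charset=utf-8

Dear customer,

Please confirm your details at https://www.company-x.example/account/confirm?u=42
"""


def registered_domain(host: str) -> str:
    """Reduce a hostname to its registrable part using the last two labels.
    Deliberate simplification: production code should consult the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def _domain_of_address(field: str) -> str:
    """Registrable domain of the address inside a From/Return-Path/Message-ID value."""
    _, address = parseaddr(field)
    return registered_domain(address.rpartition("@")[2]) if "@" in address else ""


def attribution_report(raw_email: str) -> dict:
    msg = message_from_string(raw_email, policy=policy.default)
    claimed = _domain_of_address(str(msg.get("From", "")))
    indicators = {
        "return_path": [_domain_of_address(str(msg.get("Return-Path", "")))],
        "message_id": [_domain_of_address(str(msg.get("Message-ID", "")))],
        "received": [],
        "links": [],
    }
    # Each Received header names the host that handed the message over.
    for hdr in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+([\w.-]+)", str(hdr))
        if m:
            indicators["received"].append(registered_domain(m.group(1)))
    # Hostnames of every http(s) link in the body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        indicators["links"].append(registered_domain(urlparse(url).hostname or ""))
    # An indicator is attributable when at least one of its domains is the claimed one.
    attributable = sorted(name for name, domains in indicators.items() if claimed in domains)
    foreign_links = sorted(set(indicators["links"]) - {claimed})
    return {
        "claimed": claimed,
        "indicators": indicators,
        "attributable": attributable,
        "foreign_links": foreign_links,
    }


if __name__ == "__main__":
    for label, raw in (("third-party mailing", UNATTRIBUTABLE_MAIL),
                       ("brand-hosted mailing", ATTRIBUTABLE_MAIL)):
        r = attribution_report(raw)
        print(f"{label}: claims {r['claimed']}, attributable via "
              f"{r['attributable'] or 'nothing'}, foreign links {r['foreign_links']}")
```

For the first sample the report lists nothing attributable and one foreign link domain, which is exactly the position a filter is in: with no indicator pointing back to the claimed sender, the message is indistinguishable from a phishing attempt. The second sample shows what a mailing needs to look like for the same check to pass.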

My hat goes off to De Consumentenbond for pushing eBay in the direction of improved security. And I think that in this day and age it wouldn’t be a bad idea to make better practice mandatory.
