Phishing extreme

Recent advances in browsers, as seen in Netscape 8 or IE7, have made it harder for phishers to succeed. In the malware world, every technological advance stimulates the development of new ways to evade detection, and we have come across some interesting e-mails which indicate the same is happening in the phishing world as well.

Our colleague Michael Molsner in Japan received an odd phishing e-mail. The text is the usual "help keep your identity safe" and it purports to come from PayPal. What's interesting is the URL of the spoofed site, which points to a page on www.aafe.cn – the "Academy of Armoured Force Engenering".

The Academy of Armoured Force Engenering

While the website itself appears to be legitimate, the page linked from the PayPal e-mail is not. It redirects the browser to a page on http://www.skycar.net.cn/ which loads an interesting piece of JavaScript.

This script runs maximized in the browser and presents the user with a window that looks like this:

As you can see, there is an Address field in the window which reads "https://www.paypal.com/us", but it is not the real browser address box! It is a field drawn inside the Java applet, styled so that it looks like part of the browser window. Note the real website address, www.skycar.net.cn, which Opera displays in the blue bar. However, users who aren't too careful about where they enter their PayPal data might well be fooled.

Interestingly, Firefox doesn't fall for this trick: it shows the fake "address bar" for a short time, then hides it.
