• Home
  • Hosting
  • Tech
  • Server
  • Security
Mex Linux

PerSwaysion, a sophisticated phishing campaign aimed at executives from around the world.

by admin
May 5, 2020

Group-IB has uncovered a sophisticated new phishing campaign, dubbed PerSwaysion, that targets executives at more than 150 companies worldwide.

Group-IB, a Singapore-based cybersecurity company, has identified a series of sophisticated and successful phishing attacks on executives and managers at more than 150 companies worldwide. The campaign, named PerSwaysion because of its extensive abuse of Microsoft Sway, has been running since at least mid-2019 and is attributed to Vietnamese developers and Nigerian operators. The cybercriminals behind PerSwaysion gained access to numerous confidential corporate MS Office 365 email accounts, mainly at financial companies, law firms and real estate groups.

The PerSwaysion campaign is growing at an alarming rate: the operators mine data from compromised email accounts to pick new targets who hold important positions and have a business relationship with the victim. Group-IB continues to work with the relevant parties in the affected countries to notify the compromised companies.

No brute force, just PerSwaysion.

PerSwaysion is a highly targeted phishing campaign. One of its defining characteristics is that it spreads like wildfire, jumping from one victim to the next, while no malware ever touches the user's device. A new round of phishing sent from the freshly compromised account typically starts within 24 hours.

The campaign has compromised 156 senior executives at companies in global and regional financial centres, including the United States, Canada, Germany, the United Kingdom, the Netherlands, Hong Kong and Singapore.

The PerSwaysion campaign mainly targets financial companies (~50%), law firms and real estate companies, using them as a stepping stone to their clients and business contacts. Group-IB has set up a web page where anyone can check whether their email address has been affected by PerSwaysion.


Group-IB's DFIR team was engaged to investigate an incident at an Asian company, where it established that PerSwaysion is a three-phase phishing operation that uses special tactics and techniques to evade detection. The threat actors rely on established social engineering techniques to persuade key people in a company to open malicious PDF attachments sent from the genuine email addresses of their business contacts.


The PDF attachment is a well-crafted Office 365 file-sharing notification that mimics the legitimate format. After the victim, in most cases a senior executive, clicks the Read Now button, they are taken to a file hosted on Microsoft Sway. The attackers deliberately use legitimate cloud content-sharing services such as Microsoft Sway, Microsoft SharePoint and OneNote so that the traffic does not stand out. The Sway page looks like the genuine Microsoft Office 365 file-sharing page, but it is a specially crafted presentation that takes advantage of Sway's default borderless view.


From this page the target is redirected to the final destination: the actual phishing site, which mimics the 2017 version of Microsoft's single sign-on page. Here the phishing kit assigns the victim a unique serial number, which serves as a rudimentary fingerprinting method: repeated requests for the same URL are rejected, which defeats automated analysis of the URLs visited by targets. When the executive submits their Office 365 credentials, they are sent to a separate data server, and an additional email address hidden on the page receives a copy as a real-time notification, so that the attackers can act on newly acquired credentials immediately.
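The following is an added example, not code from the article or from the PerSwaysion kit: a minimal model of the single-use URL gate described above, written to show why re-fetching a reported link from a sandbox or URL scanner returns nothing useful. Each visitor is issued a unique serial token on redirect; the token is bound to a coarse browser fingerprint and can be redeemed exactly once within a short time-to-live. The class and function names, the fingerprint fields (User-Agent and Accept-Language) and the sample requests are all assumptions.

```python
"""
Model of a single-use, fingerprint-bound URL gate (added example; names,
fingerprint fields and sample requests are assumptions, not the real kit).
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class SingleUseGate:
    ttl_seconds: int = 600
    # serial token -> (fingerprint, issue time)
    _issued: Dict[str, Tuple[str, float]] = field(default_factory=dict)
    _redeemed: Set[str] = field(default_factory=set)

    @staticmethod
    def fingerprint(headers: dict) -> str:
        """Coarse browser fingerprint: hash of two request headers (assumed fields)."""
        raw = headers.get("User-Agent", "") + "|" + headers.get("Accept-Language", "")
        return hashlib.sha256(raw.encode()).hexdigest()[:16]

    def issue(self, headers: dict, now: Optional[float] = None) -> str:
        """Mint a fresh serial for this visitor; the intermediate page embeds it in the redirect."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)
        self._issued[token] = (self.fingerprint(headers), now)
        return token

    def redeem(self, token: str, headers: dict, now: Optional[float] = None) -> bool:
        """Serve the page only on the first request, only to the same fingerprint, only within TTL."""
        now = time.time() if now is None else now
        if token in self._redeemed or token not in self._issued:
            return False  # replay, or a token this gate never issued
        fp, issued_at = self._issued[token]
        if now - issued_at > self.ttl_seconds:
            return False  # link went stale before it was opened
        if fp != self.fingerprint(headers):
            return False  # different client than the one the serial was minted for
        self._redeemed.add(token)
        return True


def simulate() -> dict:
    """Victim opens the link once; a scanner later re-fetches the same URL."""
    gate = SingleUseGate()
    victim = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/81.0",  # constructed
              "Accept-Language": "en-US,en;q=0.9"}
    scanner = {"User-Agent": "URLScanBot/1.0", "Accept-Language": ""}  # constructed
    token = gate.issue(victim, now=1000.0)
    return {
        "victim_first_visit": gate.redeem(token, victim, now=1001.0),
        "victim_refresh": gate.redeem(token, victim, now=1002.0),
        "scanner_refetch": gate.redeem(token, scanner, now=1030.0),
    }


if __name__ == "__main__":
    for event, served in simulate().items():
        print(f"{event}: {'page served' if served else 'denied'}")
```

The defensive takeaway is that the URL in a reported email cannot be detonated after the fact: the content has to be captured at first load (for example by a click-time proxy), or detection must rest on the surrounding signals such as the Sway redirect chain and the credential submission itself.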

Within 24 hours.

PerSwaysion threat actors act quickly on newly harvested executive credentials. Group-IB researchers found that the cybercriminals take three key steps to launch a new round of phishing against the people the victim has recently corresponded with, and that this takes less than 24 hours on average. Once the credentials reach their command-and-control server, PerSwaysion operators log in to the compromised email account. They download email data via APIs and identify high-value business relationships of the account owner. Finally, they generate new phishing PDFs bearing the current victim's full name, email address and the legal name of their company. These PDFs are sent to new targets, usually outside the victim's organization, who hold important positions. PerSwaysion operators generally delete the phishing emails from the Sent Items folder to avoid raising suspicion. A detailed technical analysis of PerSwaysion's operations and attack patterns is available on Group-IB's blog.

"PerSwaysion's threat actors do not yet show a clear preference for a monetization model," said Feixiang He, senior analyst at Group-IB's Threat Intelligence division. "The attackers have quiet access to many corporate email accounts and a large pile of sensitive email data belonging to senior businesspeople. This opens up great possibilities. Account access can be sold in bulk to other cybercriminals to carry out traditional financial scams. Sensitive business information from the emails, such as non-public financial documents, confidential business strategies and customer lists, can be sold to the highest bidder in underground markets."

Who is behind PerSwaysion?

The PerSwaysion campaign is a series of malware-free operations. Analysis of the phishing kit showed that it was mainly developed by Vietnamese actors who are highly specialised in this type of threat: the form-validation library used in the kit, VeeValidate, ships with 48 language packs, yet the kit includes only the Vietnamese one. Further research showed that the developers do not run phishing campaigns themselves. Instead, they most likely sold the phishing kit and PDF generator to various cybercriminals for direct profit.

The Threat Intelligence team found several loosely connected subgroups of threat actors who carry out the phishing attacks themselves. It identified a total of 27 email addresses used to collect and report stolen credentials; these addresses are embedded in the PerSwaysion phishing kits. Some of them were also used to register LinkedIn accounts for collecting profiles of potential victims. This data helps PerSwaysion's attackers select people who hold key positions in a company.

Further research suggests that one of the earliest PerSwaysion operator groups is a set of threat actors active in Nigeria and South Africa, led by a Nigerian individual who goes by the name Sam. Since 2017 this group has engaged in a range of activities, from online shopping fraud to phishing attacks. The large geographic and cultural distance between the phishing-kit developers and the campaign operators points to a growing specialisation among cybercriminals.

According to Feixiang He, the PerSwaysion campaign is a living example of how highly specialised phishing experts work together to attack senior executives effectively and at scale. They use a variety of tactics and techniques to evade traffic inspection and automated threat detection, such as hosting content on file-sharing and web hosting services of well-known providers. The campaign also uses non-trivial counter-analysis techniques, such as randomising the malicious JavaScript file names per victim, fingerprinting browsers and blocking repeat visits. Such actions by cybercriminals seeking confidential business data call for an unconventional approach to detection and response.

Cloud-based business services such as MS Sway pose new challenges to traditional cyber threat management. A good cloud migration plan should account for the changes to early warning, anomaly detection and incident response that come with them. When adopting cloud-based business services, enforcing two-factor authentication (2FA) is essential to reduce the risk of account takeover. In addition, when planning the cloud service architecture, system administrators need to evaluate the log management options offered by each provider and feed the activity logs into their existing threat detection workflows.
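The following is an added example, not Group-IB's tooling or code from the article: detection logic for the post-compromise sequence described above (login from an unfamiliar address, mailbox download through an API client, outbound PDF lures, then cleanup of Sent Items, all inside 24 hours), run over constructed audit records as the last paragraph recommends. The record fields (time, user, op, ip, client, count, attachment, folder) are a simplified subset loosely modelled on Office 365 audit events, the baseline of known IPs is invented, and the sample log is constructed; treat all of them as assumptions.

```python
"""
Score users for the PerSwaysion-style post-compromise pattern (added example;
record schema, baseline and sample log are constructed assumptions).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

WINDOW = timedelta(hours=24)
SCRIPT_CLIENTS = ("python", "curl", "go-http", "okhttp")  # non-interactive clients (assumed list)

# Constructed sample records: one compromised executive, one ordinary user.
SAMPLE_LOG = [
    {"time": "2020-04-20T08:02:11Z", "user": "cfo@example.com", "op": "UserLoggedIn",
     "ip": "203.0.113.10", "client": "OutlookWeb"},
    {"time": "2020-04-20T14:30:05Z", "user": "cfo@example.com", "op": "UserLoggedIn",
     "ip": "198.51.100.77", "client": "Python-Requests/2.23"},
    {"time": "2020-04-20T14:31:40Z", "user": "cfo@example.com", "op": "MailItemsAccessed",
     "ip": "198.51.100.77", "client": "Python-Requests/2.23", "count": 850},
    {"time": "2020-04-20T15:10:00Z", "user": "cfo@example.com", "op": "Send",
     "ip": "198.51.100.77", "client": "OutlookWeb", "attachment": "Shared_Document.pdf"},
    {"time": "2020-04-20T15:10:30Z", "user": "cfo@example.com", "op": "HardDelete",
     "ip": "198.51.100.77", "client": "OutlookWeb", "folder": "Sent Items"},
    {"time": "2020-04-20T09:00:00Z", "user": "analyst@example.com", "op": "UserLoggedIn",
     "ip": "203.0.113.22", "client": "OutlookWeb"},
    {"time": "2020-04-20T09:05:00Z", "user": "analyst@example.com", "op": "Send",
     "ip": "203.0.113.22", "client": "OutlookWeb", "attachment": "report.pdf"},
]

# Constructed baseline: addresses each user has historically logged in from.
KNOWN_IPS: Dict[str, Set[str]] = {
    "cfo@example.com": {"203.0.113.10"},
    "analyst@example.com": {"203.0.113.22"},
}


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def score_user(records: List[dict], known_ips: Set[str]) -> Tuple[int, List[str]]:
    """Anchor on the first login from an unseen IP, then look for the follow-on steps within 24h."""
    records = sorted(records, key=lambda r: parse_time(r["time"]))
    unseen = [r for r in records if r["op"] == "UserLoggedIn" and r["ip"] not in known_ips]
    if not unseen:
        return 0, []
    start = parse_time(unseen[0]["time"])
    window = [r for r in records if timedelta(0) <= parse_time(r["time"]) - start <= WINDOW]
    score, reasons = 1, [f"login from unseen IP {unseen[0]['ip']}"]
    if any(r["client"].lower().startswith(SCRIPT_CLIENTS) for r in window):
        score += 1
        reasons.append("non-interactive API client")
    if any(r["op"] == "MailItemsAccessed" and r.get("count", 0) >= 100 for r in window):
        score += 1
        reasons.append("bulk mailbox read")
    if any(r["op"] == "Send" and r.get("attachment", "").lower().endswith(".pdf") for r in window):
        score += 1
        reasons.append("outbound PDF after takeover")
    if any(r["op"] in ("HardDelete", "SoftDelete") and r.get("folder") == "Sent Items" for r in window):
        score += 1
        reasons.append("Sent Items cleaned up")
    return score, reasons


def find_suspects(log: List[dict], known_ips: Dict[str, Set[str]], threshold: int = 4) -> Dict[str, Tuple[int, List[str]]]:
    """Group records per user and return those whose score reaches the threshold."""
    by_user = defaultdict(list)
    for r in log:
        by_user[r["user"]].append(r)
    alerts = {}
    for user, recs in by_user.items():
        score, reasons = score_user(recs, known_ips.get(user, set()))
        if score >= threshold:
            alerts[user] = (score, reasons)
    return alerts


if __name__ == "__main__":
    for user, (score, reasons) in find_suspects(SAMPLE_LOG, KNOWN_IPS).items():
        print(f"ALERT {user} score={score}: {', '.join(reasons)}")
```

The single unfamiliar login is only the anchor; the alert fires on the combination, which is what separates an executive travelling from an operator running the 24-hour cycle. A legitimate user sending a PDF from a known address, as the second user here does, scores zero.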

The original article is available:

https://www.group-ib.com/blog/perswaysion

About Group-IB

Group-IB is a Singapore-based provider of solutions for the detection and prevention of cyberattacks, online fraud and brand/IP protection, and of high-level cyber investigations.


Pierluigi Paganini

(Security Affairs – hacking)

© 2020 MexLinux - Sitemap