New Meta-Phish Campaign Utilizing Facebook Copyright Violation Lures
Trustwave researchers have identified a new phishing campaign, dubbed "Meta-Phish," that uses Facebook posts in its attack chain. The lure is designed to trick victims into handing personally identifiable information (PII), account credentials, and Facebook profile links to the actor responsible, after they receive a phishing email disguised as a corporate violation notification. The email claims that access to the victim's account will be lost if no objection is made within forty-eight (48) hours of receiving the notice. It contains a link to a legitimate-looking webpage that uses a "Page Support" profile to display the fraudulent post. The user is then prompted to file an appeal through a crafted phishing page that mimics the real Facebook copyright appeal page. Researchers noted that the three observed domains all appeared to be online as of December 15, 2022. The phishing page collects full name, login email address, phone number, Facebook page name, and additional info; upon submission, the campaign also captures the victim's IP address and geolocation information. All collected information is exfiltrated to the actor's Telegram account. The victim is then redirected to a further phishing page that displays a fake six (6) digit one-time-password request with a timer. Any combination of numbers results in an error, and if the resulting "Need another way to authenticate?" or "Get Code" options are clicked, the victim is redirected to the legitimate Facebook website, which requires them to log in. Researchers emphasized that numerous inauthentic accounts on the platform are currently being used in social engineering campaigns, and that threat actors will continue to innovate to bypass security controls and filters on social media platforms.
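The lure described above combines three observable traits: copyright-violation wording, a short deadline, and a Facebook-themed message whose links resolve outside Facebook-owned domains. The following is an added example (not code from Trustwave's report or the CTIX team) of a simple mail-triage heuristic that scores messages on those traits. The sample messages, the list of Facebook-owned domains, and the "two or more reasons" threshold are constructed assumptions for illustration, not indicators taken from the campaign.

```python
import re
from urllib.parse import urlparse

# Assumption: domains treated as legitimately Facebook-owned for link checks.
LEGIT_DOMAINS = {"facebook.com", "fb.com", "meta.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Matches pressure phrases such as "within 48 hours" or "within forty-eight (48) hours".
DEADLINE_RE = re.compile(
    r"\b(?:within|in)\s+(?:\d{1,3}|forty[- ]eight|twenty[- ]four)\s*(?:\(\d+\)\s*)?hours?\b",
    re.IGNORECASE,
)
# Wording typical of a copyright-violation lure (assumed term list).
LURE_TERMS = ("copyright", "violation", "appeal", "page support",
              "disabled", "access to your account")


def is_facebook_domain(host: str) -> bool:
    """True only for an exact Facebook-owned domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def score_message(subject: str, body: str) -> dict:
    """Return a score, a verdict and the reasons behind it for one message."""
    text = f"{subject}\n{body}".lower()
    reasons = []

    hits = [t for t in LURE_TERMS if t in text]
    if len(hits) >= 2:
        reasons.append(f"copyright-violation lure terms: {hits}")

    if DEADLINE_RE.search(text):
        reasons.append("short deadline pressure")

    # A Facebook-themed message should not send the reader off-platform.
    external = []
    for url in URL_RE.findall(f"{subject} {body}"):
        host = urlparse(url.rstrip(".,;)")).hostname or ""
        if not is_facebook_domain(host):
            external.append(host)
    if external and ("facebook" in text or "meta" in text):
        reasons.append(f"Facebook-themed message links to non-Facebook host(s): {sorted(set(external))}")

    score = len(reasons)
    return {"score": score, "suspicious": score >= 2, "reasons": reasons}


# Constructed sample messages (not real campaign emails).
PHISH = (
    "Your page has been reported for copyright violation",
    "Hello, your Facebook page has been reported for copyright violation by Page Support. "
    "If you believe this is a mistake, submit an appeal within forty-eight (48) hours or "
    "access to your account will be disabled. Appeal here: "
    "https://page-support-appeal.example/appeal",
)
LEGIT = (
    "Security alert",
    "We noticed a new login to your Facebook account. "
    "Review it at https://www.facebook.com/login/",
)
UNRELATED = (
    "Quarterly copyright training",
    "Please complete the training at https://intranet.example/training",
)


def triage(messages):
    """Score a batch of (subject, body) pairs; returns subject -> result."""
    return {subject: score_message(subject, body) for subject, body in messages}


if __name__ == "__main__":
    for subject, result in triage([PHISH, LEGIT, UNRELATED]).items():
        print(f"{subject!r}: suspicious={result['suspicious']} score={result['score']}")
        for reason in result["reasons"]:
            print("   -", reason)
```

Treat this as a triage aid rather than a blocking rule: a single off-platform link or one urgent phrase is common in legitimate mail, which is why the verdict requires at least two independent reasons, and why the link check only fires when the message is Facebook-themed.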
CTIX analysts will continue to monitor phishing campaigns utilizing social media, and indicators of compromise (IOCs) for the Meta-Phish campaign can be viewed in Trustwave's report linked below.
Threat Actor Activity
Shift In Tactics Shows More Aggressive Side of TA453
A notorious threat group has begun shifting its social engineering and overall tactics, becoming more aggressive toward the victims of its phishing campaigns. The group, tracked as TA453 (sharing TTPs with APT42, Charming Kitten, and PHOSPHORUS), often launches extensive social engineering operations targeting journalists, human rights activists, academics, diplomats, and others. Historically, TA453 operators structured their attacks around the specific victim, building a rapport between threat actor and target to increase the chance of engagement and successful malware delivery. Some TA453 subgroups would converse with the victim for days or weeks before eventually delivering a malicious link intended to harvest the victim's credentials in one of several ways. Other subgroups behaved like most social engineering-driven threat groups, sending the malicious link outright and hoping the victim would click the embedded content. In recent campaigns, TA453 actors have become more aggressive against their victims. After compromising multiple email accounts, including those of several high-ranking military officials, the threat actors spear-phished a single victim with a harsh email. Translated from Hebrew, the email reads: "I'm sure you remember what I told you. Every email you get from your friends may be me and not someone who it claims. We follow you like your shadow, in [REDACTED]… Take care of yourself". Given this dramatic shift in tactics, researchers indicate this could be an intimidation tactic developed between TA453 and hostile Iranian state-aligned operations. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.
Microsoft Patch Tuesday Fixes Actively Exploited Windows MoTW Bypass Vulnerability Used to Deliver Magniber and Qbot Payloads
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (firstname.lastname@example.org) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.