Author: Josh Breaker Rolfe

New research from Palo Alto Networks has revealed that cybercriminals are taking advantage of high-profile sporting events to conduct scams, phishing, and malware attacks through suspicious domain registrations and other malicious activities. Domain Abuse Surges During Paris Olympics For example, researchers uncovered significant spikes in newly registered domains (NRDs), DNS anomalies, and URL traffic during the Paris Olympics. During the event, Olympic-related domain registrations tripled compared to normal periods. 16% of these domains were suspicious, 13 times higher than the general rate for NRDs. Attackers used these spoof domains to sell fake tickets, trick users into participating in cryptocurrency scams,…

Cybercriminals are using phish kits developed by authoring group SpartanWarriorz to target over 300 global brands, new research from Fortra has revealed. Attackers using the kits tend to target financial institutions in North America and Europe, retail, delivery services, and social media platforms. Distribution Techniques Like many cybercriminal groups, SpartanWarriorz primarily markets and distributes phishing kits through Telegram, a popular encrypted messaging service. The group’s channel boasts over 5300 subscribers and is managed by two moderators. On November 21, the SpartanWarriorz Telegram channel was shut down, but the group quickly resumed operations by launching a new channel on the same…

Phishing scams impersonating major holiday brands like Walmart, Target, and BestBuy increased by more than 2000% during Black Friday week, new research from Darktrace has revealed. These findings come as part of a wider increase in phishing activity during the early holiday shopping season. From November 25th to November 29th, 2024, attempted Christmas-themed phishing attacks leaped 327% worldwide, while Black Friday-themed phishing attacks jumped 692% compared to the 4th to the 9th of November. According to Nathaniel Jones, VP of Threat Research at Darktrace, we can attribute these surges to the rise of AI, which, combined with automation and growing cybercrime-as-a-service marketplaces,…

More than half of M&A security incidents in 2024 were non-malicious, resulting instead from integration-induced investigation delays, policy and compliance challenges, and issues baselining internal tools, a report from ReliaQuest has revealed. These findings suggest that inherited assets present a significant risk during M&A activities. However, discussions on cybercriminal forums suggest that threat actors deliberately target companies engaged in M&A processes, abusing perceived security weaknesses while staff are preoccupied with merger logistics. Forum discussions reveal that cybercriminals believe they can monetize M&A information for profit and use it for insider trading or blackmail. M&A Security Incidents by Sector The manufacturing sector faced…

A sophisticated cyberattack using the SmokeLoader malware targeted multiple industries in Taiwan in September 2024, new research from FortiGuard Labs has revealed. SmokeLoader is notorious for its versatility, advanced evasion techniques, and modular design, which allow it to perform a wide range of attacks. Attackers have traditionally used SmokeLoader as a downloader to deliver other malware; in this case, it carries out the attack itself by downloading plugins from its C2 server. Impacted industries include manufacturing, healthcare, and information technology. Launching the Attack Attackers initiated the attack using phishing emails, which, despite containing convincing, localized language, were sent to multiple…

Spearphishing attacks with links and attachments increased in Q3 2024, accounting for 46% of security incidents, ReliaQuest’s Top Cyber Attacker Techniques report has revealed. Initial access methods like spear phishing were the most common MITRE ATT&CK techniques last quarter and have remained so in Q3 2024. According to ReliaQuest, high employee turnover and the accessibility of phishing kits on cybercriminal forums are driving the persistence of these attacks. “Even if employees are properly trained to recognize the signs of phishing, the constant influx of untrained new hires creates opportunities for cybercriminals,” the report said. “Despite the importance of employee training, sometimes…

Cloudflare’s Pages and Workers platforms have experienced a surge of malicious activity in the past year, research from Fortra’s Suspicious Email Analysis (SEA) team has revealed. Phishing incidents on Cloudflare Pages have surged nearly 200% over the past year, while abuse of Cloudflare Workers has increased by 104%. These findings indicate that cybercriminals are increasingly exploiting Cloudflare’s popular web hosting services to facilitate phishing schemes, data exfiltration, and other malicious attacks. Cloudflare Pages and Phishing Activity Cloudflare Pages is a platform for developers to deploy static websites, supported by Cloudflare’s global content delivery network (CDN). It provides features such as…

Ransomware attacks on the healthcare sector surged in 2024, analysis from SafetyDetectives reveals. The year has already seen 264 attacks on healthcare providers by September, nearly surpassing the 268 attacks recorded for all of 2023. Escalating Cyber Threats SafetyDetectives argues that the growing number of ransomware groups and variants in 2024 contributed to the increasing number of attacks on the healthcare sector. In 2023, 68 active groups were responsible for nearly 4,841 attacks globally. This year, 87 groups averaged 394 monthly attacks. The report also reveals that cybercriminals are changing tactics: cybersecurity experts discovered 177 new ransomware variants between April…

A malicious package on the Python Package Index (PyPi) has been quietly exfiltrating Amazon Web Service credentials from developers for over three years, a new report from cybersecurity researchers at Socket has revealed. The package “fabrice” is a typosquat of the popular Python library “fabric” used for executing remote shell commands. It has been downloaded more than 37,000 times and, despite detection, remains available on PyPi. For Callie Guenther, Senior Manager of Cyber Threat Research at Critical Start, the long-term nature of the campaign suggests a calculated approach by advanced threat actors. “This approach aligns with a trend where attackers prioritize persistent access over…

Despite the recent takedown of the RedLine malware variant and a crackdown on “problematic” Telegram content, the credential abuse market is as vibrant as ever. This was revealed by new research from ReliaQuest. According to the company, cybercriminals appear undeterred by Telegram CEO Pavel Drurov’s recent arrest, promise to remove problematic content, and announcement of a more proactive approach to complying with government requests. Bad actors have long used Telegram, an end-to-end encrypted online messaging service, as a marketplace for selling stolen credentials. Despite Drurov’s promise to share user information with law enforcement, they continue to do so. ReliaQuest’s researchers observed…