Welcome to the latest edition of the Cyber Safe Threat Updates, a weekly series in which we bring attention to the latest cyber attacks, scams, frauds, and malware including Ransomware, to ensure you stay safe online.

Here are the most prominent threats which you should be aware of:

Scammers Exploit Wilko’s Administration with Fake Discount Websites: Stay Alert

In the wake of retailer Wilko’s recent announcement of entering administration, opportunistic scammers have swiftly taken advantage of the situation. These fraudsters have turned to social media platforms, particularly Facebook, to promote counterfeit Wilko websites promising extravagant discounts.

Sponsored advertisements on Facebook entice users with the allure of up to 90% off on Wilko products. These adverts, however, lead unsuspecting individuals to fraudulent copycat websites designed to steal personal information and banking details. This scam follows a pattern seen before, where struggling retailers become targets for malicious schemes. Recently, similar scams involving counterfeit Joules websites were reported.

How the Scam Operates and Identifying Fake Websites

The deceptive advertisements on Facebook showcase Wilko ‘clearance sales,’ accompanied by claims of limited stock availability to create a sense of urgency. Once clicked, these ads direct users to websites showcasing Wilko merchandise, with detailed product descriptions to imitate authenticity. The fraudulent websites even include standard pages such as ‘about us,’ ‘contact us,’ and ‘privacy policy.’ However, a closer examination reveals numerous grammatical errors, and the ‘contact us’ section lacks any legitimate contact information.

A disconcerting number of ten fake websites were discovered, all posing as Wilko:

Upon being notified of these fraudulent sites, Wilko promptly confirmed their inauthenticity and asserted that all its sales take place exclusively in physical stores, not online. The matter was also reported to Meta (formerly known as Facebook), resulting in the removal of the scam ads for violating platform policies.

Individuals encountering such deceptive Facebook adverts can report them by clicking on the three dots in the ad’s corner and selecting the ‘report’ option.

Recognising Scam Websites and Taking Action

Vigilance is crucial when navigating potential retail websites, especially when they exhibit signs of being dubious. Some indicators of scam websites include:

Poor spelling and grammar.

Offers that appear excessively generous to the point of being implausible.

Absence of essential pages like ‘about us,’ contact details, or privacy policy.

Inconsistent or substandard branding, including unclear logos.

Immediate action is advised for those who unwittingly make purchases from fraudulent websites. Reach out to your bank using the contact number provided on the back of your card to freeze the card and halt any transactions. If this proves ineffective, recourse can be sought through chargeback for transactions below £100, provided they were made using debit or credit cards. For transactions exceeding £100 on credit cards, Section 75 can be utilised.

Source: https://bit.ly/3qIPR1c

Past Cyber Attack: UK Businesses Issued Deadline by Suspected Russian Group

New facts are emerging about a recent cyber attack which impacted globally renowned companies. In a disconcerting cyber incident that unfolded two months ago, a suspected Russian cyber gang known as Clop orchestrated a large-scale attack targeting prominent UK entities, including British Airways (BA) and Boots. This group, which has claimed responsibility for the breach, issued an ultimatum on the dark web, stipulating that victims must negotiate or risk having the compromised data published online.

The attack’s focal point revolved around exploiting a zero-day vulnerability within the MOVEit software, extensively used by numerous businesses for their operations. This security gap allowed the hackers to infiltrate servers and pilfer personal and financial data, impacting the privacy of over 100,000 employees across multiple organisations. The compromised information included sensitive details such as bank and contact information.

Clop’s audacious move to reveal its responsibility for the attack was coupled with a demand for affected parties to negotiate by a specified date. The group extended this ultimatum via a blog post on the dark web, asserting that negotiations must be initiated by June 14th. This move left a sense of urgency for the targeted companies, urging them to assess the severity of the breach and decide whether to comply with the cyber gang’s demands.

Even well-established institutions like the British Broadcasting Corporation (BBC) and Aer Lingus were not immune to the consequences of the attack, as they found themselves grappling with compromised data and potential negotiations with the hackers. Moreover, new victims emerged as the attack’s scope widened, encompassing institutions as varied as the University of Rochester in New York and the government of Nova Scotia in Canada.

Clop, however, attempted to quell some concerns by claiming to have deleted data linked to government, city, or police services. They issued a message of reassurance, stating, “Do not worry, we erased your data. You do not need to contact us. We have no interest in exposing such information.”

The attack’s aftermath highlighted the potential vulnerabilities within widely used business software and the importance of proactive cybersecurity measures. Zellis, a payroll software company that utilised the compromised MOVEit software, acknowledged that the attack directly impacted eight customers. While some victims were publicly known, others were not disclosed.

Businesses employing the vulnerable software included names such as Jaguar Land Rover, Harrods, and Dyson. Clop’s exact motivations behind the attack remained unclear. In a communication with Reuters, the group confirmed its role in the breach.

In response to the crisis, MOVEit promptly investigated the vulnerability, alerting its customers about the issue and providing immediate guidance to mitigate risks. The company committed to cooperating with cybersecurity experts and relevant authorities to address the incident effectively.

The incident underscored the importance of cybersecurity vigilance for all organisations, emphasising the need for constant monitoring, prompt response, and proactive measures to safeguard against cyber threats. While this incident occurred in the past, its implications and lessons continue to resonate in today’s interconnected digital landscape.

Source: https://bit.ly/3OW6LkR

Tesla Data Breach and Action

Electric car manufacturer Tesla revealed that two former employees orchestrated a data breach impacting 75,735 individuals. In violation of Tesla’s IT security and data protection policies, these ex-employees accessed sensitive company information. This breach included personally identifiable information of employees, customer bank details, production secrets, and complaints regarding Tesla’s Full Self-Driving features. The compromised data was shared with German media company Handelsblatt. Tesla swiftly responded by initiating legal actions against the former employees, leading to the seizure of electronic devices believed to contain the stolen data. Handelsblatt stated it did not intend to publish the data, abiding by legal restrictions.

Duolingo User Data Compromised

In another data breach incident reported by Bleeping Computer, information about 2.6 million users of the language learning platform Duolingo was released on a hacking forum. The compromised data encompassed public login names, real names, email addresses, and internal Duolingo-related information. Initially offered for sale on a forum, the data was priced at $1,500 before reappearing on a different forum for only $2.13 worth of site credits. The breach exploited an exposed API, and the leaked data has since been added to the Have I Been Pwned database.

Lapsus$ Gang Trial Outcome

After a trial lasting two months, an alleged leader of the Lapsus$ cyber gang, Arion Kurtaj, was deemed responsible for multiple cyber offences, including breaches under the Computer Misuse Act, blackmail, and fraud. The gang gained notoriety for attacks on prominent entities, such as Microsoft, Nvidia, Samsung, and Uber, among others. After hacking their servers and data files, they demanded a ransom of four million US dollars from BT and EE. The verdict highlighted the complex nature of modern cybercrime: Kurtaj, an autistic teenager, had been deemed unfit to stand trial by psychiatrists, so he could not be found guilty, and the jury determined only whether he committed the acts, not whether he did so with criminal intent.

These incidents are stark reminders of the constant threat posed by cyber attacks and the importance of robust security measures to safeguard sensitive information in the digital age.

St Helens Council Faces Suspected Cyber-Attack: Services Disrupted

A suspected cyber-attack has struck St Helens Council, causing disruptions to its IT systems. The council identified the incident as a “suspected Ransomware incident” and initiated an investigation into the matter. The discovery was made on Monday, prompting the council to swiftly implement security measures to maintain the integrity of its networks.

While the council assured residents that services would continue to be accessible via its website, the incident impacted some of its internal systems. Acknowledging the complexities of such situations, the council highlighted that it is working alongside cyber-security experts to resolve the incident. The evolving nature of the situation emphasises the challenges inherent in addressing cyber threats.

St Helens Council emphasised the importance of vigilance among residents, urging them to remain attentive to signs of potential attacks or scams. The incident serves as a reminder of the continuous threats institutions face from cyber criminals and the need for robust cybersecurity protocols to safeguard sensitive information and maintain uninterrupted services.

WinRAR Zero-Day Exploited to Target Crypto Traders with Malware

A zero-day vulnerability in WinRAR, identified as CVE-2023-38831, has been actively exploited since April 2023, allowing hackers to install malware through seemingly harmless files in archives. This flaw, which was resolved in WinRAR version 6.23 released on August 2, 2023, enabled threat actors to create malicious .RAR and .ZIP archives containing files like JPG images, text files, and PDF documents. A script is executed when a user opens these files, installing malware on the device.

The vulnerability’s exploitation aimed to breach crypto traders’ online cryptocurrency trading accounts. Cybersecurity researchers from Group-IB uncovered this campaign, revealing that the hackers disguised themselves as trading enthusiasts sharing strategies on trading forums. These fake forum posts contained links to specially crafted malicious archives, appearing to include trading strategies.

Upon opening these malicious archives, users saw seemingly harmless files alongside folders with matching names. However, the exploit silently launched a script to install malware while loading the decoy document to avoid suspicion. The malware strains DarkMe, GuLoader, and Remcos RAT were distributed through this method, granting attackers remote access to infected devices.

Targeting crypto traders, potentially for stealing crypto assets, underscores the financial motivations behind the campaign. The Remcos RAT’s capabilities suggest that espionage could also be a motive.

Group-IB discovered CVE-2023-38831 in July 2023 and published a detailed report on its exploitation. Users of WinRAR are strongly advised to update to the latest version, 6.23, to mitigate the risks associated with this vulnerability and the broader range of attacks it enables.
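The archive layout described above (a harmless-looking file next to a folder of the same name holding a script) is something a defender can check for before an archive reaches a user. The following Python scanner is an added example written for this update, not code from Group-IB or WinRAR; it handles ZIP input only (Python’s standard library has no RAR reader), and the sample archive it builds is constructed test data whose only “script” is a single comment line.

```python
import io
import posixpath
import sys
import zipfile

# Extensions Windows would execute rather than display when the member is "opened".
SCRIPT_EXTENSIONS = {".cmd", ".bat", ".vbs", ".js", ".ps1", ".exe", ".scr"}


def find_decoy_folder_pairs(archive_bytes: bytes) -> list[dict]:
    """Flag top-level files that share their name with a folder holding a script.
    Names are compared with trailing whitespace removed; only ZIP input is handled."""
    top_level_files = set()
    folder_members = {}  # normalised folder name -> member paths inside it
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = info.filename.split("/")
            if len(parts) == 1:
                top_level_files.add(parts[0].rstrip())
            else:
                folder_members.setdefault(parts[0].rstrip(), []).append(info.filename)

    findings = []
    for decoy in sorted(top_level_files):
        for member in folder_members.get(decoy, []):
            ext = posixpath.splitext(member.rstrip())[1].lower()
            if ext in SCRIPT_EXTENSIONS:
                findings.append({"decoy": decoy, "script": member})
    return findings


def build_sample_archive(with_pair: bool = True) -> bytes:
    """Constructed test data (not a real sample): a decoy 'PDF' beside a same-named
    folder whose only member is a .cmd file containing a single comment line."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"constructed benign file\n")
        zf.writestr("strategy.pdf", b"%PDF-1.4 constructed decoy\n")
        if with_pair:
            zf.writestr("strategy.pdf/strategy.pdf.cmd", b"rem constructed placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_archive()
    for hit in find_decoy_folder_pairs(data):
        print(f"WARNING: '{hit['decoy']}' is shadowed by script '{hit['script']}'")
```

Run it with a ZIP path as the first argument to scan a real file; with no argument it scans the constructed sample and reports the one pair. A hit is a reason to quarantine the archive and confirm that the recipient’s WinRAR is at 6.23 or later, not proof of malice on its own.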

Contact Neuways to help your business become Cyber Safe

If you need any assistance with cyber security, then please contact Neuways and we will help you where we can. Just get in touch with our team today.