Welcome to the latest edition of the Neu Cyber Threats, a weekly series in which we bring attention to the latest cyber attacks, scams, frauds, malware including Ransomware and DDoS, in order to ensure you stay safe online.

Here are the most prominent threats which you should be aware of:

 

Dropbox

Well-known internet forum Reddit a victim of a phishing attack

Reddit confirmed that hackers accessed their internal documents and source code after a successful, highly targeted phishing campaign.

The company did become aware of this sophisticated attack on the 5th of February. The attacker is not yet known, but the phishing campaign was sent to employees with persuasive prompts that took them after clicking onto a fake Reddit intranet portal in an attempt to steal credentials and 2-FA tokens.

The hackers succeeded. They managed to obtain employees’ details, allowing them to access all Reddit’s internal documents, source code and business systems.

After Reddit’s employees realised they were phished, they immediately reported this incident to Reddit’s security team. They cut off the attackers and started an internal investigation.

Unfortunately, during the investigation, they found that hundreds of current and former employees and some advertisers’ information was accessed. There is no evidence that personal user data and other non-public data have been stolen, published or distributed online on the dark web.

“We’re continuing to investigate and monitor the situation closely and working with our employees to fortify our security skills,” said Reddit’s CTO Christopher Slowe.

All the users are advised to set up MFA and strengthen their accounts even though there is no evidence of stolen personal data. We at Neuways always recommends setting up MFA for any login accounts, business and private.

Increased use of Microsoft OneNote by cyber criminals to deliver malware

Cyber criminals are increasingly using OneNote documents to deliver malware to victims’ devices to access passwords, personal details and even cryptocurrency wallets.

The virus is delivered to email attachments and URLs as .one extension.

Messages with malware are usually invoices, remittances, shipping details or Christmas bonuses.

These documents contain embedded files hiding behind a call to action, usually a button. When a user double-clicks on it, they will be prompted with a warning. If the user clicks again and executes the file despite the warning, everything that is within the attachment, shortcut (LNK) files, and script files as HTML (HTA) or Windows script will (WSF) will be automatically downloaded onto the device and injected with malware.

In multiple campaigns, the cyber criminals actually use legitimate services such as ‘OneNote Gem’ and ‘Transfer.sh’ to host payloads. However, proof of distributing XWorm and AsyncRAT was discovered too. Some of these messages contained a PowerShell script that a user could download as a batch file (system32.bat) from a URL. These attacks are only successful if the user clicks on the embedded file and ignores the OneNote warning. Like phishing campaigns, never engage with emails and files you’re not expecting to land in your mailbox.

Namecheap’s email platform hijacked to phis their customers

Customers of the popular domain hosting company Namecheap started receiving scam emails that looked like delivery notices from DHL and the crypto wallet MetaMask. Namecheap confirmed that their email service got breached, and phishing emails were sent to their customers last Sunday.

These emails urged victims to respond with Secret Recovery Phrase to access their crypto wallets. Nameservers denied that the breach accessed customers’ personal information.

“We have evidence that the upstream system we use for sending emails (third party) is involved in the mailing of unsolicited emails to our clients,” stated Namecheap in their blog post on their website.

“As a result, some unauthorised emails might have been received by you. We would like to assure you that Namecheap’s own systems were not breached, and your products, accounts, and personal information remain secure.”

The problem was with Namecheap’s third-party provider for their newsletters to send customers. A report released by CloudSEK confirmed that over 600 apps were found that leaked API keys, including Mailchimp, Mailgun and Sendgrid.

If you ever asked for Secret Recovery Phrase that is from MetaTask or Namecheap, don’t click, reply or engage with the email in any shape or form, but delete it immediately.

Make sure you, your colleagues or your employees know how to stay phish aware when they get one with our Managed Security and Phishing Awareness Training.

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.