External Attack Surface Management: Protecting Your Organization in the Digital Age
In an increasingly interconnected digital world, organisations face a growing number of cyber threats. As businesses expand their online presence, their attack surface increases, making it more vulnerable to cyberattacks. This is where External Attack Surface Management (EASM) comes into play.
In this blog, we will explore the concept of EASM, what it includes, its importance, how it differs from security ratings, and what the future holds for this crucial aspect of cybersecurity. Additionally, we’ll discuss how CTM360 HackerView can help your organisation effectively manage its external attack surface.
What is EASM?
External Attack Surface Management (EASM) involves the continuous discovery, monitoring, and management of an organisation’s external-facing digital assets. These assets include websites, IP addresses, cloud services, and any other publicly accessible resources. A comprehensive EASM would also have the organisation’s mobile apps, genuine social media inventory, Executive Management profiles and more. EASM focuses on first building a comprehensive “Digital Asset Register” and next identifying vulnerabilities and potential entry points that could be exploited by malicious actors. By gaining a deep understanding of the external attack surface, organisations can proactively mitigate risks and prevent breaches before they occur.
From the management perspective, EASM is an essential component of a robust cybersecurity strategy. It enables organisations to see their digital footprint from the perspective of an attacker, allowing them to identify and secure weak points that could be targeted.
What is Included in an Organization’s Attack Surface?
An organisation’s attack surface consists of all the external-facing digital assets that could potentially be targeted by cybercriminals. These include:
Domains, Hosts, and Sub-Domains:
An organization’s collection of domains, along with their associated hosts and sub-domains, creates numerous potential entry points for attackers. Each sub-domain may have unique vulnerabilities that can be exploited if not properly secured.
Web Applications:
Public-facing websites and web applications are common targets for attackers seeking to exploit vulnerabilities such as outdated software or weak authentication mechanisms.
Cloud Services:
With the rise of cloud computing, organisations often use cloud-based services for data storage and processing. Misconfigurations or insufficient security measures in these services can expose sensitive information.
IP Addresses:
Public IP addresses can be scanned by attackers to identify open ports or vulnerable services that can be exploited.
Third-Party Integrations:
Organisations often rely on third-party vendors or services that have access to their systems. These integrations can introduce additional vulnerabilities if not properly managed.SSL/TLS Certificates:
Weak or expired certificates can leave encrypted communications vulnerable to interception.
A comprehensive EASM solution would also include -
Inventory of Genuine Social Media Profiles:
An organisation's presence on social media platforms can be targeted by attackers for impersonation or phishing attempts.
Mobile Apps:
Attackers can create rogue mobile apps on third party stores to impersonate trusted brands, with the goal of gaining unauthorised access to information that can be used to commit fraudulent transactions.
Executive Management Names/Profiles:
Attackers may attempt to impersonate an organisation's executive leadership for social engineering attacks.
BIN Numbers:
Payment card information, including BIN (Bank Identification Number) data, can be exposed and used for fraudulent activities.
Environments & Technologies:
The list of technologies and their respective versions visible in the organisation's attack surface can help identify potential vulnerabilities and misconfigurations.
The attack surface also includes shadow IT, which refers to information technology systems implemented by departments outside of the central IT department to circumvent the limitations and restrictions set by the central information systems.
Why is EASM Important?
EASM is critical for several reasons:
1. Technology consolidation
EASM promotes a unified security strategy, enabling organizations to consolidate their ever growing digital assets and stack of technologies and enhance the overall management of external cyber risk.
2. Reducing Attack Surface
Through continuous monitoring and assessment, EASM assists organizations in reducing their attack surface by proactively managing and securing external assets.
3. Proactive Risk Management:
EASM allows organisations to identify vulnerabilities before they are exploited. By continuously monitoring the attack surface, organisations can address security gaps promptly, reducing the likelihood of a successful attack.
4. Real-Time Visibility:
Cyber threats are constantly evolving, and new vulnerabilities emerge regularly. EASM provides real-time visibility into an organisation’s external assets, ensuring that security teams are always aware of the current state of the attack surface.
5. Regulatory Compliance:
Many industries are subject to strict regulatory requirements regarding data protection and cybersecurity. EASM helps organisations maintain compliance by ensuring that all external assets are properly secured.
6. Cost Efficiency:
Preventing a cyberattack is often far less expensive than dealing with the aftermath of a breach. EASM enables organisations to allocate resources more efficiently by prioritising the most critical vulnerabilities.
How is EASM Different from Security Ratings?
While both EASM and security ratings play a role in assessing an organisation’s cybersecurity posture, they serve different purposes and offer distinct benefits:
1. Scope of Analysis:
Security ratings are typically based on a broad assessment of an organisation’s overall security practices, often using data from public sources. EASM, on the other hand, focuses specifically on the external attack surface, providing a more detailed and targeted analysis of potential vulnerabilities.
2. Continuous Monitoring:
EASM involves continuous monitoring of external assets, offering real-time insights into the attack surface. Security ratings are often static, providing a snapshot of an organisation’s security posture at a specific point in time.
3. Actionable Insights:
EASM provides actionable insights that organisations can use to address specific vulnerabilities. Security ratings are more generalised and may not offer the same level of detail needed to implement targeted security measures.
4. Perspective:
EASM approaches cybersecurity from the attacker’s perspective, identifying entry points and weaknesses that could be exploited. Security ratings focus on the organisation’s overall security practices and controls.
What Does the Future Hold?
As cyber threats continue to evolve, the importance of EASM will only grow. Organisations are increasingly adopting digital transformation strategies, expanding their digital footprints, and moving more services to the cloud. This expansion introduces new vulnerabilities, making EASM an essential component of any comprehensive cybersecurity strategy.
In the future, we can expect EASM tools and technologies to become more sophisticated, incorporating advanced AI and machine learning algorithms to identify and mitigate risks more effectively. The integration of EASM with other cybersecurity solutions, such as Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR), will provide organisations with a more holistic approach to managing their security posture.
How Can CTM360 HackerView Help?
CTM360’s HackerView is an innovative External Attack Surface Management (EASM) platform designed to give organisations a comprehensive understanding of their digital presence from an attacker’s perspective. By combining automated asset discovery, issue identification, remediation guidelines, security ratings, and third-party risk management, HackerView empowers businesses to proactively defend against potential cyber threats.
Here’s how CTM360 HackerView can significantly enhance your organisation's cybersecurity strategy:
1. Continuous & Automated Digital Asset Discovery
One of the most critical aspects of EASM is the ability to identify and map all external-facing digital assets. HackerView excels in this area by automatically discovering and mapping your organisation’s digital footprint. Operating in a passive and non-intrusive manner, it leverages data available in the public domain to uncover assets that may otherwise be overlooked.
The platform comes pre-populated, ensuring that from the moment you start using it, you have a comprehensive view of your digital assets. This includes websites, IP addresses, cloud services, and more. Automated discovery ensures that no asset is left unmonitored, reducing the risk of shadow IT and other unsecured entry points.
One of the key advantages of HackerView is how often it continuously discovers, updates, and refreshes all assets belonging to the organisation. The platform automatically updates its inventory of digital assets every 24-48 hours, ensuring that your security team has access to the most current and complete information about your attack surface.
2. Comprehensive Digital Risk Scorecard
HackerView provides a detailed digital risk scorecard that assesses your organisation’s visible cyber vulnerabilities. This scorecard is essential for understanding your current security posture and identifying areas that require immediate attention. The scorecard is updated continuously, allowing you to track improvements or new risks as they emerge.
3. Detailed Inventory of Digital Assets
Understanding what you have is the first step toward protecting it. HackerView provides a detailed inventory of your digital assets, allowing you to keep track of all external-facing resources. This inventory is continually updated as new assets are discovered or changes are made, ensuring that your records are always accurate and up-to-6.
4. Remediation Plans & Ongoing Guidance
Identifying vulnerabilities is only half the battle; addressing them effectively is the key to maintaining a robust security posture. HackerView not only identifies issues but also provides detailed remediation plans and ongoing guidance. These plans are tailored to your specific vulnerabilities, offering step-by-step instructions on how to address each issue.
5. Third-Party Risk Monitoring
In today’s interconnected world, organisations rely heavily on third-party vendors and partners. However, these relationships can introduce additional risks if not properly managed. HackerView’s third-party risk monitoring feature allows you to assess the security posture of your vendors, partners, and other third parties with whom you share data or systems.
6. Pre-built and Custom Portfolios
The platform allows you to access pre-built portfolios that include entities from important industry sectors within your geographic region. This allows you to benchmark your organisation's cybersecurity posture against your peers, gaining valuable insights into how you measure up. Additionally, you can create custom portfolios of your key vendors and third-party providers, continuously tracking their security health and potential vulnerabilities.
In conclusion, as organisations continue to navigate the complexities of the digital landscape, EASM will remain a vital component of cybersecurity. By leveraging advanced tools like CTM360 HackerView, businesses can protect their digital assets, stay ahead of potential threats and ensure the security of their operations.
Fraudulent Immigration Scam
Global Fraudulent Scheme Targeting National Immigration Services
Overview
CTM360 has identified a fraudulent scheme involving fake websites targeting National Immigration services globally. The deceiving campaign extends to Electronic Travel Authorization, Evisa, and Electronic Custom Declaration processes. These scams have increased dramatically as more things shifted online and require less paperwork. Scammers take advantage of this by making fake websites. People need to be aware of this and be careful not to get tricked.
These fake websites usually use a basic web design and are hosted on well-known hosting services to look real. Additionally, these fake websites put up disclaimers in fine print stating to be private companies and have no affiliation with any government entities. By doing this, it makes it challenging for the Hosting Providers and Domain Registrars to take action on them.
CTM360 Observations
Based on our analysis of the suspicious infrastructure, we believe these fake websites are part of a broader scam campaign targeting multiple immigration services at the same time. Some of the top countries being targeted include Singapore, South Korea, the Philippines, and Turkey. We expect this scam to also occur in other countries in the near future.
The scam initiates with scammers paying for fake ads on search engines, so they show up at the top of search results. They manipulate the search engine algorithms to get their fake sites noticed more easily. This technique makes it more likely for people to accidentally find these fake websites. The ads are constructed in a way that makes the fake sites seem real, so people might trust them without realizing they're being tricked.
When clicking on the fake ad, users will be redirected to a fake website. On the fake website, they will be prompted to initiate the online visa application process. The process found on the fake website is crafted closely to mimic the procedures found on the official website.
After entering the card details, users will be consistently displayed with error messages falsely claiming payment failures. In reality, the sensitive carding information has already been captured and submitted to the server controlled by the scammers.
Moreover, numerous countries have issued official warnings advising against such fake websites. Please refer to the following sources for more information:
- https://www.cgisf.gov.in/page/important-advisory-on-fake-indian-e-visa-websites/
- https://ircc.canada.ca/english/helpcentre/answer.asp?qnum=1233&top=16
- https://www.perthnow.com.au/news/bali/bali-scam-warning-for-aussie-travellers-to-watch-out-for-fake-websites-providing-counterfeit-visas-c-10513578
- https://www.kenyaembassyaddis.org/2021/06/fraudulent-visa-application-websites/
Recommendations
How to avoid becoming a victim of such scams
For individuals:
- Be very cautious about the sponsored ads specifically about government services.
- When applying for any travel-related services, only use the official website provided by the immigration authorities of the country you're visiting. This may require some research by individuals to ensure they have reached the genuine website.
- Be cautious about clicking on suspicious web URLs, even if they seem to come from people you know.
For Government agencies, ISPs and Domain Registrars:
- Government service providers should publish a list of authorized agents on their websites. This will enable end-users to verify the right provider. Furthermore, it will also provide evidence for the Domain registrar to take prompt action.
- Government agencies are advised to regularly monitor such fake websites that do not have any authorization from the government and update the list of these fake websites on their official portal.
- Government agencies should actively engage with security vendors to identify and take down these fake websites and fake ads.
- There should be national procedures for Local ISPs and National CERTs to block such websites once notified by the right authorities.
Cyber Advisory: Credit/Debit Card Theft via Phishing Campaign Impersonating Known Brands
CTM360 has noticed a surge in phishing websites targeting both local and global brands in the GCC. Scammers are employing a common website design to create phishing pages that imitate the products and logos of these established brands.
OVERVIEW
These phishing campaigns result in significant financial losses and the compromise of personal data for the customers of these brands.
Some well-known brands like Tea Time, Hardees, Jasmis, Caribou, and others are being targeted in this campaign. Because these brands are popular in the GCC and have lots of customers, scammers are going after them. CTM360’s WebHunt platform is actively tracking such phishing campaigns; 100+ phishing sites targeting different brands have been identified as part of this campaign.
CTM360’s observation of the trend
- Mode of Delivery: Fake ads via social media platform
- Scammers have created fake accounts on Facebook and Instagram, which they leverage to promote fake ads with attractive offers from targeted brands. These ads ultimately direct users to phishing sites.
- Scammers then take advantage of users' trust by making these phishing sites on domain names that are related to GCC countries and using the .shop TLD. For instance, they might mix the name of a GCC country with a well-known brand they're copying, like "jasmis-bh- mega-offers[.]shop" or "hardees-kuwait[.]shop". These tricky website addresses are designed to fool users into thinking they're on real websites.
- Brands targeted: The phishing campaign targets major fast food and coffee shops in GCC countries. Scammers create website pages that closely resemble authentic websites, making them appear genuine to unsuspecting individuals. Scammers use a similar phishing layout/template to target various brands.
- Scammers also advertise these websites using flashy promotions, such as "happy hour" images, offering big discounts like 50% off everything and free delivery on orders. This strategy is meant to make users feel like they need to act quickly and tempt them into buying from the fake site.
- Motive: Harvesting Debit/Credit Card Information
- Once the victim has completed adding products to their cart, they are redirected to the payment page, which serves as the motive of the scammer. At this stage, the user is prompted to enter their debit/credit card information to obtain the victim's funds.
Recommendations
How to avoid becoming a victim of such Phishing campaigns:
For individuals:
- Don't click on suspicious URLs, even if they appear from people you know.
- Always verify the official website's appearance and pay attention to the domain name
- and website’s interface.
- Avoid any suspicious resources that ask for personal or payment information.
For businesses:
- Regularly monitor references to your brand in domain name and phishing website databases, which can be accessed by companies that provide brand protection and anti- fraud services.
- Quickly identify and eliminate networks of fraudulent websites that use your brand
Baiting Facebook Groups
CTM360 discovered an ongoing fraudulent activity on Meta's social media platform, ‘Facebook’.
Threat Overview
While conducting fraud hunting exercises, CTM360 discovered an ongoing fraudulent activity on Meta's social media platform, ‘Facebook’. This particular scam involves scammers using Facebook public groups to disseminate fraudulent schemes. These groups are created solely to bait victims. By leveraging these groups, the scammers can reach a large audience that shares common interests or belongs to specific regions. Unfortunately, this fraudulent activity has resulted in financial losses for many unsuspecting individuals.
Fraud Methodology
The scammers begin by either scouting Facebook groups OR creating new groups that serve the scammer's goal, aiming to identify the target audience. This is likely done through various criteria such as:
- Page Topic: the main drive and title that define the overall niche.
- User Interests: the general interest and posts shared in the group by the members.
- Targeted Region: the location where the scammer wants to target the users.
- Scammers are carrying their scams through Facebook and specifically through Facebook groups to abuse its private nature with the ability to mask the profile’s name causing a noticeable rise in fraudulent activities advertised with untraceable users - through the "Anonymous Participant" feature in Facebook Groups.
- Within the suspicious posts, scammers are claiming to provide bogus services like:
- Fraudulent Payment Installments
- Loans or loan restructuring
- Issuance of Credit Cards with high limits
- Fake Job Posting
- Stolen Gift cards
Why Should Organizations Be Concerned?
To reflect legitimacy of the fraudulent promotional post the scammers abuse genuine company name or genuine product brands.
Scammers adopt various tactics, such as presenting themselves as authentic sellers offering enticing deals on products. So they are “impersonating” your organization, brand or identity of your executive management.
Their goal is not to deliver the promised items at all or to provide counterfeit goods. Hence they impersonate well-known brands, celebrities, or even users' friends within these groups, leveraging these false identities to deceive individuals into disclosing sensitive information or making monetary transactions.
One variation of the scam posts claims to host free giveaways or contests. These seemingly attractive offers often serve as a guise to harvest personal information or involve users in deceptive activities. The other scam cases range from inquiries about installment options, salary transfers, credit card applications, loans, and job opportunities to scams like Advance-Fee Fraud.
The unauthorized use of an organization's brand name in posts within such Facebook groups poses a significant concern. At minimum it has implications on reputation, furthermore your customers could suffer financial losses or compromise their personal information, leading to broader implications for both the organization and the affected individuals.
Threat Impacts
The fraudulent posts published in these groups can have various threat impacts on the users such as:
- Financial Loss: These posts often involve fraudulent loan offers that target individuals who are in need of financial assistance. Scammers may request upfront fees or personal information, promising a loan that never materializes.
- Expose Personal Information: When users share personal and financial information in response to fake offers in Facebook groups, there is a risk that this information may be shared or sold to third parties without their consent.
- Phishing Attack: Some loan scams may involve indirect phishing attempts, where scammers might trick individuals into providing their login credentials or other sensitive information through fake loan application forms or websites.
Recommendations
For Businesses:
- Spread Awareness: Conduct awareness campaigns on official social media to educate customers about such scams.
- Active Monitoring & Takedowns of Baiting Facebook Groups: Such baiting groups should be actively monitored and any infringement identified related to your brand should be reported to vendors for further actions such as Takedown.
For Individuals:
- Be cautious with personal information: Avoid sharing personal information in Facebook groups, especially if the posts seem suspicious or potentially fraudulent. Protect your identity and be wary of any requests for sensitive information.
- Don't Pay Upfront Fees: Legitimate lenders typically deduct fees from the loan amount or include them in the repayment plan. Be cautious of these scammers who request upfront fees before providing the loan. This is a common red flag for scams.
A browser-in-the-browser (BitB) attack - Cyber Advisory
A Browser-in-the-Browser (BitB) attack is a sophisticated cyber threat involving injecting malicious code into a victim's web browser.
Threat Overview:
This code creates a secondary browser within the victim's existing browser, allowing the attacker to manipulate web content, intercept network requests, and potentially gain control over the victim's browser and system. Understanding the BitB attack is crucial for organizations to develop effective mitigation strategies.
Once the website is opened, it appears as shown above (this will be the first step).
After enforcing the Full-screen display mode, only the inner browser will appear with the customized URL by the attacker.
Real-Case Scenarios of BitB Attacks:
CTM360 recently observed ongoing attack campaigns utilizing the BitB technique targeting ministries and government websites, specifically the interior ministries.
In the previously mentioned scenario, the official website of MOI Singapore remains unaffected and secure. However, the threat actor is carrying out a phishing attack by creating a fake website. Within this fraudulent site, instead of using traditional phishing methods, such as fake forms or malicious content, the attacker employs a fake browser interface within the phishing site, which appears to be the genuine site for MOI. When the victim accesses the site, they are presented with a full-screen display mode of this embedded browser, which tricks them into submitting their sensitive information.
Attack Methodology
To execute a Browser-in-the-Browser (BitB) attack, the attacker employs tactics to lure the user into visiting a malicious or compromised website. This website contains a phishing page hosted on the attacker's server. The phishing page utilizes JavaScript code to create a simulated browser window, simulating the appearance and behavior of a legitimate browser window. Within this simulated window, various types of fraudulent activities can be displayed.
Moreover, the simulated window displays a URL of the attacker's choice, such as https://accounts.google.com or https://login.microsoftonline.com. This is achieved by modifying the simulated address bar of the pop-up window using JavaScript. It may appear to the user that the specified URL is loaded within the pop-up window, but in reality, it is only shown as an image or text. The user may not notice the absence of SSL certificates or other security indicators typically present in a genuine browser window due to the full-screen display mode, which blocks the appearance of the main website’s URL due to the full-screen display model.
If the user falls victim to the BitB attack and enters their login credentials into the fake login form, the information is sent to the attacker's server via an AJAX request or a concealed form submission. Subsequently, the attacker gains access to the user's account on the legitimate service or proceeds with additional malicious activities such as identity theft or account takeover.
Potential Threats
Browser-in-the-Browser (BitB) attacks pose several potential threats and risks to victims. Here are some of the common threats associated with BitB attacks:
- Data Theft: Attackers can exploit BitB attacks to steal sensitive information, such as login credentials, financial details, personal data, or intellectual property. This stolen data can be used for identity theft, financial fraud, or sold on the dark web.
- Account Takeover: By manipulating the victim's browser and intercepting login credentials, BitB attacks can lead to unauthorized access to the victim's online accounts. Attackers may gain control over email accounts, social media profiles, online banking, or other services, enabling them to impersonate the victim or perform malicious activities.
- Malware Distribution: BitB attacks can be used as a vector to distribute malware onto the victim's system. The secondary browser created by the attacker can be used to download and execute malicious software, potentially leading to further compromise of the victim's device and sensitive data.
- Phishing and Social Engineering: Attackers can utilize BitB attacks to create convincing phishing scenarios. By simulating legitimate websites or services, they trick users into entering their login credentials or other sensitive information, which the attacker then captures and exploits.
Mitigation
The BitB attack is a tricky and risky phishing technique that can trick even careful users and bypass typical security measures. However, there are steps you can take to protect yourself from this attack:
- Be cautious of full-screen prompts: Exercise caution if a website unexpectedly opens a full-screen prompt or overlay. Take a moment to assess the situation and ensure that you are interacting with a legitimate website before entering any sensitive information.
- Be vigilant about website URLs: Pay close attention to the URL before entering any sensitive information. Check for any discrepancies or variations in the domain name or spelling that may indicate a phishing site.
- Pay attention to the details of the pop-up window, such as the size, position, appearance, and behavior of the elements. If something looks off or unusual, you should close the window and report it.
- Use a security-focused browser extension that can detect and block such phishing attempts automatically.
- Keep your browser up to date with the latest security patches and update whenever prompted by your browser.
- Make sure you have 2FA enabled for all of your critical services.
CTM360 is actively monitoring this phishing campaign and taking the necessary action by disrupting the attack and suspending the malicious site/domain. If you encounter any of such malicious sites, please report it to business@ctm360.com.
References
Social Media Account Takeover Fraud
CTM360 has recently observed a spike in the compromise of genuine social media accounts impacting organizations and individuals. The compromise sees the original account holder losing control of their account, and then followers targeted in each successive breach..
These attacks are not seen to be isolated incidents and are part of a campaign that operates based on a network ripple effect. The threat actor targets each compromised account’s followers through social engineering, offering bitcoin or financial investment opportunities. Victims typically treat these posts as genuine as messages originate from within the account holder’s trusted network. Scammers take over your social media account to:
● Pretend to be you and trick the people who follow you.
● Share posts on the account saying they made a lot of money by investing a certain amount.
● Convince the account's followers to share their personal information.
● Lure them with high monetary returns and make them join fake trading platforms that require initial investment.
● Trick the victims into giving away SMS OTP codes sent to their phones, eventually letting the scammers hack the accounts.
● Upon gaining control, the scammer changes all details, including passwords, mobile numbers, and corresponding details.
Commonly known as Social Media Account Takeover Fraud, the evolution of this attack is that it continues to move from account to account, allowing the scammer a window of opportunity to target all followers. This advisory is designed to give you important advice and details on keeping your social media accounts safe and preventing your online connections from becoming targets of these scams. Account takeover fraud isn't restricted to just social media platforms; it can also apply to email accounts, online banking accounts, online shopping accounts, and more. Whilst CTM360 has historically facilitated the process of recovering compromised Instagram accounts for victims with considerable success, there have been policy changes wherein the platforms are increasingly entertaining only direct requests from the original account holder. Recovery for such accounts is challenging for the end-user due to changes in the policies of the social media platforms impacted, notably Instagram and Facebook.
How do scammers take over your social media accounts?
1. Phishing attacks: Through deceptive emails, texts, or calls, they impersonate reputable companies to trick you into divulging sensitive information or visiting phishing sites.
2. Malware Infostealers: Hackers infect your device with software that records your input and sends it to them.
3. Credential stuffing: Scammers use software bots for brute-force attacks on passwords, often evading website security measures.
Recommendations:
- Enabling Two-Factor Authentication (2FA) on all your social media accounts is the best way to minimize risk. Ensure the second factor is linked to your active mobile number, or use an authenticator app with securely stored backup codes.
- For organizations that engage third parties, such as marketing agencies and PR firms, there is elevated risk, and it is recommended to ensure the following: a. Ensure 2FA is a mandatory requirement and emphasize the criticality across all engaged subcontractors. b. Actively audit access of all third-party contractors and ensure a need-basis level of minimum access. Granting administrator privileges is actively discouraged and should reside with an internal stakeholder. c. Do not allow personal accounts of the employees of third parties to be used for handling your organization’s account.
- Exercise caution when it comes to clicking on links shared in messages, even if they appear to be from trusted friends. Be vigilant about potential phishing attempts.
- If 2FA is enabled, do not share One-Time Password (OTP) codes with anyone, including friends and family, unless you are certain it's for a legitimate and known purpose.
- Understand the risks associated with oversharing personal information online. Be mindful of the data you disclose, as malicious actors can exploit it. Protect your privacy by sharing only what's necessary.
Card Loading Schemes on Social Media
We have recently observed various groups on social media platforms where individuals are engaging in the act of “Credit or Debit card loading”, “Bank loading” or “Gift-card loading” etc.
These practices involve inviting individuals to deposit/receive funds through different payment service providers and banking channels. In exchange for their deposits, participants are promised attractive returns or opportunities.
Various individuals were also observed on social media sharing and inquiring about card loading based on BIN numbers referring to loading funds on cards or digital cards based on specific BIN numbers. An example of such posts can be seen in the screenshots below. Since specific BIN ranges are allocated for prepaid or digital cards, these BIN ranges are targeted for loading purposes.
"Loaders" and "Receivers" are terms used to describe the roles of individuals involved in a particular type of scheme. These roles are often associated with money laundering and illegal transfer of funds. Here's what each term means:
Loader: A loader is an individual or group responsible for loading funds onto cards or other payment instruments using various means, including stolen credit card information, compromised bank accounts, or illicitly obtained funds. They may use techniques like credit card bust-out scams or unauthorized transfers to load money onto cards.
Receiver: A receiver is an individual or group who receives the loaded funds, typically through cards, and is responsible for converting or transferring the funds to the fraudsters or the next stage in the money laundering process. The receiver may receive loaded cards, withdraw cash from ATMs, or use the cards to launder the money for purchases.
Risks involved in such Loading / Receiving schemes:
Once the target BINs are identified, funds are transferred or loaded onto the cards or accounts associated with those BINs. Depending on the card's capabilities, the cards or accounts with loaded funds can then be used for various purposes, such as making purchases, online transactions, or ATM withdrawals. Such practices can potentially be abused for fraudulent purposes leading to the following:
Credit Card Bust-Out Scams: In a bust-out scam, fraudsters obtain credit cards using stolen identities or fake information. They load these cards with funds, either through illicit means or by taking advantage of introductory offers with low or zero interest rates. Once the cards are loaded, they quickly max out the credit limit and disappear without making any payments. This leaves the legitimate cardholder or the card issuer responsible for the debt.
Money Laundering: Criminals may use credit card loading to launder money obtained through illegal activities. They load illicitly gained funds onto cards and then use those cards for legitimate purchases or withdrawals, making it difficult for law enforcement to trace the origin of the money.
Money Mule Accounts: Illegally obtained card details or hacked accounts may be exploited to transfer funds to a mule account controlled by fraudsters swiftly. Subsequently, the funds are instantaneously dispersed to various colluding recipients, who, in turn, forward the money or convert it to cash, thereby complicating the money trail and evading detection by anti-money laundering (AML) systems.
Various loading/receiving schemes that we have observed are as follows:
- Bank account Loading
- Credit or Debit Card Loading
- Crypto Loading
- Gift card or prepaid card Loading
- Paypal / Sendwave Loading
It's important to note that credit/debit card loading itself is not inherently fraudulent. Many legitimate uses exist, such as loading funds onto cards for personal budgeting or gifting purposes. However, it is crucial for individuals and financial institutions to be vigilant about potential abuse and to implement security measures to prevent fraudulent activities.
Recommendations:
To protect financial institutions and customers from fraudulent activities involving loaders and receivers, here are some recommendations they can implement:
- Raise awareness by issuing notices on official channels to the customers to avoid such card-loading practices.
- Educate customers about the risks of loading/receiving funds from unknown sources or through suspicious methods. Encourage them to report any unauthorized or suspicious transactions promptly.
- Strengthen identity verification processes when opening new accounts, issuing prepaid cards, or processing transactions. This includes using multi-factor authentication and conducting thorough background checks on customers to detect potential fraudulent actors.
A Closer Look at Gaming Ads Misusing Bank Logos
Recently, CTM360 has observed a surge in fake ads misusing the logos of prominent Banks in the Middle East. These deceptive ads have found their way onto popular social media platforms, including Facebook and Instagram, where they promote gaming mobile applications.
The deceptive nature of these fraudulent ads lies in their use of authentic bank logos, enticing unsuspecting users with the promise of substantial winnings. Such misleading tactics create a false perception, leading users to believe that these reputable financial institutions are somehow affiliated with the promoted gaming apps.
Upon further investigation, it appears that the advertised gaming apps are linked to gambling activities. While these apps present themselves as kid-friendly and suitable for all audiences on the App stores, users who installed these apps were subsequently redirected to casino or betting websites.
CTM360 has detected more than 140+ fake ads on Facebook and Instagram targeting users in the Middle East in the last week. These fake ads redirect users to five distinct mobile applications centered around casino and betting games (refer to Appendix for details). Notably, four of these applications have secured listings on the Apple App Store, while the fifth is available for download on Google Play.
Once the user clicks on the given link, they will be redirected to the app store. The primary target of these fake ads primarily comprises IOS users, therefore Android and Windows users will be redirected to an irrelevant website if they click the given link.
This campaign of fraudulent ads has significantly boosted the download rates of these apps, resulting in their ascent to prominent rankings within the ‘casino’ category on the Apple App Store. Below we have listed the app’s ranking based on countries on the Apple App Store at the time of making this report.
Recommendations
CTM360 has successfully taken down 60+ fake ads from Facebook and Instagram targeting the brand names of Middle East Banks. Additionally below are remediation steps that can be taken to stop the overwhelming amount of fraudulent ads and unregulated gambling apps:
- Run a social media campaign to alert customers about such fake apps and ads.
- Unlicensed and unregulated casino/betting apps should be banned from the Application stores in the country to prevent the general public from falling victim to such apps.
Appendix
List of casino and betting game apps found on official stores.
Quishing / QR code Phishing
CTM360 has observed a recent scam tactic involving phishing emails that use QR codes. This scam represents a prevalent phishing variant where individuals scanning the QR code are directed to a fake login page that closely mimics a legitimate email service.
What is QR Code Phishing?
QR code phishing involves the malicious use of Quick Response (QR) codes to redirect unsuspecting users to fraudulent websites, capture sensitive information, or install malware on their devices. QR codes, which are commonly used for convenient access to various digital content, can be manipulated by cybercriminals to mislead and exploit victims.
Types of QR Code Phishing:
- Malicious QR Codes: Attackers can generate and place their QR codes in public spaces or on fake promotional materials. These QR codes may lead to fake websites that mimic legitimate ones, designed to steal your personal information.
- Overlay Attacks: Cybercriminals can create a malicious overlay on top of a legitimate QR code, leading users to a fraudulent website or application. This overlay can be placed on physical objects like posters or product packaging.
- Fake App Downloads: Attackers may encourage users to scan a QR code to download a malicious application that mimics a legitimate service. These fake apps can compromise your device and steal sensitive data.
Why do Threat Actors Use QR Code Phishing?
QR codes are particularly effective in these attacks as they can evade standard email security measures, including URL scanners, making it difficult to detect any signs of a suspicious link or attachment in the messages the QR code is pasted in. This allows attackers to bypass email protections and trick unsuspecting victims into providing their login credentials or other sensitive information.
Example of the Attack:
The attacker generates a legitimate QR code by claiming that your email password has expired. They distribute the QR code through different channels, including email, social media, or even physical flyers.
When the victim scans the code using their smartphone or other devices, it redirects them to a malicious website that resembles a genuine site. The website prompts the victim to enter their login credentials, which the attacker can then steal and use for malicious purposes.
Recommendations:
- Always verify the source and authenticity of QR codes before scanning them. Use official company websites or trusted sources to obtain QR codes. Be cautious when scanning codes from unknown or unsolicited sources.
- Raise awareness among employees and individuals about QR code phishing risks. Conduct regular training sessions to educate them on safe QR code practices, including verifying the source and checking URLs.
- Before scanning a QR code, take a moment to inspect the associated URL or website address. Look for unusual or suspicious elements such as misspellings, extra characters, or unfamiliar domains.
- Be extremely cautious when a QR code takes you to a website that asks for your personal information, login credentials, or payment.
- Make sure to enable two-factor authentication to enhance the security of your accounts and protect them from unauthorized access.
Unrestricted Resource Consumption
Introduction
API keys are crucial for controlling and monitoring access to APIs. However, their misconfiguration can lead to severe security issues. Exposing API keys externally and failing to set proper restrictions are the most common misconfigurations. These misconfigurations can result in potential risks such as unauthorized access to sensitive data, illegitimate requests, resource consumption, and significant costs. In this advisory, we will examine these issues and provide guidance on identifying and preventing them, using Google API key as an example.
In the context of Google products, API keys serve as authentication credentials. They are unique alphanumeric strings that associate your Google billing account with your project and grant access to specific APIs or SDKs (Software Development Kits).
Issue
If a Google API key that has no restrictions is made public in a source code, it can be used by bad actors to gain unauthorized access to Google APIs using your or your application's identity.
Impact
The impact of a compromised Google API key:
- A compromised API key can lead to financial loss through unauthorized consumption of resources on your account.
- Attackers can use your API key to access your online services and cause service disruption.
- Unauthorized API usage can cause your application to malfunction, potentially affecting user experience.
- Recovering from a compromised API key can be time-consuming and resource-intensive, potentially disrupting your workflow.
How to Exploit
- Find public Google API key(s) in source code. Most commonly, Google maps integrations have the highest possibility of being exposed.
- Check if the key(s) have permissions or restrictions set to them by using them in API queries (Consult the documentation at https://developers.google.com/maps/documentation for possible API enumerations like routes or directions). If a key is vulnerable, the API should respond with the expected data (i.e.: street directions, addresses, image of location).
- If interested in possible incurred costs, consult the Google maps platform pricing at https://mapsplatform.google.com/pricing/ to calculate the cost of using the APIs that the key(s) allow(s).
How To Resolve
To prevent this from happening, it is important to properly secure and restrict access to your API keys through your management console. This can include limiting access to the keys to allow certain API usage, certain applications, restricting the budget, regularly monitoring API key usage, and revoking any keys that have been compromised or are no longer needed. By taking these steps, you can help ensure the security of your API keys and prevent unauthorized and unintentional costs from being incurred.
https://developers.google.com/maps/api-security-best-practices
Phishing Campaigns Abusing IPFS
IPFS is a decentralized system for storing and accessing files, and it has gained popularity due to its potential to improve the efficiency and security of file sharing. However, like any new technology, it also comes with its own set of risks and challenges.
Due to its decentralized nature, threat actors use IPFS to host fake websites, as the files are stored on multiple nodes, rather than on a central server. This makes it challenging to take down the fake website since no central authority can be contacted to remove the website. Furthermore, IPFS websites can be accessed through a content identifier (CID) (a unique string of letters and numbers) which is a label used to point towards the content in IPFS rather than a traditional URL, which can make it more difficult for victims to recognize a phishing attempt.
When a file is uploaded to IPFS, it is split into smaller parts and distributed across different nodes. Each part has a separate hash, which helps the network identify different parts of the file on different nodes. In order to retrieve the files, the hash is entered into the browser. Once identified, the IPFS requests all the parts of the file through a P2P connection. Even if the file is deleted from one node, it can still be accessible on other nodes. IPFS URLs often follow this format:
hxxps://ipfs[.]io/ipfs/
{46 random character string}#{user email address}hxxps://ipfs[.]io/ipfs/
{46 random character string}?filename={file name}.html &emailtoken={email address}hxxps://ipfs[.]io/ipfs/
{46 random character string}?(filename|key)={random character string}
The content stored within the IPFS network can be accessed using IPFS nodes called ‘gateways’ which act as a bridge between the HTTP protocol used by all the web browsers and the IPFS network. The gateways can be set up by anyone using various publicly available tools. The most popular gateways used are the ipfs.io ,Fleek, Dweb.link. Other publicly available IPFS gateways can be found in Appendix.
Various Phishing cases observed on IPFS
Below are some phishing cases observed using IPFS services:
Sharing IPFS links through emails
Phishing attacks are carried out by attackers using social engineering techniques to lure the victim into clicking a link or file embedded in the email. The email contains an IPFS link or an embedded HTML file that looks like a legitimate site, such as Microsoft or DHL. URL Observed:
hxxps\[:]//ipfs\[.]io/ipfs/bafybeibgsqc62urteqhu2l3bq3mql5j2sceysff6wyf5kgqvl7ixiq3icm/ef\[.]html
HTML File hosted on IPFS
In another case, CTM360 has witnessed threat actors utilizing HTML files in their phishing attacks. The HTML file redirects the victims in turn to the destination URL hosted in the IPFS network for stealing their credentials. Upon opening the file, the user is redirected to a document page asking for login credentials.
URL Observed
hxxps://ipfs\[.]fleek\[.]co/ipfs/QmVpwAbNJ8tQUH9h9qTuvaMy5678E6eHmyetKqdanPTSL/#adminiev
IPFS hosted phishing exploiting Google Translate service
Scammers have also implemented a technique where the Google Translate service is being abused. Google Translate lets you translate entire websites simply by passing it a link and selecting the source and target languages. Therefore, it can pose a fake “good” reputation for the websites due to the abuse of Google's official domain, and hence, getting it fraudcasted on safe browsing is also challenging since it is associated with a genuine Google service. Phishing URL:
hxxps\\[:]//z4db4kcmazkuxame2l2iy42m7yf5b2mysb7lqepzngrhk33a-ipfs-dweb-link\\[.]translate\\[.]goog/ML\\[.]html?victim@victim.com+&\_x_tr_hp=bafybeifjos&\_x_tr_sl=auto&\_x_tr_tl=en-GB&\_x_tr_hl=en-GB
Conclusion
By integrating the idea of decentralized cloud services with IPFS, phishing tactics have advanced significantly. This malicious usage of IPFS is expected to rise further, highlighting the importance of being cautious. Organizations need to provide regular training and awareness programs that will educate employees and their customers on new phishing techniques, how to spot and report different phishing cases. Further, blocking identified phishing URL patterns could also mitigate some risks.
Navigating The Risks Of ChatGPT On Financial Institutions
What is ChatGPT?
ChatGPT, an advanced AI language model created by OpenAI, is gaining popularity and attention for its ability to generate human-like responses to natural language input. Trained on large amounts of data, ChatGPT's context comprehension and relevant response generation have made it a popular choice for businesses seeking to enhance customer experience and operations.
Major technology corporations are making significant investments in Artificial Intelligence (AI). Microsoft, for instance, has declared that it will invest $10 billion in OpenAI and intends to merge ChatGPT into its Azure OpenAI suite. This will allow businesses to include AI assets, including DALL-E, a program that generates images, and Codex, which transforms natural language into code, in their technology infrastructure.
While ChatGPT has several benefits for financial institutions, such as improving customer service and automating certain tasks, it also carries some risks that need to be addressed. Major banks and other institutions in the US have banned the use of ChatGPT within the organization. Concerns over sensitive information being put into the chatbot.
Risks associated with incorporating ChatGPT
Let's delve into the potential risks that are currently being debated regarding the use of ChatGPT:
- Data Exposure: One potential risk of using ChatGPT in the workplace is the inadvertent exposure of sensitive data. For example, employees using ChatGPT to generate data insights and analyze large amounts of financial data could unknowingly reveal confidential information while conversing with the AI model, which could lead to breaches of privacy or security. Another known data exposure case observed is Employees could potentially expose private code if they inadvertently include confidential information in the training data. This could occur if an employee includes code snippets that contain sensitive data or proprietary information, such as API keys or login credentials.
- Misinformation: ChatGPT can generate inaccurate or biased responses based on its programming and training data. Financial professionals should be cautious while using it to avoid spreading misinformation or relying on unreliable advice. ChatGPT’s current version was only trained on data sets available through 2021. In addition, the tool pulls online data that isn’t always accurate.
- Technology Dependency: While ChatGPT offers useful insights for financial decision-making, relying solely on technology may overlook human judgment and intuition. Financial professionals may misunderstand ChatGPT's recommendations or become over-reliant on it. Thus, maintaining a balance between technology and human expertise is crucial.
- Privacy Concerns: ChatGPT gathers a lot of personal data that users, unassumingly, might provide. Most AI models need a lot of data to be trained and improved, similarly, organizations might have to process a massive amount of data to train ChatGPT. This can pose a significant risk to individuals and organizations if the information is exposed or used maliciously.
External Risks associated with ChatGPT
- Social Engineering: Cybercriminals can use ChatGPT to impersonate individuals or organizations and create highly personalized and convincing phishing emails, making it difficult for victims to detect the attack. This can lead to successful phishing attacks and increase the likelihood of individuals falling for the scam.
- Creating malicious scripts and malware: Cybercriminals can train ChatGPT on vast amounts of code to produce undetectable malware strains that can bypass traditional security defenses. By using polymorphic techniques like encryption and obfuscation, this malware can dynamically alter its code and behavior, making it challenging to analyze and identify.
Recommendations:
- Financial institutions should establish clear policies and guidelines for using ChatGPT in the workplace to safeguard confidential information and mitigate the risks of data exposure.
- Anonymized data should be used to train an AI model to protect the privacy of individuals and organizations whose data is being used.
- Specific controls should be applied to how employees use information from ChatGPT in connection with their work.
- Awareness training should be provided to Employees who have access to ChatGPT on the potential risks associated with the use of the technology, including the risks of data exposure, privacy violations, and ethical concerns.
- Restricting access to ChatGPT will limit the potential for data exposure and misuse of the technology.