Phishing Trap for Microsoft Users | Phishing Attacks – Comodo

Reading Time: 4 minutes

Phishing trap for OneDrive users: how to avoid falling prey?

Cybercriminals often use very cunning and inventive tricks to manipulate the victim’s mind in phishing attacks. They aim at eliciting data in such a way that the victim is not aware of it, and for that purpose they use social engineering tricks. Recently Comodo specialists discovered a phishing attack that consists of a rather complicated chain of tricks designed to deceive users and cover the attackers’ tracks so that detecting them is harder. The attack targeted Microsoft OneDrive users. Many of them keep their important documents, logins and passwords there, so it’s a real tidbit for a cybercriminal.

The perpetrators sent out a phishing email that asked users to log in to their OneDrive accounts and contained a link to the OneDrive sign-in page. In reality, the link leads to a phishing website.

If a user clicks on the link, they land on the following page.

[Screenshot: the fake OneDrive sign-in page]

As you can see, it imitates the real OneDrive page. Not only the logo but even the favicon looks like Microsoft’s original. Moreover, the lock icon of a secure connection is present, and it is not faked: the phishing page has a real SSL certificate. The perpetrators used a free certificate from the Let’s Encrypt Certificate Authority, valid from March 31, 2018 to June 29, 2018. Obviously, they expected to finish their attack by that date.

But if you look carefully at the browser address bar, you’ll see that the URL has nothing to do with Microsoft, and neither does the link in the email. Let’s examine them closely.

The link in the email is https://kfz-ross.de/6/doc/docs/share/. But if you click it, you are redirected to a URL modified by the attackers: https://kfz-ross.de/6/doc/docs/share/file.html?websrc=59c275dc2e97dd3b896ed4ff2b82a8fd&dispatched=29&id=1775043298

What is http://kfz-ross.de? Is it the perpetrators’ domain? Let’s check it and see what we can find at this URL.

[Screenshot: the Kfz Service website]

As you can see, it looks like a legitimate website. And it really is: it’s the website of a car service company in Germany. So how does it relate to the phishing attack?

The company information on the website was last updated in 2011. In general, it looks like an out-of-date website without adequate security protection, recklessly abandoned by its owners. Cybercriminals specifically look for such websites to use them as a springboard for covering their malicious activity. It helps them mislead the victims and cover their tracks: when the cybercrime is detected, the police will suspect the website owner first.

But let’s see what happens if a user takes the bait and puts in her credentials.

[Screenshot: the OneDrive bait login error]

Unexpected, right? You get an error message: “Your account password is incorrect. If you don’t remember your password. Please Try Again”. And this time it is not in text form: it’s an image.

It looks weird at first sight, doesn’t it? Why do the perpetrators need this construction?

“There can be a few reasons, and all of them are related to social engineering tricks”, comments Fatih Orhan, the Head of the Comodo Threat Research Labs. “First, it can be done to strengthen the confidence of the users that they are dealing with the legitimate website, because for phishers it’s very important to have users staying unaware that their credentials were stolen. Otherwise, if they suspect something, they can change credentials immediately, so the cybercriminals achieve nothing and the whole attack is in vain.

Second, users often make typos when typing passwords, so the attackers could use this trick to be sure that they got the correct credentials”.

After a user enters the credentials a second time, she is redirected to a Google Drive link with the following .pdf file.

[Screenshot: the PDF file on Google Drive]

Obviously, it does not look like OneDrive, but it doesn’t look like something malicious either. So an inexperienced user will most likely be a bit confused but suspect nothing and just forget about it. Meanwhile, the attackers will steal her data and use it for their criminal purposes.

Is there a way to prevent this type of attack? Sure. The most effective antidote is awareness.

Such phishing attacks exploit a common vulnerability of the human brain: the habit of judging something by a single sign. When a person sees a familiar logo, she usually doesn’t go for a deeper check. That’s exactly what the perpetrators count on. Had she paid attention to the link, she would easily have understood that it has nothing to do with the real Microsoft OneDrive.

So our advice for avoiding such scams and outsmarting the crooks is simple: always check links and pay attention to your browser address bar. Even better, never click on links in emails. Type the address into the browser yourself. That way you can be 100% sure that you get exactly to the website you want.
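One way to automate the “check the link” advice, as an added example that is not part of the original article: the script below takes each URL in the redirect chain quoted above, extracts its host and flags any host that does not belong to the brand the email claims to be from. The list of Microsoft sign-in domains and the two-label domain rule are assumptions.

```python
"""Flag email links whose host does not belong to the brand the email claims to represent."""
from urllib.parse import urlparse

# Assumption (not from the article): registrable domains a genuine OneDrive sign-in may use.
BRAND_DOMAINS = {"microsoft.com", "live.com", "microsoftonline.com", "onedrive.com"}


def registrable_domain(host):
    """Last two labels of the host. A simplification: a real tool should consult the
    public suffix list so that hosts such as example.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def analyse_link(url, brand_domains=BRAND_DOMAINS):
    """Return host, registrable domain and the reasons (if any) the link is suspicious."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    domain = registrable_domain(host) if host else ""
    reasons = []
    if domain not in brand_domains:
        reasons.append(f"host {host!r} is not a domain of the claimed brand")
        if parsed.scheme == "https":
            # The padlock only proves encryption to this host; it says nothing about who runs it.
            reasons.append("https padlock only vouches for the unrelated host, not for the brand")
    return {"host": host, "domain": domain, "suspicious": bool(reasons), "reasons": reasons}


def analyse_chain(urls, brand_domains=BRAND_DOMAINS):
    """Check the link as it appears in the email and every URL it redirects to."""
    steps = [analyse_link(u, brand_domains) for u in urls]
    return {
        "suspicious": any(s["suspicious"] for s in steps),
        "foreign_hosts": sorted({s["host"] for s in steps if s["suspicious"]}),
        "steps": steps,
    }


if __name__ == "__main__":
    # The two URLs quoted in the article: the one in the email and the one it redirects to.
    chain = [
        "https://kfz-ross.de/6/doc/docs/share/",
        "https://kfz-ross.de/6/doc/docs/share/file.html"
        "?websrc=59c275dc2e97dd3b896ed4ff2b82a8fd&dispatched=29&id=1775043298",
    ]
    for step in analyse_chain(chain)["steps"]:
        print(step["host"], "SUSPICIOUS" if step["suspicious"] else "ok")
        for reason in step["reasons"]:
            print("   -", reason)
```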

Live secure with Comodo!

Facebook Distributed Trojan Targets Cryptocurrency

Reading Time: 1 minute

Do you use Facebook Messenger? Do you use Chrome on your desktop? Do you also use Bitcoin and have a wallet? Would you install something that says that it’s a codec in order to watch a video? Then I hope you didn’t get hit by FacexWorm.

FacexWorm was originally discovered in August 2017. A target on Facebook would be prompted to click a link leading to a malicious website, where they were exposed to cryptocurrency scams. Malicious cryptomining code was then injected into webpages, and the target was redirected to the attacker’s cryptocurrency referral program. FacexWorm would go on to hijack cryptocurrency web wallets and trading platforms, replacing the target’s address with the attacker’s. So not only would the target’s CPU and memory get bogged down mining cryptocurrency for someone else, but any cryptocurrency funds the target had could be stolen and transferred to the attacker. It sounds like a very profitable sort of criminal activity.

When FacexWorm, a malicious Chrome extension, was initially discovered, Google did everything they could to get rid of it, including removing it from the Chrome Web Store.

Well, FacexWorm came back with a vengeance. It engages in the same malicious activities, but perhaps with some modifications in its code in order to evade detection.

FacexWorm’s April 2018 Revival

On April 8th, malware researchers discovered a reappearance of FacexWorm. The researchers observed significant FacexWorm activity that day, mainly in Taiwan, South Korea, Spain, Japan, Germany, and Tunisia. If a target follows a malicious link found on Facebook, the target’s Facebook friends also receive the attacker’s message, and a process starts that eventually results in the target’s cryptocurrency wallet being hijacked and possibly money being stolen and sent to the attacker.

How FacexWorm Works

When a target is attacked, it all starts with a message sent by Facebook Messenger. The link in the message directs to a YouTube video. That sounds innocent enough, because Rickrolling is harmless. But instead of being greeted by the captivating 80s blue-eyed soul of Rick Astley, the user is prompted to install a codec in order to watch a different video. All YouTube videos through the web are delivered by HTML5 with the h.264 video codec and WebM these days, so almost all web browsers from the past few years should be able to play any YouTube video without having to install anything extra. Anyway, once the target is prompted to install the fake codec Trojan, they’ll be asked to give the malware permission to change data in the webpage.

Once installed, FacexWorm will start communicating with the cyber attacker’s command and control servers. More malicious code is sent by the command and control servers to the target, and they get redirected to Facebook once again. FacexWorm will try to acquire the target’s Facebook OAuth access token. If that’s successful, the target’s Facebook friends will also receive the same malicious Facebook Messenger message if they are in online or idle status and are using desktop Chrome. If they’re using a different web browser, they’ll get some sort of advertisement instead as they won’t be able to install the FacexWorm Chrome extension.

FacexWorm proceeds to inject malicious JavaScript code that’s acquired from the cyber attacker’s command and control servers, and more malicious code will be injected into as many of the target’s webpages as possible.

These malicious web browser extensions that communicate with command and control servers usually engage in a plethora of harmful activities. Here’s what FacexWorm does.

Some of the JavaScript that the Trojan tries to inject into webpages is a cryptominer based on a Coinhive script but with modifications. 20% of the CPU’s power is used for cryptomining on each thread and the malware will attempt to run four threads. That’s a total of 80% of the CPU’s power for cryptomining! There should be an obvious significant decrease in PC performance, even if the target has an excellent multicore CPU with lots of cache and RAM.

The malware looks for Coinhive, MyMonero, and Google credentials. The first two are cryptocurrency wallet related and may result in stolen money, whereas unauthorized Google account access can further ruin a user’s life by tampering with their Gmail and a wide assortment of other Google services. Any such credentials found are sent to the command and control servers.

If the user opens a tab in Chrome to one of FacexWorm’s 52 targeted cryptocurrency trading platforms, or if the user inputs keywords such as “ethereum” or “blockchain,” the user will be directed to a webpage for a cryptocurrency scam. They’ll be asked to send 0.5 to 10 ether in order to receive 5 to 100 ether in return. Of course, there’s no such thing as free money that way. If it sounds too good to be true, it probably is.

If the user opens a cryptocurrency transaction webpage, FacexWorm tries to acquire their cryptocurrency address, and replace it with the cyber attacker’s address. That way, the user will inadvertently send money to the attacker. The targeted cryptocurrencies include Bitcoin, Bitcoin Gold, Bitcoin Cash, Litecoin, Ripple, Ethereum, Ethereum Classic, Dash, Zcash, and Monero. So the most popular cryptocurrencies are affected.

If the user tries to visit DigitalOcean, Binance, FreeDoge.co.in, FreeBitco.in, or HashFlare, FacexWorm will redirect them to the attacker’s referral link for the website. The attacker receives money for every successful referral.

The Aftermath So Far

Security researchers have only found one hijacked Bitcoin transaction so far, for about $2.49 USD. That’s gotta be a very tiny fraction of a Bitcoin, but maybe there are a lot of hijacked transactions which they haven’t found yet.

The researchers have notified Facebook and Google about the reappearance of FacexWorm. The newer version of FacexWorm has been removed from the Chrome Web Store, and Facebook has banned some domains that are associated with FacexWorm’s malicious activity.

I think FacexWorm is a great example of how new web malware can relaunch several months later after initially being stopped by antivirus vendors, and developers and online services like Facebook and Google. These sorts of cyber attacks keep big tech companies on their toes. But as FacexWorm is a Trojan, more should be done to educate users about avoiding social engineering.

Password Stealer Hides In The Payment File And Hunts For Credentials

Reading Time: 3 minutes

Cybercriminals’ big hunt for users’ credentials is rapidly gaining momentum. Their strategy usually stays the same: get the victim’s attention, use social engineering techniques to make her run a malicious file, and then steal logins and passwords. But the tactics and the malware hackers use change constantly. Let’s consider in detail the freshest example of such an attack, with a new variant of a password stealer recently intercepted by Comodo antimalware tools.

The disguise

[Screenshot: the phishing email]

As you can see, it contains a few social engineering tricks to manipulate the victims. Let’s have a closer look at them.

First, there’s the subject of the message. Rarely would a human being miss information relating to her money. Thus the perpetrators gain the victims’ attention and can be sure that most recipients will read the message.

Next, the cybercriminals named the file “PAYMENT- PDF” to add credibility (in fact, it’s a .ZIP archive, but many non-technical people might not notice that). Then, to imitate authenticity, they add a photo of the “bank telex copy”. A picture is worth a thousand words, so it also raises the chances that a victim will open the file.

Now let’s see what is really hidden inside the “PAYMENT- PDF”.

The malware

As Comodo analysts revealed, “PAYMENT- PDF” is an .html file containing an obfuscated VBScript. If the user runs it, the script downloads and executes a Portable Executable file from hdoc.duckdns.org:1133/PAYMENT.exe.

[Screenshot: contents of the “PAYMENT- PDF” file]
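As an added example (not Comodo’s code and not part of the original article) of the checks a mail gateway could apply to an attachment like “PAYMENT- PDF”: the script below identifies the real content type from the leading bytes rather than the name, opens a zip, and scans script members for VBScript markers and download locations on dynamic DNS hosts or non-standard ports. The sample archive is constructed inline; the dynamic-DNS suffix list and script markers are assumptions.

```python
"""Inspect a mail attachment for the tricks the PAYMENT- PDF sample relies on:
a name that claims PDF, content that is really a zip, and a script inside it."""
import io
import re
import zipfile

MAGIC = {b"%PDF-": "pdf", b"PK\x03\x04": "zip", b"MZ": "exe"}
SCRIPT_EXT = (".html", ".htm", ".hta", ".vbs", ".js", ".wsf")
# Assumption: dynamic DNS providers commonly used for throwaway payload servers.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net")
VBS_MARKERS = (
    re.compile(r"""language\s*=\s*["']?vbscript""", re.I),
    re.compile(r"\bCreateObject\s*\(", re.I),
    re.compile(r"\bExecute\s*\(", re.I),
)
URL_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?::(\d+))?/[^\s\"'<>]*", re.I)


def sniff_type(data):
    """Identify the real content type from the leading bytes, ignoring the file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_script(text):
    """Report VBScript markers and suspicious download locations in a script or HTML file."""
    findings = []
    if any(marker.search(text) for marker in VBS_MARKERS):
        findings.append("contains VBScript")
    for match in URL_RE.finditer(text):
        host, port = match.group(1).lower(), match.group(2)
        if host.endswith(DYNDNS_SUFFIXES):
            findings.append(f"dynamic DNS host {host}")
        if port and port not in ("80", "443"):
            findings.append(f"non-standard port {port} on {host}")
        if match.group(0).lower().endswith(".exe"):
            findings.append(f"references an .exe download from {host}")
    return findings


def inspect_attachment(filename, data):
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    kind = sniff_type(data)
    if "pdf" in filename.lower() and kind != "pdf":
        findings.append(f"name suggests PDF but content is {kind}")
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.infolist():
                if member.filename.lower().endswith(SCRIPT_EXT):
                    findings.append(f"archive member {member.filename} is script content")
                    text = archive.read(member).decode("utf-8", "replace")
                    findings.extend(f"{member.filename}: {f}" for f in inspect_script(text))
    return findings


def build_sample():
    """Constructed stand-in for the attachment: a zip holding an HTML file with a
    VBScript block that only names the payload URL quoted in the article. No live code."""
    html = (
        '<html><body><script language="VBScript">\n'
        "' (constructed) the obfuscated downloader would sit here\n"
        'payload = "http://hdoc.duckdns.org:1133/PAYMENT.exe"\n'
        "</script></body></html>\n"
    )
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("PAYMENT- PDF.html", html)
    return buffer.getvalue()


if __name__ == "__main__":
    for finding in inspect_attachment("PAYMENT- PDF.zip", build_sample()):
        print("-", finding)
```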

And the malware begins to act covertly on the infected machine. First, it ferrets out information about the applications installed on the PC. It chooses the browsers as the first target and tries to extract logins, passwords and other private data from them.

[Screenshot: RegOpenKey calls]

Notably, the malware attacks a large number of browsers: Mozilla Firefox, IceDragon, Safari, K-Meleon, SeaMonkey, Flock, BlackHawk, Chrome, Nichrome, RockMeIt, Spark, Chromium, Titan Browser, Torch, Yandex, Epic, Vivaldi, Chromodo, Superbird, Coowon, Mustang, 360Browser, Citrio, Orbitum, Iridium, Opera, QupZilla and more.

After that, it reads each application’s data files to find all FTP and SSH accounts saved on the system. To be precise, it targets the applications MyFTP, FTPBox, sherrodFTP, FTP Now, Xftp, EasyFTP, SftpNetDrive, AbleFTP, JaSFtp, FTPInfo, LinasFTP, Filezilla, Staff-FTP, ALFTP, WinSCP, FTPGetter, SmartFTP and some more.

Finally, the malware searches for various email clients (FoxMail, Thunderbird, PocoMail, IncrediMail, Outlook, etc.) to extract account information from them.

After collecting all the data, the password stealer sends it to the cybercriminals’ server hta.duckdns.org/excel/fre.php.

[Screenshot: frame summary of the exfiltration traffic]

And that’s the sad finale. Now all the victim’s credentials are in the hands of the attackers, and she doesn’t have a clue about it. Unfortunately, by the time she realizes what has happened, it could already be too late to take rescue actions.

The heat map and details of the attack

As you can see, the cybercriminals conducted the attack from Italy-based IP 80.211.7.236 using email “hnym.hnyemei@gmail.com”. The attack started on April 18, 2018 at 14:28 UTC and ended on April 20, 2018 at 07:23 UTC.

[Image: heat map of the attack]

“In the Comodo Q1 2018 report we pointed out the surge in password stealers, and this case confirms that the trend continues growing. This kind of malware is not too sophisticated in its design, but very dangerous in its consequences,” comments Fatih Orhan, the Head of Comodo Threat Research Labs. “Its sneaky behavior lets the attackers carry out their malevolent activity covertly, so the victims often stay unaware of being hacked until the perpetrators use the stolen credentials.

It’s better to take care of protection in advance, to prevent the malware from breaking into your network or PC, than to be sorry for not doing it later. The one who prepares better wins the battle. That’s just the case here: Comodo technologies protected our clients from the attack and made the cybercriminals go away with empty pockets”.

Live secure with Comodo!

Website Security Checklist of 2018

Reading Time: 2 minutes

Protect Your Website Against Security Threats

Criminals follow money.

Now that money has gone digital, it’s only natural that criminals have shifted their gaze to the online world in search of some easy money.

They are scouring the avenues of the world wide web looking for security loopholes to accomplish their devious motives.

Therefore if you have a website, you need to take security measures to protect it.

So how would you protect your website? What security measures can you take?

For 2018, here are the website security checklist guidelines:

1) Update Your Website Regularly: Websites are apps and apps need updates! Your website is an application that needs to be updated regularly to be secure against threats.

For example, the following elements should always be kept up-to-date:

  • The OS of the server on which your website is hosted
  • The CMS on which your website may have been designed
  • Any third-party app associated with your website

2) Use a Secure Communication Protocol (aka SSL): This is crucial for website security and should be done immediately! The secure communication protocol, https, ensures your website interacts with other sites, users, applications, etc. in a secure way, using SSL encryption, without any data compromise.

3) Test Your Website For Security Vulnerabilities: Any website security checklist would be incomplete without this step, which is also known as penetration testing. Pen testing, for short, is the practice of testing a system or application for security weaknesses that a hacker could exploit. Due to the high complexity of pen testing, you must pay close attention to the next step.

4) Scan Your Website At Regular Intervals: Since the cybersecurity threat landscape keeps changing and pen testing is not a viable option for the majority of us, an effective way of checking your website for threats is to use an online scanner.

5) Web Inspector: One of the most reliable website scanning tools is Comodo Web Inspector. It’s a website scanning tool that comes equipped with impressive security features such as Daily Malware Scanning, Blacklist Monitoring, Immediate Threat Notifications, Trust Seal and 24/7 Phone Support. You can scan your websites comprehensively and expose vulnerabilities before they get exploited.

In 2018, perform your website security check with Web Inspector and keep your website protected from thieving criminals.


How to Choose your Antispam Software

Reading Time: 2 minutes

The days when spam emails were easily spotted and the risks were low are gone. In the current age of cybercrime, spam emails are becoming extremely difficult to manage, and it has been quite challenging to drive away the notorious, sophisticated spam emails that are increasingly aggressive. Because of this, it is critical to choose the right antispam solution for your organization. Antispam software is deployed to remove unwanted spam emails and is easy to use.

Possible threatening impacts of spam email

Spam comes in different forms – including phishing attacks, as well as other malware types.

Malware – Threats that intend to install malicious software on the user’s system through genuine-looking emails. The reasons may differ: the attacker may want to access personal information, or to encrypt the users’ files so they cannot access their data until they pay the demanded ransom. The malicious code is concealed in a genuine-looking email with attractive offers and captions that convince users to click the link or download the attachment; this either directs you to a malicious website or lets the hacker install malicious software to get the work done.

Phishing – The main objective of a phishing attack is to extract personal, sensitive data, including the most sensitive financial information. The attacker impersonates a well-known organization, like a prestigious bank, and asks the user to update personal details. This results in the user revealing their information, which creates high risk.

What can a user expect from a good anti-spam software?

Key factors to consider while choosing the anti-spam software

  1. Easy to use
  2. Innovative Advanced Threat Protection
  3. How scalable it is
  4. Flexible Usage
  5. Possibility of the software’s latest updates
  6. Effectiveness to protect against zero-day threats
  7. Robust System

There are many antispam providers who accommodate all of the above-mentioned factors. However, Comodo Cybersecurity’s Antispam can provide you with all of the above and more.

Why is Comodo Cybersecurity’s Anti-spam software the best option?

It comes with a large array of benefits – it’s easy to install, simple and flexible to navigate, as well as extremely user-friendly.

Comodo Dome Antispam offers a comprehensive set of features:

[Image: Comodo Dome Antispam feature list]

Considering all of the above features and benefits, Comodo Cybersecurity’s Antispam can eliminate the burden of spam emails while also providing you with advanced security to protect your business from all types of threats, known and unknown.

If you would like to learn more about Comodo Cybersecurity’s Antispam, visit https://cdome.comodo.com/antispam.php?track=9764&af=9764



Here’s What I Learned at RSAC 2018

Reading Time: 4 minutes

The RSA Conference is one of the biggest events in the world of cybersecurity. I wasn’t there this year, but most of my colleagues were. They weren’t replying to my emails while RSAC 2018 was happening, but I can certainly understand why. A lot of the most important people and companies in information security share very useful information during the event. Thankfully, I got to find out a bit about what happened during the event, thank goodness for the internet. Some of the things I learned were rather surprising!

RSA Conference App Vulnerability

First of all, there was a breach in RSA’s conference app. No, this wasn’t some sort of demonstration. It was a genuine and embarrassing mistake on RSA’s part. Imagine if a conference of Cordon Bleu chefs served pre-frozen microwave dinners. Or if a conference on building fire regulations took place in a venue with blocked fire exits. Or if we discovered that the editor of MacWorld used a Windows 10 PC and a Samsung Android device exclusively. (That’s almost certainly not true.) I could go on.

Twitter user svblxyz noticed the huge vulnerability and announced their discovery on the platform.

Through the RSA Conference Mobile App, users could find URLs that allowed easy access to sensitive data. Some of that data included app users’ real names. RSA then confirmed the vulnerability officially.

“Our initial investigation shows that 114 first and last names of RSA Conference Mobile App users were improperly accessed. No other personal information was accessed, and we have every indication that the incident has been contained. We continue to take the matter seriously and monitor the situation.”

First and last names aren’t the most sensitive type of data that a user can have. Everyone who has heard about me on the internet knows mine. Nonetheless, these sorts of mistakes can lead to much more sensitive data being leaked, such as credit card and bank account numbers, usernames and passwords, and government ID numbers. Let’s hope that the RSA’s own app development team has learned from this mistake.

Forget Buzzwords, Think Risk Management

In my job writing about cybersecurity, I get exposed to buzzwords about my area of expertise. I also get exposed to so many general Silicon Valley buzzwords that they disrupt the innovation potential of the metaphorical gig economy of the CPU in my skull, my brain. Netwrix’s Marc Potter warned that buzzwords are a distraction from what we should really be focusing on, risk management. He mentioned these buzzwords in particular:
 

  • Social engineering
  • Crime-as-a-service
  • State-sponsored attacks
  • APT
  • Denial of service
  • Insider threat
  • Ransomware

“What has actually happened is vendors are so intent on matching solutions to buzzwords that the solution is often becoming the problem. What then happens is new companies are then launched to fix the problems that the last set of solutions caused,” said Marc Potter. “There is no silver bullet and vendors are trying to do everything and be everything for everyone. They search for taglines to match solutions to buzzwords.”

I presume a focus on risk management is a return to the basics. Matters like ransomware and insider threats are huge and growing problems. But yeah, maybe focusing security hardening and incident response efforts on each of the very numerous specific cybersecurity threats may be a waste of time.

GDPR-mania

GDPR is a new set of data security regulations in the European Union which will take effect on May 25th. Most international internet service companies are affected by it, and their European datacenters must comply. Pretty much everyone who uses the internet worldwide is affected by GDPR in some way because we all have data on European servers. It seems to be the biggest thing in corporate cybersecurity, like The Beatles to popular music.

RSAC board member Dmitri Alperovitch discussed the overwhelming challenge of GDPR compliance.

“(GDPR makes companies have to) think long and hard about whether they need to store this data. That is a very, very good thing.”

But apparently, only about 25% of affected companies have prepared for GDPR compliance. Ouch!

RSAC board member Todd Inskeep doesn’t think that organizations are ready for cyber attacks on data in general.

“Companies aren’t fully ready (for future data attacks),” he said. “Our adversaries have been much more focused on information, either using it for propaganda or manipulating information. This country is behind in thinking about it—not just to defend ourselves but also in leveraging it ourselves. Companies need to think more creatively about how to fend off nefarious actors but also to use intelligence proactively.”

Could thinking more creatively about data security and GDPR compliance involve blockchain somehow? RSAC board member Benjamin Jun thinks so.

“What (blockchain has) showed us that there were ways to let people work together who had no existing reason to trust each other. Through these systems, we could build enough consensus and enough trust to exchange money, to exchange contracts. Most of the stuff we see right now deals with using these technologies in a very transaction oriented way… These are just the beginnings of how things are going to change.”

Silicon Valley Versus State-Sponsored Attacks

Thirty-four of the largest tech companies in the world are concerned about how government-sponsored cyber attacks may be affecting ordinary people. The group includes Facebook, Microsoft, and HP (a company I worked with earlier this year.) They’ve combined their efforts to form the Cybersecurity Tech Accord. Microsoft President Brad Smith, no relation to my boyfriend Jason Smith (hi Jay!), discussed the Accord at RSAC 2018.

“This is a sobering time. When World War II ended, governments of the world pledged a moral responsibility and legal duty to protect civilians in the time of war. Then in May and June of last year, we saw governments attacking civilians in a time of peace. We have a message to the governments of the world – that’s an attack that endangers people’s lives.”

You can read more about the Cybersecurity Tech Accord on their website. The Accord says, “the companies will not help governments launch cyberattacks against innocent citizens and enterprises, and will protect against tampering or exploitation of their products and services through every stage of technology development, design and distribution.”

The world of cybersecurity is evolving at a rapid pace. Between an embarrassing mistake and a lot of passionate keynote speakers, 2018’s RSA Conference was as eventful as ever.

Massive identity theft attack struck at universities from IP of … Brazilian law enforcement agency

Reading Time: 4 minutes

Cybercriminals not only steal credentials or infect computers with malware. They also hunt for users’ personal data, including passports and IDs, physical addresses, phone numbers and much more. These cybercrimes can be classified as identity theft: using the stolen data, crooks impersonate the victims to carry out malicious activity. The perpetrators use a variety of cunning tricks to make users give away their data. Here’s the most recent example: an identity theft attack targeted 409 email addresses of universities and municipalities in the last ten days of April.

The attackers used the email message below to lure the users:

[Screenshot: the lure email]

The mail imitates a message from EL Cordo Lottery. The email informs the recipient that they’re the lottery winner and, in order to receive the prize, asks them to fill in a “Login Processing form” available through the link. The message itself is rather simple and obviously doesn’t look extremely enticing. But there are some interesting nuances about it.

The attackers used the e-mail address of a well-known university department as the sender address (we don’t name the university here to protect the innocent). But in reality, the malicious message was sent from IP 189.72.174.152, which, as you can see below, belongs to the Secretariat of Public Security and Penitentiary Administration of Brasilia. This agency coordinates the activity of the public security forces in the country.

inetnum: 189.72.174.128/26
aut-num: AS8167.
abuse-c: CSIOI
owner: SECRETARIA DE SEG PÚB E ADMINISTRAÇÃO PENITENCIÁRI
ownerid: 01.409.606/0001-48
responsible: RODRIGO TAPIA PASSOS DE OLIVEIRA
owner-c: RTPOL
tech-c: RTPOL
created: 20171109
changed: 20171109
inetnum-up: 189.72.0.0/14

nic-hdl-br: RTPOL
person: Rodrigo Tapia Passos de Oliveira
created: 20130104
changed: 20130104

nic-hdl-br: CSIOI
person: CSIRT OI
created: 20140127
changed: 20140127

It’s hard to say precisely whether the attacker is an employee of the Secretariat or cybercriminals compromised the organization’s server. However, in both cases, Brazilian law enforcement definitely has valid reasons to investigate the situation.
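The mismatch between the claimed sender and the delivering host is exactly what a receiving mail gateway can check. Below is an added example, not from the article or Comodo, that reads the From domain and the IP recorded by your own border relay and compares it against the hosts authorised to send for that domain. The message, host names and the authorised-sender table are constructed; only the IP is the one quoted above, and a real deployment would resolve the domain’s SPF record instead of a static table.

```python
"""Compare the domain an email claims to come from with the host that actually delivered it."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption (constructed for this example): the IP addresses each domain is authorised to
# send mail from, as its SPF record would publish. A production check resolves SPF instead.
AUTHORISED_SENDERS = {
    "example-university.edu": {"203.0.113.10", "203.0.113.11"},
}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def origin_ip(msg, trusted_relay):
    """IP of the host that handed the message to our own border MTA.

    Only the Received header written by a relay we control can be trusted; any
    Received lines below it were supplied by the sender and may be forged.
    """
    for hop in msg.get_all("Received") or []:
        if f"by {trusted_relay}" in hop:
            from_part = re.split(r"\sby\s", hop, maxsplit=1)[0]
            match = IP_RE.search(from_part)
            if match:
                return match.group(1)
    return None


def sender_domain(msg):
    """Domain of the address in the From header, i.e. what the recipient sees."""
    _, address = parseaddr(msg.get("From", ""))
    return address.rpartition("@")[2].lower()


def check_sender(raw_message, trusted_relay):
    """Return the claimed domain, the delivering IP and a pass/fail/unknown verdict."""
    msg = message_from_string(raw_message)
    domain = sender_domain(msg)
    ip = origin_ip(msg, trusted_relay)
    allowed = AUTHORISED_SENDERS.get(domain)
    if ip is None or allowed is None:
        verdict = "unknown"  # no policy for this domain, or no trustworthy hop found
    elif ip in allowed:
        verdict = "pass"
    else:
        verdict = "fail"  # mail claims the domain but came from an unauthorised host
    return {"from_domain": domain, "origin_ip": ip, "verdict": verdict}


# Constructed message: sender domain spoofed as a university, delivered from the
# IP quoted in the article. Host names and the queue id are placeholders.
SAMPLE = """\
Received: from mail.example-university.edu (unknown [189.72.174.152])
\tby mx.victim.example (Postfix) with ESMTPS id 4F2A1C0
\tfor <staff@victim.example>; Fri, 20 Apr 2018 07:39:02 +0000 (UTC)
From: "Lottery Department" <lottery@example-university.edu>
To: staff@victim.example
Subject: Claim your prize

Congratulations, you are the winner. Fill in the Login Processing form.
"""

if __name__ == "__main__":
    print(check_sender(SAMPLE, "mx.victim.example"))
```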

Now, let’s find out what happens if a user takes the bait and clicks on the link.

As you can see, a form to fill in appears.

[Screenshot: the “Claim Process” form]

The form was created with the legitimate Jotform service, which positions itself as “the easiest way to create forms and collect data”, so here we have one more example of legal services and tools being used to commit a crime. No doubt this nuance also helps to lure the users. Many of them would surely give away what the form requires: full name, physical address, email, phone number, date of birth, marital status and even a copy of the passport!

After seeing the graphics, you may be wondering: why do the perpetrators collect this information?

First, they can use the stolen data for identity theft to cover their malicious activity. Identity theft is a crime in which perpetrators impersonate a victim using their private information. They can use it in various ways, to name a few: registering a website for illegal activity, opening a financial account for money laundering or drug selling, impersonating the victim in state institutions or businesses, etc.

Second, they can use this data to attack the victim in the future. They can prepare a spear-phishing attack based on the stolen data. Or even simply break into their house: why not, they’ve already got the victim’s physical address and a bunch of private information to make the break-in easier.

At the very least, they can just sell the data to other criminals in the Dark web.

However, cybercriminals are not the only ones hunting for personal data. Intelligence services of many countries also look for such information to provide cover for their agents in clandestine operations.

The attack started on April 20, 2018, at 07:39 UTC and ended on April 20, 2018, at 11:14 UTC. The attackers sent 409 emails, 392 of which were targeted to the email addresses of a few universities.

“Identity theft is a very dangerous cybercrime”, says Fatih Orhan, the Head of Comodo Threat Research Lab. “Unfortunately, many people still underestimate it and easily give away their personal data. They don’t see any threat in filling in some questionnaire. Thus, for a cybercriminal, extracting this information from a victim is even easier than making her download a malicious file. But the consequences of identity theft may be no less disastrous than a malware infection. That’s why technical means of protection like Comodo KoruMail are especially helpful in such situations: they can identify the threat and neutralize it even before it reaches people. That’s just what happened in this case. The attack failed, and the Comodo clients remained safe”.