Catches of the Month: Phishing Scams for January 2023

Welcome to our January 2023 review of phishing attacks, in which we explore the latest email scams and the tactics that cyber criminals use to trick people into handing over personal data.

This month, we delve into a scam that attempts to trick cyber security professionals and look at a new banking trojan that has experts worried.

Criminal hackers target infosec professionals in Flipper Zero scam

A new phishing campaign has been discovered that imitates Flipper Zero, a cyber security tool used by penetration testers and white-hat hackers.

The tool, which allows researchers to tinker with a range of hardware by supporting techniques including digital access key cloning, radio communication, NFC and Bluetooth, was created in 2020.

Flipper Zero has been widely popular despite production issues that have caused supply shortages and revenue holdbacks that put the project at risk. As is so often the case, cyber criminals are exploiting people’s eagerness to get their hands on the product in their scams.

In this case, they have created phishing campaigns promoting a fake shop that pretends to sell Flipper Zero.

The scam was discovered by security analyst Dominic Alvieri, who spotted three fake Twitter accounts and two fake Flipper Zero stores.

The bogus accounts artfully recreate the genuine Flipper Zero Twitter accounts, with the only significant difference being that they use a capital ‘i’ in their handle and website rather than a lowercase ‘l’.

The fake Twitter account (left) and the real one (right). Source: BleepingComputer.

Alvieri noted that the bogus accounts were responding to tweets, and specifically to people who asked about the availability of Flipper Zero.

In the above screenshot, the email address listed in the account directs users to a bogus shop, which pretends to sell Flipper Zero at its genuine market price of $199 (about £165). Users are led to believe they can purchase the item, and are asked to enter their email address, full name and shipping address.

Source: BleepingComputer

The victims are then asked to pay via cryptocurrency and are told that their order will be processed within 15 minutes.

BleepingComputer observes that the “listed wallet addresses have not received any payments, so either the particular shop hasn’t managed to trick any security researchers or used new wallets after each transaction”.

The scams’ success should decrease now that it has been widely reported on, but potential Flipper Zero customers should remain cautious about any online interactions with the company unless they’re visiting the official store.
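The capital ‘i’ for lowercase ‘l’ swap described above can be caught automatically by a brand-monitoring check. The following is an added example, not code from BleepingComputer, Alvieri or Flipper Zero; the handles, the domain and the confusables map are constructed for illustration.

```python
import unicodedata

# Small constructed map of characters that render alike in many sans-serif
# fonts; it is illustrative, not a complete confusables table.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "O": "o", "0": "o"})


def skeleton(name: str) -> str:
    """Collapse a handle or hostname to the form a reader's eye sees."""
    name = unicodedata.normalize("NFKC", name.strip().lstrip("@"))
    # Translate before case-folding: folding first would turn 'I' into 'i'
    # and hide the substitution.
    return name.translate(CONFUSABLES).casefold()


def classify(candidate: str, official: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for one candidate."""
    cand = candidate.strip().lstrip("@")
    off = official.strip().lstrip("@")
    if cand.casefold() == off.casefold():
        return "official"  # handles and hostnames are case-insensitive
    if skeleton(cand) == skeleton(off):
        return "lookalike"  # different name, same visual skeleton
    return "unrelated"


def find_lookalikes(candidates, official_names):
    """List (candidate, impersonated_name) pairs worth reporting."""
    hits = []
    for cand in candidates:
        for off in official_names:
            if classify(cand, off) == "lookalike":
                hits.append((cand, off))
    return hits


if __name__ == "__main__":
    # Constructed sample data; none of these are real accounts or shops.
    official = ["@gadget_lab", "gadgetlab.example"]
    seen = ["@gadget_Iab", "@GADGET_LAB", "gadgetIab.example", "@gadget_fans"]
    for cand, off in find_lookalikes(seen, official):
        print(f"{cand} imitates {off}")
```

The check flags only names that differ from the official one yet collapse to the same skeleton, so a differently capitalised spelling of the genuine handle is not reported.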

Malware campaign uses stolen bank data for phishing

Cyber criminals have been using stolen information from bank customers as lures in scams designed to infect people with malware.

According to research from the cloud security firm Qualys, the infrastructure of an unnamed Colombian cooperative bank had been hijacked by criminal hackers, with 418,777 records being exposed.

The information included customers’ names, phone numbers, email addresses, postal addresses, ID numbers, payment records and salary information.

Qualys had been investigating a phishing campaign in which victims were infected with BitRAT malware when they traced the damage to the leak. The malicious file is a type of banking trojan that’s hidden within a macro of an Excel document.

The tool can be used to perform a range of operations, including data exfiltration, DDoS (distributed denial-of-service) attacks, clipboard monitoring and credential theft.

In this case, the researchers discovered that the criminal hackers had used the malware to access customer data.

“[T]he lures themselves contain sensitive data from the bank to make them appear legitimate. This means that the attacker has gotten access to customers’ data,” Qualys said.

“While digging deeper into the infrastructure we identified logs that point to the usage of the tool sqlmap to find potential SQLi faults, along with actual database dumps.”

Can you spot a scam?

All organisations are vulnerable to phishing, no matter their size or sector, so it’s essential to understand how you might be targeted and what you can do to prevent a breach.

You can help educate your staff with IT Governance’s Phishing Staff Awareness Training Programme.

This 45-minute course uses real-world examples like the ones we’ve discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.