Bitcoin Forum

Other => Beginners & Help => Topic started by: Kemarit on April 24, 2020, 03:59:27 AM



Title: Skype malicious phishing attempts use Google's .app gTLD
Post by: Kemarit on April 24, 2020, 03:59:27 AM
Remember this one: Hackers started to exploit Zoom apps to spread malware (https://bitcointalk.org/index.php?topic=5236678.0)?

Now cyber criminals are targeting Skype, another video and voice application, through a sophisticated mode of attack.

- users will receive a notification email "67519-81987@skype.[REDACTED EMAIL]"

- if the victim clicks this suspicious link, they will be redirected to:

Code:
hxxps://jhqvy[.]app[.]link/VAMhgP3Mi5
and finally
Code:
hxxps://skype-online0345[.]web[.]app

https://i.imgur.com/3zqCUt0.png

Quote
The threat actor has chosen to utilize a .app top-level domain to host their attack. This TLD is backed by Google to help app developers securely share their apps. A benefit of this top-level domain is that it requires HTTPS to connect to it, adding security on both the user’s and developer’s end, which is great…but not in this case. The inclusion of HTTPS means the addition of a lock to the address bar, which most users have been trained to trust. Because this phishing site is being hosted via Google’s .app TLD it displays this trusted icon.
Source here. (https://cofense.com/phish-uses-skype-target-surging-remote-workers/)
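
Added example, not part of the original post or the Cofense report: a small Python check showing why the padlock says nothing about who owns a site. It refangs the two URLs quoted above and compares the domain a single party actually controls against the brand named in the host. The brand table and the list of shared suffixes are assumptions made for illustration; a real filter would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: illustrative table of brands and domains they really use.
BRAND_DOMAINS = {"skype": {"skype.com", "microsoft.com"}}
# Assumption: suffixes under which anyone can obtain a subdomain.
SHARED_SUFFIXES = ("web.app", "app.link")

def refang(url):
    """Undo the hxxp / [.] defanging used in the post."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")

def registrable_domain(host):
    """Return the part of the host name that one party controls."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    for suffix in SHARED_SUFFIXES:
        n = suffix.count(".") + 1
        if host.endswith("." + suffix) and len(labels) > n:
            # On a shared suffix, the label in front of it is the tenant.
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])

def assess(url):
    """Report findings for a URL; HTTPS is recorded but never clears a finding."""
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    reg = registrable_domain(host)
    findings = []
    for brand, real in BRAND_DOMAINS.items():
        if brand in host and reg not in real:
            findings.append(f"'{brand}' appears in host but domain is {reg}")
    if any(host.endswith("." + s) for s in SHARED_SUFFIXES):
        findings.append("hosted on a shared platform suffix")
    return {"host": host, "https": parts.scheme == "https",
            "registrable": reg, "findings": findings}

if __name__ == "__main__":
    samples = [
        "hxxps://jhqvy[.]app[.]link/VAMhgP3Mi5",    # from the post
        "hxxps://skype-online0345[.]web[.]app",     # from the post
        "https://www.skype.com/en/",                # genuine site
        "https://skype.com.login.example.net/",     # constructed lookalike
    ]
    for s in samples:
        print(assess(s))
```

Both URLs from the post come back with `https: True` and still produce findings, which is the point the quoted report makes about the lock icon.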


Title: Re: Skype malicious phishing attempts use Google's .app gTLD
Post by: mk4 on April 24, 2020, 06:52:35 AM
Anything new here? Hackers and scammers will be using whatever domain and TLD they can take advantage of. It's been the case for as far back as we can remember and it will be the same until there are stricter laws with buying domains.

Phishing ain't new either. Posts like this are getting a bit too redundant in my opinion.


Title: Re: Skype malicious phishing attempts use Google's .app gTLD
Post by: soliton on April 24, 2020, 08:55:20 AM

Thanks for the warning. I have translated it in the Russian section https://bitcointalk.org/index.php?topic=5243112.msg54287950#msg54287950 in order to alert users.


Title: Re: Skype malicious phishing attempts use Google's .app gTLD
Post by: jackg on April 24, 2020, 05:25:38 PM

Quote
Phishing ain't new either. Posts like this are getting a bit too redundant in my opinion.

It's a beginners' section, you can't have too many warnings on phishing imo. Everyone comes across something at some point and a lot of advanced users can come under attack when clicking links in emails.

I hadn't seen this one yet either.


Title: Re: Skype malicious phishing attempts use Google's .app gTLD
Post by: Kemarit on April 25, 2020, 12:12:14 AM
Quote
Anything new here? Hackers and scammers will be using whatever domain and TLD they can take advantage of. It's been the case for as far back as we can remember and it will be the same until there are stricter laws with buying domains.

Phishing ain't new either. Posts like this are getting a bit too redundant in my opinion.

Anything new? Hmm let me think.

1. We are in a lockdown and people are now working remotely, meaning Zoom and Skype are being used more than ever; that's why cyber criminals are ramping up their campaigns using these two apps.

2. Most schools in the States are using Zoom, obviously, for online education. And I'm sure this will be the trend if school years open in other countries.

Do you have kids? Do you have other 'jobs' that force you to work from home?

I'll give you one example of how it is important in your country: Privacy problems? Naked guy pops onscreen during Pasig Mayor Sotto’s Zoom talk (https://ph.news.yahoo.com/privacy-problems-naked-guy-pops-080351555.html). That's one mayor of Metro Manila in the Philippines, Zoombombed during his Covid-19 lockdown interview.

And as @jackg has pointed out, this is Beginners & Help. Maybe you are far more advanced than the majority here, but it is not too late to give this sort of warning to newbies and beginners.



Title: Re: Skype malicious phishing attempts use Google's .app gTLD
Post by: mk4 on April 25, 2020, 06:47:23 AM
Quote
It's a beginners' section, you can't have too many warnings on phishing imo. Everyone comes across something at some point and a lot of advanced users can come under attack when clicking links in emails.

I hadn't seen this one yet either.

I completely get it. 100%. But this problem could potentially be solved by simply having a pinned warning topic concerning phishing in this section. It's a sort of "catch all" way of just teaching people to be skeptical of everything rather than individual sites.

Educating people about phishing and other schemes > informing them about every single phishing site out there

Quote
I'll give you one example of how it is important in your country: Privacy problems? Naked guy pops onscreen during Pasig Mayor Sotto’s Zoom talk (https://ph.news.yahoo.com/privacy-problems-naked-guy-pops-080351555.html). That's one mayor of Metro Manila in the Philippines, Zoombombed during his Covid-19 lockdown interview.
This issue isn't the typical phishing attempt that we see like 90% of the time. I was specifically referring to posting about specific phishing sites.


Title: Re: Skype malicious phishing attempts use Google's .app gTLD
Post by: hugeblack on April 27, 2020, 01:50:43 PM
The above topic explains several points:

 - Pandemic exploitation: Many scammers exploit the sudden use, by a large number of people, of applications that were not used frequently.
 - Initial knowledge: Many users believe that the "HTTPS" means that the site is the real one, or that it contains a portion of the domain, meaning that it leads to the real domain.

Responsibility: It is incumbent on those companies to compel users to solve a rapid exercise to prevent scams, thereby disclaiming their responsibility for any negligence that occurs.


Title: Re: Skype malicious phishing attempts use Google's .app gTLD
Post by: jackg on April 27, 2020, 02:17:17 PM
@mk4, we don't have a stickies thread on it yet though either... I think it's been called for in the past but no action has been done to actually make it a thing, if someone has the time though I'd suggest try making a thread like loyce's fees are low one (that they can bump when it hits page 2).



For the actual attack, it's attacking a different type of people from a standard attack, since it's people actively looking for a padlock icon, so it's moderately intelligent people on the Internet or the ones that have outdated knowledge on SSL.

Add to this the fact that most countries have sent a text out to everyone's number so it may be easy to get access to text data (since messages aren't normally encrypted and the message wasn't sent as a broadcast - afaik).