Security researchers have identified a new phishing campaign by the Russian cyber espionage group Fancy Bear that uses URLs on blogspot.com to get past spam filters.
The latest attacks targeted Bellingcat, a group of volunteers who conduct open-source and social-media investigations on a variety of topics. Bellingcat was also targeted by Fancy Bear in 2015, after the group linked the Russian military to the downing of Malaysia Airlines Flight 17 over Ukraine in 2014.
Bellingcat shared the new wave of phishing emails with researchers at ThreatConnect, who linked the attacks to domain names and infrastructure used in the past by Fancy Bear.
Also known in the security industry as APT28, Pawn Storm, or Sofacy, Fancy Bear is a sophisticated cyber espionage group that has targeted a wide variety of organizations over the years, including the Democratic National Committee (DNC) during the 2016 US presidential election.
The phishing emails that ThreatConnect analyzed masqueraded as notifications from Gmail and Dropbox prompting users to change their account passwords or open a shared file. The links in the emails actually pointed to blogs created on Google’s Blogger platform, blogspot.com.
“Blogspot’s use of URLs bears some similarities to the tactics identified in a September Salon article on Fancy Bear leveraging Google’s Accelerated Mobile Pages (AMP) to create URLs for their credential harvesting pages from Google,” ThreatConnect researchers said in a blog post. “This likely allowed some of Fancy Bear’s spear-phishing messages to bypass security filters that would otherwise have identified malicious URLs. Likewise, a URL hosted on Google’s own systems, in this case Blogspot, may be more likely to pass spam filters than URLs hosted on a third-party IP address or hostname.”
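The filter-evasion point above comes down to a mismatch: the lure claims to be from Gmail or Dropbox, but the link lands on a host that anyone can register under a trusted parent domain. A mail gateway that scores only the link's domain reputation lets it through. The following is an added illustration, not code from ThreatConnect or from the original article, of a check that catches that mismatch; the two email messages are constructed samples modelled on the lures described, the brand-to-domain table and the list of user-content suffixes are assumptions, and the eTLD+1 logic is deliberately naive.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed samples modelled on the lures described above; not real captured messages.
PHISH_EMAIL = """From: "Gmail Team" <no-reply@accounts.google.com>
Subject: Action required: change your Gmail password
Content-Type: text/plain

Someone signed in to your Gmail account from a new device.
Change your password now: https://account-security-update.blogspot.com/2017/11/verify.html
"""

LEGIT_EMAIL = """From: "Google" <no-reply@accounts.google.com>
Subject: Security alert for your Gmail account
Content-Type: text/plain

Review recent activity at https://myaccount.google.com/security
"""

# Brands the lures impersonate, mapped to the registrable domains a genuine
# notification from that brand would link to (assumed table; extend as needed).
BRAND_DOMAINS = {
    "gmail": {"google.com", "gmail.com"},
    "dropbox": {"dropbox.com"},
}

# Platforms where anyone can publish under a trusted parent domain. A gateway that
# allow-lists Google-owned infrastructure wholesale waves these through.
USER_CONTENT_SUFFIXES = (".blogspot.com", ".sites.google.com")

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Production code should consult the Public
    Suffix List, where blogspot.com is itself listed as a public suffix."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def claimed_brands(text):
    """Which impersonated brands the subject and body invoke."""
    lowered = text.lower()
    return {brand for brand in BRAND_DOMAINS if brand in lowered}


def analyze(raw_email):
    """Return one finding per URL in the body, with the flags it triggered."""
    msg = message_from_string(raw_email)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    brands = claimed_brands((msg.get("Subject") or "") + "\n" + body)
    # Domains a link may legitimately point to, given the brands the message claims.
    expected = set().union(*(BRAND_DOMAINS[b] for b in brands))

    findings = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        flags = []
        if host.endswith(USER_CONTENT_SUFFIXES):
            flags.append("user_content_host")
        if brands and registrable_domain(host) not in expected:
            flags.append("brand_mismatch")
        findings.append({"url": url, "host": host, "flags": flags})
    return findings


def is_suspicious(raw_email):
    """True if any link in the message triggered at least one flag."""
    return any(f["flags"] for f in analyze(raw_email))


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, analyze(sample))
```

The brand-mismatch rule is the one that generalizes: it fires whatever hosting the attacker picks next, whereas the suffix list only covers platforms you have already thought of. Both flags together on one link are a strong signal; a single flag is better treated as a reason to sandbox the link than to drop the message.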
Fancy Bear is known for its consistent use of new and sophisticated techniques, including zero-day exploits. The group has its own malware implant, with versions for Windows, Linux, macOS, and Android, and its targeting largely reflects Russia’s geopolitical interests. Many security experts believe the group is at least coordinated by, if not part of, Russia’s military intelligence agency, the GRU.
Between March 2015 and May 2016, Fancy Bear targeted hundreds of email addresses belonging to U.S. citizens, including senior officials: former Secretary of State John Kerry, former Secretary of State Colin Powell, former NATO Supreme Allied Commander and U.S. Air Force General Philip Breedlove, and retired U.S. Army General Wesley Clark, The Associated Press reported on November 2 after analyzing a list of targets obtained from one of the group’s servers by security firm SecureWorks.
The targets also included employees of defense contractors Boeing, Raytheon and Lockheed Martin and at least 130 people associated with the Democratic Party – supporters, party workers and campaign staff. Some targets of the Republican Party have also been identified.
Also on November 2, the Wall Street Journal reported that the US government had identified more than six Russian government officials allegedly involved in the DNC hack and the subsequent leak of the organization’s emails. US prosecutors and law enforcement officials have gathered enough evidence to indict the Russian officials and plan to press charges next year, the newspaper reported.
Banking Trojan revives an old technique: black hat SEO
Security researchers at Cisco Systems’ Talos Group have identified a campaign that distributes the Zeus Panda banking Trojan by manipulating Google search results through compromised websites.
The attackers have successfully leveraged the search rankings of hacked websites to inject malicious pages into the first page of Google search results for particular keyword combinations. This technique is known as black hat search engine optimization (BHSEO).
“The attacker targeted many groups of keywords, most of them tailored to banking or financial information that potential victims might be looking for,” Cisco Talos researchers said in a blog post. “In addition, certain geographic regions appear to be directly targeted, with many groups of keywords being specific to financial institutions in India as well as the Middle East.”
BHSEO, also called search result poisoning, is not a new technique; it was popular with scareware distributors about seven years ago. Scareware was the forerunner of ransomware and consisted of malware masquerading as antivirus or security products, with the aim of scaring users into paying a fee to clean their computers. It seems that the hackers behind this new Zeus Panda campaign are also involved in similar scams.
“Ironically, we have observed the same redirect system and associated infrastructure used to direct victims to tech support and bogus AV scams that display images informing victims that their systems are infected with Zeus and asking them to contact the phone number listed,” the researchers said.
– Lucien Constantin