In our May 2023 report, we take a closer look at the cybersecurity trends that marked May 2023, and at other cybersecurity issues that people and organizations should be aware of.
Phishing and Malware trends and statistics
[Chart: newly registered domains, confirmed new phishing domains, new potential similar domains]
During May, FYEO observed a total of about 121K (thousand) newly registered domains. Of these, 721 were assessed as similar domains, i.e. likely squatting domains: a domain registered to resemble a well-known brand or organization, with the intention of using it for malicious purposes such as phishing.
A further 508 of the newly registered domains were identified, by manual content scanning and analysis, as actively serving fake websites and phishing content, and another 12K (thousand) were identified as serving malware-related files and content.
Data leaks and credentials statistics
[Chart: reported leaked credentials, reported leak sources, FYEO indexed sources, FYEO indexed credentials]
May 2023 saw 98 security incidents that resulted in the compromise of more than 98M (Million) records. The biggest data breach of the month occurred at Luxottica Group S.p.A., where over 70M (Million) records were compromised.
During the month, FYEO indexed a total of 3.6M (million) leaked credentials from 108 sources, gathered through open sources and public releases.
On the collection statistics, it is worth noting that there is generally a large delay between a breach and the publication of the stolen data. The credentials FYEO collected in May therefore most likely do not come from the same sources that were reported breached during the month.
The dark side of ChatGPT - DarkBERT
DarkBERT is not a chatbot like ChatGPT. It is a language model pre-trained on dark web text and intended to be fine-tuned for specific analysis tasks, such as classifying dark web pages or spotting threat-related content, so that it gives specific answers to specific queries rather than open-ended conversation. The project set out to test whether pre-training on dark web data helps a model understand the language used in that particular environment, which would make it a valuable tool for cybersecurity professionals and law enforcement agencies. DarkBERT builds on the RoBERTa architecture (Robustly Optimized BERT Approach, 2019), a variant of BERT (Bidirectional Encoder Representations from Transformers). RoBERTa's authors had found that the original BERT was significantly undertrained and that a better pre-training recipe, rather than a new architecture, delivered the improvement; DarkBERT inherits that recipe.
To train DarkBERT, the researchers crawled the dark web over the Tor network, which anonymizes the crawler's traffic. The collected pages were filtered with deduplication, category balancing and pre-processing steps, producing a large dark web text corpus. DarkBERT was then pre-trained on this corpus, starting from the RoBERTa model. The resulting model can analyze dark web content, which is often written in its own jargon and heavily obfuscated, and extract useful information from it.
DarkBERT, like other language models, is a work in progress; further training and fine-tuning can improve its results. We are eager to see how DarkBERT will be used and what insights can be gained from its capabilities.
Notorious RaidForums, famous for sharing breached data, was itself breached
A leaked database has provided an interesting glimpse into RaidForums, a well-known hacking and data leak forum, notorious for hosting, leaking and selling data stolen from breached organizations. In April 2022, the RaidForums website and infrastructure were seized by law enforcement agencies, and the site's administrator and accomplices were arrested.
After the closure of RaidForums, users migrated to a new forum called Breached to continue their illicit activities. Unfortunately for them, Breached was also shut down in March 2023 following the arrest of its founder by the FBI and concerns about law enforcement accessing their servers. This left a void in the hacking community.
To fill this void, a new forum called 'Exposed' emerged recently and has quickly gained popularity. The leaked database that has come to light contains information about members who registered on RaidForums between March 20th, 2015, and September 24th, 2020. It seems that this database was not initially intended to be made public, but the admin of Exposed, known as Impotent, decided to leak it.
The leaked database provides both threat actors and security researchers with valuable insights into the individuals involved in the RaidForums community. It serves as a reminder of the ongoing battle between law enforcement and cybercriminals in the ever-evolving landscape of online security.
Notorious North Korean Lazarus Group attacking vulnerable Windows Internet Information Services (IIS) web servers
The Lazarus Group, a well-known hacking group backed by the North Korean government, has recently shifted their focus to target vulnerable Windows Internet Information Services (IIS) web servers. These servers are commonly used by organizations to host websites, applications, and services. The Lazarus Group exploits known vulnerabilities or misconfigurations in these servers to gain access and carry out their malicious activities.
In their attack strategy, the Lazarus Group uses several techniques. On the compromised IIS server, files are created by the IIS worker process w3wp.exe, which is where the attacker's code runs after exploitation. The dropped files are 'Wordconv.exe' (a legitimate, signed Microsoft Office binary), a malicious DLL named 'msvcr100.dll' and an encoded file 'msvcr100.dat'. Running Wordconv.exe from that directory makes it load the malicious msvcr100.dll placed beside it, a technique known as DLL side-loading; the DLL decodes msvcr100.dat and runs the resulting code in memory, which makes it harder for antivirus tools to detect.
In the next stage of the attack, Lazarus drops a second malware component ('diagn.dll') that is loaded through a Notepad++ plugin. This second component receives a new payload encrypted with the RC6 algorithm, decrypts it with a hard-coded key and executes the result in memory to evade detection.
To further their intrusion, Lazarus conducts network reconnaissance and lateral movement through Remote Desktop port 3389 using stolen user credentials, likely obtained in an earlier step of the attack.
To mitigate such attacks, the AhnLab Security Emergency Response Center (ASEC) advises organizations to monitor for unusual execution of processes, particularly focusing on DLL sideloading, which is a technique commonly utilized by Lazarus. By remaining vigilant and detecting abnormal activities, organizations can enhance their defenses against such threats.
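As an added example (not ASEC's or FYEO's code), the following Python script applies that advice to a handful of constructed Sysmon-style events: it flags the IIS worker process w3wp.exe writing executable-style files, an Office binary such as Wordconv.exe running from outside the Office install tree, and an unsigned copy of a Microsoft runtime DLL such as msvcr100.dll being loaded. The event layout, directory lists and DLL watch list are assumptions for illustration.

```python
"""Flag the Lazarus IIS side-loading chain in Sysmon-style telemetry.
Added example over constructed events: the field names follow Sysmon
(Event ID 1 ProcessCreate, 7 ImageLoad, 11 FileCreate) but the events
themselves are made up for illustration."""
from pathlib import PureWindowsPath

# Assumed watch lists: runtime DLL names commonly abused for side-loading,
# Office binaries known to side-load them, and where genuine Office binaries live.
RUNTIME_DLLS = {"msvcr100.dll", "msvcr120.dll", "msvcp140.dll", "version.dll"}
SIDELOAD_HOSTS = {"wordconv.exe"}
OFFICE_DIRS = ("c:\\program files\\microsoft office\\",
               "c:\\program files (x86)\\microsoft office\\")
DROP_EXTENSIONS = (".exe", ".dll", ".dat")


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def w3wp_drops_payload(ev: dict):
    """FileCreate by the IIS worker process with an executable-style extension:
    a web shell running inside w3wp.exe writing its next stage to disk."""
    if ev["id"] == 11 and _name(ev["image"]) == "w3wp.exe" \
            and _norm(ev["target"]).endswith(DROP_EXTENSIONS):
        return {"rule": "w3wp_drops_payload", "evidence": ev["target"]}
    return None


def office_binary_relocated(ev: dict):
    """ProcessCreate of a known side-load host (Wordconv.exe) outside the Office tree."""
    if ev["id"] == 1 and _name(ev["image"]) in SIDELOAD_HOSTS \
            and not _norm(ev["image"]).startswith(OFFICE_DIRS):
        return {"rule": "office_binary_relocated", "evidence": ev["image"]}
    return None


def unsigned_runtime_dll(ev: dict):
    """ImageLoad of a DLL named like a Microsoft runtime library but without a valid
    signature: the planted msvcr100.dll next to Wordconv.exe looks exactly like this."""
    if ev["id"] == 7 and _name(ev["loaded"]) in RUNTIME_DLLS and not ev.get("signed", False):
        return {"rule": "unsigned_runtime_dll", "evidence": ev["loaded"],
                "loader": ev["image"]}
    return None


RULES = (w3wp_drops_payload, office_binary_relocated, unsigned_runtime_dll)


def detect(events):
    """Run every rule over every event and return the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample: the described chain plus benign activity that must not alert.
SAMPLE_EVENTS = [
    {"id": 11, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\inetpub\wwwroot\upload\Wordconv.exe"},
    {"id": 11, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\inetpub\wwwroot\upload\msvcr100.dll"},
    {"id": 11, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\inetpub\wwwroot\upload\msvcr100.dat"},
    {"id": 11, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\inetpub\logs\LogFiles\u_ex230515.log"},          # normal IIS logging
    {"id": 1, "image": r"C:\inetpub\wwwroot\upload\Wordconv.exe",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"id": 7, "image": r"C:\inetpub\wwwroot\upload\Wordconv.exe",
     "loaded": r"C:\inetpub\wwwroot\upload\msvcr100.dll", "signed": False},
    {"id": 7, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "loaded": r"C:\Windows\System32\msvcr100.dll", "signed": True},  # genuine runtime
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In production the same three rules map directly onto Sysmon's ProcessCreate, ImageLoad and FileCreate events (the `Signed` field of Event ID 7 is what the last rule relies on), and the alerts should be correlated on host and time: any one of them alone is noisy, the three together within minutes on a web server are the chain described above.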
Phishing, Phishing and Phishing …
Threat actors have taken advantage of the popularity and brand recognition of ChatGPT to impersonate it. They create fake AI chatbots or register look-alike names to make users believe they are interacting with a genuine ChatGPT instance, gain their trust and then harvest sensitive information or carry out other malicious activity. According to a recent analysis by Check Point, a cyber security firm, 13,295 newly registered domains referenced OpenAI or ChatGPT, and roughly one in 25 of them was assessed as malicious or potentially malicious. These domains include examples such as:
It is crucial for users to exercise caution and verify the authenticity of websites claiming to be affiliated with OpenAI and ChatGPT to avoid falling victim to potential scams or malicious activities.
Are Google's 8 new top-level domains another cybersecurity threat?
The introduction of new top-level domains such as .dad, .phd, .prof, .esq, .foo, .zip, .mov, and .nexus could open new avenues for cybersecurity threats. Threat actors may use these domains to mimic legitimate websites or email addresses and deceive unsuspecting users. .zip and .mov deserve particular attention because they are also common file extensions: a string like 'photos.zip' in an email or chat message may now be auto-linked to a registered website, so a user who thinks they are opening an attachment can be sent to a phishing page. Phishing and other social engineering techniques can leverage these seemingly trustworthy domains to trick users into revealing sensitive information or downloading malicious content. As the new domains become more prevalent, users should exercise caution, employ strong security measures, and verify the authenticity of websites and email sources.
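The squatting domains counted in the statistics above, the ChatGPT look-alikes, and the risk from file-extension TLDs are variations of one screening problem. The following Python example, which is not FYEO's own detection logic, scores a newly registered domain on three signals: a watched brand keyword in the second-level label (after folding accents, Punycode and common look-alike characters), a small edit distance to a brand name, and a .zip or .mov TLD, with extra weight when the label reads like an attachment name. The brand list, lure words and weights are illustrative assumptions.

```python
"""Screen newly registered domains for brand squatting and file-extension TLD abuse.
Added example: the brand watch list, lure words and weights are assumptions."""
import unicodedata

BRANDS = ("openai", "chatgpt", "metamask", "opensea")          # assumed watch list
RISKY_TLDS = ("zip", "mov")                                     # gTLDs that double as file extensions
LURE_STEMS = ("invoice", "setup", "update", "backup", "photos", "statement")  # assumed
# Characters and pairs that read like another letter at a glance.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "vv": "w", "rn": "m"}


def to_unicode(label: str) -> str:
    """Decode a Punycode (xn--) label so IDN homograph domains are compared on their visible form."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label


def normalize(label: str) -> str:
    """Fold accents, digit look-alikes and separators so 'rnetamask' and 'metamàsk' compare equal to 'metamask'."""
    s = unicodedata.normalize("NFKD", to_unicode(label).lower())
    s = "".join(c for c in s if not unicodedata.combining(c))
    for glyph, plain in HOMOGLYPHS.items():
        s = s.replace(glyph, plain)
    return s.replace("-", "").replace("_", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one substitution, insertion or deletion is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen(domain: str) -> dict:
    """Return the reasons a domain looks like squatting and an additive score."""
    labels = domain.lower().rstrip(".").split(".")
    tld, sld = labels[-1], labels[-2] if len(labels) > 1 else ""
    norm = normalize(sld)
    reasons, score = [], 0
    for brand in BRANDS:
        if brand in norm:                                   # brand embedded: chatgpt-login
            reasons.append(f"brand_keyword:{brand}")
            score += 3
        elif levenshtein(norm, brand) <= (1 if len(brand) < 8 else 2):   # near miss: openal
            reasons.append(f"typosquat:{brand}")
            score += 4
    if tld in RISKY_TLDS:
        reasons.append(f"file_extension_tld:{tld}")
        score += 2
        if sld in LURE_STEMS:                               # invoice.zip reads as an attachment
            reasons.append(f"attachment_lure:{sld}")
            score += 2
    return {"domain": domain, "normalized": norm, "reasons": reasons, "score": score}


if __name__ == "__main__":
    # Constructed inputs, not domains from FYEO's feed.
    for d in ("chatgpt-login.com", "openal.com", "rnetamask.io", "invoice.zip", "example.com"):
        print(screen(d))
```

Anything scoring above zero goes to the manual content check described in the statistics section; the score only orders the queue. Keep the edit-distance threshold tight: at distance 2 on short brand names, ordinary dictionary words start to match.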
At FYEO, we understand the importance of addressing the evolving landscape of cyber threats, including the emergence of new top-level domains (TLDs). We are at the forefront of monitoring and analyzing these new TLDs to identify potential security risks.
Inferno Drainer - Crypto phishing scam
A service called Inferno Drainer has been involved in cryptocurrency scams and phishing. Its operators have stolen more than $5.9 million worth of cryptocurrency from 4,888 victims. According to a report by Scam Sniffer, Inferno Drainer has been linked to around 689 phishing websites since March 27, 2023, many of which appeared after May 14, 2023, indicating a sharp increase in activity. These sites imitate more than 220 brands, including Pepe, Bob, MetaMask, OpenSea, Collab.Land and LayerZero Labs, to trick visitors into signing transactions or revealing sensitive information.
Inferno Drainer offers a range of fraudulent services: drainers for multiple cryptocurrency chains, draining of Aave tokens and Art Blocks NFTs, and token-approval phishing against MetaMask users, in which the victim is tricked into approving a drainer-controlled address to spend their tokens. The creators of the toolkit provide a user-friendly admin panel with customization options and even a trial period for interested buyers. Operators using Inferno Drainer pay a percentage of their earnings, with the fee ranging from 20% to 30% for services that involve creating phishing sites. Because of high demand, Inferno Drainer only provides phishing sites to clients who have proven they can generate significant profits, earning them the label of "good customers".
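Token-approval phishing works because an ERC-20 approve(spender, amount) call, or an ERC-721 setApprovalForAll(operator, true) call, lets the spender move the victim's tokens later with transferFrom; the drainer only needs the victim to sign one approval to an address it controls. The following Python example, added here and not Inferno Drainer's or any wallet's code, decodes the calldata of such a transaction and flags an unlimited allowance or a spender outside an allowlist. The addresses and the allowlist are constructed placeholders; the four-byte function selectors are the standard values.

```python
"""Decode token-approval calldata and flag what a drainer would ask a victim to sign.
Added example; addresses and the allowlist are constructed placeholders."""
MAX_UINT256 = (1 << 256) - 1
# Assumed cut-off: an allowance this large is effectively unlimited.
EFFECTIVELY_UNLIMITED = 1 << 128

# First 4 bytes of keccak256(signature); these are the standard, well-known selectors.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}

# Constructed allowlist: the one contract (say, a DEX router) the user means to authorize.
KNOWN_SPENDERS = {"0x" + "11" * 20}


def _word(n: int) -> str:
    return f"{n:064x}"                      # 32-byte big-endian ABI word


def _addr_word(addr: str) -> str:
    return addr[2:].lower().rjust(64, "0")  # address left-padded to 32 bytes


def encode_approve(spender: str, amount: int) -> str:
    """Build approve(spender, amount) calldata, as a phishing page's JavaScript would."""
    return "0x095ea7b3" + _addr_word(spender) + _word(amount)


def encode_set_approval_for_all(operator: str, approved: bool) -> str:
    return "0xa22cb465" + _addr_word(operator) + _word(1 if approved else 0)


def decode_call(calldata: str) -> dict:
    """Split calldata into selector and 32-byte words; decode the approval functions."""
    data = calldata[2:] if calldata.startswith("0x") else calldata
    selector, body = data[:8].lower(), data[8:]
    if len(body) % 64:
        raise ValueError("calldata is not word aligned")
    words = [body[i:i + 64] for i in range(0, len(body), 64)]
    function = SELECTORS.get(selector)
    if function is None or len(words) < 2:
        return {"function": None, "selector": selector}
    return {"function": function, "selector": selector,
            "target": "0x" + words[0][24:],       # spender / operator is the low 20 bytes
            "value": int(words[1], 16)}           # amount, or 0/1 for the bool


def assess(calldata: str, known_spenders=KNOWN_SPENDERS) -> dict:
    """Flag the two things a drainer relies on: an unexpected spender and a blanket grant."""
    call = decode_call(calldata)
    fn = call["function"]
    if fn is None:
        return {"risk": "unknown", "flags": ["unrecognized selector"], **call}
    flags = []
    if call["target"] not in {s.lower() for s in known_spenders}:
        flags.append("spender not in allowlist")
    if fn.startswith(("approve", "increaseAllowance")) and call["value"] >= EFFECTIVELY_UNLIMITED:
        flags.append("unlimited allowance")
    if fn.startswith("setApprovalForAll") and call["value"] == 1:
        flags.append("blanket NFT operator approval")
    risk = "high" if len(flags) >= 2 else "medium" if flags else "low"
    return {"risk": risk, "flags": flags, **call}


if __name__ == "__main__":
    drainer = "0x" + "de" * 20          # constructed attacker-controlled spender
    router = "0x" + "11" * 20           # constructed legitimate spender
    print(assess(encode_approve(drainer, MAX_UINT256)))
    print(assess(encode_approve(router, 10 ** 18)))
    print(assess(encode_set_approval_for_all(drainer, True)))
```

The calldata is the `data` field a wallet shows (or hides behind a "Confirm" button) before signing; an allowance equal to 2^256-1 to an address you have never interacted with is the signature of this scam. The same check is needed for gasless EIP-2612 permit signatures, which this example does not decode.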
Protecting oneself from phishing attacks, such as those carried out by the Inferno Drainer service, is crucial in safeguarding personal and financial information. By utilizing FYEO Agent, individuals and organizations can significantly enhance their defense against phishing attempts. In an era where online threats continue to evolve, investing in a reliable cybersecurity product is essential. With FYEO Agent, which is completely free to use, users can mitigate the risks posed by phishing attacks, protect their sensitive information, and maintain a secure online presence.