Starting from early July, we have seen malicious spam activity that has targeted corporate mailboxes…

The malware’s key objective is to steal passwords from browsers, messaging applications, mail and FTP clients, and cryptocurrency wallets.

Secure List, Loki Bot: On a hunt for corporate passwords

 

Experts from Kapresky lab have come upon several incidents of spam activity targeting corporate emails. As per the article published on Secure List, experts believe that the objective of these activities is to steal passwords from browsers, messaging applications, and mail and FTP clients; or to say- to compromise business networks.

These malicious messages are all said to contain an attachment with .iso extension. The malware identified is Loki Bot.

As per Kapresky experts, hackers used diverse range of email messages to spread the malware. The three types of emails noted in their blog are:

  1. Fake notifications from well-known companies

Emails are imitated to look as if the messages were being sent by well-known companies.

  1. Fake notifications containing financial documents

Emails contain malicious files dressed-up as financial documents, such as invoices, wire transfers, etc.

  1. Fake orders and offers

Hackers pose as customers placing an email order, or a vendor offering their services.

 

Tatyana has posted snapshots of such malicious emails at the Secure list blog. Do check them.

In a similar article published in June, Cofense Intelligence, too, has observed an increase in targeting of corporate email accounts via phishing emails. In her blog, Mollie Holleman writes, “Almost all the emails reference supposed payments, financial advice, or account information—often for corporate accounts.”

These attacks too were skillfully targeted campaigns against individuals who could have access to the corporate financial network. The intent was to lure them with phishing techniques, and then gain access to financial information and as many accounts as they can.

The campaigns analyzed by Cofense pointed at use of several malware, such as Trickbot, Poni and Loki Bot.

Targeting of UK user financial accounts has surged in past two months. Follow the link for email snapshots by Cofense.

In a related article, Ian Murphy notes that the phishing lures used to contaminate corporate email networks are becoming professional and difficult to detect.

For example, last month, as per Security Boulevard, Air Canada detected unusual login behavior through their app, and had to force all 1.7 million mobile application users to change their passwords. Another example is of the UnityPoint Health data breach. The breach affected about 1.4 million patients. It is yet the largest data breach of 2018 on the HHS ‘Wall of Shame’.

The point is, simple and overly complicated corporate processes have become vulnerable to phishing attacks.

Under such circumstances, organizations should consider safeguarding their networks with better intrusion detection systems and two-factor authentication systems. The biggest challenge, however, as Ian points out, is training employees against phishing lures and ensuring that everyone pays attention to the emails that open.

Do check our article on Business Email Compromise (BEC) to understand how to protect your business network against such malware attacks.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *