In the News

Vishing, doxing, and the Ruthlessness of Ransomware Gangs

Jun 24, 2021 The CyberWire

At a glance.

  • Vishing campaigns sneak past spam filters.
  • Cl0p doxes more victims.
  • Data taken during the Tulsa ransomware attack are published online.

Vishing campaigns sneak by spam filters.

Threatpost details two vishing campaigns that trade on the public’s trust in household names like Geek Squad and Norton Antivirus. In the Geek Squad campaign, the malicious email convincingly mimics Best Buy’s IT support service, containing a fake protection plan renewal confirmation and urging the target to call a fraudulent billing phone line. The Norton scam forgoes any brand-specific formatting, instead bearing a header spelling “N0RT0N PR0TECTI0N” with zeros in place of the letter O, a trick that lets the brand name slip past simple keyword matching. Armorblox researchers found that the emails, sent to tens of thousands of corporate inboxes, went undetected by Microsoft spam filtering because they appeared to come from a source server on the ‘IP Allow’ list and contained no suspicious links or attachments. “Including phone numbers as the payload is effective because a phone number is not an IOC that the security community tracks in a structured, shareable manner right now,” explained researcher Abhishek Iyer. Though the fraudulent phone numbers have since been deactivated, the campaigns demonstrate how easily a phone-number lure can circumvent link- and attachment-centric detection.
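As an added illustration (not code from Threatpost, Armorblox or the CyberWire), the Python below implements the two checks the campaign above defeats: it undoes digit-for-letter spellings such as “N0RT0N” before matching a brand watchlist, and it extracts phone numbers as a trackable IOC, flagging a brand lure that carries a phone number but no link as a callback-phish candidate. The homoglyph table, the brand watchlist, the verdict rules and the three sample messages are all constructed for this example (the 555-01xx numbers are reserved for fiction).

```python
import re
from collections import Counter

# Digit/symbol-for-letter substitutions used to slip brand names past keyword
# filters, as in the "N0RT0N PR0TECTI0N" header. This table is an assumption
# made for the example, not a list taken from the Armorblox research.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s"})
WATCHED_BRANDS = ("norton", "geek squad", "best buy")  # assumed watchlist

# North American numbers in the usual written forms. Digits are captured from
# the raw text, before normalisation, so the "1" -> "l" mapping cannot mangle them.
PHONE_RE = re.compile(
    r"(?:\+?1[\s.-]?)?\(?\b(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})\b")
URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.I)


def normalize(text):
    """Lower-case the text and undo digit-for-letter substitutions."""
    return text.lower().translate(HOMOGLYPHS)


def extract_phones(text):
    """Return the phone numbers found, in canonical NNN-NNN-NNNN form."""
    return sorted({"-".join(m) for m in PHONE_RE.findall(text)})


def analyze(email_text):
    """Classify one message and return the evidence behind the verdict."""
    raw, norm = email_text.lower(), normalize(email_text)
    brands = [b for b in WATCHED_BRANDS if b in norm]
    # A brand that is visible only after normalisation was spelled to evade filters.
    spoofed = [b for b in brands if b not in raw]
    phones = extract_phones(email_text)
    has_url = URL_RE.search(email_text) is not None

    if brands and phones and not has_url:
        verdict = "callback-phish"   # brand lure + phone payload + nothing to click
    elif spoofed:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"brands": brands, "spoofed_brands": spoofed,
            "phone_iocs": phones, "has_url": has_url, "verdict": verdict}


def phone_iocs(emails):
    """Aggregate phone-number IOCs across flagged messages so they can be shared."""
    hits = Counter()
    for mail in emails:
        result = analyze(mail)
        if result["verdict"] != "clean":
            hits.update(result["phone_iocs"])
    return hits


# Constructed sample messages; they are not the real campaign emails.
SAMPLE_NORTON = """Subject: N0RT0N PR0TECTI0N - Renewal Confirmation
Your N0RT0N PR0TECTI0N plan has been renewed for $349.99.
If you did not authorize this charge call our billing desk at (800) 555-0142 within 24 hours."""

SAMPLE_GEEK = """Subject: Geek Squad Protection Plan Renewed
Thank you for renewing your Geek Squad protection plan. Amount: $299.99
To cancel, call 1-888-555-0199."""

SAMPLE_LEGIT = """Subject: Your order has shipped
Track your package at https://example.com/track/12345. Thanks for shopping with us."""

if __name__ == "__main__":
    for mail in (SAMPLE_NORTON, SAMPLE_GEEK, SAMPLE_LEGIT):
        print(analyze(mail))
    print(phone_iocs([SAMPLE_NORTON, SAMPLE_GEEK, SAMPLE_LEGIT]))
```

The phone regex is deliberately extracted from the raw text rather than the normalised copy; a single pass that normalised first would turn “1-888” into “l-888” and lose the IOC.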

Cl0p publishes stolen data days after recent arrests.

As the CyberWire noted last week, the National Police of Ukraine, working with South Korean and American authorities, completed a sting that ended in the arrest of six alleged members of the Cl0p ransomware gang and reportedly shut down the group’s server infrastructure. Just days later, however, Cl0p appears to be up and running, releasing data purportedly stolen from a farm equipment retailer and an architecture office, TechCrunch reports. According to cybersecurity firm Intel 471, Cl0p’s speedy resurgence could be because last week’s arrests affected only the money-laundering arm of the gang, not its core members: “The overall impact to C10p is expected to be minor, although this law enforcement attention may result in the C10p brand getting abandoned as we’ve recently seen with other ransomware groups like DarkSide and Babuk.” Cl0p’s top actors are believed to reside in Russia, where authorities have been hesitant to act against cybercriminals. That said, just last week Russian Federal Security Service head Alexander Bortnikov agreed to collaborate with the US, so perhaps the tide could be turning.

Stolen data published after Tulsa ransomware attack.

The City of Tulsa, located in the US state of Oklahoma, suffered a ransomware attack in May, and now the perpetrators have released more than 18,000 stolen files on the dark web. IT Pro reports that the data consist predominantly of police citations and internal department files, containing personal data such as names, dates of birth, addresses, and driver’s license info. As the investigation continues, officials urge anyone who has shared private data with the City to monitor their accounts for suspicious activity.

We heard from Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, who reminds us how useful such information is for making social engineering lures more plausible and convincing:

“While the disclosure of this type of information may not seem immediately useful to cybercriminals, it can be leveraged to create incredibly powerful social engineering lures to fool victims into sending money. In this instance, the disclosure of police records can be used to construct convincing stories to trick unsuspecting victims or their families into paying fake fees or fines by claiming to be lawyers or court representatives. Even normally scam savvy people may be fooled if a fraudster has enough detailed information. 

“Municipalities must adopt a culture of security to protect their data from compromise including proper staff training, security hardening of systems and applications, regular penetration testing to identify any gaps or mistakes and finally continuous monitoring for any suspicious activity that may indicate that an attack is imminent.

“Individuals must remain vigilant to potential fraud attacks as well. Even someone contacting you with seemingly legitimate information should require independent verification before you send them personal information or payments. In this case, if you are contacted about your or a family member’s criminal case or fine, you should separately verify the information and requested actions by looking up and calling the court directly.”

Erich Kron, Security Awareness Advocate at KnowBe4, observes that the incident is another reminder of the ruthlessness of ransomware gangs:

“Conti, one of the most prolific ransomware gangs in operation, continues to show that it is ruthless in its attacks on the public sector and healthcare networks. In a May 20th alert, the same month as this attack, the FBI warned of this group and their specific targeting of first responder and healthcare networks.  

“The Conti group is showing a blatant disregard for the authority of law enforcement as they continue their attacks on these vital services. Even after the shutdown of the Darkside gang, the arrests in the takedown of the Clop group, and even in light of the Ziggy ransomware gang providing all of their encryption keys for victims due to the fear of law enforcement actions, Conti continues their attacks without skipping a beat.

“Because Conti’s typical attacks begin with email phishing or stolen RDP (Remote Desktop Protocol) credentials, organizations looking to defend themselves against the threat should concentrate on these attack vectors. Users should be provided high-quality security awareness training with a focus on spotting phishing emails, dealing with potentially infected documents or malicious email links, the importance of having secure passwords that are unique, complex and not shared or reused anywhere else, and the use of two-factor authentication. Providing password vaults and the education to properly use them can help greatly in this matter as well. In addition, organizations should review the security related to any RDP instances they have deployed, paying special attention to securing against brute force attacks, spotting unusual login times or attempts from unusual locations and ensuring that unusual behavior through these portals is quickly reported to security.”
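To make the RDP advice above concrete, here is an added Python example (not code from KnowBe4, the CyberWire or any vendor) that runs three of the checks Kron lists over Windows Security logon events: repeated failures from one source address (brute force), a success from an address that was just brute-forcing, and successful logons at unusual hours or from outside known address ranges. The flattened one-line event format, the thresholds, the business-hours window, the “known” VPN range and the sample log are all assumptions constructed for this example; production code would read event 4624/4625 records from the Security log or a SIEM instead.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One flattened Windows Security event per line: 4624 = logon success,
# 4625 = logon failure, LogonType 10 = RemoteInteractive (RDP). The layout is
# this example's own simplification, not the native Windows event XML.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<eid>4624|4625) LogonType=(?P<lt>\d+) "
    r"User=(?P<user>\S+) Src=(?P<src>\S+)$")

FAIL_THRESHOLD = 5                                  # failures per source in WINDOW (assumed)
WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(7, 19)                       # assumed working hours, UTC
KNOWN_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]  # assumed corporate VPN range


def parse_events(text):
    """Parse the flattened log into dicts with real datetimes and ints."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                # ignore lines that are not logon events
        d = m.groupdict()
        events.append({"ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                       "eid": int(d["eid"]), "lt": int(d["lt"]),
                       "user": d["user"], "src": d["src"]})
    return events


def known_source(src):
    """True when the address falls inside one of the known ranges."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in KNOWN_SOURCES)


def _alert(kind, ev, detail):
    return {"kind": kind, "ts": ev["ts"].isoformat(), "user": ev["user"],
            "src": ev["src"], "detail": detail}


def detect(events):
    """Run the three checks over RDP logon events in time order; return alerts."""
    alerts = []
    recent = defaultdict(list)                      # src -> failure timestamps within WINDOW
    brute_forced = set()                            # sources already reported once
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["lt"] != 10:
            continue                                # only RDP logons matter for this check
        src, ts = ev["src"], ev["ts"]
        if ev["eid"] == 4625:
            # Sliding window: keep only failures newer than WINDOW, then add this one.
            recent[src] = [t for t in recent[src] if ts - t <= WINDOW] + [ts]
            if len(recent[src]) >= FAIL_THRESHOLD and src not in brute_forced:
                brute_forced.add(src)
                alerts.append(_alert("brute_force", ev,
                                     f"{len(recent[src])} failures within {WINDOW}"))
        else:                                       # 4624: a successful logon
            if src in brute_forced:
                alerts.append(_alert("success_after_brute_force", ev,
                                     "password likely guessed or stolen"))
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(_alert("off_hours_login", ev, f"hour={ts.hour:02d} UTC"))
            if not known_source(src):
                alerts.append(_alert("unknown_source_login", ev, "outside known ranges"))
    return alerts


# Constructed sample log (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
2021-06-21T02:10:11Z 4625 LogonType=10 User=administrator Src=203.0.113.45
2021-06-21T02:10:13Z 4625 LogonType=10 User=administrator Src=203.0.113.45
2021-06-21T02:10:15Z 4625 LogonType=10 User=admin Src=203.0.113.45
2021-06-21T02:10:17Z 4625 LogonType=10 User=admin Src=203.0.113.45
2021-06-21T02:10:19Z 4625 LogonType=10 User=backup Src=203.0.113.45
2021-06-21T02:10:21Z 4625 LogonType=10 User=backup Src=203.0.113.45
2021-06-21T02:10:40Z 4624 LogonType=10 User=backup Src=203.0.113.45
2021-06-21T09:00:02Z 4625 LogonType=10 User=jsmith Src=198.51.100.20
2021-06-21T09:00:30Z 4624 LogonType=10 User=jsmith Src=198.51.100.20
2021-06-21T23:30:05Z 4624 LogonType=10 User=jsmith Src=198.51.100.20
"""

if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(a)
```

Against the sample log the script raises one brute-force alert for 203.0.113.45 at the fifth failure, then three alerts on the subsequent success (guessed credential, off-hours, unknown source), stays quiet for jsmith’s single typo and daytime logon from the VPN range, and flags only the off-hours logon at 23:30. The single mistyped password shows why the threshold and window matter: without them every failed logon would page someone.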