At a glance.
- Iranian surveillance operations.
- A look at the stolen payment card market.
- DHL impersonation campaign.
Iranian surveillance operations.
Bitdefender describes a spyware campaign that appears to be targeting Iranian citizens. The spyware is distributed via the Trojanized installer of a VPN used by Iranians to bypass the nation's Internet restrictions:
"Due to EyeSpy’s capabilities, user privacy is seriously affected. The malware steals sensitive information from an infected system, like stored passwords, crypto-wallet data, documents and images, contents from clipboard, and logs key presses. This can lead to complete account takeovers, identity theft and financial loss. Moreover, by logging keypresses, attackers can obtain messages typed by the victim on social media or e-mail, and this information can be used to blackmail the victims."
In a separate story, the University of Toronto's Citizen Lab has analyzed leaked documents that appear to outline Tehran's plans to set up an Iranian mobile network with an integrated lawful intercept solution:
"The surveillance and censorship capabilities resulting from this level of integration with mobile service providers cannot be understated. Because Iranian authorities would receive information from all mobile service providers, they would have deep visibility into all services used, who is communicating with whom, for how long, how often, and where. They could also identify the current phone numbers used in certain geographic areas based on CellID or street address. This information could be used to decide who, what, and when to place restrictions or make changes to a user’s mobile service plan, such as the user’s social community or the location of political demonstrations. They could also view extensive personally identifiable details when users sign up for mobile services."
Citizen Lab found references to companies based in the UK, Canada, and Russia that appeared to be interested in assisting with the project, but the British and Canadian companies have denied these allegations.
A look at the stolen payment card market.
Recorded Future's Insikt Group observed a 62% drop in card-present payment card records posted to the dark web over the course of 2022. Likewise, card-not-present records dropped by 24% last year compared to 2021. The researchers believe this is due to Russia's crackdown on cybercrime within the country at the beginning of 2022, as well as its invasion of Ukraine in February. The researchers state:
"It is highly likely that the war has significantly affected Russian and Ukrainian threat actors’ ability to engage in card fraud as a result of troop mobilization, refugee and voluntary migration, energy instability, inconsistent internet connectivity, and deteriorated server infrastructure. (Russian-occupied areas of the Donbas region of Ukraine were long suspected to have hosted cybercriminal server infrastructure.)"
DHL impersonation campaign.
Armorblox describes a phishing campaign that’s using phony shipping invoices that purport to come from DHL. The campaign targeted an organization in the education industry with more than 100,000 emails:
“The body of the email continues to impersonate the well-known brand, through the inclusion of the company logo and brand colors and signature pertaining to the DLP customer service department. The email looks like a notification from DHL, notifying recipients about a parcel sent by a customer that needed to be rerouted to the correct delivery address. The body of the email has one simple call to action for the recipient, to view the attached document and confirm the destination address of the parcel shipment.”
The email carries an Excel attachment which, when opened, displays a blurred-out preview of an invoice. The user is then prompted to enter their Microsoft account login credentials in order to view the invoice, which is how the credentials are harvested.