Source |
AlienVault Lab Blog |
Identifier |
8491736 |
Publication date |
2024-05-01 10:00:00 (viewed: 2024-05-01 10:07:13) |
Title |
Stories from the SOC – Combating “Security Alert” Scams |
Text |
Executive Summary
The “Security Alert” scam is a prevalent tech-support fraud that threatens both Windows and Apple users. It exploits the trust of users by masquerading as an official support site, using fake pop-up warnings to lure users into dialing scam phone numbers by conveying a sense of urgency. The ultimate goal is gaining remote access to the user’s system and pilfering personal data to extort money.
Combating a “Security Alert” scam is difficult on many fronts because most of the time attackers leverage newly registered domains, which means there is a lack of malicious OSINT (open-source intelligence), and they are able to bypass traditional detection methods. To gain remote access, attackers need the end user to call into a fraudulent support team to install a Remote Desktop Protocol (RDP) tool. An endpoint detection and response (EDR) tool might not catch the initial intrusion as such tools are also used for legitimate business reasons. The most successful way to combat phishing/scams is by end-user education and communication with the IT department.
In a recent incident, a fake “Microsoft Security Alert” domain targeted one of our Managed Endpoint Security with SentinelOne customers, causing alarm for the end users and IT staff, but fortunately, the end user did not fall into the trap of calling the fraudulent number.
The customer immediately contacted their assigned Threat Hunter for support and guidance, and the Threat Hunter was able to quickly utilize the security measures in place, locate multiple domains, and report them to the Alien Labs threat intelligence team.
AT&T Cybersecurity was one of the first cybersecurity companies to alert on the domains and share the information via the Open Threat Exchange (OTX) threat intelligence sharing community, helping other organizations protect against it.
Investigation
Initial Alarm Review
Indicators of Compromise (IOCs)
The initial security layers failed to raise alarms for several reasons. First, the firewalls did not block the domain because it was newly registered and therefore not yet on any known block lists. Second, the platform did not create any alarms because the domain’s SSL certificates were properly configured. Finally, the EDR tool did not alert because no downloads were initiated from the website. The first indication of an issue came from an end user who feared a hack and reported it to the internal IT team.
Utilizing the information provided by the end user, the Threat Hunter was able to locate the user’s asset. Sniffing the URL data revealed a deceptive “Microsoft Security Alert” domain and a counterfeit McAfee website. These were detected largely because of improvements recommended during the customer’s monthly meetings with the Threat Hunter, including a recommendation to activate the SentinelOne Deep Visibility browser extension, which is the tool that was instrumental in capturing URL information with greater accuracy after all the redirects.
Figure 1 – Fake Microsoft Support page
Figure 2 – Fake McAfee page
Artifact | Indicator of Compromise (IOC)
Fake McAfee page | bavareafastrak[.]org
Website hosting scam pages | Galaxytracke[.]com
Zip file hash | Tizer.zip - 43fb8fb69d5cbb8d8651af075059a8d96735a0d5
Figure 3 – Indicators of compromise
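The gap described above (a newly registered domain that is on no blocklist, has a valid certificate and triggers no download) and the IOCs in Figure 3 can be worked into a small defender-side triage step over captured browser URL events. This is an added example, not code from the blog or from SentinelOne/AT&T; the URL events, the legitimate first hop and the registration dates are constructed stand-ins for what a browser extension and a WHOIS/RDAP lookup would supply.

```python
from datetime import date
from urllib.parse import urlparse

# Domains from the blog's Figure 3, written defanged ([.]) as the blog does.
KNOWN_IOC_DOMAINS = {d.lower() for d in ("bavareafastrak[.]org", "Galaxytracke[.]com")}

# Constructed sample: one user's browser URL events in time order, as a
# Deep Visibility style extension would capture them through each redirect.
# The news site is invented; the two scam domains are the blog's IOCs.
SAMPLE_EVENTS = [
    ("2024-04-10T09:12:01", "https://news.example.net/article/123"),
    ("2024-04-10T09:12:03", "https://galaxytracke.com/go?id=77"),
    ("2024-04-10T09:12:04", "https://bavareafastrak.org/alert/ms-support.html"),
]

# Constructed registration dates standing in for a WHOIS/RDAP lookup
# (assumption: a real pipeline queries the registry; these are not from the blog).
REGISTRATION_DATES = {
    "news.example.net": date(2015, 6, 1),
    "galaxytracke.com": date(2024, 3, 28),
    "bavareafastrak.org": date(2024, 4, 2),
}
SAMPLE_TODAY = date(2024, 4, 10)  # constructed investigation date

def defang(domain: str) -> str:
    """Write a domain the way the IOC list does, so reports are not clickable."""
    return domain.replace(".", "[.]")

def redirect_chain(events):
    """Collapse ordered URL events into the list of distinct hosts visited."""
    chain = []
    for _, url in events:
        host = urlparse(url).hostname
        if host and (not chain or chain[-1] != host):
            chain.append(host)
    return chain

def triage(events, reg_dates, today, max_age_days=30):
    """Flag hosts a blocklist would miss because they are new, plus known IOCs.
    Returns {defanged_host: [reasons]} for every host that deserves a look."""
    findings = {}
    for host in redirect_chain(events):
        reasons = []
        registered = reg_dates.get(host)
        if registered is None:
            reasons.append("no registration data")
        elif (today - registered).days <= max_age_days:
            reasons.append(f"registered {(today - registered).days} days ago")
        if defang(host) in KNOWN_IOC_DOMAINS:
            reasons.append("matches OTX/Alien Labs IOC")
        if reasons:
            findings[defang(host)] = reasons
    return findings

def run_sample():
    return triage(SAMPLE_EVENTS, REGISTRATION_DATES, SAMPLE_TODAY)
```

The domain-age check is what catches the case the firewall missed; the IOC match only works once the domains have been shared, which is why the blog stresses publishing them to OTX promptly.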
Expanded Investigation
Events Search
With the understanding that the e |
Notes |
★★
|
Sent |
Yes |
Tags |
Hack
Tool
Threat
|
Stories |
|
Move |
|