Credentials are posted to the Telegram API and the user is redirected. (Source: Cofense)
A recently discovered phishing campaign attempted to steal victims credentials by abusing the Telegram messaging app s API to create malicious domains that help bypass security tools such as secure email gateways, according to researchers at security firm Cofense.
This particular phishing attack appeared active in mid-December 2020 and has since stopped. The targets of these malicious emails mainly worked in the U.K. financial services sector, Cofense notes.
While the Telegram application offers secure, encrypted communication channels for its users, the Cofense report notes that the service also offers API options that can allow users to create programs that use the app s messages for an interface. In this case, the fraudsters used the APIs to create realistic-looking phishing domains that bypassed security tools.
Diagram shows how a second wave of Gitpaste-12 attacks targets vulnerable devices. (Source: Juniper Threat Labs)
A previously documented cryptomining worm dubbed Gitpaste-12 has returned with a wide-ranging series of attacks targeting web applications and IoT devices that exploit at least 31 vulnerabilities, according to a Juniper Threat Labs.
The botnet, which was uncovered in October by Juniper researchers, originally targeted vulnerable Linux applications as well as IoT devices, according to the report. The operators behind Gitpaste-12 were also using legitimate services, such as GitHub and Pastebin, to help hide the malware s infrastructure (see:
The initial wave of Gitpaste-12 attacks started in July but was not uncovered until October, when the GitHub repository that was hosting the bulk of the worm s payloads was removed. On Nov. 10, the Juniper researchers discovered a second round of attacks had started, according to the report.
The worm returned in recent attacks against web applications, IP cameras and routers.
The Gitpaste-12 worm has returned in new attacks targeting web applications, IP cameras and routers, this time with an expanded set of exploits for initially compromising devices.
First discovered in a round of late-October attacks that targeted Linux-based servers and internet-of-things (IoT) devices, the botnet utilizes GitHub and Pastebin for housing malicious component code, has at least 12 different attack modules and includes a cryptominer that targets the Monero cryptocurrency.
Click to register.
Now, researchers have uncovered a new slew of attacks by the malware, starting on Nov. 10, which used a different GitHub repository to target web applications, IP cameras, routers and more. The campaign was shut down on Oct. 27 after the GitHub repository hosting the worm’s payloads was removed.