The threat actors begin by submitting a contact us form via a vendor or company’s website using a spoofed company and identity. The characteristics of the attacks that zvelo has seen in the last few weeks are consistent with the same tactics, techniques, and procedures ( TTPs ) that were originally observed by TAG. ![]() EXOTIC LILY operates by spoofing legitimate companies and employees as a means of gaining trust of targeted organizations, using legitimate file-sharing services like Smash and WeTransfer to evade malicious detection tools and deliver their payload disguised as business requirements or proposals. In September of 2021, Google Threat Analysis Group (TAG) began observing Bumblebee malware and identified EXOTIC LILY as the threat actor.įinancially motivated, EXOTIC LILY operates as an Initial Access Broker (IAB) and has been associated with data exfiltration and human-operated ransomware, including Conti and Diavol. Bumblebee is distributed by phishing email campaigns recently observed masquerading as a Product Requirement Document (PRD) or a Request for Proposal (RFP). Bumblebee Threat Overview and Attack Characteristicsīumblebee is a stealthy malware loader that is not easily detected by antivirus vendors because it often can install itself in memory without touching the disk which then allows additional malware to be installed such as ransomware or Cobalt Strike. As a follow up to that post, we wanted to share a couple of additional recent examples showing how attackers are using the file sharing sites WeTransfer and Smash to distribute Bumblebee malware via sales Request For Proposals (RFPs). One of the posts from January featured several basic social engineering attack examples. You can try marking it as spam in your email app, but the email domains used by the fraudsters change so quickly that it’s unlikely to have any effect.Over the last couple of months, we have been sharing blog posts on the topic of social engineering with the intent to help raise awareness about the increasingly sneaky tactics attackers are using. What should I do with a fake WeTransfer email? If you’re not expecting a WeTransfer message, it’s normally best to ignore it. Again, the sender address is the strongest clue that it is genuine, although even they can be spoofed, so don’t rely on that alone. It looks pretty similar to that faked message and you can see why people are caught out. What does a genuine WeTransfer email look like?Īt the time of writing in August 2022, a genuine WeTransfer email looks like this: ‘Invoice’ or ‘Your receipt’ are other common traps. The fraudsters are trying to con you into thinking someone has placed an order using your or your company’s account details. ![]() The list of files you’re being invited to click on includes ‘Purchase Order’ and ‘List of items’. Mistakes like this are a warning bell that something isn’t right.ģ. The brand name is WeTransfer, with a capital W and T. ![]() It says “You have received some files via wetransfer”. Look again at the full email shown above. That’s clearly not coming from WeTransfer. Although the sender of this email is called ‘WeTransfer’, when I click on that sender’s name it reveals the sender’s email address is actually, as shown below. ![]() Most email apps hide the actual address, so you may have to click on the sender’s name to reveal the full email address. The first thing to check is the sender’s address. There are a few telltale signs that a WeTransfer email, such as the one shown above, is a scam.ġ. We’re going to show you how to spot a fake WeTransfer email. However, the service is also a common target for fraudsters, who create fake WeTransfer emails to get people to click on malicious links. WeTransfer is a great way to send large files to people via email.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |