Wipro intruders target other major IT companies – Krebs on Security




The crooks responsible for launching the phishing campaigns that netted dozens of employees and more than 100 computer systems last month at Wipro, India's third-largest IT outsourcing firm, also appear to have targeted a number of competing providers, including Infosys and Cognizant, new evidence suggests. The clues so far point to the work of a fairly experienced crime group that focuses on gift card fraud.

On Monday, KrebsOnSecurity broke the news that multiple sources were reporting a cybersecurity breach at Wipro, a major and trusted provider of IT outsourcing for U.S. companies. The story cited reports from several anonymous sources who said Wipro's trusted networks and systems were being used to launch cyberattacks against the company's customers.

In a follow-up story on Wednesday about the tone-deaf nature of Wipro's public response to the incident, KrebsOnSecurity published a list of indicators of compromise, or IoCs, which point to the tactics, tools and procedures used by the attackers in a successful attack or intrusion.

If we examine the subdomains of just one of the malicious domains named in the IoC list (internal-message[.]app), we find that all of them resolve to a very interesting Internet address: 185.159.83[.]24. That address is owned by King Servers, a well-known bulletproof hosting company based in Russia.

According to records maintained by Farsight Security, this address hosts a number of other likely phishing domains:

securemail.pcm.com.internal-Message[.]app
secure.wipro.com.internal-Message[.]app
securemail.wipro.com.internal-Message[.]app
secure.elavon.com.internal-Message[.]app
securemail.slalom.com.internal-Message[.]app
securemail.avanade.com.internal-Message[.]app
securemail.infosys.com.internal-Message[.]app
securemail.searshc.com.internal-Message[.]app
securemail.capgemini.com.internal-Message[.]app
securemail.cognizant.com.internal-Message[.]app
secure.rackspace.com.internal-Message[.]app
securemail.virginpulse.com.internal-Message[.]app
secure.expediagroup.com.internal-Message[.]app
securemail.greendotcorp.com.internal-Message[.]app
secure.bridge2solutions.com.internal-Message[.]app
ns1.internal-Message[.]app
ns2.internal-Message[.]app
mail.internal-Message[.]app
ns3.microsoftonline-secure-login[.]com
ns4.microsoftonline-secure-login[.]com
tashabsolutions[.]xyz
www.tashabsolutions[.]xyz

The subdomains listed above suggest the attackers may also have targeted U.S. retailer Sears; Green Dot, the world's largest prepaid card vendor; payment processor Elavon; hosting firm Rackspace; business consulting firm Avanade; IT provider PCM; and French consulting firm Capgemini, among others. KrebsOnSecurity has reached out to all of these companies for comment and will update this story in the event any of them respond with relevant information.
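The hostnames above all follow one pattern: a real corporate domain (wipro.com, infosys.com, ...) planted as a subdomain label sequence beneath an attacker-controlled parent. The script below is an added detection example, not code from the article or from any company it names: it refangs the page's indicators, derives the attacker-controlled parent domains from them, and then scans constructed DNS log lines for queries that either hit a known bad parent or embed a watched corporate domain under some other parent. The watch-list, the log line format and the `evil-example.test` domain are all constructed for the example.

```python
import re

# Corporate domains we want to be alerted about when they appear *inside* another
# domain. Constructed watch-list, taken from brands named in the article.
WATCHED = {"wipro.com", "infosys.com", "cognizant.com", "capgemini.com"}

def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 'wipro.com.internal-Message[.]app' into a hostname."""
    return ioc.replace("[.]", ".").replace("(.)", ".").strip().lower()

def parent_domain(host: str) -> str:
    """Registrable parent = last two labels. Assumption: no multi-label suffixes (e.g. co.uk)."""
    return ".".join(host.split(".")[-2:])

# Attacker parents derived from three indicators copied from the article's list.
PAGE_IOCS = ["securemail.wipro.com.internal-Message[.]app",
             "ns3.microsoftonline-secure-login[.]com",
             "www.tashabsolutions[.]xyz"]
KNOWN_BAD_PARENTS = {parent_domain(refang(i)) for i in PAGE_IOCS}

def embedded_brand(host: str):
    """Return a watched domain that appears as a subdomain of some *other* parent,
    e.g. 'securemail.wipro.com.internal-message.app' -> 'wipro.com'.
    'secure.wipro.com' returns None because wipro.com is the real parent there."""
    labels = host.split(".")
    for i in range(len(labels) - 2):          # stop before the final two labels (the parent)
        candidate = ".".join(labels[i:i + 2])
        if candidate in WATCHED:
            return candidate
    return None

# Constructed resolver log format: "<timestamp> <client-ip> query <qname>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)$")

def scan_dns_log(lines):
    """Return (hostname, reason) pairs for suspicious queries, in log order."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        host = m["qname"].rstrip(".").lower()
        parent = parent_domain(host)
        brand = embedded_brand(host)
        if parent in KNOWN_BAD_PARENTS:
            hits.append((host, "known-bad-parent:" + parent))
        elif brand:
            hits.append((host, "brand-as-subdomain:" + brand))
    return hits

# Constructed sample log: one known IoC, one legitimate lookup, one new lookalike, one benign.
SAMPLE_LOG = """\
2019-04-15T09:01:02Z 10.1.2.3 query securemail.wipro.com.internal-Message.app.
2019-04-15T09:01:05Z 10.1.2.3 query secure.wipro.com.
2019-04-15T09:02:10Z 10.1.2.9 query securemail.infosys.com.evil-example.test.
2019-04-15T09:03:00Z 10.1.2.9 query www.google.com.""".splitlines()
```

The second rule is the useful one: it catches a fresh phishing host on a parent domain that has not yet appeared in any IoC list, which is exactly the gap the article's VirusTotal observation points at.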

WHAT ARE THEY AFTER?

It appears the attackers in this case are targeting companies that, in one form or another, have access to a great deal of third-party company resources, and/or companies that can be abused to conduct gift card fraud.

Wednesday's follow-up on the Wipro breach quoted an anonymous source close to the investigation saying the criminals responsible for breaching Wipro appeared to be after anything they could turn into cash fairly quickly. That source, who works for a large U.S. retailer, said the crooks who broke into Wipro had used their access to perpetrate gift card fraud at the retailer's stores.

Another source said the investigation into the Wipro breach by a third-party company had determined so far that the intruders compromised more than 100 Wipro systems and installed on each of them ScreenConnect, a legitimate remote access tool. Investigators believe the intruders used the ScreenConnect software on the hacked Wipro systems to connect remotely to Wipro client systems, which were then used to gain further access into Wipro customer networks.

This is remarkably similar to activity in 2016 and 2017 against Cognizant, one of Wipro's competitors and likely a target of the same attackers. In May 2018, Maritz Holdings Inc., a Missouri-based company that runs customer loyalty and gift card programs for third parties, sued Cognizant (PDF), alleging that an investigation had revealed that hackers had broken into Cognizant's systems and used them to pivot attacks into Maritz's loyalty program, netting more than $11 million in fraudulent eGift cards.

That investigation found the attackers also used ScreenConnect to access computers belonging to Maritz employees. "It was the same tool used in the spring 2016 cyberattack. Intersec [the forensic investigator] also determined that the attackers had been searching the Maritz system for certain words and phrases related to the spring 2016 attack."

According to the lawsuit filed by Maritz Holdings, the investigators also determined that the "attackers had access to the Maritz system with the help of accounts registered to Cognizant. For example, in April 2017, a person using a Cognizant account used a 'hacking' program to bypass the cyber-protections that Maritz had installed several weeks earlier."

Maritz stated that its forensic investigator had discovered that the attackers had searched the Maritz system for certain words and phrases related to the spring 2016 eGift card theft. Similarly, my retailer source in the Wipro breach told KrebsOnSecurity that the attackers who had defrauded them had also searched the retailer's systems for specific phrases about gift cards and for clues about the security systems the retailer used.

It is unclear whether the work of these hackers is tied to a specific, known threat group. But it seems likely that the crooks who hit Wipro have been targeting similar businesses for some time, and with some success in translating their access into cash, given the statements of my sources in the Wipro breach and this lawsuit against Cognizant.

What is remarkable is that many antivirus vendors still do not flag as malicious many of the Internet addresses and domains listed in the IoCs, as evidenced by a search on virustotal.com.



Tags: Avanade, Capgemini, Elavon, Green Dot, King Servers, Maritz Holdings Inc., PCM, Rackspace, ScreenConnect, Sears, Virustotal.com, Wipro Data Breach

This entry was posted on Thursday, April 18th, 2019 at 1:42 pm and is filed under A Little Sunshine, Breadcrumbs.
