Cybercriminals have once again abused a crisis to profit from in appalling techniques that are worryingly successful. Relief donation scams rely on targeting people’s emotions and luring them into donating their money before or without any prior due diligence.
According to Bleeping Computer, multiple scams are running on Twitter and abusing legitimate platforms like PayPal’s fundraising pages to create convincing scam websites and collect proceeds from donors hoping to aid earthquake victims. One of the scams, for example, touts itself to be a “Turkey Earthquake Relief” fundraiser on Twitter. To lend itself some credibility, the account persistently retweets updates from established news outlets and government officials. The fake Twitter account has since been suspended, although the PayPal fundraising page is still up at the time of our analysis. The very moving images and stories entice people to forget their usual ways in which they would normally spot a fraudulent site. As genuine fundraising sites or social pages are often made quickly, typical scam sites are easy to recreate and look similar with low follower numbers or even include errors on the sites. Although cryptocurrencies may be a red flag in ways to donate, when coupled with legitimate financial sites like PayPal it can be all the more convincing. Therefore, donations must be carefully given to well-established charities and checking the online register to donate safely.
Threat actors have also once again been able to hack company information by simply using a clever phishing email and website to lure an employee into divulging sensitive credentials. According to Bleeping Computer, Reddit suffered a cyberattack Sunday evening, allowing hackers to access internal business systems and steal internal documents and source code. The company says the hackers used a phishing lure targeting Reddit employees with a landing page impersonating its intranet site. This site attempted to steal employees’ credentials and two-factor authentication tokens. After one employee fell victim to the phishing attack, the threat actor was able to breach internal Reddit systems to steal data and source code. Reddit says they learned of the breach after the employee self-reported the incident to the company’s security team. Cases like these emphasise the sheer importance of making employees wholly aware of the persistent attempts from criminal groups and the potential outcome when data is accessed. Even with two-factor authentication in place with the use of security keys or authenticator apps, criminal hackers are on hand to attack in the given short time frame of opportunity when the chance arises. Not only is staff training key in mitigating the problem, but it is also an essential reminder to only give access to important files to those who absolutely need them.
ESET Ireland 