MSP cybersecurity news digest, November 6, 2024

LastPass customer support scam uses ConnectWise ScreenConnect agent to steal customer data

LastPass has warned users of an ongoing scam campaign where fake customer support numbers are promoted in five-star reviews for its Chrome extension. These reviews direct users to call a specific number, 805-206-2892, which connects them to scammers posing as LastPass support.

When users call, the scammers instruct them to visit a fake support site (dghelp[.]top) and enter a code to download a remote support tool (ConnectWise ScreenConnect agent), giving scammers access to their computers. This access allows attackers to control devices, steal data and install additional malware.

Researchers found that this number is used for similar scams involving companies like Amazon, Facebook and PayPal, indicating a larger fraud campaign. LastPass reminds users never to share their master passwords with anyone, even customer support.

Cyberattack strikes Free, France’s second-largest telecom company

French ISP Free confirmed a breach, reporting that attackers accessed subscriber personal data. With over 22.9 million subscribers, Free is France's second-largest telecom provider and part of the Iliad Group.

The company filed a criminal complaint and notified the French National Commission for Information Technology and Civil Liberties (CNIL) and the National Agency for the Security of Information Systems (ANSSI). Free stated that passwords, bank card data and communications were not accessed, and affected customers have been or will be notified via email.

The stolen data, reportedly affecting 19.2 million customers, is now for sale on BreachForums, with the attacker claiming it includes IBANs of certain fixed subscribers. Free reassured customers that stolen IBANs alone are insufficient for direct debit and advised vigilance against phishing attempts.

Facebook accounts hijacked using Meta’s ad platform in malvertising campaign

Researchers have identified an active malvertising campaign using Meta’s ad platform and compromised Facebook accounts to spread the SYS01stealer malware. This campaign relies on trusted brands and nearly a hundred malicious domains for both malware distribution and real-time command and control (C2).

SYS01stealer, first documented in early 2023, primarily targets Facebook business accounts, aiming to steal login credentials, browsing history, and cookies, as well as Facebook ad and business data. Hijacked accounts are then used to promote additional malicious ads, increasing the malware’s reach without creating new accounts. Ads are distributed across Facebook, YouTube and LinkedIn, often promoting games, AI software and streaming services, and primarily target men aged 45 and above.

The malware uses sophisticated techniques to avoid detection, such as sandbox checks and updating its code to bypass security measures when flagged.

You’re invited: Phishing campaign abuses Eventbrite to steal personal and financial information

In a recent phishing campaign, attackers are misusing Eventbrite’s services to steal personal and financial information. Eventbrite’s platform, which hosts over five million events annually and is trusted by millions of users, has become a new channel for these phishing attacks, which have surged by 900%.

Researchers have intercepted thousands of phishing emails targeting individuals and organizations worldwide, impersonating brands like banks, airlines and postal services.

These phishing emails, sent from “noreply@events.eventbrite.com,” appear as legitimate event notifications, urging recipients to take actions like resetting a PIN or verifying an address. By using Eventbrite’s verified domain, attackers bypass email filters, making recipients more likely to click malicious links. When victims follow these links, they are led to fake websites where they’re asked for sensitive details, completing the phishing scam.
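A defender-side triage check for the pattern described above, added here as an example and not part of the original digest: because the sender address is genuine, the heuristic instead looks for the combination of lure phrasing (PIN reset, address verification) and a link that leaves the Eventbrite domain. The trusted-host list, the lure patterns and both sample messages are assumptions constructed for this example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Hosts a genuine Eventbrite notification is expected to link to (assumption).
TRUSTED_HOSTS = ("eventbrite.com",)
# Lure phrasing taken from the campaign description: PIN resets and address checks.
LURE_PATTERNS = (r"reset\s+your\s+pin", r"verify\s+your\s+address")

# Constructed samples modelled on the campaign; not real messages.
PHISH_SAMPLE = """\
From: noreply@events.eventbrite.com
Subject: Action required for your account

Your parcel is on hold. Please verify your address and reset your PIN here:
https://parcel-verify.example.invalid/confirm
Event details: https://www.eventbrite.com/e/0000
"""
BENIGN_SAMPLE = """\
From: noreply@events.eventbrite.com
Subject: Reminder: your event is tomorrow

Doors open at 18:00. Tickets: https://www.eventbrite.com/e/0000
"""

def extract_links(text):
    """Return every http(s) URL found in the message body."""
    return re.findall(r"https?://[^\s<>\"']+", text)

def host_is_trusted(url):
    """True if the URL's host is a trusted host or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def triage(raw_message):
    """Flag a notification that pairs lure phrasing with an off-platform link."""
    msg = message_from_string(raw_message)
    sender = msg.get("From", "").strip().lower()
    body = msg.get_payload() if not msg.is_multipart() else ""  # plain-text only
    external = [u for u in extract_links(body) if not host_is_trusted(u)]
    lures = [p for p in LURE_PATTERNS if re.search(p, body, re.IGNORECASE)]
    from_eventbrite = sender.endswith("@events.eventbrite.com")
    return {
        "from_eventbrite": from_eventbrite,
        "lures": lures,
        "external_links": external,
        # A verified sender address alone is never treated as proof of legitimacy.
        "suspicious": from_eventbrite and bool(lures) and bool(external),
    }
```

Running `triage(PHISH_SAMPLE)` flags the constructed lure, while `triage(BENIGN_SAMPLE)`, which only links back to eventbrite.com, is left alone.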

German pharmaceutical wholesaler AEP hit with ransomware, jeopardizing medicine supplies

AEP, a German pharmaceutical wholesaler in Bavaria, has reported a ransomware attack that could impact medicine supply to thousands of pharmacies.

The company described the attack as "targeted and criminal," leading to partial encryption of its IT systems. After detecting the attack, AEP took protective measures, disconnecting external connections and shutting down affected systems.

AEP, which supplies over 6,000 pharmacies in Germany, stated that pharmacies can source medicine from other wholesalers to mitigate disruptions, as noted by the Bavarian Pharmacists Association. The Bavarian State Criminal Police are investigating the incident, and AEP is working with cyber experts to restore operations. Currently, AEP’s phone lines are down, and it has limited email access.