Email Spam Campaign Targets U.S. Retail, Restaurant Sectors

A cybercriminal group has launched a malware campaign via personalized spear-phishing emails against large retail, restaurant and grocery chains in the United States, as well as against other organizations from the food and beverage industries.

The spam campaigns, which distributed several Trojans including Remote Manipulator System (RMS) and FlawedAmmyy, were attributed by researchers from Proofpoint to a known group tracked as TA505. This group has been responsible for the largest Dridex banking Trojan and Locky ransomware campaigns of the past two years and is generally known for sending large volumes of spam indiscriminately to victims.

However, these latest campaigns against the retail industry, which started around Nov. 15, were marked by a change in tactics.

“Each intended target received a personalized attachment, a technique that TA505 has not previously used and that remains unusual at this scale,” the Proofpoint researchers said in their report.

The emails were crafted to appear as if they were sent from a Ricoh printer and to contain a scanned document. The attached documents were unique for every targeted company and even contained each company's logo.

The documents contained malicious macros and instructed victims to enable their execution. If the victim complied, the macro code downloaded and executed an .msi installer package that installed the Trojan.
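The check a mail gateway would want to run on such an attachment is whether a file presented as a "scan" is actually a macro-enabled Office document. The script below is an added example (not code from the article or from Proofpoint) that inspects the raw attachment bytes: an OOXML package (.docx/.docm/.xlsm) is a ZIP whose [Content_Types].xml declares a vbaProject part when macros are present, while a legacy OLE .doc cannot be inspected without an OLE parser and is escalated instead. The quarantine policy, the filename regex and the sample packages are assumptions constructed for the demo.

```python
import io
import re
import zipfile

# Standard OOXML content-type markers for VBA; the policy built on them is ours.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-office.vbaProject",
    "macroEnabled.main+xml",
)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls container


def triage_attachment(data: bytes) -> dict:
    """Classify an attachment body before delivery.

    Returns {'kind': ooxml|ole|other, 'has_macros': True|False|None};
    None means the format cannot be inspected by this function.
    """
    if data.startswith(OLE_MAGIC):
        # Legacy Office file: macros live in OLE streams; needs an OLE parser
        # (e.g. oletools) to inspect, so report 'unknown' and let policy decide.
        return {"kind": "ole", "has_macros": None}
    if not data.startswith(b"PK\x03\x04"):
        return {"kind": "other", "has_macros": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if "[Content_Types].xml" not in names:
                return {"kind": "other", "has_macros": False}
            content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return {"kind": "other", "has_macros": False}
    has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
    flagged_type = any(ct in content_types for ct in MACRO_CONTENT_TYPES)
    return {"kind": "ooxml", "has_macros": has_vba_part or flagged_type}


def should_quarantine(filename: str, data: bytes) -> bool:
    """Hypothetical gateway policy: hold anything carrying VBA; hold an
    uninspectable legacy file only if its name matches the scanner lure."""
    verdict = triage_attachment(data)
    if verdict["has_macros"]:
        return True
    if verdict["has_macros"] is None:
        return re.search(r"scan|ricoh|mfp", filename, re.IGNORECASE) is not None
    return False


def build_sample_docx(with_macros: bool) -> bytes:
    """Constructed minimal OOXML package (not a real Word file) used as test input."""
    main_ct = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if with_macros
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    if with_macros:
        overrides += (
            '<Override PartName="/word/vbaProject.bin" '
            'ContentType="application/vnd.ms-office.vbaProject"/>'
        )
    types_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f"{overrides}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", types_xml)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00" * 64)  # placeholder, not real VBA
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("Scan_from_Ricoh.docm", build_sample_docx(True)),
                       ("invoice.docx", build_sample_docx(False)),
                       ("Scan_0042.doc", OLE_MAGIC + b"\x00" * 16)]:
        print(name, triage_attachment(blob), "quarantine" if should_quarantine(name, blob) else "deliver")
```

The content-type check matters as much as the file-name check: renaming a .docm to .docx does not change the package's declared content types, so the inspection is done on bytes, not on the extension the sender chose.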

“TA505 has helped shape the threat landscape for years, largely because of the massive volumes associated with their campaigns through the end of 2017,” the Proofpoint researchers said. “When this group changes tactics, it tends to correspond to broader shifts and, throughout the year, we have seen both TA505 and a number of other actors focus on downloaders, RATs, information stealers, and banking Trojans, often in smaller, more targeted campaigns. Threat actors follow the money and, with dropping cryptocurrency values, the return on investment in better targeting, improved social engineering, and management of persistent infections now seems to be greater than that for large ‘smash and grab’ ransomware campaigns.”

Companies from the retail, hospitality and food and beverage industries are popular targets, especially over the holiday season when their business is at a peak and they handle a lot of payment data.

Botnet of 20,000 WordPress Sites Used to Attack Other Websites

A group of hackers controls a botnet made up of around 20,000 infected WordPress websites and is using it to launch brute-force credential-guessing attacks against other WordPress sites.

According to researchers from security firm Defiant, the hacker group controls the botnet through four command-and-control servers that route their commands through 14,000 proxy servers provided by a Russian proxy service.

The commands instruct brute-force scripts running on the compromised sites to make authentication attempts via the XML-RPC interface of other WordPress sites. The scripts use wordlists with common passwords but also generate password combinations dynamically based on common patterns.

The WordPress XML-RPC interface has been targeted in large-scale brute-force attacks in the past because its system.multicall method allowed attackers to pass multiple username/password combinations in a single request. That behavior was quietly changed in WordPress 4.4 to make such attacks more difficult: the interface now stops testing user/password pairs after the first login failure in a request.

However, according to the Defiant researchers, this change was not backported to older WordPress branches that may still receive security updates. In any case, the attackers appear to be aware of the mitigation and have limited their scripts to trying only one user/password combination per request.
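To make the multicall amplification and the 4.4 mitigation concrete, here is an added example (not code from the article, from Defiant or from WordPress) that builds the system.multicall body a brute-force script would POST to /xmlrpc.php and then handles it with both server behaviours: the old one, which checks every pair, and one modelled on the 4.4 change, which rejects every remaining login in the request once one has failed. The credential store, the fault strings and the wp.getUsersBlogs response shape are assumptions for the demo.

```python
import xmlrpc.client

# Constructed credential store for the demo; a real site compares a password hash.
USERS = {"admin": "correct horse battery staple"}


def build_multicall(pairs):
    """Attacker side: one wp.getUsersBlogs call per guessed (username, password)
    wrapped in a single system.multicall request body."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [u, p]} for u, p in pairs]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def handle_multicall(body, stop_after_first_failure):
    """Server side. Returns (per-call results, number of pairs actually checked).

    With stop_after_first_failure=False every pair is authenticated (pre-4.4).
    With it True, the first failed login poisons the rest of the request: the
    remaining calls get the same fault without being checked (4.4 behaviour).
    Faults are structs; successes are one-element lists, as in XML-RPC multicall.
    """
    params, method = xmlrpc.client.loads(body)
    if method != "system.multicall":
        raise ValueError("expected system.multicall")
    fault = {"faultCode": 403, "faultString": "Incorrect username or password."}
    results, checked, auth_failed = [], 0, False
    for call in params[0]:
        username, password = call["params"][:2]
        if stop_after_first_failure and auth_failed:
            results.append(dict(fault))
            continue
        checked += 1
        if USERS.get(username) == password:
            results.append([[{"blogName": "example", "isAdmin": True}]])
        else:
            auth_failed = True
            results.append(dict(fault))
    return results, checked


def successful_pairs(pairs, results):
    """Attacker side: which guesses came back without a fault struct."""
    return [pair for pair, r in zip(pairs, results) if not isinstance(r, dict)]


if __name__ == "__main__":
    guesses = [("admin", "password"), ("admin", "admin123"),
               ("admin", "correct horse battery staple"), ("admin", "letmein")]
    body = build_multicall(guesses)
    for label, stop in (("pre-4.4", False), ("4.4+", True)):
        results, checked = handle_multicall(body, stop_after_first_failure=stop)
        print(label, "checked", checked, "of", len(guesses), "found", successful_pairs(guesses, results))
```

Under the old behaviour one HTTP request tests all four guesses and finds the valid one; under the 4.4 behaviour only the first guess is ever checked, so the valid password buried later in the same request is never tried. That is exactly why the botnet described above sends one pair per request: the mitigation removes the amplification, not the attack, and the cost moves to the number of requests, which 14,000 proxies can absorb.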

Most of the “slave” websites used in the attacks are hosted by popular web hosting providers. The Defiant team has contacted some of the service providers to notify them about the compromised sites on their networks.

The company has also shared the results of its investigation into the command-and-control infrastructure with law enforcement agencies. The C&C servers are hosted in Romania, the Netherlands and Russia.

WordPress site owners should use web application firewalls or plug-ins that rate-limit failed login attempts and automatically blacklist abusive IP addresses. Because this botnet spreads its attempts across thousands of proxy addresses, per-IP limits alone may not catch it, so sites that do not need XML-RPC should also consider restricting access to xmlrpc.php. Site owners should also make sure they run the latest version of WordPress, which has all the security patches.
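The rate-limiting advice above translates into a small piece of detection logic. The following is an added example (not code from the article or from Defiant) that reads web server access-log lines in combined format, keeps a sliding window of xmlrpc.php POSTs per source IP, and flags any IP that exceeds a threshold inside the window. It also returns the total count of xmlrpc.php POSTs, because a botnet routed through many proxy addresses can keep every single IP under the per-IP threshold while the aggregate rate is clearly abnormal. The log lines, the threshold and the window are constructed for the demo; WordPress answers XML-RPC login failures with HTTP 200, so the status code is deliberately not used as a filter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def detect_xmlrpc_bruteforce(lines, per_ip_threshold=10, window_seconds=60):
    """Flag IPs with more than per_ip_threshold xmlrpc.php POSTs in any
    window_seconds span. Returns (flagged_ips, total_xmlrpc_posts); the total
    lets a defender notice a distributed spray where no single IP trips."""
    recent = defaultdict(deque)   # ip -> timestamps of recent xmlrpc POSTs
    flagged = set()
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method != "POST" or not path.endswith("/xmlrpc.php"):
            continue
        total += 1
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > per_ip_threshold:
            flagged.add(ip)
    return flagged, total


def sample_log():
    """Constructed access-log lines: one noisy IP, four low-rate IPs, one unrelated GET."""
    line = ('{ip} - - [07/Dec/2018:10:00:{sec:02d} +0000] '
            '"POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"')
    lines = [line.format(ip="203.0.113.5", sec=s) for s in range(12)]
    for i, ip in enumerate(["198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"]):
        lines += [line.format(ip=ip, sec=20 + i) for _ in range(3)]
    lines.append('192.0.2.9 - - [07/Dec/2018:10:00:30 +0000] '
                 '"GET /wp-login.php HTTP/1.1" 200 2000 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    flagged, total = detect_xmlrpc_bruteforce(sample_log())
    print("flag for blocking:", sorted(flagged))
    print("xmlrpc.php POSTs in log:", total)
```

In the sample, only 203.0.113.5 is flagged even though the four other addresses together account for as many requests as a second noisy client would; that is the blind spot the aggregate counter is there to expose, and it is the same blind spot the 14,000-proxy setup exploits against per-IP blacklists.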

Lucian Constantin


Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
