Cyber Security Monitor: January 2026

Wouldn’t it be great if the government and internet service providers worked hand in hand to stop us from accidentally clicking on fraudulent websites in the first place? Our lead story shares details of how the UK government has done exactly that with the new Share and Defend service. There’s also good news from Microsoft, which has successfully stopped one of the world’s most popular phishing services.

In other news, we discuss how the UK is a prime target for Russian hackers because of its stance on Ukraine – this time, it’s public sector websites caught in the crosshairs.

And finally, we offer a quick overview of the trend of typosquatting and how a simple misspelling in a website URL could lead to serious malware infections.

UK government’s new cyber tool blocks one billion early-stage hacks


The UK government has successfully blocked almost one billion attempts to view malicious websites, along with early-stage attempts at cyber attacks by criminals. The National Cyber Security Centre’s Share and Defend service is run in partnership with internet provider BT.

The Share and Defend service aims to stop cyber crime by preventing the British public and businesses from accidentally visiting fraudulent websites, as well as blocking cyber criminals’ access to scam websites. It does this by sharing real-time data on fraudulent websites with internet service providers, who can then block people from viewing malicious content.

The service offers protection against some cyber crimes and cyber-enabled fraud, such as malicious links hidden in text messages or website URLs in phishing emails.

While this is a welcome move, it’s worth noting that the service currently only offers protection against some known threats and those considered dangerous by the NCSC and its partners. Not all cyber threats are known, and the NCSC has urged the public to stay alert for signs of fraud.

Microsoft catches phishing Raccoon

Microsoft has foiled one of the world’s fastest-growing phishing services by disrupting over 300 websites used by cyber criminals. RaccoonO365 is a globally popular cyber crime tool that offers subscription-based phishing kits. These kits allow even the most non-technical cyber criminals to steal Microsoft 365 usernames and passwords.

Microsoft’s Digital Crimes Unit (DCU) used a New York court order to seize websites and sabotage the criminals’ technical and operational infrastructure. The operation led to the identification of RaccoonO365’s ringleader – a Nigerian hacker named Joshua Ogundipe who is believed to have written a large part of the code for the tool. The gang is understood to have received at least US $100,000 in cryptocurrency payments.

Microsoft has called on all users to follow security best practices to avoid falling prey to phishing scams. They should:

  • Configure Microsoft Entra with heightened security
  • Use the Microsoft Authenticator app for MFA and passkeys
  • Bolster privileged accounts with phishing-resistant MFA
  • Supplement MFA with risk-based Conditional Access Policies

Read the full best practice list here.

Russian hacktivists target UK websites

A pro-Russian hacktivist group has admitted to targeting several British public sector websites in retaliation for the UK’s support of Ukraine. Internal investigations by the NMC Threat Intelligence Team (a unit within the Police Digital Service) have revealed a new wave of activity by pro-Russian groups.

NoName057(16) has claimed responsibility for launching denial-of-service attacks against many UK government and local authority website domains. Other Russian hacking groups, such as ServerKillers and DarkStormTeam, have also claimed attacks against councils, central government bodies and aviation websites.

The attacks appear to have ramped up since the news that the UK was considering unfreezing Russian finances and transferring them to Ukraine – a move seen as hostile by Russia.

The impact of the attacks has so far been limited to temporary service disruption. Government cyber security teams are monitoring the situation for further developments.

That simple typo could cost you – big time

Security researchers are warning of the increased use of typosquatting (or URL hijacking) as a popular hacker ploy. Cyber criminals register domain names that are common misspellings or variations of well-known, legitimate websites, or that look very similar to them. Think “Gogle.com” instead of “Google.com” or “get.activate.win” instead of “get.activated.win”. By leaving out just one letter in the latter example, hackers created a dubious replica of the Microsoft Activation Scripts (MAS) site, an unofficial, open-source website commonly used for its tools to help activate Windows and Office products.

The fake domain hosted a PowerShell script that installed malware called Cosmali Loader. This malware specialises in infecting systems with crypto mining software.

Security experts have warned about the dangers of using unofficial activation tools, because they are often hijacked by cyber criminals due to their weaker cyber security when compared to official sites.

They have further stressed the importance of supply chain security and user education when using open-source tools. If your organisation does have to use such tools, it’s important to ensure tight controls are in place, such as testing software in a sandbox environment first, as well as regular code integrity checks. Ensure that your users know how to verify sources and, if possible, avoid typing commands manually, as this can increase the likelihood of human error.
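The source-verification step can be partly automated. The following Python example is added here and is not from the original article: it compares a hostname against an allowlist of trusted domains and flags near-misses by edit distance, using the two misspellings quoted above as input. The allowlist, the distance threshold and the function names are assumptions for illustration.

```python
# Added example: flag hostnames that are near-misses of domains you trust.
# TRUSTED and MAX_DISTANCE are constructed for illustration; replace them
# with your organisation's own allowlist and tolerance.
TRUSTED = {"google.com", "get.activated.win"}
MAX_DISTANCE = 2


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1,               # delete from a
                       cur[j - 1] + 1,            # insert into a
                       prev[j - 1] + (ca != cb))  # substitute or match
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(host: str):
    """Return (verdict, matched_domain) for a hostname taken from a URL or command."""
    host = host.strip().lower().rstrip(".")
    # Punycode or non-ASCII labels can hide homoglyphs; send them to a human.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return ("review", None)
    for good in TRUSTED:
        if host == good or host.endswith("." + good):
            return ("trusted", good)
    nearest = min(TRUSTED, key=lambda good: osa_distance(host, good))
    if osa_distance(host, nearest) <= MAX_DISTANCE:
        return ("lookalike", nearest)
    return ("unknown", None)


if __name__ == "__main__":
    # Hostnames quoted in the article plus one unrelated name.
    for h in ("Gogle.com", "get.activate.win", "get.activated.win", "example.org"):
        print(h, classify(h))
```

A subdomain of a look-alike (for example `www.gogle.com`) is not reduced to its registrable domain here; doing that reliably requires the Public Suffix List.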

Other vulnerabilities

Microsoft Windows Information Disclosure Vulnerability

Hewlett-Packard Enterprise (HPE) OneView Code Injection Vulnerability

Microsoft Office PowerPoint Code Injection Vulnerability

WatchGuard Firebox Out of Bounds Write Vulnerability
