‘Hire military heroes’ is what meets the eye once you land on this spoofed website. A spoofed website is a hoax site built specifically to mislead visitors into believing that a different person or organization created it. Typically the spoof copies the target website’s design and sometimes uses a URL that is almost identical to the target’s.
According to Cisco Talos, a threat group has been targeting U.S. veterans, promising job seekers that it can help them find work. Instead of providing jobs, however, the website installs spyware and malware on the unsuspecting victim’s phone or PC. This is what the report states.
Digging deeper into the report, it does not indicate the ultimate aim of these hackers. What it clearly shows is that the spoofed website collects a substantial amount of data. Among the information it receives from infected devices are the network configuration, the patch level of installed software, firmware versions, the domain controller, the administrator’s name, and the accounts present on the device.
An analyst from the Department of Homeland Security assessed the likely aim and said that the attackers’ main target is active U.S. military personnel who are about to leave the service. The attackers are mainly hoping that a victim installs the spyware on Defense Department computers, which could pose a series of risks.
This particular Cisco report attributes the attack to Tortoiseshell, a relatively new threat group that operates mainly in the Middle East. Tortoiseshell was responsible for hacking an IT provider in Saudi Arabia, and Cisco was the one who tracked them down.
Phony Job Site
In this particular case, the attackers are reportedly using a website that closely resembles a legitimate job site run by the U.S. Chamber of Commerce to trap unsuspecting veterans.
The phony website supposedly connects U.S. military veterans with companies looking to hire. Its design mimics “https://www.hiringourheroes.org”, a site that helps veterans and their spouses secure jobs.
It’s quite unfortunate that innocent people may fall victim unknowingly. You need to stay protected against any hacking attempt. It is recommended that you seek the Best Identity Protection Services (Our Top 3 Picks of 2019) to ensure you and your family are protected in case you fall victim to such incidents.
Cisco researchers say that this spoofed site was likely designed to be shared across social media.
Cisco researchers also say that this particular attack has the potential to claim many victims because Americans love supporting veterans.
Process of downloading
As part of this attack, victims are encouraged to download and install the desktop application that supposedly helps them view the current job listings.
What’s sad is that, when the victim tries to install the app, a popup appears indicating that the application failed to download. What they don’t know is that in the background, the malware is downloading and automatically infecting the PC.
The attack is in two parts. The first involves installing a malicious binary, which then conducts reconnaissance on the victim’s PC or tablet/phone. The second part involves installing a remote access Trojan (RAT), which communicates with a command and control server. This server lets the attackers take over the victim’s device. Once the Trojan starts collecting data from the device, the data is packaged and sent as an email to a specific Gmail account belonging to the attackers.
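The two-stage behaviour described above (a dropped binary running host discovery, then mailing the collected data to a Gmail account) is something a defender can hunt for in endpoint telemetry. The following is an added example, not code from the Cisco report; the event format, the parent image name `hmh_viewer.exe`, and the choice of discovery commands (mapped to the data the article says is collected) are all assumptions, and the sample events are constructed.

```python
"""Flag a process that runs several discovery commands and then opens an
SMTP connection, on constructed Sysmon-style events (added example)."""
from collections import defaultdict

# Assumed discovery commands that yield the data the article lists:
# network config, patch level, domain controller, admin and user accounts.
RECON = {"ipconfig", "systeminfo", "nltest", "net", "whoami", "wmic"}
# Assumed SMTP ports; the article says data is mailed to a Gmail account.
SMTP_PORTS = {25, 465, 587}

# Constructed sample events. ws01 shows the malicious chain; ws02 is benign
# noise (an admin running ipconfig, Outlook talking to Gmail over SMTP).
SAMPLE_EVENTS = [
    {"ts": 10, "host": "ws01", "parent": "hmh_viewer.exe", "type": "process", "cmd": "ipconfig /all"},
    {"ts": 11, "host": "ws01", "parent": "hmh_viewer.exe", "type": "process", "cmd": "systeminfo"},
    {"ts": 12, "host": "ws01", "parent": "hmh_viewer.exe", "type": "process", "cmd": "nltest /dclist:"},
    {"ts": 13, "host": "ws01", "parent": "hmh_viewer.exe", "type": "process", "cmd": "net localgroup administrators"},
    {"ts": 40, "host": "ws01", "parent": "hmh_viewer.exe", "type": "network", "dest": "smtp.gmail.com", "port": 587},
    {"ts": 50, "host": "ws02", "parent": "cmd.exe", "type": "process", "cmd": "ipconfig /all"},
    {"ts": 60, "host": "ws02", "parent": "outlook.exe", "type": "network", "dest": "smtp.gmail.com", "port": 587},
]


def detect(events, min_recon=3, window=300):
    """Return one alert per (host, parent) whose process ran at least
    `min_recon` distinct discovery commands and then opened an SMTP
    connection within `window` seconds of the earliest of them."""
    recon = defaultdict(dict)  # (host, parent) -> {command: first seen ts}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["parent"])
        if ev["type"] == "process":
            name = ev["cmd"].split()[0].lower()
            if name in RECON:
                recon[key].setdefault(name, ev["ts"])
        elif ev["type"] == "network" and ev["port"] in SMTP_PORTS:
            recent = [c for c, t in recon.get(key, {}).items() if ev["ts"] - t <= window]
            if len(recent) >= min_recon:
                alerts.append({"host": ev["host"], "parent": ev["parent"],
                               "recon": sorted(recent), "dest": ev["dest"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Keying on the parent image rather than the host is what keeps the benign ws02 activity from firing; in real telemetry the same logic would use the process GUID.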
Is this attack connected to Tortoiseshell?
While examining the Trojan, known as “IvizTech”, Cisco researchers say they found code similar to that used by the Tortoiseshell hackers, which Symantec had described earlier in a report released early this month.
What’s surprising is that the Tortoiseshell group has been in existence since July 2018, but researchers became aware of it only about two months ago. Symantec released a report saying that these particular attackers were mostly focused on IT service providers in the Middle East.
If Cisco’s information is accurate, we could be looking at a much bigger problem. Tortoiseshell has used off-the-shelf malware and has previously affected 11 companies in Saudi Arabia, gaining at least domain-level access to two of them, as reported by Symantec.
As the days go by, hackers keep finding new ways to attack. Phishing attacks are becoming more common. It is essential for people and organizations to stay alert to avoid falling victim.
The necessary steps need to be taken to ensure your organization is safe. Have an IT expert put defensive controls in place so that attackers have fewer chances of breaching and crippling your business.