{"id":18573,"date":"2022-03-23T11:40:07","date_gmt":"2022-03-23T19:40:07","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/03\/23\/news-12306\/"},"modified":"2022-03-23T11:40:07","modified_gmt":"2022-03-23T19:40:07","slug":"news-12306","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/03\/23\/news-12306\/","title":{"rendered":"Bad Actors Trying to Capitalize on Current Events via Shameless Email Scams"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><i>Many thanks to Fred Gutierrez and Geri Revay for their contributions to this blog.<\/i><\/p>\n<h2><b><a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs.html?utm_source=blog&amp;utm_medium=campaign&amp;utm_campaign=FortiGuardLabs\">FortiGuard Labs<\/a>\u00a0Research<\/b><\/h2>\n<p><b>Affected Platforms:\u00a0<\/b>Windows<br \/> <b>Impacted Users:\u00a0<\/b>Windows users<br \/> <b>Impact:\u00a0<\/b>Compromised machines are under the control of the threat actor. Stolen personally identifiable information (PII), credential theft, monetary loss, etc.<br \/> <b>Severity Level:\u00a0<\/b>Medium<\/p>\n<p>Malicious email and phishing scams are usually topical and follow a pattern of current events. They are usually crafted around calendar and\/or trending issues as attackers realize that victims are interested in all things relevant to the moment. Threat actors are aware that not all recipients will bite, but some will, hence the origination of the term \u201cphishing.\u201d<\/p>\n<p>Threat actors often put in the least amount of work possible for a maximum return, sending out phishing emails to thousands of targets. 
Even if less than one percent of victims respond, the return on investment is still significant due to the gain of personally identifiable information (PII) and\/or establishing a foothold within an organization using stolen credentials, malware, or other means.<\/p>\n<p>This blog highlights some examples we\u2019ve encountered that may help users better spot suspicious emails. Recent examples observed by FortiGuard Labs include emails related to tax season and the Ukrainian conflict, which reflect the timeliness of current and newsworthy events at the time of writing.<\/p>\n<h2>Tax Season Scams<\/h2>\n<p>Tax season comes around annually, like other seasonal events or holidays. Targeting calendar-based events enables threat actors to prepare ahead of time and have a new selection of targets on rotation.<\/p>\n<p>The following set of examples highlights two IRS\/tax-themed scams.\u00a0 The first is a malicious email pretending to originate from the U.S. Internal Revenue Service (IRS) containing a maliciously crafted Microsoft Excel file to deliver malware (Emotet). The second is a phishing scam that asks a recipient to send personally identifiable information (PII) via written correspondence to a phone number.<\/p>\n<h3><b>IRS-themed email delivering Emotet<\/b><\/h3>\n<p>This attack starts with an IRS impersonation email that contains a ZIP attachment called \u201cW-9 form.zip\u201d. The email is sent to the target, and a password is provided within the body of the email for convenient extraction. 
The zipped attachment contains a file, \u201cW-9 form.XLM.\u201d A file with the XLM extension is simply an Excel file that contains Excel 4.0 macros:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/bad-actors-capitalize-current-events-email-scams\/_jcr_content\/root\/responsivegrid\/image.img.png\/1647550267060\/img1.png\" alt=\"Figure 1. Fake IRS email with malicious attachment\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1. Fake IRS email with malicious attachment<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>For those not familiar with Form W-9 (Request for Taxpayer Identification Number and Certification), it is used by U.S. individuals to provide a correct taxpayer identification number (TIN) to payers (or brokers) who are required to file information returns with the IRS. Red flags that this is a phishing scam include the non-capitalization of \u201cassistant\u201d and the incorrect usage of \u201cTreasure\u201d instead of \u201cTreasury\u201d in the signature body. It should also be noted that the IRS does not communicate with U.S. 
taxpayers via email and instead uses the traditional postal service for all communications.<\/p>\n<h3><b>Analysis<\/b><\/h3>\n<p>Upon observation, and in a similar fashion to our recent Emotet <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/ms-office-files-involved-in-emotet-trojan-campaign-pt-one\">blog<\/a>, the XLM file asks the user to enable macros upon opening the file.<\/p>\n<p>The XLM file contains the following obfuscated Excel 4.0 macro:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/bad-actors-capitalize-current-events-email-scams\/_jcr_content\/root\/responsivegrid\/image_187682406.img.png\/1647550490959\/img2.png\" alt=\"Figure 2. Screenshot of Excel 4.0 macro\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2. Screenshot of Excel 4.0 macro<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The document contains five hidden sheets: \u201cVfrbuk1\u201d, \u201cSheet\u201d, \u201cLefasbor1\u201d, \u201cEFALGV\u201d, \u201cJe1\u201d and \u201cJe2\u201d. Sheet EFALGV contains the main code, which uses the other sheets to compile commands. 
It does this without user interaction, performing its behind-the-scenes magic to download a copy of Emotet from multiple remote locations:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/bad-actors-capitalize-current-events-email-scams\/_jcr_content\/root\/responsivegrid\/image_77959955.img.png\/1647550529754\/img3.png\" alt=\"Figure 3. Hidden Sheets\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3. Hidden Sheets<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Another variation observed was sent to a State Attorney General\u2019s office in the United States. The \u201cFrom\u201d address is clearly seen in the email. It was sent from an automotive tire shop located in Japan, which is most likely compromised and serves as an open mail relay:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/bad-actors-capitalize-current-events-email-scams\/_jcr_content\/root\/responsivegrid\/image_788992063.img.png\/1647550583015\/img4.png\" alt=\"Figure 4. Variation of the same scam\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4. 
Variation of the same scam<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h3><b>Microsoft takes action<\/b><\/h3>\n<p>Microsoft <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/excel-blog\/excel-4-0-xlm-macros-now-restricted-by-default-for-customer\/ba-p\/3057905\" target=\"_blank\">announced<\/a> in January 2022 that Excel 4.0 macros are disabled by default starting in Excel (Build 16.0.14427.10000). The move came as no surprise because the feature is continuously abused by threat actors. Other welcome news from Microsoft is the restricted usage of macros in Access, Excel, PowerPoint, Visio, and Word by default starting in April 2022 via the disablement of VBA macros (also abused by Emotet). Based on the examples shown above, we can see this did not deter the attacker one bit from abusing Excel 4.0 macros.<\/p>\n<p>Also, administrators are able to control the usage of Excel 4.0 macros via group policy settings, as well as cloud and ADMX policies. This feature was introduced in July 2021. For more details, please visit Microsoft\u2019s tech community page &#8211; \u201c<a href=\"https:\/\/techcommunity.microsoft.com\/t5\/excel-blog\/restrict-usage-of-excel-4-0-xlm-macros-with-new-macro-settings\/ba-p\/2528450\" target=\"_blank\">Restrict usage of Excel 4.0 (XLM) macros with new macro settings control<\/a>\u201d.<\/p>\n<p>It\u2019s important to note that these potential victims were not targeted. Emotet utilizes what is colloquially known in the industry as a \u201cspray and pray\u201d tactic to spread via malicious email campaigns. Emotet is known to have delivered other malware variants in the past, with the most disruptive being ransomware. Some ransomware as a service (RaaS) groups have specific policies to not deploy ransomware to government sectors, defense industry, and other critical infrastructures (hospitals, etc.). 
However, actual attacks are often carried out by RaaS affiliates who may or may not abide by the policy set by RaaS groups.\u00a0<\/p>\n<h3><b>Request to fill and send a W-8 form via a fax number<\/b><\/h3>\n<p>A different scam recently observed is an email with the subject line of: \u201cNEW YEAR-NON-RESIDENT ALIEN TAX EXEMPTION UPDATE.\u201d This example contains an attachment, titled \u201cW8-ENFORM.PDF.\u201d While not malicious, this PDF file is essentially a photocopy of the IRS W-8 form. It is simply the W8 form from the IRS with an appended number added by the bad actors at the end of the document.\u00a0<\/p>\n<p>Red flags within the body of the email are the improper usage of grammar, typos, and punctuation:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/bad-actors-capitalize-current-events-email-scams\/_jcr_content\/root\/responsivegrid\/image_1346333414.img.png\/1647550920254\/img5.png\" alt=\"Figure 5. W-8 themed tax scam\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5. W-8 themed tax scam<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>This scam uses social engineering verbiage to target nonresident aliens of the United States based on \u201cofficial\u201d records discovery. However, in a weird miscue, the email contains a contradictory statement:<\/p>\n<p style=\"text-align: center;\">\u00a0\u201cif you are a USA citizen and resident, this W8BEN-FORM is not meant for you\u2026\u201d<\/p>\n<p>The email continues with instructions to reply back and to state on the attached form that the recipient is, indeed, a U.S. citizen\/resident. 
After this step is completed, the bad actor provides a different form to complete.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/bad-actors-capitalize-current-events-email-scams\/_jcr_content\/root\/responsivegrid\/image_1014918595.img.png\/1647551992808\/img6.png\" alt=\"Figure 6.  W-8 Form\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6.  W-8 Form<\/span>         <\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/bad-actors-capitalize-current-events-email-scams\/_jcr_content\/root\/responsivegrid\/image_1907828708.img.png\/1647552035133\/img7.png\" alt=\"Figure 7. W8 Form with added phone number to document\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7. W8 Form with added phone number to document<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Once this form is filled out, all PII included on this form appears to be sent to an 806 phone number, which is the area code for the state of Texas. As we have not called this phone number, it could either be one that is internet-based and can receive attachments, or simply a fax. We can assume that all details are manually kept for later use by the attacker. 
Perhaps if there are a lot of respondents, they could be using OCR (optical character recognition) technology to store victim data in a database for later use.<\/p>\n<p><u>It is important to again note that the IRS does not handle any official correspondence via email. Official W-9 forms are available on the IRS Web <\/u><a href=\"https:\/\/www.irs.gov\/pub\/irs-pdf\/fw9.pdf\" target=\"_blank\">page<\/a><u>. Official W8 forms can be found <\/u><a href=\"https:\/\/www.irs.gov\/forms-pubs\/about-form-w-8\" target=\"_blank\">here<\/a><u>.<\/u><\/p>\n<h2><b>Refugee war scams<\/b><\/h2>\n<p>Spam commonly uses techniques such as tying the lure to current events (sports, tax season), using money as an incentive to click, playing on our natural greed (tax refunds, free money), and using the threat of running out of time to get us to take immediate action.<\/p>\n<p>In the example below, all three techniques are employed, albeit in a more unusual way \u2013 with an impassioned plea to give money to others under the subject line \u201cURGENT RESPONSE REQUIRED! (UKRAINE).\u201d<\/p>\n<p>While the email does not contain a malicious attachment or link, the scammer is asking for a response. A reply is likely to be met with a follow-up message requesting further information. The threat actor may then engage in a dialog with the victim and ask for payment via wire transfer, third-party payment processors (such as Venmo, Zelle, etc.), or cryptocurrency. 
The sender uses a gmail.com email address, likely to evade spam filters.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/bad-actors-capitalize-current-events-email-scams\/_jcr_content\/root\/responsivegrid\/image_2019750349.img.png\/1647552083686\/img8.png\" alt=\"Figure 8. Email Screenshot\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8. Email Screenshot<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h3>Bitcoin Variation<\/h3>\n<p>The screenshot below highlights a brazenly opportunistic scam with the subject line \u201cURGENT DONATION RESPONSE FOR WAR REFUGEE CAMP IN UKRAINE.\u201d It purports to originate from a trusted organization, the United Nations. Red flags are the forged email address of the UN High Commissioner, \u201cinfo@seca[.]cam\u201d, in the \u201cFrom\u201d line, as well as some grammatical and punctuation errors. Another red flag is that the seca[.]cam domain was only registered a few weeks ago, on February 23, 2022.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/bad-actors-capitalize-current-events-email-scams\/_jcr_content\/root\/responsivegrid\/image_320709829.img.png\/1647552334940\/img9.png\" alt=\"Figure 9.  Refugee scam soliciting for Bitcoin\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 9.  
Refugee scam soliciting for Bitcoin<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Checking the Bitcoin wallet address, we can see that this is an active wallet that had its first transaction on September 29<sup>th<\/sup>, 2021. Since the first discovery of the campaign on the 7<sup>th<\/sup> of March, several transactions have been made to this wallet. Its current value at time of writing is $46.82 USD, with total transactions valued at $712.79 USD. Assuming that this wallet was used for malicious purposes, it appears that various campaigns have netted the threat actor a modest profit. However, it can also be safely surmised that this might not be the scammer\u2019s only wallet. As with the IRS, it is also important to mention that the U.N. will never send unsolicited emails for donations. For further details, please reference the <a href=\"https:\/\/www.un.org\/en\/about-us\/fraud-alert\" target=\"_blank\">U.N. Fraud Alert<\/a> page.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/bad-actors-capitalize-current-events-email-scams\/_jcr_content\/root\/responsivegrid\/image_2110861130.img.png\/1647552365899\/img10.png\" alt=\"Figure 10. Bitcoin wallet details\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 10. Bitcoin wallet details<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2><b>Conclusion<\/b><\/h2>\n<h4><i>Emotet and the War in Ukraine<\/i><\/h4>\n<p>With the current tragic situation in Ukraine unfolding, internal chatter within ransomware groups has surfaced. 
Some ransomware groups side with Russia and others side with the West. A well-known RaaS group (which used Emotet)\u2014that we will not publicize for obvious reasons\u2014has made a very strong statement that any attacks directed towards Russia will be met with a retaliatory act towards the West.<\/p>\n<p>As the situation is fluid, and with potentially compromised government sectors likely being infected or targeted with ransomware at this very moment, either for monetary or political reasons, this threat is not out of the question. The point is that important sectors such as government agencies are no longer exempt from attacks, especially from Emotet threat actors, regardless of bias or opinion.<\/p>\n<p>Phishing scams aren\u2019t going anywhere. They are a part of the threat landscape and will likely always be a component of an attacker\u2019s arsenal. This is because the return on investment for an attacker is very high. A crafted email containing specific language designed to trick users into opening an attachment, following a link, responding with confidential or sensitive information, etc. will always work on a percentage of targets. This is because of the one major weakness security software cannot address: the human element.<\/p>\n<p>Training programs constantly remind and teach users how to spot malicious email\/phishing\/spearphishing scams for a good reason. Out of thousands of recipients, it only takes a few to respond to make it all worthwhile to an attacker. And when the right person falls prey, it can unleash a trove of information to the attacker that can be exploited for various purposes. 
Although such scams are well known and publicized, they are still pervasive for one simple reason\u2014they work and will continue to work for the foreseeable future.<\/p>\n<h3><b>Things to Consider:<\/b><\/h3>\n<ol>\n<li>Think twice before enabling macros (they are disabled by default for good reason), especially in tax-form XLM files.<\/li>\n<li>The IRS will never send correspondence via email (including attachments) without first obtaining your consent. <b>IGNORE<\/b> all unsolicited emails purporting to be from the IRS as they are not real.<\/li>\n<li>The IRS has a dedicated webpage to report scams along with an FAQ page &#8211; <a href=\"https:\/\/www.irs.gov\/privacy-disclosure\/report-phishing\" target=\"_blank\">Report Phishing | Internal Revenue Service (irs.gov)<\/a> (Note: Scams mentioned in this blog have been sent to the IRS before publication)<\/li>\n<li>The UN will also never send unsolicited emails for donations. According to the UN website, \u201cThe United Nations strongly recommends that the recipients of solicitations, such as those described above exercise extreme caution in respect of such solicitations.\u201d Please see the <a href=\"https:\/\/www.un.org\/en\/about-us\/fraud-alert\" target=\"_blank\">U.N. Fraud Alert<\/a> page for further details. <b>IGNORE<\/b> all unsolicited emails purporting to be from the UN as they are not real. (Note: Scams mentioned in this blog have been sent to the UN before publication)<\/li>\n<li>Unsolicited emails asking for donations of any kind (especially via cryptocurrency) are a red flag regardless of the cause.<\/li>\n<li>Responding to any email (even if it doesn\u2019t contain a link or malicious attachment) from an untrusted sender will validate your email address to threat actors, either adding you to spam lists or subjecting you to future attacks and scams.<\/li>\n<\/ol>\n<h3><b>Remember:<\/b><\/h3>\n<p>Threat actors are playing the numbers game. 
If they spam out 1,000 emails at a very minimal cost, and 10 people bite, giving them valuable data, then the effort spent was well worth the return on investment.<\/p>\n<h3><b>Fortinet Coverage<\/b><\/h3>\n<p>Fortinet customers are protected from this campaign by FortiGuard Web Filtering, AntiVirus, FortiMail, FortiClient, FortiEDR, and CDR (content disarm and reconstruction) services, as follows:<\/p>\n<p>The malicious macro inside the Excel sample (Emotet) can be disarmed by the FortiGuard CDR (content disarm and reconstruction) service.<\/p>\n<p>FortiEDR detects both the Excel file and Emotet-related files as malicious based on behavior.<\/p>\n<p>All relevant URIs to campaigns mentioned in the blog are blocked by the FortiGuard Web Filtering service.<\/p>\n<p>The malicious\u00a0Excel sample and associated downloaded files are detected as:<\/p>\n<p style=\"margin-left: 40.0px;\">\u201cXML\/Dloader.802!tr\u201d, \u201cW32\/Emotet.C!tr\u201d, \u201cW32\/Emotet.CV!tr\u201d, and \u201cW32\/Emotet.1150!tr\u201d are blocked by the FortiGuard AntiVirus service.<\/p>\n<p>The IRS phishing email targeting nonresident aliens is detected as:<\/p>\n<p style=\"margin-left: 40.0px;\">IRS PDF\/Fraud.10F1!phish<\/p>\n<h3><b>Ukraine Related Scams<\/b><\/h3>\n<p>URGENT RESPONSE REQUIRED! 
(UKRAINE) campaign<\/p>\n<p style=\"margin-left: 40.0px;\">ecres231[.]servconfig[.]com<\/p>\n<p>is classified as a spam server and is blocked by our Web Filtering client.<\/p>\n<p>URGENT DONATION RESPONSE FOR WAR REFUGEE CAMP IN UKRAINE campaign<\/p>\n<p style=\"margin-left: 40.0px;\">seca[.]cam<\/p>\n<p>is classified as a spam sender and is blocked by the Web Filtering client.<\/p>\n<p>In addition to these protections, we suggest that organizations have their end users also go through the\u00a0FREE\u00a0<a href=\"https:\/\/training.fortinet.com\/?utm_source=blog&amp;utm_campaign=nse-institute\">NSE training<\/a>:\u00a0<a href=\"https:\/\/training.fortinet.com\/local\/staticpage\/view.php?page=nse_1&amp;utm_source=blog&amp;utm_campaign=nse-1\">NSE 1 \u2013 Information Security Awareness<\/a>. It includes a module on Internet threats that is designed to help end users learn how to identify and protect themselves from various types of phishing attacks.<\/p>\n<h2><b>Indicators of Compromise<\/b><\/h2>\n<h3><b>URLs (Emotet)<\/b><\/h3>\n<h3><b>Sample SHA-256 involved in the attack: (Emotet)<\/b><\/h3>\n<p><i>Learn more about Fortinet\u2019s <a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?utm_source=blog&amp;utm_campaign=fortiguard-labs\">FortiGuard Labs<\/a> threat research and intelligence organization and the FortiGuard Security Subscriptions and Services <a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?tab=security-bundles&amp;utm_source=blog&amp;utm_campaign=security-bundles\">portfolio<\/a>.<\/i><\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/bad-actors-capitalize-current-events-email-scams\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/bad-actors-capitalize-current-events-email-scams\/_jcr_content\/root\/responsivegrid\/image.img.png\/1647550267060\/img1.png\"\/><br \/>FortiGuard Labs uncovered tax themed phishing scams. 
Read our blog to learn more about how to avoid these socially engineered lures this season and stay ahead of threat actors.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-18573","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18573","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18573"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18573\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18573"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18573"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18573"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}