GitHub, Telegram Bots, and QR Codes Abused in New Wave of Phishing Attacks

October 11, 2024 at 02:00PM

A new malware campaign targets the finance and insurance sectors, using GitHub links in phishing emails to deliver Remcos RAT while trading on the trust placed in legitimate repositories. The technique, uploading malware as attachments to GitHub issues, lets the links pass security controls that treat github.com as trusted. Separate research shows phishing tactics expanding to accommodation platforms, with automation making the scams more effective.

### Meeting Takeaways:

1. **New Malware Campaign**:
– A tax-themed malware campaign is targeting the insurance and finance sectors, utilizing GitHub links within phishing emails.
– The campaign delivers Remcos RAT, indicating a shift in tactics among threat actors.

2. **Use of Trusted Repositories**:
– Attackers are abusing legitimate, well-known open-source repositories, including UsTaxes and HMRC, rather than obscure ones; the tactic trades on the trust associated with recognized names.

3. **Abuse of GitHub**:
– Attackers are utilizing GitHub’s infrastructure to stage malicious payloads by creating issues on recognized repositories and uploading malware, which remains accessible even after issues are closed.

4. **Phishing Techniques**:
– Emails with GitHub links effectively bypass traditional security measures due to the site’s trusted status, allowing direct connections to malware without needing additional redirects.

5. **Emerging Threats**:
– New phishing tactics include using ASCII/Unicode QR codes and blob URLs to mask malicious content and evade detection.
– The Telekopye Telegram toolkit is expanding its operations by targeting accommodation platforms like Booking.com and Airbnb using compromised accounts.

6. **Scam Characteristics**:
– Scammers contact recent bookers through the platform's legitimate messaging, then lead victims to fraudulent links that capture financial information; the personalized approach and familiar communication channel make these scams significantly more successful.

7. **Operational Improvements**:
– Enhanced toolkit functionalities allow quicker scam execution, automated phishing page generation, and improved engagement with targets through chatbots.

8. **Enforcement Actions**:
– Law enforcement in Czechia and Ukraine has arrested cybercriminals associated with the Telekopye operations, who were using Telegram bots for phishing and maintaining anonymity.

9. **Recruitment of Cybercriminals**:
– Cybercriminal organizations reportedly recruit individuals in precarious situations, promising easy money through job postings and targeting skilled foreign students.

### Recommendations:
– Increase vigilance regarding incoming emails containing GitHub links, even from trusted sources.
– Regularly update security measures to recognize and block emerging phishing tactics.
– Consider implementing educational programs to inform employees about the characteristics of sophisticated phishing schemes.
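One practical form of the first recommendation is to treat links to GitHub issue attachments differently from links to repository source. The triage helper below is an added example (not code from the article or from any of the vendors it cites); the attachment path forms it matches are assumed from general knowledge of GitHub's upload URLs, and the email body is constructed for the demo.

```python
"""Flag github.com links in an email body that point at issue/PR attachments
rather than repository content. Added example, not from the article."""
import re
from urllib.parse import urlparse

# Assumed attachment URL path forms (not stated in the article):
#   /user-attachments/files/<id>/<name>  and  /user-attachments/assets/<uuid>
#   /<owner>/<repo>/files/<id>/<name>     (legacy per-repository uploads)
ATTACHMENT_PATHS = [
    re.compile(r"^/user-attachments/(files|assets)/"),
    re.compile(r"^/[^/]+/[^/]+/files/\d+/"),
]
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")

# Constructed sample message for the demo; the file name is made up.
SAMPLE_EMAIL = """Please review your tax documents.
Project page: https://github.com/example-org/example-repo/issues/42
Download: https://github.com/user-attachments/files/1234567/Tax_Form_2024.zip
"""


def classify_github_link(url: str) -> str:
    """Return 'attachment', 'repo', or 'other' for a single URL."""
    parsed = urlparse(url)
    if parsed.netloc.lower() not in ("github.com", "www.github.com"):
        return "other"
    if any(pat.match(parsed.path) for pat in ATTACHMENT_PATHS):
        return "attachment"
    return "repo"


def find_attachment_links(body: str) -> list[str]:
    """Return every github.com link in the body that resolves to an upload.

    A repository or issue link says nothing about who uploaded a file to it,
    so only attachment links are flagged for analyst review or detonation.
    """
    return [u for u in URL_RE.findall(body)
            if classify_github_link(u) == "attachment"]


if __name__ == "__main__":
    for link in find_attachment_links(SAMPLE_EMAIL):
        print("review before allowing:", link)
```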
