Gone Phishin' Volume 5: early-to-mid September 2022

Your bi-weekly update on the biggest news in phishing, hacking, and cybersecurity.

Post hero image

Table of contents

See Hoxhunt in action
Drastically improve your security awareness & phishing training metrics while automating the training lifecycle.
Get a Demo

Oh boy! What a last few weeks it has been. Your intrepid correspondent here was on vacation for the last two weeks and has spent the last two days underneath a mountain of emails, meetings, and (let's be honest) food delivery boxes.

Weirdly enough, I happened to be not only in the UK when Queen Elizabeth — who is mentioned in this very article down below — died, but also happened to be staying in a hotel about a ten minute walk from Buckingham Palace. It was quite surreal, to say the least. And even more surreal to see Her Maj's name in a phishing scam when I returned to work.

Without further ado, let's get right to the news.

Holiday Inn hotel group shows no reservations for potential ransomware attack

A Holiday Inn Express, courtesy of Creative Commons

InterContinental Hotel Group (yes, it is stylised like that and no, my spellcheck doesn't like it either) — owners of the popular Holiday Inn franchise and several other hotel chains — was recently the victim of a potential ransomware attack that has left its cybersecurity and PR teams scrambling to play defence. To everyday users, the first week of September was hell if you wanted to book a room through any one of the ICHG properties websites. What was going on behind the scenes was (allegedly, we should add) a hacking group was encrypting data so that ICHG couldn't get ahold of it and then downloading/scraping the data for their own purposes.

ICHG hasn't gone public with much information about the alleged ransomware attack, but ITPro.co.uk reports that similar recent ransomware attacks (though none at this scale) have put customer payment data in jeopardy. And no, not the fun daytime game show Jeopardy, but the "putting your bank details online" kind.

ICHG hasn't gone public with the alleged breach, but the conglomerate did write about the attack, however, in a filing to the London Stock Exchange. Which is classy, if not entirely transparent.

When GIFs attack! Microsoft Teams edition

Hackers have found a way to exploit Microsoft Teams by using your intern's favorite communication method: GIFs.

That cute little picture of Pikachu below is actually doing a world of damage to your cybersecurity functions, as it has opened a backdoor to Teams that allows pretty much anyone monitoring the servers to log what is going on, including keystrokes (which means passwords and logins), and more.

H/T: BleepingComputer

How the data is acquired is actually pretty interesting, as the work that has gone into this particular hack is set up like a magic trick. This is also an excellent excuse to link to the first two minutes of the movie The Prestige if you haven't already seen it, as it does a great job of explaining how magic tricks are made. Really, truly, and honestly — this is a unique hack that deserves to be looked at up close if you're interested in how these things are made.

Here's the pledge, where the "magician" (read: hacker) shows you something ordinary: 

To initiate the attack, the threat actor can use Rauch's GIFShell Python script to send a message to a Microsoft Teams user that contains a specially crafted GIF. This legitimate GIF image has been modified to include commands to execute on a target's machine. When the target receives the message, the message and the GIF will be stored in Microsoft Team’s logs, which the malicious stager monitors.

Here's the turn, where the hacker takes something ordinary and makes it extraordinary...

When the stager detects a message with a GIF, it will extract the base64 encoded commands and execute them on the device. The GIFShell PoC will then take the output of the executed command and convert it to base64 text. This base64 text is used as the filename for a remote GIF embedded in a Microsoft Teams Survey Card that the stager submits to the attacker's public Microsoft Teams webhook. As Microsoft Teams renders flash cards for the user, Microsoft's servers will connect back to the attacker's server URL to retrieve the GIF, which is named using the base64 encoded output of the executed command. The GIFShell server running on the attacker's server will receive this request and automatically decode the filename allowing the attackers to see the output of the command run on the victim's device...

And, finally, the prestige...

The threat actors can continue using the GIFShell server to send more GIFs, with further embedded commands to execute, and continue to receive the output when Microsoft attempts to retrieve the GIFs. As these requests are made by the Microsoft website, urlp.asm.skype.com, used for regular Microsoft Teams communication, the traffic will be seen as legitimate and not detected by security software. This allows the GIFShell attack to covertly exfiltrate data by mixing the output of their commands with legitimate Microsoft Teams network communication.

A huge, massive, and cavernous thanks to Bleeping Computer for that information above. And an equally huge thanks to Christopher Nolan for making The Prestige which is a damn fine movie.

TikTok possibly rocked by data leak shock, yet chooses to mock

Phone with tiktok screen

Here's an interesting one: in the early days of September this year, a hacking group by the name of AgainstTheWest went public and said that the "2 billion accounts" from the massively popular app TikTok had been breached. TikTok has spent the better part of the last week and a half pushing back against this news and saying (in my own words here) "nah, that's not true." 

After AgainstTheWest posted purported screenshots and videos of the data and alluding to having 700+GB of user data (including log-in info, location data, and more), TikTok pushed back by saying:

"This is an incorrect claim — our security team investigated this statement and determined that the code in question is completely unrelated to TikTok's backend source code, which has never been merged with WeChat data." - TikTok.

It turns out that most of the data AgainstTheWest actually published is little more than already publicly available information, yet some of that data is user data so there really has been a breach... we just don't know extensive it is yet. To play it safe, TikTok later backtracked ever-so-slightly by advising all its users to use 2FA (or 'Two Factor Authentication' for all you newbies out there). AgainstTheWest was then later banned from the Breached.to forum where they posted their supposed allegations due to unsubstantiated claims.

It gets weirder: AgainstTheWest might sound like it's a shadowy Chinese/Russian/NoKo outfit that's against western countries, but it's actually fighting for western interests, according to CyberKnow. Call me crazy and forgive me for saying "branding" out loud in a blog post, but, hey, just a thought, maybe change the name so it's a little more obvious what your intent is? Pretty sure there isn't a DownWithChickenNuggets hacktivist group working on behalf of McDonalds.

Moscow no-go after taxi app hack

Photograph of Yandex Taxi, courtesy of Creative Commons
A Yandex Taxi, courtesy of Creative Commons

Even though 'Yandex Taxi' sounds like they should be a third-round draft pick for the Cleveland Browns, it is actually one of Russia's most popular ride-hailing apps. Ukrainian hackers recently created a major traffic jam in the Russian capital city of Moscow using the app by hailing either "several dozen" or "over a hundred" (reports vary) taxis to one location, the already highly congested road of Kutuzovsky Prospect.

Yandex Taxi — who, again, are definitely not a mildy successful indie band currently on tour with Arcade Fire but are actually a Russian taxi company — have said that the hacking group Anonymous have owned up to the attack. Yandex Taxi — who, it should be mentioned is not the name of a fictitious Burt Reynolds character in an unmade Hal Needham movie — has released no further information surrounding the publicity stunt.

Is it hacking, or is it 'a mild annoyance by exploiting a loophole'? Your opinion may vary. It's worth noting, however, that this type of "flash mob" hacktivist stunt could become a bigger deal if combined with, say, the need for an ambulance to move from point A to point B, or if someone very important were being transported and a group of malicious actors wanted to harm the aforementioned very important person. (Editorial note: Every time I type "a group of malicious actors" I keep thinking of Jonah Hill and Michael Cera sitting in a basement by a computer. Apologies to Mr Hill and Mr Cera.)

And finally... don't click on The Queen

Image of Phishing Attack using Queen Elizabeth II's name

Queen Elizabeth II was by all accounts a very nice older lady who had a predilection towards corgis and tupperware. Yet her name is being used in a hacking / credential-harvesting scam that is making the rounds into inboxes around the world. The image above was first spotted by one of Hoxhunt's very own data team, and it's been popping up all over the place ever since.

Not much information is known about who is behind it (yet), but it's safe to say that the link won't actually take you to an "interactive Artificial Intelligence memory board" created by people who "arewriting the history." Jokes about 'Clippy' aside, one can safely assume that Microsoft has an actual spellchecker that works and wouldn't have let that egregious error go by. You'd be amazed how many hacking and phishing attempts can be spotted by bed spelling and poor grammar.

_________________________

That's all for now. Thanks for reading, and we'll see you again in two short weeks! 

Want to learn more?
Be sure to check out these articles recommended by the author:
Get more cybersecurity insights like this