Cybercriminals are getting creative while trying to capitalize on the recent news that some buyers of a military-grade surveillance software tool are misusing it to spy on journalists, activists, and business leaders.
After news reports surfaced about unauthorized spying by clients of the Pegasus surveillance tool sold by Israeli company NSO Group, cybercriminals began distributing a so-called antivirus tool that purports to block Pegasus. In reality, it contains a remote access tool that lets hackers get inside the victim’s computer.
The hacking tool is getting distributed on a website that mimics the look of the Amnesty International site, Cisco Systems’s cybersecurity arm Talos said in a blog post on Sept. 30. The genius of the scheme is that Amnesty International has been one of the leading research organizations focused on Pegasus. It would make sense that the human rights group, targeted by Pegasus users, would distribute a tool to remove the spyware.
“We believe this campaign has the potential to infect many users given the recent spotlight on the Pegasus spyware,” Talos wrote. “Many users may be searching for protection against this threat at this time.”
The attackers appear to be Russian speakers, but their motivations are unclear, Talos researchers wrote. “The use of Amnesty International’s name, an organization whose work often puts it at odds with governments around the world, as well as the Pegasus brand, a malware that has been used to target dissidents and journalists on behalf of governments, certainly raises concerns about who exactly is being targeted and why,” they added. “However, our investigation has not found any other supporting data to make clear whether this is a financially motivated actor using headlines to gain new access or a state-supported actor going after targets who are rightfully concerned about the threat Pegasus presents to them.”
Talos said the phony website distributes the Sarwent malware, which gives hackers a back door into a victim’s computer. The malware can also activate the remote desktop protocol on the victim’s machine, potentially giving the hacker direct access to the desktop.
The only Pegasus-related tool available from Amnesty International is the Mobile Verification Toolkit, which is designed for security specialists, a spokeswoman at the human rights organization noted.
“It is outrageous to see criminals exploiting the trust people have in Amnesty International,” she told the Washington Examiner. Because there’s only one Pegasus tool available from the group, “people should be careful before installing any software pretending to come from Amnesty.”
Cybercriminals often prey on victims’ fear related to current events to trick them into making poor decisions, cybersecurity experts said.
“This type of attack is common, whereby attackers use recent headlines to lure unsuspecting individuals concerned about their safety into malware traps,” said Eric McGee, a senior network engineer at TRG Datacenters. “The victims are often spooked by the headlines and are eagerly looking for ways to protect themselves from the security issues that are currently making headlines.”
Associating with a trusted organization or brand makes it “easy for people not to question the legitimacy” of the malware, added McGee, who has also worked as a cybersecurity manager.
These website spoofing attacks are getting sophisticated. It is difficult for the average internet user to tell the difference between a legitimate website and a fake one, added Lou Rabon, the founder and CEO of Cyber Defense Group, a cloud security vendor.
Rabon recommended that people concerned about a website’s legitimacy check the domain registrar’s record or even phone the organization to verify it.
Computer users should also think in terms of defense in depth, he added.
“This means using a trusted [domain name system] source, like OpenDNS or an equivalent subscription service, that ensures the DNS servers you are using are serving the sites you expect and filtering known bad sites, along with advanced anti-malware software with web protection,” he told the Washington Examiner.
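Rabon’s point is that a spoofed site can pass a casual visual check; the host name is where the difference actually shows. The following Python snippet, written as an added illustration for this article and not a tool from Talos, Amnesty International or Cyber Defense Group, classifies a URL’s host against a small allow-list of trusted domains. The allow-list entry, the confusable-letter table and every sample URL are constructed for the example; none of them is the site Talos reported, whose address the article does not give.

```python
"""Classify a URL's host against an allow-list of trusted domains.

Added example for this article; all inputs are constructed.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list: the domains the user has independently verified.
TRUSTED_DOMAINS = {"amnesty.org"}

# A few Cyrillic letters that render like their Latin counterparts (not exhaustive).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
})


def normalize_host(url: str) -> str:
    """Extract the host, fold compatibility characters, punycode non-ASCII labels."""
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").rstrip(".")
    host = unicodedata.normalize("NFKC", host).lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host  # labels the codec rejects will simply never match anything trusted


def display_form(host: str) -> str:
    """Decode punycode back to the characters a browser would show the user."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def registrable_domain(host: str) -> str:
    """Simplified: last two labels. Real code should consult the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, trusted=frozenset(TRUSTED_DOMAINS)) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for the URL's host."""
    host = normalize_host(url)
    if registrable_domain(host) in trusted:
        return "trusted"  # exact domain or a subdomain of it
    # Compare what the user *sees*, with confusable letters folded to Latin.
    folded = display_form(host).translate(CONFUSABLES)
    if registrable_domain(folded) in trusted:
        return "lookalike"  # homoglyph domain: looks identical, resolves elsewhere
    sld = registrable_domain(folded).split(".")[0]
    for brand in (t.split(".")[0] for t in trusted):
        if brand in folded:
            return "lookalike"  # trusted brand embedded in an unrelated domain
        if levenshtein(sld, brand) <= 2:
            return "lookalike"  # typosquat within two edits of the brand
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample URLs; none of these is the site Talos observed.
    for sample in (
        "https://www.amnesty.org/en/",
        "https://amnesty-pegasus-removal.com/download",
        "https://\u0430mnesty.org/",   # Cyrillic 'а' in place of Latin 'a'
        "https://amnesy.org/",
        "https://example.com/",
    ):
        print(f"{sample:50} -> {classify(sample)}")
```

The three lookalike cases are the ones a filtering DNS resolver or browser protection product has to catch on the user’s behalf: a brand name embedded in a different registrable domain, a one-letter typo, and a homoglyph domain that is pixel-identical in the address bar until it is punycode-decoded and compared character by character. The allow-list here is a single entry; in practice the same logic runs against the set of domains an organization actually does business with.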
Original Author: Grant Gross
Original Location: Cybercriminals prey on Pegasus spyware fears