Kworld Trend / Microsoft disarms 50 booby-trapped domains and websites, After identifying and taking action to take down hundreds of hacked and fraudulent domains and websites impersonating their services from China, Russia and Iran, Microsoft has successfully taken down the Thallium hacker group. This group a priori operated from North Korea.
Microsoft disarms 50 booby-trapped domains and websites
The race to steal usernames and passwords is endless. Among the favorite targets of many groups of cybercriminals, we find users of very popular computer services such as messaging, online office automation, etc. So it is not surprising to know that Microsoft users care a lot about hackers who are using more and more techniques to steal the precious sesame. In order to track down fraudulent activities that attempt, in particular, via phishing campaigns to recover login/password pairs, the Redmond company has several resources including a Digital Crime Unit or Threat Intelligence Centre.
Several operations were carried out that led to the dismantling of infrastructures that control hundreds of malicious domains and websites run by groups of cybercriminals in China (Barium), Russia (Strontium) and Iran (Phosphorus). The last group on Earth, Thallium – most likely from North Korea – experimented with about fifty scopes and boxed spots. In a post, the editor gave some details about the modus operandi used by hackers. A lawsuit filed by Microsoft in the Eastern District Court of Virginia was also announced.
Thoroughly thought out hacking techniques
An example of an email sent by hackers using IP spoofing technology. (credit: Microsoft)
Thallium usually attempts to trick victims through a technique known as phishing. By gathering information about targeted individuals from social media, public employee directories that individual organizations participate in, and other public sources, they are able to create a personalized phishing email in a way that gives them credibility,” said Tom Burt, vice president of the company. In an illustrative example, the spoofing IP address “accountprotection.rmicrosoft.com” was used to better deceive the user .
“The link in the email redirects the user to a website that requests the user’s account credentials. By tricking victims into clicking on fraudulent links and providing their credentials, Thallium can log into the victim’s account. In the event of a successful hack of the victim’s account, Thallium can consult Emails, contact lists, calendar appointments, and any other item related to the compromised account.This also often creates a new mail forwarding rule in the victim’s account settings.
This mail rule forwards all new emails that the victim receives to accounts controlled by Thallium. With these rules, Thallium can continue to see emails a victim receives, even after updating their account password. In addition to targeting user credentials, Thallium also uses malware to breach systems and steal data. Once installed on a victim’s computer, this malware siphons information, and lies dormant while waiting for further instructions. Tom Burt explained that thallium threat actors use known malware called BabyShark and KimJongRAT.
