COLDRIVER: Who is behind the biggest cyberattack on email services?

Brother

The United States and Great Britain offer $10 million for any information about the members of the group.

The cybercrime group COLDRIVER continues to actively engage in the theft of credentials from organizations from various industries, according to the Microsoft team.

The group has been active since 2017 and specializes in creating phishing sites that mimic login pages for email services and other systems. When a user enters their username and password there, attackers intercept them and use them to access personal data and corporate systems.

Microsoft said that, starting in April 2023, it observed the attackers using server-side scripts to prevent automated scans of the infrastructure they control, moving away from hCaptcha to identify targets of interest and redirecting the browsing session to the Evilginx server.

In this way, attackers mask their infrastructure from automatic analysis and focus their efforts on real users. In addition, the HubSpot email marketing platform is now used to send phishing emails leading to a disguised login collection page.

To make automatic analysis of malicious domains more difficult, the group started using random phrases when registering them. Phishing links are usually also masked in password-protected PDFs hosted on Proton Drive cloud storage.

Despite these tricks, the main goal of COLDRIVER does not change — stealing credentials for accessing corporate and personal email, as well as files uploaded there.

In connection with COLDRIVER's ongoing malicious activities, the UK and US governments have even imposed personal sanctions against several alleged members of the group, and a $10 million reward has been announced for information about other COLDRIVER members and their current activities under the Rewards for Justice program.

Despite the measures taken, COLDRIVER continues to actively use more and more sophisticated methods for identity theft. Businesses and ordinary users should be extremely vigilant against phishing emails and suspicious websites.
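As an added defender-side illustration (not part of the original post or of Microsoft's reporting), the following Python routine flags the lure characteristics the post describes in a parsed e-mail: a Proton Drive share link, a password-protected PDF attachment, the PDF password handed over in the message body, and a HubSpot tracking link. The URL shapes for Proton Drive and HubSpot, the sample message and the minimal PDF bytes are all constructed assumptions for the demo.

```python
import re
from email.message import EmailMessage

# Assumed URL shapes for the two services named in the post (tune to your own telemetry).
PROTON_DRIVE_RE = re.compile(r"https?://drive\.proton\.me/urls/\S+", re.I)
HUBSPOT_LINK_RE = re.compile(r"https?://[\w.-]+\.hubspotlinks\.com/\S+", re.I)
# A password handed over in the same message as the protected file is the tell.
PASSWORD_HINT_RE = re.compile(r"\bpassword\b\s*(?:is|:|=)\s*['\"]?[A-Za-z0-9!@#$%^&*]{6,}", re.I)


def pdf_is_encrypted(data: bytes) -> bool:
    """An encrypted PDF carries an /Encrypt entry in its trailer dictionary."""
    return data.startswith(b"%PDF") and b"/Encrypt" in data


def triage_message(msg: EmailMessage) -> list[str]:
    """Return the COLDRIVER-style lure indicators present in a parsed message."""
    found = set()
    body = ""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain" and part.get_content_disposition() != "attachment":
            body += part.get_content()
        elif ctype == "application/pdf" and pdf_is_encrypted(part.get_payload(decode=True) or b""):
            found.add("encrypted_pdf_attachment")
    if PROTON_DRIVE_RE.search(body):
        found.add("proton_drive_link")
    if HUBSPOT_LINK_RE.search(body):
        found.add("hubspot_tracking_link")
    if PASSWORD_HINT_RE.search(body):
        found.add("password_in_body")
    return sorted(found)


# Constructed sample: a minimal PDF skeleton whose trailer declares encryption.
SAMPLE_PDF = b"%PDF-1.7\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R/Encrypt 2 0 R>>\n%%EOF\n"


def build_sample(lure: bool) -> EmailMessage:
    """Constructed message: a lure matching the post's description, or a benign control."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "analyst@example.org"
    msg["Subject"] = "Shared document"
    if lure:
        msg.set_content("Please review the attached brief. Password: Qwerty2023\n"
                        "Copy: https://drive.proton.me/urls/EXAMPLEID#EXAMPLEKEY\n")
        msg.add_attachment(SAMPLE_PDF, maintype="application", subtype="pdf", filename="brief.pdf")
    else:
        msg.set_content("Reminder: never share your password with anyone.\n")
    return msg


if __name__ == "__main__":
    print(triage_message(build_sample(True)))   # ['encrypted_pdf_attachment', 'password_in_body', 'proton_drive_link']
    print(triage_message(build_sample(False)))  # []
```

Any single indicator is weak on its own; the combination of an encrypted PDF, its password in the body and an external file-sharing link is what should raise the message for analyst review.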