Phishing Emails related to T-20 are sent to government officials
Cyberattacks are occurring almost every day, and news of them is now as routine as morning tea. This time the hackers have been targeting senior government officials with phishing emails related to the ongoing T-20 World Cup in Australia, claiming to know which team will win the tournament and tempting recipients to place bets on it.
Sectrio, the cybersecurity division of Bengaluru-based telecom analytics firm Subex, said in a blog Thursday that it had found at least 20 emails over the past two weeks “… targeted at senior executives from the government, manufacturing, oil and gas, healthcare, and utility sectors”. Subex rebranded its cybersecurity division Sectrio in September 2021.
Sectrio said that the majority of these emails and WhatsApp messages targeted businesses and government agencies in India. The next highest numbers of targets were based in Australia, Singapore and South Africa, respectively, according to the blog.
“Most emails claimed to know which team would eventually lift the trophy this month and encouraged recipients to use that knowledge to place bets with a leading sports betting agency in England,” Sectrio said in the blog.
If a victim replies to one of these phishing mails (fraudulent communications from cybercriminals), the hackers send a follow-up email under the pretext of providing more information. The actual purpose of the follow-up email is to extract personal information from the victim.
Replying to ThePrint’s question on whether the targeted government officials or the related government agencies have been informed about the phishing emails and WhatsApp messages, Sectrio marketing head Prayukth K.V. said, “We have not informed anyone directly, but we do publish such alerts on our blog periodically to raise awareness on the latest tactics used by scammers and to warn specific targets.”
The division had earlier published findings on subjects such as India being the most cyberattacked country for three months in 2019, and how hackers used the coronavirus panic to target India through WhatsApp and email.
ThePrint reached the director general of Cert-In, Dr Sanjay Bahl, and other officials of the team over email for comment on the phishing mails and on whether any action had been taken to prevent government officials from falling victim to such targeted campaigns, but had received no response by the time of publication of this report. The copy will be updated once their response is received.
The Indian Computer Emergency Response Team (Cert-In) is the government agency that deals with cybersecurity incidents in the country.
According to Sectrio, if a victim divulges personal information, it can then be used to hack into their online accounts or to validate information already collected from other sources. Some targets also received a link to “a website infected with crypto-mining malware”, the blog said.
The malware is a new version of a well-known crypto-mining malware named Nitrokod that has been active since 2019.
Sectrio did not elaborate on how the new and older versions of Nitrokod are different and only said that it is still studying the new variant.
Nitrokod malware was hidden in fake desktop versions of popular software, such as Google Translate, that have no official desktop version. The illegitimate software was made available via dozens of websites offering free software downloads, according to Israel-based cyber intelligence firm Check Point, which first discovered the Nitrokod malware campaign in July 2022.
According to antivirus provider Kaspersky, “Cryptojacking is a threat that embeds itself within a computer or mobile device and then uses its resources to mine cryptocurrency”.
“Once downloaded, the malware stays latent for a period of almost 45 days, keeping a low signature by running multiple processes in the backend to hide its footprint. The actual infection is triggered much later,” said Sectrio.
Once the malware has established a line of communication between the hacker and the victim’s computer, the hacker can access information stored on that computer, the blog explained.