Hackers exploiting popular social engineering 'toolkits' to refine cyber attacks

Victims are being asked to download malware through visually compelling fake update prompts

Hackers are regularly using highly customisable online resources to add social engineering components to render their attacks more effective, according to new research from Malwarebytes.

One website identified by the team features an expansive toolkit that has drawn more than 100,000 visits in the past few weeks, offering design and framework support to attackers.

The resource, dubbed Domen, is built around a detailed client-side script serving as a framework for various update templates designed for both desktop and mobile users in almost 30 languages.

"Over time, we have seen a number of different social engineering schemes," said senior security researcher Jrme Segura.

"For the most part, they are served dynamically based on a user's geolocation and browser/operating system type. This is common, for example, with tech support scam pages where the server will return the appropriate template for each victim.

"What makes the Domen toolkit unique is that it offers the same fingerprinting, and choice of templates thanks to a client-side script which can be tweaked by each threat actor.

"Additionally, the breadth of possible customisations is quite impressive since it covers a range of browsers, desktop, and mobile in about 30 different languages."

The toolkit is loaded as an iframe from compromised websites, most of which run via WordPress, and is displayed over the top as an additional layer. The campaign works by encouraging victims to install updates, like a Flash Player update, but, instead, when clicked, downloads a malicious file.

The campaign also resembles another from 2018 known as SocGholish. Although they are different, both campaigns run on the same principles; in that, they can be found on the same compromised host, abuse a cloud hosting platform like Dropbox, then download a fake 'update' before delivering the NetSupport remote administration tool.

Variants of the social engineering toolkit include Flash Player updates, as well as prompting users to update Chrome, Firefox, or Microsoft's Edge browser.

Social engineering has become a more prominent component of malicious campaigns in recent years due to victims becoming more astute about clear giveaways when it comes to browser-embedded malware and phishing attempts.

An example arose earlier this year of a sophisticated attempt to target C-suite executives within organisations. This featured attackers sending a fake email to executives, centred on rescheduling a board meeting. By following a link, the targets were sent to a page that resembled a Doodle poll, but actually stole their Office 365 credentials.

More recently, the CEO of a UK-based energy firm was tricked into making a fraudulent payment over the phone by AI-powered voice manipulation software. He wired 200,000 to a "Hungarian supplier" at the behest of cyber criminals who were actually mimicking his parent company's chief executive using AI.

With cyber attacks becoming more personalised and sophisticated, it's crucial that organisations become more vigilant over potential threats received via email or while browsing online.

Featured Resources

Preparing for AI-enabled cyber attacks

MIT technology review insights

Download now

Cloud storage performance analysis

Storage performance and value of the IONOS cloud Compute Engine

Download now

The Forrester Wave: Top security analytics platforms

The 11 providers that matter most and how they stack up

Download now

Harness data to reinvent your organisation

Build a data strategy for the next wave of cloud innovation

Download now

Recommended

X-rated phishing attacks just keep growing
phishing

X-rated phishing attacks just keep growing

4 Jun 2021
Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021
eBay, Apple, Microsoft, Facebook, and Google were phishers’ top targets in 2020
phishing

eBay, Apple, Microsoft, Facebook, and Google were phishers’ top targets in 2020

20 Apr 2021

Most Popular

UK gov considers blocking Nvidia's takeover of Arm
Acquisition

UK gov considers blocking Nvidia's takeover of Arm

4 Aug 2021
RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021
Tesla Megapack goes up in flames at Australian battery site
Hardware

Tesla Megapack goes up in flames at Australian battery site

30 Jul 2021