Hackers exploiting popular social engineering 'toolkits' to refine cyber attacks

Victims are being asked to download malware through visually compelling fake update prompts

Hackers are regularly using highly customisable online resources to add social engineering components to render their attacks more effective, according to new research from Malwarebytes.

One website identified by the team features an expansive toolkit that has drawn more than 100,000 visits in the past few weeks, offering design and framework support to attackers.

Advertisement - Article continues below

The resource, dubbed Domen, is built around a detailed client-side script serving as a framework for various update templates designed for both desktop and mobile users in almost 30 languages.

"Over time, we have seen a number of different social engineering schemes," said senior security researcher Jrme Segura.

"For the most part, they are served dynamically based on a user's geolocation and browser/operating system type. This is common, for example, with tech support scam pages where the server will return the appropriate template for each victim.

"What makes the Domen toolkit unique is that it offers the same fingerprinting, and choice of templates thanks to a client-side script which can be tweaked by each threat actor.

"Additionally, the breadth of possible customisations is quite impressive since it covers a range of browsers, desktop, and mobile in about 30 different languages."

The toolkit is loaded as an iframe from compromised websites, most of which run via WordPress, and is displayed over the top as an additional layer. The campaign works by encouraging victims to install updates, like a Flash Player update, but, instead, when clicked, downloads a malicious file.

Advertisement - Article continues below
Advertisement - Article continues below

The campaign also resembles another from 2018 known as SocGholish. Although they are different, both campaigns run on the same principles; in that, they can be found on the same compromised host, abuse a cloud hosting platform like Dropbox, then download a fake 'update' before delivering the NetSupport remote administration tool.

Variants of the social engineering toolkit include Flash Player updates, as well as prompting users to update Chrome, Firefox, or Microsoft's Edge browser.

Social engineering has become a more prominent component of malicious campaigns in recent years due to victims becoming more astute about clear giveaways when it comes to browser-embedded malware and phishing attempts.

An example arose earlier this year of a sophisticated attempt to target C-suite executives within organisations. This featured attackers sending a fake email to executives, centred on rescheduling a board meeting. By following a link, the targets were sent to a page that resembled a Doodle poll, but actually stole their Office 365 credentials.

Advertisement - Article continues below

More recently, the CEO of a UK-based energy firm was tricked into making a fraudulent payment over the phone by AI-powered voice manipulation software. He wired 200,000 to a "Hungarian supplier" at the behest of cyber criminals who were actually mimicking his parent company's chief executive using AI.

With cyber attacks becoming more personalised and sophisticated, it's crucial that organisations become more vigilant over potential threats received via email or while browsing online.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now



University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
ethical hacking

Mobile banking apps are exposing user data to attackers

26 Jun 2020

Most Popular

Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020

How to find RAM speed, size and type

24 Jun 2020

The road to recovery

30 Jun 2020