The first attack was uncovered in October, targeting mainly German IT businesses. The hacker, or ‘threat actor’, is known, for whatever reason, as “TA2101.” After fraudulently portraying themselves as the German Federal Ministry of Finance, they moved from Germany to Italy and there imitated the Italian Ministry of Taxation, once again targeting businesses, but mainly attacking the banking industry in Italy. On November 12th, thousands of emails were sent from the same source, but this time to email servers in the United States. The healthcare industry was targeted in the phishing campaign against American businesses. Instead of falsely claiming to be from the IRS or Department of Commerce, as one might expect based on the European campaigns, the cyber-criminals pretended to be the US Postal Service, but the gist of the scam remained roughly the same in each iteration:
- A phishing email would be sent claiming to have information about the business’ tax return.
- Unwitting users would then open a Word document attached to the email, in turn setting off a series of events that could ultimately lead to a PC getting infected.
- Essentially, a virus known as ‘IcedID’ is deployed, allowing the hackers to redirect your web traffic with nefarious intent.
The endgame here is that a user of a compromised computer (or the end-user of an infected business’ website) would try to go to, for instance, his or her bank’s website (examplebank.com). The virus would then force a redirect to a site that looks very similar to the legitimate banking webpage, but whose domain is actually examplebank.icu. If you try to log in on the imposter site, you have handed TA2101 your banking credentials, which is exactly the pay dirt they are after.
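The redirect described above only works if nobody notices that examplebank.icu is not examplebank.com. As an added example (not part of the original post, and not connected to any real bank or log), the Python script below shows how a defender can review web proxy logs for that kind of look-alike: it compares every requested hostname against a list of legitimate domains and flags hosts that reuse the brand label under a different top-level domain (examplebank.icu) or bury the real domain inside a longer name (examplebank.com.secure-login.icu). The protected-domain list, the log format and the log lines are all constructed for this example, and it generalises slightly beyond the post by catching the "brand buried in a subdomain" variant as well.

```python
"""Flag look-alike domains in web proxy logs.

Added example, not the post's own code. It compares each requested host
against a list of legitimate domains and reports hosts that reuse the
brand label under a different TLD (examplebank.icu) or hide the real
domain inside a longer name (examplebank.com.secure-login.icu).
The protected list, the log format and the log lines below are all
constructed for this example.
"""
from urllib.parse import urlsplit

# Domains whose brand we want to protect (constructed sample, not from the post).
PROTECTED_DOMAINS = ("examplebank.com",)


def host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL, or '' if it has none."""
    host = urlsplit(url).hostname
    return host.lower() if host else ""


def classify_host(host: str, protected=PROTECTED_DOMAINS) -> str:
    """Classify a hostname relative to the protected domains.

    Returns one of:
      'legitimate'         - the host is a protected domain or a subdomain of it
      'lookalike'          - the registrable name reuses the brand label under a
                             different TLD (examplebank.icu)
      'brand-in-subdomain' - the brand appears as a deeper label in the name
                             (examplebank.com.secure-login.icu)
      'unrelated'          - no resemblance to any protected domain

    Assumption: protected domains are 'label.tld' with a single-label TLD;
    multi-part suffixes such as .co.uk would need a public-suffix lookup.
    """
    labels = host.split(".")
    for good in protected:
        brand = good.split(".")[0]
        if host == good or host.endswith("." + good):
            return "legitimate"
        # Same second-level label, different TLD: examplebank.icu
        if len(labels) >= 2 and labels[-2] == brand:
            return "lookalike"
        # Brand used as a subdomain label of some other registrable domain
        if brand in labels[:-2]:
            return "brand-in-subdomain"
    return "unrelated"


# Constructed proxy log lines: timestamp, client IP, method, URL.
SAMPLE_LOG = """\
2019-11-12T10:01:05 10.0.0.5 GET https://www.examplebank.com/login
2019-11-12T10:01:09 10.0.0.5 GET https://examplebank.icu/login
2019-11-12T10:02:11 10.0.0.7 GET https://examplebank.com.secure-login.icu/auth
2019-11-12T10:03:40 10.0.0.9 GET https://news.example.com/
"""


def scan_log(text: str, protected=PROTECTED_DOMAINS):
    """Return (client_ip, host, verdict) for every look-alike hit in the log."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed or blank lines
        client, url = parts[1], parts[3]
        host = host_of(url)
        verdict = classify_host(host, protected)
        if verdict in ("lookalike", "brand-in-subdomain"):
            hits.append((client, host, verdict))
    return hits


if __name__ == "__main__":
    for client, host, verdict in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host}: {verdict}")
```

Run against the constructed log, the script reports the two clients that reached examplebank.icu and examplebank.com.secure-login.icu and stays silent on the genuine www.examplebank.com visit. The same classifier can be pointed at DNS query logs or at the Effective TLD of newly registered domains; the one real gap is multi-part public suffixes, which the comment in the code calls out.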
More information about cloned websites and .icu domains: CLICK HERE
Until Next Time,
Written by Benjamin Derge, Financial Planner. The information has been obtained from sources considered reliable but we do not guarantee that the foregoing material is accurate or complete. Any opinions are those of Benjamin Derge and not necessarily those of RJFS or Raymond James. Links are being provided for information purposes only. Expressions of opinion are as of this date and are subject to change without notice. Raymond James is not affiliated with and does not endorse, authorize, or sponsor any of the listed websites or their respective sponsors.