Centre Proposes New Bills for Criminal Law

Introduction 

Netflix is no stranger to its subscribers being targeted by SMS and email-led phishing campaigns. But the most recent campaign has been deployed at a global scale, affecting paid users in as many as 23 countries according to cybersecurity firm Bitdefender. In this particular campaign, attackers are using the carrot-and-stick tactic of either creating a false sense of urgency or promising rewards to steal financial information and Netflix credentials. For example, users may be contacted via SMS and told that their account is being suspended due to payment failures. A fake website may be shared through a link, encouraging the individual to share sensitive information to restore their account. Once this information has been input, it is now accessible to the attackers. This can create significant stress and even financial loss for its users. Thus, they are encouraged to develop the necessary skills to recognize and respond to these threats effectively.

How The Netflix Scam Works 

Users are typically contacted through SMS. Bitdefender reports that these messages may look something like this:

"NETFLIX: There was an issue processing your payment. To keep your services active, please sign in and confirm your details at: https://account-details[.]com"

On clicking the link, the victim is directed to a website designed to mimic an authentic user experience interface, containing Netflix’s logo, color scheme, and grammatically-correct text. The website uses this interface to encourage the victim to divulge sensitive personal information, such as account credentials and payment details. Since this is a phishing website, the user’s personal information becomes accessible to the attacker as soon as it is entered. This information is then sold individually or in bundles on the dark web.

Practical Steps to Stay Safe 

1. Know Netflix’s Customer Interface: According to Netflix, it will never ask users to share personal information including credit or debit card numbers, bank account details, and Netflix passwords. It will also never ask for payment through a third-party vendor or website.
2. Verify Authenticity: Do not open links from unknown sources sent by email or sms. If unsure, access Netflix directly by typing the URL into the browser instead of clicking on links in emails or texts. If the link has been opened, do not enter any information.
3. Use Netflix’s Official Support Channels: Confirm any suspicious communication through Netflix’s verified help page or app. Write to phishing@netflix.com with any complaints about such an issue.
4. Contact Your Financial Institution: If you have entered your personal information into a phishing website, you should immediately reach out to your bank to block your card and change your Netflix password. Contact the authorities via www.cybercrime.gov.in or by calling the helpline at 1930 in case of loss of funds.
5. Use Strong Passwords and Enable MFA/2FA: Users are advised to use a unique, strong password with multiple characters. Enable Multi-Factor Authentication or  Two Factor Authentication to your accounts, if available, to add an extra level of security.

Conclusion

Phishing campaigns which are designed to gather customer data through fraudulent means often involve sending links to as many users as possible, with the aim of monetizing stolen information. Attackers exploit user trust in online platforms to steal sensitive personal information, making such campaigns more sophisticated as highlighted above. This underscores the need for users of online platforms to practice good cyber hygiene by verifying information, learning to detect suspicious information and ignoring it, and staying aware of the types of online fraud they may be exposed to. 

Sources 

• https://www.bitdefender.com/en-gb/blog/hotforsecurity/netflix-scam-stay-safe
• https://help.netflix.com/en/node/65674
• https://timesofindia.indiatimes.com/technology/tech-news/netflix-users-beware-this-netflix-subscription-scam-is-active-in-23-countries-how-to-spot-one-and-stay-safe/articleshow/115820070.cms

Executive Summary:

‍The internet has become a hub for fraudsters, and a new fraudulent scheme has been circulating, stating a free 84-day recharge of ₹719 given by the Honourable Prime Minister Narendra Modi  in celebration of the BJP Government formation in 2024. This is yet another scam that uses tricks to lure the users, for instance by fake questionnaires, fake promises and the use of the Honourable Prime Minister Narendra Modi’s image to give a fake impression of legitimacy. The following blog post analyzes the scam and offers recommendations on how to recognize similar frauds and avoid them.

False Claim:

A viral link trending on various social media platforms states that Narendra Modi, the Honourable Prime Minister of India, is giving a free 84-day free recharge worth ₹719 to all users in India and this is an Election Bonus  in celebration of the BJP government formation in 2024.  The claim insists the users are required to click on the link (https://offerraj.in/Congress2024-Recharge/id=9jMiaeN1) and complete a questionnaire to get the offer.

‍

The Deceptive Scheme:

1. Mobile-Only Access:  The malicious link (https://offerraj.in/Congress2024-Recharge/id=9jMiaeN1) is designed to open only on mobile devices; this makes it easier for more people to be affected. 
2. Multiple Redirects: After clicking the link, the users are led through a sequence of other links in order to conceal the actual source of the deception, and probably a try of making it difficult to track the notorious activity.
3. Fake Comments & Images: First, the landing page contains a banner with the photo of India’s Honourable Prime-Minister Narendra Modi which gives the site’s visitors the impression of the official source. Also, fake comments can be made for the same reason, stating that the author has received a free recharge and supporting the so-called initiative.
4. Fake Prize Notifications: For instance, after responding to the questions in the questionnaire, users may be presented with messages such as ‘Congratulations, you have won a free recharge’; this further creates an impression of a genuine offer.
5. Social Sharing Requirement: To collect the so-called ‘prize’, the users are requested to share the link in the WhatsApp or other social networks, thus contributing to the spread of the scam.

‍

Analyzing the Fraudulent Campaign:

1. No Official Announcement: The internet and other social platforms are the only places where such an offer has been mentioned, and there is no official announcement from the Government or any other authorized body.
2. Multiple Redirects: After clicking the link, users are taken through multiple redirects to obfuscating the source of the deception and to trace the malicious activity. 
3. Suspicious Domain and Hosting: The campaign is hosted on a third-party domain (offerraj.in) instead of any official government website, raising suspicion about its authenticity.
4. Personal Data Collection: The questionnaire prompts users to provide personal information, which legitimate Government initiatives would not typically request through unofficial channels.
5. Insecure HTTP Link: The link provided is an insecure HTTP link, whereas legitimate government websites employ secure HTTPS encryption.

‍

Domain Analysis:

The actual url is hosted on a third party domain instead of the official website of the BJP or any Government website. This is the common way to deceive users into falling for a Phishing scam. Whois information reveals that the domain has been registered recently i.e on 28-03-2023 and the domain is registered with godaddy.com and state is from Rajasthan, India. Cybercriminals used Cloudflare technology to mask the actual IP address of the fraudulent website.

‍

• Domain Name: offerraj.in
• Registry Domain ID: D9483D0EB38264263958C9609D2DCEA70-IN
• Registrar WHOIS Server:
• Registrar URL: www.godaddy.com
• Updated Date: 2024-05-03T07:30:03Z
• Creation Date: 2023-03-28T04:33:12Z
• Registry Expiry Date: 2026-03-28T04:33:12Z
• Registrar: GoDaddy.com, LLC
• Registrar IANA ID: 146
• Registrant State/Province: Rajasthan
• Registrant Country: IN
• Name Server: johnathan.ns.cloudflare.com
• Name Server: braelyn.ns.cloudflare.com

‍

Similar offer surfing with different links: Several similar kind of offers through various links such as https://offerintro.com/BJP2024-Recharge/id=QYntPBDU,  https://mahaloot2.xyz, https://mahaloot3.xyz, https://pmoffer4.online,  are available in the social media. All these links are analysed and validated to be malicious or phishing links. 

CyberPeace Advisory and Best Practices:

‍

1. Stay Informed: Be aware of potential scams and rely on official government channels for verified information.
2. Verify Website Security: Do not click on links that have the ‘http’ at the beginning and focus on sites that have encryption (‘https’).
3. Protect Personal Information: Be careful when there is any request to send some type of personal information, especially if it is done through informal companies.
4. Report Suspicious Activity: When you notice that you have been scammed or a certain activity is fraudulent, ensure to report the incidents to the necessary authorities and the platforms to prevent others from being scammed.

‍

Conclusion: 

The claim of 84 day free recharge worth ₹719 to all users in India as an “Election Bonus”  is false and similar kinds of various links are consistently surfing through the internet. The deceptive practices employed in these kinds of links are insecure and it has multiple redirects to false promises which highlights the need for heightened awareness and caution among internet users.  In this digital world, it is important to stay informed, verify the authenticity of resources to protect personal information. Individuals can safeguard themselves against such fraudulent schemes and contribute to a safer online environment.

‍

Overview:

After the blackout on July 19, 2024, which affected CrowdStrike’s services worldwide, cybercriminals began to launch many phishing attacks and distribute malware. These activities mainly affect CrowdStrike customers, using the confusion as a way to extort information through fake support sites. The analysis carried out by the Research Wing of CyberPeace and Autobot Infosec has identified several phishing links and malicious campaigns.

The Exploitation:

Cyber adversaries have registered domains that are similar to CrowdStrike’s brand and have opened fake accounts on social media platforms. These are fake platforms that are employed to defraud users into surrendering their personal and sensitive details for use in other fraudulent activities.

Phishing Campaign Links:

• crowdstrike-helpdesk[.]com
• crowdstrikebluescreen[.]com
• crowdstrike-bsod[.]com
• crowdstrikedown[.]site
• crowdstrike0day[.]com
• crowdstrikedoomsday[.]com
• crowdstrikefix[.]com
• crashstrike[.]com
• crowdstriketoken[.]com
• fix-crowdstrike-bsod[.]com
• bsodsm8r[.]xamzgjedu[.]com
• crowdstrikebsodfix[.]blob[.]core[.]windows[.]net
• crowdstrikecommuication[.]app
• fix-crowdstrike-apocalypse[.]com
• supportportal-crowdstrike-com[.]translate[.]goog
• crowdstrike-cloudtrail-storage-bb-126d5e[.]s3[.]us-west-1[.]amazonaws[.]com
• crowdstrikeoutage[.]info
• clownstrike[.]co[.]uk
• crowdstrikebsod[.]com
• whatiscrowdstrike[.]com
• clownstrike[.]co
• microsoftcrowdstrike[.]com
• crowdfalcon-immed-update[.]com
• crowdstuck[.]org
• failstrike[.]com
• winsstrike[.]com
• crowdpass[.]com

In one case, a PDF file is being circulated with CrowdStrike branding, saying ‘Download The Updater,’ which is a link to a ZIP file. The ZIP file is a compressed file that has an executable file with a virus. This is a clear sign that the hackers are out to take advantage of the current situation by releasing the malware as an update.

‍

‍

‍

In another case, there is a malicious Microsoft Word document that is currently being shared, which claims to offer a solution on how to deal with this CrowdStrike BSOD bug. But there is a hidden risk in the document. When users follow the instructions and enable the embedded macro, it triggers the download of an information-stealing malware from a remote host. This is a form of malware that is used to steal information and is not well recognized by most security software. Also it sends the stolen data to the samesame remote host but with different port number, which likey works as the CnC server for the campaign.

• Name New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows[.]docm
• MD5 dd2100dfa067caae416b885637adc4ef
• SHA-1 499f8881f4927e7b4a1a0448f62c60741ea6d44b
• SHA-256 803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61
  
• URLS http://172.104.160[.]126:8099/payload2.txt, http://172.104.160[.]126:5000/Uploadss

‍

Recent Outage Impact:

On July 19, 2024, CrowdStrike faced a global outage that originated from an update of its Falcon Sensor security software. This outage affected many government organizations and companies in different industries, such as finance, media, and telecommunications. The event led to numerous complaints from the users who experienced problems like blue screen of death and system failure. Although, CrowdStrike has admitted to the problem and is in the process of fixing it. 

Preventive Measures:

• Organize regular awareness sessions to educate the employees about the phishing techniques and how they can avoid the phishing scams, emails, links, and websites.
• MFA should be used for login to the sensitive accounts and systems for an improvement on the security levels.
• Make sure all security applications including the antivirus and anti-malware are up to date to help in the detection of phishing scams.
• This includes putting in place of measures such as alert on account activity or login patterns to facilitate early detection of phishing attempts.
• Encourage employees and users to inform the IT department as soon as they have any suspicions regarding phishing attempts.

Conclusion:

The recent CrowdStrike outage is a perfect example of how cybercriminals take advantage of the situation and user’s confusion and anxiety. Thus, people and organizations can keep themselves from these threats and maintain the confidentiality of their information by being cautious and adhering to the proper standards. To get the current information on the BSOD problem and the detailed instructions on its solution, visit CrowdStrike’s support center. Reported problems should be handled with caution and regular backup should be made to minimize the effects.

References:

• https://app.any.run/tasks/2c0ffc87-4059-4d6f-8306-1258cf33aa54/
• https://app.any.run/tasks/48e18e33-2007-49a8-aa60-d04c21e8fa11
• https://www.virustotal.com/gui/file/19001dd441e50233d7f0addb4fcd405a70ac3d5e310ff20b331d6f1a29c634f0/relations
• https://www.virustotal.com/gui/file/803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61/detection
• https://www.joesandbox.com/analysis/1478411#iocs

‍