Go to listing page

Cyware Daily Threat Intelligence, July 01, 2019

Cyware Daily Threat Intelligence, July 01, 2019

Share Blog Post

The MageCart group, which is widely infamous for Formjacking attacks, has come up with a new card-skimming malware named ‘Inter’. This highly customizable malware is reportedly being sold in dark market places for $1,300 per license. MageCart is offering this custom payload along with JavaScript loaders and bundles of software that can ensure the malicious payload is not being executed in a debugger or sandbox.

The past 24 hours also saw the discovery of two serious vulnerabilities in Cirque du Soleil mobile app and kindergarten software respectively. While the flaw in Cirque du Soleil app had left users’ mobile device open to cyber attacks, the flaw in kindergarten software had revealed the personal details of 235,543 citizens of Stara Zagora, Bulgaria. 

An extortion scam that tricked users into believing that their computers were infected by a RAT through EternalBlue exploit kit was also uncovered in the past 24 hours. The purpose of the scam was to extort $600 per victim.

Top Breaches Reported in the Last 24 Hours

Father Bill’s and MainSpring attacked
Father Bill’s and MainSpring, a non-profit organization that provides shelter to the homeless, was recently targeted in an attempted ransomware attack. The incident occurred on April 11, 2019. Despite the attack, the firm was quick at taking remedial steps and had blocked the attack in less than 30 seconds. The ransomware did not encrypt or lock any files or computer systems.

Summa Health’s phishing attack
Summa Health has revealed that it had suffered a phishing attack between March 11 and March 29, 2019. This had allowed hackers to gain access to some of its employee’s email accounts. The compromised email accounts contained patients’ personal information for over 500 patients. The details compromised includes names, dates of birth, medical records, patient account numbers, clinical and treatment information.

Top Malware Reported in the Last 24 Hours

Fake Facebook page
A Facebook page impersonating Khalifa Haftar, the head of the Libyan National Army, has tricked 50,000 users into sharing their personal information. The campaign has also deceived users into granting access to their personal devices. On the other hand, threat actors had compromised the popular ‘Grief the Unspoken’ Facebook page to post distressing images from almost 7 weeks from May 9, 2019. 

Spelevo exploit kit
A newly discovered Spelevo exploit kit has been found to be distributed via a compromised B2B website. The exploit kit is used to deliver two banking trojans - IceID and Dridex. The attackers behind the campaign are believed to be financially motivated. 

OSX/CrescentCore malware
OSX/CrescentCore is a newly discovered Mac malware that spreads as a .dmg disk image, masquerading as a fake Flash player installer. The malware uses this technique to evade detection from antivirus. 

MageCart’s Inter skimmer
Researchers have come across a new skimmer named Inter that is being used by MageCart group. The skimmer is highly customizable and is reportedly being sold in underground forums for $1,300 per license. Inter is a malicious JavaScript that connects to tracker-visitors[.]com, which is disguised as a visitor traffic tracker for a website.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable Cirque du Soleil mobile app
A vulnerability in Cirque du Soleil mobile app developed for the Toruk show has left every user’s device to cyber attacks. Since the app has no authentication protocols, the attackers can exploit the flaw to execute malicious commands, tamper with volume settings, display unwanted content and remotely control the app.

Vulnerable WordPress sites hacked
A massive campaign that involves threat actors compromising vulnerable WordPress sites has come to light. The attackers have been found adding either “1800ForBail” or “1800ForBail – One+Number” keywords to the titles of vulnerable WordPress sites.  It is believed that campaign is part of a large-scale campaign that aims at exploiting newly found flaws in WordPress. 

Vulnerable software used in local kindergartens
A Bulgarian IT specialist has demonstrated a security flaw in the software used by local kindergartens. The flaw has allowed the specialist to download the details of 235,543 citizens of Stara Zagora. The compromised data includes information usually stored inside a central national database managed by the Department Civil Registration and Administrative Services.

Top Scams Reported in the Last 24 Hours

New extortion scam
A new variant of an extortion scam that tricks users into paying a ransom to retain their private videos has been observed recently. The scammers send a phishing email to the targets, informing them that their computers have been infected by a RAT through an EternalBlue exploit kit. The email says that the trojan has taken the users’ private videos silently when they were on an adult site and demands a ransom of $600 per victim in order to stop disclosing these videos to the public.  

Phone scam
New Zealand Police has issued a warning about an ongoing phone scam that dupes the public into transferring hundreds of thousands of dollars from across the country or overseas. The callers claim to be from Spark or the police and convince victims to transfer huge amounts from their bank accounts to an account belonging to scammers. The victims are often called repeatedly by the person claiming to be a police officer and talked into sending large sums of money as part of the trap.


summa health
magecart threat actor group
inter skimmer
osxcrescentcore malware
spelevo exploit kit

Posted on: July 01, 2019

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.