• A fraud technique that aims to collect and misuse confidential user data
• A quick reaction of the user is expected - clicking on a link, opening an attachment in an email, accepting a request on Social Networks, etc.
• Carefully open emails from unknown senders

The National CERT of the Republic of Serbia wishes to inform the citizens that a new phishing campaign is under way, which abuses the name of the National Bank of Serbia. Phishing attempts are initiated from Facebook page named ’’NBS’’, mimicking the legitimate web page of the National Bank of Serbia, whereby the citizens are offered a false possibility to double their Dina Card balance, if they provide required information.

The message reads:

Since the phishing page is created with an intent to collect citizens’ personal data, the advertized reward being fraudulent and not associated in any way with the National Bank of Serbia, the National CERT urges the citizens not to disclose their personal information.

Notification and recommendations of National Bank of Serbia, regarding this fraud, are available at the link.

The National CERT of the Republic of Serbia wishes to inform all Internet users of a new ongoing phishing campaign titled „**SPAM** Ulazak u sistem je uspešno završen, svi podaci sa Vašeg uredaja su kopirani. Pročitajte uputstva dalje.“ The phishing message further reads a threatening information about all the user’s data having been copied and locked, and even a video caption of the user been taken, including all of his/her social network contacts. In exchange for the „recovery“ of the stolen data, a Bitcoin payment in the amount of 1400 USD within 50 hours is requested. The message itself does not contain a fake link, but fraudulently influences the user to willingly make a payment in order to recover their data.

The National CERT recommends that all such emails be deleted. Careful scrutiny of similar incoming messages makes it harder for the attackers to take advantage of your lack of attention on the Internet. Users are advised to be particularly watchful when receiving emails from unknown senders, containing grammatical errors, where an immediate action is required from them.

The National CERT of the Republic of Serbia wishes to inform the public that a new SMS phishing campaign against users of postal services is under way. A fraudulent SMS is sent to the user, saying that a parcel supposedly could not be delivered to them due to an unpaid customs fee, asking them to open the link contained in the text message in order to retrieve their parcel. Fake links currently in circulation are: https://rs-posta.com, https://rs-posta.net, https://posta-serbia.com and https://posta-srbija.com.

The link from the text message leads to a fake page where the user is asked to fill in their bank or credit card details, which ultimately enables the attackers to clear the victim’s bank account.

The PE „Post of Serbia“ reminds the public that this is not how this company communicates with its users, therefore extra attention is warranted.

This is how the PE „Post of Serbia“ legitimate page looks like:

The National CERT urges all users who have possibly received such SMS neither to open the link contained therein, nor to disclose their personal data, but to delete such text messages permanently.

On the National CERT’s website, several publications about these threats have been made available, including the way current phishing campaigns are being carried out. In addition, our platform „For a Safer Click“ contains interactive content about various cybersecurity topics.

The above fraud can be reported to the „Post of Serbia“ via the official contact center telephone numbers 0700 100 300 and 011 3607 788, on business days from 8h to 20h and on weekends from 8h to 15h, as well as to the National CERT.

A new case of abuse of the Internet page WeTransfer used for free Internet database transfer up to 2GB was detected yesterday. This phishing campaign uses an illegal ascmgpr[.]ir domain posing as WeTransfer website.

Since the ascmgpr[.]ir domain is still active, caution is advised to the users of Internet, to pay attention to all e-mails sent by WeTransfer. Since the contaminated mail looks different than the regular one, the National CERT advises all users to check if the link downloading the content is legitimate and whether or not it leads to wetransfer.com domain, before opening it. This can be done by placing the mouse on the Download link without clicking, which then reveals the address of redirection (see picture below). If the domain is not wetransfer.com, the content is not safe for downloading.

It is also possible that the users receive similar messages from info@cert.rs e-mail address. Such e-mails should not be opened.

For more, please visit: https://wetransfer.zendesk.com/hc/en-us/articles/208554176-Phishing-attempts-and-weird-WeTransfer-imitations.

The Kaspersky Lab has detected a new type of malicious software called Rakhni Trojan (Trojan-Ransom.Win32.Rakhni). This type of malicious software has multifunctional abilities. It can be run as ransomware, crypto-miner or net-worm depending on the attacker's decision. Initially, it runs content checks on the victim's PC after which the attacker triggers one of the three possible options.

This type of malicious software emerges on the territory of Russia and spreads further via spam and phishing campaigns. It contains e-mails with fake corporate financial documents. Once they have opened the e-mail, users get instructions on how to open the attached PDF file. By clicking on the PDF, the victim launches an executable file written in Delphi which uses a fake Adobe Systems Incorporated digital signature.

If an attacker decides to launch the ransomware option, the user will receive a MESSAGE.txt file with the ransom request (please visit decryption tools).

If an attacker decides to start the crypto-mining option, a VBS script will start mining Monero and Dashcoin cryptocurrency.

If the previous two options are not suitable, the attacker may decide to run net-worm option which allows the Trojan to copy itself on all computers of the local network.

For more details please visit: threatpost.com

Regulatory Agency for Electronic Communications and Postal Services along with its National CERT (SRB-CERT) is celebrating October, the European and global cyber security month, with a campaign "Active and Safe on the Internet". This campaign promotes the importance of information security to citizens, state organizations, public and private companies and aims to raise awareness and change behavioral patterns by providing basic information to all Internet users about available protection measures while being online.

As part of the Cyber Security Month, RATEL i.e. National CERT will hold a set of workshops intended for different user profiles, such as "Improvement of protection measures for safe Internet business" designed for small and medium enterprises in the Republic of Serbia (promotion of the Safety Act model), in cooperation with Serbian Chamber of Commerce.

In cooperation with NALED, with the participation of the Ministry of Trade, Tourism and Telecommunications and the Office for Information Technologies and e-Government, workshops are organized for local self-government units (Kragujevac, Belgrade, Niš, Novi Sad).

By means of the workshop titled "Active and Safe on the Internet", intended for the press and media companies in the Republic of Serbia, National CERT informs the journalists about current security risks on the Internet.

According to the National CERT's statistical data, the most frequent attack types remain phishing (in the region, different phishing campaigns in the banking sector are currently under way) and ransomware, followed by cryptomining and theft and leakage of personal and business data.

Cyber crime activities such as phishing, ransomware, data breach, DDoS and cryptomining account for 81.7% of the malware content, cyber espionage for 16%, while cyber warfare and hacktivism account for 1.2%  each.

The Regulatory Agency for Electronic Communications and Postal Services, in its capacity of the National CERT of the Republic of Serbia, will mark this year's international Cybersecurity Month with a campaign entitled “Knowledge is power”.

The cybersecurity month is celebrated throughout the world, while in Europe it was first observed in 2012, with the slogan „Cybersecurity is a common responsibility", uniting the European countries in their combat against cyber threats. Ever since, this capmaign has yearly promoted not only a safer and more responsible online behaviour, but also introduced trainings and seminars aimed at educating end-users, preparing them for ever-emerging challenges. In 2019, the year when the Republic of Serbia joined in, 525 activities were recorded in 36 countries.

This year's campaign „Knowledge is power“ kicks off with a workshop for the media representatives, with presentations on current cyber news, events and advices on how to prevent the most frequent cyber attacks and threats.

A webinar for the small and medium-sized enterprises will provide information about legal regulations in the area of cyber security, current free tools and recommendations for a safe work and reduced business risk. The webinar is set to take place on October 15, 2020, whereas all interested parties can apply by email (office@cert.rs).

In order to raise awareness on the issue of cybersecurity, the National CERT regularly updates its website with news, notifications, recommendations, publications and brochures on best prevention measures and practices against security risks, including information about current cyber threats to citizens, companies and governmental bodies. Since the beginning of the COVID-19 pandemic, the National CERT's recommendations have been focused on how to safely work from home and maintain cybersecurity, with the following brochures being published: Safety recommendations for remote workers, VPN access for small and medium-sized enterprises, Abuse of COVID-19 pandemic in cyberspace, Social engineering, How to reduce the risk of receiving phishing emails (SPF, DMARC, DKIM), Compromised business emails – all of which can be found in the Publications segment of the website. In addition, a promotional video has been created, to be available soon on the same platform.

The National CERT invites you to follow the prepared content featuring as part of the „Knowledge is power“ campaign, as well as on social media.

The National CERT wishes to inform all Internet users that a phishing campaign abusing the COVID-19 pandemic and current situation pertaining to Digital green certificates is under way. This phishing campaign is usually being carried out via e-mail messages.

The phishing message contains a link to download an e-document on vaccination, instructing the user to click on the link and download a supposed Digital green certificate. The e-mail sender is certain Zorica Torlak, Head of Pharmacy Service Belgrade.

The legitimate issuer of the Digital green certificate in the Republic of Serbia is the Office for IT and e-Government, therefore the National CERT urges the users to pay attention if they receive any similar suspicious e-mail message offering the Digital green certificate, not to open it, but to delete it immediately.

An example of the phishing e-mail can be viewed below: