• A fraud technique that aims to collect and misuse confidential user data
• A quick reaction of the user is expected - clicking on a link, opening an attachment in an email, accepting a request on Social Networks, etc.
• Carefully open emails from unknown senders

The National CERT of the Republic of Serbia wishes to inform the citizens that a new phishing campaign is under way, which abuses the name of the National Bank of Serbia. Phishing attempts are initiated from Facebook page named ’’NBS’’, mimicking the legitimate web page of the National Bank of Serbia, whereby the citizens are offered a false possibility to double their Dina Card balance, if they provide required information.

The message reads:

Since the phishing page is created with an intent to collect citizens’ personal data, the advertized reward being fraudulent and not associated in any way with the National Bank of Serbia, the National CERT urges the citizens not to disclose their personal information.

Notification and recommendations of National Bank of Serbia, regarding this fraud, are available at the link.

The National CERT of the Republic of Serbia wishes to inform all Internet users of a new ongoing phishing campaign titled „**SPAM** Ulazak u sistem je uspešno završen, svi podaci sa Vašeg uredaja su kopirani. Pročitajte uputstva dalje.“ The phishing message further reads a threatening information about all the user’s data having been copied and locked, and even a video caption of the user been taken, including all of his/her social network contacts. In exchange for the „recovery“ of the stolen data, a Bitcoin payment in the amount of 1400 USD within 50 hours is requested. The message itself does not contain a fake link, but fraudulently influences the user to willingly make a payment in order to recover their data.

The National CERT recommends that all such emails be deleted. Careful scrutiny of similar incoming messages makes it harder for the attackers to take advantage of your lack of attention on the Internet. Users are advised to be particularly watchful when receiving emails from unknown senders, containing grammatical errors, where an immediate action is required from them.

The National CERT of the Republic of Serbia wishes to inform the public that a new SMS phishing campaign against users of postal services is under way. A fraudulent SMS is sent to the user, saying that a parcel supposedly could not be delivered to them due to an unpaid customs fee, asking them to open the link contained in the text message in order to retrieve their parcel. Fake links currently in circulation are: https://rs-posta.com, https://rs-posta.net, https://posta-serbia.com and https://posta-srbija.com.

The link from the text message leads to a fake page where the user is asked to fill in their bank or credit card details, which ultimately enables the attackers to clear the victim’s bank account.

The PE „Post of Serbia“ reminds the public that this is not how this company communicates with its users, therefore extra attention is warranted.

This is how the PE „Post of Serbia“ legitimate page looks like:

The National CERT urges all users who have possibly received such SMS neither to open the link contained therein, nor to disclose their personal data, but to delete such text messages permanently.

On the National CERT’s website, several publications about these threats have been made available, including the way current phishing campaigns are being carried out. In addition, our platform „For a Safer Click“ contains interactive content about various cybersecurity topics.

The above fraud can be reported to the „Post of Serbia“ via the official contact center telephone numbers 0700 100 300 and 011 3607 788, on business days from 8h to 20h and on weekends from 8h to 15h, as well as to the National CERT.

The National CERT of the Republic of Serbia wishes to inform and warn all users that a new phishing campaign targeting postal service users is under way. The users usually receive an email notifying them about „unsuccessful“ parcel delivery, due to an unpaid customs fee.

Figure 1 shows an example of an email sent to users:

Figure 1 – Phishing email example

The user is asked to click on the email link, leading to a fake page of the Post of Serbia, where the user is required to make payment by filling in his credit card information. Figure 2 shows the look of the fake page where the user is asked to make a payment:

Figure 2 – Example of fake payment page 

All the information provided by the user on the fake page can be abused. The National CERT recommends to the users who happen to receive such email, not to open it nor enter the required data, but to delete it right away.

The above fraudulent activity can be reported to the „Post of Serbia“ via the official contact center telephone numbers 0700 100 300 and 011 3607 788, on business days from 8h to 20h and on weekends from 8h to 15h, as well as to the National CERT.

A new case of abuse of the Internet page WeTransfer used for free Internet database transfer up to 2GB was detected yesterday. This phishing campaign uses an illegal ascmgpr[.]ir domain posing as WeTransfer website.

Since the ascmgpr[.]ir domain is still active, caution is advised to the users of Internet, to pay attention to all e-mails sent by WeTransfer. Since the contaminated mail looks different than the regular one, the National CERT advises all users to check if the link downloading the content is legitimate and whether or not it leads to wetransfer.com domain, before opening it. This can be done by placing the mouse on the Download link without clicking, which then reveals the address of redirection (see picture below). If the domain is not wetransfer.com, the content is not safe for downloading.

It is also possible that the users receive similar messages from info@cert.rs e-mail address. Such e-mails should not be opened.

For more, please visit: https://wetransfer.zendesk.com/hc/en-us/articles/208554176-Phishing-attempts-and-weird-WeTransfer-imitations.

Tha National CERT of the Republic of Serbia wishes to inform and warn all users that a Viber phishing campaign is under way, recognizable by links beginning with hypertext “https://www.viber.com/activate_secondary/.“ Should you receive such message, the National CERT recommends you not to click on the link, otherwise you could compromise your Viber account.

The click on the link enables the attacker to add their device as one of the legitimate devices your personal access to Viber is authorized from. This means the attacker can read your messages, access your contact list and assume your identity.

Tips to stay protected:

• Do not open suspicious links.
• If you receive an unusual text or a message with an unexpected link, do not open it.
• Confirm the source: If a link is sent to you by some of your contacts, check with that person by other communication channel if they really intended to send you the link.
• Use official links: Always use an official web location or Viber app for all necessary activities concerning your account.
• Update your Viber app regularly.

What to do if your account gets compromised?

If that happens, you are advised to disable access to your Viber account on other devices (PCs or tablets), by taking the following steps:

• Open the Viber app on your mobile device.
• Select option More at the bottom right part of the screen in order to access the menu.
• Select option Settings in order to access the settings menu.
• Select Account.
• By selecting Desktop and Tablets, you will be able to access the list of devices where your Viber account is active.
• From the list you should select the device you wish to deactivate.
• Confirm deactivation when asked to.

By applying the above steps, you will be able to remove your Viber account from the selected devices and thus disable the use of your account on them.

The National CERT wishes to inform all Internet users that a phishing campaign abusing the COVID-19 pandemic and current situation pertaining to Digital green certificates is under way. This phishing campaign is usually being carried out via e-mail messages.

The phishing message contains a link to download an e-document on vaccination, instructing the user to click on the link and download a supposed Digital green certificate. The e-mail sender is certain Zorica Torlak, Head of Pharmacy Service Belgrade.

The legitimate issuer of the Digital green certificate in the Republic of Serbia is the Office for IT and e-Government, therefore the National CERT urges the users to pay attention if they receive any similar suspicious e-mail message offering the Digital green certificate, not to open it, but to delete it immediately.

An example of the phishing e-mail can be viewed below:

The Kaspersky Lab has detected a new type of malicious software called Rakhni Trojan (Trojan-Ransom.Win32.Rakhni). This type of malicious software has multifunctional abilities. It can be run as ransomware, crypto-miner or net-worm depending on the attacker's decision. Initially, it runs content checks on the victim's PC after which the attacker triggers one of the three possible options.

This type of malicious software emerges on the territory of Russia and spreads further via spam and phishing campaigns. It contains e-mails with fake corporate financial documents. Once they have opened the e-mail, users get instructions on how to open the attached PDF file. By clicking on the PDF, the victim launches an executable file written in Delphi which uses a fake Adobe Systems Incorporated digital signature.

If an attacker decides to launch the ransomware option, the user will receive a MESSAGE.txt file with the ransom request (please visit decryption tools).

If an attacker decides to start the crypto-mining option, a VBS script will start mining Monero and Dashcoin cryptocurrency.

If the previous two options are not suitable, the attacker may decide to run net-worm option which allows the Trojan to copy itself on all computers of the local network.

For more details please visit: threatpost.com