Facebook’s Messenger platform has been heavily abused in the past month to spread endless messages with malicious attachments from a swarm of fake and hijacked personal accounts. These threat actors are targeting millions of business accounts on Facebook’s platform — from highly-rated marketplace sellers to large corporations, with fake business inquiries, achieving a staggering “success rate” with approximately 1 out of 70 infected!
The report details the operations of W3LL, a threat actor behind a phishing empire that has remained largely unknown until now. Group-IB’s Threat Intelligence and Cyber Investigations teams have tracked the evolution of W3LL and uncovered that they played a major role in compromising Microsoft 365 business email accounts over the past 6 years. The threat actor created a hidden underground market, named W3LL Store, that served a closed community of at least 500 threat actors who could purchase a custom phishing kit called W3LL Panel, designed to bypass MFA, as well as 16 other fully customized tools for business email compromise (BEC) attacks. Group-IB investigators identified that W3LL’s phishing tools were used to target over 56,000 corporate Microsoft 365 accounts in the USA, Australia and Europe between October 2022 and July 2023. According to Group-IB’s rough estimates, W3LL’s Store’s turnover for the last 10 months may have reached $500,000. All the information collected by Group-IB’s cyber investigators about W3LL has been shared with relevant law enforcement organizations.
Microsoft has identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting defense and government entities in Europe and North America. The campaign involved the abuse of CVE-2023-36884, which included a zero-day remote code execution vulnerability exploited via Microsoft Word documents.
This article explores a phishing technique that emulates a file archiver software in the browser while using a .zip domain.