The Season of Back to School Scams


Authored by: Lakshya Mathur and Yashvi Shah 

As the back-to-school season approaches, scammers are taking advantage of the opportunity to deceive parents and students. With online shopping now the default for many households, scammers have adapted to the trend and use social engineering lures, such as steep discounts, free school kits, online lectures, and scholarships, to entice unsuspecting people into their schemes. 

McAfee Labs has found the PDFs described below targeting back-to-school shoppers. This blog is a reminder for parents of what to teach their children and of how not to fall victim to such fraud.

Fake captcha PDFs campaign 

McAfee Labs encountered a PDF campaign whose first page shows a fake CAPTCHA, supposedly to verify that a human is reading the file. The second page carries a substantial amount of back-to-school advice for parents and students, giving the file the appearance of a legitimate document. Both tactics serve the same ends: make the PDF look authentic, entice the reader to click the fake CAPTCHA link, and evade detection. 

Figure 1 – Fake CAPTCHA and scam link 

Figure 2 – PDF Second Page

 

Figure 3 – Zoomed in content from Figure 2

 

As shown in Figure 1, the fake CAPTCHA image is a link; when clicked, it redirects to the URL displayed at the bottom left of the figure. The URL is on a .ru domain and passes through multiple redirections before reaching its destination. It contains the text “all hallows prep school uniform,” and it leads to a malicious site that sets cookies, monitors user behavior, and collects interactions, sending the data to servers operated by the domain’s owners. 

Figures 2 and 3 show the second page of the PDF, which is designed to look legitimate both to users and to spam and security scanners. 

In this campaign we identified 13 domains in total; most are under the .ru TLD, with two under South Africa’s .co.za. The complete list is in the IOC (Indicators of Compromise) section at the end of this post. 

All domains were created in 2020 and 2021 and use Cloudflare’s name servers. 
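The link behind the fake CAPTCHA lives in the PDF as a link annotation with a URI action, so it can be pulled out and checked without opening the file in a viewer. The following is an added example, not code from the McAfee post: it scans raw PDF bytes for URI actions (both literal and hex string forms), defangs each URL, and matches the host against the domain list from this post’s IOC section. The sample PDF is constructed here to mimic the campaign (one link annotation pointing at a listed .ru domain with “all hallows prep school uniform” in the query string, plus a benign second link to example.com); the exact scam URL is not reproduced on the page and is an assumption.

```python
import re
from urllib.parse import urlsplit

# Domains from the IOC section of this post, defanged there; re-fanged here for matching.
IOC_DOMAINS = {
    d.replace("[.]", ".")
    for d in ("traffine[.]ru", "leonvi[.]ru", "trafffi[.]ru", "norin[.]co[.]za",
              "gettraff[.]ru", "cctraff[.]ru", "luzas.yubit[.]co[.]za",
              "ketchas[.]ru", "maypoin[.]ru", "getpdf[.]pw", "traffset[.]ru",
              "jottigo[.]ru", "trafffe[.]ru")
}

# A PDF link annotation stores its target in a URI action:
#   /A << /S /URI /URI (http://host/path) >>
# The target may be a literal string (...) or a hex string <...>.
_URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
_URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"(": b"(", b")": b")", b"\\": b"\\"}


def _unescape_literal(raw: bytes) -> bytes:
    """Resolve PDF literal-string escapes: \\n, \\(, \\), \\\\ and octal \\ddd."""
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i:i + 1]
        if c == b"\\" and i + 1 < len(raw):
            nxt = raw[i + 1:i + 2]
            if nxt in b"01234567":
                digits = re.match(rb"[0-7]{1,3}", raw[i + 1:]).group(0)
                out.append(int(digits, 8))
                i += 1 + len(digits)
                continue
            out += _ESCAPES.get(nxt, nxt)
            i += 2
            continue
        out += c
        i += 1
    return bytes(out)


def extract_uris(pdf: bytes) -> list[str]:
    """Return every URI action target found in the raw PDF bytes, in file order."""
    found = []
    for m in _URI_LITERAL.finditer(pdf):
        found.append((m.start(), _unescape_literal(m.group(1))))
    for m in _URI_HEX.finditer(pdf):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        if len(hexstr) % 2:          # PDF pads an odd trailing digit with 0
            hexstr += b"0"
        found.append((m.start(), bytes.fromhex(hexstr.decode("ascii"))))
    found.sort()
    return [u.decode("latin-1") for _, u in found]


def defang(url: str) -> str:
    """hxxp://host[.]tld form, safe to paste into a report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def matches_ioc(host: str) -> bool:
    """True if host is a listed IOC domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def triage(pdf: bytes) -> list[dict]:
    """One row per link target: defanged URL, host, and whether it hits the IOC list."""
    rows = []
    for url in extract_uris(pdf):
        host = host_of(url)
        rows.append({"url": defang(url), "host": host, "ioc_hit": matches_ioc(host)})
    return rows


# Constructed sample, not the campaign file: a two-annotation PDF skeleton.
# Object 4 mimics the fake-CAPTCHA link (IOC domain, lure text in the query);
# object 5 is a benign hex-string link to example.com.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]\n"
    b"   /Annots [4 0 R 5 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [100 600 300 650]\n"
    b"   /A << /S /URI /URI (http://cctraff.ru/?q=all+hallows+prep+school+uniform) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [100 100 300 150]\n"
    b"   /A << /S /URI /URI <68747470733a2f2f6578616d706c652e636f6d2f> >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for row in triage(SAMPLE_PDF):
        flag = "IOC HIT" if row["ioc_hit"] else "-"
        print(f"{flag:8} {row['host']:24} {row['url']}")
```

Because this scans the file as bytes, it only sees dictionaries stored in clear. Real samples often keep annotations inside compressed object streams, so run it on a decompressed copy first (for example `qpdf --qdf --object-streams=disable in.pdf out.pdf`). Treat a URI hit as a reason to pull the file for analysis, not as proof on its own: the IOC list is specific to this campaign, and lookalike domains outside it will not match.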

Geographical Distribution 

These domains were discovered operating worldwide, targeting consumers across various countries. The United States and India stood out as the top countries where users were most often targeted. 

Figure 4 – Geographical distribution of all the scam domains 

 

What more to expect? 

The campaign above is only the start of back-to-school scam season. Parents and students should remain vigilant against fraud such as: 

Shopping scams: During back-to-school season, scammers set up fake online stores offering discounted school supplies, uniforms, and gadgets, then deliver substandard products or nothing at all; spread fraudulent social media ads with enticing deals that lead to fake websites collecting personal information and payment details; and send fake package delivery emails that trick recipients into clicking links leading to phishing pages or malware.  

Tax and loan forgiveness scams: Scammers target students and parents with student loan forgiveness offers, promising false debt reduction programs in exchange for upfront payments or personal information. They also dangle fake scholarships or grants that require fees or sensitive data, when no genuine assistance exists. Unsolicited calls from scammers posing as government agencies or loan providers add to the deception, using high-pressure tactics to extract personal information or immediate payments. 

Identity theft: Scammers employ various identity theft tactics to exploit students and parents: attempting unauthorized access to school databases for personal information, creating fake enrollment forms to collect sensitive data, and sending phishing emails posing as educational institutions or retailers to trick victims into sharing personal information or login credentials. 

Deepfake AI Voice scams: Scammers might use deepfake AI technology to create convincing voice recordings of school administrators, teachers, or students. They can pose as school officials to deceive parents into making urgent payments or sharing personal information. Additionally, scammers might mimic students’ or teachers’ voices to solicit fraudulent fundraisers for fake school programs or claim that students have won scholarships or prizes to trick them into paying fees or revealing sensitive information. These scams exploit the trust and urgency surrounding back-to-school activities. 

How to Stay Protected? 

Be skeptical: if something appears to be too good to be true, it probably is.  
Exercise caution when registering on, or sharing personal information with, questionable sites. 
Stay informed about these scams to safeguard yourself. 
Maintain a skeptical approach towards unsolicited calls and emails. 
Keep your anti-virus and web protection up to date and perform regular full scans on your devices. 

 

IOC (Indicators of Compromise) 

Type            Value 

PDF (SHA-256)   474987c34461cb4bd05b81d040cae468ca5b88e891da4d944191aa819a86ff21 
                426ad19eb929d0214254340f3809648cfb0ee612c8374748687f5c119ab1a238 
                5cb6ecc4af42075fa822d2888c82feb2053e67f77b3a6a9db6501e5003694aba 

Domain          traffine[.]ru 
                leonvi[.]ru 
                trafffi[.]ru 
                norin[.]co[.]za 
                gettraff[.]ru 
                cctraff[.]ru 
                luzas.yubit[.]co[.]za 
                ketchas[.]ru 
                maypoin[.]ru 
                getpdf[.]pw 
                traffset[.]ru 
                jottigo[.]ru 
                trafffe[.]ru 

The post The Season of Back to School Scams appeared first on McAfee Blog.


golang-honnef-tools-2023.1.3-1.20230802git0e3cc29.fc39


FEDORA-2023-65f2712f28

Packages in this update:

golang-honnef-tools-2023.1.3-1.20230802git0e3cc29.fc39

Update description:

Automatic update for golang-honnef-tools-2023.1.3-1.20230802git0e3cc29.fc39.

Changelog

* Wed Aug 2 2023 Mikel Olasagasti Uranga <mikel@olasagasti.info> – 2023.1.3-1
– Update to 2023.1.3 – Closes rhbz#2070258 rhbz#2114542 rhbz#2163232
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> – 2021.1.2-6
– Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> – 2021.1.2-5
– Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> – 2021.1.2-4
– Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Tue Jul 19 2022 Maxwell G <gotmax@e.email> – 2021.1.2-3
– Rebuild for
CVE-2022-{1705,32148,30631,30633,28131,30635,30632,30630,1962} in golang


Multiple Vulnerabilities in Mozilla Products Could Allow for Arbitrary Code Execution


Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution.

Mozilla Firefox is a web browser used to access the Internet.
Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations.
Mozilla Thunderbird is an email client.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.


OXAS-ADV-2023-0003: OX App Suite Security Advisory


Posted by Martin Heiland via Fulldisclosure on Aug 02

Dear subscribers,

We’re sharing our latest advisory with you and would like to thank everyone who contributed to finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at YesWeHack.

This advisory has also been published at https://documentation.open-xchange.com/security/advisories/.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH

Internal reference: OXUIB-2282
Type:…


RansomLord v1 / Anti-Ransomware Exploit Tool


Posted by malvuln on Aug 02

RansomLord is a proof-of-concept tool that automates the creation of PE
files, used to compromise Ransomware pre-encryption.

Lang: C

SHA256: b0dfa2377d7100949de276660118bbf21fa4e56a4a196db15f5fb344a5da33ee

Video PoC:
https://www.youtube.com/watch?v=_Ho0bpeJWqI

Download: https://github.com/malvuln/RansomLord

RansomLord-generated PE files are saved to disk in the x32 or x64
directories where the program is run from.

Goal is to exploit code…


Savant Web Server 3.1 – Remote Buffer Overflow (Egghunter)


Posted by Mahmoud Noureldin on Aug 02

This is an old app, but this exploits it in an easy way that is not the same as the one already public.

Exploit Title: Savant Web Server 3.1 – Remote Buffer Overflow (Egghunter)

# Date: [30/07/2023]
# Exploit Author: [0xBOF90]
# Vendor Homepage: [link]
# Version: [app version] (3.1)
# Tested on: [Windows 10]

import socket
import sys

try:
    server = b"192.168.56.102"
    # bad characters to avoid in the payload: \x00\x0a\x0d\x25
    port = 80
    size = 253
    # msfvenom -p windows/shell_reverse_tcp…


USN-6268-1: GStreamer Base Plugins vulnerabilities


It was discovered that GStreamer Base Plugins incorrectly handled certain
FLAC image tags. A remote attacker could use this issue to cause GStreamer
Base Plugins to crash, resulting in a denial of service, or possibly
execute arbitrary code. (CVE-2023-37327)

It was discovered that GStreamer Base Plugins incorrectly handled certain
subtitles. A remote attacker could use this issue to cause GStreamer Base
Plugins to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2023-37328)


golang-1.19.12-1.fc37


FEDORA-2023-1819dc9854

Packages in this update:

golang-1.19.12-1.fc37

Update description:

This update includes a security fix to the crypto/tls package, as well as bug fixes to the assembler and the compiler.

This update includes a security fix to the net/http package, as well as bug fixes to the compiler, cgo, the cover tool, the go command, the runtime, and the crypto/ecdsa, go/build, go/printer, net/mail, and text/template packages.
