A cyberhacking group has deployed malware on the websites of many news outlets in the U.S. The attack vector, according to Proofpoint appears to be a compromised a media content provider. The malware in the attack, named SocGholish, has been active since at least 2018.


### Malware Strikes Again

A cyberhacking group has deployed malware on the websites of many news outlets in the U.S. The attack vector, according to <a  href="https://www.proofpoint.com/us"  style="color: #684bff; text-decoration: underline;text-decoration-style: dotted;">ProofPoint</a> appears to be a compromised a media content provider.

The malware in the attack, named SocGholish, has been active since at least 2018.

From a quote sourced by TechCrunch, Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, says that the organization provides “both video content and advertising to major news outlets.” DeGrippo added that 250 U.S. national newspaper sites and regional websites are affected, including media organizations serving Boston, Chicago, Cincinnati, Miami, New York, Palm Beach and Washington, D.C.

While they still haven't figured out exactly how the malware was able to enter the systems, speculation could be made on a phishing attack which have grown greatly as the primary attack vector in recent month.

News of the site hijackings were first <a  href="https://twitter.com/threatinsight/status/1587866221847814145"  style="color: #684bff; text-decoration: underline;text-decoration-style: dotted;">tweeted out</a> Wednesday.

### How it works

The SocGholish malware is injected into a benign JavaScript file that is loaded by the news outlets’ websites, which prompts the website visitor to download a fake software update. In this campaign, the prompt takes the form of a browser update for Chrome, Firefox, Internet Explorer, Edge or Opera.

“If the victim downloads and executes this ‘fakeupdate’ they will be infected by the SocGholish payload,” said DeGrippo. “This attack chain requires interaction from the end user at two points: accepting the download and executing the payload.”

SocGholish serves as an “initial access threat,” which if successfully planted have historically served as a precursor to ransomware, according to Proofpoint. The threat actors’ end goal, the company says, is financial gain.

### How to Identify a Phishing Scam

Signs that the campaign is a phishing scam:

- Poor grammar and writing that no business would publish (a hallmark of phishing scams).

- Email comes from a Gmail address. A typical email will come from a an appropriate work domain.

- The email asks you to click on a link or attachment. A legitimate email will not ask you to click on a link or attachment.

- A link redirects you to a login page asking for your account username, password, and phone number.

### How you can fight back

<a  href="https://vigilante.watch"  style="color: #684bff; text-decoration: underline;text-decoration-style: dotted;">Vigilante</a> offers you a platform to report phishing attacks you encounter in the wild. We then aggregate cybercrime reports from across the globe, providing a unique opportunity to spot emerging security threats earlier than ever before. Furthermore, user reports will also be relayed to major agencies so they can pursue further legal action against perpetrators and shut down their attack vectors. <a  href="https://vigilante.watch"  style="color: #684bff; text-decoration: underline;text-decoration-style: dotted;">Report Now</a>.

_Help keep your online community safe by sharing this article. To stay up to date on new attack vectors follow us @VigilanteWatch on_ <a  href="https://twitter.com/VigilanteWatch"  style="color: #684bff; text-decoration: underline;text-decoration-style: dotted;"><i>Twitter</i></a>

For further reading visit [TechCrunch](https://techcrunch.com/2022/11/03/hundreds-news-websites-malware/)


Hundreds of Media Outlets Compromised to Push Malware

Cybercriminals have begun using Twitter's ongoing verification chaos to send phishing emails that steal the passwords of unsuspecting users. The scam operates with Twitter users firstly receiving an email from a person posing as a Twitter Admin, asking for their username and password in order to maintain free verification status. Twitter user


## How the scam works

Cybercriminals have begun using Twitter's ongoing verification chaos to send phishing emails that steal the passwords of unsuspecting users. The scam operates with Twitter users firstly receiving an email from a person posing as a Twitter Admin, asking for their username and password in order to maintain free verification status. Twitter user
<a href="https://twitter.com/zackwhittaker/status/1587188619000922112?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1587188619000922112%7Ctwgr%5Eb761cc97c19200921489c8aefc1c12d4990a7bb0%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.secureworld.io%2Findustry-news%2Fscammers-twitter-verification-phishing" style="color: #684bff; text-decoration: underline;text-decoration-style: dotted;">Zach Whittaker</a> was the first user to identify this new scam.

<div style="text-align:center">
<img src="https://pbs.twimg.com/media/FgbTaiOXEAIp96M?format=jpg&name=large" alt="Image showing Twitter Verification Phishing Email" width="65%" >

</div>
<p style="text-align:center; margin:0">
<i> 
An actual phishing email received by a potential victim (Credit: Zach Whittaker)
</i>
<p>

The email is sent from a Gmail account and links to a Google Doc. The email contains a "Provide Information" button that takes targets to a Google Doc. Once there, users are directed to another page when they click on the link in this document---which has fields for username, password, and phone number associated with the Twitter account. The page itself contains an embedded frame from another site, hosted on a Russian web host Beget. For detailed reporting <a href="https://vigilante.watch/trending/9" style="color: #684bff; text-decoration: underline;text-decoration-style: dotted;">information.</a>

This new attack once again demonstrates the importance for users to ensure they have two-factor-authentication enabled.

### How to Identify a Phishing Scam

Signs that the campaign is a phishing scam:

- Poor grammar and writing that no business would publish (a hallmark of phishing scams).

- Email comes from a Gmail address. In this scam the email originated from Twittercontactcenter@gmail. A typical Twitter email will come from a @twitter email address.

- The email asks you to click on a link or attachment. A legitimate Twitter email will not ask you to click on a link or attachment.

- A link redirects you to a login page asking for your account username, password, and phone number.

### How you can fight back

<a href="https://vigilante.watch" style="color: #684bff; text-decoration: underline;text-decoration-style: dotted;">Vigilante</a> offers you a platform to report phishing attacks you encounter in the wild. We then aggregate cybercrime reports from across the globe, providing a unique opportunity to spot emerging security threats earlier than ever before. Furthermore, user reports will also be relayed to major agencies so they can pursue further legal action against perpetrators and shut down their attack vectors. <a href="https://vigilante.watch" style="color: #684bff; text-decoration: underline;text-decoration-style: dotted;">Report Now</a>.

_Help keep your online community safe by sharing this article. To stay up to date on new attack vectors follow us @VigilanteWatch on_ <a href="https://twitter.com/VigilanteWatch" style="color: #684bff; text-decoration: underline;text-decoration-style: dotted;"><i>Twitter</i></a>


Vigilante

Latest

Hundreds of Media Outlets Compromised to Push Malware

Twitter Verification Phishing Campaign

Vigilante

Pages