Connect with us

Cyber Security

Group-IB Uncovers Wide-Scale Phishing Campaign that Sees Scammers Mimic KSA Manpower Provider

Published

on

Group-IB has today published its research into a wide-scale phishing scheme that sees scammers impersonate one of the leading manpower agencies in the Kingdom of Saudi Arabia (KSA). In total, analysts from the Group-IB Computer Emergency Response Team (CERT-GIBand Digital Risk Protection Team based at the company’s Threat Intelligence and Research Center in Dubai, UAE analyzed more than 1,000 rogue domains created to impersonate the manpower provider in question as part of a long-term scam campaign.

Group-IB analysts uncovered how one individual claimed to be offering more than 100 domain names that contained a logical connection to, or a variation of, the brand name in question. In line with Group-IB’s zero-tolerance policy towards cybercrime, Group-IB analysts notified the Saudi Computer Emergency Response Team (CERT-SA), a fellow OIC-CERT member, of their findings to assist their regional partners in taking any relevant action to combat this scheme.

Scam in Action
In 2021, more than $55 billion was stolen from victims as a result of scams, according to a Global State of Scam Report that Group-IB contributed to. The need to combat scammers is all the more pertinent given that recent Group-IB research found that scams accounted for 57% of all financially motivated cybercrime, and, according to the Global Anti Scam Alliance, the number of scams is growing more than 10% year on year. The same report also revealed that users in Saudi Arabia are targeted by the most phishing scams in the Middle East.

Domain spoofing, known as the faking of a website or email domain to make malicious sites or emails look credible, has long been a tactic of cybercriminals across the globe, and we are seeing new schemes appearing with alarming regularity. This past July, Group-IB uncovered more than 270 domain names that mimicked over a dozen postal and logistics brands across the Middle East in a separate scam campaign.

However, the postage scam scheme identified by Group-IB has been dwarfed in size by a new wide-scale domain and website spoofing campaign targeting users in Saudi Arabia. Over the past 16 months, Group-IB analysts analyzed more than 1,000 rogue domains linked to a single Saudi company – a leading manpower agency that offers businesses assistance in hiring employees for the construction and services sector, and individuals can also procure the services of domestic workers through the agency. The latter of these two groups is the target of this scam campaign.

The campaign, which was launched in April 2021, appeared to peak in March 2022, when more than 200 new domains spoofing the agency in question were registered with hosting providers. Group-IB analysts believe that the surge in new domains registered in early 2022 could be a sign that a growing number of internet users had fallen victim to this scheme. As seen in other examples around the world, scammers often double down on a certain tactic once it starts to generate money.

A breakdown of the scheme’s timeline can be found below:

In April 2022, when the phishing campaign surged, financial bodies in Saudi Arabia warned of a sharp increase in financial fraud in the country in the preceding year. Group-IB analysts assume that the subsequent reduction in the number of new domains registered per month imitating the manpower provider has followed in the wake of warnings to users by financial authorities in Saudi Arabia, government institutions, and the brand itself. However, the creation of 32 new spoof domains in September 2022 alone shows that scammers are still attempting to impersonate the company.

According to Group-IB’s findings, the driving factor for this scam scheme is an unholy alliance between scammers and spoof domain brokers. This alliance sees the brokers purchase the rights to dozens of domain names containing a typographical or phonetic variation of the attacked brand, and offer them for sale at a low price to scammers.

Imitation – the Sincerest Form of Flattery
The URLs and the design of the scam pages created as part of this campaign are intended to convincingly imitate the manpower provider in question and trick users into entering their credentials for banking services and online government portals. The scammers can harvest both login information and two-factor authentication (2FA) codes to gain access and complete fraudulent transactions.

The scam campaign, which rests on multiple layers of social engineering, starts with the scammers placing advertisements on social media sites such as Facebook and Twitter, and the Google search engine. Group-IB analysts discovered more than 40 individual advertisements for this scheme on Facebook alone. 

From there, the victims begin interacting with the scammers via SMS or WhatsApp communication, and a full breakdown of an average victim journey can be found below:

The phishing pages created by the scammers contain the official logo of the targeted brand as a means of building legitimacy in the eyes of the victims.

Figure 2: Phishing page containing the logo of the brand (blurred) to make it look legitimate.

Upon landing on the homepage of the phishing site, the victim is directed to click the large green button that has “apply” written on it. Once they do this, they are transferred to a second page where they are requested to enter their personal information.

Figure 3: Phishing page where users are asked to fill in their name, phone number, address and national ID number. After filling in the requested data, the user has to click on apply.

After entering their personal information and clicking “apply”, the victims are redirected to a page that asks them to select the nationality of the domestic worker they wish to hire.

Figure 4: After clicking apply, the victims are transferred to the next phishing page, where they are asked to choose the nationality of the domestic worker they want to request.

The next stage of the scam sees victims choose the type of domestic service they require (e.g., hourly, in-house).

Figure 5: Phishing site containing the range of domestic worker services the scammers purport to be offering to users.

Once they have completed these steps, the victim is transferred to a page on which they are asked to pay a small processing fee of 50 or 100 SAR (approximately $13 or $27). In fact, this transaction will not take place, as it is merely a ploy for the scammers to harvest credentials, but the victims are presented with the choice of making this fake transaction either via bank payment or a Saudi government portal.

Figure 6: Users are presented a choice, either via bank payment or card transaction, to pay what they believe to be a 50 or 100 SAR processing fee, although this transaction, which isn’t credited, is a ploy to steal users’ login details.

Irrespective of how the victim chooses to make the fake payment, they are sent either to a page emulating 11 regional banks or a website impersonating a Saudi government portal. The likelihood of the victim of being directed to the fake bank page or the fake portal page appeared to be random. In both cases, the victim’s login credentials and two-factor authentication (2FA) code are harvested by the scammers.

 

 

 

Figure 7: Phishing page on which the victim is prompted to make the fake processing payment via one of 11 leading regional banks.

 

Figure 8: After clicking on the image of the bank of their choice, the victim is asked to enter their login and password.

 

Figure 9: Phishing page mimicking a Saudi governmental portal asking for the two-factor authentication code, which the user receives once the scammers attempt to log in to the real governmental portal using the credentials harvested in the previous step.

Once the victim enters their data, the threat actors harvest the victim’s login credentials and 2FA code, which can be used to gain access to the victim’s bank or governmental portal account and begin making fraudulent transactions until the account is emptied.

Interestingly, the domain names identified by Group-IB in this scam campaign are registered with the same popular and affordable hosting providers as seen in many other phishing schemes. This underlines how fraudsters worldwide are utilizing similar tactics, such as launching domains with cheap, easy-to-register, and stable hosting providers, to target victims across the globe.

The primary goal of this research is to raise public awareness in the Middle East of the latest phishing attacks, and to call for internet users to remain vigilant as threat actors continue to convincingly, and with increased regularity, impersonate some of the region’s largest organizations. Scammers are becoming increasingly resourceful and collaborative, and spoof domain brokers are coming to the assistance of cyber criminals. We encourage companies and organizations to monitor for signs of brand abuse, and we also urge internet users to remain vigilant so that they do not become victims of scams such as this,” Mark Alpatskiy, CERT-GIB Senior Analyst, said.

In order to prevent further phishing attacks using spoof domains, companies and organizations should monitor for signs of brand abuse across the internet, including on social media which is often used by scammers to advertise their phishing pages. There are solutions that help firms and organizations secure their digital assets by continuously and automatically monitoring millions of online resources where the brand or intellectual property may be present.

Internet users are urged to show caution and always check the URL domain of the page they are accessing and verify it to see if it is the official website before entering any personal or payment details. Another recommendation is to maintain communication with online chat services or call centers of the official company or organization.

Cyber Security

Positive Technologies Reports 80% of Middle East Cyberattacks Compromise Confidential Data

Published

on

A new study by cybersecurity firm Positive Technologies has shed light on the evolving cyber threat landscape in the Middle East, revealing that a staggering 80% of successful cyberattacks in the region lead to the breach of confidential information. The research, examining the impact of digital transformation, organized cybercrime, and the underground market, highlights the increasing exposure of Middle Eastern nations to sophisticated cyber threats.

The study found that one in three successful cyberattacks were attributed to Advanced Persistent Threat (APT) groups, which predominantly target government institutions and critical infrastructure. While the rapid adoption of new IT solutions is driving efficiency, it simultaneously expands the attack surface for malicious actors.

Cybercriminals in the region heavily utilize social engineering tactics (61% of cases) and malware (51%), often employing a combination of both. Remote Access Trojans (RATs) emerged as a primary weapon in 27% of malware-based attacks, indicating a common objective of gaining long-term access to compromised systems.

The analysis revealed that credentials and trade secrets (29% each) were the most sought-after data, followed by personal information (20%). This stolen data is frequently leveraged for blackmail or sold on the dark web. Beyond data theft, 38% of attacks resulted in the disruption of core business operations, posing significant risks to critical sectors like healthcare, transportation, and government services.

APT groups are identified as the most formidable threat actors due to their substantial resources and advanced technical capabilities. In 2024, they accounted for 32% of recorded attacks, with a clear focus on government and critical infrastructure. Their activities often extend beyond traditional cybercrime, encompassing cyberespionage and even cyberwarfare aimed at undermining trust and demonstrating digital dominance.

Dark web analysis further revealed that government organizations were the most frequently mentioned targets (34%), followed by the industrial sector (20%). Hacktivist activity was also prominent, with ideologically motivated actors often sharing stolen databases freely, exacerbating the cybercrime landscape.

The United Arab Emirates, Saudi Arabia, Israel, and Qatar, all leaders in digital transformation, were the most frequently cited countries on the dark web in connection with stolen data. Experts suggest that the prevalence of advertisements for selling data from these nations underscores the challenges of securing rapidly expanding digital environments, which cybercriminals are quick to exploit.

Positive Technologies analyst Alexey Lukash said, “In the near future, we expect cyberthreats in the Middle East to grow both in scale and sophistication. As digital transformation efforts expand, so does the attack surface, creating more opportunities for hackers of all skill levels. Governments in the region need to focus on protecting critical infrastructure, financial institutions, and government systems. The consequences of successful attacks in these areas could have far-reaching implications for national security and sovereignty.”

To help organizations build stronger defenses against cyberthreats, Positive Technologies recommends implementing modern security measures. These include vulnerability management systems to automate asset management, as well as identify, prioritize, and remediate vulnerabilities. Positive Technologies also suggests using network traffic analysis tools to monitor network activity and detect cyberattacks. Another critical layer of protection involves securing applications. Such solutions are designed to identify vulnerabilities in applications, detect suspicious activity, and take immediate action to prevent attacks.

Positive Technologies emphasizes the need for a comprehensive, result-driven approach to cybersecurity. This strategy is designed to prevent attackers from disrupting critical business processes. Scalable and flexible, it can be tailored to individual organizations, entire industries, or even large-scale digital ecosystems like nations or international alliances. The goal is to deliver clear, measurable results in cybersecurity—not just to meet compliance standards or rely on isolated technical fixes.

Continue Reading

Cyber Security

Axis Communications Sheds Light on Video Surveillance Industry Perspectives on AI

Published

on

Axis Communications has published a new report that explores the state of AI in the global video surveillance industry. Titled The State of AI in Video Surveillance, the report examines the key opportunities, challenges and future trends, as well as the responsible practices that are becoming critical for organisations in their use of AI. The report draws insights from qualitative research as well as quantitative data sources, including in-depth interviews with carefully selected experts from the Axis global partner network.

A leading insight featured in the report is the unanimous view among interviewees that interest in the technology has surged over the past few years, with more and more business customers becoming curious and increasingly knowledgeable about its potential applications.

Mats Thulin, Director AI & Analytics Solutions at Axis Communications

“AI is a technology that has the potential to touch every corner and every function of the modern enterprise. That said, any implementations or integrations that aim to drive value come with serious financial and ethical considerations. These considerations should prompt organisations to scrutinise any initiative or investment. Axis’s new report not only shows how AI is transforming the video surveillance landscape, but also how that transformation should ideally be approached,” said Mats Thulin, Director AI & Analytics Solutions at Axis Communications.

According to the Axis report, the move by businesses from on-premise security server systems to hybrid cloud architectures continues at pace, driven by the need for faster processing, improved bandwidth usage and greater scalability. At the same time, cloud-based technology is being combined with edge AI solutions, which play a crucial role by enabling faster, local analytics with minimal latency, a prerequisite for real-time responsiveness in security-related situations.

By moving AI processing closer to the source using edge devices such as cameras, businesses can reduce bandwidth consumption and better support real-time applications like security monitoring. As a result, the hybrid approach is expected to continue to shape the role of AI in security and unlock new business intelligence and operational efficiencies.

A trend that is emerging among businesses is the integration of diverse data for a more comprehensive analysis, transforming safety and security. Experts predict that by integrating additional sensory data, such as audio and contextual environmental factors caught on camera, can lead to enhanced situational awareness and greater actionable insights, offering a more comprehensive understanding of events.

Combining multiple data streams can ultimately lead to improved detection and prediction of potential threats or incidents. For example, in emergency scenarios, pairing visual data with audio analysis can enable security teams to respond more quickly and precisely. This context-aware approach can potentially elevate safety, security and operational efficiency, and reflects how system operators can leverage and process multiple data inputs to make better-informed decisions.

According to the Axis report, interviewees emphasised that responsible AI and ethical considerations are critical priorities in the development and deployment of new systems, raising concerns about decisions potentially based on biased or unreliable AI. Other risks highlighted include those related to privacy violations and how facial and behavioural recognition could have ethical and legal repercussions.

As a result, a recurring theme among interviewees was the importance of embedding responsible AI practices early in the development process. Interviewees also pointed to regulatory frameworks, such as the EU AI Act, as pivotal in shaping responsible use of technology, particularly in high-risk areas. While regulation was broadly acknowledged as necessary to build trust and accountability, several interviewees also stressed the need for balance to safeguard innovation and address privacy and data security concerns.

“The findings of this report reflect how enterprises are viewing the trend of AI holistically, working to have a firm grasp of both how to use the technology effectively and understand the macro implications of its usage. Conversations surrounding privacy and responsibility will continue but so will the pace of innovation and the adoption of technologies that advance the video surveillance industry and lead to new and exciting possibilities,” Thulin added.

Continue Reading

Artificial Intelligence

CyberKnight Partners with Ridge Security for AI-Powered Security Validation

Published

on

The automated penetration testing market was valued at roughly $3.1 billion in 2023 and is projected to grow rapidly, with forecasts estimating a compound annual growth rate (CAGR) between 21% and 25%. By 2030, the sector is expected to reach approximately $9 to $10 billion. The broader penetration testing industry is also expanding, with projections indicating it will surpass $5.3 billion by 2027, according to MarketandMarket.

To support enterprises and government entities across the Middle East, Turkey and Africa (META) with identifying and validating vulnerabilities and reducing security gaps in real-time, CyberKnight has partnered with Ridge Security, the World’s First Al-powered Offensive Security Validation Platform. Ridge Security’s products incorporate advanced artificial intelligence to deliver security validation through automated penetration testing and breach and attack simulations.

RidgeBot uses advanced AI to autonomously perform multi-vector iterative attacks, conduct continuous penetration testing, and validate vulnerabilities with zero false positives. RidgeBot has been deployed by customers worldwide as a key element of their journey to evolve from traditional vulnerability management to Continuous Threat Exposure Management (CTEM).

“Ridge Security’s core strength lies in delivering holistic, AI-driven security validation that enables organizations to proactively manage risk and improve operational performance,” said Hom Bahmanyar, Chief Enablement Officer at Ridge Security. “We are delighted to partner with CyberKnight to leverage their network of strategic partners, deep-rooted customer relations, and security expertise to accelerate our expansion plans in the region.”

“Our partnership with Ridge Security is a timely and strategic step, as 69% of organizations are now adopting AI-driven security for threat detection and prevention,” added Wael Jaber, Chief Strategy Officer at CyberKnight. “By joining forces, we enhance our ability to deliver automated, intelligent security validation solutions, reaffirming our commitment to empowering customers with resilient, future-ready cybersecurity across the region.”

Continue Reading
Advertisement

Follow Us

Trending

Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.