Iceland hit by a serious cyber attack mimicking local police
Recently, security researchers reported a very dangerous and tricky cyber attack spotted in Iceland. The phishing attack was launched on the 6th of October and involved malware capable of stealing banking details and passwords by recording victims' keystrokes. Experts claim that it involved “thousands of people,” which is significant given that Iceland has just over 300,000 citizens.
Even though similar attempts are noticed almost every day, this one had some features that made it stand out. IT researcher Martin Jartelius commented that the attack was not difficult to launch but was narrowly targeted:
This attack is neither novel nor hard to perform, but it is extremely targeted and it does involve a greater effort for a smaller audience than what we usually see in those cases.
Criminals used almost the same domain name as the one used by police
To trick as many people as possible, the criminals relied on one important trick: they bought a domain almost identical to the one used by the local police. The targeted victims received email messages urging them to contact the authority to prevent an arrest warrant, and the email carried a seemingly safe link meant to drive victims to a predetermined site.
The attackers behind this phishing attack used logregian.is as the name of their website. It is almost identical to the domain used by the local police; the only difference is a lowercase “i” in place of the “l.” Naturally, the trick convinced victims that the email and web page were legitimate.
Additionally, the criminals asked their victims for their social security numbers, which is a common practice in Iceland when you are being inspected by the police. Normally, verifying an SSN would require logging in to your bank, yet the criminals were able to verify these numbers without any login.
Remcos tool helped attackers access the target systems remotely
Victims were also urged to open a .scr file that the crooks claimed contained information about the alleged crime. As you might have guessed, the file turned out to be a malicious executable, pushing the attack to another level.
If the malicious executable was launched, the cybercriminals gained remote access to the victims' computer systems, using the Remcos tool for the connection. This also gave them the ability to gather sensitive information such as bank account data. Cybersecurity experts found that Remcos was also configured to work as a keylogger and sent the collected data to remote servers located in Holland and Germany.
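The two lures described above, the lookalike domain with an “i” swapped for an “l” and the .scr attachment, are exactly what a mail-triage check can catch. The following is an added example, not code from the article or from any vendor it cites: it collapses visually confusable characters and measures edit distance against a list of protected domains, then flags executable attachment types. The article does not name the real police domain, so logreglan.is is an assumption used for illustration, and the sample messages are constructed.

```python
"""Added example: flag lookalike domains and executable attachments in mail triage."""
import os

PROTECTED_DOMAINS = ["logreglan.is"]  # assumed legitimate domain; the article does not name it
RISKY_EXTENSIONS = {".scr", ".exe", ".js", ".vbs", ".bat"}

def skeleton(domain: str) -> str:
    """Collapse confusable characters (i/l/1, o/0, rn/m) so lookalikes compare equal."""
    s = domain.lower().replace("rn", "m")
    return s.translate(str.maketrans({"i": "l", "1": "l", "0": "o"}))

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) using the standard one-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_domain(domain: str) -> tuple[str, str]:
    """Return (verdict, reason) with verdict 'trusted', 'lookalike' or 'unknown'."""
    d = domain.lower().strip(".")
    for good in PROTECTED_DOMAINS:
        if d == good:
            return "trusted", good
        if skeleton(d) == skeleton(good):
            return "lookalike", f"confusable spelling of {good}"
        dist = levenshtein(d, good)
        if dist <= 2:  # tighten for short domains to keep false positives down
            return "lookalike", f"edit distance {dist} from {good}"
    return "unknown", ""

def triage(msg: dict[str, str]) -> list[str]:
    """Findings for one message: sender and link domains plus attachment type."""
    findings = []
    for field in ("from_domain", "link_domain"):
        verdict, reason = assess_domain(msg[field])
        if verdict == "lookalike":
            findings.append(f"{field} {msg[field]}: {reason}")
    ext = os.path.splitext(msg.get("attachment", ""))[1].lower()
    if ext in RISKY_EXTENSIONS:
        findings.append(f"attachment {msg['attachment']}: executable type {ext}")
    return findings

SAMPLE_MESSAGES = [  # constructed, modelled on the article's description
    {"from_domain": "logregian.is", "link_domain": "logregian.is", "attachment": "case_file.scr"},
    {"from_domain": "logreglan.is", "link_domain": "logreglan.is", "attachment": "notice.pdf"},
]
```

Calling `triage(SAMPLE_MESSAGES[0])` returns three findings (both domains and the .scr attachment), while the second, legitimate-looking message returns none.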
Fortunately, the malicious website was taken down a day after the cyber attack was launched. However, it is still unknown how many victims were affected.