Over the last two weeks, individuals and business alike have been faced with yet another batch of malicious activity.

In this edition of the newsletter we will cover:

  • DNS hijacks
  • Industry-specific news
  • Sextortion / webcam blackmail


DNS hijacks

Domain Name System is the global database that maps IP addresses to human-friendly names. DNS hijacking occurs when crooks do not actually take over the websites themselves but rather change their DNS settings to have them load content from a different (malicious) address.

If someone were to gain unauthorized access to your DNS entries and change those (ex. CNAME or A record), your customer traffic may completely stop or may start being redirected to an imposter site. DNS hijacking is not as good a result for cybercriminals as a web server hack. Nonetheless, it is still quite dangerous, especially for your brand.

A researcher – Zach Edwards – has found roughly 250 compromised subdomains belonging to large organizations in the banking, insurance, utilities, and other sectors. According to Naked Security, the subdomains are linked to several hundred temporary Azure sites which may have been forgotten when no longer needed. Companies use subdomains to set up “microsites” to support short-term initiatives such as marketing campaigns. The issue is that some hosting/cloud providers do not properly purge subdomains that are no longer being used but instead make them available for someone else to buy which allows threat actors to revive those for scams and other operations.

Recommendation: Find out what DNS precautions your hosting and domain name providers offer.


Industry-specific news


  • A Brazilian-based utilities company, Light SA, was recently affected by a ransomware attack where the perpetrators demanded 14 million U.S. dollars payable in Monero (XMR) cryptocurrency. According to analysts from AppGate Labs, the binary which was likely used belongs to a family known as Sodinokibi (also known as REvil). The whole operation is strikingly professional and includes a web page (hosted on the deep web) with a chat support feature.


  • Security experts from Avast Mobile Threat Labs have detected a dangerous app that had sneaked in to Google Play Store under the pretext of a Spanish currency converter called “Calculadora de Moneda” with the intent to distribute the Cerberus banking trojan.
  • Phishing kits are often used to make it easier to set up, launch and administer credential stealing campaigns. In a recent investigation, a phishing kit dubbed Spox was found on a compromised website. The kit, delivered in a ZIP archive under the name “account-verification” to attract less attention, had been used in targeted attacks against Chase bank and PayPal customers.
  • A new variant of the Lampion banking trojan has been observed in campaigns targeting Brazilian and Portuguese banks. The modus operandi of the malware includes the download of an MSI installation file from a fake web page, the execution of an obfuscated VBS code, the download of additional files from Google Cloud and the loading of those into memory using the popular DLL injection technique.


Sextortion / webcam blackmail

Sextortion / webcam blackmail crime occurs when someone threatens to share your private and sensitive materials with friends and family if you do not pay a certain amount of money or do not carry out actual sexual acts with the perpetrator. Mostly, these threats are groundless.

A series of reports have been flagged in July with the BitcoinAbuse database using messages translated in Bulgarian.

Recommendation: Be careful about who you befriend online, especially if you are considering sharing anything intimate with them. If you do become a victim, do not panic, stop communicating with the extortionist, do not pay, preserve evidence, and contact law enforcement.


As always – be vigilant, stay alert, think twice.

AMATAS will continue to monitor this space and deliver salient information regularly. Stay tuned for our next cyber report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing office@amatas.com.



Amatas, Cyware, Naked Security by Sophos, AppGate, Avast, Sucuri, Security Affairs, NCA, BitcoinAbuse, Imperva, The Hacker News