There’s No Such Thing as a Free Yeti, Only Social Engineering Tactics

It’s easy to think of the typical online holiday scam as something that affects mostly individuals. Sad, maybe, and unfortunate, but not something that might seriously threaten a business, or another organization.

For example, a lot of scams are circulating that offer a free Yeti cooler, or some other attractive bauble, like a Samsung Smart TV, or a snazzy Dutch oven by Le Creuset. All you have to do is enter your credit card to cover shipping and handling. Fair enough, right? After all, you're going to get a swell Yeti. Of course, there is no Yeti, but the scammers now have the marks' payment card information.

But there are lessons here in social engineering that can be applied by organizations, too. Vox’s Recode explains, “Basically, these scammers are deploying lots of technical tricks to evade scanners and get through spam filters behind the scenes. Those include (but aren’t limited to) routing traffic through a mix of legitimate services, like Amazon Web Services, which is the URL several of the scam emails I’ve received appear to link out to. And, [security researcher Zach] Edwards said, bad actors can identify and block the IP addresses of known scam and spam detection tools, which also helps them bypass those tools.”

There’s also more use of domain hop architecture in spam, helping the scammers hide their tracks and evade security tools. That’s not all. Recode goes on to report that, “Akamai said this year’s campaign also included a novel use of fragment identifiers. You’ll see those as a series of letters and numbers after a hash mark in a URL. They’re typically used to send readers to a specific section of a website, but scammers were using them to instead send victims to completely different websites entirely. And some scam detection services don’t or can’t scan fragment identifiers, which helps them evade detection, according to Katz. That said, Google told Recode that this particular method alone was not enough to bypass its spam filters.”
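The fragment trick above is easy to see in code. The following is an added example, not code from Recode, Akamai or the scammers: a small link-triage routine that separates the host a naive scanner sees (everything before the `#`) from any host named inside the fragment. The sample links are constructed placeholders, not real campaign infrastructure, and the regular expression for "a host-like token after `//`" is an assumption about what a redirecting page would read out of the fragment.

```python
import re
from urllib.parse import urlparse, unquote

# Constructed sample links for illustration; none of these hosts are real campaign infrastructure.
SAMPLE_LINKS = [
    "https://bucket-123.s3.example-cloud.test/promo#section-2",
    "https://bucket-123.s3.example-cloud.test/promo#https://claim-your-cooler.test/yeti",
    "https://bucket-123.s3.example-cloud.test/go#next=//claim-your-cooler.test/yeti",
    "https://docs.example.test/help#%68%74%74%70%73://claim-your-cooler.test/",
]

# A host-like token preceded by '//' (with or without a scheme) inside the fragment.
_HOST_IN_TEXT = re.compile(r"(?:[a-z][a-z0-9+.-]*:)?//([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def visible_host(url: str) -> str:
    """The host a naive scanner sees: everything before the '#' is the 'real' URL."""
    return urlparse(url).hostname or ""


def fragment_hosts(url: str) -> list[str]:
    """Hostnames smuggled into the fragment (the part after '#').

    The fragment is never sent to the server, so page-side script can read it and
    send the visitor wherever it names. Percent-decoding first defeats the simple
    trick of encoding the scheme so that 'http' never appears literally.
    """
    frag = urlparse(url).fragment
    if not frag:
        return []
    return sorted({m.group(1).lower() for m in _HOST_IN_TEXT.finditer(unquote(frag))})


def triage(url: str) -> dict:
    """Classify one link: suspicious when the fragment names a host other than the visible one."""
    vis = visible_host(url).lower()
    hidden = [h for h in fragment_hosts(url) if h != vis]
    return {"url": url, "visible_host": vis, "fragment_hosts": hidden, "suspicious": bool(hidden)}


def suspicious_links(urls: list[str]) -> list[str]:
    """Return only the links whose fragment points somewhere else."""
    return [r["url"] for r in map(triage, urls) if r["suspicious"]]


if __name__ == "__main__":
    for r in map(triage, SAMPLE_LINKS):
        print(("FLAG " if r["suspicious"] else "ok   ") + r["url"], r["fragment_hosts"])
```

The first link is an ordinary in-page anchor and passes; the other three all resolve to the same cloud-hosted page as far as a reputation lookup on the visible host is concerned, yet each carries a different destination in the fragment. A scanner that only scores `visible_host` treats all four alike, which is exactly the gap the article describes.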

The upshot of the greater sophistication email spam now exhibits is that the social engineers are working to bypass the technical protections organizations have in place. As is so often the case, the individual user is the last line of defense, and a well-informed, properly skeptical user is to some extent armored against attempts like this. The email might look as if it came from a legitimate sender, the offer might be attractive, but new-school security awareness training can help your people understand that, really, there's no such thing as a free Yeti.


WhatsApp data breach sees nearly 500 million user records up for sale

Craig Hale at Techradar reported: “A post on a “well-known hacking community forum” claims almost half a billion WhatsApp records have been breached and are up for sale.

The post, which multiple sources have confirmed is likely to be true, claims to be selling an up-to-date, 2022 database of 487 million mobile numbers used on WhatsApp, which contains data from 84 countries. This means that almost one-quarter of all WhatsApp's estimated two billion monthly active users are possibly at risk.

If you use WhatsApp, your details could well be up for sale

More than 32 million of the leaked records are said to be from users in the US, with 11 million from UK users. Other affected nations include Egypt (45 million), Italy (35 million), Saudi Arabia (29 million), France (20 million), Turkey (20 million), and Russia (10 million).

Leaked phone numbers could be used for any number of reasons, including marketing and phishing, highlighting the importance of a good ID theft protection tool.” And of course new-school security awareness training!

Full article at TechRadar: https://www.techradar.com/news/whatsapp-data-breach-sees-nearly-500-million-user-records-up-for-sale


New Instagram Support Phishing Attack Fakes “Unusual Logon” Experience Well Enough to Fool Victims

Long gone are the days of tacky landing pages that barely impersonate a brand; threat actors are improving their social engineering game well enough to make anyone believe it’s the real thing.

Security researchers at Armorblox provide important details on a new Instagram impersonation scam, parts of which look very credible. According to Armorblox, the scam targeted over 22,000 users at a single large educational institution. The scam started with a realistic-looking email claiming to be from Instagram support:

[Image: impersonated Instagram support email]

Upon clicking “secure your account here”, users are taken to an impersonated Instagram support page where the victim can assert that the “unusual logon” was or wasn’t them.

[Image: Instagram attack landing page]

Lastly, victims are taken to a page to “reset” their password. The only thing on this page of interest to the scammer is the user's “old” (read: current) password, which will be used to log on to the victim's Instagram account and leverage it to trick followers in a subsequent scam.

[Image: Instagram attack landing page, password reset step]

At the end of the day, there’s one part of just about any phishing attack that doesn’t seem to jibe – the email sender’s domain. Because threat actors are often using throwaway domains, the instance of “instagramsupport [dot] net” in the email above – which does align with the branding fairly well – is pretty impressive and unusual.

Corporate users should be taught via Security Awareness Training to be watchful for any unexpected emails and scrutinize the sender’s email address; if it looks wrong, it should be considered suspect and ignored.


A Recent, Complex, Ransomware Campaign

Microsoft has observed a threat actor that’s been running a phishing campaign since August 2022. The threat actor, which Microsoft tracks as “DEV-0569,” is using phishing emails to distribute malicious installers for legitimate applications, including TeamViewer, Microsoft Teams, Adobe Flash Player, Zoom, and AnyDesk. The phishing campaign leads to the installation of ransomware and information-stealing malware.

“Historical observation of [a] typical DEV-0569 attack begins with malicious links delivered to targets via malicious ads, fake forum pages, blog comments, or through phishing emails,” the researchers write. “These links lead to malicious files signed by the attacker using a legitimate certificate. The malicious files, which are malware downloaders known as BATLOADER, pose as installers or updates for legitimate applications like Microsoft Teams or Zoom. When launched, BATLOADER uses MSI Custom Actions to launch malicious PowerShell activity or run batch scripts to aid in disabling security solutions and lead to the delivery of various encrypted malware payloads that are decrypted and launched with PowerShell commands.”
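The BATLOADER behaviour Microsoft describes, an MSI custom action launching PowerShell or a batch script, leaves a process-lineage trace that a defender can hunt for. The following is an added example, not Microsoft's detection logic or any product's rule: it walks a bounded parent chain over process-creation events and reports script interpreters whose ancestor is `msiexec.exe`. The events are constructed (Sysmon-style fields) and the assumption that the collector lower-cases image names is marked in the code.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name; assumed lower-cased by the collector
    cmdline: str


# Constructed process-creation events; not real telemetry. Process 302 shows the
# case where the custom action runs under a child msiexec rather than the parent.
EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "msiexec.exe", 'msiexec.exe /i "C:\\Users\\u\\Downloads\\TeamsSetup.msi"'),
    ProcEvent(201, 200, "powershell.exe", "powershell.exe -NoProfile -File C:\\Windows\\Temp\\a.ps1"),
    ProcEvent(202, 200, "cmd.exe", "cmd.exe /c C:\\Windows\\Temp\\b.bat"),
    ProcEvent(300, 100, "msiexec.exe", 'msiexec.exe /i "C:\\Users\\u\\Downloads\\Other.msi"'),
    ProcEvent(301, 300, "msiexec.exe", "msiexec.exe /V"),
    ProcEvent(302, 301, "powershell.exe", "powershell.exe -w hidden -File C:\\Windows\\Temp\\c.ps1"),
    ProcEvent(400, 100, "powershell.exe", "powershell.exe"),   # user-launched; not flagged
]

INSTALLERS = {"msiexec.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def installer_ancestor(event, by_pid, max_depth=3):
    """Walk up the parent chain (bounded) and return the first installer process, if any."""
    cur = by_pid.get(event.ppid)
    for _ in range(max_depth):
        if cur is None:
            return None
        if cur.image in INSTALLERS:
            return cur
        cur = by_pid.get(cur.ppid)
    return None


def installer_spawned_interpreters(events):
    """Script interpreters that descend from an MSI installer within a few hops."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image not in INTERPRETERS:
            continue
        inst = installer_ancestor(e, by_pid)
        if inst is not None:
            hits.append({
                "child_pid": e.pid,
                "child_cmdline": e.cmdline,
                "installer_pid": inst.pid,
                "installer_cmdline": inst.cmdline,
            })
    return hits


if __name__ == "__main__":
    for h in installer_spawned_interpreters(EVENTS):
        print(f"pid {h['child_pid']} <- msiexec pid {h['installer_pid']}: {h['child_cmdline']}")
```

Legitimate installers also run custom actions, so this is a hunting and enrichment signal rather than a block rule: the installer's command line (download folder, file name) and the signer of the MSI are what turn a hit into a finding.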

In the most recent campaign, the threat actor is using website contact forms, legitimate software depositories, and Google Ads to distribute their links.

“In late October 2022, Microsoft researchers identified a DEV-0569 malvertising campaign leveraging Google Ads that point to the legitimate traffic distribution system (TDS) Keitaro, which provides capabilities to customize advertising campaigns via tracking ad traffic and user- or device-based filtering,” the researchers write. “Microsoft observed that the TDS redirects the user to a legitimate download site, or under certain conditions, to the malicious BATLOADER download site. Microsoft reported this abuse to Google for awareness and consideration for action. Using Keitaro, DEV-0569 can use traffic filtering provided by Keitaro to deliver their payloads to specified IP ranges and targets. This traffic filtering can also aid DEV-0569 in avoiding IP ranges of known security sandboxing solutions.”

New-school security awareness training can teach your employees how to recognize social engineering attacks.


Image-Based Phishing and Phone Scams Continue to Get Past Security Scanners

Using the simplest tactic of not including a single piece of content that can be considered malicious, these types of scams are making their way to inboxes every single time.

What happens if the malicious bit of a phishing scam is nothing more than a phone number – and it's embedded within an image to boot? We've covered these kinds of scams before – particularly those pretending to be Amazon. It's a brilliantly simple technique used to get past security scanners; by not having any known-malicious content (remember, it's just an email with an image in it), it gets through to the user's inbox.

But security company Inky detected a recent example of these attacks impersonating Geek Squad by using optical character recognition (OCR) within the embedded images.

Geek Squad - Image-based Vishing

Because many email clients automatically display attached images, the scam works as intended and requires the victim to call the phone number displayed in the image (there is no link to click, and the sender addresses are often “no-reply” type accounts).

Victims call the number and are socially engineered into giving up their credit card details.

It's a scam that is going to require every email scanning security solution to offer OCR as a means of detection. Until then, users need to play a role in their organization's security – something taught through continual Security Awareness Training – and see the scam for what it is, and ignore it appropriately.
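What an OCR-aware scanner would actually look for can be expressed as a handful of rules. The following is an added example, not Inky's detection logic: it scores a parsed message on the traits the article lists (image attachments, no clickable link, a phone number in the image text, a no-reply sender, an image-only body). The messages are constructed, and the `ocr_text` field stands in for the output of an OCR step (for instance pytesseract run over each attachment), which is assumed and not run here; the phone-number pattern is North American and would need extending for other regions.

```python
import re

# North American phone formats, e.g. 1-800-555-0199 or (800) 555-0199 (assumption; extend per region).
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
LINK = re.compile(r"https?://|<a\s", re.I)
NOREPLY = re.compile(r"^(?:no-?reply|do-?not-?reply)@", re.I)

# Constructed messages. 'ocr_text' is what an OCR step (assumed, not run here) returned for the image.
VISHING = {
    "from": "no-reply@billing-notice.test",
    "subject": "Your Geek Squad protection plan has been renewed",
    "body_text": "",
    "body_html": '<html><body><img src="cid:invoice.png"></body></html>',
    "attachments": [{
        "filename": "invoice.png",
        "content_type": "image/png",
        "ocr_text": "Thank you for renewing. Amount: $399.99\nTo cancel, call 1-800-555-0199 within 24 hours",
    }],
}
BENIGN = {
    "from": "newsletter@shop.test",
    "subject": "Summer sale",
    "body_text": "Our summer sale starts today.",
    "body_html": '<p>Our summer sale starts today. <a href="https://shop.test/sale">See offers</a></p>',
    "attachments": [{"filename": "banner.png", "content_type": "image/png", "ocr_text": "SUMMER SALE 20% OFF"}],
}


def image_vishing_score(msg):
    """Return (score, reasons). Each matched trait adds one point; no images means nothing to score."""
    reasons = []
    images = [a for a in msg["attachments"] if a["content_type"].startswith("image/")]
    if not images:
        return 0, reasons
    body_text = msg.get("body_text", "")
    body_html = msg.get("body_html", "")
    if not LINK.search(body_text + body_html):
        reasons.append("no clickable link: the call to action must be in the image")
    phones = [m.group(0) for a in images for m in PHONE.finditer(a.get("ocr_text", ""))]
    if phones:
        reasons.append("phone number in image text: " + ", ".join(phones))
    if NOREPLY.match(msg["from"]):
        reasons.append("no-reply sender: calling is the only channel offered")
    if not body_text.strip() and not re.sub(r"<[^>]+>|\s", "", body_html):
        reasons.append("image-only body")
    return len(reasons), reasons


def is_image_vishing(msg, threshold=3):
    """Flag when enough of the traits line up; the threshold is a tuning assumption."""
    score, _ = image_vishing_score(msg)
    return score >= threshold


if __name__ == "__main__":
    for name, msg in (("VISHING", VISHING), ("BENIGN", BENIGN)):
        score, reasons = image_vishing_score(msg)
        print(name, score, reasons)
```

The first message hits all four traits; the newsletter has an image and a phone-free banner but also real links and text, so it scores zero. Treating the phone number as an indicator (rather than a link) is the point: it is the only piece of the message that can be matched against a known-bad list.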


MFA Fatigue Attacks

Researchers at Specops Software describe a technique attackers are using to bypass multi-factor authentication (MFA). In an article for BleepingComputer, the researchers explain that attackers repeatedly attempt to log in to an account protected by MFA, which spams the user with MFA requests until the user finally approves the login.

“Cybercriminals increasingly use social engineering attacks to access their targets’ sensitive credentials,” the researchers write. “Social engineering is a manipulative technique used by hackers to exploit human error to gain private information. MFA fatigue is a technique that has gained popularity among hackers in recent years as part of their social engineering attacks. This is a simple yet effective technique with destructive consequences as the hackers are banking on their targets’ lack of training and understanding of attack vectors.”

If the user is unaware of this technique, they may accept the request to make the notifications stop.

“Since many MFA users are unfamiliar with this style of attack, they would not understand that they are approving a fraudulent notification,” the researchers write. “As the MFA notifications appear continuously, a user may get tired and assume it’s an annoying system malfunction; hence accept the notification as they did previously. Unfortunately, this grants the hacker access to the user’s critical infrastructure.”

This technique was used by the Lapsus$ cybercriminal gang to successfully breach Uber in September 2022.

“As these MFA bombing attacks have obvious negative impacts on businesses, companies should ensure that all their critical infrastructures and resources are protected from internal or external threats,” the researchers write. “These attacks can damage a company’s reputation and erode the trust of its customers, leading to a loss of customers and sales volume. Additionally, MFA attacks can disrupt your operations, cause loss of sensitive information and alter your business practices.”
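The pattern the researchers describe, a burst of push prompts followed by a single approval, is visible in the identity provider's logs before the attacker gets very far. The following is an added example, not Specops' or BleepingComputer's code: a sliding-window detector over constructed push-MFA log lines that raises one alert when a user receives more prompts than the threshold within the window, and a second, higher-severity alert if an approval then arrives during that episode. The log format, the ten-minute window and the threshold of five prompts are assumptions to be tuned against real data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in an assumed format:
#   <ISO timestamp> user=<name> event=<push_sent|push_denied|push_timeout|push_approved> src=<ip>
LOG = """\
2022-09-15T21:02:10Z user=alice event=push_sent src=203.0.113.10
2022-09-15T21:02:35Z user=alice event=push_denied src=203.0.113.10
2022-09-15T21:03:05Z user=alice event=push_sent src=203.0.113.10
2022-09-15T21:03:50Z user=alice event=push_timeout src=203.0.113.10
2022-09-15T21:04:00Z user=alice event=push_sent src=203.0.113.10
2022-09-15T21:04:45Z user=alice event=push_timeout src=203.0.113.10
2022-09-15T21:05:12Z user=alice event=push_sent src=203.0.113.10
2022-09-15T21:05:40Z user=alice event=push_denied src=203.0.113.10
2022-09-15T21:06:30Z user=alice event=push_sent src=203.0.113.10
2022-09-15T21:06:55Z user=alice event=push_timeout src=203.0.113.10
2022-09-15T21:07:45Z user=alice event=push_sent src=203.0.113.10
2022-09-15T21:08:30Z user=alice event=push_approved src=203.0.113.10
2022-09-15T08:00:00Z user=bob event=push_sent src=198.51.100.5
2022-09-15T08:00:20Z user=bob event=push_approved src=198.51.100.5
"""

WINDOW = timedelta(minutes=10)   # assumed tuning values
THRESHOLD = 5


def parse(line):
    """Turn one log line into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return alerts for prompt bursts and for approvals that land inside a burst."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # user -> timestamps of prompts inside the window
    in_burst = {}                 # user -> time the burst alert fired
    alerts = []
    for e in events:
        user, ts = e["user"], e["ts"]
        prompts = recent[user]
        if e["event"] == "push_sent":
            prompts.append(ts)
            while prompts and ts - prompts[0] > window:
                prompts.popleft()
            if user in in_burst and ts - in_burst[user] > window:
                del in_burst[user]            # the earlier episode went quiet; allow a new alert
            if len(prompts) >= threshold and user not in in_burst:
                in_burst[user] = ts
                alerts.append({"type": "mfa_fatigue_burst", "user": user, "at": ts,
                               "prompts": len(prompts), "src": e["src"]})
        elif e["event"] == "push_approved":
            if user in in_burst and ts - in_burst[user] <= window:
                alerts.append({"type": "approval_after_burst", "user": user, "at": ts, "src": e["src"]})
            in_burst.pop(user, None)          # an approval ends the episode either way
            prompts.clear()
    return alerts


if __name__ == "__main__":
    for a in detect(LOG):
        print(a["type"], a["user"], a["at"].isoformat(), a.get("prompts", ""))
```

Alice receives her fifth prompt at 21:06:30, which fires the burst alert; her approval two minutes later fires the second alert, the one worth paging on, since it means the attacker now holds a session. Bob's single prompt and approval produce nothing. The same window logic can drive a control as well as an alert: after the burst threshold, the provider can stop sending pushes and require number matching instead.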


Over One-Third of Companies Who Pay the Ransom are Targeted for a Second Time

Despite the somewhat logical notion that once you've paid the ransom, the attack is over, new data shows that paying the ransom doesn't help nearly as much as you might think.

Everyone planning for a ransomware attack has some kind of scenario in mind of how it's going to go. That's all well and fine, even with a solid incident response plan, but it's necessary to look at industry data that spells out the reality for organizations that have actually gone through an attack.

This is what we find in the Cyber Readiness Report 2022 – Ransomware Update from U.K. cyber insurer Hiscox. In it, readers get a glimpse into how ransomware attacks start, whether they paid the ransom, and what happened after they did.

The results are a bit startling.

Only 59% said they successfully recovered all their data
43% had to still rebuild systems, despite having the ransomware recovery key
34% recovered some of their data
15% said the recovery key didn't work at all

But the story doesn't just end there. What about the attack itself? According to the data, it's far from being over:

36% sustained a second ransomware attack
29% had their data leaked
19% were asked for more money by the attacker

And because 62% of Hiscox respondents said phishing emails are the most common method of entry, it's evident that this is one of the weak spots in most organizations, and is where more effort needs to be placed to protect the organization. One of the most effective ways is through continual Security Awareness Training, which educates users on the latest scams and social engineering tactics used in these kinds of attacks.


Phishing Attacks Misuse Microsoft Dynamics 365 Customer Voice Functionality to Hide Malicious Links

Leveraging a legitimate feature of Dynamics 365, threat actors are able to obfuscate the malicious nature of the email within content that naturally requires user interaction.

It's been called the “static expressway” – the use of legitimate sites to bypass security scanners that would, otherwise, spot the malicious nature of the phishing emails. We've seen this before in attacks using PayPal invoices, for example. In this latest attack documented by security analysts at Avanan, threat actors are using a survey feature within Dynamics 365 normally used to gain feedback from customers.

Instead, threat actors are sending bogus voicemails with links to play the voicemails that send victims to credential harvesting logon pages impersonating the Microsoft 365 platform. In some cases, legitimate Customer Voice links are also embedded for additional credibility with security scanners.

[Image: Dynamics 365 Customer Voice phishing email]

Source: Avanan

The challenge here for security solutions is that many of them see a known-good link from a legitimate platform and don't scan it (which, of course, does not help the situation). So you're not going to be able to rely solely on your security solutions to stop these kinds of attacks. Instead, it's up to the recipient user to be vigilant – something taught to those that undergo continual Security Awareness Training – when receiving emails that are unexpected, or look even the slightest bit off or out of place.


FBI director says he’s ‘extremely concerned’ about China’s ability to weaponize TikTok

Suzanne Smalley at Cyberscoop reported: “FBI Director Christopher Wray told Congress on Tuesday he is “extremely concerned” that Beijing could weaponize data collected through TikTok, the wildly popular app owned by the Chinese company ByteDance.

Wray said during a House Homeland Security Committee hearing on worldwide threats that application programming interfaces, or APIs, that ByteDance embeds in TikTok are a national security concern since Beijing could use them to “control data collection of millions of users or control the recommendation algorithm, which can be used for influence operations.”

In his opening remarks, Wray noted that while America faces cyberthreats from a variety of nations, “China's vast hacking program is the world's largest, and they have stolen more of Americans' personal and business data than every other nation combined.”

Wray said the FBI has seen a surge in cybersecurity cases and as the numbers have increased so too has the complexity of the investigations. “We’re investigating over 100 different ransomware variants and each one of those with scores of victims as well as a whole host of other novel threats posed by both cybercriminals and nation-states alike.”

He said that APIs in TikTok could be harnessed by China to control software on millions of devices, meaning the Chinese government could conceivably technically compromise Americans’ personal devices.

Because Chinese companies are forced to “basically do whatever the Chinese government wants to do in terms of sharing information or serving as a tool of the Chinese government … that’s plenty of reason by itself to be extremely concerned” about TikTok and the larger threat posed by Chinese cyber aggression, he said.”

Article continues at CyberScoop.


“Hired Hand” in the Kingdom of Saudi Arabia Uses Domain Spoofing

Sometimes a social engineering campaign has a clear geographical focus, often shaped by language, holidays, or current events. In this case, the scammers are taking opportunistic advantage of a company whose service offerings have a significant share in a locally important Saudi market, and their preferred technique has been domain spoofing.

Researchers have observed the production of a large number of bogus domains that misrepresent themselves as belonging to a well-known employment agency in the Kingdom of Saudi Arabia. Group-IB reports that, “Over the past 16 months, Group-IB analysts analyzed more than 1,000 rogue domains linked to a single Saudi company – a leading manpower agency that offers businesses assistance in hiring employees for the construction and services sector, and individuals can also procure the services of domestic workers through the agency. The latter of these two groups is the target of this scam campaign.”

It’s thus the market for domestic workers that the criminals have been seeking to exploit. It’s a more dispersed, less centralized market, and those engaged in it may have less support and less familiarity with cybercrime than bigger organizations in the construction sector.

“The campaign, which was launched in April 2021, appeared to peak in March 2022,” the researchers say, “when more than 200 new domains spoofing the agency in question were registered with hosting providers. Group-IB analysts believe that the surge in new domains registered in early 2022 could be a sign that a growing number of internet users had fallen victim to this scheme.” Why has the campaign endured as long as it has? It’s been working. “As seen in other examples around the world, scammers often double down on a certain tactic once it starts to generate them money.”

They earn money in a familiar way, by inveigling victims into giving up their banking and other credentials. “The scam campaign, which rests on multiple layers of social engineering, starts with the scammers placing advertisements on social media sites such as Facebook and Twitter, and the Google search engine. Group-IB analysts discovered more than 40 individual advertisements for this scheme on Facebook alone.” Those interested in hiring domestic help are then taken through a plausible application process, in the course of which they enter various bits of personal data, but the hook comes at the end, where they’re asked to pay a small processing fee. This is the stage at which financial credentials are taken. The hook is set, and the phish is reeled in.

Users can protect themselves by developing certain sound habits of awareness, like paying attention to a site's actual URL before they visit it (and, especially, to the sender address of unsolicited messages). Companies can help by remaining alert for signs that their brands are being impersonated. In both cases, new-school security awareness training can help impart the knowledge and skills users and organizations can use to fend off social engineering.
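Both habits above, checking the sender's domain (the “instagramsupport [dot] net” case in the Instagram story) and checking a site's URL against the brand it claims to be (the spoofed agency domains here), come down to the same comparison. The following is an added example, not Group-IB's, Armorblox's or any brand-protection product's code: it extracts the domain from a From header, reduces a host to its registrable domain, and classifies it against a small table of known brand domains as legitimate, brand-embedded (the brand name appears but the registrable domain is someone else's), typosquat (within one edit of the brand after folding common look-alike characters), or unrelated. The brand table, the confusable-character list and the two-label approximation of a registrable domain are assumptions; a production check would use the public suffix list and the organization's own brand inventory.

```python
import re

# Assumed brand inventory: brand keyword -> the registrable domain that legitimately carries it.
BRANDS = {"instagram": "instagram.com", "whatsapp": "whatsapp.com"}

# Assumed confusable substitutions applied before the edit-distance check.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed hosts to classify; none is a real campaign domain.
SAMPLES = [
    "mail.instagram.com",
    "instagramsupport.net",
    "instagrarn.com",
    "lnstagram.com",
    "instagram.com.account-verify.test",
    "whatsapp-security-alert.test",
    "example.org",
]


def sender_domain(from_header: str) -> str:
    """Domain part of a From header such as 'Instagram Support <support@instagramsupport.net>'."""
    m = re.search(r"@([^>\s]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else ""


def registrable(host: str) -> str:
    """Last two labels; an approximation (assumption) of the registrable domain."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def normalize(label: str) -> str:
    """Fold characters commonly swapped for look-alikes so 'instagrarn' reads as 'instagram'."""
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a rolling single row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str, brands=BRANDS):
    """Return (category, brand) for one host name."""
    host = host.lower().rstrip(".")
    reg = registrable(host)
    label = reg.split(".")[0]
    for brand, legit in brands.items():
        if reg == legit:
            return "legitimate", brand
    for brand, legit in brands.items():
        if brand in host:                       # brand name present, but on someone else's domain
            return "brand_embedded", brand
    for brand in brands:
        if edit_distance(normalize(label), brand) <= 1:
            return "typosquat", brand
    return "unrelated", None


def classify_all(hosts):
    """Map each host to its category."""
    return {h: classify(h)[0] for h in hosts}


if __name__ == "__main__":
    for host, cat in classify_all(SAMPLES).items():
        print(f"{cat:15} {host}")
    print(classify(sender_domain("Instagram Support <support@instagramsupport.net>")))
```

The brand-embedded case is the one the Instagram story calls “impressive”: the name matches the branding, so a reader who only looks for the brand word is satisfied, while the registrable domain is the only part that actually identifies the owner. The same routine serves the company side of the advice, run daily over newly registered domains or certificate-transparency logs filtered to the organization's own brand keywords.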
