Wanting to Stream the Italian Grand Prix This Weekend? It Might Be a Scam.

With so many fans worldwide wanting to watch the race online, cybercriminals have stepped up to meet the demand with fraudulent websites intent on stealing credit card details.

So you want to catch some or all of the Formula One race this weekend and do a search on the web for “Italian Grand Prix Streaming”. U.S. residents can find it on NBC’s sports website, while others can find plenty of articles talking about websites streaming for free.

But be careful!

Security vendor Kaspersky analyzed a number of sites claiming to offer “free” streaming, only for visitors to be asked to pay a small fee of $1 USD. While that seems inexpensive enough, it’s not the $1 the site owners want… it’s your credit card details. In other instances, phishing websites are set up to steal online credentials.

No matter the particular scam, cybercriminals are keen to take advantage of any heightened sense of need (in this case, to watch something you can’t easily do for free) as the hook for providing scammers with valuable details they can use or sell.

These kinds of scams generally target individuals rather than corporations, but it’s just as easy for cybercriminals to target those wanting to watch a sporting event that occurs during business hours. And, instead of stealing credit card data, they can use a simple “install our streaming viewer app” lure that turns out to be malware.

Keep your employees vigilant against such scams – whether they are at home or work – through continual Security Awareness Training, educating them on current scams, methods, techniques, and themes so phishing attacks that occur via email or the web can be easily spotted before it’s too late.


A Look at Phishing Keywords

Researchers at Expel offer a useful list of the top keywords used in phishing emails. First on the list is the word “invoice,” which is a general term that will be relevant to most organizations.

“Generic business terminology doesn’t immediately stand out as suspicious and maximizes relevance to the most potential recipients by blending in with legitimate emails, which presents challenges for security technology,” the researchers write. “Most people are also inclined to respond promptly to communications from co-workers, vendors or clients if they believe action is required, like returning an invoice.”

The word “new” is another potential red flag, since it will grab a user’s attention.

“‘New’ is commonly used in legitimate communications and notifications, and aims to raise the recipient’s interest,” Expel says. “People are drawn to new things in their inbox, wanting to make sure they don’t miss something important.”

Another common word used in phishing emails is “required,” which preys on a user’s sense of urgency.

“Keywords that promote action or a sense of urgency are favorites among attackers because they prompt people to click without taking as much time to think,” the researchers write. “‘Required’ also targets employees’ sense of responsibility to urge them to quickly take action.”

Expel notes that multifactor authentication (MFA) is an extremely important layer of defense against phishing attacks. While MFA isn’t foolproof, it makes it much more difficult for an attacker to breach an account even if they have the account’s credentials. The researchers add that employee education is another important layer of defense.

“Another important thing orgs can do to prevent successful phishing campaigns is to develop comprehensive phishing education programs,” Expel says. “Orgs should stay up-to-date on the latest phishing trends to update their policies and educate employees when new tactics are at play. Beyond training sessions, regularly test employees with mock phishing emails (and provide feedback on what in the email was suspicious) so they continue to learn, hone their detection skills, and know how to report suspicious emails in their inbox.”

New-school security awareness training can teach your employees to follow security best practices and enable them to recognize red flags associated with social engineering attacks.


The Number of Daily Ransomware Attacks Increases Nearly 1000% in 2021

New analysis of cyberattack data by security vendor Fortinet sheds light on not only how much ransomware is really being experienced, but who’s being attacked the most.

Just when I think I’ve seen it all, yet another stat from a new report shocks me. This time it comes from Fortinet’s FortiGuard Labs 1H 2021 Global Threat Landscape Report and revolves around the currently-observed state of ransomware. According to the report, ransomware is increasingly being felt by more and more organizations:

  • The weekly average number of ransomware attacks detected in June of 2021 was over 149,000. A year prior, it was only 14,000 – an increase of 966%
  • Over one-third of businesses in the Automotive, MSSP, Government, and Telecommunications industries, and one-quarter of businesses in nearly all other sectors, experienced ransomware attacks
  • The report noted that “the key takeaway is that ransomware is a clear and present danger regardless of industry or size.”

This data not only corroborates previously observed increases this year in the number of ransomware attacks, but helps to substantiate the kinds of organizations (the Fortinet report lists over 20 industry verticals) that are consistently being targeted and – therefore – should be proactively putting protective measures in place.

This should include Security Awareness Training to enable users to stop email-based attacks that successfully make it past a layered set of security solutions designed to stop phishing, social engineering, and malware in its tracks.


Email-Based Cyberattacks Double Between January and June

Over 2.9 billion email-based threats were detected in the first half of 2021. Business Email Compromise, obfuscation, and living off the land reigned, according to new data from Zix.

We’ve seen massive spikes before in the number of ransomware and other cyberattacks – usually when comparing a previous year to the current one. But rarely do we see a significant increase within just six months. According to the Global Threat Report: Mid-Year 2021 from Zix and AppRiver, that’s exactly the case, with about 300,000 attacks in January of this year and over 600,000 in June.

The report provides several examples of attack trends observed by security researchers at Zix, including:

  • Increased use of obfuscation to evade security solutions, such as Captcha gates and creatively encoded malicious attachments
  • The targeting of those looking for new jobs as workers return to the workplace
  • Living off the land using cloud resources, with Google APIs leading the way
  • Lots of Business Email Compromise
  • Use of many forms of banking trojans to steal banking and browser data

While most of the attack examples have equivalents here on our blog, this report does bring to light the increases in attack numbers and creativity you should expect to continue. The obfuscation is a particular focus for threat actors working to avoid detection by security solutions. Should they be successful, the last layer of defense is a well-prepared and vigilant user who, through continual Security Awareness Training, is always on the lookout for suspicious email content that may be the launching point for the next cyberattack.


Large Phishing Campaign Abuses Open Redirects

Researchers at Microsoft have observed a widespread phishing campaign that’s abusing open redirectors to fool users into visiting credential-harvesting pages. Open redirects are often used for legitimate purposes, such as tracking click rates. However, they can also be abused to disguise a link to a phishing page.

“The use of open redirects in email communications is common among organizations for various reasons,” the researchers write. “For example, sales and marketing campaigns use this feature to lead customers to a desired landing web page and track click rates and other metrics. However, attackers could abuse open redirects to link to a URL in a trusted domain and embed the eventual final malicious URL as a parameter. Such abuse may prevent users and security solutions from quickly recognizing possible malicious intent.”

Microsoft explains that this tactic can fool both users and technology, since the URL itself appears legitimate.

“[U]sers trained to hover on links and inspect for malicious artifacts in emails may still see a domain they trust and thus click it,” Microsoft says. “Likewise, traditional email gateway solutions may inadvertently allow emails from this campaign to pass through because their settings have been trained to recognize the primary URL without necessarily checking the malicious parameters hiding in plain sight.”
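The gateway weakness Microsoft describes is that the visible, trusted domain is checked while the destination smuggled into a query parameter is not. The following link-triage routine, added here as an example and not code from Microsoft or the campaign research, parses each parameter value as a URL and flags links whose embedded destination belongs to a different registrable domain than the trusted outer host. The sample links and hostnames are constructed placeholders, not indicators from the campaign.

```python
"""Flag links whose query string carries a redirect to a different domain.

Added example, not code from the Microsoft research described above. The
sample links below are constructed for illustration; the hostnames are
placeholders (example.com / example.org), not real campaign indicators.
"""
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample links: a plain trusted link, a same-organisation
# redirect, and two redirects whose parameter carries an external destination
# (one percent-encoded, one in the clear).
SAMPLE_LINKS = [
    "https://portal.example.com/docs/report.pdf",
    "https://portal.example.com/go?next=https%3A%2F%2Fportal.example.com%2Faccount",
    "https://portal.example.com/redirect?url=https%3A%2F%2Flogin.example.org%2Fverify",
    "https://click.example.com/track?u=https://accounts.example.net/login&id=42",
]


def _registrable_domain(host):
    """Crude 'same organisation' check: compare the last two labels.
    Good enough for the example; production code should use the Public
    Suffix List so hosts like something.co.uk are handled correctly."""
    labels = host.lower().split(":")[0].split(".")
    return ".".join(labels[-2:])


def embedded_urls(link):
    """Return every query-parameter value that itself parses as an http(s) URL."""
    found = []
    params = parse_qs(urlparse(link).query, keep_blank_values=True)
    for values in params.values():
        for value in values:
            # parse_qs already decoded once; decode again to catch double encoding.
            decoded = unquote(value)
            inner = urlparse(decoded)
            if inner.scheme in ("http", "https") and inner.netloc:
                found.append(decoded)
    return found


def check_link(link):
    """Classify a link as 'clean', 'internal-redirect', or 'suspicious'."""
    outer_domain = _registrable_domain(urlparse(link).netloc)
    targets = embedded_urls(link)
    if not targets:
        return "clean"
    for target in targets:
        if _registrable_domain(urlparse(target).netloc) != outer_domain:
            return "suspicious"
    return "internal-redirect"


def triage(links):
    """Map each link to its verdict; the caller decides what to quarantine or rewrite."""
    return {link: check_link(link) for link in links}


if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:18} {link}")
```

A gateway that applies this check to every hyperlink in a message, rather than only to the outer host, would catch the pattern in the campaign regardless of which trusted domain the redirector lives on.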

The researchers also note that this campaign makes use of hundreds of unique domains.

“This phishing campaign is also notable for its use of a wide variety of domains for its sender infrastructure—another attempt to evade detection,” the researchers write. “These include free email domains from numerous country code top-level domains (ccTLDs), compromised legitimate domains, and attacker-owned domain generated algorithm (DGA) domains. As of this writing, we have observed at least 350 unique phishing domains used for this campaign. This not only shows the scale with which this attack is being conducted, but it also demonstrates how much the attackers are investing in it, indicating potentially significant payoffs.”

New-school security awareness training can enable your employees to recognize red flags associated with social engineering attacks.


Cryptominers are Tricked out of Cryptocurrency Using Phishing Scams Involving the Purchase of Mining Equipment

The leveraging of Google Docs, a spoofed website, a realistic-feeling buying process, and asking for payment in cryptocurrency is all it takes to separate victims from thousands of dollars.

Despite news stories about phishing attacks that hijack computer processing time for cryptomining, there are legitimate businesses out there that mine cryptocurrency to make money. It’s a simple business really: purchase the needed hardware and use it to mine a specific cryptocurrency that yields a positive return.

The one piece of hardware that’s most needed is the high-end video card; its internal processor performs the calculations that represent the actual “mining”. Cryptomining is so widespread as a money-making operation that such video cards are hard to come by, driving up prices and shrinking available inventory.

Security researchers at Kaspersky have identified a new scam that targets those involved with cryptomining. Using Google Docs to tag and notify a potential victim, scammers impersonate a legitimate mining hardware vendor, Bitmain.

[Image: Bitmain’s website (left) and the impersonated site (right). Source: Kaspersky]

This scam uses a well-built and functional spoofed website made to look like the real Bitmain site – including shopping cart, checkout process, etc. Because of the convincing nature of the site, scammers trick victims into purchasing hardware that doesn’t exist (and, in real life, isn’t available anywhere due to demand). The kicker to the transaction is that victims are only able to pay for the fake hardware using cryptocurrency, with the cybercriminals providing cryptowallet details and a warning that the transaction must be completed within two hours or it will be cancelled.

Once the transaction is complete, the digital currency is gone, the user’s “account” on the faux Bitmain page is deactivated, and the scam is complete.


Cybercriminals Can Post Jobs on LinkedIn Posing as Any Employer They Want

Lax verification around what company is offering a given job on LinkedIn allows attackers to create bogus job postings for malicious purposes.

It appears that, even though LinkedIn is a known medium for cybercriminals to connect with victims, a threat actor can today pose as part of a legitimate company when posting a job.

Scams using job postings are one of the most powerful social engineering tactics in use today. They start from a well-established site like LinkedIn, set email-based phishing aside completely, and pair that with the candidate’s desire to follow whatever process is necessary to get that cool job at that great company with the awesome pay. It adds up to a perfect cyber-storm.

I wrote about such attacks back in 2019, where a developer at a bank was looking for a new job and was tricked into installing a RAT under the premise it was a program designed to allow him to fill out an application. It appears that LinkedIn still has no means for verifying that the poster is from the company they say they are.

According to Bleeping Computer, security researchers were recently able to walk through the posting process without needing to validate the company they purported to work for. This is a huge advantage for the threat actor. Think about it – if I want to target a specific industry or company, post a dev job as a competing company in that same sector. Simple, elegant, and likely effective social engineering – all thanks to LinkedIn.

This kind of attack is one of the slickest as the victim feels completely like they are initiating the connection (as opposed to a phishing email that shows up in your Inbox) and is emotionally invested in following the process through to completion.

Falling for social engineering is one of the main reasons organizations need their users to enroll in continual Security Awareness Training – it’s not just within email that social engineering tactics are found; and this latest finding on LinkedIn affirms that notion.


U.K. Organizations See Double the Number of Ransomware Attacks in the First Half of 2021

New analysis of ransomware incidents reported to the UK’s Information Commissioner’s Office (ICO) in the first half of 2021 shows a massive rise when compared to 2020.

Utilizing incident data reported to the ICO, British cyber security organization CybSafe has determined that 22% of all cyber incidents in the first six months of 2021 were attributed to ransomware attacks. This is double the 11% found in the first half of 2020.

This doubling of the number of reported attacks is troubling, but not surprising, as 35% of all U.K. businesses experienced ransomware attacks (with the global average being 37%), according to Sophos’ State of Ransomware 2021 report. Additionally, 63% of U.K. businesses affected by ransomware reported that their organization’s brand was negatively impacted, according to Cybereason’s Ransomware: The True Cost To Business report, making ransomware a legitimate threat to business longevity in the U.K.

CybSafe’s analysis found that phishing was the primary cause of all cyber breaches reported to the ICO in the first half of this year, making up 40% of all successful attacks. Phishing continues to be a thorn in cybersecurity’s side, with some percentage of attacks finding their way past security solutions and into the Inbox where an unsuspecting user is fooled into clicking on malicious links and attachments.

It’s only through continual Security Awareness Training that users will elevate their state of vigilance, always being on the lookout for malicious content and reducing whatever threat surface remains by the time an attack reaches the Inbox.


A Look at a Ransomware Affiliate

The US Federal Bureau of Investigation (FBI) has issued an advisory describing a ransomware affiliate that calls itself “OnePercent Group,” the Record reports. The Record notes that the OnePercent Group is an affiliate of the REvil, Maze, and Egregor ransomware gangs. The threat actor gains initial access via phishing emails.

“OnePercent Group actors gain unauthorized access to victim networks through phishing emails with a malicious zip file attachment,” the FBI says. “The zip file includes a Microsoft Word or Excel document that contains malicious macros that allow the actors to subsequently infect the victim’s system with the banking Trojan IcedID. The actors use IcedID to install and execute the software Cobalt Strike on the victim’s network to move laterally to other systems within the environment through PowerShell remoting. The actors use rclone for data exfiltration from the victim’s network. The actors have been observed within the victim’s network for approximately one month prior to deployment of the ransomware.”

The FBI says the gang exfiltrates the victim’s data before encrypting it, then holds the stolen data for ransom.

“Once the ransomware is successfully deployed, the victim will start to receive phone calls through spoofed phone numbers with ransom demands and are provided a ProtonMail email address for further communication,” the Bureau says. “The actors will persistently demand to speak with a victim company’s designated negotiator or otherwise threaten to publish the stolen data. When a victim company does not respond, the actors send subsequent threats to publish the victim company’s stolen data via the same ProtonMail email address.”

The Bureau offers the following technical controls for organizations, but unfortunately forgot one of the most important ones when bad actors come in with phishing attacks: train those users with frequent simulated phishing attacks.

  • Back-up critical data offline.
  • Ensure administrators are not using ‘Admin Approval’ mode.
  • Implement Microsoft LAPS, if possible.
  • Ensure copies of critical data are in the cloud or on an external hard drive or storage device. This information should not be accessible from the compromised network.
  • Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the original data resides.
  • Keep computers, devices, and applications patched and up-to-date.
  • Consider adding an email banner to emails received from outside your organization.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Implement network segmentation.
  • Use multi-factor authentication with strong passphrases.

New-school security awareness training can give your organization an essential layer of defense by teaching your employees to recognize phishing and other social engineering attacks.


Nigerian Threat Actors Solicit Victim Organization Employees to Deploy Demon Ransomware

Using employees as insider accomplices potentially changes how social engineering is applied: instead of deceiving the target, the attacker makes a direct request for internal assistance in exchange for payment.

Security researchers at Abnormal Security have identified a recent set of emails soliciting employees of a would-be victim organization to participate in helping the threat actors by installing DemonWare/Black Kingdom ransomware within the organization.

The emails are simple in nature and contain no malicious links or attachments – something the threat actors hope will allow their request to get past security solutions.

[Image: the initial DemonWare solicitation email. Source: Abnormal Security]

The researchers at Abnormal Security decided to engage the threat actors to better understand how the infection would take place. A link to an executable file was provided via the file sharing sites WeTransfer or Mega.nz. It’s also interesting to note that the $1M purse offered in the initial email was dropped (during Abnormal Security’s engagement with the threat actor) to an offer of only $120K.

What’s most interesting is that Abnormal Security was able to get the threat actor to tell them his source of contacts: CEO and CFO emails from LinkedIn. So, even this lone threat actor is doing proper diligence using whatever means they can to target individuals within an organization.

While it’s evident this type of attack doesn’t fall within the realm of phishing, it could have gone awry in more ways than one. In this specific instance, the attacker legitimately wanted the insider to do all the work. But it’s also conceivable that social engineering could have been used to compromise credentials along the way. So it’s still important to include Security Awareness Training of even your highest C-level executives to ensure they don’t fall prey to scams.
