Data Breaches Are Expected to Decline While Ransomware and BEC Gain Steam

A new report from the Identity Theft Research Center discusses which cybersecurity attacks will be most impactful next year as part of the ITRC’s 2021 predictions.

It’s a pivotal moment when an organization primarily focused on helping individuals with identity theft bothers to say that cybercriminals are less focused on making the consumer a victim and more interested in attacking organizations. When they say it, you should be listening.

And that’s exactly what was reported in this year’s ITRC 2021 predictions. According to the ITRC, cybercriminals are generating more revenue through ransomware attacks and business email compromise (BEC) via phishing schemes than they are via individual consumer scams or consumer behavior.

According to the report:

“Cybercriminals are focusing on cyberattacks that require logins and passwords to get access to corporate networks for ransomware or Business Email Compromise (BEC) scams. These attacks require less effort, are largely automated, the risk of getting caught is less, and the payouts are much higher than taking over an individual’s account. The average ransomware payouts for all businesses have grown from less than $10,000 in Q3 2018 to more than $178,000 per event by the end of Q2 2020. Large enterprises are making average ransomware payments of over $1 million. BEC scams cost businesses more than $1.8 billion in 2019.”

And because a consumer-focused organization is saying this, it’s even more imperative that you take note and do something about it. The use of phishing is a constant in both BEC and ransomware scams. Teaching users not to engage with such malicious content via Security Awareness Training is a critical part of a strong security defense that stops attacks before they gain a foothold within your organization.

Zoom Phishing is Still Rampant

Cybercriminals are still using Zoom and other conferencing platforms as phishbait, according to Zlati Meyer at Fast Company. This phishing theme isn’t likely to let up any time soon, so employees need to know how to recognize these scams.

“The bait is decorated with the Zoom logo and sent via text, email, or social media message to say that your account has been suspended (but can be reactivated by clicking on the attached link), that you missed a meeting (but can click on the link to find out the details and schedule), or that Zoom is welcoming you (but you need to click on the link to activate your account), according to the Better Business Bureau,” Meyer writes. “Of course, the link does none of those things and instead downloads malware to your computer or mobile device or takes you to a login page where you need to enter your login and password, which lets the thieves gain access to other accounts with similar combinations.”

Edgar Dworsky, founder of Consumer World, told Fast Company that this trend isn’t surprising, since scammers always capitalize on what’s popular at the moment.

“For people who are in this business of doing phishing schemes, it becomes the scam du jour,” Dworsky said. “What’s popular now? How can I capitalize on something that’s in people’s minds, that they use? The timeliness and popularity is something they look for.”

Dworsky added that scammers exploit the fact that Zoom notifications are something employees have to pay attention to for their jobs.

“They create a sense of urgency, because they know you have some upcoming meeting and need to fix this,” Dworsky said. “With any one of these phishing scams, you have to look before you click. The relevance lends credence to the fact that that’s legit.”

New-school security awareness training with realistic, up-to-date phishing simulations can help your employees recognize social engineering tactics.

85% Of Employees are More Likely to Leak Files Now Than Pre-Coronavirus

According to research released Thursday by Code42, 85% of employees are more likely to leak files today than before the COVID-19 pandemic.

“By malicious insiders we are not talking about terrible people who are criminals,” said Joe Payne, Code42’s President and CEO. “More often than not it’s the coder who wrote some software and takes it to the next job, or a person who takes a customer list. On the careless side, people are using DropBox for their kids’ soccer team and then they decide to use it for their sales team, but the tool is not approved by corporate IT.”

This study clearly shows that companies are continuing to struggle with insider risk during this time, especially as employees continue to work remotely. The new findings are alarming, including:

  • 76% of IT security leaders say that their organizations have experienced one or more data breaches since work-from-home started
  • 59% say insider threats will increase in the next two years caused by users having access to files they shouldn’t, employees preferring to work the way they want regardless of security protocols, and the continuation of remote work
  • 54% of organizations still don’t have a formal insider risk response plan
  • 40% of companies don’t assess how effectively their technologies mitigate insider threats

With remote work continuing, it’s important to ensure your end users are properly educated about the latest attacks. New-school security awareness training can assist in securing the human layer of defense for your organization.

Just How Far Can Three Cybercriminals Reach? How about 150 Countries!

With three members of the cybercriminal group TMT recently arrested, details from a year-long Interpol investigation reveal the breadth and depth of their attacks.

The cybercriminal group known as TMT is responsible for attacks on nearly half a million government and private-sector organizations, according to Group-IB. Last month, Interpol’s year-long investigation, known as “Operation Falcon,” resulted in the arrests of three Nigerian individuals.

According to reports, TMT’s cyberattacks have involved malware distribution, phishing, and extensive BEC fraud. While most of their phishing scams were sent via web-based mailing platforms, it was noted that compromised email accounts were also used to send phishing messages – one of the key elements in establishing credibility within BEC scams.

The group utilized over 26 different pieces of malware, spyware and remote access tools. TMT used them to infiltrate and monitor the systems and applications of victim organizations to gather intel, then launched scams and siphoned funds.

Dubbed a “well-established criminal business model” by Interpol, TMT represents both what is possible for cybercriminal groups and what already exists today.

TMT relied heavily on phishing and spear phishing attacks as the initial attack vector, putting your user directly in the crosshairs. It’s imperative that your users undergo Security Awareness Training as a means of reducing the attack surface by having a vigilant user at the keyboard. TMT continues to operate, as these three are just the first to be arrested. Realizing the effectiveness of such organizations should be reason enough to get started on improving your security stance.

Updates on Vishing

Voicemail scams are on the rise, according to Paul Ducklin at Naked Security. These scams are a form of voice phishing (“vishing”) in which scammers churn out automated phone calls and leave pre-recorded messages when the calls go to voicemail. Like Nigerian prince email scams, this tactic allows scammers to weed out the people who are savvy enough to recognize the scam immediately.

“The theory behind recognising and reacting to voicemail prompts is obvious: many people understandably refuse to answer calls from numbers they don’t know, and program them to go through to voicemail automatically,” Ducklin explains. “By leaving automated messages in the same way that many legitimate companies do, such as taxi-booking firms, the criminals avoid having to get involved personally at the start. This not only saves the crooks time, but also – by asking you to make a voicemail choice such as pressing ‘1’ or staying on the line – pre-selects those people who haven’t figured out right away that it’s a scam.”

Fortunately, most of these scams are easy to recognize once you know what they look like. Ducklin concludes with advice on how to avoid falling victim to scams:

“Don’t try. Don’t buy. Don’t reply. Memorise this easily-remembered saying that the Australian cybersecurity industry came up with many years ago. It’s a neat way of reminding yourself how to deal with spammers and online charlatans.

“Don’t let yourself get sucked or seduced into talking to the scammers at all. We advise against what’s called ‘scambaiting’ – the pastime of deliberately leading scammers on, especially over the phone, in the hope that it might be amusing to see who’s at the other end. You’re talking to a crook, so the best thing that can happen to you is nothing.

“Contact companies you know using information you already have. If you are worried about a fraudulent transaction, login to your account yourself, or call the company’s helpline yourself.

“Never rely on information provided inside an email, or read out to you in a call. Don’t return a call to a number given by the caller. If it’s a scammer, you will not only end up talking to them, but also confirm any guesses (e.g. ‘you applied for a loan’ or ‘it’s about your Amazon account’) that the scammer made in the initial contact.”

New-school security awareness training can help your employees recognize social engineering tactics and follow security best practices.

They’re Here! COVID-19 Vaccine Phishes Finally Arrive

Anticipating that media attention surrounding the development and distribution of COVID-19 vaccines would undoubtedly spur malicious actors to launch new vaccine-themed phishing campaigns, we recently announced the release of eight new simulated phishing templates for the KMSAT security awareness training platform. Now, just two weeks after that announcement (and on the very day that the UK launched its own mass vaccination program), the first real vaccine-themed phishing emails have arrived. Let’s take a look.

The first one reported to us by customers using the Phish Alert Button (PAB) uses the very kind of social engineering scheme that we anticipated:

[Image: vaccine-personal-1a]

This email appears to be trying to exploit a very recent report in The Washington Post that Pfizer may not be able to supply additional doses of its vaccine to the United States in large volumes until sometime in Q2. Predictably enough, the link in the email body takes unwitting clickers to a credentials phish:

[Image: vaccine-personal-1b]

To be sure, the language used in the body of that malicious email is a bit stilted — definitely not the effortlessly clear prose one would expect in a professionally written email of this type. But it will do.

As it turns out, this particular phish compares quite well with one of the eight simulated phishing templates we introduced two weeks ago:

[Image: template_ReserveYourVaccine-1]

The social engineering scheme in both emails exploits some of the basic questions and concerns that users and employees will have about the several vaccines currently on the cusp of widespread distribution:

1. How soon will a vaccine be available?
2. Will it be safe?
3. How can I get it?
4. When can I get it?
5. How much will it cost?
6. Should I get it?

Put very simply, this is pretty much what we expected.

Conclusion

Malicious actors had a field day back in March and April as the Coronavirus washed over countries around the world. It was and still is the perfect tool for social engineering scared, confused, and even downright paranoid end users into opening the door to your organization’s network.

Nine months later, as an entirely predictable round of vaccine-themed phishing emails begins to land in your employees’ inboxes, it is high time to get your users up to speed by stepping them through New-school Security Awareness Training and testing them with the vaccine-themed simulated phishing templates already available in KMSAT.

Why Are You Being Phished?

People often wonder why they are being phished. Why did a hacker target them in the first place? What does their organization have that made some hacker decide they were noteworthy enough to be targeted?

Targeted vs. Random

Most organizations are hit by phishing randomly, without special targeting. The sender had the recipient’s email address, usually from buying or downloading a large bulk list of email addresses, or because the address was scraped from some other hapless victim who was previously compromised. The hacker and his or her phishing scam didn’t pick out a particular victim. They obtained tens of millions or even hundreds of millions of potential victims’ email addresses and sent to all of them at the same time and/or over several phishing campaigns. Email addresses from your organization just happened to be on the list. That is how the vast majority of phishing emails end up in an inbox.

The opposite possibility is that your organization was deliberately targeted by a hacker. For any of a variety of reasons, a hacker decided your company was worth targeting, be it money, intellectual property, a nation-state objective, or some other justification. Targeted spear phishing attacks are far less common, but harder to defend against.

Random Phishing Attacks

Actually, there is a third, very common, hybrid answer that blends the two main methods. Increasingly, random phishing attacks drop malware which breaks into an organization’s computers and then notifies the hacker of its successful breach. Usually, the initial exploit is accomplished by a malware program designed primarily to get a foothold onto a system or network. It then immediately “dials home” to its “command & control” (C&C) servers, to download the latest, updated, currently undetectable-by-antivirus version of itself. It then downloads and follows any commands left waiting for it by the hacker, if any. The instructions could include telling it to steal data, initiate a ransomware payload, get involved as part of a bigger distributed denial of service (DDoS) attack, or simply to wait.

The initial instructions will often tell the malware to search for all the available passwords and login credentials that can be found on the involved system and upload them to the hacker. Then it will go into a pseudo-hibernating mode and wait for the hacker to send further instructions. They will also get the new IP addresses or domain names for their always moving C&C servers to ensure that one or a few C&C shutdowns by the AV vendors and authorities don’t interrupt their operations.

Many malware programs are inside of systems and networks for up to a year without being detected. They do this by constantly updating to make sure they have the latest versions and remain undetectable by most antivirus programs. Its creator or code will often check Google’s VirusTotal, which runs 70-plus antivirus engines. It’s a good place for hackers to check to see which malware detectors are starting to recognize their programs. If they see AV detection starting to happen, they will re-encrypt or re-obfuscate their malware programs to make the modified malware programs newly “invisible” to the current AV signatures.

It’s very common for hackers today to check their online admin consoles, to which each and every malware bot reports (via the C&C servers). The admin consoles, which reside on yet another C&C server, contain a lot of useful information, including total number of successful infections, country locations, which operating systems and browsers were involved, and the exploited IP addresses and/or domain names. If hackers have the time and desire, they can look over the list of reported domain names. And if they see one that catches their eye for some reason, they can remotely access the compromised device and take a look around. They might find some interesting data to steal or lurk around reading C-level emails to see what they can encrypt or steal to get the most leverage or revenue. At any time in this world, there are likely dozens to hundreds of malware gangs controlling hundreds of thousands to millions of compromised nodes, with the power to do whatever they want whenever they want; limited only by the capability of the software and hardware. It’s a hacker’s dream these days.
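The dial-home behaviour described above is what gives a defender a chance to spot a hybrid infection before the hacker ever reads the admin console: an implant that checks in with its C&C server on a timer produces connections far more regular than any human’s browsing. The following is an added example, not code from the article or from any product it mentions, that runs a simple beaconing check over a few constructed proxy log lines (the host names, timestamps and the `min_hits`/`max_cv` thresholds are all invented for the example):

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: "<ISO-8601 timestamp> <source host> <destination host>".
# Host names are placeholders invented for this example; ws-017's five-minute
# rhythm to one destination is the pattern a dial-home implant produces.
SAMPLE_LOG = """\
2020-12-08T09:00:02Z ws-017 cdn-update.example
2020-12-08T09:00:14Z ws-017 mail.example
2020-12-08T09:05:03Z ws-017 cdn-update.example
2020-12-08T09:10:01Z ws-017 cdn-update.example
2020-12-08T09:11:40Z ws-017 news.example
2020-12-08T09:15:02Z ws-017 cdn-update.example
2020-12-08T09:20:04Z ws-017 cdn-update.example
2020-12-08T09:25:01Z ws-017 cdn-update.example
2020-12-08T09:03:11Z ws-022 mail.example
2020-12-08T09:31:45Z ws-022 mail.example
2020-12-08T10:02:09Z ws-022 mail.example
2020-12-08T11:47:30Z ws-022 mail.example
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Group connection timestamps by (source, destination); malformed lines are skipped."""
    conns = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, src, dst = m.groups()
        conns[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return conns


def find_beacons(text, min_hits=4, max_cv=0.1):
    """Return (source, destination) pairs whose connection gaps are too regular to be human.

    cv is the coefficient of variation (std dev / mean) of the gaps between
    successive connections: browsing is bursty (high cv), while a scheduled
    check-in is clock-like (cv near zero). Both thresholds are tuning
    assumptions for this example, not values from the article.
    """
    findings = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < max(min_hits, 2):
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "hits": len(stamps),
                             "mean_interval": round(avg, 1), "cv": round(cv, 4)})
    return sorted(findings, key=lambda f: (f["src"], f["dst"]))


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['hits']} hits every ~{f['mean_interval']}s (cv={f['cv']})")
```

In the sample, ws-017’s connections to `cdn-update.example` land every five minutes with only a few seconds of drift and are flagged, while ws-022’s irregular mail traffic is not. Because the article notes that C&C servers are always moving, a production version should group on the resolved IP or on newly seen domains as well as on the host name, and should expect implants that add random jitter to defeat exactly this kind of check.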

Defending Against Cyber Attacks

Targeted attacks are very hard to stop, especially if the human adversary has nearly unlimited time and resources, like a well-funded hacker gang or nation-state. It is rare that an organization will withstand a sustained, focused effort. However, random and hybrid attacks are many thousands of times more common than targeted attacks and can be more easily defended against.

Here’s the possible surprise. All types of attacks, targeted or random, can be defended against in the exact same way. It really doesn’t take any extraordinary defenses. No special gizmos or super expensive solutions are needed. Simply patching Internet-accessible software better and fighting social engineering better is 90% to 99% of the battle.

Significantly better mitigation of those two attack methods will put down most attacks – targeted or otherwise. It just has to be done consistently and accurately. It requires understanding that these two attack methods are used far more often than any other, and then focusing on them as the defender. The reason most organizations get compromised is that they attempted to do too many things at once and lost focus on the two things that matter most. Hackers love it when defenders get distracted.

From a purely defensive point of view, it really doesn’t matter why your organization was targeted by a phishing campaign. It matters in other respects, especially if the attack succeeds, but you implement the exact same preventative, detective, and response controls either way.

If you want to learn about everything you can do to prevent social engineering and phishing from being successful (including policies, technical defenses, and education), you can watch the On-Demand Webinar: Your Ultimate Guide to Phishing Mitigation.

New “Back to Work” HR-Themed Phishing Scam Works to Steal Internal User Credentials

Using a fake internal memo from HR, per-user custom-named email attachments, SharePoint Online, and a realistic-looking HR form, this phishing attack has all the ingredients to trick your users.

This far into the pandemic, there are groups of users within your organization begging to come back to the office, as well as those that never want to set foot in the office again. This emotional attachment to either sentiment is the basis for this newest scam, documented by security researchers at Abnormal Security.

The scam appears to come from internal HR, informing users of dates that the offices are expected to reopen and when employees should return to the office to work. Each contains an HTML attachment with the victim’s name on it (see below).

[Image: HTML attachment named for the victim]

Unlike most HTML attachments, this one doesn’t take the user to a malicious webpage; instead it takes them to a SharePoint Online document that appears to be an HR document the user is required to acknowledge. This use of a legitimate Office 365 SharePoint site helps these attacks bypass security and find their way to the user’s inbox.

The most dumbfounding part of this attack is how the user is tricked out of their credentials. At the end of the HR form, they are simply asked for their email address (which is presumed to be their username) and then asked to enter their password as a means of establishing identity as part of agreeing to the presented HR policies. Anyone who understands when and where passwords would be used can easily see this isn’t one of those times.

The scam is a good one – it uses evasive techniques to ensure delivery, establishes legitimacy and urgency, and quickly seeks to reach its malicious goal. Users that have undergone Security Awareness Training should be able to spot this as being a scam, keeping their credentials – and your organization – secure.

Ransomware Gangs Are Now Cold-Calling Victims If They Restore From Backups Without Paying

Catalin Cimpanu at ZDNet reported on another evil escalation in ransomware extortion tactics. In attempts to put pressure on victims, some ransomware gangs are now cold-calling victims on their phones if they suspect that a hacked company might try to restore from backups and avoid paying ransom demands.

“We’ve seen this trend since at least August-September,” Evgueni Erchov, Director of IR & Cyber Threat Intelligence at Arete Incident Response, told ZDNet on Friday. Ransomware groups that have been seen calling victims in the past include Sekhmet (now defunct), Maze (now defunct), Conti, and Ryuk, a spokesperson for cyber-security firm Emsisoft told ZDNet on Thursday.

“We think it’s the same outsourced call center group that is working for all the [ransomware gangs] as the templates and scripts are basically the same across the variants,” Bill Siegel, CEO and co-founder of cyber-security firm Coveware, told ZDNet in an email. Arete IR and Emsisoft said they’ve also seen scripted templates in phone calls received by their customers.

According to a recorded call made on behalf of the Maze ransomware gang, and shared with ZDNet, the callers had a heavy accent, suggesting they were not native English speakers. The post has a redacted transcript of a call, provided by one of the security firms as an example, with victim names removed.

Another Escalation In Ransomware Extortion Tactics

The use of phone calls is another escalation in the tactics used by ransomware gangs to put pressure on victims to pay ransom demands after they’ve encrypted corporate networks.

Previous tactics included the use of ransom demands that double in value if victims don’t pay during an allotted time, threats to notify journalists about the victim company’s breach, or threats to leak sensitive documents on so-called “leak sites” if companies don’t pay.

However, while this is the first time ransomware gangs have called victims to harass them into paying, this isn’t the first time that ransomware gangs have called victims.

In April 2017, the UK’s Action Fraud group warned schools and universities that ransomware gangs were calling their offices, pretending to be government workers, and trying to trick school employees into opening malicious files that led to ransomware infections.

How Are Credential-Theft Phishing Websites Avoiding Detection? They Just Invert the Website Background

Sometimes the easiest solution is the best solution. And in the case of phishing attacks intent on stealing credentials using a fake logon page, it appears that background inversion does the trick.

Plenty of security solutions use crawlers to spot phishing sites before allowing users to navigate to them. And one of the more identifiable aspects of legitimate logon pages to sites such as Office 365 is the background. So, it makes sense that anytime a background image traditionally associated with a well-known authentication process shows up on some other website, it’s a sign there may be something suspicious afoot.

Well, it appears the bad guys have figured this out and have used the simplest of techniques to avoid detection: inversion. By simply inverting the background image (see below) using Cascading Style Sheets (CSS) when a crawler visits, the bad guys avoid detection.

[Image: Original next to inverted background. Source: PhishFeed]

But what about when a human visits? It’s obvious something’s wrong. No problem. The CSS code automatically reverts the image to its normal presentation when an actual user visits, making them feel they’ve arrived at the appropriate page.
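A crawler that matches a page’s background against a list of known vendor logon images only by exact hash is exactly what the inversion trick defeats. The following is an added example, not code from the article, PhishFeed or any vendor, showing two checks a crawler could add: an invert-tolerant fingerprint (the image and its pixel-wise inverse hash to the same value) and a scan for stylesheet rules that apply an invert filter. The 4x4 grayscale “brand background”, the stylesheet fragment and the assumption that the inversion is done with the CSS `filter: invert(...)` property are all this example’s own; the article only says CSS is used.

```python
import hashlib
import re

# Constructed 4x4 grayscale "vendor login background" (one byte per pixel).
# Stands in for the real image a crawler would compare against.
KNOWN_BACKGROUND = bytes([
     10,  40,  70, 100,
     40,  70, 100, 130,
     70, 100, 130, 160,
    100, 130, 160, 190,
])


def invert(pixels):
    """Pixel-wise inversion, the effect of a CSS invert filter on a grayscale image."""
    return bytes(255 - p for p in pixels)


def invariant_fingerprint(pixels):
    """Hash a canonical form that is identical for an image and its inverse.

    Of the two candidates (image, inverted image) the lexicographically
    smaller byte string is hashed, so inverting the input cannot change the
    result. The mapping is lossless, so distinct non-inverse images collide
    only if SHA-256 itself does.
    """
    canonical = min(bytes(pixels), invert(pixels))
    return hashlib.sha256(canonical).hexdigest()


def identify_background(pixels, known):
    """Return the label whose invert-tolerant fingerprint matches, else None."""
    return known.get(invariant_fingerprint(pixels))


# Regex-based check for CSS rules whose declarations apply an invert filter.
# `filter: invert(...)` is this example's assumption about how the page does
# the inversion; the article only says CSS is used.
RULE_RE = re.compile(r"([^{}]+)\{([^}]*)\}", re.S)
INVERT_RE = re.compile(r"filter\s*:[^;]*\binvert\s*\(", re.I)


def selectors_with_invert(css_text):
    """List the selectors of every rule that includes an invert filter."""
    return [sel.strip() for sel, body in RULE_RE.findall(css_text)
            if INVERT_RE.search(body)]


# Constructed stylesheet fragment: one rule inverts the whole page for a "bot" class.
SAMPLE_CSS = """
body { background: url(login-bg.png) no-repeat; }
body.bot { filter: invert(100%); }
.logo { filter: drop-shadow(2px 2px 2px #000); }
"""


if __name__ == "__main__":
    known = {invariant_fingerprint(KNOWN_BACKGROUND): "vendor-login-background (constructed)"}
    print(identify_background(invert(KNOWN_BACKGROUND), known))  # matches despite inversion
    print(selectors_with_invert(SAMPLE_CSS))  # ['body.bot']
```

The fingerprint check catches the specific trick the article describes; a real crawler would also need to render the page as a normal browser would, since the same stylesheet can swap the image back for human visitors, and it would still not replace teaching users to check the URL before entering credentials.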

This one is so tricky that no user will ever know just by looking at the familiar background. But through new-school Security Awareness Training, users can be taught to be mindful of the website URL, making certain it’s actually the legitimate vendor’s logon page and not a lookalike website.
