Updates on Vishing

Voicemail scams are on the rise, according to Paul Ducklin at Naked Security. These scams are a form of voice phishing (“vishing”) in which scammers churn out automated phone calls and leave pre-recorded messages when the calls go to voicemail. Like Nigerian prince email scams, this tactic allows scammers to weed out the people who are savvy enough to recognize the scam immediately.

“The theory behind recognising and reacting to voicemail prompts is obvious: many people understandably refuse to answer calls from numbers they don’t know, and program them to go through to voicemail automatically,” Ducklin explains. “By leaving automated messages in the same way that many legitimate companies do, such as taxi-booking firms, the criminals avoid having to get involved personally at the start. This not only saves the crooks time, but also – by asking you to make a voicemail choice such as pressing ‘1’ or staying on the line – pre-selects those people who haven’t figured out right away that it’s a scam.”

Fortunately, most of these scams are easy to recognize once you know what they look like. Ducklin concludes with advice on how to avoid falling victim to scams:

“Don’t try. Don’t buy. Don’t reply. Memorise this easily-remembered saying that the Australian cybersecurity industry came up with many years ago. It’s a neat way of reminding yourself how to deal with spammers and online charlatans.

“Don’t let yourself get sucked or seduced into talking to the scammers at all. We advise against what’s called ‘scambaiting’ – the pastime of deliberately leading scammers on, especially over the phone, in the hope that it might be amusing to see who’s at the other end. You’re talking to a crook, so the best thing that can happen to you is nothing.

“Contact companies you know using information you already have. If you are worried about a fraudulent transaction, login to your account yourself, or call the company’s helpline yourself.

“Never rely on information provided inside an email, or read out to you in a call. Don’t return a call to a number given by the caller. If it’s a scammer, you will not only end up talking to them, but also confirm any guesses (e.g. ‘you applied for a loan’ or ‘it’s about your Amazon account’) that the scammer made in the initial contact.”

New-school security awareness training can help your employees recognize social engineering tactics and follow security best practices.


They’re Here! COVID-19 Vaccine Phishes Finally Arrive

Anticipating that media attention surrounding the development and distribution of COVID-19 vaccines would undoubtedly spur malicious actors to launch new vaccine-themed phishing campaigns, we recently announced the release of eight new simulated phishing templates for the KMSAT security awareness training platform. Now, just two weeks after that announcement (and on the very day that the UK launched its own mass vaccination program), the first real vaccine-themed phishing emails have arrived. Let’s take a look.

The first one reported to us by customers using the Phish Alert Button (PAB) uses the very kind of social engineering scheme that we anticipated:


This email appears to be trying to exploit a very recent report in The Washington Post that Pfizer may not be able to supply additional doses of its vaccine to the United States in large volumes until sometime in Q2. Predictably enough, the link in the email body takes unwitting clickers to a credentials phish:


To be sure, the language used in the body of that malicious email is a bit stilted — definitely not the effortlessly clear prose one would expect in a professionally written email of this type. But it will do.

As it turns out, this particular phish compares quite well with one of the eight simulated phishing templates we introduced two weeks ago:


The social engineering scheme in both emails exploits some of the basic questions and concerns that users and employees will have about the several vaccines currently on the cusp of widespread distribution:

1. How soon will a vaccine be available?
2. Will it be safe?
3. How can I get it?
4. When can I get it?
5. How much will it cost?
6. Should I get it?

Put very simply, this is pretty much what we expected.


Malicious actors had a field day back in March and April as the Coronavirus washed over countries around the world. It was and still is the perfect tool for social engineering scared, confused, and even downright paranoid end users into opening the door to your organization’s network.

Nine months later, as an entirely predictable round of vaccine-themed phishing emails begins to land in your employees’ inboxes, it is high time to get your users up to speed by stepping them through New-school Security Awareness Training and testing them with the vaccine-themed simulated phishing templates already available in KMSAT.


Why Are You Being Phished?

People often wonder why they are being phished. Why did a hacker target them in the first place? What does their organization have that made some hacker decide they were noteworthy enough to be targeted?

Targeted vs. Random

Most organizations are hit by phishing randomly, without special targeting. The phishing sender had the recipient’s email address, usually from buying or downloading a large bulk list of email addresses, or because the address was scraped from some other hapless victim who was previously compromised. The hacker and his/her phishing scam didn’t especially pick out a particular victim. They obtained the email addresses of tens of millions or even hundreds of millions of potential victims and sent to all of them at the same time and/or over several phishing campaigns. Email addresses from your organization just happened to be on the list. That is how the vast majority of phishing emails end up in an inbox.

The opposite possibility is that your organization was especially targeted, on purpose, by a hacker. For a variety of possible reasons, a hacker decided your company had a reason to be targeted, be it money, intellectual property, a nation-state objective, or some other justification. Targeted spear phishing attacks are far less common, but harder to defend against.

Random Phishing Attacks

Actually, there is a third, very common, hybrid answer that blends the two main methods. Increasingly, random phishing attacks drop malware which breaks into an organization’s computers and then notifies the hacker of its successful breach. Usually, the initial exploit is accomplished by a malware program designed primarily to get a foothold onto a system or network. It then immediately “dials home” to its “command & control” (C&C) servers, to download the latest, updated, currently undetectable-by-antivirus version of itself. It then downloads and follows any commands left waiting for it by the hacker, if any. The instructions could include telling it to steal data, initiate a ransomware payload, get involved as part of a bigger distributed denial of service (DDoS) attack, or simply to wait.

The initial instructions will often tell the malware to search for all the available passwords and login credentials that can be found on the involved system and upload them to the hacker. Then it will go into a pseudo-hibernating mode and wait for the hacker to send further instructions. It will also get the new IP addresses or domain names for the always-moving C&C servers, to ensure that one or a few C&C shutdowns by the AV vendors and authorities don’t interrupt operations.

Many malware programs remain inside systems and networks for up to a year without being detected. They do this by constantly updating to make sure they have the latest versions and remain undetectable by most antivirus programs. The malware’s creator (or the code itself) will often check Google’s VirusTotal, which runs 70-plus antivirus engines. It’s a good place for hackers to check which malware detectors are starting to recognize their programs. If they see AV detection starting to happen, they will re-encrypt or re-obfuscate their malware programs to make the modified versions newly “invisible” to the current AV signatures.

It’s very common for hackers today to check their online admin consoles, to which each and every malware bot reports (via the C&C servers). The admin consoles, which reside on yet another C&C server, contain a lot of useful information, including total number of successful infections, country locations, which operating systems and browsers were involved, and the exploited IP addresses and/or domain names. If hackers have the time and desire, they can look over the list of reported domain names. And if they see one that catches their eye for some reason, they can remotely access the compromised device and take a look around. They might find some interesting data to steal or lurk around reading C-level emails to see what they can encrypt or steal to get the most leverage or revenue. At any time in this world, there are likely dozens to hundreds of malware gangs controlling hundreds of thousands to millions of compromised nodes, with the power to do whatever they want whenever they want; limited only by the capability of the software and hardware. It’s a hacker’s dream these days.

Defending Against Cyber Attacks

Targeted attacks are very hard to stop from being successful, especially if the human adversary has nearly unlimited time and resources, like a well-funded hacker gang or nation-state. It is rare that an organization will withstand a sustained, focused effort. However, unlike targeted attacks, random and hybrid attacks are many thousands of times more common and can be more easily defended against.

Here’s the possible surprise. All types of attacks, targeted or random, can be defended against in the exact same way. It really doesn’t take any extraordinary defenses. No special gizmos or super expensive solutions are needed. Simply patching Internet-accessible software better and fighting social engineering better is 90% to 99% of the battle.

Significantly better mitigation of those two attack methods will put down most attacks – targeted or otherwise. It just has to be done consistently and more accurately. It requires understanding that these two attack methods are used far more often than any other, and then focusing on them as a defender. The reason most organizations got compromised is that they attempted to do too many things all at once and lost focus on the two things that matter the most. Hackers love it when defenders get distracted.

From a purely defensive point of view, it really doesn’t matter why your organization was targeted by a phishing campaign. It does matter, especially if they are successful. But you implement the exact same preventative, detective, and response controls for both of them.

If you want to learn about everything you can do to prevent social engineering and phishing from being successful (including policies, technical defenses, and education), you can watch the On-Demand Webinar: Your Ultimate Guide to Phishing Mitigation.


New “Back to Work” HR-Themed Phishing Scam Works to Steal Internal User Credentials

Using a fake internal memo from HR, per-user custom-named email attachments, SharePoint Online, and a realistic-looking HR form, this phishing attack has all the ingredients to trick your users.

This far into the pandemic, there are groups of users within your organization begging to come back to the office, as well as those that never want to set foot in the office again. This emotional attachment to either sentiment is the basis for this newest scam, documented by security researchers at Abnormal Security.

The scam appears to come from internal HR, informing users of dates that the offices are expected to reopen and when employees should return to the office to work. Each contains an HTML attachment with the victim’s name on it (see below).


Unlike most HTML attachments, the link doesn’t take the user to a malicious webpage; instead it takes them to a SharePoint Online document that appears to be an HR document the user is required to acknowledge. This use of a legitimate Office 365 SharePoint site helps these attacks bypass security and find their way to the user’s Inbox.

The most dumbfounding part of this attack is how the user is tricked out of their credentials. At the end of the HR form, they are simply asked for their email address (which is presumed to be their username) and then asked to enter in their password as a means to establish identity as part of agreeing to the presented HR policies. Anyone who understands when and where passwords would be used can easily see this isn’t one of those times.

The scam is a good one – it uses evasive techniques to ensure delivery, establishes legitimacy and urgency, and quickly seeks to reach its malicious goal. Users that have undergone Security Awareness Training should be able to spot this as being a scam, keeping their credentials – and your organization – secure.


Ransomware Gangs Are Now Cold-Calling Victims If They Restore From Backups Without Paying

Catalin Cimpanu at ZDNet reported on another evil escalation in ransomware extortion tactics. In attempts to put pressure on victims, some ransomware gangs are now cold-calling victims on their phones if they suspect that a hacked company might try to restore from backups and avoid paying ransom demands.

“We’ve seen this trend since at least August-September,” Evgueni Erchov, Director of IR & Cyber Threat Intelligence at Arete Incident Response, told ZDNet on Friday. Ransomware groups that have been seen calling victims in the past include Sekhmet (now defunct), Maze (now defunct), Conti, and Ryuk, a spokesperson for cyber-security firm Emsisoft told ZDNet on Thursday.

“We think it’s the same outsourced call center group that is working for all the [ransomware gangs] as the templates and scripts are basically the same across the variants,” Bill Siegel, CEO and co-founder of cyber-security firm Coveware, told ZDNet in an email. Arete IR and Emsisoft said they’ve also seen scripted templates in phone calls received by their customers.

According to a recorded call made on behalf of the Maze ransomware gang, and shared with ZDNet, the callers had a heavy accent, suggesting they were not native English speakers. The post has a redacted transcript of a call, provided by one of the security firms as an example, with victim names removed.

Another Escalation In Ransomware Extortion Tactics

The use of phone calls is another escalation in the tactics used by ransomware gangs to put pressure on victims to pay ransom demands after they’ve encrypted corporate networks.

Previous tactics included the use of ransom demands that double in value if victims don’t pay during an allotted time, threats to notify journalists about the victim company’s breach, or threats to leak sensitive documents on so-called “leak sites” if companies don’t pay.

However, while this is the first time ransomware gangs have called victims to harass them into paying, this isn’t the first time that ransomware gangs have called victims.

In April 2017, the UK’s Action Fraud group warned schools and universities that ransomware gangs were calling their offices, pretending to be government workers, and trying to trick school employees into opening malicious files that led to ransomware infections.


How Are Credential-Theft Phishing Websites Avoiding Detection? They Just Invert the Website Background

Sometimes the easiest solution is the best solution. And in the case of phishing attacks intent on stealing credentials using a fake logon page, it appears that background inversion does the trick.

Plenty of security solutions use crawlers to spot phishing sites before allowing users to navigate to them. And one of the more identifiable aspects of legitimate logon pages to sites such as Office 365 is the background. So, it makes sense that anytime a background image traditionally associated with a well-known authentication process shows up on some other website, it’s a sign there may be something suspicious afoot.

Well, it appears the bad guys have figured this out and have used the simplest of techniques to avoid detection: inversion. By simply inverting the background image (see below) using Cascading Style Sheets (CSS) when a crawler visits, the bad guys avoid detection.

Original next to inverted background

Source: PhishFeed

But what about when a human visits? It’s obvious something’s wrong. No problem. The CSS code automatically reverts the image to its normal presentation when an actual user visits, making them feel they’ve arrived at the appropriate page.
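A crawler-side check that closes this gap, as an added example that is not from the original post or from PhishFeed: fingerprint the captured background both as rendered and pixel-inverted, and accept a match against the known logon background in either form. The images are constructed grayscale grids standing in for screenshots, and the average-hash distance threshold is an assumed tuning value.

```python
from typing import List

Image = List[List[int]]  # grayscale rows, pixel values 0..255


def invert(img: Image) -> Image:
    """Pixel-wise inversion, the same transform CSS filter: invert(100%) applies."""
    return [[255 - px for px in row] for row in img]


def downsample(img: Image, size: int = 8) -> Image:
    """Block-average to size x size so minor rendering drift washes out.
    Assumes width and height are multiples of size (true for the constructed images)."""
    bh, bw = len(img) // size, len(img[0]) // size
    out = []
    for by in range(size):
        row = []
        for bx in range(size):
            block = [img[y][x]
                     for y in range(by * bh, (by + 1) * bh)
                     for x in range(bx * bw, (bx + 1) * bw)]
            row.append(sum(block) // len(block))
        out.append(row)
    return out


def average_hash(img: Image, size: int = 8) -> int:
    """aHash: one bit per downsampled cell, set when the cell is brighter than the mean."""
    flat = [v for row in downsample(img, size) for v in row]
    mean = sum(flat) / len(flat)
    bits = 0
    for v in flat:
        bits = (bits << 1) | (1 if v > mean else 0)
    return bits


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def classify_background(capture: Image, reference: Image, threshold: int = 6) -> str:
    """'match': looks like the known logon background; 'inverted-match': looks like it
    only after undoing an inversion (the crawler-time trick described above); else 'no-match'.
    Inversion flips every aHash bit, so comparing the raw capture alone scores ~64/64 wrong."""
    ref = average_hash(reference)
    if hamming(average_hash(capture), ref) <= threshold:
        return "match"
    if hamming(average_hash(invert(capture)), ref) <= threshold:
        return "inverted-match"
    return "no-match"


def constructed_background(vertical_split: bool = True, size: int = 32) -> Image:
    """Constructed stand-in for a logon background: dark/light halves, split left/right
    (the 'known' background) or top/bottom (an unrelated page)."""
    rows = []
    for y in range(size):
        row = []
        for x in range(size):
            pos = x if vertical_split else y
            row.append(40 if pos < size // 2 else 220)
        rows.append(row)
    return rows


if __name__ == "__main__":
    reference = constructed_background()
    honest = [[min(255, v + 5) for v in row] for row in reference]  # slight rendering drift
    evasive = invert(honest)  # what the crawler sees while the inversion is applied
    unrelated = constructed_background(vertical_split=False)
    for label, img in (("honest", honest), ("evasive", evasive), ("unrelated", unrelated)):
        print(label, classify_background(img, reference))
```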

This one is so tricky, no user will ever know just by looking at the familiar background. But through new school Security Awareness Training, users can be taught to be mindful of the website URL, making certain it’s actually the legitimate vendor’s logon page and not a lookalike website.


Think Tanks Targeted by APT Actors

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint advisory warning that nation-state advanced persistent threat (APT) actors are targeting US think tanks. The advisory says APTs are particularly interested in think tanks that focus on international affairs or national security policy.

“APT actors have relied on multiple avenues for initial access,” the advisory states. “These have included low-effort capabilities such as spear phishing emails and third-party message services directed at both corporate and personal accounts, as well as exploiting vulnerable web-facing devices and remote connection capabilities. Increased telework during the COVID-19 pandemic has expanded workforce reliance on remote connectivity, affording malicious actors more opportunities to exploit those connections and to blend in with increased traffic. Attackers may leverage virtual private networks (VPNs) and other remote work tools to gain initial access or persistence on a victim’s network. When successful, these low-effort, high-reward approaches allow threat actors to steal sensitive information, acquire user credentials, and gain persistent access to victim networks.”

CISA says leaders should “Implement a training program to familiarize users with identifying social engineering techniques and phishing emails.” For employees, the advisory offers the following recommendations:

  • “Log off remote connections when not in use.
  • “Be vigilant against tailored spear phishing attacks targeting corporate and personal accounts (including both email and social media accounts).
  • “Use different passwords for corporate and personal accounts.
  • “Install antivirus software on personal devices to automatically scan and quarantine suspicious
  • “Employ strong multi-factor authentication for personal accounts, if available.
  • “Exercise caution when:
    • “Opening email attachments, even if the attachment is expected and the sender appears to be known. See Using Caution with Email Attachments.
    • “Using removable media (e.g., USB thumb drives, external drives, CDs).”

New-school security awareness training can help organizations of all types defend themselves against cyberattacks by enabling employees to recognize social engineering tactics.


South African Post Office Issues Warning on Postal Phishing Attack

The South African Post Office recently issued a warning about a phishing attack. The post office advised everyone to delete the email immediately.

“The SA Post Office continues to receive enquiries from members of the public who receive an email stating that a package could not be delivered to them because of outstanding customs duties,” the Post Office said in a statement. “The mail contains a link that leads them to a payment page not operated by the SA Post Office, and refers to a fraudulent tracking number not issued by the Post Office.”

The post office also disclosed that the sender’s name was changed to show that it was sent from the post office rather than the true email address of the cybercriminal. This is a typical social engineering tactic for the bad guys to utilize.
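The display-name trick described above is mechanically detectable at the mail gateway. As an added example that is not from the SA Post Office statement or the original post, this rule flags a From: header whose display name claims a known brand while the actual address domain is not one the brand sends from. The brand-to-domain table and the sample headers are constructed; postoffice.co.za is an assumed legitimate domain, and the lookalike domains are invented.

```python
from email.header import decode_header, make_header
from email.utils import parseaddr
from typing import Dict, List, Optional, Set, Tuple

# Assumed table: brand keyword (lowercase) -> domains the brand legitimately sends from.
# 'postoffice.co.za' is an assumption for this example, not taken from the post.
BRAND_DOMAINS: Dict[str, Set[str]] = {
    "post office": {"postoffice.co.za"},
}


def split_from(from_value: str) -> Tuple[str, str]:
    """Split a From: header value into (decoded display name, lowercase address)."""
    name, addr = parseaddr(from_value)
    # Display names may arrive RFC 2047-encoded (=?UTF-8?B?...?=); decode before matching.
    name = str(make_header(decode_header(name)))
    return name, addr.lower()


def flag_display_name_spoof(from_value: str) -> Optional[str]:
    """Return a reason when the display name claims a known brand but the address
    domain is not (a subdomain of) one the brand sends from; None otherwise."""
    name, addr = split_from(from_value)
    domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower():
            if domain and any(domain == d or domain.endswith("." + d) for d in domains):
                return None
            return (f"display name claims '{brand}' but the address domain is "
                    f"'{domain or '<none>'}' (name={name!r}, address={addr!r})")
    return None


# Constructed From: values for the demo; lookalike domains are invented.
CONSTRUCTED_FROM_HEADERS: List[str] = [
    '"SA Post Office" <notifications@postoffice.co.za>',                   # legitimate (assumed)
    '"SA Post Office Customs" <customs-duties@mail-tracker-example.net>',   # spoofed display name
    '=?UTF-8?B?U0EgUG9zdCBPZmZpY2U=?= <customs@mail-tracker-example.net>',  # encoded display name
    '"SA Post Office <info@postoffice.co.za>" <x@lookalike-example.org>',  # brand address in name
    '"Jane Example" <jane@example.com>',                                   # unrelated sender
]


def scan(headers: List[str]) -> List[Tuple[str, str]]:
    """Return (header, reason) for every header the rule flags."""
    findings = []
    for h in headers:
        reason = flag_display_name_spoof(h)
        if reason:
            findings.append((h, reason))
    return findings


if __name__ == "__main__":
    for header, reason in scan(CONSTRUCTED_FROM_HEADERS):
        print(f"FLAG {header}\n  -> {reason}")
```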

With the pandemic showing an increase in attacks all around the world, it’s important for your users to consistently be vigilant of any email communication that is out of the norm. New-school security awareness training can train your users how to spot and report any suspicious email activity.


Fake Zoom Invite Leads to one Australian Company’s Downfall

We’ve previously written blog posts warning readers to be cautious of suspicious Zoom meeting links, and we even reported a huge increase in phishing attacks using Zoom in August of this year. The heads-up is that these attacks are happening right now in high volume.

Unfortunately, one hedge fund company based in Australia did not get the message.

The Australian Financial Review reported that Levitas Capital’s largest institutional client, Australian Catholic Super, had pulled a planned $16 million investment following the September incident and the fund would be closing down. It was later reported that this was due to a fake Zoom meeting invite phishing link that was opened by one of the co-founders of the organization.

Fraudulent invoices were then sent to other companies that the fund had previously worked with. “There were so many red flags which should have been spotted … It makes you wonder where else in the system could this happen?” said Michael Fagan, co-founder of Levitas Capital.

Here is the screenshot of the Zoom invite to show just how realistic the invite looked:

Fake Zoom Invite Link

Let this be a warning for other companies not taking new-school security awareness training seriously. It’s important to continually educate your users of common social engineering tactics like this one.


Ransomware Downtime Costs for SMBs Are 50 Times More than the Ransom Itself!

No one has less cash on hand to spend on dealing with a cyberattack than the small business. New data shows ransomware is a challenge for SMBs and they aren’t prepared for the costs.

No other malware type has evolved as much over the last 12 months as ransomware. The sheer number of attacks, the improvements in sophistication and efficacy are unmatched, and the ransoms are only getting larger.

But most still think this is an enterprise problem; nothing could be farther from the truth. In Datto’s Global State of the Channel Ransomware Report, we find that the SMB is just as much a target of opportunity as the enterprise. And in many cases, despite it being impactful to the business, SMBs simply aren’t aware of the danger.

According to the report:

  • 70% of MSPs report ransomware as the most common malware threat to SMBs
  • Only 30% report that their clients feel ‘very concerned’ about ransomware
  • 62% of MSPs said clients’ productivity was impacted due to attacks
  • 39% said their clients experienced business-threatening downtime

What’s interesting is how the costs of ransomware have fluctuated over time. While the average reported ransom stayed largely flat – $5,900 in 2020 versus $5,600 in 2019 – the average cost of the resulting downtime is 50 times higher than the ransom – $274K!

According to Datto, the leading cause of ransomware attacks is successful phishing email attacks. This means that despite most SMBs having security solutions in place (e.g., 59% have anti-malware filtering solutions implemented), it’s not enough. MSPs need to add Security Awareness Training to their security solution offering to improve their clients’ security stance by incorporating the user as part of the security strategy.

From the looks of things, the SMB needs to step up their game and MSPs need to lead the way; Security Awareness Training is the answer to improve their clients’ security posture.