Remote Workers Continue to Put Organizations Critically at Risk of Cyberattack

The insecurity of the remote worker, their devices, personal networks, and bad cybersecurity habits creates a massive threat surface that cybercriminals can easily take advantage of.

We are already seeing projections that the current remote workforce isn’t going anywhere and that a majority of workers will remain remote in the future. So it’s critical that organizations make certain their remote workers are secured to the same standards that would apply if the worker were in the office. But new data from security vendor Bitdefender paints a rather bleak picture of the state of cybersecurity for remote workers and their working environment. Their report, The ‘New Normal’ State of Cybersecurity, finds that the remote worker is anything but secure:

  • 87% have the WinRM service still enabled (allowing remote session attacks)
  • 64% have unpatched vulnerabilities that are older than 2018 on their devices
  • 56% of attacks on remote workers involve port scanning
  • Covid-related attacks are on the rise, with 4 in 10 emails on the topic being fraud, phishing, or malware

There’s one last stat that makes it clear where the source of this insecurity lies: 93% of employees are still using old passwords. This and the preceding stats point directly to a lack of organizations communicating with and educating users on cybersecurity issues like the need to patch personal devices, properly securing their device with even the OS firewall, and good password hygiene.

Organizations wanting to significantly reduce this massive threat surface should be investing in Security Awareness Training for their users, to train them on the need for a security mindset, its importance to themselves and the organization, and ways to better secure their device, network, email, and employer.


Spotting Retail Scams During the Holiday Season

People need to be particularly vigilant for scams as we approach the holiday shopping season, according to Laura Brooks at Tessian. Scammers always take advantage of seasonal trends, and the shopping season creates perfect opportunities for them to strike.

“Consumers expect to receive more marketing and advertising emails from retailers during this time, touting their deals, along with updates about their orders and notifications about deliveries,” Brooks writes. “Inboxes are noisier-than-usual and this makes it easier for cybercriminals to ‘hide’ their malicious messages and prey on individuals who are not security savvy. What’s more, attackers can leverage the ‘too-good-to-be-true’ deals people are expecting to receive, using them as lures to successfully deceive their victims. When the email looks like it has come from a legitimate brand and email address, people are more likely to click on malicious links that lead to fake websites or download harmful attachments.”

Brooks adds that vendors also need to be wary of phishing attacks, particularly those that lean heavily on targeted social engineering.

“Vendor impersonation (also called vendor email compromise) is a persistent threat that many businesses are facing right now – one that has increased since the shift to remote working,” Brooks says. “In fact, Tessian research revealed that over a third (34%) of the phishing attacks organizations received between March – July 2020 purportedly came from an external supplier, while 26% supposedly came from a customer.”

Brooks concludes that user education is an “incredibly important” measure in combating phishing and other social engineering attacks.

“Hackers prey on the people-heavy nature of the retail industry,” Brooks says. “Using sophisticated social engineering techniques and clever impersonation tactics, they’re counting on people making a mistake and falling for their scams.”

New-school security awareness training can enable your employees to recognize social engineering tactics in their personal and professional lives.


Why Use Malware When Cybercriminals Can Use Social Engineering?

Researchers at Malwarebytes warn that a malvertising campaign they call “malsmoke” has stopped deploying exploit kits and is now using social engineering attacks to trick users into installing malware. The threat actor behind this campaign generally targets high-traffic adult websites. In the latest campaign, the attackers began using web pages that purport to contain an adult video, and inform users that they’ll need to install a Java plugin in order to view the video.

“Starting mid-October, the threat actors behind malsmoke appear to have phased out the exploit kit delivery chains in favor of a social engineering scheme instead,” the researchers write. “The new campaign is tricking visitors to adult websites with a fake Java update. This change is significant because it drastically increases the target audience, no longer limiting it to Internet Explorer users running outdated software.”

The use of social engineering also gives the attackers flexibility in how they target their victims, and enables them to improve upon their techniques in the future.

“The threat actors could have designed this fake plugin update in any shape or form,” Malwarebytes says. “The choice of Java is a bit odd, though, considering it is not typically associated with video streaming. However, those who click and download the so-called update may not be aware of that, and that’s really all that matters.”

Malwarebytes concludes that social engineering schemes will remain relevant, since they’re cheaper and often more efficient than technical exploits.

“In the absence of high value software vulnerabilities and exploits, social engineering is an excellent option as it is cost effective and reliable,” the researchers explain. “As far as web threats go, such schemes are here to stay for the foreseeable future.”

Technical vulnerabilities can always be patched, but humans need to receive education to combat social engineering attacks. New-school security awareness training can help your employees stay ahead of these evolving tactics.


Ransomware Attacks Officially Hit a New Low and Go Where No Cyberattack Has Gone Before: Death

The past few months have seen ransomware quickly evolve to a place of ingenious sophistication, rampant greed, indifferent destruction, and the sad loss of life.

Your organization should be laser focused on stopping ransomware from ever taking hold. This warning comes as we watch cybercriminal gangs take the simple “encrypted data held for ransom” game to new levels I never thought I’d see.

Ransomware attacks have increased in frequency seven-fold, extortion is now a part of nearly every attack to ensure prompt payment, and seeing ransoms in the millions is now, well… not uncommon. In fact, we’ve already seen a ransom as high as $34 million.

And in September, the world of ransomware experienced its first-ever death. If anything is a signal to lay off attacks on healthcare, that was it. And yet, healthcare remains a ransomware target.

In some ways, it feels like we’re losing the battle.

What’s needed is for all organizations – including healthcare – to look at the root causes of why ransomware attacks are successful. When it comes down to it, users are a necessary part of the attack – users who engage with unscrupulous phishing attacks. This is something that can easily be avoided – with the right education. Organizations that put their users through Security Awareness Training add the user to the layered security strategy, allowing the users themselves to act as the last line of defense against these increasingly menacing ransomware attacks.

I fear it’s only going to get worse, but it can get better if users work in concert with your cybersecurity strategy. And they can only do that if you train them how to.


5 Human Factors That Affect Secure Software Development

With the move to remote work, it’s especially important to understand how to support, discourage, and monitor conditions for development teams.

Human factors are the psychological, physiological, and environmental properties that are both intrinsic to people and also influence their interaction with the world. Scientific evidence shows that certain human factors — such as fatigue, time of day, distractions, and even visual display formats — affect human performance and impact safety in industries such as aviation, trucking, healthcare, manufacturing, and nuclear power.

The National Transportation Safety Board’s investigative processes consider the human factors that contribute to an accident, beyond mechanical failures. The FAA’s Dirty Dozen lists the 12 common causes of mistakes in the aviation workplace due to human factors.

Safety and security are closely linked; after all, security breaches can provide unauthorized access to safety-critical systems. You’ve probably read of attackers gaining remote access to medical infusion pumps or shutting down automobile safety systems. And software, which is a major component of most safety-critical systems, is notoriously insecure.

What can software engineering learn from human factors research in safety-critical systems?

Where App Security Meets Psychology
I set out to answer this question with my research partners at Secure Decisions and Rochester Institute of Technology. If we could identify the human factors that play a role in software security, then development managers could use that knowledge to reduce the accidental introduction of vulnerabilities in code. And security teams could locate code that was more likely to be vulnerable.

We reviewed the scientific literature and conducted our own research. We looked at factors like team size, level of focused attention, physical separation of developers, time of day when code is written, and hours worked per day and assessed their relationships to vulnerabilities found in the software.

Through the research, we were able to identify a number of human factors that are associated with insecure software. With the move to remote work, it is especially important to understand the human factors that managers need to support, discourage, and monitor to create ideal working conditions for remote teams. Here is a high-level summary of some of our key findings.

Developers Need Focused Attention 
Unfocused contribution rises when a developer is modifying multiple files or when the number of unique contributors to a file increases. Unfocused contribution is associated with a greater number of vulnerabilities. This suggests that development managers should think twice before assigning too many separate tasks to a single developer. And developers should situate themselves in an environment that is relatively free from distractions.

Bigger Teams Correlate to Less Secure Code
Larger teams mean more weaknesses and vulnerabilities. It’s hard to say what the ideal team size is. But research shows that Chromium files with 9 or more developers were 68 times more likely to have a vulnerability, and Apache web server files with 9 or more developers were 117 times more likely. So, my advice is to keep development teams relatively small and focused.

Excessive Work Hours Affect Performance 
Research-based guidelines in aviation and medicine indicate that people engaged in safety-critical work should not work more than 11 hours per day. It is well known that human performance degrades significantly as people work for long periods of time. We should apply this to software developers and limit their sustained work to no more than 11 hours per day. Software “death marches” should be avoided, not applauded.

The Time of Day Code Is Written Matters 
Files with code churned between midnight and 8 AM or between noon and 4 PM have more vulnerabilities. This maps to our circadian rhythms, the cyclical changes in our mental alertness and physiological arousal over the course of a day. Most humans’ alertness wanes between midnight and 6 AM, and many also sustain reduced alertness around 2 PM. It is prudent for software engineers not to code in the wee hours of the morning, and to take a break in the early afternoon.

Team Location Does Not Influence Code Security 
Research conducted by Microsoft found no difference in software security between teams in the same building, cafeteria, campus, locality, or even continent. Distributed teams and co-located teams had essentially the same number of post-release failures. This is good to know as we now live in a remote working environment.

Studying human factors gives us a new way to identify source code that is more likely to contain vulnerabilities, based on what we know about the developers and the teams that wrote the code. For example, analysts and developers could choose to first triage static analysis findings or perform code reviews on code that was built by a team of nine developers where most of the code was committed at 2 AM.
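The triage heuristic just described, as an added example that is not from the article or its authors: it ranks files by the two signals the article names (nine or more contributors, and the share of changes made in the low-alertness windows) over a constructed change log. The log format, the scoring and all names are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Low-alertness windows from the article: midnight to 8 AM and noon to 4 PM.
RISK_HOURS = set(range(0, 8)) | set(range(12, 16))
# Files touched by 9 or more developers were the high-risk group in the
# Chromium and Apache studies cited above.
TEAM_SIZE_THRESHOLD = 9

# Constructed sample log, one "author|author-timestamp|path" record per
# touched file, as you could flatten from
# `git log --pretty=format:%an|%aI --name-only` (an assumed flattening, not
# part of the article). %aI carries the author's own UTC offset, so .hour
# below is the local hour at which that author was working.
SAMPLE_LOG = """\
alice|2020-11-10T02:13:00-05:00|src/auth/session.c
bob|2020-11-10T01:40:00-05:00|src/auth/session.c
carol|2020-11-10T03:05:00-05:00|src/auth/session.c
dave|2020-11-11T02:50:00-05:00|src/auth/session.c
erin|2020-11-11T14:20:00-05:00|src/auth/session.c
frank|2020-11-11T10:00:00-05:00|src/auth/session.c
grace|2020-11-12T01:15:00-05:00|src/auth/session.c
heidi|2020-11-12T02:30:00-05:00|src/auth/session.c
ivan|2020-11-12T09:45:00-05:00|src/auth/session.c
alice|2020-11-10T10:30:00-05:00|src/ui/theme.c
bob|2020-11-11T11:00:00-05:00|src/ui/theme.c
carol|2020-11-10T14:10:00-05:00|src/net/parser.c
dave|2020-11-10T09:00:00-05:00|src/net/parser.c
carol|2020-11-11T16:30:00-05:00|src/net/parser.c
"""


def parse_records(log_text):
    """Yield (author, author-local datetime, path) for each record."""
    for line in log_text.strip().splitlines():
        author, ts, path = line.split("|", 2)
        yield author.strip(), datetime.fromisoformat(ts.strip()), path.strip()


def triage(log_text):
    """Score each file: share of off-hours changes, plus 1.0 if the file has
    a large team. Higher score = review or run static analysis on it first."""
    authors = defaultdict(set)
    total = defaultdict(int)
    off_hours = defaultdict(int)
    for author, when, path in parse_records(log_text):
        authors[path].add(author)
        total[path] += 1
        if when.hour in RISK_HOURS:
            off_hours[path] += 1
    rows = []
    for path in total:
        share = off_hours[path] / total[path]
        big_team = len(authors[path]) >= TEAM_SIZE_THRESHOLD
        rows.append({
            "path": path,
            "contributors": len(authors[path]),
            "off_hours_share": round(share, 2),
            "big_team": big_team,
            "score": round(share + (1.0 if big_team else 0.0), 2),
        })
    rows.sort(key=lambda r: (-r["score"], r["path"]))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```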


Scammers Target Singles Day Shoppers

Shoppers need to be on the lookout for scammers as Singles Day begins in China and other countries around the world, the BBC reports. Singles Day is the world’s largest online shopping event, originally started by Chinese online retail giant Alibaba. Other countries and companies now have their own versions of the event, and the BBC says the merchandise value of Singles Day last year was “double that of Black Friday and Cyber Monday combined.”

“This year’s event is expected to continue to break records across Asia, as more people stay home and shop online amid the Covid-19 pandemic, while those unable to travel overseas for shopping trips are expected to ‘revenge spend’ online,” the BBC writes. “It represents a huge honeypot for scammers who, over the years, have come up with increasingly innovative ways to trick consumers, from creating fake apps to claims of formaldehyde-soaked clothes. Some shoppers in China have lost tens of thousands of dollars to such ruses.”

Yeo Siang Tiong from Kaspersky told the BBC that scammers have grown savvier and are putting more effort into making their schemes believable.

“In addition, many of the phishing scams in particular have become quite convincing, making it hard for consumers to differentiate between truth and fiction,” Yeo said.

The BBC concludes that shoppers need to know how to recognize the signs of a scam and the tactics used by scammers.

“Never give away critical personal information such as bank account details over the phone,” the BBC says. “E-commerce platforms such as Taobao would typically have a customer’s bank information already saved in their system, so refunds should be able to be processed automatically. Fake refund scams also often offer you more than what you paid for, which would rarely happen in a real situation. If it sounds too good to be true, it probably is. As for Internet phishing scams, double check web addresses if you are redirected to them from other landing pages, said Kaspersky’s Mr Yeo, or try to access deal pages directly through the legitimate website.”

New-school security awareness training can help your employees avoid falling for scams and social engineering attacks in both their personal and professional lives.


Emotet Makes Another Comeback with New Tactics, Techniques and Procedures

New analysis of Q3 shows Emotet attacks on the rise, complete with new methods and features that have impacted governments and enterprise businesses alike.

The banking trojan Emotet has been around since 2019, but it seems to be the cat with nine lives, as it continues to evolve and repeatedly show itself after quiet periods. According to Recorded Future’s Cyber Threat Analysis report for Q3 of 2020, campaigns involving the trojan demonstrate that it has been undergoing modifications to make it more successful at infecting systems:

  • The replacement of TrickBot with QakBot as a final payload
  • A 1,000 percent increase in Emotet downloads, correlating with Emotet’s packer change, which causes the Emotet loader to have a lower detection rate across anti-virus software
  • Operators using new Word document templates
  • Operators using password protected archives containing malicious macros to bypass detections

Recorded Future’s analysts write that although Emotet will “continue to employ major pauses, we believe it is highly likely that Emotet will continue to be a major threat and impact organizations across a variety of industries throughout the end of the year and into 2021.”

We’ve seen Emotet involved in attacks on government agencies, and we’ve seen it employed in a malware-as-a-service model. The changes made in Q3 indicate that its authors are paying attention to how it’s being detected and blocked, and are changing tactics to stay viable and successful in their goal of infecting endpoints.
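A mail-gateway check for the delivery pattern listed above (a password-protected archive wrapping a macro-capable Office document), added here as an example and not taken from Recorded Future’s report. ZIP headers stay in cleartext even when member data is encrypted, so the check reads only the central directory and needs no password; because Python’s zipfile cannot write encrypted archives, the constructed sample sets the encryption flag by patching the headers of a harmless placeholder file. All function names are assumptions.

```python
import io
import struct
import zipfile

# Extensions that can carry VBA macros (legacy binary formats and the
# macro-enabled OOXML variants).
MACRO_CAPABLE = (".doc", ".dot", ".docm", ".dotm",
                 ".xls", ".xlsm", ".xlsb", ".ppt", ".pptm")


def inspect_archive(data: bytes) -> dict:
    """Report suspicious traits of a ZIP attachment without extracting it."""
    result = {"is_zip": False, "encrypted": False, "office_members": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    result["is_zip"] = True
    for info in zf.infolist():
        # General-purpose flag bit 0 marks a member as encrypted; the
        # central directory is readable whether or not we have the password.
        if info.flag_bits & 0x1:
            result["encrypted"] = True
        if info.filename.lower().endswith(MACRO_CAPABLE):
            result["office_members"].append(info.filename)
    return result


def is_suspicious(data: bytes) -> bool:
    """True when the attachment matches the encrypted-archive-plus-Office-doc
    pattern, which a gateway could quarantine for analyst review."""
    r = inspect_archive(data)
    return r["is_zip"] and r["encrypted"] and bool(r["office_members"])


def constructed_sample(encrypted: bool) -> bytes:
    """Constructed test archive (not real malware). The member is plain
    placeholder text; only the header flag bits are patched so that the
    archive looks password-protected to a parser."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Invoice_2020.doc", b"placeholder, not a real document")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Flags live at offset 6 of each local file header (PK\x03\x04)
        # and at offset 8 of each central directory entry (PK\x01\x02).
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                flags = struct.unpack_from("<H", data, pos + off)[0] | 0x1
                struct.pack_into("<H", data, pos + off, flags)
                pos = data.find(sig, pos + 4)
    return bytes(data)


if __name__ == "__main__":
    for enc in (True, False):
        print("encrypted" if enc else "plain", inspect_archive(constructed_sample(enc)),
              "-> suspicious" if is_suspicious(constructed_sample(enc)) else "-> ok")
```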


University Research Shows Security Awareness Training is a Necessary Layer of Defense

A research paper in the Journal of Computer Information Systems says that security awareness training is a necessary complement to technical defenses and security policies, SC Magazine reports. Published by researchers from the University of Sussex and the University of Auckland, the paper acknowledges that technical defenses can help, but they can’t influence the human behavioral responses targeted by social engineering.

Hamidreza Shahbaznezhad, a co-author of the report and senior data scientist in industry at the University of Auckland, said in a press release that technical defenses are helpful but not comprehensive.

“Although technical countermeasures such as anti-phishing and spamming tools, email malware detection and data loss prevention are deployed to mitigate the risk of phishing attacks, using these technologies to detect phishing attacks remains a challenging problem,” Shahbaznezhad said. “This is not least because they often require human intervention to analyze and distinguish between phishing and legitimate emails.”

Dr. Mona Rashidirad, co-author and lecturer in strategy and marketing at the University of Sussex Business School, added that awareness training needs to be factored into organizations’ security budgets.

“Security safeguards alone will not protect a company from phishing scams,” Dr. Rashidirad said. “Organizations and individuals substantially invest in security safeguards to protect the integrity, availability, and confidentiality of information assets. However, our study supports the findings of recent studies that these safeguards are not adequate to provide the ultimate protection of sensitive and confidential information.”

The researchers write that training programs should teach employees how to think about their own behavior, and how attackers can manipulate them.

“Indeed, security practitioners should aim such information security awareness programs to inform users about intrinsic and extrinsic factors which can influence their behavior,” the paper says. “Therefore, employees can be more vigilant to understand how cybersecurity criminals can exploit employee’s perception from different individual/motivational, organizational, and technological perspectives. Employees may need to know about the existing security arsenals alongside with the security risks that could be exploited by malicious attackers.”

Organizations need to implement a combination of technical solutions, security policies, and employee training to combat these threats. New-school security awareness training can enable your employees to defend themselves against social engineering attacks.


Twitter Hack Only Took 24 Hours from Start to Takeover

A report from the New York Department of Financial Services covering the high-profile Twitter account hack from earlier in the year reveals how little time an attack takes to be successful.

I wrote recently about a large number of high-profile Twitter accounts being hacked, all to promote a fake bitcoin doubling scam. Accounts that were hacked included Apple, Elon Musk and Joe Biden.

A new report on the attack from the New York State Department of Financial Services provides startling details on who carried out the attack and how little effort it really took. According to the report, the three perpetrators were two teenagers from the U.S. and a 22-year-old from the U.K. The scam began with vishing Twitter employees by pretending to be members of Twitter’s internal IT calling about an issue with VPN access. Once they gained control of credentials that gave them the ability to take over Twitter accounts, they took over several high-profile accounts and began tweeting the so-called CryptoForHealth scam.

From start to finish, it only took these youngsters less than one day to use basic social engineering tactics to compromise one of the largest social media giants on the planet. It goes to show you that even organizations with evident efforts to ensure the highest levels of cybersecurity can be taken down by a single employee.

It’s why I talk about the importance of Security Awareness Training so much; it only takes one careless employee, one click, one answering of the phone, etc. to turn an organization into a victim. By educating them about the importance of paying attention to the ever-present threat of cybercriminal activity, your users build up their vigilance and are less likely to fall for scams – even one as simple as this one.


Thinking Skeptically About Smishing

Organizations need to train their employees to be on the lookout for SMS phishing (smishing), according to Jennifer Bosavage at Dark Reading. Bosavage explains that attackers exploit normal human behavior to gain access or information from employees.

“Cyberattackers leverage the way people typically respond to certain social situations to trick them into disclosing sensitive information about themselves, their businesses, or their computer systems,” Bosavage writes. “Even the smallest amount of data can be useful to hackers who are trying to complete a profile that will enable them to get access to credit, banking, and other sensitive information. So the first line of defense is to train employees to recognize their telltale but often subtle signs, as well as how their information can be used in a social engineering attack.”

Bosavage quotes April Wright, a security consultant at ArchitectSecurity.org, as saying that attackers can easily obtain open-source information to make their phishing messages appear legitimate.

“With both smishing and vishing, the source may have some information that makes them seem credible – names of co-workers, a boss’ name, phone numbers, department names, etc.,” Wright said. “These are the seemingly trivial information they have gained via intelligence gathering, [smishing], phishing, or vishing. The most important thing we can do is verify.”

Wright added that employees need to have a healthy sense of suspicion in order to recognize these scams.

“We need to realize that not everyone is good and be on the lookout for questions people don’t normally ask, for that feeling when ‘something isn’t right,’” Wright said. “That feeling has kept humans alive and safe for hundreds of thousands of years, and we should listen to it. It’s there to alert us to danger.”

New-school security awareness training can provide your organization with an essential layer of defense by teaching your employees how to avoid falling for these attacks.
