Image-Based Phishing and Phone Scams Continue to Get Past Security Scanners

Using the simplest tactic of not including a single piece of content that can be considered malicious, these types of scams are making their way to inboxes every single time.

What happens if the malicious bit of a phishing scam is nothing more than a phone number – and it’s embedded within an image to boot? We’ve covered these kinds of scams before – particularly those pretending to be Amazon. It’s a brilliantly simple technique used to get past security scanners; by not having any known-malicious content (remember, it’s just an email with an image in it), it gets through to the user’s inbox.

But security company Inky detected a recent example of these attacks impersonating Geek Squad by using optical character recognition (OCR) within the embedded images.

Geek Squad - Image-based Vishing

Because many email clients automatically display attached images, the scam works without any link to click: the victim has to call the phone number displayed in the image (and, since the sender addresses are often “no-reply” type accounts, there is nothing to reply to either).

Victims call the number and are socially engineered into giving up their credit card details.

It’s a scam that is going to require every email scanning security solution to offer OCR as a means of detection. Until then, users need to play a role in their organization’s security – something taught through continual Security Awareness Training – by seeing the scam for what it is and ignoring it.


MFA Fatigue Attacks

Researchers at Specops Software describe a technique attackers are using to bypass multi-factor authentication (MFA). In an article for BleepingComputer, the researchers explain that attackers repeatedly attempt to login to an account protected by MFA, which spams the user with MFA requests until the user finally approves the login.

“Cybercriminals increasingly use social engineering attacks to access their targets’ sensitive credentials,” the researchers write. “Social engineering is a manipulative technique used by hackers to exploit human error to gain private information. MFA fatigue is a technique that has gained popularity among hackers in recent years as part of their social engineering attacks. This is a simple yet effective technique with destructive consequences as the hackers are banking on their targets’ lack of training and understanding of attack vectors.”

If the user is unaware of this technique, they may accept the request to make the notifications stop.

“Since many MFA users are unfamiliar with this style of attack, they would not understand that they are approving a fraudulent notification,” the researchers write. “As the MFA notifications appear continuously, a user may get tired and assume it’s an annoying system malfunction; hence accept the notification as they did previously. Unfortunately, this grants the hacker access to the user’s critical infrastructure.”

This technique was used by the Lapsus$ cybercriminal gang to successfully breach Uber in September 2022.

“As these MFA bombing attacks have obvious negative impacts on businesses, companies should ensure that all their critical infrastructures and resources are protected from internal or external threats,” the researchers write. “These attacks can damage a company’s reputation and erode the trust of its customers, leading to a loss of customers and sales volume. Additionally, MFA attacks can disrupt your operations, cause loss of sensitive information and alter your business practices.”
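The pattern described above leaves a clear trace in authentication logs: a burst of push prompts for one user, a string of denials, and then an approval. The detector below is an added example (not Specops Software’s code) that runs that check over constructed JSON-line events; the field and event names are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push events (JSON lines), not real logs.
# "alice" is bombarded with prompts she keeps denying, then approves one;
# "bob" is a normal login with a single prompt.
SAMPLE_LOG = """
{"ts": "2022-09-15T22:01:05Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:01:20Z", "user": "alice", "event": "mfa_push_denied", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:01:40Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:01:55Z", "user": "alice", "event": "mfa_push_denied", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:02:10Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:02:25Z", "user": "alice", "event": "mfa_push_denied", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:02:45Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:03:00Z", "user": "alice", "event": "mfa_push_denied", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:03:30Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:04:10Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:04:25Z", "user": "alice", "event": "mfa_push_approved", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:05:00Z", "user": "bob", "event": "mfa_push_sent", "src_ip": "198.51.100.4"}
{"ts": "2022-09-15T22:05:30Z", "user": "bob", "event": "mfa_push_approved", "src_ip": "198.51.100.4"}
"""

def parse_events(text):
    """Parse JSON lines into dicts with a datetime timestamp, oldest first."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])

def detect_mfa_fatigue(text, window_minutes=10, max_prompts=5):
    """Return one alert per user who received at least max_prompts push
    prompts inside a sliding window of window_minutes. Severity is
    'critical' when an approval follows the burst (the attack succeeded)."""
    by_user = defaultdict(list)
    for ev in parse_events(text):
        by_user[ev["user"]].append(ev)
    window = timedelta(minutes=window_minutes)
    alerts = []
    for user, evs in by_user.items():
        prompts = [e for e in evs if e["event"] == "mfa_push_sent"]
        start = 0
        for end in range(len(prompts)):
            # shrink the window from the left until it spans <= window_minutes
            while prompts[end]["ts"] - prompts[start]["ts"] > window:
                start += 1
            if end - start + 1 < max_prompts:
                continue
            first_ts, last_ts = prompts[start]["ts"], prompts[end]["ts"]
            denials = sum(1 for e in evs if e["event"] == "mfa_push_denied"
                          and first_ts <= e["ts"] <= last_ts)
            approved = any(e["event"] == "mfa_push_approved" and e["ts"] >= last_ts
                           for e in evs)
            alerts.append({"user": user, "prompts": end - start + 1,
                           "denials": denials, "window_start": first_ts.isoformat(),
                           "severity": "critical" if approved else "high"})
            break  # one alert per user is enough for triage
    return alerts
```

A "high" alert (burst with no approval) is still worth a password reset, since the attacker evidently already holds a valid password.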


Over One-Third of Companies Who Pay the Ransom are Targeted for a Second Time

Despite the somewhat logical notion that once you’ve paid the ransom, the attack is over, new data shows that paying the ransom doesn’t help you nearly as much as you might think.

Everyone planning for a ransomware attack has some kind of scenario in mind of how it’s going to go. A solid incident response plan is all well and fine, but it’s also necessary to look at industry data that spells out the reality for organizations that have actually gone through an attack.

This is what we find in the Cyber Readiness Report 2022 – Ransomware Update from U.K. cyber insurer Hiscox. In it, readers get a glimpse into how ransomware attacks start, whether victims paid the ransom, and what happened after they did.

The results are a bit startling.

Only 59% said they successfully recovered all their data
43% had to still rebuild systems, despite having the ransomware recovery key
34% recovered some of their data
15% said the recovery key didn’t work at all

But the story doesn’t just end there. What about the attack itself? According to the data, it’s far from being over:

36% sustained a second ransomware attack
29% had their data leaked
19% were asked for more money by the attacker

And because 62% of Hiscox respondents said phishing emails are the most common method of entry, it’s evident that this is one of the weak spots in most organizations, and is where more effort needs to be placed to protect the organization. One of the most effective ways is through continual Security Awareness Training, which educates users on the latest scams and social engineering tactics used in these kinds of attacks.


Phishing Attacks Misuse Microsoft Dynamics 365 Customer Voice Functionality to Hide Malicious Links

Leveraging a legitimate feature of Dynamics 365, threat actors are able to obfuscate the malicious nature of the email within content that naturally requires user interaction.

It’s been called the “static expressway” – the use of legitimate sites to bypass security scanners that would, otherwise, spot the malicious nature of the phishing emails. We’ve seen this before in attacks using PayPal invoices, for example. In this latest attack documented by security analysts at Avanan, threat actors are using a survey feature within Dynamics 365 normally used to gain feedback from customers.

Instead, threat actors are sending bogus voicemails with links to play the voicemails that send victims to credential harvesting logon pages impersonating the Microsoft 365 platform. In some cases, legitimate Customer Voice links are also embedded for additional credibility with security scanners.


Source: Avanan

The challenge here for security solutions is that many solutions see a known-good link from a legitimate platform and don’t scan it (which, of course, does not help the situation). So you’re not going to be able to rely solely on your security solutions to stop these kinds of attacks. Instead, it’s up to the recipient user to be vigilant – something taught to those that undergo continual Security Awareness Training – when receiving emails that are unexpected, or look even the slightest bit off or out of place.


FBI director says he’s ‘extremely concerned’ about China’s ability to weaponize TikTok

Suzanne Smalley at Cyberscoop reported: “FBI Director Christopher Wray told Congress on Tuesday he is “extremely concerned” that Beijing could weaponize data collected through TikTok, the wildly popular app owned by the Chinese company ByteDance.

Wray said during a House Homeland Security Committee hearing on worldwide threats that application programming interfaces, or APIs, that ByteDance embeds in TikTok are a national security concern since Beijing could use them to “control data collection of millions of users or control the recommendation algorithm, which can be used for influence operations.”

In his opening remarks, Wray noted that while America faces cyberthreats from a variety of nations, “China’s fast hacking program is the world’s largest, and they have stolen more of Americans’ personal and business data than every other nation combined.”

Wray said the FBI has seen a surge in cybersecurity cases and as the numbers have increased so too has the complexity of the investigations. “We’re investigating over 100 different ransomware variants and each one of those with scores of victims as well as a whole host of other novel threats posed by both cybercriminals and nation-states alike.”

He said that APIs in TikTok could be harnessed by China to control software on millions of devices, meaning the Chinese government could conceivably technically compromise Americans’ personal devices.

Because Chinese companies are forced to “basically do whatever the Chinese government wants to do in terms of sharing information or serving as a tool of the Chinese government … that’s plenty of reason by itself to be extremely concerned” about TikTok and the larger threat posed by Chinese cyber aggression, he said.”

Article CONTINUES at cyberscoop


“Hired Hand” in the Kingdom of Saudi Arabia Uses Domain Spoofing

Sometimes a social engineering campaign has a clear geographical focus, often shaped by language, holidays, or current events. In this case, the scammers are taking opportunistic advantage of a company whose service offerings have a significant share in a locally important Saudi market, and their preferred technique has been domain-spoofing.

Researchers have observed the production of a large number of bogus domains that misrepresent themselves as belonging to a well-known employment agency in the Kingdom of Saudi Arabia. Group-IB reports that, “Over the past 16 months, Group-IB analysts analyzed more than 1,000 rogue domains linked to a single Saudi company – a leading manpower agency that offers businesses assistance in hiring employees for the construction and services sector, and individuals can also procure the services of domestic workers through the agency. The latter of these two groups is the target of this scam campaign.”

It’s thus the market for domestic workers that the criminals have been seeking to exploit. It’s a more dispersed, less centralized market, and those engaged in it may have less support and less familiarity with cybercrime than bigger organizations in the construction sector.

“The campaign, which was launched in April 2021, appeared to peak in March 2022,” the researchers say, “when more than 200 new domains spoofing the agency in question were registered with hosting providers. Group-IB analysts believe that the surge in new domains registered in early 2022 could be a sign that a growing number of internet users had fallen victim to this scheme.” Why has the campaign endured as long as it has? It’s been working. “As seen in other examples around the world, scammers often double down on a certain tactic once it starts to generate them money.”

They earn money in a familiar way, by inveigling victims into giving up their banking and other credentials. “The scam campaign, which rests on multiple layers of social engineering, starts with the scammers placing advertisements on social media sites such as Facebook and Twitter, and the Google search engine. Group-IB analysts discovered more than 40 individual advertisements for this scheme on Facebook alone.” Those interested in hiring domestic help are then taken through a plausible application process, in the course of which they enter various bits of personal data, but the hook comes at the end, where they’re asked to pay a small processing fee. This is the stage at which financial credentials are taken. The hook is set, and the phish is reeled in.

Users can protect themselves by developing certain sound habits of awareness, like paying attention to a site’s actual URL before they visit it (and similarly by paying attention to the email address of unsolicited messages especially). Companies can help by remaining alert for signs that their brands are being impersonated. In both cases, new-school security awareness training can help impart the knowledge and skills users and organizations can use to fend off social engineering.


Phishing Campaign Abuses Microsoft Customer Voice

Researchers at Avanan warn that a phishing campaign is using Microsoft’s Dynamics 365 Customer Voice feature to send malicious links. Customer Voice is designed to collect feedback from customers, but attackers are using it to send phony links claiming that the recipient has received a voicemail.

“This email comes from the survey feature in Dynamics 365,” the researchers write. “Interestingly, you’ll notice the sending address has ‘Forms Pro’ in it, which is the old name of the survey feature. The email shows that a new voicemail has been received. To the end user, this looks like a voicemail from a customer, which would be important to listen to. Clicking on it is the natural step.”

The link to the fake voicemail comes from a Microsoft domain, so email security products tend to view it as safe.

“This is a legitimate Customer Voice link from Microsoft,” Avanan says. “Because the link is legit, scanners will think that this email is legitimate. However, when clicking upon the ‘Play Voicemail’ button, hackers have more tricks up their sleeves. The intent of the email is not in the voicemail itself; rather, it is to click on the ‘Play Voicemail’ button, which redirects to a phishing link.”

Avanan notes that attackers are increasingly abusing legitimate platforms to bypass email security filters.

“We’ve seen this a lot recently, whether it’s Facebook, PayPal, QuickBooks or more. It is incredibly difficult for security services to suss out what is real and what is nested behind the legitimate link,” the researchers write. “Plus, many services see a known good link and, by default, don’t scan it. Why scan something good? That’s what hackers are hoping for.

This is a particularly tricky attack because the phishing link doesn’t appear until the final step. Users are first directed to a legitimate page–so hovering over the URL in the email body won’t provide protection. In this case, it would be important to remind users to look at all URLs, even when they are not in an email body. These attacks are incredibly difficult to stop for scanners and even harder for users to identify.”


The Rise in Unwanted Emails, Now Found to be Nearly 41%

How many business emails do the recipients actually want? Or, conversely, how many of them are unwanted? A study by Hornetsecurity looked at this question (along with a number of other security issues) and reached a conclusion that, on reflection, most people with a business email account would probably say is consistent with their own experience: some 40.5% of emails that arrive are ones the recipients don’t really want in the first place.

Hornetsecurity’s CEO, Daniel Hofmann, said, in conjunction with the release of the company’s Cyber Security Report 2023, “This year’s cyber security report shows the steady creep of threats into inboxes around the world. The rise in unwanted emails, now found to be nearly 41%, is putting email users and businesses at significant risk.” He added, “What’s more, our analysis identified both the enduring risk and changing landscape of ransomware attacks – highlighting the need for businesses and their employees to be more vigilant than ever.”

The risk emails present, of course, is that of phishing. The sheer volume of unwanted, unexpected emails can not only take advantage of the trust people repose in their business systems, but quantity can have a quality all its own. The more attempts, the more likely it is that some user will fall for one of them in a moment of weakness, gullibility, or an otherwise commendable inclination to help, to cooperate.

Phishing remains a perennial threat, and as criminals and nation-states improve their craft and deploy more convincing come-ons and spoofs, the unwary will continue to be caught. New-school security awareness training can equip employees with the knowledge and skills they need to resist this form of social engineering.


[HEADS UP] FBI Warns of Tech Support Scams That Impersonate Payment Portals for Fake Refunds

In the latest FBI warning, cybercriminals are now impersonating financial institutions’ refund payment portals. The aim is to lend legitimacy to the collection of victims’ personal information.

These bad actors are using social engineering to trick victims into giving them access to their computer by impersonating representatives of technical repair services. The FBI’s public service announcement details the following: “Within the body of the email, the scammers will indicate the specific service to be renewed with a price commonly in the range of $300 to $500 USD, provoking a sense of urgency in the victims to contact them and provide information for a refund.”

Although tech support scams are very common, the FBI did note that as recently as last month scammers were using scripts that portray a refund payment portal when it is actually a malicious site.

BleepingComputer found samples of these scripts below pretending to be various financial institutions:

Chase fake online refund portal

Source: BleepingComputer

The FBI is encouraging any potential victims to not grant remote access at all to any unknown person and to not send wire transfers at all through online or phone communications. Frequent new-school security awareness training is highly encouraged for your users to avoid these types of tech support scams in their day-to-day operations.


Cookie-stealing Feature Added by Phishing-as-a-Service Provider To Bypass MFA

The Robin Banks phishing-as-a-service platform now has a feature to bypass multi-factor authentication by stealing login session cookies, according to researchers at IronNet. The phishing kit’s developer used an open-source tool to implement this feature, which targets Google, Yahoo, and Outlook accounts.

“Like many other open-source tools, Evilginx2 has become very popular among cybercriminals as it offers an easy way to launch adversary-in-the-middle (AiTM) attacks with a pre-built framework for phishing login credentials and authentication tokens (cookies),” the researchers write. “This, as a result, allows the attacker to bypass 2FA. Evilginx2 works by creating a reverse proxy. Once a user is lured to the phishing site, they are presented with a phishing page (via phishlets) with localized SSL certificates. The user is proxied internally, and once a successful login occurs to the destination (i.e. Gmail), the username, password, and login token are captured. The attacker can then view these stolen credentials through the Robin Banks GUI, their Telegram bot, or the evilginx2 server terminal. From there, the attacker can open their own browser, insert the stolen login token, enter the credentials to successfully bypass 2FA, and access the desired account.”

IronNet notes that phishing kits are increasingly including ways to get around multi-factor authentication.

“Robin Banks’ introduction of this new cookie-stealing feature is somewhat to be expected given the growing need for threat actors to bypass MFA for initial access,” the researchers write. “With more and more organizations (hopefully) requiring 2FA and multi-factor authentication (MFA) to inhibit easy unauthorized access to user accounts, credential-stealing alone only goes so far. This is why we have seen a growing trend amongst threat actors devising ways to bypass MFA, such as through MFA fatigue or cookie-stealing.”
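Because the stolen login token is replayed from the attacker’s own browser rather than the client it was issued to, one defender-side check is to record which client a session was issued to and flag later use from a different one. The script below is an added example (not IronNet’s or the Evilginx2 project’s code) over constructed web-session events; the log field names are assumptions.

```python
import json

# Constructed sample of web-session events (JSON lines), not real logs.
# "carol" logs in, then her session token is replayed from another IP and
# browser (the AiTM proxy hands the token to the attacker's own machine);
# "dave" only ever uses his session from the client it was issued to.
SAMPLE_SESSION_LOG = """
{"ts": "2022-11-10T09:00:00Z", "event": "login_ok", "user": "carol", "session": "s-7f3a", "src_ip": "198.51.100.23", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/107"}
{"ts": "2022-11-10T09:02:10Z", "event": "request", "user": "carol", "session": "s-7f3a", "src_ip": "198.51.100.23", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/107"}
{"ts": "2022-11-10T09:15:42Z", "event": "request", "user": "carol", "session": "s-7f3a", "src_ip": "203.0.113.88", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/106"}
{"ts": "2022-11-10T10:00:00Z", "event": "login_ok", "user": "dave", "session": "s-91c0", "src_ip": "192.0.2.14", "ua": "Mozilla/5.0 (Macintosh) Safari/16"}
{"ts": "2022-11-10T10:05:00Z", "event": "request", "user": "dave", "session": "s-91c0", "src_ip": "192.0.2.14", "ua": "Mozilla/5.0 (Macintosh) Safari/16"}
"""

def detect_session_replay(text):
    """Flag session tokens used from a client (IP + User-Agent) other than
    the one recorded when the session was created at login."""
    bound = {}    # session id -> (src_ip, ua) seen at login
    alerts = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        key = ev["session"]
        client = (ev["src_ip"], ev["ua"])
        if ev["event"] == "login_ok":
            bound[key] = client
            continue
        origin = bound.get(key)
        if origin is None:
            # a token no login in this log issued: worth a look on its own
            alerts.append({"user": ev["user"], "session": key, "ts": ev["ts"],
                           "reason": "unknown_session", "severity": "medium"})
        elif origin != client:
            ip_changed = origin[0] != client[0]
            ua_changed = origin[1] != client[1]
            # IP alone changes legitimately (mobile networks, VPN roaming);
            # IP and browser changing together is the replay-from-elsewhere signal
            alerts.append({"user": ev["user"], "session": key, "ts": ev["ts"],
                           "reason": "client_changed", "login_client": origin,
                           "seen_client": client,
                           "severity": "high" if ip_changed and ua_changed else "low"})
    return alerts
```

A "high" alert is a candidate for revoking that session and forcing re-authentication; a "low" one is better used as enrichment than as a standalone page-out.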