Author Archives: TecAdmin

Researchers at Cyren describe a phishing attack that resulted from the theft of a stolen iPad. The iPad was stolen on a train in Switzerland, and briefly appeared on Apple’s location services in Paris a few days later. The owner assumed the iPad was lost for good, but sent a message to the iPad with her phone number just in case.

More than six months later, the owner received a text message claiming to be from Apple Support, claiming that her iPad had been found. The message included a link to a spoofed iCloud website that asked for her Apple login details. Fortunately, she didn’t fall victim to this attack.

Cyren’s researchers then tied this attack to a sophisticated phishing kit designed to spoof multiple Apple services. The attacker receives the stolen data via a custom-made Telegram bot.

“A Telegram bot is useful for this purpose since it allows for easy broadcast via the cloud – in technical terms, a http API,” the researchers write. “It’s surprisingly easy to set up a Telegram bot for this purpose, the process can be done in about one minute. [A]fter creating a bot, you receive an authentication token. The authentication token allows you to control the bot and send messages. The reason that the attackers are using it is because Telegram has an HTTP-based interface which allows bot owners to send messages just using a HTTP request that includes the token of the bot, a chat id, and the message. This is all completely free of charge and the bot owner doesn’t need their own separate server to handle the communication. It is also user friendly for the attacker as he conveniently receives the victim info in a telegram chat.”

After stealing the credentials and logging into the victim’s account, the phishing kit will automatically remove the linked iCloud account from the device. This allows the attacker to “reset the stolen devices and set them up as new devices so they can be sold.”

Deepfakes, the realistic and thoroughly convincing fabrication of imagery, video, and audio that fakes the identity of some person in ways that are difficult to detect, have aroused concern recently. They seem to open the prospect of extraordinarily effective disinformation and social engineering campaigns. Deepfakes have already found their way into advertising campaigns.

The Wall Street Journal reports that some campaigns have begun to feature celebrities, or rather their deepfaked personae. “None of these celebrities ever spent a moment filming these campaigns. In the cases of Messrs. Musk, Cruise and DiCaprio, they never even agreed to endorse the companies in question.”

The potential for deepfake abuse in advertising is accompanied by a comparable potential for disinformation. The Wall Street Journal quotes Ari Lightman, professor of digital media and marketing at Carnegie Mellon University’s Heinz College of Information Systems and Public Policy, who says, “We’re having a hard enough time with fake information. Now we have deepfakes, which look ever more convincing.”

So far, however, the feared, industrial-scale use of deepfakes in social engineering scams has yet to fully materialize. The Register reports that the familiar tools of the con artist are still by far the norm.

“Panic over the risk of deepfake scams is completely overblown, according to a senior security adviser for UK-based infosec company Sophos.

“‘The thing with deepfakes is that we aren’t seeing a lot of it, Sophos researcher John Shier told El Reg last week.

“Shier said current deepfakes – AI generated videos that mimic humans – aren’t the most efficient tool for scammers to utilize because simpler and cheaper attacks like phishing and other forms of social engineering work very well.

“‘People will give up info if you just ask nicely,’ said Shier.”

Deepfakes undeniably represent a concern, but don’t let them distract you from the obvious. As Sophos’s Shier explained, usually all it takes is for someone to ask nicely.

Criminals continue to use old, low-tech approaches to social engineering because those approaches still work. A human problem calls for a human solution. New-school security awareness training can help your employees avoid falling for social engineering, whether it’s high-tech or low-tech.

Britain’s data watchdog has fined major construction group Interserve with a £4.4m fine. This was due to a cyber attack stole personal and financial details for over 113,000 employees and the company failed to stop the attack.

This phishing attack was very unique as it occurred over two years ago, and the company broke data protection law by not taking action to prevent the attack from occurring in the first place. The  Information Commissioner’s Office (ICO) claimed that the company had outdated systems and a lack of end user education that resulted into a successful phishing attack.

In a statement by John Edwards, UK Information Commissioner,“Leaving the door open to cyber-attackers is never acceptable, especially when dealing with people’s most sensitive information. The biggest cyber-risk businesses face is not from hackers outside of their company but from complacency within their company.”

This incident should serve as a cautionary tale that one phishing email can cost your organization millions. New-school security awareness training can ensure your users have the proper training to spot and report any suspicious emails that come their way.

Conventional ransomware encrypts the victims’ files and holds them hostage, unavailable to their owners, promising to provide a decryptor once the victims pay the ransom. In some cases being tracked by security firm Cyble, however, they offer nothing in return. The files are in fact deleted.

One such group working with “fake ransomware” is trolling for victims on malicious adult websites (more malicious than the usual run). The phishbait that lures the victims to bite is a specially crafted website (with urls like “nude-girlss [dot] mywire [dot] org,” “sexyphotos [dot] kozow [dot] com,” and “sexy-photo [dot] online”). The phish hook is an executable named “SexyPhotos [dot] JPG [dot] exe.” The unknown criminals behind the phishing campaign are, of course, hoping that the marks won’t read past “SexyPhotos,” or, failing that, certainly not past “JPG,” which their ardent eyes will inevitably tell their ardent brain translates to “no, really, saucy pix here.” And in any case the victims’ system may by default hide file extensions, so the victims may not even see “[dot] exe” in the first place.

Cyble explained in their research report:

“Fake ransomware acts as a usual ransomware but does not encrypt the files. The Fake ransomware shows false information that the files are encrypted and threaten the user to pay ransom for decryption. There is a possibility that victims can pay ransom to recover the files as they are renamed and unusable. We are not sure about the authenticity of the decryptor if the ransom is paid. Even if the decryptor is provided, renaming files to their original file name is not possible as the malware is not storing them anywhere during the infection.”

The hoods are demanding $300 in Bitcoin, with the ransom doubling to $600 if the initial demand isn’t met in three days. The victims have seven more days to pay the $600, at which point, the extortionists say, they’ll permanently delete the files. In truth the files are already effectively gone, and it seems unlikely to researchers that the criminals actually have a decryptor. They’re sloppy. In this case, however, Cyble thinks the sloppiness might work to the victims’ advantage . BleepingComputer says, “A possible way to recover from this malware would be to restore your OS to a previous state since the fake ransomware doesn’t delete shadow copies. Of course, this could still result in data loss, depending on the date of the last restore point.”

One lesson to take away from this is to follow a practice of regularly backing up important files. “In general, regular backups of your most important data would be the best practice, as an OS re-installation should be the quickest way out of this trouble,” BleepingComputer writes.

Other lessons include the obvious one of staying away from adult sites, but like much obvious advice people are all too likely to overlook this counsel. But new-school security awareness training might help by sensitizing users to the dangers of executables, and, of course, the risks inherent in downloading untrusted files from untrustworthy sites.

The king of callback phishing campaigns has evolved their methods to include better phishing emails, phone call scams, and final payloads to ensure they achieve their malicious goals.

The BazarCall phishing technique – named after the most common payload used in the scam, BazarLoader, as well as the use of phone calls as the medium to trick victims into downloading – has been around for a few months. Seen initially used to deliver Conti ransomware, this methodology has been used by other cybercriminal groups.

According to a new report from security researchers at Trellix, more BazarCall scams are showing up in the wild. In each case, an invoice or notification of a processed payment is sent – used to grab the attention of the victim and create a sense of urgency to respond. As you can see below, the scammers go to some relatively decent lengths to ensure their phishing emails look legitimate.

Source: Trellix

As part of their campaign, note that there are no email addresses available to respond to. Instead, a phone number is prominently displayed at the bottom of each email, giving the victim only one option to attempt to “address” the undesired expense.

The scammer on the other end of the call uses one of a few patterned call scripts to convince the victim they need to allow the scammer to take over the victim’s computer using support software. Legitimate-looking websites are used to further establish legitimacy:

This new credential harvesting scam impersonates a real U.S. Government COVID-related grant program to harvest credentials and personal details using a blatantly obvious Google form.

By now, you’d think that everyone checks the web browser address bar to see if that unexpected news that they can get free (yes, FREE!) money from the government is legitimate (spoiler alert: it’s not). Security researchers at Email Security vendor Inky have spotted a new wave of phishing attacks using familiar tactics from during the middle of the pandemic.

Under the guise of a small business grant, this scam includes a not-so-legitimate phishing email to start:

Source: Inky

And then a clean, but not obfuscated, Google Form:

Source: Inky

To their credit, the threat actors behind this attack did do a cut and paste of a legitimate COVID-19 grant message. Once the form is completed, the victim is simply notified by Google Forms that their “response has been recorded”.

Small Businesses already are stretched thin, making it difficult to overcome the aftermath of cyber attacks, fraud, and business email compromise. This means it’s that much more critical for users of small businesses to be on guard – particularly in cases where an unsolicited email brings with it “too good to be true” news of free money from the U.S. Government.

Users can be taught what to look out for through continual Security Awareness Training that elevates their sense of vigilance and their understanding of how these scams work, look, and act.

Cyberattacks are the biggest risk to the UK financial system, according to new research from the Bank of England.

However, financial institutions remain confident in their ability to fend off attacks, and believe they are more likely to suffer from the impact of rising inflation.

The Bank’s H2 systemic risk survey polled 65 executives in the UK financial sector, and shows that 74% of respondents deemed a cyberattack to be the highest risk to the financial sector in both the short and long term, followed closely by inflation or a geo-political incident.

The number of respondents who believe their company is at high risk of attack grew rapidly this year, from 31% in the first half of the year to 62% in the second. Those considering the threat to be low has decreased by 20%, to just 3%. What’s more, 83% believe that cyber risk in the financial sector has increased in the past year.

Security researchers at Akamai identify an average of 13 million newly observed domains (NOD) each month this year, representing about 20% of the NODs resolved in the same timeframe.

In a recent blog post, researchers at Akamai discuss how they go about identifying malicious domains. Considering that one of the techniques used by cybercriminals to avoid detection is to continually change domains, the watching of NODs makes sense.

According to Akamai, NODs (both malicious and legitimate) are abundant; approximately 12 million new NODs appear daily, of which, just above 2 million resolve in DNS.

And we’re not talking about legible domain names; according to Akamai, the domains are more like the following:

Domain Name Examples.  Source: Akamai

In short, cybercriminals are utilizing about 20% of the NODs as part of their phishing and social engineering attacks, utilizing this continually updated set of domain names in an attempt to avoid detection as being malicious.

While the good guys – like the folks at Akamai – are working to stay vigilant, remember that all the efforts are reactive in nature; that is, the good guys can’t in theory get ahead of the bad guys, as no one knows what the bad guy’s next move is. So, in the world of NODs, the intent is to create heuristics rules (190 of them, according to Akamai) to help identify a NOD that’s malicious.

But it’s still possible that some NODs will make it through scrutiny and facilitate a phishing attack. This is one of the reasons that even with really strong security technologies in place, it’s necessary to arm your users with Security Awareness Training so they become part of your defense, spotting really ridiculous domain names – like the ones above – and see the emails for what they really are: an attack.