Small Business Grants as Phishbait

INKY has published a report on the use of small business grants as phishing lures. Scammers are impersonating the US Small Business Administration (SBA) to distribute phony grant applications hosted on Google Forms.

“Unbeknownst to many, the SBA recently stopped accepting applications to their COVID-19 relief loan and grant programs,” INKY says. “Still, [the phishing email] includes an enticing offer for any unknowing small business owner: Simply fill out the form and find out if you’re qualified to receive the funds. Clicking on ‘Apply Now’ takes recipients to a survey on Google Forms…. Any small business owner who had previously applied for legitimate loans and grants could be easily fooled by the form itself. The top of the form appears to be a cut-and-paste of a genuine COVID-19 grant message and the questions which follow are very similar to those the SBA asks applicants in legitimate circumstances.”

The Google Form asks the user to submit their personal and financial information, including their social security number, driver’s license details, and bank account information.

The researchers note that there are several red flags that could have alerted observant users, including typos and grammatical errors in the phishing email.

“There is something else that a more discerning eye might have noticed,” the researchers write. “Because this cybercriminal used a legitimate Google Forms survey to harvest credentials there is a line populated just under the ‘Submit’ button that says, ‘Never submit passwords through Google Forms.’ It’s not a good lesson to learn the hard way. Ironically, if you look a little further, beneath the ‘Submit’ button you’ll also see Google’s ‘Report Abuse’ button. It’s not an option you see too often in phishing scams, and could easily be ignored by anxious small business owners who fall for this threat.”

A New Phishing-as-a-Service Kit

Researchers at Mandiant have published an analysis of a phishing-as-a-service kit called “Caffeine,” which further lowers the bar for inexperienced cybercriminals by offering a publicly available, easy-to-use phishing service.

“Unlike most PhaaS platforms Mandiant encounters, Caffeine is somewhat unique in that it features an entirely open registration process, allowing just about anyone with an email to register for their services instead of working directly through narrow communication channels (such as underground forums or encrypted messaging services) or requiring an endorsement or referral through an existing user,” the researchers write. “Additionally, to seemingly maximize support for a variety of clientele, Caffeine also provides phishing email templates earmarked for use against Chinese and Russian targets; a generally uncommon and noteworthy feature of the platform.”

The phishing kit also offers a customer support service for inexperienced users, along with a simple user interface.

“Once registered, a new Caffeine user is then directed to the service’s main index page to begin their phishing voyages,” the researchers write. “It is worth noting that over the course of its investigation into the Caffeine platform, Managed Defense observed Caffeine’s administrators announce several key platform improvements via the Caffeine news feed, including feature updates and expansions of their accepted cryptocurrencies.”

The phishing kit also facilitates finding hosting services for phishing campaigns.

“For most traditional phishing campaigns, phishermen generally employ two main mechanisms to host their malicious content,” Mandiant says. “They will typically leverage purpose-built web infrastructure set up for the sole purpose of facilitating their phishing voyages, use legitimate third-party sites and infrastructure compromised by attackers to host their content, or some combination of both.”

IRS Warns of A Spike in Smishing Attacks

The US Internal Revenue Service (IRS) has issued an alert warning of a significant rise in text message phishing scams (smishing) impersonating the IRS since the beginning of the year.

“So far in 2022, the IRS has identified and reported thousands of fraudulent domains tied to multiple MMS/SMS/text scams (known as smishing) targeting taxpayers,” the alert says. “In recent months, and especially in the last few weeks, IRS-themed smishing has increased exponentially. Smishing campaigns target mobile phone users, and the scam messages often look like they’re coming from the IRS, offering lures like fake COVID relief, tax credits or help setting up an IRS online account. Recipients of these IRS-related scams can report them to phishing@irs.gov.”

IRS Commissioner Chuck Rettig said in a statement, “This is phishing on an industrial scale so thousands of people can be at risk of receiving these scam messages. In recent months, the IRS has reported multiple large-scale smishing campaigns that have delivered thousands – and even hundreds of thousands – of IRS-themed messages in hours or a few days, far exceeding previous levels of activity.”

The alert adds that the IRS will not send messages asking for personal or financial details, and users should be suspicious of any emails, phone calls, or text messages that ask for this information.

“In the latest activity, the scam texts often ask taxpayers to click a link where phishing websites will try to collect their information or potentially send malicious code onto their phones,” the alert says. “The IRS does not send emails or text messages asking for personal or financial information or account numbers. These messages should all be red flags for taxpayers.”

[Head Scratcher] The cyber insurance market is badly broken. But why exactly?

Greg Noone at the Techmonitor site covered this problem in early October 2022, starting with a horror story.

A company had taken cyber coverage for the past year with no claims, but during a routine scan a software vulnerability was discovered. They did not fix it in time. A new policy was proposed that would not cover ransomware. They signed it. Guess what happened a week after? Right. Here is a short extract and further below a link to the site.

“I would be disingenuous if I told you that ransomware wasn’t a key factor in some of the headwinds that we’ve seen in the market with regards to pricing,” explains Bob Parisi, head of cyber solutions in North America for German reinsurance company Munich Re.

The first half of this year saw one cybersecurity vendor block 63 billion threats, a year-on-year rise of 50%, while cyber insurance costs shot up by 102% in the first quarter. Terms and conditions for coverage have also been tightened. Lloyds of London, for example, went as far as to eliminate coverage for breaches that arose directly from state-sponsored attacks, a sizeable portion of the overall damages accrued from ransomware. Its reasoning, according to the firm’s underwriting director Tony Chaudhry, was that policies shouldn’t “expose the market to systemic risks that syndicates could struggle to manage”.

Cyber insurance does not have a long history. The market itself, explains Mario Vitale, chief executive of cyber insurance provider Resilience, has only been around for about 15 years. “I have to say we are still within the infancy stage,” he says, a term that’s also relevant when describing the segment’s size.

“I think the insurers are still figuring out, ‘How confident are we in our ability to estimate and predict this risk?” says Josephine Wolff, a professor in cybersecurity policy at Tufts University and an expert in the cyber insurance market. Over time, adds the professor, this has led to a “less stable market… and also just a lot of uncertainty in which people aren’t confident about what their cyber insurance will cover.”

Ongoing volatility is making reinsurers nervous

Ongoing volatility in the cyber insurance market has also made reinsurers nervous about increasing their exposure to the space. These behemoths, explains Vitale, help to keep many of the frontline providers afloat. In recent years, however, they “have cut back on their coverage terms and conditions, just like these [cyber] insurers have done to their clients”, he says. Resilience’s answer to this problem, explains Vitale, has been to double down on closely liaising with clients to minimise their vulnerability to breaches as far as is humanly possible.

The process of drawing up cyber insurance policies is rigorous. It begins with an assessment of how well-equipped the client is to deal with a cybersecurity threat from a governance standpoint, explains Parisi. After that, he continues, providers typically drill down into the mundanities of cyber defence: whether multi-factor authentication is in place on corporate devices, how data is uploaded to the cloud, and the extent of security awareness training among staff. This is the link to the full article. Warmly recommended.

As Cyber Insurance Dries Up, Treasury Department Eyes a Backstop

Bloomberg law covered the same topic from another interesting angle: “A US Treasury Department request for public input on a potential federal cyber insurance program highlights a coverage gap for US companies as insurers reduce offerings.

The regulator is seeking public comment until Nov. 14 on whether the government needs to shore up the insurance industry to pay for severe cyberattacks, especially those involving critical infrastructure such as power grids, train lines, hospitals, and utility companies.

Cyberattacks are happening so frequently that underwriting standards sometimes can’t match the fast development and sophistication of the hacks. Insurers are raising rates to levels that make it hard for businesses to find affordable coverage. A federal insurance backstop could close the gap as insurers cut coverage to limit their exposure.

The Treasury Department’s Federal Insurance Office is seeking comment on a list of questions, including what kinds of cyberattacks are “catastrophic,” whether businesses are getting enough coverage, and how to encourage policyholders to strengthen cybersecurity practices.

Cyber insurers have seen losses jump 300% from 2018 to 2021, according to Fitch Ratings. Insurers, including Lloyd’s of London, Chubb Ltd., and Beazley PLC are racing to cut coverage for catastrophic cyberattacks that can paralyze multiple industries at once.

Federal financial support for certain cyber risks would also give insurers relief and security to make cyber insurance more widely available, said Andy Moss, a partner at Reed Smith LLP. “A cyber insurer can write policies with comfort knowing it can transfer some risk to the government, so it can offer bigger policy limits for businesses,” Moss said. Link to full Bloomberg article: https://news.bloomberglaw.com/privacy-and-data-security/as-cyber-insurance-dries-up-treasury-department-eyes-a-backstop?

FCC Warns of Post-Hurricane Scams

The US Federal Communications Commission (FCC) offers advice on how to avoid falling for scams that follow in the wake of natural disasters like Hurricane Ian. Scammers target victims of disasters as well as people trying to donate to charities.

“First, know that officials with government disaster assistance agencies do not call or text asking for financial account information, and that there is no fee required to apply for or get disaster assistance from FEMA or the Small Business Administration,” the FCC says. “Anyone claiming to be a federal official who asks for money is an imposter.”

The FCC adds that users should always be suspicious of phone calls that ask for information.

“Remember that phone scams often use spoofing techniques to deliberately falsify the information transmitted to your caller ID display to disguise their identity or make the call appear to be official,” the alert says. “If someone calls claiming to be a government official, hang up and call the number listed on that government agency’s official website. Never reveal any personal information unless you’ve confirmed you’re dealing with a legitimate official. Workers and agents who knock on doors of residences are required to carry official identification and show it upon request, and they may not ask for or accept money.”

Additionally, users should contact their insurance providers directly rather than relying on unsolicited phone calls, emails, or text messages.

“If you get a phone call about an insurance claim or policy, don’t give out any personal information or agree to any payment until you can independently verify that the call is legitimate,” the alert says. “If the caller says they’re from your insurance company, hang up and contact your agent or the company directly using the number on your account statement…. Contractors and home improvement companies may also call claiming to be partners with your insurance provider,” the FCC says. “Never give policy numbers, coverage details, or other personal information out to companies with whom you have not entered into a contract. If your state requires licensing, verify that any contractor you are considering is licensed and carries adequate insurance. Many states have online databases you can check.”

Cybercriminal Faces Prison Time Over Romance Scams and Business Email Compromise Attacks

A man from Atlanta, Georgia has been convicted of running romance scams and business email compromise attacks that netted him over $9.5 million, the US Justice Department has announced.

“Elvis Eghosa Ogiekpolor has been sentenced to 25 years in federal prison for money laundering and conspiracy to commit money laundering after being convicted at trial,” the Justice Department said in a press release. “Ogiekpolor opened and directed others to open at least 50 fraudulent business bank accounts that received over $9.5 million dollars from various online frauds, including romance frauds and business email compromise scams (‘BECs’). He then laundered the fraud proceeds using other accounts, including dozens of accounts overseas.”

Thirteen victims of the romance scams, mostly women, testified in Ogiekpolor’s trial, though the Justice Department notes that there were many more victims of the fraud operation.

“The victims recounted how they met male strangers online and were soon convinced they were in a romantic relationship with the men, even though the victims were in communication with the individuals for months without meeting in person,” the Justice Department says. “Often these men claimed they wanted to start a life with the victims and were eager to live with them as soon as some kind of issue was resolved. For example, one romance fraud victim was convinced to wire $32,000 to one of the accounts Ogiekpolor controlled because her ‘boyfriend’ (one of the men online) claimed a part of his oil rig needed to be replaced but that his bank account was frozen.

This victim borrowed against her retirement and savings to provide the funds, which ultimately required her to refinance her home to pay back the loan. Another victim testified that she was convinced to send nearly $70,000 because the man she met on eHarmony claimed to need money to promptly make payment on several invoices due to a frozen bank account.”

German Police Collar Alleged Phishing Cybercriminals

The Bundeskriminalamt (BKA), Germany’s federal criminal police, raided three homes on Thursday, September 29th, in the course of an investigation of a cyber criminal operation the BKA says netted approximately €4,000,000 from its victims by using phishing tactics. Two suspects were arrested and charged; the disposition of the third individual will depend upon the results of further investigation.

A statement by the BKA (provided by BleepingComputer) explained the nature of the fraud, which depended upon unusually faithful and convincing spoofed communications that misrepresented themselves as being from the victims’ banks. The emails told the victims that changes to the bank’s security system would affect their accounts, and that they should follow a link to arrange continued access to their accounts. The link led to a convincing phishing page. “There, the phishing victims were asked to enter their login data and a current TAN [Transaktionsnummer–a number associated with a particular transaction], which in turn enabled the fraudsters to see all the data in the account of the respective victim – including the amount and availability of credit.” Further engagement with the victims induced them to give up additional TANs, which the criminals used to withdraw the victims’ funds.

The scam is interesting in other ways. For one thing, the criminals used distributed denial-of-service (DDoS) attacks against banking websites as misdirection for their imposture. The legitimate sites may have suffered from reduced availability, but the phishing sites, of course, remained accessible. Another interesting aspect of the case is the criminals’ alleged employment of “other cyber criminals who sell various forms of cyber attacks as ‘Crime-as-a-Service’” (the BKA uses the English phrase) “on the dark web.” Some details are being withheld pending further investigation.

The amount the BKA alleges the criminals stole is striking. €4,000,000 is the equivalent, at current exchange rates, to £3,520,000 or $3,920,000. This particular crime seems to have affected mostly individuals, but its scale and approach suggest that organizations could be vulnerable to similar scams. New-school security awareness training can help your employees cope with this and other forms of social engineering.

Response-Based Phishing Scams Targeting Corporate Inboxes Hit New Records

Setting a record for both highest count and largest share of volume relative to other types of phishing scams, response-based attacks are at their highest since 2020 and are continuing to grow.

Despite a lot of focus on credential theft, cybercriminals are trending toward response-based scams – where the scam relies on the user responding through a communication channel chosen by the scammer. We’ve seen examples of these types of phishing attacks that have leveraged chatbots, WhatsApp, and even phone calls to establish credibility and take control of the conversation.

New data from Agari and PhishLabs, in their Quarterly Threat Trends & Intelligence report for August 2022, shows that response-based scams are on the rise, being responsible for 41% of threats targeting corporate inboxes. While still trailing behind credential theft attacks, response-based scams have experienced continual growth over the last two years.

According to the report, the response-based scams can be broken down into the following types:

  • Advance-Fee scams – 54%
  • Vishing – 25%
  • Business Email Compromise – 16%
  • Job Scams – 4.8%
  • Tech Support – 0.2%

Of these, vishing is up over 625% from Q1 of last year and has steadily increased over the course of the past year.

I think I should reemphasize that these scams are all focused on business users and, according to the report, may include malware such as Emotet, QBot, and SnakeKeyLogger – all payloads I’ve covered before here on our blog.

The growth in response-based scams means that threat actors are seeing continual success – which, in turn, means users are responding. To stop your users from responding, it’s important that you enroll them in continual security awareness training to teach them to spot these scams before they respond to them.

Social Engineering and Bogus Job Offers

Researchers at SentinelOne have warned that North Korea’s Lazarus Group is using phony Crypto.com job offers to distribute macOS malware. The researchers aren’t sure how the lures are being distributed, but they suspect the attackers are sending spear phishing messages on LinkedIn. SentinelOne notes that this campaign “appears to be extending the targets from users of crypto exchange platforms to their employees in what may be a combined effort to conduct both espionage and cryptocurrency theft.”

“Back in August,” SentinelOne’s report says, “researchers at ESET spotted an instance of Operation In(ter)ception using lures for job vacancies at cryptocurrency exchange platform Coinbase to infect macOS users with malware. In recent days, SentinelOne has seen a further variant in the same campaign using lures for open positions at rival exchange Crypto.com.”

The campaign seems to represent a kind of twofer for Pyongyang. On the one hand, it’s intended to enable cryptocurrency theft, and this is desirable as a way of redressing North Korea’s chronic shortage of funds, driven by decades of sanctions and isolation. On the other hand, it’s also useful for espionage. They’re interested in prospecting both users and employees of cryptocurrency exchanges. There’s continuity with earlier efforts that targeted cryptocurrency exchanges, notably 2018’s AppleJeus campaign.

We’ve seen this kind of thing before. Note in particular the abuse of generally trusted platforms like LinkedIn that cater to professionals and the advancement of their careers. New-school security awareness training can teach your employees to recognize phishing and other social engineering attacks. The world of cryptocurrency may not (quite) be the Wild West, but it’s not a safe corner of cyberspace, either.

Recent Optus Data Breach Teaches the Importance of Recognizing Social Engineering

Optus, one of Australia’s largest telecommunications companies, recently suffered a data breach that affected over 9.8 million customers.

The telecom giant is not sure who was behind the cyber attack, but did admit that some identity documents may have been compromised. SBS News recently reported that the company’s data is already being leaked to sites on the dark web, including an extortion threat that the info would be released unless Optus replied:

Optus Data Breach Example

Source: SBS News

This data breach should be a big learning lesson to organizations all around – the ramifications of this are solely due to social engineering tactics.

It is every threat actor’s sole mission to have you fall for their trap. Security measures such as new-school security awareness training can teach your users to spot the warning signs, report the suspicious activity, and be proactive in their day-to-day operations.