Yahoo Suddenly Rises in Popularity in Q4 to Become the Most Impersonated Brand in Phishing Attacks

Completely absent from the top 10 brands for more than two years, Yahoo’s impersonation may indicate that scammers are looking for new attack angles using lesser-used brands.

Yes, of course, Yahoo is anything but insignificant. With revenues topping $8 billion, the search engine giant is still quite relevant today. But in the world of phishing attacks that impersonate a major brand, Yahoo sat down near 24th place. That is, until last quarter, when, according to Check Point’s security analysts, Yahoo jumped up 23 places to top the list of the Top 10 Impersonated Brands in Q4 of 2022.

Surpassing brands we’ve become accustomed to seeing in the top 5, such as Microsoft, DHL, LinkedIn, Google, and Amazon, Yahoo was previously an impersonation afterthought. But its popularity last quarter indicates a resurgence in its use as a known and trusted brand that can give scammers just enough credibility for their phishing attacks to succeed.

According to Check Point, the Yahoo-themed phishing scams offered awards and significant amounts of money to trick victims into giving up personal information – including Yahoo credentials.

The use of Yahoo’s brand says a few things about the state of phishing attacks. First, you only need a widely known brand – in essence, any known brand – to launch an impersonation scam. Second, we can only assume the attackers are seeing material success to jump 23 places. Third, with many impersonated brands representing companies that organizations like yours do business with (e.g., DHL, UPS, banks, etc.), users need to be educated through Security Awareness Training that just because you no longer see the impersonation equivalent of the age-old “Nigerian Prince” scam doesn’t mean it can’t pop up in an inbox today.



Travel-Themed Phishing Attacks Lure Victims with Promises of Free Tickets, Points, and Exclusive Deals

New analysis of December and January emails shows massive spikes in attacks aimed at stealing personal information and credit cards under the guise of once-in-a-lifetime travel deals.

Who wouldn’t want a free airline ticket, or a ton of frequent flyer points, in exchange for little-to-no effort? That’s exactly the sentiment attackers are going for, according to new analysis by email security vendor Bitdefender’s Antispam Lab. Nearly 10% of all spam was travel-themed within the timeframe of December 20th through January 10th, with a little more than half (53%) of it targeting the United States.

Many of these scams focus on credential theft. According to the findings, travel rewards programs and gift cards are the most often used subjects, as the personal details held within those programs include birthdates, social security numbers, etc. that can be monetized by selling them on the dark web.

Bitdefender offered up a few examples of these emails – notice how legitimate they look:

[Example travel-themed phishing email. Source: Bitdefender]

[Example travel-themed phishing email. Source: Bitdefender]

As we see travel return to pre-pandemic levels, mixed with an increase in fuel surcharges and flight prices, the opportunity to trick someone with the “too good to be true” deal is alive and well with scammers.


Russian and Iranian Spear Phishing Campaigns are Running Rampant in the UK

The UK’s National Cyber Security Centre (NCSC) has described two separate spear phishing campaigns launched by Russia’s SEABORGIUM threat actor and Iran’s TA453 (also known as Charming Kitten). The NCSC says both threat actors have targeted entities in the UK, including “academia, defence, governmental organisations, NGOs, think-tanks, as well as politicians, journalists, and activists.”

The threat actors first conduct reconnaissance on their targets by researching social media and other open-source information. After this, they’ll make contact under the guise of a journalist, colleague, or someone else the victim would be likely to respond to.

“Having taken the time to research their targets’ interests and contacts to create a believable approach, SEABORGIUM and TA453 now start to build trust,” the report says. “They often begin by establishing benign contact on a topic they hope will engage their targets. There is often some correspondence between attacker and target, sometimes over an extended period, as the attacker builds rapport.”

The threat actors then send the victim a link disguised as something related to their previous conversations.

“Once trust is established, the attacker uses typical phishing tradecraft and shares a link, apparently to a document or website of interest,” the NCSC says. “This leads the target to an actor-controlled server, prompting the target to enter account credentials. The malicious link may be a URL in an email message, or the actor may embed a link in a document on OneDrive, GoogleDrive, or other file-sharing platforms.

“TA453 has even shared malicious links disguised as Zoom meeting URLs, and in one case, even set up a Zoom call with the target to share the malicious URL in the chat bar during the call. Industry partners have also reported the use of multi-persona impersonation (use of two or more actor-controlled personas on a spear-phishing thread) to add the appearance of legitimacy.”

New-school security awareness training can enable your employees to follow security best practices so they can thwart targeted phishing attacks.


Phishing Campaign Impersonates Japanese Rail Company

Researchers at Safeguard Cyber describe a phishing campaign that’s posing as a Japanese rail ticket reservation company.

“The phishing campaign impersonates Ekinet, a Japanese-based organization that is used to reserve train tickets,” the researchers write. “The campaign attempts to lure victims to a malicious website and then makes them input their credit card or other personal information. The Council of Anti-Phishing in Japan released an alert earlier in 2022 detailing potential scams using Ekinet. From the emails we have seen, the text is usually always in Japanese and recently an email was reported in a United States-based organization’s inbox.”

A Japanese university was among the organizations targeted by this campaign. The attackers used several different email templates.

“It was reported by the Information Technology Center, The University of Electro-Communications in Japan that there were multiple different emails from this campaign that have been sent to their campus on December 6, 2022, but they are all from the same sender,” the researchers write.

The emails are written in Japanese, but were sent to organizations around the world. The attackers informed victims that their accounts would be shut down if they didn’t click the verification link in the email.

“The messaging is in Japanese and attempts to lure victims into clicking on a malicious URL that is then used to store credit card information or other personal information should the victim fall for the scam,” the researchers write. “The premise of the email that was detected in a customer’s inbox was to lure the victim into clicking on a URL that would redirect them to a phishing site by stating their account would be terminated if they did not verify their login.”

New-school security awareness training can give your employees a healthy sense of suspicion so they can avoid falling for phishing and other social engineering attacks.


New QR Code Phishing Campaign is Impersonating the Chinese Ministry of Finance

Researchers at Fortinet warn that a phishing campaign is impersonating the Chinese Ministry of Finance. The phishing emails contain a document with a QR code that leads to a credential-harvesting site.

“A QR code requires an application to read and translate it into something actionable,” the researchers write. “Most mobile phones have this functionality through their camera, and software packages are available on all major platforms to do this from a computer. In each of the examples FortiGuard Labs found, the QR code contained in the Microsoft Word attachments provided a URL for the user to follow. When the user does this using their desktop platform or mobile device, they arrive at a website controlled by the threat actor.”

The QR code leads to a phony version of the Chinese business communication app DingTalk.

“It is a spoofed facsimile of a DingTalk instance (it should be noted that as of the publication date, this site is now offline),” Fortinet says. “DingTalk is a broadly used enterprise communication platform developed by Alibaba Group. Given the reach of the platform and its large number of users, credentials for it would be valuable. The user is directed to a pop-up message box that suggests their DingTalk account has committed some unspecified business violation(s) and that it will be frozen without verification in 24 hours. After acknowledging the message box, the user is invited to enter their credentials to address the issue.”

Fortinet concludes that users can avoid falling for these attacks by following security best practices.

“These attacks will undoubtedly be prevalent for some time,” the researchers write. “Users are cautioned to verify emails, not open attachments or links, and never enter credentials into a site they have not seen before. Rather than using a received link, users are encouraged to go to the known main site of the vendor to conduct any business. Users can also hover over a link to look for an unusual URL. Organizations are also encouraged to provide training to users to help them identify and avoid malicious email attachments and links.”


Cybercrime: The World’s Third Largest Economy After the U.S. and China

Cybersecurity Ventures released a new report that showed cybercrime is going to cost the world $8 trillion USD in 2023.

If it were measured as a country, then cybercrime would be the world’s third largest economy after the U.S. and China.

“We expect global cybercrime damage costs to grow by 15 percent per year over the next three years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015.

“Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.”

The 2022 Official Cybercrime Report, published by Cybersecurity Ventures and sponsored by eSentire, provides cyber economic facts, figures, predictions and statistics that convey the magnitude of the cyber threat we are up against, along with market data to help understand what can be done about it. The report and an accompanying video can be downloaded from the linked article.


The Amazing Thing Is that DHL Phishing Campaigns STILL Work

Researchers at Armorblox warn that a phishing campaign is impersonating DHL with fake shipping invoices.

“The subject of this email aimed to instill an automatic level of trust through the inclusion of the well-known and trusted brand name, DHL, reading: ‘DHL Shipping Document/Invoice Receipt,’” the researchers write. “The inclusion of a legitimate brand name within the email subject encourages victims to open the email in a timely fashion, assuming the email is a legitimate communication from the brand that needs attention. At first glance, the email seems to be a legitimate communication from international shipping company, DHL, with the sender name and email address reading DHL and dhl@vaimti-yacht[.]com respectively.”

The emails look like legitimate DHL notifications, and they were able to bypass security filters.

“The body of the email continues to impersonate the well-known brand, through the inclusion of the company logo and brand colors and signature pertaining to the DHL customer service department,” Armorblox says. “The email looks like a notification from DHL, notifying recipients about a parcel sent by a customer that needed to be rerouted to the correct delivery address. The body of the email has one simple call to action for the recipient, to view the attached document and confirm the destination address of the parcel shipment.”

The emails instructed users to open the Excel attachment, which asked them to enter their Microsoft account credentials in order to view the phony invoice.

“The goal of the targeted attack was for victims to follow the prompted instructions within the email body and open the attachment,” the researchers write. “The attachment included within this email attack was named Shipping Document Invoice Receipt to further instill trust in the unsuspecting victims that the attachment was a legitimate file from DHL and the ‘copy of DHL receipt for tracking’, as referenced in the body of the email. The information and language used within the email led victims to click the attachment, unsuspecting that the attachment had malicious intent.”
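The sender mismatch Armorblox describes (a display name reading DHL, with the actual address on an unrelated domain, and the brand name repeated in the subject) is cheap to check at the mail gateway before a message reaches an inbox. The following Python is an added example, not Armorblox’s, DHL’s or any vendor’s code: the brand-to-domain table is an abridged assumption, the three sample messages are constructed for illustration (the phishing sample uses a placeholder domain rather than the address quoted above), and the domain heuristic assumes two-label registrable domains such as `dhl.com`.

```python
"""Flag brand-impersonating senders from raw email headers (added example)."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Brand names as they appear in display names and subjects, mapped to the
# domains that brand legitimately mails from. Constructed and abridged for
# this example; a real deployment maintains this table per organization.
BRAND_DOMAINS = {
    "dhl": {"dhl.com", "dhl.de"},
    "yahoo": {"yahoo.com", "yahooinc.com"},
    "microsoft": {"microsoft.com"},
}


def registrable_domain(addr: str) -> str:
    """Return the last two labels of the address's domain, lower-cased.

    Sufficient for the .com/.de style domains in the table above; a public
    suffix list would be needed to handle co.uk-style TLDs correctly.
    """
    domain = addr.rsplit("@", 1)[-1].lower().strip(".")
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def brand_mentions(text: str) -> list:
    """Brands whose name appears (case-insensitively) in the given text."""
    lowered = text.lower()
    return [brand for brand in BRAND_DOMAINS if brand in lowered]


def check_sender(raw_message: bytes) -> list:
    """Parse the headers and return a list of findings; empty means nothing flagged."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []

    display, address = parseaddr(str(msg.get("From", "")))
    from_domain = registrable_domain(address)

    # 1. Display name claims a brand the From domain does not belong to.
    for brand in brand_mentions(display):
        if from_domain not in BRAND_DOMAINS[brand]:
            findings.append(f"display name claims {brand!r} but From domain is {from_domain!r}")

    # 2. Subject line carries a brand name the sender domain does not belong to.
    for brand in brand_mentions(str(msg.get("Subject", ""))):
        if from_domain not in BRAND_DOMAINS[brand]:
            findings.append(f"subject mentions {brand!r} but From domain is {from_domain!r}")

    # 3. Replies are routed to a different domain than the visible sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and registrable_domain(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {registrable_domain(reply_addr)!r} differs from From domain {from_domain!r}")

    return findings


# Constructed sample messages (not real traffic).
PHISH_DHL = b"""From: DHL <dhl@parcel-notice.example>
To: recipient@victim.example
Subject: DHL Shipping Document/Invoice Receipt

Please view the attached document and confirm the destination address.
"""

LEGIT_DHL = b"""From: DHL Express <noreply@dhl.com>
To: recipient@victim.example
Subject: Your shipment is on its way

Track your parcel on our website.
"""

REPLYTO_YAHOO = b"""From: Yahoo Account Team <notice@yahoo.com>
Reply-To: claims@prize-desk.example
To: recipient@victim.example
Subject: You have been selected for a reward

Reply to this message to claim your prize.
"""

if __name__ == "__main__":
    for label, sample in [("phish", PHISH_DHL), ("legit", LEGIT_DHL), ("reply-to", REPLYTO_YAHOO)]:
        print(label, check_sender(sample) or "no findings")
```

The three checks are layered deliberately: the first two catch the DHL pattern above, while the Reply-To check still fires when the From header itself has been spoofed to the brand’s real domain, which the display-name check alone would pass.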

New-school security awareness training can enable your employees to recognize social engineering attacks.


Government Workers as Phishing Targets

Government workers are prime targets for social engineering attacks, according to Kaitlyn Levinson at GCN. Attackers use different tactics to target government employees in specific roles. Levinson quotes Rita Reynolds, Chief Information Officer for the National Association of Counties, as saying that customer-facing county employees might be more likely to assume that requests are legitimate, since they deal with so many people each day.

“Hackers prey upon the customer service aspect of county employees,” Reynolds said. “That desire to be prompt and successful in filling the request can oftentimes result in a county employee maybe not paying closer attention to the authenticity of the email.”

Reynolds added that county agencies should implement security best practices outlined by the Cybersecurity and Infrastructure Security Agency (CISA).

Levinson writes, “CISA advises organizations to use phishing-resistant multi-factor authentication, which goes beyond security measures such as one-time passwords and uses FIDO/WebAuthn authentication or PKI-based MFA, to close the gaps that bad actors could squeeze through.”

Arun Vishwanath, Chief Technology Officer of Avant Research Group, explained that even technical employees are vulnerable to phishing attacks. IT employees may become complacent and assume they’ll be able to recognize phishing emails.

Meredith Ward, director of policy and research for the National Association of State Chief Information Officers, told GCN that government organizations should ensure that their employees are aware of these types of attacks.

“The reality is that there is no one protection tool or technology that can prevent or respond to every cyberattack,” Ward said. “The human factor plays a large part in this discussion, and human awareness is but one tool states have to thwart cyberattacks.”

New-school security awareness training can give your organization an essential layer of defense by teaching your employees how to recognize social engineering attacks.


A Look Back at Mobile Government Cyberattacks Shows Increased Attacks and Weaker Security

A rise in the reliance on unmanaged mobile devices, matched with a lack of patching and increased attacks seeking solely to steal credentials was a perfect storm for government.

You’d think our government has the strongest cybersecurity stance, given the state of modern cyber attacks. But new data from Lookout Software’s just-released US Government Threat Report shows that over the last 2 years, the government hasn’t entirely been prepared, despite cybercriminals being more than ready to attack.

The report, spanning all of 2021 and the first half of 2022, paints a picture of a government under attack, with 1 in 8 government employees exposed to one or more phishing attacks. Part of the problem lies in the devices being used; coming just off the heels of COVID, when any mobile device that got an employee working remotely was “acceptable”, some government entities relied on insecure mobile devices:

  • In 2021, 13% of all Federal Government mobile devices were unmanaged; in State & Local, it was 38%
  • The phishing exposure rate was higher on unmanaged devices in 2022 (8.5% of them) than on managed devices (6%)
  • 1 in 11 mobile devices (about 9%) still experience phishing attacks in 2022

According to the report, about half (46%) of all attacks across all government sectors sought to steal credentials, with 70% of them attempting to install malware. It’s this stat about credentials that has me really worried; all it takes is some solid social engineering to trick a user into giving up their credentials.

According to Lookout, 23% of all federal employees clicked on three or more phishing links, despite being notified that they had previously clicked on one. This is a clear cry for continual Security Awareness Training that teaches government employees the need to remain vigilant and that organizational security includes them.


Phishing in the Service of Espionage

Reuters describes a cyberespionage campaign carried out by the hitherto little-known threat group researchers track as “Cold River.” The group is circumstantially but convincingly linked to Russian intelligence services (possibly the FSB, although that’s unclear) through its Russophone operations and the location of at least one of its personnel in the northern city of Syktyvkar, capital of the Komi region. The effort involved attempted social engineering of US nuclear researchers at the Department of Energy’s Brookhaven, Argonne, and Lawrence Livermore National Laboratories. The campaign peaked in August and September, coinciding with the height of Russian President Putin’s nuclear threats. It’s unknown whether the campaign enjoyed any success: Reuters says that both the Department of Energy and the FSB declined to comment. The report says:

“Cold River, which first appeared on the radar of intelligence professionals after targeting Britain’s foreign office in 2016, has been involved in dozens of other high-profile hacking incidents in recent years, according to interviews with nine cybersecurity firms. Reuters traced email accounts used in its hacking operations between 2015 and 2020 to an IT worker in the Russian city of Syktyvkar.

“‘This is one of the most important hacking groups you’ve never heard of,’ said Adam Meyers, senior vice president of intelligence at U.S. cybersecurity firm CrowdStrike. ‘They are involved in directly supporting Kremlin information operations.’”

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, commented on the social-engineering aspect of the campaign. “Hopefully all employees in our nation’s critical infrastructure are already using phishing-resistant multi-factor authentication,” he said. “That will put down a large percentage of phishing attacks, but we can expect Russian phishing campaigns to keep getting more sophisticated over time. That’s why all organizations should aggressively train their employees in how to recognize, stop, and report phishing attacks.”

We call this process “social engineering,” and it’s become prominent in cyberspace, but it really represents an update of old spycraft: identify, approach, compromise, and recruit a target. Counterintelligence officers might take note: new-school security awareness training can help make your people more resistant to the adversary.