German Police Collar Alleged Phishing Cybercriminals

The Bundeskriminalamt (BKA), Germany’s federal criminal police, raided three homes on Thursday, September 29th, in the course of an investigation of a cyber criminal operation the BKA says netted approximately €4,000,000 from its victims by using phishing tactics. Two suspects were arrested and charged; the disposition of the third individual will depend upon the results of further investigation.

A statement by the BKA (provided by BleepingComputer) explained the nature of the fraud, which depended upon unusually faithful and convincing spoofed communications that misrepresented themselves as coming from the victims’ banks. The emails told the victims that changes to the bank’s security system would affect their accounts, and that they should follow a link to arrange continued access to their accounts. The link led to a convincing phishing page. “There, the phishing victims were asked to enter their login data and a current TAN [Transaktionsnummer, a number associated with a particular transaction], which in turn enabled the fraudsters to see all the data in the account of the respective victim – including the amount and availability of credit.” Further engagement with the victims induced them to give up additional TANs, which the criminals used to withdraw the victims’ funds.

The scam is interesting in other ways. For one thing, the criminals used distributed denial-of-service (DDoS) attacks against banking websites as misdirection for their imposture. The legitimate sites may have suffered from reduced availability, but the phishing sites, of course, remained accessible. Another interesting aspect of the case is the criminals’ alleged employment of “other cyber criminals who sell various forms of cyber attacks as ‘Crime-as-a-Service’” (the BKA uses the English phrase) “on the dark web.” Some details are being withheld pending further investigation.

The amount the BKA alleges the criminals stole is striking. €4,000,000 is the equivalent, at current exchange rates, to £3,520,000 or $3,920,000. This particular crime seems to have affected mostly individuals, but its scale and approach suggest that organizations could be vulnerable to similar scams. New-school security awareness training can help your employees cope with this and other forms of social engineering.

READ MORE

Response-Based Phishing Scams Targeting Corporate Inboxes Hit New Records

Setting records for both raw count and share of overall phishing volume, response-based attacks are at their highest since 2020 and continue to grow.

Despite a lot of focus on credential theft, cybercriminals are trending toward response-based scams – scams that rely on the user responding through a communication channel chosen by the scammer. We’ve seen examples of these types of phishing attacks that have leveraged chatbots, WhatsApp, and even phone calls to establish credibility and take control of the conversation.

New data from Agari and PhishLabs, in their Quarterly Threat Trends & Intelligence report for August 2022, shows that response-based scams are on the rise, being responsible for 41% of threats targeting corporate inboxes. While still trailing behind credential theft attacks, response-based scams have experienced continual growth over the last two years.

According to the report, the response-based scams can be broken down into the following types:

  • Advance-Fee scams – 54%
  • Vishing – 25%
  • Business Email Compromise – 16%
  • Job Scams – 4.8%
  • Tech Support – 0.2%

Of these, vishing is up over 625% from Q1 of last year and has steadily increased over the course of the past year.

I think I should reemphasize that these scams are all focused on business users and, according to the report, may include malware such as Emotet, QBot, and Snake Keylogger – all payloads I’ve covered before here on our blog.

The growth in response-based scams means that threat actors are seeing continual success – which, in turn, means users are responding. To stop your users from responding, it’s important that you enroll them in continual security awareness training to teach them to spot these scams before they respond to them.

READ MORE

Social Engineering and Bogus Job Offers

Researchers at SentinelOne have warned that North Korea’s Lazarus Group is using phony Crypto.com job offers to distribute macOS malware. The researchers aren’t sure how the lures are being distributed, but they suspect the attackers are sending spear phishing messages on LinkedIn. SentinelOne notes that this campaign “appears to be extending the targets from users of crypto exchange platforms to their employees in what may be a combined effort to conduct both espionage and cryptocurrency theft.”

“Back in August,” SentinelOne’s report says, “researchers at ESET spotted an instance of Operation In(ter)ception using lures for job vacancies at cryptocurrency exchange platform Coinbase to infect macOS users with malware. In recent days, SentinelOne has seen a further variant in the same campaign using lures for open positions at rival exchange Crypto.com.”

The campaign seems to represent a kind of twofer for Pyongyang. On the one hand, it’s intended to enable cryptocurrency theft, and this is desirable as a way of redressing North Korea’s chronic shortage of funds, driven by decades of sanctions and isolation. On the other hand, it’s also useful for espionage. They’re interested in prospecting both users and employees of cryptocurrency exchanges. There’s continuity with earlier efforts that targeted cryptocurrency exchanges, notably 2018’s AppleJeus campaign.

We’ve seen this kind of thing before. Note in particular the abuse of generally trusted platforms like LinkedIn that cater to professionals and the advancement of their careers. New-school security awareness training can teach your employees to recognize phishing and other social engineering attacks. The world of cryptocurrency may not (quite) be the Wild West, but it’s not a safe corner of cyberspace, either.

READ MORE

Recent Optus Data Breach Teaches the Importance of Recognizing Social Engineering

Optus, one of Australia’s largest telecommunications companies, recently suffered a data breach that affected over 9.8 million customers.

The telecom giant is not sure who was behind the cyber attack, but did admit that some identity documents may have been compromised. SBS News recently reported that the company’s data is already being leaked to sites on the dark web, including an extortion threat that the information would be released unless Optus replied:

[Image: Optus data breach extortion post. Source: SBS News]

This data breach should be a lesson to organizations everywhere: its ramifications are due entirely to social engineering tactics.

It is every threat actor’s sole mission to have you fall for their trap. Security measures such as new-school security awareness training can teach your users to spot the warning signs, report the suspicious activity, and be proactive in their day-to-day operations.

READ MORE

Security Practices Are Improving, But Cybercriminals Are Keeping Up

A survey by GetApp has found that the number of organizations using phishing simulations has risen from 30% in 2019 to 70% in 2022. Despite this positive trend, however, attackers continue to increase both the sophistication and volume of their phishing emails, which has led to a significant rise in employees clicking on phishing links.

“Phishing schemes and their effectiveness have reached a critical point in 2022,” the researchers write. “For the first three years of our survey, the rate of companies reporting phishing emails had remained fairly steady. But in the last year, the percentage of companies reporting phishing has jumped from 77% to 89%. More concerning, the number of companies that report someone actually clicking a link in a phishing email leapt from 64% to 81% in only the last year. In the last three years, the percentage of employees clicking on phishing links has absolutely skyrocketed, from 43% to 81%. Combined, these numbers are even more alarming because they show a clear upward trend in both phishing volume and effectiveness over the last three years.”

Likewise, the number of organizations requiring multi-factor authentication has steadily increased over the past three years, but attackers are increasingly finding ways to bypass these measures.

“In 2019, our survey found that 64% of U.S. companies used 2FA for all (21%) or some (43%) business applications,” the researchers write. “In 2022, that number has increased to 91%. Perhaps more importantly, the percentage of companies that use 2FA for all business applications has more than doubled, from only 21% in 2019 to nearly half (45%) in 2022.”

GetApp says organizations need to continue implementing security best practices to keep up with the evolving threat landscape.

“The gap between companies reporting phishing emails and those reporting employees clicking on phishing emails has narrowed year over year, from a 30-point gap in 2019 to only eight points in 2022,” the researchers write. “In response, companies must prioritize email security and educate staff on the increasingly sophisticated social engineering strategies that threat actors use in phishing emails to manipulate employees into turning over network credentials or downloading malware.”

READ MORE

Social Engineering Targets Healthcare Payment Processors

The US Federal Bureau of Investigation (FBI) has issued an alert warning of an increase in phishing and other social engineering attacks against healthcare payment processors.

“In each of these reports, unknown cyber criminals used employees’ publicly-available Personally Identifiable Information (PII) and social engineering techniques to impersonate victims and obtain access to files, healthcare portals, payment information, and websites,” the Bureau says. “In one case, the attacker changed victims’ direct deposit information to a bank account controlled by the attacker, redirecting $3.1 million from victims’ payments.”

The FBI describes three successful social engineering attacks against these entities:

  • “In April 2022, a healthcare company with more than 175 medical providers discovered an unauthorized cyber criminal posing as an employee had changed Automated Clearing House (ACH) instructions of one of their payment processing vendors to direct payments to the cyber criminal rather than the intended providers. The cyber criminal successfully diverted approximately $840,000 dollars over two transactions prior to the discovery.”
  • “In February 2022, a cyber criminal obtained credentials from a major healthcare company and changed direct deposit banking information from a hospital to a consumer checking account belonging to the cyber criminal, resulting in a $3.1 million loss. In mid-February 2022, in a separate incident a different cyber criminal used the same method to steal approximately $700,000.”
  • “From June 2018 to January 2019, cyber criminals targeted and accessed at least 65 healthcare payment processors throughout the United States to replace legitimate customer banking and contact information with accounts controlled by the cyber criminals. One victim reported a loss of approximately $1.5 million. The cyber criminals used a combination of publicly available PII and phishing schemes to gain access to customer accounts. Entities involved in processing and distributing healthcare payments through processors remain vulnerable to exploitation via this method.”

READ MORE

Uber security breach ‘looks bad’, caused by social engineering

It was all over the news, but ZDNet’s Eileen Yu was one of the first to report it: “Hacker is believed to have breached Uber’s entire network in a social engineering attack, which one security vendor says is more extensive than the company’s 2016 global data breach and access logs potentially altered.”

Push-Fatigue

The article continues: “A hacker on Thursday was believed to have breached multiple internal systems, with administrative access to Uber’s cloud services including on Amazon Web Services (AWS) and Google Cloud (GCP).

“The attacker is claiming to have completely compromised Uber, showing screenshots where they’re full admin on AWS and GCP,” Sam Curry wrote in a tweet. The security engineer at Yuga Labs, who corresponded with the hacker, added: “This is a total compromise from what it looks like.”

Uber has since shut down online access to its internal communications and engineering systems while it investigates the breach, according to a report by The New York Times (NYT), which broke the news. The company’s internal messaging platform, Slack, was also taken offline.

The hacker, who claimed to be 18 years old, told NYT he had sent a text message to an Uber employee and was able to persuade the staff member to reveal a password after claiming to be corporate information technology personnel. The social engineering hack allowed him to breach Uber’s systems, with the hacker describing the company’s security posture as weak.

With the employee’s password, the hacker was able to get into the internal VPN, said Acronis’ CISO Kevin Reed in a LinkedIn post. The hacker then gained access to the corporate network, found highly privileged credentials on network file shares, and used these to access everything, including production systems, corporate EDR (endpoint detection and response) console, and Uber’s Slack management interface.”

Quote from WIRED: “One independent security engineer described the OneLogin account access the Uber hacker seems to have had access to as ‘the golden ticket jackpot.’

“‘That’s God—they own that, there’s nothing they can’t access,’ the security engineer added. ‘It’s Disneyland. It’s a blank check at the candy shop and Christmas morning all rolled up together. But sure, customer ride data wasn’t impacted. OK.’”

Don’t let this happen to you. Train your users.

READ MORE

[HEADS UP] Bank of America Warns About Recent Scams That Request Zelle Payment Due to ‘Suspicious Activity’

Bank of America recently sent a customer service email warning users to watch out for this new phishing attack.

Threat actors are sending realistic texts requesting that you send money using Zelle® as payment due to a ‘fraud alert’. These texts are crafted to make the warning look legitimate, and if you respond to the text you’ll receive a call from a fake representative.

This person will use social engineering techniques to trick you into sending money to yourself through the Zelle® payment method. In reality, you’ll be sending the money directly into the scammers’ pockets, and they will receive it in their own account.

Check out the full video from Zelle on how to spot this type of scam here:


It’s incredibly important not to share any codes with a caller just because the caller ID looks legitimate, and not to be pressured into acting immediately if your users receive this type of call. New-school security awareness training can teach your users about the latest threats.

READ MORE

Cisco Attempt Attributed to Lapsus$ Group

Security researchers at Cisco Talos have issued an update on the cyberattack Cisco sustained earlier this year. The attack began with a phishing attack against a Cisco employee, which led to the attackers stealing data and attempting to extort the company with the threat of releasing the stolen information.

“On September 11, 2022, the bad actors who previously published a list of file names from this security incident to the dark web, posted the actual contents of the same files to the same location on the dark web. The content of these files match what we already identified and disclosed,” the researchers write. “Our previous analysis of this incident remains unchanged; we continue to see no impact to our business, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.”

Cisco Talos offers the following summary of the event:

  • “On May 24, 2022, Cisco became aware of a potential compromise. Since that point, Cisco Security Incident Response (CSIRT) and Cisco Talos have been working to remediate.
  • “During the investigation, it was determined that a Cisco employee’s credentials were compromised after an attacker gained control of a personal Google account where credentials saved in the victim’s browser were being synchronized.
  • “The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker. The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user.
  • “CSIRT and Talos are responding to the event and we have not identified any evidence suggesting that the attacker gained access to critical internal systems, such as those related to product development, code signing, etc.
  • “After obtaining initial access, the threat actor conducted a variety of activities to maintain access, minimize forensic artifacts, and increase their level of access to systems within the environment.
  • “The threat actor was successfully removed from the environment and displayed persistence, repeatedly attempting to regain access in the weeks following the attack; however, these attempts were unsuccessful.
  • “We assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators.”

READ MORE
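The MFA push-fatigue pattern that runs through both the Uber item above and the Cisco Talos summary (the attacker triggers push prompt after push prompt until the user finally taps “approve”) leaves a recognizable trace in authentication logs: a burst of denied or timed-out pushes for one account, sometimes followed by an approval. The following example is added here for illustration and is not code from Cisco Talos, Uber, or any MFA vendor. It flags that pattern over constructed sample log lines; the log format, the field names, the ten-minute window and the threshold of three are all assumptions chosen for the demonstration.

```python
"""Flag MFA push-fatigue patterns in authentication logs.

Added example for this newsletter; it is not code from Cisco Talos, Uber,
or any MFA vendor. The log format below is an assumption made for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (invented for this example, not real data).
# Assumed format: <ISO timestamp> <user> <event> <result> <source IP>
SAMPLE_LOG = """\
2022-09-15T02:10:01Z alice push_sent denied 203.0.113.7
2022-09-15T02:10:31Z alice push_sent denied 203.0.113.7
2022-09-15T02:11:02Z alice push_sent timeout 203.0.113.7
2022-09-15T02:11:40Z alice push_sent denied 203.0.113.7
2022-09-15T02:12:15Z alice push_sent approved 203.0.113.7
2022-09-15T09:00:00Z bob push_sent approved 198.51.100.4
2022-09-15T09:30:00Z bob push_sent denied 198.51.100.4
2022-09-15T13:00:00Z bob push_sent approved 198.51.100.4
"""


def parse_line(line):
    """Parse one log line into a dict; raises ValueError on a malformed line."""
    ts, user, event, result, ip = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user, "event": event, "result": result, "ip": ip,
    }


def detect_push_fatigue(log_text, window=timedelta(minutes=10), threshold=3):
    """Return a list of alerts for push-fatigue activity.

    Two signals are emitted:
      - "push_burst": a user has received `threshold` pushes that were denied
        or timed out within `window` (an attack in progress, successful or not).
      - "approved_after_burst": the user approved a push after such a burst,
        which is the outcome described in the Cisco and Uber write-ups.
    """
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            if rec["event"] == "push_sent":
                per_user[rec["user"]].append(rec)

    alerts = []
    for user, recs in per_user.items():
        recs.sort(key=lambda r: r["ts"])
        for i, rec in enumerate(recs):
            # Non-approved pushes that precede this one inside the window.
            prior = [r for r in recs[:i]
                     if rec["ts"] - r["ts"] <= window and r["result"] != "approved"]
            if rec["result"] == "approved":
                if len(prior) >= threshold:
                    alerts.append({"kind": "approved_after_burst", "user": user,
                                   "at": rec["ts"], "rejections": len(prior),
                                   "sources": sorted({r["ip"] for r in prior})})
            elif len(prior) + 1 == threshold:
                # Emit once, at the moment the burst crosses the threshold.
                alerts.append({"kind": "push_burst", "user": user,
                               "at": rec["ts"], "rejections": len(prior) + 1,
                               "sources": sorted({r["ip"] for r in prior} | {rec["ip"]})})
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

On the sample data the function raises a push_burst alert for alice at the third rejected push and an approved_after_burst alert when she finally accepts; bob’s single denial hours away from his approvals produces nothing. The window and threshold should be tuned to an organization’s own baseline of accidental denials, an approved_after_burst alert is a reasonable trigger for revoking the new session and contacting the user out of band, and number matching or phishing-resistant MFA removes the pattern at its source by making a blind tap insufficient.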

Phishing from a French Government Career Website

Attackers are exploiting a legitimate French government website to send phishing messages, according to researchers at Vade. The website, Pôle Emploi, is a career site for companies looking for job recruits. The attackers are responding to job postings with phony resumes that contain a link to a Google Form designed to harvest credentials.

“The recruiting company—if not vigilant—opens the attachment thinking it is a resume and is faced with malicious links,” the researchers write. “If they click on the links, they are redirected to a malicious form where they will be asked for their Pôle Emploi account information. This new technique is particularly efficient because the generated email is coming from legitimate Pôle Emploi servers, a legitimate sender, and a legitimate IP address.”

The phony resume instructs the victim to click on the link in order to secure their account.

“The hacker’s message states that the recipient (the recruiting company) needs to open the attachment to access an applicant’s resume,” the researchers write. “The hacker adds that the attachment contains URLs that the recipient must open in order to update Pôle Emploi’s recruiting account and secure it.”

Vade notes that the phishing document is also designed to steal users’ multifactor authentication codes.

“The credentials and the validation code of the Pôle Emploi’s recruiting account of the targeted company are sent to the hacker via email from Google Docs,” Vade says. “With those credentials, the hacker can easily access the Pôle Emploi portal of the recruiting company.”

The researchers add that access to these accounts could lead to further targeted attacks within the organizations.

“Most phishing attacks are designed to steal account credentials, and in this case, the damage could be significant,” Vade says. “The Pôle Emploi portal likely contains the personal information of companies and job candidates. With this information, hackers can access sensitive company information and steal personal data, which they can later sell to other hackers. They could also launch additional attacks on users with the data stolen, including phishing and business email compromise attacks.”

READ MORE