Spear Phishing Campaign Targets Financial Institutions in African Countries

Researchers at Check Point have discovered a spear phishing campaign dubbed “DangerousSavanna” that’s targeting financial entities in at least five African countries.

The campaign has been running for at least two years, and has targeted organizations in Ivory Coast, Morocco, Cameroon, Senegal, and Togo. The researchers believe the campaign is financially motivated.

“DangerousSavanna targets medium or large finance-related enterprises which operate across multiple African countries,” the researchers write.

“The companies that belong to these financial groups provide a wide range of banking products and services, and include not only banks but also insurance companies, microfinancing companies, financial holding companies, financial management companies, financial advisory services, etc. Despite the relatively low complexity of their tools, we observed the signs that might point out that the attackers managed to infect some of their targets. This was most likely due to the actors’ persistent attempts at infiltration. If one infection chain didn’t work out, they changed the attachment and the lure and tried targeting the same company again and again trying to find an entry point. With social engineering via spear-phishing, all it takes is one incautious click by an unsuspecting user.”

The phishing emails are written in French, the primary or official language of the targeted countries.

“The infection starts with spear-phishing emails written in French, usually sent to several employees of the targeted companies, all of which are medium to large financial groups in French-speaking Africa,” the researchers write. “In the early stages of the campaign, the phishing emails were sent using Gmail and Hotmail services. To increase their credibility, the actors began to use lookalike domains, impersonating other financial institutions in Africa such as the Tunisian Foreign bank, Nedbank, and others. For the last year, the actors also used spoofed email addresses of a local insurance advisory company whose domain doesn’t have an SPF record.”
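The missing SPF record the researchers mention is what lets a spoofed From address of that insurance company reach inboxes unchallenged. The following is an added example, not code from Check Point or from the original article, showing how a receiving mail server evaluates SPF under RFC 7208 and why a domain with no record yields a "none" result that the receiver cannot act on. The DNS answers are a constructed in-memory table with example domains, the evaluator handles only the ip4, ip6, include and all mechanisms, and the receiver policy mapping at the end is an assumed, typical configuration.

```python
import ipaddress

# Constructed DNS TXT answers standing in for live lookups (example domains, not real ones).
# One domain publishes a strict policy, one a soft policy, and one has no SPF record at all,
# which is the situation the researchers describe for the spoofed insurance advisory company.
CONSTRUCTED_TXT = {
    "strict-bank.example":    ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all"],
    "_spf.mailer.example":    ["v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 -all"],
    "soft-insurer.example":   ["v=spf1 ip4:192.0.2.5 ~all"],
    "no-spf-insurer.example": ["some-unrelated-verification-token"],  # TXT present, but no SPF
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, txt=CONSTRUCTED_TXT):
    """Return the domain's single SPF record, or None when there is none (RFC 7208 section 4.5)."""
    records = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    # Zero records is the 'none' case; more than one is a permerror, treated here as unusable.
    return records[0] if len(records) == 1 else None


def check_spf(sender_ip, domain, txt=CONSTRUCTED_TXT, depth=0):
    """Evaluate sender_ip against domain's SPF policy.
    Returns one of 'none', 'pass', 'fail', 'softfail', 'neutral', 'permerror'."""
    if depth > 10:                     # RFC 7208 caps DNS-querying mechanisms; bound include recursion
        return "permerror"
    record = lookup_spf(domain, txt)
    if record is None:
        return "none"                  # no policy published: the receiver learns nothing
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:    # skip the 'v=spf1' version tag
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER[qualifier]
        if name in ("ip4", "ip6"):
            # An IPv6 sender never matches an ip4 network (and vice versa); ipaddress handles that.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER[qualifier]
        elif name == "include":
            # include matches only when the referenced domain's policy returns 'pass'
            if check_spf(sender_ip, arg, txt, depth + 1) == "pass":
                return QUALIFIER[qualifier]
        else:
            return "permerror"         # a/mx/exists/ptr need live DNS and are not modelled here
    return "neutral"                   # record ended without an 'all' term


def receiver_action(result):
    """Assumed, typical receiver policy. Only 'fail' is a safe reject; 'softfail' is usually
    quarantined; 'none' has to be accepted because the domain owner published nothing."""
    return {"fail": "reject", "softfail": "quarantine",
            "none": "accept (unverifiable)"}.get(result, "accept")
```

The practical consequence is visible in the last function: a lookalike or spoofed sender domain with no SPF record produces "none", so a gateway that only enforces SPF has no grounds to reject, and the decision falls back to content filtering and the recipient. Publishing a record with "-all", and layering DMARC on top, is what turns that into a reject.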

Check Point believes that the attackers will continue improving their social engineering techniques and malware.

“This campaign, which has been running for almost two years, often changes its tools and methods, demonstrating the actors’ knowledge of open-source tools and penetration testing software,” the researchers write. “We expect that this campaign, which shows no signs of stopping or slowing down, will continue to adjust its operations and methods with an eye to maximizing its financial gain.”


The Number of Phishing Attack Cases in Japan Hit an All-Time High

The number of reported cases of phishing to Japan’s Council of Anti-Phishing reached over 100,000 in July, just as a notice of scams impersonating Japan’s National Tax Agency is released.

Japan continues to work to address the mass increase in phishing attacks on both individuals and organizations. According to the Council of Anti-Phishing, just shy of 108,000 phishing cases were reported in a single month, and the Council detected over 49,000 phishing websites in that same month. For reference, the Council recorded about 526,000 cases across all 12 months of 2021.

These numbers represent a record high in Japan.

Last month, the Council also released a notice informing Japanese citizens of a new phishing and vishing scam that impersonates the National Tax Agency, informing recipients that they have delinquent taxes that need to be paid, soliciting personal details and credit card information. This specific campaign comes at a time when phishing attackers already impersonate over 100 companies and organizations including banks and mobile carriers.

The Council of Anti-Phishing asks that individuals pay special attention when receiving emails and texts with unexpected messages – something regularly taught to employees within organizations who undergo continual security awareness training.


Autonomous Detection & Response | How MDR Disrupts the Cyber Kill Chain

The only predictable thing about the cyber threat landscape is that you can always expect it to shift and move even faster than before. In the past year alone, businesses across the world witnessed a surge in cyber attacks, advanced in both severity and variety. Let’s take a look at some threat-related statistics from the last 12 months:

Reflecting on the current state of the threat landscape, it is clear that advanced persistent threats (APTs) and financially-motivated cyber criminals are seeing success. A key element to these modern threats is lateral movement or lateral spread – the movement of a threat actor within a compromised network. With this technique, actors are able to secure their foothold and start to move laterally through the remainder of a network to locate, steal, and encrypt sensitive assets and data for ransom.

Examining the Cyber Attack Lifecycle

Threat actors journey through a compromised environment using a defined process called the attack lifecycle, or kill chain. The cyber attack lifecycle is typically defined by the following phases:

  1. Reconnaissance/Planning – To kickstart the process, threat actors select their targets and perform as much research as they can including data about the target’s network infrastructure, users, and systems. By gathering this information, actors can better exploit their target and leverage any found vulnerabilities.
  2. Credential Dumping – After performing reconnaissance on their target, threat actors will focus on gaining initial entry into the environment. This is when actors will obtain legitimate credentials through fraudulent means and compromise as many hosts as possible.
  3. Enumeration – In this phase, threat actors have gained access and need to quickly figure out where they are in the environment, what access they have, and where they can start moving. This is when they will extract machine names, network resources, and more by performing directed queries.
  4. Lateral Movement Access – This is the most crucial part of the attack lifecycle from the threat actor’s standpoint. Once actors have what they need, they will begin to expand their foothold throughout the network using malicious tools to continuously upgrade their permissions, access critical data and systems, and distribute any malware and toolsets.
  5. Mission Completion – Once malware or toolsets are deployed, modern threat actors increasingly exfiltrate sensitive data before encrypting it, for better leverage over their victim.
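The enumeration and lateral movement phases above are the ones a detection team can actually see in authentication telemetry, because every hop leaves a network logon on the destination host. The following is an added example, not SentinelOne’s code or anything from the original article: a fan-out detector that reads Windows Security event 4624 network logons (LogonType 3) and alerts when one account, from one source address, reaches many distinct hosts within a short window. The log lines are constructed, and the ten-minute window, five-host threshold and service-account allowlist are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security log lines (not from any real environment). Event 4624 with
# LogonType 3 is a network logon; one account authenticating to many hosts from one source in
# a short window is the classic lateral-movement fan-out that follows enumeration.
CONSTRUCTED_LOG = """\
2022-08-16T02:14:03Z EventID=4624 LogonType=3 Account=CORP\\jdoe SrcIP=10.0.0.15 Host=FS01
2022-08-16T02:14:09Z EventID=4624 LogonType=3 Account=CORP\\jdoe SrcIP=10.0.0.15 Host=HR-PC07
2022-08-16T02:14:20Z EventID=4624 LogonType=3 Account=CORP\\jdoe SrcIP=10.0.0.15 Host=DC01
2022-08-16T02:14:31Z EventID=4624 LogonType=3 Account=CORP\\jdoe SrcIP=10.0.0.15 Host=SQL02
2022-08-16T02:14:44Z EventID=4624 LogonType=3 Account=CORP\\jdoe SrcIP=10.0.0.15 Host=BACKUP01
2022-08-16T02:15:00Z EventID=4624 LogonType=3 Account=CORP\\jdoe SrcIP=10.0.0.15 Host=FIN-PC03
2022-08-16T09:00:01Z EventID=4624 LogonType=3 Account=CORP\\asmith SrcIP=10.0.1.4 Host=FS01
2022-08-16T09:00:05Z EventID=4624 LogonType=2 Account=CORP\\bwong SrcIP=- Host=BWONG-PC
2022-08-16T09:05:00Z EventID=4624 LogonType=3 Account=CORP\\svc-backup$ SrcIP=10.0.0.9 Host=FS01
2022-08-16T09:06:00Z EventID=4624 LogonType=3 Account=CORP\\svc-backup$ SrcIP=10.0.0.9 Host=FS02
2022-08-16T09:07:00Z EventID=4624 LogonType=3 Account=CORP\\svc-backup$ SrcIP=10.0.0.9 Host=SQL02
2022-08-16T09:08:00Z EventID=4624 LogonType=3 Account=CORP\\svc-backup$ SrcIP=10.0.0.9 Host=DC01
2022-08-16T09:09:00Z EventID=4624 LogonType=3 Account=CORP\\svc-backup$ SrcIP=10.0.0.9 Host=HR-PC07
2022-08-16T11:30:00Z EventID=4624 LogonType=3 Account=CORP\\asmith SrcIP=10.0.1.4 Host=PRINT01
"""


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_fan_out(log_text, window=timedelta(minutes=10), threshold=5, allowlist=frozenset()):
    """Alert when one (account, source IP) pair logs on to >= threshold distinct hosts within
    `window`. Accounts in `allowlist` (backup, scanner, monitoring) are skipped: they fan out
    legitimately and are the main source of false positives for this rule."""
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["EventID"] != "4624" or rec["LogonType"] != "3":
            continue                       # interactive/local logons are not lateral hops
        if rec["Account"] in allowlist:
            continue
        by_source[(rec["Account"], rec["SrcIP"])].append((rec["ts"], rec["Host"]))

    alerts = []
    for (account, src), events in by_source.items():
        events.sort()                      # sliding window needs time order
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                 # drop events that fell out of the window
            if len({h for _, h in events[start:end + 1]}) >= threshold:
                window_end = events[start][0] + window
                hosts = sorted({h for t, h in events[start:] if t <= window_end})
                alerts.append({"account": account, "src": src,
                               "first_seen": events[start][0], "hosts": hosts})
                break                      # one alert per (account, source) is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_fan_out(CONSTRUCTED_LOG, allowlist=frozenset({"CORP\\svc-backup$"})):
        print(f"{alert['first_seen']} {alert['account']} from {alert['src']} -> {alert['hosts']}")
```

Run with the allowlist, only the jdoe session fires; drop the allowlist and the backup service account fires too, which is exactly the tuning conversation this rule forces. Event 4624 alone does not tell you whether the credential was typed, replayed from a dumped hash, or relayed, so pair the alert with 4648 (explicit credentials) and 4672 (special privileges) on the same hosts before calling it lateral movement.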

The Challenge of Shorter Dwell Times

In a cyber attack campaign, “dwell time” refers to the length of time between an initial breach to the detection of a threat actor. Research shows that threat actors are becoming more efficient, making the overall average timeframe for an attack much shorter than in years before. Gone are the days of dwell time being weeks and months – the main challenge for businesses now is to detect the presence of cyber threats as fast as possible. Many threat campaigns, particularly ransomware campaigns, only last a few hours and actors are often already within a victim’s network, just waiting to deploy.

Unfortunately, security solutions such as traditional SIEMs (security information and event management platforms), next-generation anti-viruses, and anti-malware just aren’t efficient enough when it comes to detecting modern threat actors quickly. Up against shorter dwell times and advanced hacker tradecraft, fast and accurate detection matters most in a strong cybersecurity strategy.

Preventing Lateral Movement Through Autonomous Detection

So, how fast does detection need to happen before it’s too late? Referring back to the cyber attack timeline, the reconnaissance and credential dumping phases become the most critical period, as threat actors have not yet moved deep into the compromised network through lateral movement. This is also before they have managed to blend in with normal network traffic or started to “live off the land”, which entails the use of native tools and processes to expand their foothold.

It’s often the case that with enough time and resources, threat actors can successfully meet their goals. The main goal then is to prevent the threat actors before they can reach the lateral movement phase and do critical damage. With threat actors becoming increasingly sophisticated, the time between initial intrusion and lateral movement continues to get shorter, making that quick detection time even more important.

When attacks happen, the speed with which an organization is able to detect and respond determines whether the threat actors can reach mission completion. This is why organizations rely on SentinelOne’s global Managed Detection and Response (MDR) service, Vigilance Respond. Utilizing SentinelOne’s patented autonomous detection EDR, Vigilance Respond defends networks against cyber attacks instantly and with a higher accuracy than any human team can provide. Vigilance monitors customer environments 24/7/365, hunting for advanced threats and providing a faster mean time to respond (MTTR).

How Vigilance Respond Disrupts the Cyber Attack Kill Chain

Businesses globally trust Vigilance to provide machine-speed detection technology run by dedicated analysts. Working around-the-clock, Vigilance allows organizations to adapt instantly, and at scale, in today’s ever-shifting threat landscape, closing the gap between intrusion and lateral movement and neutralizing the threat actor before they can begin to spread deep into a target’s systems. Vigilance Respond offers these services to ensure businesses are safeguarded:

  • Active threat campaign hunting for APTs
  • Alerting and remediation guidance for emerging threats
  • Incident-based triage and hunting
  • 24/7/365 monitoring, triage, and response
  • Security Assessment (Vigilance Respond Pro)
  • Digital Forensics Investigation & Malware Analysis (Vigilance Respond Pro)

Conclusion

Today’s threat actors may be moving faster than ever, but that doesn’t mean businesses can’t get ahead of them. Machine-speed detection technology run by dedicated analysts ensures organizations are safeguarded before actors can start moving laterally within their environments to exfiltrate and encrypt sensitive data.


Phishing and Malicious Emails Are Still the Primary Initial Attack Vector

As cybercriminals continue to evolve their techniques, they continue to rely on phishing as the most successful tried and true method of initial attack, according to new data from Acronis.

In its just-released Mid-Year Cyberthreats Report 2022, security vendor Acronis found that phishing continues to dominate as the cyberattacker’s favorite method of initial access. According to the report:

  • 1% of all emails are malicious in nature
  • Q2 saw a 10% increase over Q1 in the number of malicious URLs identified

Of all malicious emails:

  • 58% of them are phishing-related
  • 28% contain malware
  • 81% are a part of phishing campaigns
  • The average campaign targets 10 organizations

And the target? From the data, Acronis contends that leaked or stolen credentials were the cause of almost half of reported breaches in H1 2022, making it evident that cybercriminals understand the value of a corporate credential.

This should put the organization’s cybersecurity focus clearly on keeping their users from falling for social engineering tactics used within phishing attacks. Security solutions are a part of the answer, but the user themselves needs to be taught via Security Awareness Training to play a role of the vigilant employee that is always on guard against email- and web-based attacks seeking their credentials.

By enabling the user to help stop these attacks, organizations significantly reduce the threat surface and minimize the likelihood of a successful cyberattack of any nature.


Phishing Attacks Leveraging Legitimate SaaS Platforms Soar 1100%

As threat actors look for ways to evade detection by security solutions, the use of cloud applications has seen a material jump in the last 12 months, according to new data.

While we see plenty of cyberattacks that utilize dark infrastructure to accomplish their malicious activities, more and more we’re seeing a trend where threat actors are taking advantage of web-based application platforms to utilize their legitimacy to ensure phishing email delivery all the way to the Inbox.

In the latest report from Palo Alto Networks’ Unit 42, Legitimate SaaS Platforms Being Used to Host Phishing Attacks, we find that the increases are far greater than expected. According to the report, the following types of SaaS platforms were included in their analysis of phishing URLs:

[Image: types of SaaS platforms included in the analysis. Source: Palo Alto Networks]

What they found is a staggering and continually increasing trend of misuse of these platforms to host phishing URLs. In the 12 months between June 2021 and June 2022, the number of malicious phishing URLs hosted on them increased 1,100%.

[Chart: phishing URLs hosted on legitimate SaaS platforms, June 2021 to June 2022. Source: Palo Alto Networks]

According to the report, these sites were used for a number of purposes, including:

  • Design / Prototyping
  • Website Building
  • Form Building

The end result is websites that are made to look like legitimate impersonated brands for attacks focused on both credential theft and fraud.

And, given the “hockey stick” chart above, organizations should expect this to continue, making it more difficult to spot phishing emails via security solutions. This makes it necessary to employ users to play a role in identifying and stopping phishing emails – something they’ll need to be educated on via Security Awareness Training to do it effectively.


Researchers warn of darkverse emerging from the metaverse

ARN just reported: “The metaverse is seen by many companies as a great business opportunity and for new ways of working. Security provider Trend Micro, however, warns in a recent research report that cyber criminals could misuse the technology for their own purposes.

Security researchers predict that a kind of darknet structure could emerge there, similar to today’s Internet. The machinations of the cyber gangsters could even take place in protected rooms that can only be reached from a specific physical location and via valid authentication tokens. This would make their underground marketplaces inaccessible to law enforcement agencies. In fact, it could be years before the police can operate effectively in the metaverse.

Likely metaverse threat scenarios

The researchers warn that the Darkverse could become a platform for cyber threats, including:

  • Attackers target non-fungible tokens (NFTs), an increasingly popular means of defining property in the metaverse, for phishing, ransomware, fraud, and other attacks.
  • Criminals use the metaverse to launder money using overpriced virtual real estate and NFTs.
  • Criminal and state actors create manipulative narratives that reach vulnerable and receptive groups. Social engineering, propaganda and fake news have profound implications in a cyber-physical world.
  • Privacy is redefined. Operators of metaverse-like rooms have unprecedented insight into the actions of the users. Privacy as we know it no longer exists there.

“The metaverse is a multi-billion-dollar, high-tech vision that will define the next internet age. While we don’t know exactly how it’s shaping up, we already need to start thinking about how it might be exploited by threat actors and how we can build our own to protect society in a meaningful way.” comments Udo Schneider, IoT security evangelist at Trend Micro.

“In view of the high costs and legal challenges, law enforcement agencies will have difficulties monitoring the metaverse in general in the first few years,” Schneider is convinced. He demands: “The IT security industry must intervene now.” Otherwise, “a new Wild West would develop on our digital front door.”


State-Based Cyberattacks to be Excluded from Lloyd’s of London Cyber Insurance Policies

As cyber insurers evolve their understanding of the cyber attack landscape, who’s responsible, and what’s at stake, a logical next step is taken by Lloyd’s to better isolate what is covered and what isn’t.

It’s inevitable; cyberinsurers can’t blindly just cover every kind of cyberattack and pay out every time one happens – there are too many to count, and often times it’s the insured’s own employees that enabled an attack potentially covered by a cyber insurance policy.

A new market bulletin put out by Lloyd’s of London makes it clear that very specific types of attacks – those that are essentially akin to cyber warfare – are not going to be covered.

“We are therefore requiring that all standalone cyber-attack policies…must include, unless agreed by Lloyd’s, a suitable clause excluding liability for losses arising from any state backed cyber-attack.”

Some of the requirements around this exclusion includes:

  • Losses arising from a war
  • Losses arising from state backed cyber-attacks “that (a) significantly impair the ability of a state to function or (b) that significantly impair the security capabilities of a state.”

It also mentions that coverage with such an exclusion must also:

  • Specify whether computer systems outside an affected state (presumably within the context of the requirements above) are excluded or not
  • Provide an agreement between Lloyd’s and the insured as to “how any state backed cyber attack will be attributed to one or more states”

This makes a strong protective cyber posture all the more important, one that includes Security Awareness Training as part of a layered defense to prevent cyber attacks from ever gaining entrance to a victim network and wreaking havoc, state actor or not.


On this Carousell Ride, the Crooks Take the Brass Ring.

In a variation on a recently seen theme in which scammers pose as buyers on e-commerce platforms, victims in Singapore are being taken in by people offering to buy goods from them.

Carousell is a popular (and legitimate) Singapore-based consumer-to-consumer and business-to-consumer platform on which people can buy and sell both new and second-hand goods. The contact message from the scammer typically reads something like this: “I would like to pay for an item via FedEx. It’s easy. I will need your phone number to place the order, now I will send you a link to receive funds for the goods, you confirm the transaction and receive the money for the goods,” etc.

The link to “receive funds” is malicious, designed to harvest the victim’s banking credentials. The victims have been realizing something is amiss only after they find unauthorized transactions on their accounts. The Singapore Police urge anyone with information about the scam, whether they’re victims or witnesses, to call the police hotline or report what they know online. So far people have lost more than S$17,000 to the scammers.

This is a scam directed against consumers, but it’s not difficult to see how similar approaches might be made to employees of a business, especially of business-to-consumer firms whose transactions include trading over e-commerce platforms. New school security awareness training can help your employees spot scams like the ones currently taking a ride on Carousell.


Organizations Holding Cyber Insurance Policies May Get Stuck with the Bill in a Phishing Loss

Plenty of new anecdotal and legal case-based stories are demonstrating that just because your organization has a policy doesn’t mean it’s actually going to pay out after an attack.

In a recent article over at Business Insurance, an interesting topic was raised about how phishing scams, which remain a continual exposure for most organizations, seem to fall through the cracks of policy coverage. From the article:

Phishing coverage falls into a gap between cyber liability insurance, which typically responds to breaches, and crime policies, which cover money stolen from companies.

One of the reasons seems to be that cyber insurance policies are written to cover the insured should a particular crime (e.g., wire fraud) or action (e.g., data breach) be committed, as these result in significant impacts on the victim organization. But phishing, in and of itself, is merely the conduit for something more sinister, so it’s difficult to tie it into a policy.

Take the example of a user getting phished, falling for the attack and clicking on the link or the attachment… but nothing else happens – no malware, malicious download or script, nothing. This is a far cry from when a claim is made against a cyber insurance policy because hundreds of thousands of dollars were sent to the wrong bank.

See the difference?

The Business Insurance article is worth a read. It will get you thinking about how the organization needs to take matters into its own hands and put a stop to phishing, as the cyber insurance policy probably isn’t going to do much to assist after the fact. It’s one of the reasons we’re so passionate about organizations having a layered security approach to stopping phishing attacks that includes Security Awareness Training to empower users to assist in detecting and stopping attacks before they become “claim-worthy.”


Hybrid Vishing Attacks Increase 625% in Q2

Reaching a six-quarter high in Q2, hybrid vishing attacks have grown to more than six times the level seen in Q1 2021.

Vishing attacks – those that leverage voice calls as some part of the overall attack – have been in the news lately. With nearly half of organizations experiencing vishing attacks, this should come as no surprise. These response-based attacks (that is, an attack that requires the corporate user to interact) have been continually growing, according to the Q2 2022 Cyber-Intelligence Report from security vendor Agari.

According to the report, hybrid vishing attacks have jumped 625% since they started recording the presence of these attacks in Q1 2021.

[Chart: hybrid vishing attack volume by quarter, Q1 2021 to Q2 2022. Source: Agari]

We’ve covered some examples of hybrid vishing attacks before, such as the fake Amazon order confirmation email that requires the victim to call “Amazon” if the recipient has a problem (with the $1000 flat screen TV they’re being told they bought).

Hybrid vishing started with BazarCall, a spinoff of the Conti ransomware gang. Its cross-medium tactics actually help the cybercriminal establish credibility, making it more likely that recipients will fall victim to the scam, giving up personal details, credit card information, credentials, and more.

Users that undergo continual Security Awareness Training are taught to spot these kinds of scams – regardless of their believability or sophistication – and not respond, rendering these attacks dead in their tracks.
