Phishing Attack Steals $8 Million Worth of Cryptocurrency

Scammers stole $8 million worth of Ethereum from users of the Uniswap cryptocurrency exchange, according to Sujith Somraaj at Decrypt. Notably, the attackers relied purely on social engineering to pull off the theft, despite some early claims that they exploited a vulnerability in Uniswap’s underlying protocol.

“The phishing scam promised a free airdrop of 400 UNI tokens (worth approximately $2,200),” Somraaj writes. “Users were asked to connect their crypto wallets and sign the transaction to claim the malicious airdrop. Upon connection, the unknown hacker grabbed user funds through a malicious smart contract.”

The scammers used this malicious contract to trick the victims into granting access to their cryptocurrency.

“Notably, the code was not verified for the smart contract deployed on Etherscan—something most legitimate projects do,” Somraaj says. “After deployment, for collecting their airdropped tokens, the hacker tricked users into signing a transaction. Instead, this transaction served as an approval transaction, giving the hacker access to all the Uniswap LP (Liquidity Pool) tokens held by the user.”

Somraaj explains how the attackers were able to gain access to the funds.

“Whenever users add liquidity to Uniswap, they receive LP tokens in return as a representation of their liquidity positions,” Somraaj writes. “These tokens are transferable and use the ERC-721 token standard, like all other NFTs. Hence through an approval transaction, a third-party (the hacker wallet in this case) could spend funds on behalf of the user. After gaining access from the previous approval transaction, the hacker transferred all the LP tokens to his wallet and withdrew all the liquidity from Uniswap.”
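The approval step above is the whole attack: the victim signs a transaction that names the attacker's wallet as an operator for their tokens. As an added illustration (not code from the article, Uniswap or Etherscan), the following Python decodes the raw calldata of such a signing request and flags an approval whose grantee is not on an allowlist; the addresses and calldata are constructed, and only the two standard ERC-20/ERC-721 approval selectors are recognised.

```python
from typing import Dict, Optional, Set, Tuple

# 4-byte function selectors (first 4 bytes of keccak256 of the signature);
# these two are the standard values from the ERC-20 / ERC-721 ABIs.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",         # ERC-20 allowance / ERC-721 single token
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721 operator approval (all tokens)
}
MAX_UINT256 = 2**256 - 1


def decode_approval(calldata: str) -> Optional[Dict[str, object]]:
    """Decode an approval call; return None if the selector is not an approval."""
    data = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    sig = SELECTORS.get(data[:4].hex())
    if sig is None:
        return None
    if len(data) != 4 + 2 * 32:  # selector followed by exactly two 32-byte ABI words
        raise ValueError("malformed calldata for " + sig)
    words = data[4:]
    # ABI encoding left-pads each argument: the address is the last 20 bytes of word 0
    grantee = "0x" + words[12:32].hex()
    value = int.from_bytes(words[32:64], "big")
    if sig.startswith("setApprovalForAll"):
        # approved == true hands the operator every token the wallet holds in the contract
        return {"function": sig, "grantee": grantee, "unlimited": value == 1}
    return {"function": sig, "grantee": grantee, "amount": value,
            "unlimited": value == MAX_UINT256}


def assess(calldata: str, trusted_spenders: Set[str]) -> Tuple[str, str]:
    """Classify a signing request as ('ok' | 'review' | 'danger', explanation)."""
    approval = decode_approval(calldata)
    if approval is None:
        return "ok", "call grants no token approval"
    grantee = str(approval["grantee"])
    known = grantee.lower() in {a.lower() for a in trusted_spenders}
    if known:
        return "ok", f"{approval['function']} to allowlisted spender {grantee}"
    if approval["unlimited"]:
        return "danger", f"{approval['function']} gives unknown address {grantee} control of all tokens"
    return "review", f"{approval['function']} grants unknown address {grantee} a limited allowance"


# Constructed samples: placeholder addresses, not real contracts or wallets.
UNKNOWN_OPERATOR = "0x" + "ab" * 20
TRUSTED_ROUTER = "0x" + "cd" * 20
# The "claim your airdrop" request from the article: setApprovalForAll(unknown, true)
AIRDROP_BAIT = "0xa22cb465" + "00" * 12 + UNKNOWN_OPERATOR[2:] + "00" * 31 + "01"
# An unlimited ERC-20 approve(unknown, 2**256 - 1): the same outcome for fungible tokens
UNLIMITED_APPROVE = "0x095ea7b3" + "00" * 12 + UNKNOWN_OPERATOR[2:] + "ff" * 32
# A plain transfer(address,uint256) of 1 wei to the router: not an approval at all
PLAIN_TRANSFER = "0xa9059cbb" + "00" * 12 + TRUSTED_ROUTER[2:] + "00" * 31 + "01"

if __name__ == "__main__":
    for label, tx in [("airdrop bait", AIRDROP_BAIT), ("unlimited approve", UNLIMITED_APPROVE),
                      ("plain transfer", PLAIN_TRANSFER)]:
        print(f"{label}: {assess(tx, {TRUSTED_ROUTER})}")
```

Any wallet or browser extension that shows the decoded function and grantee before the user signs gives the same check; the point is that "claim airdrop" and "let this address move all my tokens" are the same transaction.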

People should always be wary when they see offers that seem too good to be true, particularly when cryptocurrency is involved. We tend to think of cryptocurrency transactions as something individual speculators engage in, but increasingly they touch many businesses as well. They’re novel enough that employees may find themselves gulled through simple unfamiliarity. New-school security awareness training can give your employees a healthy sense of suspicion so they can thwart social engineering attacks.

READ MORE

[Scam of the Week] Amazon Prime Day or Amazon Crime Day? Don’t Fall Victim to Phishing

As Amazon Prime Day approaches, Check Point Research is warning that Amazon Prime Day scams will ramp up very soon.

Per Check Point, “Last year during the month of Amazon Prime Day (June 2021) we witnessed an 86% increase in phishing emails relating to the occasion, and a 16% increase in phishing URLs compared to the previous month”. Check Point also discovered that there were almost 2K new domains related to ‘amazon’.

A few weeks ago we shared cybersecurity tips to stay safe on Amazon Prime Day. Make sure to give your users a heads-up that they need to Think Before They Click.

I would send your employees, friends and family something like the following. Feel free to copy/paste/edit.

“On July 12th, Amazon Prime Day will occur, and you may receive a phishing email for a good ‘deal’. Please be careful with anything related to Amazon Prime Day: emails, attachments, any social media, texts on your phone, anything. There will be a number of scams related to this, so please remember to Think Before You Click!”

New-school security awareness training will ensure your users are able to spot a suspicious phishing email tied to any recent or current event. Let’s stay safe out there!

READ MORE

One Employee’s Desire for a New Job Cost His Employer $540 million

A “Fake Job” scam allowed cybercriminals to gain entry to the network at Sky Mavis, makers of the game Axie Infinity, and eventually take the company for half a billion dollars in crypto.

I shake my head when I read about someone falling for a simple phishing scam with a poorly-written email, the need for a victim-user to open a PDF that then wants you to “log on” to Microsoft 365 first (c’mon, really??!?), and then a bogus logon page (the URL doesn’t even match!!!). But a new scam just reported that took place back in March is much more sophisticated and sinister.

According to The Block, hackers approached Sky Mavis developers via LinkedIn with a lucrative job opportunity at a fake company – including a process that involved multiple interviews and a job offer with “generous compensation.”

The final step in the job process was to download and open a PDF, which proved to be Sky Mavis’ downfall: it carried malware that gave cybercriminals access to the Sky Mavis network and, eventually, to Ronin, the Ethereum-linked sidechain.

What makes this attack so impressive is the cybercriminals’ expertise around Ronin and blockchain, enough to gain them access to the validator nodes. The attackers got hold of the private keys belonging to five of the nine validators, enough to steal Sky Mavis’ crypto assets to the tune of $540 million.

I’ve said it before and it’s worth saying again… it only takes one Phish.

Organizations need every employee with privileged access (which includes finance, administrative access to IT and, yes, developers) to undergo continual Security Awareness Training so that vigilance becomes second nature, especially in circumstances when emotions and hope run high and human defenses are down.

READ MORE

Lessons Learned from a Popular Hotel’s Recent Data Breach Involving Social Engineering

This week Marriott International, one of the largest hotel chains, suffered its second data breach of 2022. The breach took place in early June and was carried out by a group calling itself ‘Group with No Name’ (GNN), which used social engineering to trick one of the hotel’s employees into granting access to the hotel’s computer.

While the data breach affected only a small number of users, there are some valuable lessons to be shared about how important it is to implement new-school security awareness training across your whole organization.

“Organizations need to ensure that all employees are frequently educated about this type of social engineering, receiving training at least once a month followed by simulated phishing tests, to see how well employees understood and deployed the training,” said Roger A. Grimes, Data-Driven Defense Evangelist at KnowBe4. “Employees found to be susceptible to this particular type of phishing attack should be required to take more and longer training until they have developed a natural instinct to out these types of attacks.”

Unfortunately, social engineering attacks are not going away anytime soon. And it’s important that your organization does not become an easy target for attackers. Here are ten ways that you can make your organization a hard target:

  1. With any ransomware infection, nuke the infected machine from orbit and re-image from bare metal
  2. Get Secure Email Gateway and Web Gateways that cover URL filtering and make sure they are tuned correctly
  3. Make sure your endpoints are patched religiously, OS and 3rd Party Apps. Test the Flexera Personal Software Inspector on your workstation
  4. Make sure your endpoints and web gateway have next-gen, frequently updated (a few hours or shorter) security layers, but don’t rely on them
  5. Identify users that handle sensitive information and enforce multi-factor authentication for them
  6. Review your internal security policies and procedures, specifically related to financial transactions to prevent CEO fraud
  7. Check your firewall configuration and make sure no criminal network traffic is allowed out to C&C servers
  8. Leverage new-school security awareness training, which includes frequent social engineering tests using multiple channels, not just email
  9. You need to have weapons-grade backups in place
  10. Work on your security budget to show it is increasingly based on measurable risk reduction, and try to eliminate overspending on point solutions targeted at one threat or another

Valuable education resources such as our Social Engineering Red Flags infographic and more will teach your users to identify these types of attacks. Remember, social engineering attacks can only be successful because of one reason – USERS!

READ MORE

New Phishing Campaign Impersonates Canada Revenue Agency

A phishing campaign is impersonating the Canada Revenue Agency (CRA) in an attempt to steal Canadians’ personal information, according to Rene Holt at ESET. The phishing emails inform users that they’ve received a tax refund of just under CAD$500. The user is directed to click on a link to a spoofed Government of Canada site.

“Understanding how phishers abuse links in emails, the CRA has taken the wise strategy of not providing links in official correspondence and instead instructing clients to navigate on their own to the official website,” Holt writes. “If, however, you do click on the ‘Interac e-Transfer Autodeposit’ button, you are redirected from a malicious link hosted on istandyjeno[.]hu to the malicious subfolder cra_ca_service hosted on oraclehomes[.]com.”

While the phishing page is a convincing replica, users could recognize the site as a scam if they tried to visit other pages.

“Clicking on ‘Jobs’ simply populates the URL with the value of the id attribute of the HTML element for ‘Jobs,’” Holt says. “Next, if you click on the ‘Proceed’ button on the opening page, the next page asks for your personal information, including your social insurance number, date of birth, and mother’s maiden name – indeed, everything a phisher would need for identity theft.”

Holt offers the following recommendations for users to avoid falling for these scams:

  • “Consider whether the purported sender normally communicates via email in this way.
  • “Rather than clicking on links in an email, it is better to navigate manually to the official website of the apparent sender.
  • “Check for obvious mistakes in the email. For example, why would the Canada Revenue Agency send you email from guidovedebe@skynet.be?
  • “Always be wary of sharing your personal and financial information with any webpage.
  • “Familiarize yourself with the CRA scam alerts page, especially with the samples of fraudulent emails impersonating the CRA.”

READ MORE

80% of Organizations Await “Inevitable” Negative Consequences From Email-Borne Cyberattacks

With nearly every organization experiencing some form of phishing attack, new data suggests these attacks are improving in sophistication, effectiveness, and impact.

At some point there is a saturation point where every organization comes to grips with the reality of phishing attacks. And according to the State of Email Security Report from email security vendor Mimecast, we’ve reached it.

In their report, Mimecast asked 1,400 organizations about both what they’ve experienced and what they expect in the future around phishing attacks. And the results speak volumes:

  • Nearly every organization (96%) has been the target of an email-related phishing attempt in the past year
  • 79% of organizations have seen an increase in email volume
  • 75% of them are seeing an increase in email-based threats
  • 72% of them say the number of email-based threats had risen during the past 12 months
  • 52% feel cyberattacks are growing increasingly sophisticated

And these attacks are having a negative impact – for example, those organizations “hurt” as a result of a ransomware attack rose 23%, up to three-quarters in the last year – with 4 out of 10 organizations failing to recover the impacted data.

Mimecast shed some light on where the problem lies, with 95% of orgs citing insufficient funding, only 14% of IT budgets allocated to cyber resilience efforts, and only 23% providing Security Awareness Training on a “regular, ongoing basis.”

From the looks of things, cybercriminals are stepping up their game and organizations are falling behind. With users not properly (read: continually) trained on the importance of remaining vigilant against email-based cyberattacks, combined with insufficient funding for cybersecurity initiatives, I’m afraid the trends spelled out by Mimecast are only going to continue.

READ MORE

Bad News to Ransom Payers: 80% of You Will Face a Second Attack Within 30 Days

New insight into what happens during and after a ransomware attack paints a rather dismal picture of what to expect from attackers, your executives, and your operations.

I’d love to tell you that once you get through a ransomware attack, all will be well. But that’s just not the case. According to Cybereason’s Ransomware: The True Cost to Business report, the reality of mid- and post-attack circumstances is anything but resilient.

Let’s start with the fact that, according to the report, 73% of all organizations have experienced a ransomware attack in the last 12 months. And of those that were attacked, the question of whether the ransom was paid always comes up:

  • 41% paid to “expedite recovery”
  • 28% paid to “avoid downtime”
  • 49% paid to “avoid a loss in revenue”

But even after paying the ransom, 80% experienced a second attack and 68% were asked for a higher ransom!

Then there is the aftermath to the organization:

  • 54% still had corrupted systems or data
  • 37% had to lay off employees
  • 35% had a C-level resignation
  • 33% had to temporarily suspend business

What’s interesting is that 75% of organizations believe they have the right contingency plans to manage a ransomware attack, a number that hasn’t changed in the last year, according to Cybereason. This data point mixed with the aftermath stats above makes me think of the old adage “The best-laid plans of mice and men often go awry.”

So, while your organization “has a plan” to address ransomware, the only truly effective plan is to attempt to stop it all – a strategy that needs to include empowering your users with Security Awareness Training so they are able to distinguish legitimate email and web content from malicious content intent on kicking off a ransomware attack.

READ MORE

Wars and Lechery, Nothing Else Holds Fashion for Phishing Attacks

Shakespeare said it first, and things haven’t changed: suffering and desire continue to drive victims to the social engineers. Researchers at Bitdefender have observed a phishing campaign that’s using a phony dating site for men to meet Ukrainian women.

“[In] the past couple of weeks, spammers have been targeting internet users with a mixed bag of online dating opportunities such as mail order bride services and dating platforms where single western men can meet Ukrainian women,” the researchers write.

“Despite the ongoing conflict on Ukrainian soil, many dating platforms are still up and running. Since June 10, tens of thousands of spam emails promoting perfect matches between men and beautiful Ukrainian women targeted the inboxes of users from across the globe. The spam emails originate from IP addresses in Turkey. Sixty-six percent of messages arrived in inboxes in the US, 10% in Ireland, 3% in Sweden, Germany and Denmark, and only 2% in the UK.”

When a user visits the site, they’ll be asked to enter personal details, just as they would on a legitimate dating site.

“Upon filling out the requested information, users are directed to another online dating platform, where they can immediately start chatting with beautiful women,” Bitdefender says. “But there’s a catch. Interacting with single ladies on the platforms isn’t cheap. Packages can run into the hundreds of dollars and include sending emails, a limited amount of chat time, and unlocking all profile photos of single Ukrainian women.”

While users should exercise caution on any dating sites, this one in particular had many red flags.

“Behind all the smoke and mirrors, users risk a lot of money in searching for their soul mate,” the researchers conclude. “Moreover, the likelihood of actually communicating with a Ukrainian woman is slim. Dating platforms such as these are notorious for using bots to facilitate communication with as many users as possible. Profiles seem too good to be true and many customer reviews reveal that despite breaking the bank to set up a real-life meeting with the women active on the website, none have shown up.

The correspondence resembles a marketing romance scam, and although it does not align with the situation in Ukraine, it does profit from human emotional drivers and the lack of personal connection experienced by millions of individuals during the pandemic.”

READ MORE

MetaMask Crypto Wallet Phishing

A phishing campaign is attempting to steal credentials for MetaMask cryptocurrency wallets, according to Lauryn Cash at Armorblox.

“The socially engineered email was titled ‘Re: [Request Updated] Ticket: 6093-57089-857’ and looked to be sent from MetaMask support email: support@metamask.as,” Cash writes. “The email body spoofed a Know Your Customer (KYC) verification request and claimed that not complying with KYC regulations would result in restricted access to MetaMask wallet. The email prompted the victim to click the ‘Verify your Wallet’ button to complete the wallet verification.”

The link in the email leads to a spoofed MetaMask login page.

“Upon clicking the ‘Verify your Wallet’ button, within the email, the victim was redirected to a fake landing page – one that closely resembled a legitimate MetaMask verification page,” Cash says. “The victim was prompted to enter his or her Passphrase in order to comply with KYC regulations and to continue the use of MetaMask service. Attackers utilized MetaMask branding, logo, and referenced Passphrase credentials – of which all are associated with the legitimate MetaMask brand. This look-a-like page could easily fool unsuspecting victims, especially those who do not realize that MetaMask does not ask users to comply with KYC regulations.”

The phishing page also contained security advice in order to lend legitimacy to the scam.

“The language on the fake landing page even reminded victims to make sure his or her passphrase is always protected and to double-check that nobody is watching,” Cash writes. “It’s language like this that can evoke trust, one of the primary goals of the attacks. If victims fell for this attack, they would have entered their passphrase credentials, sensitive information that attacks were aiming to exfiltrate through this email attack…. The context of this attack also leverages the curiosity effect, which is a cognitive bias that refers to our innate desire to resolve uncertainty and know more about something.”

READ MORE

Pre-Hijacking of Online Accounts Is the Latest Method for Attackers to Impersonate and Target

Rather than run a complex credential harvesting phishing scam, attackers use existing information about their victim and hijack a popular web service account *before* it’s created.

I’m guessing that initial summary got you wondering “how exactly does someone hijack an account that doesn’t yet exist?” According to a new research paper put out by the Microsoft Security Research Center, a new class of attack has been identified called account pre-hijacking. The idea behind the attack is that a scammer has personal details about their victim (whom they likely want to impersonate). Instead of trying to get the victim to give up their credentials to, say, their Office 365 account (that would be incredibly targeted spear phishing, something that has only a remote chance of working), the attacker goes to a platform the user is not yet set up on and creates an account in the victim’s name first.

The paper mentions a few ways in which this works. Here are just two of them:

  • Two routes to account creation – if a web service supports both a federated means to create an account, as well as a “classic” service-specific method, the attacker creates both at the same time, using the victim’s email address hoping the service will merge the accounts, giving access to both the victim and the attacker.
  • Unexpired session – the attacker signs on to the pre-hijacked account, and sends a service notification to the user to reset the password. The hope is that the service will allow the older session to remain active, despite the victim setting the password and finalizing the account.

Regardless of the method, the intent is to gain access to a new account tied to the user’s email address. In the end, the attacker, if successful, is able to use the compromised account on the new platform, acting as the user. The researchers examined 75 popular services and found that at least 35 of these were vulnerable to one or more account pre-hijacking attacks.
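Both routes above depend on a service behaviour the provider controls, so they can be modelled alongside the fixes that defeat them. This added Python (not the paper's or any service's code; the service, account and e-mail names are constructed) refuses to merge an unverified classic account into a later federated sign-in, and revokes every session when a completed password reset proves mailbox control, so an attacker-held session from the pre-created account cannot survive the victim claiming it.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Account:
    email: str
    email_verified: bool = False   # True only once mailbox control has been proven
    password: "str | None" = None

class AccountService:
    def __init__(self):
        self.accounts = {}       # email -> Account
        self.live_sessions = {}  # session token -> owning email

    def _open_session(self, acct):
        token = secrets.token_hex(16)
        self.live_sessions[token] = acct.email
        return token

    def _revoke_all(self, acct):
        self.live_sessions = {t: e for t, e in self.live_sessions.items() if e != acct.email}

    def classic_signup(self, email, password):
        # Classic route with the weakness the paper relies on: a session is issued before
        # the e-mail address is verified, which is the pre-hijacker's foothold.
        if email in self.accounts:
            raise ValueError("account already exists")
        acct = self.accounts[email] = Account(email=email, password=password)
        return self._open_session(acct)

    def federated_login(self, email):
        # Mitigation 1: an existing record whose address was never verified is discarded
        # (its password and sessions with it) rather than merged with the IdP identity.
        acct = self.accounts.get(email)
        if acct is not None and not acct.email_verified:
            self._revoke_all(acct)
            acct = None
        if acct is None:
            acct = self.accounts[email] = Account(email=email, email_verified=True)
        return self._open_session(acct)

    def reset_password(self, email, new_password):
        # Mitigation 2: a completed reset proves mailbox control, so mark the address
        # verified and revoke every pre-existing session before issuing a fresh one.
        acct = self.accounts[email]
        acct.password, acct.email_verified = new_password, True
        self._revoke_all(acct)
        return self._open_session(acct)

    def is_valid(self, token):
        return token in self.live_sessions

def merge_route_scenario():
    """Returns (attacker password kept?, attacker session valid?, victim session valid?)."""
    svc, victim = AccountService(), "victim@example.test"
    attacker_session = svc.classic_signup(victim, "attacker-chosen")
    victim_session = svc.federated_login(victim)
    return (svc.accounts[victim].password is not None,
            svc.is_valid(attacker_session), svc.is_valid(victim_session))

def unexpired_session_scenario():
    """Returns (attacker session valid?, victim session valid?) after the victim's reset."""
    svc, victim = AccountService(), "victim@example.test"
    attacker_session = svc.classic_signup(victim, "attacker-chosen")
    victim_session = svc.reset_password(victim, "victim-chosen")
    return svc.is_valid(attacker_session), svc.is_valid(victim_session)
```

The same two rules (no merge without a verified address, and session revocation on any proof-of-ownership event) are what a service owner would test for when auditing their own signup flows against the paper's findings.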

Users will need to be made aware of these new techniques, particularly if they are likely to use an account on one or more of the most popular web-based services today. Enrolling users in Security Awareness Training will ensure that, should they receive a password reset notification for an account they haven’t set up themselves, the red flags are raised and they understand that this is suspicious at best and potentially malicious at worst.

READ MORE