FBI Warns of Fraudsters on LinkedIn

The US FBI has warned that scammers on LinkedIn are a “significant threat,” CNBC reports. Sean Ragan, the FBI’s special agent in charge of the San Francisco and Sacramento field offices, told CNBC in an interview that cryptocurrency scams have been particularly widespread recently.

“This type of fraudulent activity is significant, and there are many potential victims, and there are many past and current victims,” Ragan said. “So the criminals, that’s how they make money, that’s what they focus their time and attention on,” Ragan said. “And they are always thinking about different ways to victimize people, victimize companies. And they spend their time doing their homework, defining their goals and their strategies, and their tools and tactics that they use.”

LinkedIn stated in a blog post last week, “While our defenses catch the vast majority of abusive activity, our members can also help keep LinkedIn safe, trusted, and professional. If you do encounter any content on our platform you believe could be a scam, be sure to report it so that our team can take action quickly. This includes anyone who asks you for any personal information, including your LinkedIn account credentials, financial account information, or other sensitive personal data. We also encourage you to only connect with people you know and trust. If you’d like to keep up with someone you don’t know but that publishes content that is relevant to you, we encourage you to follow them instead.”

LinkedIn's blog post also listed the following warning signs of a scam:

  • “People asking you for money who you don’t know in person. This can include people asking you to send them money, cryptocurrency, or gift cards to receive a loan, prize, or other winnings.
  • “Job postings that sound too good to be true or that ask you to pay anything upfront. These opportunities can include mystery shopper, company impersonator, or personal assistant posts.
  • “Romantic messages or gestures, which are not appropriate on our platform – can be indicators of a potential fraud attempt. This can include people using fake accounts in order to develop a personal relationship with the intent of encouraging financial requests.”

New-school security awareness training can teach your employees to follow security best practices so they can avoid falling for social engineering attacks.

READ MORE

Smishing Text Scams Have Doubled in the Last Three Years

New data shows a rise in the use of text messages as an effective vehicle for reaching potential victims of social engineering scams, as Americans increasingly prefer that medium.

Historically, we see email as the primary communications vehicle for malicious content, but new data from spam blocking app vendor Truecaller in their Insights 2022 U.S. Spam & Scam Report shows a massive uptick in text-based scams. According to the report:

  • 85% of Americans say they have received a robotext (of any type)
  • Over half (58%) of Americans reported receiving more spam calls and/or text messages than they did a year ago.
  • The average number of spam texts per month is 19.5

One of the reasons for this massive increase may be the increased dependence on texting; according to the report, 60% of Americans prefer to use text, social media apps, and email as their primary means of communicating over voice.

The scams communicated over text vary, ranging from consumer issues such as changing cable TV providers to cybersecurity issues and data breach notifications.

[Figure: Types of robotexts received by Americans. Source: Truecaller]

The lesson to be learned here is that legitimate organizations rarely use text as the initial means of contact. Corporate users who undergo Security Awareness Training already realize this and are far less likely to fall for such scams, given the unusual nature of the communication and the use of text as the initial contact medium.

READ MORE

Monkeypox Scams Continue to Increase

Attackers are taking advantage of the current news about monkeypox to trick people into clicking on malicious links, Pickr reports. Researchers at Mimecast have spotted a phishing campaign that impersonates companies in an attempt to trick employees into visiting phony health safety sites that steal their information.

The subject line is designed to grab the user’s attention, stating, “Attention all [Company] Employees – Please Read and Comply.”

The emails then state, “[Company name] has been closely monitoring developments related to the Monkeypox outbreak, including all updates provided by the Centers for Disease Control, World Health Organization, and local health officials. In an effort to keep all team members safe and informed, as well as our business protected, included here are the precautions that have been put in place.”

The email includes a link that says, “Click here to complete Mandatory Monkeypox safety awareness training.” This link leads to a phishing site that steals the recipient’s information.

Tim Campbell, Head of Threat Intelligence Analysis at Mimecast, stated that criminals frequently take advantage of current news.

“Monkeypox is high on the news agenda so it comes as no surprise that cyber criminals are exploiting it,” Campbell said. “Cybercriminals adjust their phishing campaigns to be as timely and relevant as possible, using traditional attack methods to exploit current events in an attempt to lure busy and distracted people to engage with links in emails, applications or texts… Now, they are using monkeypox as an opportunity to send phishing emails to company employees for ‘mandatory monkeypox awareness training.’ As the phishing email is made to look like an internal company email, employees are at risk of clicking the link and entering their login details, which will then be stolen and used to access systems within the organisation and steal information.”

People have probably been primed by the COVID pandemic to take healthcare warnings seriously, and so bad actors will seek to use their attention against them. New-school security awareness training can give your employees a healthy sense of suspicion so they can recognize red flags associated with social engineering attacks.


READ MORE

A Closer Look at HR Scams: Does Niceness Have a Downside?

Threat actors are targeting HR employees who are looking to hire new people, according to Lisa Vaas at Contrast Security. As part of their job, HR employees frequently interact with people outside of the organization and are more likely to open external files. Attackers frequently take advantage of this by hiding malware within phony resumé files.

Vaas cites Dmitri Alperovitch, chairman of the Silverado Policy Accelerator, as saying in a talk at RSAC that North Korean threat actors are particularly fond of this technique.

“[One thing] that’s been really interesting to watch is their attempts to infiltrate organizations remotely by trying to actually get hired inside of these companies, particularly in the web3 crypto space, where they’re responding to advertisements,” Alperovitch said. “They’re saying they’re willing to do remote development work. They’re saying they’re from ‘a’ Bay Area, although in many of the interviews they failed to identify even the most common locations in ‘the’ [San Francisco] Bay Area.”

Attackers use job-listing and networking sites such as LinkedIn to identify potential targets.

“They’re still having a tough time actually passing these interviews, but they don’t have to pose as Bay Area natives when it comes to packing resumés with malware,” Vaas writes. “One example: In April, eSentire research showed that new phishing attacks, targeting corporate hiring managers, were delivering the more_eggs malware, tucked into bogus CVs. These campaigns sprang up a year after potential candidates looking for work on LinkedIn were lured with weaponized job offers: The offers dangled malicious ZIP archive files with the same name as that of the victims’ job titles, as lifted from their LinkedIn profiles.”

Niceness, to be sure, is a good thing, everything else being equal. But it can also render you vulnerable to scams and cons. Every employee needs to know that they should never click the “Enable content” button in a Microsoft Office document. New-school security awareness training can teach your employees how to avoid falling for phishing attacks.

READ MORE

Spear Phishing Campaign Targets Former Israeli Officials

An Iranian threat actor is conducting a spear phishing operation against Israeli officials, according to researchers at Check Point. The targets have included the former Foreign Minister and Deputy Prime Minister of Israel, a former Major General of the Israeli Defense Forces, and a former US Ambassador to Israel.

“One of the straightforward purposes of this campaign is to gain access to the inboxes of its victims, specifically for Yahoo inboxes from the flows we observed,” the researchers write. “The phishing pages include several stages: asking the user for their account ID followed by an SMS code verification page. It is interesting to note that the truncated phone number within the phishing page was customized specifically for the target, and it corresponds to the public records. We suspect that once the victim enters his account ID, the phishing backend server would send a password recovery request to Yahoo, and the 2FA code would allow the attackers to gain access to the victim’s inbox.”

Check Point notes that the attackers used an identity service to add legitimacy to their phishing sites.

“Using a legitimate service to facilitate an attack is always a great bonus for a threat actor,” the researchers write. “It saves resources and the need to develop anything on their own, not to mention that the target and any security solution would be less suspecting of a legitimate service. In this case, the attackers used validation.com, an identity verification service created by the domain registration giant NameCheap, that allows anyone to easily validate their customer’s identity by providing an option to scan an ID or documents directly from the webcam, or by uploading a file…. In this campaign, we have seen one redirection flow from Litby[.]us which leads to a URL on validation.com, and as part of our analysis, we had an indication that the attacker obtained the Passport scan of another high end target. This scan was likely collected by the same means, highlighting the effectiveness of this technique.”

READ MORE

The Good, the Bad, and the Necessary State of Cyber Insurance

New data from security vendor Sophos shows that while the prevalence of cyber insurance coverage has increased, it’s the experience of being attacked that is driving the need.

When the concept of cyber insurance was first introduced, it seemed like a shakedown and just another way for insurers to take the organization’s money. But today, according to Sophos’ just-released Cyber Insurance 2022: Reality from the Infosec Frontline report, cyber insurance policies are held by 94% of organizations.

So, what’s driving this adoption of cyber insurance?

Much of the adoption lies in organizations experiencing an attack and realizing they need insurance to potentially cover what their own cybersecurity stance doesn’t. According to the report:

  • 57% of respondents experienced an increase in the volume of cyberattacks on their organization
  • 59% saw the complexity of these attacks increase
  • 53% said the impact of these attacks had also increased
  • 89% of those hit by ransomware have cyber insurance against ransomware

The sheer prevalence of attacks and the massive impact they have on victims also appear to be driving adoption, as 70% of organizations not hit by ransomware still hold cyber insurance against it.

And it’s getting more difficult to obtain cyber insurance, as insurers evolve their understanding of what is a secure insured and what is not. According to the report:

  • 94% of those with cyber insurance said the process for securing coverage had changed over the last year.
  • 54% say the level of cybersecurity they need to qualify is now higher
  • 47% say policies are now more complex
  • 40% say fewer companies offer cyber insurance
  • 37% say the process takes longer

And even if you get a policy, there’s no guarantee the attack scenario you encounter is covered, as many organizations have needed to go to court over being paid out based on their policy.

So the best plan is to have as secure an environment as is possible – which includes securing your users with continual Security Awareness Training to minimize the threat of email- and web-based social engineering attacks designed to give attackers entrance into the organization’s network.

READ MORE

Approaching Ransomware Victims Privately

Researchers at KELA warn that ransomware gangs are increasingly refraining from mentioning their victims’ names after the initial attack, giving the victims a chance to pay up before the attack is publicized. This puts an additional layer of pressure on the victim to pay quickly, because it may allow them to avoid the reputational damage that’s among the biggest threats a victim faces. If the victim refuses to pay, the attackers can then publish their name and threaten to release the stolen data.

“KELA observed a few ransomware groups using relatively new intimidating methods which include publishing a victim without mentioning the company’s name,” the researchers write. “For example, Midas published a few victims claiming ‘a new company’ as their victim on their data leak site. If the victim did not pay, Midas would edit the post and add the victim’s name. Lorenz ransomware gang adopted the same practice and published a ‘new target company’ on their ransomware blog. Additionally, Everest data leak site operators used the same method: a Canada-based supplier was listed with a threat to leak 96 gigabytes of the company’s data, including over 10,500 personal records of Canadian citizens.”

The prolific ransomware gang Conti has adopted a similar tactic, using hidden blog posts to threaten the victims.

“In comparison to Everest and Lorenz who maintain ambiguity regarding victims’ names, Conti’s leaked chats showed that the gang prepared hidden blog posts about victims that can be accessed only via a specific URL,” KELA says. “The actors share this hidden blog post with a victim to intimidate them by showing how easily the victim’s data can be accessed. If a victim agrees to pay, the post is never released; if the negotiation fails, the blog becomes publicly accessible, and the victim’s name is disclosed.”

READ MORE

Karakurt Adds Irritating Phone Calls to its Crimes

The US Cybersecurity and Infrastructure Security Agency (CISA) and its partners have issued a joint alert on Karakurt, a data theft extortion group that harasses victims’ employees, customers, and business partners in order to pressure the victim to pay up.

“Karakurt actors have typically provided screenshots or copies of stolen file directories as proof of stolen data,” the alert says. “Karakurt actors have contacted victims’ employees, business partners, and clients with harassing emails and phone calls to pressure the victims to cooperate. The emails have contained examples of stolen data, such as social security numbers, payment accounts, private company emails, and sensitive business data belonging to employees or clients. Upon payment of ransoms, Karakurt actors have provided some form of proof of deletion of files and, occasionally, a brief statement explaining how the initial intrusion occurred.”

Unlike many similar gangs, Karakurt doesn’t encrypt the victim’s files after stealing the data, and instead relies solely on the threat of publishing the data online to damage the organization and its customers and partners.

“Karakurt actors have employed a variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation,” the alert says. “Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom. Known ransom demands have ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim.”

CISA notes that “some victims reported Karakurt actors did not maintain the confidentiality of victim information after a ransom was paid.” This should come as no surprise: ransom gangs cannot be counted on to keep their promises.

Most ransomware attacks begin with a human mistake, such as an employee falling for a phishing email. New-school security awareness training can give your organization an essential layer of defense by teaching your employees how to recognize social engineering attacks.

READ MORE

40% of CSOs say Their Organization is Not Prepared for Cyberattacks as Phishing is the Top Likely Cause of Breaches

A new survey of executives sheds light on how well organizations fared against cyberattacks in the last 12 months, as well as which attack vectors are expected to drive future breaches.

I’ve spent quite a bit of time here writing about the experienced and expected continued increases in cyberattacks due to the evolution of cybercrime-as-a-service, the partnerships between cybercriminal groups, and the increased sophistication of attacks.

In other words, cybercrime now operates fully like a legitimate business.

A new survey of executives from cybersecurity analysis vendor ThoughtLab provides a view into what transpired in 2021, and what execs are expecting moving forward. In their newly released report, Cybersecurity Solutions for a Riskier World, we see that both cybersecurity incidents and “material” breaches increased in 2021:

  • Organizations experiencing a cybersecurity incident grew 15% in 2021 over 2020, with just over one-quarter of organizations (26.2%) being involved in an attack
  • While material breaches were far less common, the percentage of organizations experiencing them (0.82%) in 2021 was a 24% increase over 2020

And when asked whether their organization is “well prepared for today’s rapidly changing threat landscape”, on average, 27% of all executives said they weren’t, with 40% of CSOs feeling even more strongly about their lack of preparedness.

When asked about the types of attacks that were responsible for the breaches, as well as which ones pose the highest risk over the next two years, a pattern of risk begins to emerge:

[Figure: cybersecurity attacks that cause breaches]

The top two highest risks for the foreseeable future are also two of the main causes for recently experienced breaches. They also all involve the unwitting participation of your users. And if you consider that the top initial attack vector in ransomware attacks is phishing, you can include some part of ransomware involving users as well.

What’s needed to protect organizations from future attacks is to prepare users. Prepare them for phishing, vishing, SMiShing, and social engineering, all commonly used methods of tricking users into engaging with the malicious content that is the catalyst for breaches. It’s only through Security Awareness Training that users begin to understand how attacks work, what tactics are used, and how to identify a malicious piece of content in email or on the web, reducing the likelihood that users will engage and help the attacker.

READ MORE

“Five Eyes” Nations Cybersecurity Authorities Issue Warning to MSPs of Stepped-Up Cyberattacks

The world’s five leading cybersecurity authorities have again issued a joint report about an increase in malicious cyber activity targeting managed service providers, an increase they expect to continue.

If you’re not familiar with the “Five Eyes”, it’s a term used to reference the cybersecurity agencies in the United Kingdom (NCSC-UK), Australia (ACSC), Canada (CCCS), New Zealand (NCSC-NZ), and the United States (CISA, NSA, and FBI). These agencies have independently issued warnings over the last few years, but it’s only now that attacks by cybercriminals on managed service providers (MSPs) have emerged as a problem in their own right.

Much like the supply chain attacks that have increased over the last two years, attacks on MSPs serve the same purpose for a cybercriminal: compromising the one MSP provides elevated access to a multitude of its customers.

In the “Five Eyes” joint report, several recommendations are made:

  • Improve the security of vulnerable devices including vulnerability management for all devices, with special focus on VPN solutions that provide external access.
  • Protect internet-facing services with particular focus on protecting against credential stuffing.
  • Defend against brute force and password spraying where pwned or compromised credentials can be used to attempt to gain access to MSP resources or networks.
  • Defend against phishing by using Security Awareness Training to educate users on how phishing attacks work, as well as phishing testing as a feedback loop to understand which users in your environment pose the greatest risk (and need more training).
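
The brute-force and password-spraying item above is easier to act on with a concrete detection. Below is an added example, not code from the Five Eyes advisory or any vendor, that classifies login-failure sources over constructed log lines; the line format, the addresses and the thresholds are assumptions chosen for illustration.

```python
"""Distinguish password spraying from brute force in authentication logs.

Added example, not code from the Five Eyes advisory or any vendor: a small
classifier over constructed, syslog-style login lines.  The log format, the
source addresses and the thresholds are assumptions chosen for illustration.
"""
import re
from collections import defaultdict

# Assumed line format: "<timestamp> auth: login <failed|ok> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: login (?P<result>failed|ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def constructed_log():
    """Build constructed sample lines: one brute-force source, one spraying source, one benign."""
    lines = [f"2022-06-20T09:00:{i:02d}Z auth: login failed user=alice src=203.0.113.7"
             for i in range(12)]                      # 12 failures against one account
    sprayed = ["bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan"]
    lines += [f"2022-06-20T09:05:{i:02d}Z auth: login failed user={u} src=198.51.100.9"
              for i, u in enumerate(sprayed)]         # one failure each across many accounts
    lines += [
        "2022-06-20T09:10:00Z auth: login failed user=bob src=192.0.2.5",
        "2022-06-20T09:10:05Z auth: login failed user=bob src=192.0.2.5",
        "2022-06-20T09:10:09Z auth: login ok user=bob src=192.0.2.5",  # mistyped, then fine
        "2022-06-20T09:11:00Z kernel: unrelated line that must be ignored",
    ]
    return lines


def failures_by_source(lines):
    """Map source IP -> {account: failed-attempt count}, skipping lines that do not parse."""
    table = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["result"] == "failed":
            table[m["src"]][m["user"]] += 1
    return table


def classify_sources(lines, spray_min_accounts=5, brute_min_attempts=10):
    """Label each source as brute_force, password_spray or benign.

    brute_force:    some single account was hit at least brute_min_attempts times
    password_spray: at least spray_min_accounts distinct accounts, each hit fewer than
                    brute_min_attempts times (the low-and-slow pattern that per-account
                    lockout thresholds miss)
    """
    verdicts = {}
    for src, per_account in failures_by_source(lines).items():
        worst = max(per_account.values())
        if worst >= brute_min_attempts:
            verdicts[src] = "brute_force"
        elif len(per_account) >= spray_min_accounts:
            verdicts[src] = "password_spray"
        else:
            verdicts[src] = "benign"
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(constructed_log()).items()):
        print(f"{src:15} {verdict}")
```

Raising `spray_min_accounts` above the number of accounts a source touched demotes it to benign, which is the knob to tune against your own baseline of normal failed logins.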
READ MORE