BLOG

A new phishing campaign impersonates MetaMask, informs victims their cryptocurrency wallets aren’t “verified” and threatens suspension.

Cybercriminals will go wherever they a) perceive the money is and b) wherever they have expertise in the scam. In the case of the latest attack on MetaMask users identified by security researchers at Bitdefender Labs, the mastermind behind this attack certainly understands how MetaMask works.

In the scam, the potential victim user is sent an email impersonating MetaMask, asking for their wallet to be verified:

Those that click the “Verify My MetaMask” are taken to a phishing site made to look like MetaMask’s website. On the site, the victim is asked to provide their recovery phrase (a sequence of ten random words established when the wallet is setup that can be used to recover access to the wallet should the credentials be lost).

Once the recovery phrase is provided, it’s game over for the wallet owner, and funds are difficult to recover.

The key to the success of this campaign is found in the urgency it creates; the threat of suspending the wallet if it is not verified is enough to make unsuspecting recipients of this phishing email act accordingly and give up their most secret details about their MetaMask wallet.

This use of urgency is found in nearly every phishing scam – whether targeting individuals or users within an organization. And it’s only through having a vigilant mindset when receiving an email like the one above that will cause the recipient to pause and scrutinize the email to determine whether it’s legitimate or not before following the instructions found within. This vigilance is established in organizations through continual Security Awareness Training designed to not just teach users that scams are everywhere, but how they work, what role the user themselves plays in a phishing attack, and how they can stop the attack by simply paying attention.

Technology is an ever-changing landscape where we evolve and improve year over year much like the Moore’s Law theory with processor speeds. Cybersecurity, on the other hand, becomes more complicated and more diverse with the evolution of software and hardware vulnerabilities, which drives a larger and more complicated digital landscape for security professionals. According to Gartner, among the top seven trends in Cyber Security for 2022 is Digital Supply Chain Risk. Given the recent history of successful supply chain attacks, this should come as no surprise to CISOs and CIOs. The question is: how can you prepare your organization to effectively protect against a supply chain attack?

What Is A Supply Chain Attack?

Rather than attacking an organization directly, a software supply chain attack targets the vendors of apps and other code used by the organization. Typically, the bad actors will look to exploit some weakness in the vendor’s development cycle and attempt to inject malicious code into a signed and certified application.

By contaminating update servers or development tools, inserting code into executables, or simply replacing real packages with fake ones, adversaries can gain access to victims further along the supply chain.

A Brief History Of Supply Chain Attacks In The News

Here’s a quick breakdown of the most impactful supply chain attacks over the last decade or so.

RSA Security – 2011

• Compromised RSA’s “seed warehouse” for SecurID tokens.
• Allowing for the attacker to clone to break into other systems leveraging SecurID tokens.
• Attack delivered via spearphish with attachment “2011 Recruitment plan.xls” from a HR partner org!
• Used zero day Adobe Flash Player to drop a Poison Ivy RAT.

Target – 2013

• A heating, ventilation, and air conditioning (HVAC) supplier allowed access into Target.
• The hackers compromised Target’s server and placed the malware on POS devices across their entire store network.
• Compromised over 40 million credit and debit cards.
• 18.5 million in settlement claims and untold reputation damage. Even Target has estimated this has had over $200 million in impact.

CCleaner – March 2017

• Hugely popular software (2BN total downloads by 2017) compromised to include a backdoor ‘ShadowPad’.
• Piriform breached via stolen TeamViewer creds, then installed ShadowPad malware to infect software distribution systems.
• Binaries were being legitimately signed!
• Allowed the attacker to record keystrokes and included a password stealer.
• 2.27M compromised downloads, with 1.65M communicated with CnC server.
• 40 PCs targeted with 2nd stage infection.

ASUSTek Computer – 2019

• ASUS Live Update Utility service delivered malware to 1000s of customers.
• Impacted up to 500,000 computers.
• Targeted 600 specific hardcoded MAC addresses.
• Legitimate code signing certificate used.
• Operation ShadowHammer had similarities to ShadowPad, group also linked to CCleaner attack.

SolarWinds – December 2020

• SUNBURST malicious code deployed by SolarWinds Orion official updates.
• Widely trusted software vendor with 300,000 customers.
• Impacted some 18,000 customers.
• Malware waits 12 days before executing and initiating to its C2.
• 264 days from malware compilation, to detection in December.
• High value targets including security vendor and US Gov.

Kaseya – July 2021

• Kaseya VSA software used to deliver ransomware.
• Compromised approx. 1500 customers.
• Attackers leveraged two (known) vulnerabilities in the VSA software.
• Financially motivated – $70M ransom.
• Russia linked group REvil took credit leveraging their ransomware; also, behind June 2021’s JBS ransomware attack.

Based on these previous attacks, we can determine the following are the primary focus for threat actors:

• Targeting insecure software for building systems or large-scale updating platforms.
• Targeting custom in-house development or specialized code/firmware.
• Using stolen certificates to sign apps, making themselves look like a trusted 3rd-party product or a product developed in house.
• Exploiting vulnerable devices, from network gear to IoT and POS, allowing for the shipment and movement of pre-installed malware.

How To Protect Against Supply Chain Attacks?

As we’ve learned from the trends of supply chain attacks, we need to encourage strong security practices from our software vendors and developers, then prepare for those who are not meeting those standards.

For the organization looking to protect against supply chain attacks, there are a number of action points that should be implemented.

First of all, be sure to enforce strong code application integrity policies to allow only authorized apps to run. This can be accomplished by leveraging SSO Authorization Code Grant or leverage an Application Control platform for your organization.

Next, make sure that you leverage a strong Endpoint Detection and Response (EDR) solution that can automatically detect and remediate suspicious activities in real time. When looking into an EDR solution, make sure it’s meeting your company’s minimum criteria and view the MITRE ATT&CK Evaluations when comparing products. Some crucial questions to take into consideration are:

• How does the EDR solution protect your assets? Does it require an Agent? Is it Agentless? If you don’t have an agent, what features are you missing leveraging an Agentless EDR solution?
• What Devices or Operating Systems (OS) are not Covered by the EDR Security Solution? How many different types of agents/policies are needed to expand to these different OS’s?
• Does this EDR Solution expand to Cloud Platforms?
• Does this EDR software provide easy integrations with other systems?
• How much automation does the EDR provide out of the box?
• How long can I store data with this EDR solution? Most organizations need a minimum of two to three months of logs for audit purposes.
• If your company has a merger and acquisition, how complicated would it be to combine your EDR solution with theirs?

Aside from ensuring you have the right endpoint detection and response solution to meet your business needs, consider using an open and flexible security platform that can maximize your visibility. An Extended Detection & Response (XDR) platform can offer flexibility, visibility and peace of mind knowing you have a single place to go in the event of a cyber security attack. XDR also offers better ROI and can make your company more cost efficient by finding trends and bad practices within your organization.

Of course, even with the right technology in place, it’s still vital to be prepared for data loss or denial of service with secure backups and regular redeployment testing. While ransomware attackers have evolved their extortion tactics to beyond mere denial of service, effective backups remain necessary due to the possibility of local disasters or just general hardware failure. You should follow a standard that meets the risk level you’re comfortable with, whether that is the 3-2-1 backup rule or 3-2-1-1-0 or 4-3-2. Stick with a plan and make sure you’re securing these backups to prevent tampering, then have a schedule or audit where you test these backups.

Drive a Cybersecurity-Centric Culture

Besides making sure your technology stack is up to scratch for a modern enterprise, there are other changes needed. It’s crucial to drive a Cybersecurity-Centric Culture in your company to make sure that your investment in technology reaches its full potential.

There has been plenty of good research into how to effectively implement a cybersecurity-first culture, but in essence it boils down to the following.

• Empowering People—Cybersecurity culture empowers people with the sociological and psychological skills that are required to work with cybersecurity technology and processes.
• Projecting cybersecurity meaning—Within the enterprise, the importance of the people, technology and processes of cybersecurity is understood. The consequences of ignoring cybersecurity’s technological and financial risk are addressed.
• Establishing stakeholder partnership and collaboration of key players—A network of cybersecurity stakeholders is defined and managed. Stakeholders include employees, managers, government agencies, senior executives, boards of directors, technology providers, consulting providers, and education and training providers.
• Providing an education and training road map—An appropriate education and training program that encompasses the people, technology and processes of cybersecurity is integrated and delivered.

Empower Security Hygiene for Developers

For the software vendors and developers needing to improve their security posture to prevent the opportunity of supply chain attacks, start considering the following options:

• Maintain a secure infrastructure around update/build management.
  • Don’t delay on security patches for either OS/Software driven vulnerabilities.
  • Require mandatory integrity controls to ensure only trusted tools can run in your organization; investigate into implementing CISA Zero Trust Maturity Model.
  • Look into passwordless authentication and require Multi-Factor Authentication (MFA) for all admins.
• If you haven’t already, build secure software updaters as part of your Secure Software Development Lifecycle (SSDLC).
  • Require SSL for update channels and implement certificate pinning.
  • Everything should be signed, including configuration files, scripts, XML Files, and packages.
  • Don’t allow your updater to accept generic input or commands, require digital signatures.
• Develop an Incident Response (IR) plan for supply chain attacks, create a runbook and actually stress-test it with attack simulations.

Conclusion

Bad actors are always looking for an easy buck, with the least amount of resistance for the biggest opportunity, and supply chain attacks are still on the radar for these groups. The landscape is getting even more complicated with 9 out of 10 companies leveraging open-source software projects. Add to that the growing use of Internet of things (IoT) for cars and smart devices like appliances, door locks and thermostats, as well as the growth of IoT in healthcare and industrial/energy, and you have a never-ending expansion of the attack surface in almost every organization.

It is essential that organizations review their cybersecurity requirements, gain visibility into supply chain dependencies, and be prepared with modern tools and practices to help contain and prevent future supply chain attacks.

Netflix lost 200,000 subscribers in the first quarter of 2022 and is expecting another two million will walk away from the service before the end of June.

The shock disclosure – which was part of Netflix’s routine earnings call – wiped US$54 billion off the company’s market value in a single day with its price tumbling by 35 per cent from US$348 on Monday to US$226 by close of trading on Tuesday, local time.

“Our revenue growth has slowed considerably,” the company said in a letter to shareholders.

“Streaming is winning over linear [TV], as we predicted, and Netflix titles are very popular globally.

“However, our relatively high household penetration – when including the large number of households sharing accounts – combined with competition, is creating revenue growth headwinds.”

Netflix has forecast an increase in this downtrend and has braced shareholders for a further two million subscribers to leave the platform by the middle of the year.

“COVID clouded the picture by significantly increasing our growth in 2020, leading us to believe that most of our slowing growth in 2021 was due to the COVID pull forward,” Netflix said, chalking the negative subscription movement up to four factors.

First is the uptake of broadband-connected household TVs around the world, an uncontrollable factor that should bring more customers over time but which has slowed somewhat.

Then there is Netflix’s estimate that 100 million households share an account.

While the proportion of account sharing hasn’t changed much, the company said, it does limit the number of new customers that can be acquired.

As such, account sharing is something Netflix wants to either rein in or find a way to better monetise by charging people more if they share credentials with people outside their household.

“So if you’ve got a sister, let’s say, that’s living in a different city, you want to share Netflix with her, that’s great. We’re not trying to shut down that sharing,” Netflix chief product officer Gregory Peters said on the recent earnings call.

“But we’re going to ask you to pay a bit more to be able to share with her and so that she gets the benefit and the value of the service, but we also get the revenue associated with that viewing.”

Competition was the third factor because, as us consumers are constantly aware, there is now a wealth of different streaming platforms from major brands and well-established studios taking up a larger share of the on-demand video market.

Finally, ongoing macro-economic factors like inflation concerns, ongoing slow economic growth, and Russia’s invasion of Ukraine as causes for the subscriber slip.

When asked if Netflix would consider a cheaper subscription tier that incorporates advertising into the videos – a model in use by its competitors Hulu and Disney – the company’s co-founder and co-CEO Wilmot Hastings said Netflix was exploring that option.

“I don’t think we have a lot of doubt that it works, that all those companies have figured it out,” he said.

“It would be a plan layer. So if you want the ad-free option, you’ll be able to have that as a consumer.

“And if you would rather pay a lower price and you’re ad-tolerant, we’re going to cater to you also.”

Looking at a regional breakdown of Netflix’s membership numbers, only Asia Pacific saw growth in net paid membership from January to March 2022, adding 1,000,000 new subscribers.

But in North America, South America, and the large Europe, Middle East and Africa segment, memberships dropped considerably.

North America saw the biggest total drop in numbers with 636,000 people abandoning their monthly Netflix payment.

Social media companies, particularly LinkedIn, are now the most impersonated brands in phishing campaigns, researchers at Check Point have found.

“Social media networks have now overtaken shipping, retail and technology as the category most likely to be targeted by criminal groups,” the researchers write. “So far this year, LinkedIn has been related to more than half (52%) of all phishing-related attacks globally, marking the first time the social media network has reached the top of rankings. It represents a dramatic 44% uplift from the previous quarter, when LinkedIn was in fifth position and related to only 8% of phishing attempts. LinkedIn has now overtaken DHL as the most targeted brand, which has now fallen to second position and accounted for 14% of all phishing attempts during the quarter.”

Shipping companies are still in second place, with DHL and FedEx impersonation accounting for a significant portion of phishing attacks.

“Shipping is now the second most targeted category, with threat actors continuing to take advantage of the general rise in e-commerce by targeting consumers and shipping companies directly,” the researchers write. “DHL is second to LinkedIn, accounting for 14% of phishing attempts; FedEx has moved from seventh position to fifth, now accounting for 6% of all phishing attempts; and Maersk and AliExpress have entered the top ten list for the first time. Our report highlights one particular phishing strategy that used Maersk-branded emails to encourage the download of spoof transport documents, infecting workstations with malware.”

Attackers have also impersonated shipping giant Maersk with phishing emails that deliver the Agent Tesla malware.

“During the first quarter of 2022, we observed a malicious phishing email that used Maersk’s branding and was trying to download the Agent Tesla RAT (Remote Access Trojan) to the user’s machine,” the researchers write. “The email which was sent from a webmail address and spoofed to appear as if it was sent from ‘Maersk Notification (service@maersk[.]com)’, contained the subject, ‘Maersk : Verify Copy for Bill of Lading XXXXXXXXX ready for verification.’ The content asked to download an excel file ‘Transport-Document’, that would cause the system to be infected with Agent Tesla.”

The NSW government needs to do more to protect gig economy workers from exploitation if the state is to continue taking advantage of ride share and delivery services, a parliamentary inquiry has found.

Handing down its first report, a NSW committee on the impacts of technology on the future of work has recommended the government build in greater legislative protections for gig economy workers and should require platforms to be more transparent about their workers’ payments.

The committee has now published 22 recommendations following two years’ worth of hearings in which it learned how the ‘independent contractors’ hired by the likes of Uber, Lyft, and Menulog are treated.

Committee Chair Daniel Mookhey said the lack of minimum wages, paid leave, and poor safety standards have been a major concern for the inquiry.

“The cyclist who delivers our Friday night takeaway receives next to none of the conditions long considered fair and decent across Australia,” he said.

“The job itself also puts workers in very real danger of injury, abuse and harassment.

“From extensive evidence over eight hearings to date, the committee has concluded that current laws perpetuate the overwhelming power imbalance between lone ‘contractors’ and multinational platform companies, rather than mitigating it.”

Gig economy workers are typically classified as ‘independent contractors’, not employees, allowing the companies that pay them to forego penalty rates, leave arrangements, and other benefits associated with being an employee.

For the likes of Uber, Lyft, and Amazon among others, ‘independent contractors’ have opened space for them operate lean, scalable businesses that can tap into casual workforces in markets around the world.

Likewise, fast food chains and restaurants that didn’t run their own delivery services could latch onto platforms and send their products to customers’ homes.

True cost of delivery

The committee heard of further economic benefits from the gig economy’s freedom in NSW such as job creation, a lower barrier of entry for work, and the ability for full- or part-time workers to earn supplementary income.

For workers – the platforms profess – one major benefit of gig economy work is flexibility of hours, something Amazon alludes to with the name of its ‘last-mile’ delivery platform Amazon Flex which must now pay its NSW gig economy drivers a minimum hourly rate.

But the flipside of this highly casualised work, as noted by Mookhey, is a severe lack of income protection, convoluted dispute resolution systems, and difficult working conditions that led to at least five deaths in Australia in late 2020.

“Inquiry participants advised the committee that a primary way that rideshare and food delivery platforms exert a high level of control over their workers is through their models of algorithmic management,” the inquiry’s first report said.

“This is because these platforms’ algorithms determine the allocation, remuneration, chastisement and even the termination of labour.”

Workers said they felt pushed by the algorithms to deliver food faster and are “encouraged to take health and safety risks to support themselves and their families”.

When workers are injured or killed at work, platforms tend to hide behind the ‘independent contractor’ status of their workers to avoid paying comensation.

In the US, the classification of workers as ‘independent contractors’ has led to recent stories about workers’ families still having to pay for funerals after their loved ones were murdered on the job.

Possible protections for gig economy workers recommended by the committee include legislative changes to provide food delivery and rideshare drivers with the same protections as independent transport workers.

The government has also been recommended to establish a “system of collective bargaining” for gig economy workers.

Temporary residents, students, and people who speak a second language at home are all more likely to be gig economy workers, which is most common among young males aged 18-34.

Its early-April announcement had some crying ‘April Fool’ and pulling out the Bane memes, but Dyson’s space-age Zone air filter was quickly confirmed as a very real addition to a growing family of wearable air filters that have fans intrigued and experts concerned.

Marketed as ‘air-purifying headphones’, the Zone kills two birds with one stone by bundling Dyson’s first-ever audio headphones – a hi-fidelity, noise-cancelling design – with an unusual crossbar that encircles the front of the face.

Whether or not the unit is playing audio, its built-in filter purifies ambient air and blows the filtered stream directly across the wearer’s nose and mouth – providing a bubble of clean air that works as an alternative to conventional filtration masks.

The speed of airflow can be adjusted to, for example, provide more air when walking briskly or running.

“We’ve spent a lot of time developing purification systems to go in people’s homes, and we want to provide that same benefit for someone when they’re on the tube train commuting,” Dyson explained.

Taking the Zone from drawing board to working product took Dyson’s engineers six years of research and 500 prototypes, as they worked to miniaturise the drum-sized filters used in the company’s room air purifiers to a size where they could be built into the headphone speakers.

Thousands of filters were tried before the company settled on a design built around electrostatic media, which attracts the dust particles from the air rather than relying exclusively on pushing massive volumes of air through the units.

Dyson markets the technology as being intended for polluted city environments, where pervasive clouds of smoke and haze compromise air quality and make breathing difficult –potentially causing breathing difficulties and asthma attacks in many people.

With around 10.7 per cent of Australians suffering from asthma, the promise of portable filtered air may rapidly help shape the target market for the Zone – which will be released later this year into a global market where competitors have already tried to cash in on widespread awareness of air quality caused by the COVID-19 pandemic.

LG, for its part, last year released an air-purifying mask with a more conventional mask-like shape that snugly covers the mouth and nose, with a mid-year update adding built-in microphone and speakers to ampilfy the wearer’s voice after revelations the unit’s design was an effective muffle.

Razer has also released a portable air filter, with its Zephyr offering colourful lights and twin filters that looks more like the respirators an automotive spray painter might use.

Air Ring has offered yet another design, hiding the filter behind the neck and delivering clean air across a face-covering visor.

Throw in an array of wearable air purifier necklaces, and the options for portable air filtration are only continuing to expand.

But is it COVID safe?

Although more than two years of pandemic have normalised the wearing of face coverings, Dyson and its rivals are pushing the concept into new territory – and potential buyers must be aware that they are not making any claims that the units offer effective protection against COVID-19.

Air Ring, for its part, integrates N95 HEPA filters and a virucidal UV-C light, while Razer is quick to point out that the Zephyr “is not a N95 mask/respirator” despite claiming that it filters 99 per cent of bacteria from the air.

Asked whether the Zone’s FFFP2 filter would protect against COVID-19 particles, a Dyson representative told a Slate reporter that the visor “acts as a physical barrier against forward projection”.

Yet masks work by surrounding the mouth and nose with a filter – meaning that the Zone’s open design won’t stop an infected person spreading COVID.

One expert told Slate it was “irresponsible” to wear something that would actually accelerate exhaled COVID particles, speeding their spread into the surrounding air.

Others weren’t as concerned, noting the unit’s low-powered fan and the fact that it is most likely to be worn outside where the risk of transmitting the COVID-19 virus is lower.

Just how effective the device is, or isn’t, as a mask replacement won’t be known until it’s released later this year – but its potential value for urban asthma sufferers could rapidly change it from a design oddity into a lifesaver.