BLOG

The growing interest in new cryptocurrencies and the potential to get in early on Amazon’s supposedly forthcoming crypto has scammers taking victims for thousands of dollars.

Investing in cryptocurrency is seen by some as a legitimate means to make money on gains, as well as other crypto-financial vehicles that include staking, pooling, and farming. So, it makes sense that scammers are looking for ways to rob their victims of cryptocurrency rather than risk breaking into bank accounts, using stolen credit card details, etc.

In a new crypto token scam documented by security researchers at Avast, scammers are posting ads looking like they are from legitimate news sources on the web informing the reader of a “presale” of the Amazon token “$AMZ”.

Source: Avast

The websites used look clean and professional and don’t hint much at all that they aren’t Amazon’s. With pages that promote Prime membership benefits, a roadmap for the token, and a clear call to action to “Buy Token” (note: one of the red flags!), this scam gets “buyers” to cough up any of a number of accepted cryptocurrencies as payment.

Source: Avast

Once an account is created, victims are even provided a fake “portfolio” page, providing additional opportunities to “purchase” these nonexistent tokens.

Source: Avast

This is a very creative and well-executed scam. We’ve covered a similar scam back in 2019 with Facebook’s Libra cryptocurrency. The difference with this new scam is the professionalism in the execution. And, while the goal is to simply take the victims legitimate crypto as payment, it could just as easily be attempting to get the victim to download and open/install a malicious document. Organizations should still be wary of such scams, as the potential for corporate impact is real. Users undergoing Security Awareness Training will see the scam for what it is at the start – the URLs the “legitimate” news ads point to are as bogus as they come – making it important to enroll users in continual training to be sure they don’t fall for these and similar scams.

More than half (55%) of phishing attacks target IT departments, according to research commissioned by OpenText. Additionally, nearly half of survey respondents said they had fallen for a malware phishing attack.

“The most common form is a standard untargeted mass phishing attack,” the researchers write. “Nearly one in five of the respondents to the IDG survey said they either were definitely targeted by such an attack (37%) or suspect they were (42%). Next most common is a malware attack, where the user gets an email with an attachment — usually a Microsoft Office document — that launches malware if clicked on. Among the respondents, 44% confirmed they were the victim of such an attack and 23% suspect so.”

Many respondents also said that malware phishing attacks are very hard to identify.

“Malware attacks joined search engine phishing and clone phishing as the most difficult types of attacks to recognize and avoid, all cited by around one-third of the respondents,” the researchers write. “Search engine phishing involves fake websites that show up in search engine results, including in paid ads. Often posing as some type of financial institution, the sites then entice users to enter personal information, including banking credentials.”

The report found that the consequences of phishing attacks range from data breaches, lost revenue, downtime, legal troubles, and reputational damage.

“More than a third (37%) cited exposure of sensitive data, and 32% said they’ve suffered lost productivity,” the researchers write. “One in five had suffered a loss of revenue from phishing, and nearly as many (19%) had had to pay legal or regulatory fines. Perhaps worse, more than one-third (37%) reported that their organization had suffered downtime lasting longer than a day as a result of phishing attacks. Larger organizations (500 to 999 employees) were far more likely to report such downtime, at 44%, versus 14% for small companies (25 to 100 employees). Larger organizations are also more likely to report negative consequences from phishing, especially exposure of sensitive data: nearly half (49%) of all the respondents from large companies, versus 35% for medium (100 to 499 employees) and 16% for small companies.”

New-school security awareness training can give your organization an essential layer of defense by enabling your employees to recognize phishing attacks.

New data shows a huge disparity between the likelihood of cyberattack against U.K. organizations and their employee’s cybersecurity awareness and vigilance.

New data put out by security vendor Armis paints a rather disconcerting picture of U.K. workers when it comes to their role in aiding the organization’s cybersecurity efforts. According to Armis, despite the fact that a majority of workers (60%) have stated they’ve personally experienced a cyberattack, only 27% of them recognize the cyber risk associated with interacting with email and the web. In addition, one in 9 employees (11%) don’t care about cybersecurity at all!

What makes this issue of users not being aware of or concerned about cyberattacks is the number one type of attack experienced by users (according to Armis): phishing. With more than one-quarter (27%) of U.K. workers experiencing phishing attacks using social engineering to trick victims into giving up credentials, credit card data, and more, it’s imperative that users are made to be part of the organization’s security stance.

And given we’ve seen how U.K. workers have posed a cybersecurity risk historically, this new data is alarming.

This should be a wake-up call to business leaders and cybersecurity executives that your workers are your weakest link and your greatest risk. Workers need to be placed in continual Security Awareness Training that educates them on various kinds of cyberattacks they may face, while reinforcing their role as part of the organization’s cyber defenses.

A phishing campaign is impersonating Pfizer with phony request-for-quotation (RFQ) emails, according to Roger Kay at INKY. The email lures had fairly convincing PDF attachments that didn’t contain any malicious links or malware, and instead prompted the user to reach out to the scammer for more details.

“They both claimed that Pzifer was requesting quotes for various industrial engineering supplies, and both had PDF attachments that impersonated Pfizer,” Kay says. “The PDF was three pages long and had a few inconsistencies (e.g., different due dates on different pages), but, in general, looked pretty good. The discussion of payment methods and terms set the recipient up for the idea that they would have to share banking details at some point.”

Kay notes that the attackers used several measures to help the emails bypass security filters.

“In this particular attack combination, the black hats used both high and low tech to evade anti-phishing radar,” Kay writes. “The high tech involved newly created and freeware domains, set up to send phishing emails that would not trigger rudimentary email defences (i.e., DMARC analysis of DKIM and SPF records). The low tech was a simple PDF attachment with no poison links or malware in either the attachment or the email itself. These elements were designed expressly to not trigger anti-phishing analysis.”

Kay concludes that users should be suspicious of unsolicited emails like this, especially if they appear to come from major companies.

“Recipients should be aware that large enterprises like Pfizer do not typically send out cold emails to solicit bids for projects,” Kay says. “If a recipient is in a sales department and does business with Pfizer (or, in a similar situation, any other company), they should get in touch with their contact directly by telephone or an initiated email to determine whether the RFQ is legitimate. It is also highly unlikely that a Pfizer employee would use a freemail account for official business.”

New–school security awareness training can give your organization an essential layer of defense by enabling your employees to spot phishing emails that slip past your technical defenses.

A US Federal Trade Commission (FTC) data spotlight has found that people in the US lost $148 million to gift-card-related scams in the first nine months of 2021. The spotlight also found that median reported losses from these scams increased from $700 to $1,000 throughout the same period.

“Scammers favor gift cards because they are easy for people to find and buy, and they have fewer protections for buyers compared to some other payment options,” the spotlight explains. “Scammers can get quick cash, the transaction is largely irreversible, and they can remain anonymous.”

The spotlight explains how scammers use social engineering to trick people into spending hundreds or thousands of dollars on gift cards.

“According to reports received by the FTC, scams demanding gift cards most often start with a phone call from someone impersonating a well-known business or government authority,” the report says. “Many people report that a scammer posing as Amazon or Apple told them to send pictures of the numbers on gift cards to fix a supposed security problem with their account. Sometimes they call those numbers ‘security codes.’ But the only thing the numbers are good for is taking the money on the card. Other people report that a scammer claiming to be the Social Security Administration said their bank accounts would be frozen as part of an investigation. They’re told to buy gift cards to avoid arrest or to secure access to their money. Reports also show that scammers asking for gift cards pretend to be a love interest, employer, sweepstakes or lottery company, or family member in trouble.”

The FTC also notes that scammers appear to favor Target gift cards.

“In the first nine months of 2021, over twice as much money was reported lost on Target gift cards than any other brand,” the FTC says. “Google Play gift cards were next, followed by Apple, eBay, and Walmart cards. Scammers also tell people where to buy the gift cards. In the first nine months of 2021, people who reported losing money buying gift cards mentioned Target stores more than other retailers. Reports suggest that Walmart, Best Buy, CVS, and Walgreens stores are also popular with scammers.”

New-school security awareness training can enable your employees to recognize social engineering tactics.

When most see cyberattacks as something that is impactful at the organizational level, the head of the National Security Agency sees cyberattacks as being a threat to the entire nation.

Just as you and I hear so much about cybercriminals attempting an attack on various organizations for purpose of data theft or ransomware, the U.S. military faces millions of attempts to access their networks by means of vulnerability scans, phishing attacks, and more.

In a recent interview with ABC News, Director of the National Security Agency and Commander of U.S. Cyber Command Gen. Paul Nakasone highlighted how recent ransomware attacks have elevated his own opinion of cyber attacks from a “criminal matter” to now being a matter of national security, stating “What’s at stake is obviously the security of our nation. We don’t want to have a failure to imagine what’s happening.”

At the Integrated Cyber Command Center at Fort Meade in Maryland, a mix of military, civilians, and contractors work together using “Hunt Forward” teams that are asked to threat hunt on networks globally, sharing threat intel with private sector businesses.

Nakasone also mentioned six months ago he would have graded the cyber-readiness of American businesses at a “low C” based on their investment in security infrastructure to protect their networks and through educating their users. “I think that we’ve gotten a lot better since then, but we still have a ways to go.”

One of the key areas that businesses can address today is the education of their users through Security Awareness Training, where users can be made a part of your organization’s security stance, standing vigilant against email- and web-based threats that use social engineering to trick victims into engaging with malicious content.

This is obviously getting serious. So, while you’re thinking about the one organization you’re responsible for, realize it’s a much larger problem and your organization is just one point of entry into the larger issue of national security.

Researchers at Kaspersky have found that most phishing pages are active for less than one day, with many of them going offline after just a few hours. Most of these short-lived pages were set up through hosting providers.

“Hosted phishing pages become inactive faster than the others,” the researchers write. “A quarter of the pages survived for no more than 8 hours, and only 12.3% of all pages remained active after 30 days. This has to do with the fact that the cheapest option which requires the least effort is to create a hosted phishing website. Hosting providers offer a free trial period which is usually enough for cybercriminals’ plans, and once time is up on the free trial they can simply create a new page and abandon the old one.

The longest-lasting phishing pages, meanwhile, were usually set up on compromised websites that were abandoned or left vulnerable.

“The most ‘resilient’ pages turned out to be ones created before June 2015: 45.7% of these pages remained active after 30 days,” the researchers write. “Most of these are old websites hacked by cybercriminals who put phishing content there. These pages are likely to remain active for a long time because they’ve been abandoned by their original creators or are located on servers with outdated software which leaves websites more vulnerable to attacks and their consequences.”

Most of the phishing pages contained the same content throughout their life cycles. The researchers note that many of the phishing pages that do change their content are impersonating the PUBG video game, which frequently updates its in-game products.

“Among phishing pages which have changed their content stand out those imitated prize giveaways from the game PUBG,” Kaspersky says. “This could have something to do with the fact that PUBG runs alternating temporary events (‘seasons’). Given that cybercriminals want to make their phishing pages convincing and therefore as topical as possible, they periodically change the content of pages to keep up with the new season.”

New-school security awareness training can enable your employees to avoid falling for phishing attacks.