Phishing Campaign Targets TikTok Influencers

Phishing emails are targeting large TikTok accounts with phony copyright warnings or offers for account verification, according to researchers at Abnormal Security.

“An email campaign sent in two rounds on October 2, 2021, and November 1, 2021 to more than 125 individuals and businesses appeared to target large-volume TikTok accounts of all kinds and across disparate locales,” the researchers write. “Among the typical talent agencies and brand-consultant firms we would expect to see, this actor sent messages to social media production studios, influencer management firms, and content producers of all types…. From well-known digital media channels to individual actors, models, and magicians, the campaign reached out to content creators worldwide. Several emails were sent to the wrong company of the same name in the same country, and many of the email addresses used appear to have been lifted directly from social media.”

The researchers add that the attackers set a time constraint to ensure that the victim acts quickly, then send a link to trick the user into entering their credentials.

“This campaign indicates that attackers have linked TikTok with the social media giants, including Facebook and Twitter, in the impersonation game,” the researchers write. “In the original phishing email, designed to appear like a copyright violation notice from TikTok, the victim was instructed to respond to the message, lest their account be deleted in 48 hours.”

Abnormal notes that hackers sometimes demand a ransom to return the account to its owner.

“While we were unable to identify the end goal of the campaign, past targeting of social media accounts on other platforms offers several options,” the researchers write. “Social media accounts have become increasingly valuable in recent years, creating the incentive to ransom them back to the original owners for a hefty fee. An underground economy has evolved to offer ban-as-a-service, manipulating abuse reporting mechanisms to harass and censor other users, primarily on Instagram. Sadly, victim accounts in this scenario often end up deleted, especially for those on TikTok.”

New-school security awareness training can enable your employees to recognize social engineering tactics so they can avoid falling for these attacks.

FBI: Cyber Attacks Target Organizations Involved in Mergers and Acquisitions

A new notification from the FBI warns organizations of attacks at the perfect time when organizations are spending money, new people are being introduced, and operations are in flux.

Threat actors like nothing more than a dash of chaos when it comes to timing their attacks. If they can get the social engineering theming just right, that chaos – when added to a sense of urgency – causes individuals to rush and not think actions through properly. This allows cyber attacks to succeed far more often than they should.

According to the FBI notification, the threat actors responsible are very aware of who they are targeting: “During the initial reconnaissance phase, cyber criminals identify non-publicly available information, which they threaten to release or use as leverage during the extortion to entice victims to comply with ransom demands. Impending events that could affect a victim’s stock value, such as announcements, mergers, and acquisitions, encourage ransomware actors to target a network or adjust their timeline for extortion where access is established.”

Judging from the warning put out by the FBI’s Internet Complaint Center (IC3) earlier this month, cybercriminal gangs are using these major financial events as the perfect juncture for ransomware attacks involving extortion. Think about it – let’s take a fictitious public company being bought by a private investment firm. The entire cost of the deal revolves around the stock price. Now, if a ransomware attacker can succeed in stealing data from and encrypting the systems of the public company, having the public find out could cause the stock price to diminish – thus lowering the value of the company and its purchase price.

If your organization is going through a merger or acquisition (or planning to in the future), it’s imperative that you put up the strongest possible defense against ransomware – which includes the use of Security Awareness Training to include users in defending against such attacks where malicious email content finds its way past security solutions and into the user’s Inbox.

Avoid Donating to Charity Scammers During Giving Tuesday 2021

Giving Tuesday is a great way for organizations and people to give back. However, this gives cybercriminals opportunities to take advantage of you with charity scams.

The Federal Trade Commission provided some helpful tips to help you and your users to donate safely this holiday season and all year round:

  1. Do some research online – Start by searching for causes you care about along with phrases like “best charity” or “top rated charity”. When you consider giving to a specific charity, search its name plus “complaint,” “review,” “rating,” or “scam.” You can use resources such as Charity Navigator or CharityWatch to verify your search.
  2. Be careful how you pay – If someone wants donations in cash, by gift card, or by wiring money, don’t do it. That’s a trap for scammers to take your money. Be on the safe side and pay by credit card or check, and keep records of your donations. Before you click on a donation link, check out this FTC article to help you make sure your money is going where you think it is.
  3. Keep scammers’ tricks in mind – Some cybercriminals try to trick you into paying them by thanking you for a donation that you never made, or use a local area code when making a call. Make sure to watch out for red flags such as guaranteeing sweepstakes winnings in exchange for a donation (it’s illegal) or claims that your donation is tax-deductible when it’s not. If you’re feeling rushed or pressured to make a donation, that should also be a red flag that something isn’t quite right.

Every year cybercriminals prove there is no social engineering scheme too low for them to use in their attacks. New-school security awareness training can train your users on how to spot and report any malicious activity.

SEC Warns of Spoofed Emails Impersonating Their Employees

Scammers are impersonating the US Securities and Exchange Commission (SEC) with spoofed phone calls and other communications that attempt to steal money and personal information from victims.

“We are aware that several individuals recently received phone calls or voicemail messages that appeared to be from an SEC phone number,” the SEC said in a statement. “The calls and messages raised purported concerns about unauthorized transactions or other suspicious activity in the recipients’ checking or cryptocurrency accounts. These phone calls and voicemail messages are in no way connected to the SEC. If you receive a communication that appears to be from the SEC, do not provide any personal information unless you have verified that you are dealing with the SEC. The SEC does not seek money from any person or entity as a penalty or disgorgement for alleged wrongdoing outside of its formal Enforcement process.”

The SEC stresses that it won’t ask for money or information via unsolicited messages.

“SEC staff do not make unsolicited communications – including phone calls, voicemail messages, or emails – asking for payments related to enforcement actions, offering to confirm trades, or seeking detailed personal and financial information,” the SEC says. “Be skeptical if you are contacted by someone claiming to be from the SEC and asking about your shareholdings, account numbers, PIN numbers, passwords, or other information that may be used to access your financial accounts. Again, never provide information to someone claiming to be from the SEC until you have verified that the person actually works for the SEC.”

The statement adds that scammers impersonate real employees at the SEC to add legitimacy to their schemes.

“Con artists have used the names of real SEC employees and email messages that falsely appear to be from the SEC to trick victims into sending the fraudsters money,” the SEC says. “Impersonation of U.S. Government agencies and employees (as well as of legitimate financial services entities) is one common feature of advance fee solicitations and other fraudulent schemes. Even where the fraudsters do not request that funds be sent directly to them, they may use personal information they obtain to steal an individual’s identity or misappropriate their financial assets.”

Microsoft Exchange Server Flaws Now Exploited for BEC Attacks

Threat actors are using a couple of dangerous, new tactics to exploit the so-called ProxyShell set of vulnerabilities in on-premises Exchange Servers that Microsoft patched earlier this year — and were the targets of widespread attacks in July.

In multiple recent incident response engagements, Mandiant researchers found attackers had abused ProxyShell to drop Web shells on vulnerable systems in a different — and more difficult to detect — manner than used in previous attacks. In some attacks, threat actors skipped Web shells entirely and instead created their own hidden, privileged mailboxes, giving them the ability to take over accounts and create other problems.

As many as 30,000 Internet-facing Exchange Servers remain vulnerable to these attacks because they have not been patched, Mandiant said. Full article at DarkReading.

‘Fake Ransomware’ as a Form of Social Engineering

Attackers are exploiting a vulnerability in a WordPress plugin to deface several hundred websites with phony warnings of ransomware, the Record reports. Researchers at Sucuri found that around three hundred WordPress sites displayed the text “SITE ENCRYPTED” followed by “FOR RESTORE SEND 0.1 BITCOIN.” (A Google search for this text shows that many sites are still affected.)

The researchers note that 0.1 Bitcoin is currently worth about $6,000, which is low enough that a small business might consider paying it if they thought their website had been encrypted. The Record says that no one has paid the ransom yet, which is probably due to the fact that the ransom note only appears on a few pages on the website. The attackers used a vulnerability in the legitimate business directory listing plugin Directorist.

“In checking the access logs for the website it was easy enough to determine the IP address responsible,” Sucuri says. “Our client was located in the southern United States, however we saw quite a few requests from a foreign IP address which was interacting with the directorist plugin using the plugin editor feature of wp-admin. This suggests that the legitimate plugin was already installed on the website and later tampered with by the attackers.”

In the case that Sucuri examined, the researchers note that the attacker had access to the site’s administrative password.

“Interestingly, the very first request that we saw from the attacker IP address was from the wp-admin panel, suggesting that they had already established administrator access to the website before they began their shenanigans,” the researchers write. “Whether they had brute forced the admin password using another IP address or had acquired the already-compromised login from the black market is anybody’s guess.”
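The access-log check Sucuri describes, an already-authenticated client reaching the wp-admin plugin editor from an unexpected address, is easy to automate. The following is an added example written for this digest, not Sucuri's own tooling: it parses combined-format access log lines, groups hits on the plugin and theme editor endpoints by client IP, and separates reads (GET) from file saves (POST). The log lines, the RFC 5737 addresses and the plugin file name (`PLACEHOLDER.php`) are all constructed.

```python
"""Flag wp-admin file-editor activity in a web server access log.

Added example (not Sucuri's tooling).  The log lines below are constructed
to resemble the pattern described in the article; the plugin file name is a
placeholder and the addresses come from the RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict

# Apache/nginx "combined" format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Endpoints that let a logged-in administrator rewrite PHP files from the browser.
EDITOR_PATHS = ("/wp-admin/plugin-editor.php", "/wp-admin/theme-editor.php")

# Constructed sample log: one ordinary visitor and one client using the editor.
SAMPLE_LOG = """\
198.51.100.10 - - [12/Nov/2021:14:02:11 +0000] "GET /directory/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Nov/2021:14:05:40 +0000] "GET /wp-admin/ HTTP/1.1" 200 30211 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Nov/2021:14:05:52 +0000] "GET /wp-admin/plugin-editor.php?plugin=directorist%2FPLACEHOLDER.php HTTP/1.1" 200 41233 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Nov/2021:14:06:30 +0000] "POST /wp-admin/plugin-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.10 - - [12/Nov/2021:14:07:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4011 "-" "Mozilla/5.0"
"""


def find_editor_activity(lines, trusted_ips=frozenset()):
    """Group editor-endpoint requests by client IP, skipping trusted addresses.

    Returns {ip: [{"ts", "method", "path", "status"}, ...]}.  A POST to the
    editor is the request that actually saves a modified file.
    """
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate lines in another format
        path = m.group("path").split("?", 1)[0]
        if path in EDITOR_PATHS and m.group("ip") not in trusted_ips:
            hits[m.group("ip")].append({
                "ts": m.group("ts"),
                "method": m.group("method"),
                "path": m.group("path"),
                "status": m.group("status"),
            })
    return dict(hits)


def summarize(hits):
    """One line per source IP with counts of editor requests and file saves."""
    out = []
    for ip, reqs in sorted(hits.items()):
        saves = sum(1 for r in reqs if r["method"] == "POST")
        out.append(f"{ip}: {len(reqs)} editor request(s), {saves} file save(s) (POST)")
    return out


if __name__ == "__main__":
    for line in summarize(find_editor_activity(SAMPLE_LOG.splitlines())):
        print(line)
```

Because the attacker in Sucuri's case already held a valid administrator login, this is a detection control, not a preventive one. The preventive counterpart is to remove the in-browser editors altogether with `define('DISALLOW_FILE_EDIT', true);` in wp-config.php, which disables both plugin-editor.php and theme-editor.php for every account.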

New-school security awareness training can enable your employees to remain level-headed when they encounter social engineering attacks.

Bait Attacks as Reconnaissance

Researchers at Barracuda warn that attackers are sending non-malicious emails as a precursor to targeted phishing attacks.

“Bait attacks are a class of threats where the attackers attempt to gather information they can use to plan future targeted attacks,” the researchers write. “The bait attacks, also known as reconnaissance attacks, are usually emails with very short or even empty content. The goal is to either verify the existence of the victim’s email account by not receiving any ‘undeliverable’ emails or to get the victim involved in a conversation that would potentially lead to malicious money transfers or leaked credentials. Because this class of threats barely contains any text and does not include any phishing links or malicious attachments, it is hard for conventional phishing detectors to defend against these attacks.”

The researchers replied to one of these messages and confirmed that their email address was targeted by a spear phishing attack two days later.

“While it is known that bait attacks usually precede some sort of targeted phishing attack, our research team ran an experiment by replying to one of the bait attacks that landed in one of our employee’s private mailboxes,” the researchers write. “The original attack on August 10, 2021 was an email with a subject line ‘HI’ and an empty body content. As part of the experiment, the Barracuda employee then replied on August 15, 2021 with an email containing, ‘Hi, how may I help you?’ Within 48 hours on August 17, 2021, the employee received a targeted phishing attack. The original email was designed to verify the existence of the mailbox and the willingness of the victim to respond to email messages.”

The researchers note that more than one-third of organizations were targeted by these emails in September 2021.

“While the number of bait attacks is still low overall, they are not unusual,” Barracuda says. “Based on analysis by Barracuda researchers, just over 35% of the 10,500 organizations analyzed were targeted by at least one bait attack in September 2021, with an average of three distinct mailboxes per company receiving one of these messages.”
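Barracuda's point is that a bait message carries nothing a link- or attachment-based filter can act on, so the useful signals are structural: an almost empty body, no URLs or attachments, and a sender domain the organisation has never corresponded with. The following is an added example written for this digest, not Barracuda's detector. It parses raw messages with the standard library and scores those signals; the three sample messages are constructed (the first mimics the empty "HI" message the researchers describe), and `KNOWN_DOMAINS` is an assumed stand-in for whatever correspondent list the organisation already maintains.

```python
"""Triage heuristics for 'bait' (reconnaissance) emails.

Added example, not Barracuda's detector.  All messages are constructed and
KNOWN_DOMAINS is an assumption standing in for a real correspondent list.
"""
import re
from email import message_from_bytes, policy

URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)

# Assumption: domains the organisation already exchanges mail with.
KNOWN_DOMAINS = {"corp.example", "partner.example"}

# Constructed: an empty "HI" message of the kind the report describes.
BAIT_RAW = (
    b"From: unknown.sender@mailer.example\r\n"
    b"To: employee@corp.example\r\n"
    b"Subject: HI\r\n"
    b"Message-ID: <constructed-1@mailer.example>\r\n"
    b"\r\n"
)

# Constructed: a short conversation opener with nothing for a filter to scan.
CONVERSATION_RAW = (
    b"From: someone@another.example\r\n"
    b"To: employee@corp.example\r\n"
    b"Subject: Quick question\r\n"
    b"\r\n"
    b"Are you available today?\r\n"
)

# Constructed: ordinary business mail from a known partner.
NORMAL_RAW = (
    b"From: bob@partner.example\r\n"
    b"To: employee@corp.example\r\n"
    b"Subject: Q3 invoice for review\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Hi, the Q3 invoice is ready at https://portal.partner.example/inv/123\r\n"
    b"Let me know if the amounts look right.\r\n"
)


def sender_domain(msg):
    """Domain part of the From header, lower-cased; '' if none is present."""
    m = re.search(r"@([\w.-]+)", msg.get("From") or "")
    return m.group(1).lower() if m else ""


def body_text(msg):
    """Text of the preferred body part; HTML is crudely tag-stripped."""
    part = msg.get_body(preferencelist=("plain", "html"))
    if part is None:
        return ""
    text = part.get_content()
    if part.get_content_type() == "text/html":
        text = re.sub(r"<[^>]+>", " ", text)
    return text


def triage(raw: bytes) -> dict:
    """Return the structural flags for one message and a bait-like verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    text = body_text(msg)
    words = text.split()
    domain = sender_domain(msg)
    has_attachment = any(
        p.get_content_disposition() == "attachment" for p in msg.walk()
    )
    flags = []
    if len(words) <= 5:
        flags.append("near-empty body")
    if len((msg.get("Subject") or "").strip()) <= 3:
        flags.append("trivial subject")
    if not URL_RE.search(text):
        flags.append("no links")
    if not has_attachment:
        flags.append("no attachments")
    if domain and domain not in KNOWN_DOMAINS:
        flags.append("unknown sender domain")
    # Bait verdict: nothing to scan, nothing to say, and nobody we know.
    bait_like = {"near-empty body", "no links", "unknown sender domain"} <= set(flags)
    return {"sender_domain": domain, "word_count": len(words),
            "flags": flags, "bait_like": bait_like}


if __name__ == "__main__":
    for name, raw in (("bait", BAIT_RAW), ("opener", CONVERSATION_RAW), ("normal", NORMAL_RAW)):
        print(name, triage(raw))
```

The verdict is deliberately a routing decision rather than a block: a flagged message should go to a report-and-quarantine workflow, because the reply itself is the confirmation the sender is after, and a bounce (or the absence of one) tells them whether the mailbox exists.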

New-school security awareness training can enable your employees to recognize phishing and other social engineering attacks.

Phishing Emails Use Small Font Size to Bypass Security Filters

Researchers at Avanan have spotted phishing emails that use a font size of one to fool email security scanners. The emails appear to be password expiration notifications from Microsoft 365. The attackers have inserted benign links that are invisible to the human eye, but trick security scanners into viewing the email as a legitimate marketing email.

“In this attack, hackers utilize a number of obfuscation techniques to get a credential harvesting page through to the inbox,” the researchers write. “First, all links are hidden within the CSS. This confuses natural language filters. Natural language filters see random text; human readers see what the attackers want them to see. In addition, hackers put links within the <font> tag, and brought the font size down to one. This breaks semantic analysis, which leads many solutions to treat it as a marketing email, as opposed to phishing. Beyond that, there are invalid parameters, as the ‘Padding Left’ is set to ‘;’ further confusing scanners.”
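The tricks Avanan lists all share one property: text that a renderer hides from the reader but a text-based scanner still counts. A defender's scanner can therefore track visibility while parsing and compare what the human sees against what the filter saw. The following is an added example written for this digest, not Avanan's detection logic. It uses the standard-library HTML parser to tag each text run as visible or hidden (a `<font size="1">` wrapper, 1px text, `display:none`), records links that sit inside hidden regions, and reports CSS declarations with empty values such as `padding-left: ;`. The sample email and its URLs are constructed placeholders; the 4px "unreadable" threshold is an assumption.

```python
"""Detect text and links hidden from the reader inside an HTML email.

Added example, not Avanan's detection logic.  The sample email is constructed
to mimic the described tricks; URLs are placeholders and TINY_FONT_PX is an
assumed threshold.
"""
import re
from html.parser import HTMLParser

TINY_FONT_PX = 4  # assumption: text at or below this size is unreadable
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col"}

SAMPLE_EMAIL = """\
<html><body>
<p>Notification for Password 365. Access To Your Email will be Expired.</p>
<p><a href="https://LOGIN-PLACEHOLDER.example/keep">Keep same password</a></p>
<font size="1" style="padding-left: ;">
  <a href="https://NEWSLETTER-PLACEHOLDER.example/offer">weekly newsletter offers and sales promotions unsubscribe here</a>
</font>
<span style="font-size:1px;color:#ffffff">seasonal catalogue coupons deals free shipping</span>
</body></html>
"""


def style_hides(style):
    """True if an inline style makes its content invisible or unreadably small."""
    s = style.lower()
    if re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", s):
        return True
    m = re.search(r"font-size\s*:\s*(\d+(?:\.\d+)?)\s*(px|pt|em)?", s)
    if m:
        size = float(m.group(1))
        if m.group(2) == "em":
            size *= 16  # rough conversion: 1em is about 16px
        return size <= TINY_FONT_PX
    return False


def invalid_declarations(style):
    """Property names whose value is empty, e.g. 'padding-left: ;'."""
    bad = []
    for decl in style.split(";"):
        if ":" in decl:
            prop, _, value = decl.partition(":")
            if not value.strip():
                bad.append(prop.strip())
    return bad


class HiddenTextScanner(HTMLParser):
    """Split text runs into visible and hidden while walking the element tree."""

    def __init__(self):
        super().__init__()
        self.stack = []                 # one "hidden?" flag per open element
        self.visible, self.hidden = [], []
        self.hidden_links = []
        self.invalid_css = []
        self.tiny_font_tags = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool(self.stack and self.stack[-1])   # inherit from parent
        style = a.get("style") or ""
        if tag == "font" and (a.get("size") or "").strip() in ("0", "1"):
            hidden = True                                # the article's case
            self.tiny_font_tags += 1
        elif style_hides(style):
            hidden = True
        self.invalid_css.extend(invalid_declarations(style))
        if tag == "a" and hidden:
            self.hidden_links.append(a.get("href") or "")
        if tag not in VOID_TAGS:
            self.stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())
        if text:
            bucket = self.hidden if (self.stack and self.stack[-1]) else self.visible
            bucket.append(text)


def scan_html(html):
    """Return what the reader sees, what was hidden, and the resulting flags."""
    p = HiddenTextScanner()
    p.feed(html)
    p.close()
    visible, hidden = " ".join(p.visible), " ".join(p.hidden)
    flags = []
    if p.hidden_links:
        flags.append("links inside hidden or tiny text")
    if p.tiny_font_tags:
        flags.append("<font size=1> used")
    if p.invalid_css:
        flags.append("empty css values: " + ", ".join(p.invalid_css))
    if hidden and len(hidden) > len(visible):
        flags.append("more hidden text than visible text")
    return {"visible": visible, "hidden": hidden, "hidden_links": p.hidden_links,
            "flags": flags, "suspicious": bool(flags)}
```

Feeding a content classifier only the `visible` string (rather than the whole document) removes the padding that pushes these messages toward the "marketing" verdict, and a non-empty `hidden_links` list on a message that presents itself as a password notice is itself a strong signal. Deliberately malformed markup can still desynchronise a lenient parser, so treat a parse that ends with a non-empty element stack as suspicious too.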

Avanan concludes that the phishing emails themselves appear suspicious, so a trained user would be able to spot them as malicious. The emails simply state, “Notification for Password 365. Access To Your Email will be Expired.”

“To the end-user, this email looks like a standard request from their IT department,” the researchers write. “The email is designed to fool both Natural Language Processing and human eyes. For a user to spot this attack, they should rely on their phishing training. They should notice the stilted grammar, such as ‘Notification Microsoft 365’ as a red flag. They should also ask their own IT department before resetting any passwords.”

Thus, insecurity by obscurity. Attackers are constantly coming up with new ways to bypass email security filters. New-school security awareness training can give your employees a healthy sense of suspicion so they can avoid falling for social engineering attacks.

“Customer Complaint” May Get Your Attention

A spear phishing campaign is sending phony “customer complaints” that contain a link to a malicious website, according to Paul Ducklin at Naked Security. The phishing emails appear to come from a manager at the employee’s company and ask the recipient about a customer complaint they received. The link in the email purports to lead to a PDF of the complaint about the employee, but leads to a page where the victim is tricked into downloading malware.

Ducklin adds that people are even more likely to click on the link if they work in a high-pressure environment.

“Worse, of course, is that junior staff in commonly outsourced jobs such as first-line support, where time pressure is always high, are the most likely to have been threatened with complaints by aggressive callers determined to get their way,” Ducklin writes. “And, let’s be perfectly honest, if you’ve ever worked in support, you’ll rarely ever have ‘reported yourself to management’ when a caller shouted at you and complained, unless the call was so aggressive or threatening that you wanted to ensure it was placed on the record for your own safety.”

Ducklin notes that in this case the sloppy appearance of the emails could tip off the recipient that the messages are fake.

“Never let yourself be pressured or threatened into acting in haste, because that’s exactly what the crooks are hoping you will do,” Ducklin says. “This scam is full of mistakes (spelling, grammar, incorrect web links, unlikely file downloads, digital signatures that simply don’t look right) that you would expect to notice on a good day, but could easily miss if you are acting in haste. But the signs are all there, even if you aren’t technical yourself, that this email simply doesn’t add up, and is fake.”

New-school security awareness training can enable your employees to recognize red flags associated with social engineering attacks.

Enabling and Securing Remote Workers are Top Concerns as 80% of Organizations Experience Cyberattacks as Often as Once per Hour

Organizations appear to be overconfident in their ability to protect themselves, despite glaring gaps in security, according to new data from cyber protection vendor, Acronis.

New data from Acronis’ Cyber Readiness Report 2021 tells the tale of some very unprepared – and yet still confident – IT organizations. Overall, cybersecurity itself isn’t a top concern for organizations, even though enabling remote workers (57% of organizations) and securing them (50%) are. In addition, 53% of organizations believe they are safe from supply chain attacks because “We only use known, trusted software” – c’mon; even Microsoft has been a victim of the Hafnium attack back in February.

Despite this overconfidence, the report shows how very unprepared the average organization really is:

  • 36% of remote workers have issues using corporate security measures
  • 25% of organizations aren’t using multi-factor authentication at all
  • 71% of organizations are targeted by phishing attacks each month
  • 80% have been the target of cyberattacks in the last year
  • 30% of organizations were attacked at least once a day
  • Only 20% say they haven’t been a target

Of those organizations experiencing attacks, the number one attack type (experienced by 58% of organizations) was phishing attacks. And, given that organizations (according to the report data) were focused on solutions like anti-malware (73%), backup/DR (48%), vulnerability management (45%), and URL filtering (20%), it’s evident that many of these organizations aren’t placing enough emphasis on educating users to stop the attacks that get past these solutions.

It’s only through continual Security Awareness Training that an organization can address the weakest link in their security stance: users. From the report data, it’s evident that attacks are present, phishing remains a favorite attack vector, and remote users aren’t as secure as they need to be. Putting Security Awareness Training in place will assist in strengthening your stance with remote users, regardless of the amount of security tech in place.