FBI Warns that Financial Events are Occasions for Extortion

The US Federal Bureau of Investigation (FBI) has warned that ransomware operators are targeting companies that are going through financial events. The timing is designed to elicit and exploit information in ways that will exert additional pressure on the victims.

“The FBI assesses ransomware actors are very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections,” the Bureau says. “Prior to an attack, ransomware actors research publicly available information, such as a victim’s stock valuation, as well as material nonpublic information. If victims do not pay a ransom quickly, ransomware actors will threaten to disclose this information publicly, causing potential investor backlash.”

The FBI explains that ransomware operators select their victims based on the value of the information they have access to, and thus the potential for a big payout.

“Ransomware actors are targeting companies involved in significant, time-sensitive financial events to incentivize ransom payment by these victims,” the FBI says. “Ransomware is often a two-stage process beginning with an initial intrusion through a trojan malware, which allows an access broker to perform reconnaissance and determine how to best monetize the access. However, while this malware is often mass distributed, most victims of trojans are not also victims of ransomware, indicating ransomware targets are often carefully selected from a pool based on information gleaned from the initial reconnaissance.”

Once ransomware operators are within a network, they search for sensitive information that they can use to further incentivize victims to pay.

“During the initial reconnaissance phase, cyber criminals identify non-publicly available information, which they threaten to release or use as leverage during the extortion to entice victims to comply with ransom demands,” the Bureau says. “Impending events that could affect a victim’s stock value, such as announcements, mergers, and acquisitions, encourage ransomware actors to target a network or adjust their timeline for extortion where access is established.” That reconnaissance phase is often the work of initial access brokers, who pick victims likely to be attractive to the brokers’ criminal customers.

The vast majority of ransomware attacks begin via phishing attacks or technical vulnerabilities like exposed RDP ports. New-school security awareness training can give your organization an essential layer of defense by helping your employees to recognize phishing and other social engineering attacks.

Not that You Would, but Looking for a Sugar Daddy’s a Bad Idea

Scammers are using social media to target young women with offers to be their “sugar daddy,” according to Laura Josepha Zimmermann at Avast. Zimmermann received a message on Instagram from a user who appeared to be an older man. The user stated, “Hey my name is Walker and I am looking for a sugar baby. I would like to pay you 1,500 Euro weekly.” The scammer then sent a screenshot of a fake PayPal transaction, and told Zimmermann that she would need to send him some money via a Google Play card in order to activate the account and receive the €1,500.

“[A]spiring ‘sugar daddies’ lure in their victims through direct messages on Instagram with messages that sound (and are) too good to be true,” Zimmermann says. “They first try to gain your trust before carrying on with requesting payment. When they do get around to requesting payment ‘verification’, these scammers will disappear as soon as the money is sent and has come into their possession. The payment for the verification is mostly done over prepaid cards, like Google Play or Amazon Cards. These are payment methods that can’t easily be refunded.”

Fortunately, Zimmermann recognized this as a scam immediately and blocked the user after stringing him along to see what he would say, but she notes that this type of scam is common.

“This scam is far from unique nowadays — many young women are affected by similar ploys from cybercriminals across the globe,” Zimmermann writes. “Some of these women may have a difficult financial situation and could use the money. Alternatively, they may just be looking for a certain standard of living that they can’t otherwise afford. The alleged ‘sugar daddies’ exploit these situations to make a profit — and end up causing a lot of damage.”

Zimmermann offers the following recommendations to avoid falling for these scams:

“Don’t answer messages from people you don’t know. If you’re in doubt, look into their profile to see if there’s anything fishy about it.

“Ignore any messages promising free money. Plain and simple.

“Don’t give your personal details to strangers. You wouldn’t do it in person, so why do it on the internet?

“Do your research. If you’d like to validate any message that you receive, there are plenty of resources from other people who have encountered similar types of scams. Read through forums and relevant online groups to obtain more information.”

So it’s the old Nigerian prince advance fee scam reinvented for the sugar community. Stay clear. New-school security awareness training can enable your employees to recognize social engineering tactics.

Misconceptions and Assumptions about Cybersecurity

Misconceptions about cybersecurity can lead to employees falling for preventable attacks, according to Jayant Chakravarti at Toolbox. One misconception is that Apple devices are inherently more secure than Windows machines. Steven Hope, CEO and co-founder of Authlogics, told Toolbox that Mac users can grow complacent due to the false impression that Macs can’t get infected with malware.

“There is a common misconception that viruses and malware only exist on Windows and that somehow macOS is immune to them,” Hope said. “While the somewhat misleading Apple ad campaign implying that a Mac can’t get a PC virus is true, they can get infected with a virus/malware designed for macOS. There are malicious apps and web sites that are designed to steal your data or logon information; Apple and Google regularly remove apps from their app stores for this reason. It is important to remember that even a MacBook needs a password and password security is just as important even if you aren’t using Windows.”

Another assumption about security is that employees will naturally be able to recognize phishing attacks. Jonathan Miles, head of strategic intelligence and security research at Mimecast, told Toolbox that a significant number of employees are susceptible to social engineering attacks.

“Organizations need to be educating their workforce on cybersecurity, as Mimecast research shows that 50% of employees still open attachments from unknown sources, and 40% are fooled by an email pretending to be from a member of their organization every week,” Miles said. “To defend and mitigate the threats, it is key that organizations build a layered approach to cybersecurity resilience, including cybersecurity responsibility and awareness embedded deeply throughout all sectors of organizational culture. Offering regular remote working cybersecurity awareness training to employees will be crucial, with organizations recommended to take the initiative on keeping their employees informed about current and prevailing threats.”

New-school security awareness training can give your organization an essential layer of defense by teaching your employees to thwart social engineering attacks.

Multi-Stage Vishing Attacks are Coming to an Inbox Near You

New attacks initially coming in via email are directing victims to make phone calls to attacker-controlled call centers in order to provide banking and credit card details.

I’ve brought these kinds of phishing-turned-vishing attacks to your attention previously with examples of fake Amazon password resets or fake orders for expensive items – both pointing recipients to call phone numbers. But new examples of these kinds of increasingly frequent attacks are coming to light.

Rather than sending an email referencing an invoice attachment (usually for the purposes of installing malware), these scams simply use the email as the invoice or payment notice and drive readers towards calling a phone number to dispute the charge.

[Image: vishing scam email]

These scams are intent on getting recipients to divulge their credit card or banking details – all in the name of “getting you a refund”.

Once again, this very much unsolicited email should raise a red flag with anyone who receives it, erring on the side of “this is utter garbage” instead of “Oh my! I don’t owe that!” (which is exactly what the scammers want). Security Awareness Training is the means by which organizations teach users how to stay in that ever-vigilant mode when interacting with email and the web. By doing so, instead of taking everything at face value and believing it by default, users interact with unfamiliar content like this in a far more scrutinizing manner and are less likely to become victims.

Cybercriminals are using Craigslist email notifications to send phishing links

Cybercriminals are using Craigslist email notifications to send phishing links, according to Roger Kay at INKY. The emails contain links to download a document with malicious macros.

“In early October, several INKY users received real Craigslist email notifications informing them that a published ad of theirs included ‘inappropriate content’ and violated Craigslist’s terms and conditions,” Kay writes. “The notifications gave false instructions on how to avoid having their accounts deleted. In our analysis, we learned that a common thread among recipients of this particular phish was the fact that they were active Craigslist users. The notifications were ‘real’ in the sense that they really did come from a Craigslist domain, but they were fake in the sense that Craigslist itself, either its humans or its machines, did not intend to send them. Without verification from Craigslist, we can’t be sure, but it appears as if Craigslist was compromised since the recipients were not random (they posted ads on the platform) and the emails originated from Craigslist.”

Kay notes that the abuse of Craigslist’s platform allowed the messages to avoid detection by security filters.

“The phishers were able to manipulate the Craigslist email system to send a fake violation notification to that individual,” Kay says. “Since the URL to resolve the issue hosted a customized document placed on Microsoft OneDrive, it did not appear on any threat intelligence feed, allowing it to slip past most security vendors.”

Kay concludes that people should be wary of unsolicited emails that ask them to click a suspicious link.

“Recipients should be on the lookout for unusual requests,” Kay says. “A red flag ought to go up right away if a violation notice comes in that doesn’t correspond to any recipient behavior on the platform in question. Another red flag is the mixing of platforms. It doesn’t make sense to resolve a Craigslist issue through a document uploaded to OneDrive. Recipients should also be suspicious about the indirect way they are being asked to sign the form. Proper protocol would have the form attached directly to the email rather than requiring a trip up to OneDrive and an additional link-click there.”

And, sadly, urgency should always raise our suspicions. “Act now” can appeal equally to fear and greed, and those two emotions are seldom conducive to cognitive clarity or situational awareness. New-school security awareness training can give your employees a healthy sense of suspicion so they can avoid falling for social engineering attacks.

Russian SolarWinds Hackers Newly Attack Supply Chain With Password-Spraying and Phishing

Researchers at Microsoft have observed a phishing campaign by Russia’s SVR that’s targeting resellers and managed service providers. Microsoft tracks this threat actor as “Nobelium,” and notes that this is the same actor that was behind the SolarWinds attacks.

“Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain,” Microsoft stated. “This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers. We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers.”

Microsoft says at least 140 entities have been targeted in this campaign, with 14 being compromised.

“We began observing this latest campaign in May 2021 and have been notifying impacted partners and customers while also developing new technical assistance and guidance for the reseller community,” Microsoft says. “Since May, we have notified more than 140 resellers and technology service providers that have been targeted by Nobelium. We continue to investigate, but to date we believe as many as 14 of these resellers and service providers have been compromised.”

The researchers note that Nobelium isn’t using sophisticated techniques to gain access, and is simply relying on phishing and password spraying.

“The attacks we’ve observed in the recent campaign against resellers and service providers have not attempted to exploit any flaw or vulnerability in software but rather used well-known techniques, like password spray and phishing, to steal legitimate credentials and gain privileged access,” Microsoft says. “We have learned enough about these new attacks, which began as early as May this year, that we can now provide actionable information which can be used to defend against this new approach.”

Again, informed and resistant users are the best protection against attacks that rely on social engineering. New-school security awareness training can give your organization an essential layer of defense by teaching your employees to follow security best practices.

Celebrity Hacks and the Frenzy of Renown

Avast offers a look at incidents in which celebrities have been the victims of social engineering attacks. The firm notes that while celebrities are higher-profile targets, attackers use the same tactics against them that work against everyone else.

“Most of the time, celebrities get hacked the same ways anyone else does,” Avast says. “They use weak passwords, fall for social engineering tricks, or suffer from data leaks when larger organizations holding their data are breached.”

In some cases, however, celebrities are victims of attacks they have no control over, such as the breach of law firm Grubman Shire Meiselas & Sacks.

“Celebrity law firm Grubman Shire Meiselas & Sacks, which counts among its clients such A-listers as Madonna, Lil Nas X, Robert De Niro, and LeBron James, recently found itself on the receiving end of a massive hack,” Avast says. “In May 2020, the noted hacking collective REvil — also known as Sodinokibi and one of the world’s most dangerous hacking groups — claimed to have stolen over 750 GB of contracts, emails, NDAs, and other sensitive data. REvil (short for Ransomware Evil) initially demanded a ransom of $21 million, then doubled it. Refusing to pay, the law firm instead turned to the FBI for help.”

In this case, however, the stolen information fortunately wasn’t as sensitive as the hackers made it out to be.

Avast offers the following advice if your accounts or devices are hacked:

  1. “Isolate the hacked device: Unplug any Ethernet cables and disable Wi-Fi on the hacked device. This will prevent any malware from spreading or sending data back to the hacker.
  2. “Change your passwords: Using an unhacked device, create long, hard-to-guess, and unique passwords for all your accounts and devices — we recommend using passphrases. Strong passwords will lock hackers out of your accounts and prevent them from using old passwords to log back in.
  3. “Report the hack and recover your accounts: Most online services, such as Gmail or Facebook, have specific procedures in place for reporting hacks. Follow these procedures for each hacked account to regain control.”

New-school security awareness training can enable your employees to follow security best practices so they can avoid falling for these attacks.

Deepfake Technology is Cloning a Voice from the C-Suite

Criminals used deepfake technology to steal $35 million from a company in the United Arab Emirates, Forbes reports. The attackers used “deep voice” technology to spoof the voice of a company’s director in order to trick a bank manager into transferring the money to the criminals’ bank accounts.

“In early 2020, a bank manager in the United Arab Emirates received a call from a man whose voice he recognized—a director at a company with whom he’d spoken before,” Forbes writes. “The director had good news: His company was about to make an acquisition, so he needed the bank to authorize some transfers to the tune of $35 million. A lawyer named Martin Zelner had been hired to coordinate the procedures and the bank manager could see in his inbox emails from the director and Zelner, confirming what money needed to move where. The bank manager, believing everything appeared legitimate, began making the transfers.”

Jake Moore from ESET told Forbes that people need to be prepared to see more of these types of attacks as the technology becomes easier to use.

“Audio and visual deep fakes represent the fascinating development of 21st century technology yet they are also potentially incredibly dangerous posing a huge threat to data, money and businesses,” Moore said. “We are currently on the cusp of malicious actors shifting expertise and resources into using the latest technology to manipulate people who are innocently unaware of the realms of deep fake technology and even their existence. Manipulating audio, which is easier to orchestrate than making deep fake videos, is only going to increase in volume and without the education and awareness of this new type of attack vector, along with better authentication methods, more businesses are likely to fall victim to very convincing conversations.”

New-school security awareness training can enable your employees to thwart sophisticated social engineering attacks.

Phishing Campaign Targets Organizations in India and Afghanistan

A threat actor based in Pakistan is targeting entities in India and Afghanistan with malware-laden websites, according to researchers at Cisco Talos.

“The threat actor registered multiple domains with political and government themes,” the researchers write. “These domains hosted malware payloads that were distributed to their victims. Their malicious lures also contained themes related to Afghan entities, specifically diplomatic and humanitarian efforts. We assess with high confidence that the threat actor behind these attacks is an individual operating under the guise of a Pakistani IT firm called ‘Bunse Technologies.’ The infection chains consist of malicious RTF documents and PowerShell scripts that distribute malware to victims. We’ve also observed the usage of C#-based downloader binaries to deploy malware while displaying decoy images to victims to appear legitimate.”

The researchers note that criminals and nation-state actors often use commodity malware in their operations. That’s true in this case as well, as the threat actor used dcRAT and QuasarRAT to target Windows machines, and AndroidRAT to target mobile devices.

“This campaign is a classic example of an individual threat actor employing political, humanitarian and diplomatic themes in a campaign to deliver commodity malware to victims,” Cisco Talos says. “Commodity RAT families are increasingly being used by both crimeware and APT groups to infect their targets. These RATs are packed with multiple functionalities to achieve complete control over the victim’s endpoint – from preliminary reconnaissance capabilities to arbitrary command execution and data exfiltration. These families also act as excellent launch pads for deploying additional malware against their victims. Furthermore, these out-of-the-box features enable the attackers to make minimal configuration changes to the RATs taking away the need for a full-fledged development cycle of custom malware by an actor.”

The threat actor also took measures to ensure that their malicious documents would be less likely to be detected.

“The use of a custom file enumerator and infector module by the attackers indicates their intent to proliferate by infecting benign, trusted documents to achieve an even greater degree of infection,” the researchers write.

New-school security awareness training can help your employees thwart targeted phishing attacks.

New Impersonation Attack Demonstrates That Threat Actors Don’t Need to Get the Logo Correct

A new trend in social engineering and impersonation emerges as cybercriminals take advantage of a user’s inability to properly identify fake corporate logos in phishing attacks.

We’ve all seen the really bad impersonation phishing email attempts – the ones where you can immediately tell it’s not the vendor it purports to be from. And then there are the really good ones that look perfect. But most impersonation phishing emails need to display graphics so that copied logos and branding can be shown to fool the recipient.

But security researchers at anti-phishing vendor Inky have spotted an attack where scammers attempting to impersonate Verizon use symbols to represent the “check” portion of the logo, making the entirety of the “logo” appear without the need for downloading images.

[Image: Verizon-themed phishing email rendering the logo with text symbols. Source: Inky]

You may think, “come on… that doesn’t even look like the Verizon logo at all!” and you’d be right. But new branding research on how accurately consumers remember corporate logos shows that most people remember enough of a logo to recognize it, but most don’t actually know exactly what the logo looks like. Using ten of the most well-known brands, the research concluded that, at best, 30% of people can draw a near-perfect version of a logo, with the average being only 16.6% of people.

This means it’s far more likely than you think that if a phishing scammer can use some rendition of a logo, it may be enough to fool the recipient into thinking the email comes from the company the scammer is attempting to impersonate.
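As an added example (not Inky’s detection logic or code from the original post), the following Python heuristic flags a message that spells out a known brand name next to symbol glyphs, the way the Verizon phish above fakes its check mark, while coming from a sender domain the brand does not use. The brand-to-domain table and the two sample messages are constructed for this example.

```python
import re
import unicodedata

# Brands whose logos phishers imitate, mapped to domains that legitimately
# send mail for them. Constructed for this example; a real deployment would
# populate it from the organization's own vendor list.
BRAND_DOMAINS = {
    "verizon": {"verizon.com", "verizonwireless.com"},
    "paypal": {"paypal.com"},
}

# Unicode general categories that cover check marks, ticks, dingbats and
# math symbols: U+2713 CHECK MARK is "So", U+221A SQUARE ROOT is "Sm".
SYMBOL_CATEGORIES = {"So", "Sm"}


def symbol_logo_hits(body, brand, window=2):
    """Find a brand name rendered with adjacent symbol glyphs in plain text.

    Returns a list of (matched_text, symbols) for every occurrence of the
    brand name that has a symbol character within `window` characters of
    either end, e.g. "verizon√" or "✓ Verizon".
    """
    hits = []
    for m in re.finditer(re.escape(brand), body, re.IGNORECASE):
        before = body[max(0, m.start() - window):m.start()]
        after = body[m.end():m.end() + window]
        symbols = "".join(
            c for c in before + after
            if unicodedata.category(c) in SYMBOL_CATEGORIES
        )
        if symbols:
            hits.append((m.group(0), symbols))
    return hits


def sender_domain(from_header):
    """Extract the domain from a From header such as 'Billing <x@y.example>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else ""


def assess_message(from_header, body):
    """Classify one message for text-rendered brand impersonation.

    A brand mention from the brand's own domain is expected. A mention from
    any other domain is noted, and becomes a logo-impersonation finding when
    the name is dressed up with symbol glyphs in place of an image.
    """
    domain = sender_domain(from_header)
    for brand, legit in BRAND_DOMAINS.items():
        if not re.search(re.escape(brand), body, re.IGNORECASE):
            continue
        if domain in legit or any(domain.endswith("." + d) for d in legit):
            continue
        hits = symbol_logo_hits(body, brand)
        verdict = ("text-rendered logo impersonation" if hits
                   else "third-party brand mention")
        return {"verdict": verdict, "brand": brand,
                "sender_domain": domain, "hits": hits}
    return {"verdict": "clean", "brand": None,
            "sender_domain": domain, "hits": []}


# Constructed sample messages: a lookalike "logo" built from a symbol, and a
# plain mention sent from the brand's real domain.
PHISH_FROM = "Verizon Billing <billing@account-notices.example>"
PHISH_BODY = "verizon√\nYour account is overdue. Pay now to avoid interruption."
LEGIT_FROM = "Verizon <no-reply@verizon.com>"
LEGIT_BODY = "Verizon\nYour monthly statement is ready."
```

Calling `assess_message(PHISH_FROM, PHISH_BODY)` reports the symbol-built logo and the mismatched sender domain, while the message from verizon.com comes back clean.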

Users who undergo Security Awareness Training are far less likely to fall for phishing attacks, regardless of how spot-on the impersonation is. By reinforcing the need to scrutinize unsolicited and unexpected emails for sender details, content, type of request, and – yes – branding, it’s possible to spot nearly every phish a mile away.
