The Number of Phishing Attacks Grows 15% in One Quarter, Reaching an All-Time High

New data shows that while ransomware remains somewhat flat, massive increases in business email compromise and response-based email attacks were seen last quarter.

We’d all like to see this trend of attack growth break with some significant downturns. But, according to the latest Phishing Activity Trends Report, 3rd Quarter 2022 from the Anti-Phishing Working Group (better known as APWG), Q3 of this year most definitely wasn’t going to be our quarter.

Phishing attacks continue to rise in a steady fashion, quarter over quarter, demonstrating that this method of initial attack isn’t going anywhere anytime soon.

Phishing Activity Trends Report, 3rd Quarter 2022

Other types of cyberattacks saw more significant gains last quarter:

  • Wire transfer BEC attacks in Q3 increased by 59 percent compared to Q2
  • Response-based email attacks grew a whopping 488% in Q3 2022 compared to Q2
  • Advance fee fraud scams launched via email increased by 1,000% in Q3

In other words, email-based attacks are at their worst. It’s imperative that organizations see these attacks for what they really are – a sign that a phishing-based attack is almost a certainty, regardless of the sophistication of your layered security strategy. One aspect that should be addressed is the user’s role in a cyberattack; it’s all well and good that your security solutions are designed to stop malicious emails from coming in. But when that one email makes it all the way to the inbox, it’s up to your user to be vigilant and see the email as potentially malicious – something taught with continual Security Awareness Training.


Social Engineering, Money Mules, and Job Seekers

A small town in Manitoba, WestLake-Gladstone (population about 3300), fell victim to a social engineering campaign. The municipal government seems to have been a target of opportunity, but it lost some $433 thousand to scammers.

The scam began with a gig economy job offer. “A seemingly legitimate company, with a professional website and a Nova Scotia address, claimed it was looking for cash processors. The contract was for one month. Employees could work from home,” the CBS explained. “They were told they would receive payments to their credit cards, which they would be expected to move to their bank accounts. They would then withdraw the payments, convert them into bitcoin, and send that to another account.”

All a prospective “cash processor” needed to qualify were a phone, Internet access, and familiarity with online banking. Also, they would need “proximity to a bitcoin machine.” If the aspiring cash processors did an Internet search for their prospective employer, they would “find a professional website, with information matching what was provided in the employment agreement.” And it came with a Nova Scotia address, just to lend verisimilitude to the scam.

The offer itself was phishing, and eventually someone in WestLake-Gladstone followed a malicious link that enabled the crooks to gain access to the municipal bank accounts. The local government noticed something was amiss when it saw a series of withdrawals, each under $10 thousand, with the money sent to unfamiliar destinations.

“It was a quiet January day in 2020 when the chief administrative officer of a southwestern Manitoba rural municipality noticed the series of unusual cash withdrawals from its bank account. She quickly alerted her assistant, showing how money had been sent to multiple bank accounts the municipality had never dealt with. ‘It was just kind of like a mad scramble to try and figure out what was going on,’ said Kate Halashewski, who at the time was the assistant chief administrative officer for the Municipality of WestLake-Gladstone.”

The Royal Canadian Mounted Police has the case under investigation, but of course it’s better to avoid being victimized in the first place. New-school security awareness training can give any team appropriate skepticism about social engineering, however small-scale or subtle it may appear.


Less Than One-Third of Organizations Leverage Multiple Authentication Factors to Secure Their Environment

Demonstrating a complete lack of focus on the need for additional authentication factors, surprising new data highlights a material security gap that enables cybercrime.

I’ve previously covered industry data showing that the overwhelming majority of cyberattacks use valid accounts (which makes harvesting credentials a primary attack focus). But new data from MFA hardware vendor Yubico in their State of Global Enterprise Authentication Survey puts a clear focus on the problem – organizations just aren’t implementing multi-factor authentication.

According to the report, a third or less use some form of additional authentication factor:

  • 33% use Mobile/SMS pushes
  • 30% use a Password Manager
  • 29% use a mobile push authentication app
  • 20% use hardware keys

What’s more shocking is that 59% of employees rely on simple username and password combinations to authenticate.

This isn’t good, folks.

All it takes is one really good social engineering phishing attack and threat actors will have one or more sets of your employees’ credentials. And with no additional authentication factors, cybercriminals have the keys to whatever corporate kingdom the compromised employee has access to.

So, first off, implement MFA. Across the board for everyone. No exceptions.

Second, implement Security Awareness Training – again, across the board for everyone, so that every user is educated on the state of phishing and social engineering attacks, and can help avoid providing threat actors with usernames and passwords (remember, even those orgs with MFA in place are being attacked with MFA Fatigue attacks – making it necessary to train everyone, regardless of MFA status).


Hospitals Warned of Royal Ransomware Attacks by U.S. Department of Health

This brand new ransomware gang is on the attack and, despite being new to the game, is coming out of the gate attacking the healthcare sector and asking for millions in ransom.

The Health and Human Services’ Health Sector Cybersecurity Coordination Center (quite the mouthful, which is probably why they simply go by the name HC3) released an analyst note last week discussing recent attacks by Royal ransomware against the Healthcare and Public Health (HPH) sector.

According to the note, Royal is not operating in an “as a Service” model, meaning they keep 100% of all ransoms collected – which currently range from $250K to over $2 million. They are focused primarily on hospitals and other healthcare organizations within the United States, using data exfiltration and double-extortion tactics to ensure payment, and publishing 100% of all data stolen.

Royal uses a particular set of initial attack methods, including embedding malicious links in malvertising, phishing emails, fake forums, and blog comments – all leveraging the value of social engineering to trick victims into engaging with their malicious content. This kind of trickery is addressed through Security Awareness Training which teaches corporate users how to maintain vigilance – even when interacting with what appears to be a normal email or webpage – and elevate the security stance of the organization by doing so.


5 Cyber Scams to Watch Out for This Holiday Season

With the holiday season now in sight, businesses and consumers alike have begun to prepare for the annual shopping and gift giving frenzy. Prices are seeing a much-needed plunge, but this is also the time of year where cybersecurity hygiene tends to drop, too.

As inboxes flood with messages about markdowns galore, opportunistic cyber criminals use this time to step up their holiday scams. This post covers why seasonal retail is under attack by cyber criminals, five common holiday season scams, and what businesses and shoppers can do to keep up their cyber defenses.

Why Seasonal Retail Is Under Attack

From late November through to the end of the year, consumers across the globe rack up billions of dollars shopping holiday deals and giving generously to charities. When the COVID-19 pandemic first impacted the world in early 2020, online shopping surged, and now more people than ever make purchases virtually.

Deloitte’s 2022 Holiday Retail Survey found that the online shopping trends seen during the pandemic have endured. This year, the survey reported that online shopping took a 63% share, which is on par with the previous two years.

Shoppers this year also note they are not “giving up the convenience of online shopping” even as they warm up to in-store visits, and 66% of retail executives expect online holiday shopping traffic to have at least single-digit growth over last year.

Those figures are naturally attractive to cyber threat actors, who hope that the dash to grab the best discounts on items with limited availability will lead buyers to fall for fraudulent activity.

Scammers take advantage of unsuspecting shoppers in multiple ways, including through fake websites, discount campaigns, and even charities, to obtain personal and financial information.

Here are five ways threat actors take advantage of the holiday season and how consumers and businesses can stay protected.

1. Fake Ads and Malicious Links

This is the time of year when scammers zero in on targets who are searching for the best markdowns and bundle promotions, trying to spread their dollars further. Scammers run fake ads showing valuable and hard-to-get items at incredible prices. To encourage shoppers to click, they often use urgent phrasing, promising attractive discounts only while supplies last, or for a limited time only.

To further increase clickability, scammers use the same marketing strategies as legitimate ads to trick shoppers who are already moving faster than usual and may have their guard down. Once an unsuspecting victim clicks the link, they are led to fraudulent sale sites with credit card skimmers embedded in the code.

How To Stay Safe:

  • Shoppers can protect themselves from fake ads and malicious links by performing a quick check on the product being advertised. See a deal too good to be true? Pull up the official website of the brand and check if the same sale prices are reflected on their product pages.
  • Don’t rely on the quality of the photos displayed in the ad. Pixelated images can be an immediate red flag, but scammers also rip off genuine photos from official brand websites.
  • If a sale site seems sketchy, check for inconsistencies in spelling and language. Confirm that the website includes comprehensive policies on shipping, returns, customer support, and privacy. A privacy policy should cover how the company collects, uses, and protects personal and transactional data.
  • Check that the site’s URL begins with “https” and that the browser shows a closed lock or unbroken key icon. These icons indicate that data submitted to the site is encrypted in transit; they do not prove the site is legitimate, since fraudulent sites can use HTTPS too, so treat this as a necessary check rather than a sufficient one.

2. Fake Discounts & Coupon Code Apps

Scammers will go to great lengths to obtain sensitive information. Other than hosting fake ads with bad links, they also build fraudulent applications that claim to search for and consolidate discount codes and coupons from popular brand names.

These fake apps are usually distributed through unofficial app repositories with the intention of having users download malware onto their devices, stealing payment information, or credentials to social media or online banking accounts.

How To Stay Safe:

  • If a company name seems unfamiliar, check for community reviews and how long the app has been around. Scam apps are typically less than a few months old.
  • Shoppers should look up the details of the app’s developer. How easy is it to find out the developer’s identity? If it’s not obvious who they are and where they trade from, walk away.
  • Use a security product to check if the application is known malware, or use public malware checking sites like VirusTotal to check an application or suspicious file’s reputation (be careful not to upload personal files – anything uploaded there is shared publicly!)

3. Holiday Email Scams & Phishing Campaigns

Sometimes all it takes is an unassuming email and a clever subject line to sink the hook. The holiday season is rife with phishing scams as cyber threat actors take to hiding amongst the throngs of legitimate emails from big brands.

Some scammers create spoofs of legitimate holiday emails from established brands and lure in their target with bargain prices. Clicking the links leads shoppers to malicious websites primed to drop malware or phish for login credentials.

Other than offering special gifts, bundle pricing, and extra coupons, holiday email scams may also send shoppers invoices for items they did not purchase. These kinds of emails include deceptive links to “report a problem” or reach a customer service team member. The scammers hope that indignant shoppers will fall for the links and click, thinking they can dispute the invoice.

How To Stay Safe:

  • Defend against social engineering scams by using trusted security software to block out malware.
  • Make sure your device operating system is up-to-date and your accounts are protected by multi-factor authentication.
  • When reading emails, inspect link addresses before clicking on them. Scammers often use URLs that look similar to real ones, replacing letters and spacing with numbers and punctuation or using odd domains.
  • Shoppers can also check that their browser settings are set to show full website addresses by default and that the appropriate privacy and security settings are all turned on.
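As an added illustration (not part of the original post), here is a small Python heuristic that applies the link checks above to a URL’s host: digits or punctuation standing in for letters, a brand name parked as a subdomain of an unrelated domain, credentials placed before an “@”, and raw IP hosts. The brand list and sample URLs are constructed, and the registrable-domain split is a two-label approximation with no public-suffix list.

```python
"""Heuristic lookalike-link check (added example; not from the original post).

Brand list and sample URLs are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Constructed list of brands a shopper expects holiday mail from.
KNOWN_DOMAINS = {"amazon.com", "paypal.com", "bestbuy.com", "ups.com"}

# Common letter look-alikes; multi-character patterns are applied first.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e",
              "4": "a", "5": "s", "7": "t"}


def normalize_label(label: str) -> str:
    """Strip separators and undo look-alike substitutions: 'amaz0n-deals' -> 'amazondeals'."""
    s = re.sub(r"[-_.]", "", label.lower())
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s


def registrable_domain(host: str) -> str:
    """Two-label approximation (assumption: no public-suffix list): 'shop.amazon.com' -> 'amazon.com'."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_url(url: str) -> dict:
    """Return {'host', 'verdict', 'reasons'}; verdict is 'trusted', 'suspicious' or 'unknown'."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    reg = registrable_domain(host)
    if reg in KNOWN_DOMAINS:
        return {"host": host, "verdict": "trusted", "reasons": []}

    reasons = []
    if parsed.username:
        # Everything before '@' is a username, not the site: paypal.com@evil.example
        reasons.append("credentials embedded before '@'; real host is " + host)
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address instead of a domain name")

    labels = host.split(".")
    brand_label = reg.split(".", 1)[0]
    for known in sorted(KNOWN_DOMAINS):
        brand = known.split(".", 1)[0]
        if brand in labels:
            # amazon.com.deals-now.xyz: the brand is only a subdomain of deals-now.xyz
            reasons.append(f"brand '{brand}' used as a subdomain of {reg}")
        elif normalize_label(brand_label).startswith(brand):
            # amaz0n-deals.com: spelled to resemble amazon.com
            reasons.append(f"'{reg}' imitates {known}")

    verdict = "suspicious" if reasons else "unknown"
    return {"host": host, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links of the kinds the bullet list warns about.
    for sample in ["https://www.amazon.com/deals", "http://amaz0n-deals.com/x",
                   "http://amazon.com.deals-now.xyz/", "http://paypal.com@evil.example/login",
                   "http://192.168.0.1/shop", "https://shop.example.org/"]:
        print(sample, "->", check_url(sample))
```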

4. Fake Charity Sites & Scams

The winter holidays are often a time of repaying one’s gratitude through charity, and threat actors are waiting on the sidelines to exploit the season’s giving. Scammers will often take full advantage of people’s generosity during this time of year by spoofing the phone numbers of legitimate charities and impersonating their agents to ask for donations.

Some cyber scammers may send text messages, target people through social media, or set up a computerized auto dialer to deliver pre-recorded messages.

How To Stay Safe:

  • Be wary of these solicitations whether online, via phone, or even in person. The safest way to donate to a charitable organization is to reach out to them proactively, or simply donate through their official website.
  • Check that the websites have firm payment protection in place and always use a credit card rather than providing direct account information.

5. Fake Offers for Seasonal Work

Businesses often hire in advance of the busy holiday season. Consumers who have trusted known brands for years may find themselves applying for a little part-time, seasonal work only to find that they’ve given away personal information to a fraudster.

Scammers in these schemes impersonate HR representatives, recruiters, and even senior managers of real companies and post help-wanted ads via email or on social media platforms.

Usually, these open roles will include forms for the hopeful applicant to fill out and ask for intimate details such as address, tax details, social security number, work permit information, and other personally identifiable information (PII).

If the ad is not directly phishing for PII, then applicants may be led to bogus sites that scan for email addresses and passwords or even ask them to pay upfront for job supplies and training fees.

How To Stay Safe:

  • Holiday job seekers should research the company and review its website and associated channels. Check the company’s Careers landing page to find the official job posting and ensure that the details of the role are the same.
  • Remain cautious of roles that have vague job requirements, pay an unusually high wage, or promise applicants that they will “make money fast”. Receiving a job offer right away after applying and without an interview is another common red flag.
  • Only give personal information directly related to the application process after you have met in person or over video with a member of the company’s HR department.

Cybersecurity Is Crucial For the Holidays

We’ve covered many common scams that day to day consumers face during the holiday rush, but it’s important for businesses to protect themselves and their customers from cyber threats, too. During the holiday season when threat actors are more active, businesses may equally find that they are understaffed and dealing with heavy demand.

During the holiday season, businesses should be prepared to see increases in malware campaigns, ransomware and data extortion, Distributed Denial-of-Service (DDoS) attacks, and the possibility of data loss.

As the number of digital transactions soars during the holiday season, establishing better cybersecurity processes can help to keep businesses and their customers safe from holiday scams.

  • Establish Full Visibility & Managed Security – Consumers often favor online shopping because of the convenience of shopping 24/7. This means that malicious activity can happen at any hour of the day, even outside the business hours of a company’s IT team. Having round-the-clock protection is crucial to identifying malicious behavior in its earliest stages before lateral spread can occur.
  • Execute Pre-Seasonal Audits – Before the holiday rush, companies should perform thorough security checks to validate any recent coding changes, SaaS updates, and third-party code on payment pages especially. Check that sensitive areas of a network are adequately protected and minimize the exposure of critical data and assets.
  • Ensure & Maintain Compliance Controls – Businesses that collect payment through credit cards must be in compliance with the requirements of the Payment Card Industry Security Standards Council (PCI SSC). The council focuses its controls on protecting payment account security during digital transactions. Retail companies accepting, processing, storing, or transmitting credit card information and cardholder data must meet controls set out in the Payment Card Industry Data Security Standard (PCI DSS) framework.

Ughh. FBI’s Vetted Threat Sharing Network ‘InfraGard’ Hacked

Investigative reporter Brian Krebs reported December 13, 2022 that “InfraGard, a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat information sharing partnerships with the private sector, this week saw its database of contact information on more than 80,000 members go up for sale on an English-language cybercrime forum. Meanwhile, the hackers responsible are communicating directly with members through the InfraGard portal online — using a new account under the assumed identity of a financial industry CEO that was vetted by the FBI itself.”

Here is another extract from Krebs:

“On Dec. 10, 2022, the relatively new cybercrime forum Breached featured a bombshell new sales thread: The user database for InfraGard, including names and contact information for tens of thousands of InfraGard members.

The FBI’s InfraGard program is supposed to be a vetted Who’s Who of key people in private sector roles involving both cyber and physical security at companies that manage most of the nation’s critical infrastructures — including drinking water and power utilities, communications and financial services firms, transportation and manufacturing companies, healthcare providers, and nuclear energy firms.

“InfraGard connects critical infrastructure owners, operators, and stakeholders with the FBI to provide education, networking, and information-sharing on security threats and risks,” the FBI’s InfraGard fact sheet reads.

In response to information shared by KrebsOnSecurity, the FBI said it is aware of a potential false account associated with the InfraGard Portal and that it is actively looking into the matter.

“This is an ongoing situation, and we are not able to provide any additional information at this time,” the FBI said in a written statement.

KrebsOnSecurity contacted the seller of the InfraGard database, a Breached forum member who uses the handle “USDoD” and whose avatar is the seal of the U.S. Department of Defense.”



Scammer Group Uses Business Email Compromise to Impersonate European Investment Portals

A sophisticated scammer group has stolen at least €480 million from victims in France, Belgium, and Luxembourg since 2018, according to researchers at Group-IB. The gang uses a highly detailed scam kit called “CryptosLabs,” which impersonates investment portals from more than forty major European financial entities.

“Right out of the block, the victims are promised high returns on their capital,” the researchers write. “To find the ‘investors’ scammers leave messages on the dedicated investment forums or use legitimate advertising mechanisms on social media and search engines to promote the scheme. To appear trustworthy, such ads feature logos of notable banking, fin-tech, crypto, and asset management companies active in France, Belgium, and Luxembourg.”

After clicking on one of the scammers’ ads, the user will be taken to a webpage where they’ll be asked to enter their contact details.

“Interestingly, the victim doesn’t get immediate access to a fake investment platform. The scammers’ call center verifies the information to identify the most likely targets. Masquerading as personal managers of investment divisions of the companies that victims saw on the social media ads, call-center operators reach out to the victims to clarify further steps, explain how the platform works, and provide credentials to start trading.”

The scammers go to a great deal of effort to interact with their victims professionally, convincing them to continue investing money. The scam kit even shows phony growth charts on the victims’ investments.

“After successfully logging into an investment portal the victim sees multiple made-up graphs and charts all indicating sky-high returns and growth stocks,” the researchers write. “After some time, the victim is contacted by a ‘personal manager’ again to sign a fake engagement document and make a €200-300 deposit to activate the account. Once the victim pays, the money goes straight into the scammers’ pockets. The victim is finally granted full access to a branded fake trading platform. Those who make it that far can see the account balance and multiple juicy investment opportunities in stocks, crypto, NFTs, and contact their ‘personal manager’ at their convenience. Some panels seen by Group-IB offer victims up to 17 different investment strategies. The fake platform does everything to keep the victims happy by showing them made-up exponential growth curves and encouraging them to deposit more funds to multiply their investments.”


Incident Response Actions are Systematically Reversed by Hackers to Maintain Persistence

Analysis of attacks on two cellular carriers has resulted in the identification of threat actor actions designed to undo mitigations taken by security teams mid-attack.

We’d like to think that the attacker’s only move in a game of cyberattack chess is “attack,” and that once you begin to mitigate their intrusion, lateral movement, modification of user accounts, etc., the threat actor just gives up and you win. But new analysis of several attacks by security vendor CrowdStrike shows that while your team is busy trying to undo everything attackers have done to facilitate their access, they are equally busy either reversing your actions or setting up additional means of entry, privilege, and access.

According to the analysis, CrowdStrike observed the following activity mid-attack when response actions weren’t being taken swiftly:

  • Setup of additional VPN access
  • Setup of multiple RMM tools
  • Re-enabling of accounts disabled by security teams

It’s just like chess; you make a move and your adversary makes another.
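To turn the third bullet above into something a SOC can watch for, here is an added example (not from the CrowdStrike analysis or the original post) that scans constructed Windows Security events for accounts re-enabled soon after the response team disabled them. Event IDs 4725 and 4722 are the real Windows IDs for “user account disabled” and “user account enabled”; the record layout and the response-team roster are assumptions.

```python
"""Detect response actions being reversed (added example; not from the
CrowdStrike analysis or the original post).

Event IDs 4725 (user account disabled) and 4722 (user account enabled) are the
real Windows Security IDs; the simplified record layout, the roster and the
events themselves are constructed.
"""
from datetime import datetime, timedelta

RESPONSE_TEAM = {"ir-analyst1", "ir-analyst2"}  # constructed roster

# Constructed, simplified Windows Security events from a mid-incident window.
EVENTS = [
    {"time": "2022-11-02T09:00:00", "id": 4725, "target": "jdoe",    "subject": "ir-analyst1"},
    {"time": "2022-11-02T09:01:30", "id": 4725, "target": "svc-vpn", "subject": "ir-analyst1"},
    {"time": "2022-11-02T09:14:05", "id": 4722, "target": "jdoe",    "subject": "helpdesk-admin"},
    {"time": "2022-11-02T09:20:00", "id": 4722, "target": "svc-vpn", "subject": "ir-analyst1"},
    {"time": "2022-11-03T10:00:00", "id": 4722, "target": "jsmith",  "subject": "helpdesk-admin"},
]


def find_reversals(events, window=timedelta(hours=24)):
    """Return one finding per 4722 that undoes a response-team 4725 within `window`.

    'outside_team' marks re-enables done by an account not on the response
    roster: either an attacker using a compromised admin account or an
    uncoordinated helpdesk action, and either way worth an immediate call.
    """
    disabled = {}   # target account -> (time, who disabled it)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4725 and ev["subject"] in RESPONSE_TEAM:
            disabled[ev["target"]] = (t, ev["subject"])
        elif ev["id"] == 4722 and ev["target"] in disabled:
            t_dis, by = disabled.pop(ev["target"])
            if t - t_dis <= window:
                findings.append({
                    "target": ev["target"],
                    "disabled_by": by,
                    "enabled_by": ev["subject"],
                    "minutes_later": int((t - t_dis).total_seconds() // 60),
                    "outside_team": ev["subject"] not in RESPONSE_TEAM,
                })
    return findings


def urgent(findings):
    """Subset that should page the on-call responder: re-enabled by an outsider."""
    return [f for f in findings if f["outside_team"]]


if __name__ == "__main__":
    for f in find_reversals(EVENTS):
        flag = "ALERT" if f["outside_team"] else "info"
        print(f"[{flag}] {f['target']} re-enabled by {f['enabled_by']} "
              f"{f['minutes_later']} min after {f['disabled_by']} disabled it")
```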

There are two takeaways from this story:

  • Response actions need to be swift; you need to cut off attacker access quickly and effectively
  • Based on the initial attack vectors – mostly social engineering designed to harvest credentials – Security Awareness Training for every user is needed to keep users vigilant whether they’re using email, the phone, or the Internet.

Archives Overtake Office Documents as the Most Popular File Type to Deliver Malware

Taking the lead over the use of Word, Excel, PDF, and other office-type documents in attacks, new data shows that files like ZIP and RAR have grown in popularity by 11% last quarter.

For years, we’ve seen attackers take advantage of the scripting functionality found in Office documents (e.g., VBA macros) and PDFs (embedded JavaScript) to enable the download and execution of malicious content. But it was inevitable that attackers would move on – with so many security sources being vocal about disabling macros and scripting, attackers had to find a new way to sneak their malicious content in via email.

According to HP Wolf Security’s Q3 Threat Insights Report, archive files now represent 44% of the files used to deliver malware, overtaking Office documents, which were found in only 32% of attacks. Attackers are leveraging the inability of security solutions to open archives (especially those protected with a password supplied in the phishing email) to hide their true intent.
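As an added example (not from the HP Wolf Security report or the original post), here is a Python triage routine that inspects a ZIP attachment without extracting it: it reads the per-entry encryption flag, which is visible even when the password is unknown, and flags executable names and nested archives. The sample archives are constructed in memory, and the encryption flag on them is set by hand because the standard library cannot write password-protected entries.

```python
"""Triage a ZIP attachment without extracting it (added example; not from the
HP Wolf Security report or the original post).

A mail gateway cannot scan inside a password-protected archive, but the ZIP
central directory still reveals entry names and the per-entry encryption flag
(general-purpose bit 0).  Sample archives are constructed in memory.
"""
import io
import os
import zipfile

RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".lnk", ".bat", ".cmd", ".ps1", ".hta", ".iso", ".img"}
ARCHIVE_EXT = {".zip", ".rar", ".7z", ".gz", ".tar"}


def triage_zip(data: bytes) -> dict:
    """Classify an attachment as 'allow', 'review', 'quarantine' or 'block'.

    Nothing is decompressed: only the central directory is read, so an
    unknown password never stops the checks.
    """
    result = {"encrypted": [], "risky": [], "nested": [], "verdict": "allow"}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["verdict"] = "block"   # malformed or not really a ZIP
        return result
    for info in zf.infolist():
        name = info.filename
        ext = os.path.splitext(name)[1].lower()
        if info.flag_bits & 0x1:      # bit 0: entry is encrypted
            result["encrypted"].append(name)
        if ext in RISKY_EXT:          # catches double extensions like invoice.pdf.exe
            result["risky"].append(name)
        if ext in ARCHIVE_EXT:        # archive-in-archive, a common layering trick
            result["nested"].append(name)
    if result["encrypted"] or result["risky"]:
        result["verdict"] = "quarantine"   # unscannable or directly executable content
    elif result["nested"]:
        result["verdict"] = "review"       # recurse into it or hold for a human
    return result


def build_sample(entries: dict, encrypted=()) -> bytes:
    """Constructed test archive.  zipfile cannot write encrypted entries, so the
    encryption flag is set on the central-directory record by hand to mimic
    what a password-protected archive looks like to a reader."""
    buf = io.BytesIO()
    zf = zipfile.ZipFile(buf, "w")
    for name, payload in entries.items():
        zf.writestr(name, payload)
        if name in encrypted:
            zf.getinfo(name).flag_bits |= 0x1
    zf.close()
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a benign note, a disguised executable, and a
    # password-protected archive nested inside the attachment.
    print(triage_zip(build_sample({"readme.txt": "holiday deals"})))
    print(triage_zip(build_sample({"invoice.pdf.exe": b"MZ\x00"})))
    print(triage_zip(build_sample({"order.zip": b"PK"}, encrypted={"order.zip"})))
```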

Additionally, according to the report, attackers are focusing more energy on improving their social engineering, brand impersonation, and their use of built-in OS capabilities (instead of downloading malicious tools) to improve their chances of a successful attack.

All this adds up to more phishing attacks, craftier scams, and more victims falling prey because they aren’t interacting with email with a sense of vigilance – something taught through Security Awareness Training – to ensure that every time an unsolicited email is received, it’s scrutinized by the recipient as being malicious first until proven otherwise.


Cyber Insurers Focus on Catastrophic Attacks and Required Minimum Defenses as Premiums Double

Recent attacks are helping cyber insurers better understand what security strategies need to be in place and how to price policies based on the risk those policies cover.

Remember, insurance companies of all kinds are in business to stay in business. That means that while they are willing to share the risk with your organization, they’re not in the business of just paying out on a claim without a fight. And because that’s not a good look for cyber insurers, it makes more sense for them to be proactive and do one or more of the following:

  • Help to reduce the risk of attack by establishing what cyber defenses must be in place
  • Price policies across the board correctly so there’s enough revenue coming in to cover the percentage of claims that should be paid
  • Limit what attack scenarios are covered – sometimes down to the specific kind of attack, the role of the attacker, the role of internal employees in the attack, etc.

According to a recent Wall Street Journal article on the subject, cyber insurers are getting really smart at limiting their risk. With premiums rising by 92% in 2021, according to reinsurance company Swiss Re, the focus now is on the impact an attack could have on, say, a supplier that could impact millions of people, evaluating which cloud providers the insured use, and possibly requiring insureds to hold capital in reserve for worst-case scenarios.

In other words, cyber insurers are coming to better understand the nature of cyber risk. While news of premiums hiking significantly isn’t pleasing, in the end, it may be a necessary step until there’s enough significant data on attacks for insurers to determine what the risk reality looks like.

Until then, it’s up to organizations to continue to put up strong cyber defenses designed to keep attackers from succeeding – something that should include Security Awareness Training as part of the strategy.