Cybercriminal Sells Info on 186 Million U.S. Voters

According to a recent NBC News report, cybersecurity company Trustwave found a bad guy selling voter registration data on 186 million Americans.

This incident shows how easily anyone in the U.S. can be targeted by cybercriminals and foreign adversaries alike. The news comes on the heels of U.S. officials announcing that Iran and Russia obtained voter registration data in hopes of interfering with the 2020 U.S. election.

Trustwave provided publicly available data, and the fact that so many names, email addresses, phone numbers, and voter registration records were found for sale on the dark web further proves how easy it is for the bad guys to deploy an attack. One current example is the FBI recently reporting that Iran has tried to send emails designed to intimidate voters.

“An enormous amount of data about U.S. citizens is available to cyber criminals” and foreign adversaries, said Ziv Mador, Vice President of Security Research at Trustwave. Check out this screenshot of the documented report:


Photo Credit: Trustwave

“In the wrong hands, this voter and consumer data can easily be used for geotargeted disinformation campaigns over social media, email phishing and text and phone scams,” he added, “before, during and after the election, especially if results are contested.”

As a takeaway, it’s important to be cautious of any potential threat or suspicious email. New-school security awareness training can ensure your users are prepared to report potential social engineering attacks.


[HEADS UP] Australia Warns Citizens of JobKeeper Phishing Email

The Australian Taxation Office has advised Australians to delete a particular email and to not provide any personal information.

Data from the Australian Competition and Consumer Commission reveals those in the 35-44 age bracket lost the most money from phishing scams in September. This research was released in the wake of this phishing attack.

Australians have been warned of a JobKeeper scam asking for recipients’ driving licence and their Medicare card:


This email claims the ATO is ‘checking claims’ made through the wage subsidy scheme. Australians in that age group lost $87,000 combined last month, $20,000 more than Australians over the age of 65, who lost $66,000.

A survey by digital security firm Avast, meanwhile, found that almost half of Australians (49%) have encountered a phishing attack this year. Their findings showed 73% of Australians have experienced a phishing scam in their personal life and 7% had received a phishing attack at work.

The survey found phishing attacks were the most common scams encountered by Australians at 78%, followed by phone call scams (55%) and smishing scams (41%), which are text message scams.

It’s important for your organization to be aware of the potential warning signs. New-school security awareness training can train your users on how to spot and report a suspicious email.


Notes on Social Engineering, and What to Do About It

Phishing attacks are growing in prevalence during the pandemic, according to David Dufour, Vice President of Engineering and Cybersecurity at Webroot. Webroot’s recent threat report concludes that people are receiving 34% more emails than before the pandemic, and this increase was accompanied by an uptick in phishing attacks.

“Well, I think none of this will be surprising, but it’s just kind of critical to bring up so people are keeping it top of mind,” Dufour said. “A lot of things are, hey, make a donation or, you know, click here, click this link to be able to donate to help COVID survivors or things of that nature. Or maybe, hey, you want to get your stimulus check quicker, click this link and give us your account information, and we’ll get your stimulus check deposited in, you know, a few minutes. None of that is true…They’re just trying to get you to click that link.”

Dufour added that the combination of the increase in email volume and the distractions of working from home creates a perfect environment for phishing attacks to succeed.

“The problem that we’re seeing is kind of twofold,” Dufour said. “One – people are getting inundated with emails from colleagues or, you know, customers even, where it may be coming from their personal account, it may be coming from their business account because everyone’s working at home, so they’re getting a lot of email from unfamiliar places, and some of it’s legitimate for them to do their job. And the other big issue is you’re at home with little Susie or little Johnny from school and you’re trying to make them lunch and you’re trying to answer emails and you’re trying to respond to your boss, and so there’s also a distraction factor, where people aren’t as focused on what they’re reading and they’re more apt to click as well.”

Dufour concluded that employees want to learn how to make smarter decisions, and organizations need to help educate them.

“The security industry has realized that the user is not as dumb as we want to make them out to be,” he said. “People really want to do the right thing. If we can educate them – like I said, most people know what phishing is. We just gotta keep it top of mind and in their brain to be aware of it. But on top of that, the thing that people really need to be doing is slowing down and taking the time to read what’s going on. And if you’re in a busy spot, maybe don’t answer your email. Set aside some time when you can do it thoughtfully.”

New-school security awareness training can create a culture of security within your organization by teaching your employees how to avoid falling for social engineering attacks.


Threat Actors Take Advantage of Exchange Online and Outlook on the Web with New Levels of Sophistication

New insight from Accenture Security highlights specific ways attackers are changing their tactics to make Microsoft’s email platform a tool rather than an obstacle for phishing attacks.

We all tend to think of our email platform as something that helps create a more secure environment for our networks. But new, disturbing information found in Accenture’s 2020 Cyber Threatscape Report shows that, in the wild, parts of Microsoft Exchange (and Exchange Online), as well as Outlook Web Access, are being used as part of sophisticated phishing campaigns:

  • Threat groups like Belugasturgeon are hiding within Exchange traffic to obfuscate both command relays and data exfiltration
  • Hackers are attempting to gain access to Exchange servers responsible for the Client Access Server role to deploy web shells that facilitate the harvesting of credentials during an Outlook on the Web session.
  • Belugasturgeon even went as far as to register one of their pieces of code as a Microsoft Exchange Transport Agent (reputable transport agents include antivirus, mail filtering, etc.) so that they could gain access to email passing through Exchange and be able to create, modify, or delete messages.

This level of sophistication makes it clear that the bad guys are willing to do whatever it takes to gain access to your credentials and email.

While mitigating the issues mentioned above likely comes down to keeping any Exchange systems you still manage up to date with patching, it’s still important that users stay vigilant around any abnormal communications issues. Emails not reaching an intended recipient, or an expected email from an external party never arriving, could both be signs that a bad guy is tampering with your email conversations and inserting themselves in a case of business email compromise, especially if the user in question handles finances, intellectual property, customer data, or employee information.


The Risk of Redirector Domains in Phishing Attacks

Researchers at GreatHorn warn that a large-scale phishing campaign is using open redirects to evade email security filters. Open redirects allow attackers to take a URL from a non-malicious website and tack on a redirect, so that when the link is clicked it will take the user to a phishing page. This results in a phishing link that can fool both humans and technology. A human may inspect the URL and conclude that it will take them to a legitimate site, while security filters will struggle to flag the link as malicious.

“The Threat Intelligence Team described this campaign as a ‘comprehensive and multi-pronged attack,’ with multiple hosting services and web servers being used to host fraudulent Office 365 login pages,” the researchers write. “Malicious links, delivered via phishing emails to regular users worldwide, are bypassing their email providers’ native security controls and slipping past nearly every legacy email security platform on the market.”

Based on similarities in the phishing emails and malicious sites, GreatHorn believes a single actor is behind the campaign.

“The URLs in the phishing emails sent to users vary,” the researchers write. “Some employ redirects; others point directly at the phishing kit pages. The phishing kit itself uses the same naming structure in nearly all cases: http://t.****/r/, where *** represents the domain. However, the URL path varies across individual messages, as part of a common tactic used to bypass simple blocking rules that prevent these messages from reaching users.”
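The wrapper-plus-redirect pattern described above can be checked mechanically before a link is allowed through: parse the URL, decode its query values (including double-encoded ones) and flag any that carry an absolute or protocol-relative URL to a host outside the wrapper's domain. The following is an added example, not code from GreatHorn or the original post; the hosts are constructed placeholders, and the last sample mirrors the kit-style path quoted above without any redirect:

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample links modelled on the open-redirect pattern above (placeholder hosts).
SAMPLE_LINKS = [
    "https://trusted.example/login?next=/dashboard",                             # internal target
    "https://trusted.example/out?url=https%3A%2F%2Faccount-verify.example%2Fo365",  # encoded hop
    "https://trusted.example/r?to=//evil.example/login",                         # protocol-relative hop
    "https://trusted.example/go?u=https%253A%252F%252Fdouble.example%252Fsignin",   # double-encoded hop
    "https://trusted.example/l?ret=https://sso.trusted.example/ok",              # same-org subdomain
    "https://trusted.example/redirect/https://path-hop.example/x",               # hop smuggled in path
    "https://t.example/r/abc123",                                                # kit-style path, no hop
]

# Matches "https://host", "http://host" or "//host" and captures the host.
_ABS_URL = re.compile(r"(?:https?:)?//([a-z0-9.-]+)", re.IGNORECASE)


def _decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding; double-encoding is a common filter evasion."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def _same_org(host, wrapper_host):
    """Treat the wrapper host and its subdomains as the same organisation."""
    host = host.split(":")[0].lower()
    wrapper_host = wrapper_host.split(":")[0].lower()
    return host == wrapper_host or host.endswith("." + wrapper_host)


def find_open_redirect(link):
    """Return the external host a wrapper link bounces to and where it was found, or None."""
    parts = urlsplit(link)
    wrapper_host = parts.netloc
    # 1. Query-string values that carry an absolute or protocol-relative URL.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        match = _ABS_URL.match(_decode(value).strip())
        if match and not _same_org(match.group(1), wrapper_host):
            return {"wrapper": wrapper_host, "destination": match.group(1).lower(), "where": "query:" + key}
    # 2. A URL smuggled into the path or fragment (e.g. /redirect/https://...).
    for where, text in (("path", parts.path), ("fragment", parts.fragment)):
        match = _ABS_URL.search(_decode(text))
        if match and not _same_org(match.group(1), wrapper_host):
            return {"wrapper": wrapper_host, "destination": match.group(1).lower(), "where": where}
    return None


def triage_links(links):
    """Map each link to its open-redirect finding (None when the link does not bounce elsewhere)."""
    return {link: find_open_redirect(link) for link in links}


if __name__ == "__main__":
    for link, finding in triage_links(SAMPLE_LINKS).items():
        print("FLAG" if finding else "ok  ", link, finding or "")
```

A flagged destination host is what a filter or analyst should reputation-check, not the trusted wrapper host that a human inspecting the link would see first.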

The phishing pages are designed to steal credentials, but they also contain JavaScript that will install malware on the victim’s computer.

“The phishing webpages impersonate a Microsoft Office 365 login, using the Microsoft logo and requesting that users enter their password, verify their account, or sign-in,” GreatHorn says. “Given this campaign’s breadth and highly targeted nature, the sophistication and complexity suggest that the attackers’ significant coordinated effort is underway. Additionally, GreatHorn’s Threat Research Intelligence Team identified attempts to deploy the Cryxos trojan on multiple browsers, including Chrome and Safari.”

New-school security awareness training can prepare your employees to identify and thwart phishing emails that bypass your technical defenses.


The Secret to This Email Phishing Campaign is Volume

FireEye says a newly characterized cybercriminal gang, FIN11, has been launching widespread email phishing campaigns for the past four years. The group isn’t particularly sophisticated, but FireEye’s Mandiant unit says FIN11 stands out due to the “sheer volume of activity” it’s responsible for.

“There are significant gaps in FIN11’s phishing operations, but when active, the group conducts up to five high-volume campaigns a week,” FireEye says. “While many financially motivated threat groups are short lived, FIN11 has been conducting these widespread phishing campaigns since at least 2016. From 2017 through 2018, the threat group primarily targeted organizations in the financial, retail, and hospitality sectors. However, in 2019 FIN11’s targeting expanded to include a diverse set of sectors and geographic regions. At this point, it would be difficult to name a client that FIN11 hasn’t targeted.”

FireEye believes the volume of FIN11’s activity makes up for its lack of sophistication, since the group can simply choose how to move forward after one of its phishing emails happens to compromise a victim.

“Mandiant has also responded to numerous FIN11 intrusions, but we’ve only observed the group successfully monetize access in [a] few instances,” FireEye says. “This could suggest that the actors cast a wide net during their phishing operations, then choose which victims to further exploit based on characteristics such as sector, geolocation or perceived security posture.”

FIN11 also changes its tactics as more effective attack strategies become apparent. This manifested itself in the group’s recent shift to using ransomware and data theft to extort victims.

“Recently, FIN11 has deployed CLOP ransomware and threatened to publish exfiltrated data to pressure victims into paying ransom demands,” the researchers write. “The group’s shifting monetization methods—from point-of-sale (POS) malware in 2018, to ransomware in 2019, and hybrid extortion in 2020—is part of a larger trend in which criminal actors have increasingly focused on post-compromise ransomware deployment and data theft extortion.”

The criminal threat evolves, and security training needs to keep pace with it. New-school security awareness training can enable your employees to identify and thwart both sophisticated and untargeted phishing attacks.


5 Cyber Security Awareness Month Tips for Cybersecurity Professionals

It’s Cyber Security Awareness Month, which is a great time of year for everyone to dispense security wisdom like Oprah giving away cars.

But looking back at some of the blogs I’ve written over the years, particularly around Cyber Security Awareness Month, and dare I say, some of my peers, there’s a bit of an issue — and that is that we’re often so focussed on showcasing our cyber security knowledge that it can be easy to forget who the knowledge is intended for.

The effect can be visualised by the following chart:


It’s important that as security professionals we use the opportunities presented by Cyber Security Awareness Month wisely, and communicate better. Below are five tips which have helped me, and may be of use to you too.

  1. Quit blaming others: Yes, we all get it. Sometimes people make mistakes, do silly things, or ignore you altogether. It’s so easy to declare, “Lol, users!” rolling your eyes a bit, and exhaling while letting your shoulders drop in the way a parent does just before they tell their 8 year old how disappointed they are in their exam results.
    Instead, let’s be the people who, in the face of mistakes, buy them an ice cream and make light of it. After all, is a little bit of ransomware really worth ruining friendships over?
  2. Argue behind closed doors: Security professionals don’t always agree on things. And that’s a good thing, we need to be constantly challenging assumptions and out of date practices. I guess we are also egomaniacs who love being right and putting others down. But that’s a topic for another time.
    The point is that people who don’t work in security don’t need to be confused. So, if someone says to their colleagues, “use a password manager” don’t jump in on social media and say how bad you think the advice is, how MFA is a better option, or how l33t you are for being able to memorise 78 different unique passwords each being 16 characters long.

    Baby steps are what we need, and if we can help people be a little bit more secure today than they were yesterday, that’s great. If professionals want to disagree, or say how one method is superior to another, they can do it out of public sight, where it doesn’t make cybersecurity look like it’s full of infighting imbeciles.

  3. Be specific: Whenever asked a security question the reflex action is to sharply inhale before saying, “well, it depends” which is then followed by 15 minutes of incoherent rambling which includes liberal use of phrases such as, “risk”, “appetite”, “appropriate”, and “threat model”.
    I get it, I used to be a consultant in a previous life, and it’s what pays the bills. But when your colleagues, friends, or family members ask you a question, don’t beat around the bush – you’re not their consultant. Just tell them what to do, keep it specific and simple, but more importantly make it practical.
  4. Be a storyteller: We’re not college professors or lecturers, and nobody really wants to listen to a professor (apologies to professors). So try to make your message interesting and engaging. Telling a story really helps people remember and apply messages. If you tell the family an engaging story around the dinner table about how a criminal got caught because they posted too much information about themselves on social media, it may be all that’s needed for people to evaluate their own choices and change their behaviours accordingly.
  5. Make them cool: Making people who you directly come into contact with aware of cyber security and steps they can take is great. But do you know what’s better? Having them go on and spread the message further. So instead of just telling, show something interesting and cool. Think of a little hack as a magic trick. Show someone, amaze them, then teach them how to do it. They will be more than happy to show off their newly learnt trick to all their friends and family and be the cool one.

We aren’t trying to make everyone a cyber security expert during Cyber Security Awareness Month, and such a goal is unachievable. What we do want is for people to make better risk decisions and know who to go to when they are in any doubt. If we can help people to be even 1% more secure during October than they were last month, then that in itself makes Cyber Security Awareness Month worth it.


Sophisticated Mercenary Group Excels at Social Engineering

An extremely skilled group of hackers-for-hire dubbed “Bahamut” is using sophisticated social engineering tactics against a range of targets around the world, researchers at BlackBerry have found. The group has refined its tactics over time, and it adapts every time a security firm publishes research on its activities.

“BlackBerry assesses that BAHAMUT’s phishing and credential harvesting tradecraft is significantly better than the majority of other publicly known APT groups,” BlackBerry says. “This is principally due to the group’s speed, their dedication to single-use and highly compartmentalized infrastructure, and their ability to adapt and change, particularly when their phishing tools are exposed.”

The group now uses a streamlined framework for phishing that makes it very difficult to block these attacks.

“While monitoring BAHAMUT’s operations over the past year, BlackBerry watched new phishing infrastructure spring up weekly,” the researchers write. “Just as other researchers previously observed, many of these highly targeted spear-phishing operations lasted anywhere from a few hours to a few months, depending on the domain and success rates. This embrace of ever-fleeting infrastructure makes real-time detection all but impossible. Catching a window that is open only for a few hours on infrastructure that is constantly changing requires resources and luck that few network defenders, much less individual targets, could ever hope to possess.”

The group also does extensive research on its targets, and in some cases has used fake social media profiles to build trust with their victims. Notably, the researchers found that the hackers often knew the target’s personal email address, and avoided sending phishing emails to the victim’s corporate or government address.

“Throughout our analysis of their phishing behavior, BlackBerry observed that BAHAMUT was generally in possession of a great deal of information about their targets prior to phishing them,” they write. “This was clearly the result of a concerted and robust reconnaissance operation.”

BlackBerry concludes that Bahamut’s patience, attention to detail, and commitment to operational security put them far above most threat actors.

“In sum, BlackBerry finds BAHAMUT to be well above average in its social engineering,” the researchers write. “The group has truly impressive operational security that enables them to continue to attack despite numerous, repeated attempts to expose their operations.”

New-school security awareness training can help your employees defend themselves against targeted social engineering attacks.


The Market for Phishing Kits

Inexperienced cybercriminals can easily find places to buy phishing kits in the open, on the “surface web” (as opposed to the deep or dark web), according to Jan Kopriva at the SANS Internet Storm Center. Kopriva set out to see how many of these kits he could find for sale on popular websites, and was able to find more than a hundred on YouTube alone after a single search. These YouTube videos offered demonstrations of the phishing kits’ functionality and pointed users to where they could purchase the kits.

“Of the 104 kits, 18 were offered free of charge (and at least one of these was backdoored – this wasn’t mentioned in the video description so it was probably intended as a surprise bonus feature),” Kopriva writes. “For 76 of them, price was available by e-mail/ICQ/Telegram/Facebook only and the 10 remaining ones ranged in price from $10 to $100. The 86 ‘commercial’ phishing kits were offered by 21 sellers, with the most prolific one of them being responsible for 22 different scam pages.”

The kits spoofed a wide range of services, with Office 365, PayPal, Amazon, and Netflix appearing most frequently. Each of the offerings contained various functionalities, and some included tutorials for new scammers.

“Some of the videos were offering e-mail templates, access to complex phishing platforms, or tutorials in addition to the scam pages themselves, either as part of a bundle with a specific phishing kit or at a premium,” Kopriva says. “A similar selection of additional tools and other materials was available on external e-commerce platforms, where some of the kits shown off in the videos were sold.”

Kopriva’s research demonstrates how easy it’s become for aspiring criminals to launch effective phishing attacks with minimal technical skills. New-school security awareness training can enable your employees to identify and thwart these types of attacks.


New Mount Ransomware Joins the Millionaires Club Demanding Seven Figure Ransoms

With ransoms as high as $2 million, the cybercriminal group behind this new family of ransomware is setting the bar pretty high while still being the “new kid on the block”.

While the tactics are familiar from the ransomware gangs in the Maze cartel – exfiltrate data, encrypt everything possible, and ask for a large ransom while threatening to publish the data – the Mount ransomware has only been out since July of this year.

Taking a bold step, the gang behind this new variant is obviously watching the trends and realizing if they do it right, they can ask for a hefty ransom.

And ask they do!

Where most new companies try to be the discount alternative and charge less, these bad guys realize there’s no reason they can’t just launch a business and ask for top dollar.

Having stolen some subset of the data it encrypts, the Mount team threatens to contact the victim’s competitors, the media, TV channels, and newspapers as part of its demands:


Ransomware is truly getting out of hand – the revenue opportunities are so vast that it’s really no surprise to see the latest player make a huge splash in their first months. I expect to see their name in the headlines many more times in the coming months.

The good news is that despite the ransomware bravado I expect will continue, the bad guys still need a means to start their infections – an unwitting user. Users who have undergone new-school security awareness training are less likely to fall for the phishing and social engineering scams used to spread the malware that eventually infects an environment with ransomware (Mount or otherwise).
