Phishing Campaign Abuses Microsoft Customer Voice

Researchers at Avanan warn that a phishing campaign is using Microsoft’s Dynamics 365 Customer Voice feature to send malicious links. Customer Voice is designed to collect feedback from customers, but attackers are using it to send phony links claiming that the recipient has received a voicemail.

“This email comes from the survey feature in Dynamics 365,” the researchers write. “Interestingly, you’ll notice the sending address has ‘Forms Pro’ in it, which is the old name of the survey feature. The email shows that a new voicemail has been received. To the end user, this looks like a voicemail from a customer, which would be important to listen to. Clicking on it is the natural step.”

The link to the fake voicemail comes from a Microsoft domain, so email security products tend to view it as safe.

“This is a legitimate Customer Voice link from Microsoft,” Avanan says. “Because the link is legit, scanners will think that this email is legitimate. However, when clicking upon the ‘Play Voicemail’ button, hackers have more tricks up their sleeves. The intent of the email is not in the voicemail itself; rather, it is to click on the ‘Play Voicemail’ button, which redirects to a phishing link.”

Avanan notes that attackers are increasingly abusing legitimate platforms to bypass email security filters.

“We’ve seen this a lot recently, whether it’s Facebook, PayPal, QuickBooks or more. It is incredibly difficult for security services to suss out what is real and what is nested behind the legitimate link,” the researchers write. “Plus, many services see a known good link and, by default, don’t scan it. Why scan something good? That’s what hackers are hoping for.

This is a particularly tricky attack because the phishing link doesn’t appear until the final step. Users are first directed to a legitimate page, so hovering over the URL in the email body won’t provide protection. In this case, it would be important to remind users to look at all URLs, even when they are not in an email body. These attacks are incredibly difficult to stop for scanners and even harder for users to identify.”

The Rise in Unwanted Emails, Now Found to be Nearly 41%

How many business emails do the recipients actually want? Or, conversely, how many of them are unwanted? A study by Hornetsecurity looked at this question (along with a number of other security issues) and reached a conclusion that, on reflection, most people with a business email account would probably say is consistent with their own experience: some 40.5% of emails that arrive are ones the recipients don’t really want in the first place.

Hornetsecurity’s CEO, Daniel Hofmann, said, in conjunction with the release of the company’s Cyber Security Report 2023, “This year’s cyber security report shows the steady creep of threats into inboxes around the world. The rise in unwanted emails, now found to be nearly 41%, is putting email users and businesses at significant risk.” He added, “What’s more, our analysis identified both the enduring risk and changing landscape of ransomware attacks – highlighting the need for businesses and their employees to be more vigilant than ever.”

The risk these emails present, of course, is phishing. Unwanted, unexpected email not only exploits the trust people place in their business systems; sheer quantity also has a quality all its own. The more attempts, the more likely it is that some user will fall for one of them in a moment of weakness, gullibility, or an otherwise commendable inclination to help and to cooperate.

Phishing remains a perennial threat, and as criminals and nation-states improve their craft and deploy more convincing come-ons and spoofs, the unwary will continue to be caught. New-school security awareness training can equip employees with the knowledge and skills they need to resist this form of social engineering.

[HEADS UP] FBI Warns of Tech Support Scams That Impersonate Payment Portals for Fake Refunds

In its latest warning, the FBI reports that cybercriminals are now impersonating financial institutions’ refund payment portals. The goal is to harvest victims’ personal information behind a legitimate-looking front.

These bad actors use social engineering to trick victims into giving them access to their computer by impersonating representatives of technical repair services. The FBI’s public service announcement gives the following detail: “Within the body of the email, the scammers will indicate the specific service to be renewed with a price commonly in the range of $300 to $500 USD, provoking a sense of urgency in the victims to contact them and provide information for a refund.”

Although tech support scams are very common, the FBI noted that as recently as last month, scammers were using scripts that display what looks like a refund payment portal but is actually a malicious site.

BleepingComputer found samples of these scripts pretending to be various financial institutions:

[Image: Chase fake online refund portal. Source: BleepingComputer]

The FBI encourages potential victims never to grant remote access to an unknown person and never to send wire transfers on the basis of online or phone requests. Frequent new-school security awareness training is highly encouraged so your users can avoid these tech support scams in their day-to-day operations.

Cookie-stealing Feature Added by Phishing-as-a-Service Provider To Bypass MFA

The Robin Banks phishing-as-a-service platform now has a feature to bypass multi-factor authentication by stealing login session cookies, according to researchers at IronNet. The phishing kit’s developer used an open-source tool to implement this feature, which targets Google, Yahoo, and Outlook accounts.

“Like many other open-source tools, Evilginx2 has become very popular among cybercriminals as it offers an easy way to launch adversary-in-the-middle (AiTM) attacks with a pre-built framework for phishing login credentials and authentication tokens (cookies),” the researchers write. “This, as a result, allows the attacker to bypass 2FA. Evilginx2 works by creating a reverse proxy. Once a user is lured to the phishing site, they are presented with a phishing page (via phishlets) with localized SSL certificates. The user is proxied internally, and once a successful login occurs to the destination (i.e. Gmail), the username, password, and login token are captured. The attacker can then view these stolen credentials through the Robin Banks GUI, their Telegram bot, or the evilginx2 server terminal. From there, the attacker can open their own browser, insert the stolen login token, enter the credentials to successfully bypass 2FA, and access the desired account.”

IronNet notes that phishing kits are increasingly including ways to get around multi-factor authentication.

“Robin Banks’ introduction of this new cookie-stealing feature is somewhat to be expected given the growing need for threat actors to bypass MFA for initial access,” the researchers write. “With more and more organizations (hopefully) requiring 2FA and multi-factor authentication (MFA) to inhibit easy unauthorized access to user accounts, credential-stealing alone only goes so far. This is why we have seen a growing trend amongst threat actors devising ways to bypass MFA, such as through MFA fatigue or cookie-stealing.”
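The cookie replay IronNet describes leaves a trace a defender can look for in authentication logs: the login is recorded from the proxy host with the victim’s browser string, and the stolen session cookie is then presented from the attacker’s own machine and browser. The following added example (not IronNet’s or the Robin Banks kit’s code) runs that check over a constructed log; the log format, field names and IP addresses are assumptions.

```python
import re

# Regex for the constructed log format used below (not a real product's format).
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<event>login|request) user=(?P<user>\S+) '
    r'sid=(?P<sid>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$'
)

# Constructed sample: alice's cookie s1 is later presented from a different IP
# *and* browser than the client that logged in (the AiTM replay pattern);
# bob's session only changes IP, which is ordinary roaming.
SAMPLE_LOG = """\
2022-11-01T09:00:00Z login user=alice sid=s1 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/107"
2022-11-01T09:01:00Z request user=alice sid=s1 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/107"
2022-11-01T09:05:00Z request user=alice sid=s1 ip=198.51.100.7 ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/106"
2022-11-01T09:30:00Z login user=bob sid=s2 ip=192.0.2.44 ua="Mozilla/5.0 (Macintosh) Safari/16"
2022-11-01T09:31:00Z request user=bob sid=s2 ip=192.0.2.44 ua="Mozilla/5.0 (Macintosh) Safari/16"
2022-11-01T09:40:00Z request user=bob sid=s2 ip=192.0.2.45 ua="Mozilla/5.0 (Macintosh) Safari/16"
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def find_replayed_sessions(events):
    """One finding per session cookie used from a client whose IP and User-Agent
    both differ from the client that performed the login. Requiring both to
    change avoids flagging plain IP changes (mobile roaming, VPN), at the cost
    of missing an attacker who copies the victim's User-Agent exactly."""
    login_by_sid, findings, flagged = {}, [], set()
    for ev in events:
        if ev["event"] == "login":
            login_by_sid[ev["sid"]] = ev  # fingerprint of the session's origin
            continue
        origin = login_by_sid.get(ev["sid"])
        if origin is None or ev["sid"] in flagged:
            continue
        if ev["ip"] != origin["ip"] and ev["ua"] != origin["ua"]:
            flagged.add(ev["sid"])
            findings.append({
                "user": ev["user"], "sid": ev["sid"], "replay_ts": ev["ts"],
                "login_ip": origin["ip"], "login_ua": origin["ua"],
                "replay_ip": ev["ip"], "replay_ua": ev["ua"],
            })
    return findings


if __name__ == "__main__":
    for f in find_replayed_sessions(parse_log(SAMPLE_LOG)):
        print(f"session {f['sid']} of {f['user']} replayed from {f['replay_ip']} ({f['replay_ua']})")
```

The natural response to a finding is to revoke the session server-side; a phishing-resistant factor such as FIDO2/WebAuthn, which binds the login to the real origin, stops the proxy from obtaining a usable session in the first place.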

[EYES OUT] This Scary Strain of Sleeper Ransomware Is Really a Data Wiper in Disguise

This data wiper replaces every other 666-byte block of data with junk. TechRadar reported that a new data-wiping malware has been detected, infecting more and more endpoints with each passing day – but what’s most curious is that it poses as ransomware.

The malware is called Azov Ransomware, and when run on a victim’s device it overwrites file data with junk, rendering the files useless. The overwrites are cyclical: the malware overwrites 666 bytes of data, leaves the next 666 intact, and then repeats the process.

Even though there is no way to retrieve the corrupted files, and there is no decryption key or ransom demand, the malware still comes with a ransom note, which says that victims should reach out to security researchers and journalists for help.
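The alternating 666-byte cycle described above is something a responder can check for during triage of a suspect file. The following added example (not code from TechRadar or from any analysis of the actual sample) flags file contents that show that pattern using per-block entropy and lists the byte ranges the cycle leaves untouched; the block phase, the entropy thresholds and the constructed test document are assumptions.

```python
import math
import random

BLOCK = 666  # cycle length reported for Azov


def shannon_entropy(chunk):
    """Bits per byte (0..8) of a byte string."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def block_entropies(data, block=BLOCK):
    """Entropy of each consecutive block, split into (even blocks, odd blocks)."""
    ents = [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]
    return ents[0::2], ents[1::2]


def looks_azov_wiped(data, block=BLOCK, junk_min=7.0, gap_min=2.0):
    """Heuristic: every other block is near-random (>= junk_min bits/byte) while
    the blocks in between are markedly lower. Both phases are tried, since the
    cycle may start at block 0 or block 1 (assumption). Only meaningful when the
    original content was low-entropy (text, code, office documents); compressed
    or encrypted originals cannot be told apart from junk this way."""
    even, odd = block_entropies(data, block)
    if len(even) < 2 or len(odd) < 2:
        return False  # too few blocks to see an alternating pattern
    for junk, kept in ((even, odd), (odd, even)):
        if min(junk) >= junk_min and sum(junk) / len(junk) - sum(kept) / len(kept) >= gap_min:
            return True
    return False


def intact_ranges(size, block=BLOCK, first_wiped=0):
    """Byte ranges [start, end) the cycle leaves untouched for a file of `size`
    bytes, given which block (0 or 1) the wiping starts at. Partial data only;
    the text above notes the files themselves are not recoverable."""
    return [(s, min(s + block, size)) for i, s in enumerate(range(0, size, block))
            if i % 2 != first_wiped]


def constructed_sample(wiped=True, seed=1):
    """Low-entropy 'document' with every other block replaced by pseudo-random
    junk, built in memory purely as test input (constructed, not a real victim file)."""
    text = b"Quarterly report: revenue, costs, headcount and forecast notes. " * 80
    if not wiped:
        return text
    rng, out = random.Random(seed), bytearray(text)
    for i in range(0, len(out), 2 * BLOCK):
        out[i:i + BLOCK] = bytes(rng.getrandbits(8) for _ in range(min(BLOCK, len(out) - i)))
    return bytes(out)
```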

It’s a Sleeper Program That Wakes up October 27th

Another curious thing about Azov Ransomware is that it comes with a trigger that keeps it idle on the endpoint until October 27, 10:14:30 AM UTC, after which all hell breaks loose. Once that time arrives, the victim doesn’t necessarily need to run the original executable; running almost any program will do, because the wiper infects every other 64-bit executable on the device whose file path does not contain certain specific strings.

SOURCE: TechRadar

New Business Email Compromise Gang Impersonates Lawyers

A criminal gang that Abnormal Security tracks as Crimson Kingsnake is launching business email compromise (BEC) attacks by posing as “real attorneys, law firms, and debt recovery services.” The attackers send legitimate-looking invoices tailored to the targeted organization, asking for payments of tens of thousands of dollars.

The Abnormal Security researchers write: “These sophisticated invoices also list a bill number, account reference number, bank account details, and the company’s actual VAT ID. Some invoices even include a ‘notification of rights’ and information about who to contact with questions or concerns. Based on the complexity and detailed nature of the invoices we’ve observed, it’s possible that Crimson Kingsnake is using altered versions of legitimate invoices used by the impersonated firms.”

If the employee refuses to authorize the transaction, the attackers will sometimes pose as an executive at the organization and send the employee an email granting permission to make the payment.

“When the group meets resistance from a targeted employee, Crimson Kingsnake occasionally adapts their tactics to impersonate a second persona: an executive at the targeted company,” the researchers write. “When a Crimson Kingsnake actor is questioned about the purpose of an invoice payment, we’ve observed instances where the attacker sends a new email with a display name mimicking a company executive. In this email, the actor clarifies the purpose of the invoice, often referencing something that supposedly happened several months before, and ‘authorizes’ the employee to proceed with the payment.”

The researchers note that users could recognize these emails as fake if they knew to check the actual sender address, but the attackers place the executive’s real email address in the display name so the message looks genuine at a glance.

Abnormal Security concludes that organizations should implement modern email security solutions and provide training so employees can recognize these attacks.

“If these attacks do end up in an inbox, ensuring that there are robust procedures in place for outgoing payments is extremely important,” the researchers write. “Organizations should have a process for validating that money is getting sent to the correct recipient, particularly for these high-dollar invoices. And security awareness training is imperative, as employees should know to carefully consider sender addresses, especially when an email asks them to share sensitive information or send a payment.”

New-school security awareness training can give your organization an essential layer of security by teaching your employees how to thwart social engineering attacks.

CISA Warns of Daixin Team Ransomware Group Targeting the Healthcare and Public Health Sector via VPNs

This new group makes the case that – as with any market – cybercriminals will focus on a niche sector they are experts on in order to improve their chances of success.

Haven’t heard of Daixin Team? That’s probably because they’re doing what most new businesses do in a saturated market: focusing on a subset of that market. In Daixin Team’s case, that subset is defined in two ways, according to a recent alert from the Cybersecurity & Infrastructure Security Agency:

  • They are targeting the Healthcare and Public Health (HPH) Sector
  • They are focused on gaining initial access to victims through unpatched vulnerabilities in virtual private network (VPN) servers

The targeting of the HPH sector isn’t the interesting part; the initial access is. Historically, RDP compromise and phishing-based attacks have been trading first place as the most-used initial attack vector since 2018, according to ransomware response vendor Coveware. What’s fascinating is that the Coveware data shows a steady increase in the use of software vulnerabilities, which includes vulnerabilities in VPN servers. The Daixin Team gang is a good practical example of that, and of why organizations need to ensure every system that is externally accessible in any way is kept fully patched and up to date.

But with phishing still the dominant initial attack vector, it’s equally necessary to make certain users aren’t engaging with potentially malicious content in email and on the web, something continual security awareness training teaches.

[Scam of The Week] New Phishing Email Exploits Twitter’s Plan to Charge for Blue Checkmark

Michael Kan at PCMag had the scoop: A hacker is already circulating one phishing email, warning users they’ll need to submit some personal information to keep the blue verified checkmark for free.

He wrote: “One hacker is already exploiting Twitter’s reported plan to charge users for the verified blue checkmark by using it as a lure in phishing emails.

On Monday, journalists at TechCrunch and NBC News received phishing emails that pretended to come from Twitter, and claimed they had to submit some personal information in order to keep the blue checkmarks on their Twitter accounts.

“Don’t lose your free Verified Status,” the phishing email says. Twitter itself has yet to officially announce any changes about the blue checkmark. Nevertheless, the phishing email tries to exploit the news by claiming that some verified users, particularly celebrities, will need to pay $19.99 per month after Nov. 2 to keep the status.

The email then tries to create a sense of urgency. “You need to give a short confirmation so that you are not affected by this situation,” it says. “To receive the verification badge for free and permanently, please confirm that you are a well-known person. If you don’t provide verification, you will pay $19.99 every month like other users to get the verification badge.”

The email provides a button labeled “Provide Information.” However, a closer look at the message reveals it was sent from the email address Twittercontactcenter@gmail, instead of an official Twitter domain—a clear red flag the message is a fake.”

[WARNING] Micro Transactions Lead to a Drained Bank Account

Our friend R. Friederich at Marshalsec sent us this warning…

“Look at how much money this person had taken from his bank account over the course of a month. He had no withdrawal alerts or direct deposit alerts set up which, if he had, he would have likely been informed of those first couple of very minor micro-transactions back circa October 1-3. The micro-transactions include both ‘pre-authorized debits’ and ‘direct deposits.’ This is done to establish connectivity to the bank account. It is basically the test to see if they can get away with it.

Then, come October 13th, the withdrawals came in a flurry.
The victim says all this happened after he set up his mortgage payments to be auto-deductions.
I didn’t do the math but I am told the total is $293,769.
Check your account alerts! Make sure they are in place. This criminal activity apparently does not require your password or a 2FA code.
And check your account balances more than once a month.
This activity is considered an unauthorized withdrawal, so the victim will get their money back – but it may take 45 days.”
We highly encourage you to pass this warning along to your organization so they can stay safe from these types of attacks. New-school security awareness training can teach your users cybersecurity best practices that they can apply in their day-to-day operations.

Australia’s Cybersecurity Workforce Shortage Results in an Influx of Attacks

Australia has now become the newest target for attacks, in part because an overworked cybersecurity workforce is unable to stop these bad actors.

Last week a ransomware attack hit Australia’s defence communications platform for military personnel, and the starting point was human error. Since September alone, half of Australia’s population has suffered a data breach through the Optus attack and the Medibank hack.

And unfortunately, there is no quick fix for these weak points, a shortfall attributed to the border closures imposed under COVID-19 guidelines that remain in place across the country. Sanjay Jha, chief scientist at the University of New South Wales institute for cybersecurity, put it this way: “They don’t have enough trained people to take it seriously and do what is needed,” he said. “Sometimes you’re ticking a box in an Excel spreadsheet and you don’t understand what you’re doing, and then the outcome is not going to be great. You need people who are really skilled and trained properly.”

We strongly suggest you look into new-school security awareness training, especially now. With cybersecurity insurance premiums increasing and overall attacks increasing, now is the time to roll out end-user education before it’s too late.

Reuters has the full story.
