Attackers Use Morse Code to Encode Phishing Attachments

phishing campaign is using morse code to encode malicious attachments in order to slip past security filters, according to researchers at Microsoft. The phishing emails contain HTML attachments designed to steal credentials.

“This phishing campaign exemplifies the modern email threat: sophisticated, evasive, and relentlessly evolving,” the researchers write. “The HTML attachment is divided into several segments, including the JavaScript files used to steal passwords, which are then encoded using various mechanisms. These attackers moved from using plaintext HTML code to employing multiple encoding techniques, including old and unusual encryption methods like Morse code, to hide these attack segments. Some of these code segments are not even present in the attachment itself. Instead, they reside in various open directories and are called by encoded scripts.”

(Morse code is not, of course, really encryption. It’s just another alphabetical system, but nowadays only old-school ham radio fists are likely to be fluent in Morse. And so it can function like a cipher for those not in the know.) This technique gives the emails a better chance of bypassing security technologies, since the filters are less likely to recognize the attachments as malicious.

“In effect, the attachment is comparable to a jigsaw puzzle: on their own, the individual segments of the HTML file may appear harmless at the code level and may thus slip past conventional security solutions,” the researchers write. “Only when these segments are put together and properly decoded does the malicious intent show.”

The researchers add that the attackers update their obfuscation techniques on a regular basis to stay ahead of the security industry.

“Cybercriminals attempt to change tactics as fast as security and protection technologies do,” the researchers write. “During our year-long investigation of a targeted, invoice-themed XLS.HTML phishing campaign, attackers changed obfuscation and encryption mechanisms every 37 days on average, demonstrating high motivation and skill to constantly evade detection and keep the credential theft operation running.”

New-school security awareness training can give your organization an essential layer of defense by teaching your employees to recognize social engineering attacks.

READ MORE

The Anatomy of Smishing Attacks and How to Avoid Them

Cybercriminals and nation-state actors continue to launch smishing attacks to steal credentials and distribute malware, according to Michael Marriott, Senior Strategy and Research Analyst at Digital Shadows. Marriott describes a new Android banking Trojan called “AbereBot” that’s being sold on cybercriminal forums. Since the Trojan targets mobile devices, it’s distributed via text messages.

“This is just one recent example, and barely a month goes by without another Android malware making news headlines,” Marriott says. “Back in January, for example, FluBot was reported to have spread quickly and significantly across targets. This malware was installed by SMS, in this case purporting to be from a delivery company providing a package tracking link. Users were prompted to download an application that would enable them to track the package, however, the malicious application enabled the attacker to capture banking credentials.”

Marriott cites advice from the UK’s National Cyber Security Centre (NCSC) on how to avoid falling for these scams:

  1. “Only download apps from App Stores, such as the Android Play Store.
  2. “If you suspect you have clicked on a malicious link, reset your device to factory settings and reset credentials of any accounts that you have entered since the infection.
  3. “Even non-Android users should be cautious of clicking on links that may be attempting to capture credentials.
  4. “Beware of unsolicited texts using high pressure tactics that introduce urgency, such as closing accounts or transferring funds, for example. When in doubt, go to the full website of the company and check notifications for your accounts there.
  5. “Beware of anything that forces you to log in to unrelated services, such as entering banking credentials to receive a package.
  6. “Always treat a message offering ‘something for nothing,’ such as winning money or prizes, as suspect, especially when you need to provide financial or other sensitive information.”

New-school security awareness training can enable your employees to recognize social engineering attacks.

READ MORE

WhatsApp Phishing Scams Significantly Increase

The Southwark Police in London have warned of a spike in WhatsApp phishing scams, according to Paul Ducklin at Naked Security. The station tweeted, “We have seen a surge in WhatsApp accounts being hacked, if you are sent a text from WhatsApp with a code on it, don’t share the code with ANYONE no matter who’s asking, or the reason why. “

Ducklin notes that users of WhatsApp and similar messaging services are more likely to view messages as trustworthy, since they appear to be coming from an acquaintance.

“Closed-group instant messaging and social media communities don’t suffer from spam in the same way that your email account does, because you can set up your account so that only approved contacts such as friends and family can message you in the first place,” Ducklin writes. “That means, however, that you’re more inclined to trust messages and web links that you do receive, because they generally come from someone you know.”

Ducklin adds that users should be suspicious of unsolicited or strange messages from contacts, especially if the messages sound urgent or try to get you to click on a link.

“Never trust messages simply because they come from a friend’s account,” he says. “Just as importantly, if a weird message from a friend’s account makes you think they’ve been hacked, don’t message them back via the same service to warn them. If you’re right, your real friend will never see the warning, and you will have tipped off the crooks that you are onto them. Contact your friend some other way instead.”

Two-factor authentication (2FA) is an essential layer of defense, but Ducklin stresses that attackers can still bypass this measure via social engineering.

“If you’ve turned on 2FA on your various accounts, good for you,” he writes. “It’s not a silver bullet, so it can’t guarantee that your account won’t get hacked, but it does make things harder for the crooks. Don’t play the ball back into their court by sharing those secret codes with other people, no matter how convincing their story sounds.”

New-school security awareness training can teach your employees to follow security best practices so they can avoid falling for these attacks.

READ MORE

Insights Into Credential Phishing

Cybercriminals are quick to put hacked accounts to use, according to Agari by Help Systems. The researchers found that 91% of compromised accounts are accessed by attackers within one week, and half of these accounts are accessed within the first twelve hours. Additionally, 23% of phishing sites are using automation to test the authenticity of stolen credentials. Agari explains that criminals are efficient at escalating their attack once they gain access to a network.

“[O]nce attackers gained access to the compromised accounts, it became apparent that they wanted to identify high-value targets who have access to a company’s financial information or payment system so that they could send vendor email compromise scams more effectively,” the researchers write. “The accounts were also used for other purposes, including sending malicious emails and using the accounts to register for additional software from which to run their scams.”

Agari notes that once the attackers compromise a single account at an organization, they can use that account to send more convincing phishing emails to other employees. It’s particularly effective in staging business email compromise (BEC) campaigns.

“In another example, cybercriminals targeted employees at real estate or title companies in the U.S. with an email that appeared to come from a U.S.-based financial services company that offers title insurance for real estate transactions,” Agari says. “When targets opened the email, they were encouraged to view a secure message, which sent them to a webpage mimicking the company’s actual homepage. From there, they were encouraged to view additional documents and enter their account information—leading to the compromise. This shows the self-fulfilling growth cycle where credential phishing attacks lead to compromised accounts, which lead to more credential phishing attacks and more compromised accounts, and so on.”

Agari founder Patrick Peterson emphasized that the best way to defend against these attacks is by preventing attackers from gaining a foothold in the first place.

“Without measures in place to protect against BEC and account takeover-based attacks, the problem will only continue,” Peterson said. “The insight uncovered by the [Agari Cyber Intelligence Division (ACID)] team is a sobering reminder of the scale of the issue—compromised accounts lead to more compromised accounts, and only by preventing the first compromise can we suppress BEC at an early stage.”

New-school security awareness training can help your employees avoid falling for social engineering attacks, stopping the attackers before they’re able to establish a beachhead in your organization.

READ MORE

2021 Phishing Trends Face Alarming Predictions and Will Likely Include Automated Attacks

Researchers at INKY warn that targeted phishing attacks will continue throughout 2020, as some employees return to the office and others continue working from home. They predict that spear phishing attacks will begin to grow more automated, allowing more attackers to launch these attacks.

The researchers expect to see the following five trends for the rest of the year:

  1. “Additional government impersonators will be trying to gather personal information or illicit money through sophisticated phishing scams.
  2. “Cloud breaches will be on the rise as companies continue to offer remote working options to their employees.
  3. “Targeted data theft will climb due to the fact that thousands of businesses have not done enough to properly secure their sensitive information from hackers and cybercriminals.
  4. “Ransomware attacks could escalate as they did in 2020, a year that saw $29.1 million in damages. Using email phishing campaigns, cybercriminals have compromised email accounts using precursor malware, which enables the hacker to then use a victim’s email account to further spread the infection.
  5. “Spear phishing campaigns – which impersonate a CEO, vendor, or other known person – will likely see more sophistication and even automation. This will drive the number of incidents, the complexity, and the likelihood that an employee will fall for this costly phishing threat.”

The researchers conclude that organizations shouldn’t grow complacent as employees begin returning to the office.

“Much like health officials are urging us not to let our guard down for the pandemic this year, it’s also clear that we must be diligent in our efforts to protect our businesses from the cybercriminals’ phishing scams,” INKY says. “Nothing could be sadder than to see your organization through a pandemic, only to have it brought down by a sophisticated phishing event.”

New-school security awareness training with simulated phishing tests can familiarize your employees with these types of attacks so they can thwart them in the real world.

INKY has the story.

READ MORE

Office 365 Phishing Kits Are Being Used in a New Attack Targeting Execs and Finance

A new highly-targeted phishing campaign is seeking to compromise the online credentials of those with influence within an organization using an Office 365-themed update attack.

The bad guys used to try to con anyone with the organization they could and then work to swim “upstream” to compromise someone in IT, an executive, etc. These days, the bad guys are dialed into using online tools like LinkedIn to identify their targets and work by using social engineering tactics to convince their victims into giving up valuable credentials.

In a new attack spotted by security vendor Area 1 targets financial departments, C-suite executives and executive assistants within the financial services, insurance and retail industries.

Using an Office 365 service update phishing email as the initial attack vector, prospective victims are encouraged to open the attachment to read about an important update. The attachment can be a PDF, HTML or HTM file.

Figure2-3

 

 

 

 

 

 

 

 

 

 

 

 

Source: Area 1

A JavaScript “unescape” command is used to obfuscate the HTML that loads a phishing kit-based Office 365 credential harvesting site. The phishing kit even includes a very realistic touch of popping up an updated privacy policy before allowing the user to continue.

Figure5-3

 

 

 

 

 

 

Source: Area 1

All this works to lower the victim’s defenses, establish credibility, and increase the chance of attack success.

Teaching users via Security Awareness Training to watch out for abnormal communications (such as “Microsoft” using an attachment to convey update details) can stop attacks like these in their tracks, no matter how convincing their phishing kit is.

READ MORE

The Growing WeTransfer Phishing Campaign Can Put Your Users at Risk

Researchers at Avanan have observed a phishing campaign that’s impersonating the WeTransfer file-sharing app in an attempt to steal users’ credentials. The email’s subject line states, “You received some important files via WeTransfer!” The body of the email informs recipients that they’ve received three files through the service, with a link to “Get your files.”

The text of the email was worded awkwardly, however, which could tip some users off:

“Dear Sir/Madam,

Attached is our order catalogue and PO-209-2021 And Terms & Condition, please check if you can provide us with those, and quote.

Look forward to have a cooperation with you ,thanks.”

The email also states “Will be deleted by April 5, 2021” to instill a sense of urgency and motivate users to click the link. The link leads to a convincingly spoofed version of WeTransfer’s website, with a popup presenting a button for the user to download their new files. The names of the files are “List of Items.pdf,” “Drawings and Specifications.zip,” and “Company Profile.mp4.”

If the user clicks the button, they’ll be taken to a login page to verify their WeTransfer credentials. When they try to log in, their credentials will be sent to the attacker. The victim will be told that a technical error occurred, and the site will request that they re-enter their password.

“Hackers will do anything to get in your inbox,” Avanan concludes. “Posing as a trusted file-sharing source, with an email you may often get, tends to be a good way to do that.”

While this phishing attack isn’t highly sophisticated, some people will still probably fall for it. Avanan notes that the phishing site’s URL clearly didn’t resemble WeTransfer’s legitimate URL, so observant users could have recognized the scam. New-school security awareness training can teach your employees how to spot the signs of phishing attacks.

READ MORE

Recent Phishing Scams that Managed to Bypass Email Security Filters

Researchers at Armorblox describe several recent phishing scams that managed to bypass email security filters. The first attempted to gain access to users’ Facebook accounts.

“Recently, the Armorblox threat research team observed an email impersonating Facebook attempt to hit one of our customer environments,” Armorblox says. “The email was titled ‘Reminder: Account Verification’ with the sender name ‘Facebook’ and the sender domain ‘noreply@cc[.]mail-facebook[.]com’. The email informed victims that their account usage had been restricted due to some security concerns, and invited victims to verify their account activity to restore full access to their Facebook account.”

The email contains a link to a spoofed Facebook login page designed to steal the user’s credentials.

“The parent domain of the page is ‘sliderdoyle[.]com’, which should tell circumspect users that this isn’t a legitimate site,” the researchers write. “However, the surface-level resemblance of the page to Facebook’s real login portal combined with the urgency generated by the context of the email (restricted account access) means that many users will rush through this page and fill in their account details without looking at the URL.”

Another phishing email impersonated Apple and informed the recipient that their Apple account had been locked.

“The email was titled ‘Re: Your Apple ID has been locked on March 11, 2021 PST’ followed by a reference number,” Armorblox says. “The sender name was ‘Appie ID’, using a common technique of misspelling words to get past deterministic security techniques like filters/blocklists while still passing victims’ eye tests. The email informed victims that their Apple ID had been locked for security reasons. The email invited victims to verify their account within 12 hours of risk having their Apple ID suspended.”

In both of these cases, the scam could have been avoided if users had scrutinized the URL contained in the email. New-school security awareness training can help your employees recognize red flags associated with phishing attacks.

Armorblox has the story.

READ MORE

REvil Ransomware Now Helps with Extortion by Offering to Call the Victim’s Contractors and the Media

The bad guys are going to great lengths to ensure they make their money. As part of its Ransomware-as-a-Service, REvil is now expanding its services to aid in the extortion phase.

REvil/Sodinkibi has been a major player in the RWaaS market, providing its’ affiliate bad guys with functional ransomware malware and a payment site. They are relying on the affiliate to attack, infiltrate, and compromise the victim networks in order to deploy the ransomware. This split of duties brings REvil somewhere between 20-30% of the ransom, with the affiliate taking the remainder home.

So, it’s mutually beneficial to both parties that the ransom first, be paid and second, be as much as possible. The exfiltrating of data and extorting the victim organization to pay or face publication of the stolen data has been growing over the last year since it was first seen used by Maze.

But a new twist on the extortion saga is the launching of a calling service where REvil will call the victim organizations business partners, local media, and more to bring the attack to light and force the organization to pay up to regain its operations.

Shown below, the ad asks for affiliates to provide organization details, chat contacts and phone numbers to call.

Evya9TeXcAEH77G

Source: Twitter

The bad guys aren’t going to be satisfied with just taking your ransom payment; they’re going to ensure they squeeze the maximum amount of money out of your organization they can.

READ MORE

Spoofing Tailored to Financial Departments

Researchers at Area 1 Security have warned of a large spear phishing campaign targeting financial departments and C-suite employees with spoofed Microsoft 365 login pages. The researchers say that in some cases the attackers “specifically targeted newly-selected CEOs during critical transitionary periods.” Additionally, the attackers went after executives’ assistants.

“Beyond financial departments, the attackers also targeted C-suite and executive assistants,” Area 1 says. “Targeting high-level assistants is an often overlooked method of initial entry, despite these employees having access to highly sensitive information and an overall greater level of privileges. In a few instances, the attackers even attempted to bait newly-selected CEOs of two major companies before any public announcements of this significant senior executive changeover were made.”

The attackers appear to have been attempting to conduct business email compromise scams.

“A large majority of the phishing attacks stopped by Area 1 Security were headed to financial controllers and treasurers at various international companies,” the researchers write. “By targeting the financial departments of these companies, the attackers could potentially gain access to sensitive data of third parties through invoices and billing, commonly referred to as a BEC (Business Email Compromise) attack. This enables the attackers to send forged invoices from legitimate email addresses to suppliers, resulting in payments being made to attacker-owned accounts.”

The researchers note that the phishing emails were able to bypass email security measures, and the attackers seem to have been more sophisticated than most cybercriminals.

“Clever tactics were used to not only craft the phishing messages, but also to send those messages, as well as to obtain passwords,” the researchers write. “These methods utilized a number of techniques at every step — including legitimate-looking domains and login pages, plus advanced phishing kits — to bypass email authentication and Microsoft’s email defenses. It’s clear that the masterminds behind these attacks possess above-average skills compared to your typical credential harvesting schemers.”

New-school security awareness training can enable your employees to thwart targeted social engineering attacks.

READ MORE