New “Back to Work” HR-Themed Phishing Scam Works to Steal Internal User Credentials

Using a fake internal memo from HR, per-user custom-named email attachments, SharePoint Online, and a realistic-looking HR form, this phishing attack has all the ingredients to trick your users.

This far into the pandemic, there are groups of users within your organization begging to come back to the office, as well as those that never want to set foot in the office again. This emotional attachment to either sentiment is the basis for this newest scam, documented by security researchers at Abnormal Security.

The scam appears to come from internal HR, informing users of dates that the offices are expected to reopen and when employees should return to the office to work. Each contains an HTML attachment with the victim’s name on it (see below).


Unlike most HTML attachments, the link doesn’t take the user to a malicious webpage; instead it takes them to a SharePoint Online document that appears to be an HR document the user is required to acknowledge. This use of a legitimate Office 365 SharePoint site helps these attacks bypass security and find their way to the user’s Inbox.

The most dumbfounding part of this attack is how the user is tricked out of their credentials. At the end of the HR form, they are simply asked for their email address (which is presumed to be their username) and then asked to enter their password as a means of establishing identity as part of agreeing to the presented HR policies. Anyone who understands when and where passwords would be used can easily see this isn’t one of those times.
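The mail-gateway side of this is worth seeing in code: an HTML attachment is just a file, so a filter can open it and list where it sends the reader, and can notice that the filename carries the recipient's own name. The following is an added example, not code from the original post or from Abnormal Security. The .eml message, the attachment name and the sharepoint.com URLs in it are constructed for illustration (the tenant name is a placeholder).

```python
"""Flag e-mail messages that carry HTML attachments with outbound links.

Added example, not from the original post or Abnormal Security. The
message below is constructed; the attachment and its links are hypothetical.
"""
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample: an "HR memo" with a per-user-named HTML attachment.
SAMPLE_EML = """\
From: HR Department <hr@example.com>
To: jane.doe@example.com
Subject: Return to office: please acknowledge
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please open the attached memo and acknowledge the new office policy.

--b1
Content-Type: text/html; name="Return-to-Office-jane.doe.html"
Content-Disposition: attachment; filename="Return-to-Office-jane.doe.html"

<html><body>
<p>Click to review the policy.</p>
<a href="https://tenant-placeholder.sharepoint.com/sites/HR/hypothetical-memo">Review memo</a>
<meta http-equiv="refresh" content="0;url=https://tenant-placeholder.sharepoint.com/sites/HR/hypothetical-memo">
</body></html>
--b1--
"""


class LinkExtractor(HTMLParser):
    """Collect href targets and meta-refresh redirect URLs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.urls.append(a["href"])
        # <meta http-equiv="refresh" content="0;url=..."> is a silent redirect
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url=(\S+)", a.get("content", ""), re.I)
            if m:
                self.urls.append(m.group(1))


def html_attachment_links(raw_eml: str) -> list[dict]:
    """Return one record per HTML attachment: its filename and every URL it points to."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() == "text/html" or name.lower().endswith((".html", ".htm")):
            parser = LinkExtractor()
            parser.feed(part.get_content())
            findings.append({"filename": name, "urls": parser.urls})
    return findings


def recipient_named_attachment(raw_eml: str) -> bool:
    """True when an attachment filename embeds the recipient's local-part (per-user customisation)."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    local = str(msg["To"] or "").split("@")[0].lower()
    return bool(local) and any(
        local in (p.get_filename() or "").lower() for p in msg.iter_attachments()
    )


if __name__ == "__main__":
    for hit in html_attachment_links(SAMPLE_EML):
        print(hit["filename"], "->", hit["urls"])
    print("recipient-named attachment:", recipient_named_attachment(SAMPLE_EML))
```

A gateway rule built on this would treat "HTML attachment whose only purpose is to redirect elsewhere" as a strong signal regardless of the destination's reputation, which is exactly the gap that hosting the lure on a legitimate SharePoint site is meant to exploit.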

The scam is a good one – it uses evasive techniques to ensure delivery, establishes legitimacy and urgency, and quickly seeks to reach its malicious goal. Users that have undergone Security Awareness Training should be able to spot this as being a scam, keeping their credentials – and your organization – secure.

READ MORE

Ransomware Gangs Are Now Cold-Calling Victims If They Restore From Backups Without Paying

Catalin Cimpanu at ZDNet reported on another evil escalation in ransomware extortion tactics.  In attempts to put pressure on victims, some ransomware gangs are now cold-calling victims on their phones if they suspect that a hacked company might try to restore from backups and avoid paying ransom demands.

“We’ve seen this trend since at least August-September,” Evgueni Erchov, Director of IR & Cyber Threat Intelligence at Arete Incident Response, told ZDNet on Friday. Ransomware groups that have been seen calling victims in the past include Sekhmet (now defunct), Maze (now defunct), Conti, and Ryuk, a spokesperson for cyber-security firm Emsisoft told ZDNet on Thursday.

“We think it’s the same outsourced call center group that is working for all the [ransomware gangs] as the templates and scripts are basically the same across the variants,” Bill Siegel, CEO and co-founder of cyber-security firm Coveware, told ZDNet in an email. Arete IR and Emsisoft said they’ve also seen scripted templates in phone calls received by their customers.

According to a recorded call made on behalf of the Maze ransomware gang, and shared with ZDNet, the callers had a heavy accent, suggesting they were not native English speakers.  The post has a redacted transcript of a call, provided by one of the security firms as an example, with victim names removed.

Another Escalation In Ransomware Extortion Tactics

The use of phone calls is another escalation in the tactics used by ransomware gangs to put pressure on victims to pay ransom demands after they’ve encrypted corporate networks.

Previous tactics included the use of ransom demands that double in value if victims don’t pay during an allotted time, threats to notify journalists about the victim company’s breach, or threats to leak sensitive documents on so-called “leak sites” if companies don’t pay.

However, while this is the first time ransomware gangs have called victims to harass them into paying, this isn’t the first time that ransomware gangs have called victims.

In April 2017, the UK’s Action Fraud group warned schools and universities that ransomware gangs were calling their offices, pretending to be government workers, and trying to trick school employees into opening malicious files that led to ransomware infections.

READ MORE

How Are Credential-Theft Phishing Websites Avoiding Detection? They Just Invert the Website Background

Sometimes the easiest solution is the best solution. And in the case of phishing attacks intent on stealing credentials using a fake logon page, it appears that background inversion does the trick.

Plenty of security solutions use crawlers to spot phishing sites before allowing users to navigate to them. And one of the more identifiable aspects of legitimate logon pages to sites such as Office 365 is the background. So, it makes sense that anytime a background image traditionally associated with a well-known authentication process shows up on some other website, it’s a sign there may be something suspicious afoot.

Well, it appears the bad guys have figured this out and have used the simplest of techniques to avoid detection: inversion. By simply inverting the background image (see below) with Cascading Style Sheets (CSS) whenever a crawler visits, the bad guys avoid detection.

Original next to inverted background

Source: PhishFeed

But what about when a human visits? It’s obvious something’s wrong. No problem. The CSS code automatically reverts the image to its normal presentation when an actual user visits, making them feel they’ve arrived at the appropriate page.
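The defensive lesson is that a crawler comparing a page's background to known brand backgrounds must compare against the inverse as well, and should treat an `invert()` CSS filter on the page as a signal in its own right. The block below is an added example and is not code from the original post or from PhishFeed: the tiny image, the CSS snippet and the known-brand hash table are all constructed, and the average hash stands in for the perceptual hash a real crawler would use.

```python
"""Match a logon page's background against known brand backgrounds even
when the page has inverted it with CSS.

Added example; not code from the original post or PhishFeed. The image,
the CSS and the known-brand table are constructed for illustration.
"""
import re


def invert_rgb(pixels: bytes) -> bytes:
    """CSS filter: invert(1) maps every channel v to 255 - v; do the same to raw RGB bytes."""
    return bytes(255 - v for v in pixels)


def average_hash(pixels: bytes) -> int:
    """Tiny perceptual hash: one bit per pixel, set when the pixel is brighter than the mean."""
    grey = [sum(pixels[i:i + 3]) // 3 for i in range(0, len(pixels), 3)]
    mean = sum(grey) / len(grey)
    bits = 0
    for g in grey:
        bits = (bits << 1) | (1 if g > mean else 0)
    return bits


def inversion_aware_match(pixels: bytes, known: dict):
    """Return (brand, 'as-is' | 'inverted') if the image or its inverse matches a known background."""
    h = average_hash(pixels)
    h_inv = average_hash(invert_rgb(pixels))
    for brand, ref in known.items():
        if h == ref:
            return brand, "as-is"
        if h_inv == ref:
            return brand, "inverted"
    return None


# A page that inverts its background only for crawlers still has the rule in its CSS.
CSS_INVERT = re.compile(r"filter\s*:\s*invert\(\s*(?:1|100%)\s*\)", re.I)


def has_css_inversion(css: str) -> bool:
    """True when a stylesheet applies a full colour inversion."""
    return bool(CSS_INVERT.search(css))


# Constructed 4x2 RGB "brand background": left half dark, right half light.
ORIGINAL_BG = bytes([0, 0, 0] * 4 + [200, 200, 200] * 4)

# Constructed reference table: brand name -> hash of its real background.
KNOWN_BACKGROUNDS = {"example-brand": average_hash(ORIGINAL_BG)}


if __name__ == "__main__":
    crawler_view = invert_rgb(ORIGINAL_BG)        # what the crawler is served
    print(inversion_aware_match(crawler_view, KNOWN_BACKGROUNDS))
    print(has_css_inversion("body { background: url(bg.jpg); filter: invert(1); }"))
```

Because the crawler and the human are served different renderings, the check should run on whatever the crawler actually receives, with the inverted hash computed locally rather than trusting the page to show its "real" face.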

This one is so tricky, no user will ever know just by looking at the familiar background. But through new-school Security Awareness Training, users can be taught to be mindful of the website URL, making certain it’s actually the legitimate vendor’s logon page and not a lookalike website.

READ MORE

Think Tanks Targeted by APT Actors

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint advisory warning that nation-state advanced persistent threat (APT) actors are targeting US think tanks. The advisory says APTs are particularly interested in think tanks that focus on international affairs or national security policy.

“APT actors have relied on multiple avenues for initial access,” the advisory states. “These have included low-effort capabilities such as spear phishing emails and third-party message services directed at both corporate and personal accounts, as well as exploiting vulnerable web-facing devices and remote connection capabilities. Increased telework during the COVID-19 pandemic has expanded workforce reliance on remote connectivity, affording malicious actors more opportunities to exploit those connections and to blend in with increased traffic. Attackers may leverage virtual private networks (VPNs) and other remote work tools to gain initial access or persistence on a victim’s network. When successful, these low-effort, high-reward approaches allow threat actors to steal sensitive information, acquire user credentials, and gain persistent access to victim networks.”

CISA says leaders should “Implement a training program to familiarize users with identifying social engineering techniques and phishing emails.” For employees, the advisory offers the following recommendations:

  • “Log off remote connections when not in use.
  • “Be vigilant against tailored spear phishing attacks targeting corporate and personal accounts (including both email and social media accounts).
  • “Use different passwords for corporate and personal accounts.
  • “Install antivirus software on personal devices to automatically scan and quarantine suspicious
  • “Employ strong multi-factor authentication for personal accounts, if available.
  • “Exercise caution when:
    • “Opening email attachments, even if the attachment is expected and the sender appears to be known. See Using Caution with Email Attachments.
    • “Using removable media (e.g., USB thumb drives, external drives, CDs).”

New-school security awareness training can help organizations of all types defend themselves against cyberattacks by enabling employees to recognize social engineering tactics.

READ MORE

South African Post Office Issues Warning on Postal Phishing Attack

The South African Post Office recently issued a warning about a phishing attack. The post office advised everyone to delete the email immediately.

“The SA Post Office continues to receive enquiries from members of the public who receive an email stating that a package could not be delivered to them because of outstanding customs duties,” the Post Office released in a statement. “The mail contains a link that leads them to a payment page not operated by the SA Post Office, and refers to a fraudulent tracking number not issued by the Post Office.”

The post office also disclosed that the sender’s display name had been changed to show the post office rather than the cybercriminal’s true email address. This is a typical social engineering tactic for the bad guys to utilize.
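Display-name spoofing is cheap for the attacker and cheap to check for: the display name is free text, but the address domain is not. The following is an added example and not code from the original post or from the SA Post Office; the brand-to-domain allowlist and the sample From headers are constructed, and the domains in them are placeholders rather than the Post Office's real domains.

```python
"""Flag From headers whose display name invokes an organisation that the
sending address domain does not belong to.

Added example; the allowlist and the sample headers are constructed and
the domains are placeholders.
"""
from email.utils import parseaddr

# Constructed allowlist: brand text seen in display names -> domains allowed to use it.
BRAND_DOMAINS = {
    "sa post office": {"postoffice.example"},
    "post office": {"postoffice.example"},
}


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _allowed(domain: str, domains: set) -> bool:
    """Exact domain or a subdomain of an allowlisted domain."""
    return domain in domains or any(domain.endswith("." + d) for d in domains)


def display_name_mismatch(from_header: str, brand_domains=BRAND_DOMAINS):
    """Return (reason, actual_domain) when the display name misrepresents the sender, else None.

    reason is the matched brand, or 'embedded-address' when the display name
    itself contains an e-mail address on a different domain."""
    name, addr = parseaddr(from_header)
    domain = _domain(addr)
    lowered = name.lower()

    # "support@postoffice.example" <x@free-mail.example>: an address used as a name
    if "@" in name:
        embedded = _domain(parseaddr(name)[1] or name)
        if embedded and embedded != domain:
            return "embedded-address", domain

    # Longest brand string first so "sa post office" wins over "post office".
    for brand in sorted(brand_domains, key=len, reverse=True):
        if brand in lowered:
            if not _allowed(domain, brand_domains[brand]):
                return brand, domain
            return None
    return None


if __name__ == "__main__":
    for hdr in (
        "SA Post Office <alerts@mail.postoffice.example>",
        "SA Post Office <tracking-update@free-mail.example>",
        '"support@postoffice.example" <x@free-mail.example>',
        "Jane Doe <jane@free-mail.example>",
    ):
        print(hdr, "->", display_name_mismatch(hdr))
```

The check is deliberately narrow: it only fires when the display name makes a claim the domain contradicts, so ordinary personal senders pass, and a mail client or gateway can surface the real address next to the claimed name rather than silently trusting the label.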

With the pandemic showing an increase in attacks all around the world, it’s important for your users to consistently be vigilant of any email communication that is out of the norm. New-school security awareness training can train your users how to spot and report any suspicious email activity.

READ MORE

Fake Zoom Invite Leads to one Australian Company’s Downfall

We’ve previously written blog posts urging caution with suspicious Zoom meeting links, and we even reported a huge increase in phishing attacks using Zoom in August of this year. The heads-up is that these attacks are happening right now in high volume.

Unfortunately, one hedge fund company based in Australia did not get the message.

The Australian Financial Review reported that Levitas Capital’s largest institutional client, Australian Catholic Super, had pulled a planned $16 million investment following the September incident and the fund would be closing down. It was later reported that this was due to a fake Zoom meeting invite phishing link that was opened by one of the co-founders of the organization.

Fraudulent invoices were then sent to other companies that the fund had previously worked with. “There were so many red flags which should have been spotted … It makes you wonder where else in the system could this happen?” said Michael Fagan, co-founder of Levitas Capital.

Here is the screenshot of the Zoom invite to show just how realistic the invite looked:

Fake Zoom Invite Link

Let this be a warning for other companies not taking new-school security awareness training seriously. It’s important to continually educate your users about common social engineering tactics like this one.

READ MORE

[Heads-Up] A Hacker Is Selling Access To The Email Accounts Of Hundreds Of C-Level Executives

ZDNet’s Zero Day column just reported one of the best reasons why you should step your users through new-school security awareness training yet:

“A threat actor is currently selling passwords for the email accounts of hundreds of C-level executives at companies across the world. The data is being sold on a closed-access underground forum for Russian-speaking hackers named Exploit.in, ZDNet has learned this week.  The threat actor is selling email and password combinations for Office 365 and Microsoft accounts, which he claims are owned by high-level executives occupying functions such as:

  • CEO – chief executive officer
  • COO – chief operating officer
  • CFO – chief financial officer or chief financial controller
  • CMO – chief marketing officer
  • CTO – chief technology officer
  • President
  • Vice president
  • Executive Assistant
  • Finance Manager
  • Accountant
  • Director
  • Finance Director
  • Financial Controller
  • Accounts Payable

Access to any of these accounts is sold for prices ranging from $100 to $1,500, depending on the company size and user’s role. A source in the cyber-security community who agreed to contact the seller to obtain samples has confirmed the validity of the data and obtained valid credentials for two accounts, the CEO of a US medium-sized software company and the CFO of an EU-based retail store chain.

The source, which requested that ZDNet not use its name, is in the process of notifying the two companies, but also two other companies for which the seller published account passwords as public proof that they had valid data to sell. These were login details for an executive at a UK business management consulting agency and for the president of a US apparel and accessories maker.

I don’t have to tell you the risks that this brings related to CEO Fraud, also known as Business Email Compromise. ZDNet has the full story:

https://www.zdnet.com/article/a-hacker-is-selling-access-to-the-email-accounts-of-hundreds-of-c-level-executives/

READ MORE

Credential-Stealing VPN Exploits

A hacker has published an exploit for a critical vulnerability in Fortinet VPN devices, along with a list of 49,577 vulnerable devices, BleepingComputer reports. Fortinet released a patch for the flaw in May 2019, but many devices remain vulnerable. The flaw (CVE-2018-13379) can allow an unauthenticated attacker to download system files, including passwords, from vulnerable Fortinet VPNs. In fact, the hacker in this case claims to have already obtained the login credentials for the vulnerable devices on the list. BleepingComputer says this access will most likely be exploited by ransomware operators to gain access to networks.

BleepingComputer adds that a number of well-known public and private sector organizations are on the hacker’s list.

“After analyzing the list, it was found that the vulnerable targets included government domains from around the world, and those belonging to well-known banks and finance companies,” BleepingComputer says. “As observed by BleepingComputer, out of the 50,000 domains, over four dozen belonged to reputable banking, finance, and governmental organizations.”

The hacker’s post was discovered by a threat intelligence analyst known on Twitter as “Bank_Security,” who told BleepingComputer that thousands of companies around the world were on the list.

“This is an old, well known and easily exploited vulnerability,” Bank_Security said. “Attackers already use it for a long time. Unfortunately, companies have a very slow patching process or an uncontrolled perimeter of exposure on the internet, and for this reason, attackers are able to exploit these flaws to compromise companies in all sectors with relative simplicity.”

In cases where patching these devices isn’t possible or can’t be accomplished quickly, implementing multi-factor authentication can at least mitigate this vulnerability. (And multifactor authentication should be enabled wherever possible, even after the flaw has been patched.) New-school security awareness training can create a culture of security within your organization, enabling your employees to keep up with the latest security threats.

READ MORE

The Risk of the “To” Line

Micropayments company Coil accidentally exposed at least a thousand of its customers’ email addresses by including their addresses in the “To” field of an email, BleepingComputer reports. The email in question concerned updates to the company’s privacy policy (many observers have noted the irony). It’s not clear how many email addresses were exposed, but BleepingComputer suspects it was more than a thousand.

“On taking a closer look, BleepingComputer noticed at least 1,000 emails were included in the announcement,” the publication says. “It is likely other users saw a different set of email addresses listed in the To or CC fields, assuming the mass announcement was emailed in batches of 1,000.”

Coil’s founder and CEO Stefan Thomas apologized in a statement, saying the incident was caused by human error.

“Earlier this evening we sent you an email updating you on changes to our Terms & Privacy Policy,” Thomas said. “Unfortunately, due to a human error related to how we interface with our mailing list provider, a number of users’ email addresses were populated alongside yours. This mistake is especially painful as we take privacy extremely seriously — it is the cornerstone of our values. We’re deeply sorry and hope you can forgive us for this mistake. We’re here to help you with any concerns or issues you may have as a result of this error.”

BleepingComputer notes that these types of privacy breaches are fairly common, with at least two other incidents occurring in the past few weeks.

“Last week, Rakuten had erroneously emailed multiple customers, stating the customers had earned cashback, only to recall their words later,” BleepingComputer says. “In October, a Home Depot email blunder had exposed hundreds of customer orders and personal information to strangers CC’d in emails.”

It’s not just the incoming mail that can be a problem. The outgoing mail carries its own risks. New-school security awareness training can reduce the risk of both malicious and accidental incidents by teaching your employees to be vigilant when dealing with emails and other forms of communication.
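The technical fix for the "To" line problem is to keep recipients out of the visible headers altogether and to refuse to send when more than a handful of addresses would be exposed. The block below is an added example, not Coil's code or its mailing-list provider's; the sender address and recipient list are constructed, and the batch size of 1,000 mirrors the figure BleepingComputer speculated about.

```python
"""Build mass announcements so that recipients never see each other's addresses.

Added example, not Coil's code. Sender and recipients are constructed.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# A one-to-many announcement should expose no peer addresses: only the
# sender's own no-reply address is allowed to appear in To/Cc.
MAX_VISIBLE_RECIPIENTS = 1


def visible_recipients(msg: EmailMessage) -> list:
    """Every address a reader of this message would see in To or Cc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses([str(h) for h in headers])]


def check_no_leak(msg: EmailMessage) -> None:
    """Refuse to send a message that would disclose other recipients' addresses."""
    seen = visible_recipients(msg)
    if len(seen) > MAX_VISIBLE_RECIPIENTS:
        raise ValueError(
            f"{len(seen)} addresses visible in To/Cc; "
            "mass mail must carry recipients only in the SMTP envelope"
        )


def build_announcement(sender, recipients, subject, body, batch_size=1000):
    """Yield (message, envelope_recipients) pairs, one per batch.

    The real recipients travel only in the SMTP envelope, which is what Bcc
    achieves, and never appear in any header of the message."""
    for start in range(0, len(recipients), batch_size):
        batch = list(recipients[start:start + batch_size])
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = sender            # readers see only the no-reply address
        msg["Subject"] = subject
        msg.set_content(body)
        check_no_leak(msg)            # fails loudly if a later edit adds a To/Cc list
        yield msg, batch


def send_batches(smtp, sender, recipients, subject, body):
    """Hand each batch to an open smtplib.SMTP connection (not called here)."""
    sent = 0
    for msg, envelope in build_announcement(sender, recipients, subject, body):
        smtp.send_message(msg, from_addr=sender, to_addrs=envelope)
        sent += len(envelope)
    return sent


if __name__ == "__main__":
    people = [f"user{i}@example.test" for i in range(2500)]   # constructed
    for msg, envelope in build_announcement("noreply@announcements.example", people,
                                            "Privacy policy update", "We have updated our policy."):
        print(msg["To"], "-> envelope size", len(envelope))
```

`smtplib.SMTP.send_message` strips any Bcc header before transmission, but the safer habit shown here is to never put the list in a header in the first place, so that a mis-mapped field on the mailing-list provider's side has nothing to expose.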

READ MORE

How Many Phishing Sites? Over 2 Million in 2020 (so far)

Google has flagged 2.02 million phishing sites since the beginning of the year, averaging forty-six thousand sites per week, according to researchers at Atlas VPN. The researchers note that the number of phishing sites peaked at the start of the year, which correlates with the start of the pandemic.

“Data also reveals that in the first half of 2020, there were two huge spikes in malicious websites, reaching over 58 thousand detections per week at the peaks,” the researchers write. “The second half of the year seems more stable, which is not a positive thing, as there are around 45 thousand new copy-cat websites registered every seven days.”

Atlas VPN says the number of new phishing sites has been steadily increasing each year since 2015, but it’s now higher than it’s ever been.

“To take a look at the wider perspective, Atlas VPN analyzed phishing site data since the first quarter of 2015,” the researchers explain. “Our findings revealed that the year 2020 is, in fact, the year with most new phishing sites to date. Even though 2020 is not yet at an end, it already has a record-high number of scam websites detected, amounting to 2.02 million sites, according to Google’s data. This was a 19.91% increase from 2019 when malicious site volume reached 1.69 million. The average year-by-year change in phishing websites reveals a 12.89% growth since 2015. Also, in 2020, all three quarters had more malicious site detections than any of the previous year’s quarters. The second quarter of 2020 has the highest number of phishing sites ever recorded, at over 635 thousand.”

The researchers attribute the spike in 2020 to the COVID-19 pandemic, as people are spending more time online and emotions are running high.

“It is quite easy to correlate the pandemic with the increase in phishing attacks, not only because of the increased internet usage but also due to the panic,” they write. “Panic leads to irrational thinking, and people forget basic security steps online. Users then download malicious files or try to purchase in-demand items from unsafe websites, in result becoming victims of a scam.”

Google and other companies do a good job of tracking down malicious sites, but attackers can easily scale their operations and set up new sites to stay ahead of efforts to shut them down. New-school security awareness training can enable your employees to spot these sites on their own.

READ MORE