30Oct

Phishing Attacks Can Come from an Unlimited Number of Trusted Phishing Sites Thanks to Google App Engine

October 30, 2020By 0 comment

Scammers are taking advantage of Google’s Trust Service Verification and the way their App Engine creates unique URLs to host trusted landing pages used in phishing scams.

Ever phishing scammer that needs a website to take their victim to complete the scam or to host a command-and-control server to complete at attack needs that site to be one that security solutions will allow.

It’s one of the reasons some cybercriminals choose to compromise and infect websites owned by legitimate companies, while others choose to create malicious apps hosted with cloud providers like Azure and Google.

Traditionally, once a domain or subdomain has been identified as being malicious by a security solution, it’s game over for the bad guy. The challenge with blocking URLs built using Google’s App Engine is how Google App Engine (hosted on appspot.com) creates the URL names.

Today, the URLs use the following subdomain nomenclature:

VERSION-dot-SERVICE-dot-PROJECT_ID.REGION_ID.r.appspot.com

Note how values such as version and project ID could vary over time or simply be purposely updated to generate hundreds or even thousands of identical malicious webpages, as was the case when security engineer Yusuke Osumi found over 2000 URLs that all pointed to the same fake Office 365 logon page.

Keep in mind, again, because these are running on Google’s own appspot.com, which is a Google Trusted domain, the pages created under this domain are trusted by everyone and every solution.

That’s bad.

This checked the “it’s ok” box for just about every security solution, so it’s up to your users to act as a line of defense, scrutinizing URLs when being sent to what should be a known website. Users that enroll in Security Awareness Training are taught to always be skeptical of web links, requests for credentials, and other common tricks used as part of a phishing scam. Since Google App Engine isn’t doing you any favors, it’s time to do one for yourself with Security Awareness Training.

READ MORE
29Oct

Don’t Neglect the Threat of Vishing

October 29, 2020By 0 comment

People need to help raise awareness about voice phishing scams, or vishing, according to Paul Ducklin at Naked Security. While phone scams have been around for years, they remain effective and people continue to fall for them. Someone who would be suspicious of an unexpected email might be more trusting when there’s a human voice at the other end of the line.

“Never let yourself get suckered, surprised, or seduced into taking any direct action on the basis of a phone call you weren’t expecting from a person whose voice you don’t recognise with certainty,” Ducklin writes. “It doesn’t matter where the call claims to originate. Anyone can say they are from your bank, a hospital, the tax agency, a coronavirus track-and-trace service, the local police station, or the lottery company. Whether the caller is giving you bad news or good, you have no way of verifying anything that’s said to you from information offered up in the call itself.”

Ducklin adds that when you receive an unsolicited phone call from someone asking for information or trying to get you to do something, you should hang up and call the organization that the caller claimed to work for.

“Whether you are worried about a fraudulent transaction, scared about a tax problem, or excited about what could be a lottery win, here’s what to do: find a number to call back by yourself, using contact information you already have on record,” Ducklin says. “Your last tax return should have a tax office contact number on it; your credit card should have a fraud reporting number on the back; most hospitals have a central contact number that can be double-checked online; and so on. Never rely on information read out to you in a call, or sent in an email, or delivered via SMS, as a way of deciding whether to believe the message or the call.”

New-school security awareness training can teach your employees about social engineering techniques so they can avoid falling for these tricks.

READ MORE