Wars and Lechery, Nothing Else Holds Fashion for Phishing Attacks

Shakespeare said it first, and things haven’t changed: suffering and desire continue to drive victims to the social engineers. Researchers at Bitdefender have observed a phishing campaign that’s using a phony dating site for men to meet Ukrainian women.

“[In] the past couple of weeks, spammers have been targeting internet users with a mixed bag of online dating opportunities such as mail order bride services and dating platforms where single western men can meet Ukrainian women,” the researchers write.

“Despite the ongoing conflict on Ukrainian soil, many dating platforms are still up and running. Since June 10, tens of thousands of spam emails promoting perfect matches between men and beautiful Ukrainian women targeted the inboxes of users from across the globe. The spam emails originate from IP addresses in Turkey. Sixty-six percent of messages arrived in inboxes in the US, 10% in Ireland, 3% in Sweden, Germany and Denmark, and only 2% in the UK.”

When a user visits the site, they’ll be asked to enter personal details, just as they would on a legitimate dating site.

“Upon filling out the requested information, users are directed to another online dating platform, where they can immediately start chatting with beautiful women,” Bitdefender says. “But there’s a catch. Interacting with single ladies on the platforms isn’t cheap. Packages can run into the hundreds of dollars and include sending emails, a limited amount of chat time, and unlocking all profile photos of single Ukrainian women.”

While users should exercise caution on any dating sites, this one in particular had many red flags.

“Behind all the smoke and mirrors, users risk a lot of money in searching for their soul mate,” the researchers conclude. “Moreover, the likelihood of actually communicating with a Ukrainian woman is slim. Dating platforms such as these are notorious for using bots to facilitate communication with as many users as possible. Profiles seem too good to be true and many customer reviews reveal that despite breaking the bank to set up a real-life meeting with the women active on the website, none have shown up.

The correspondence resembles a marketing romance scam, and although it does not align with the situation in Ukraine, it does profit from human emotional drivers and the lack of personal connection experienced by millions of individuals during the pandemic.”


MetaMask Crypto Wallet Phishing

A phishing campaign is attempting to steal credentials for MetaMask cryptocurrency wallets, according to Lauryn Cash at Armorblox.

“The socially engineered email was titled ‘Re: [Request Updated] Ticket: 6093-57089-857’ and looked to be sent from MetaMask support email: support@metamask.as,” Cash writes. “The email body spoofed a Know Your Customer (KYC) verification request and claimed that not complying with KYC regulations would result in restricted access to MetaMask wallet. The email prompted the victim to click the ‘Verify your Wallet’ button to complete the wallet verification.”

The link in the email leads to a spoofed MetaMask login page.

“Upon clicking the ‘Verify your Wallet’ button, within the email, the victim was redirected to a fake landing page – one that closely resembled a legitimate MetaMask verification page,” Cash says. “The victim was prompted to enter his or her Passphrase in order to comply with KYC regulations and to continue the use of MetaMask service. Attackers utilized MetaMask branding, logo, and referenced Passphrase credentials – of which all are associated with the legitimate MetaMask brand. This look-a-like page could easily fool unsuspecting victims, especially those who do not realize that MetaMask does not ask users to comply with KYC regulations.”

The phishing page also contained security advice in order to lend legitimacy to the scam.

“The language on the fake landing page even reminded victims to make sure his or her passphrase is always protected and to double-check that nobody is watching,” Cash writes. “It’s language like this that can evoke trust, one of the primary goals of the attacks. If victims fell for this attack, they would have entered their passphrase credentials, sensitive information that attacks were aiming to exfiltrate through this email attack…. The context of this attack also leverages the curiosity effect, which is a cognitive bias that refers to our innate desire to resolve uncertainty and know more about something.”


Pre-Hijacking of Online Accounts Is the Latest Method for Attackers to Impersonate and Target

Rather than run a complex credential harvesting phishing scam, attackers use existing information about their victim and hijack a popular web service account *before* it’s created.

I’m guessing that initial summary got you wondering “how exactly does someone hijack an account that doesn’t yet exist?” According to a new research paper put out by the Microsoft Security Research Center, a new class of attack has been identified called account pre-hijacking. The idea behind the attack is that a scammer has personal details about their victim (whom they likely want to impersonate). Instead of trying to get the victim to give up their credentials to, say, their Office 365 account (that would be incredibly targeted spear phishing – something that has only a remote chance of working), the attacker goes to a platform the user has not yet signed up for and creates an account in the victim’s name.

The paper mentions a few ways in which this works. Here are just two of them:

  • Two routes to account creation – if a web service supports both a federated means to create an account, as well as a “classic” service-specific method, the attacker creates both at the same time, using the victim’s email address hoping the service will merge the accounts, giving access to both the victim and the attacker.
  • Unexpired session – the attacker signs on to the pre-hijacked account, and sends a service notification to the user to reset the password. The hope is that the service will allow the older session to remain active, despite the victim setting the password and finalizing the account.

Regardless of the method, the intent is to gain access to a new account that is tied to the user’s email address. In the end, the attacker, if successful, is able to use the compromised account on the new platform, acting as the user. The researchers examined 75 popular services and found that at least 35 of them were vulnerable to one or more account pre-hijacking attacks.
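As an added illustration (not code from the Microsoft paper or from any real service), the toy Python account service below models both routes with a `hardened` switch: in the weak configuration a federated sign-up silently merges with an unverified classic account and sessions survive a password reset; in the hardened one an unverified account is unusable and is wiped before the federated identity is bound, and every session is revoked on reset. All addresses, passwords and identity-provider subjects are constructed.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    email: str
    verified: bool = False            # mailbox owner has proven control of the address
    password: str | None = None
    federated_subject: str | None = None
    sessions: set = field(default_factory=set)

class AccountService:
    def __init__(self, hardened: bool):
        self.hardened = hardened      # True switches on the two mitigations
        self.accounts: dict[str, Account] = {}

    def signup_classic(self, email, password):
        acct = self.accounts.setdefault(email, Account(email))
        acct.password = password      # nobody has yet proven they own `email`

    def signup_federated(self, email, subject):
        # The identity provider asserted the mailbox, so this caller is its real owner.
        acct = self.accounts.setdefault(email, Account(email))
        if self.hardened and not acct.verified:
            acct.password = None      # route 1 fix: never merge into an unverified account
            acct.sessions.clear()
        acct.federated_subject = subject
        acct.verified = True

    def login(self, email, password):
        acct = self.accounts.get(email)
        if acct is None or acct.password != password:
            return None
        if self.hardened and not acct.verified:
            return None               # unverified accounts are unusable until confirmed
        token = secrets.token_hex(8)
        acct.sessions.add(token)
        return token

    def reset_password(self, email, new_password):
        acct = self.accounts[email]
        acct.password = new_password
        acct.verified = True          # the reset link was delivered to the real mailbox
        if self.hardened:
            acct.sessions.clear()     # route 2 fix: revoke every pre-reset session

    def session_valid(self, email, token):
        return token in self.accounts[email].sessions

def run_scenarios(hardened):
    svc = AccountService(hardened)
    v1, v2 = "victim1@example.com", "victim2@example.com"   # constructed addresses
    # Route 1: attacker pre-creates a classic account; victim later signs up via the IdP.
    svc.signup_classic(v1, "attacker-pw")
    svc.signup_federated(v1, "idp-subject-42")
    # Route 2: attacker logs in to a pre-created account; victim then resets the password.
    svc.signup_classic(v2, "attacker-pw")
    attacker_token = svc.login(v2, "attacker-pw")
    svc.reset_password(v2, "victim-chosen-pw")
    stale = attacker_token is not None and svc.session_valid(v2, attacker_token)
    return {"attacker_password_still_works": svc.login(v1, "attacker-pw") is not None,
            "stale_session_still_valid": stale}
```

`run_scenarios(False)` reports both pre-hijacking routes succeeding; `run_scenarios(True)` reports both closed, which is the behaviour to look for when reviewing a service's own sign-up and reset flows.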

Users will need to be made aware of these new techniques, particularly if they are likely to use accounts on the most popular web-based services. Security Awareness Training ensures that a user who receives a password reset notification for an account they have not yet set up recognizes it as suspicious at best and potentially malicious at worst.


FBI Warns of Fraudsters on LinkedIn

The US FBI has warned that scammers on LinkedIn are a “significant threat,” CNBC reports. Sean Ragan, the FBI’s special agent in charge of the San Francisco and Sacramento field offices, told CNBC in an interview that cryptocurrency scams have been particularly widespread recently.

“This type of fraudulent activity is significant, and there are many potential victims, and there are many past and current victims,” Ragan said. “So the criminals, that’s how they make money, that’s what they focus their time and attention on,” Ragan said. “And they are always thinking about different ways to victimize people, victimize companies. And they spend their time doing their homework, defining their goals and their strategies, and their tools and tactics that they use.”

LinkedIn stated in a blog post last week, “While our defenses catch the vast majority of abusive activity, our members can also help keep LinkedIn safe, trusted, and professional. If you do encounter any content on our platform you believe could be a scam, be sure to report it so that our team can take action quickly. This includes anyone who asks you for any personal information, including your LinkedIn account credentials, financial account information, or other sensitive personal data. We also encourage you to only connect with people you know and trust. If you’d like to keep up with someone you don’t know but that publishes content that is relevant to you, we encourage you to follow them instead.”

LinkedIn offered the following recommendations in a blog post:

  • “People asking you for money who you don’t know in person. This can include people asking you to send them money, cryptocurrency, or gift cards to receive a loan, prize, or other winnings.
  • “Job postings that sound too good to be true or that ask you to pay anything upfront. These opportunities can include mystery shopper, company impersonator, or personal assistant posts.
  • “Romantic messages or gestures, which are not appropriate on our platform – can be indicators of a potential fraud attempt. This can include people using fake accounts in order to develop a personal relationship with the intent of encouraging financial requests.”

New-school security awareness training can teach your employees to follow security best practices so they can avoid falling for social engineering attacks.


Smishing Text Scams Have Doubled in the Last Three Years

New data shows a rise in the use of text messages as a vehicle for reaching potential victims of social engineering scams, as Americans increasingly prefer the medium.

Historically, we see email as the primary communications vehicle for malicious content, but new data from spam blocking app vendor Truecaller in their Insights 2022 U.S. Spam & Scam Report shows a massive uptick in text-based scams. According to the report:

  • 85% of Americans say they have received a robotext (of any type)
  • Over half (58%) of Americans reported receiving more spam calls and/or text messages than they did a year ago
  • The average number of spam texts per month is 19.5

One of the reasons for this massive increase may be the increased dependence on texting; according to the report, 60% of Americans prefer to use text, social media apps, and email as their primary means of communicating over voice.

The scams sent over text range from consumer issues, such as changing cable TV providers, to cyber security issues and data breach notifications.

[Figure: Types of robotexts received by Americans. Source: Truecaller]

The lesson to be learned here is that legitimate organizations rarely seek to communicate via text as the initial means of contact. Corporate users that undergo Security Awareness Training already realize this and are far less likely to fall for such scams, given the unusual nature of the communication and the use of text as the initial contact medium.


Monkeypox Scams Continue to Increase

Attackers are taking advantage of the current news about monkeypox to trick people into clicking on malicious links, Pickr reports. Researchers at Mimecast have spotted a phishing campaign that impersonates companies in an attempt to trick employees into visiting phony health safety sites that steal their information.

The subject line is designed to grab the user’s attention, stating, “Attention all [Company] Employees – Please Read and Comply.”

The emails then state, “[Company name] has been closely monitoring developments related to the Monkeypox outbreak, including all updates provided by the Centers for Disease Control, World Health Organization, and local health officials. In an effort to keep all team members safe and informed, as well as our business protected, included here are the precautions that have been put in place.”

The email includes a link that says, “Click here to complete Mandatory Monkeypox safety awareness training.” This link leads to a phishing site that steals the victim’s information.

Tim Campbell, Head of Threat Intelligence Analysis at Mimecast, stated that criminals frequently take advantage of current news.

“Monkeypox is high on the news agenda so it comes as no surprise that cyber criminals are exploiting it,” Campbell said. “Cybercriminals [are] adjusting their phishing campaigns to be as timely and relevant as possible, using traditional attack methods to exploit current events in an attempt to lure busy and distracted people to engage with links in emails, applications or texts…. Now, they are using monkeypox as an opportunity to send phishing emails to company employees for ‘mandatory monkeypox awareness training.’ As the phishing email is made to look like an internal company email, employees are at risk of clicking the link and entering their login details, which will then be stolen and used to access systems within the organisation and steal information.”

People have probably been primed by the COVID pandemic to take healthcare warnings seriously, and so bad actors will seek to use their attention against them. New-school security awareness training can give your employees a healthy sense of suspicion so they can recognize red flags associated with social engineering attacks.


A Closer Look at HR Scams: Does Niceness Have a Downside?

Threat actors are targeting HR employees who are looking to hire new people, according to Lisa Vaas at Contrast Security. As part of their job, HR employees frequently interact with people outside of the organization and are more likely to open external files. Attackers frequently take advantage of this by hiding malware within phony resumé files.

Vaas cites Dmitri Alperovitch, chairman of the Silverado Policy Accelerator, as saying in a talk at RSAC that North Korean threat actors are particularly fond of this technique.

“[One thing] that’s been really interesting to watch is their attempts to infiltrate organizations remotely by trying to actually get hired inside of these companies, particularly in the web3 crypto space, where they’re responding to advertisements,” Alperovitch said. “They’re saying they’re willing to do remote development work. They’re saying they’re from ‘a’ Bay Area, although in many of the interviews they failed to identify even the most common locations in ‘the’ [San Francisco] Bay Area.”

Attackers use job-listing and networking sites such as LinkedIn to identify potential targets.

“They’re still having a tough time actually passing these interviews, but they don’t have to pose as Bay Area natives when it comes to packing resumés with malware,” Vaas writes. “One example: In April, eSentire research showed that new phishing attacks, targeting corporate hiring managers, were delivering the more_eggs malware, tucked into bogus CVs. These campaigns sprang up a year after potential candidates looking for work on LinkedIn were lured with weaponized job offers: The offers dangled malicious ZIP archive files with the same name as that of the victims’ job titles, as lifted from their LinkedIn profiles.”

Niceness, to be sure, is a good thing, everything else being equal. But it can also render you vulnerable to scams and cons. Every employee needs to know that they should never click the “Enable content” button in a Microsoft Office document. New-school security awareness training can teach your employees how to avoid falling for phishing attacks.


Spear Phishing Campaign Targets Former Israeli Officials

An Iranian threat actor is conducting a spear phishing operation against Israeli officials, according to researchers at Check Point. The targets have included the former Foreign Minister and Deputy Prime Minister of Israel, a former Major General of the Israeli Defense Forces, and a former US Ambassador to Israel.

“One of the straightforward purposes of this campaign is to gain access to the inboxes of its victims, specifically for Yahoo inboxes from the flows we observed,” the researchers write. “The phishing pages include several stages: asking the user for their account ID followed by an SMS code verification page. It is interesting to note that the truncated phone number within the phishing page was customized specifically for the target, and it corresponds to the public records. We suspect that once the victim enters his account ID, the phishing backend server would send a password recovery request to Yahoo, and the 2FA code would allow the attackers to gain access to the victim’s inbox.”

Check Point notes that the attackers used an identity service to add legitimacy to their phishing sites.

“Using a legitimate service to facilitate an attack is always a great bonus for a threat actor,” the researchers write. “It saves resources and the need to develop anything on their own, not to mention that the target and any security solution would be less suspecting of a legitimate service. In this case, the attackers used validation.com, an identity verification service created by the domain registration giant NameCheap, that allows anyone to easily validate their customer’s identity by providing an option to scan an ID or documents directly from the webcam, or by uploading a file…. In this campaign, we have seen one redirection flow from Litby[.]us which leads to a URL on validation.com, and as part of our analysis, we had an indication that the attacker obtained the Passport scan of another high end target. This scan was likely collected by the same means, highlighting the effectiveness of this technique.”


The Good, the Bad, and the Necessary State of Cyber Insurance

New data from security vendor Sophos shows that while cyber insurance coverage has become more common, it is the experience of being attacked that is driving the need.

When the concept of cyber insurance was first introduced, it seemed like a shakedown and just another way for insurers to take the organization’s money. But today, according to Sophos’ just-released Cyber Insurance 2022: Reality from the Infosec Frontline report, cyber insurance policies are held by 94% of organizations.

So, what’s driving this adoption of cyber insurance?

Much of the adoption lies in organizations experiencing an attack and realizing they need insurance to potentially cover what their own cybersecurity stance doesn’t. According to the report:

  • 57% of respondents experienced an increase in the volume of cyberattacks on their organization
  • 59% saw the complexity of these attacks increase
  • 53% said the impact of these attacks had also increased
  • 89% of those hit by ransomware have cyber insurance against ransomware

The prevalence of attacks and their massive impact on victims also appear to drive adoption: 70% of organizations that have not been hit by ransomware still hold cyber insurance against it.

And it’s getting more difficult to obtain cyber insurance, as insurers evolve their understanding of what is a secure insured and what is not. According to the report:

  • 94% of those with cyber insurance said the process for securing coverage had changed over the last year
  • 54% say the level of cybersecurity they need to qualify is now higher
  • 47% say policies are now more complex
  • 40% say fewer companies offer cyber insurance
  • 37% say the process takes longer

And even if you get a policy, there’s no guarantee the attack scenario you encounter is covered, as many organizations have needed to go to court over being paid out based on their policy.

So the best plan is to have as secure an environment as is possible – which includes securing your users with continual Security Awareness Training to minimize the threat of email- and web-based social engineering attacks designed to give attackers entrance into the organization’s network.


Approaching Ransomware Victims Privately

Researchers at KELA warn that ransomware gangs are increasingly refraining from mentioning their victims’ names after the initial attack, giving the victims a chance to pay up before the attack is publicized. This puts an additional layer of pressure on the victim to pay quickly, because it may allow them to avoid the reputational damage that’s among the biggest threats a victim faces. If the victim refuses to pay, the attackers can then publish their name and threaten to release the stolen data.

“KELA observed a few ransomware groups using relatively new intimidating methods which include publishing a victim without mentioning the company’s name,” the researchers write. “For example, Midas published a few victims claiming ‘a new company’ as their victim on their data leak site. If the victim did not pay, Midas would edit the post and add the victim’s name. Lorenz ransomware gang adopted the same practice and published a ‘new target company’ on their ransomware blog. Additionally, Everest data leak site operators used the same method: a Canada-based supplier was listed with a threat to leak 96 gigabytes of the company’s data, including over 10,500 personal records of Canadian citizens.”

The prolific ransomware gang Conti has adopted a similar tactic, using hidden blog posts to threaten the victims.

“In comparison to Everest and Lorenz who maintain ambiguity regarding victims’ names, Conti’s leaked chats showed that the gang prepared hidden blog posts about victims that can be accessed only via a specific URL,” KELA says. “The actors share this hidden blog post with a victim to intimidate them by showing how easily the victim’s data can be accessed. If a victim agrees to pay, the post is never released; if the negotiation fails, the blog becomes publicly accessible, and the victim’s name is disclosed.”
