$148 Million Lost to Gift Card Scams in 2021 (So Far)

A US Federal Trade Commission (FTC) data spotlight has found that people in the US lost $148 million to gift-card-related scams in the first nine months of 2021. The spotlight also found that the median reported loss from these scams rose from $700 to $1,000 over the same period.

“Scammers favor gift cards because they are easy for people to find and buy, and they have fewer protections for buyers compared to some other payment options,” the spotlight explains. “Scammers can get quick cash, the transaction is largely irreversible, and they can remain anonymous.”

The spotlight explains how scammers use social engineering to trick people into spending hundreds or thousands of dollars on gift cards.

“According to reports received by the FTC, scams demanding gift cards most often start with a phone call from someone impersonating a well-known business or government authority,” the report says. “Many people report that a scammer posing as Amazon or Apple told them to send pictures of the numbers on gift cards to fix a supposed security problem with their account. Sometimes they call those numbers ‘security codes.’ But the only thing the numbers are good for is taking the money on the card. Other people report that a scammer claiming to be the Social Security Administration said their bank accounts would be frozen as part of an investigation. They’re told to buy gift cards to avoid arrest or to secure access to their money. Reports also show that scammers asking for gift cards pretend to be a love interest, employer, sweepstakes or lottery company, or family member in trouble.”

The FTC also notes that scammers appear to favor Target gift cards.

“In the first nine months of 2021, over twice as much money was reported lost on Target gift cards than any other brand,” the FTC says. “Google Play gift cards were next, followed by Apple, eBay, and Walmart cards. Scammers also tell people where to buy the gift cards. In the first nine months of 2021, people who reported losing money buying gift cards mentioned Target stores more than other retailers. Reports suggest that Walmart, Best Buy, CVS, and Walgreens stores are also popular with scammers.”

New-school security awareness training can enable your employees to recognize social engineering tactics.

READ MORE

NSA: Cyberattacks are Putting the “Security of our Nation” at Stake

While most people see cyberattacks as something that hits individual organizations, the head of the National Security Agency sees them as a threat to the entire nation.

Just as we hear constantly about cybercriminals attacking organizations for data theft or ransomware, the U.S. military faces millions of attempts to access its networks through vulnerability scans, phishing attacks, and more.

In a recent interview with ABC News, Director of the National Security Agency and Commander of U.S. Cyber Command Gen. Paul Nakasone highlighted how recent ransomware attacks have elevated his own view of cyberattacks from a “criminal matter” to a matter of national security, stating “What’s at stake is obviously the security of our nation. We don’t want to have a failure to imagine what’s happening.”

At the Integrated Cyber Command Center at Fort Meade in Maryland, a mix of military, civilians, and contractors work together using “Hunt Forward” teams that are asked to threat hunt on networks globally, sharing threat intel with private sector businesses.

Nakasone also said that six months ago he would have graded the cyber-readiness of American businesses a “low C,” based on their investment in security infrastructure to protect their networks and in educating their users. “I think that we’ve gotten a lot better since then, but we still have a ways to go.”

One of the key areas that businesses can address today is the education of their users through security awareness training, which makes users part of the organization’s security posture: vigilant against email- and web-based threats that use social engineering to trick victims into engaging with malicious content.

This is obviously getting serious. So, while you’re thinking about the one organization you’re responsible for, realize that the problem is much larger: your organization is one possible point of entry into a matter of national security.

READ MORE

The Unbearable Lightness of Phishing Pages

Researchers at Kaspersky have found that most phishing pages are active for less than one day, with many of them going offline after just a few hours. Most of these short-lived pages were set up through hosting providers.

“Hosted phishing pages become inactive faster than the others,” the researchers write. “A quarter of the pages survived for no more than 8 hours, and only 12.3% of all pages remained active after 30 days. This has to do with the fact that the cheapest option which requires the least effort is to create a hosted phishing website. Hosting providers offer a free trial period which is usually enough for cybercriminals’ plans, and once time is up on the free trial they can simply create a new page and abandon the old one.”

The longest-lasting phishing pages, meanwhile, were usually set up on compromised websites that were abandoned or left vulnerable.

“The most ‘resilient’ pages turned out to be ones created before June 2015: 45.7% of these pages remained active after 30 days,” the researchers write. “Most of these are old websites hacked by cybercriminals who put phishing content there. These pages are likely to remain active for a long time because they’ve been abandoned by their original creators or are located on servers with outdated software which leaves websites more vulnerable to attacks and their consequences.”

Most of the phishing pages contained the same content throughout their life cycles. The researchers note that many of the phishing pages that do change their content are impersonating the PUBG video game, which frequently updates its in-game products.

“Among the phishing pages which changed their content, those imitating prize giveaways from the game PUBG stand out,” Kaspersky says. “This could have something to do with the fact that PUBG runs alternating temporary events (‘seasons’). Given that cybercriminals want to make their phishing pages convincing and therefore as topical as possible, they periodically change the content of pages to keep up with the new season.”

New-school security awareness training can enable your employees to avoid falling for phishing attacks.

READ MORE

Real Cyberattack as Phishbait for a Scammer

Scammers are exploiting a real “cyber incident” at a Riverhead, New York, high school to send out robocalls that claim to come from the local police department, RiverheadLOCAL reports.

“Community members should be on the alert for scammers looking to take advantage of the school district’s situation, Riverhead Police Chief David Hegermiller said in a phone interview this afternoon after the police department issued a press release warning about a robocall in which someone claiming to be a Riverhead Police sergeant said he was calling about a data breach at Riverhead High School,” RiverheadLOCAL said. “That call did not come from the Riverhead Police Department or any affiliated agencies, according to the police press release.”

The scammers are likely spoofing the phone number to make the call appear legitimate.

“Police provided the phone number and caller ID information connected with the robocall,” RiverheadLOCAL said. “A woman who answered a call to that number today said she had not made any calls of that nature and had not heard anything about it prior to RiverheadLOCAL’s inquiry. She said she had not been contacted by the Riverhead Police Department about the matter. She also said she does not live in Riverhead and does not have children in the district. The department is not making robocalls to the community about the situation in the school district, Hegermiller said this afternoon. Anyone who receives any calls to that effect should hang up and report the call to police.”

Hegermiller added that the department is still attempting to determine who is actually behind the calls.

“We are still working on it and trying to figure out who the caller actually is and how the number is being used,” Hegermiller said.

New-school security awareness training can enable your employees to recognize the hallmarks of social engineering attacks so they can avoid falling for these types of scams.

READ MORE

Socially Engineering Your Way to Customer Data

US telecommunications company Cox Communications has disclosed a data breach that exposed some customers’ information, BleepingComputer reports. The company said in a breach notification letter that an attacker was able to gain access to some customer accounts after using social engineering tactics to impersonate a Cox employee.

“On October 11, 2021, Cox learned that an unknown person(s) had impersonated a Cox agent and gained access to a small number of customer accounts,” reads the data breach notification, signed by Amber Hall, Chief Compliance and Privacy Officer of Cox Communications. “We immediately launched an internal investigation, took steps to secure the affected customer accounts, and notified law enforcement of the incident. After further investigation, we discovered that the unknown person(s) may have viewed certain types of information that are maintained in your Cox customer account, including your name, address, telephone number, Cox account number, Cox.net email address, username, PIN code, account security question and answer, and/or the types of services that you receive from Cox.”

Cox urges affected customers to keep an eye on their finances for any suspicious activity.

“We assure you that we take this incident very seriously,” the letter continued. “Out of an abundance of caution, we recommend that you review your financial account statements for fraudulent or irregular activity. You should immediately report any unauthorized activity to your financial institution. We also recommend that you change the password on any accounts that may use the same password as your Cox account.”

BleepingComputer offers the following additional recommendations for Cox customers:

  • Immediately change the password and account security questions/answers on your Cox account.
  • Be on the lookout for phishing emails pretending to be from Cox that are designed to steal your login credentials.
  • Enable 2-factor authentication for your Cox accounts to make it harder for threat actors to log in to your account.

New-school security awareness training can enable your employees to follow security best practices so they can avoid falling for social engineering attacks. And sound policies based on best practices can help reduce the risk of being deceived by someone pretending to be an employee.

READ MORE

Credential-Harvesting Phishing Campaign Urges Review of Spam

Researchers at MailGuard have observed a phishing campaign that’s using phony “spam notification” emails that purport to come from Microsoft Office 365. The emails tell recipients that an important-looking email has been sent to their spam folder, and they’ll need to click a link to view the supposed message.

“Scammers are sending the email from ‘quarantine[at]messaging[dot]microsoft[dot]com’, and the display name is the recipient’s domain, to feign authenticity,” the researchers write. “The email subject is ‘Spam Notification: 1 New Messages’, alluding to the body of the email that informs the recipient that a spam message has been blocked and is being held in quarantine for them to review. Details of the ‘Prevented spam message’ are provided, with scammers personalizing the subject heading as ‘[company domain] Adjustment: Transaction Expenses Q3 UPDATE’ to create a sense of urgency and using a finance-related message.”

If a user clicks the link, they’ll be taken to a spoofed Office 365 login page. MailGuard notes that once an attacker compromises your Office 365 account, they can access a wealth of sensitive data.

“Providing your Microsoft account details to cybercriminals means that they have unauthorised access to your sensitive data, such as contact information, calendars, email communications, and more, which could lead to criminal activity such as BEC, identity theft, and other fraudulent activity,” MailGuard says. “Customers of trusted brand names such as Microsoft are targeted by cybercriminals due to the company’s expansive user base, so customers must remain vigilant and check twice before clicking on any potentially harmful links.”

MailGuard urges users to be wary of emails that:

  • Are not addressed to you by name.
  • Appear to be from a legitimate company but use poor English or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from, and/or
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.

New-school security awareness training can enable your employees to recognize social engineering tactics so they can thwart phishing attacks.

READ MORE

Victims: After a Data Breach, Changing Passwords and Good Password Hygiene Remain Unimportant

Shocking new data shows how unconcerned users are after being notified of a data breach involving their credentials, personal information, and even social media accounts.

You’d think by now everyone would know that a data breach is serious business and only represents the beginning of what can become a sequence of malicious events in the future involving the data stolen.

But new data from the Identity Theft Resource Center’s Data Breach Notice Research report shows that very few victims take all the appropriate actions to secure their accounts once they receive notice of a data breach. According to the report:

  • 48% only change the password for the affected account, despite 85% of respondents admitting they use the same password across multiple accounts
  • 22% changed passwords on all their accounts
  • 16% of victims take no action at all

When asked why good password hygiene (which includes unique passwords for each account) isn’t being used, the following reasons were identified:

  • 52% said it’s too difficult to remember their passwords
  • 48% don’t trust or know how to use password managers
  • 46% don’t think it’s important or believe their password practices are good enough

New-school Security Awareness Training would fix much of this issue. With proper education, users can understand the value of unique and complex passwords in the context of cyberattacks, as well as how this applies to both their work and personal life.

READ MORE

New Phishing Campaign has Fake DHL Shipping Notifications

Researchers at Avanan have spotted a new phishing campaign that’s impersonating DHL with phony shipping notifications. The emails inform the recipients that they need to update their delivery address in order to receive a package.

“In this attack, scammers are using brand impersonation,” the researchers write. “By showing a page that looks like it comes from a trusted brand, they’re hoping to trick end-users into clicking on a link. That link, however, is a classic credential harvesting link, looking to steal data and other information. The email starts with noting that there is an ‘undelivered’ package from DHL. By going online, you can submit your address, as well as other information, to get the delivery on time and at the right place. However, that won’t happen.”

The researchers note that impersonating DHL allows the attackers to target people all around the world, particularly during the holiday season.

“What’s particularly clever is the spoof of DHL,” Avanan says. “Not only is DHL the third-most impersonated brand, according to Check Point Research, but it also delivers packages from around the globe. With folks broadening their purchasing horizons this holiday season, a DHL package is more likely, making the spoof more believable. The hackers are utilizing the classic social engineering tactic of urgency to get end-users to click. The thinking, they hope, is that end-users will be in a panic seeing that their package won’t get to their door on time, and will enter their info without thinking.”

Avanan offers the following advice to help users recognize these attacks:

  • “If clicking on the harvesting link, inspect the URL.
  • “Pay close attention to mistakes in the email. ‘DHL Office’ is not a real place; the closest thing would be DHL Express ServicePoint.
  • “Pay extra attention to emails from brands, especially around the holidays. Check Point Research has found that two of the top five most impersonated brands ship goods (DHL, Amazon).
  • “Ensure that the package that has been ordered is actually shipping with DHL. The tracking number provided with the original order will show if the package is delivered with DHL and the true delivery status.
  • “Utilize an email security solution that relies on multiple factors to determine an email is phishing.”

It’s a seasonal trend, but a perennial threat. New-school security awareness training can enable your employees to avoid falling for phishing attacks.

READ MORE

[Heads Up] First Omicron Phishing Attack Spotted In The UK

Bleepingcomputer had the scoop. Phishing actors have quickly started to exploit the emergence of the Omicron COVID-19 variant and now use it as a lure in their malicious email campaigns. Threat actors are quick to adjust to the latest trends and hot topics, and increasing people’s fears is an excellent way to cause people to rush to open an email without first thinking it through.

In this case, the Omicron variant is an emerging strain of COVID-19 that has scientists concerned over its high transmissibility and the potential ineffectiveness of existing vaccines against its mutations.

This all makes it an ideal topic for phishing, as even the vaccinated are worried about how Omicron would affect them in the case of an infection. The UK consumer protection organization Which? published two samples of new phishing emails pretending to be from the United Kingdom’s National Health Service (NHS) warning about the new Omicron variant.

[Image: Sample of the NHS phishing email. Source: Which?]

These emails offer recipients a free Omicron PCR test that will allegedly help them “get around restrictions”. To add trust to the emails, the malicious address used for distributing them is ‘contact-nhs@nhscontact.com’. If the recipient clicks on the embedded “Get it now” button or taps on the URL in the email body, they are taken to a fake NHS website claiming to offer the “COVID-19 Omicron PCR test.”

[Image: Fraudulent NHS website used for phishing. Source: Which?]

The victims are then directed to enter their full name, date of birth, home address, mobile phone number, and email address. Finally, they are requested to make a payment of £1.24 ($1.65), which is supposed to cover the delivery cost of the test results.

The purpose of this is not to steal the amount itself but the payment details of the victim, like the e-banking credentials or their credit card details. During that step, the victim is also requested to enter their mother’s name, which the actors could use to bypass security questions during a subsequent account takeover attempt.

What to do if you got scammed

If you think you might have entered your details on a fraudulent site, contact your bank immediately and cancel your compromised card/accounts. Monitor your bank accounts closely and review the transactions for any signs of unauthorized payments. If you receive an email that looks suspicious, report it at “report@phishing.gov.uk”. To report smishing texts, forward them to 7726.

Stepping your employees worldwide through new-school security awareness training helps them make smarter security decisions and creates a strong last line of defense.

This is a cross-post with grateful acknowledgment to Bleepingcomputer.

READ MORE