Holiday Shopping and Phishing-as-a-Service

Researchers at Egress observed a massive increase in phishing kits in the run-up to Black Friday, particularly those impersonating Amazon.

“The research, conducted in partnership with Orpheus Cyber, has lifted the lid on how cybercriminals prepare to take advantage of the retail event, reporting a 397% increase in typo squatting domains explicitly tied to phishing kits,” Egress said. “Amazon was a popular choice for cybercriminals, with a 334.1% increase in phishing kits impersonating the brand ahead of its anticipated Black Friday promotions. Amazon was the top brand for fraudulent webpages linked to phishing kits, with researchers observing almost 4,000 pages imitating the brand – three times as many as those detected for the popular online auction site eBay and over four times as many as for retail giant Walmart.”
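Typosquatting is the one technique the report quantifies, so here is a small checker for it, added to this digest as an example and not code from Egress or Orpheus Cyber. It flags a hostname that reuses a brand label outside the brand's real domain, swaps in visually similar characters (a homoglyph table that is an illustrative assumption, not a complete one), or sits one edit away from the brand. The brand list, allowlist and sample domains are constructed.

```python
"""Flag candidate typosquat domains for a short brand list.

Added example for this digest; not code from Egress or Orpheus Cyber.
The brand list, allowlist, homoglyph table and sample domains are constructed.
"""

BRANDS = ("amazon", "ebay", "walmart")                  # brands named in the report
ALLOWLIST = {"amazon.com", "ebay.com", "walmart.com"}   # assumption: legitimate registrable domains

# Multi-character substitutions go first so "rn" -> "m" is applied before single-char swaps.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"),
              ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"))


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(token: str) -> str:
    """Undo the common look-alike substitutions so 'amaz0n' compares as 'amazon'."""
    for src, dst in HOMOGLYPHS:
        token = token.replace(src, dst)
    return token


def classify(domain: str):
    """Return (brand, reason) when `domain` looks like a typosquat of a listed brand, else None.

    Labels are checked individually (the TLD is skipped) and split on '-', so
    'amazon.com.login-verify.net' and 'amaz0n-deals.com' are both caught while the
    real domains and their subdomains pass.
    """
    host = domain.lower().strip().rstrip(".")
    if host in ALLOWLIST or any(host.endswith("." + a) for a in ALLOWLIST):
        return None
    labels = host.split(".")
    for label in (labels[:-1] if len(labels) > 1 else labels):
        for token in label.split("-"):
            if not token:
                continue
            for brand in BRANDS:
                if token == brand:
                    return brand, "brand-token"
                if normalize(token) == brand:
                    return brand, "homoglyph"
                # one typo away; short brands like 'ebay' are too noisy for this rule
                if len(brand) >= 5 and len(token) >= 4 and levenshtein(token, brand) == 1:
                    return brand, "edit-distance"
    return None


# Constructed sample feed (e.g. newly registered domains or CT-log hostnames).
SAMPLE_DOMAINS = ["amazon.com", "www.amazon.com", "amazn.com", "amaz0n-deals.com",
                  "walrnart.com", "amazon.com.login-verify.net", "example.org"]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(f"{d:32} {classify(d)}")
```

Feed it a newly-registered-domain feed or certificate transparency hostnames and review the hits; the rules are deliberately conservative, so a production version would add a larger homoglyph set and the brand's real subsidiary domains to the allowlist.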

Jack Chapman, Egress’s Vice President of Threat Intelligence, stated that people should continue to be vigilant throughout the rest of the holiday shopping season.

“We all want to buy our loved ones the best possible Christmas present and net a bargain price in the Black Friday sales, and each year cybercriminals use this to their advantage,” Chapman said. “PhaaS has lowered the barriers to entry for cybercriminals, making it easy to impersonate well-known brands and trick victims. The recent increase in the number of phishing kits listed for sale highlights the criminals’ appetite for carrying out attacks during busy shopping periods.”

Chapman added that people should be particularly cautious with emails that purport to offer shopping discounts.

“Our research uncovered the behind-the-scenes activity of cybercriminals as they prepare to take advantage of unsuspecting victims this holiday period, highlighting the ease with which they’re able to impersonate brands such as Amazon,” Chapman said. “As we approach Christmas, I’d urge everybody to take extreme caution when it comes to unexpected offers and discounts – and if you’ve received an email that you think looks suspicious, don’t click any links and don’t download any attachments.”

New-school security awareness training can enable your employees to follow security best practices so they can avoid falling for social engineering attacks.

Phishing Campaign Targets TikTok Influencers

Phishing emails are targeting large TikTok accounts with phony copyright warnings or offers for account verification, according to researchers at Abnormal Security.

“An email campaign sent in two rounds on October 2, 2021, and November 1, 2021 to more than 125 individuals and businesses appeared to target large-volume TikTok accounts of all kinds and across disparate locales,” the researchers write. “Among the typical talent agencies and brand-consultant firms we would expect to see, this actor sent messages to social media production studios, influencer management firms, and content producers of all types….From well-known digital media channels to individual actors, models, and magicians, the campaign reached out to content creators worldwide. Several emails were sent to the wrong company of the same name in the same country, and many of the email addresses used appear to have been lifted directly from social media.”

The researchers add that the attackers set a time constraint to ensure that the victim acts quickly, then send a link to trick the user into entering their credentials.

“This campaign indicates that attackers have linked TikTok with the social media giants, including Facebook and Twitter, in the impersonation game,” the researchers write. “In the original phishing email, designed to appear like a copyright violation notice from TikTok, the victim was instructed to respond to the message, lest their account be deleted in 48 hours.”

Abnormal notes that hackers sometimes demand a ransom to return the account to its owner.

“While we were unable to identify the end goal of the campaign, past targeting of social media accounts on other platforms offers several options,” the researchers write. “Social media accounts have become increasingly valuable in recent years, creating the incentive to ransom them back to the original owners for a hefty fee. An underground economy has evolved to offer ban-as-a-service, manipulating abuse reporting mechanisms to harass and censor other users, primarily on Instagram. Sadly, victim accounts in this scenario often end up deleted, especially for those on TikTok.”

New-school security awareness training can enable your employees to recognize social engineering tactics so they can avoid falling for these attacks.

FBI: Cyber Attacks Target Organizations Involved in Mergers and Acquisitions

A new notification from the FBI warns organizations of attacks timed for the moment when money is changing hands, new people are being introduced, and operations are in flux.

Threat actors like nothing more than a dash of chaos when it comes to timing their attacks. If they can get the social engineering theming just right, that chaos – when added to a sense of urgency – causes individuals to rush and not think actions through properly. This allows cyber attacks to succeed far more often than they should.

According to the FBI notification, the threat actors responsible are very aware of who they are targeting: “During the initial reconnaissance phase, cyber criminals identify non-publicly available information, which they threaten to release or use as leverage during the extortion to entice victims to comply with ransom demands. Impending events that could affect a victim’s stock value, such as announcements, mergers, and acquisitions, encourage ransomware actors to target a network or adjust their timeline for extortion where access is established.”

Judging from the warning put out by the FBI’s Internet Crime Complaint Center (IC3) earlier this month, cybercriminal gangs are using these major financial events as the perfect juncture for ransomware attacks involving extortion. Think about it – let’s take a fictitious public company being bought by a private investment firm. The entire cost of the deal revolves around the stock price. Now, if a ransomware attacker can succeed in stealing data from and encrypting the systems of the public company, having the public find out could cause the stock price to fall – thus lowering the value of the company and its purchase price.

If your organization is going through a merger or acquisition (or planning one), it’s imperative that you put up the strongest possible defense against ransomware – which includes Security Awareness Training, so that users become part of the defense when malicious email content finds its way past security solutions and into the Inbox.

SEC Warns of Spoofed Emails Impersonating Its Employees

Scammers are impersonating the US Securities and Exchange Commission (SEC) with spoofed phone calls and other communications that attempt to steal money and personal information from victims.

“We are aware that several individuals recently received phone calls or voicemail messages that appeared to be from an SEC phone number,” the SEC said in a statement. “The calls and messages raised purported concerns about unauthorized transactions or other suspicious activity in the recipients’ checking or cryptocurrency accounts. These phone calls and voicemail messages are in no way connected to the SEC. If you receive a communication that appears to be from the SEC, do not provide any personal information unless you have verified that you are dealing with the SEC. The SEC does not seek money from any person or entity as a penalty or disgorgement for alleged wrongdoing outside of its formal Enforcement process.”

The SEC stresses that it won’t ask for money or information via unsolicited messages.

“SEC staff do not make unsolicited communications – including phone calls, voicemail messages, or emails – asking for payments related to enforcement actions, offering to confirm trades, or seeking detailed personal and financial information,” the SEC says. “Be skeptical if you are contacted by someone claiming to be from the SEC and asking about your shareholdings, account numbers, PIN numbers, passwords, or other information that may be used to access your financial accounts. Again, never provide information to someone claiming to be from the SEC until you have verified that the person actually works for the SEC.”

The statement adds that scammers impersonate real employees at the SEC to add legitimacy to their schemes.

“Con artists have used the names of real SEC employees and email messages that falsely appear to be from the SEC to trick victims into sending the fraudsters money,” the SEC says. “Impersonation of U.S. Government agencies and employees (as well as of legitimate financial services entities) is one common feature of advance fee solicitations and other fraudulent schemes. Even where the fraudsters do not request that funds be sent directly to them, they may use personal information they obtain to steal an individual’s identity or misappropriate their financial assets.”

Bait Attacks as Reconnaissance

Researchers at Barracuda warn that attackers are sending non-malicious emails as a precursor to targeted phishing attacks.

“Bait attacks are a class of threats where the attackers attempt to gather information they can use to plan future targeted attacks,” the researchers write. “The bait attacks, also known as reconnaissance attacks, are usually emails with very short or even empty content. The goal is to either verify the existence of the victim’s email account by not receiving any ‘undeliverable’ emails or to get the victim involved in a conversation that would potentially lead to malicious money transfers or leaked credentials. Because this class of threats barely contains any text and does not include any phishing links or malicious attachments, it is hard for conventional phishing detectors to defend against these attacks.”

The researchers replied to one of these messages and confirmed that their email address was targeted by a spear phishing attack two days later.

“While it is known that bait attacks usually precede some sort of targeted phishing attack, our research team ran an experiment by replying to one of the bait attacks that landed in one of our employee’s private mailboxes,” the researchers write. “The original attack on August 10, 2021 was an email with a subject line ‘HI’ and an empty body content. As part of the experiment, the Barracuda employee then replied on August 15, 2021 with an email containing, ‘Hi, how may I help you?’ Within 48 hours on August 17, 2021, the employee received a targeted phishing attack. The original email was designed to verify the existence of the mailbox and the willingness of the victim to respond to email messages.”

The researchers note that more than one-third of organizations were targeted by these emails in September 2021.

“While the number of bait attacks is still low overall, they are not unusual,” Barracuda says. “Based on analysis by Barracuda researchers, just over 35% of the 10,500 organizations analyzed were targeted by at least one bait attack in September 2021, with an average of three distinct mailboxes per company receiving one of these messages.”
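Because a bait message carries no link or attachment, the useful signal is the combination of weak indicators the quote lists: an empty or near-empty body, a throwaway subject, nothing for a URL or attachment scanner to inspect, and a sender the organization has never corresponded with. The scorer below, added here as an example and not Barracuda's code, combines those indicators over raw RFC 822 messages; the free-mail list, the threshold and the three sample messages are constructed.

```python
"""Score inbound mail for the 'bait' pattern described above: a near-empty message with
no links or attachments from a sender the organization has never seen.

Added example for this digest; not Barracuda code. The free-mail list, the scoring
threshold and the sample messages are constructed for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr

FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "mail.com"}  # assumption
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def body_text(msg) -> str:
    """Best-effort plain text of the message body ('' if there is none)."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content().strip() if part is not None else ""


def bait_score(raw: str, known_senders: set) -> tuple:
    """Return (score, reasons) for one RFC 822 message; higher means more bait-like."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    text = body_text(msg)
    has_attachment = any(True for _ in msg.iter_attachments())
    reasons = []
    if len(text.split()) <= 3:
        reasons.append("near-empty body")
    if len(str(msg.get("Subject", "")).strip()) <= 3:
        reasons.append("very short subject")
    if not URL_RE.search(text) and not has_attachment:
        reasons.append("no links or attachments")   # nothing for a URL/attachment scanner to catch
    if sender not in known_senders:
        reasons.append("first-seen sender")
    if sender_domain in FREEMAIL:
        reasons.append("free-mail sender")
    if reply_to and reply_to != sender:
        reasons.append("reply-to differs from sender")
    return len(reasons), reasons


def is_bait(raw: str, known_senders: set, threshold: int = 4) -> bool:
    """True when enough bait indicators coincide; tune `threshold` to your mail volume."""
    return bait_score(raw, known_senders)[0] >= threshold


# Constructed sample traffic (not real messages).
KNOWN_SENDERS = {"alice@partner.example"}

BAIT_MAIL = (
    "From: Walker <walker.r7@gmail.com>\n"
    "To: employee@corp.example\n"
    "Subject: HI\n"
    "\n"
)

NORMAL_MAIL = (
    "From: Alice <alice@partner.example>\n"
    "To: employee@corp.example\n"
    "Subject: Q3 contract draft for review\n"
    "\n"
    "Hi, the redlined draft is at https://docs.partner.example/q3 - comments by Friday please.\n"
)

SHORT_BUT_KNOWN = (
    "From: Alice <alice@partner.example>\n"
    "To: employee@corp.example\n"
    "Subject: Re: invoice 4471, can you call me?\n"
    "\n"
    "Sure, 3pm works.\n"
)

if __name__ == "__main__":
    for name, raw in (("bait", BAIT_MAIL), ("normal", NORMAL_MAIL), ("short-known", SHORT_BUT_KNOWN)):
        print(name, bait_score(raw, KNOWN_SENDERS))
```

The short reply from a known partner scores low even though its body is almost empty, which is the point of scoring rather than matching on any single indicator. Whatever the score, the operational rule stays the one the experiment shows: a mailbox that answers an empty "HI" has just confirmed it is live and staffed, so route such messages to the security team instead of replying.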

New-school security awareness training can enable your employees to recognize phishing and other social engineering attacks.

Phishing Emails Use Small Font Size to Bypass Security Filters

Researchers at Avanan have spotted phishing emails that use a font size of one to fool email security scanners. The emails appear to be password expiration notifications from Microsoft 365. The attackers have inserted benign links that are invisible to the human eye, but trick security scanners into viewing the email as a legitimate marketing email.

“In this attack, hackers utilize a number of obfuscation techniques to get a credential harvesting page through to the inbox,” the researchers write. “First, all links are hidden within the CSS. This confuses natural language filters. Natural language filters see random text; human readers see what the attackers want them to see. In addition, hackers put links within the <font> tag, and brought the font size down to one. This breaks semantic analysis, which leads many solutions to treat it as a marketing email, as opposed to phishing. Beyond that, there are invalid parameters, as the ‘Padding Left’ is set to ‘;’ further confusing scanners.”
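The tricks in that description are all visible in the raw HTML even though they are invisible to the reader, so a filter can look for them directly: anchors inside `<font size="1">`, anchors under a font-size of 0 or 1 px or behind `display:none`, and CSS declarations with no value such as `padding-left: ;`. The scanner below is added to this digest as an example, not Avanan's code; the regexes, reason strings and sample HTML are constructed to mirror the quoted techniques.

```python
"""Find anchor tags an email hides from the reader: inside <font size="1">, under a
font-size of 0/1 px, behind display:none / visibility:hidden, or next to broken CSS
such as "padding-left: ;".

Added example for this digest; not Avanan code. The regexes, the reason strings and
the sample HTML are constructed to mirror the techniques in the quoted description.
"""
import re
from html.parser import HTMLParser

TINY_FONT = re.compile(r"font-size\s*:\s*[01](?:px|pt)?\s*(?:;|$)", re.IGNORECASE)
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)",
                    re.IGNORECASE)
EMPTY_VALUE = re.compile(r"[a-z-]+\s*:\s*(?:;|$)", re.IGNORECASE)   # e.g. "padding-left: ;"
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}


class HiddenLinkScanner(HTMLParser):
    """Walks the element tree; an <a> inherits every hiding trick of its ancestors."""

    def __init__(self):
        super().__init__()
        self.stack = []          # open elements as (tag, reasons) pairs
        self.hidden_links = []   # (href, reason string) for links the reader cannot see
        self.visible_links = 0

    @staticmethod
    def element_reasons(tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        if tag == "font" and a.get("size", "").strip() in ("0", "1"):
            reasons.append("font size<=1")
        style = a.get("style", "")
        if TINY_FONT.search(style):
            reasons.append("font-size 1px")
        if HIDDEN.search(style):
            reasons.append("hidden via CSS")
        if EMPTY_VALUE.search(style):
            reasons.append("empty CSS value")
        return reasons

    def handle_starttag(self, tag, attrs):
        reasons = self.element_reasons(tag, attrs)
        if tag == "a":
            href = dict(attrs).get("href") or ""
            inherited = [r for _, rs in self.stack for r in rs]
            combined = list(dict.fromkeys(inherited + reasons))   # de-duplicate, keep order
            if combined:
                self.hidden_links.append((href, "; ".join(combined)))
            else:
                self.visible_links += 1
        if tag not in VOID_TAGS:
            self.stack.append((tag, reasons))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):   # tolerate unclosed inner tags
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def scan_html(html: str) -> dict:
    """Return the visible-link count and the hidden links with the reason each is hidden."""
    p = HiddenLinkScanner()
    p.feed(html)
    p.close()
    return {"visible_links": p.visible_links, "hidden_links": p.hidden_links}


def has_hidden_links(html: str) -> bool:
    return bool(scan_html(html)["hidden_links"])


# Constructed sample mirroring the described lure: one visible "reset" link, benign links hidden.
SAMPLE_EMAIL = """<html><body>
<p>Notification for Password 365. Access To Your Email will be Expired.</p>
<p><a href="https://login.password-365-reset.example/keep">Keep same password</a></p>
<font size="1" style="padding-left: ;">
  <a href="https://www.example.com/newsletter">Read our newsletter</a>
  <a href="https://www.example.com/unsubscribe">Unsubscribe</a>
</font>
<span style="font-size:1px;display:none"><a href="https://www.example.com/privacy">Privacy</a></span>
</body></html>"""

if __name__ == "__main__":
    print(scan_html(SAMPLE_EMAIL))
```

A legitimate marketing email has many visible links and no hidden ones; a message whose only visible link is the credential-harvesting one, padded with links the recipient can never click, is the pattern worth quarantining. The scanner works on the parsed tree rather than on extracted text, which is exactly what the natural-language filters in the quote lack.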

Avanan concludes that the phishing emails themselves appear suspicious, so a trained user would be able to spot them as malicious. The emails simply state, “Notification for Password 365. Access To Your Email will be Expired.”

“To the end-user, this email looks like a standard request from their IT department,” the researchers write. “The email is designed to fool both Natural Language Processing and human eyes. For a user to spot this attack, they should rely on their phishing training. They should notice the stilted grammar, such as ‘Notification Microsoft 365’ as a red flag. They should also ask their own IT department before resetting any passwords.”

Thus, insecurity by obscurity. Attackers are constantly coming up with new ways to bypass email security filters. New-school security awareness training can give your employees a healthy sense of suspicion so they can avoid falling for social engineering attacks.

Enabling and Securing Remote Workers are Top Concerns as 80% of Organizations Experience Cyberattacks as Often as Once per Hour

Organizations appear to be overconfident in their ability to protect themselves, despite glaring gaps in security, according to new data from cyber protection vendor Acronis.

New data from Acronis’ Cyber Readiness Report 2021 tells the tale of some very unprepared – and yet still confident – IT organizations. Overall, cybersecurity itself isn’t a top concern for organizations, although enabling remote workers (57% of organizations) and securing them (50%) are. In addition, 53% of organizations believe they are safe from supply chain attacks because “We only use known, trusted software” – c’mon; even Microsoft’s own Exchange Server was the target of the Hafnium attacks disclosed in March.

Despite this overconfidence, the report shows how very unprepared the average organization really is:

  • 36% of remote workers have issues using corporate security measures
  • 25% of organizations aren’t using multi-factor authentication at all
  • 71% of organizations are targeted by phishing attacks each month
  • 80% have been the target of cyberattacks in the last year
  • 30% of organizations were attacked at least once a day
  • Only 20% say they haven’t been a target

Of those organizations experiencing attacks, the number one attack type (experienced by 58% of organizations) was phishing attacks. And, given that organizations (according to the report data) were focused on solutions like anti-malware (73%), backup/DR (48%), vulnerability management (45%), and URL filtering (20%), it’s evident that many of these organizations aren’t placing enough emphasis on educating users to stop the attacks that get past these solutions.

It’s only through continual Security Awareness Training that an organization can address the weakest link in its security stance: users. From the report data, it’s evident that attacks are present, phishing remains a favorite attack vector, and remote users aren’t as secure as they need to be. Putting Security Awareness Training in place will assist in strengthening your stance with remote users, regardless of the amount of security tech in place.

FBI Warns that Financial Events are Occasions for Extortion

The US Federal Bureau of Investigation (FBI) has warned that ransomware operators are targeting companies that are going through financial events. The timing is designed to elicit and exploit information in ways that will exert additional pressure on the victims.

“The FBI assesses ransomware actors are very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections,” the Bureau says. “Prior to an attack, ransomware actors research publicly available information, such as a victim’s stock valuation, as well as material nonpublic information. If victims do not pay a ransom quickly, ransomware actors will threaten to disclose this information publicly, causing potential investor backlash.”

The FBI explains that ransomware operators select their victims based on the value of the information they have access to, and thus the potential for a big payout.

“Ransomware actors are targeting companies involved in significant, time-sensitive financial events to incentivize ransom payment by these victims,” the FBI says. “Ransomware is often a two-stage process beginning with an initial intrusion through a trojan malware, which allows an access broker to perform reconnaissance and determine how to best monetize the access. However, while this malware is often mass distributed, most victims of trojans are not also victims of ransomware, indicating ransomware targets are often carefully selected from a pool based on information gleaned from the initial reconnaissance.”

Once ransomware operators are within a network, they search for sensitive information that they can use to further incentivize victims to pay.

“During the initial reconnaissance phase, cyber criminals identify non-publicly available information, which they threaten to release or use as leverage during the extortion to entice victims to comply with ransom demands,” the Bureau says. “Impending events that could affect a victim’s stock value, such as announcements, mergers, and acquisitions, encourage ransomware actors to target a network or adjust their timeline for extortion where access is established.” That reconnaissance phase is often the work of initial access brokers, who pick victims likely to be attractive to the brokers’ criminal customers.

The vast majority of ransomware attacks begin via phishing attacks or technical vulnerabilities like exposed RDP ports. New-school security awareness training can give your organization an essential layer of defense by helping your employees to recognize phishing and other social engineering attacks.

Not that You Would, but Looking for a Sugar Daddy’s a Bad Idea

Scammers are using social media to target young women with offers to be their “sugar daddy,” according to Laura Josepha Zimmermann at Avast. Zimmermann received a message on Instagram from a user who appeared to be an older man. The user stated, “Hey my name is Walker and I am looking for a sugar baby. I would like to pay you 1,500 Euro weekly.” The scammer then sent a screenshot of a fake PayPal transaction, and told Zimmermann that she would need to send him some money via a Google Play card in order to activate the account and receive the €1,500.

“[A]spiring ‘sugar daddies’ lure in their victims through direct messages on Instagram with messages that sound (and are) too good to be true,” Zimmermann says. “They first try to gain your trust before carrying on with requesting payment. When they do get around to requesting payment “verification”, these scammers will disappear as soon as the money is sent and has come into their possession. The payment for the verification is mostly done over prepaid cards, like Google Play or Amazon Cards. These are payment methods that can’t easily be refunded.”

Fortunately, Zimmermann recognized this as a scam immediately and blocked the user after stringing him along to see what he would say, but she notes that this type of scam is common.

“This scam is far from unique nowadays — many young women are affected by similar ploys from cybercriminals across the globe,” Zimmermann writes. “Some of these women may have a difficult financial situation and could use the money. Alternatively, they may just be looking for a certain standard of living that they can’t otherwise afford. The alleged ‘sugar daddies’ exploit these situations to make a profit — and end up causing a lot of damage.”

Zimmermann offers the following recommendations to avoid falling for these scams:

“Don’t answer messages from people you don’t know. If you’re in doubt, look into their profile to see if there’s anything fishy about it.

“Ignore any messages promising free money. Plain and simple.

“Don’t give your personal details to strangers. You wouldn’t do it in person, so why do it on the internet?

“Do your research. If you’d like to validate any message that you receive, there are plenty of resources from other people who have encountered similar types of scams. Read through forums and relevant online groups to obtain more information.”

So it’s the old Nigerian prince advance fee scam reinvented for the sugar community. Steer clear. New-school security awareness training can enable your employees to recognize social engineering tactics.

Misconceptions and Assumptions about Cybersecurity

Misconceptions about cybersecurity can lead to employees falling for preventable attacks, according to Jayant Chakravarti at Toolbox. One misconception is that Apple devices are inherently more secure than Windows machines. Steven Hope, CEO and co-founder of Authlogics, told Toolbox that Mac users can grow complacent due to the false impression that Macs can’t get infected with malware.

“There is a common misconception that viruses and malware only exist on Windows and that somehow macOS is immune to them,” Hope said. “While the somewhat misleading Apple ad campaign implying that a Mac can’t get a PC virus is true, they can get infected with a virus/malware designed for macOS. There are malicious apps and web sites that are designed to steal your data or logon information; Apple and Google regularly remove apps from their app stores for this reason. It is important to remember that even a MacBook needs a password and password security is just as important even if you aren’t using Windows.”

Another assumption about security is that employees will naturally be able to recognize phishing attacks. Jonathan Miles, head of strategic intelligence and security research at Mimecast, told Toolbox that a significant number of employees are susceptible to social engineering attacks.

“Organizations need to be educating their workforce on cybersecurity, as Mimecast research shows that 50% of employees still open attachments from unknown sources, and 40% are fooled by an email pretending to be from a member of their organization every week,” Miles said. “To defend and mitigate the threats, it is key that organizations build a layered approach to cybersecurity resilience, including cybersecurity responsibility and awareness embedded deeply throughout all sectors of organizational culture. Offering regular remote working cybersecurity awareness training to employees will be crucial, with organizations recommended to take the initiative on keeping their employees informed about current and prevailing threats.”

New-school security awareness training can give your organization an essential layer of defense by teaching your employees to thwart social engineering attacks.