Celebrity Hacks and the Frenzy of Renown

Avast offers a look at incidents in which celebrities have been the victim of social engineering attacks. The firm notes that while celebrities are higher profile targets, attackers use the same tactics against them that work against everyone else.

“Most of the time, celebrities get hacked the same ways anyone else does,” Avast says. “They use weak passwords, fall for social engineering tricks, or suffer from data leaks when larger organizations holding their data are breached.”

In some cases, however, celebrities are victims of attacks they have no control over, such as the breach of law firm Grubman Shire Meiselas & Sacks.

“Celebrity law firm Grubman Shire Meiselas & Sacks, which counts among its clients such A-listers as Madonna, Lil Nas X, Robert De Niro, and LeBron James, recently found itself on the receiving end of a massive hack,” Avast says. “In May 2020, the noted hacking collective REvil — also known as Sodinokibi and one of the world’s most dangerous hacking groups — claimed to have stolen over 750 GB of contracts, emails, NDAs, and other sensitive data. REvil (short for Ransomware Evil) initially demanded a ransom of $21 million, then doubled it. Refusing to pay, the law firm instead turned to the FBI for help.”

In this case, however, the stolen information fortunately wasn’t as sensitive as the hackers made it out to be.

Avast offers the following advice if your accounts or devices are hacked:

  1. “Isolate the hacked device: Unplug any Ethernet cables and disable Wi-Fi on the hacked device. This will prevent any malware from spreading or sending data back to the hacker.
  2. “Change your passwords: Using an unhacked device, create long, hard-to-guess, and unique passwords for all your accounts and devices — we recommend using passphrases. Strong passwords will lock hackers out of your accounts and prevent them from using old passwords to log back in.
  3. “Report the hack and recover your accounts: Most online services, such as Gmail or Facebook, have specific procedures in place for reporting hacks. Follow these procedures for each hacked account to regain control.”

New-school security awareness training can enable your employees to follow security best practices so they can avoid falling for these attacks.


Deepfake Technology is Cloning a Voice from the C-Suite

Criminals used deepfake technology to steal $35 million from a company in the United Arab Emirates, Forbes reports. The attackers used “deep voice” technology to spoof the voice of a company’s director in order to trick a bank manager into transferring the money to the criminals’ bank accounts.

“In early 2020, a bank manager in the United Arab Emirates received a call from a man whose voice he recognized—a director at a company with whom he’d spoken before,” Forbes writes. “The director had good news: His company was about to make an acquisition, so he needed the bank to authorize some transfers to the tune of $35 million. A lawyer named Martin Zelner had been hired to coordinate the procedures and the bank manager could see in his inbox emails from the director and Zelner, confirming what money needed to move where. The bank manager, believing everything appeared legitimate, began making the transfers.”

Jake Moore from ESET told Forbes that people need to be prepared to see more of these types of attacks as the technology becomes easier to use.

“Audio and visual deep fakes represent the fascinating development of 21st century technology yet they are also potentially incredibly dangerous posing a huge threat to data, money and businesses,” Moore said. “We are currently on the cusp of malicious actors shifting expertise and resources into using the latest technology to manipulate people who are innocently unaware of the realms of deep fake technology and even their existence. Manipulating audio, which is easier to orchestrate than making deep fake videos, is only going to increase in volume and without the education and awareness of this new type of attack vector, along with better authentication methods, more businesses are likely to fall victim to very convincing conversations.”

New-school security awareness training can enable your employees to thwart sophisticated social engineering attacks.


New Impersonation Attack Demonstrates That Threat Actors Don’t Need to Get the Logo Correct

A new trend in social engineering and impersonation emerges as cybercriminals take advantage of a user’s inability to properly identify fake corporate logos in phishing attacks.

We’ve all seen the really bad impersonation phishing email attempts – you know the ones, where you can immediately tell it’s not the vendor it purports to be from. And then there are the really good ones that look perfect. But most phishing attacks share one requirement: the email has to display graphics so that copied logos and branding can be rendered to fool the recipient.

But security researchers at anti-phishing vendor Inky have spotted an attack where scammers attempting to impersonate Verizon use symbols to represent the “check” portion of the logo, making the entirety of the “logo” appear without the need for downloading images.

[Image: sample of the Verizon impersonation phish, with the logo’s check mark built from text symbols. Source: Inky]

You may think, “come on… that doesn’t even look like the Verizon logo at all!” and you’d be right. But new branding research around how well consumers memorize corporate logos correctly shows that most people actually remember a version of the logo enough to recognize it, but most don’t actually know exactly what the logo looks like. Using ten of the most well-known brands, it was concluded that, at best, 30% of people can draw a near-perfect version of the logo, with the average being only 16.6% of people.

This means that it’s far more likely than you think that if a phishing scammer can use some rendition of a logo, it may be enough to fool the recipient into thinking the email is from the company being impersonated.

Users that undergo Security Awareness Training are far less likely to fall for phishing attacks, regardless of how spot-on the impersonation is. By reinforcing the need to scrutinize unsolicited and unexpected emails for sender details, content, type of request, and – yes – branding, it’s possible to spot nearly every phish a mile away.


Two-Thirds of Organizations Have Been a Target of Ransomware

The latest data reveals ransomware’s pervasiveness throughout every industry, size, and type of organization, confirming its place as the number one cyberthreat today – and a glaring clue why…

We told you last month about Fortinet’s findings where ransomware grew over 1000% between July 2020 and June 2021. This new data from Fortinet’s 2021 Ransomware Survey Report shows just how egregious ransomware attacks are today, and how organizations aren’t making the connection between the cyberattack and their own users. First a bit of data on the state of ransomware attacks:

  • 67% of orgs have been a target of ransomware attacks
  • 16% have been hit three or more times
  • 96% feel at least moderately prepared (despite the % of attacks indicating otherwise)

So, organizations should take a look at why they are being hit so much, right? I don’t think they’re seeing what I’m seeing in the rest of the data – take a look:

  • Nearly a third (32%) say there’s a lack of Security Awareness Training
  • 61% have user training – but as part of an incident response plan (after and not before???)
  • 58% of ransomware attacks in North America start with phishing a user

And most importantly:

  • In the list of protection and defensive measures essential to secure against ransomware, nowhere to be found is Security Awareness Training:

[Image: list of protection and defensive measures from the Fortinet survey. Source: Fortinet]

I can only conclude that organizations today are not making the connection between their own users playing a part in either helping or stopping ransomware attacks and the value Security Awareness Training brings to a proactive security stance designed to stop ransomware attacks that start with phishing as the initial attack vector.


Telecom Company Responsible for Routing Billions of Text Messages Annually Acknowledges Multi-Year Breach

Mentioned in passing as part of a Securities and Exchange Commission (SEC) filing, Syniverse admits to hackers having access for five years, potentially impacting millions of mobile phone users worldwide.

In the middle of a recent 837-page SEC filing, telecom company Syniverse mentioned to shareholders a 2016 data breach that was only discovered earlier this year. Under the topic of how breaches, lapses in data privacy, and other damages to IT operations could impact Syniverse’s business operations, Syniverse acknowledged the 2016 breach flippantly, presenting it merely as “an example.” From the filing (emphasis is mine):

For example, in May 2021, Syniverse became aware of unauthorized access to its operational and information technology systems by an unknown individual or organization (the “May 2021 Incident”). Promptly upon Syniverse’s detection of the unauthorized access, Syniverse launched an internal investigation, notified law enforcement, commenced remedial actions and engaged the services of specialized legal counsel and other incident response professionals. Syniverse has conducted a thorough investigation of the incident.

The results of the investigation revealed that the unauthorized access began in May 2016. Syniverse’s investigation revealed that the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (“EDT”) environment was compromised for approximately 235 of its customers. All EDT customers have been notified and have had their credentials reset or inactivated, even if their credentials were not impacted by the incident. All customers whose credentials were impacted have been notified of that circumstance.

It’s not clear exactly how hackers were able to compromise the Syniverse network, but, for perspective, I’ve covered how the average dwell time for recent ransomware attacks is 13 days – whereas the Syniverse breach lasted 5 years (1825 days)!!! The filing does mention “All customers whose credentials were impacted have been notified of that circumstance,” which denotes that credentials were compromised and lateral movement is likely.

The potential access gained, data exfiltrated, systems misused, and damage done is incalculable – despite Syniverse’s claims that “there was no attempt to monetize the unauthorized activity.” Cyber forensics is only as good as the logging that exists and whether the threat actor worked to delete their trail.

This attack is a reminder that the best position in a data breach is to be so well-protected the breach never happens. And, given it took Syniverse’s IT team 5 years to even identify the attack, it’s also a reminder that your security strategy needs to include detection and remediation, in addition to prevention and protection.


Hackers rob thousands of Coinbase customers using phishing attacks and an MFA flaw

Bleepingcomputer was first to report: “Crypto exchange Coinbase disclosed that a threat actor stole cryptocurrency from 6,000 customers after using a vulnerability to bypass the company’s SMS multi-factor authentication security feature.

Coinbase is the world’s second-largest cryptocurrency exchange, with approximately 68 million users from over 100 countries.

In a notification sent to affected customers this week, Coinbase explains that between March and May 20th, 2021, a threat actor conducted a hacking campaign to breach Coinbase customer accounts and steal cryptocurrency.

To conduct the attack, Coinbase says the attackers needed to know the customer’s email address, password, and phone number associated with their Coinbase account and have access to the victim’s email account.

While it is unknown how the threat actors gained access to this information, Coinbase believes it was through phishing campaigns targeting Coinbase customers to steal account credentials, which have become common. Additionally, banking trojans traditionally used to steal online bank accounts are also known to steal Coinbase accounts.” Full story at Bleepingcomputer.


90% of All Cyber Attacks on Organizations Involve Social Engineering

It’s official: threat actors and cybercriminal gangs alike are enlightened and have locked in on the use of social engineering as the primary means to trick recipients into becoming victims.

At the end of the day, any attack that utilizes email as the delivery mechanism requires the engagement of the email recipient. Whether your users are clicking a link, opening an attachment, or performing the requested task, your users have to do something to enable an attack.

It’s one of the reasons social engineering has become a staple in the threat actor’s arsenal of tools. And, according to Positive Technologies’ Cybersecurity Threatscape: Q2 2021 report, social engineering is nearly ubiquitous across all attacks and is involved in 90% of all cyberattacks. With email used as the primary method of distribution of malware (58% of attacks), it’s necessary to use social engineering to both get the recipient’s attention and motivate them to engage with the malicious email content.

To get a better sense of how social engineering is used, take a look at some of the other stats from this report:

  • 77% of attacks were targeted (spoofing of a brand or individual is likely used)
  • 73% of attacks involve malware (an attachment or link is the singular focus)

Additionally, the report highlights the focus for the majority of campaigns:

  • 69% of attacks on organizations involve ransomware
  • 59% of attacks were intent on gaining access to data

With social engineering taking such a prominent place in cyberattacks, it has become necessary to counteract these tactics with Security Awareness Training. Your users can be kept up to date on both the types of attacks and the specific campaigns in circulation, so they are armed with an understanding of current social engineering tactics and know how to identify them.


Over $100,000,000 Lost to Romance Scams in Seven Months

People in the US lost $133,400,000 to romance scams between January 1st and July 31st of 2021, according to the FBI. The average amount lost was in the tens of thousands of dollars. The scammers trick the victims into thinking they’re investing in cryptocurrencies.

“The scammer’s initial contact is typically made via dating apps and other social media sites,” the FBI says. “The scammer gains the confidence and trust of the victim—through establishing an online relationship—and then claims to have knowledge of cryptocurrency investment or trading opportunities that will result in substantial profits. The scammer directs the victim to a fraudulent website or application for an investment opportunity. After the victim has invested an initial amount on the platform and sees an alleged profit, the scammers allow the victim to withdraw a small amount of money, further gaining the victim’s trust.”

The FBI explains that once the scammer has a victim on the hook, they’ll keep coming up with more reasons for the victim to send them money.

“After the successful withdrawal, the scammer instructs the victim to invest larger amounts of money and often expresses the need to ‘act fast,’” the Bureau says. “When the victim is ready to withdraw funds again, the scammers create reasons why this cannot happen. The victim is informed additional taxes or fees need paid, or the minimum account balance has not been met to allow a withdrawal. This entices the victim to provide additional funds. Sometimes, a ‘customer service group’ gets involved, which is also part of the scam. Victims are not able to withdraw any money, and the scammers most often stop communicating with the victim after they cease to send additional funds.”

The FBI offers the following advice to help people avoid falling for these scams:

  • “Never send money, trade, or invest per the advice of someone you have solely met online.
  • “Do not disclose your current financial status to unknown and untrusted individuals.
  • “Do not provide your banking information, Social Security Number, copies of your identification or passport, or any other sensitive information to anyone online or to a site you do not know is legitimate.
  • “If an online investment or trading site is promoting unbelievable profits, it is most likely that—unbelievable.
  • “Be cautious of individuals who claim to have exclusive investment opportunities and urge you to act fast.”

New-school security awareness training can help your employees recognize social engineering tactics.

The FBI has the story.


Ransomware Resurrection? REvil Servers Come Back Online

After months of what was thought to be the retirement of the REvil ransomware gang, REvil-related systems and Tor sites popped up on the Dark Web last week.

We thought we had seen the last of REvil – one of the most prolific and impactful pieces of ransomware to date. Its ransomware-as-a-service model made it a popular variant used in some of the most well-known attacks this year, taking in tens of millions of dollars in the process. It was thought that REvil had become Darkside and then BlackMatter (which may still be true), but last week’s development may change that.

According to Bleeping Computer, on September 7, both the Tor payment/negotiation site and REvil’s Tor ‘Happy Blog’ data leak site suddenly came back online. The negotiation site did not seem to be functional and the data leak site hadn’t been updated since July 28th.

This may be a mishap due to booting up old systems that are to be repurposed. But even so, it’s a reminder that some of the greatest minds in ransomware can easily “re-band” as easily as they can disband, putting organizations like yours further at risk.

Security Awareness Training plays a major role in the protection against ransomware attacks. Affiliates for REvil and other RaaS variants still need a way to gain entrance into an organization. Phishing is one of the most used initial attack vectors. By implementing Security Awareness Training, organizations can teach users to participate in the organization’s security stance, being continually vigilant against any email or web content that may seem suspicious, helping to minimize the likelihood of engagement with malicious links or attachments.


Large Phishing Campaign Abuses Open Redirects

Researchers at Microsoft have observed a widespread phishing campaign that’s abusing open redirectors to fool users into visiting credential-harvesting pages. Open redirects are often used for legitimate purposes, such as tracking click rates. However, they can also be abused to disguise a link to a phishing page.

“The use of open redirects in email communications is common among organizations for various reasons,” the researchers write. “For example, sales and marketing campaigns use this feature to lead customers to a desired landing web page and track click rates and other metrics. However, attackers could abuse open redirects to link to a URL in a trusted domain and embed the eventual final malicious URL as a parameter. Such abuse may prevent users and security solutions from quickly recognizing possible malicious intent.”

Microsoft explains that this tactic can fool both users and technology, since the URL itself appears legitimate.

“[U]sers trained to hover on links and inspect for malicious artifacts in emails may still see a domain they trust and thus click it,” Microsoft says. “Likewise, traditional email gateway solutions may inadvertently allow emails from this campaign to pass through because their settings have been trained to recognize the primary URL without necessarily checking the malicious parameters hiding in plain sight.”
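Microsoft’s point is that the visible hostname is trustworthy while the actual destination hides in a query parameter. The following Python is an added example, not code from Microsoft’s write-up or from this newsletter: it shows (a) how a mail filter can pull nested URLs out of a link’s parameters and flag a trusted-domain link that bounces to an untrusted host, and (b) how a redirect endpoint can be hardened so it refuses off-site targets in the first place. The `trusted.example` allowlist and the sample links are constructed for the demonstration.

```python
from typing import List
from urllib.parse import urlsplit, parse_qsl

# Constructed allowlist for this example; a real deployment would list its own domains.
TRUSTED_DOMAINS = {"trusted.example"}


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def is_trusted_host(host: str) -> bool:
    """True if host is an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def embedded_urls(link: str, max_depth: int = 5) -> List[str]:
    """Collect absolute http(s) URLs carried in query parameters, recursing into
    each one so that redirect chains (a redirector pointing at another redirector)
    are unwrapped. parse_qsl percent-decodes one level per step, which is why
    nesting is handled by recursion rather than by repeated unquoting."""
    found: List[str] = []
    for _name, value in parse_qsl(urlsplit(link).query, keep_blank_values=True):
        if value.lower().startswith(("http://", "https://")):
            found.append(value)
            if max_depth > 0:
                found.extend(embedded_urls(value, max_depth - 1))
    return found


def classify_link(link: str) -> str:
    """Verdict for a link seen in an email body:
    'untrusted'                     - hostname is not allowlisted
    'trusted-redirect-to-untrusted' - allowlisted host, but a parameter points off-site
    'trusted'                       - allowlisted host and no off-site parameters"""
    if not is_trusted_host(host_of(link)):
        return "untrusted"
    for destination in embedded_urls(link):
        if not is_trusted_host(host_of(destination)):
            return "trusted-redirect-to-untrusted"
    return "trusted"


def safe_redirect_target(requested: str, default: str = "/") -> str:
    """Hardened redirect handler. Accepts only same-site relative paths or
    absolute http(s) URLs on allowlisted hosts; everything else falls back
    to `default`. Scheme-relative ('//host') and backslash ('/\\host') forms
    are rejected because browsers treat them as off-site."""
    parts = urlsplit(requested)
    if not parts.scheme and not parts.netloc:
        if requested.startswith("/") and not requested.startswith(("//", "/\\")):
            return requested
        return default
    if parts.scheme in ("http", "https") and is_trusted_host(parts.hostname or ""):
        return requested
    return default


if __name__ == "__main__":
    # Constructed sample links of the kind a mail filter would examine.
    samples = [
        "https://trusted.example/news/item-1",
        "https://trusted.example/track?url=https%3A%2F%2Fphish.example%2Flogin",
        "https://phish.example/login",
    ]
    for s in samples:
        print(f"{classify_link(s):32} {s}")
    for t in ["/account", "//phish.example/x", "https://phish.example/", "https://trusted.example/home"]:
        print(f"redirect {t!r:32} -> {safe_redirect_target(t)!r}")
```

The classifier deliberately scans every query parameter rather than a fixed list of names such as `url` or `next`, since a redirector can use any parameter name; the cost is a little noise from legitimate tracking links, which is exactly the case Microsoft describes and the reason the verdict distinguishes a trusted redirect from a trusted redirect to an untrusted host.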

The researchers also note that this campaign makes use of hundreds of unique domains.

“This phishing campaign is also notable for its use of a wide variety of domains for its sender infrastructure—another attempt to evade detection,” the researchers write. “These include free email domains from numerous country code top-level domains (ccTLDs), compromised legitimate domains, and attacker-owned domain generated algorithm (DGA) domains. As of this writing, we have observed at least 350 unique phishing domains used for this campaign. This not only shows the scale with which this attack is being conducted, but it also demonstrates how much the attackers are investing in it, indicating potentially significant payoffs.”

New-school security awareness training can enable your employees to recognize red flags associated with social engineering attacks.
