Phishing Catch of the Day: Your Inbox Will be Deactivated

In this series, our security experts will give a behind the scenes look at phishing emails that were reported to PhishER, KnowBe4’s Security Orchestration, Automation and Response (SOAR) platform. We will go in-depth to show you real-world attacks and how you can forensically examine phishing emails quickly.

Each Phishing Catch of the Day will focus on a single phish attempt and describe:

  1. What context or pretexting exists between employee, hacker and email.
  2. What red flags one can look for before falling victim.
  3. What attack vector is being utilized and for what purpose.
  4. What steps to take to inoculate users from similar attacks.

The Initial Phish Breakdown


Figure 1: PhishER Screenshot of Reported Phishing Email

Early in the morning on Feb 11th, a KnowBe4 employee received an email claiming that their inbox will be deactivated if they do not confirm their email address. The sender of this phish is hoping to generate an emotional reaction, causing the user to react without thinking.

Phishing Warning Signs and Red Flags

The best approach to consistently identify phishing is to simply ask oneself “Is this phishing?” whenever viewing an email or electronic message. The brain will naturally jump into a detective mindset and become resilient to emotional reaction.

Scroll up to the first screenshot, put on your detective cap, and try to find as many red flags as you can before continuing!


Figure 2: Red flags found in the phishing email

Let’s gather more information from the headers of the email. Clicking on the Headers tab in PhishER gives you all headers pulled from the reported message in an easy-to-read format and highlights IP addresses and authentication information for you. Take a look at the ARC-Authentication-Results header to find the original sender location: the IP address that actually connected to the receiving mail server, which the sender cannot spoof.


Figure 3: ARC-Authentication-Results from the Headers tab in PhishER

It appears that the email is coming from an Amazon SES server and the originating IP is 23.251.242.1. You may be able to reach out to Amazon and report abuse if necessary, especially if this is an ongoing problem from this specific address.
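As an added example (not code from PhishER or from the original post), the script below pulls the DKIM/SPF/DMARC verdicts and the connecting IP out of these headers and keeps only the verdict written by your own mail server, so the forged upstream Authentication-Results header in the sample is ignored. The raw message is constructed: only the IP 23.251.242.1 and the Amazon SES origin come from the analysis above, and mx.example-corp.com, the other domains and the selector values are placeholders.

```python
"""Triage the authentication headers of a reported phishing email.

Added example; not code from PhishER or from the original post. The raw
message below is constructed: only the connecting IP 23.251.242.1 and the
Amazon SES origin come from the write-up, everything else is a placeholder.
"""
import email
import re
from typing import Dict, List, Optional

# Authserv-id of our own receiving MTA (assumed name). A verdict stamped by
# any other host travelled inside the message and may have been forged.
TRUSTED_AUTHSERV = "mx.example-corp.com"

# Constructed sample: the first header is the one our MTA wrote on receipt;
# the second is a bogus upstream verdict the sender planted to look clean.
RAW_MESSAGE = """\
ARC-Authentication-Results: i=1; mx.example-corp.com;
       dkim=pass header.i=@amazonses.com header.s=placeholder header.b=PLACEHOLDER;
       spf=pass (mx.example-corp.com: domain of bounces@amazonses.com designates 23.251.242.1 as permitted sender) smtp.mailfrom=bounces@amazonses.com;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=it-helpdesk.example
Authentication-Results: upstream.attacker.example;
       spf=pass smtp.mailfrom=it-helpdesk.example;
       dmarc=pass header.from=it-helpdesk.example
From: IT Support <no-reply@it-helpdesk.example>
To: employee@example-corp.com
Subject: Your inbox will be deactivated

Confirm your email address within 24 hours or your mailbox will be closed.
"""

_AUTHSERV_RE = re.compile(r"^(?:i=\d+;\s*)?([^;\s]+);")
_METHOD_RE = re.compile(r"\b(dkim|spf|dmarc)=([a-z]+)", re.I)
_SENDER_IP_RE = re.compile(r"designates\s+([0-9a-f.:]+)\s+as permitted sender", re.I)
_DOMAIN_RE = re.compile(r"\b(smtp\.mailfrom|header\.from)=([^\s;]+)", re.I)


def parse_auth_results(value: str) -> Dict[str, Optional[str]]:
    """Flatten one (possibly folded) *-Authentication-Results header."""
    text = " ".join(value.split())  # undo RFC 5322 header folding
    info: Dict[str, Optional[str]] = {
        "authserv_id": None, "dkim": None, "spf": None, "dmarc": None,
        "sender_ip": None, "mailfrom_domain": None, "from_domain": None,
    }
    m = _AUTHSERV_RE.match(text)
    if m:
        info["authserv_id"] = m.group(1)
    for method, result in _METHOD_RE.findall(text):
        info[method.lower()] = result.lower()
    m = _SENDER_IP_RE.search(text)
    if m:
        info["sender_ip"] = m.group(1)
    for prop, val in _DOMAIN_RE.findall(text):
        key = "mailfrom_domain" if prop.lower() == "smtp.mailfrom" else "from_domain"
        info[key] = val.rsplit("@", 1)[-1].lower()
    return info


def trusted_results(raw: str) -> List[Dict[str, Optional[str]]]:
    """Only the verdicts our own MTA wrote; anything else is untrusted input."""
    msg = email.message_from_string(raw)
    found = []
    for name in ("ARC-Authentication-Results", "Authentication-Results"):
        for value in msg.get_all(name, []):
            parsed = parse_auth_results(value)
            if parsed["authserv_id"] == TRUSTED_AUTHSERV:
                found.append(parsed)
    return found


def originating_ip(raw: str) -> Optional[str]:
    """The address that actually connected to our MTA, per its SPF check."""
    for r in trusted_results(raw):
        if r["sender_ip"]:
            return r["sender_ip"]
    return None


def red_flags(raw: str) -> List[str]:
    """Header-level findings to note before anyone opens the link."""
    results = trusted_results(raw)
    if not results:
        return ["no verdict from our own MTA; every other auth header is untrusted"]
    r = results[0]
    flags: List[str] = []
    if r["dmarc"] == "fail":
        flags.append(f"DMARC fails for the visible From domain {r['from_domain']}")
    if r["mailfrom_domain"] and r["from_domain"] and r["mailfrom_domain"] != r["from_domain"]:
        flags.append(f"SPF passes for bulk sender {r['mailfrom_domain']}, not for {r['from_domain']}")
    return flags


if __name__ == "__main__":
    print("connecting IP:", originating_ip(RAW_MESSAGE))
    for flag in red_flags(RAW_MESSAGE):
        print("red flag:", flag)
```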

Phishing Attack Vector and Road to Compromise

Opening up the link found in the email, we see the landing page below.


Figure 4: Phishing email landing page

Notice the “NOPE” at the top and the fill-in for “nope@nope .com”. This is pulled from the URL fragment (the part after ‘#’) passed to the page from the link in the email. The page then uses JavaScript to style the form and add any icon found in Google Images for the user’s email domain. This gives the victim a sense of familiarity and imitates a generic login page that an individual might trust.


Figure 5: Anchor passed in from the URL in the email body

Upon entering their credentials, the page runs a JavaScript function that verifies the password and email fields are not empty and sends the form contents to a remote server in Indonesia (which may explain why the email was sent outside US business hours).


Figure 6: JS code to POST user entered credentials to a remote server


Figure 7: WHOIS of the domain found in the POST request

Conclusions and Recommendations

The attack described above is a textbook example of credential phishing: a tactic in which an attacker routes you to a landing page that imitates a popular or important web application in the hope that, when you enter your username and password, they can pocket the credentials for later use.

This attack can be particularly harmful to your organization because your end users are usually unaware that their account has been compromised! A malicious actor can use this access for weeks without detection because any activity appears to come from a legitimate account.

If you’re a KnowBe4 customer, you can find this phishing template under the IT Category on the KMSAT platform labeled, “IT: IT Support Email Shutdown (Link) (Spoofs Domain)”.

It’s important to ensure your users stay alert to the latest attacks. Frequent phishing security tests and new-school security awareness training can help your users actively apply training techniques in their day-to-day job functions.


Phishing Targets Industrial Control Systems

Phishing continues to be a primary initial access vector in cyberattacks against industrial control systems, according to researchers at Dragos. Out of the fifteen threat groups tracked by the security firm, ten rely on spear phishing attachments to compromise their victims, and thirteen abuse valid accounts to maintain persistence.

STIBNITE, a threat actor that targets wind turbine companies in Azerbaijan, uses fake login pages and malware-laden documents to compromise its victims.

“STIBNITE gains initial access via credential theft websites spoofing Azerbaijan government organizations and phishing campaigns using variants of malicious Microsoft Office documents,” Dragos says. “STIBNITE also used information related to the global COVID-19 pandemic for malicious document themes.”

TALONITE, a threat group that focuses on the US electric sector, uses spear phishing to deliver malicious documents.

“TALONITE’s phishing campaigns utilize electric and power grid engineering-specific themes and concepts, indicating an intent to gain a foothold within energy sector entities,” the researchers write. “Such access could facilitate gathering host and identity information, collecting sensitive operational data, or mapping the enterprise environment to identify points of contact with ICS. The identified infrastructure and phishing emails spoofed the National Council of Examiners for Engineering and Surveying (NCEES), North American Electric Reliability Corporation (NERC), the American Society of Civil Engineers (ASCE), and Global Energy Certification (GEC).”

Dragos stresses that malicious cyber activity targeting industrial control systems is increasing, with four new ICS-targeting threat actors spotted in 2020.

“Data from our YIR report shows that this trend corresponds with a 3X rise in ICS-focused threats,” said Dragos’ CEO, Robert M. Lee. “The convergence of an increasingly ICS-aware and capable threat landscape with the trend towards more network connectivity means that the practical observations and lessons learned contained in our 2020 YIR report are timely as the community continues to work to provide safe and reliable operations

New-school security awareness training can give your organization an essential layer of defense by enabling your employees to thwart targeted phishing attacks.


Bogus FedEx and DHL Phishbait

Researchers at Armorblox describe an ongoing phishing campaign that’s using phony FedEx and DHL shipping notifications as phishing lures.

“A few days ago, the Armorblox threat research team observed an email impersonating FedEx attempt to hit one of our customer environments,” the researchers write. “The email was titled ‘You have a new FedEx sent to you’ followed by the date the email was sent. The email contained some information about the document to make it seem legitimate, along with links to view the supposed document.”

The emails contained links to the Quip document hosting service, where the attackers had set up a landing page with a link to a spoofed Office 365 login page. The DHL phishing scam used a similar technique.

“The email sender name was ‘Dhl Express’ and title was ‘Your parcel has arrived’, including the victim’s email address at the end of the title,” Armorblox says. “The email informed victims that a parcel arrived for them at the post office, and that the parcel couldn’t be delivered due to incorrect delivery details. The email includes attached shipping documents that victims are guided to check if they want to receive their delivery.”

These emails contained an HTML attachment that opened what appeared to be a blurred-out spreadsheet behind an Adobe login box. The login overlay had the user’s email address pre-filled in the first box, so the researchers believe the attackers were trying to trick the user into entering their email password rather than their Adobe account credentials.

The researchers conclude that people should use a combination of training and technical defenses such as two-factor authentication to defend themselves against these attacks.

“Since we get so many emails from service providers, our brains have been trained to quickly execute on their requested actions,” they write. “It’s much easier said than done, but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email (e.g. Why is the email sender name ‘Dhl Express’ instead of ‘DHL Express’, Why does this shipping details document have an HTML extension? etc.).”

What might users be trained to look for? Poor idiomatic control, for one thing. The logos and layouts are very nicely done, but the words are a bit clumsier: DHL and FedEx have better writers. New-school security awareness training can create a culture of security within your organization so your employees can recognize phishing and other types of social engineering attacks.


Running Headfirst Into a Breach

The pandemic changed the fortunes of many organisations. Perhaps none so much as Zoom, which has found itself becoming a noun synonymous with any form of video call.

However, its meteoric rise has not been without some hiccups along the way. There have been many cases of people not securing their meetings, leading to many cases of ‘zoombombing’ in which unauthorised people join video calls with the intention of sharing lewd, obscene or otherwise distasteful content.

There was also the case of investors wanting to jump on the Zoom bandwagon who inadvertently purchased stock of Zoom Technologies, a small Chinese company which had nothing to do with Zoom, the video chat platform.

Errors and mistakes aside, criminals have also been quick to notice the trend and have been quick to capitalise by registering thousands of fake domains designed to impersonate Zoom and other video conference brands. They have also been using them to send out phishing links.

With the majority of office employees working remotely, receiving Zoom invites or even seeing reminders in their calendar for upcoming Zoom meetings has become a daily occurrence.

It is not just phishing via email that has taken off. People working from home usually have several communication channels they use to interact with colleagues, customers, partners and friends. These encompass everything from messaging apps to social media and everything in between.

Pulling on Emotions

Criminals are very good at crafting messages in a way that pulls on people’s emotions: fear, greed, curiosity, urgency, helpfulness or any other emotion. One of the biggest reasons this works is explained by Daniel Kahneman, who states in his book “Thinking, Fast and Slow” that there are essentially two types of thinking the human brain undertakes.

System one is referred to as fast thinking and largely works automatically and effortlessly via shortcuts, impulses and intuition. It is fast, but also error prone. System two is also known as slow thinking. It takes time to analyse, reason, solve complex problems and requires people to exercise self-control. It is slow, but reliable.

A good criminal pulls on emotions because it is a surefire way to get people into system one thinking, where they will carry out an action before thinking about it.

Think about it. When was the last time you received a scam or phishing attack and the sender was polite and ended with, “please respond whenever is convenient, there’s no rush”?

It’s why an inflammatory Tweet or Facebook post receives so much attention and so many responses, even though we often know we should just ignore it. It just presses our emotional buttons and we need to say something.

So, it becomes difficult to rein people in — even the most security conscious people can be fooled by a WhatsApp message which pops up saying, “Why aren’t you in the meeting? We’re all waiting for you. Click here to join.”

Not a Theoretical Risk

The security industry has been guilty in the past of over-hyping issues. But social engineering threats are very real. If we look at the growth of ransomware over the years, it has become a huge criminal cash cow.

Most ransomware these days is delivered via phishing across multiple channels, hitting organisations across all industry verticals and of all sizes. Nearly a year ago, Travelex was hit by ransomware which resulted in the business being down for several weeks before they recovered. Unfortunately, its woes didn’t end there. With the pandemic hitting and many countries going into lockdown, the organisation didn’t get a chance to recover and went into administration later in the year.

Down under in Australia, the CEO of a hedge fund was tricked into clicking on a phishing email disguised as a Zoom invite. The click gave criminals access to the CEO’s email, which allowed them to send emails posing as the CEO authorising payments amounting to nearly $8m. And while the hedge fund was able to recover most of the money, the reputational damage was so severe that its main fund pulled out, forcing the hedge fund to shut down.

The fact of the matter is that social engineering attacks are only increasing and are becoming the main thrust of cybercrime, with a far greater impact on victim organisations.

Ways You Can Stay Safe

Staying safe against these attacks is increasingly difficult, not just because of the increased sophistication of attacks, but because of the sheer volume of attack avenues available to criminals, ranging from email inboxes, social media accounts and chat apps to SMS and phone calls.

  1. Security Awareness Training

    Security awareness training should be delivered to all users, from the most junior all the way to the most senior executives. The variety and impact of these attacks should be explained and mechanisms provided so that users can quickly and easily report any suspicious activity for the security team to investigate.

  2. Gain Visibility

    Security teams need to be able to obtain visibility into all of their organisation’s communication channels. For most organisations, too many channels are kept in the dark, so often by the time a breach is detected, it is too late.

  3. Real-Time Threat Detection

    All critical accounts, including marketing and executives, need to be monitored continuously for suspicious activity and messaging. In addition to scanning all files, attachments and links for malware, non-technical social engineering threats should also be sought out.

  4. Incident Response

    A layered response approach needs to be put in place so that any threats detected can be removed immediately.


The First Documented Russian Hack in…1981?

I’m reading “Active Measures: The Secret History of Disinformation and Political Warfare” by Thomas Rid and wanted to share this story with you which was new to me! It’s warmly recommended, a great read.

In October 1981, in a highly embarrassing incident for the Kremlin, a large Soviet nuclear-armed submarine ran aground near Sweden’s Karlskrona Naval Base, violating Swedish territorial waters.

To deflect some political heat, Russian intelligence launched an innovative active measures campaign that took advantage of a new semi-electronic messaging system called the Mailgram, an invention of Western Union.

All of a sudden, on November 8, 1981, a dozen Mailgrams started appearing across Washington, offering dirt on Swedish-American relations. They were sent to the Swedish Ambassador and several newspapers in the United States and Europe.

How was this hack possible?

A sender could phone in a message to Western Union, and they would transmit it electronically to a post office close to the recipient where the message would be printed out and delivered by mail.

Western Union did not independently confirm the recipient’s address or the telephone number to which the unauthenticated caller asked to bill the charges. “Obviously,” concluded the FBI, “the true senders of the Mailgrams were aware that they could have the charges billed to the addresses or telephone numbers of the alleged senders without verification.” The setup was easy to exploit since the attackers spoofed false senders and had Western Union send the bill to the impersonated users!

My realization was that Russia has been at this for a very, very long time, and with the advent of the internet they have the ultimate tool to scale their active measures and cause massive international havoc.


Popular Car Company Becomes Next Target in $20 Million Dollar Ransomware Attack

Popular car company Kia Motors America recently made headlines over a possible ransomware attack, with a cybercriminal gang demanding a $20 million ransom in exchange for not leaking stolen data.

It was reported by Bleeping Computer earlier this week that the car company suffered a major IT outage that affected all of its technology applications. A customer tweeted that they were told by a dealership that the outage was due to a ransomware attack.

The ransomware group alleged to be responsible for this attack is DoppelPaymer, a well-known gang that steals unencrypted files before encrypting the victim’s devices. They also leak data on a site to further pressure the victim into paying the ransom. Below is a recent example of just that:

Source: Bleeping Computer

Kia Motors America released a statement with the following, “KMA is aware of IT outages involving internal, dealer and customer-facing systems, including UVO. We apologize for any inconvenience to our customers and are working to resolve the issue and restore normal business operations as quickly as possible.”

Make sure your organization is not the next victim of ransomware. New-school security awareness training can teach your users how to spot and report any suspicious activity.


Bogus Bug Reports as Phishbait, Scams

Some bug bounty seekers are using extortionist or fear-mongering tactics in an effort to get paid for reporting trivial flaws, according to Chester Wisniewski at Sophos. He calls them “beg bounty” attempts. Wisniewski explains that, “‘Beg bounty’ queries run the gamut from honest, ethical disclosures that share all the needed information and hint that it might be nice if you were to send them a reward, to borderline extortion demanding payment without even providing enough information to determine the validity of the demand.”

For example, some of these individuals use automated scanners to identify websites that don’t have DMARC enabled, then send a copy-and-pasted notification to each website’s owner.

“They claim to have found a ‘vulnerability in your website’ and then go on to explain that you do not have a DMARC record for protection against email spoofing,” Wisniewski writes. “That is neither a vulnerability nor is it in your website. While publication of DMARC records can help prevent phishing attacks, it is not an easy policy to deploy, nor is it high on the list of security tasks for most organizations.”

While some of these people are probably well-meaning, others are clearly scammers seeking to frighten victims into paying. Even in the cases where real vulnerabilities were identified, the flaws were minor and not worthy of a bounty payout. Additionally, many of the targeted organizations didn’t have bug bounty programs set up in the first place. Wisniewski thinks small businesses are most at risk of falling for these tactics.

“There are reports that paying beg bounties leads to escalating demands for higher payments,” Wisniewski says. “One organization apparently said it started out at $500 and then, as further bugs were reported, the senders quickly demanded $5,000 and were more threatening.”

If you do have a bug bounty program, you’ll know about it. And if you don’t, let your people know that, too, so they don’t fall victim to this…what? Grey hat scam? Not all scams come in black and white. New-school security awareness training can help your employees remain calm and avoid falling victim to scare tactics and other social engineering techniques.


Phishing and Impersonated Brands

Microsoft is still the most impersonated brand for phishing campaigns, according to researchers at Vade Secure. The security firm spotted 30,621 unique Microsoft-related phishing URLs in 2020. The researchers note that “[a] single unique phishing URL could be used in hundreds or even thousands of phishing emails.” Facebook was the second most impersonated, with 14,876 unique phishing URLs. PayPal came in third, followed by Chase and eBay.

“COVID-19 colored everything in 2020, so it’s not surprising that cloud came out on top,” the researchers write. “As the working world switched to remote, the need for cloud-based solutions skyrocketed. Microsoft Teams users increased from 44 million in March 2020 to 75 million in April 2020. Meanwhile, Facebook, Google, and Netflix saw big financial gains during COVID-19, and each is in the top 20.”

E-commerce phishing has also been on the rise due to the pandemic, and some new brands have made it to the top ten list.

“New to the Phishers’ Favorites list, Rakuten, a Japanese e-commerce company, made its first appearance on the list, coming in at #6,” the researchers write. “Rakuten’s rise is thanks to a large spike in phishing activity in Q3 2020, when Vade Secure detected a 485 percent increase in Rakuten phishing URLs.”

The researchers also observed a year-over-year increase in phishing emails laden with the Emotet banking Trojan.

“Phishing emails weaponized with malware also featured prominently in 2020,” Vade Secure says. “Emotet, which had gone silent in early 2020, returned briefly in the spring and came roaring back in the fall. A wave of Emotet malware emails hit Microsoft users in September, with a single-day high of 1,799 phishing URLs and 13,617 for the quarter, a 44 percent increase from Q2.”

Trends in phishing lures change over time, but the underlying hallmarks of social engineering remain the same. New-school security awareness training can help your employees recognize phishing emails and other social engineering attacks.


It’s Not Only About the URL

You have to look at the totality of an email to determine whether it is a phishing attack or not.

I’ll admit it, I’m guilty. When I get a phishy-looking email, the first thing I do is hover over the URL to see if it is legitimate-looking or not. And, most phishing emails do contain rogue-looking domains. So much so, that I actually wrote about this here previously and created a one-hour webinar all about how to teach yourself and co-workers how to spot rogue URLs. You can even download our handy Rogue URL PDF handout (shown below) for a quick review or to hand it out to your co-workers.

Red Flags of Rogue URLs

Analyzing included URLs is a big part of determining if something is malicious or not.

It’s just not the only thing!

The URL Is Not Everything

We all need to look at the totality of the potentially suspicious phishing request to determine if it is malicious or not. URL investigation is a big part of that process, but there are many phishing scenarios where the URLs are indeterminate or even completely, 100%, legitimate. For instance, many phishing emails originate from common, shared domains. For example, many phishing emails come from onmicrosoft.com (O365-hosted domains), gmail.com, sendgrid.net. I was highly suspicious of sendgrid.net because a lot of phishing emails come from there, and then I realized that one of my absolute favorite computer security portals, Spiceworks, sends all their emails from sendgrid.net. And that’s not a bad thing. Sendgrid.net is a legitimate service used by mostly legitimate people, but because it is widely and publicly available, it is often used by scammers, as are the shared, public domains by Microsoft and Google.

Many times, the phishing emails come from legitimate, private domains. Oftentimes, they are hijacked domains and the involved link has nothing to do with the brand or request being impersonated. For example, the rogue URL link says something like waterworks.com/inbox/subscriptions/rogue.jsp, where you can tell that someone’s otherwise legitimate domain and website have been hijacked by a hacker who is using it until the exploit and hole that allowed him/her in is shut down.

But sometimes, not only is the domain legitimate but it comes from a domain you trust and regularly do business with. Most of the time, the other side you trust has been pwned and is now being used, unbeknownst to the victim involved, to send spear phishing attacks to people who trust and regularly do business with them. These types of phishes are known as third-party phishing attacks and I wrote about them here. Add to this any time a co-worker has been infected or compromised. The email coming to you could be coming from a close friend.

And sometimes, despite your experience and expertise, looking at the URL just doesn’t solidly indicate whether a suspected phishing attack is definitely a phishing attack.

I found myself relying way too much on URL inspection as my first and often only sign of whether something was malicious or not. So much so that I almost prematurely approved some malicious emails as legit. It happened enough that I was starting to scare myself that one day I would miss one. And even though I knew I was overly reliant on URL inspection, I couldn’t shake the habit at first. I still found myself looking at the URL in a suspected message first and often making the decision then and there.

Drill – Everything But the URL

So, I created a new drill for myself. For months, if I suspected an email or web scenario as being malicious, I refused to look at the URL until the very end of the inspection. I would take my time and see how many other “red flags” of social engineering I could find. Did I see obvious typos? Did I see subject and content mismatches? Did I see email address mismatches? Did the email come in at a strange time? Was the email an unexpected request for something I had never done before? Did the email contain a “stressor” event where it is telling me I had to do something very quickly or there would be consequences? Is it asking me to perform an action that may result in harm? And so on.

My self-imposed drill was a success! In every case of a legit phishing email (or website), I found at least a handful of other clues that, taken in their totality, indicated that what I was dealing with was a malicious phish. Oftentimes, by the time I got to the URL, I had already made my decision. And here is the most important lesson: When I looked at the URL last, I was more often able to determine whether an email was malicious or not overall. I didn’t let the URL alone become the primary deciding factor. With my old behavior, using the URL alone or first and primarily, there were definitely times when I wasn’t sure. Using my new strategy, I have successfully determined legitimacy faster and with more accuracy.

If You Still Can’t Confirm Legitimacy

Phishes are ever marching toward more realism. I’m seeing more phishes show up that I can’t as easily determine the legitimacy of, whether or not I’m looking at the URL first. Here’s what I do:

First, if there is a way, I try to confirm the email externally, not using any of the provided information in the email. For example, if it says something has happened to my account that I need to verify, and it links to an account that I actually use, instead of clicking on the URL in the email, I simply go to the legitimate domain, log in, and then see if I get the same warning message. If not, the suspected email was a scam. If the email contains a phone number, especially if I’m told to call it, I go to the Internet, find the real company’s website, look up the phone number there, and call it. If the email claims to be from a department in your company or from a company you trust, call the legitimate phone number you already have on file. Do not call the phone number in the email. Scammers often have fake “switchboards” and operators ready to answer with the right branding.

In moments where I really can’t tell for sure if the email is legitimate or not, I can report it to a trusted colleague. Two sets of eyes are better than one. I’ve got a trusted friend in my company who I trust as much as myself or more to determine legitimacy. Sometimes when I’m in a bind, I send him the email…with a big subject banner indicating what I’m sending him is a suspected phish. And he has really helped me to see clues that I didn’t notice on my own.

At KnowBe4, we are also big believers in the Phish Alert Button. Our Phish Alert Button (PAB) is a free download and works with Microsoft Outlook and Gmail email clients. It installs a “macro” button on the email client’s toolbar that a user can click to report and delete suspected phishing attacks. Admins determine where to collect all suspected phishes ahead of time. It allows an IT security team to investigate individual phishing attempts more quickly and be able to report back to their end users if they reported a real or simulated phishing attempt.

If I have the time, I may send the suspected phishing email to a “throw-away” Hotmail email account I have and then open it up in a safe, isolated, virtual machine. I wrote about how to use Windows 10’s Sandbox feature to do this; although overall, I prefer the professional features offered by VMware, Hyper-V, Parallels, VirtualBox, etc. The Windows 10 Sandbox was convenient, but it just didn’t have enough features and was constantly being corrupted for reasons I don’t know and would not start unless I did a reboot of the host system. If you are interested in forensically examining phishing emails and are inexperienced at doing so, consider watching my webinar. If you don’t know how to forensically examine phishing emails, don’t risk it. Send to a friend instead or don’t do it. It’s all too easy to accidentally click on a link or initiate a malicious JavaScript.

Lastly, when in doubt, chicken out. A few times over the last year, I have received what I’m fairly sure are legitimate emails. Due to the nature of my job and writing for nearly 30 years, I receive dozens of emails from complete strangers every day. Many of them are overly familiar, acting as if we are long-time friends, and asking me to click a link to review something for them. Many of those emails are obviously written by English-as-second-language folks, so the sentences and phrasing often look like what you would see in a real phishing email. I get enough of them that I realize that they are likely legitimate, and I don’t want to not respond and have them think I’m ignoring their email and simply providing poor service. But sometimes, in the end, no matter how hard I try, I don’t know for sure, and when that is the case, I either report it via our PAB button and let the experts determine legitimacy or ignore and delete it. I, and my company, can’t take the risk. When in doubt, chicken out.

We are starting to see more advanced phishes where simply hovering over the included URL doesn’t help you to determine legitimacy or not. You and your co-workers should always look at the totality of the phishing attempt to gauge legitimacy. Don’t rely on the URL alone. All people should be taught how to spot the common “red flags” of social engineering. You can also download and distribute far and wide our “Red Flags of Social Engineering” PDF.

No matter how you learn it, everyone should be educated to understand how to look at the entirety of a potential, suspicious request to determine maliciousness. Here at KnowBe4, we are big believers in security awareness training.


New Phishing Attack Uses Morse Code to Avoid Detection by Email Scanners

Yes – you read that right: Cybercriminals have found a way to use 1830s technology to trick 2020s security solutions into not identifying phishing attachments as malicious.

Like you, when I first read about this I shook my head and thought “no way – how would that even work??!?” But according to a post on Reddit, the bad guys realized they could digitally encode their malicious JavaScript in Morse code, effectively bypassing any email scanners.

The phishing attack starts out like any other, using some basic social engineering around paying an invoice and hosting an attachment made to look like an invoice with the filename ‘[company_name]_invoice_[number]._xlsx.hTML.’

But upon closer inspection, the attachment leverages JavaScript containing a basic decoding function, where each letter and number is assigned a Morse code value, and then calls it to decode a large amount of Morse code stored within the file.


Source: Bleeping Computer

The result is that when the HTML attachment is scanned, its contents appear benign to a security solution. But when run, the script converts the Morse code into two additional JavaScript tags that are injected into the page and executed.
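For an analyst triaging such an attachment, the added example below (not the attacker’s script and not code from the original post) finds stretches of Morse-looking text in an HTML file and decodes them so the hidden content can be read before the file is ever rendered. The attachment it scans is a constructed stand-in whose payload is a short alphanumeric string, which is all standard Morse can carry.

```python
"""Triage helper for HTML attachments that carry Morse-encoded content.

Added example; not code from the original post or from the attachment it
describes. ATTACHMENT is a constructed stand-in for the
'[company_name]_invoice_[number]._xlsx.hTML' file.
"""
import re
from typing import Dict, List

# Standard International Morse for letters and digits (the character set
# the attachment's own decoder table covers).
MORSE: Dict[str, str] = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}

# Constructed sample attachment: the only "content" is a Morse string that
# a signature scanner sees as harmless punctuation.
ATTACHMENT = """<html><body>
<p>Loading invoice...</p>
<script>
var payload = "--- ..-. ..-. .. -.-. . / ...-- -.... ..... / ... . ... ... .. --- -. / - .. -- . -.. / --- ..- -";
</script>
</body></html>"""

# Eight or more dot/dash tokens separated by spaces (or "/" between words)
# is far longer than any legitimate use of dots and dashes in markup.
_RUN_RE = re.compile(r"(?:[.-]{1,5}(?:\s*/\s*|\s+)){7,}[.-]{1,5}")


def find_morse_runs(text: str) -> List[str]:
    """Return stretches of text that look like a Morse-encoded payload."""
    return [m.group(0).strip() for m in _RUN_RE.finditer(text)]


def decode_morse(run: str) -> str:
    """Decode one run; unknown tokens become '?' instead of raising."""
    words = re.split(r"\s*/\s*", run.strip())
    return " ".join("".join(MORSE.get(tok, "?") for tok in w.split()) for w in words)


def triage_attachment(html: str) -> Dict[str, object]:
    """Flag the file and surface what the Morse hides, without executing it."""
    runs = find_morse_runs(html)
    return {
        "suspicious": bool(runs),
        "payload_count": len(runs),
        "decoded": [decode_morse(r) for r in runs],
    }


if __name__ == "__main__":
    print(triage_attachment(ATTACHMENT))
```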

The result of all this is a pretty creative rendering of a fake Excel document and an Office 365 logon screen, stating the user’s session had timed out.

Source: Bleeping Computer

Creative? Yes. Unique? No – bad guys can even devise their own simple character-substitution encoding (e.g., ‘A’ replaced with ‘D’, ‘B’ with ‘E’, etc.) and achieve the same result.

The real stopping point here is the bogus email theming and horrible attachment name. Users that undergo Security Awareness Training are positioned to quickly see this for what it is and stop the attack before it goes any further than making it to the Inbox.
