01Oct

Don’t Just Catch a Phish, Captcha One

October 1, 2020By 0 comment

Researchers at Menlo Security have identified a phishing site that uses three layers of visual captchas to evade detection by automated security crawlers. Captchas are brief tests on websites that ask you to enter a word or select a series of images to prove you’re not a robot. Almost everyone has encountered these, since they’re usually used by legitimate sites to filter out malicious or unwanted traffic from bots.

In this case, however, the attackers are using captchas to prevent good bots (i.e., bots that are designed to hunt down phishing sites) from accessing the phishing page. The researchers also note that the captchas have the added benefit of lending credibility to the phishing page, since users associate these tests with legitimate sites.

“Two important things are happening here,” they write. “The first is that the user is made to think that this is a legitimate site, because their cognitive bias has trained them to believe that checks like these appear only on benign websites. The second thing this strategy does is to defeat automated crawling systems attempting to identify phishing attacks.”

When a user first accesses the phishing site, they’ll be presented with the familiar “I’m not a robot” reCAPTCHA checkbox. After clicking this box, the user will be asked to select the correct set of images to proceed (for example, images with bicycles, street signs, school buses, and so forth). The user will have to solve three of these tests before they’re allowed to access the phishing page, which is a convincingly spoofed version of an Office 365 login portal designed to steal their credentials.

“Microsoft happens to be the brand that is most phished across our customer base,” the researchers explain. “This is a result of the increased adoption of O365 by many enterprises and cyber criminals are looking to take over legitimate accounts and use them to launch additional attacks within the enterprise.”

Attackers are constantly adapting their techniques to stay ahead of improved security technology. New-school security awareness training can give your employees the knowledge they need to avoid falling for these attacks.

Menlo Security has the story.

READ MORE
30Sep

Organizations Working From Home Opens Wider Target for Cybercriminals

September 30, 2020By 0 comment

With so many people working from home, more attackers are adapting their strategies to focus on employees as a way to bypass organizations’ defenses, FCW reports. During a webcast hosted by Venable, several Federal and industry experts discussed the challenges associated with remote work, particularly in organizations that previously required physical modes of identification.

Sean Connelly, Trusted Internet Connection (TIC) program manager at the Cybersecurity and Infrastructure Security Agency (CISA), said attackers are increasingly using fake social media accounts and phone calls to trick employees into handing over their credentials or installing malware.

“Those attacks are shifting everywhere traditional network security controls are not located,” Connelly said. “Many attackers are actually calling employees and encouraging them to log on to those fake pages and then grabbing their credentials from those pages.”

Connelly added that it’s much harder to defend against phishing attacks on social media when employees are working from home.

“How do you put security controls around a social messaging app?” Connelly asked.

Wendy Nather, Head of Advisory CISOs at Duo Security, explained that many previous security assumptions are suddenly no longer applicable.

“Because we’re not physically co-located anymore, there are a lot of authentication factors we used to assume, that we now can’t use,” Nather said. “If somebody calls the help desk, how are you going to verify them if they can’t walk over and show you their CAC [Common Access Card]?”

Likewise, Ross Foard, a senior engineer at CISA, said well-established forms of authentication in the government are hard to transfer to a remote environment.

READ MORE
30Sep

What’s the Information Stolen in a Phishing Attack Really Worth?

September 30, 2020By 0 comment

Once a scammer tricks their victim out of web credentials, credit card details, or online access to a bank account, the details collected are worth plenty by simply selling them on the dark web.

The cybercriminal industry is much like regular businesses; each one specializes in a particular product or service and has no interest in doing “everything”. For example, when a phishing attack successfully yields online credentials to Office 365, in many cases, the credentials are sold by the initial attacker, rather than utilized by them to further launch attacks.

Why? Because it’s a lot easier to make a quick buck and repeat the process using automated tools than to develop a complex multi-step attack campaign.

According to the 2020 Dark Market Report: The New Economy report from security vendor Armor, those stolen details are worth quite a bit on the dark web:

  • A credit card in the US can fetch as much as $12. One in the EU is worth as much as $35.
  • The value of cloned ATM cards are based on the bank account balance. For example, the ATM card associated with an account worth $10K in it would be worth between $600-800.
  • Paypal account credential values follow the account’s balance, with credentials to a $1000 account valued at $100.
  • Even social media accounts have value, with Twitter leading the pack at $16 per account

In every case above, the details purchased are used to then be used by the next bad guy. It’s an ecosystem where many cybercriminals have found a way to plug themselves in by simply doing the work of fooling victims into giving up information and then selling it off to the highest bidder.

Phishing attacks remain one of the most prevalent ways attackers steal these details. Teaching user to be vigilant while at work and home (which, for many, is the same place today) is a necessary step using new school Security Awareness Training. Those that undergo training are mindful of the potential harm an email or website can cause and are constantly watching for anything that appears to be abnormal, suspicious, or downright malicious in nature – avoiding the attack and keeping their details secure.

READ MORE