[HEADS UP] FBI Warns of Tech Support Scams That Impersonate Payment Portals for Fake Refunds

In the latest FBI warning, cybercriminals are now impersonating financial institutions’ refund payment portals in order to harvest victims’ personal information under a veneer of legitimacy.

These bad actors use social engineering to trick victims into giving them access to their computers by impersonating representatives of technical repair services. The FBI’s public service announcement gives the following details: “Within the body of the email, the scammers will indicate the specific service to be renewed with a price commonly in the range of $300 to $500 USD, provoking a sense of urgency in the victims to contact them and provide information for a refund.”

Although tech support scams are very common, the FBI noted that as recently as last month scammers were using scripts that present what looks like a refund payment portal but is actually a malicious site.

BleepingComputer found samples of these scripts pretending to be various financial institutions:

[Image: Chase fake online refund portal. Source: BleepingComputer]

The FBI is encouraging any potential victims to not grant remote access at all to any unknown person and to not send wire transfers at all through online or phone communications. Frequent new-school security awareness training is highly encouraged for your users to avoid these types of tech support scams in their day-to-day operations.

READ MORE

[EYES OUT] This Scary Strain of Sleeper Ransomware Is Really a Data Wiper in Disguise

This data wiper replaces every other 666 bytes of data with junk. TechRadar reported that a new data-wiping malware has been detected, infecting more and more endpoints with each passing day – but what’s most curious is that it poses as ransomware.

The malware is called Azov Ransomware, and when run on a victim’s device, it overwrites file data with junk, rendering the files useless. The overwrites are cyclical – the malware would overwrite 666 bytes of data, then leave the next 666 intact, then repeat the process.

Even though there is no way to retrieve the corrupted files, and there is no decryption key or ransom demand, the malware still comes with a ransom note, which tells victims to reach out to security researchers and journalists for help.

It’s a Sleeper Program That Wakes up October 27th

Another curious thing about Azov Ransomware is that it comes with a trigger, having it sit idly on the endpoint until October 27, 10:14:30 AM UTC, after which all hell breaks loose. When this date comes, the victim doesn’t necessarily need to run the exact executable – running pretty much any program will do. That’s because the wiper will infect all other 64-bit executables on the device whose file paths do not contain specific strings.
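The alternating overwrite pattern described above (666 bytes of junk, 666 bytes left intact, repeated) is something a responder can check for when triaging files from an affected machine. The following is an added example, not code from the TechRadar article or from any vendor tool. It assumes the overwritten “junk” is high-entropy random data (the article does not say what the junk looks like, so that is an assumption) and compares the Shannon entropy of successive 666-byte chunks. Files that are uniformly high-entropy, such as encrypted or compressed data, show no alternation and are reported as not matching, so treat a “no match” as inconclusive rather than clean.

```python
"""Triage heuristic for the alternating 666-byte overwrite pattern.

Added example, not from the TechRadar article or any vendor tool.
Assumption: the overwritten "junk" is high-entropy random data, so
damaged chunks read near 8 bits/byte while intact chunks of ordinary
text or structured files read well below that.
"""
import math
import random
import sys
from collections import Counter

CHUNK = 666  # overwrite/skip period reported for Azov


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def full_chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each complete chunk. A trailing partial chunk is ignored
    because a short chunk cannot reach high entropy even when it is random."""
    count = len(data) // chunk
    return [shannon_entropy(data[i * chunk:(i + 1) * chunk]) for i in range(count)]


def looks_azov_wiped(data: bytes, chunk: int = CHUNK, high: float = 7.0,
                     low: float = 6.0, min_chunks: int = 4) -> bool:
    """True when even-numbered chunks are all junk-like and odd-numbered chunks
    all intact-looking, or the reverse. Uniformly high-entropy files
    (encrypted, compressed) do not alternate and are therefore not flagged."""
    ents = full_chunk_entropies(data, chunk)
    if len(ents) < min_chunks:
        return False
    evens, odds = ents[0::2], ents[1::2]
    junk_then_intact = all(e >= high for e in evens) and all(o <= low for o in odds)
    intact_then_junk = all(e <= low for e in evens) and all(o >= high for o in odds)
    return junk_then_intact or intact_then_junk


def build_sample(wiped: bool, chunks: int = 6, seed: int = 1234) -> bytes:
    """Constructed sample file (not real victim data): repetitive text, with
    every other chunk replaced by seeded pseudo-random bytes when wiped=True."""
    rng = random.Random(seed)
    text = (b"Quarterly report: revenue figures and notes. " * 20)[:CHUNK]
    out = bytearray()
    for i in range(chunks):
        if wiped and i % 2 == 0:
            out += bytes(rng.getrandbits(8) for _ in range(CHUNK))
        else:
            out += text
    return bytes(out)


if __name__ == "__main__":
    # Usage: python azov_triage.py <file> [<file> ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            verdict = "pattern matches" if looks_azov_wiped(fh.read()) else "no match"
            print(f"{path}: {verdict}")
```

The thresholds (7.0 bits/byte for junk, 6.0 for intact) are deliberately far apart so that ordinary documents, source code and most binaries land on the intact side; tune them against known-good samples from the same environment before relying on the verdict.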

SOURCE: TechRadar

READ MORE

New Business Email Compromise Gang Impersonates Lawyers

A criminal gang is launching business email compromise (BEC) attacks by posing as “real attorneys, law firms, and debt recovery services.” The attackers send legitimate-looking invoices tailored to the targeted organization, asking for a payment of tens of thousands of dollars.

“These sophisticated invoices also list a bill number, account reference number, bank account details, and the company’s actual VAT ID. Some invoices even include a ‘notification of rights’ and information about who to contact with questions or concerns. Based on the complexity and detailed nature of the invoices we’ve observed, it’s possible that Crimson Kingsnake is using altered versions of legitimate invoices used by the impersonated firms.”

If the employee refuses to authorize the transaction, the attackers will sometimes pose as an executive at the organization and send the employee an email granting permission to make the payment.

“When the group meets resistance from a targeted employee, Crimson Kingsnake occasionally adapts their tactics to impersonate a second persona: an executive at the targeted company,” the researchers write. “When a Crimson Kingsnake actor is questioned about the purpose of an invoice payment, we’ve observed instances where the attacker sends a new email with a display name mimicking a company executive. In this email, the actor clarifies the purpose of the invoice, often referencing something that supposedly happened several months before, and ‘authorizes’ the employee to proceed with the payment.”

The researchers note that a user could recognize these emails as fake if they know to look at the sender’s actual email address, but the attackers include the executive’s real email address in the display name.

Abnormal Security concludes that organizations should implement modern email security solutions, as well as provide training for employees to recognize these attacks.

“If these attacks do end up in an inbox, ensuring that there are robust procedures in place for outgoing payments is extremely important,” the researchers write. “Organizations should have a process for validating that money is getting sent to the correct recipient, particularly for these high-dollar invoices. And security awareness training is imperative, as employees should know to carefully consider sender addresses, especially when an email asks them to share sensitive information or send a payment.”

New-school security awareness training can give your organization an essential layer of security by teaching your employees how to thwart social engineering attacks.

READ MORE

CISA Warns of Daxin Team Ransomware Group Targeting the Healthcare and Public Health Sector via VPNs

This new group makes the case that – as with any market – cybercriminals will focus on a niche sector they are experts in, in order to improve their chances of success.

Haven’t heard of Daxin Team? That’s probably because they’re doing what most new businesses do in a saturated market: focus on a subset of that market. In Daxin Team’s case, it’s a two-pronged definition, according to a recent alert from the Cybersecurity & Infrastructure Security Agency:

  • They are targeting the Healthcare and Public Health (HPH) Sector
  • They are focused on gaining initial access to victims through unpatched vulnerabilities in virtual private network (VPN) servers

The targeting of the HPH sector isn’t the interesting part; the initial access is. Historically, RDP compromise and phishing-based attacks have been trading first place as the most-used initial attack vector since 2018, according to ransomware response vendor Coveware. What’s fascinating is that the Coveware data shows a steady increase in the use of software vulnerabilities, which includes vulnerabilities on VPN servers. The Daxin Team gang is a good practical example of that, and of why organizations need to ensure every system that is externally accessible in any way is kept completely up to date.

But with phishing still the dominant leader in initial attack vectors, it’s equally necessary to make certain users aren’t engaging with potentially malicious content in email and on the web – something taught using continual Security Awareness Training.

READ MORE

[Scam of The Week] New Phishing Email Exploits Twitter’s Plan to Charge for Blue Checkmark

Michael Kan at PCMag had the scoop: A hacker is already circulating one phishing email, warning users they’ll need to submit some personal information to keep the blue verified checkmark for free.

He wrote: “One hacker is already exploiting Twitter’s reported plan to charge users for the verified blue checkmark by using it as a lure in phishing emails.

On Monday, journalists at TechCrunch and NBC News received phishing emails that pretended to come from Twitter, and claimed they had to submit some personal information in order to keep the blue checkmarks on their Twitter accounts.

“Don’t lose your free Verified Status,” the phishing email says. Twitter itself has yet to officially announce any changes about the blue checkmark. Nevertheless, the phishing email tries to exploit the news by claiming that some verified users, particularly celebrities, will need to pay $19.99 per month after Nov. 2 to keep the status.

The email then tries to create a sense of urgency. “You need to give a short confirmation so that you are not affected by this situation,” it says. “To receive the verification badge for free and permanently, please confirm that you are a well-known person. If you don’t provide verification, you will pay $19.99 every month like other users to get the verification badge.”

The email provides a button labeled “Provide Information.” However, a closer look at the message reveals it was sent from the email address Twittercontactcenter@gmail, instead of an official Twitter domain—a clear red flag the message is a fake.”
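Both of the sender tricks in this newsletter, the Crimson Kingsnake habit of placing an executive’s real address inside the display name (in the BEC item above) and this phish’s use of a brand name on a mailbox that is not at the brand’s domain, can be caught by looking at the From: header rather than the name the mail client shows. The following is an added example, not code from Abnormal Security, PCMag or any mail product. The BRAND_DOMAINS table and every sample header are constructed for illustration; a real gateway would use a maintained brand list.

```python
"""Sender-impersonation checks on a From: header.

Added example; not from Abnormal Security, PCMag or any mail product.
Check 1: an email address inside the display name that differs from the
         real sender (the "executive's address in the display name" trick).
Check 2: a brand invoked in the name or mailbox while the sending domain
         is not one the brand actually uses.
BRAND_DOMAINS and SAMPLE_HEADERS are constructed, not real data.
"""
import re
from email.utils import parseaddr
from typing import Dict, List, Set

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Brand name -> domains the brand genuinely sends from (constructed, illustrative).
BRAND_DOMAINS: Dict[str, Set[str]] = {
    "twitter": {"twitter.com"},
}


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_from_header(from_header: str) -> List[str]:
    """Return the reasons this From: header looks like impersonation (empty if none)."""
    display, addr = parseaddr(from_header)
    sender_domain = domain_of(addr)
    findings: List[str] = []

    # Check 1: any address shown in the display name must be the real sender.
    for shown in EMAIL_RE.findall(display):
        if shown.lower() != addr.lower():
            findings.append(f"display name shows {shown} but the real sender is {addr}")

    # Check 2: a brand name in the display name or mailbox must come from the brand's domain.
    for brand, domains in BRAND_DOMAINS.items():
        if (brand in display.lower() or brand in addr.lower()) and sender_domain not in domains:
            findings.append(f"sender invokes {brand} but the sending domain is {sender_domain or '(none)'}")

    return findings


# Constructed sample headers (not real messages).
SAMPLE_HEADERS = [
    '"Jane Doe <jane.doe@corp.example>" <finance.desk@webmail.example>',  # executive address in display name
    "Jane Doe <jane.doe@corp.example>",                                     # genuine internal sender
    "Twitter <twittercontactcenter@webmail.example>",                       # brand name, non-brand domain
    "Twitter <no-reply@twitter.com>",                                       # brand from its own domain
]

if __name__ == "__main__":
    for hdr in SAMPLE_HEADERS:
        print(hdr, "->", check_from_header(hdr) or ["ok"])
```

The first sample is the case the researchers describe: a mail client that renders only the display name shows “Jane Doe <jane.doe@corp.example>” and hides the webmail address that actually sent the message. Parsing the header with `parseaddr` separates the two so the mismatch is visible to a rule rather than to a careful eye.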

READ MORE

Australia’s Cybersecurity Workforce Shortage Results in an Influx of Attacks

Australia has now become the newest target for attacks, in part due to an overworked cybersecurity workforce that is not able to stop these bad actors.

Last week a ransomware attack hit Australia’s defence communications platform for military personnel – and the starting point was human error. Since September alone, half of Australia’s population has suffered a data breach, through the Optus attack and the Medibank hack.

And unfortunately, there is no quick fix for these weak points, in part because border closures under COVID-19 guidelines are still in place on the continent. Sanjay Jha, chief scientist at the University of New South Wales institute for cybersecurity, said in a statement that “they don’t have enough trained people to take it seriously and do what is needed,” adding, “Sometimes you’re ticking a box in an Excel spreadsheet and you don’t understand what you’re doing, and then the outcome is not going to be great. You need people who are really skilled and trained properly.”

We highly suggest you look into new-school security awareness training, especially now. With cybersecurity insurance premiums increasing and overall attacks increasing, now is the time to implement end-user education for your users before it’s too late.

Reuters has the full story.

READ MORE

Stolen Devices and Phishing

Researchers at Cyren describe a phishing attack that resulted from the theft of an iPad. The iPad was stolen on a train in Switzerland, and briefly appeared on Apple’s location services in Paris a few days later. The owner assumed the iPad was lost for good, but sent a message to the iPad with her phone number just in case.

More than six months later, the owner received a text message purporting to be from Apple Support and claiming that her iPad had been found. The message included a link to a spoofed iCloud website that asked for her Apple login details. Fortunately, she didn’t fall victim to this attack.

Cyren’s researchers then tied this attack to a sophisticated phishing kit designed to spoof multiple Apple services. The attacker receives the stolen data via a custom-made Telegram bot.

“A Telegram bot is useful for this purpose since it allows for easy broadcast via the cloud – in technical terms, an HTTP API,” the researchers write. “It’s surprisingly easy to set up a Telegram bot for this purpose; the process can be done in about one minute. [A]fter creating a bot, you receive an authentication token. The authentication token allows you to control the bot and send messages. The reason that the attackers are using it is because Telegram has an HTTP-based interface which allows bot owners to send messages just using an HTTP request that includes the token of the bot, a chat id, and the message. This is all completely free of charge and the bot owner doesn’t need their own separate server to handle the communication. It is also user friendly for the attacker as he conveniently receives the victim info in a Telegram chat.”

After stealing the credentials and logging into the victim’s account, the phishing kit will automatically remove the linked iCloud account from the device. This allows the attacker to “reset the stolen devices and set them up as new devices so they can be sold.”
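The Bot API call the researchers describe has a fixed URL shape, `api.telegram.org/bot<id>:<token>/<method>`, and that shape is what a defender can hunt for. In this story the call is made by the attacker’s own phishing server, which a victim organization’s proxy never sees; the same URL shape does show up in egress logs when malware on a compromised host inside a network reports stolen data to a bot, so the check below is written against web-proxy logs. It is an added example, not code from Cyren’s report or any product; the log lines are constructed with made-up tokens, and the “client method url status” log format is an assumption about the proxy.

```python
"""Hunt for Telegram Bot API calls in egress/proxy logs.

Added example; not from Cyren's report or any product. SAMPLE_PROXY_LOG
is constructed (made-up tokens and addresses), and its
"client method url status" layout is an assumption about the proxy.
"""
import re
from typing import Dict, List, Set

# Bot API calls carry the bot token in the path: /bot<numeric id>:<secret>/<method>
TG_BOT_CALL = re.compile(
    r"api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)"
)

SAMPLE_PROXY_LOG = """\
10.20.30.5 GET https://www.example.com/index.html 200
10.20.30.9 POST https://api.telegram.org/bot123456789:AAFakeSecretTokenValue_for-example/sendMessage 200
10.20.30.5 GET https://cdn.example.net/app.js 200
10.20.30.9 GET https://api.telegram.org/bot123456789:AAFakeSecretTokenValue_for-example/getUpdates 200
10.20.30.12 POST https://api.telegram.org/bot987654321:AnotherFake_token-value/sendMessage 403
"""


def find_bot_api_calls(log_text: str, allowed_clients: Set[str] = frozenset()) -> List[Dict[str, str]]:
    """One finding per proxy line that calls the Bot API from a client not on the allow list."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or truncated line
        client, http_method, url, status = parts[:4]
        match = TG_BOT_CALL.search(url)
        if not match or client in allowed_clients:
            continue
        findings.append({
            "client": client,
            "bot_id": match.group("bot_id"),
            # Keep only a prefix: the full token is a live credential and should
            # not be copied into tickets or chat.
            "token_prefix": match.group("secret")[:4] + "...",
            "api_method": match.group("method"),
            "http_method": http_method,
            "http_status": status,
        })
    return findings


def clients_by_bot(findings: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Group source hosts by bot id, so several hosts reporting to one bot stand out."""
    grouped: Dict[str, Set[str]] = {}
    for f in findings:
        grouped.setdefault(f["bot_id"], set()).add(f["client"])
    return grouped


if __name__ == "__main__":
    hits = find_bot_api_calls(SAMPLE_PROXY_LOG)
    for h in hits:
        print(h)
    print(clients_by_bot(hits))
```

A `sendMessage` call from a workstation is the interesting event; `getUpdates` from the same host shows the bot is also being polled for commands. Blocked calls (status 403 above) still deserve a look, since the host tried.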

READ MORE

Don’t Let High-Tech Distract You from Low-Tech

Deepfakes, the realistic and thoroughly convincing fabrication of imagery, video, and audio that fakes the identity of some person in ways that are difficult to detect, have aroused concern recently. They seem to open the prospect of extraordinarily effective disinformation and social engineering campaigns. Deepfakes have already found their way into advertising campaigns.

The Wall Street Journal reports that some campaigns have begun to feature celebrities, or rather their deepfaked personae. “None of these celebrities ever spent a moment filming these campaigns. In the cases of Messrs. Musk, Cruise and DiCaprio, they never even agreed to endorse the companies in question.”

The potential for deepfake abuse in advertising is accompanied by a comparable potential for disinformation. The Wall Street Journal quotes Ari Lightman, professor of digital media and marketing at Carnegie Mellon University’s Heinz College of Information Systems and Public Policy, who says, “We’re having a hard enough time with fake information. Now we have deepfakes, which look ever more convincing.”

So far, however, the feared, industrial-scale use of deepfakes in social engineering scams has yet to fully materialize. The Register reports that the familiar tools of the con artist are still by far the norm.

“Panic over the risk of deepfake scams is completely overblown, according to a senior security adviser for UK-based infosec company Sophos.

“‘The thing with deepfakes is that we aren’t seeing a lot of it,’ Sophos researcher John Shier told El Reg last week.

“Shier said current deepfakes – AI generated videos that mimic humans – aren’t the most efficient tool for scammers to utilize because simpler and cheaper attacks like phishing and other forms of social engineering work very well.

“‘People will give up info if you just ask nicely,’ said Shier.”

Deepfakes undeniably represent a concern, but don’t let them distract you from the obvious. As Sophos’s Shier explained, usually all it takes is for someone to ask nicely.

Criminals continue to use old, low-tech approaches to social engineering because those approaches still work. A human problem calls for a human solution. New-school security awareness training can help your employees avoid falling for social engineering, whether it’s high-tech or low-tech.

READ MORE

Major UK Outsourcer Hit With Multi-Million Dollar Fine Due to a Phishing Attack

Britain’s data watchdog has fined major construction group Interserve £4.4m after a cyber attack stole personal and financial details of over 113,000 employees and the company failed to stop the attack.

This case is unusual in that the phishing attack occurred over two years ago, and the company broke data protection law by not taking action to prevent the attack from occurring in the first place. The Information Commissioner’s Office (ICO) claimed that the company had outdated systems and a lack of end-user education, which resulted in a successful phishing attack.

In a statement by John Edwards, UK Information Commissioner, “Leaving the door open to cyber-attackers is never acceptable, especially when dealing with people’s most sensitive information. The biggest cyber-risk businesses face is not from hackers outside of their company but from complacency within their company.”

This incident should serve as a cautionary tale that one phishing email can cost your organization millions. New-school security awareness training can ensure your users have the proper training to spot and report any suspicious emails that come their way.

READ MORE

[Eye Opener] Work In IT? You Get Attacked Much More Than Other Employees

We received an interesting email from Elevate Security you need to be aware of. Their recent research showed: “Social engineering attacks are growing more sophisticated every day, victimizing your workforce users and triggering security breaches. The worst part? Social engineering attacks are on the rise. And your IT engineers and developers are being attacked more often than other organizational departments.”

July 2022, IT engineers were targeted 8x more often than non-engineers

They continued: “Since April 2022, social engineering attacks on IT engineers, on average, have increased 142% from 5.79 times per month to 8.25 times per month. In fact, in July 2022, IT engineers were targeted 8x more often than non-engineers.” They published an infographic that illustrates this increased risk.

Elevate Security notes that although engineers are not inherently riskier than other workforce users, this increased frequency of attacks raises their likelihood of unintentionally triggering a security breach, regardless of their behavior.

They invited us to check out their infographic, The Rise of Social Engineering Attacks: An Overview of the State of Cybercrime, to explore the state of cybercrime and social engineering attacks as they stand today, and they even mentioned Kevin Mitnick, our Chief Hacking Officer. Recommended.

READ MORE