Sloppy but Dangerous: Fake Ransomware

Conventional ransomware encrypts the victims’ files and holds them hostage, unavailable to their owners, promising to provide a decryptor once the victims pay the ransom. In some cases being tracked by security firm Cyble, however, they offer nothing in return. The files are in fact deleted.

One such group working with “fake ransomware” is trolling for victims on malicious adult websites (more malicious than the usual run). The phishbait that lures the victims to bite is a specially crafted website (with URLs like “nude-girlss [dot] mywire [dot] org,” “sexyphotos [dot] kozow [dot] com,” and “sexy-photo [dot] online”). The phish hook is an executable named “SexyPhotos [dot] JPG [dot] exe.” The unknown criminals behind the phishing campaign are, of course, hoping that the marks won’t read past “SexyPhotos,” or, failing that, certainly not past “JPG,” which their ardent eyes will inevitably tell their ardent brain translates to “no, really, saucy pix here.” And in any case the victims’ systems may hide file extensions by default, so the victims may not even see “[dot] exe” in the first place.

Cyble explained in their research report:

“Fake ransomware acts as a usual ransomware but does not encrypt the files. The Fake ransomware shows false information that the files are encrypted and threatens the user to pay ransom for decryption. There is a possibility that victims can pay ransom to recover the files as they are renamed and unusable. We are not sure about the authenticity of the decryptor if the ransom is paid. Even if the decryptor is provided, renaming files to their original file name is not possible as the malware is not storing them anywhere during the infection.”

The hoods are demanding $300 in Bitcoin, with the ransom doubling to $600 if the initial demand isn’t met in three days. The victims have seven more days to pay the $600, at which point, the extortionists say, they’ll permanently delete the files. In truth the files are already effectively gone, and it seems unlikely to researchers that the criminals actually have a decryptor. They’re sloppy. In this case, however, Cyble thinks the sloppiness might work to the victims’ advantage. BleepingComputer says, “A possible way to recover from this malware would be to restore your OS to a previous state since the fake ransomware doesn’t delete shadow copies. Of course, this could still result in data loss, depending on the date of the last restore point.”

One lesson to take away from this is to follow a practice of regularly backing up important files. “In general, regular backups of your most important data would be the best practice, as an OS re-installation should be the quickest way out of this trouble,” BleepingComputer writes.

Other lessons include the obvious one of staying away from adult sites, but, like much obvious advice, this counsel is all too likely to be overlooked. New-school security awareness training might help by sensitizing users to the dangers of executables and, of course, to the risks inherent in downloading untrusted files from untrustworthy sites.


BazarCall Expands Callback Phishing Campaigns to Include More Support Sites and Malicious Tactics

The king of callback phishing campaigns has evolved their methods to include better phishing emails, phone call scams, and final payloads to ensure they achieve their malicious goals.

The BazarCall phishing technique – named after the most common payload used in the scam, BazarLoader, as well as the use of phone calls as the medium to trick victims into downloading – has been around for a few months. Seen initially used to deliver Conti ransomware, this methodology has been used by other cybercriminal groups.

According to a new report from security researchers at Trellix, more BazarCall scams are showing up in the wild. In each case, an invoice or notification of a processed payment is sent – used to grab the attention of the victim and create a sense of urgency to respond. As you can see below, the scammers go to some relatively decent lengths to ensure their phishing emails look legitimate.

[Image: evolution of BazarCall social engineering tactics. Source: Trellix]

Note that, as part of the campaign, the emails offer no email address to respond to. Instead, a phone number is prominently displayed at the bottom of each email, giving the victim only one option to attempt to “address” the undesired expense.

The scammer on the other end of the call uses one of a few patterned call scripts to convince the victim they need to allow the scammer to take over the victim’s computer using support software. Legitimate-looking websites are used to further establish legitimacy:

[Image: legitimate-looking support websites used in the BazarCall campaign]


New COVID-19 Phishing Wave Misuses Google Forms to Steal Victim Information

This new credential harvesting scam impersonates a real U.S. Government COVID-related grant program to harvest credentials and personal details using a blatantly obvious Google form.

By now, you’d think that everyone checks the web browser address bar to see if that unexpected news that they can get free (yes, FREE!) money from the government is legitimate (spoiler alert: it’s not). Security researchers at email security vendor Inky have spotted a new wave of phishing attacks using familiar tactics from the middle of the pandemic.

Under the guise of a small business grant, this scam includes a not-so-legitimate phishing email to start:

[Image: phishing email impersonating an SBA COVID grant notice. Source: Inky]

And then a clean, but not obfuscated, Google Form:

[Image: first page of the Google Form used to harvest details. Source: Inky]

To their credit, the threat actors behind this attack did do a cut and paste of a legitimate COVID-19 grant message. Once the form is completed, the victim is simply notified by Google Forms that their “response has been recorded”.

Small businesses are already stretched thin, making it difficult to overcome the aftermath of cyber attacks, fraud, and business email compromise. This means it’s that much more critical for small-business users to be on guard – particularly in cases where an unsolicited email brings with it “too good to be true” news of free money from the U.S. Government.

Users can be taught what to look out for through continual Security Awareness Training that elevates their sense of vigilance and their understanding of how these scams work, look, and act.


New Phishing Campaign Uses Office Docs to Install Cobalt Strike Beacon

Under the guise of determining applicant eligibility for a U.S. federal government job, this latest phishing attack plants the seed for a future attack on the victim organization.

We’ve covered plenty of cyberattacks here that leverage a leaked version of Cobalt Strike Beacon to execute PowerShell scripts, log keystrokes, take screenshots, download files, and spawn other payloads. But normally, the use of Cobalt Strike Beacon has been covered in conjunction with a completed (and successful) attack on an organization.

But security researchers at Cisco Talos have identified an attack where the goal is simply to deliver Cobalt Strike Beacon – likely to be used by another threat actor who has purchased the access on the Dark Web. Targeting U.S. and New Zealand victims, the campaigns pose as government agencies or trade unions offering the victim assistance in obtaining a job.

In one variant of the attack, the malicious Word documents pull a first stage VB dropper from bitbucket[.]com which decodes part of its contents to a second VB dropper, which – in turn – decodes its contents to PowerShell script (this happens twice, similar to the VB droppers), when – finally – the Cobalt Strike Beacon is downloaded from bitbucket.

[Image: multi-stage VB and PowerShell dropper chain delivering Cobalt Strike Beacon. Source: Cisco Talos]

The obfuscation and evasion techniques used – repeatedly encoding content and switching between two different scripting languages – demonstrate the lengths attackers will go to in order to avoid detection. And the Beacon payload makes this attack even more dangerous, as the victim organizations are now susceptible to further attack.

The inflection point in this attack lies with the victim user, who is most definitely not thinking about whether the assistance email (and its Word doc attachment) is malicious in nature or not. But with proper Security Awareness Training, users can be taught to see documents that “require” macros to be turned on for what they really are: the beginnings of a cyber attack.


Cyberattacks are the biggest risk to the UK financial system – Bank of England research

Cyberattacks are the biggest risk to the UK financial system, according to new research from the Bank of England.

However, financial institutions remain confident in their ability to fend off attacks, and believe they are more likely to suffer from the impact of rising inflation.

The Bank’s H2 systemic risk survey polled 65 executives in the UK financial sector, and shows that 74% of respondents deemed a cyberattack to be the highest risk to the financial sector in both the short and long term, followed closely by inflation or a geo-political incident.

The number of respondents who believe their company is at high risk of attack grew rapidly this year, from 31% in the first half of the year to 62% in the second. Those considering the threat to be low have decreased by 20%, to just 3%. What’s more, 83% believe that cyber risk in the financial sector has increased in the past year.


79 Million Malicious Domains Flagged in the First Half of 2022

Security researchers at Akamai have identified an average of 13 million newly observed domains (NODs) each month this year, representing about 20% of the NODs resolved in the same timeframe.

In a recent blog post, researchers at Akamai discuss how they go about identifying malicious domains. Considering that one of the techniques used by cybercriminals to avoid detection is to continually change domains, watching NODs makes sense.

According to Akamai, NODs (both malicious and legitimate) are abundant: approximately 12 million new NODs appear daily, of which just over 2 million resolve in DNS.

And we’re not talking about legible domain names; according to Akamai, the domains are more like the following:

[Image: Domain Name Examples. Source: Akamai]

In short, cybercriminals are utilizing about 20% of the NODs as part of their phishing and social engineering attacks, utilizing this continually updated set of domain names in an attempt to avoid detection as being malicious.

While the good guys – like the folks at Akamai – are working to stay vigilant, remember that all the efforts are reactive in nature; that is, the good guys can’t in theory get ahead of the bad guys, as no one knows what the bad guy’s next move is. So, in the world of NODs, the intent is to create heuristics rules (190 of them, according to Akamai) to help identify a NOD that’s malicious.

But it’s still possible that some NODs will make it through scrutiny and facilitate a phishing attack. This is one of the reasons that even with really strong security technologies in place, it’s necessary to arm your users with Security Awareness Training so they become part of your defense, spotting really ridiculous domain names – like the ones above – and seeing the emails for what they really are: an attack.
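The passage above describes heuristic rules that flag a newly observed domain as machine-generated rather than legible. As an added illustration (not Akamai’s code or any of its 190 rules), the following Python scorer applies a few such heuristics to a constructed sample of NOD names; the domains, thresholds and rule weights are assumptions for the example.

```python
import math
import re
from collections import Counter

# Constructed sample of newly observed domains (NODs): readable names beside
# machine-generated-looking ones. Invented for this example, not Akamai data.
SAMPLE_NODS = [
    "bakery-on-main.example",
    "xk7qzt9p2vwb.example",
    "support-login-verify-account-update.example",
    "qwrtzxplmnvb.example",
    "a1b2c3d4e5f6g7h8.example",
    "citylibrary.example",
]

VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")  # y counts as a consonant

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def normalized_entropy(s):
    """Entropy divided by its maximum for this length; 1.0 means every
    character is distinct, as in a randomly generated label."""
    if len(s) < 2:
        return 0.0
    return shannon_entropy(s) / math.log2(len(s))

def longest_consonant_run(letters):
    """Length of the longest run of consecutive consonant letters."""
    return max((len(r) for r in CONSONANT_RUN.findall(letters)), default=0)

def score_domain(domain):
    """Return (score, reasons) for the left-most label of a domain.

    Each heuristic that fires adds to the score; the caller picks the
    threshold. The rules are illustrative, not Akamai's rule set.
    """
    label = domain.lower().split(".")[0]
    letters = re.sub(r"[^a-z]", "", label)
    score, reasons = 0, []
    if len(label) >= 10 and normalized_entropy(label) >= 0.95:
        score += 2
        reasons.append("near-uniform character mix")
    if letters and sum(ch in VOWELS for ch in letters) / len(letters) < 0.2:
        score += 2
        reasons.append("very few vowels")
    if longest_consonant_run(letters) >= 5:
        score += 1
        reasons.append("long consonant run")
    digits = sum(ch.isdigit() for ch in label)
    if digits >= 4 and digits / len(label) > 0.3:
        score += 1
        reasons.append("digit-heavy label")
    if label.count("-") >= 3:
        score += 1
        reasons.append("many hyphenated tokens")
    return score, reasons

def triage(domains, threshold=2):
    """Domains whose score reaches the threshold, queued for analyst review."""
    return [d for d in domains if score_domain(d)[0] >= threshold]

if __name__ == "__main__":
    print("flagged:", triage(SAMPLE_NODS))
```

Note that the hyphen-heavy “support-login-verify-account-update” name scores low here: readable-but-deceptive names need different rules (brand and keyword matching) than random-looking ones, which is why a real NOD pipeline layers many heuristics.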


Small Business Grants as Phishbait

INKY has published a report on the use of small business grants as phishing lures. Scammers are impersonating the US Small Business Administration (SBA) to distribute phony grant applications hosted on Google Forms.

“Unbeknownst to many, the SBA recently stopped accepting applications to their COVID-19 relief loan and grant programs,” INKY says. “Still, [the phishing email] includes an enticing offer for any unknowing small business owner: Simply fill out the form and find out if you’re qualified to receive the funds. Clicking on ‘Apply Now’ takes recipients to a survey on Google Forms…. Any small business owner who had previously applied for legitimate loans and grants could be easily fooled by the form itself. The top of the form appears to be a cut-and-paste of a genuine COVID-19 grant message and the questions which follow are very similar to those the SBA asks applicants in legitimate circumstances.”

The Google Form asks the user to submit their personal and financial information, including their social security number, driver’s license details, and bank account information.

The researchers note that there are several red flags that could have alerted observant users, including typos and grammatical errors in the phishing email.

“There is something else that a more discerning eye might have noticed,” the researchers write. “Because this cybercriminal used a legitimate Google Forms survey to harvest credentials there is a line populated just under the ‘Submit’ button that says, ‘Never submit passwords through Google Forms.’ It’s not a good lesson to learn the hard way. Ironically, if you look a little further, beneath the ‘Submit’ button you’ll also see Google’s ‘Report Abuse’ button. It’s not an option you see too often in phishing scams, and could easily be ignored by anxious small business owners who fall for this threat.”


A New Phishing-as-a-Service Kit

Researchers at Mandiant have published an analysis of a phishing-as-a-service kit called “Caffeine,” which further lowers the bar for inexperienced cybercriminals by offering a publicly available, easy-to-use phishing service.

“Unlike most PhaaS platforms Mandiant encounters, Caffeine is somewhat unique in that it features an entirely open registration process, allowing just about anyone with an email to register for their services instead of working directly through narrow communication channels (such as underground forums or encrypted messaging services) or requiring an endorsement or referral through an existing user,” the researchers write. “Additionally, to seemingly maximize support for a variety of clientele, Caffeine also provides phishing email templates earmarked for use against Chinese and Russian targets; a generally uncommon and noteworthy feature of the platform.”

The phishing kit also offers a customer support service for inexperienced users, along with a simple user interface.

“Once registered, a new Caffeine user is then directed to the service’s main index page to begin their phishing voyages,” the researchers write. “It is worth noting that over the course of its investigation into the Caffeine platform, Managed Defense observed Caffeine’s administrators announce several key platform improvements via the Caffeine news feed, including feature updates and expansions of their accepted cryptocurrencies.”

The phishing kit also facilitates finding hosting services for phishing campaigns.

“For most traditional phishing campaigns, phishermen generally employ two main mechanisms to host their malicious content,” Mandiant says. “They will typically leverage purpose-built web infrastructure set up for the sole purpose of facilitating their phishing voyages, use legitimate third-party sites and infrastructure compromised by attackers to host their content, or some combination of both.”


IRS Warns of A Spike in Smishing Attacks

The US Internal Revenue Service (IRS) has issued an alert warning of a significant rise in text message phishing scams (smishing) impersonating the IRS since the beginning of the year.

“So far in 2022, the IRS has identified and reported thousands of fraudulent domains tied to multiple MMS/SMS/text scams (known as smishing) targeting taxpayers,” the alert says. “In recent months, and especially in the last few weeks, IRS-themed smishing has increased exponentially. Smishing campaigns target mobile phone users, and the scam messages often look like they’re coming from the IRS, offering lures like fake COVID relief, tax credits or help setting up an IRS online account. Recipients of these IRS-related scams can report them to phishing@irs.gov.”

IRS Commissioner Chuck Rettig said in a statement, “This is phishing on an industrial scale so thousands of people can be at risk of receiving these scam messages. In recent months, the IRS has reported multiple large-scale smishing campaigns that have delivered thousands – and even hundreds of thousands – of IRS-themed messages in hours or a few days, far exceeding previous levels of activity.”

The alert adds that the IRS will not send messages asking for personal or financial details, and users should be suspicious of any emails, phone calls, or text messages that ask for this information.

“In the latest activity, the scam texts often ask taxpayers to click a link where phishing websites will try to collect their information or potentially send malicious code onto their phones,” the alert says. “The IRS does not send emails or text messages asking for personal or financial information or account numbers. These messages should all be red flags for taxpayers.”



[Head Scratcher] The cyber insurance market is badly broken. But why exactly?

Greg Noone at the Techmonitor site covered this problem in early October 2022, starting with a horror story.

A company had taken cyber coverage for the past year with no claims, but during a routine scan a software vulnerability was discovered. They did not fix it in time. A new policy was proposed that would not cover ransomware. They signed it. Guess what happened a week after? Right. Here is a short extract and further below a link to the site.

“I would be disingenuous if I told you that ransomware wasn’t a key factor in some of the headwinds that we’ve seen in the market with regards to pricing,” explains Bob Parisi, head of cyber solutions in North America for German reinsurance company Munich Re.

The first half of this year saw one cybersecurity vendor block 63 billion threats, a year-on-year rise of 50%, while cyber insurance costs shot up by 102% in the first quarter. Terms and conditions for coverage have also been tightened. Lloyds of London, for example, went as far as to eliminate coverage for breaches that arose directly from state-sponsored attacks, a sizeable portion of the overall damages accrued from ransomware. Its reasoning, according to the firm’s underwriting director Tony Chaudhry, was that policies shouldn’t “expose the market to systemic risks that syndicates could struggle to manage”.

Cyber insurance does not have a long history. The market itself, explains Mario Vitale, chief executive of cyber insurance provider Resilience, has only been around for about 15 years. “I have to say we are still within the infancy stage,” he says, a term that’s also relevant when describing the segment’s size.

“I think the insurers are still figuring out, ‘How confident are we in our ability to estimate and predict this risk?’” says Josephine Wolff, a professor in cybersecurity policy at Tufts University and an expert in the cyber insurance market. Over time, adds the professor, this has led to a “less stable market… and also just a lot of uncertainty in which people aren’t confident about what their cyber insurance will cover.”

Ongoing volatility is making reinsurers nervous

Ongoing volatility in the cyber insurance market has also made reinsurers nervous about increasing their exposure to the space. These behemoths, explains Vitale, help to keep many of the frontline providers afloat. In recent years, however, they “have cut back on their coverage terms and conditions, just like these [cyber] insurers have done to their clients”, he says. Resilience’s answer to this problem, explains Vitale, has been to double down on closely liaising with clients to minimise their vulnerability to breaches as far as is humanly possible.

The process of drawing up cyber insurance policies is rigorous. It begins with an assessment of how well-equipped the client is to deal with a cybersecurity threat from a governance standpoint, explains Parisi. After that, he continues, providers typically drill down into the mundanities of cyber defence: whether multi-factor authentication is in place on corporate devices, how data is uploaded to the cloud, and the extent of security awareness training among staff. This is the link to the full article. Warmly recommended.

As Cyber Insurance Dries Up, Treasury Department Eyes a Backstop

Bloomberg Law covered the same topic from another interesting angle: “A US Treasury Department request for public input on a potential federal cyber insurance program highlights a coverage gap for US companies as insurers reduce offerings.

The regulator is seeking public comment until Nov. 14 on whether the government needs to shore up the insurance industry to pay for severe cyberattacks, especially those involving critical infrastructure such as power grids, train lines, hospitals, and utility companies.

Cyberattacks are happening so frequently that underwriting standards sometimes can’t match the fast development and sophistication of the hacks. Insurers are raising rates to levels that make it hard for businesses to find affordable coverage. A federal insurance backstop could close the gap as insurers cut coverage to limit their exposure.

The Treasury Department’s Federal Insurance Office is seeking comment on a list of questions, including what kinds of cyberattacks are “catastrophic,” whether businesses are getting enough coverage, and how to encourage policyholders to strengthen cybersecurity practices.

Cyber insurers have seen losses jump 300% from 2018 to 2021, according to Fitch Ratings. Insurers, including Lloyd’s of London, Chubb Ltd., and Beazley PLC are racing to cut coverage for catastrophic cyberattacks that can paralyze multiple industries at once.

Federal financial support for certain cyber risks would also give insurers relief and security to make cyber insurance more widely available, said Andy Moss, a partner at Reed Smith LLP. “A cyber insurer can write policies with comfort knowing it can transfer some risk to the government, so it can offer bigger policy limits for businesses,” Moss said. Link to full Bloomberg article: https://news.bloomberglaw.com/privacy-and-data-security/as-cyber-insurance-dries-up-treasury-department-eyes-a-backstop?
