FCC Warns of Post-Hurricane Scams

The US Federal Communications Commission (FCC) offers advice on how to avoid falling for scams that follow in the wake of natural disasters like Hurricane Ian. Scammers target victims of disasters as well as people trying to donate to charities.

“First, know that officials with government disaster assistance agencies do not call or text asking for financial account information, and that there is no fee required to apply for or get disaster assistance from FEMA or the Small Business Administration,” the FCC says. “Anyone claiming to be a federal official who asks for money is an imposter.”

The FCC adds that users should always be suspicious of phone calls that ask for information.

“Remember that phone scams often use spoofing techniques to deliberately falsify the information transmitted to your caller ID display to disguise their identity or make the call appear to be official,” the alert says. “If someone calls claiming to be a government official, hang up and call the number listed on that government agency’s official website. Never reveal any personal information unless you’ve confirmed you’re dealing with a legitimate official. Workers and agents who knock on doors of residences are required to carry official identification and show it upon request, and they may not ask for or accept money.”

Additionally, users should contact their insurance providers directly rather than relying on unsolicited phone calls, emails, or text messages.

“If you get a phone call about an insurance claim or policy, don’t give out any personal information or agree to any payment until you can independently verify that the call is legitimate,” the alert says. “If the caller says they’re from your insurance company, hang up and contact your agent or the company directly using the number on your account statement…. Contractors and home improvement companies may also call claiming to be partners with your insurance provider,” the FCC says. “Never give policy numbers, coverage details, or other personal information out to companies with whom you have not entered into a contract. If your state requires licensing, verify that any contractor you are considering is licensed and carries adequate insurance. Many states have online databases you can check.”


Cybercriminal Faces Prison Time Over Romance Scams and Business Email Compromise Attacks

A man from Atlanta, Georgia, has been convicted of running romance scams and business email compromise attacks that netted him over $9.5 million, the US Justice Department has announced.

“Elvis Eghosa Ogiekpolor has been sentenced to 25 years in federal prison for money laundering and conspiracy to commit money laundering after being convicted at trial,” the Justice Department said in a press release. “Ogiekpolor opened and directed others to open at least 50 fraudulent business bank accounts that received over $9.5 million dollars from various online frauds, including romance frauds and business email compromise scams (‘BECs’). He then laundered the fraud proceeds using other accounts, including dozens of accounts overseas.”

Thirteen victims of the romance scams, mostly women, testified in Ogiekpolor’s trial, though the Justice Department notes that there were many more victims of the fraud operation.

“The victims recounted how they met male strangers online and were soon convinced they were in a romantic relationship with the men, even though the victims were in communication with the individuals for months without meeting in person,” the Justice Department says. “Often these men claimed they wanted to start a life with the victims and were eager to live with them as soon as some kind of issue was resolved. For example, one romance fraud victim was convinced to wire $32,000 to one of the accounts Ogiekpolor controlled because her ‘boyfriend’ (one of the men online) claimed a part of his oil rig needed to be replaced but that his bank account was frozen.

This victim borrowed against her retirement and savings to provide the funds, which ultimately required her to refinance her home to pay back the loan. Another victim testified that she was convinced to send nearly $70,000 because the man she met on eHarmony claimed to need money to promptly make payment on several invoices due to a frozen bank account.”


German Police Collar Alleged Phishing Cybercriminals

The Bundeskriminalamt (BKA), Germany’s federal criminal police, raided three homes on Thursday, September 29th, in the course of an investigation of a cyber criminal operation the BKA says netted approximately €4,000,000 from its victims by using phishing tactics. Two suspects were arrested and charged; the disposition of the third individual will depend upon the results of further investigation.

A statement by the BKA (provided by BleepingComputer) explained the nature of the fraud, which depended upon unusually faithful and convincing spoofed communications that misrepresented themselves as being from the victims’ banks. The emails told the victims that changes to the bank’s security system would affect their accounts, and that they should follow a link to arrange continued access to their accounts. The link led to a convincing phishing page. “There, the phishing victims were asked to enter their login data and a current TAN [Transaktionsnummer, a number associated with a particular transaction], which in turn enabled the fraudsters to see all the data in the account of the respective victim – including the amount and availability of credit.” Further engagement with the victims induced them to give up additional TANs, which the criminals used to withdraw the victims’ funds.

The scam is interesting in other ways. For one thing, the criminals used distributed denial-of-service (DDoS) attacks against banking websites as misdirection for their imposture. The legitimate sites may have suffered from reduced availability, but the phishing sites, of course, remained accessible. Another interesting aspect of the case is the criminals’ alleged employment of “other cyber criminals who sell various forms of cyber attacks as ‘Crime-as-a-Service’” (the BKA uses the English phrase) “on the dark web.” Some details are being withheld pending further investigation.

The amount the BKA alleges the criminals stole is striking. €4,000,000 is the equivalent, at current exchange rates, to £3,520,000 or $3,920,000. This particular crime seems to have affected mostly individuals, but its scale and approach suggest that organizations could be vulnerable to similar scams. New-school security awareness training can help your employees cope with this and other forms of social engineering.


Response-Based Phishing Scams Targeting Corporate Inboxes Hit New Records

Setting a record for both the highest count and the largest share of volume relative to other types of phishing scams, response-based attacks are at their highest level since 2020 and are continuing to grow.

Despite a lot of focus on credential theft, cybercriminals are trending toward response-based scams – where the scam relies on the user responding through a communication channel chosen by the scammer. We’ve seen examples of these types of phishing attacks that have leveraged chatbots, WhatsApp, and even phone calls to establish credibility and take control of the conversation.

New data from Agari and PhishLabs, in their Quarterly Threat Trends & Intelligence report for August 2022, shows that response-based scams are on the rise, being responsible for 41% of threats targeting corporate inboxes. While still trailing behind credential theft attacks, response-based scams have experienced continual growth over the last two years.

According to the report, the response-based scams can be broken down into the following types:

  • Advance-Fee scams – 54%
  • Vishing – 25%
  • Business Email Compromise – 16%
  • Job Scams – 4.8%
  • Tech Support – 0.2%

Of these, vishing is up over 625% from Q1 of last year and has steadily increased over the course of the past year.

I think I should reemphasize that these scams are all focused on business users and, according to the report, may include malware such as Emotet, QBot, and Snake Keylogger – all payloads I’ve covered before here on our blog.

The growth in response-based scams means that threat actors are seeing continual success – which, in turn, means users are responding. To stop your users from responding, it’s important that you enroll them in continual security awareness training to teach them to spot these scams before they respond to them.


Social Engineering and Bogus Job Offers

Researchers at SentinelOne have warned that North Korea’s Lazarus Group is using phony Crypto.com job offers to distribute macOS malware. The researchers aren’t sure how the lures are being distributed, but they suspect the attackers are sending spear phishing messages on LinkedIn. SentinelOne notes that this campaign “appears to be extending the targets from users of crypto exchange platforms to their employees in what may be a combined effort to conduct both espionage and cryptocurrency theft.”

“Back in August,” SentinelOne’s report says, “researchers at ESET spotted an instance of Operation In(ter)ception using lures for job vacancies at cryptocurrency exchange platform Coinbase to infect macOS users with malware. In recent days, SentinelOne has seen a further variant in the same campaign using lures for open positions at rival exchange Crypto.com.”

The campaign seems to represent a kind of twofer for Pyongyang. On the one hand, it’s intended to enable cryptocurrency theft, and this is desirable as a way of redressing North Korea’s chronic shortage of funds, driven by decades of sanctions and isolation. On the other hand, it’s also useful for espionage. They’re interested in prospecting both users and employees of cryptocurrency exchanges. There’s continuity with earlier efforts that targeted cryptocurrency exchanges, notably 2018’s AppleJeus campaign.

We’ve seen this kind of thing before. Note in particular the abuse of generally trusted platforms like LinkedIn that cater to professionals and the advancement of their careers. New-school security awareness training can teach your employees to recognize phishing and other social engineering attacks. The world of cryptocurrency may not (quite) be the Wild West, but it’s not a safe corner of cyberspace, either.


Security Practices Are Improving, But Cybercriminals Are Keeping Up

A survey by GetApp has found that the number of organizations using phishing simulations has risen from 30% in 2019 to 70% in 2022. Despite this positive trend, however, attackers continue to increase both the sophistication and volume of their phishing emails, which has led to a significant rise in employees clicking on phishing links.

“Phishing schemes and their effectiveness have reached a critical point in 2022,” the researchers write. “For the first three years of our survey, the rate of companies reporting phishing emails had remained fairly steady. But in the last year, the percentage of companies reporting phishing has jumped from 77% to 89%. More concerning, the number of companies that report someone actually clicking a link in a phishing email leapt from 64% to 81% in only the last year. In the last three years, the percentage of employees clicking on phishing links has absolutely skyrocketed, from 43% to 81%. Combined, these numbers are even more alarming because they show a clear upward trend in both phishing volume and effectiveness over the last three years.”

Likewise, the number of organizations requiring multi-factor authentication has steadily increased over the past three years, but attackers are increasingly finding ways to bypass these measures.

“In 2019, our survey found that 64% of U.S. companies used 2FA for all (21%) or some (43%) business applications,” the researchers write. “In 2022, that number has increased to 91%. Perhaps more importantly, the percentage of companies that use 2FA for all business applications has more than doubled, from only 21% in 2019 to nearly half (45%) in 2022.”

GetApp says organizations need to continue implementing security best practices to keep up with the evolving threat landscape.

“The gap between companies reporting phishing emails and those reporting employees clicking on phishing emails has narrowed year over year, from a 30-point gap in 2019 to only eight points in 2022,” the researchers write. “In response, companies must prioritize email security and educate staff on the increasingly sophisticated social engineering strategies that threat actors use in phishing emails to manipulate employees into turning over network credentials or downloading malware.”


Social Engineering Targets Healthcare Payment Processors

The US Federal Bureau of Investigation (FBI) has issued an alert warning of an increase in phishing and other social engineering attacks against healthcare payment processors.

“In each of these reports, unknown cyber criminals used employees’ publicly-available Personally Identifiable Information (PII) and social engineering techniques to impersonate victims and obtain access to files, healthcare portals, payment information, and websites,” the Bureau says. “In one case, the attacker changed victims’ direct deposit information to a bank account controlled by the attacker, redirecting $3.1 million from victims’ payments.”

The FBI describes three successful social engineering attacks against these entities:

  • “In April 2022, a healthcare company with more than 175 medical providers discovered an unauthorized cyber criminal posing as an employee had changed Automated Clearing House (ACH) instructions of one of their payment processing vendors to direct payments to the cyber criminal rather than the intended providers. The cyber criminal successfully diverted approximately $840,000 dollars over two transactions prior to the discovery.”
  • “In February 2022, a cyber criminal obtained credentials from a major healthcare company and changed direct deposit banking information from a hospital to a consumer checking account belonging to the cyber criminal, resulting in a $3.1 million loss. In mid-February 2022, in a separate incident a different cyber criminal used the same method to steal approximately $700,000.”
  • “From June 2018 to January 2019, cyber criminals targeted and accessed at least 65 healthcare payment processors throughout the United States to replace legitimate customer banking and contact information with accounts controlled by the cyber criminals. One victim reported a loss of approximately $1.5 million. The cyber criminals used a combination of publicly available PII and phishing schemes to gain access to customer accounts. Entities involved in processing and distributing healthcare payments through processors remain vulnerable to exploitation via this method.”

[HEADS UP] Bank of America Warns About Recent Scams That Request Zelle Payment Due to ‘Suspicious Activity’

Bank of America recently sent a customer service email warning users to watch out for this new phishing attack.

Threat actors are sending realistic texts requesting that you send money using Zelle® as payment due to a ‘fraud alert’. These texts are crafted to make the warning look legitimate, and if you respond to the text you’ll receive a call from a fake representative.

This person will use social engineering techniques to trick your users into “sending money to themselves” through the Zelle® payment method. In reality, the money goes directly into the scammers’ pockets: it arrives in an account they control.

It’s incredibly important that you do not share any codes with a caller just because the caller ID looks legitimate, and that your users do not let themselves be pressured to act immediately if they receive this type of call. New-school security awareness training can teach your users about the latest threats.


Cisco Attempt Attributed to Lapsus$ Group

Security researchers at Cisco Talos have issued an update on the cyberattack Cisco sustained earlier this year. The attack began with a phishing attack against a Cisco employee, which led to the attackers stealing data and attempting to extort the company with the threat of releasing the stolen information.

“On September 11, 2022, the bad actors who previously published a list of file names from this security incident to the dark web, posted the actual contents of the same files to the same location on the dark web. The content of these files match what we already identified and disclosed,” the researchers write. “Our previous analysis of this incident remains unchanged – we continue to see no impact to our business, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.”

Cisco Talos offers the following summary of the event:

  • “On May 24, 2022, Cisco became aware of a potential compromise. Since that point, Cisco Security Incident Response (CSIRT) and Cisco Talos have been working to remediate.
  • “During the investigation, it was determined that a Cisco employee’s credentials were compromised after an attacker gained control of a personal Google account where credentials saved in the victim’s browser were being synchronized.
  • “The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker. The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user.
  • “CSIRT and Talos are responding to the event and we have not identified any evidence suggesting that the attacker gained access to critical internal systems, such as those related to product development, code signing, etc.
  • “After obtaining initial access, the threat actor conducted a variety of activities to maintain access, minimize forensic artifacts, and increase their level of access to systems within the environment.
  • “The threat actor was successfully removed from the environment and displayed persistence, repeatedly attempting to regain access in the weeks following the attack; however, these attempts were unsuccessful.
  • “We assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators.”
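The MFA push-acceptance pattern in the summary above is one that an identity-provider log can expose: a burst of push notifications to one user, most of them denied or timed out, followed by a single approval. The following is an added example for this digest, not code from Cisco Talos or from the incident report; it assumes a constructed, simplified log format (one line per push with timestamp, user, result and source IP), and the `parse_line` function would need adapting to a real provider's export schema.

```python
"""Flag MFA push-fatigue patterns in authentication logs.

Added example for this digest; it is not code from Cisco Talos or from the
incident report quoted above. It assumes a constructed, simplified log
format (one line per MFA push: timestamp, user, event, result, source IP).
Real identity-provider exports use their own schemas, so parse_line() would
need adapting before use on them.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: four pushes to "jdoe" are denied or time out
# within minutes, then one is approved (the pattern described in the
# report). "asmith" shows ordinary, well-spaced approvals.
SAMPLE_LOG = """\
2022-05-24T02:10:05Z user=jdoe event=mfa_push result=denied src=203.0.113.7
2022-05-24T02:10:41Z user=jdoe event=mfa_push result=timeout src=203.0.113.7
2022-05-24T02:11:20Z user=jdoe event=mfa_push result=denied src=203.0.113.7
2022-05-24T02:12:03Z user=jdoe event=mfa_push result=timeout src=203.0.113.7
2022-05-24T02:13:30Z user=jdoe event=mfa_push result=approved src=203.0.113.7
2022-05-24T02:14:00Z user=asmith event=mfa_push result=approved src=198.51.100.4
2022-05-24T09:00:00Z user=asmith event=mfa_push result=approved src=198.51.100.4
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that are
    malformed or are not MFA push events."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if fields.get("event") != "mfa_push" or "user" not in fields:
        return None
    return {"ts": ts, "user": fields["user"],
            "result": fields.get("result", "unknown"),
            "src": fields.get("src", "?")}


def find_push_fatigue(log_text, window=timedelta(minutes=10), min_pushes=4):
    """Return at most one alert per user.

    A user is flagged when any `window`-long span contains at least
    `min_pushes` pushes and at least one of them was not approved. The alert
    reports the densest such span and whether an approval landed inside it,
    so a burst that has not yet succeeded is still surfaced.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i, end in enumerate(evs):
            # All pushes for this user inside the window that ends at `end`.
            span = [x for x in evs[: i + 1] if end["ts"] - x["ts"] <= window]
            rejected = [x for x in span if x["result"] != "approved"]
            if len(span) >= min_pushes and rejected:
                candidate = {
                    "user": user,
                    "window_start": span[0]["ts"].isoformat(),
                    "window_end": end["ts"].isoformat(),
                    "pushes_in_window": len(span),
                    "rejected_in_window": len(rejected),
                    "approved_in_window": any(x["result"] == "approved" for x in span),
                    "sources": sorted({x["src"] for x in span}),
                }
                # Keep the densest span; later spans win ties so the alert
                # reflects the most recent state (e.g. an eventual approval).
                if best is None or candidate["pushes_in_window"] >= best["pushes_in_window"]:
                    best = candidate
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_push_fatigue(SAMPLE_LOG):
        print(alert)
```

The thresholds (`window`, `min_pushes`) are tuning knobs rather than fixed facts; a real deployment would set them from the organisation's baseline push rate and pair the alert with an automatic session review for the affected account.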

Phishing from a French Government Career Website

Attackers are exploiting a legitimate French government website to send phishing messages, according to researchers at Vade. The website, Pôle Emploi, is a career site for companies looking for job recruits. The attackers are responding to job postings with phony resumes that contain a link to a Google Form designed to harvest credentials.

“The recruiting company—if not vigilant—opens the attachment thinking it is a resume and is faced with malicious links,” the researchers write. “If they click on the links, they are redirected to a malicious form where they will be asked for their Pôle Emploi account information. This new technique is particularly efficient because the generated email is coming from legitimate Pôle Emploi servers, a legitimate sender, and a legitimate IP address.”

The phony resume instructs the victim to click on the link in order to secure their account.

“The hacker’s message states that the recipient (the recruiting company) needs to open the attachment to access an applicant’s resume,” the researchers write. “The hacker adds that the attachment contains URLs that the recipient must open in order to update Pôle Emploi’s recruiting account and secure it.”

Vade notes that the phishing document is also designed to steal users’ multifactor authentication codes.

“The credentials and the validation code of the Pôle Emploi’s recruiting account of the targeted company are sent to the hacker via email from Google Docs,” Vade says. “With those credentials, the hacker can easily access the Pôle Emploi portal of the recruiting company.”
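What makes this campaign effective is that sender reputation checks pass (the mail really does come from Pôle Emploi's servers) while the credential-harvesting form lives on a third-party host. A useful complementary check compares the registrable domain of every link in the body against the sender's domain. The following is an added example for this digest, not code from Vade or from Pôle Emploi; the sample message is constructed, `example-jobs.test` is a placeholder sender domain, and the two-level-suffix handling is a deliberate simplification of the Public Suffix List.

```python
"""Audit links in an inbound message against the sender's domain.

Added example for this digest; it is not code from Vade or from Pôle Emploi.
The sample message is constructed, the sender domain (example-jobs.test)
is a placeholder, and the suffix handling is a deliberate simplification of
the Public Suffix List.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts where anyone can publish a form that collects whatever it asks for.
# Small watchlist of real form services, chosen for this example.
FORM_HOSTS = {"docs.google.com", "forms.gle", "forms.office.com"}

# Simplified stand-in for the Public Suffix List (assumption: enough for a demo).
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")

# Constructed sample modelled on the case above: the mail comes through the
# platform's own servers, but the "secure your account" link leads elsewhere.
SAMPLE_EMAIL = """\
From: "Recruiting Platform" <noreply@example-jobs.test>
To: hr@recruiter.test
Subject: New applicant resume
Content-Type: text/plain; charset=utf-8

A candidate has applied to your posting. Open the attached resume and
confirm your recruiter account here:
https://docs.google.com/forms/d/e/CONSTRUCTED-FORM-ID/viewform
Manage your postings: https://example-jobs.test/recruiter/account
"""


def registrable_domain(host):
    """Collapse a hostname to its registrable domain (example.com, example.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def body_text(msg):
    """Concatenate the text/plain and text/html parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def audit_message(raw):
    """Return one finding per URL in the body.

    A URL is marked as not matching when its registrable domain differs from
    the sender's; links to third-party form hosts are additionally labelled,
    since a hosted form is a ready-made credential collector.
    """
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else None
    findings = []
    for url in URL_RE.findall(body_text(msg)):
        host = (urlparse(url).hostname or "").lower()
        reg = registrable_domain(host) if host else ""
        findings.append({
            "url": url,
            "host": host,
            "registrable": reg,
            "matches_sender": bool(sender_domain) and reg == sender_domain,
            "third_party_form": host in FORM_HOSTS,
        })
    return findings


if __name__ == "__main__":
    for f in audit_message(SAMPLE_EMAIL):
        flag = "OK        " if f["matches_sender"] else "SUSPICIOUS"
        print(flag, f["url"], "(third-party form host)" if f["third_party_form"] else "")
```

A mismatch alone is not proof of phishing (legitimate mail links to external sites all the time), but a mismatched link that points at a form host and sits next to "secure your account" wording is exactly the combination this campaign relies on, and it is cheap to surface for review.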

The researchers add that access to these accounts could lead to further targeted attacks within the organizations.

“Most phishing attacks are designed to steal account credentials, and in this case, the damage could be significant,” Vade says. “The Pôle Emploi portal likely contains the personal information of companies and job candidates. With this information, hackers can access sensitive company information and steal personal data, which they can later sell to other hackers. They could also launch additional attacks on users with the data stolen, including phishing and business email compromise attacks.”
