Mar 19 2024

APT28 Hacker targeting in widespread Phishing Scheme

Category: APT,Phishingdisc7 @ 7:20 am

APT28 Hacker Group Targeting Europe, Americas, Asia in Widespread Phishing Scheme

The Russia-linked threat actor known as APT28 has been linked to multiple ongoing phishing campaigns that employ lure documents imitating government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America.

“The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production,” IBM X-Force said in a report published last week.

The tech company is tracking the activity under the moniker ITG05, which is also known as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, TA422, and UAC-028.

The disclosure comes more than three months after the adversary was spotted using decoys related to the ongoing Israel-Hamas war to deliver a custom backdoor dubbed HeadLace.

APT28 has since also targeted Ukrainian government entities and Polish organizations with phishing messages designed to deploy bespoke implants and information stealers like MASEPIE, OCEANMAP, and STEELHOOK.

Other campaigns have entailed the exploitation of security flaws in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) to plunder NT LAN Manager (NTLM) v2 hashes, raising the possibility that the threat actor may leverage other weaknesses to exfiltrate NTLMv2 hashes for use in relay attacks.

Widespread Phishing Scheme

The latest campaigns observed by IBM X-Force between late November 2023 and February 2024 take advantage of the “search-ms:” URI protocol handler in Microsoft Windows to trick victims into downloading malware hosted on actor-controlled WebDAV servers.

There is evidence to suggest that both the WebDAV servers, as well as the MASEPIE C2 servers, may be hosted on compromised Ubiquiti routers, a botnet comprising which was taken down by the U.S. government last month.

The phishing attacks impersonate entities from several countries such as Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the U.S., putting to use a mix of authentic publicly available government and non-government lure documents to activate the infection chains.

“In an update to their methodologies, ITG05 is utilizing the freely available hosting provider, firstcloudit[.]com to stage payloads to enable ongoing operations,” security researchers Joe Fasulo, Claire Zaboeva, and Golo Mühr said.

The climax of APT28’s elaborate scheme ends with the execution of MASEPIE, OCEANMAP, and STEELHOOK, which are designed to exfiltrate files, run arbitrary commands, and steal browser data. OCEANMAP has been characterized as a more capable version of CredoMap, another backdoor previously identified as used by the group.

“ITG05 remains adaptable to changes in opportunity by delivering new infection methodologies and leveraging commercially available infrastructure, while consistently evolving malware capabilities,” the researchers concluded.

Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: APT28


Feb 29 2024

Vishing, smishing, and phishing attacks skyrocket 1,265% post-ChatGPT

Category: Phishingdisc7 @ 8:40 am

76% of enterprises lack sufficient voice and messaging fraud protection as AI-powered vishing and smishing skyrocket following the launch of ChatGPT, according to Enea.

Enterprises report significant losses from mobile fraud

61% of enterprises still suffer significant losses to mobile fraud, with smishing (SMS phishing) and vishing (voice phishing) being the most prevalent and costly.

Enterprises account for a significant share of communication service provider (CSP) subscribers and an even greater share of their revenues. They depend on their CSP to protect them from telecom-related fraud, with 85% saying security is important or extremely important for their telecoms buying decisions.

Since the launch of ChatGPT in November 2022, vishing, smishing, and phishing attacks have increased by a staggering 1,265%.

61% of enterprise respondents said their mobile messaging fraud costs were significant, yet more than three-quarters don’t invest in SMS spam or voice scam/fraud protection.

51% said they expect their telecom operator to protect them from voice and mobile messaging fraud, citing their role as more important than that of cloud providers, managed IT providers, systems integrators or direct software vendors.

85% of enterprises say that security is important or extremely important for their telecoms purchasing decisions.

Only 59% of CSPs say they have implemented a messaging firewall, and just 51% said they have implemented a signaling firewall. 46% report adopting some threat intelligence service, essentially leaving a majority blind to new or morphing threats.

CSPs that prioritize security are better positioned to win enterprise business

Security leaders, characterized by better capabilities, better funding, and a higher prioritization of security, are less than half as likely as the followers to have a security breach go undetected or unmitigated (12% vs 25%). CSP security leaders are more likely to see security as an opportunity to generate revenues (31% vs 19%).

“We’ve observed the rapidly evolving threat landscape with growing concern, particularly as AI-powered techniques become more accessible to cybercriminals,” commented John Hughes, SVP and Head of Network Security at Enea.

“The stark increase in mobile fraud, particularly following the advent of advanced technologies like ChatGPT, underscores a critical need for enhanced network security measures. This survey highlights a significant disconnect between enterprise expectations and the current capabilities of many CSPs, and our ongoing mission is to help the sector bridge that gap and safeguard networks and users,” concluded Hughes.

Maintaining and enhancing mobile network security is a never-ending challenge for CSPs. Mobile networks are constantly evolving – and continually being threatened by a range of threat actors who may have different objectives, but all of whom can exploit vulnerabilities and execute breaches that impact millions of subscribers and enterprises and can be highly costly to remediate.

To bridge this gap, CSPs must overcome challenges such as a lack of skilled staff to handle potential security breaches, a lack of budget to invest in adequate security tools, and internal organizational complexity preventing them from prioritising security.

Phishing for Phools: The Economics of Manipulation and Deception

Investigation on Phishing Attacks and Modelling Intelligent

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Smishing, vishing


Jan 25 2024

198% Surge In Browser Based Zero-Hour Phishing Attacks

Category: Phishingdisc7 @ 1:23 pm

The digital landscape is under siege. Surging browser-based phishing attacks, a 198% increase in just the second half of 2023, paint a chilling picture of cyber threats outsmarting traditional security. 

Menlo Security’s 2023 State of Browser Security Report unveils this alarming trend, sounding the alarm for organizations and individuals alike.

The Rise Of Evasive Attacks

Gone are the days of easily identifiable phishing scams. 

Cybercriminals are now armed with highly evasive techniques, bypassing conventional defenses like network filters and email scanners. 

These HEATs (Highly Evasive Adaptive Threats), making up 30% of all browser-based attacks, employ tactics like:

  • SMS Phishing (Smishing): Luring victims with seemingly legitimate text messages.
  • Adversary in the Middle (AITM): Intercepting and manipulating web traffic on the fly.
  • Image-Based Phishing: Embedding malicious code within seemingly harmless images.
  • Brand Impersonation: Mimicking trusted websites to steal login credentials.
  • Multi-Factor Authentication (MFA) Bypass: Finding ways to circumvent even two-factor security.

Traditional security, built for known threats, stumbles against the lightning speed of zero-hour attacks. 

These novel phishing campaigns, observed at over 11,000 in just 30 days, exploit the vast and vulnerable attack surface of modern browsers. 

Worryingly, 75% of these attacks hide on trusted websites, cloaked in a veneer of legitimacy.

Despite technological advancements, the human element remains the weakest link. 

Phishing preys on our inherent trust and cognitive biases, tricking us into divulging sensitive information. 

This makes browser security the ultimate line of defense, protecting users at the point of interaction with the web.

Menlo Security: Shining A Light On The Dark Web

The report paints a stark picture, but not a hopeless one. Menlo Security offers a beacon of hope with its advanced browser security solutions

Leveraging cutting-edge AI and machine learning, Menlo’s technology detects and thwarts even the most sophisticated evasive attacks.

Key Takeaways for a Safer Web:

  • Evasive threats demand a new approach: Traditional security falls short. Look to advanced browser security solutions powered by AI.
  • Zero-hour attacks lurk everywhere: Don’t let trusted websites lull you into a false sense of security. Remain vigilant and practice safe browsing habits.
  • Your browser is the frontline: Prioritize comprehensive browser security to shield yourself from evolving cyber threats

David Miller, Policy Advocate: “This report calls for increased collaboration between cybersecurity researchers, technology companies, and policymakers. We need to share threat intelligence, develop best practices, and create regulatory frameworks that incentivize stronger browser security measures.”

Organizations should adopt efficient incident response plans, regularly monitor email traffic for anomalies, and stay updated on emerging threats to stay ahead of the evolving email threat landscape with Trustifi AI-powered Email security solutions.

Phishing Attacks and Detection

Phishing for Phools: The Economics of Manipulation and Deception

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: phishing


Jan 12 2024

Framework discloses data breach after accountant gets phished

Category: Data Breach,Phishingdisc7 @ 10:21 am

https://www.bleepingcomputer.com/news/security/framework-discloses-data-breach-after-accountant-gets-phished/

Framework Computer disclosed a data breach exposing the personal information of an undisclosed number of customers after Keating Consulting Group, its accounting service provider, fell victim to a phishing attack.

The California-based manufacturer of upgradeable and modular laptops says a Keating Consulting accountant was tricked on January 11 by a threat actor impersonating Framework’s CEO into sharing a spreadsheet containing customers’ personally identifiable information (PII) “associated with outstanding balances for Framework purchases.”

“On January 9th, at 4:27am PST, the attacker sent an email to the accountant impersonating our CEO asking for Accounts Receivable information pertaining to outstanding balances for Framework purchases,” the company says in data breach notification letters sent to affected individuals.

“On January 11th at 8:13am PST, the accountant responded to the attacker and provided a spreadsheet with the following information: Full Name, Email Address, Balance Owed.

“Note that this list was primarily of a subset of open pre-orders, but some completed past orders with pending accounting syncs were also included in this list.”

Framework says its Head of Finance notified Keating Consulting’s leadership of the attack once he became aware of the breach roughly 29 minutes after the external accountant replied to the attacker’s emails at 8:42 AM PST on January 11th.

As part of a subsequent investigation, the company identified all customers whose information was exposed in the attack and notified them of the incident via email.

Affected customers warned of phishing risks

Since the exposed data includes the names of customers, their email addresses, and their outstanding balances, it could potentially be used in phishing attacks that impersonate the company to request payment information or redirect to malicious websites designed to gather even more sensitive information from those impacted.

The company added that it only sends emails from ‘support@frame.work’ asking customers to update their information when a payment has failed and it never asks for payment information via email. Customers are urged to contact the company’s support team about any suspicious emails they receive.

Framework says that from now on, all Keating Consulting employees with access to Framework customer information will be required to have mandatory phishing and social engineering attack training.

“We are also auditing their standard operating procedures around information requests,” the company added.

“We are additionally auditing the trainings and standard operating procedures of all other accounting and finance consultants who currently or previously have had access to customer information.”

A Framework spokesperson was not immediately available for comment when BleepingComputer asked about the number of affected customers in the data breach.

Big Breaches: Cybersecurity Lessons for Everyone 

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: data breach


Oct 07 2023

HOW MGM RESORTS LOST $100 MILLION AS A RESULT OF A SIMPLE VISHING CALL

Category: Phishingdisc7 @ 11:55 am

CYBERATTACK ON MGM RESORTS: A FINANCIAL DEBACLE

MGM Resorts encountered a devastating cyberattack recently, incurring an approximate financial setback of $100 million. Unveiled on September 11, this digital attack led to the temporary shutdown of multiple systems within MGM’s various properties, disrupting operations and inflicting significant monetary losses.

DETAILS OF THE ATTACK

The digital onslaught on MGM Resorts wasn’t confined to a single property but spread across its flagship resort and other prestigious properties like Mandalay Bay, Bellagio, The Cosmopolitan, and Aria. The cybercriminals managed to disrupt a range of operations, from the functioning of slot machines and the systems overseeing restaurant management to the technology behind room key cards. Despite the containment efforts by MGM, the attackers successfully exfiltrated a diverse set of customer data, including but not limited to names, addresses, phone numbers, driver’s license numbers, Social Security numbers, and passport details. Fortunately, credit card details remained secure and unaffected.

ECONOMIC FALLOUT

The cyber intrusion had a profound economic impact on MGM Resorts, with losses estimated around $100 million. This financial blow is anticipated to ripple through the earnings of the third and fourth fiscal quarters. However, MGM remains optimistic, projecting a 93% occupancy rate in October and planning for a complete operational recovery in Las Vegas by November. Expenses related to the cyberattack, including consultancy fees, legal services, and other related costs, amounted to less than $10 million.

COMPROMISE OF CUSTOMER DATA

A vast array of customer data, from Social Security numbers to passport details, was pilfered during the cyber attack. The total count of individuals affected by this breach remains uncertain as MGM has not issued any comments on this matter. Proactive measures have been initiated by MGM Resorts to assist the victims of this data breach, including the establishment of dedicated phone lines and informational websites. The company also intends to reach out to the affected individuals via email, extending offers for identity protection services.

IDENTITY OF THE ATTACKERS

Initially, the cyberattack was attributed to hackers affiliated with a group known as Scattered Spider. This group later joined forces with a Russian ransomware collective known as Black Cat/AlphV. Scattered Spider has a notorious reputation, being implicated in several major cyberattacks over the past year, targeting entities like Reddit, Riot Games, Coinbase, and even another major player in the casino industry, Caesars Entertainment.

RECOVERY AND RESPONSE

In response to the cyberattack, MGM Resorts took immediate action by shutting down all its systems to thwart further unauthorized access to customer data. Since these initial countermeasures, the company’s domestic properties have seen a return to normalcy in operations, with the majority of systems that interact with guests being restored. Efforts are ongoing to bring the remaining affected systems back online, with full restoration anticipated in the near future.

CONCLUSION AND FUTURE IMPLICATIONS

The cyberattack experienced by MGM Resorts highlights the substantial risks and potential financial damages associated with digital security breaches in the hospitality sector. With the compromise of sensitive customer information and the incurrence of hefty financial losses, this incident serves as a stark reminder for all businesses in the industry to bolster their cybersecurity infrastructure to safeguard against future digital threats. The episode underscores the imperative for continuous investments in state-of-the-art cybersecurity mechanisms and protocols to preemptively mitigate the risks of future cyber-attacks and protect sensitive customer data.

Vishing = Voice Phishing

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: VISHING CALL, Vishing: Voice Phishing


Oct 02 2023

SEND PHISHING EMAILS WITH CONTENT FONT SIZE: 0PX CAN TO HACK INTO MICROSOFT OUTLOOK 365 ACCOUNTS

Category: Phishingdisc7 @ 9:38 am

Threat actors have begun utilizing an innovative approach to zero-point font obfuscation, a pre-existing technique, in an attempt to deceive users of Microsoft Outlook. They do so by creating an illusion that certain phishing emails have been thoroughly scanned and cleared by antivirus programs, thus increasing the chances of these deceptive emails bypassing security protocols. This not only aids in evading security measures but also enhances the probability of recipients falling prey to these fraudulent schemes.

Jan Kopriva, an analyst at the SANS Internet Storm Center, encountered a phishing email that cleverly employed text written in zero-pixel size font. This technique, originally documented by Avanan (a subsidiary of Check Point) researchers in 2018 and known as ZeroFont Phishing, was being utilized in a distinct and innovative manner, according to Kopriva’s observations. Historically, cyber attackers have integrated zero font size text within phishing emails to disrupt the continuity of text that is visible, making it increasingly difficult for automated email scanning systems like those implemented by Outlook to flag suspicious emails.

However, Kopriva noticed a variation in the use of the ZeroFont technique, which diverged from its original purpose. Instead of utilizing it to obstruct automated scanning systems from labeling the email as potentially harmful or fraudulent, it was applied to craft an illusion of trustworthiness for the recipient. Kopriva elaborated that the technique was being used to modify the text that is usually displayed in Outlook’s listing pane—a section adjacent to the body of emails that provides users with a sneak peek into the email content.

Rather than presenting the typical email subject line followed by the initial few lines of the email—which could potentially raise red flags about a phishing attempt—the listing pane under this technique displayed the subject line and an additional line of text. This added text falsely indicated that the email had undergone a security scan and was deemed safe by a threat protection service.

Avanan researchers have also discovered another manipulation of this technique, dubbed the “One Font” technique. In these instances, threat actors embed extremely small text within the zero- or one-point font range as part of their strategy to develop more elusive and sophisticated phishing scams. This minuscule font size effectively dismantles email scanning techniques relying on semantic analysis, generating confusion for the scanning systems while remaining undetectable to the recipients due to its unreadable size.

In the specific phishing email Kopriva analyzed, the attackers ingeniously incorporated text that implied the email had been verified and secured. This was achieved by inserting text in zero font size ahead of the email’s actual content. As a result, in Outlook’s listing pane, the user would see text confirming the email’s security status immediately below the subject line—instead of the true opening line of the phishing email. This deceptive approach takes advantage of Outlook’s method of displaying email text, thus exploiting it to the attacker’s benefit.

Kopriva acknowledged the possibility that this tactic has been deployed undetected for a while now. Nonetheless, it represents an additional tool in the arsenal of cyber threat actors, enhancing their ability to launch effective phishing campaigns. As defenders against cyber threats, awareness of this tactic is crucial. He recommends that organizations actively engaged in conducting security awareness training focused on phishing should incorporate information on this technique. This knowledge would empower employees to recognize and appropriately respond to deceptive emails employing this technique as an anti-detection strategy, thus fortifying organizational defenses against such cyber threats.

PHISHING SCAM AND PREVENTIVE MEASURES

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Phishing Scam


Sep 22 2023

HOW TO SEND PHISHING OR MALWARE TO TEAMS USERS EVADING TEAMS SECURITY FEATURES

Category: Malware,Phishingdisc7 @ 9:25 am

TeamsPhisher is a Python3 software that was designed to make it easier for phishing messages and attachments to be sent to users of Microsoft Teams whose companies or organizations permit connection with outside parties. It is not feasible to transfer files to users of Teams who are not part of one’s company in most circumstances. Recently, Max Corbridge (@CorbridgeMax) and Tom Ellson (@tde_sec) from JUMPSEC published a means to circumvent this limitation by modifying HTTP requests made by Teams in order to change who is sent a message with an attached file.

TeamsPhisher utilizes a number of other techniques, including some of Andrea Santese’s (@Medu554) older ones, in addition to this one.For the authentication component of the attack flow as well as other basic utility functions, it relies significantly on TeamsEnum, a brilliant piece of work that was developed by Bastian Kanbach (@bka) of SSE.

TeamsPhisher’s goal is to include the most useful aspects of the aforementioned projects in order to provide a method that is robust, fully adaptable, and highly effective for authorized Red Team operations to use Microsoft Teams for phishing in access-related circumstances.

You will need to provide TeamsPhisher with an attachment, a message, and a list of people to target. After that, it will go over the list of targets while simultaneously uploading the attachment to the sender’s Sharepoint.

First, TeamsPhisher will enumerate the target user and check to see whether that person really exists and is able to receive messages from the outside world. After that, it will initiate a new conversation with the person you choose. Note that this is technically a “group” conversation since TeamsPhisher contains the target’s email address twice; this is a clever hack from @Medu554 that will circumvent the “Someone outside your organization messaged you, are you sure you want to view it” splash screen that might offer our targets a reason to stop and think twice about viewing the message.

The user who was identified will get the message that was sent to them along with a link to the attachment that was stored in Sharepoint after a new thread has been established between our sender and the target.

After this first message has been sent, the newly established thread will be visible in the sender’s Teams GUI and may be engaged with manually, if necessary, on a case-by-case basis. Users of TeamsPhisher are required to have a Microsoft Business account (as opposed to a personal one such as @hotmail, @outlook, etc.) that is licensed for both Teams and Sharepoint in order to utilize the software.

This indicates that you will require an AAD tenant as well as at least one user who has a license that corresponds to it. At the time of publishing, the AAD licensing center does have some free trial licenses available for download that are capable of meeting all of the prerequisites for using this product.

Before you may utilize the account with TeamsPhisher, you will have to ensure that you have at least once successfully logged into the personal Sharepoint site of the user with whom you will be exchanging messages. This should be something along the lines of tenantname-my.sharepoint.com/personal/myusername_mytenantname_onmicrosoft.com or tenantname-my.sharepoint.com/personal/myusername_mytenantname_mycustomdomain_tld. Alternatively, you could also use tenantname-my.sharepoint.com/personal/myusername_mytenantname_onmicrosoft.com.

In terms of the needs of the local community, We strongly advise upgrading to the most recent version of Python3. You will also require the authentication library developed by Microsoft:

To upload the file to a Sharepoint site, you will need to manually give the site’s name. This would most likely be required in the event if the sender’s tenant makes use of a unique domain name (for example, one that does not adhere to the xxx.onmicrosoft.com norm). Just the singular name should be used; for instance, if your SharePoint site is located at mytest.sharepoint.com, you should use the –sharepoint mytest option.

Replace TeamPhisher’s standard greeting (“Hi,”) with a personalized greeting that will be appended to the message that is supplied by the –message option. For instance, “Good afternoon,” or “Sales team,” are examples.

By default, the Sharepoint link that is provided to targets may be accessed by anybody who has the link; to restrict access to the Sharepoint file so that it can only be viewed by the target who got it, use the –securelink option. It’s possible that this will help shield your virus from the blue team.

TeamsPhisher will make an effort to determine the first name of each person it is targeting and will use that name in the welcome it sends to them. For instance, tom.jones@targettenant.onmicrosoft.com would get an email with the greeting “Hi Tom, ” as the first line of the message. This is not ideal and is dependant on the format of the emails that are being targeted; use the –preview option to see whether or not this is a suitable match for the list of emails that you are targeting.

The preview version of TeamsPhisher will be executed. This will NOT send any messages to the target users; instead, the “friendly” name that would be used by the –personalize option will be shown. In addition, a sample message that is indicative of what targets would receive with the current settings will be delivered to the sender’s Teams. You may log in to check how your message appears and make any required adjustments to it.

You may choose to have a delay of x seconds between each message sent to targets. Can be of assistance with rate-limiting concerns that may arise.

TeamsPhisher will determine which accounts are unable to receive messages from third-party organizations, which accounts do not exist, and which accounts have subscription plans that are incompatible with the attack vectors.

TeamsPhisher now enables login with sender accounts using multifactor authentication (MFA), thanks to code contributed by the TeamsEnum project.

If you use the –securelink flag, the recipients of the message will see a popup asking them to verify themselves before they can view the attachment in Sharepoint. You have the ability to determine if this adds an excessive number of additional steps or whether it adds ‘legitimacy’ by sending them via the actual Microsoft login feature.

Mitigation
By changing the choices associated with external access, which can be found in the Microsoft Teams admin center under Users > External access, companies may reduce the risk that is provided by the vulnerability that has been discovered.

Organizations are provided with the freedom to pick the optimal rights to match their requirements by Microsoft, including the ability to whitelist just particular external tenants for communications and a global block that prevents any communications from occurring.

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: EVADING TEAMS SECURITY FEATURES


Sep 04 2023

“SMISHING TRIAD” TARGETED USPS AND US CITIZENS FOR DATA THEFT

Category: Phishingdisc7 @ 10:30 pm

Resecurity has identified a large-scale smishing campaign, tracked as Smishing Triad, targeting the US Citizens.

Earlier episodes have revealed victims from the U.K., Poland, Sweden, Italy, Indonesia, Japan and other countries – the group was impersonating the Royal Mail, New Zealand Postal Service (NZPOST), Correos (Spain), Postnord, Poste Italiane and the Italian Revenue Service (Agenzia delle Entrate). Similar scams have been observed before targeting Fedex and UPS.

The bad actors attributed to Chinese-speaking cybercriminals are leveraging a package tracking text scam sent via iMessage to collect personal (PII) and payment information from the victims with the goal of identity theft and credit card fraud. The cybercriminal group with the associated campaign has been named “Smishing Triad” as it leverages smishing as the main attack vector and originates from China.

Smishing is a form of phishing that involves a text message or phone number. Victims will typically receive a deceptive text message that is intended to lure the recipient into providing their personal or financial information. These scammers often attempt to disguise themselves as a government agency, bank, or other organization to lend legitimacy to their claims, for example, a postal service like the United States Postal Service (USPS), asking to pay additional delivery fees via credit card. Once the victim shares payment information, the bad actors use it for fraudulent purposes and unauthorized charges.

Expecting the spike of this activity during summer time, USPS has timely warned about the growing risk of package tracking text scams sent via SMS/iMessage. The spike of this activity has been observed during August with big number of domain names registered by attackers.

The notable detail of “Smishing Triad” campaign is that bad actors used solely iMessage sent from compromised Apple iCloud accounts as the main delivery method of malicious messages to victims instead of traditional SMS or calls how it was done in other scam campaigns like “PostalFurious” and “RedZei” observed by other researchers in the past.

“Smishing Triad” also attacks online-shopping platforms and injects malicious code to intercept customer data. Around July 19, 2023 – there was identified a campaign conducted by the same actors targeting popular online-shopping platforms with malicious scenarios containing payment form impersonating Sumitomo Mitsui Banking Corporation (SMBC). Around same time, there were also identified customized forms impersonating New Zealand Transport Agency and the Agenzia delle Entrate (the Italian Revenue Agency), that enforces the financial code of Italy and collects taxes and revenue.

The bad actors also distribute an engine of fake online-shop (TrickyCart) allowing them to defraud consumers with a pseudo 3D Secure Payment form impersonating popular payment systems and e-commerce platforms including Visa, Mastercard and PayPal. 

“Smishing Triad” has own Telegram channel with over 2,725 members on it and several private groups. The actors are weaponizing other cybercriminals by selling them customized ‘smishing kits’ targeting popular U.S., U.K. and EU brands – starting at $200 per month provided on subscription with further support. Resecurity has identified a group of domain names used by “Smishing Triad” registered in “.top” zone via NameSilo and protected by Cloudflare around August 2023. Notably, some of the domain names are still functioning as well as the identified Telegram group managed by the actors.

After acquisition of the ‘smishing kit’, Resecurity was able to identify a vulnerability acting as a hidden backdoor in the code allowing actors to silently extract collected personal and payment data from their clients. According to researchers, such scenarios are widely used by cybercriminals in password stealers and phishing kits allowing them to profit from efforts of their clients or at least to monitor their activity. Resecurity was able to recover over 108,044 records with victims’ compromised data in order to alert them about identity theft. The collected information has been shared with relevant law enforcement agencies and the United States Postal Inspection Service.

Resecurity highlighted that it may be complicated to disrupt such cybercriminal activity committed by foreign actors located in jurisdictions like China without proper law enforcement and industry collaboration. Therefor, Resecurity is sharing the information about the “Smishing Triad” with the wider community and network defenders to raise awareness and safeguard their customers.

Further technical details are available in the report published by ReSecurity.

SCAM!: How to Avoid the Scams That Cost Victims Billions of Dollars Every

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Smishing


May 26 2023

Phishers use encrypted file attachments to steal Microsoft 365 account credentials

Category: PhishingDISC @ 9:53 am

Phishers are using encrypted restricted-permission messages (.rpmsg) attached in phishing emails to steal Microsoft 365 account credentials.

“[The campaigns] are low volume, targeted, and use trusted cloud services to send emails and host content (Microsoft and Adobe),” say Trustwave researchers Phil Hay and Rodel Mendrez. “The initial emails are sent from compromised Microsoft 365 accounts and appear to be targeted towards recipient addresses where the sender might be familiar.”

Phishing emails with Microsoft Encrypted Restricted Permission Messages

The phishing emails are sent from a compromised Microsoft 365 account to individuals working in the billing department of the recipient company.

Phishing email with a encrypted restricted-permission message (Source: Trustwave)

The emails contain a .rpmsg (restricted permission message) attachment and a “Read the message” button with a long URL that leads to office365.com for message viewing.

To see the message, the victims are asked to sign in with their Microsoft 365 email account or to request a one-time passcode.

After using the received passcode, the victims are first shown a message with a fake SharePoint theme and are asked to click on a button to continue. They are then redirected to a document that looks like it’s hosted on SharePoint but it’s actually hosted on the Adobe’s InDesign service.

They are again asked to click on a button to view the document, and are taken to a domain that looks like the one from the original sender (e.g., Talus Pay), featuring a progress bar.

In the background, the open source FingerprintJS library collects the user’s system and browser information and, finally, the victim is shown a spoofed Microsoft 365 login page and is asked to sign in with their credentials.

Hiding from security solutions

“The use of encrypted .rpmsg messages means that the phishing content of the message, including the URL links, are hidden from email scanning gateways. The only URL link in the body of the message points to a Microsoft Encryption service,” Hay and Mendez noted.

“The only clue that something might be amiss is the URL has a specified sender address (chambless-math.com) unrelated to the From: address of the email. The link was likely generated from yet another compromised Microsoft account.”

They advise organizations to:

  • Block, flag or manually inspect .rpmsg attachments
  • Monitor incoming email streams for emails originating from MicrosoftOffice365@messaging.microsoft.com and having the subject line “Your one-time passcode to view the message”
  • Educate users about the consequences of decrypting or unlocking content from unsolicited emails
  • Implement MFA.

InfoSec tools | InfoSec services | InfoSec books

Tags: Microsoft 365


Apr 19 2023

What is Spear Phishing Attack? – Guide for Motives, Techniques & Prevention Methods

Category: PhishingDISC @ 11:47 am

Every day tens of thousands of Spear phishing emails are sent to millions of victims around the world.

Cyber-attacks have different pathways now; they can strike you from inside or outside, with equal damages across your network.

Targeted takedowns could be critical if analyzed and executed with absolute precision.

In this guide. We’ll look at Spear Phishing Attacks, techniques, examples, mitigation procedures, and a few best practices.

Spear Phishing

What is Spear Phishing?

Spear Phishing is a malicious practice that executes via Email campaigns that hackers research their target audience, understand their likes and dislikes, study their day to day operations, and customize the mail to steal sensitive data and install malware. This type of targeted email campaign deployment to infiltrate their target audience group is called Spear Phishing Attack.

Any anonymous email that drops into your inbox from an unknown sender can be assumed to be phishing Attack. Blasting millions of emails to the database of email id’s with malicious intent is called phishing.

It could be for the deployment of malware, remote code executions and more, however, this phishing may not be rewarding for hackers.

How does Spear Phishing Attack Work?

Spear Phishing is executed in four stages,

  1. Target identification
  2. Studying the target’s behavior
  3. Customizing the message
  4. Blasting emails

Target identification:

The hackers initially identify their target victims by narrowing down their audience based on their motive of the campaign, this could be targeted at corporate in a particular vertical or patients of a healthcare company.

The identification procedure is divided into two stages, the primary and secondary target, primary target will be executives working for an MNC, who will be receiving the blasted emails and the secondary target will be the key ones who will have access to business sensitive information.

These primary targets that have become victims to the spear phishing attack will be manipulated to exploit the secondary targets.

Studying the target’s behavior:

Gathering information about the targeted audience by digging deep into their social media profiles, job sites, portfolios, comments, likes and groups they belong to, and communities they belong to. One way or another the hackers will gain their personal information like email, phone numbers, first name, surname, history of experience, schooling, college, area of expertise and more which they will use to influence their potential targets.

Customizing the message

Hackers will customize their emails and message based on the information collected from these external resources for better open rates and reduced bounce rates. Once a successfully established message is obtained they will proceed for the email blasting procedure.

Blasting emails

After all the research hackers will prepare their attack vector and strategy to ensure the mail gets delivered to the target audience inbox and not into the spam folder.

They will disguise the sender details to be a legitimate one, to ensure the proper delivery of the mail is made and the end user opens it as expected.

After opening the email, the user will click a link or download an attachment-based on the content as it is made accurate.

With all research, the CTR will definitely be high. Thanks to the reliability of the mail crafting procedures the hackers have implemented.

What are 3 types of Spear-phishing emails?

Usually, hackers prefer one of three techniques below to manipulate their target audience.

  1. Impersonation
  2. Personalization
  3. Emotional Response

Impersonation

As the name defines, hackers pretend to be someone else or a legal entity to establish trust and elude with data. This technique is very commonly used by disguising a genuine person or entity in the sender section with an indistinguishable subject line.

Personalization

This technique has an excellent success rate, as the message is very much customized for the recipient so he believes that this email will be of use to him or for his profession in general.

Emotional Response

This technique creates a fear, happiness, shock or surprise to make the end user open the mail and click/download the malicious content as planned.

What is an example of spear phishing?

Examples of Spear Phishing Attacks are very much targeted and often have disastrous outcomes for enterprises, below are few examples for successful spear phishing attacks.

Ubiquite Networks Inc

This Company paid more than USD $40 million in 2015, as a result of spear phishing attack because of a CEO fraud. The emails were impersonated as if they were from senior executives to transfer funds to a third party entity in Hong Kong, which was then found to be some anonymous entity and not a genuine third party.

RSA

RSA is a leading security firm but unfortunately, even they themselves become victim to a targeted spear phishing attack in 2011.

Mails with subject line ‘2011 Recruitment Plan’ were blasted, though most of it was marked as spam one user opened it, leading to the deployment of malware into the infected system and eventually gave remote access to the hackers to infiltrate the computer and network.

Amazon

Amazon is another leader among the fortune 500 companies, targeting this firm will definitely improve your success rates for spear phishing.

In 2015, a mass spear phishing attack was unleashed targeting Amazon customers with a subject line ‘Your Amazon.com order has been dispatched’, followed by a code.

However, unlike the normal emails from Amazon, where you could see the dispatch status directly in the mail or via your Amazon account, in this case, it was mentioned to be available in the attachment.

Few employees become prey to this maneuver and a Locky ransomware was downloaded and installed in the infected systems to encrypt data and demand ransom.

How can you protect yourself from phishing?

Spear phishing prevention is a process that depends on different factors like awareness, tools, education, emotional response and more. Below are the best practices that both organizations and individuals should practice to protect yourself from phishing,

  1. Increasing cyber awareness
  2. Employing cyber tools
  3. Identifying fake emails
  4. Avoiding clicks and attachments
  5. Avoid mails that force urgency

According to a report from Intel 97% of people were unable to identify a phishing mail. The best suggestion to apply spear phishing prevention by creating cyber awareness and improving cyber education. Spear phishing prevention is a process that will depend on a number of factors and their amount of precision.

Increasing cyber awareness:

Organizations and individuals should improve their cyber awareness either themselves or through cyber guidelines. Understanding the attack vectors, their mechanisms, procedures and possible procedures can help the end users and individuals prepare themselves any potential phishing scams and ensure they avoid them all times.

Employing cyber tools

As already mentioned in earlier sections, no tools are good against phishing attacks but properly configured browser policies, email filters, and endpoint configurations can reduce the chances of becoming a victim to phishing scams. GPO policies for stronger passwords and firewall configurations could also help organizations secure their users against phishing mails.

Identifing fake emails

Users can also distinguish between a genuine and fake mail by looking at the subject line, the sender and the relativity. Based on the content of the email this can be re-confirmed. Any unknown senders or purpose of the mail could be a potential phishing scam.

Avoiding clicks and attachments

Not all phishing scams do work when the mail is opened, most is switched ON only when the link in the mail is being clicked or an attachment is being opened. So the users need to ensure they are aware of the links and attachments, perhaps by hovering over the link or looking at the attachment file.

Avoid mails the force urgency

Users should avoid emails that create an urgency; emotional response is what will become prey to these sort of phishing emails. Any emotional mail that create a fear, surprise, shock, or personalized emotional response based on your tax, and health metrics should be avoided.

Spear Phishing Infographic

Spear Phishing

Organizations need to have few policies and configurations in place to keep phishing mails away from the enterprise network, however when users expose themselves to public networks only a self-analysis and cyber practices can keep them safe against spear phishing attack.

If you guys have ever experienced a phishing email, or do have an example to share, please free to comment below your experiences and message so we will see some real-time information on this threat.

Spear phishing attacks are hard to detect and mitigate, so keep your browsers and firewalls active and updated.

Spear Phishing Attack Detection

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Spear Phishing Attack


Feb 10 2023

Catches of the Month: Phishing Scams for February 2023

Category: Information Security,PhishingDISC @ 12:50 pm

Welcome to our February 2023 review of phishing attacks, in which we explore the latest email scams and the tactics that cyber criminals use to trick people into handing over personal data.

This month, we look at a UK government warning about a resurgence in Russian cyber attacks and concerns that the much-discussed AI programme ChatGPT could be used for fraud.

UK government warns of Russian-sponsored phishing campaign

The UK government has issued a warning amid an increase in phishing attacks stemming from Russia and Iran.

In an advisory statement, the NCSC (National Cyber Security Centre) shared details about the campaign, which appears to have been sponsored by the fraudsters’ national governments.

The researchers are most concerned about spear phishing, which is a sophisticated form of fraud. Scammers target specific individuals by researching them online – often using Facebook, LinkedIn or the website of the target’s employer.

Although spear phishing emails often contain the same clues as regular phishing scams, they have a much higher success rate. This suggests that people are more likely to assume that a message is genuine if it contains a few specific details about them, such as their name or their place of work.

The NCSC’s advisory highlights ongoing scams that were conducted throughout last year by the Russia-based group SEABORGIUM and the Iran-based group TA453, also known at APT42.

Their attacks target specific sectors within the UK, including academia, defence, governmental organisations, NGOs and thinktanks, as well as politicians, journalists and activists.

Commenting on the findings, NCSC Director of Operations Paul Chichester said: “The UK is committed to exposing malicious cyber activity alongside our industry partners and this advisory raises awareness of the persistent threat posed by spear-phishing attacks.

“These campaigns by threat actors based in Russia and Iran continue to ruthlessly pursue their targets in an attempt to steal online credentials and compromise potentially sensitive systems.

“We strongly encourage organisations and individuals to remain vigilant to potential approaches and follow the mitigation advice in the advisory to protect themselves online.”

Experts concerned that ChatGPT could be used for scams

ChatGPT has taken the Internet by storm, with the AI-backed tool helping writers and hobbyists create content almost instantly.

The program’s advanced language model has been championed by people looking to quickly produce quotes, articles and think pieces. However, cyber security experts are warning that another group – scammers – could also embrace the technology.

As Chester Wisniewski, the principal research scientist as Sophos, explained, ChatGPT can instantly produce grammatically correct and natural-looking writing, which would resolve one the biggest challenges that scammers face when creating their baits.

“The first thing I do whenever you give me something is figuring out how to break it. As soon as I saw the latest ChatGPT release, I was like, ‘OK, how can I use this for bad things?’ I’m going to play to see what bad things I can do with it,” Wisnieski told TechTarget.

One of those ‘bad things’ that he considered was the ability for ChatGPT to create phishing scams.

“If you start looking at ChatGPT and start asking it to write these kinds of emails, it’s significantly better at writing phishing lures than real humans are, or at least the humans who are writing them,” he said.

“Most humans who are writing phishing attacks don’t have a high level of English skills, and so because of that, they’re not as successful at compromising people.

“My concerns are really how the social aspect of ChatGPT could be leveraged by people who are attacking us. The one way we’re detecting them right now is we can tell that they’re not a professional business.

“ChatGPT makes it very easy for them to impersonate a legitimate business without even having any of the language skills or other things necessary to write a well-crafted attack.”

Can you spot a scam?

All organisations are vulnerable to phishing, no matter their size or sector, so it’s essential to understand how you might be targeted and what you can do to prevent a breach.

You can help educate your staff with IT Governance’s Phishing Staff Awareness Training Programme.

This 45-minute course uses real-world examples like the ones we’ve discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.

https://www.itgovernance.co.uk/blog/catches-of-the-month-phishing-scams-for-february-2023?

More resources on Phishing training

Previous posts on Phishing

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Phishing scams


Dec 16 2022

Facebook Infrastructure Used by Hackers in Phishing Attack Chain

Category: Hacking,PhishingDISC @ 9:39 am

This recent phishing campaign tricks victims by using Facebook posts in its chain of attacks. The emails that were sent to the targets made it appear as though one of the recipients’ Facebook posts violated copyright, and they threatened to remove their accounts if no appeal was made within 48 hours.

https://www.trustwave.com/media/19406/picture1yu.png?v=0.0.1
Phishing email message

“The content of this Facebook post appears legitimate because it uses a dummy ‘Page Support’ profile with the Facebook logo as its display picture. At first glance, the page looks legitimate, but the link provided in this post leads to an external domain”, according to Trustwave.

Here the Facebook post pretends to be “Page Support,” using a Facebook logo to appear as if the company manages it.

https://www.trustwave.com/media/19407/picture2yu.png?v=0.0.1
Facebook post masqueraded as a support page

The main phishing URL, hxxps:/meta[.]forbusinessuser[.]xyz/main[.]php, which resembles Facebook’s copyright appeal page, is reached by clicking the link in the post.

https://www.trustwave.com/media/19408/picture3yu.png?v=0.0.1

Particularly, any data that victims enter into the form after hitting the send button, along with the victim’s client IP and geolocation data will be forwarded to hackers.

Also, threat actors may gather more data to get through fingerprinting protections or security questions while gaining access to the victim’s Facebook account.

The victim is then redirected to the next phishing website, where a false 6-digit one-time password (OTP) request with a timer is displayed.

https://www.trustwave.com/media/19395/picture10yu.png?v=0.0.1
Phishing page with OTP request

Any code entered by the victim will fail, and if the “Need another way to authenticate?” button is pressed, the site will redirect to the real Facebook site.

According to Trustwave, multiple Facebook profiles have fake messages that look to be support pages and direct users to phishing websites.

Various Facebook accounts promoting the same fake alerts
Various Facebook accounts promoting the same fake alerts 

Therefore, these fake Facebook ‘Violation’ notifications use real Facebook pages to redirect to external phishing sites. Users are urged to take extreme caution when receiving false violation alerts and to not fall for the initial links’ seeming legitimacy.

The Totally Awesome Phish Trivia Book: Uncover The History & Facts Every Phish Head Should Know! 

InfoSecBooks | Tools | Services

Tags: facebook, Facebook Infrastructure, phishing


Dec 11 2022

Phishing Scams: How To Recognize A Scam Email, VOIP call, or Text

Category: Email Security,PhishingDISC @ 11:55 am

A phishing scam is not only about stealing your login credentials, but it can also install malware, including ransomware, which is why it is essential to learn how to tackle this growing threat.

The number of phishing scams reported in the first quarter of 2022 set a new record of over one million total attacks, according to a report by the Anti-Phishing Working Group.

And the scams have been growing fast in recent years. The number of attempts reported in the first quarter of 2022 is more than triple the average numbers just two years before, in early 2020.

With so many attacks underway—and growing by the day—what’s the best way to recognize these scams and prevent them? We’ll look at how to recognize and protect yourself from the most common types of phishing fraud. Meanwhile, you can also learn how to detect phishing images in an email.

Most prevalent types of phishing scams

Phishing today refers to a type of scam that steals people’s personal information by posing as a trusted third party. For example, a scammer might pretend to be a government worker to get you to share your Social Security number or pretend to be from your bank to get you to share account details.

With so many communication channels today, there are more phishing methods than ever before. And scammers have adapted to each type of channel by leveraging trust signals inherent to each one.

This can make it hard for the untrained eye to spot a phishing scam and even difficult to recognize if you’ve been hacked after falling for an attack. The first sign that tips off most victims is an unexpected charge, damaged credit score, or depleted bank account.

Here are the six most common types of phishing scams and how to protect yourself.

1. Email scams

Anyone can fall for an email scam; this U.S. judge did. By far the most common type of phishing attack is via email. You’re probably familiar with the spam emails we all get on a day-to-day basis, but the most sophisticated phishing attacks look very different.

These emails often look identical to official messages and notifications, including the company’s logo and exactly the same content as a real message. For example, one of today’s most common scams is a message notification from LinkedIn that’s almost impossible to tell apart from the real thing.

How to protect yourself:

  • Never click on links in emails. Instead, visit the official site.
  • Beware of email addresses that aren’t from the business domain, especially if the address is from a free provider like Gmail.
  • Disable automatic image loading, as this can let scammers know you’ve seen the message.

2. Voice phishing (vishing)

Another common method fraudsters use to trick victims is over the phone. These calls usually claim to have a one-of-a-kind offer or urgent, life-threatening warning.

Most scammers use a VoIP phone system that lets them change the phone number, meaning the call appears as though it’s from a local number even if it’s not.

How to protect yourself:

  • Never answer calls from numbers you don’t recognize, even if it has a local area code.
  • Don’t return calls from numbers. you don’t recognize (one type of scam collects expensive per-dial and per-minute fees, hoping you’ll call back).
  • Remember that most U.S. government agencies, including the IRS, Medicare, and the Social Security Administration, almost never call by phone and do not have the power to arrest you.
Phishing Scams: How To Recognize A Scam Email, VOIP call, or Text

3. Phishing websites

One of the most common destinations for phishing scams is a fraudulent site that looks like the official website. The cloned site will often be identical to the real page, using the company’s logos, color scheme, and fonts.

After establishing trust with the design, the site will ask you to share personal information, anything from your email and password to your Social Security number or bank account details. For example, this attack impersonating American Express used an email message and web page almost impossible to tell apart from the real brand.

Phishing email and the phishing page (Screenshots via Armorblox)

How to protect yourself:

  • If you get a message with a link—even if it looks trustworthy—go to the official site instead.
  • Check the URL of a website to make sure it’s correct. (You’ll notice the American Express phishing page above comes from a site other than AmericanExpress.com.)
  • Don’t automatically trust an HTTPS connection. The “green padlock” icon is an important trust signal, but it doesn’t mean a site is safe. Hackers can use them on phishing sites, too.

4. SMS text message scams (smishing)

Text messages don’t have much space for the scammer’s message, but that hasn’t stopped criminals from trying new tactics to trick innocent victims. The goal of most SMS scams is to get you to click on a link or make a call, so immediately be suspicious of any message with a link or number (though of course, some legitimate messages have these as well).

One of the most common ruses right now with text scams is, ironically enough, helping to protect you from scams. You’ll often see a message “confirming” an expensive purchase or withdrawal, directing you to a number or link to cancel or investigate. There is nothing to cancel or investigate, but the scammer will pretend to resolve the situation by collecting your personal data for a future attack.

How to protect yourself:

  • Don’t trust texts from numbers you don’t recognize. Instead, visit the official site.
  • Beware of texts that use vague terms like “your bank” or “package service.” Scammers use these (instead of actual company names) so the message can apply to anyone.
  • Don’t reply to scam messages, even unsubscribe. This only confirms you have an active number and will result in more attacks.

5. Social media phishing

Social media has become one of the more recent additions to the phishing repertoire. Scammers reach out either using a fake lookalike account or a compromised account.

One common ruse is a friend reaching out for help, usually with an authentication code. But it’s not a friend—it’s a scammer who’s taken over their account and is trying to take over yours. Another ruse is a message from someone posing as the official company support account, asking you to provide information to verify you’re the authentic owner or to keep your page active.

Fake Support chatbot (Image: Trustwave)

How to protect yourself:

  • Beware of anyone who reaches out and asks for personal information or verification codes, even if they appear to be coming from a friend.
  • Don’t respond to messages from “official” accounts. If you’ve received an alert from the social networking site, it’ll usually appear in your account settings.
  • Don’t ever share your social media password with a third-party website.

6. Man-in-the-middle attack

This type of phishing scam requires the attacker to be nearby but can be one of the most dangerous because it’s almost impossible to detect. It works when you and the attacker are on the same Wi-Fi network, like at a coffee shop or airport. The attacker intercepts everything you send and receive and can redirect your browser to safe sites to look-alike sites without you knowing.

Once the attacker has set up a man-in-the-middle attack, they can see almost all the information you share, including usernames, passwords, credit card details, and more.

How to protect yourself:

  • Never use public Wi-Fi networks. A better option is to connect to a hotspot from your cell phone, which has a secure and private connection.
  • If you have to use public Wi-Fi, turn on a VPN. This can protect you against most types of man-in-the-middle attacks and safeguard your personal details.

How to prevent phishing

Every type of phishing requires a slightly different method to spot, and scammers are constantly developing new methods that leverage our weaknesses. But there are a few common warning signs you can look for across different types of phishing attacks.

  • Unfamiliar senders. Emails, texts, or calls from people you don’t recognize are automatically suspect.
  • Poor spelling or grammar. Major corporations pay careful attention to small details like this. Scammers, on the other hand, don’t usually worry about a few typos and often use poor English.
  • Urgency and threats. Scammers demand immediate action or scare you using intimidation tactics, like arrest or deportation, so you don’t recognize warning signs of a scam.
  • Unusual payment methods. Phishing scams often take the opportunity to charge a “fee” for a service but will only accept forms of payment like gift cards, money orders, or cryptocurrency. Legitimate businesses use other methods.

What to do if you’re a victim of phishing

You’ve learned how to protect yourself from phishing scams, but what if you’ve already fallen victim? If you know you’ve shared information with a scammer, here’s what you should do, based on what information you’ve shared.

  • Credit or debit card details. Call the issuing company and have the card canceled immediately. Ask to reverse or dispute any fraudulent charges.
  • Login details or passwords. Log into the compromised account, change the password, look for an option to close all active sessions, and add two-factor authentication if possible. Do the same for any other accounts using the same password.
  • Medical insurance information. Call your insurance company and any impacted companies, explain the fraud, and dispute any fraudulent charges.
  • Social Security number. Set up a credit freeze at each of the three credit bureaus (Experian, Equifax, and TransUnion). This prevents anyone from requesting credit in your name.
  • Name, email, date of birth, or other information. Keep a close eye on your accounts for signs of identity theft.

No matter what kind of information you’ve shared, it’s always a good idea to report the fraud to the Federal Trade Commission at IdentityTheft.gov. Filing the report helps protect others, gives you documentation of the attack, and will provide you with recovery steps specific to your situation

Conclusion

Phishing attacks are on the rise, and scammers are developing even more intricate scams all the time. But if you know the most common warning signs and stay vigilant, you can protect yourself and take quick action in case you’ve been compromised.

Tags: Phishing scams


Nov 21 2022

Chinese Hackers Using 42,000 Phishing Domains To Drop Malware On Victims Systems

Category: Hacking,Malware,PhishingDISC @ 11:13 am

An extensive phishing campaign targeting businesses in numerous upright markets, including retail, was discovered by Cyjax recently in which the attackers exploited the reputation…

China’s Playbook – new Art of War

War Without Rules: China's Playbook for Global Domination

Tags: Art of war, China's Playbook, Chinese hackers


Oct 17 2022

Phishing-as-a-Service Platform Lets Anyone Launch Own Phishing Campaigns

Category: PhishingDISC @ 9:50 am

With the release of the PhaaS platform called ‘Caffeine’, threat actors can now easily launch their own sophisticated phishing attacks. Anyone who wants to start their own phishing campaign will be able to register on this platform through an open registration process.

Caffeine has been thoroughly tested by the analysts at Mandiant. This is a free and open-source platform that does not require any specific requirements like the following to use its portal for launching Phishing campaigns:-

  • No invites or referrals required
  • No approval needed
  • No social shares required
  • No specific joining or subscription to any social channel or hacking forum is needed

Sophisticated Phishing Campaigns

Phishing Scam

I'd Rather Be Phishing - Cool Cyber Security Hacker T Shirt

Tags: Phishing Scam, Phishing-as-a-Service


Oct 12 2022

Callback Phishing Attack Tactics Evolved – Successful Attack Drops Ransomware

Category: Phishing,RansomwareDISC @ 8:52 am

Trellix released a recent report on the evolution of BazarCall social engineering tactics. Initially BazarCall campaigns appeared in late 2020 and researchers at Trellix noticed a continuous growth in attacks pertaining to this campaign.

Reports say at first, it delivered BazaarLoader (backdoor) which was used as an entry point to deliver ransomware. A BazaarLoader infection will lead to the installation of Conti Ransomware in a span of 32 hours.

It was also found to be delivering other malware such as Trickbot, Gozi IFSB, IcedID and more. In this case, “BazarCall has ceaselessly adapted and evolved its social engineering tactics”. These campaigns were found to be most active in United States and Canada. They were also targeting some Asian countries like India and China.

What is BazarCall?

BazarCall begins with a phishing email but from there deviates to a novel distribution method – using phone call centers to distribute malicious Excel documents that install malware.

In BazarCall’s case, targeted users must dial the number. And when they do, the users are connected with actual humans on the other end of the line, who then provide step-by-step instructions for installing malware into their devices.

Figure. 1: Attack Chain
Attack Chain

Evolution of Bazarcall Social Engineering Tactics

Tags: Callback Phishing Attack


Oct 08 2022

Email Defenses Under Siege: Phishing Attacks Dramatically Improve

Category: Information Security,PhishingDISC @ 3:31 pm

About 1 in 5 phishing email messages reach workers’ inboxes, as attackers get better at dodging Microsoft’s platform defenses and defenders run into processing limitations.

computer code on a screen with a red fish hook dangling in the middle
Source: Andrea Danti via Alamy Stock Photo

This week’s report that cyberattackers are laser-focused on crafting attacks specialized to bypass Microsoft’s default security showcases an alarming evolution in phishing tactics, security experts said this week.

Threat actors are getting better at slipping phishing attacks through the weak spots in platform email defenses, using a variety of techniques, such as zero-point font obfuscation, hiding behind cloud-messaging services, and delaying payload activation, for instance. They’re also doing more targeting and research on victims.

As a result, nearly 1 in 5 phishing emails (18.8%) bypassed Microsoft’s platform defenses and landed in workers’ inboxes in 2022, a rate that increased 74% compared to 2020, according to research published on Oct. 6 by cybersecurity firm Check Point Software. Attackers increasingly used techniques to pass security checks, such as Sender Policy Framework (SPF), and obfuscate functional components of an e-mail, such as using zero-size fonts or hiding malicious URLs from analysis.

The increasing capabilities of attackers is due to the better understanding of current defenses, says Gil Friedrich, vice president of email security at Avanan, an email security firm acquired by Check Point in August 2021.

“It is a family of 10 to 20 techniques, but they all lead to the objective of deceiving a company’s security layers,” he says. “The end result is always an email that looks genuine to the recipient but looks different to the algorithm that analyzes the content.”

Microsoft declined to comment on the research. However, the company has warned of advanced techniques, such as adversary-in-the-middle phishing (AiTM), which uses a custom URL to place a proxy server between a victim and their desired site, allowing the attacker to capture sensitive data, such as usernames and passwords. In July, the company warned that more than 10,000 organizations had been targeted during one AiTM campaign.

Check Point is not the only vendor to warn that phishing attacks are getting better. In a survey, email security firm Proofpoint found that 83% of organizations experienced a successful email-based phishing attack, nearly half again as many as suffered such an attack in 2020. Cybersecurity firm Trend Micro saw the number of phishing attacks more than double, growing 137% in the first half of 2022 compared to the same period in 2021, according to the firm’s 2022 Mid-year Cybersecurity report.

Meanwhile, cybercriminals services, such as phishing-as-a-service and malware-as-a-service, are encapsulating the most successful techniques into easy-to-use offerings. In a survey of penetration testers and red teams, nearly half (49%) considered phishing and social engineering to be the attack techniques with the best return on investment.

Research & Recon Inform Phishing

https://www.darkreading.com/remote-workforce/email-defenses-under-siege-phishing-attacks-dramatically-improve

Defending Phishing Attacks on Organizations For Beginners

Phishing Awareness and Training

Phishing Detection Using Content-Based Image Classification

Tags: phishing attacks, Phishing Awareness and Training


Aug 24 2022

Unusual Microsoft 365 Phishing Campaign Spoofs eFax Via Compromised Dynamics Voice Account

Category: PhishingDISC @ 10:19 am

In a widespread campaign, threat actors use a compromised Dynamics 365 Customer Voice business account and a link posing as a survey to steal Microsoft 365 credentials.

Tropical school of fish in Mauritius.

An elaborate and rather unusual phishing campaign is spoofing eFax notifications and using a compromised Dynamics 365 Customer Voice business account to lure victims into giving up their credentials via microsoft.com pages.

Threat actors have hit dozens of companies through the broadly disseminated campaign, which is targeting Microsoft 365 users from a diverse range of sectors — including energy, financial services, commercial real estate, food, manufacturing, and even furniture-making, researchers from the Cofense Phishing Defense Center (PDC) revealed in a blog post published Wednesday.

The campaign uses a combination of common and unusual tactics to lure users into clicking on a page that appears to lead them to a customer feedback survey for an eFax service, but instead steals their credentials.

Attackers impersonate not only eFax but also Microsoft by using content hosted on multiple microsoft.com pages in several stages of the multistage effort. The scam is one of a number of phishing campaigns that Cofense has observed since spring that use a similar tactic, says Joseph Gallop, intelligence analysis manager at Cofense.

“In April of this year, we began to see a significant volume of phishing emails using embedded ncv.microsoft.com survey links of the sort used in this campaign,” he tells Dark Reading.

Combination of Tactics

The phishing emails use a conventional lure, claiming the recipient has received a 10-page corporate eFax that demands his or her attention. But things diverge from the beaten path after that, Cofense PDC’s Nathaniel Sagibanda explained in the Wednesday post.

The recipient most likely will open the message expecting it’s related to a document that needs a signature. “However, that isn’t what we see as you read the message body,” he wrote.

Instead, the email includes what seems like an attached, unnamed PDF file that’s been delivered from a fax that does include an actual file — an unusual feature of a phishing email, according to Gallop.

“While a lot of credential phishing campaigns use links to hosted files, and some use attachments, it’s less common to see an embedded link posing as an attachment,” he wrote.

The plot thickens even further down in the message, which contains a footer indicating that it was a survey site — such as those used to provide customer feedback — that generated the message, according to the post.

Mimicking a Customer Survey

When users click the link, they are directed to a convincing imitation of an eFax solution page rendered by a Microsoft Dynamics 365 page that’s been compromised by attackers, researchers said.

This page includes a link to another page, which appears to lead to a Microsoft Customer Voice survey to provide feedback on the eFax service, but instead takes victims to a Microsoft login page that exfiltrates their credentials.

To further enhance legitimacy on this page, the threat actor went so far as to embed a video of eFax solutions for spoofed service details, instructing the user to contact “@eFaxdynamic365” with any inquiries, researchers said.

The “Submit” button at the bottom of the page also serves as additional confirmation that the threat actor used a real Microsoft Customer Voice feedback form template in the scam, they added.

The attackers then modified the template with “spurious eFax information to entice the recipient into clicking the link,” which leads to a faux Microsoft login page that sends their credentials to an external URL hosted by attackers, Sagibanda wrote.

Fooling a Trained Eye

While the original campaigns were much simpler — including only minimal information hosted on the Microsoft survey — the eFax spoofing campaign goes further to bolster the campaign’s legitimacy, Gallop says.

Its combination of multistage tactics and dual impersonation may allow messages to slip through secure email gateways as well as fool even the savviest of corporate users who’ve been trained to spot phishing scams, he notes.

“Only the users that continue to check the URL bar at each stage throughout the entire process would be certain to identify this as a phishing attempt,” Gallop says.

Indeed, a survey by cybersecurity firm Vade also released Wednesday found that brand impersonation continues to be the top tool that phishers use to dupe victims into clicking on malicious emails.

In fact, attackers took on the persona of Microsoft most often in campaigns observed in the first half of 2022, researchers found, though Facebook remains the most impersonated brand in phishing campaigns observed so far this year.

Phishing Game Remains Strong

https://www.darkreading.com/cloud/unusual-microsoft-365-phishing-efax-compromised-dynamic-voice-account

Tags: Phishing Campaign Spoofs


Jul 26 2022

Phishing Attacks Skyrocket with Microsoft and Facebook as Most Abused Brands

Category: Information Security,PhishingDISC @ 4:03 pm

Instances of phishing attacks leveraging the Microsoft brand increased 266 percent in Q1 compared to the year prior.

The bloom is back on phishing attacks with criminals doubling down on fake messages abusing popular brands compared to the year prior. Microsoft, Facebook and French bank Crédit Agricole are the top abused brands in attacks, according to study on phishing released Tuesday.

According to the report by researchers at Vade, phishing attacks abusing the Microsoft brand increased 266 percent in the first quarter of 2022, compared to the year prior. Fake Facebook messages are up 177 percent in the second quarter of 2022 within the same timeframe.

The study by Vade analyzed unique instances of phishing URLs used by criminals carrying out phishing attacks and not the number of phishing emails associated with the URLs. The report tallied the 25 most commonly targeted companies, along with the most abused industries and days of the week for phishing emails.

Phishing By the Numbers

Other top abused brands in phishing attacks include Credit Agricole, WhatsApp, and French telecommunications company Orange. Popular brands also included PayPal, Google and Apple (see chart).

Through the first half of 2022, 34 percent of all unique phishing attacks tracked by the researchers impersonated financial services brands. The next most popular industry for criminals to abuse is cloud and the firms Microsoft, Google and Adobe. Social media was also a popular target with Facebook, WhatsApp and Instagram leading the list of brands leveraged in attacks.

The report revealed the most popular days for sending phishing emails is between Monday and Wednesday. Less than 20 percent of malicious emails are sent on the weekend.

“Phishing attacks are more sophisticated than ever,” wrote Adrien Gendre, chief tech and product officer at Vade in an email to Threatpost.

“Hackers have an arsenal of tools at their disposal to manipulate end users and evade email security, including phishing kits that can identify when they are being scanned by a vendor and trigger benign webpages to avoid detection. End users need to be continually trained to identify the latest phishing techniques,” he wrote.

Phishing Attacks: Advanced Attack Techniques

Tags: phishing attacks


Jul 20 2022

Catches of the Month: Phishing Scams for July 2022

Category: PhishingDISC @ 1:41 pm

Welcome to our July 2022 review of phishing attacks, in which we explore the latest email scams and the tactics that cyber criminals use to trick people into handing over their personal data.

This month, we look at a cyber attack at OpenSea, a US school district that was tricked into transferring funds to a crook and a report on the rising threat of phishing.

NFT marketplace warns users of phishing scams

Last month, the world’s largest NFT (non-fungible token) marketplace, OpenSea, disclosed a data breach in which users’ email addresses were compromised.

The organisation’s head of security, Cory Hardman, said that the breach occurred when an employee at a third-party email delivery vendor downloaded the details of OpenSea users and newsletter subscribers.

OpenSea has since warned that the information could be used to launch phishing attacks.

“If you have shared your email with OpenSea in the past, you should assume you were impacted. We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement,” Hardman said.

“Because the data compromise included email addresses, there may be a heightened likelihood for email phishing attempts.”

OpenSea warned users via an email notification

Hardman provided tips to help OpenSea users spot phishing attacks. He urged people to keep an eye out for emails that use domains replicating the genuine OpenSea.io address.

Cyber criminals could do this by using a different top-level domain (such as opensea.org), or by deliberately misspelling the domain name (such as opensae.io).

Hardman also advised users not to download or open email attachments if they believe the message is suspicious, and to never sign wallet transactions if prompted directly via email.

It was that technique that caught out fans of the NFT artist Beeple last month. His Twitter account was hacked, with the attackers stealing $70,000 (about £56,000) worth of cryptocurrency.

In addition to the theft, the cyber criminals shared a phishing link on Beeple’s Twitter account that, if clicked, took money directly from their wallets.

Incidents such as this and the OpenSea hack demonstrate the challenges that NFT trading presents. Although many people are enticed into NFTs because the market is unregulated, that also creates major security risks.

Whereas banks and other regulated trading platforms are required to take steps to protect people’s assets – and will typically have proof of unauthorised access – the crypto culture emphasises personal responsibility.

If a cyber criminal compromises a crypto wallet, victims have little recourse and will have to accept their loss.

School district accidentally wires $200,000 to fraudulent bank

The Floyd County School District in in Georgia admitted in June that it had wired $197,672.76 (about £164,000) to a bank account controlled by cyber criminals.

Officials said they received the request from an email address seemingly associated with Ben Hill Roofing, an organisation that had previously worked with a school in the district.

Floyd County Schools made the payment on 29 April, and was only alerted to its mistake after the real Ben Hill Roofing submitted an invoice.

Speaking to a local news outlet, the school district said: “Floyd County Schools has been made aware of a spear phishing incident, which is a targeted email attack pretending to be from a trusted sender. This cyber-attack resulted in funds being stolen from the school system by an outside source.”

It added: “We are working with local law enforcement, GEMA, GBI, and insurance officials to recover the funds.

“Because of the cyber security measures FCS has put in place over the past few years, school system officials believe this is an isolated incident. Due to the ongoing investigation, more details cannot be released at this time.”

Floyd County Schools has since recovered almost all of the stolen funds following a police investigation. Officers traced the stolen money to a bank in Texas, which had already flagged the account as suspicious.

Phishing attacks reach all-time high, report finds

The first three months of 2022 saw more than a million reported phishing attacks, according to the APWG’s Phishing Activity Trends Report

It’s the highest number of phishing attacks that has ever been reported in a quarter, and it follows a steady increase in attacks throughout the past year. In April 2021, the APWG observed just over 200,000 phishing attacks. By March 2022, it almost doubled, to 384,291. 

According to the report, the industry most likely to be targeted was the financial sector. It found that 23.6% of all incidents affected organisations that provide such services. 

The next most frequent targets were software-as-a-service and webmail providers (20.5%) and e-commerce sites and retail stores (14.6%).

The report also found that 12.5% of phishing attacks target social media sites, while cryptocurrency platforms account for 6.6% of incidents. 

According to John Wilson, Senior Fellow of Threat Research at HelpSystems, the majority of phishing attacks are conducted using BEC (business e-mail compromise).

Wilson noted that in the first quarter of 2022, 82% of BEC messages were sent from free webmail accounts. Gmail is the most popular provider, accounting for 60% of BEC scams. 

Meanwhile, 18% of BEC messages used email domains owned by the attacker. 

The report also found that the average sum that scammers requested in wire transfer BEC attacks in Q1 2022 was $84,512 (about €98,000). This is a significant increase over the previous quarter, in which scammers requested €50,027 (about €58,000) on average. 

Can you spot a scam?

All organisations are vulnerable to phishing, no matter their size or the sector, so it’s essential to understand how you might be targeted and what you can do to prevent a breach.

You can help educate your staff with IT Governance’s Phishing Staff Awareness Training Programme.

This 45-minute course uses real-world examples like the ones we’ve discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.

Tags: Phishing scams, phishing training


Next Page »