InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Suspicious Offers Be wary of emails offering free money or alarming threats (e.g., frozen accounts). These emotional triggers are classic phishing tactics.
Free Money Red Flag Phishing often exploits greed—if something sounds too good to be true, it probably is.
Generic Greetings Emails that don’t address you personally (e.g., “Dear customer”) are likely mass phishing attempts.
Urgency Traps Don’t act on emails that pressure you to respond immediately—urgency is a common manipulation tactic.
Requests for Personal Info Legitimate organizations won’t ask for sensitive information via email. Don’t provide personal or business data.
Bad Grammar, Bad Sign Poor spelling and awkward grammar are red flags that an email may be a phishing attempt.
Mismatch in Sender Info Always compare the sender’s name to the actual email address to spot spoofing attempts.
Check Before Clicking Links Hover over links to see the actual URL before clicking—phishers often disguise malicious sites.
Email Header Clues Review email headers if you’re suspicious; a sketchy history is a clear sign to delete the email.
Feedback
This tip sheet provides clear, actionable guidance and covers the essentials of phishing detection well. The advice is practical for both technical and non-technical users, with an emphasis on behavior-based awareness. Overall, it’s a solid tool for raising awareness and promoting a culture of cautious clicking.
A recent revelation by security researcher Nick Johnson highlights a sophisticated phishing technique that exploits Google’s own services—specifically OAuth and Google Sites—to send DKIM-signed phishing emails that appear entirely legitimate. This method allows attackers to craft emails that seem to originate from “no-reply@google.com,” effectively bypassing traditional email security measures and deceiving recipients into divulging sensitive information.
The attack begins with the creation of a malicious Google OAuth application. Attackers manipulate the app’s name field to include deceptive messages, such as fake security alerts, by inserting numerous spaces or line breaks to obscure the true nature of the content. This crafted app name then autofills into legitimate-looking emails sent by Google, lending an air of authenticity to the phishing attempt.
Subsequently, the attackers leverage Google Sites to host convincing phishing pages that mimic official Google interfaces. These pages are designed to harvest user credentials under the guise of legitimate Google services. Because the emails are sent through Google’s infrastructure and are DKIM-signed, they often evade spam filters and other security checks, making them particularly dangerous.
This method is especially concerning because it exploits the inherent trust users place in Google’s services. By utilizing Google’s own platforms to disseminate phishing emails and host malicious content, attackers can effectively bypass many of the safeguards that users and organizations rely on to protect against such threats.
The implications of this technique are far-reaching. It underscores the need for heightened vigilance and more robust security measures, as traditional defenses like DKIM and SPF may not be sufficient to detect and block such sophisticated attacks. Organizations must recognize that even trusted platforms can be manipulated to serve malicious purposes.
To counteract these threats, several measures can be implemented:
User Education: Regular training to help users recognize phishing attempts, even those that appear to come from trusted sources.
Two-Factor Authentication (2FA): Encouraging or mandating the use of 2FA can add an additional layer of security, making it more difficult for attackers to gain unauthorized access.
Monitoring and Alerts: Implementing systems that monitor for unusual OAuth app creations or sign-in activities can help detect and respond to suspicious behavior promptly.
Email Filtering Enhancements: Updating email filters to scrutinize not just the sender’s address but also the content and context of the message can improve detection rates.
Collaboration with Service Providers: Working closely with platforms like Google to report and address vulnerabilities can lead to quicker resolutions and improved security for all users.
By adopting a multi-faceted approach that combines user awareness, technical safeguards, and proactive collaboration, organizations can better defend against these advanced phishing techniques.
Injecting spoofed headers with email relaying involves manipulating the email headers to disguise the true origin of an email, making it appear as if it was sent from a legitimate source. Here’s a detailed explanation of how this process works:
1. Understanding Email Headers
Email headers contain vital information about the sender, recipient, and the path an email takes from the source to the destination. Key headers include:
From: The email address of the sender.
To: The recipient’s email address.
Subject: The subject line of the email.
Received: Information about the mail servers that handled the email as it traveled from sender to recipient.
Return-Path: The email address where bounces and error messages should be sent.
2. Email Relaying
Email relaying is the process of sending an email from one server to another. This is typically done by SMTP (Simple Mail Transfer Protocol) servers. Normally, email servers are configured to relay emails only from authenticated users to prevent abuse by spammers.
3. Spoofing Headers
Spoofing email headers involves altering the email headers to misrepresent the email’s source. This can be done for various malicious purposes, such as phishing, spreading malware, or bypassing spam filters. Here’s how it can be done:
a. Crafting the Spoofed Email
An attacker can use various tools and scripts to create an email with forged headers. They might use a command-line tool like sendmail, mailx, or a programming language with email-sending capabilities (e.g., Python’s smtplib).
b. Setting Up an Open Relay
An open relay is an SMTP server configured to accept and forward email from any sender to any recipient. Attackers look for misconfigured servers on the internet to use as open relays.
c. Injecting Spoofed Headers
The attacker crafts an email with forged headers, such as a fake “From” address, and sends it through an open relay. The open relay server processes the email and forwards it to the recipient’s server without verifying the authenticity of the headers.
d. Delivery to Recipient
The recipient’s email server receives the email and, based on the spoofed headers, believes it to be from a legitimate source. This can trick the recipient into trusting the email’s content.
4. Example of Spoofing Email Headers
Here’s an example using Python’s smtplib to send an email with spoofed headers:
import smtplib
from email.mime.text import MIMEText
# Crafting the email
msg = MIMEText("This is the body of the email")
msg['Subject'] = 'Spoofed Email'
msg['From'] = 'spoofed.sender@example.com'
msg['To'] = 'recipient@example.com'
# Sending the email via an open relay
smtp_server = 'open.relay.server.com'
smtp_port = 25
with smtplib.SMTP(smtp_server, smtp_port) as server:
server.sendmail(msg['From'], [msg['To']], msg.as_string())
via Frontend Transport
The statement about the term “via Frontend Transport” in header values refers to a specific configuration in Microsoft Exchange Server that could suggest a misconfiguration allowing email relaying without proper verification. Let’s break down the key elements of this explanation:
1. Frontend Transport in Exchange
In Microsoft Exchange Server, the Frontend Transport service is responsible for handling client connections and email traffic from the internet. It acts as a gateway, receiving emails from external sources and forwarding them to the internal network.
2. Email Relaying
Email relaying is the process of forwarding an email from one server to another, eventually delivering it to the final recipient. While this is a standard part of the SMTP protocol, it becomes problematic if a server is configured to relay emails without proper authentication or validation.
3. The Term “via Frontend Transport”
When email headers include the term “via Frontend Transport”, it indicates that the email passed through the Frontend Transport service of an Exchange server. This can be seen in the Received headers of the email, showing the path it took through various servers.
4. Suggestion of Blind Email Relaying
The concern arises when these headers suggest that Exchange is configured to relay emails without altering them or without proper checks. This could imply that:
The Exchange server is not adequately verifying the sender’s authenticity.
The server might be forwarding emails without checking if they come from trusted sources.
Such a configuration can be indicative of an open relay, where the server forwards any email it receives, which is highly vulnerable to abuse.
5. Abuses of Open Relays
Open relays are notorious for being exploited by spammers and malicious actors because they can be used to send large volumes of unsolicited emails while obscuring the true origin of the message. This makes it difficult to trace back to the actual sender and can cause the relay server’s IP address to be blacklisted.
Attackers Use a Genuine Microsoft Office 365 Account
The attackers have managed to send an email from a genuine Microsoft Office 365 account. This could be through compromising an account or using a trial account.
Email Branded as Disney
The email is branded as coming from Disney (disney.com). This branding could involve setting the “From” address to appear as if it’s from a Disney domain, which can trick recipients into believing the email is legitimate.
Gmail’s Handling of Outlook’s Servers
Gmail has robust mechanisms to handle high volumes of emails from trusted servers like Outlook’s (Microsoft’s email service). These servers are built to send millions of emails per hour, so Gmail will not block them due to rate limits.
SPF (Sender Policy Framework)
SPF is a protocol that helps prevent email spoofing by allowing domain owners to specify which mail servers are authorized to send emails on their behalf. The attackers benefit from this because:
The email is sent through Microsoft’s official relay server, protection.outlook.com.Disney’s SPF record includes spf.protection.outlook.com, which means emails sent through this relay server are authorized by Disney’s domain.
.
Spoofed Headers
Spoofed headers involve altering the email headers to make the email appear as if it originated from a different source. In this scenario, the attackers have spoofed headers to make the email look like it’s from Disney.
SPF Check Passed
Since the email is sent via a server included in Disney’s SPF record (protection.outlook.com), it will pass the SPF check, making it seem legitimate to the recipient’s email server.
DKIM (DomainKeys Identified Mail)
DKIM is another email authentication method that allows the receiver to check if an email claiming to come from a specific domain was indeed authorized by the owner of that domain. This is done by verifying a digital signature added to the email.
Points of Concern
SPF Check Passed
The email passed the SPF check because it was sent through an authorized server (protection.outlook.com) included in Disney’s SPF record.
Spoofed Headers
The headers were manipulated to make the email appear as if it came from Disney, which can deceive recipients.
Gmail Handling
Gmail will trust and not rate-limit emails from Outlook’s servers, ensuring the email is delivered without being flagged as suspicious due to high sending volumes.
Potential for DKIM
To fully understand if the email can pass DKIM checks, we would need to know if the attackers can sign the email with a valid DKIM key. If they manage to:
DKIM Alignment
Ensure the DKIM signature aligns with the domain in the “From” header (disney.com).
Valid DKIM Signature
Use a valid DKIM signature from an authorized domain (which would be difficult unless they have compromised Disney’s signing keys or a legitimate sending infrastructure).
Proofpoint and similar services are email security solutions that offer various features to protect organizations from email-based threats, such as phishing, malware, and spam. They act as intermediaries between the sender and recipient, filtering and relaying emails. However, misconfigurations or overly permissive settings in these services can be exploited by attackers. Here’s an explanation of how these services work, their roles, and how they can be exploited:
Roles and Features of Proofpoint-like Services
Email Filtering and Protection
Spam and Phishing Detection: Filters out spam and phishing emails.
Malware Protection: Scans and blocks emails containing malware or malicious attachments.
Content Filtering: Enforces policies on email content, attachments, and links.
Email Relay and Delivery
Inbound and Outbound Filtering: Manages and filters both incoming and outgoing emails to ensure compliance and security.
Email Routing: Directs emails to the appropriate recipients within an organization.
DKIM Signing: Adds DKIM signatures to outgoing emails to authenticate them.
Authentication and Authorization
IP-Based Authentication: Uses IP addresses to authenticate incoming email servers.
SPF, DKIM, and DMARC Support: Implements these email authentication protocols to prevent spoofing.
How Misconfigurations Allow Exploitation
Permissive IP-Based Authentication
Generic Configuration: Proofpoint is often configured to accept emails from entire IP ranges associated with services like Office365 or Google Workspace without specifying particular accounts.
IP Range Acceptance: Once a service like Office365 is enabled, Proofpoint accepts emails from any IP within the Office365 range, regardless of the specific account.
Exploitation StepsStep 1: Setting Up the Attack
Attacker’s Office365 Account: The attacker sets up or compromises an Office365 account.
Spoofing Email Headers: The attacker crafts an email with headers that mimic a legitimate sender, such as Disney.
Step 2: Leveraging Proofpoint Configuration
Sending Spoofed Emails: The attacker sends the spoofed email from their Office365 account.
Proofpoint Relay Acceptance: Proofpoint’s permissive configuration accepts the email based on the IP range, without verifying the specific account.
Step 3: Proofpoint Processing
DKIM Signing: Proofpoint processes the email, applying DKIM signatures and ensuring it passes SPF checks because it comes from an authorized IP range.
Email Delivery: The email is then delivered to the target’s inbox, appearing legitimate due to the DKIM signature and SPF alignment.
Example of a Permissive Configuration in Proofpoint
Admin Setup
Adding Hosted Services: Proofpoint allows administrators to add hosted email services (e.g., Office365) with a single-click configuration that relies on IP-based authentication.
No Specific Account Configuration
Generic Acceptance: The setup does not specify which particular accounts are authorized, leading to a scenario where any account within the IP range is accepted.
Exploitation of Misconfiguration
Blind Relay: Due to this broad acceptance, attackers can send emails through Proofpoint’s relay, which then processes and delivers them as if they were legitimate.
A recent attack exploited a misconfiguration in Proofpoint’s email routing, allowing millions of spoofed phishing emails to be sent from legitimate domains like Disney and IBM. The attackers used Microsoft 365 tenants to relay emails through Proofpoint, bypassing SPF and DKIM checks, which authenticate emails. This “EchoSpoofing” method capitalized on Proofpoint’s broad IP-based acceptance of Office365 emails. Proofpoint has since implemented stricter configurations to prevent such abuses, emphasizing the need for vigilant security practices.
Smishing is a type of social engineering attack. Social engineering is when a cyber attacker tricks their victim into doing something they should not do, such as giving money, their password, or access to their computer. Cyber attackers have learned the easiest way to get something is just ask for it. This concept is not new, con artists and scammers have existed for thousands of years, it’s just that the Internet makes it very simple for any cyber attacker to pretend to be anyone they want and target anyone they want.
Phishing is one of the most common forms of social engineering as it’s one of the simplest and most effective and an attack method we are all familiar with. However, both organizations and individuals are becoming not only far more aware of how phishing attacks work, but much better at spotting and stopping them. Phishing is still an effective attack method, but it is getting harder and harder for cyber criminals to be effective with phishing. This is where smishing comes in.
Smishing vs Phishing
Smishing is very similar to phishing, but instead of sending emails trying to trick people, cyber attackers send text messages. The term smishing is a combination of the words SMS messaging and phishing. You may have noticed a rise in random text messages that are trying to get you to click on links or respond to text messages. That’s smishing.
Why the Increase in Smishing Attacks?
It is harder for organizations to secure mobile devices. Security teams often have neither the visibility nor control of employees’ mobile devices like they do for workstations. This means it’s harder to both secure and monitor mobile devices.
There are far fewer security controls that effectively identify and filter smishing attacks. This means when a cyber attacker sends a smishing text message to victims, that message is far more likely to make it and not be filtered.
A text message tends to be much shorter than an email, there is far less context or information, making it harder to determine if the message is legitimate or not. In other words, people are more likely to fall victim.
Texting tends to be far more informal than email, as such people tend to trust and act on text messages more. In other words, people are more likely to fall victim.
The Smishing Attacks
So, what type of text messaging attacks are there? While these attacks are always evolving, some of the most common are detailed below.
Links
The text message entices you to click on a link, often through a sense of urgency, something too good to be true, or simple curiosity. Once you click on the link, the goal is usually to harvest your personal information (by getting you to fill out a survey) or your login and password (to your bank or email account, for example). Notice how, in the link in the message below, the cyber attacker uses HTTPS, an encrypted connection to make the link look more legitimate.
Scams
In these attacks, the cyber attacker will attempt to start a conversation with you, build trust, and ultimately scam you. Romance scams are one common example where cyber criminals randomly text millions of people to find those who are lonely or emotionally vulnerable, build a pretend romance, and then take advantage of them.
Call-Back
Like some phishing emails, the text message has a phone number in it and is urging the victim to call. Once the victim calls the phone number they are then scammed.
What to Do About Smishing Attacks?
While many security training programs focus on phishing, we far too often neglect text based smishing attacks. In fact, this can create a situation where your workforce is highly aware of phishing attacks but may mistakenly think that cyber attackers only use email for attacks. From a training perspective, we recommend you teach people that cyber attackers can use a variety of different methods to trick people, to include both email phishing and text based smishing. For smishing, we do not recommend that you try to teach people about every different type of attack possible. Not only will this likely overwhelm your workforce, but cyber attackers are constantly changing their lures and techniques. Instead, like in phishing training, focus on the most commonly shared indicators and clues of an attack. This way, your workforce will be trained and enabled regardless of the method or lures cyber attackers use. Of note, the indicators below are the same indicators of an email phishing attack.
Urgency: Any message that creates a tremendous sense of urgency, trying to rush the victim into making a mistake. An example is a message from the government stating your taxes are overdue and if you don’t pay right away you will end up in jail.
Pressure: Any message that pressures an employee to ignore or bypass company policies and procedures. Gift card scams are often started with a simple text message.
Curiosity: Any message that generates a tremendous amount of curiosity or is too good to be true such as notice of an undelivered UPS package or receiving an Amazon refund.
Sensitive: Any message that requests (or requires) highly sensitive information such as your password or unique codes.
Tone: Any message that appears to be coming from a coworker, but the wording does not sound like them, or the overall tone is wrong.
Ready to learn about Vishing? Let’s play Vishing Vigilante. The term vishing is short for Voice Phishing which is basically a scam carried out over the phone. Vishing calls are often cash driven. The attacker wants to trick you into gaining access to your money. Scammers may also take advantage of your desire to be helpful, create a sense of urgency, or stir strong emotions like fear and curiosity. It’s easy to impersonate someone over the phone, but here’s the thing; you’re always in control because you can always disconnect. A scammer may try to manipulate you by trying to scare you. They might claim that you have overdue taxes and will be arrested unless you pay them immediately. Scammers may try to excite you by claiming you have won a prize or a vacation, and to claim it you just need to pay a small fee. They may tug at your heart strings by claiming to be a charity that needs your donations. Pretty low right. So the next time you receive a strange phone call, ask yourself if it could be a vishing attack and remember you can always disconnect. When it comes to cybersecurity we all need to level up.
The Russia-linked threat actor known as APT28 has been linked to multiple ongoing phishing campaigns that employ lure documents imitating government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America.
“The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production,” IBM X-Force said in a report published last week.
The tech company is tracking the activity under the moniker ITG05, which is also known as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, TA422, and UAC-028.
The disclosure comes more than three months after the adversary was spotted using decoys related to the ongoing Israel-Hamas war to deliver a custom backdoor dubbed HeadLace.
APT28 has since also targeted Ukrainian government entities and Polish organizations with phishing messages designed to deploy bespoke implants and information stealers like MASEPIE, OCEANMAP, and STEELHOOK.
Other campaigns have entailed the exploitation of security flaws in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) to plunder NT LAN Manager (NTLM) v2 hashes, raising the possibility that the threat actor may leverage other weaknesses to exfiltrate NTLMv2 hashes for use in relay attacks.
The latest campaigns observed by IBM X-Force between late November 2023 and February 2024 take advantage of the “search-ms:” URI protocol handler in Microsoft Windows to trick victims into downloading malware hosted on actor-controlled WebDAV servers.
There is evidence to suggest that both the WebDAV servers, as well as the MASEPIE C2 servers, may be hosted on compromised Ubiquiti routers, a botnet comprising which was taken down by the U.S. government last month.
The phishing attacks impersonate entities from several countries such as Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the U.S., putting to use a mix of authentic publicly available government and non-government lure documents to activate the infection chains.
“In an update to their methodologies, ITG05 is utilizing the freely available hosting provider, firstcloudit[.]com to stage payloads to enable ongoing operations,” security researchers Joe Fasulo, Claire Zaboeva, and Golo Mühr said.
The climax of APT28’s elaborate scheme ends with the execution of MASEPIE, OCEANMAP, and STEELHOOK, which are designed to exfiltrate files, run arbitrary commands, and steal browser data. OCEANMAP has been characterized as a more capable version of CredoMap, another backdoor previously identified as used by the group.
“ITG05 remains adaptable to changes in opportunity by delivering new infection methodologies and leveraging commercially available infrastructure, while consistently evolving malware capabilities,” the researchers concluded.
76% of enterprises lack sufficient voice and messaging fraud protection as AI-powered vishing and smishing skyrocket following the launch of ChatGPT, according to Enea.
Enterprises report significant losses from mobile fraud
61% of enterprises still suffer significant losses to mobile fraud, with smishing (SMS phishing) and vishing (voice phishing) being the most prevalent and costly.
Enterprises account for a significant share of communication service provider (CSP) subscribers and an even greater share of their revenues. They depend on their CSP to protect them from telecom-related fraud, with 85% saying security is important or extremely important for their telecoms buying decisions.
Since the launch of ChatGPT in November 2022, vishing, smishing, and phishing attacks have increased by a staggering 1,265%.
61% of enterprise respondents said their mobile messaging fraud costs were significant, yet more than three-quarters don’t invest in SMS spam or voice scam/fraud protection.
51% said they expect their telecom operator to protect them from voice and mobile messaging fraud, citing their role as more important than that of cloud providers, managed IT providers, systems integrators or direct software vendors.
85% of enterprises say that security is important or extremely important for their telecoms purchasing decisions.
Only 59% of CSPs say they have implemented a messaging firewall, and just 51% said they have implemented a signaling firewall. 46% report adopting some threat intelligence service, essentially leaving a majority blind to new or morphing threats.
CSPs that prioritize security are better positioned to win enterprise business
Security leaders, characterized by better capabilities, better funding, and a higher prioritization of security, are less than half as likely as the followers to have a security breach go undetected or unmitigated (12% vs 25%). CSP security leaders are more likely to see security as an opportunity to generate revenues (31% vs 19%).
“We’ve observed the rapidly evolving threat landscape with growing concern, particularly as AI-powered techniques become more accessible to cybercriminals,” commented John Hughes, SVP and Head of Network Security at Enea.
“The stark increase in mobile fraud, particularly following the advent of advanced technologies like ChatGPT, underscores a critical need for enhanced network security measures. This survey highlights a significant disconnect between enterprise expectations and the current capabilities of many CSPs, and our ongoing mission is to help the sector bridge that gap and safeguard networks and users,” concluded Hughes.
Maintaining and enhancing mobile network security is a never-ending challenge for CSPs. Mobile networks are constantly evolving – and continually being threatened by a range of threat actors who may have different objectives, but all of whom can exploit vulnerabilities and execute breaches that impact millions of subscribers and enterprises and can be highly costly to remediate.
To bridge this gap, CSPs must overcome challenges such as a lack of skilled staff to handle potential security breaches, a lack of budget to invest in adequate security tools, and internal organizational complexity preventing them from prioritising security.
The digital landscape is under siege. Surging browser-based phishing attacks, a 198% increase in just the second half of 2023, paint a chilling picture of cyber threats outsmarting traditional security.
Menlo Security’s 2023 State of Browser Security Report unveils this alarming trend, sounding the alarm for organizations and individuals alike.
The Rise Of Evasive Attacks
Gone are the days of easily identifiable phishing scams.
Cybercriminals are now armed with highly evasive techniques, bypassing conventional defenses like network filters and email scanners.
These HEATs (Highly Evasive Adaptive Threats), making up 30% of all browser-based attacks, employ tactics like:
SMS Phishing (Smishing): Luring victims with seemingly legitimate text messages.
Adversary in the Middle (AITM): Intercepting and manipulating web traffic on the fly.
Image-Based Phishing: Embedding malicious code within seemingly harmless images.
Brand Impersonation: Mimicking trusted websites to steal login credentials.
Multi-Factor Authentication (MFA) Bypass: Finding ways to circumvent even two-factor security.
Traditional security, built for known threats, stumbles against the lightning speed of zero-hour attacks.
These novel phishing campaigns, observed at over 11,000 in just 30 days, exploit the vast and vulnerable attack surface of modern browsers.
Worryingly, 75% of these attacks hide on trusted websites, cloaked in a veneer of legitimacy.
Despite technological advancements, the human element remains the weakest link.
Phishing preys on our inherent trust and cognitive biases, tricking us into divulging sensitive information.
This makes browser security the ultimate line of defense, protecting users at the point of interaction with the web.
Menlo Security: Shining A Light On The Dark Web
The report paints a stark picture, but not a hopeless one. Menlo Security offers a beacon of hope with its advanced browser security solutions.
Leveraging cutting-edge AI and machine learning, Menlo’s technology detects and thwarts even the most sophisticated evasive attacks.
Key Takeaways for a Safer Web:
Evasive threats demand a new approach: Traditional security falls short. Look to advanced browser security solutions powered by AI.
Zero-hour attacks lurk everywhere: Don’t let trusted websites lull you into a false sense of security. Remain vigilant and practice safe browsing habits.
Your browser is the frontline: Prioritize comprehensive browser security to shield yourself from evolving cyber threats
David Miller, Policy Advocate: “This report calls for increased collaboration between cybersecurity researchers, technology companies, and policymakers. We need to share threat intelligence, develop best practices, and create regulatory frameworks that incentivize stronger browser security measures.”
Organizations should adopt efficient incident response plans, regularly monitor email traffic for anomalies, and stay updated on emerging threats to stay ahead of the evolving email threat landscape withTrustifiAI-powered Email security solutions.
Framework Computer disclosed a data breach exposing the personal information of an undisclosed number of customers after Keating Consulting Group, its accounting service provider, fell victim to a phishing attack.
The California-based manufacturer of upgradeable and modular laptops says a Keating Consulting accountant was tricked on January 11 by a threat actor impersonating Framework’s CEO into sharing a spreadsheet containing customers’ personally identifiable information (PII) “associated with outstanding balances for Framework purchases.”
“On January 9th, at 4:27am PST, the attacker sent an email to the accountant impersonating our CEO asking for Accounts Receivable information pertaining to outstanding balances for Framework purchases,” the company says in data breach notification letters sent to affected individuals.
“On January 11th at 8:13am PST, the accountant responded to the attacker and provided a spreadsheet with the following information: Full Name, Email Address, Balance Owed.
“Note that this list was primarily of a subset of open pre-orders, but some completed past orders with pending accounting syncs were also included in this list.”
Framework says its Head of Finance notified Keating Consulting’s leadership of the attack once he became aware of the breach roughly 29 minutes after the external accountant replied to the attacker’s emails at 8:42 AM PST on January 11th.
As part of a subsequent investigation, the company identified all customers whose information was exposed in the attack and notified them of the incident via email.
Affected customers warned of phishing risks
Since the exposed data includes the names of customers, their email addresses, and their outstanding balances, it could potentially be used in phishing attacks that impersonate the company to request payment information or redirect to malicious websites designed to gather even more sensitive information from those impacted.
The company added that it only sends emails from ‘support@frame.work’ asking customers to update their information when a payment has failed and it never asks for payment information via email. Customers are urged to contact the company’s support team about any suspicious emails they receive.
Framework says that from now on, all Keating Consulting employees with access to Framework customer information will be required to have mandatory phishing and social engineering attack training.
“We are also auditing their standard operating procedures around information requests,” the company added.
“We are additionally auditing the trainings and standard operating procedures of all other accounting and finance consultants who currently or previously have had access to customer information.”
A Framework spokesperson was not immediately available for comment when BleepingComputer asked about the number of affected customers in the data breach.
MGM Resorts encountered a devastating cyberattack recently, incurring an approximate financial setback of $100 million. Unveiled on September 11, this digital attack led to the temporary shutdown of multiple systems within MGM’s various properties, disrupting operations and inflicting significant monetary losses.
DETAILS OF THE ATTACK
The digital onslaught on MGM Resorts wasn’t confined to a single property but spread across its flagship resort and other prestigious properties like Mandalay Bay, Bellagio, The Cosmopolitan, and Aria. The cybercriminals managed to disrupt a range of operations, from the functioning of slot machines and the systems overseeing restaurant management to the technology behind room key cards. Despite the containment efforts by MGM, the attackers successfully exfiltrated a diverse set of customer data, including but not limited to names, addresses, phone numbers, driver’s license numbers, Social Security numbers, and passport details. Fortunately, credit card details remained secure and unaffected.
ECONOMIC FALLOUT
The cyber intrusion had a profound economic impact on MGM Resorts, with losses estimated around $100 million. This financial blow is anticipated to ripple through the earnings of the third and fourth fiscal quarters. However, MGM remains optimistic, projecting a 93% occupancy rate in October and planning for a complete operational recovery in Las Vegas by November. Expenses related to the cyberattack, including consultancy fees, legal services, and other related costs, amounted to less than $10 million.
COMPROMISE OF CUSTOMER DATA
A vast array of customer data, from Social Security numbers to passport details, was pilfered during the cyber attack. The total count of individuals affected by this breach remains uncertain as MGM has not issued any comments on this matter. Proactive measures have been initiated by MGM Resorts to assist the victims of this data breach, including the establishment of dedicated phone lines and informational websites. The company also intends to reach out to the affected individuals via email, extending offers for identity protection services.
IDENTITY OF THE ATTACKERS
Initially, the cyberattack was attributed to hackers affiliated with a group known as Scattered Spider. This group later joined forces with a Russian ransomware collective known as Black Cat/AlphV. Scattered Spider has a notorious reputation, being implicated in several major cyberattacks over the past year, targeting entities like Reddit, Riot Games, Coinbase, and even another major player in the casino industry, Caesars Entertainment.
RECOVERY AND RESPONSE
In response to the cyberattack, MGM Resorts took immediate action by shutting down all its systems to thwart further unauthorized access to customer data. Since these initial countermeasures, the company’s domestic properties have seen a return to normalcy in operations, with the majority of systems that interact with guests being restored. Efforts are ongoing to bring the remaining affected systems back online, with full restoration anticipated in the near future.
CONCLUSION AND FUTURE IMPLICATIONS
The cyberattack experienced by MGM Resorts highlights the substantial risks and potential financial damages associated with digital security breaches in the hospitality sector. With the compromise of sensitive customer information and the incurrence of hefty financial losses, this incident serves as a stark reminder for all businesses in the industry to bolster their cybersecurity infrastructure to safeguard against future digital threats. The episode underscores the imperative for continuous investments in state-of-the-art cybersecurity mechanisms and protocols to preemptively mitigate the risks of future cyber-attacks and protect sensitive customer data.
Threat actors have begun utilizing an innovative approach to zero-point font obfuscation, a pre-existing technique, in an attempt to deceive users of Microsoft Outlook. They do so by creating an illusion that certain phishing emails have been thoroughly scanned and cleared by antivirus programs, thus increasing the chances of these deceptive emails bypassing security protocols. This not only aids in evading security measures but also enhances the probability of recipients falling prey to these fraudulent schemes.
Jan Kopriva, an analyst at the SANS Internet Storm Center, encountered a phishing email that cleverly employed text written in zero-pixel size font. This technique, originally documented by Avanan (a subsidiary of Check Point) researchers in 2018 and known as ZeroFont Phishing, was being utilized in a distinct and innovative manner, according to Kopriva’s observations. Historically, cyber attackers have integrated zero font size text within phishing emails to disrupt the continuity of text that is visible, making it increasingly difficult for automated email scanning systems like those implemented by Outlook to flag suspicious emails.
However, Kopriva noticed a variation in the use of the ZeroFont technique, which diverged from its original purpose. Instead of utilizing it to obstruct automated scanning systems from labeling the email as potentially harmful or fraudulent, it was applied to craft an illusion of trustworthiness for the recipient. Kopriva elaborated that the technique was being used to modify the text that is usually displayed in Outlook’s listing pane—a section adjacent to the body of emails that provides users with a sneak peek into the email content.
Rather than presenting the typical email subject line followed by the initial few lines of the email—which could potentially raise red flags about a phishing attempt—the listing pane under this technique displayed the subject line and an additional line of text. This added text falsely indicated that the email had undergone a security scan and was deemed safe by a threat protection service.
Avanan researchers have also discovered another manipulation of this technique, dubbed the “One Font” technique. In these instances, threat actors embed extremely small text within the zero- or one-point font range as part of their strategy to develop more elusive and sophisticated phishing scams. This minuscule font size effectively dismantles email scanning techniques relying on semantic analysis, generating confusion for the scanning systems while remaining undetectable to the recipients due to its unreadable size.
In the specific phishing email Kopriva analyzed, the attackers ingeniously incorporated text that implied the email had been verified and secured. This was achieved by inserting text in zero font size ahead of the email’s actual content. As a result, in Outlook’s listing pane, the user would see text confirming the email’s security status immediately below the subject line—instead of the true opening line of the phishing email. This deceptive approach takes advantage of Outlook’s method of displaying email text, thus exploiting it to the attacker’s benefit.
Kopriva acknowledged the possibility that this tactic has been deployed undetected for a while now. Nonetheless, it represents an additional tool in the arsenal of cyber threat actors, enhancing their ability to launch effective phishing campaigns. As defenders against cyber threats, awareness of this tactic is crucial. He recommends that organizations actively engaged in conducting security awareness training focused on phishing should incorporate information on this technique. This knowledge would empower employees to recognize and appropriately respond to deceptive emails employing this technique as an anti-detection strategy, thus fortifying organizational defenses against such cyber threats.
TeamsPhisher is a Python3 software that was designed to make it easier for phishing messages and attachments to be sent to users of Microsoft Teams whose companies or organizations permit connection with outside parties. It is not feasible to transfer files to users of Teams who are not part of one’s company in most circumstances. Recently, Max Corbridge (@CorbridgeMax) and Tom Ellson (@tde_sec) from JUMPSEC published a means to circumvent this limitation by modifying HTTP requests made by Teams in order to change who is sent a message with an attached file.
TeamsPhisher utilizes a number of other techniques, including some of Andrea Santese’s (@Medu554) older ones, in addition to this one.For the authentication component of the attack flow as well as other basic utility functions, it relies significantly on TeamsEnum, a brilliant piece of work that was developed by Bastian Kanbach (@bka) of SSE.
TeamsPhisher’s goal is to include the most useful aspects of the aforementioned projects in order to provide a method that is robust, fully adaptable, and highly effective for authorized Red Team operations to use Microsoft Teams for phishing in access-related circumstances.
You will need to provide TeamsPhisher with an attachment, a message, and a list of people to target. After that, it will go over the list of targets while simultaneously uploading the attachment to the sender’s Sharepoint.
First, TeamsPhisher will enumerate the target user and check to see whether that person really exists and is able to receive messages from the outside world. After that, it will initiate a new conversation with the person you choose. Note that this is technically a “group” conversation since TeamsPhisher contains the target’s email address twice; this is a clever hack from @Medu554 that will circumvent the “Someone outside your organization messaged you, are you sure you want to view it” splash screen that might offer our targets a reason to stop and think twice about viewing the message.
The user who was identified will get the message that was sent to them along with a link to the attachment that was stored in Sharepoint after a new thread has been established between our sender and the target.
After this first message has been sent, the newly established thread will be visible in the sender’s Teams GUI and may be engaged with manually, if necessary, on a case-by-case basis. Users of TeamsPhisher are required to have a Microsoft Business account (as opposed to a personal one such as @hotmail, @outlook, etc.) that is licensed for both Teams and Sharepoint in order to utilize the software.
This indicates that you will require an AAD tenant as well as at least one user who has a license that corresponds to it. At the time of publishing, the AAD licensing center does have some free trial licenses available for download that are capable of meeting all of the prerequisites for using this product.
Before you may utilize the account with TeamsPhisher, you will have to ensure that you have at least once successfully logged into the personal Sharepoint site of the user with whom you will be exchanging messages. This should be something along the lines of tenantname-my.sharepoint.com/personal/myusername_mytenantname_onmicrosoft.com or tenantname-my.sharepoint.com/personal/myusername_mytenantname_mycustomdomain_tld. Alternatively, you could also use tenantname-my.sharepoint.com/personal/myusername_mytenantname_onmicrosoft.com.
In terms of the needs of the local community, We strongly advise upgrading to the most recent version of Python3. You will also require the authentication library developed by Microsoft:
To upload the file to a Sharepoint site, you will need to manually give the site’s name. This would most likely be required in the event if the sender’s tenant makes use of a unique domain name (for example, one that does not adhere to the xxx.onmicrosoft.com norm). Just the singular name should be used; for instance, if your SharePoint site is located at mytest.sharepoint.com, you should use the –sharepoint mytest option.
Replace TeamPhisher’s standard greeting (“Hi,”) with a personalized greeting that will be appended to the message that is supplied by the –message option. For instance, “Good afternoon,” or “Sales team,” are examples.
By default, the Sharepoint link that is provided to targets may be accessed by anybody who has the link; to restrict access to the Sharepoint file so that it can only be viewed by the target who got it, use the –securelink option. It’s possible that this will help shield your virus from the blue team.
TeamsPhisher will make an effort to determine the first name of each person it is targeting and will use that name in the welcome it sends to them. For instance, tom.jones@targettenant.onmicrosoft.com would get an email with the greeting “Hi Tom, ” as the first line of the message. This is not ideal and is dependant on the format of the emails that are being targeted; use the –preview option to see whether or not this is a suitable match for the list of emails that you are targeting.
The preview version of TeamsPhisher will be executed. This will NOT send any messages to the target users; instead, the “friendly” name that would be used by the –personalize option will be shown. In addition, a sample message that is indicative of what targets would receive with the current settings will be delivered to the sender’s Teams. You may log in to check how your message appears and make any required adjustments to it.
You may choose to have a delay of x seconds between each message sent to targets. Can be of assistance with rate-limiting concerns that may arise.
TeamsPhisher will determine which accounts are unable to receive messages from third-party organizations, which accounts do not exist, and which accounts have subscription plans that are incompatible with the attack vectors.
TeamsPhisher now enables login with sender accounts using multifactor authentication (MFA), thanks to code contributed by the TeamsEnum project.
If you use the –securelink flag, the recipients of the message will see a popup asking them to verify themselves before they can view the attachment in Sharepoint. You have the ability to determine if this adds an excessive number of additional steps or whether it adds ‘legitimacy’ by sending them via the actual Microsoft login feature.
Mitigation By changing the choices associated with external access, which can be found in the Microsoft Teams admin center under Users > External access, companies may reduce the risk that is provided by the vulnerability that has been discovered.
Organizations are provided with the freedom to pick the optimal rights to match their requirements by Microsoft, including the ability to whitelist just particular external tenants for communications and a global block that prevents any communications from occurring.
Resecurity has identified a large-scale smishing campaign, tracked as Smishing Triad, targeting the US Citizens.
Earlier episodes have revealed victims from the U.K., Poland, Sweden, Italy, Indonesia, Japan and other countries – the group was impersonating the Royal Mail, New Zealand Postal Service (NZPOST), Correos (Spain), Postnord, Poste Italiane and the Italian Revenue Service (Agenzia delle Entrate). Similar scams have been observed before targeting Fedex and UPS.
The bad actors attributed to Chinese-speaking cybercriminals are leveraging a package tracking text scam sent via iMessage to collect personal (PII) and payment information from the victims with the goal of identity theft and credit card fraud. The cybercriminal group with the associated campaign has been named “Smishing Triad” as it leverages smishing as the main attack vector and originates from China.
Smishing is a form of phishing that involves a text message or phone number. Victims will typically receive a deceptive text message that is intended to lure the recipient into providing their personal or financial information. These scammers often attempt to disguise themselves as a government agency, bank, or other organization to lend legitimacy to their claims, for example, a postal service like the United States Postal Service (USPS), asking to pay additional delivery fees via credit card. Once the victim shares payment information, the bad actors use it for fraudulent purposes and unauthorized charges.
Expecting the spike of this activity during summer time, USPS has timely warned about the growing risk of package tracking text scams sent via SMS/iMessage. The spike of this activity has been observed during August with big number of domain names registered by attackers.
The notable detail of “Smishing Triad” campaign is that bad actors used solely iMessage sent from compromised Apple iCloud accounts as the main delivery method of malicious messages to victims instead of traditional SMS or calls how it was done in other scam campaigns like “PostalFurious” and “RedZei” observed by other researchers in the past.
“Smishing Triad” also attacks online-shopping platforms and injects malicious code to intercept customer data. Around July 19, 2023 – there was identified a campaign conducted by the same actors targeting popular online-shopping platforms with malicious scenarios containing payment form impersonating Sumitomo Mitsui Banking Corporation (SMBC). Around same time, there were also identified customized forms impersonating New Zealand Transport Agency and the Agenzia delle Entrate (the Italian Revenue Agency), that enforces the financial code of Italy and collects taxes and revenue.
The bad actors also distribute an engine of fake online-shop (TrickyCart) allowing them to defraud consumers with a pseudo 3D Secure Payment form impersonating popular payment systems and e-commerce platforms including Visa, Mastercard and PayPal.
“Smishing Triad” has own Telegram channel with over 2,725 members on it and several private groups. The actors are weaponizing other cybercriminals by selling them customized ‘smishing kits’ targeting popular U.S., U.K. and EU brands – starting at $200 per month provided on subscription with further support. Resecurity has identified a group of domain names used by “Smishing Triad” registered in “.top” zone via NameSilo and protected by Cloudflare around August 2023. Notably, some of the domain names are still functioning as well as the identified Telegram group managed by the actors.
After acquisition of the ‘smishing kit’, Resecurity was able to identify a vulnerability acting as a hidden backdoor in the code allowing actors to silently extract collected personal and payment data from their clients. According to researchers, such scenarios are widely used by cybercriminals in password stealers and phishing kits allowing them to profit from efforts of their clients or at least to monitor their activity. Resecurity was able to recover over 108,044 records with victims’ compromised data in order to alert them about identity theft. The collected information has been shared with relevant law enforcement agencies and the United States Postal Inspection Service.
Resecurity highlighted that it may be complicated to disrupt such cybercriminal activity committed by foreign actors located in jurisdictions like China without proper law enforcement and industry collaboration. Therefor, Resecurity is sharing the information about the “Smishing Triad” with the wider community and network defenders to raise awareness and safeguard their customers.
Further technical details are available in the report published by ReSecurity.
Phishers are using encrypted restricted-permission messages (.rpmsg) attached in phishing emails to steal Microsoft 365 account credentials.
“[The campaigns] are low volume, targeted, and use trusted cloud services to send emails and host content (Microsoft and Adobe),” say Trustwave researchers Phil Hay and Rodel Mendrez. “The initial emails are sent from compromised Microsoft 365 accounts and appear to be targeted towards recipient addresses where the sender might be familiar.”
Phishing emails with Microsoft Encrypted Restricted Permission Messages
The phishing emails are sent from a compromised Microsoft 365 account to individuals working in the billing department of the recipient company.
Phishing email with a encrypted restricted-permission message (Source: Trustwave)
The emails contain a .rpmsg (restricted permission message) attachment and a “Read the message” button with a long URL that leads to office365.com for message viewing.
To see the message, the victims are asked to sign in with their Microsoft 365 email account or to request a one-time passcode.
After using the received passcode, the victims are first shown a message with a fake SharePoint theme and are asked to click on a button to continue. They are then redirected to a document that looks like it’s hosted on SharePoint but it’s actually hosted on the Adobe’s InDesign service.
They are again asked to click on a button to view the document, and are taken to a domain that looks like the one from the original sender (e.g., Talus Pay), featuring a progress bar.
In the background, the open source FingerprintJS library collects the user’s system and browser information and, finally, the victim is shown a spoofed Microsoft 365 login page and is asked to sign in with their credentials.
Hiding from security solutions
“The use of encrypted .rpmsg messages means that the phishing content of the message, including the URL links, are hidden from email scanning gateways. The only URL link in the body of the message points to a Microsoft Encryption service,” Hay and Mendez noted.
“The only clue that something might be amiss is the URL has a specified sender address (chambless-math.com) unrelated to the From: address of the email. The link was likely generated from yet another compromised Microsoft account.”
They advise organizations to:
Block, flag or manually inspect .rpmsg attachments
Monitor incoming email streams for emails originating from MicrosoftOffice365@messaging.microsoft.com and having the subject line “Your one-time passcode to view the message”
Educate users about the consequences of decrypting or unlocking content from unsolicited emails
Every day tens of thousands of Spear phishing emails are sent to millions of victims around the world.
Cyber-attacks have different pathways now; they can strike you from inside or outside, with equal damages across your network.
Targeted takedowns could be critical if analyzed and executed with absolute precision.
In this guide. We’ll look at Spear Phishing Attacks, techniques, examples, mitigation procedures, and a few best practices.
What is Spear Phishing?
Spear Phishing is a malicious practice that executes via Email campaigns that hackers research their target audience, understand their likes and dislikes, study their day to day operations, and customize the mail to steal sensitive data and install malware. This type of targeted email campaign deployment to infiltrate their target audience group is called Spear Phishing Attack.
Any anonymous email that drops into your inbox from an unknown sender can be assumed to be phishing Attack. Blasting millions of emails to the database of email id’s with malicious intent is called phishing.
It could be for the deployment of malware, remote code executions and more, however, this phishing may not be rewarding for hackers.
How does Spear Phishing Attack Work?
Spear Phishing is executed in four stages,
Target identification
Studying the target’s behavior
Customizing the message
Blasting emails
Target identification:
The hackers initially identify their target victims by narrowing down their audience based on their motive of the campaign, this could be targeted at corporate in a particular vertical or patients of a healthcare company.
The identification procedure is divided into two stages, the primary and secondary target, primary target will be executives working for an MNC, who will be receiving the blasted emails and the secondary target will be the key ones who will have access to business sensitive information.
These primary targets that have become victims to the spear phishing attack will be manipulated to exploit the secondary targets.
Studying the target’s behavior:
Gathering information about the targeted audience by digging deep into their social media profiles, job sites, portfolios, comments, likes and groups they belong to, and communities they belong to. One way or another the hackers will gain their personal information like email, phone numbers, first name, surname, history of experience, schooling, college, area of expertise and more which they will use to influence their potential targets.
Customizing the message
Hackers will customize their emails and message based on the information collected from these external resources for better open rates and reduced bounce rates. Once a successfully established message is obtained they will proceed for the email blasting procedure.
Blasting emails
After all the research hackers will prepare their attack vector and strategy to ensure the mail gets delivered to the target audience inbox and not into the spam folder.
They will disguise the sender details to be a legitimate one, to ensure the proper delivery of the mail is made and the end user opens it as expected.
After opening the email, the user will click a link or download an attachment-based on the content as it is made accurate.
With all research, the CTR will definitely be high. Thanks to the reliability of the mail crafting procedures the hackers have implemented.
What are 3 types of Spear-phishing emails?
Usually, hackers prefer one of three techniques below to manipulate their target audience.
Impersonation
Personalization
Emotional Response
Impersonation
As the name defines, hackers pretend to be someone else or a legal entity to establish trust and elude with data. This technique is very commonly used by disguising a genuine person or entity in the sender section with an indistinguishable subject line.
Personalization
This technique has an excellent success rate, as the message is very much customized for the recipient so he believes that this email will be of use to him or for his profession in general.
Emotional Response
This technique creates a fear, happiness, shock or surprise to make the end user open the mail and click/download the malicious content as planned.
What is an example of spear phishing?
Examples of Spear Phishing Attacks are very much targeted and often have disastrous outcomes for enterprises, below are few examples for successful spear phishing attacks.
Ubiquite Networks Inc
This Company paid more than USD $40 million in 2015, as a result of spear phishing attack because of a CEO fraud. The emails were impersonated as if they were from senior executives to transfer funds to a third party entity in Hong Kong, which was then found to be some anonymous entity and not a genuine third party.
RSA
RSA is a leading security firm but unfortunately, even they themselves become victim to a targeted spear phishing attack in 2011.
Mails with subject line ‘2011 Recruitment Plan’ were blasted, though most of it was marked as spam one user opened it, leading to the deployment of malware into the infected system and eventually gave remote access to the hackers to infiltrate the computer and network.
Amazon
Amazon is another leader among the fortune 500 companies, targeting this firm will definitely improve your success rates for spear phishing.
In 2015, a mass spear phishing attack was unleashed targeting Amazon customers with a subject line ‘Your Amazon.com order has been dispatched’, followed by a code.
However, unlike the normal emails from Amazon, where you could see the dispatch status directly in the mail or via your Amazon account, in this case, it was mentioned to be available in the attachment.
Few employees become prey to this maneuver and a Locky ransomware was downloaded and installed in the infected systems to encrypt data and demand ransom.
How can you protect yourself from phishing?
Spear phishing prevention is a process that depends on different factors like awareness, tools, education, emotional response and more. Below are the best practices that both organizations and individuals should practice to protect yourself from phishing,
Increasing cyber awareness
Employing cyber tools
Identifying fake emails
Avoiding clicks and attachments
Avoid mails that force urgency
According to a report from Intel 97% of people were unable to identify a phishing mail. The best suggestion to apply spear phishing prevention by creating cyber awareness and improving cyber education. Spear phishing prevention is a process that will depend on a number of factors and their amount of precision.
Increasing cyber awareness:
Organizations and individuals should improve their cyber awareness either themselves or through cyber guidelines. Understanding the attack vectors, their mechanisms, procedures and possible procedures can help the end users and individuals prepare themselves any potential phishing scams and ensure they avoid them all times.
Employing cyber tools
As already mentioned in earlier sections, no tools are good against phishing attacks but properly configured browser policies, email filters, and endpoint configurations can reduce the chances of becoming a victim to phishing scams. GPO policies for stronger passwords and firewall configurations could also help organizations secure their users against phishing mails.
Identifing fake emails
Users can also distinguish between a genuine and fake mail by looking at the subject line, the sender and the relativity. Based on the content of the email this can be re-confirmed. Any unknown senders or purpose of the mail could be a potential phishing scam.
Avoiding clicks and attachments
Not all phishing scams do work when the mail is opened, most is switched ON only when the link in the mail is being clicked or an attachment is being opened. So the users need to ensure they are aware of the links and attachments, perhaps by hovering over the link or looking at the attachment file.
Avoid mails the force urgency
Users should avoid emails that create an urgency; emotional response is what will become prey to these sort of phishing emails. Any emotional mail that create a fear, surprise, shock, or personalized emotional response based on your tax, and health metrics should be avoided.
Spear Phishing Infographic
Organizations need to have few policies and configurations in place to keep phishing mails away from the enterprise network, however when users expose themselves to public networks only a self-analysis and cyber practices can keep them safe against spear phishing attack.
If you guys have ever experienced a phishing email, or do have an example to share, please free to comment below your experiences and message so we will see some real-time information on this threat.
Spear phishing attacks are hard to detect and mitigate, so keep your browsers and firewalls active and updated.
Welcome to our February 2023 review of phishing attacks, in which we explore the latest email scams and the tactics that cyber criminals use to trick people into handing over personal data.
This month, we look at a UK government warning about a resurgence in Russian cyber attacks and concerns that the much-discussed AI programme ChatGPT could be used for fraud.
UK government warns of Russian-sponsored phishing campaign
The UK government has issued a warning amid an increase in phishing attacks stemming from Russia and Iran.
In an advisory statement, the NCSC (National Cyber Security Centre) shared details about the campaign, which appears to have been sponsored by the fraudsters’ national governments.
The researchers are most concerned about spear phishing, which is a sophisticated form of fraud. Scammers target specific individuals by researching them online – often using Facebook, LinkedIn or the website of the target’s employer.
Although spear phishing emails often contain the same clues as regular phishing scams, they have a much higher success rate. This suggests that people are more likely to assume that a message is genuine if it contains a few specific details about them, such as their name or their place of work.
The NCSC’s advisory highlights ongoing scams that were conducted throughout last year by the Russia-based group SEABORGIUM and the Iran-based group TA453, also known at APT42.
Their attacks target specific sectors within the UK, including academia, defence, governmental organisations, NGOs and thinktanks, as well as politicians, journalists and activists.
Commenting on the findings, NCSC Director of Operations Paul Chichester said: “The UK is committed to exposing malicious cyber activity alongside our industry partners and this advisory raises awareness of the persistent threat posed by spear-phishing attacks.
“These campaigns by threat actors based in Russia and Iran continue to ruthlessly pursue their targets in an attempt to steal online credentials and compromise potentially sensitive systems.
“We strongly encourage organisations and individuals to remain vigilant to potential approaches and follow the mitigation advice in the advisory to protect themselves online.”
Experts concerned that ChatGPT could be used for scams
ChatGPT has taken the Internet by storm, with the AI-backed tool helping writers and hobbyists create content almost instantly.
The program’s advanced language model has been championed by people looking to quickly produce quotes, articles and think pieces. However, cyber security experts are warning that another group – scammers – could also embrace the technology.
As Chester Wisniewski, the principal research scientist as Sophos, explained, ChatGPT can instantly produce grammatically correct and natural-looking writing, which would resolve one the biggest challenges that scammers face when creating their baits.
“The first thing I do whenever you give me something is figuring out how to break it. As soon as I saw the latest ChatGPT release, I was like, ‘OK, how can I use this for bad things?’ I’m going to play to see what bad things I can do with it,” Wisnieski told TechTarget.
One of those ‘bad things’ that he considered was the ability for ChatGPT to create phishing scams.
“If you start looking at ChatGPT and start asking it to write these kinds of emails, it’s significantly better at writing phishing lures than real humans are, or at least the humans who are writing them,” he said.
“Most humans who are writing phishing attacks don’t have a high level of English skills, and so because of that, they’re not as successful at compromising people.
“My concerns are really how the social aspect of ChatGPT could be leveraged by people who are attacking us. The one way we’re detecting them right now is we can tell that they’re not a professional business.
“ChatGPT makes it very easy for them to impersonate a legitimate business without even having any of the language skills or other things necessary to write a well-crafted attack.”
Can you spot a scam?
All organisations are vulnerable to phishing, no matter their size or sector, so it’s essential to understand how you might be targeted and what you can do to prevent a breach.
This 45-minute course uses real-world examples like the ones we’ve discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.
This recent phishing campaign tricks victims by using Facebook posts in its chain of attacks. The emails that were sent to the targets made it appear as though one of the recipients’ Facebook posts violated copyright, and they threatened to remove their accounts if no appeal was made within 48 hours.
Phishing email message
“The content of this Facebook post appears legitimate because it uses a dummy ‘Page Support’ profile with the Facebook logo as its display picture. At first glance, the page looks legitimate, but the link provided in this post leads to an external domain”, according to Trustwave.
Here the Facebook post pretends to be “Page Support,” using a Facebook logo to appear as if the company manages it.
Facebook post masqueraded as a support page
The main phishing URL, hxxps:/meta[.]forbusinessuser[.]xyz/main[.]php, which resembles Facebook’s copyright appeal page, is reached by clicking the link in the post.
Particularly, any data that victims enter into the form after hitting the send button, along with the victim’s client IP and geolocation data will be forwarded to hackers.
Also, threat actors may gather more data to get through fingerprinting protections or security questions while gaining access to the victim’s Facebook account.
The victim is then redirected to the next phishing website, where a false 6-digit one-time password (OTP) request with a timer is displayed.
Phishing page with OTP request
Any code entered by the victim will fail, and if the “Need another way to authenticate?” button is pressed, the site will redirect to the real Facebook site.
According to Trustwave, multiple Facebook profiles have fake messages that look to be support pages and direct users to phishing websites.
Various Facebook accounts promoting the same fake alerts
Therefore, these fake Facebook ‘Violation’ notifications use real Facebook pages to redirect to external phishing sites. Users are urged to take extreme caution when receiving false violation alerts and to not fall for the initial links’ seeming legitimacy.
A phishing scam is not only about stealing your login credentials, but it can also install malware, including ransomware, which is why it is essential to learn how to tackle this growing threat.
The number of phishing scams reported in the first quarter of 2022 set a new record of over one million total attacks, according to a report by the Anti-Phishing Working Group.
And the scams have been growing fast in recent years. The number of attempts reported in the first quarter of 2022 is more than triple the average numbers just two years before, in early 2020.
With so many attacks underway—and growing by the day—what’s the best way to recognize these scams and prevent them? We’ll look at how to recognize and protect yourself from the most common types of phishing fraud. Meanwhile, you can also learn how to detect phishing images in an email.
Most prevalent types of phishing scams
Phishing today refers to a type of scam that steals people’s personal information by posing as a trusted third party. For example, a scammer might pretend to be a government worker to get you to share your Social Security number or pretend to be from your bank to get you to share account details.
With so many communication channels today, there are more phishing methods than ever before. And scammers have adapted to each type of channel by leveraging trust signals inherent to each one.
This can make it hard for the untrained eye to spot a phishing scam and even difficult to recognize if you’ve been hackedafter falling for an attack. The first sign that tips off most victims is an unexpected charge, damaged credit score, or depleted bank account.
Here are the six most common types of phishing scams and how to protect yourself.
1. Email scams
Anyone can fall for an email scam; this U.S. judge did. By far the most common type of phishing attack is via email. You’re probably familiar with the spam emails we all get on a day-to-day basis, but the most sophisticated phishing attacks look very different.
These emails often look identical to official messages and notifications, including the company’s logo and exactly the same content as a real message. For example, one of today’s most common scams is a message notification from LinkedIn that’s almost impossible to tell apart from the real thing.
How to protect yourself:
Never click on links in emails. Instead, visit the official site.
Beware of email addresses that aren’t from the business domain, especially if the address is from a free provider like Gmail.
Another common method fraudsters use to trick victims is over the phone. These calls usually claim to have a one-of-a-kind offer or urgent, life-threatening warning.
Most scammers use a VoIP phone system that lets them change the phone number, meaning the call appears as though it’s from a local number even if it’s not.
How to protect yourself:
Never answer calls from numbers you don’t recognize, even if it has a local area code.
Don’t return calls from numbers. you don’t recognize (one type of scam collects expensive per-dial and per-minute fees, hoping you’ll call back).
Remember that most U.S. government agencies, including the IRS, Medicare, and the Social Security Administration, almost never call by phone and do not have the power to arrest you.
3. Phishing websites
One of the most common destinations for phishing scams is a fraudulent site that looks like the official website. The cloned site will often be identical to the real page, using the company’s logos, color scheme, and fonts.
After establishing trust with the design, the site will ask you to share personal information, anything from your email and password to your Social Security number or bank account details. For example, this attack impersonating American Express used an email message and web page almost impossible to tell apart from the real brand.
Phishing email and the phishing page (Screenshots via Armorblox)
How to protect yourself:
If you get a message with a link—even if it looks trustworthy—go to the official site instead.
Check the URL of a website to make sure it’s correct. (You’ll notice the American Express phishing page above comes from a site other than AmericanExpress.com.)
Don’t automatically trust an HTTPS connection. The “green padlock” icon is an important trust signal, but it doesn’t mean a site is safe. Hackers can use them on phishing sites, too.
4. SMS text message scams (smishing)
Text messages don’t have much space for the scammer’s message, but that hasn’t stopped criminals from trying new tactics to trick innocent victims. The goal of most SMS scams is to get you to click on a link or make a call, so immediately be suspicious of any message with a link or number (though of course, some legitimate messages have these as well).
One of the most common ruses right now with text scams is, ironically enough, helping to protect you from scams. You’ll often see a message “confirming” an expensive purchase or withdrawal, directing you to a number or link to cancel or investigate. There is nothing to cancel or investigate, but the scammer will pretend to resolve the situation by collecting your personal data for a future attack.
How to protect yourself:
Don’t trust texts from numbers you don’t recognize. Instead, visit the official site.
Beware of texts that use vague terms like “your bank” or “package service.” Scammers use these (instead of actual company names) so the message can apply to anyone.
Don’t reply to scam messages, even unsubscribe. This only confirms you have an active number and will result in more attacks.
5. Social media phishing
Social media has become one of the more recent additions to the phishing repertoire. Scammers reach out either using a fake lookalike account or a compromised account.
One common ruse is a friend reaching out for help, usually with an authentication code. But it’s not a friend—it’s a scammer who’s taken over their account and is trying to take over yours. Another ruse is a message from someone posing as the official company support account, asking you to provide information to verify you’re the authentic owner or to keep your page active.
Fake Support chatbot (Image: Trustwave)
How to protect yourself:
Beware of anyone who reaches out and asks for personal information or verification codes, even if they appear to be coming from a friend.
Don’t respond to messages from “official” accounts. If you’ve received an alert from the social networking site, it’ll usually appear in your account settings.
Don’t ever share your social media password with a third-party website.
6. Man-in-the-middle attack
This type of phishing scam requires the attacker to be nearby but can be one of the most dangerous because it’s almost impossible to detect. It works when you and the attacker are on the same Wi-Fi network, like at a coffee shop or airport. The attacker intercepts everything you send and receive and can redirect your browser to safe sites to look-alike sites without you knowing.
Once the attacker has set up a man-in-the-middle attack, they can see almost all the information you share, including usernames, passwords, credit card details, and more.
How to protect yourself:
Never use public Wi-Fi networks. A better option is to connect to a hotspot from your cell phone, which has a secure and private connection.
If you have to use public Wi-Fi, turn on a VPN. This can protect you against most types of man-in-the-middle attacks and safeguard your personal details.
How to prevent phishing
Every type of phishing requires a slightly different method to spot, and scammers are constantly developing new methods that leverage our weaknesses. But there are a few common warning signs you can look for across different types of phishing attacks.
Unfamiliar senders. Emails, texts, or calls from people you don’t recognize are automatically suspect.
Poor spelling or grammar. Major corporations pay careful attention to small details like this. Scammers, on the other hand, don’t usually worry about a few typos and often use poor English.
Urgency and threats. Scammers demand immediate action or scare you using intimidation tactics, like arrest or deportation, so you don’t recognize warning signs of a scam.
Unusual payment methods. Phishing scams often take the opportunity to charge a “fee” for a service but will only accept forms of payment like gift cards, money orders, or cryptocurrency. Legitimate businesses use other methods.
What to do if you’re a victim of phishing
You’ve learned how to protect yourself from phishing scams, but what if you’ve already fallen victim? If you know you’ve shared information with a scammer, here’s what you should do, based on what information you’ve shared.
Credit or debit card details. Call the issuing company and have the card canceled immediately. Ask to reverse or dispute any fraudulent charges.
Login details or passwords. Log into the compromised account, change the password, look for an option to close all active sessions, and add two-factor authentication if possible. Do the same for any other accounts using the same password.
Medical insurance information. Call your insurance company and any impacted companies, explain the fraud, and dispute any fraudulent charges.
Social Security number. Set up a credit freeze at each of the three credit bureaus (Experian, Equifax, and TransUnion). This prevents anyone from requesting credit in your name.
Name, email, date of birth, or other information. Keep a close eye on your accounts for signs of identity theft.
No matter what kind of information you’ve shared, it’s always a good idea to report the fraud to the Federal Trade Commission at IdentityTheft.gov. Filing the report helps protect others, gives you documentation of the attack, and will provide you with recovery steps specific to your situation
Conclusion
Phishing attacks are on the rise, and scammers are developing even more intricate scams all the time. But if you know the most common warning signs and stay vigilant, you can protect yourself and take quick action in case you’ve been compromised.
With the release of the PhaaS platform called ‘Caffeine’, threat actors can now easily launch their own sophisticated phishing attacks. Anyone who wants to start their own phishing campaign will be able to register on this platform through an open registration process.
Caffeine has been thoroughly tested by the analysts at Mandiant. This is a free and open-source platform that does not require any specific requirements like the following to use its portal for launching Phishing campaigns:-
No invites or referrals required
No approval needed
No social shares required
No specific joining or subscription to any social channel or hacking forum is needed
