Tag Archives: Phishing

Very Creative Phishing Attack

It all starts with a calendar invite, but there is a setup. The con is that your bank account has been compromised and you need to fix it.

The attack starts with an email titled (like) “Fraud Detection from Message Center”. This part of the attack uses a real but compromised Office 365 account, complete with legit email security like DKIM and SPF.

The invite is hosted on the real Office 365 Sharepoint.com and contains a link. Clicking on the link causes another relatively simple document to open with another link.

Since hackers are equal opportunity crooks, when the user clicks on this link, they get transferred to a phishing site hosted at Google where the user is presented with a very convincing Wells Fargo site page.

The user is then prompted for the login information, PIN, various account number details and email credentials.

Assuming the user falls for all of this, they are taken to a legitimate Wells Fargo login page designed to make the user think the account was secured, when in fact, the user just gave the hacker the keys to the cookie jar. And likely all of his or her money.

According to the security vendor (Cofence), this is not the first time that hackers have used Google’s infrastructure to host malware. Credit: SC Magazine

So what should you be doing?

Education. Education. Education.

Anti-phishing training should be a requirement at all companies and for all employees. At the low end there is free training, but for most companies, there is a moderate cost solution that is highly effective.

Some companies send the same phishing email to everyone, maybe once a quarter. That is not an effective approach to train employees. The program needs to be much more active in order to be effective.

As you can see from the sophistication of the attack above, the hackers are working overtime to steal your money.

You need to work equally hard to protect it.

If you need help with your anti-phishing training, please contact us.

Security News for the Week Ending May 8, 2020

The Contact Tracing Horror Begins

The UK is now saying that all of the contact data that they are collecting from the app people install on their smart phones – that data may be kept by the government forever and no, you can’t ask them to delete it. Credit: The Register

Singapore will require smartphone checkins including people’s national identity number at all businesses. People have to both check in and check out. But, not to worry, it will only be used by “authorised” people. Not only will you have to do that when you enter a business, but also when you go to the mall or the park. Credit: The Register

And India made contract tracing app mandatory in ‘hot-spots’, which could be a problem given that half the population does not own a smart phone. Credit: The Register

Governments have found a great new source of data to mine and sell.

Hackers Have Figured Out How to Make a Plane Go Up or Down at up to 3,000 feet a minute

TCAS, the collision avoidance system that the aircraft industry and governments have adopted to ‘discourage’ planes from crashing into one another by telling two planes that are close to one another to move in opposite directions from each other, is, apparently, susceptible to hacking.

The hack works by presenting phantom data to a plane that it is about to collide and needs to dive or climb. Some TCAS systems can even take over the controls. As I recall, TCAS has no security protocol as part of the system and just trusts the data it receives.

While technically pilots can disable the system to mitigate the risk, we saw how well that concept worked with the now-grounded 737 Maxs. Pilot tend to trust their instruments way more than they should. Credit: The Register

Hacking Campaign Targets 900,000 WordPress Sites

Hackers targeting WordPress sites that are not current on their patches. Wordfence security saw 20 million attack attempts on over a half million servers on May 3rd alone. The attack redirects visitors to malvertising and administrators get to deploy a free backdoor for the hackers. If you are not running Wordfence on your WordPress site, do that now. If you are not current on your patches, well, it might be too late. Credit: Bleeping Computer.

Covid-19 Themed Phishing Subjects

As Coronavirus becomes the topic of the day, hackers are using themes like these:

  • Because of COVID-19, payroll is making adjustments and we need to update account information (see hyperlink)
  • Your office location is closed, please remote in today (see hyperlink)
  • Al employees are asked to sign in (see hyperlink) and update their wellness status
  • Relief donations are being solicited (see hyperlink)

Now would be a good time to up your anti-phishing training, but be understanding that this is likely a stressful time for employees. Credit: NCMS mailing list

Ransomware. Ransomware. Ransomware

New York based law firm Grubman Shire Meiselas & Sacks, who represents dozens of A-List artists such as Madonna, Lady Gaga, Elton John, Robert de Niro and many others was hacked by the Sodinokibi ransomware group.

The hackers claim to have stolen over 750 GB of data and has published snippets of a number of documents. This hacking group is very financially successful. Given who the clients are, money is not an object and their ability to sue this law firm out of existence is also probably a good guess.

I suspect a ransom payment will be made. Not in Bitcoin – too traceable. These guys only accept Monero.

For companies that store any kind of sensitive information, this is a heads up. We are hearing about this happening (stealing your information and demanding a ransom not to publish it) every single day. Good backups will not protect you from this type of attack. Credit: Bleeping Computer

Massive Docusign Phishing Attack After Breach

Docusign is one of the major eSigning providers in the country.  eSigning allows customers to electronically sign documents instead of having to go somewhere to place a pen on paper and sign those documents with ink.  As a result of this convenience, eSigning is extremely popular.  It is used in every industry vertical where document signing is a part of the process.

Docusign noticed an uptick in phishing emails targeting its customers this month.  The emails targeted existing customers of Docusign.   Docusign says that they have 100 million users in their system.

Initially they thought that this was just another of many generic phishing attacks, but they soon realized that the hacker had too much very realistic information.  Docusign had been hacked.

The company discovered that what they call a non-core system had been compromised and their customer list taken.  At this time the company says that no financial information or signed documents were taken, but what was taken – names and emails – allows attackers to launch a very targeted attack against Docusign customers.

The way the attack works is that the customer receives an email that looks strikingly like a real Docusign request EXCEPT that it is asking the user to download and open a Word document – something that Docusign does not do.  Of course, most Docusign customers do not know this.  If they do open the document and follow the rest of the instructions from the attacker, the user’s system is now compromised.  The attacker can do whatever he or she wants to do.

While this campaign uses a Word document, the next campaign could use something else – maybe a malicious URL.

For companies that use any eSigning technology, it appears that now would be a good time to educate your users about what a legitimate eSign request looks like and what an eSign phishing attack looks like.

For the mortgage industry, which is a big user of eSign technology, this is just another attack vector.  Just like the industry has set up processes to warn its clients about fake wire transfer requests, it looks like the industry now has to warn its clients about fraudulent eSign requests.  Today it is Docusign;  tomorrow is could be any Docusign competitor.  In fact, any mortgage purchase or refinance client could be a target – eSign or not.  After all, clients are deluged with requests during the mortgage process and it is very hard for clients to know what is real and what is fake.

Another day, another opportunity.

Information for this post came from KnowBe4 and KrebsOnSecurity.

Phishing Still Works

CSO Magazine has a great piece on social engineering/phishing scams.  The article quotes both vendors that we resell – Wombat and KnowBe4.

Bottom line – the Verizon 2016 data breach report says that 30 percent of the phishing emails were opened compared to 23 percent last year.  12 percent clicked on the link.

If 12 percent of the folks in your company clicked on a malicious link, YOU. ARE. TOAST!

Stu Sjouwerman, CEO and Founder of KnowBe4, an anti-phishing and security education provider says that “a handful of competing cyber mafias are casting their nets wider and wider.”  What this means is that the bad guys have launched an all out assault and situations like the ones that I wrote about the last two days – one company closed its doors, the other lost north of $40 million  – are likely the tip of the iceberg.

One cyber mafia alone netted close to $100 million during the first half of 2016.  That’s a pretty good incentive to hack since it is all tax free.

McAfee recorded 1.3 million new ransomware samples in the first half of this year.

The most commonly successful phishes?

  1. It looked official. – Wombat, a competitor to KnowBe4, says that users are better at detecting personal phishing attacks but do poorly with work related ones.  I guess that is how the hack of Leoni worked.  Send an email from the CFO to accounting, asking them to wire $40 mil to the Czech Republic and DONE!
  2. You missed a voicemail.  Attachments that are designed to look like voicemail messages get people to click,.  And get their computers infected.  You click on it and they own your computer.
  3. Free stuff. People cannot resist free stuff.  Even stuff that they down’t want and won’t use.  if it is free, they want it.  Of course the hackers attach an extra prize to the free stuff.  Once that piece of malware is installed after you click, things won’t seem so free any more.
  4. Fake social media invitations.  LinkedIn, Facebook.  Whatever.  If YOU don’t have a FB or LI account then a scammer can create one using your name.  Then invite your friends.  Or maybe the fake account belongs to the CEO.  Who wouldn’t accept his invitation.  Now they can steal your information or get you to click on a malicious link.
  5. Social Media at Work.  If your company allows you to use twitter, etc.  Wombat says that employees missed an average of 31 percent of the social media question on their tests.  Since most organizations allow employees to use social media at work but a third of the time users cannot detect malicious activities, what does that say about keeping the bad guys out?

Part of it is that the bad guys are getting better.  Much better.  I look at some of the malware and it is very impressive.

What is an organization to do?

If you are not actively phishing your employees on a regular basis (at least once a month, if not more) with very realistic phishing emails, you are missing a training opportunity.  And the cost is very reasonable.  Contact us for details.

Information for this post came from CSO Magazine.

FBI Says Over $2 Billion Lost To CEO Email Fraud

Wow.  That is an impressive number.  As I have talked about before, what the insurance industry calls business email compromise or BEC and what the FBI is calling CEO email fraud is a very lucrative business at $2.3 billion since January 2015.

The way it works is the attacker does a little research on the “mark” – and this is a classic con job, hence the term mark is appropriate – and then sends the mark an email.  Could be the head of finance, someone in the wire room, something like that, pretending to be the CEO or CFO and needing a wire.  With a little social engineering they get their money from the mark.

And, unlike a check or credit card, it is very difficult to get that money back.  Usually, it is transferred out of the target account almost instantly.

Insurance copies, as I have written about, are also starting to push back saying that this is not a cyber breach.  The employee willingly wired the money.  They will cover it, but it is different policy.

There are many variations on exactly how this works, but the result is the same – someone voluntarily wires money to the bad guy.

There are also well known ways to curb this.  In almost all cases, they add some overhead to the process.  If your employee is asked to wire money to someone that they do not wire to normally, ask a question.  Shouldn’t there be a PO?  Or a contract?  Walk down the hall and ask the CEO.  Require two people to approve the wire.  Stuff like that.

Brian reports on a couple of well known phishes – Mattel toys, $3 million, Ubiquiti, $46 million and Scoular, $17 million, among many others.  None of these companies will go out of business but it is both embarrassing and expensive.

The best one though, is when the company Phish Me, who makes anti-phishing management software, was attempted to be phished.  They, as you might expect, did not fall for the con, but did decide to play with the attacker.  That is all documented in the Phish Me article below, so I am not going to repeat it.  The article is a wonderful tool to use in training, however.

At this point, organizations need to fortify the payments process.  As the bank robber Willy Sutton is reported to have said – that is where the money is.

To do that is pretty simple – one part training, one part process and one part sheer will.  There should be a well documented process on how to get money out of your company and based on the particular business model, you should figure out where the soft underbelly is and armor it up.

For those of you who are interested in the details of how these attackers pull these attacks off, I recommend reading the Phish Me article.

For everyone else, this would be a good time to look at your accounting process.

Information for this post came from Krebs On Security and Phish Me.

Pentagon Blocks Links In Email

The Pentagon has a better way to stop users from clicking on phishing email – neuter the emails.

Below is an example of what the email that you send to someone in the DoD might look like before it enters the DoD email system and when the user sees it.

LinksEnabled               Linksdisabled

Needless to say, from the user’s standpoint, the resultant email is basically trash.

In part, how bad things are will depend on how much of the HTML in email they disable.  If they disable all of it, for DoD users, email goes back to the way it was in 1980.  If you send anything other than a text email with no linked graphics and no formatting, the user will be not able to read it.

If you send an email that links to content out on the ‘net, which a lot of corporate email does (like the example above), the user will likely just delete it.

If the graphics are embedded in the email (which is the way it was in the early 2000s until that resulted in emails that were so large that email servers could not deal with them), then the DoD mail scrubbing software will be able to analyze the embedded graphics for harmful content and probably your email will emerge mostly unscathed.

What this means for people who send email to DoD mailboxes is that they are going to need to be conscious of how that email is constructed and what their DoD user is going to see.

Certainly for any form of advertising email/ product email/ blog etc., businesses are probably going to need to rethink their strategies and come up with a different format of email for those millions of DoD users.

Of course, there is another option that DoD users have been using for years and that is GMail.  I have lost count of the number of DoD people who have told me over the years to send my emails to them at their GMail accounts because DoD emails are unreadable.

Of course, all that does is move the entry point for the malware from Outlook to the browser.  That’s sure a lot safer – NOT!

*IF* DoD blocks GMail and other webmail solutions, that would make things very difficult for DoD users – but that likely is going to be required.  If the DoD user can’t click on a phishing link in their Outlook mail but can click on that link in their GMail, how have we helped things?

IF corporations start neutering emails, that will make marketers very unhappy.  They have spent a lot of time and money attempting to make email pretty and if you force them to go back to 1980 email in order to get something that a corporate user can even read – that will be a problem.  The good news is that is completely unlikely to happen except at the very most security sensitive companies – maybe a fraction of one percent or less.

Still, it could get interesting.  And at least for the millions of DoD users, it is going to happen.



Information for this post came from Federal Computer Weekly (FCW)