Russian Threat Actor Conducting Convincing Phishing Campaign via Microsoft Teams
The Russian cyber threat actor Midnight Blizzard (Nobelium, APT29, UNC2452, Cozy Bear) is conducting a highly targeted phishing and social engineering campaign via Microsoft Teams to gain persistent access to Microsoft 365 environments. The United States and the United Kingdom believe Midnight Blizzard to be part of the Foreign Intelligence Service of the Russian Federation (SVR). The threat actor seeks persistent access to networks...
Verizon 2023 DBIR: DoS Attacks Dominate 2022 Cyberattacks and BEC Attacks Double
The recently published Verizon 2023 Data Breach Investigations Report provides insights into the tactics, techniques, and procedures that cyber actors are using to gain access to networks to achieve their objectives. The data for the report comes from security incidents and data breaches between Nov. 1, 2021, and Oct. 31, 2022, which this year includes 953,894 security incidents and 254,968 confirmed breaches, including more than...
Security Agencies Issue Warning About North Korean Spear Phishing Campaigns
Intelligence and law enforcement agencies in the United States and South Korea have issued a warning about the North Korean state-sponsored hacking group Kimsuky (aka APT43, Thallium, and Velvet Chollima), which has been targeting individuals in research centers, think tanks, academic institutions, and news media organizations in spear phishing campaigns, often posing as journalists, academics, and other individuals with credible...
Advanced Phishing Attacks Increased by 356% in 2022
An analysis by the cybersecurity firm Perception Point shows there was a major increase in advanced phishing attacks in 2022, which increased by 356% from 2021. Phishing accounted for 67.4% of cyberattacks in 2022, and there was an 83% increase in business email compromise (BEC) attacks. In total, cyberattacks increased by 87% from the previous year. While BEC attacks only account for a small percentage of attacks, the losses to...
North Korean Threat Group Using ReconShark Malware in Spear Phishing Campaign
A North Korean advanced persistent threat (APT) actor is using a new malware called ReconShark in a global spear phishing campaign. The malware is capable of collecting and exfiltrating sensitive information to its command-and-control server and downloading executable files on targeted systems. The information gathered by the group is believed to be used for conducting precision follow-on attacks on targeted individuals. The malware...
Phishers Turn to Telegram to Market Their Kits and Services
Cybercriminals are increasingly turning to Telegram to share tactics and market their services, especially threat actors specializing in phishing, according to Kaspersky. The phishing community on Telegram has grown substantially over the past year, as phishers flock to the platform and create Telegram channels for promoting phishing kits and bots for automating routine workflows, including for generating phishing pages and collecting...
Security Agency Recommends Businesses Change their Approach to Combat Phishing
The UK National Cyber Security Centre (NCSC) has issued advice to businesses to help them improve their defenses against phishing, one of the most common ways that malicious actors gain initial access to business networks. Phishing targets employees, who are weak links in the security chain. Employees are prone to making mistakes, and all it takes is for one employee to fail to recognize a phishing threat for a threat actor to gain...
Multiple Threat Actors Exploiting Windows 0Day That Prevents Generation of MotW Warnings
A phishing campaign has been detected that exploits a zero-day Windows vulnerability to drop Qbot malware, a password-stealing Trojan cum malware dropper. QBot has been observed delivering the Brute Ratel and Cobalt Strike post-exploitation tool kits, and ransomware payloads such as Egregor and Black Basta. When files are downloaded from the Internet from untrusted locations, a Mark of the Web attribute is added to the files that...
Massive WhatsApp Phishing Campaign Detected Involving 42,000 Malicious Domains
A massive phishing campaign is being conducted via WhatsApp that alerts recipients that they have won a prize and need to visit a website using the provided link to claim it. The campaign was identified by security researchers at Cyjax, who have attributed the campaign to a Chinese threat group they are tracking as Fangxiao, after they successfully deanonymized some of the domains used in the campaign and bypassed the Cloudflare...
MFA Bypassed in Dropbox Phishing Attack Targeting GitHub Credentials
Dropbox has announced that it has suffered a phishing-related data breach in which hackers gained access to proprietary code stored in GitHub repositories. The San Francisco-based file hosting service provider said customer accounts were not compromised, but hackers gained access to 130 code repositories on GitHub using credentials stolen from employees after they responded to phishing emails. Dropbox said no user content, passwords,...
New Callback Phishing Tactics Used to Gain Access to Devices
Ransomware gangs have resurrected a callback phishing technique for gaining initial access to networks, where initial contact is made with the victim via email and a telephone number is provided for the victim to call, along with an important reason for making contact. This is usually a pending charge for a fake subscription to a product or service or a free trial that is due to come to an end, resulting in a charge being applied....
IRS Warns of Exponential Increase in IRS-Themed Smishing Attacks
The U.S. Internal Revenue Service (IRS) has issued a warning following a massive increase in SMS-based phishing (smishing) attacks over the past few weeks. The IRS-themed messages include links to malicious websites that attempt to steal sensitive personal and financial information. The IRS says it observed an increase in smishing attacks on taxpayers in the fall of 2020, with the attacks continuing throughout the pandemic, but this...
Cybersecurity Awareness Month 2022 Focuses on People
Cybersecurity Awareness Month 2022 runs from October 1 to October 31, with the month of October having been dedicated to improving awareness about cybersecurity since 2004. Throughout October, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) will lead a collaborative effort between government and industry to improve cybersecurity awareness in the United States and beyond. The...
More than 130 Companies Fall Victim to SMS Phishing Campaign Targeting Okta Credentials
A highly successful phishing campaign has been identified that targets Okta credentials. Okta is an American identity and access management company that provides cloud-based software solutions to help companies manage and secure user authentication. Researchers at Group-IB analyzed the campaign and reported that 136 companies are known to have been attacked, although only two-thirds of the attacked companies could be identified. Some...
Microsoft Disrupts Ongoing Russia-Linked Phishing Campaign
Microsoft has announced it has taken steps to disrupt phishing campaigns conducted by a Russia-linked threat actor tracked as SEABORGIUM. The threat actor originates from Russia and conducts operations closely aligned with Russian interests. The threat group has been in operation since at least 2017, and the group is known to conduct phishing and credential theft campaigns, mostly targeting organizations in the United States and the...
Conti Ransomware Groups Using Callback Phishing to Gain Access to Victims’ Networks
Three groups that split from the Conti ransomware operation are primarily gaining access to victims’ networks using callback phishing tactics, according to cybersecurity firm AdvIntel. Callback phishing involves making initial contact with targeted employees in an organization via email. They are advised about a pressing issue that needs to be resolved by telephone. The phone line is manned by the threat actor and social engineering...
Ransomware Gangs are Weaponizing Their Stolen Data and Making BEC Attacks Easier
Business email compromise (BEC) attacks have been increasing. According to the Federal Bureau of Investigation (FBI), BEC attacks are the costliest type of cybercrime and resulted in $43 billion in losses between June 2016 and December 2021. In 2021 alone, 19,954 complaints were received by the FBI’s Internet Crime Complaint Center (IC3) and almost $2.4 billion was lost to the scams. Abnormal Security reports an 84% annual...
Sophisticated Twilio Smishing Attack Sees Accounts and Customer Data Compromised
The digital communication platform provider Twilio has confirmed that multiple employees have been tricked into disclosing their account credentials in a smishing attack. Smishing is the use of SMS messages for conducting a phishing attack to steal employee credentials. Those credentials can be used to access employee accounts and any sensitive data accessible through those accounts. Twilio provides programmable communication tools...
97% of Top Universities Failing to Adequately Protect Against Email Impersonation Attacks
Domain spoofing is a common tactic used by phishers to trick victims into believing they have received an official email from a trusted business or contact. Technologies have been developed to detect domain spoofing and protect individuals from email impersonation attacks, yet many organizations have not implemented email validation protocols that can detect spoofing, and as such, their employees and other stakeholders are subjected...
LinkedIn Remains the Most Impersonated Brand in Phishing Attacks
The Q2, 2022 Brand Phishing Report from cybersecurity firm Check Point shows LinkedIn is still the most impersonated brand in phishing attempts, having first entered into the Top 10 Most Impersonated Brands list in Q1, 2022. There has also been a surge in phishing attempts impersonating Microsoft, which have more than doubled from the previous quarter. The increase has seen Microsoft catapulted into position 2 in the list, accounting...
Security Vendors Impersonated in Callback Phishing Campaign
The cybersecurity vendor CrowdStrike has issued a warning about a callback phishing campaign that attempts to trick employees at businesses into visiting a malicious website. Initial contact is made via email, which instructs recipients to make a phone call as part of a security audit. According to one of the emails obtained by researchers at CrowdStrike, contact is made due to an alleged data breach at the cybersecurity firm. The...
Massive Phishing Campaign Bypasses MFA to Gain Access to Office 365 Accounts for BEC Attacks
This week, Microsoft shared details of a massive phishing campaign that has targeted more than 10,000 organizations since September 2021. The campaign targets organizations that use Office 365 and allows the attackers to hijack accounts, even if they have multi-factor authentication (MFA) enabled. The compromised accounts are then used to conduct business email compromise attacks on external companies to get them to make fraudulent...
Microsoft Rollback of VBA Macro Blocking is Only a Temporary Measure
Last week, Windows users started noticing that Microsoft had stopped blocking Internet-delivered VBA macros by default without making an announcement. Microsoft has now confirmed that the rollback is only a temporary measure. Back in February, Microsoft announced that it would be taking steps to improve security by blocking Visual Basic for Applications (VBA) macros by default in certain Office apps. The security measure would apply...
Police in Europe Dismantle Multi-Million-Euro Phishing Operation
An organized criminal gang that was operating a multi-million-Euro phishing operation has been dismantled by police forces in Belgium and the Netherlands, according to Europol. The operation involved raids at 24 addresses in the Netherlands on June 21, and police arrested 9 individuals suspected of involvement in the operation. They also seized cash, cryptocurrency, jewelry, firearms, and ammunition. Europol assisted in the operation...
Thousands Arrested in Interpol-Led Operation Targeting Social Engineering Scammers
An international law enforcement operation led by Interpol that involved police forces in 76 countries has seen more than $50 million seized and thousands of people arrested in connection with social engineering scams such as telecommunication fraud, business email compromise scams, and the money laundering activities in relation to those operations. The operation – called First Light 2022 – ran for two months between...
Emotet Malware Infections Increased by 2,700% from Q4, 2021 to Q1, 2022
Security researchers have identified new variants of Emotet malware that are capable of collecting and using stolen credentials, which are then weaponized and used to distribute the malware, and security solutions are failing to block the malware. Emotet is widely regarded as the most dangerous malware threat. While action was taken by a coalition of law enforcement agencies, which shut down the infrastructure of Emotet in January...
Researchers Uncover Massive Facebook and Messenger Phishing Campaign
Security researchers at the cybersecurity firm PIXM have identified a massive phishing campaign being conducted through Facebook and Messenger, which has driven millions of individuals to web pages hosting phishing forms and online adverts. According to PIXM, in just 4 months, a threat actor was able to steal more than 1 million credentials and generated significant revenue from online advertising commissions. The account credentials...
Local Governments Targeted in Phishing Campaign Exploiting Windows Follina Vulnerability
The critical Windows ‘Follina’ zero-day vulnerability is being exploited in phishing attacks on local governments in the United States and government entities throughout Europe, according to Proofpoint. The phishing campaign uses Rich Text Format (RTF) attachments, which will exploit the Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution bug – CVE-2022-30190 – if opened. Exploitation of the vulnerability does not...
Phishing Campaign Pushing Jester Malware Targets Ukrainian Citizens Warning of Chemical Attacks
A phishing campaign has been identified that warns of chemical weapon attacks on Ukrainian citizens in an attempt to infect devices with Jester malware. The Computer Emergency Response Team of Ukraine (CERT-UA) has recently issued a security advisory about the mass distribution of these malicious emails targeting Ukrainian citizens. The emails have the subject line “chemical attack” and warn in Ukrainian that information has been...
FBI: More than $43 Billion has been Lost to BEC Scams Since 2016
Business email compromise (BEC) scams are the leading cause of losses to cybercrime. According to the U.S. Federal Bureau of Investigation (FBI), reported losses between June 2016 and December 2021 exceeded $43.3 billion. These scams, also known as email account compromise (EAC), involve compromising a business email account and using it to send emails to individuals responsible for making wire transfers and tricking them into making...
Man Convicted for Phishing Scam Resulting in Theft of $23.5 Million from DoD
The losses to phishing scams can be considerable. What starts with a single phishing email can easily result in a costly data breach, malware infection, or the fraudulent transfer of millions of dollars to an attacker-controlled account. Last week, the U.S. Department of Justice announced that one of the perpetrators of a phishing scam has been convicted on six counts for his role in a complex phishing scheme and vendor email...
LinkedIn is the Most Impersonated Brand in Phishing Attacks
The professional social networking site LinkedIn is now the most impersonated brand in phishing attacks according to Check Point Research. In Q1, 2022, 52% of phishing attacks spoofed LinkedIn, which is a 550% increase from the previous quarter when LinkedIn was the 5th most impersonated brand. This is part of an emerging trend in phishing that has seen phishers switch to campaigns seeking corporate social media credentials, which can...
WhatsApp Voicemail Phishing Campaign Distributes Information Stealing Malware
A new WhatsApp phishing campaign has been identified by researchers at Armorblox that has been sent to at least 27,655 email addresses. The emails impersonate WhatsApp and relate to the voice message feature of the instant messaging app to get recipients of the messages to install information-stealing malware. The malware targets passwords stored in browsers and applications, steals cryptocurrency wallets, and can be used to...
Critical Infrastructure Organizations Warned About AvosLocker Ransomware Attacks
AvosLocker ransomware is being used in attacks on U.S. critical infrastructure organizations, according to a recent joint cybersecurity advisory issued by the Federal Bureau of Investigation (FBI), U.S. Department of the Treasury, and the U.S. Treasury Financial Crimes Enforcement Network (FinCEN). AvosLocker is a relatively new ransomware group that first appeared in June 2021. Initially, the ransomware was used in attacks on Windows...
Feds Issue Update on Conti Ransomware
The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have issued an update on Conti Ransomware as attacks on U.S. businesses pass the 1,000 mark. The update includes information gathered from the recent leak of internal private messages between gang members by a Ukrainian researcher, who also released the source code for the ransomware and...
Lapsus Ransomware Gang Continues with High Profile Attacks
The Lapsus ransomware gang is a new threat group that only first appeared in December 2021 but has already started building a name for itself with several high-profile attacks already conducted, the latest being the ransomware attack on GPU giant NVIDIA. Sensitive Employee Data and Source Code Stolen from NVIDIA: NVIDIA said it detected the attack on February 23, 2021, and announced on February 25 that it was investigating a security...
Phishing Campaign Capitalizes on Ukrainian Crisis
A new phishing campaign has been detected that piggybacks on the current crisis in Ukraine to trick people into divulging their credentials. Emails are being sent warning about suspicious account access from Russia to scare people into clicking the link and logging into their account to change the password. The campaign targets Microsoft customers and attempts to steal Microsoft 365 credentials. The campaign was discovered by security...
83% of Businesses Experienced a Successful Phishing Attack in 2021
Phishing is the most common method used to attack businesses. Phishing attacks are performed to steal credentials, obtain sensitive data, install malware, or gain a foothold in a network for a more extensive compromise. Phishing attacks target individuals and exploit human rather than technical weaknesses, and use social engineering to trick people into taking an action that allows the attacker to achieve their aims. The UK...
TitanHQ Acquires Cyber Risk Aware to Add Security Awareness Training to its Cybersecurity Portfolio
The Irish cybersecurity firm TitanHQ, a leading SaaS business offering a portfolio of cloud-based cybersecurity solutions, has announced the acquisition of the Dublin-based security awareness firm Cyber Risk Aware. Cyber Risk Aware was formed in 2016 and provides the only behavior-driven security awareness platform that provides real-time training to help counter the threat from phishing and other cybersecurity threats that target...
46% of Emails in 2021 Were Spam
The Russian cybersecurity firm Kaspersky has released its 2021 Spam and Phishing Report, which identifies the key annual trends in spamming and phishing. The report shows 45.56% of global email volume consisted of spam emails. Russia was the biggest culprit, with 24.77% of spam emails coming from Russian IP addresses, while German IP addresses were used to send 14.12% of the year’s spam emails. Legitimate organizations such as banks and...
Next-Gen Phishing Kits Used to Bypass Multifactor Authentication
Proofpoint has revealed cyber threat actors are now using a new class of phishing kit that is allowing them to bypass multi-factor authentication (MFA). Multi-factor authentication is strongly recommended on accounts to improve security. Multifactor authentication requires an additional form of identification to be provided in addition to a password. In the event of a password being obtained by an unauthorized individual, access to...
DHL Was the Most Imitated Brand in Phishing Campaigns in Q4, 2021
A recent report from the cybersecurity firm Check Point has revealed DHL was the most impersonated brand in phishing attacks in Q4, 2021, overtaking Microsoft. Check Point’s data show 23% of phishing emails impersonating brands in Q4, 2021 spoofed DHL, up 9% from the previous quarter. Microsoft is usually the brand most impersonated by cybercriminals due to the huge number of customers. In Q4, 20% of all brand impersonation...
Emotet Observed Delivering Cobalt Strike Directly to Infected Devices
Last year, Emotet malware was the most prevalent malware threat but a coordinated international law enforcement operation finally resulted in its infrastructure being seized. At the time of the takedown, Europol considered Emotet to be the world’s most dangerous malware and botnet, with the takedown swiftly neutralizing the threat. The hundreds of thousands of infected devices that made up the botnet finally had the malware removed on...
COVID-19 Omicron Phishing Scam Targets UK Residents Offering Free NHS Omicron PCR Test
A COVID-19 Omicron phishing campaign has been detected that spoofs the UK’s National Health Service and attempts to get individuals to disclose sensitive personally identifiable information and financial details. The campaign takes advantage of fear about the new Omicron variant of the coronavirus, which could potentially be more transmissible than other SARS-CoV-2 variants and make current vaccines less effective. Scientists around...
SpamTitan Plus Has Better Coverage of Malicious URLs and Detects Them Faster Than Market Leading Solutions
A new anti-phishing product has been launched by TitanHQ which the company says provides far better coverage of malicious URLs than any of the current market-leading anti-phishing solutions, which means more malicious links are detected and those links are detected faster than other solutions. TitanHQ had been getting feedback from its customer base of 12,000+ businesses and 3,000+ Managed Service Providers that phishing attacks are...
Multiple APT Actors Using Novel RTF Template Injection Technique in Phishing Attacks
A novel Rich Text Format (RTF) Template Injection technique is being used in phishing campaigns conducted by multiple nation-state hacking groups. Researchers at Proofpoint say they first identified this technique being used in March 2021 and its use has been steadily growing. The technique was initially used by the Indian APT group DoNot Team (APT-C-35), followed by the Chinese APT group TA423, then the Russian APT actor Gamaredon....
Vaccine Manufacturers Targeted with Metamorphic Tardigrade Malware
The biomanufacturing sector has been warned about targeted attacks involving Tardigrade malware – a sophisticated metamorphic variant of the SmokeLoader backdoor. Tardigrade malware is known to have been used in two cyberattacks on companies in the biomanufacturing sector in 2021. In the spring of this year, a large biomanufacturing facility was targeted and a second facility was infected with the malware in October. The attacks...
GoDaddy Data Breach Affects 1.2 Million Customers and 6 Web Hosts
On November 22, GoDaddy said it was the victim of a data breach that exposed the email addresses and customer numbers of up to 1.2 million active and inactive Managed WordPress users. The breach also exposed the original admin-level WordPress passwords for those accounts that were created when WordPress was first installed. The passwords could have allowed access to customers’ WordPress servers. Active customers also had their sFTP...
New JavaScript Malware Delivers Multiple RATs and Info Stealers
A new JavaScript malware dubbed RATDispenser is being used to deliver at least 8 different Remote Access Trojans (RATs), information stealers, and keyloggers. According to an analysis by the HP Threat Research team, three different variants of RATDispenser have been detected in the past 3 months and 155 samples have been intercepted. All but 10 of those samples act as first-stage malware droppers that do not communicate with an...
Ransomware Attacks on CNA, Colonial Pipeline, and JBS the Result of Minor Security Lapses
Ransomware attacks in 2021 have increased to record levels and no industry sector is immune. Cyber threat actors have become bolder and have conducted an increasing number of attacks on healthcare organizations, where the lack of access to systems and data has put patient safety at risk, while attacks on critical infrastructure have threatened food production and fuel availability. The escalation of attacks in the United States has...
The Emotet Botnet is Back: TrickBot Infrastructure Being Used to Rebuild the Botnet
The infrastructure of the Emotet botnet was taken down in a Europol/Eurojust coordinated law enforcement operation in January 2021. Since the takedown it has been all quiet on the Emotet front, but the Emotet botnet has now returned. That law enforcement operation saw the infrastructure seized and taken down and two individuals believed to have played key roles in maintaining the infrastructure of the botnet were arrested. The Emotet...
Legitimate FBI System Hacked and Used to Send Spam Emails About Fake Cyberattack
A spam email campaign involving at least 100,000 emails has been conducted using ‘hacked’ FBI-owned servers. The messages advised the recipients that their network had been breached and data was stolen. The emails were sent from the legitimate [email protected] email account and, as such, were passed by the DomainKeys Identified Mail (DKIM) mechanism. The Spamhaus project said the messages were delivered to at least 100,000 mailboxes,...
Robinhood Announces Breach of 7 Million User Records
Hacking attempts are often sophisticated but in some cases gaining access to a company’s internal networks is as simple as asking an employee for login credentials. This is often achieved through a phishing email, where employees are tricked into visiting a website that asks them to log in with their Microsoft 365 credentials. Similar tactics were recently used in an attack on the stock trading platform Robinhood. On November 3, 2021,...
Amazon SES Token Stolen and Used to Send Phishing Emails from Kaspersky.com Email Accounts
A phishing campaign has been identified that abused a legitimate access token of a third-party contractor to send phishing emails from legitimate Kaspersky.com email accounts. The campaign was conducted using the Amazon Simple Email Service (SES) email service, which allows developers to send emails from any app, including apps used for mass email communications. Kaspersky’s Amazon SES token was provided to a third-party contractor in...
NHS Vaccination Proof Phishing Campaign Rife in the UK
Cybercriminals have stepped up their efforts to scam Brits according to new research, with one of the most common scams offering fake proof of COVID-19 vaccination. According to Tessian, the phishing scam spoofs the NHS and advises recipients that they are eligible to apply for a “Digital Passport” which can be used as proof that an individual has been vaccinated against COVID-19 or has contracted COVID-19 and has recently recovered....
CryptoRom Gang Targets iPhone Users of Dating Apps in Sophisticated Romance Scam
Users of dating apps are being warned about a romance scam being conducted by an international cybercriminal gang dubbed CryptoRom. The gang has previously targeted individuals in Asia but has now expanded its operation and is targeting dating app users in Europe and the United States. Romance scams are nothing new of course, but they have become much more prevalent due to the increased use of dating apps, which allow scammers to...
Phishing Campaign Uses Mathematical Symbols to Fool Email Security Solutions
Analysts at email security firm INKY have identified a new phishing campaign that uses mathematical symbols in spoofed corporate logos in an attempt to fool email security solutions and ensure the phishing messages get delivered to inboxes. Many AI-based anti-phishing solutions can detect brand impersonation attacks and reject or quarantine messages rather than delivering them to inboxes. If a message looks like it is from a known brand,...
Microsoft Discovers Large-scale Phishing-as-a-Service Operation
Microsoft has discovered a major phishing-as-a-service operation that it says is behind many phishing attacks on businesses over the past 3 years. Phishing is one of the easiest ways for cybercriminals to gain access to business networks. Attackers require a phishing email template to use, need to have a domain to send emails, and a webpage where credentials are harvested. Creating the infrastructure to support phishing campaigns can...
Europol Breaks up Major Cybercrime Ring
A major cybercrime gang operating in the Canary Islands has been broken up by the Spanish National Police, with assistance provided by the Italian National Police and Europol. The gang generated more than $12 million in profit through phishing scams and other forms of fraud such as SIM swapping and business email compromise scams. The scams mostly targeted Italian nationals but also claimed victims in Spain, Ireland, Germany and the...
TitanHQ Adds Geo-Blocking in Latest Release of SpamTitan Email Security
TitanHQ has released a new version of its award-winning SpamTitan email security solution. The Fall 2021 release – SpamTitan 7.11 – includes several enhancements to improve detection of threats such as malware, ransomware, APTs, spear phishing, and malicious URLs, with the updated version providing greater threat insights to help administrators mitigate risks more effectively. SpamTitan 7.11 includes a new feature –...
Nigerian Threat Actor Tries to Recruit Disgruntled Employees to Conduct a Ransomware Attack on Their Employer
Researchers at Abnormal Security have identified an email campaign run by a Nigerian threat group that is advertising for individuals to take part in ransomware attacks in exchange for a cut of any ransom payments they help to generate. This tactic is nothing new, as many ransomware operations seek affiliates to conduct attacks in exchange for a share of the profits under the ransomware-as-a-service (RaaS) model. This campaign differs as it...
Phishing Costs Large U.S. Companies $14.8 Million a Year
The cost of phishing attacks has risen fourfold over the past 6 years, according to the 2021 Cost of Phishing Report published by Proofpoint. Large companies in the United States are now losing an average of $14.8 million a year due to phishing. That equates to a cost of $1,500 per employee. In 2015, when the survey was first conducted, the average cost of phishing for large U.S. companies was $3.8 million. Phishing emails are sent to...
73% of Organizations Suffered a Phishing Related Data Breach in the Past Year
Almost three quarters (73%) of organizations in the United States and United Kingdom suffered a data breach in the past 12 months as a result of a phishing attack, according to Egress’ 2021 Insider Data Breach Survey. The survey was conducted on 500 IT leaders and 3,000 employees in the US and UK by Arlington Research on behalf of Egress, with respondents coming from a variety of industry sectors, including healthcare, legal, and...
Nested Archive Technique used in Phishing Campaign Delivering the BazarBackdoor
A new phishing campaign is underway that delivers the BazarBackdoor malware using a nested archive method, which involves putting compressed archives within another compressed archive. Using a single compressed archive is not sufficient to hide malware from many secure email gateway solutions, which have the capability to scan inside archive files. However, many email security solutions do not check any deeper than this, so adding a...
Fake Kaseya Updates Used in Phishing Campaign to Deliver Cobalt Strike Backdoors
A phishing campaign has been detected by Malwarebytes Threat Intelligence researchers which targets managed service provider customers of Kaseya. The emails claim to provide a Kaseya security update to prevent ransomware attacks but deliver Cobalt Strike backdoors to victims’ networks. The campaign piggybacks on the REvil ransomware attack on the Kaseya Virtual System Administrator (VSA) platform on July 2 that saw ransomware pushed...
Profile Data of 700 Million LinkedIn Users Listed for Sale on Hacking Forum
700 million LinkedIn records were listed for sale on a hacking forum on June 22, 2021 by an individual who calls himself GOD User TomLiner. A sample of 1 million records has been made available as proof that the offer is genuine. The sample records include the full names of LinkedIn users, phone numbers, genders, email addresses, and job information. This is not the first time that a multi-million record batch of LinkedIn user data...
FIN7 Pen Tester Sentenced to 7 Years in Jail
A high-level member of the FIN7 organized crime group has been sentenced to 7 years in jail. The U.S. Department of Justice recently announced that Ukrainian national Andreii Kolpakov has been convicted in the Western District of Washington on one count of wire fraud and one count of conspiracy to commit computer hacking related to payment card theft. In addition to the lengthy jail term, Kolpakov was ordered to pay $2.5 million in...
NCSC Warns UK Educational Institutions of Increased Ransomware Threat
The UK’s National Cyber Security Centre (NCSC) has issued a warning to the UK education sector following a recent spike in ransomware attacks on schools, colleges, and universities. Some of the recent attacks have resulted in the loss of school financial records, student coursework, and COVID-19 testing data. Ransomware attacks often involve the theft of data prior to the use of ransomware to encrypt systems. The attacks can have a...
SolarWinds Hackers Conducting Spear Phishing Campaign Posing as USAID
The Russian Advanced Persistent Threat (APT) group Nobelium – aka APT29/The Dukes/Cozy Bear – that was behind the SolarWinds Orion supply chain attack has been conducting a spear phishing campaign masquerading as the U.S. Agency for International Development (USAID). The emails are used to deliver malware and gain persistent access to the internal networks of the targeted companies. The spear phishing attacks were identified by...
Large-Scale Malspam Campaign Detected Delivering the STRRAT Remote Access Trojan
Microsoft has issued a warning about a massive malspam campaign that is being used to deliver the STRRAT remote access trojan (RAT). The campaign is being conducted using compromised email accounts with what appears at first glance to be a PDF file attachment. The attached file appears to have a .pdf extension and displays the typical PDF image; however, the file attachment is simply an image which, if clicked, will download the...
Train Company Under Fire for Insensitive Phishing Simulation Emails
Phishing simulations are an important way to test resilience to phishing attacks, but a British train company has discovered these campaigns can easily backfire if care is not taken when selecting suitable lures for the phishing simulation emails. West Midland Trains recently sent a phishing simulation email to staff that had all the hallmarks of a real-world phishing attack. The emails looked realistic, they appeared to have been...
Phishing Campaign Impersonates Click Studios to Deliver New Moserpass Malware Variant
Last week, Click Studios alerted users of the Passwordstate enterprise password manager about a supply chain attack in which hackers successfully compromised the In-Place Upgrade mechanism of the app, which allowed the attackers to perform malicious upgrades between April 20 and April 22, 2021. During that 28-hour window it is possible that the attackers downloaded a malformed Passwordstate_upgrade.zip file, which was sourced from a...
External Email Message Warnings Can be Easily Hidden or Altered
One of the ways that businesses help their employees identify potentially malicious emails is to flag any email that has been sent from an external email account. These external sender warnings can easily be configured in email clients such as Microsoft Outlook and email security gateways. When the warnings are shown, employees know they need to exercise caution when taking any action suggested in the email. If the warning is not...
Bloomberg Clients Targeted in Phishing Campaign Distributing Remote Access Trojans
Remote Access Trojans (RATs) according to a new report published by researchers at Cisco Talos. The relatively few emails that have been intercepted have made it difficult to determine whether this campaign, dubbed Fajan, uses spray and pray tactics or if the emails are more targeted. The small scale of the campaign suggests the attackers are attempting to hone their skills and are actively maintaining and developing functionality to...
IcedID Malware Distribution Increases as it Vies to Become the New Emotet
A massive malspam campaign is underway distributing the IcedID banking Trojan. The malicious emails have Microsoft Excel attachments, which use Excel 4 macros to deliver the banking Trojan. IcedID is a modular malware that started life as a Trojan that steals financial information from victims. Like several other banking Trojans, it has since evolved into a malware dropper and is now primarily being used to distribute secondary...
New Malware Variant with Worm-Like Capabilities Spoofs Netflix and Spreads via WhatsApp
A new malware variant has been discovered by security researchers at Check Point that has been added to a fake Netflix application – FlixOnline – available from the Google Play Store. The malware has worm-like properties and can spread to other devices via WhatsApp messages. The Android app has the Netflix logo and claims to provide unlimited viewing from any location. If the app is downloaded and installed, permissions are...
FBI Warns State and Local Governments of Increased Risk of BEC Attacks
The Federal Bureau of Investigation (FBI) has issued a warning to state, local, tribal, and territorial (SLTT) governments in the United States about Business Email Compromise (BEC) scams. Losses to BEC attacks increased by 5% to more than $1.8 billion in 2020, and between 2018 and 2020, SLTT government entities have been targeted. BEC attacks involve the use of a compromised email account to send messages to individuals with authority...
Internet Crime Complaints Increased by 69% in 2020 with $4.2 Billion in Losses to Cybercrime
During the pandemic, cybercriminals stepped up their attacks on businesses and individuals, and record numbers of complaints about cybercrime were filed with the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3). 69% more complaints were filed with IC3 than in 2019; IC3 received 791,790 complaints about cybercriminal activity such as phishing attacks, ransomware and malware, and a wide range of online scams....
Pysa Ransomware Gang Targeting Education Sector, Warns FBI
The FBI has issued an alert following a surge in Pysa ransomware attacks on K-12 schools and higher education institutions. The Pysa (Mespinoza) ransomware gang has recently conducted attacks in 12 U.S. states and the United Kingdom. The ransomware was first identified in 2019, with the FBI aware of targeted Pysa ransomware attacks on United States and foreign government entities, educational institutions, private companies, and...
More than 50% of Phishing Emails in 2020 Used for Credential Theft
In 2020, threat actors took advantage of the COVID-19 pandemic and adopted COVID-19 and coronavirus themed lures for their phishing campaigns. The volume of phishing emails did not increase in 2020, but many threat groups found they had much greater success with pandemic-related themes than their regular lures. Phishing is the most common method used by threat actors to conduct cyberattacks on businesses. The attacks target employees,...
Spear Phishing Campaign by Lazarus APT Group Targeting Defense Companies
Security researchers at Kaspersky ICS CERT have identified a spear phishing campaign targeting defense companies that delivers an advanced malware dubbed ThreatNeedle. The campaign has been linked to the North Korean Advanced Persistent Threat (APT) group Lazarus – the most active APT group in 2020. Lazarus has conducted many spear phishing campaigns in recent months using the ThreatNeedle cluster of malware, which is a more advanced...
Phishing Attacks Detected Using Malformed URL Prefix
A new phishing campaign has been detected that uses malformed URL prefixes to bypass email security solutions and fool individuals into disclosing their login credentials. The novel tactic was identified by researchers at GreatHorn. Rather than use the standard URL protocols HTTP:// or HTTPS:// the domain linked in the phishing email used HTTP:/\ (forward slash/backslash). The researchers first identified this tactic being used in...
Ransomware Attacks Most Commonly Start with Phishing and 70% Involve Data Exfiltration
The Q4 2020 Quarterly Ransomware Report from Coveware shows there has been a marked decline in the number of companies paying ransoms to recover data stolen in ransomware attacks and prevent the public release of stolen data. The fall is seen as a response to the erosion of trust. There have been several recent attacks where stolen data has been released publicly even when a ransom has been paid. If companies have a viable backup...
Phishers Target US Businesses in Scam Offering Fake PPP Loans
A phishing campaign has been detected which is targeting U.S. businesses that are struggling to stay in operation during the pandemic. The emails attempt to get business owners to apply for a fake PPP loan and disclose sensitive data. The Paycheck Protection Program (PPP) is part of the U.S. CARES Act, which was launched by the Trump Administration on April 3, 2020 to provide financial assistance to businesses that have been adversely...
TrickBot Returns with a New Malspam Campaign
A botnet that was severely disrupted in late 2020 by a coalition led by Microsoft is now back with a new malspam campaign. The infrastructure used by the operators of the TrickBot botnet was taken down in the run up to the November 2020 U.S. Presidential election, but it didn’t take long for the infrastructure to be rebuilt. The takedown was successful and caused major disruption to the operation, but since no arrests were made, the...
Europol Announces Takedown of the Emotet Botnet
Europol has announced that following a global operation by law enforcement and judicial authorities, the Emotet botnet has been disrupted and law enforcement agencies have seized control of its infrastructure. The takedown was planned for two years and involved Europol, Eurojust, the FBI, the Royal Canadian Mounted Police, the UK’s National Crime Agency, and law enforcement agencies in Ukraine, Netherlands, Germany, Lithuania, and...
UK Residents Warned of COVID-19 Vaccine Phishing Emails Seeking Financial Information
UK residents are being warned about a new phishing campaign that spoofs the National Health Service (NHS) and asks recipients to confirm that they want to receive the COVID-19 vaccine. The UK’s vaccination program is now well underway, with more than 6.5 million people already given the first dose of one of the approved COVID-19 vaccines, with the most vulnerable groups and NHS workers being prioritized. However, it is likely to take...
Mistake with Phishing Campaign Saw Stolen Credentials Accessible Through Google Searches
A mistake by the operators of a phishing campaign has resulted in stolen credentials being accessible through Google searches. Compromised WordPress sites were used to receive stolen credentials, but the information was saved to locations accessible to the public and search engines. Search engines such as Google indexed those locations, which meant the stolen credentials could be found using a simple Google search. More than 1,000...
New PayPal Phishing Scam Advises Users via SMS that their Account has been Limited
A new PayPal phishing scam is being conducted via SMS messages that informs users that their PayPal account has been permanently set to ‘limited’ status, which restricts sending, receiving, or withdrawing money from PayPal accounts. The limited status is applied to accounts when PayPal detects fraudulent or suspicious activity. PayPal restricts accounts for security reasons, such as when someone other than the legitimate account...
US Federal Government Seizes Domains Spoofing COVID-19 Vaccine Developers
Two domains spoofing the COVID-19 vaccine developers Moderna and Regeneron have been seized by the U.S. Department of Justice. The websites were almost perfect clones of the websites they impersonated and had potential to deceive millions of individuals into disclosing sensitive information or downloading malware. This year has seen cybercriminals take advantage of the COVID-19 pandemic and conduct campaigns offering up to date...
More Than 3 Million Chrome and Edge Users Have Malware-Infected Browser Extensions
Approximately 3 million users of Google Chrome and Microsoft Edge have been infected with malware that has been hidden in browser extensions, according to a new report from antivirus company Avast. At least 28 JavaScript-based Chrome and Edge extensions for Instagram, Facebook, Vimeo and others have had malicious code added, which is used to steal personal data and redirect users to adverts and phishing websites. The malicious code...
Document Delivery Lure Used in Large Scale Spear Phishing Campaign Targeting Enterprise Employees
Last week, researchers at Abnormal Security identified a coordinated phishing attack targeting enterprise employees that attempts to steal their Microsoft Office 365 credentials. The emails are being sent from legitimate, but compromised Office 365 accounts using document delivery notifications as the lure to get users to disclose their credentials. Several enterprise organizations were targeted in the attack using hundreds of...
K-12 Schools Warned About Cyber Actors Targeting Distance Learning Education
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued a joint advisory to K-12 schools warning that cyber actors are conducting targeted attacks on distance learning education. Cyber actors are attempting to disrupt distance learning services, gain access to sensitive data, and conduct ransomware...
Spear Phishing Campaign Spoofing Microsoft.Com Sees Emails Delivered to Office 365 Inboxes
Researchers at Israeli cybersecurity firm Ironscales have identified a spear phishing campaign targeting Office 365 users that spoofs the Microsoft.com domain. Several thousand Office 365 mailboxes are known to have been targeted, with around 100 customers of Ironscales having been sent the phishing emails. Those customers span several industry sectors including healthcare, insurance, telecom, manufacturing, and financial services....
Foreign APT Groups Targeting Think Tanks, Warns CISA/FBI
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a warning about ongoing cyberattacks on think tanks by foreign Advanced Persistent Threat (APT) groups. The purpose of the attacks is to gain persistent access to victim networks for espionage purposes. This is achieved through phishing attacks to gain access to user credentials and by exploiting vulnerabilities in...
BEC Scammers Using Auto-Forwarding Rules in Web-Based Email Clients to Prevent Detection
Cybercriminals have been using auto-forwarding rules in web-based email clients to increase the chances of success of their business email compromise (BEC) scams, according to a recently issued TLP: WHITE Joint Private Industry Notification from the Federal Bureau of Investigation (FBI). Business email compromise scams involve gaining access to a corporate email account and using that account to send emails to other individuals in the...
BEC Gang Members who Scammed More Than 50,000 Organizations Arrested
Three members of a cybercriminal gang that has attacked more than 50,000 organizations have been arrested in Lagos, Nigeria. The arrests come at the end of a year-long investigation into the prolific business email compromise scammers by INTERPOL, Group-IB, and the Nigerian Police Force. The three gang members arrested are believed to be responsible for phishing scams, BEC attacks, and malware distribution on tens of...
Warning Issued After Discovery of Scores of Spoofed FBI Websites
Scores of domains have been identified which spoof official Federal Bureau of Investigation (FBI) websites, prompting the FBI’s Internet Crime Complaint Center to issue a warning. While the intentions of the individuals who registered the domains are not known, it is strongly suspected that the domains were intended for use in future phishing or malware distribution campaigns. The domains could be used to register email accounts that...
Use of SSL Certificates in Malware and Phishing Attacks Up 260% in 2020
Abuse of SSL certificates in phishing and malware attacks has increased by 260% in the first 9 months of 2020, according to a new report from Zscaler. Zscaler analyzed more than 6.6 billion threats for the report and found a major rise in the use of encryption to hide attacks. Encryption was being used across the full attack cycle, according to the researchers, including the initial delivery of malware or malicious links to the...
78% of Microsoft 365 Administrators Have Not Enabled Multi-Factor Authentication
Despite the risk of phishing attacks and email account compromises, 78% of Microsoft 365 admins have not enabled multi-factor authentication and 97% of all Microsoft 365 users are not using MFA, according to a recent report published by CoreView Research. Multi-factor authentication is one of the most effective measures to prevent stolen credentials from being used to gain access to accounts. It is alarming that so few users and...