CyberheistNews Vol 10 #13 [Heads-Up] Feeding Frenzy: COVID-19 Phishing Attacks Surge As U.S. Reels From Pandemic

By Eric Howes, KnowBe4 Principal Lab Researcher. Having already published three blog pieces on the epidemic of Coronavirus-themed phishing emails and spam/scam offerings online, we were wondering what else the bad guys might be ginning up for stressed-out users and IT folks working the trenches. The answer arrived this week as COVID-19-themed phishes exploded.

On Monday and Tuesday customers using the Phish Alert Button (PAB) reported a massive surge in virus-themed phishing emails. Although we had already seen 90 percent of those emails over the previous days and weeks (and had documented them in our first three blog pieces), we were nonetheless surprised by the sheer volume of emails reported -- a phenomenon we suspect may have been driven by the dramatic escalation of the COVID-19 health crisis in the United States at the end of the previous week.

On Wednesday and Thursday, though, customers began reporting an entirely new set of phishing emails. Curiously, most of these apparently "new" phishing emails were somehow also strangely familiar (more on that in a bit).

In this fourth installment of our COVID-19 phishing reports, we will review the new crop of Coronavirus phishing emails that landed this week. And, as before, we will be offering a generous helping of screenshots so that you and your users and employees know what to look for.

The Three Waves

Before tackling the very latest phishing emails reported to us by customers using the Phish Alert Button (PAB), we thought it might be useful to do a quick review of the development of COVID-19-themed phishing emails that we've been tracking since early February.

Looking back, we can now discern three distinct waves of phishing emails reported by customers.

1. The first wave, which began growing slowly over the course of February and early March, mainly involved straightforward spoofs of the CDC (Centers for Disease Control), WHO (World Health Organization), and a few other reputable authorities, including HR departments within targeted organizations. These spoofs generally purported to offer information and updates on the unfolding crisis, leveraging the trust vested in those spoofed authorities to trick users into clicking through links and attachments to malicious content (mostly credential phishes, but occasionally malware, including Emotet).

During that time period we also observed a rather predictable rise in spam/scam emails trading on fear and confusion to push the usual variety of dodgy products and services -- fake vaccines, price-gouged health care products (masks, sanitizers), as well as books, videos, and bogus "miracle cures."

2. In the second wave, malicious actors began experimenting with new and novel social engineering schemes -- some more successful and convincing than others. If nothing else, though, this second wave demonstrated that the bad guys were seriously committed to exploiting the chaos and growing hysteria over the spread of the virus by rapidly developing a larger menu of phishing templates.

We covered the first and second waves of Coronavirus phishes in our earlier blog pieces. This second wave, in particular, proved to be relatively brief and was soon overtaken by a massive wave of new virus-themed phishing emails that crashed into users' inboxes starting Wednesday and Thursday.

3. The third wave, which arrived mid-week, saw the bad guys building out their repertoire of customized social engineering schemes by re-purposing a wide variety of older phishing emails -- all those golden oldies so depressingly familiar to end users and IT departments alike, now newly re-invigorated and sent into battle once again under the banner of the mighty Coronavirus.

It's that third wave of re-purposed, "standard" phishing emails that we'll be focusing on in this blog piece, for it turns out that the Coronavirus is always the perfect complement to whatever phishing campaigns your average bad guy happens to enjoy running.

We should note that we will not be covering the kinds of more traditional spam/scam emails that we did in our earlier blog pieces. Those emails are still in circulation, but they've now been utterly eclipsed by the sheer volume of truly malicious phishing emails washing into users' inboxes.

Continued at the KnowBe4 blog with more than 100 examples (!) of live in-the-wild screenshots:
[ALERT] Re-Check Your Email Attack Surface Now

Your users are your largest attack surface. Data breaches are getting larger and more frequent. Bad guys are getting smarter every year. Add it all up and your organization's risk skyrockets with the number of your users' credentials that are exposed.

It's time to re-check your email attack surface.

Find out your current email attack surface now with the NEW version of KnowBe4’s Email Exposure Check Pro. EEC Pro identifies your at-risk users by crawling business social media information and now also thousands of new breach databases.

This updated EEC Pro now leverages one of the largest and most up-to-date breach data sources to help you find even more of your users’ compromised accounts that have been exposed in the most recent data breaches - fast.


Get Your EEC Pro Report in Less Than 5 Minutes! It’s often an eye-opening discovery. You are probably not going to like the results...

Send Me My Free Report!
Organizations Need to Be Wary of Home Worker Phishing Risks

Last week the Department of Homeland Security issued an alert noting that many organizations are preparing for possible impacts of COVID-19 and considering alternate workplace options for their employees.

Remote work options (work from home, or WFH for short) often require an enterprise virtual private network (VPN) solution to connect employees to an organization’s information technology (IT) network. DHS's Cybersecurity and Infrastructure Security Agency (CISA) encouraged organizations to adopt a heightened state of cybersecurity.

CISA also specifically noted: “Malicious cyber actors may increase phishing emails targeting teleworkers to steal their usernames and passwords.” Since that warning, many companies and organizations are now requiring their employees to work from home.

We’ve never seen this many workers conducting company business simultaneously from their homes. It’s truly an historic event that will require adaptations to our lives and normal routines. We may be managing our children who are off from school, living in a more packed or noisy home with interruptions. Many will be feeling anxiety about the crisis or experiencing financial stress.

Those living alone may feel even more isolated. Organizations are finding themselves moving their work forces almost overnight to virtual work environments along with the monumental security and IT challenges.

Working from home, users will need to maintain a measure of normalcy in business and social lives, even while many facets of life are changing all around us every day. Continued and links:
[NEW WEBINAR] 2020 Phishing by Industry Benchmarking Report: How Does Your Organization Measure Up

As a security leader, you have a lot on your plate. Even as you increase your budget for sophisticated security software, your exposure to cybercrime keeps going up. IT security seems to be a race between effective technology and ever-evolving attack strategies from the bad guys. However, there’s an often-overlooked security layer that can significantly reduce your organization’s attack surface: New-school security awareness training.

Join Perry Carpenter, KnowBe4's Chief Evangelist and Strategy Officer, and Joanna Huisman, KnowBe4's Senior Vice President of Strategic Insights and Research, for a review of our new 2020 Phishing by Industry Benchmarking Report, a data set of nearly four million users across 17,000 organizations.

You will learn more about:
  • New phishing benchmark data for 19 industries
  • Understanding who’s at risk and what you can do about it
  • Actionable tips to create your “human firewall”
  • The value of new-school security awareness training
Do you know how your organization compares to your peers? Watch this webinar to find out!

Date/Time: TOMORROW, Wednesday, March 25 @ 2:00 PM (ET)

Save My Spot!
FBI Sends Private Industry Notification Warning of BEC Techniques

The FBI sent out a Private Industry Notification (PIN) warning companies that attackers are abusing Microsoft Office 365 and Google’s G Suite to launch business email compromise (BEC) attacks, BleepingComputer reports.

The criminals are using well-designed phishing kits to facilitate these attacks. “The scams are initiated through specifically developed phish kits designed to mimic the cloud-based email services in order to compromise business email accounts and request or misdirect transfers of funds," the FBI said. “Between January 2014 and October 2019, the Internet Crime Complaint Center (IC3) received complaints totaling over $2.1 billion in actual losses from BEC scams targeting Microsoft Office 365 and Google G Suite.”

These attacks are far more sophisticated and targeted than other types of phishing attacks. The scammers sometimes lurk for months within the compromised account, observing the normal operations of the organization.

“Upon compromising victim email accounts, cybercriminals analyze the content to look for evidence of financial transactions,” the FBI said. “Using the information gathered from compromised accounts, cybercriminals impersonate email communications between compromised businesses and third parties, such as vendors or customers.”

Once the attackers have gained inside knowledge of the organization’s business operations, they’ll pose as employees of either the compromised organization itself or one of its partners and trick employees into sending payments to attacker-controlled bank accounts.

In addition, the attackers will steal the contact lists of the compromised email accounts. They can then target those contacts with spearphishing attacks and potentially gain a foothold within another organization.

These attacks are among the most difficult to spot from both a technical and a human perspective, because they appear to come from a trusted account belonging to a real employee within the organization. New-school security awareness training can create a culture of security within your organization that will enable your employees to verify the legitimacy of sensitive requests. BleepingComputer has the story:
[Live Demo] See Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, April 8 @ 2:00 pm (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

See how easy it is to train and phish your users:
  • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails.
  • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
  • NEW Assessments! Find out where your users are in both security knowledge and security culture to help establish baseline security metrics you can improve over time.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 32,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, April 8 @ 2:00 pm (ET)

Save My Spot!

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: My fave movie at the moment: Contagion with Matt Damon and others. Director: Steven Soderbergh
Quotes of the Week
"Don't part with your illusions. When they are gone, you may still exist, but you have ceased to live." - Mark Twain

"Never give up on what you really want to do. The person with big dreams is more powerful than one with all the facts." - Albert Einstein

Thanks for reading CyberheistNews
Security News
Kevin Mitnick’s Outlook On Ransomware

Ransomware attacks are getting worse as attackers shift their strategies to place more pressure on their victims, according to KnowBe4’s Chief Hacking Officer Kevin Mitnick. On the CyberWire’s Daily Podcast, Mitnick explained that managed service providers (MSPs) are increasingly at risk for targeted attacks, and all organizations need to be concerned about attackers exfiltrating their data.

“I still see that we have the same problems that we did last year,” he said. “I see ransomware is getting much, for example, a threat actor compromises MSP. They get enough data from the MSP, they could access internal networks of their clients - the MSP's clients. They basically deploy ransomware into the MSP after they've compromised their clients and exfil’d data.”

While the widespread use of ransomware is a newer trend, social engineering has been with us throughout human history. Mitnick said he told Congress twenty years ago that social engineering would remain the most efficient attack vector unless everyone was trained to watch out for it.

“I warned them back in 2000 – March of 2000 – that social engineering is here and now, and a way in not only to private-sector, but to public-sector networks and systems,” he said. “And it will probably be here for a long time unless you start doing – you know, unless you start educating the masses.

I was going for mass education, like public service announcements on television and stuff to educate the everyday person.” Mitnick added that some new technologies, such as passwordless authentication, are very useful security tools, and they force attackers to change their strategies.

“So a lot of phishing attacks...not the pretext, phone-call side but from the phishing side, a lot of those attacks are what we call credential-harvesting attacks,” he said. “So it's not to get a malicious payload onto the victim's endpoint; it's to get the credentials. So in those types of attacks of, you know, people adopt, companies adopt these passwordless technologies, then there's no passwords to steal.”

However, losing access to tried-and-true phishing techniques won’t compel criminals to pursue a more constructive line of work. They’ll simply shift their efforts to techniques that are still effective, such as delivering malware or tricking employees into handing over money or sensitive information.

“You just see these scams happening all the time,” Mitnick concluded. “So I really think – I'm really a true believer that education is key.”

The CyberWire has the story:
Domains Use Homographic Characters to Create Hard to Spot Phishing URLs

Website domains can use homographic characters to create very hard-to-spot phishing URLs, Threatpost reports. Cybersecurity researcher Avi Lumelsky demonstrated how easy it is to create one of these domains using the symbol “ɢ” instead of the ASCII character “G” to set up fake Google domains.

Lumelsky was able to register ɢ, ɢ, ɢ, ɢ, ɢ, ɢ, and ɢ

Lumelsky then obtained Let's Encrypt certificates for his domains so browsers would show them as secure (a certificate only proves control of the name it was issued for, not that the name is the one the user thinks it is), and he copied and pasted the JavaScript code from Google’s real sites onto his own matching domains. This made his sites look and act just like Google’s services. For example, “ɢ” works

He posted links to his sites on security-focused subreddits and showed that these domains were able to fool even some technically-minded people. While some platforms display such a domain in its Punycode form (the ASCII encoding beginning with “xn--”) rather than rendering the “ɢ” glyph, Lumelsky noted that on mobile devices the “ɢ” looks much the same as a regular “G.” Additionally, on every platform, the link preview is identical to the real Google site’s preview.

“Eventually, without much work, I ended up with hundreds of unique visitors (excluding the bots and security scanners or the platforms in which I posted),” Lumelsky said. “It looks and acts just like any google single-page application.”

Lumelsky explained that this technique could be used in phishing campaigns as well as for man-in-the-middle attacks. “I am making the SSL handshake with the user,” he said. “The original Google application is served, it functions as expected, but I am exposed to the user’s traffic with the domain. Therefore, I can change the body of Google’s response.”

Fortunately, since Lumelsky is a white-hat researcher, he didn’t use these sites for anything malicious. However, criminals can use the same techniques to trick people into handing over their credentials and other sensitive information.
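The checks below are an added example written for this newsletter, not Lumelsky's code or anything from the Threatpost write-up. They show three things a mail gateway or link-rewriting proxy can do with a hostname before a user ever sees it: render the Punycode ("xn--") form a resolver actually uses, test whether a label mixes scripts, and fold look-alike code points to the ASCII brand they imitate. The confusable map is a hand-built, deliberately partial subset (Unicode's confusables.txt has thousands of entries), the brand list is an assumed allowlist, and "script" is approximated by the first word of the character's Unicode name because the standard library exposes no script property. The point worth noticing is that “ɢ” (U+0262) is a Latin-script letter, so a mixed-script heuristic alone passes it; only the confusable fold catches it.

```python
"""IDN homograph checks: Punycode view, mixed-script test, confusable fold.

Added example for this article, not the researcher's code. CONFUSABLES is a
constructed, partial sample of look-alike code points; PROTECTED_BRANDS is an
assumed allowlist; script detection is a name-prefix approximation.
"""
import unicodedata

# Constructed, partial map of look-alike code points -> the ASCII letter they imitate.
CONFUSABLES = {
    "\u0262": "g",  # ɢ LATIN LETTER SMALL CAPITAL G (the glyph used in the article's domains)
    "\u026a": "i",  # ɪ LATIN LETTER SMALL CAPITAL I
    "\u0274": "n",  # ɴ LATIN LETTER SMALL CAPITAL N
    "\u1d0f": "o",  # ᴏ LATIN LETTER SMALL CAPITAL O
    "\u0430": "a",  # а CYRILLIC SMALL LETTER A
    "\u0435": "e",  # е CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # о CYRILLIC SMALL LETTER O
    "\u0440": "p",  # р CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # с CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # ѕ CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # і CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03bf": "o",  # ο GREEK SMALL LETTER OMICRON
}

PROTECTED_BRANDS = {"google", "microsoft", "paypal", "apple"}  # assumed allowlist


def to_ascii(hostname: str) -> str:
    """Return the ASCII-compatible ('xn--' Punycode) form that DNS actually resolves."""
    return hostname.encode("idna").decode("ascii")


def script_of(ch: str) -> str:
    """Approximate the script by the first word of the Unicode name (LATIN, CYRILLIC, GREEK...)."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def is_mixed_script(label: str) -> bool:
    """True if the letters of one label come from more than one script."""
    return len({script_of(c) for c in label if c.isalpha()}) > 1


def skeleton(label: str) -> str:
    """Fold a label to the ASCII string a human is likely to mistake it for."""
    out = []
    for ch in label:
        ch = CONFUSABLES.get(ch, ch)
        # Strip diacritics: decompose (NFKD) and drop combining marks, e.g. 'ö' -> 'o'.
        for base in unicodedata.normalize("NFKD", ch):
            if not unicodedata.combining(base):
                out.append(base)
    return "".join(out).lower()


def assess(hostname: str) -> dict:
    """Findings for one hostname: Punycode form, per-label warnings, overall verdict."""
    findings = {"hostname": hostname, "ascii": to_ascii(hostname), "warnings": []}
    for label in hostname.lower().rstrip(".").split("."):
        if label.isascii():
            continue  # plain ASCII labels cannot be homographs
        if is_mixed_script(label):
            findings["warnings"].append(f"mixed-script label {label!r}")
        folded = skeleton(label)
        if folded in PROTECTED_BRANDS:
            findings["warnings"].append(f"label {label!r} looks like protected brand {folded!r}")
        elif folded != label:
            findings["warnings"].append(f"non-ASCII label {label!r} folds to {folded!r}")
    findings["suspicious"] = bool(findings["warnings"])
    return findings


if __name__ == "__main__":
    # Constructed inputs: the article's small-capital-G trick and a Cyrillic-a PayPal look-alike.
    for host in ("google.com", "\u0262oogle.com", "p\u0430ypal.com"):
        print(assess(host))
```

Run it against the hostnames of every link in an inbound message (after following redirects) and treat any "looks like protected brand" warning as a block, not a user-facing hint; as the article shows, the glyph is indistinguishable on mobile and the link preview is identical, so users get nothing to act on.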

New-school security awareness training can teach your employees to be wary when they follow a link to a website, even if they don’t spot any easily visible warning signs.

Threatpost has the story:
Malicious IQY Files Found in Spam Campaign

Researchers at Lastline have come across a phishing campaign that’s using Internet Query (IQY) files to bypass security filters and deliver a new version of the Paradise ransomware. The researchers explain that IQY is an obscure but legitimate Microsoft Office file format that won’t be flagged by many security solutions.

“IQY, or Internet Query files, are simple text files read by Excel that download data from the Internet,” they write. “This file type can be leveraged to download an Excel formula (command) that could abuse a system process, such as PowerShell, cmd, mshta, or any other LoLBins (Living-off-the-Land Binaries).

As this is a legitimate Excel file type, many organizations will not block or filter it. For organizations that do have security appliances that analyze attachments, these files may not flag as malware, as there is no payload.”

Paradise ransomware has been in circulation since 2017, and it’s still receiving updates from its developers. In this case, the ransom note contains a link to a chat room where the victim can communicate with the attacker, although the researchers didn’t get a response to their messages.

The researchers conclude that these files are difficult to flag since there’s nothing inherently malicious in them, so organizations need to focus on the URL.

“In summary, this campaign exhibited how weaponized IQYs can be an effective technique for an attacker to infiltrate a network,” they write. “Since these IQYs contain no payload (just a URL), they can be challenging for organizations to detect. Organizations may have to rely on a 3rd party URL reputation service if they do not have appliances in place to analyze and interrogate these URLs.”

Even URL reputation services aren’t foolproof, since attackers are constantly shifting to new domains. Technical defenses can’t stop every malicious email from entering your network, and it only takes one employee opening an attachment or clicking on a link for your organization to be compromised.
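Because an IQY file is nothing but a short text file whose third line is the query URL, the URL is also the cheapest place to triage it. The script below is an added example, not Lastline's code: it parses the documented Web Query text layout (a "WEB" line, a version line, the URL, then optional Key=Value parameters), then applies the checks a gateway can make without any reputation feed, namely scheme, IP-literal host, and an allowlist of hosts the organization knowingly pulls Excel web queries from. The allowlist and both sample files are constructed for this example; the hostile sample uses a documentation address, not an address from the campaign.

```python
"""Triage Excel Internet Query (.iqy) attachments on the one thing they contain: a URL.

Added example, not Lastline's code. Assumes the standard Web Query text layout
(WEB / version / URL / optional Key=Value lines). ALLOWED_HOSTS and the sample
files are constructed for this example.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumed: hosts from which this organization legitimately runs Excel web queries.
ALLOWED_HOSTS = {"intranet.example.com", "finance.example.com"}


def parse_iqy(data: bytes) -> dict:
    """Return {'url': ..., 'params': {...}} from IQY file bytes, or raise ValueError."""
    text = data.decode("utf-8-sig", errors="replace")  # tolerate a BOM, never crash on junk
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not a WEB query file")
    params = {}
    for ln in lines[3:]:  # e.g. Selection=EntirePage, Formatting=None
        key, sep, val = ln.partition("=")
        if sep:
            params[key.strip()] = val.strip()
    return {"url": lines[2], "params": params}


def url_findings(url: str) -> list:
    """Checks a mail gateway can apply to the query URL before Excel ever fetches it."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        findings.append(f"unexpected scheme {parts.scheme!r}")
    elif parts.scheme == "http":
        findings.append("cleartext http: the returned formula can be altered in transit")
    try:
        ipaddress.ip_address(host)
        findings.append("IP-literal host")
    except ValueError:
        pass
    if host not in ALLOWED_HOSTS:
        findings.append(f"host {host!r} not in web-query allowlist")
    return findings


def triage(data: bytes) -> dict:
    """Verdict for one attachment: 'allow' only if the URL is clean and allowlisted."""
    try:
        parsed = parse_iqy(data)
    except ValueError as exc:
        return {"verdict": "not-iqy", "reason": str(exc)}
    findings = url_findings(parsed["url"])
    return {"verdict": "block" if findings else "allow",
            "url": parsed["url"], "findings": findings}


# Constructed samples: a benign internal report query and a hostile file pointing at a
# bare IP (203.0.113.10 is a documentation address, not one from the campaign).
BENIGN_IQY = (b"WEB\r\n1\r\nhttps://finance.example.com/reports/q1.csv\r\n\r\n"
              b"Selection=EntirePage\r\nFormatting=None\r\n")
HOSTILE_IQY = b"WEB\r\n1\r\nhttp://203.0.113.10/update.dat\r\n"

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_IQY), ("hostile", HOSTILE_IQY)):
        print(name, triage(blob))
```

The allowlist does the real work: whatever the server returns is evaluated by Excel as a formula, so an unknown host is sufficient reason to block regardless of reputation score. Reputation feeds, as noted above, lag behind attackers who rotate domains; an allowlist does not.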

Lastline has the story:
What KnowBe4 Customers Say

"As I mentioned on our call on Friday, I am a member of a US-based security awareness professionals working group that meets once a quarter. I was unable to attend the last session, however there was a discussion on phishing simulations and someone sent a positive review for Knowbe4 via email after the call. What ensued after that was a myriad of others validating their positive experience with Knowbe4. So often we have a tendency to remark on what is not working, so to see such positive remarks on a solution that is working is refreshing and should make you and the team at Knowbe4 proud."
- M.G., Awareness Training Project Manager

The 11 Interesting News Items This Week
    1. Top US health agency suffers cyberattack. Report:

    2. Phishing Scams And Unpatched Software Are The Biggest Cybersecurity Threats In 2020:

    3. More Glimpses Of How Russian Intelligence Utilized Hackers Revealed in U.S. Trial:

    4. An article by yours truly in SC Mag: Ransomware: Avoid Becoming the Next Victim:

    5. The Inside Scoop on a Six-Figure Nigerian Fraud Campaign:

    6. Coronavirus Widens the Money Mule Pool:

    7. Russia deploying coronavirus disinformation to sow panic in West, EU document says:

    8. Most Ransomware Gets Executed Three Days After Initial Breach:

    9. APT28 has been scanning vulnerable email servers for more than a year:

    10. Russian Cyberspies Hacked High-Profile Email Accounts for Phishing:

    11. BONUS: Beware of ‘ZoomBombing:’ trolls are screensharing filth to video calls:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.
