CyberheistNews Vol 10 #29
[Heads Up] Microsoft Stops an O365 Phishing Campaign That Attacked CEOs in 60+ Countries 
Microsoft announced that the US District Court for the Eastern District of Virginia has ruled that the company can seize six domains that were being used in a widespread phishing campaign.
Microsoft said the sophisticated campaign targeted users in sixty-two countries around the world, and it capitalized on fears surrounding COVID-19.
Notably, the attackers didn’t use credential-harvesting login portals to trick victims into entering their usernames and passwords. Instead, the emails contained links that requested permissions for a malicious web app that impersonated Office 365.
“Once victims clicked on the deceptive links, they were ultimately prompted to grant access permissions to a malicious web application (web app),” Microsoft explained. “Web apps are familiar-looking as they are widely used in orgs to drive productivity, create efficiencies and increase security in a distributed network.
Unknown to the victim, these malicious web apps were controlled by the criminals, who, with fraudulently obtained permission, could access the victim’s Microsoft Office 365 account. This scheme enabled unauthorized access without explicitly requiring the victims to directly give up their login credentials at a fake website or similar interface, as they would in a more traditional phishing campaign.”
After the victim had granted permissions, the attacker could access and manipulate everything in the victim’s Office 365 account, including their OneDrive storage and corporate SharePoint system.
“As we’ve observed, cybercriminals have been adapting their lures to take advantage of current events, using COVID-19-related themes to deceive victims,” Microsoft added. “While the lures may have changed, the underlying threats remain, evolve and grow, and it’s more important than ever to remain vigilant against cyberattacks.”
Attackers are always changing their tactics to trick employees, but the advice for users and organizations to thwart these attacks generally remains the same.
“To further protect yourself against phishing campaigns, including BEC, we recommend, first, that you enable two-factor authentication on all business and personal email accounts,” Microsoft concluded. “Second, learn how to spot phishing schemes and protect yourself from them. Third, enable security alerts about links and files from suspicious websites and carefully check your email forwarding rules for any suspicious activity. Businesses can learn how to recognize and remediate these types of attacks and also take these steps to increase the security of their organizations.”
New-school security awareness training gives give your your last line of defense by teaching your employees how to recognize and thwart phishing attacks.
Microsoft has the story:
https://blogs.microsoft.com/on-the-issues/2020/07/07/digital-crimes-unit-covid-19-cybercrime/
Microsoft announced that the US District Court for the Eastern District of Virginia has ruled that the company can seize six domains that were being used in a widespread phishing campaign.
Microsoft said the sophisticated campaign targeted users in sixty-two countries around the world, and it capitalized on fears surrounding COVID-19.
Notably, the attackers didn’t use credential-harvesting login portals to trick victims into entering their usernames and passwords. Instead, the emails contained links that requested permissions for a malicious web app that impersonated Office 365.
“Once victims clicked on the deceptive links, they were ultimately prompted to grant access permissions to a malicious web application (web app),” Microsoft explained. “Web apps are familiar-looking as they are widely used in orgs to drive productivity, create efficiencies and increase security in a distributed network.
Unknown to the victim, these malicious web apps were controlled by the criminals, who, with fraudulently obtained permission, could access the victim’s Microsoft Office 365 account. This scheme enabled unauthorized access without explicitly requiring the victims to directly give up their login credentials at a fake website or similar interface, as they would in a more traditional phishing campaign.”
After the victim had granted permissions, the attacker could access and manipulate everything in the victim’s Office 365 account, including their OneDrive storage and corporate SharePoint system.
“As we’ve observed, cybercriminals have been adapting their lures to take advantage of current events, using COVID-19-related themes to deceive victims,” Microsoft added. “While the lures may have changed, the underlying threats remain, evolve and grow, and it’s more important than ever to remain vigilant against cyberattacks.”
Attackers are always changing their tactics to trick employees, but the advice for users and organizations to thwart these attacks generally remains the same.
“To further protect yourself against phishing campaigns, including BEC, we recommend, first, that you enable two-factor authentication on all business and personal email accounts,” Microsoft concluded. “Second, learn how to spot phishing schemes and protect yourself from them. Third, enable security alerts about links and files from suspicious websites and carefully check your email forwarding rules for any suspicious activity. Businesses can learn how to recognize and remediate these types of attacks and also take these steps to increase the security of their organizations.”
New-school security awareness training gives give your your last line of defense by teaching your employees how to recognize and thwart phishing attacks.
Microsoft has the story:
https://blogs.microsoft.com/on-the-issues/2020/07/07/digital-crimes-unit-covid-19-cybercrime/
[TOMORROW] Hackers Exposed: Kevin Mitnick Shares His Tradecraft and Tools to Help You Hack Proof Your Network
Months of quarantine, transitioning to work from home, economic uncertainty, social and political turmoil… it’s easy to see why your employees are tense and distracted. And the bad guys are preying on those vulnerabilities more savagely than ever.
Join us for this exclusive webinar where Kevin Mitnick, KnowBe4’s Chief Hacking Officer and Perry Carpenter, KnowBe4’s Chief Evangelist and Strategy Officer dive deep into the strategies cybercriminals are using to raise the stakes.
In this webinar you’ll hear about:
Date/Time: TOMORROW, Wednesday, July 15 @ 2:00 PM (ET)
Save My Spot!
https://event.on24.com/wcc/r/2469831/8CE34235D63ECB2355E0D55A998F15F6?partnerref=CHN2
Months of quarantine, transitioning to work from home, economic uncertainty, social and political turmoil… it’s easy to see why your employees are tense and distracted. And the bad guys are preying on those vulnerabilities more savagely than ever.
Join us for this exclusive webinar where Kevin Mitnick, KnowBe4’s Chief Hacking Officer and Perry Carpenter, KnowBe4’s Chief Evangelist and Strategy Officer dive deep into the strategies cybercriminals are using to raise the stakes.
In this webinar you’ll hear about:
- Router configurations that put WFH and hybrid home/office endpoints in danger
- New browser exploits that are making your employees more vulnerable
- Why you can’t trust your trusted senders (supply chain attacks)
- The ominous effects of several real-life ransomware attacks
Date/Time: TOMORROW, Wednesday, July 15 @ 2:00 PM (ET)
Save My Spot!
https://event.on24.com/wcc/r/2469831/8CE34235D63ECB2355E0D55A998F15F6?partnerref=CHN2
Office 365 Phishing Attacks Now Use Fake Zoom Suspension Alerts
Microsoft Office 365 users are targeted by a new phishing campaign using fake Zoom notifications to warn those who work in corporate environments that their Zoom accounts have been suspended, with the end goal of stealing Office 365 logins.
So far the phishing campaign impersonating automated Zoom account suspension alerts has landed in over 50,000 mailboxes based on stats provided by researchers as email security company Abnormal Security who spotted these ongoing attacks.
"The importance of Zoom as a communications method is essential in a world under the shadow of the COVID-19 pandemic," Abnormal Security explained. "Thus, the user may rush to correct their account, click on the malicious link, and inadvertently enter credentials on this bad website."
If they fall for the attackers' tricks, the victims' Microsoft credentials will be used to take full control of their accounts and all their information will be ripe for the picking, later to be used as apart of identity theft and fraud schemes such as Business Email Compromise (BEC) attacks.
Train your users so know how to spot the potential warning signs as they continue to work in an at-home environment.
Bleeping Computer has the story:
https://www.bleepingcomputer.com/news/security/persuasive-office-365-phishing-uses-fake-zoom-suspension-alerts/
Microsoft Office 365 users are targeted by a new phishing campaign using fake Zoom notifications to warn those who work in corporate environments that their Zoom accounts have been suspended, with the end goal of stealing Office 365 logins.
So far the phishing campaign impersonating automated Zoom account suspension alerts has landed in over 50,000 mailboxes based on stats provided by researchers as email security company Abnormal Security who spotted these ongoing attacks.
"The importance of Zoom as a communications method is essential in a world under the shadow of the COVID-19 pandemic," Abnormal Security explained. "Thus, the user may rush to correct their account, click on the malicious link, and inadvertently enter credentials on this bad website."
If they fall for the attackers' tricks, the victims' Microsoft credentials will be used to take full control of their accounts and all their information will be ripe for the picking, later to be used as apart of identity theft and fraud schemes such as Business Email Compromise (BEC) attacks.
Train your users so know how to spot the potential warning signs as they continue to work in an at-home environment.
Bleeping Computer has the story:
https://www.bleepingcomputer.com/news/security/persuasive-office-365-phishing-uses-fake-zoom-suspension-alerts/
[NEW PhishER Feature] Remove, Inoculate, and Protect Against Email Threats Faster with PhishRIP
Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic can present a new problem!
PhishRIP as part of the PhishER platform is a new email quarantine feature that integrates with Microsoft Office 365 to help you remove, inoculate, and protect your organization against email threats so you can shut down active phishing attacks fast.
Since user-reported messages require some level of analysis to prioritize, you need a simple and effective way to not only respond to and mitigate these reported messages, but also find and remove those suspicious messages still sitting in your users’ mailboxes.
Now you can with PhishER, a product which allows your Incident Response team to quickly identify and respond to email threats faster. This will save them so much time!
See how you can best manage your user-reported messages.
Join us Wednesday, July 22 @ 2:00 PM (ET) for a 30-minute demonstration of the PhishER platform. With PhishER you can:
Date/Time: Wednesday, July 22 @ 2:00 PM (ET)
Save My Spot!
https://event.on24.com/wcc/r/2466271/5DF2ED48E9583AA181C17B8BB0C21AF3?partnerref=CHN1
Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic can present a new problem!
PhishRIP as part of the PhishER platform is a new email quarantine feature that integrates with Microsoft Office 365 to help you remove, inoculate, and protect your organization against email threats so you can shut down active phishing attacks fast.
Since user-reported messages require some level of analysis to prioritize, you need a simple and effective way to not only respond to and mitigate these reported messages, but also find and remove those suspicious messages still sitting in your users’ mailboxes.
Now you can with PhishER, a product which allows your Incident Response team to quickly identify and respond to email threats faster. This will save them so much time!
See how you can best manage your user-reported messages.
Join us Wednesday, July 22 @ 2:00 PM (ET) for a 30-minute demonstration of the PhishER platform. With PhishER you can:
- NEW! Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft Office 365
- Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
- Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
- Augment your analysis and prioritization of user-reported messages with PhishML, PhishER’s machine-learning module
- Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
- Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Date/Time: Wednesday, July 22 @ 2:00 PM (ET)
Save My Spot!
https://event.on24.com/wcc/r/2466271/5DF2ED48E9583AA181C17B8BB0C21AF3?partnerref=CHN1
New Phishing Attack Targets 200M+ Microsoft 365 Accounts Via Malicious Excel .SLK Files to Bypass Security
Using an old (but supported) Excel filetype, attackers can bypass both Exchange Online Protection and Advanced Threat Protection to run malicious macros.
Security researchers at Avanan have discovered a new attack method where cybercriminals send phishing emails that contain what appears to be an Excel spreadsheet. The file is actually an SLK file – a “Symbolic Link” Excel file used to transfer data between spreadsheet programs and other databases – to host a macro that launches an MSI script.
There are a few aspects of this attack that make it particularly worrisome for organizations using Microsoft 365:
Organizations need to first configure their Microsoft 365 tenant to block these extensions. But, because the SLK-based attack is just the next attack in a long line of those to come, it’s as important to teach users to be on their toes related to inbound emails, looking for red flags that might be malicious.
Using an old (but supported) Excel filetype, attackers can bypass both Exchange Online Protection and Advanced Threat Protection to run malicious macros.
Security researchers at Avanan have discovered a new attack method where cybercriminals send phishing emails that contain what appears to be an Excel spreadsheet. The file is actually an SLK file – a “Symbolic Link” Excel file used to transfer data between spreadsheet programs and other databases – to host a macro that launches an MSI script.
There are a few aspects of this attack that make it particularly worrisome for organizations using Microsoft 365:
- The phishing emails are targeted and are written in an organization-specific, and sometimes user-specific manner
- It appears to be an Excel file (because it is) which is a known file format
- Most Office users know not to enable macros (or have them administratively disabled) and, therefore, think it’s fine to open an Excel spreadsheet (“It can’t hurt me, right?”)
- The filetype currently bypasses all Microsoft 365 security
- Windows “Protected View” does not apply to SLK files, so the file is NOT opened in read-only mode, leaving the user vulnerable to attack
- The call to run the Microsoft Installer runs in quiet mode and installs a hacked version of NetSupport remote control
Organizations need to first configure their Microsoft 365 tenant to block these extensions. But, because the SLK-based attack is just the next attack in a long line of those to come, it’s as important to teach users to be on their toes related to inbound emails, looking for red flags that might be malicious.
[On-Demand Webinar] 12 Ways to Defeat Multi-Factor Authentication
Everyone knows that multi-factor authentication (MFA) is more secure than a simple login name and password, but too many people think that MFA is a perfect, unhackable solution. It isn't!
Join Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, and security expert with over 30-years experience, for this on-demand webinar where he will explore 12 ways hackers can and do get around your favorite MFA solution.
The webinar includes a hacking demo by KnowBe4's Chief Hacking Officer, Kevin Mitnick, and real-life successful examples of every attack type. Roger will share ideas about how to better defend your MFA solution so that you get maximum benefit and security.
You'll learn about the good and bad of MFA, and become a better computer security defender in the process, including:
https://info.knowbe4.com/webinar-12-ways-to-defeat-mfa
Let's stay safe out there.
PS: Perry Carpenter's top-selling book how to create a killer security awareness training program is now available as an audio book! Link to Amazon:
https://www.amazon.com/Transformational-Security-Awareness-Neuroscientists-Storytellers-dp-B08CJQXHRR/dp/B08CJQXHRR
Everyone knows that multi-factor authentication (MFA) is more secure than a simple login name and password, but too many people think that MFA is a perfect, unhackable solution. It isn't!
Join Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, and security expert with over 30-years experience, for this on-demand webinar where he will explore 12 ways hackers can and do get around your favorite MFA solution.
The webinar includes a hacking demo by KnowBe4's Chief Hacking Officer, Kevin Mitnick, and real-life successful examples of every attack type. Roger will share ideas about how to better defend your MFA solution so that you get maximum benefit and security.
You'll learn about the good and bad of MFA, and become a better computer security defender in the process, including:
- 12 ways hackers get around multi-factor authentication
- How to defend your multi-factor authentication solution
- The role humans play in a blended-defense strategy
https://info.knowbe4.com/webinar-12-ways-to-defeat-mfa
Let's stay safe out there.
Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc
PS: Perry Carpenter's top-selling book how to create a killer security awareness training program is now available as an audio book! Link to Amazon:
https://www.amazon.com/Transformational-Security-Awareness-Neuroscientists-Storytellers-dp-B08CJQXHRR/dp/B08CJQXHRR
Quotes of the Week
"The beautiful thing about learning is that nobody can take it away from you."
- B.B. King
"The natural desire of good men is knowledge."
- Leonardo da Vinci
Thanks for reading CyberheistNews
- B.B. King
"The natural desire of good men is knowledge."
- Leonardo da Vinci
Thanks for reading CyberheistNews
Security News
New ‘WastedLocker’ Ransomware Released by Evil Corp
The group associated with the Zeus trojan, Locky and BitPaymer looks to have debuted a new ransomware and have already seen massive distribution of it in the wild.
The bad guys waste no time. This new variant of ransomware has already been used to attack major corporations. According to Symantec, at least 31 large private corporations – eight, of which, are Fortune 500 companies – were attacked using WastedLocker.
This new ransomware still utilizes the malicious JavaScript-based framework known as SocGholish to trick victims into believing they are actually downloading updates to Flash or their browser. Over 150 websites – including U.S. news websites – have been compromised and infected with SocGoulish in an attempt to increase the number of compromised machines and organizations.
Once an initial endpoint is compromised, traditional internal threat actions are taken including stealing of credentials, escalation of privileges, and lateral movement all occur until enough control over a network is achieved to make deploying WastedLocker worthwhile.
Organizations should take precautions – particularly in the area of user education. Teaching a user how to spot a fake “your browser needs to be updated” window on a website is an easy way to avoid becoming the victim of this new ransomware.
But organizations need to go farther than this single method of attack, using security awareness training to educate users on all common tactics, and to generally elevate the user’s thinking about how they approach email and the web with a mindset that scrutinizes every interaction.
Get your new (no-charge), updated for 2020 Ransomware Hostage Rescue Manual here:
https://blog.knowbe4.com/new-wastedlocker-ransomware-released-by-evil-corp
The group associated with the Zeus trojan, Locky and BitPaymer looks to have debuted a new ransomware and have already seen massive distribution of it in the wild.
The bad guys waste no time. This new variant of ransomware has already been used to attack major corporations. According to Symantec, at least 31 large private corporations – eight, of which, are Fortune 500 companies – were attacked using WastedLocker.
This new ransomware still utilizes the malicious JavaScript-based framework known as SocGholish to trick victims into believing they are actually downloading updates to Flash or their browser. Over 150 websites – including U.S. news websites – have been compromised and infected with SocGoulish in an attempt to increase the number of compromised machines and organizations.
Once an initial endpoint is compromised, traditional internal threat actions are taken including stealing of credentials, escalation of privileges, and lateral movement all occur until enough control over a network is achieved to make deploying WastedLocker worthwhile.
Organizations should take precautions – particularly in the area of user education. Teaching a user how to spot a fake “your browser needs to be updated” window on a website is an easy way to avoid becoming the victim of this new ransomware.
But organizations need to go farther than this single method of attack, using security awareness training to educate users on all common tactics, and to generally elevate the user’s thinking about how they approach email and the web with a mindset that scrutinizes every interaction.
Get your new (no-charge), updated for 2020 Ransomware Hostage Rescue Manual here:
https://blog.knowbe4.com/new-wastedlocker-ransomware-released-by-evil-corp
FakeSpy Android Malware Distributed Worldwide Via Smishing
Researchers at Cybereason are tracking a sophisticated malware campaign targeting Android devices around the world. The campaign involves a new version of the FakeSpy information-stealing malware, which is tied to the China-associated threat actor “Roaming Mantis.”
The attackers are using smishing to trick victims into installing spoofed apps. “The malware uses smishing, or SMS phishing, to infiltrate target devices, which is a technique that relies on social engineering,” the researchers explain.
“The attackers send fake text messages to lure the victims to click on a malicious link. The link directs them to a malicious web page, which prompts them to download an Android application package (APK)....New versions of FakeSpy masquerade as government post office apps and transportation services apps.
Our analysis indicates that the threat actors are no longer limiting their campaigns to East Asian countries, but are targeting additional countries around the world.”
The malicious apps are impersonating the US Postal Service, Britain’s Royal Mail, the Deutsche Post in Germany, France’s La Poste, the Japan Post, the Swiss Post, and Taiwan’s Chunghwa Post. This marks an expansion in targeting for the malware, as previous FakeSpy campaigns had only targeted Japanese and Korean speakers.
Cybereason stresses that the malware can only operate if the victims themselves grant permissions to the malicious apps, which the researchers say “points to the importance of healthy skepticism when giving applications permissions.”
The researchers conclude that FakeSpy’s developers are still actively working on refining the tool, so the malware will likely surface again in the future.
“The malware authors seem to be putting a lot of effort into improving this malware, bundling it with numerous new upgrades that make it more sophisticated, evasive, and well-equipped,” they write. “These improvements render FakeSpy one of the most powerful information stealers on the market.
We anticipate this malware to continue to evolve with additional new features; the only question now is when we will see the next wave.” New-school security awareness training can teach your employees how to avoid falling for smishing and other social engineering attacks.
Cybereason has the story:
https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world
Researchers at Cybereason are tracking a sophisticated malware campaign targeting Android devices around the world. The campaign involves a new version of the FakeSpy information-stealing malware, which is tied to the China-associated threat actor “Roaming Mantis.”
The attackers are using smishing to trick victims into installing spoofed apps. “The malware uses smishing, or SMS phishing, to infiltrate target devices, which is a technique that relies on social engineering,” the researchers explain.
“The attackers send fake text messages to lure the victims to click on a malicious link. The link directs them to a malicious web page, which prompts them to download an Android application package (APK)....New versions of FakeSpy masquerade as government post office apps and transportation services apps.
Our analysis indicates that the threat actors are no longer limiting their campaigns to East Asian countries, but are targeting additional countries around the world.”
The malicious apps are impersonating the US Postal Service, Britain’s Royal Mail, the Deutsche Post in Germany, France’s La Poste, the Japan Post, the Swiss Post, and Taiwan’s Chunghwa Post. This marks an expansion in targeting for the malware, as previous FakeSpy campaigns had only targeted Japanese and Korean speakers.
Cybereason stresses that the malware can only operate if the victims themselves grant permissions to the malicious apps, which the researchers say “points to the importance of healthy skepticism when giving applications permissions.”
The researchers conclude that FakeSpy’s developers are still actively working on refining the tool, so the malware will likely surface again in the future.
“The malware authors seem to be putting a lot of effort into improving this malware, bundling it with numerous new upgrades that make it more sophisticated, evasive, and well-equipped,” they write. “These improvements render FakeSpy one of the most powerful information stealers on the market.
We anticipate this malware to continue to evolve with additional new features; the only question now is when we will see the next wave.” New-school security awareness training can teach your employees how to avoid falling for smishing and other social engineering attacks.
Cybereason has the story:
https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world
More Than 15 Billion Credentials Are for Sale in Criminal Markets
Researchers at Digital Shadows warn that there are more than 15 billion leaked login credentials for sale in online criminal marketplaces. This number is up 300% since 2018, and the researchers say the credentials come from more than 100,000 separate data breaches.
Additionally, more than 5 billion of the username/password pairs are unique. The researchers analyzed the pricing of these credentials on underground forums, and found that bank account logins fetch the highest prices for an individual account, with an average cost of just under $71. Antivirus logins came in second, averaging $21.67.
The most expensive logins, however, are the ones that claim to offer access to an organization’s entire network.
“We’ve also seen some criminal advertisements for domain administrator accesses (login details, credentials or sensitive files from an organization or individual’s machine, used to access systems/infrastructure, data, bank accounts, and/or other accounts),” the researchers say.
“This takes the conversation from ‘simple’ account compromise to complete network compromise, and we’ve seen these accesses sold or auctioned for an average of $3,139 and up to $140,000.
The data may not always be valid, but just the concept of a large corporation or government network administrator’s access being sold on criminal marketplaces is, to say the least, unnerving.”
Online services should never store users’ passwords in plaintext, but Digital Shadows found that more than 80% of the passwords being sold by criminals are in plaintext. The researchers conclude that the passwords were either stored in plaintext originally, or they were stored using a weak hashing algorithm which allowed criminals to obtain the plaintext versions.
This conclusion is supported by the fact that of the passwords for sale that were in a hashed format, more than 80% used MD5 or SHA1 hashing algorithms, both of which can be easily cracked.
The researchers also describe a number of tools used by criminals that illustrate how easy it is to automate account takeover methods.
“Just gaining access to accounts that have reused credentials is not always the end goal,” the researchers write. “These accesses can be used as pivot points to access even more sensitive information. Take, for example, the Cre3dov3r tool, which searches for public leaks related to any specified email address; if passwords are identified, the tool checks seven popular websites—including GitHub and Stackoverflow—to see if the credentials are valid or whether CAPTCHA is blocking access.”
Using unique, complex passwords with a password manager is always recommended, since it will minimize the damage if attackers steal the credentials to one of your accounts. Multifactor authentication should also be used wherever possible to make it harder for attackers to log into an account even if they have the credentials.
Digital Shadows has the story:
https://resources.digitalshadows.com/whitepapers-and-reports/from-exposure-to-takeover
Researchers at Digital Shadows warn that there are more than 15 billion leaked login credentials for sale in online criminal marketplaces. This number is up 300% since 2018, and the researchers say the credentials come from more than 100,000 separate data breaches.
Additionally, more than 5 billion of the username/password pairs are unique. The researchers analyzed the pricing of these credentials on underground forums, and found that bank account logins fetch the highest prices for an individual account, with an average cost of just under $71. Antivirus logins came in second, averaging $21.67.
The most expensive logins, however, are the ones that claim to offer access to an organization’s entire network.
“We’ve also seen some criminal advertisements for domain administrator accesses (login details, credentials or sensitive files from an organization or individual’s machine, used to access systems/infrastructure, data, bank accounts, and/or other accounts),” the researchers say.
“This takes the conversation from ‘simple’ account compromise to complete network compromise, and we’ve seen these accesses sold or auctioned for an average of $3,139 and up to $140,000.
The data may not always be valid, but just the concept of a large corporation or government network administrator’s access being sold on criminal marketplaces is, to say the least, unnerving.”
Online services should never store users’ passwords in plaintext, but Digital Shadows found that more than 80% of the passwords being sold by criminals are in plaintext. The researchers conclude that the passwords were either stored in plaintext originally, or they were stored using a weak hashing algorithm which allowed criminals to obtain the plaintext versions.
This conclusion is supported by the fact that of the passwords for sale that were in a hashed format, more than 80% used MD5 or SHA1 hashing algorithms, both of which can be easily cracked.
The researchers also describe a number of tools used by criminals that illustrate how easy it is to automate account takeover methods.
“Just gaining access to accounts that have reused credentials is not always the end goal,” the researchers write. “These accesses can be used as pivot points to access even more sensitive information. Take, for example, the Cre3dov3r tool, which searches for public leaks related to any specified email address; if passwords are identified, the tool checks seven popular websites—including GitHub and Stackoverflow—to see if the credentials are valid or whether CAPTCHA is blocking access.”
Using unique, complex passwords with a password manager is always recommended, since it will minimize the damage if attackers steal the credentials to one of your accounts. Multifactor authentication should also be used wherever possible to make it harder for attackers to log into an account even if they have the credentials.
Digital Shadows has the story:
https://resources.digitalshadows.com/whitepapers-and-reports/from-exposure-to-takeover
What KnowBe4 Customers Say
"I’ve used KnowBe4 for years at three different organizations with roles ranging from IT Director/Manager, ISO, ITO, Network Admin, etc. I’m a big supporter. I haven't looked at other systems because I haven't seen a need. KnowBe4 is very well designed and works great. Keep up the good work!"
- H.B.
"Stu, Thanks for reaching out. I must say that I'm quite impressed with your product. Your sales people, trainers and success managers have all been very helpful and I must complement you on Stephanie Rubin, Melissa Kronen, and Jackson Hollingsworth. You personally reaching out is another nice touch in today's day and age."
- D.J. System Administrator
"Thanks for reaching out Stu! So far the training and phishing test has been great and it has been a real eye opener for some employees in our company. We had a real attack a few days before we got started and it was a perfect introduction to KnowBe4. Thanks again!"
- D.A., Lead IT Technical Support Specialist
"I’ve used KnowBe4 for years at three different organizations with roles ranging from IT Director/Manager, ISO, ITO, Network Admin, etc. I’m a big supporter. I haven't looked at other systems because I haven't seen a need. KnowBe4 is very well designed and works great. Keep up the good work!"
- H.B.
"Stu, Thanks for reaching out. I must say that I'm quite impressed with your product. Your sales people, trainers and success managers have all been very helpful and I must complement you on Stephanie Rubin, Melissa Kronen, and Jackson Hollingsworth. You personally reaching out is another nice touch in today's day and age."
- D.J. System Administrator
"Thanks for reaching out Stu! So far the training and phishing test has been great and it has been a real eye opener for some employees in our company. We had a real attack a few days before we got started and it was a perfect introduction to KnowBe4. Thanks again!"
- D.A., Lead IT Technical Support Specialist
The 10 Interesting News Items This Week
- US Secret Service creates new Cyber Fraud Task Force:
https://www.bleepingcomputer.com/news/security/us-secret-service-creates-new-cyber-fraud-task-force/ - Try2Cry ransomware tries to worm its way to other Windows systems:
https://www.bleepingcomputer.com/news/security/try2cry-ransomware-tries-to-worm-its-way-to-other-windows-systems/ - Right-Wing Media Outlets Duped by a Middle East Propaganda Campaign:
https://www.thedailybeast.com/right-wing-media-outlets-duped-by-a-middle-east-propaganda-campaign - North Korean hackers linked to credit card stealing attacks on US stores:
https://www.bleepingcomputer.com/news/security/north-korean-hackers-linked-to-credit-card-stealing-attacks-on-us-stores/ - Microsoft takes legal action against COVID-19-related cybercrime:
https://blogs.microsoft.com/on-the-issues/2020/07/07/digital-crimes-unit-covid-19-cybercrime/ - DOJ indict Fxmsp hacker for selling access to hacked orgs, AV firms:
https://www.bleepingcomputer.com/news/security/doj-indict-fxmsp-hacker-for-selling-access-to-hacked-orgs-av-firms/ - Researchers connect Evilnum hacking group to cyberattacks against Fintech firms:
https://www.zdnet.com/article/researchers-connect-evilnum-hacking-group-to-cyberattacks-against-fintech-firms/ - Anatomy of a Long-Con Phish. Good example of LinkedIn phish and why investigating profiles is necessary:
https://www.darkreading.com/cloud/anatomy-of-a-long-con-phish/d/d-id/1338268 - As Offices Reopen, Hardware from Home Threatens Security:
https://www.darkreading.com/edge/theedge/as-offices-reopen-hardware-from-home-threatens-security/b/d-id/1338330 - [TOMORROW] Hackers Exposed: Kevin Mitnick Shares His Tradecraft and Tools to Help You Hack Proof Your Network:
https://event.on24.com/wcc/r/2469831/8CE34235D63ECB2355E0D55A998F15F6?partnerref=CHN2
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
- Your 6-minute Virtual Vacation in Colorado. Aspen, Ice Lakes, Blue Lakes Trail, & More in 4K:
https://www.youtube.com/watch?v=3z6hP1_uSVk - Virtual vaca to the past! Views of Tokyo, Japan, 1913-1915 Reprocessed footage:
https://youtu.be/MQAmZ_kR8S8 - Virtual Vaca #3 The Dutch City With No Roads, No Cars, Just... Boats:
https://www.youtube.com/watch?v=R3t1cg2ZOxc - Even more Virtual Vaca!: Idaho By Drone. Beyond Boise, Castle Rocks, Grand Tetons & More 4K Travel Footage:
https://www.youtube.com/watch?v=mPHSlujbatc - Amazing barefoot skiing behind an airplane at the World Barefoot Center...OUCH:
https://www.flixxy.com/barefoot-skiing-behind-airplane-in-4k.htm?utm_source=4 - 68mph Leg Wing (that's a bunch of micro-jets) Flying In Bermuda. I want one!
https://www.youtube.com/watch?v=y3o_vbAW0lE - Impossible Card Trick at Penn & Teller Fool Us:
https://www.youtube.com/watch?v=d4X63CjFLf4 - A Norwegian Government helicopter induces a Rock Fall beside a Fjord. Interesting how they do that:
https://www.youtube.com/watch?v=afI58PRmTJ0 - "We May Finally Know Why Earth’s Magnetic North Keeps Moving" Your geekly update!:
https://youtu.be/g1qWeMH6xIw - Classic Training Glider Flight - This looks like so much fun:
https://www.youtube.com/watch?v=h5vtPkB1h3s - Paraglider Hasan Kaval took to the skies over the Turkish Rivera on a couch with a drink, snack and TV:
https://www.flixxy.com/couch-potato-in-the-sky.htm?utm_source=4 - Hilarious: "Home Stallone" DeepFake:
https://www.youtube.com/watch?v=2svOtXaD3gg - How To Dispose of a Skyscraper:
https://youtu.be/b-H7E-KQgHQ - For Da Kids #1 - A white cockatoo takes itself for a dog and walks in an alley barking on passers-by. Beware, he stands guard!:
https://www.flixxy.com/cockatoo-thinks-he-is-a-dog.htm?utm_source=4 - For Da Kids #2 - Cat gives dog a relaxing massage:
https://www.flixxy.com/cat-massaging-dog.htm?utm_source=4 - For Da Kids #3 - Ratatouille - A rat named Remy dreams of becoming a great French chef:
https://www.flixxy.com/culinary-chef.htm?utm_source=4
