CyberheistNews Vol 10 #30 [Heads Up] What Is Consent-Phishing? Microsoft Warns About New App-Based Attack Angle


Microsoft has issued an advisory warning about “consent phishing,” or application-based phishing attacks that rely on users granting permissions to malicious apps. These attacks aren’t as well-known or as obvious as credential-harvesting or email-based phishing attacks, but they can be just as dangerous.

In a consent phishing attack, the user is shown a consent screen served by the identity provider itself, listing every permission the app is requesting. The prompt is genuine; what is malicious is the app behind it. Many users accept uncritically because the page comes from a domain they trust and because no password is typed, so nothing looks like credential theft. Note what this means for defenses: the user has already signed in legitimately, MFA included, so the attacker never needs the password and MFA does not block the grant; the identity provider simply issues the app an OAuth token.

“If the user accepts, the attacker can gain access to their mail, forwarding rules, files, contacts, notes, profile, and other sensitive data and resources,” Microsoft explains.

Microsoft describes the steps in such an attack:
  • “An attacker registers an app with an OAuth 2.0 provider, such as Azure Active Directory.
  • “The app is configured in a way that makes it seem trustworthy, like using the name of a popular product used in the same ecosystem.
  • “The attacker gets a link in front of users, which may be done through conventional email-based phishing, by compromising a non-malicious website, or other techniques.
  • “The user clicks the link and is shown an authentic consent prompt asking them to grant the malicious app permissions to data.
  • “If a user clicks accept, they will grant the app permissions to access sensitive data.
  • “The app gets an authorization code which it redeems for an access token, and potentially a refresh token.
  • “The access token is used to make API calls on behalf of the user.”
Microsoft says users should pay attention to which app is actually requesting permissions. “Keep a watchful eye on app names and domain URLs,” the company says. “Attackers like to spoof app names that make it appear to come from legitimate applications or companies but drive you to consent to a malicious app. Make sure you recognize the app name and domain URL before consenting to an application.” User vigilance should be the last line of defense, not the first: Azure AD lets administrators restrict which apps users may consent to on their own and audit the consent grants that already exist, which stops this attack before the prompt is ever shown.
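The steps above come together in a single URL the victim clicks, and the one place a defender can inspect the request before the consent screen appears is that link. The following Python is an added example written for this issue, not code from Microsoft's advisory or from KnowBe4: it parses an Azure AD authorize link, pulls out the client_id, the requested scopes and the redirect_uri, and flags the combination that matters in consent phishing (an app not on your allowlist asking for mail, mailbox-settings, file, contact or note scopes together with offline_access, which is what yields the refresh token in the last step above). The client_ids, the .example hostnames and the allowlists are made-up values; the scope names are real Microsoft Graph delegated permissions.

```python
"""Triage an OAuth 2.0 authorize link before a user reaches the consent screen."""
from urllib.parse import parse_qs, urlparse

# Microsoft identity platform authorize endpoints (v1 and v2 paths both end in /authorize).
AUTHORIZE_HOSTS = {"login.microsoftonline.com"}

# Delegated Microsoft Graph scopes covering the data Microsoft's advisory lists
# (mail, forwarding rules, files, contacts, notes).
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "MailboxSettings.Read", "MailboxSettings.ReadWrite",  # inbox/forwarding rules
    "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.Read", "Contacts.ReadWrite",
    "Notes.Read", "Notes.Read.All",
}
# offline_access yields a refresh token, so access outlives the user's session.
PERSISTENCE_SCOPE = "offline_access"

# Constructed sample links: the client_ids and hostnames are made up for this example.
SAMPLE_PHISH_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Foffice365-mail-reader.example%2Fcallback"
    "&scope=openid%20offline_access%20User.Read%20Mail.Read"
    "%20MailboxSettings.ReadWrite%20Files.Read.All&prompt=consent&state=x1"
)
SAMPLE_BENIGN_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.contoso.example%2Fcallback"
    "&scope=openid%20User.Read&state=x2"
)
# Hypothetical allowlists an organisation would maintain for its approved apps.
TRUSTED_CLIENT_IDS = frozenset({"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"})
TRUSTED_REDIRECT_DOMAINS = frozenset({"contoso.example"})


def _short_scope(scope):
    # "https://graph.microsoft.com/Mail.Read" and "Mail.Read" name the same permission.
    return scope.rsplit("/", 1)[-1]


def triage_consent_link(url, trusted_client_ids=TRUSTED_CLIENT_IDS,
                        trusted_redirect_domains=TRUSTED_REDIRECT_DOMAINS):
    """Return the app, scopes and redirect target in the link plus a verdict."""
    parts = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []

    host = (parts.hostname or "").lower()
    if host not in AUTHORIZE_HOSTS or not parts.path.endswith("/authorize"):
        findings.append(f"not a recognised authorize endpoint: {host}{parts.path}")

    client_id = params.get("client_id", "")
    untrusted_app = client_id not in trusted_client_ids
    if untrusted_app:
        findings.append(f"client_id {client_id or '<missing>'} is not an approved app")

    scopes = {_short_scope(s) for s in params.get("scope", "").split()}
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        findings.append("requests high-risk delegated scopes: " + ", ".join(risky))
    wants_refresh_token = PERSISTENCE_SCOPE in scopes
    if wants_refresh_token:
        findings.append("requests offline_access (refresh token, persistent access)")

    redirect_host = (urlparse(params.get("redirect_uri", "")).hostname or "").lower()
    if not any(redirect_host == d or redirect_host.endswith("." + d)
               for d in trusted_redirect_domains):
        findings.append(f"redirect_uri host {redirect_host or '<missing>'} is not an approved domain")

    if params.get("prompt") == "consent":
        findings.append("prompt=consent forces the consent screen even for already-consented users")

    # Unknown app + data scopes or a refresh token is the consent-phishing signature.
    if untrusted_app and (risky or wants_refresh_token):
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"client_id": client_id, "scopes": sorted(scopes),
            "redirect_host": redirect_host, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for link in (SAMPLE_PHISH_LINK, SAMPLE_BENIGN_LINK):
        result = triage_consent_link(link)
        print(result["verdict"].upper(), result["client_id"])
        for finding in result["findings"]:
            print("  -", finding)
```

The verdict is deliberately coarse (block/review/allow) so that a trusted first-party app asking for mail scopes still lands in a reviewer's queue rather than being blocked outright. The check does not resolve the display name behind the client_id, which is what Microsoft tells users to look at; that requires a directory lookup and is left out here.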

New-school security awareness training helps your employees stay up to date on new attack vectors like this one. Microsoft has the story:

Do Users Put Your Organization at Risk With Browser-Saved Passwords? Find Out Now!

Cybercriminals are always looking for easy ways to hack into your network and steal your users’ credentials.

Verizon’s new 2020 Data Breach Investigations Report shows that attackers are increasingly successful using a combination of phishing and malware to steal user credentials. In fact, password dumpers take the top malware spot, making it easy for the bad guys to find and “dump” any passwords your users save in web browsers.

Find out now if browser-saved passwords are putting your organization at risk!

KnowBe4’s Browser Password Inspector (BPI) is a new and complimentary IT security tool that allows you to analyze your organization’s risk associated with weak, reused, and old passwords your users save in Chrome, Firefox, and Edge web browsers.

BPI checks the passwords found in the browser against active user accounts in your Active Directory. It also uses publicly available password databases to identify weak password threats and reports on affected accounts so you can take action immediately!

With Browser Password Inspector you can:
  • Search and identify any of your users that have browser-saved passwords across multiple machines and whether the same passwords are being used
  • Quickly isolate password security vulnerabilities in the browser and easily identify weak or high-risk passwords being used to access your organization’s key business systems
  • Better manage and strengthen your organization's password hygiene policies and security awareness training efforts
Get your results in a few minutes! They might make you feel like the first drop on a roller coaster!

Twitter Employees Fall for Social Engineering Attack and the Bad Guys Get "God Mode"

A number of high-profile Twitter accounts were hacked, including those of Elon Musk, Bill Gates, Kanye West, Joe Biden and Barack Obama. This is clearly the worst hacking incident in Twitter’s history. It began on July 15, 2020, when compromised accounts began posting a bitcoin scam.

In a series of tweets posted under its support channel, Twitter said that its internal systems were compromised, confirming theories that the attack could not have been conducted without access to the company’s own tools and employee privileges. In the industry this kind of unrestricted internal-tool access is called “God Mode,” and Facebook has also had trouble with it in the past.

Employees Fell for Social Engineering Attack

“We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools,” the first tweet in a multi-tweet explainer thread reads. “We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf.”

Twitter has since found that more than one person was involved in the hacks, not just a single individual, and that several employees, not just one, were compromised.

Full story with updates at the KnowBe4 Blog:

[NEW PhishER Feature] Remove, Inoculate, and Protect Against Email Threats Faster with PhishRIP

Your users are probably already reporting potentially dangerous emails in some fashion within your organization. The growing volume of that reported mail can become a problem of its own!

PhishRIP as part of the PhishER platform is a new email quarantine feature that integrates with Microsoft Office 365 to help you remove, inoculate, and protect your organization against email threats so you can shut down active phishing attacks fast.

Since user-reported messages require some level of analysis to prioritize, you need a simple and effective way to not only respond to and mitigate these reported messages, but also find and remove those suspicious messages still sitting in your users’ mailboxes.

Now you can with PhishER, which lets your Incident Response team identify and respond to email threats faster and saves them a great deal of time.

See how you can best manage your user-reported messages.

Join us TOMORROW, Wednesday, July 22 @ 2:00 PM (ET) for a 30-minute demonstration of the PhishER platform. With PhishER you can:
  • NEW! Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft Office 365
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Augment your analysis and prioritization of user-reported messages with PhishML, PhishER’s machine-learning module
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: TOMORROW, Wednesday, July 22 @ 2:00 PM (ET)

Save My Spot!

Like Twitter, MFA Will Not Save You!

By Roger Grimes, KnowBe4's Data-Driven Defense Evangelist

"I’m sure we are all interested in the latest Twitter hack. As the author of the soon-to-be-released Wiley book called Hacking Multifactor Authentication, I have to laugh at the “experts” recommending that Twitter and people use Multi-Factor Authentication (MFA) to prevent this type of social engineering and phishing attack.

It's likely that everyone else involved already was. MFA will not save you!

In my book, I cover over 50 ways to hack different types of MFA solutions. I can hack any MFA solution at least 5 different ways…many times in ways that the MFA vendor or victim cannot stop. MFA can stop many types of hacking, especially the general, broadcasted, phishing attacks for logon credentials sent to millions of potential victims all at once. But MFA is far less successful at stopping targeted attacks and it oftentimes cannot stop many forms of general, broadcast attacks.

How Do I Know?

Well, history and science. The world is full of vendors who implemented MFA as a way to decrease hacking attacks, and while it did temporarily decrease them, ultimately, in every case the hackers just learned how to attack and circumvent the MFA protection.

It even happened in the latest Twitter hack. Likely, all the employees’ accounts involved were already using MFA. It would be a dereliction of duty if they were not. And Twitter is a good company with good security processes. Likely all the VIPs’ accounts involved were also using MFA. VIPs’ accounts are constantly under attack and have been for years. They likely moved to MFA-protected log-ons as soon as Twitter offered it.

And it did not stop Twitter or those celebrities from being hacked.

Welcome to the real world. If you didn’t already know this, all MFA can be hacked. Anyone telling you any different is lying to you to sell you something or naïve. Yes, MFA can significantly reduce some forms of hacking, and for that alone you should use MFA to protect your most critical accounts and information when and where possible.

But there is a difference between saying that MFA makes some hacking scenarios harder to accomplish and that MFA is unhackable or makes your account unhackable."

Does Your Domain Have an Evil Twin? Find Out for a Chance to Win Two Pairs of Beats Headphones!

Since look-alike domains are a dangerous vector for phishing and other social engineering attacks, monitoring for potentially harmful domains that can spoof yours should be a top priority.

Our Domain Doppelgänger tool makes it easy for you to identify your potential “evil domain twins” and combines the search, discovery, reporting, and risk indicators, so you can take action now. Better yet, with these results, you can now generate a real-world online assessment test to see what your users are able to recognize as “safe” domains for your organization.

Plus, if you're in the US or Canada, you’ll be entered for a chance to win two pairs of Beats Studio3 Wireless Headphones*!

With Domain Doppelgänger, you can:
  • Search for existing and potential look-alike domains
  • Get a summary report that identifies the highest to lowest risk attack potentials
  • Generate a real-world “domain safety” quiz based on the results for your end users
Domain Doppelgänger helps you find the threat before it is used against you.
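For readers who want to see what “existing and potential look-alike domains” means in practice, here is an added example in Python; it is not code from the Domain Doppelgänger tool or from KnowBe4. It generates the classic typosquat families for a domain (omission, transposition, repetition, hyphenation, ASCII confusables such as rn for m and 0 for o, Cyrillic homoglyphs that the DNS sees as punycode, TLD swaps and “example-com.xyz” fusions), dedupes them, and ranks them by how hard each is to spot. The input domain example.com, the TLD list and the risk weights are assumptions for the demo; the weights are a starting point for triage, not a measured score.

```python
"""Enumerate and rank look-alike ("doppelgänger") candidates for a domain."""
from typing import Dict, Iterator, List, Tuple

# ASCII confusables as they read in an address bar or a From: header.
ASCII_CONFUSABLES = {
    "o": ("0",), "l": ("1", "i"), "i": ("l", "1"), "e": ("3",), "a": ("4",),
    "s": ("5",), "g": ("q", "9"), "m": ("rn", "nn"), "w": ("vv",),
    "rn": ("m",), "vv": ("w",),
}
# Cyrillic letters that render identically to their Latin twins; the registry sees punycode.
CYRILLIC_CONFUSABLES = {"a": "\u0430", "c": "\u0441", "e": "\u0435", "o": "\u043e", "p": "\u0440"}
COMMON_TLDS = ("com", "net", "org", "co", "info", "biz", "io", "xyz")  # assumed list
# Rough risk weights (assumed): the harder a variant is to spot, the higher it ranks.
RISK = {
    "unicode-homoglyph": 95, "ascii-homoglyph": 90, "tld-fusion": 80,
    "omission": 70, "transposition": 70, "repetition": 60,
    "hyphenation": 55, "tld-swap": 50,
}


def _label_variants(label: str) -> Iterator[Tuple[str, str]]:
    """Yield (technique, candidate_label) pairs for one registrable label."""
    n = len(label)
    for i in range(n):                       # drop one character
        yield "omission", label[:i] + label[i + 1:]
    for i in range(n - 1):                   # swap two neighbours
        if label[i] != label[i + 1]:
            yield "transposition", label[:i] + label[i + 1] + label[i] + label[i + 2:]
    for i in range(n):                       # double one character
        yield "repetition", label[:i] + label[i] + label[i:]
    for i in range(1, n):                    # break the word with a hyphen
        yield "hyphenation", label[:i] + "-" + label[i:]
    for src, alts in ASCII_CONFUSABLES.items():  # every occurrence of a confusable
        pos = label.find(src)
        while pos != -1:
            for alt in alts:
                yield "ascii-homoglyph", label[:pos] + alt + label[pos + len(src):]
            pos = label.find(src, pos + 1)
    for i, ch in enumerate(label):           # one Latin letter swapped for its Cyrillic twin
        if ch in CYRILLIC_CONFUSABLES:
            yield "unicode-homoglyph", label[:i] + CYRILLIC_CONFUSABLES[ch] + label[i + 1:]


def lookalikes(domain: str, tlds: Tuple[str, ...] = COMMON_TLDS) -> Dict[str, Tuple[str, int]]:
    """Map each candidate (in DNS/punycode form) to (technique, risk score)."""
    domain = domain.lower().strip(".")
    label, _, tld = domain.partition(".")
    found: Dict[str, Tuple[str, int]] = {}

    def record(technique: str, cand_label: str, cand_tld: str) -> None:
        try:
            # Non-ASCII labels become xn-- names, which is how they appear in DNS and WHOIS.
            ascii_label = cand_label.encode("idna").decode("ascii")
        except UnicodeError:
            return
        name = f"{ascii_label}.{cand_tld}"
        score = RISK[technique]
        if name != domain and (name not in found or found[name][1] < score):
            found[name] = (technique, score)  # keep the highest-risk explanation

    for technique, cand in _label_variants(label):
        if cand:
            record(technique, cand, tld)
    for t in tlds:
        if t != tld:
            record("tld-swap", label, t)               # example.net
        record("tld-fusion", f"{label}-{tld}", t)      # example-com.xyz
    return found


def ranked(domain: str) -> List[Tuple[str, str, int]]:
    """Candidates as (name, technique, score), highest risk first."""
    return sorted(((n, t, s) for n, (t, s) in lookalikes(domain).items()),
                  key=lambda row: (-row[2], row[0]))


if __name__ == "__main__":
    for name, technique, score in ranked("example.com")[:15]:
        print(f"{score:3d}  {technique:18s} {name}")
```

The output is the “potential” half of the search. To find the “existing” half, feed the ranked names to your DNS or WHOIS tooling and alert on any that resolve or carry a recent registration date, looking at the Unicode and ASCII homoglyph rows first.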

Find Your Look-Alike Domains!

*Terms & Conditions Apply

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Meet all the KnowBe4 evangelists! Want any of these stellar security speakers to present at your event? You can request that on this page:

Quotes of the Week
"Success is not final, failure is not fatal: it is the courage to continue that counts."
– Winston Churchill, U.K. Statesman (1874 - 1965)

"Nothing in this world can take the place of persistence. Talent will not; nothing is more common than unsuccessful men with talent. Genius will not; unrewarded genius is almost a proverb. Education will not; the world is full of educated derelicts.
Persistence and determination alone are omnipotent."

- Calvin Coolidge, 30th President of the United States

"If you're going through hell, keep going."
- Winston Churchill - U.K. Statesman (1874 - 1965)

Thanks for reading CyberheistNews

Security News
Ragnar Locker Ransomware Attacks Energy Company, Potentially Stealing 10TB in Data

In a letter to customers, the CEO of EDP Renewables North America acknowledged that the attack occurred back in April of this year, but claimed there is “no evidence” of data theft.

The ransomware “note” demanded approximately $10 million in Bitcoin. It also warned that over 10TB of information had been exfiltrated from the encrypted systems and offered to decrypt some of the impacted files for free as a demonstration of that claim. EDP declined to pay the ransom, and the data has yet to be published.

This attack demonstrates a few things. First, it shows how far a single ransomware intrusion can spread: the attack started in April in the network of EDP Renewables’ parent company, Energias de Portugal, and the American subsidiary learned about it in early May.

Second, it shows how integrated the idea of stealing data as part of a ransomware attack (whether actual or simply claimed) is becoming the norm. I’ve talked about the Maze “cartel” before – there are plenty of ransomware gangs that partake in the “steal-and-publish” ransomware method.

But in EDP’s case it appears, thus far, that the theft claim is merely a statement meant to improve the chances of payment. There is no detail on how many systems were impacted, but if the 10TB figure is anywhere close, at least that much data was within the attackers’ reach and encrypted, which implies that a number of critical systems were affected.

It’s Worse Than You Thought: Remote Employees Interaction With Unsafe Websites Is up 50%

New data shows just how frequently remote users are accessing risky web content that would normally be blocked by firewalls and other network monitoring solutions.

You still have a material portion of your workforce working remotely (or you wouldn’t be reading this article). And it’s probably a safe guess that you set them up to work from home rather quickly, without ever getting around to securing their home working environment as strongly as it would be if they worked at the office, right?

You’re not alone – but that doesn’t really make it any better; if your remote employees are unprotected, your organization and its data are at risk. So, just how much should you be concerned about remote cybersecurity now that your workforce seems to be productive?

New data from perimeter security vendor NetMotion shows just how exposed remote employees are to potentially malicious web content. According to the report, remote employees:
  • Encounter 8 potentially malicious URLs daily
  • Visit 1 malware site daily and 1 phishing domain every 3 days
  • Visit risky sites, 26% of which are related to botnets
In addition, the volume of attempted clicks on potentially malicious URLs increased 50% from January of this year to the middle of the pandemic (mid-May to mid-June).

According to NetMotion, the lack of preventative and protective security in place is likely to blame. With 65% of organizations allowing employees to access managed applications from personal devices, this is a volatile combination.

Organizations need both a layered security strategy in place, and user enrollment in continual security awareness training. When it comes right down to it, users are choosing to click these risky URLs. Proper education on social engineering attacks, phishing tactics, and more that commonly are used to trick users can make the difference between a user unknowingly falling for a scam and one that easily spots the questionable, suspicious, or malicious web content.

Who's Behind Last Week's Epic 130 Twitter Celebrity Account Hack?

Brian Krebs Said: "Twitter was thrown into chaos on Wednesday after accounts for some of the world's most recognizable public figures, executives and celebrities started tweeting out links to bitcoin scams. Twitter says the attack happened because someone tricked or coerced an employee into providing access to internal Twitter administrative tools.

This post is an attempt to lay out some of the timeline of this attack, and point to clues about who may have been behind it:

What KnowBe4 Customers Say

"Thank you Stu for reaching out. Everything is going well and I am using all services available. The team at KnowBe4 from account management, Alek, to customer service, Jason, and to Project Management, John, and now the CEO have been amazing and very attentive. Thank you for that!"
- G.I., Director Information Security And Compliance

"We are doing pretty well so far, still learning the product a bit. Kyle has done a good job answering our questions and guiding us through things. We have been concentrating on the phishing campaigns for the most part, but I hope to implement other security awareness training soon."
- S.R., IT Operations Manager

"Stu, just had another great meeting / training with Alison. Awesome person! Also wanted to express how great it is to use your platform. It's so much easier than others I have used. I especially like the smart groups. Alison showed me how to make smart groups that automatically enroll / progress users in and out of separate groups tied to their number of failures. Very awesome feature!"
- T.P., Cyber Security Architect

The 10 Interesting News Items This Week
    1. Backdoors Identified in Tens of C-Data Fiber Broadband Devices:
    2. Trump Confirms U.S. Launched Cyberattack on Russian Troll Farm in 2018:
    3. Workplace COVID-19 lawsuits increasing 'exponentially,' Fisher Phillips says:
    4. Energy Department watchdog finds research labs fail to secure devices like USBs:
    5. Onion Browsers Can Make You Cry:
    6. Russian hackers are targeting coronavirus scientists with phishing and malware attacks:
    7. IRS updates annual Dirty Dozen tax schemes for 2020:
    8. Hacker releases database of 270 million alleged Wattpad records:
    9. Deepfake used to attack activist couple shows new disinformation frontier:
    10. The Cybersecurity 202: Twitter breach is another warning shot for election security:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.
