CyberheistNews Vol 10 #35 [Heads Up] Watch Out for OAuth Phishing Attacks and How You Can Stay Safe

Roger Grimes wrote: "A steadily growing phishing trend involves phishing emails which attempt to modify your OAuth permissions. Simply clicking on one Allow button or hitting ENTER by mistake can significantly and semi-permanently allow a whole lot of maliciousness.

This article will discuss phishing emails that attempt to exploit OAuth, explain what OAuth is, and then discuss what you need to do to reduce the risk of malicious compromise.

I got this phishing email a few weeks ago (screenshot at blog). After a bunch of subsequent clicks and redirects, eventually I was led to a Microsoft O365 login (screenshot at blog).

It’s a real O365 login. It is logging me into my O365 account. Note that the URL has oauth2 in it. It is linking to and using OAuth, which I will cover in more detail in the next section below. This is a real, legitimate login and anything I type in there will NOT be stolen by the phisher. But what happens next after I successfully authenticate is what the hacker is really after.

After I successfully log in, the website/service hosting the phisher’s maliciousness will communicate with my OAuth provider and request more permissions (example shown below), which I will be prompted to approve.

An unwary user might click on Accept or hit ENTER, which would grant the malicious website/service those requested permissions.

The default “allow” is unfortunate. Since the days of Microsoft Vista, Microsoft has strived to make any default security choice the user faces to always default to the safest alternative of the proposed choices. They fail here. Perhaps it’s an issue with OAuth itself; but regardless, any user being tricked into accepting the permission request would be giving the phisher access to every document he or she has access to (stored by the current service and any other services sharing the same OAuth account).

This is true not only for their own documents, but for documents of others that they have been given access to. Full Access means the phishers can read, copy, delete, and maliciously modify the documents at will. They can read the victim’s contacts and send malicious documents pretending to be from the victim and their org, all because the victim gave them permission to read his or her contacts and change his or her mailbox settings. Well, all the victim did was click the default suggested button or hit ENTER. OAuth automation did the rest.

Note: Microsoft published a warning about OAuth phishing a few weeks ago. It is important that admins and everyone they help be aware of the dangers of malicious OAuth misuse." CONTINUED:
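One way a mail-triage team could screen a reported link of the kind described above, as an added example that is not part of the newsletter or of KnowBe4's tooling: it parses an OAuth 2.0 authorize URL (the article's tell is "oauth2" in the path) and flags the Microsoft Graph permissions the article warns about (mail, contacts, mailbox settings, files, persistent access). The scope names are real Graph permissions; the risk weighting, the zero client_id and the example.invalid hosts are constructed assumptions.

```python
"""Triage helper for OAuth 2.0 consent links found in reported phishing mail.
Added example; scope names are real Microsoft Graph permissions, the risk
weights and sample links are this example's own constructed assumptions."""
from urllib.parse import parse_qs, urlparse

# Delegated permissions that give an app lasting access to mail, contacts and
# files, i.e. what the consent prompt in the article hands over.
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite": "read, modify and delete the user's mail",
    "Mail.Send": "send mail as the user",
    "Contacts.Read": "read the user's address book",
    "MailboxSettings.ReadWrite": "change mailbox rules and forwarding",
    "Files.ReadWrite.All": "full access to every file the user can reach",
    "offline_access": "refresh token, so access outlives the session",
}
# Sign-in-only scopes that practically every legitimate app requests.
LOW_RISK_SCOPES = {"openid", "profile", "email", "User.Read"}


def parse_consent_link(url):
    """Return the authorization-request parameters, or None if the URL is not
    an OAuth 2.0 authorize endpoint ('oauth2' in the path, ending /authorize)."""
    parts = urlparse(url)
    path = parts.path.lower()
    if "oauth2" not in path or not path.endswith("/authorize"):
        return None
    q = parse_qs(parts.query)  # percent-decodes and splits the query string
    scopes = set()
    for raw in q.get("scope", []):
        for s in raw.split():
            # Graph scopes may carry a resource URI prefix; keep the permission
            scopes.add(s.rsplit("/", 1)[-1] if s.startswith("https://") else s)
    return {
        "idp_host": parts.hostname,
        "client_id": q.get("client_id", [None])[0],
        "redirect_uri": q.get("redirect_uri", [None])[0],
        "prompt": q.get("prompt", [None])[0],
        "scopes": scopes,
    }


def triage(url):
    """Classify a link as 'not_oauth', 'low' or 'high' and list the reasons."""
    info = parse_consent_link(url)
    if info is None:
        return "not_oauth", []
    reasons = []
    for s in sorted(info["scopes"]):
        if s in HIGH_RISK_SCOPES:
            reasons.append(f"{s}: {HIGH_RISK_SCOPES[s]}")
        elif s not in LOW_RISK_SCOPES:
            reasons.append(f"{s}: unrecognised scope, review manually")
    if info["prompt"] == "consent":
        reasons.append("prompt=consent forces the permission dialog to appear")
    if info["redirect_uri"]:
        host = urlparse(info["redirect_uri"]).hostname
        reasons.append(f"authorization code is handed to {host}")
    level = "high" if any(s in HIGH_RISK_SCOPES for s in info["scopes"]) else "low"
    return level, reasons


# Constructed sample links: zero client_id and example.invalid are placeholders.
PHISH_LINK = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
              "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
              "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback&prompt=consent"
              "&scope=openid%20offline_access%20Mail.ReadWrite%20Contacts.Read"
              "%20MailboxSettings.ReadWrite%20https%3A%2F%2Fgraph.microsoft.com%2FFiles.ReadWrite.All")
BENIGN_LINK = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
               "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
               "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb&scope=openid%20profile%20User.Read")
```

Running `triage(PHISH_LINK)` returns "high" with a reason per risky scope, while `triage(BENIGN_LINK)` returns "low" and only reports where the authorization code is delivered.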
[NEW PhishER Feature] Remove, Inoculate, and Protect Against Email Threats Faster With PhishRIP

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase in this email traffic can present a new problem!

PhishRIP as part of the PhishER platform is a new email quarantine feature that integrates with Microsoft Office 365 to help you remove, inoculate, and protect your organization against email threats so you can shut down active phishing attacks fast.

Since user-reported messages require some level of analysis to prioritize, you need a simple and effective way to not only respond to and mitigate these reported messages, but also find and remove those suspicious messages still sitting in your users’ mailboxes.

Now you can with PhishER, which is the key ingredient of an essential security workstream. PhishER allows your Incident Response team to identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us for a 30-minute demonstration of the PhishER platform. With PhishER you can:
  • NEW! Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft Office 365
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Augment your analysis and prioritization of user-reported messages with PhishML, PhishER’s machine-learning module
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: TOMORROW, Wednesday, August 26 @ 2:00 PM (ET)

Save My Spot!
[Heads Up] Sophisticated New Customized Ransomware Strain DarkSide Demands Millions of Dollars

Breaking News: A new ransomware operation named DarkSide began attacking organizations earlier this month with customized attacks that have already earned them million-dollar payouts. But here is the clincher: When performing attacks, DarkSide will create a customized ransomware executable for the specific company they are attacking.

Our friends at Bleepingcomputer said: "Starting around August 10th, 2020, the new ransomware operation began performing targeted attacks against numerous companies. After not finding a 'product' that suited their needs, they decided to launch their own operation.

DarkSide stated: "We are a new product on the market, but that does not mean that we have no experience and we came from nowhere. We received millions of dollars profit by partnering with other well-known cryptolockers. We created DarkSide because we didn't find the perfect product for us. Now we have it."

DarkSide states that they only target companies that can pay the specified ransom as they do not "want to kill your business." The threat actors have also stated that they do not target the following types of organizations.
  • Medicine (hospitals, hospices).
  • Education (schools, universities).
  • Non-profit organizations.
  • Government sector.
It is too soon to tell if they will honor this statement. From victims seen by BleepingComputer, DarkSide's ransom demands range from $200,000 to $2,000,000. These numbers can likely be more or less depending on the victim. At least one of the victims seen by BleepingComputer appears to have paid a million+ dollar ransom.

Read the full post with technical detail at the blog right away:
[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, September 2 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at new features and see how easy it is to train and phish your users:
  • NEW! AI Recommended training suggestions based on your users’ phishing security test results.
  • NEW! Brandable Content feature gives you the option to add branded custom content to select training modules.
  • Train your users with access to the world's largest library of 1000+ pieces of awareness training content.
  • Send fully automated simulated phishing attacks, including thousands of customizable templates with unlimited usage.
  • Assessments allow you to find out where your users are in both security knowledge and security culture to help establish baseline security metrics you can improve over time.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 34,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, September 2 @ 2:00 PM (ET)

Save My Spot!
KnowBe4 Launches New Research Arm With Its First Report on Security Culture

At KnowBe4, we’ve had some exciting news on the horizon for some time now that we’re thrilled to share with you – we’ve created a new research arm called KnowBe4 Research.

When we acquired CLTRe, a research-based organization, last year, we knew that our research capabilities would be greatly enhanced. Given that we also have several former research analysts on staff, developing the KnowBe4 Research brand makes perfect sense as we look to position KnowBe4 for the future.

The mission of KnowBe4 Research is to provide IT and security leaders like you with high quality, vendor neutral data-driven insights related to cybersecurity and the human element.

Both KnowBe4 and CLTRe were founded because the human element of security awareness was underserved. The “Security Culture Survey” is CLTRe’s secret sauce and is the first project to come out of KnowBe4 Research. With this survey, we aim to provide the most comprehensive study of cybersecurity culture-related data. No other organization has taken this unique approach to evaluating security culture using seven different dimensions across multiple industries.

The 2020 “Security Culture Survey” comprises data collected from 120,050 employees in 1,107 organizations across 24 countries. A total of 17 industry sectors were examined in detail. As you read through the results of the report, you’ll find a large gap between the best performers and the poor performers when it comes to security culture.

The best performers were from Banking, Financial Services, and Insurance and the worst performers were from Education, Transportation and Energy & Utilities.

Security culture varies across industries. In the industry comparison report, you’ll note that all industries were compared according to their security culture scores and across each of the seven dimensions (Attitudes, Behaviors, Cognition, Communication, Compliance, Norms and Responsibilities) of security culture.

At the end of the day, the data found that all industries need to improve when it comes to security culture. The data shows that no industry (even the highest scoring industries) should be overly pleased with their scores. One of the main problems that we’ve found in conducting this research is that while organizations believe security culture is important, they struggle to define it.

This report can help organizations like yours get more clarity around security culture by helping to identify gaps and determine how to put your best foot forward. You can download the 2020 “Security Culture Survey” by KnowBe4 Research to help better define and improve security culture within your organization. You should be on the lookout for more research from our new branch in the future.

No registration required for this PDF:
See How You Can Get Audits Done in Half the Time at Half the Cost

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us Wednesday, September 2 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at brand new compliance management features we’ve added to make managing your compliance projects even easier!
  • NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your specific scopes and requirements.
  • NEW! Assign additional users as approving managers to review task evidence before a task is closed with tiered-level approvals.
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: Wednesday, September 2 @ 1:00 PM (ET)

Save My Spot!

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Send this to your C-Suite. WSJ: "The Other Pandemic: Corporate Hacking Attempts":

Quotes of the Week
"Certain things catch your eye, but pursue only those that capture the heart."
- Ancient Indian Proverb

"All, everything that I understand, I understand only because I love."
- Leo Tolstoy, Writer (1828 - 1910)

Thanks for reading CyberheistNews

Security News
The Most Effective Attacks Are Often the Simplest

The recent Twitter hack shows that devastating security breaches don’t always involve sophisticated actors or methods, according to Rachel Tobac, CEO of SocialProof Security. On the CyberWire’s Hacking Humans podcast, Tobac explained that social engineering only requires an attacker to trick an employee into doing something.

“That's like a knee-jerk first reaction, is the word sophisticated is used in almost every press release – a sophisticated actor. I think we saw that in the case of the Twitter announcement as well – a coordinated, sophisticated social engineering attack,” Tobac said. “And while it was coordinated – they did likely coordinate on Discord from what we're seeing – it doesn't necessarily mean it's sophisticated.

Social engineering somebody and calling to gain access to credentials while pretexting or pretending to be IT support, I wouldn't call that sophisticated. The things that I do are interesting, but I wouldn't say they're so hard that the average person couldn't do them.”

Tobac also noted that the hack could have been much worse if the hacker hadn’t simply been a teenager interested in running a Bitcoin scam.

“If I were a real malicious person, I'd probably try and start World War III,” she said. “I would take over accounts for, you know, leaders across the world and have them fight with each other and really escalate that. If I were really malicious, that's probably what I would do.

Now, of course, it's malicious to take over accounts, but it's not that level of maliciousness where they're trying to incite violence or war. It's just, I'm looking to get some money quick. That points to more teenager behavior, and there were a couple other things that showed that it was more in the teenager direction rather than the APT direction.”

Tobac concluded that the incident shows the importance of a defense-in-depth strategy. Training is important, but organizations also need protocols and technical defenses to minimize the chances of a successful attack.

“There are so many things that we need,” Tobac said. “We need to make sure that we have protocols in place - you know, maybe, like, two eyes or four eyes to make sure that two people are able to make that request before it goes through.

Like, for instance, can you imagine if you had to get two Twitter employees to say, sure, we'll change the email on former President Barack Obama's account before actually having it go through?” Tobac added that the Twitter incident shows that organizations will never be in a place where they can relax when it comes to security.

“It's very possible that they were doing all of the suggestions that I recommended, and it still didn't work,” she said. “So I can't really comment to that, but I can say that we know many organizations out there do not take these steps.

They might not have hardware MFA. They might not have social engineering training with up-to-date examples of how exactly it happens, not just over email but also over the phone, which is a big limitation of a lot of trainings now, and also making sure that we have all of the technical tools to backup if a person inevitably makes a mistake, which is, of course, bound to happen.

Twitter might have been doing this. They might not have. But we do know that it's a learning point for every organization, regardless of whether or not they're currently doing it. So just keep it up.”

New-school security awareness training can give your organization an essential layer of defense by teaching your employees about social engineering and instilling in them the importance of following security protocols.

KnowBe4 has three training videos with Rachel Tobac and Kevin Mitnick, showing in live action how this type of pretexting works.

The CyberWire has the story:

Get a free KnowBe4 ModStore account and check out these scary pretexting videos for yourself:
Social Media Doppelgangers, Again

Most people would be surprised by how easy it is to scam people online using duplicate versions of public accounts, according to Jake Moore, a security specialist at ESET. Moore describes an experiment he ran on Instagram by creating a duplicate of his real Instagram account to see how many of his friends would trust the new account.

The fake account had a very similar handle, and Moore screenshotted some pictures from his real Instagram account and uploaded them to the duplicate account. He also used the same bio, but added “NEW ACCOUNT AFTER LOSING ACCESS TO ORIGINAL.” He then sent follow requests to people who followed his real account.

“Within moments I had three private account owners accept my request and two followed me back,” Moore said. “This was a good start. I was expecting someone to contact me via a different communication method and question this request, particularly due to my line of work and the embarrassment that I could have been subjected to, understanding that even I am susceptible to an account compromise!

But no one did. In fact, the numbers increased. Thirteen accounts followed me back on the same day and by the evening I decided to message these people and see what sort of responses I would receive.”

Eight of the thirteen contacts messaged him back, and Moore casually mentioned that in addition to having his Instagram account hacked, the hackers also cleaned out his bank account. At least one of his contacts offered to help him out, and Moore sent her a PayPal address (he revealed the ruse before she sent any money).

“What I found most disconcerting was how quickly it all escalated and I was able to trick the target into thinking it was genuine with no extra checks required,” he said. “I was even able to make her be the one to offer to help me which was a nice little twist.

This is usually a clever technique used by professional social engineers reversing the psychology to avoid the request of the money.”

While it’s good to help out friends, the people in this case were prepared to send money based solely on the word of a new Instagram account. Many people have their Instagram accounts set to “public,” and scammers can easily set up duplicates and send messages to the person’s followers.

“It is vital to try to reduce the amount of personal information and photos of ourselves online where possible,” Moore explains. “Although this is a huge task, it is important to teach the next generation of social media users to try to limit the amount of information that is posted online before it is out in the open forever.

This scam won’t work if accounts are private. Saying that, however, many people whose accounts are private still allow people they do not necessarily know to follow them due to minimal vetting. It is extremely important to think about what you post as well as accepting only followers you don’t mind knowing more about you. Being completely public has the potential of creating dangers such as this.”

Even if the real account of someone you know messages you and requests money, you should still be very suspicious and use a separate mode of communication such as a phone call to verify that they haven’t been hacked. Moore’s experiment shows how easily scammers can exploit people’s charitable impulses. New-school security awareness training can give your employees a healthy sense of skepticism by enabling them to see things from a scammer’s point of view.

ESET has the story:
What KnowBe4 Customers Say

"Hi Stu, I couldn’t be happier with the performance of the product and the superb assistance we’ve received from Craig Hyla who consistently keeps us apprised of new features we might be interested in. Keep up the good work; I seldom have occasion to send any of our vendors messages like this but your product and team certainly earned it."
- S.S., InfoSec Director
The 11 Interesting News Items This Week
    1. Operation InfeKtion: How Russia Perfected the Art of (cyber) War:

    2. How To Defend Your Business In Today’s Cyber Cold War. Yours truly at Forbes:

    3. Survey: Just 4% of Singaporeans were able to identify all phishing email:

    4. U.S. Seizes Fake Website, Cryptocurrency Assets From Terrorist Groups:

    5. Phishing Emails Used to Deploy KONNI Malware:

    6. This New Malware Added An Email Attachment Stealer:

    7. Credential Stuffing Attacks Shut Down Canada's Revenues Service:

    8. AI-enabled future crimes ranked: Deepfakes, spearphishing, and more:

    9. These Illicit "White SIM Cards" Are Making Vishing Hacks Like Twitter’s Easier:

    10. New phishing campaign abuses a trio of enterprise cloud services:

    11. BONUS: Analyzing the Threat of Ransomware Attacks Against US Elections. Scary. (PDF):
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.