CyberheistNews Vol 10 #42 New Office 365 Phishing Attack Checks Your Stolen Credentials in Real-Time

Nothing says the bad guys are intent on stealing credentials like testing them while you participate in their phishing attack so they can verify the validity before letting you off the hook.

There are tons of stories where a fake logon to Office 365 is the punchline. But seldom do we see an attacker go to the length of developing code that passes the compromised credentials over to Office 365 to check them mid-attack.

According to the Threat Research Team at Armorblox, this new attack uses lots of well-known brands to aid in tricking users into giving up their Office 365 credentials. Using Amazon’s Simple Email Service to improve deliverability, the attack uses a payment remittance theme to get potential victims to click.

A spoofed Office 365 logon page is offered up, but it’s one that passes any provided credentials to Azure Active Directory (AAD) behind the scenes, checks them, and then either sends the victim back to the logon page (in the case of a failed logon) or over to a generic Zoom website page if the credentials are valid.

The value of an Office 365 credential is pretty high for attackers; it can be used to commit brand and individual impersonation by taking over the compromised account, CEO fraud, business email compromise, infecting or scamming partner or customer organizations, and more.

Step those users through new-school security awareness training and make them highly suspicious of any emails that require authentication to Office 365 or any other cloud-based platform. Post with links here:
The Pesky Password Problem: Policies That Help You Gain the Upper Hand on the Bad Guys

What really makes a “strong” password? And why are your end-users tortured with them in the first place? How do hackers crack your passwords with ease? And what can/should you do about your authentication methods?

For decades, end-users have borne the brunt of the password tyranny, a result of the IT industry’s inability to engineer secure systems. Password complexity, length, and rotation requirements are the bane of your end-user experience and literally the cause of thousands of data breaches. But it doesn't have to be that way!

Join Roger Grimes, KnowBe4's Data-Driven Defense Evangelist, to find out what your password policy should be and learn about the common mistakes organizations make when creating password policy.

In this webinar you'll learn:
  • Why passwords are so easy to hack and how the bad guys do it
  • How to craft a secure, risk-focused password security policy
  • The truth about password managers and multi-factor authentication and how they impact your risk
  • How to empower your end users to become your best last line of defense
  • And earn CPE credit for attending!
Date/Time: THIS WEEK, Thursday, October 15 @ 2:00 PM (ET)

Save My Spot!
USPS and FedEx Phishing Attack Texts Flood Mobile Phones

Taking a page from traditional phishing scams, which rely on broadly applicable messages sent to everyone, last month's campaigns officially brought SMiShing to the cybersecurity forefront.

The bad guys have figured out that, beyond ransomware, cyberattacks are a long-tailed game. Whether the endgame is fraud, data theft, or espionage, the initial play is almost always stealing credentials, infecting with trojan malware, or gaining access to a network.

Traditionally the target is an endpoint device running Windows or Mac OS. But last month’s widespread SMS-based phishing attack using a fake delivery message only proved that the bad guys can use any device to start an attack.

U.S. residents began receiving multiple delivery notification texts, purportedly from USPS, FedEx, or an unnamed shipper, offering a URL for more information.

Most of these attacks attempted to steal Google account credentials, while some pointed to fake casino games. Back in February, the Federal Trade Commission issued an alert on such scams, but it wasn’t until last month that these types of texts went mainstream.

With more legitimate companies using texts as a means to stay in contact with customers whose email inboxes are overloaded, this kind of attack is only going to see more attention from cyberattackers.

And because it’s just as easy to create a business-related text (“An Office 365 email has been quarantined. CLICK HERE” is all it takes!) to steal credentials, it’s imperative that users be educated to understand why and how these scams are used to trick them, and the repercussions to your organization should the user fall for them.
[NEW PhishER Feature] Remove, Inoculate, and Protect Against Email Threats Faster With PhishRIP

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic can present a new problem!

PhishRIP as part of the PhishER platform is a new email quarantine feature that integrates with Microsoft 365 and G Suite to help you remove, inoculate, and protect your organization against email threats so you can shut down active phishing attacks fast.

Since user-reported messages require some level of analysis to prioritize, you need a simple and effective way to not only respond to and mitigate these reported messages, but also find and remove those suspicious messages still sitting in your users’ mailboxes.

Now you can with PhishER, which is the key ingredient of an essential security workstream. PhishER allows your Incident Response team to identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us Wednesday, October 21 @ 2:00 PM (ET) for a live 30-minute demonstration of the PhishER platform. With PhishER you can:
  • NEW! Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft 365 and G Suite
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Augment your analysis and prioritization of user-reported messages with PhishML, PhishER’s machine-learning module
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: Wednesday, October 21 @ 2:00 PM (ET)

Save My Spot!
Cybercriminals Launch Phishing Campaign to Capitalize on President's Health

As we predicted just a few days ago, malicious actors are now exploiting the media firestorm surrounding President Donald Trump's diagnosis late last week with COVID-19.

Yesterday customers using the Phish Alert Button (PAB) reported a phishing campaign attempting to capitalize on the news of Trump's health situation.

The email is matter-of-fact and to the point, sticking fairly close to themes already established in many mainstream news reports. No ridiculously hyperbolic claims here.

The email offers potential marks an embedded link pointing to a file on Google Docs and suggests that unwitting clickers will be provided a password-protected file of some sort. The file on Google Docs, however, merely provides a redirect to yet another file hosted on download2112 {dot} com, a domain created the very day we spotted this phishing campaign (10/6/2020).

Which Users in Your Organization Put You at Risk? Find Out for a Chance to Win a JBL PartyBox Speaker

October is National Cybersecurity Awareness Month, so it's a perfect time to fortify your human firewall. Start by identifying which users may be putting your organization at risk before the bad guys do.

Verizon's Data Breach Report showed that 81% of hacking-related breaches used either stolen or weak passwords.

KnowBe4’s Password Exposure Test is a complimentary IT security tool that allows you to run an in-depth analysis of your organization’s hidden exposure risk associated with your users so you can take action immediately.

Find out if your users are putting a big target on your organization’s back and if you're in the US or Canada, you will be entered for a chance to win a JBL PartyBox 300 Bluetooth Speaker*.

Find Your Password Exposure Risk:

*Terms and Conditions apply.
Great Budget Ammo in WSJ: "A Millionaire Hacker’s Lessons for Corporate America"

Santiago Lopez, a 21-year-old ethical hacker who shows corporations their cybersecurity fails, expects to keep going for years to come. He said the following:

"The larger problem is that people are not being cautioned about cybersecurity. Are all employees having training in cybersecurity? It doesn’t seem like it. Employees, when they click on links, make a big hole for a hacker to enter.

If you’re not training people well, no matter what technology you have, you’re only creating future problems. Customers aren’t happy when their data is hacked. They will go to a competitor. Make the investment."

Here is the URL, and I'd send this link to your budget holders together with your request to continue awareness training for your users:

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Inoculate your users against the next scam: Bad Guys Prep for Amazon Prime Day Phishing Attacks:

Quotes of the Week
"One way to get the most out of life is to look upon it as an adventure."
- William Feather, Author (1889 - 1981)

"Know how to listen, and you will profit even from those who talk badly."
- Plutarch, Philosopher, Writer (46 - 119)

Thanks for reading CyberheistNews

Security News
An Autopsy of a 15 Million Dollar Cyberheist

A company in the US lost $15 million in a two-month-long business email compromise scam, BleepingComputer reports. Researchers at Mitiga who investigated the attack told BleepingComputer that cybercriminals spent two weeks trying to gain access to email accounts at the targeted company.

Once they succeeded in hacking into an employee’s Office 365 account, they spent another week lurking in the account undetected while gathering information, and eventually identified a transaction they could hijack.

Over the next four weeks, the attackers were able to compromise email accounts belonging to senior executives at the company, and they set up email forwarding rules so they could still receive emails even if they were locked out of the accounts.

They also set up domains spoofing this company and one of its commercial partners so they could intercept both sides of their conversations and modify financial details when the transaction actually took place.

After the money had been stolen, the criminals were able to keep both parties to the commercial transaction in the dark about what had happened until it was too late.

“Banks can lock a transaction when money goes to the wrong account, and the error is flagged in time,” BleepingComputer writes. “The threat actor was well aware of this detail and had prepared for this phase. To conceal the theft until they moved the money to foreign banks and make it lost forever, the attacker used inbox filtering rules to move messages from specific email addresses to a hidden folder.

It was a move that kept the legitimate inbox owner unaware of communication about the money transfer. It lasted for about two weeks, Mitiga says, sufficient for the actor to make the $15 million disappear.”

Mitiga believes this group is going after many other organizations as well, and the researchers identified more than 150 spoofed domains set up by the group.

“Although researchers investigated events at a single victim, they found clues indicating that dozens of businesses in construction, retail, finance, and legal sectors are on their list of targets,” BleepingComputer says.

Notably, the criminals in this case didn’t use any malware. The entire attack relied on social engineering and misuse of legitimate features. New-school security awareness training can help your employees defend themselves against sophisticated social engineering attacks.
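The forwarding rules and hide-the-mail inbox rules described above are exactly what a mailbox audit should surface. The following PowerShell script is an added defensive example (not code from the article, BleepingComputer, or Mitiga) that enumerates Exchange Online mailboxes for mailbox-level forwarding and for inbox rules that forward, redirect, delete, move, or mark messages as read; it assumes the ExchangeOnlineManagement module is installed and the account running it has Exchange Online admin rights.

```powershell
# Added defensive example (not from the article): audit Exchange Online mailboxes
# for forwarding rules and rules that quietly move mail out of the Inbox.
# Assumes the ExchangeOnlineManagement module and an Exchange Online admin account.
Connect-ExchangeOnline -ShowBanner:$false

$findings = @()

foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding configured outside of any inbox rule
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings += [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName
            Rule    = '<mailbox forwarding>'
            Reason  = "forwards to $($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"
        }
    }

    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $reasons = @()
        # Forward/redirect rules let the attacker keep reading mail after losing the account
        if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) {
            $reasons += 'forwards or redirects mail'
        }
        if ($rule.DeleteMessage) { $reasons += 'deletes mail' }
        # Moving mail to a folder is how the victim was kept unaware of the transfer
        if ($rule.MoveToFolder) { $reasons += "moves mail to '$($rule.MoveToFolder)'" }
        if ($rule.MarkAsRead) { $reasons += 'marks mail as read' }

        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = "$($rule.Name) (enabled: $($rule.Enabled))"
                Reason  = ($reasons -join '; ')
            }
        }
    }
}

# Every finding is a rule that deserves a human look, not necessarily a compromise
$findings | Sort-Object Mailbox | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Review each flagged rule with the mailbox owner; legitimate move-to-folder rules are common, but forwarding to an external address or a rule the owner did not create is a strong sign of the account takeover this story describes.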

BleepingComputer has the story:
The Most Dangerous Celebrity of 2020 Is Anna Kendrick...

That is according to researchers at McAfee. The researchers analyzed Internet search results for celebrities and found that Kendrick’s search results (through no fault of her own) were the most likely to return malicious content.

Kendrick was followed by Sean Combs, Blake Lively, Mariah Carey, Justin Timberlake, Taylor Swift, Jimmy Kimmel, Julia Roberts, Kate McKinnon, and Jason Derulo.

Cybercriminals exploit popular names, movies, and TV shows to trick people into installing malware or handing over sensitive information. McAfee notes that this is particularly true now, since most theatrical releases have been delayed and people are seeking entertainment while confined at home. (Kendrick and Timberlake both starred in “Trolls World Tour,” the first major movie to premiere digitally during the COVID-related shutdowns.)

“Many consumers don’t realize that simple internet searches of their favorite celebrities could potentially lead to malicious content, as cybercriminals often leverage these popular searches to entice fans to click on dangerous links,” the researchers write.

“This year’s study emphasizes that consumers are increasingly searching for content, especially as they look for new forms of entertainment to stream amidst a global pandemic.”

The researchers recommend that users stick to well-known streaming services rather than trying to find a movie by searching the Internet. “The safest thing to do is to wait for official releases instead of visiting third-party websites that could contain malware,” they write.

Torrents and sites offering pirated content are particularly risky. Not only is pirating illegal, but it also creates a perfect opportunity for criminals to bundle malware into your download.

“When it comes to dangerous online behavior, using illegal streaming sites could wreak havoc on your device,” the researchers write. “Many illegal streaming sites are riddled with malware or adware disguised as pirated video files. Do yourself a favor and stream the show from a reputable source.”

New-school security awareness training can teach your employees how to stay safe while they use the Internet in their personal and professional lives. (Especially when the personal and the professional overlap as much as they do, nowadays.)

McAfee has the story:
Interesting Mini-Movie on Disinformation From the FBI

Found this over the weekend: the National Center for Missing & Exploited Children has a series of animated videos for elementary and middle/high school about, among other things, “Friend or Fake” and “TMI”... basically kids' versions of our “social media oversharing” modules. I’m impressed.

Here it is:
What KnowBe4 Customers Say

"The campaigns are working really well once we got the support of KellyJ and AlbertB. Prior to their engagement we were struggling to set up the environment as it wouldn't easily integrate with our identity systems. But through their help, we managed to get our integration with Azure in place."
- P.S., Group Chief Security Officer

"Yes, I really like it. Probably the best purchase I have made all year. My success manager Mark has been super great getting me set up, too. Thanks."
- C.A., IT Director
The 10 Interesting News Items This Week
    1. Richard A. Clarke, a former White House counterterrorism: "Will We Have Cyberwar or Cyber Peace in 2030?":

    2. Microsoft says Iranian hackers are exploiting the Zerologon vulnerability:

    3. Cyber Command has sought to disrupt the world’s largest botnet, hoping to reduce its potential impact on the election:

    4. Boards Increase Investment in Cybersecurity in Face of Threats and Regulatory Fines:

    5. WSJ: "A Millionaire Hacker’s Lessons For Corporate America". Read what he said about awareness training:

    6. US seizes Iranian government domains masked as legitimate news outlets:

    7. U.K. Businesses Suffered a Cyberattack Every 45 Sec. During Lockdown!:

    8. Software AG hit with ransomware: Crooks leak staffers' passports, want millions for stolen files:

    9. How Kremlin-backed outlet Russia Today Skirts High-Tech Blockade to Reach U.S. Readers:

    10. Microsoft 365 vs. Office 365: What’s the difference?:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.