CyberheistNews Vol 11 #07 [HEADS UP] New Phishing Attack Uses Morse Code to Avoid Detection By Your Email Scanners

CyberheistNews Vol 11 #07
[HEADS UP] New Phishing Attack Uses Morse Code to Avoid Detection By Your Email Scanners

Yes – you read that right: Cybercriminals have found a way to use 1830’s technology to trick 2020s security solutions into not identifying phishing attachments as malicious.

Like you, when I first read about this I shook my head and through "no way – how would that even work?!?"" But according to a post on reddit, the bad guys realized they could digitally encode their malicious java script in Morse Code, effectively bypassing any email scanners.

The phishing attack starts out like any other, using some basic social engineering around paying an invoice and hosting an attachment made to look like an invoice with the filename '[company_name]_invoice_[number]._xlsx.hTML.'

But upon further inspection of the attachment, it leverages JavaScript, containing a basic decoding function where each letter and number is assigned a Morse code value, and then calls to decode a massive amount of Morse code stored within the file.

The result is when the html attachment is scanned, its contents appear benign to a security solution. But when run, the script converts the Morse code into two additional JavaScript tags that are injected into the page and executed.

The result of all this is a pretty creative rendering of a fake Excel document and an Office 365 logon screen, stating the user’s session had timed out.

Creative? Yes. Unique? No – bad guys can derive even their own simple character replacement encoding (e.g., ‘A’ would be replaced with ‘D’, ‘B’ with ‘E’, etc.) and one can achieve the same result.

The real stopping point here is the bogus email theming and horrible attachment name. Users that get stepped through security awareness training are able to quickly see this for what it is and stop the attack before it goes any further than making it past your filters.

Blog post with example screen shot:
[NEW PhishER Feature] Remove, Inoculate, and Protect Against Email Threats Faster With PhishRIP

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic can present a new problem!

PhishRIP as part of the PhishER platform is a new email quarantine feature that integrates with Microsoft 365 and G Suite to help you remove, inoculate, and protect your organization against email threats so you can shut down active phishing attacks fast.

Since user-reported messages require some level of analysis to prioritize, you need a simple and effective way to not only respond to and mitigate these reported messages, but also find and remove those suspicious messages still sitting in your users’ mailboxes.

Now you can with PhishER, which is the key ingredient of an essential security workstream. PhishER allows your Incident Response team to quickly identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us TOMORROW, Wednesday, February 17 @ 2:00 PM (ET) for a live 30-minute demonstration of the PhishER platform. With PhishER you can:
  • NEW! Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft 365 and G Suite
  • NEW! Use Security Roles to Create a Multi-Tiered Incident Response System in PhishER
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam, or Threat
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: TOMORROW, Wednesday, February 17 @ 2:00 PM (ET)

Save My Spot!
Deep Analysis of More Than 60,000 Breach Reports Over Three Years

Here's a quick excerpt of note: "In 2018, HackNotice discovered 29,562 reported breaches. By December 2019, the total discovered had risen to 44,863 ‒ a 51.7% increase over the year. By December 2020, the total had risen to 67,529 ‒ a 50.5% over the year. In absolute terms, these figures show an increase from 15,301 in 2019 to 22,666 in 2020.

The obvious question is why have the hackers become more successful at a time when we have increased security budgets, and more and supposedly superior security products?

Thomas believes it is because companies concentrate defenses in the wrong areas. “Hackers are winning the cyberwar,” he said, “largely because they don’t target the infrastructure, but they target people. Phishing, credential stuffing, account takeover of personal accounts to get into business accounts…

All the major attack vectors rely on the fact that average employees are not informed as to how exposed they are, and they value security much less than the security team does.”

Here is the link. Excellent budget ammo:
Does Your Domain Have an Evil Twin? Find out for a chance to win two pairs of Bose Headphones!

Since look-alike domains are a dangerous vector for phishing and other social engineering attacks, it’s a top priority that you monitor for potentially harmful domains that can spoof your domain.

Our Domain Doppelgänger tool makes it easy for you to identify your potential “evil domain twins” and combines the search, discovery, reporting, and risk indicators, so you can take action now. Better yet, with these results, you can now generate a real-world online assessment test to see what your users are able to recognize as “safe” domains for your organization.

Plus, if you're in the US or Canada, you’ll be entered for a chance to win two pairs of Bose Quiet Comfort Wireless Headphones*!

With Domain Doppelgänger, you can:
  • Search for existing and potential look-alike domains
  • Get a summary report that identifies the highest to lowest risk attack potentials
  • Generate a real-world “domain safety” quiz based on the results for your end users
Domain Doppelgänger helps you find the threat before it is used against you.

Find out now!

*Terms and conditions apply.
Cannabis Company Loses Millions in BEC Scam

Australian medicinal cannabis company Cann Group has lost $3.6 million in a business email compromise (BEC) attack, Stockhead reports. The company had thought it was paying an unnamed “overseas contractor,” but the payments were actually going to “an unknown third party.” The attack was discovered overnight on February 4th, and the fraudulent payments were related to the construction of the company’s 34,000 sq/m growing facility in Mildura, Victoria.

Cann Group said it’s “working with its bank to determine if any of the payments can be halted and if any of the funds involved are recoverable.” The company added that “[t]he matter has been reported to police in Victoria, Australia, the Netherlands and Hong Kong, as well as the Office of Drug Control.” The company’s stock price fell 6% upon the news.

Blog with links:
Got (Bad) Email? IT Pros Are Loving This Tool: Mailserver Security Assessment

With email still a top attack vector, do you know if hackers can get through your mail filters? Spoofed domains, malicious attachments and executables to name a few...

Email filters have an average 7-10% failure rate where enterprise email security systems missed spam, phishing and malware attachments.

KnowBe4’s Mailserver Security Assessment (MSA) is a complimentary tool that tests your mailserver configuration by sending 40 different types of email message tests that check the effectiveness of your mail filtering rules.

Here's how it works:
  • 100% non-malicious packages sent
  • Select from 40 automated email message types to test against
  • Saves you time! No more manual testing of individual email messages with MSA's automated send, test, and result status
  • Validate that your current filtering rules work as expected
  • Results in an hour or less!
Find out now if your mailserver is configured correctly, many are not!
The Three Best Things You Can Do to Improve Your Computer Security

By Roger Grimes. The three best things you can do to improve your computer security, bar anything, have been the same three things you should have already been doing for the entirety of computers. The top three threats have been in the list of top threats since they made enough computers with shared access to allow unscrupulous people to do malicious things with them.

1) Don’t Get Social Engineered

At the top of the computer threat list is social engineering. Social engineering is done by someone or something pretending to be something it’s not, often posing as a brand or item that you would otherwise trust more than something unknown. It then asks you to reveal confidential information (like a password) or to run a Trojan Horse malware program. It’s a con!

Social engineering is responsible for 70% to 90% of all malicious digital breaches. No other single root cause of a computer exploit comes close. The single best thing you can do to prevent computer maliciousness is to focus on mitigating social engineering. Concentrate on it first and best. To do otherwise, unless you have it well handled, is to be inefficient in your computer security defense.

2) Patch Your Software

Unpatched software is responsible for 20% to 40% of all computer attacks. There have been times when unpatched software, and in particular, a single program, like unpatched Oracle Java or unpatched Microsoft Windows, was responsible for nearly all successful breaches in a particular year.

But since social engineering took over the number one spot (around 2009), unpatched software’s involvement has fallen. But it’s still a strong number two, and anything you can do to better and more consistently patch your most likely to be attacked software should be done as the second most important effort you can undertake.

3) Use Different Passwords Between Sites and Services

Contrary to popular belief, your passwords do not have to be super long and complex. An 8-character password with some complexity likely blocks 95% of all password attacks. The only attack type it does not mitigate is password hash cracking, but in order to do that attack, the hacker already has to have complete control of your computer (or somehow obtained your password hash another way).

If you are worried about password hash cracking, which most hackers in real-attack scenarios do not do, your passwords have to be at least 16-characters long (with or without complexity).


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

What I Am Reading: The fascinating (and scary as heck) "Active Measures: The Secret History of Disinformation and Political Warfare":

Announcing A New KnowBe4 E-Book: "Comprehensive Anti-Phishing Guide":

Quotes of the Week
"Formal education will make you a living; self-education will make you a fortune."
- Jim Rohn, Entrepreneur (1930 - 2009)

"There is nothing on this earth more to be prized than true friendship."
- Thomas Aquinas - Philosopher (1225 - 1274)

Thanks for reading CyberheistNews

Security News
US Gmail Users Are Preferred Phishing Targets

Google has found that most phishing attacks (42%) target Gmail users in the US. Users in the UK were the second most targeted, with 10% of attacks. Japan came in third with 5% of phishing attacks.

The researchers note that most attacks reuse the same English email templates, although attackers often adjust the language based on the targeted nations: “78% of the attacks targeting users in Japan occurred in Japanese, while 66% of attacks targeting Brazilian users occurred in Portuguese.”

The researchers also found that most phishing campaigns are “brief and bursty,” lasting about one to three days and targeting between 100 to 1,000 users with each email template. Attackers launch many of these campaigns, however, so the numbers quickly add up.

“In a single week, these small-scale campaigns accounted for over 100 million phishing and malware emails in aggregate, targeting Gmail users around the globe,” the researchers write.

Google shares the following findings related to the likelihood of certain users receiving phishing emails:
  • “Having your email or other personal details exposed in a third-party data breach increased the odds of being targeted by phishing or malware by 5X.
  • “Where you live also affects risk. In Australia, users faced 2X the odds of attack compared to the United States, despite the United States being the most popular target by volume (not per capita).
  • “With respect to demographics, the odds of experiencing an attack was 1.64X higher for 55- to 64-year-olds, compared to 18- to 24-year-olds.
  • “Mobile-only users experienced lower odds of attack: 0.80X compared to multi-device users. This may stem from socioeconomic factors related to device ownership and attackers targeting wealthier groups.”
Users can defend themselves against phishing attacks if they know how to spot them. New-school security awareness training combined with frequent simulated phishing attacks can help your employees recognize and thwart social engineering attacks.

Google has the story:
Every Employee Is Part of Your Security Posture

Employees are an essential component of an organization’s security defenses, according to Nico Popp, Chief Product Officer at Forcepoint. On the CyberWire’s Hacking Humans podcast, Popp explained that humans generally want to do the right thing and can help prevent cyberattacks that can’t be stopped by technical safeguards.

Popp pointed to the way financial institutions have their customers verify potentially suspicious transactions as an example of this.

“I always use the example of credit card companies,” he said. “They have been brilliant. You know, they have huge fraud issues. And what have they done? They basically involve us in the process of solving, right? They don't always block your credit card.

They may block you, but they may ask you, you know what? We've seen that transaction. It looks suspicious to us. Is that really you trying to complete this thing? And it's working, right? Can you imagine, they are using all these consumers to solve the fraud problem? And, of course, we care. So we participate.”

Popp concluded that organizations need to shift the way they think about how employees fit into their security posture.

“So, taking that concept of putting the human in the middle and saying, look, you’re part of the solution,” Popp said. “We're going to engage you. It’s not just about monitoring you, spying on you. Quite the opposite. We’re trying to make you better.

But also, we want you to be part of our cybersecurity team, you know, because we want to be able to leverage the fact that we have this smart and caring human being, common folks behind the keyboard that also care about the company assets and can help there.

Something that cyber has never done, really, that whole idea of putting humans in the middle of cyber. It’s all this different dimension, these different approaches.”

The CyberWire has the story:
What KnowBe4 Customers Say

"Yes we were a KnowBe4 customer, for a year I believe. We had a gentleman running the project training our userbase. I will be the first to say that the product KnowBe4 offered was excellent! This might be a bit overboard, but I feel like it put the fear of “God” into most if not all of our users.

The training was very well done. It was not overly difficult and it was not tedious or boring either. It kept our user base engaged during the training scenario’s. I think it had a profound impact on our infrastructure security as we all know humans are the weakest link when it comes to network security.

However at the end of that year we began implementing an enormous company-wide project that pulled our department into different directions. The gentleman who ran KnowBe4 transitioned to a new role. Shortly after that KnowBe4 fizzled out.

I have maintained a training posture for our userbase sending out periodic reminders and trainings that help keep them engaged. But the really big problem is that over the last year and a half we have hired waves of new employees.

These new hires who have not experienced the KnowBe4 training are now a large soft spot in our infrastructures defenses. While I do use what I learned during our KnowBe4 experience to educate these new hires, it is not nearly enough.

The project that had consumed a lot of our teams time and resources is finally beginning to taper down. As their reliance on us to support that project also dwindles down this will begin to free up some of our staff to dedicate our time to other projects.

One of these projects I would love to see return is KnowBe4. I would like to evaluate what you are offering these days compared to what we had used back then. Once things start to shake lose and business begins to pick back up, I think you will see our business again. I do believe 100% that our org is better with KnowBe4." [edited for brevity]
- D.J., IT Supervisor
The 10 Interesting News Items This Week
    1. Gartner predicts 40% of boards will have security committees by 2025:

    2. [Scary?] AI Can Now Learn to Manipulate Human Behavior:

    3. We uncovered a Facebook phishing campaign that tricked nearly 500,000 users in two weeks:

    4. Scammers Selling Fake Covid-19 Vaccination Cards for Just $20:

    5. 42% of Gmail scams targeted American users, Google finds:

    6. Why security awareness training is about finding your Trojan horse:

    7. Use business email compromise training to mitigate risk:

    8. IRS warns of e-file identity theft scam:

    9. The Long Hack: How China Exploited U.S. Tech Supplier Supermicro:

    10. A Hacker Tried to Poison a Florida City's Water Supply:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2021 KnowBe4, Inc. All rights reserved.

Subscribe To Our Blog

Ransomware Hostage Rescue Manual

Get the latest about social engineering

Subscribe to CyberheistNews