CyberheistNews Vol 11 #30 [Eye Opener] Image Inversion as a New Phishing Technique

CyberheistNews Vol 11 #30
[Eye Opener] Image Inversion as a New Phishing Technique

Researchers at WMC Global have found that a phishing kit is using images with inverted colors to avoid detection.

“PhishFeed analysts recently discovered a novel way some threat actors are tricking these scanning engines, and this avoidance mechanism in particular has been deployed on multiple Office 365 credential phishing websites,” the researchers write. “WMC Global threat analysts attribute the use of this method to a single threat actor selling the phishing kit to multiple users.”

Many security scanners and web crawlers are able to identify phishing pages by their appearance. If a site appears identical to the Office 365 login portal but doesn’t have an Office 365 domain, then the scanner concludes that it’s likely a phishing page.

“Because image recognition software is improving and becoming more accurate, this new technique aims to deceive scanning engines by inverting the colors of the image, causing the image hash to differ from the original,” the researchers write. “This technique can hinder the software’s ability to flag this image altogether.

However, a victim visiting the website would likely recognize that the inverted picture is illegitimate and exit the website. As a result, the threat actor has stored the inverted image and, within the index[dot]php code, has used a CSS method to revert the color of the image to its original state.”

The researchers conclude that this is a simple but effective way to deploy a convincing phishing page while avoiding detection.

“This approach results in the final website’s appearing legitimate to users who visit, while crawlers and scanning engines are highly unlikely to detect the image as being an inverted copy of the Office365 background,” the researchers write. “It is notable that the inverted image was discovered within a deployed Office 365 credential phishing kit.

Our team reviewed other campaigns deployed by this threat actor, discovering that the individual was using the same inversion technique on the newer Office 365 background.”

New-school security awareness training can enable your employees to recognize phishing attacks that bypass your technical defenses.

Blog Post with links:
[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TOMORROW, Wednesday, August 4 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at new features and see how easy it is to train and phish your users.
  • NEW! AI-Driven phishing and training recommendations based on your users' phishing and training history.
  • NEW! Brandable Content feature gives you the option to add branded custom content to select training modules.
  • NEW! Security Awareness Proficiency Assessment Benchmarks let you compare your organization’s proficiency scores with other companies in your industry.
  • Did You Know? You can upload your own SCORM training modules into your account for home workers.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 39,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: TOMORROW, Wednesday, August 4 @ 2:00 PM (ET)

Save My Spot!
[OUCH] The Number of New Phishing Attacks Surged 280% in Q2 2021

Phishing activity increased dramatically in the second quarter of 2021, according to a recent report by Vade. The company observed 4.2 billion phishing emails in June alone.

“Overall phishing increased dramatically in Q2 2021, with a significant spike (281 percent) in May and another 284 percent increase in June, for a total of 4.2 billion phishing emails detected by Vade for the month,” the researchers write. “The increase in May can be attributed to spambot activity, as well as an increase in Amazon and SMBC phishing.”

Vade adds that the sophistication and quality of attacks are also increasing.
“H1 saw a surge of advanced phishing attacks featuring sophisticated automation techniques and abuse of high-reputation domains,” the researchers write. “Due to the high level of targeting and automation we have seen in the first half of 2021, we should place less emphasis on the total number of unique URLs detected and more on the nature and quality of the threats received.”

Vade discovered a phishing campaign that used automation to create phishing pages that were tailored to their victims.

“In late June, Vade detected a sophisticated Microsoft phishing attack featuring automated rendering of public logos and background images on Microsoft 365 login pages,” the researchers write. “When a victim clicks on an email phishing link, they are taken to a waiting page, the purpose of which is to determine if the user is the intended target.

If the user is not the intended target, the phishing page is not shown. If the victim is the intended target, the hacker then makes an HTTP post request for the logo and background image of the victim’s corporate entity. The victim is then redirected to a custom Microsoft 365 login page with their company’s corporate logo and background image.”

Blog post with links:
See How You Can Get Audits Done in Half the Time, Half the Cost and Half the Stress

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us TOMORROW, Wednesday, August 4 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we've added to make managing your compliance projects even easier!
  • NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your specific scopes and requirements.
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulations.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: TOMORROW, Wednesday, August 4 @ 1:00 PM (ET)

Save My Spot!
Open Source Intelligence (OSINT): Learn the Methods Bad Actors Use to Hack Your Organization

The digital age has unleashed massive amounts of personal and organizational data on the internet. No breaking through firewalls or exploiting vulnerabilities required.

It is shockingly easy to gather detailed intelligence on individuals and organizations. Everything cybercriminals need to specifically target your end users is out there for the taking. Password clues, tech stack details, and banking/credit card accounts can be found easily and through public resources. There’s even a name for it: Open Source Intelligence (OSINT).

No one knows OSINT techniques and how bad actors use them better than Rosa Smothers, former CIA Cyber Threat Analyst and Technical Intelligence Officer, now KnowBe4’s SVP of Cyber Operations and James McQuiggan, KnowBe4’s Security Awareness Advocate.

Join Rosa and James for this webinar where you will gain insights on how to leverage OSINT to defend your organization and outthink cybercriminals!

In this webinar you’ll learn:
  • How to use OSINT techniques to gather the details you need for effective investigations
  • What specific apps and analytic techniques can enhance your research and data interpretation
  • Demonstrations of OSINT gathering techniques you can use before the cybercriminals do
  • How training your users to understand OSINT and their digital footprint can protect your organization
Learn how to use the cybercriminals’ best techniques before they do and earn CPE credit for attending!

Date/Time: Wednesday, August 11 @ 2:00 PM (ET)

Save My Spot!

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Biden: "If we end up in a war...with a major power, it’s going to be as a consequence of a cyber breach of great consequence." - US President Biden last Tuesday:

PPS: Did You Know? The Jerich Show discusses the cyber attacks of the week and more:

Quotes of the Week
"Education is the passport to the future, for tomorrow belongs to those who prepare for it today":
- Malcolm X (1925 – 1965)

“Employ your time in improving yourself by other men's writings, so that you shall gain easily what others have labored hard for.”:
- Socrates - Philosopher (469 - 399 BC)

Thanks for reading CyberheistNews

Security News
Cybercriminals Are Growing More Organized

The cybercriminal underground is becoming increasingly organized, according to researchers at HP. The criminal underground functions like a regular economy, with people selling goods and services such as phishing kits, malware, and access to compromised networks.

As a result, the bar of entry is lower since unskilled criminals can buy the things that previously prevented them from engaging in cybercrime. HP’s report shared the following findings:
  • “75% of malware detected was delivered via email, while web downloads were responsible for the remaining 25%. Threats downloaded using web browsers rose by 24%, partially driven by users downloading hacking tools and cryptocurrency mining software.
  • “The most common email phishing lures were invoices and business transactions (49%), while 15% were replies to intercepted email threads. Phishing lures mentioning COVID-19 made up less than 1%, dropping by 77% from H2 2020 to H1 2021.
  • “The most common type of malicious attachments were archive files (29%), spreadsheets (23%), documents (19%), and executable files (19%). Unusual archive file types – such as JAR (Java Archive files) – are being used to avoid detection and scanning tools, and install malware that’s easily obtained in underground marketplaces.
  • “The report found 34% of malware captured was previously unknown, a 4% drop from H2 2020.
  • “A 24% increase in malware that exploits CVE-2017-11882, a memory corruption vulnerability commonly used to exploit Microsoft Office or Microsoft WordPad and carry out fileless attacks.”
The researchers also observed a “resume-themed malicious spam campaign targeted shipping, maritime, logistics and related companies in seven countries (Chile, Japan, UK, Pakistan, US, Italy and the Philippines), exploiting a Microsoft Office vulnerability to deploy the commercially-available Remcos RAT and gain backdoor access to infected computers.”

Alex Holland, a Senior Malware Analyst at HP, stated that criminals continue to rely on phishing to gain initial access because it works so well. “Cybercriminals are bypassing detection tools with ease by simply tweaking their techniques,” Holland said. “We saw a surge in malware distributed via uncommon file types like JAR files – likely used to reduce the chances of being detected by anti-malware scanners.

The same old phishing tricks are reeling in victims, with transaction-themed lures convincing users to click on malicious attachments, links, and web pages.” New-school security awareness training can give your organization an essential last layer of defense by enabling your employees to spot phishing attacks that slip past your technical defenses.

HP has the story:
Two of the Most Common and Successful Ransomware Attack Methods Are Exposed

Researchers at Coveware recently analyzed ransomware attacks during Q2 of this year and noticed a similar trend in ransomware attack methods by cybercriminals.

These are the two ransomware attack methods that are gaining popularity by ransomware gangs:
  • Email Phishing Attacks - The most common form of a cyberattack. Cybercriminals are including a malicious attachment in the phishing emails that contain ransomware. Coveware reported that this method has been prevalent in 42% of known ransomware attacks.
  • Brute Force Attacks - This type of attack specifically focuses on remote desktop protocol services (RDP). They brute force weak or default usernames and passwords to gain access. This type of attack is also accounting for 42% of known ransomware attacks.
Cybercriminals gravitate to these methods because they are low-cost to carry out while also being effective. They're also very simple to execute and, if successful, can open doors to your whole network.

Ransomware groups have only gotten stronger with REvil being responsible for the infamous Kaseya hack and Conti against the Irish healthcare system. There are new ransomware groups that will come through the shadows in the near future and will be even more powerful than these well-known ransomware groups.

To help protect your organization's network you can take additional security measures such as multi-factor authentication, frequent software updates and patches, and most importantly, implement new-school security awareness training. Your users are the essential last layer of defense.

Blog post with links:
What KnowBe4 Customers Say

"Yes, very happy campers thank you! Your product is amazing! The ASAP has made the process of rolling out the program for our school so simple and easy to follow. Whoever decided to create that program to follow is a genius (and the team that has developed it, including the most recent changes)!

We have found in the past with other software that it can be hard to wrap your head around what features a product actually does... and more importantly what logical order to implement them in. The ASAP takes the guesswork out of everything - a few simple questions and you have a tailor made program to rollout with realistic timeline and well documented steps to carry out. Love it!

Both our regional account manager Charlie Watson and our success manager Sean Gordon have been amazing. They helped us quickly understand the product, both before and after our purchase and have been incredibly helpful with the few questions we have had. It is fantastic to know that Sean has already booked a 'check in' with us, so we know that this is an ongoing relationship where our security improvement is just as important to KnowBe4 as it is to us.

Definitely not just a case of "Hope the customer pays up and shuts up" which other companies seem to hope for.

Almost immediately following our rollout of the KnowBe4 system the whole school has been abuzz with thoughts around computer security, starting many great discussions and interest in the staff. Our attempts in the past to warn and educate on these security risks have often been met with either silence or resistance.

Yet sending out a baseline phishing email and then the Security Assessment Proficiency Training has started people taking interest in computer security across the breadth of the school, from school governors, head teacher and senior leadership, all the way to the site maintenance department. There was a lot of friendly competition based around the SAPA scores and it was great to overhear staff talking between themselves about subjects like phishing and ransomware, something we would have never really dreamed of before now.

We have been loving the KnowBe4 product and are eager to start sending out the training in September at the start of the new academic year once the teachers and other non-full time staff return!

Thanks for reaching out! :) If we can help with a testimonial or the like just let me know."
- H.J., ICT Technician
The 10 Interesting News Items This Week
    1. By Yours Truly in Forbes - "Seven Factors Analyzing Ransomware’s Cost To Business":

    2. What Will It Take to Defend Public Water from Cyber Attacks?:

    3. States Weigh Bans On Ransomware Payoffs:

    4. Kaseya Says It Did Not Pay Ransom to Obtain Universal Decryptor:

    5. FTC's right-to-repair ruling is a small step for security researchers, giant leap for DIY hackers:

    6. FBI reveals top targeted vulnerabilities of the last two years:

    7. FBI tracking more than 100 active ransomware groups:

    8. Enterprise data breach cost reached record high during COVID-19 pandemic:

    9. Whitehouse: "New US security memorandum bolsters critical infrastructure cybersecurity":

    10. McAfee: Babuk ransomware decryptor causes encryption 'beyond repair':
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2021 KnowBe4, Inc. All rights reserved.

Subscribe To Our Blog

Cybersecurity Awareness Month 2021 Free Resource Kit

Get the latest about social engineering

Subscribe to CyberheistNews