CyberheistNews Vol 11 #34 [Heads Up] A Tricky New COVID-19 Phishing Caper

A new phishing campaign is exploiting the ongoing uncertainty about company policies related to COVID-19, according to Roger Kay at INKY. The campaign uses emails that purport to come from a company’s HR office informing employees that they’re required to fill out a COVID-19 vaccination status form.

Clicking on the link in the email will take the user to a Microsoft Outlook credential phishing page. “This campaign was able to bypass existing email security in a number of ways,” Kay says. “It sent the lures from legitimate but hijacked email accounts to evade standard security checks.

If the recipient clicked through, they were taken to a hijacked web page that impersonated a trusted brand. Because the phishers used a hijacked site, their exploit had not yet appeared on any threat intelligence feed. The sally was effectively a zero-day attack.

Now that it’s been discovered and reported, any email security products that reference such feeds can find it, but it’s a little late for the first victims targeted by the campaign.” Kay also notes that the emails were sent from compromised email accounts, which further added to their legitimacy.

“While the pitches appeared to be local, in fact, they all originated from various legitimate — but hijacked — external accounts,” Kay says. “This legitimacy enabled them to pass standard email authentication (i.e., SPF, DKIM, and DMARC).”

Kay explains that this phishing campaign uses the following tactics:
  • The exploitation of current events — capitalizes on the uncertainty, fear, and urgency related to COVID-19 vaccinations and plans to return to the office
  • Brand impersonation — uses elements of a well-known brand to make an email look as if it came from that company
  • Credential harvesting — occurs when a victim thinks they are logging in to one of their resource sites but is actually entering credentials into a dialogue box owned by the attackers
  • Compromised email accounts — are used by phishers to pass most security software tests, allowing phishing emails to slip past corporate defenses and into hapless recipients’ inboxes
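
An added example, not from INKY's report or from KnowBe4: a triage check for the pattern Kay describes, where a lure passes SPF, DKIM and DMARC because it is sent from a hijacked external account while claiming to come from the local HR office. The domains, the authserv-id, the keyword list and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAINS = {"example.com"}        # assumption: the recipient organisation's domains
TRUSTED_AUTHSERV = "mx.example.com"  # assumption: authserv-id of our own mail gateway
# Assumed keywords for internal departments a lure might claim to be
INTERNAL_ROLE = re.compile(r"\b(hr|human resources|payroll|help ?desk)\b", re.I)

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts, only from headers our gateway stamped."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, body = header.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # a header added upstream can be forged by the sender
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", body, re.I):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts

def assess(raw):
    """Classify one raw message as 'flag', 'auth-fail' or 'ok'."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    auth = auth_results(msg)
    authenticated = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    external = domain not in ORG_DOMAINS
    claims_internal = bool(INTERNAL_ROLE.search(f"{display} {msg.get('Subject', '')}"))
    if external and claims_internal:
        # Passing authentication only proves the mail left that external domain.
        verdict = "flag"
    elif not authenticated:
        verdict = "auth-fail"
    else:
        verdict = "ok"
    return {"domain": domain, "authenticated": authenticated, "verdict": verdict}

def build(sender, subject, authserv=TRUSTED_AUTHSERV, result="pass"):
    """Constructed sample message; no value here comes from the real campaign."""
    d = sender.rpartition("@")[2].rstrip(">")
    return "\n".join([
        f"From: {sender}", f"Subject: {subject}",
        f"Authentication-Results: {authserv}; spf={result} smtp.mailfrom={d}; "
        f"dkim={result} header.d={d}; dmarc={result} header.from={d}",
        "", "(body omitted)"])

LURE = build('"HR Department" <j.doe@hijacked-vendor.example>',
             "Required: COVID-19 vaccination status form")
INTERNAL = build('"HR Department" <hr@example.com>', "Benefits enrolment opens Monday")
VENDOR = build('"Acme Billing" <billing@vendor.example>', "Invoice 1042")
FORGED = build('"Acme Billing" <billing@vendor.example>', "Invoice 1042",
               authserv="mail.untrusted.example")

if __name__ == "__main__":
    for name, raw in [("lure", LURE), ("internal", INTERNAL), ("vendor", VENDOR), ("forged", FORGED)]:
        print(name, assess(raw))
```

The lure is fully authenticated and is still flagged, because the sender domain is external while the display name claims an internal role.
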
New-school security awareness training enables your employees to make smarter security decisions. We have phishing templates ready for you that simulate attacks like this.

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, September 8 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at new features and see how easy it is to train and phish your users.
  • NEW! AI-Driven phishing and training recommendations based on your users' phishing and training history.
  • NEW! Brandable Content feature gives you the option to add branded custom content to select training modules.
  • NEW! Security Awareness Proficiency Assessment Benchmarks let you compare your organization’s proficiency scores with other companies in your industry.
  • Did You Know? You can upload your own SCORM training modules into your account for home workers.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 40,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, September 8 @ 2:00 PM (ET)

Microsoft Warns of New Phishing-Turned-Vishing-Turned-Phishing Attack Aimed at Installing Ransomware

In what appears to be a phishing attack that mixes emails and phone calls, Microsoft reminds us to be wary and to open emails and attachments only from known contacts.

Perhaps taking a page from the recent Amazon-themed credit card scam that leverages vishing instead of malicious links, Microsoft has put out a warning of a new attack that starts out as a fake payment notification.

The “call center” staffers inform the victim caller of a need to fill out a form, quickly sending over a password-protected zip file that actually contains a malicious Word doc used to infect endpoints with ransomware.

What makes this scam so interesting is the fact that users must be fooled three times:
  • That the initial fake invoice is real and that they must call to cancel it
  • That the call center support team is real and that an emailed Word doc (instead of a web form) is the means to cancel the payment
  • That a Word doc would be emailed inside of a zip file that sits behind a password
None of this sounds very customer-friendly – which should set off some red flags for users with any level of vigilance in place. It’s stories of users falling for attacks like these that make it critical for organizations to put security awareness training in place to educate users on various types of email attacks, methods used to install software or steal credentials, and the need for the user themselves to play a part in the organization’s security.

Blog post with links and Microsoft schematic of the attack:
See How You Can Get Audits Done in Half the Time, Half the Cost and Half the Stress

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us Wednesday, September 8 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we've added to make managing your compliance projects even easier!
  • NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your specific scopes and requirements.
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulations.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: Wednesday, September 8 @ 1:00 PM (ET)

The FBI Takes a Look at a Ransomware Affiliate

The US Federal Bureau of Investigation (FBI) has issued an advisory describing a ransomware affiliate that calls itself “OnePercent Group,” the Record reports. The Record notes that the OnePercent Group is an affiliate of the REvil, Maze, and Egregor ransomware gangs. The threat actor gains initial access via phishing emails.

“OnePercent Group actors gain unauthorized access to victim networks through phishing emails with a malicious zip file attachment,” the FBI says. “The zip file includes a Microsoft Word or Excel document that contains malicious macros that allow the actors to subsequently infect the victim’s system with the banking Trojan IcedID.

The actors use IcedID to install and execute the Cobalt Strike malware on the victim’s network to move laterally to other systems within the environment through PowerShell remoting. The actors use rclone for data exfiltration from the victim’s network. The actors have been observed within the victim’s network for approximately one month prior to deployment of the ransomware.”

The FBI says the gang exfiltrates the victim’s data before encrypting it, then holds the stolen data for ransom.

“Once the ransomware is successfully deployed, the victim will start to receive phone calls through spoofed phone numbers with ransom demands and are provided a ProtonMail email address for further communication,” the Bureau says. “The actors will persistently demand to speak with a victim company’s designated negotiator or otherwise threaten to publish the stolen data.

When a victim company does not respond, the actors send subsequent threats to publish the victim company’s stolen data via the same ProtonMail email address.” The Bureau offers the following technical controls for organizations, but unfortunately forgot one of the most important ones when bad actors come in with phishing attacks: train those users with frequent simulated phishing attacks.

[FREE Resource Kit] Cybersecurity Awareness Month 2021 Now Available

Cybersecurity Awareness Month is right around the corner, but we’ve got you covered!

Between vacations, working from home, and coming back to something resembling “normal,” your users will be more susceptible than ever to phishing and social engineering attacks. So we’ve made sure our 2021 Cybersecurity Awareness Month Resource Kit comes packed with free courses, infographics, tip sheets and more to help you make the most out of October.

This year’s kit includes:
  • 2 interactive courses in multiple languages
  • 2 expert-led videos on password management and social engineering
  • 4 infographics
  • 4 posters and digital wallpapers
  • 4 tip sheets
Plus, new this year we have an interactive weekly planner that gives a visual representation of how you can best plan to share the free resources throughout October and a handy resource kit user guide with tips and campaign ideas for spreading the cybersecurity knowledge to your users!

This kit will help you and your users defend against cybercrime this October and beyond.

Let's stay safe out there. Below you find some articles I published in DarkReading and Forbes that might help.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: DMARC 101: How to Keep Phishing Attacks Out of Your Inbox:

PPS: Ransomware Prevention: Use These 10 Security Recommendations from NYDFS:

Quotes of the Week
"He who asks is a fool for five minutes, but he who does not ask remains a fool forever."
- Chinese Proverb

"Daring ideas are like chessmen moved forward. They may be beaten, but they may start a winning game."
- Johann Wolfgang von Goethe - Writer (1749-1832)

Thanks for reading CyberheistNews

Security News
New Hampshire Town Loses 2.3 Million to Email Fraud

The New Hampshire town of Peterborough lost 2.3 million dollars to a business email compromise scam, NBC10 Boston reports. The criminals posed as Contoocook Valley (ConVal) School District staff and used phony documents to divert payments from the town.

Select Board Chairman Tyler Ward and Town Administrator Nicole MacStay stated in a press release on Facebook, “On July 26th town officials learned that ConVal School District had not received the $1.2m monthly transfer from the Town.

Upon investigation we quickly realized that the town had been victim of an email-based fraud. Finance Department staff immediately put a stop payment order on the transfer, however the funds had already left the Town’s account at Peoples Bank.”

The investigation then led to the discovery of two additional fraudulent payments diverted from a general contractor. “On August 18th, with the original investigation still ongoing, Finance Department staff learned that two bank transfers meant to go to Beck and Bellucci, the general contractor working on the Main Street Bridge project, had also been fraudulently diverted to thieves through similar means,” Ward and MacStay said.

“The U.S. Secret Service Cyber Security Fraud Task Force, ATOM Group and our insurance provider were immediately notified. Investigations into these forged email exchanges showed that they originated overseas. These criminals were very sophisticated and took advantage of the transparent nature of public sector work to identify the most valuable transactions and focus their actions on diverting those transfers.”

The press release added, “We do not believe that the funds can be recovered by reversing the transactions, and we do not yet know if these losses will be covered by insurance.” MacStay told NBC10 Boston that the phony emails were extremely convincing.

“They were incredibly sophisticated forgeries,” she said. “These email exchanges, you would have to look much closer than anyone would normally look at an email to see that they were in fact forgeries. They really understand how these transactions worked, and took the time to understand how we worked with the school district and the vendor to be able to divert the funds the way they did.”

New-school security awareness training can help your employees recognize and thwart targeted social engineering attacks.

NBC10 Boston has the story:
“Compromise” Is the “C” in “MICE”

The FBI is warning Silicon Valley companies to be wary of insider threats, Protocol reports. FBI special agent Nick Shenkin told Protocol in an interview that authoritarian governments—mainly China and Russia—frequently pressure employees at US companies to conduct espionage.

“This is a quotidian activity,” Shenkin said. “This is a massive fundamental activity that bolsters and is one of the mainstays of many autocratic countries and their governments.”

Shenkin said the FBI is offering briefings to raise awareness about these threats. “The reason why we're being so much more assertive about these briefings and trying to be more open with U.S. industry is because we've just come to the realization that if there is no cost, then they will continue to do what they're doing,” Shenkin said.

“So the briefings are like, ‘Please American companies, raise your shields, protect yourselves, make it more expensive for the thieves to rob you, and the country is stronger, and you're stronger.’”

What's "MICE" Stand For?

Shenkin stressed that employees are most often driven to espionage in these cases because they have family members living in an authoritarian country, which their governments use as leverage against them. This is one of the four types of motivations described by the acronym “MICE,” used in counterintelligence training: “M” for “money,” “I” for “ideology,” “C” for “compromise,” and “E” for “ego.”

“A lot of what the briefings cover is the idea that this is not about the ethnicity of the individual,” Shenkin said. “This is about: What is any individual's or entity's vulnerability to the jurisdiction of an autocracy? Because what we see overwhelmingly is people who end up stealing intellectual property, very often, they have no desire to be stealing intellectual property.”

He also added that companies shouldn’t be complacent just because they don’t think they have anything valuable to steal. “If you're a quantum computing company, or a biotech company, or a green tech company, you are a juicier zebra on the Serengeti,” Shenkin said. “But they're also going for just the slowest zebra on the Serengeti.”

So help your people out by building a supportive, non-punitive, and sympathetic culture of security. New-school security awareness training can give your organization that essential extra layer of defense.

Protocol has the story:
What KnowBe4 Customers Say

"Stu, I wanted to tell you about the outstanding level of service and support that we have received from CorbinB. Our people and our data are our most important assets here. I have spent the last month working with Corbin on implementing several training programs, PAB, and PhishER. His knowledge of your product and understanding of how to implement and the best practices increasing the knowledge of my team on information security and Phishing has been exceptional.

Corbin quickly instructed me on implementing PAB and PhishER in just a couple of meetings. He then followed up to help me understand how to utilize the information to better protect us.

In today's fast-moving, hi-tech world, when we have the opportunity to work together with an individual like Corbin, we need to take a minute and let the leaders of these companies know who is out there "making a difference".
- G.T., Head of Customer Support & Business Operations
The 10 Interesting News Items This Week
    1. Biden Says Cybersecurity is the ‘Core National Security Challenge’ at CEO Summit:

    2. FACT SHEET: Biden Administration and Private Sector Leaders Announce Ambitious Initiatives to Bolster the Nation’s Cybersecurity:

    3. China's Microsoft Hack May Have Had a Bigger Purpose Than Just Spying:

    4. Ragnarok ransomware releases master decryptor after shutdown:

    5. FBI shares technical details for Hive ransomware:

    6. California Reminds Healthcare Orgs of Data Breach Reporting Obligations:

    7. Ransomware Affiliate OnePercent Targeted US Orgs with Phishing Campaign:

    8. New Hampshire Town Loses $2.3M in Taxpayer Money to Cyberattack:

    9. Phishing campaign uses XSS vuln to distribute malware:

    10. That email asking for proof of vaccination might be a phishing scam: