CyberheistNews Vol 11 #35 [Heads Up] When the URL Domain Is Not Enough To Avoid That Phish


By Roger Grimes.

One of the most common mantras in security awareness training is “Examine the URL to determine if it points to the legitimate vendor or not!”

It is great advice. Teach yourself and others how to read internet uniform resource locator (URL) links so they can spot tricks from phishers trying to get them to visit bogus websites. Knowing how to spot the difference between microsoft[dot]com and microsoft[dot]com[dot]biztalk[dot]ru can save you a lot of misery and wasted hours.

So, even I say it (i.e., “Examine the URL”) all the time. I even have a one-hour webinar course called Combating Rogue URL Tricks. I wrote a related blog article, and you can even download a useful “12 Most Common Rogue URL Tricks” PDF. I am all about everyone learning how to spot rogue URLs.

Most of the time, simply finding the fully qualified domain name in the URL and identifying its registrable domain (the part the site owner actually controls, e.g., biztalk[dot]ru in microsoft[dot]com[dot]biztalk[dot]ru) is enough to rule out what is and is not legitimate. The vast majority of phishing attacks use a bogus (e.g., look-alike or sound-alike) domain name in the URL, so a quick look can rule in or out whether an included URL points to a legitimate website.

But not always...

As I cover in my Rogue URL webinar (and article and PDF), there are a multitude of tricks that phishers can use to trick people into clicking on a rogue URL. One of the most devious types is known as a redirection attack.

CONTINUED with Links and example screenshots:
[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TOMORROW, Wednesday, September 8 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at new features and see how easy it is to train and phish your users.
  • NEW! AI-Driven phishing and training recommendations based on your users' phishing and training history.
  • NEW! Brandable Content feature gives you the option to add branded custom content to select training modules.
  • NEW! Security Awareness Proficiency Assessment Benchmarks let you compare your organization’s proficiency scores with other companies in your industry.
  • Did You Know? You can upload your own SCORM training modules into your account for home workers.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 40,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: TOMORROW, Wednesday, September 8 @ 2:00 PM (ET)

Save My Spot!
Cybercriminals Can Post Jobs on LinkedIn Posing as Any Employer They Want

Lax verification around what company is offering a given job on LinkedIn allows attackers to create bogus job postings for malicious purposes.

It appears that LinkedIn is being used as a medium by cybercriminals to connect with victims. Today a threat actor can pose as a representative of a legitimate company when posting a job.

Scams built on job postings are among the most powerful social engineering tactics in use today. Starting from a well-established site like LinkedIn, bypassing email-based phishing entirely, and exploiting the candidate's eagerness to follow whatever process is required to land that cool job at that great company with the awesome pay adds up to a perfect cyber-storm.

I wrote about such attacks back in 2019, in which a developer at a bank who was looking for a new job was tricked into installing a RAT under the premise that it was a program designed to let him fill out an application. It appears that LinkedIn still has no means of verifying that the poster is from the company they say they are.

According to Bleeping Computer, security researchers were recently able to walk through the posting process without needing to validate the company they purported to work for. This is a huge advantage for the threat actor. Think about it – if I want to target a specific industry or company, post a dev job as a competing company in that same sector. Simple, elegant, and likely effective social engineering – all thanks to LinkedIn.

This kind of attack is one of the slickest because the victim feels as though they initiated the contact (as opposed to a phishing email showing up in their inbox) and is emotionally invested in following the process through to completion.

Falling for social engineering is one of the main reasons organizations need their users enrolled in continual security awareness training: social engineering tactics are not confined to email, and this latest finding on LinkedIn affirms that.

Blog post with links:
See How You Can Get Audits Done in Half the Time, Half the Cost and Half the Stress

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us TOMORROW, Wednesday, September 8 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we've added to make managing your compliance projects even easier!
  • NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your specific scopes and requirements.
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulations.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: TOMORROW, Wednesday, September 8 @ 1:00 PM (ET)

Save My Spot!
Microsoft Warns: Large Phishing Campaign Abuses Open Redirects

Researchers at Microsoft have observed a widespread phishing campaign that’s abusing open redirectors to fool users into visiting credential-harvesting pages. Open redirects are often used for legitimate purposes, such as tracking click rates. However, they can also be abused to disguise a link to a phishing page.

“The use of open redirects in email communications is common among organizations for various reasons,” the researchers write. “For example, sales and marketing campaigns use this feature to lead customers to a desired landing web page and track click rates and other metrics.

However, attackers could abuse open redirects to link to a URL in a trusted domain and embed the eventual final malicious URL as a parameter. Such abuse may prevent users and security solutions from quickly recognizing possible malicious intent.”

Microsoft explains that this tactic can fool both users and technology, since the URL itself appears legitimate.

“Users trained to hover on links and inspect for malicious artifacts in emails may still see a domain they trust and thus click it,” Microsoft says. “Likewise, traditional email gateway solutions may inadvertently allow emails from this campaign to pass through because their settings have been trained to recognize the primary URL without necessarily checking the malicious parameters hiding in plain sight.”
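The two URL checks described in this issue, reading the registrable domain out of the host (the Rogue URL item above) and looking past a trusted host to the destination hidden in a redirect parameter (Microsoft's description here), can be combined in one static check that never fetches the link. The following is an added example, not code from the newsletter, from Microsoft or from KnowBe4; the public-suffix list, the trusted-domain allowlist and the sample links are constructed for illustration, and a real deployment would use the full Public Suffix List instead of the tiny one assumed here.

```python
# Added example (not from the newsletter or from Microsoft): statically unwrap
# open-redirect parameters and judge a link by the registrable domain of its
# FINAL destination rather than the first hostname a user sees on hover.
# The public-suffix list, the trusted-domain allowlist and the sample URLs
# below are constructed for illustration.
from urllib.parse import parse_qsl, unquote, urlsplit

# Deliberately tiny, constructed public-suffix list. Production code should
# use the full Public Suffix List (e.g. via the tldextract package).
PUBLIC_SUFFIXES = {"com", "net", "org", "ru", "biz", "co.uk"}

# Assumed allowlist: the domains this organisation actually trusts.
TRUSTED_DOMAINS = {"microsoft.com", "example.com"}


def registrable_domain(host):
    """Return the eTLD+1, e.g. 'biztalk.ru' for 'microsoft.com.biztalk.ru'.

    The longest candidate suffix is tested first, so 'co.uk' is matched as a
    whole rather than as 'uk'. A bare public suffix returns None.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def embedded_url(url):
    """Return the first query-parameter value that is itself a URL.

    parse_qsl already percent-decodes once; the extra unquote() catches the
    double-encoded targets that redirect abuse commonly uses.
    """
    query = urlsplit(url).query
    for _, value in parse_qsl(query, keep_blank_values=True):
        candidate = unquote(value)
        if candidate.lower().startswith(("http://", "https://", "//")):
            return candidate
    return None


def follow_redirect_params(url, max_hops=5):
    """Unwrap nested redirect parameters without fetching anything.

    Returns the chain of URLs, starting with the one the user was shown.
    max_hops bounds the loop so a self-referencing link cannot spin forever.
    """
    chain = [url]
    while len(chain) <= max_hops:
        nxt = embedded_url(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def inspect_link(url):
    """Summarise what a hovering user sees versus where the link really leads."""
    chain = follow_redirect_params(url)
    # urlsplit().hostname also discards the 'user@' trick, so
    # https://microsoft.com@biztalk.ru/ is reported as biztalk.ru here.
    shown_host = urlsplit(chain[0]).hostname or ""
    final_host = urlsplit(chain[-1]).hostname or ""
    final_domain = registrable_domain(final_host)
    return {
        "shown_host": shown_host,
        "final_host": final_host,
        "final_domain": final_domain,
        "hops": len(chain) - 1,
        "trusted": final_domain in TRUSTED_DOMAINS,
    }


if __name__ == "__main__":
    # Constructed sample links; the defanged hosts from the article are re-armed
    # here purely so the parser can read them.
    samples = [
        "https://www.microsoft.com/en-us/",
        "https://microsoft.com.biztalk.ru/owa",
        "https://microsoft.com@biztalk.ru/owa",
        "https://example.com/redirect?url=https%3A%2F%2Fmicrosoft.com.biztalk.ru%2Fowa",
    ]
    for s in samples:
        r = inspect_link(s)
        print(f"{s}\n  shown={r['shown_host']} final={r['final_host']} "
              f"hops={r['hops']} trusted={r['trusted']}")
```

The fourth sample is the case Microsoft describes: the hover text shows example.com, a domain on the allowlist, yet the verdict is untrusted because the decision is made on the unwrapped final host. A gateway rule or a user that stops at the first hostname passes it. On the website side, the mitigation for the site that exposes the redirector is the mirror image of this check: validate the redirect target against an allowlist of hosts or accept only relative paths before issuing the redirect.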

The researchers also note that this campaign makes use of hundreds of unique domains. “This phishing campaign is also notable for its use of a wide variety of domains for its sender infrastructure—another attempt to evade detection,” the researchers write. “These include free email domains from numerous country code top-level domains (ccTLDs), compromised legitimate domains, and attacker-owned domain generated algorithm (DGA) domains.

As of this writing, we have observed at least 350 unique phishing domains used for this campaign. This not only shows the scale with which this attack is being conducted, but it also demonstrates how much the attackers are investing in it, indicating potentially significant payoffs.”

New-school security awareness training can enable your employees to recognize red flags associated with social engineering attacks.

Microsoft has the story:
A Master Class on Cybersecurity: Roger Grimes Teaches Data-Driven Defense

Even the world’s most successful organizations have significant weaknesses in their cybersecurity defenses, which today’s determined hackers can exploit at will. There’s even a term for it: Assume Breach.

But assuming you’ll be hacked isn’t an option for you. Your organization can’t afford a loss of assets or downtime. And nobody knows this more than Roger Grimes, Data-Driven Defense Evangelist at KnowBe4.

With 30+ years of experience as an IT security consultant, instructor, and award-winning author, Roger has dedicated his life to making sure you’re prepared to defend against quickly-evolving cybersecurity threats. He wrote the book on it, literally - A Data-Driven Computer Security Defense.

Join Roger Grimes for this thought-provoking webinar where he’ll share the most common reasons for data breaches and a data-driven approach to determining your organization’s specific weaknesses.

You’ll walk away from this session understanding:
  • What most organizations are doing wrong and how to fix it
  • How to build an action plan to improve your cybersecurity effectiveness
  • Why a strong human firewall is your best last line of defense
Start creating your data-driven defense plan today and earn CPE credit for attending!

Date/Time: Wednesday, September 15 @ 2:00 PM (ET)

Save My Spot!

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Yours Truly in Newsweek: "Teaching Active Listening to All Employees":

Quotes of the Week
"It is the mark of an educated mind to be able to
entertain a thought without accepting it."

- Aristotle - Philosopher (384 - 322 BC)

"Most people overestimate what they can do in one year and underestimate what they can do in ten years."
- Bill Gates

Thanks for reading CyberheistNews

Security News
Email-Based Cyberattacks Double Between January and June

More than 2.9 billion email-based threats were detected in the first half of 2021. Business email compromise, obfuscation, and living off the land reigned, according to new data from Zix.

We’ve seen massive spikes before in the number of ransomware and other cyber attacks – usually when comparing a previous year to the current one. But rarely do we see a significant increase within just six months. According to the Global Threat Report: Mid-Year 2021 from Zix and AppRiver that’s exactly the case, with about 300,000 attacks in January of this year and over 600,000 in June.

The report provides several examples of attack trends observed by security researchers at Zix, including:
  • Increased use of obfuscation to evade security solutions, such as CAPTCHA gates and creatively encoded malicious attachments
  • The targeting of those looking for new jobs as workers return to the workplace
  • Living off the land using cloud resources, with Google APIs leading the way
  • Lots of Business Email Compromise
  • Use of many forms of banking trojans to steal banking and browser data
While most of the attack examples have equivalents here on our blog, this report does bring to light the increases in attack numbers and creativity you should expect to continue. The obfuscation is a particular focus for threat actors working to avoid detection by security solutions.

Should they be successful, the last layer of defense is a well-prepared and vigilant user who is always on the lookout for suspicious email content that may be the launching point for the next cyberattack.

Blog Post with links:
Money Mules Recruited on Campus

A Nigeria-based cybercrime group is targeting university students with money mule scams, according to Renatta Siewert from Mimecast. Money mules are people who launder stolen money through their bank accounts in exchange for a cut of the proceeds.

In many cases, the mules aren’t aware that the money was stolen and are tricked into facilitating a crime. In this instance, the criminals pose as a consulting company and send out phony job offers.

“In this two-part operation, the scammers compromise student email accounts through phishing attacks, and then they send the job offer to the compromised student’s address book, which could include friends, professors, or other staff at the college or university,” Siewert writes.

“The job offer emails contain short URLs that redirect to a Google Form, and, as part of the application process, the recipient is asked to fill out a large amount of personal information. The targets are usually asked to provide an alternative, non-academic email address, giving the scammers access to other targets outside of the college or university.”

Siewert notes that the criminals can also use the victim’s personal information for additional scams in the future. “Once the victim fills in the form revealing their personal information, the Nigeria-based scammers send a follow-up email providing details of the administrative tasks that come with the job, but the first responsibility always involves cashing checks,” Siewert says.

“The email goes on to ask for confirmation of full name, occupation, physical address for receiving mail deliveries, a mobile number to receive texts, and whether the recipient knows how to make mobile deposits. These emails also use short URLs and redirect to a Google Form in the same style as the application form.”

Mimecast has the story:
BEC and the Underworld's Resources

Researchers at Intel 471 have observed cybercriminals outsourcing talent for business email compromise (BEC) attacks. This tactic lowers the bar of entry for BEC attacks, which are extremely effective at raking in large amounts of money.

“In February, an actor on a popular Russian-language cybercrime forum announced he was searching for a team of native English speakers for the social engineering elements of BEC attacks after they had obtained access to custom Microsoft Office 365 domains,” the researchers write.

“Additionally, another actor on a different forum asked for the same thing in June, posting help wanted ads that essentially outsourced the social engineering work behind BEC, while the actor would take care of the related technical aspects.”

The researchers note that this enables the criminals to overcome the language barrier, since typos and poor grammar often tip off users to the scam.

“Actors like those we witnessed are searching for native English speakers since North American and European markets are the primary targets of such scams,” Intel 471 says. “The use of proper English is very important to these actors, as they want to ensure the messages they send to their victims — mainly high-level employees of an organization — do not raise any red flags.”

Criminals are also outsourcing the money laundering aspect, which further lowers the bar for these attacks.

“Another skill actors on the cybercrime underground are looking to outsource is laundering the money stolen via BEC schemes so it becomes untraceable and usable,” the researchers write. “Intel 471 observed a Russian language actor place an ad on a cybercrime forum, looking to launder sums as large as $250,000 through a cryptocurrency tumbler — a service that blends multiple transactions and disperses money to intended recipients in incomplete installments, which makes it significantly more difficult to trace.

The six-figure sum suggested the scams targeted large companies.” The researchers conclude that employee training is a valuable layer of defense against these attacks. “Awareness of the techniques threat actors employ and key indicators that an email or sender is fraudulent or inauthentic can help reduce the threat of BEC.”

New-school security awareness training can enable your employees to thwart social engineering attacks and make them that last line of defense.

Blog post with links:
What KnowBe4 Customers Say

"We are very happy campers! The content is great, the interface is great, all of the KB4 folks have been great, and we are even considering adding your compliance/harassment training to our package."
- H.M., Chief Information Officer

"I'm so happy with your product. I just started with phishing campaigns and trainings. There is so much content and very valuable training materials. This is the best training and phishing campaign I found this year. Very helpful for my colleagues to learn how phishing attacks work. Thank you so much for making such a valuable product."
- I.S., Senior IT Infrastructure Lead
The 10 Interesting News Items This Week
    1. Conti ransomware now hacking Exchange servers with ProxyShell exploits. Spear phishing one of 3 initial attack vectors:

    2. Gift Card Gang Extracts Cash From 100k Inboxes Daily:

    3. Cyberattackers are now quietly selling off their victim's internet bandwidth:

    4. Report - Texas, California, New York, Louisiana, Missouri lead list of states with most ransomware attacks on schools:

    5. Expired driver’s licenses during COVID open lane for cybercriminals:

    6. Companies are tired of spending money on cybersecurity. Here's how to change their minds | ZDNet:

    7. Half of businesses can't spot these signs of insider cybersecurity threats:

    8. Australian data watchdog calls for greater vigilance against cybercrime:

    9. FBI: Spike in sextortion attacks cost victims $8 million this year:

    10. US House Debates Breach Notification Measure:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2021 KnowBe4, Inc. All rights reserved.
