CyberheistNews Vol 11 #37 [Heads Up] A New Phishing Attack on Microsoft 365 Users Leverages Open Redirects To Avoid Detection


The use of open redirects from legitimate domains makes phishing emails that much more believable and credible, obfuscating the dangerous nature of these attacks.

In the ongoing saga of attacks on Microsoft 365 users, security analysts at Microsoft recently announced a widespread campaign that utilizes open redirects: web endpoints that forward the visitor to a destination URL supplied in a request parameter. Legitimate sites use them to send a visitor on to the page they asked for once a login or click-tracking step has finished; when the endpoint does not validate the destination, anyone can point it at a site of their choosing.

A simple example of an open redirect is the following:

According to Microsoft, attackers use a bit more trickery to fool those who hover over links in emails before clicking on them: the malicious destination is embedded as a parameter inside a link to a trusted domain, so the hover preview shows the trusted domain first and the real target only as an easily overlooked tail (note the red portion of the screenshot at the blog).

In many cases the redirect does not land on the phishing page directly but first takes visitors to a Google reCAPTCHA page. Automated link crawlers in email security products typically cannot solve the challenge, so they never reach the final destination and cannot evaluate it, while a human victim simply clicks through.

While evaluating destination URLs via hovering over links in an email is definitely a good security practice, threat actors are becoming wise to this and are taking steps such as those mentioned above to make it even more difficult to spot a malicious link.
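To make the mechanics concrete, here is an added example (not code from Microsoft's report or from KnowBe4) in Python's standard library: a redirect handler in its open form and in a hardened form, and a link check that follows URL-valued query parameters to the place a link really lands, which is exactly what a hover preview does not show. The host names, the parameter names and the sample link are assumptions constructed for the example; the sample models the trusted-site-to-CAPTCHA-to-phishing-page chain described above.

```python
# Open-redirect demo: a vulnerable redirect handler, its hardened form, and a
# link check that surfaces the destination a hover preview hides.
# Added example, not code from Microsoft's report or from KnowBe4; the host
# names, parameter names and sample link below are assumptions/constructed.
from urllib.parse import urlparse, parse_qs

# Assumed: the trusted site's own host, and query parameters that commonly
# carry a URL-valued redirect target.
TRUSTED_HOST = "trusted.example"
REDIRECT_PARAMS = ("url", "redirect", "next", "returnUrl", "u")


def vulnerable_redirect(request_url: str) -> str:
    """Vulnerable handler: returns whatever the 'url' parameter says, unvalidated.
    This is the open redirect a phishing link abuses: the email shows
    https://trusted.example/..., the browser ends up wherever 'url' points."""
    params = parse_qs(urlparse(request_url).query)
    return params.get("url", ["/"])[0]


def hardened_redirect(request_url: str, allowed_hosts=(TRUSTED_HOST,)) -> str:
    """Hardened handler: allow a same-site relative path or an absolute URL
    whose host is on an allowlist; anything else falls back to '/'."""
    target = parse_qs(urlparse(request_url).query).get("url", ["/"])[0]
    if "\\" in target:                      # browsers treat '\' as '/', urlparse does not
        return "/"
    parsed = urlparse(target)
    if not parsed.scheme and not parsed.netloc and target.startswith("/"):
        return target                       # '/account' passes; '//evil.example' has a netloc and fails
    if parsed.scheme in ("http", "https") and parsed.hostname in allowed_hosts:
        return target
    return "/"


def embedded_destination(link: str, max_hops: int = 5) -> str:
    """Follow URL-valued query parameters hop by hop (redirect -> CAPTCHA gate
    -> phishing page) and return the innermost URL, i.e. where the link
    really lands. A hover preview only ever shows the outermost one."""
    current = link
    for _ in range(max_hops):
        params = parse_qs(urlparse(current).query)   # parse_qs percent-decodes values
        next_hop = None
        for name in REDIRECT_PARAMS:
            for value in params.get(name, []):
                if urlparse(value).scheme in ("http", "https"):
                    next_hop = value
                    break
            if next_hop:
                break
        if next_hop is None:
            return current
        current = next_hop
    return current


def link_is_suspicious(link: str) -> bool:
    """True when the link's visible host differs from the host it ultimately
    delivers the user to, the tell-tale of an open-redirect phishing link."""
    final = embedded_destination(link)
    return final != link and urlparse(final).hostname != urlparse(link).hostname


# Constructed sample: trusted site -> CAPTCHA gate -> credential-harvesting page.
SAMPLE_LINK = (
    "https://trusted.example/redirect?url="
    "https%3A%2F%2Fcaptcha.example%2Fverify%3Fnext%3D"
    "https%253A%252F%252Fcredential-harvest.example%252Flogin"
)

if __name__ == "__main__":
    print("vulnerable handler sends user to:", vulnerable_redirect(SAMPLE_LINK))
    print("hardened handler sends user to:  ", hardened_redirect(SAMPLE_LINK))
    print("link really lands on:            ", embedded_destination(SAMPLE_LINK))
    print("suspicious:", link_is_suspicious(SAMPLE_LINK))
```

The hardened handler deliberately refuses protocol-relative targets (`//evil.example`) and anything containing a backslash, two of the classic ways an allowlist on the redirect parameter gets bypassed; the link check only inspects the URL string and never fetches anything, so it is safe to run over quarantined mail.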

Users should be taught via Security Awareness Training to be mindful of the message itself, not just its links: an unsolicited message deserves some distrust and scrutiny, and its legitimacy should be confirmed before any link in it, benign-looking or not, is clicked.

Blog post with links and screenshot:
[New PhishER Feature] Turn the Tables on the Cybercriminals With PhishFlip

Cybercriminals are always coming up with new, devious phishing techniques to trick your users. PhishFlip is a new PhishER feature that allows you to respond in real time and turn the tables on these threat actors. With PhishFlip, you can now immediately ‘flip’ a dangerous attack into an instant real-world training opportunity for your users.

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. You can now combine your existing PhishRIP email quarantine capability with the new PhishFlip feature, which automatically replaces an active phishing threat in your users’ mailboxes with a defanged look-alike.

The new PhishFlip feature is included in PhishER—yes you read that right, no extra cost— so now you can turn the tables on these threat actors and flip targeted phishing attacks into a simulated phishing test for all users. This new feature dramatically reduces data breach risk and the burden on your IT and InfoSec teams.

See how you can best manage your user-reported messages.

Join us TOMORROW, Wednesday, September 22 @ 2:00 PM (ET) for a live 30-minute demonstration of the PhishER product including our new PhishFlip feature. With PhishER you can:
  • NEW! Automatically flip active phishing attacks into safe simulated phishing campaigns with PhishFlip. You can even replace active phishing emails with safe look-alikes in your user’s inbox.
  • Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft 365 and G Suite
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: TOMORROW, Wednesday, September 22 @ 2:00 PM (ET)

Save My Spot!
New WSJ Article About Social Engineering: 'Blame it on the Lizard Brain'

This is a good article to send to your C-level execs with your request for new-school security awareness training budget.

People need to work to overcome their inherent biases in order to avoid falling for social engineering attacks, according to Heidi Mitchell at the Wall Street Journal.

“Criminals lure smart people into their traps by taking advantage of the unconscious, automatic processes that act as shortcuts to make our decision-making more efficient,” Mitchell explains. “These cognitive biases—arising from what’s often referred to as our ‘lizard brains’—can cause us to misinterpret information and make snap judgments that may be irrational or inaccurate.”

Professor Cleotilde “Coty” Gonzalez from Carnegie Mellon University told the Journal that criminals take advantage of human psychology to make their attacks more effective, explaining that “if something is presented as a loss, we are more willing to take a risk [to avoid it]; if it’s presented as a gain, we are OK with taking a safe option.”

As a result, people are more likely to fall for a scam that tells them they’re going to lose money, as opposed to one that offers to give them money.

Mitchell adds, “Or a scammer might send a message to your work email, claiming that there is a problem with an account at one of your corporate suppliers, and warning that your shipment—one that your boss is counting on—will be delayed unless you verify your account information in a link provided by them. The fake link leads to a fake website that looks like the real thing. By playing on your fear of losing access to your account, the scammer gets your credentials.”

Scammers also take advantage of authority bias and urgency bias to compel their victims to act. Authority bias can be seen in business email compromise (BEC) attacks, in which an attacker impersonates a person of authority within an organization and sends a request to a lower-level employee. Urgency bias is often tied into these attacks, and involves making the victim believe they must act quickly to fulfill a request.

New-school security awareness training can give your employees a healthy sense of suspicion so they can spot red flags associated with social engineering attacks.

The Wall Street Journal has the story (paywall):
Are Any of Your Users Exposed in a Data Breach?

Almost every day we learn about a new data breach. This creates a very important need to address disclosed breaches. Do you know which of your users has put your organization at risk?

KnowBe4’s Password Exposure Test (PET) is a complimentary IT security tool that allows you to run an in-depth analysis of your organization’s hidden exposure risk associated with your users.

PET makes it easy for you to identify users with exposed emails publicly available on the web and checks your Active Directory to see if they are using weak or compromised passwords that are part of a known data breach. PET then reports on any user accounts affected so you can take action immediately!

Here's how the Password Exposure Test works:
  • Checks to see if any of your organization’s email addresses have been part of a data breach
  • Tests against 10 types of weak password related threats associated with user accounts
  • Checks against breached or weak passwords currently in use in your Active Directory
  • Reports on the accounts affected and does not show/report on actual passwords
Get your results in a few minutes! You are probably not going to like what you see.

Find Your Weakness!
Business Email Compromise Scam Takes New Hampshire Town for $2.3 Million

Social engineering is at the heart of this attack, where scammers successfully tricked a town into redirecting not just one but several bank transfers.

Last month, the town of Peterborough, New Hampshire, put out a press release stating that in July it had been the victim of a Business Email Compromise (BEC) scam that tricked its finance department into changing the banking details on payments intended for the Contoocook Valley School District and for a general contractor, Beck and Bellucci.

Taking advantage of the “transparent nature of public sector work to identify the most valuable transactions and focus their actions on diverting those transfers," the cybercriminals were able to redirect funds to scammer-controlled bank accounts without raising any red flags with the town of Peterborough. It wasn’t until the ConVal School District called inquiring about their missing $1.2 million payment that the town was even aware of a problem.

As of the time of writing this article, the $2.3 million overall that was stolen had not been recovered.

This simple story shows how social engineering alone is sometimes all it takes to become a victim, and it is a stark warning that anyone involved with financial transactions should be taught to be vigilant when acting on emails. Through security awareness training, stories like this could become a thing of the past; all it takes is a single user recognizing that something is amiss, checking the sender's email address, or making a phone call to a known number to verify a change in banking details, rather than unknowingly going along with the fraudulent request.

Blog post with links:
Ransomware Hostage Rescue Manual

Free your files! Get the most informative and complete hostage rescue manual on ransomware.

This Ransomware Manual is packed with actionable info that you need to have to prevent infections, and what to do when you are hit with ransomware. You will also receive a Ransomware Attack Response Checklist and Ransomware Prevention Checklist.

You will learn more about:
  • What is Ransomware?
  • Am I Infected?
  • I’m Infected, Now What?
  • Protecting Yourself in the Future
  • Resources
Don’t be taken hostage by ransomware. Download your rescue manual now!

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

FUN DEPT: KnowBe4, OneLogin and Eskenzi PR go for World Record to spread security awareness during European Cybersecurity Awareness Month:

Quotes of the Week
"You can easily judge the character of a man by how he treats those who can do nothing for him."
- Johann Wolfgang von Goethe - Writer (1749-1832)

"Courage and perseverance have a magical talisman, before which difficulties disappear and obstacles vanish into air."
- John Quincy Adams - 6th President of the United States (from 1825 to 1829)

Thanks for reading CyberheistNews

Security News
Researchers Discover Vulnerability Used for Deception and 'SSID Stripping'

Researchers at AirEye have discovered a vulnerability in the way in which devices connect to wireless networks that could allow an attacker to trick a user into connecting to a malicious network. The method, dubbed “SSID Stripping,” enables attackers to create an Access Point (AP) that appears to have the exact same name as a legitimate network. The flaw affects Windows, iOS and macOS, Android, and Ubuntu.

“Since the attacker creates a rogue AP with a name that looks exactly like the known legitimate network name, users are more likely to fall prey to this attack,” the researchers write.

“Operating system vendors have put in place controls to prevent users from connecting to rogue APs displaying the same network name as legitimate networks. These controls mainly rely on the fact that the device is configured to use the same security measures, such as a certificate, every time it connects to a network name it already has in its memory. Thus, a device cannot connect to a rogue AP with the same network name since the rogue AP does not require the same security measures.”

The vulnerability stems from the fact that certain characters aren’t displayed in the name of the network shown on the device.

“We found out that many special characters are simply omitted from the actual display (especially those considered ‘non-printable’ characters),” the researchers explain. “For example, the NULL byte when introduced into a network name is not part of the display on Android phones. A network name of the form ‘aireye_network’ would be displayed exactly the same as ‘aireye_network.’

The same holds true for Ubuntu machines when handling a NULL byte. Other ‘non-printable’ characters have similar effects on iPhone and Mac devices. For example, the network name ‘aireye_x1cnetwork’ (with x1c representing a byte with the value 0x1C hex), is displayed exactly the same as ‘aireye_network.’”

“SSID Stripping bypasses these security controls since the device itself processes the network names as they actually are, not as they are displayed,” the researchers add. “Hence, the devices do not consider the rogue AP to have the same name as the legitimate network.”
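The gap the researchers describe is between two identities for the same network: the rendered name the user compares by eye and the raw bytes the operating system compares when deciding whether a saved profile applies. The following added example (not AirEye's tool, and not code from the page) makes that gap visible in Python: it approximates the display rule the researchers report, dropping control characters such as NUL and 0x1C, and flags scanned SSIDs that render identically to a saved network while differing in raw bytes. The scan results are constructed for the example.

```python
# SSID stripping check: compare scanned network names to a saved network both
# by display form (what the user sees) and by raw bytes (what the OS matches on).
# Added example, not AirEye's tool; the display rule approximates the behaviour
# the researchers describe, and the scan results below are constructed.
import unicodedata


def display_name(ssid: bytes) -> str:
    """Approximate what a typical UI shows for an SSID: decode as UTF-8 and drop
    control characters such as NUL (0x00) and FS (0x1C), which the researchers
    report Android, Ubuntu, iOS and macOS omit from the rendered name."""
    text = ssid.decode("utf-8", errors="replace")
    return "".join(ch for ch in text if unicodedata.category(ch) not in ("Cc", "Cf"))


def same_network(a: bytes, b: bytes) -> bool:
    """What the OS does: byte-for-byte comparison. A stripped look-alike is a
    different network here, so the saved profile's security settings never apply."""
    return a == b


def lookalike_ssids(saved: bytes, scan: list) -> list:
    """SSIDs from a scan that render identically to the saved network but are
    not byte-identical to it: the rogue APs a user cannot tell apart by name."""
    target = display_name(saved)
    return [s for s in scan if not same_network(s, saved) and display_name(s) == target]


# Constructed scan: the real network, two stripped look-alikes, and two unrelated names.
SAVED = b"aireye_network"
SCAN = [
    b"aireye_network",
    b"aireye_\x00network",   # NUL byte, dropped from the display on Android/Ubuntu
    b"aireye_\x1cnetwork",   # 0x1C, dropped from the display on iPhone/Mac
    b"aireye_network2",
    b"guest",
]

if __name__ == "__main__":
    for ssid in lookalike_ssids(SAVED, SCAN):
        print(f"displayed as {display_name(ssid)!r}, raw bytes {ssid.hex()}")
```

The practical check is the last loop: any network whose displayed name collides with a saved profile but whose raw bytes differ is one the OS will happily treat as new, with none of the saved profile's certificate or passphrase requirements, and it is the raw hex, not the rendered name, that tells them apart.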

Blog post with link to full story, in-depth tech background and free tool to check for this vuln:
Social Media as Artillery Preparation for Spear Phishing

Researchers at ESTsecurity warn that a North Korean threat actor known as “Kumsong 121” is using compromised social media accounts to launch spear phishing attacks, the Daily NK reports. The attackers use the hacked accounts to target the victims’ acquaintances.

“After hacking an individual’s social media account, the attackers chose additional targets from the victim’s social media friends,” the Daily NK says. “The hackers lowered the guard of the target and earned their friendship by sending chat messages with friendly greetings and ordinary topics of interest or gossip.

The attackers then sent an infected document file to the target through email by soliciting advice on a column related to North Korean affairs they claimed to have recently written.” If the user opens the Word document and enables macros, their computer will be infected with malware.

The researchers note that the threat actor is also distributing mobile malware to target Android phones via malicious APK files. “If victims install an infected Android package created by the hackers, much of their private information gets leaked, including the address books, text messages, phone records, location information, sound recordings and photos saved on their phones,” the Daily NK says.

Mun Chong Hyun, the head of the ESTsecurity Security Response Center, told the Daily NK that the threat actor has successfully compromised the phones of “well-known figures, including a certain South Korean lawmaker.”

“In particular, they often use mobile phones or email to contact you, pretending to be an acquaintance or industry expert,” he said. “When sent .apk or .doc files, the safest thing is to directly call the sender and confirm whether they are legit.”

Users should of course never enable macros in a Word document unless they’re absolutely certain the document is safe. New-school security awareness training can enable your employees to thwart targeted social engineering attacks.

The Daily NK has the story:
What KnowBe4 Customers Say

"Hi Stu, earlier this year, we were offered [redacted] security training and phishing simulation package as part of our bundle of email security services with them. When I joined our company in May 2021, I realized we had essentially two tools that are supposed to achieve the same goal: security awareness and training.

I was sharing with DavidG, my KB4 CSM, how the level of support, advice and mentorship he has provided to get us off the ground with KB4, completely surpasses [redacted] comparable offering and how I will be removing their service from our portfolio when renewals come up. He suggested that you may be interested in this positive feedback as well.

I continue to be thoroughly impressed and amazed by how easy David has made it for us to launch KB4 as the tool of choice for our end user security training and phishing simulations. It’s all the follow-up calls I’ve had with him, that have made this purchase both successful and meaningful to us as we are a small IT organization; David helped make our security awareness training launch a complete success!

Kudos to your leadership team for making sure that we have the robust level of after-sales support that David and others like him are providing to your customers. I look forward to the continued partnership with KB4 and am extremely happy to have selected your product for our end-user training and security awareness needs."
- T.V., Sr. Manager, IT Infrastructure & Security
The 10 Interesting News Items This Week
    1. WSJ: "U.S. to Target Crypto Ransomware Payments With Sanctions"
    2. You may have missed this. Colonial Pipeline Ransomware Attack: Stealing a Single VPN Password Allowed Hackers to Infiltrate System
    3. U.S. Cyber Czar: Too soon to tell if Russia ransomware has stopped
    4. [NEW FEATURE] Admins Can Save and Schedule KnowBe4 Reports to Automatically Send on a Recurring Basis
    5. Executives' Ransomware Concerns Are High, But Few Are Prepared for Such Attacks
    6. Suffolk IT Supervisor Arrested for Allegedly Mining Bitcoin (with 46 devices!) at County Offices
    7. Former U.S. intel operatives to pay $1.6M for hacking for foreign govt
    8. Ransomware gang threatens to wipe decryption key if negotiator hired
    9. REvil ransomware is back in full attack mode and leaking data
    10. FBI and CISA warn of state hackers exploiting critical Zoho bug
Copyright © 2014-2021 KnowBe4, Inc. All rights reserved.
