CyberheistNews Vol 11 #46 Phishing Emails Use Small Font Size To Bypass Security Filters


Researchers at Avanan have spotted phishing emails that use a font size of one to fool email security scanners. The emails appear to be password expiration notifications from Microsoft 365. The attackers have inserted benign links that are invisible to the human eye, but trick security scanners into viewing the email as a legitimate marketing email.

“In this attack, hackers utilize a number of obfuscation techniques to get a credential harvesting page through to the inbox,” the researchers write. “First, all links are hidden within the CSS. This confuses natural language filters. Natural language filters see random text; human readers see what the attackers want them to see. In addition, hackers put links within the <font> tag, and brought the font size down to one. This breaks semantic analysis, which leads many solutions to treat it as a marketing email, as opposed to phishing. Beyond that, there are invalid parameters, as the ‘Padding Left’ is set to ‘;’ further confusing scanners.”
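The two tells Avanan describes above, links wrapped in a size-1 font and a malformed CSS declaration, are straightforward to check for on the receiving side. The scanner below is an added example written for this newsletter, not Avanan's or KnowBe4's code. It walks an HTML e-mail body with Python's standard-library parser, records every link that sits inside text a human cannot read, and flags declarations whose value is empty (such as `padding-left: ;`). It generalizes slightly beyond the write-up by also treating an inline `font-size` of a few pixels as tiny; the threshold `TINY_FONT_PX`, the helper names and both sample messages are constructed for the example.

```python
"""Flag HTML e-mail bodies that hide links in near-invisible text.

Added example, not Avanan's or KnowBe4's code. It looks for two tricks from
the Avanan write-up: links wrapped in <font size="1"> (or an inline style with
a tiny font-size) and malformed CSS declarations such as 'padding-left: ;'.
Both sample messages below are constructed for this example.
"""
from html.parser import HTMLParser
import re

TINY_FONT_PX = 4  # assumption: text at or below this size is unreadable to a human

# Elements that never have a closing tag, so they must not touch the tag stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}

_FONT_SIZE_RE = re.compile(r"font-size\s*:\s*([0-9.]+)\s*([a-z%]*)", re.I)
_EMPTY_DECL_RE = re.compile(r"([a-z-]+)\s*:\s*;", re.I)   # e.g. "padding-left: ;"


def _is_tiny(attrs):
    """True if the tag renders its text at an unreadable size."""
    size = (attrs.get("size") or "").strip()          # legacy <font size="1">
    if size.isdigit() and int(size) <= 1:
        return True
    m = _FONT_SIZE_RE.search(attrs.get("style") or "")
    if not m or m.group(2).lower() not in ("", "px", "pt"):
        return False                                   # em/%/rem: not judged here
    return float(m.group(1)) <= TINY_FONT_PX


class HiddenLinkScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self._stack = []            # one bool per open tag: did it start tiny text?
        self._tiny_depth = 0        # >0 while inside at least one tiny-text tag
        self.hidden_links = []      # hrefs a human would not see
        self.visible_links = []
        self.invalid_css = []       # (tag, property) for empty declarations
        self.hidden_text_chars = 0  # non-whitespace characters rendered tiny

    def _inspect(self, tag, attrs):
        a = dict(attrs)
        for m in _EMPTY_DECL_RE.finditer(a.get("style") or ""):
            self.invalid_css.append((tag, m.group(1).lower()))
        if tag == "a" and a.get("href"):
            target = self.hidden_links if self._tiny_depth else self.visible_links
            target.append(a["href"])
        return _is_tiny(a)

    def handle_starttag(self, tag, attrs):
        tiny = self._inspect(tag, attrs)
        if tag in VOID_TAGS:
            return
        self._stack.append(tiny)
        if tiny:
            self._tiny_depth += 1

    def handle_startendtag(self, tag, attrs):   # <br/> style: nothing to pop later
        self._inspect(tag, attrs)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self._stack:
            return
        if self._stack.pop():
            self._tiny_depth -= 1

    def handle_data(self, data):
        if self._tiny_depth:
            self.hidden_text_chars += len("".join(data.split()))


def scan_email_html(html):
    """Return the scanner's findings plus a simple suspicious/not verdict."""
    p = HiddenLinkScanner()
    p.feed(html)
    p.close()
    return {
        "hidden_links": p.hidden_links,
        "visible_links": p.visible_links,
        "invalid_css": p.invalid_css,
        "hidden_text_chars": p.hidden_text_chars,
        "suspicious": bool(p.hidden_links or p.invalid_css),
    }


# Constructed sample shaped like the lure described above (not a real message).
CONSTRUCTED_PHISH = """<html><body>
<p style="font-family:Arial">Notification for Password 365. Access To Your Email will be Expired.</p>
<p><a href="https://login.example.invalid/reset">Keep same password</a></p>
<font size="1"><a href="https://example.com/unsubscribe">unsubscribe</a>
<a href="https://example.com/privacy">privacy</a></font>
<span style="padding-left: ;font-size:1px">newsletter preferences</span>
</body></html>"""

# Constructed benign newsletter: small but readable footer text, nothing hidden.
CONSTRUCTED_BENIGN = """<html><body>
<p>Your weekly digest is ready.</p>
<p><a href="https://example.com/digest">Read it here</a></p>
<p style="font-size:11px">You received this because you subscribed.</p>
</body></html>"""

if __name__ == "__main__":
    for name, body in (("phish", CONSTRUCTED_PHISH), ("benign", CONSTRUCTED_BENIGN)):
        print(name, scan_email_html(body))
```

The verdict is deliberately coarse: a single hidden link or one empty declaration is enough to route the message for review, because legitimate marketing mail has no reason to shrink links below readability. In a real pipeline the findings would feed a scoring rule alongside the usual sender and URL reputation checks rather than decide on their own.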

Avanan concludes that the phishing emails themselves appear suspicious, so a trained user would be able to spot them as malicious. The emails simply state, “Notification for Password 365. Access To Your Email will be Expired.”

“To the end-user, this email looks like a standard request from their IT department,” the researchers write. “The email is designed to fool both Natural Language Processing and human eyes. For a user to spot this attack, they should rely on their phishing training. They should notice the stilted grammar, such as ‘Notification Microsoft 365’ as a red flag. They should also ask their own IT department before resetting any passwords.”

Thus, insecurity by obscurity. Attackers are constantly coming up with new ways to bypass email security filters. New-school security awareness training can give your employees a healthy level of skepticism so they can avoid falling for social engineering attacks.

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, December 1 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at new features and see how easy it is to train and phish your users.
  • NEW! AI-Driven phishing and training recommendations based on your users' phishing and training history
  • NEW! Brandable Content feature gives you the option to add branded custom content to select training modules
  • NEW! Security Awareness Proficiency Assessment Benchmarks let you compare your organization’s proficiency scores with other companies in your industry
  • Did You Know? You can upload your own SCORM training modules into your account for home workers
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes
Find out how 40,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, December 1 @ 2:00 PM (ET)

Malicious Retail Phishing Sites Spike Ahead of Shopping Holidays

Researchers at Check Point have observed a record number of malicious phishing shopping websites that have been set up over the past two months. The researchers assume these sites were registered in anticipation of Black Friday and Cyber Monday in the US, Singles' Day in China, and Click Frenzy in Australia.

“Since the beginning of October 2021, CPR researchers witnessed the highest amount of malicious websites related to shopping and sales offers,” Check Point says. “On average, over 5300 different websites per week were spotted, marking a 178% increase, compared to the average in 2021, thus far.”

Check Point offers the following advice to help people avoid falling for these attacks:
  • “Always shop from an authentic, reliable source. Do not click on promotional links you get over email or social media. Proactively Google search your desired retail or brand
  • “Be attentive for lookalike domains. You should notice spelling accuracy in emails or websites, and note unfamiliar email senders or peculiar email addresses you receive promotions from
  • “Too good to happen shopping offers are indeed too good to happen. A new iPad will NOT go on an 80% discount this season, unfortunately.”
The researchers add that people should always be suspicious of unexpected password reset emails. “Always be attentive to password reset emails, especially when volumes of traffic online are at a peak, like the November shopping season,” Check Point says. “If you receive an uninvited password reset email, always visit the website directly (don’t click on embedded links) and change your password to something different on that site.

Not knowing your password is, of course, the problem that cybercriminals face when trying to gain access to your online accounts. By sending a fake password reset email that directs you to a lookalike phishing site, they can convince you to type in your account credentials and send those to them.”

See How You Can Get Audits Done In Half The Time, Half The Cost And Half The Stress

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us Wednesday, December 1 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we've added to make managing your compliance projects even easier!
  • NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your requirements for frameworks such as CMMC, GDPR, HIPAA, NIST, PCI, SSAE 18, and more
  • Vet, manage and monitor your third-party vendors' security risk requirements
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30
  • Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulations
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due
Date/Time: Wednesday, December 1 @ 1:00 PM (ET)

"Fake Ransomware" as a Form of Social Engineering

Attackers are exploiting a vulnerability in a WordPress plugin to deface several hundred websites with phony warnings of ransomware, the Record reports. Researchers at Sucuri found that around three hundred WordPress sites displayed the text “SITE ENCRYPTED” followed by “FOR RESTORE SEND 0.1 BITCOIN.” (A Google search for this text shows that many sites are still affected.)

The researchers note that 0.1 Bitcoin is currently worth about $6,000, which is low enough that a small business might consider paying it if they thought their website had been encrypted. The Record says that no one has paid the ransom yet, which is probably due to the fact that the ransom note only appears on a few pages of the website.

The attackers used a vulnerability in the legitimate business directory listing plugin Directorist. “In checking the access logs for the website it was easy enough to determine the IP address responsible,” Sucuri says. “Our client was located in the southern United States, however we saw quite a few requests from a foreign IP address which was interacting with the directorist plugin using the plugin editor feature of wp-admin.

This suggests that the legitimate plugin was already installed on the website and later tampered with by the attackers.” In the case that Sucuri examined, the researchers note that the attacker had access to the site’s administrative password.

“Interestingly, the very first request that we saw from the attacker IP address was from the wp-admin panel, suggesting that they had already established administrator access to the website before they began their shenanigans,” the researchers write.

“Whether they had brute forced the admin password using another IP address or had acquired the already-compromised login from the black market is anybody’s guess.”

New-school security awareness training can enable your employees to remain level-headed when they encounter social engineering attacks.

You Can Now Binge-watch The Inside Man Season 3

Looking for some binge-worthy watching? We've got just what you're looking for.

The Inside Man is an award-winning KnowBe4 Original Series that delivers security awareness principles embedded in each episode that teach your users key cybersecurity best practices and makes learning how to make smarter security decisions fun and engaging.

From social engineering, insider threats and physical security, to vishing and deepfakes: 'The Inside Man' reveals how easy it can be for an outsider to penetrate your organization’s security controls and network.

The Story So Far... Six months after his transformation from undercover hacker to company defender, Mark Shepherd, our flawed hero from Season 1, struggles to keep his past a secret as he forges new relationships to thwart an elusive threat to the company's latest acquisition, while at the same time navigating a budding romance in Season 2, and delivering a cliff-hanger ending.

Season 3 reunites Mark and his newly-fledged team at 'Good Shepherd Security' to take flight into the world of security consulting and penetration testing. They've been commissioned by an international bank to do something that pushes both the limits of legality and their skill-set. They need to recruit new blood to help - but who can they trust?

The answer will set Mark, the ‘Inside Man’ himself on the emotional journey of a lifetime.


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: "Don’t come to me with a ‘solution’. Come to me with my problem. Show that you understand it."
- Listening in on a CISO forum

Quotes of the Week
"Do something wonderful, people may imitate it."
- Albert Schweitzer, Humanitarian (1875 - 1965)

"The best way out is always through."
- Robert Frost, Poet (1874 - 1963)

Thanks for reading CyberheistNews

Security News
Microsoft Exchange Server Flaws Now Exploited for BEC Attacks

Threat actors are using a couple of dangerous, new tactics to exploit the so-called ProxyShell set of vulnerabilities in on-premises Exchange Servers that Microsoft patched earlier this year — and were the targets of widespread attacks in July.

In multiple recent incident response engagements, Mandiant researchers found attackers had abused ProxyShell to drop Web shells on vulnerable systems in a different — and more difficult to detect — manner than used in previous attacks. In some attacks, threat actors skipped Web shells entirely and instead created their own hidden, privileged mailboxes, giving them the ability to take over accounts and create other problems.

As many as 30,000 Internet-facing Exchange Servers remain vulnerable to these attacks because they have not been patched, Mandiant said.

Trends in Cybercrime Report Phishing, Non-Payment Scams, and Extortion

Social engineering attacks account for the vast majority of cybercrime in the US, according to researchers at SEON. The security firm found that phishing, non-payment or non-delivery scams, and extortion made up 58% of reported cybercrime.

“The most common type of cybercrime in the US is phishing and pharming, which accounted for 32.96% of all reported cybercrime in the country in 2020,” SEON says. “Phishing and pharming refer to the fraudulent practice of luring people into revealing personal information, such as passwords, login details and credit card numbers.”

Non-payment and non-delivery scams accounted for just under 15% of cybercrime.

“The second most common type of cybercrime was non-payment and non-delivery, which was reported 108,869 times and made up 14.87% of cybercrimes,” the researchers write. “Non-payment refers to a buyer not paying for goods or services received, while non-delivery refers to the failure to deliver goods or services that have been paid for.”

Ransomware was the most common form of extortion. This malware usually gains access via a phishing attack or through a technical vulnerability like an exposed RDP port.

“Extortion is the third most common form of cybercrime, with 76,741 reported incidents in 2020, which reflect 10.48% of all cybercrime in the USA,” the researchers write. “Extortion comes in several forms, with the most common being the use of ransomware to seize access to your files and devices, followed by a demand for money, cryptocurrency, gift cards or any other form of payment.”

SEON concludes that companies should ensure that they have mitigations in place and ready-to-use to minimize the likelihood of these attacks succeeding. “Whether involved in ecommerce fraud or credit card fraud, these criminals now have a plethora of tools at their disposal to trick you into handing over your money,” SEON says.

“This puts both consumers and businesses at risk when conducting transactions online, with fraudsters counting both as fair targets. Ecommerce retailers now experience an average of 206,000 web attacks per month, with 42% of businesses saying that digital fraud hampers innovation and expansion into new channels.

Yet, despite this, only 34% of companies are investing in fraud prevention and mitigation.” New-school security awareness training can give your organization an essential layer of defense by teaching your employees how to recognize social engineering tactics.

What KnowBe4 Customers Say

"Hello, I just want to take a moment of your time to give you some feedback on JessicaC. I am the Service Desk Specialist here and I have had the pleasure of working with Jessica for well over a year now.

I have found her assistance in getting my knowledge of KnowBe4 to be above reproach. She has helped me time after time in getting campaigns created and started, even when I seem to ask the same questions over and over again. She has been a VALUABLE go to person for me.

She has answered every email or phone call that I have ever placed to her. Many times within mins of me sending it. She is always polite and very professional when speaking on the phone. When she is giving phone support it almost feels like she is watching what I am doing. Her knowledge of the site and of KnowBe4 is amazing.

Thank you for receiving this feedback for her. I just find her an awesome person to talk with and understand. Thank you."
- H.R., Service Desk Specialist

"This morning I was able to sign up KnowBe4 as our cybertraining platform! I could not be more pleased with my experience so far – I had to ask Mike for a way to give him a positive review.

I signed up for a sales contact on Monday and within minutes Mike reached out to me with a demo and presentation. He listened to my specific needs and tailored the presentation for me which expedited the discussion and allowed us to target the vulnerabilities.

On Wednesday, we were hit with CEO fraud that one user clicked into. Mike went above and beyond by assisting with that situation, running tests on our exchange settings and suggesting improvements.

As you can see by the email chain below, Mike immediately replied to all the questions I had and was eager to help. We are just beginning the implementation phase, but I have to say that I am very excited to work with you guys if everyone is as skilled as Mike.

Post implementation, I’ll be happy to provide a positive review on whichever platform you feel would most help."
- N.M., Technology Director
The 10 Interesting News Items This Week
    1. Ransomware gangs are now rich enough to buy zero-day flaws, say researchers
    2. Four Things Your CISO Wants Your Board to Know
    3. US regulators order banks to report cyberattacks within 3 days
    4. Emotet, once the world's most dangerous malware, is back
    5. CISA issues cybersecurity incident, vulnerability response playbooks for federal agencies
    6. Microsoft adds AI-driven ransomware protection to Defender
    7. Belarus Linked to Big European Disinformation Campaign
    8. Evil Corp: 'My hunt for the world's most wanted hackers'
    9. Insurers run from ransomware cover as losses mount
    10. College for cyber criminals: Dark web crooks are teaching courses on how to build botnets
Copyright © 2014-2021 KnowBe4, Inc. All rights reserved.
