CyberheistNews Vol 11 #48 [Heads Up] Morgan Stanley Warns Against Recent “Brushing Scam”

Morgan Stanley has outlined several common scams everyone should be on the lookout for during the holiday season. The first involves phony delivery notifications. These scams are common year-round, but they’re particularly relevant during the holidays.

“A popular scam involves receiving a text or email that asks you to click on a link for a number of phony reasons, such as to get an update about the delivery date, track the package location, give your payment preferences, provide delivery instructions or pay a shipping fee,” Morgan Stanley says.

“You may also be given a phone number to call for more information about your delivery. Since fraudsters want you to act without thinking, they may convey a sense of urgency in their message. While some of these communications are obviously fraudulent—perhaps containing multiple misspellings or other errors—many are carefully crafted, even replicating a shipping company’s logo or email format in some cases.”

Brushing Scams

Morgan Stanley also describes “brushing,” which is a way for scammers or dishonest sellers to boost their products with phony positive reviews.

“You’ll receive a package you didn’t order bought from an online marketplace that allows customers to post reviews of their purchase,” Morgan Stanley says. “The item is typically cheap and lightweight. Since it’s the holiday season, you might think it’s just a gift from a stranger looking to pay it forward.

In reality, it’s likely from someone who sells products on online marketplaces who wants to create fake, positive reviews. But, in order to post a review, the marketplace requires that a transaction be verified with a legitimate tracking number that shows a successful delivery. And that’s where your mystery package comes into play. That purchase creates a tracking number.

So, after the package is delivered, your fake gift giver can write the review.” New-school security awareness training helps your employees to recognize these types of scams.

Blog post with links:
https://blog.knowbe4.com/morgan-stanley-warns-against-brushing-scam

[TOMORROW] Kevin Mitnick Presents When Cybercriminals Hide in Plain Sight: Hacking Platforms You Know and Trust

Today’s hackers are concealing their attacks in places you wouldn’t expect… utilizing tools your users know and trust to deliver their malicious payloads. From hijacked single sign-on apps, to weaponized calendar invites, and even malicious office printers, you’ll learn why trusted tools just aren’t as trustworthy as your end users believe.

In this exclusive webinar Kevin Mitnick, KnowBe4’s Chief Hacking Officer and The World’s Most Famous Hacker, and Perry Carpenter, KnowBe4’s Chief Evangelist & Strategy Officer, show you why your users should think twice before trusting even the most established platforms.

In this webinar they’ll share:
  • Why you shouldn’t always trust legitimate providers like Microsoft Teams
  • How something as innocuous as an office printer can be weaponized
  • Why pre-texting bots may be your organization’s biggest threat
  • Kevin’s top three tips for preventing cyber attacks
  • Eye-opening hacking demos you won't want to miss
See the dangers lurking behind these seemingly innocent actions for yourself. And earn CPE credit for attending!

Date/Time: TOMORROW, Wednesday, December 8 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3545187/26BE4D26544A2C533782A5B93E452ED3?partnerref=CHN2

Ingenious New Attack Technique Uses Windows Store to Install Malware

Just when you thought threat actors couldn’t find another way to launch a dropper, a new method has surfaced that takes advantage of native functionality found in Windows 10.

If you’ve been following phishing attacks at all over the last few years, you’re very aware of threat actors using methods like Office app macros to launch a malware dropper or installer, or leveraging a PDF to run a script, etc.

But a new technique has been identified by security researchers at Sophos that invokes the Windows App Installer from within Windows 10 to be the catalyst for infecting a machine with malware.

According to Sophos, the email targeted Sophos employees purporting to be from another Sophos employee, linking to a PDF within the email asking “Why didn’t you inform us about the Customer Complaint on you?” and requesting that the recipient call them back now. Because there is no phone number to call, the logical next step is to click the link and see the complaint.

The link takes victims to a windows[dot]net site with a “Preview PDF” button and, when that is clicked, the really tricky part starts. As pointed out in the screenshot in the blog post, the preview button carries a link that begins with ms-appinstaller: — a URI scheme handled by the Windows Store’s AppInstaller[dot]exe, which will download and run whatever package sits at the other end of that link.

Simply brilliant.

The installer is made to look like an Adobe PDF “component” in the hopes that users will see it as being benign (and that, possibly, the downloading of the complaint “PDF” simply triggered an update, etc.). What’s actually installed is the BazarBackdoor malware.

This is a pretty ingenious way to trick users into installing malware on a few fronts. It seems the cybercriminals are stepping up their game – which means you need to as well with security awareness training to educate users to not engage such emails in the first place; anything unexpected should be interpreted as being potentially hostile.

Blog post with links and screenshot:
https://blog.knowbe4.com/ingenious-new-attack-technique-uses-windows-store-to-install-malware

[New PhishER Feature] Turn the Tables on the Cybercriminals with PhishFlip

Cybercriminals are always coming up with new, devious phishing techniques to trick your users. PhishFlip is a new PhishER feature that allows you to respond in real time and turn the tables on these threat actors. With PhishFlip, you can now immediately "flip" a dangerous attack into an instant real-world training opportunity for your users.

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. You can now combine your existing PhishRIP email quarantine capability with the new PhishFlip feature, which automatically replaces active phishing threats with a new defanged look-alike back into your users’ mailbox.

The new PhishFlip feature is included in PhishER—yes, you read that right, no extra cost—so now you can turn the tables on these threat actors and flip targeted phishing attacks into a simulated phishing test for all users. This new feature dramatically reduces data breach risk and the burden on your IT and InfoSec teams.

See how you can best manage your user-reported messages.

Join us Wednesday, December 15 @ 2:00 PM (ET) for a live 30-minute demo of the PhishER product including our new PhishFlip feature. With PhishER you can:
  • NEW! Automatically flip active phishing attacks into safe simulated phishing campaigns with PhishFlip. You can even replace active phishing emails with safe look-alikes in your user’s inbox
  • Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft 365 and G Suite
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: Wednesday, December 15 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3458588/1797AEC9B908F8903F3DAEFAA59E2B76?partnerref=CHN

Phishing Reported in IKEA’s Internal Email System

IKEA has been working to contain a continuing phishing campaign that’s afflicting the furniture and houseware chain’s internal email system. BleepingComputer describes it as a “reply-chain email attack.” This form of attack is unusual but not unknown. The attackers obtain a legitimate corporate email and reply to it.

“As the reply-chain emails are legitimate emails from a company,” they explain, “and are commonly sent from compromised email accounts and internal servers, recipients will trust the email and be more likely to open the malicious documents.”

"There is an ongoing cyber-attack that is targeting Inter IKEA mailboxes. Other IKEA organisations, suppliers, and business partners are compromised by the same attack and are further spreading malicious emails to persons in Inter IKEA," explained an internal email sent to IKEA employees and seen by BleepingComputer.

"This means that the attack can come via email from someone that you work with, from any external organization, and as a reply to an already ongoing conversations. It is therefore difficult to detect, for which we ask you to be extra cautious."

The malicious emails have tended to trip filters designed to quarantine threats. But they’re convincing enough to induce employees to release them, quite innocently, from quarantine. IKEA is taking steps to preclude that possibility. IKEA has explained this to the retailer’s employees:

"Our email filters can identify some of the malicious emails and quarantine them. Due to that the email could be a reply to an ongoing conversation, it's easy to think that the email filter made a mistake and release the email from quarantine. We are therefore until further notice disabling the possibility for everyone to release emails from quarantine."

As is usually the case, a trained and well-informed employee seems to be the last line of defense. The malicious reply-chain emails do carry certain marks that might alert employees to the possibility they’re being subjected to phishing, and IKEA is working to raise awareness of those marks. For one thing, the links the phishing emails contain end with seven digits.

How the attackers have succeeded in compromising the email accounts isn’t clear. In other cases attackers have exploited the ProxyShell and ProxyLogon vulnerabilities to compromise Microsoft Exchange servers. IKEA has been tight-lipped about the incident, and it’s unknown whether the company’s internal servers were compromised.

New-school security awareness training can help your employees become alert to the threat posed by reply-chain attacks.
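The two items above each name a concrete indicator that a mail-filtering or triage team can look for: a link beginning with the ms-appinstaller: URI scheme (the Sophos case) and a link whose path ends in seven digits (the marker IKEA told its employees about). The script below is an added example written for this newsletter; it is not code from Sophos, IKEA, BleepingComputer or KnowBe4. It extracts links from an email body and flags those that match either indicator. The sample emails, the domains (all under .invalid) and the package name are constructed for the demonstration, and the heuristics themselves are an assumption: a seven-digit suffix will also match legitimate order or ticket numbers, so treat hits as a reason to hold a message for review rather than as proof of phishing.

```python
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Optional

# Indicators taken from the two news items; the exact rule shapes are assumptions.
APPINSTALLER_SCHEME = "ms-appinstaller:"
SEVEN_DIGIT_TAIL = re.compile(r"\d{7}$")
# Bare http(s) URLs or ms-appinstaller: URIs sitting in plain text.
BARE_LINK = re.compile(r"(?:https?://|ms-appinstaller:)[^\s\"'<>]+", re.IGNORECASE)


@dataclass
class Finding:
    url: str
    reason: str


class _LinkExtractor(HTMLParser):
    """Collects href values from <a> tags in an HTML email body."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value.strip())


def extract_links(body: str) -> List[str]:
    """Return every distinct link in an email body, from <a href> and bare text."""
    parser = _LinkExtractor()
    parser.feed(body)
    seen, links = set(), []
    for link in parser.hrefs + BARE_LINK.findall(body):
        if link not in seen:
            seen.add(link)
            links.append(link)
    return links


def classify_link(url: str) -> Optional[str]:
    """Return a reason string if the link matches an indicator, else None."""
    low = url.lower()
    if low.startswith(APPINSTALLER_SCHEME):
        return "ms-appinstaller: URI (App Installer protocol handler)"
    if low.startswith(("http://", "https://")):
        # Strip query string and fragment, then look at the end of the path.
        path = url.split("?", 1)[0].split("#", 1)[0].rstrip("/")
        if SEVEN_DIGIT_TAIL.search(path):
            return "link path ends in seven digits"
    return None


def scan_email(body: str) -> List[Finding]:
    """Flag links in one email body that match either indicator."""
    return [Finding(link, reason)
            for link in extract_links(body)
            for reason in [classify_link(link)] if reason]


# Constructed sample messages; domains are reserved .invalid names.
SAMPLE_EMAILS = {
    "pdf_preview": (
        "<p>Why didn't you inform us about the Customer Complaint?</p>"
        '<a href="ms-appinstaller:?source=https://storage.example.invalid/'
        'AdobePdfComponent.appinstaller">Preview PDF</a>'
    ),
    "reply_chain": (
        "RE: RE: delivery schedule\n"
        "Updated file here: https://docs.example.invalid/share/1234567\n"
    ),
    "benign": '<a href="https://www.example.invalid/orders/status?id=42">Track order</a>',
}

if __name__ == "__main__":
    for name, body in SAMPLE_EMAILS.items():
        hits = scan_email(body)
        print(f"{name}: {'HOLD' if hits else 'ok'}")
        for hit in hits:
            print(f"  {hit.reason}: {hit.url}")
```

Running the script holds the first two samples and passes the third. In practice the same `classify_link` check can be applied to the URLs your secure email gateway already logs, which makes the ms-appinstaller: rule cheap to deploy even if you decide the seven-digit rule is too noisy for your environment.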

Blog post with links:
https://blog.knowbe4.com/phishing-reported-in-ikeas-internal-email-system

Conducting Data Protection Impact Assessments on Your Cloud Environments

Whether you're creating a new product, going through mergers & acquisitions, or significantly changing a process in your organization, new processing activities can present high risk. As the slew of cloud data breaches shows, no environment is safe. It’s becoming increasingly difficult for privacy teams to keep up with new technologies and ensure data is adequately secured and protected.

One way to reduce security/privacy risk is to conduct a data protection impact assessment. Not only will this assessment help you reduce business risk, but it also helps identify new processes in your organization to maintain compliance with GDPR, LGPD and other global privacy laws.

Join Lecio DePaula, KnowBe4’s VP of Data Protection for this webinar to hear about creating a robust data protection impact assessment to analyze new processes, workflows, and products to identify problems before they happen.

In this webinar you’ll learn:
  • Best practices for conducting a robust DPIA on your cloud environments
  • The privacy and security risks of operating in the cloud
  • How conducting a DPIA aligns with global privacy requirements
  • Common DPIA mistakes and how to avoid them
  • Tools that help manage and streamline your DPIA process
Gain the insight you need to create a robust data protection impact assessment.

And earn CPE credit for attending!

Date/Time: TOMORROW, Wednesday, December 8 @ 1:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3539794/83964E4AACF29CB65F0FBEA2AACC8A40?partnerref=CHN

Bitcoin Scam Videos on Instagram are Part of an Elaborate Account Takeover Scam

This elaborate scam uses social engineering to trick victims into sending the hacker Bitcoin while holding Instagram accounts hostage.

It’s an interesting use of hacking skills. According to a recent story on Motherboard, hackers are taking over Instagram accounts using spoofed Instagram logon pages and promising to release the hostage account to its owner if they create a video promoting a bitcoin scam in which the Instagram victim states they “invested” in bitcoin and are getting amazing returns on their investment.

Instead of releasing the account, the hackers share the video in an attempt to get account followers to send the hacker Bitcoin (with no return on their “investment”, of course).

We’ve seen attacks like this previously on Twitter, with high-profile accounts being hacked to promote these same kinds of scams. But the video angle (especially if the account owner puts some effort into making it seem legitimate) is an interesting form of hostage-based social engineering.

I’m wondering if ransomware actors may take to this tactic, forcing victim organizations to get followers on social media to do something similar.

The root cause of these attacks is a credential attack on the influencer’s Instagram account. Employees that are stepped through security awareness training will have strong and unique passwords for their social media accounts and won't fall for spoofed login pages.

Blog post with links:
https://blog.knowbe4.com/bitcoin-scam-videos-on-instagram-are-part-of-an-elaborate-account-takeover-scam


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Did You Know? You can now use the KnowBe4 platform to replace your expensive, old-school compliance training for a no-brainer price. Check out the new Compliance Plus Content Catalog. We have 100+ fresh compliance training modules:
https://www.knowbe4.com/hubfs/CompliancePlus-Content-Catalog-Datasheet_EN-US.pdf

Want to see this for yourself? Get your free demo right away:
https://www.knowbe4.com/compliance-plus

Quotes of the Week
"Knowledge is not power, it is only potential. Applying that knowledge is power. Understanding why and when to apply that knowledge is wisdom."
- Takeda Shingen, Daimyo (Japanese Lord) (1521 - 1573)


"One who gains strength by overcoming obstacles possesses the only strength which can overcome adversity."
- Albert Schweitzer - Humanitarian (1875 - 1965)



Thanks for reading CyberheistNews

Security News
Mobile Phishing Attacks Surge 161% in the Energy Industry

The need for increased mobile security in the energy sector has become evident with new data highlighting why these phishing attacks are occurring and effective ways to stop them.

It shouldn’t entirely be a surprise to see the energy industry as a primary target. Everyone is very aware of the attacks on oil pipelines and other critical infrastructure companies this year. But new data from security vendor Lookout provides some insight into at least one growing initial attack vector – mobile devices. In their 2021 Lookout Energy Industry Threat Report, mobile devices are front and center:
  • 20% of energy employees were exposed to a mobile phishing attack in H1 2021, a 161% increase over 2H 2020
  • Two-thirds of mobile attacks on the energy sector had the goal of credential harvesting
  • There was a 44% increase in mobile devices connecting to energy organizations, with unmanaged and BYOD mobile devices increasing by 41% over the last 12 months
The energy sector was the number one industry targeted with mobile attacks, experiencing 17% of all attacks. Finance, government, pharma and manufacturing were the other top-targeted sectors.

The report does provide some good news, covering some security measures that reduce the threat surface and the risk of attack:
  • Ensure that mobile devices are included in overall cybersecurity programs
  • Ensure mobile phishing protection is running on every mobile device
  • Ensure visibility into mobile apps on devices connecting to corporate resources
The report also mentions the value of security awareness training, citing that 62.5% of employees that were educated on phishing links did not click on a subsequent phishing link.

Blog post with links:
https://blog.knowbe4.com/mobile-phishing-attacks-surge-161-in-the-energy-industry

Holiday Shopping and Phishing-as-a-Service

Researchers at Egress observed a massive increase in phishing kits in the run-up to the holidays, particularly those impersonating Amazon.

“The research, conducted in partnership with Orpheus Cyber, has lifted the lid on how cybercriminals prepare to take advantage of the retail event, reporting a 397% increase in typo squatting domains explicitly tied to phishing kits,” Egress said. “Amazon was a popular choice for cybercriminals, with a 334.1% increase in phishing kits impersonating the brand ahead of its anticipated Black Friday promotions.

Amazon was the top brand for fraudulent webpages linked to phishing kits, with researchers observing almost 4,000 pages imitating the brand – three times as many as those detected for the popular online auction site eBay and over four times as many as for retail giant Walmart.”

Jack Chapman, Egress’s Vice President of Threat Intelligence, stated that people should continue to be vigilant throughout the rest of the holiday shopping season. “We all want to buy our loved ones the best possible Christmas present and net a bargain price in the Black Friday sales, and each year cybercriminals use this to their advantage,” Chapman said.

“PhaaS has lowered the barriers to entry for cybercriminals, making it easy to impersonate well-known brands and trick victims. The recent increase in the number of phishing kits listed for sale highlights the criminals’ appetite for carrying out attacks during busy shopping periods.”

Blog post with links:
https://blog.knowbe4.com/holiday-shopping-and-phishing-as-a-service

What KnowBe4 Customers Say

"Stu, not sure who to send this to, but I am sure glad I was assigned to Wendy for customer management. When we met the first time, she opened up available items on KnowBe4 I was unaware of and helped me get some great functionality working.

Then when I had a support issue, she followed through to make sure I had the right person to assist and to make sure it was handled properly. Very much appreciated! Please pass this compliment on to her leadership."
- C.B., Senior Software Developer



"Gentlemen, please be advised that SteveK is perhaps the most useful, considerate, and knowledgeable-about-his-product-line Account Rep I’ve ever worked with. We had been massively underutilizing our licensed KnowBe4 toolset for months, and he quite literally took us from “zero to hero” with KnowBe4 in a matter of just a few weeks. I was 15 minutes late for our first two meetings (unintentionally), but he didn’t bat an eye.

His patience, professionalism, and willingness to help us leverage our environment to its fullest have been truly beyond reproach. He's been a customer service Rockstar for us, and I thought you should know it."
- L.J., Global IT Security Architect



"Just a quick note of commendation and appreciation for all of the assistance IvanB has provided to my company, and to me personally. On multiple occasions, he has delivered timely and appropriate recommendations and guidance on how to better optimize our experience with KMSAT.

I am truly grateful for him being assigned to our company and wanted to share that information with you. Ivan is truly a wonderful ambassador of your company and a key to our company’s success. Thank you for your consideration."
- S.T., Chief Information Security Officer


The 10 Interesting News Items This Week
    1. The Fall Of A Russian Cyber Security Executive Who Went Against The Kremlin:
      https://www.bloomberg.com/news/features/2021-12-03/who-is-ilya-sachkov-russian-cyber-ceo-linked-to-2016-election-fancy-bear-leaks

    2. AI vigilantes fuel censorship fears in Russian cyberspace:
      https://news.trust.org/item/20211130025804-jrp7x/

    3. Lloyd's of London suggests insurers should not cover 'retaliatory cyber operations' between nation states:
      https://www.theregister.com/2021/11/30/lloyds_london_cyber_insurance_clauses/

    4. UK Spy chief's warning: Our foes are now 'pouring money' into quantum computing and AI:
      https://www.zdnet.com/article/spy-chiefs-warning-our-foes-are-now-pouring-money-into-quantum-computing-and-ai/

    5. U.S. Satellites Are Being Attacked Every Day According To Space Force General:
      https://www.thedrive.com/the-war-zone/43328/u-s-satellites-are-being-attacked-everyday-according-to-space-force-general

    6. Want to boost #cybersecurity? Embrace the attacker mindset:
      https://www.propertycasualty360.com/2021/11/30/want-to-boost-cybersecurity-embrace-the-attacker-mindset/

    7. Microsoft Exchange servers hacked to deploy BlackByte ransomware:
      https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-blackbyte-ransomware/

    8. FBI seized $2.3M from affiliate of REvil, Gandcrab ransomware gangs:
      https://www.bleepingcomputer.com/news/security/fbi-seized-23m-from-affiliate-of-revil-gandcrab-ransomware-gangs/

    9. Microsoft Defender scares admins with Emotet false positives:
      https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-scares-admins-with-emotet-false-positives/

    10. Suspected Chinese hackers breach more US defense and tech firms:
https://www.cnn.com/2021/12/02/politics/china-hackers-espionage-defense-contractors/index.html

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2021 KnowBe4, Inc. All rights reserved.