CyberheistNews Vol 12 #25 [Heads Up] Facebook Phishing Scam Steals Millions of Credentials

Cyberheist News

CyberheistNews Vol 12 #25  |   June 21st, 2022

[Heads Up] Facebook Phishing Scam Steals Millions of Credentials

Stu Sjouwerman SACP

Researchers at PIXM have uncovered a major Facebook Messenger phishing scam that’s "potentially impacted hundreds of millions of Facebook users." More than eight million people have visited just one of these phishing pages so far this year.

"While viewing the Yearly Views page, we see 2.7 million users visited one of their pages in 2021, and around 8.5 million so far in 2022," the researchers write. "This represents tremendous growth in the campaign from 2021 to 2022."

The threat actors used compromised Facebook accounts to spread the phishing pages through Facebook Messenger.

"It appeared evident that these links originated from Facebook itself," the researchers write. "That is, a user's account would be compromised and, in a likely automated fashion, the threat actor would login to that account, and send out the link to the user's friends via Facebook Messenger.

"Facebook's internal threat intelligence team is privy to these credential harvesting schemes, however this group employs a technique to circumvent their URLs from being blocked. This technique involves the use of completely legitimate app deployment services to be the first link in the redirect chain once the user has clicked the link.

"After the user has clicked, they will be redirected to the actual phishing page. But, in terms of what lands on Facebook, it's a link generated using a legitimate service that Facebook could not outright block without blocking legitimate apps and links as well."

Notably, the campaign used automation to cycle through different phishing pages, which enabled it to avoid detection by security technologies.

"Once one of [the URLs] was found and blocked, it was trivial (and based on the speed we observed, likely automated) to spin up a new link using the same service, with a new unique ID," the researchers write. "We would often observe several used in a day, per service.

"The use of these services allows the threat actors' links to remain undetected and unblocked by Facebook Messenger (and by domain reputation services) for long periods of time. This approach has yielded enormous success for the threat actor."

New-school security awareness training enables your employees to make smarter security decisions.

Blog post with links:

[New PhishER Feature] Turn the Tables on the Cybercriminals with PhishFlip

Cybercriminals are always coming up with new, devious phishing techniques to trick your users. PhishFlip is a new PhishER feature that allows you to respond in real time and turn the tables on these threat actors. With PhishFlip, you can now immediately "flip" a dangerous attack into an instant real-world training opportunity for your users.

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. You can now combine your existing PhishRIP email quarantine capability with the new PhishFlip feature that automatically replaces active phishing threats with a new defanged look-alike back into your users’ mailbox.

The new PhishFlip feature is included in PhishER—yes, you read that right, no extra cost—so now you can turn the tables on these threat actors and flip targeted phishing attacks into a simulated phishing test for all users. This new feature dramatically reduces data breach risk and the burden on your IT and InfoSec teams.

See how you can best manage your user-reported messages.

Join us TOMORROW, Wednesday, June 22 @ 2:00 PM (ET), for a live 30-minute demo of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software.

With PhishER you can:

  • NEW! Automatically flip active phishing attacks into safe simulated phishing campaigns with PhishFlip. You can even replace active phishing emails with safe look-alikes in your users' inboxes.
  • Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft 365 and Google Workspace
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!

Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: TOMORROW, Wednesday, June 22 @ 2:00 PM (ET)

Save My Spot!

A Closer Look at HR Phishing: Does Niceness Have a Downside?

Threat actors are targeting HR employees who are looking to hire new people, according to Lisa Vaas at Contrast Security. As part of their job, HR employees frequently interact with people outside of the organization and are more likely to open external files. Attackers frequently take advantage of this by hiding malware within phony resumé files.

Vaas cites Dmitri Alperovitch, chairman of the Silverado Policy Accelerator, as saying in a talk at RSAC that North Korean threat actors are particularly fond of this technique.

"[One thing] that's been really interesting to watch is their attempts to infiltrate organizations remotely by trying to actually get hired inside of these companies, particularly in the web3 crypto space, where they're responding to advertisements," Alperovitch said.

"They're saying they're willing to do remote development work. They're saying they're from 'a' Bay Area, although in many of the interviews they failed to identify even the most common locations in 'the' [San Francisco] Bay Area."

Attackers use job-listing and networking sites such as LinkedIn to identify potential targets. "They’re still having a tough time actually passing these interviews, but they don't have to pose as Bay Area natives when it comes to packing resumés with malware," Vaas writes.

"One example: In April, eSentire research showed that new phishing attacks, targeting corporate hiring managers, were delivering the more_eggs malware, tucked into bogus CVs. These campaigns sprang up a year after potential candidates looking for work on LinkedIn were lured with weaponized job offers: The offers dangled malicious ZIP archive files with the same name as that of the victims' job titles, as lifted from their LinkedIn profiles."

Niceness, to be sure, is a good thing, everything else being equal. But it can also render you vulnerable to scams and cons. Every employee needs to know that they should never click the "Enable content" button in a Microsoft Office document.

Blog post with links:

Incredible Email Hacks You'd Never Expect and How You Can Stop Them

If you think the only way your network and devices can be compromised via email is phishing, think again!

A majority of data breaches are caused by attacks on the human layer, but email hacking is much more than phishing and launching malware. From code execution and clickjacking to password theft and rogue forms, cybercriminals have more than enough email-based tricks that mean trouble for your InfoSec team.

In this on-demand webinar, Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist and security expert with over 30 years of experience, explores many ways hackers use social engineering and phishing to trick your users into revealing sensitive data or enabling malicious code to run.

Roger shows you how hackers compromise your network. You’ll also see incredible demos including a (pre-filmed) hacking demo by Kevin Mitnick, the World’s Most Famous Hacker and KnowBe4's Chief Hacking Officer.

Roger teaches you:

  • How remote password hash capture, silent malware launches and rogue rules work
  • Why rogue documents, establishing fake relationships and tricking you into compromising your ethics are so effective
  • The ins and outs of clickjacking
  • Actionable steps on how to defend against them all

Email is still a top attack vector cybercriminals use. Don't leave your network vulnerable to these attacks.

Watch the Webinar Now!

Monkeypox Scams Continue To Increase

Attackers are taking advantage of the current news about monkeypox to trick people into clicking on malicious links, Pickr reports. Researchers at Mimecast have spotted a phishing campaign that impersonates companies in an attempt to trick employees into visiting phony health safety sites that steal their information.

The subject line is designed to grab the user's attention, stating, "Attention all [Company] Employees - Please Read and Comply."

The emails then state, "[Company name] has been closely monitoring developments related to the Monkeypox outbreak, including all updates provided by the Centers for Disease Control, World Health Organization, and local health officials. In an effort to keep all team members safe and informed, as well as our business protected, included here are the precautions that have been put in place."

The email includes a link that says, "Click here to complete Mandatory Monkeypox safety awareness training." This link leads to a phishing site that will steal their information. Tim Campbell, Head of Threat Intelligence Analysis at Mimecast, stated that criminals frequently take advantage of current news.

"Monkeypox is high on the news agenda so it comes as no surprise that cyber criminals are exploiting it," Campbell said. "Cybercriminals [are] adjust[ing] their phishing campaigns to be as timely and relevant as possible, using traditional attack methods to exploit current events in an attempt to lure busy and distracted people to engage with links in emails, applications or texts.

"Now, they are using monkeypox as an opportunity to send phishing emails to company employees for 'mandatory monkeypox awareness training.' As the phishing email is made to look like an internal company email, employees are at risk of clicking the link and entering their login details, which will then be stolen and used to access systems within the organization and steal information."

People have probably been primed by the COVID pandemic to take healthcare warnings seriously, and so bad actors will seek to use their attention against them. New-school security awareness training can give your employees a healthy sense of skepticism so they can recognize red flags associated with social engineering attacks.

Blog post with links:

Can You Be Spoofed?

Are you aware that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain?

Now they can launch a "CEO fraud" spear phishing attack on your organization, and that type of attack is very hard to defend against, unless your users are highly "security awareness" trained. KnowBe4 can help you find out if this is the case with our free Domain Spoof Test.

Find out now if your email server is configured correctly; many are not!

  • This is a simple, non-intrusive "pass/fail" test
  • We will send a spoofed email "from you to you"
  • If it makes it through into your inbox, you know you have a problem
  • You'll know within 48 hours!

Try to Spoof Me!

My Current Perspective

Information security is mission-critical today. The global risk situation is higher than ever. Your employees are still your largest attack vector. New-school security awareness training is a must-have layer in your security stack. Compared to the risk, the subscription is a complete no-brainer.

So which vendor are you going to choose? You absolutely have to have an effective program to mitigate this high risk. You want a best-of-breed platform with proven results. You want a highly stable, industry-leading vendor that will actually partner with you. KnowBe4 is that vendor. When do you think we can expect your PO?

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: By Yours Truly. "5 Reasons Why Compliance Alone Is Not Efficient at Reducing Cyber Risks":

PPS: The new must-read Security Culture Playbook reviewed at Medium:

Quotes of the Week
"Let the refining and improving of your own life keep you so busy that you have little time to criticize others."
- H. Jackson Brown, Jr. - Author

"Education is for improving the lives of others and for leaving your community and world better than you found it."
- Marian Wright Edelman

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

A New PayPal Spoofing Attack Steals Your Money and Harvests Your Phone Number

A phishing campaign is impersonating PayPal in order to steal money and harvest victims' phone numbers for further attacks, according to researchers at Avanan.

"This scam uses what we call 'phone number harvesting,'" Avanan says. "Instead of harvesting credentials for online logins, this attack easily obtains phone numbers through the caller ID feature. Once they obtain the phone number, they can carry out a series of attacks, whether it's through text messages, phone calls or WhatsApp messages. Just one successful attack can lead to dozens of other ones.

"The number listed on the email is a Hawaii-based number that’s been linked to scams in the past. When calling, they will ask for your credit card number and CVV to 'cancel' the charge. It's worth noting that the scammers are not based out of places like Hawaii; they've simply registered a phone number to a US-based area code and are forwarding calls to an international relay."

The attackers are using various techniques to avoid detection by security technologies. "In this attack, the hackers are reversing the text. This has the security system seeing what looks like gibberish," the researchers write. "With the Natural Language Processing unable to make sense of it, it seems instead like a normal email. For the end-user, it looks like a typical email, with no issues, making it more liable to be clicked on.

"With the combination of social engineering in the form of what looks like a fraudulent payment, and no malicious links or otherwise malicious text, this is a tricky attack that has proven hard to stop."

Additionally, the emails don't contain any links, so security filters won't detect any potential phishing URLs. "This attack also works because there are no links at all in the email body," the researchers write. "When there is a link, the email security solution can check it to see if it’s malicious or not.

"Without any links, it becomes much harder. There are countless ways to do this, and we have written about many in the past. There's the ZeroFont attack; the OneFont attack; highlighting text in white; the No Display attack; and much more."
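The two evasions Avanan describes above, reversed text that defeats NLP and hidden text with no links, are both problems of what the filter reads versus what the recipient sees. The following Python is an added example written for this newsletter; it is not Avanan's code or KnowBe4's, and it makes assumptions the article does not state: that the reversal is hidden from the reader with a Unicode right-to-left override (U+202E) or a bidi-override style, that hidden text uses the inline CSS patterns matched below, and that the small lure lexicon and the sample emails are constructed. It extracts only the text a mail client would render, strips bidi controls, and scores the text both forwards and backwards so a reversed lure is un-reversed before classification.

```python
"""Added example (not from the newsletter or from Avanan): normalise an HTML
email body before it reaches keyword/NLP classification, so that invisible
filler text and reversed text do not hide a payment-scam lure.

Assumptions (not stated on the page): the reversal is hidden from the reader
with a Unicode right-to-left override (U+202E) or a bidi-override style; the
hidden-text CSS patterns, the lexicon and the sample emails are constructed."""
import re
from html.parser import HTMLParser

# Constructed lexicon of words typical of payment-fraud lures.
LEXICON = {
    "your", "paypal", "account", "payment", "invoice", "charge", "cancel",
    "call", "order", "was", "has", "been", "to", "the", "of", "for", "if",
    "you", "did", "not", "authorize", "this", "please", "contact", "us",
    "at", "transaction", "amount", "within", "hours",
}

# Unicode bidi control characters that change how text is displayed.
BIDI_CONTROLS = set("\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")

# Inline styles that make text invisible in most mail clients. Heuristic only:
# white text is legitimate on a dark background, so treat it as a signal.
HIDDEN_STYLE = re.compile(
    r"font-size\s*:\s*0+(?:\.0+)?(?:px|pt|em|rem|%)?(?=\s*(?:;|$|!important))"
    r"|display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|(?<!background-)color\s*:\s*(?:#fff(?:fff)?|white)\b",
    re.IGNORECASE,
)

# Elements with no closing tag; skipped so the hidden-region stack stays balanced.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "wbr"}


class VisibleTextExtractor(HTMLParser):
    """Collects the text a client would render, and separately the text it would not."""

    def __init__(self):
        super().__init__()
        self.stack = []          # one bool per open element: does it hide its content?
        self.hidden_depth = 0    # >0 while inside at least one hidden element
        self.visible = []
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        hides = bool(HIDDEN_STYLE.search(style))
        self.stack.append(hides)
        if hides:
            self.hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self.stack:
            return
        if self.stack.pop():
            self.hidden_depth -= 1

    def handle_data(self, data):
        (self.hidden if self.hidden_depth else self.visible).append(data)


def lexicon_score(text):
    """Fraction of alphabetic tokens found in LEXICON (0.0 when there are none)."""
    tokens = re.findall(r"[a-z]+", text.lower())
    return sum(t in LEXICON for t in tokens) / len(tokens) if tokens else 0.0


def normalise_email(html):
    """Return the text a classifier should score, plus the evasion signals found."""
    parser = VisibleTextExtractor()
    parser.feed(html)
    parser.close()
    raw = " ".join(parser.visible)
    bidi_count = sum(c in BIDI_CONTROLS for c in raw)
    cleaned = " ".join("".join(c for c in raw if c not in BIDI_CONTROLS).split())
    forward, backward = lexicon_score(cleaned), lexicon_score(cleaned[::-1])
    # Reversed text reads as gibberish forwards and as an ordinary lure backwards.
    is_reversed = backward >= 0.4 and backward > 2 * forward
    text = cleaned[::-1] if is_reversed else cleaned
    return {
        "text": text,
        "reversed": is_reversed,
        "bidi_controls": bidi_count,
        "hidden_text": " ".join(" ".join(parser.hidden).split()),
        "lure_score": lexicon_score(text),
    }


# Constructed samples (phone number is a fictional 555 number).
LURE = ("Your PayPal account was charged 499.99 USD for an order. If you did not "
        "authorize this payment, call us at 808-555-0100 to cancel.")
MALICIOUS_HTML = (
    "<html><body><p>\u202e" + LURE[::-1]
    + '<span style="font-size:0px;">quarterly newsletter update</span></p>'
    + '<p style="color:#ffffff">team building schedule attached</p></body></html>'
)
BENIGN_HTML = "<html><body><p>Hi team, the quarterly newsletter is attached. Thanks!</p></body></html>"

if __name__ == "__main__":
    for name, html in (("malicious", MALICIOUS_HTML), ("benign", BENIGN_HTML)):
        print(name, normalise_email(html))
```

The point of the design is that the classifier only ever sees `text`, which is what the recipient would read, while `reversed`, `bidi_controls` and `hidden_text` are surfaced as separate signals: a message that needed un-reversing or carried invisible filler is itself suspicious regardless of what the lure says, and the absence of links is no longer a free pass.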

Avanan has the story:

Chinese APT Deploys New Cyberespionage Tool

In a report released Monday, Palo Alto Networks' Unit 42 outlines the recent activities of Gallium, a Chinese government threat actor particularly active against select targets in Australia, Southeast Asia, Africa and Europe.

Gallium has also been associated with Operation Soft Cell, a campaign against telecommunications providers. The recent operations Palo Alto describes are distinguished by their employment of a "new, difficult-to-detect remote access trojan named PingPull." They're also marked by an expansion to sectors other than telecommunications, specifically government organizations and financial services.

Palo Alto has shared detailed findings with fellow members of the Cyber Threat Alliance. The company also extends "special thanks to the NSA Cybersecurity Collaboration Center, the Australian Cyber Security Centre and other government partners for their collaboration and insights offered in support of this research."

What KnowBe4 Customers Say

"Hi Stu, Thanks for emailing. Yes we're pleased with KnowBe4's service - it's all been a simple and easy process from day one. Jason is an excellent account rep. Kudos to you and your company!"

- R.M., Finance Manager

"Michael has been fantastic to work with. He has been proactive in making sure we are getting value from our KnowBe4 subscription and each time we meet with him he brings enthusiasm and excellent customer support.

"We partner with a lot of companies to bring technology to our city and it is really refreshing to have a relationship that doesn’t end after we sign the purchase agreement. We just renewed our KnowBe4 subscription and Michael’s customer support made it easy for us to choose to continue our relationship with KnowBe4. Thank you for operating this way and employing great staff members like Michael."

- S.R., Chief Information Officer

The 10 Interesting News Items This Week
  1. This new Linux malware is 'almost impossible' to detect:

  2. U.S. State and Federal Funding for Cybersecurity is on the Rise:

  3. WIRED | An Alleged Russian Spy Was Busted Trying to Intern at The Hague:

  4. Looking for Cyber Insurance? Know Your Eligibility:

  5. Chinese 'Aoqin Dragon' gang runs ten-year espionage spree:

  6. Russian hackers start targeting Ukraine with Follina exploits:

  7. Ransomware Group Debuts Searchable Victim Data:

  8. Hundreds arrested and millions seized in global INTERPOL operation against social engineering scams:

  9. 24 billion usernames and passwords available on the dark web - an increase of 65% in just two years:

  10. New Zimbra Email Vulnerability Could Let Attackers Steal Your Login Credentials:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
