CyberheistNews Vol 12 #29 [Heads Up] New Phishing Attacks Shame, Scare Victims into Surrendering Twitter, Discord Credentials


CyberheistNews Vol 12 #29  |   July 19th, 2022

[Heads Up] New Phishing Attacks Shame, Scare Victims into Surrendering Twitter, Discord Credentials

Stu Sjouwerman SACP

A new wave of social media phishing attacks is using scare tactics to pressure victims into handing over their logins.

First, a Twitter phishing attack was reported last week. Threat actors sent direct messages to victims claiming that their account had been flagged for hate speech. The messages redirected victims to a fake Twitter Help Center page that asked for their login credentials.

Then, a Discord phishing campaign was discovered in which users received a message from friends or strangers accusing them of posting explicit photos on a server. The message included a link that led to a QR code; scanning it with the Discord app handed the account over to the cybercriminals. Note that no password was phished here at all: the QR-code login flow is the credential.

Social media has always been fertile ground for phishing, with social engineering used to manipulate victims into disclosing confidential logins. And when they succeed, social media attacks can open the floodgates to the company network, because the same people reuse passwords and the same devices are used for work.

James McQuiggan, Security Awareness Advocate at KnowBe4, explained to Dark Reading how effective social media phishing attacks can be: "A lot of the time, phishing attacks rely on the victim reacting to the email in an emotional state," he says. "The victim sees the email and responds without adequately checking the sender or the link."

These types of attacks are not going away anytime soon. And with a persistently remote workforce, there is a higher risk of being targeted through your social networks without the word-of-mouth alerts you would get at the office from other employees. Get ahead of the curve now with your employees by implementing new-school security awareness training.


Hacks That Bypass Multi-Factor Authentication and How to Make Your MFA Solution Phishing Resistant

The average person believes that using Multi-Factor Authentication (MFA) makes them significantly less likely to be hacked. That is simply not true! Hackers can bypass 90-95% of MFA solutions far more easily than you would think. Using an ordinary-looking phishing email, they can bypass MFA just as easily as if it were a simple password.

Join Roger A. Grimes, KnowBe4’s Data-Driven Defense Evangelist, for this new webinar to learn common MFA hacking techniques and what it takes to make your MFA phishing resistant. He’ll also share a pre-filmed MFA hacking demo from Kevin Mitnick, KnowBe4’s Chief Hacking Officer.

In this webinar you’ll learn:

  • Government recommendations for effective MFA
  • Characteristics that make MFA easily hackable
  • Features you should look for in a strong MFA solution
  • Which phish-resistant MFA you should be using
  • Why a strong human firewall is your best, last line of defense

Get the information you need to know now to better defend your network. And earn CPE for attending!

Date/Time: TOMORROW, Wednesday, July 20 @ 2:00 PM (ET)

Save My Spot!

QuickBooks Phishing Scam Is Back and Sails Through Your Filters

Scammers are continuing to abuse the QuickBooks tax accounting software to send phishing scams, according to Roger Kay at INKY.

"All versions of QuickBooks have the ability to send invoices, and in this case, the bad guys turned this capability into an attack vector for a low-tech phone scam," Kay writes. "In the past year, phone scams have been on the rise as phishers respond to the increasing sophistication of anti-phishing defenses: defenders go high, phishers go low. A simple mechanism is a phone number that the phishers want the mark to call. When they do, an operative will try to extract valuable information from them."

The messages impersonate Amazon, Apple, Best Buy, PayPal, Norton and McAfee. Recipients are instructed to call a phone number to cancel a purchase they never made.

"INKY began to see instances of this particular attack in December 2021," Kay says. "They accelerated significantly in March 2022. Although we have detected 2,272 to date, that number is surely an undercount. The exact count is difficult to determine since the subtle scam emails and legitimate QuickBooks notifications all originate from the real QuickBooks notification site: quickbooks[@][.]com."

Because the notifications are generated and sent by Intuit's own infrastructure, the phishing messages pass security filters that key on sender reputation and authentication. "These attacks were highly effective at evading detection because they were identical to non-fraudulent QuickBooks notifications, even when examining the emails' raw HTML files closely," Kay says.

"All notifications originated from authentic Intuit IP addresses, passed email authentication (SPF and DKIM) tests for intuit[.]com, and only contained high-reputation intuit[.]com URLs."

Kay concludes that users should pause and think before reacting to messages that instill a sense of urgency. "The effectiveness of these techniques relies on the panic a victim might feel if they received an invoice for goods or services that they did not purchase," Kay writes. "The emotional reaction to notification of this sort can be strong and may impair judgment.

"The natural response is to get right on the phone and try to back the order out, or barring that, find a way to obtain a refund. The phishers take advantage of this disrupted emotional state to extract personal or financial information before the victim realizes that something is off."


[New PhishER Feature] Turn the Tables on the Cybercriminals with PhishFlip

Cybercriminals are always coming up with new, devious phishing techniques to trick your users. PhishFlip is a new PhishER feature that allows you to respond in real time and turn the tables on these threat actors. With PhishFlip, you can now immediately “flip” a dangerous attack into an instant real-world training opportunity for your users.

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. You can now combine your existing PhishRIP email quarantine capability with the new PhishFlip feature, which automatically replaces active phishing threats in your users' mailboxes with defanged look-alikes.

The new PhishFlip feature is included in PhishER—yes you read that right, no extra cost— so now you can turn the tables on these threat actors and flip targeted phishing attacks into a simulated phishing test for all users. This new feature dramatically reduces data breach risk and the burden on your IT and InfoSec teams.

See how you can best manage your user-reported messages.

Join us Wednesday, July 27 @ 2:00 PM (ET) for a live 30-minute demo of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software.

  • NEW! Automatically flip active phishing attacks into safe simulated phishing campaigns with PhishFlip. You can even replace active phishing emails with safe look-alikes in your user’s inbox.
  • Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft 365 and Google Workspace
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!

Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: Wednesday, July 27 @ 2:00 PM (ET)

Save My Spot!

Callback Malware Campaigns Impersonate CrowdStrike and Other Cybersecurity Companies

On July 8, 2022, CrowdStrike Intelligence identified a callback phishing campaign impersonating prominent cybersecurity companies, including CrowdStrike. The phishing email implies the recipient's company has been breached and insists the victim call the included phone number. This campaign leverages similar social-engineering tactics to those employed in recent callback campaigns including WIZARD SPIDER's 2021 BazarCall campaign.

This campaign will very likely use legitimate remote administration tools (RATs) for initial access and off-the-shelf penetration-testing tools for lateral movement, followed by the deployment of ransomware or data extortion.

The callback campaign employs emails that appear to originate from prominent security companies; the message claims the security company identified a potential compromise in the recipient’s network. As with prior callback campaigns, the operators provide a phone number for the recipient to call.
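The QuickBooks invoice scam described earlier and this callback campaign share one shape: the mail can be fully authenticated (SPF and DKIM pass, reputable sender IPs), carries no malicious link, and instead pushes the reader to dial a phone number under time pressure, so filters that key on sender reputation and URLs miss it. The triage below is an added example and not code from INKY, CrowdStrike or the newsletter. It parses a message with Python's standard email module and scores the subject and body for a phone number used as a call to action, urgency language, and a brand named in the message that does not match the sending domain, reporting the authentication result alongside so an analyst sees that "spf=pass dkim=pass" cleared nothing. The brand list, the brand-to-domain mapping, the score thresholds and the three sample messages are assumptions constructed for the demo.

```python
"""Heuristic triage for callback ("call this number") phishing lures.

Added example, not code from the newsletter, INKY or CrowdStrike. The
mail may be perfectly authenticated and link-free; the lure is a phone
number plus urgency, so the body is what gets scored. Brand list, domain
mapping, thresholds and sample messages are constructed for the demo.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# North American phone formats: 1-800-555-0199, (888) 555-0142, 800.555.0199
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"
)
# Verb that turns a phone number into a call to action; searched in the
# 60 characters before each number so a footer number alone does not count.
CALL_VERB_RE = re.compile(r"\b(call|dial|contact|phone)\b", re.I)
URGENCY_RE = re.compile(
    r"\b(cancel|refund|breach|compromis\w*|unauthori[sz]ed|suspend\w*|"
    r"immediately|within \d+ hours?)\b",
    re.I,
)
# Brands the article names as impersonated, mapped to the domain a genuine
# notice would come from (assumed mapping, constructed for the demo).
LEGIT_DOMAIN = {
    "amazon": "amazon.com", "apple": "apple.com", "best buy": "bestbuy.com",
    "paypal": "paypal.com", "norton": "norton.com", "mcafee": "mcafee.com",
    "crowdstrike": "crowdstrike.com",
}


def _text(msg: Message) -> str:
    """Subject plus every text/plain part, decoded."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def auth_passed(msg: Message) -> bool:
    """True when the receiving MTA recorded both an SPF and a DKIM pass."""
    ar = msg.get("Authentication-Results", "").lower()
    return "spf=pass" in ar and "dkim=pass" in ar


def triage(raw: str) -> dict:
    """Score one raw RFC 822 message; verdict is 'callback-lure' or 'clean'."""
    msg = message_from_string(raw)
    text = _text(msg)
    low = text.lower()
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

    phones = [m.group(0) for m in PHONE_RE.finditer(text)]
    has_cta = any(
        CALL_VERB_RE.search(text[max(0, m.start() - 60):m.start()])
        for m in PHONE_RE.finditer(text)
    )
    brands = sorted(b for b in LEGIT_DOMAIN if b in low)
    # Brand named in the mail, but the sender is not that brand's domain.
    mismatch = [
        b for b in brands
        if not (sender_domain == LEGIT_DOMAIN[b]
                or sender_domain.endswith("." + LEGIT_DOMAIN[b]))
    ]

    score = (2 if phones else 0) + (1 if has_cta else 0)
    score += 1 if URGENCY_RE.search(text) else 0
    score += 2 if mismatch else 0
    verdict = "callback-lure" if phones and score >= 4 else "clean"
    return {"verdict": verdict, "score": score, "phones": phones,
            "impersonated": mismatch, "auth_passed": auth_passed(msg),
            "sender_domain": sender_domain}


# Constructed sample messages (not real campaign artifacts).
QUICKBOOKS_LURE = """\
From: QuickBooks <quickbooks@notification.intuit.com>
To: victim@example.com
Subject: Invoice 2091 from Norton Protection
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=intuit.com; dkim=pass header.d=intuit.com
Content-Type: text/plain

Norton Protection sent you an invoice for $399.99 (Norton 360 annual renewal).
If you did not authorize this purchase, call 1-800-555-0199 immediately
to cancel the order and request a refund.
"""

CROWDSTRIKE_LURE = """\
From: Incident Response <alerts@crowdstrike-response.example>
To: it-helpdesk@example.com
Subject: Action required: potential compromise detected
Content-Type: text/plain

CrowdStrike has identified a potential compromise in your company's network
during a routine audit. To avoid further breach, please contact our analyst
at (888) 555-0142 within 24 hours so we can schedule remediation.
"""

BENIGN_INVOICE = """\
From: QuickBooks <quickbooks@notification.intuit.com>
To: customer@example.com
Subject: Invoice 1187 from Acme Plumbing LLC
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=intuit.com; dkim=pass header.d=intuit.com
Content-Type: text/plain

Acme Plumbing LLC sent you an invoice for $240.00 for the water heater service
on July 12. Thank you for your business. Questions? Call us at (555) 010-2233.
"""

if __name__ == "__main__":
    for sample in (QUICKBOOKS_LURE, CROWDSTRIKE_LURE, BENIGN_INVOICE):
        print(triage(sample))
```

The benign invoice also carries a phone number and a "call us", which is why a single signal is never enough: the lure is the combination of a number, an urgent reason to dial it, and a brand that the sending domain cannot vouch for. Tune the brand map to the vendors your organization actually pays through QuickBooks, and route anything scored as a lure to the same queue as user-reported phish rather than dropping it silently.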


[New Report] Here Are Your Updated 2022 Phishing By Industry Benchmark Results

With phishing on the rise, your employees' mindset and actions are critical to the security posture of your organization.

You need to know what happens when your employees receive phishing emails: are they likely to click the link? Get tricked into giving away their credentials or download malware? Or will they report the suspected phish and play an active role in your human defense layer?

Perhaps more importantly, do you know how effective new-school security awareness training is as a mission-critical layer in your security stack?

Find out with the 2022 Phishing By Industry Benchmarking Report, which analyzed a data set of 9.5 million users across 30,173 organizations with over 23.4 million simulated phishing security tests. In this unique report, research from KnowBe4 highlights employee Phish-prone™ Percentages by industry, revealing the likelihood that users are susceptible to phishing or social engineering attacks.

Taking it a step further, the research also reveals radical drops in careless clicking after 90 days and 12 months of new-school security awareness training.

Do you know how your organization compares to your peers of similar size?

Download this new whitepaper to find out!

All it Takes Is "Free" Beer to Steal Your Personal Data

A recent phishing scam impersonating the Heineken beer brand demonstrates how little effort scammers need to convince victims to give up all kinds of personal information.

If you like beer, a giveaway from a beer vendor seems plausible; hats, a coupon or a beer koozie would all be reasonable "prizes." But scammers intent on harvesting personal information went all out impersonating Heineken, promoting the giveaway of 5,000 coolers filled with beer for Father's Day last month.

As part of the scam, personal details were collected, including birthdate, email address, postal address and name. This kind of information can be used to attempt takeovers of legitimate email accounts, as part of a longer-term doxing effort, or simply to impersonate the victim in another scam.

Heineken denounced the free beer scam in a statement and recommended that individuals not engage with such communications. But the scam does make a point: to create the illusion of legitimacy, the scammers used a well-known worldwide brand and placed the hook (the 5,000 coolers) just on the cusp of being implausible.

That is what creates a sense of urgency and causes potential victims to forget the need to remain vigilant when interacting with unsolicited email and web content. Organizations serious about reducing their threat surface, which includes their users, teach exactly this through security awareness training.


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: One-Third of Users Without Security Awareness Training Click on Phishing URLs:

PPS: Before the Ransomware Attack: 5 Initial Access Methods:

Quotes of the Week  
"Success is not final, failure is not fatal: it is the courage to continue that counts."
- Winston Churchill (1874 - 1965)

"The best way to resolve any problem in the human world is for all sides to sit down and talk."
- Dalai Lama (born 1935)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

Phishing Attack Steals $8 Million Worth of Cryptocurrency

Scammers stole $8 million worth of Ethereum from users of the Uniswap decentralized exchange, according to Sujith Somraaj at Decrypt. Notably, the attackers relied purely on social engineering to pull off the theft, despite early claims that they had exploited a vulnerability in Uniswap's underlying protocol.

"The phishing scam promised a free airdrop of 400 UNI tokens (worth approx. $2,200)," Somraaj writes. "Users were asked to connect their crypto wallets and sign the transaction to claim the malicious airdrop. Upon connection, the unknown hacker grabbed user funds through a malicious smart contract."

The scammers used this malicious contract to trick the victims into granting access to their cryptocurrency. "Notably, the code was not verified for the smart contract deployed on Etherscan—something most legitimate projects do," Somraaj says. "After deployment, for collecting their airdropped tokens, the hacker tricked users into signing a transaction. Instead, this transaction served as an approval transaction, giving the hacker access to all the Uniswap LP (Liquidity Pool) tokens held by the user."

Somraaj explains how the attackers were able to gain access to the funds. "Whenever users add liquidity to Uniswap, they receive LP tokens in return as a representation of their liquidity positions," Somraaj writes. "These tokens are transferable and use the ERC-721 token standard, like all other NFTs.

"Hence through an approval transaction, a third-party (the hacker wallet in this case) could spend funds on behalf of the user. After gaining access from the previous approval transaction, the hacker transferred all the LP tokens to his wallet and withdrew all the liquidity from Uniswap."

People should always be wary when they see offers that seem too good to be true, particularly when cryptocurrency is involved. We tend to think of cryptocurrency transactions as something individual speculators engage in, but increasingly they touch many businesses as well. They're novel enough that employees may find themselves gulled through simple unfamiliarity. New-school security awareness training can give your employees a healthy sense of skepticism so they can thwart social engineering attacks.
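The technical lesson in the Uniswap theft is that the "claim your airdrop" prompt was an approval transaction, and an approval on an ERC-721 contract can hand an operator the right to move every token the signer holds (in the ERC-721 standard that blanket grant is setApprovalForAll(operator, true); the single-token form is approve(spender, tokenId), which shares its selector with ERC-20 approve(spender, amount)). The Python below is an added example, neither Uniswap's nor Decrypt's code, that ABI-encodes and decodes those two standard functions from raw calldata and refuses any approval to an operator that is not on a trusted list, while still allowing the revocation call that victims need to send afterwards. The two four-byte selectors are the standard ones (the first four bytes of keccak256 of the function signature); the contract and wallet addresses, the trusted list and the sample transactions are constructed for the demo.

```python
"""Decode approval calldata before signing and refuse blanket grants to
unknown operators.

Added example, not Uniswap's or Decrypt's code. Selectors are the ERC
standard values; addresses, trusted list and sample transactions are
constructed for the demo.
"""

# keccak256(signature)[:4], as defined by the ERC-20 / ERC-721 standards
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",        # ERC-20 amount or ERC-721 token id
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721 / ERC-1155 blanket grant
}
UINT256_MAX = 2**256 - 1


def _word(value: int) -> bytes:
    """One 32-byte big-endian ABI word."""
    return value.to_bytes(32, "big")


def _addr_word(addr: str) -> bytes:
    """Addresses are right-aligned in a 32-byte word (12 zero bytes + 20)."""
    return bytes.fromhex(addr[2:] if addr.startswith("0x") else addr).rjust(32, b"\x00")


def encode_call(sig: str, *args) -> str:
    """ABI-encode a call to one of the table's functions (demo helper)."""
    selector = next(k for k, v in SELECTORS.items() if v == sig)
    out = bytes.fromhex(selector)
    for a in args:
        if isinstance(a, bool):          # bool before int: True is also an int
            out += _word(int(a))
        elif isinstance(a, int):
            out += _word(a)
        else:
            out += _addr_word(a)
    return "0x" + out.hex()


def decode_call(data_hex: str) -> dict:
    """Parse calldata; unknown selectors are reported, not guessed at."""
    data = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    sel = data[:4].hex()
    sig = SELECTORS.get(sel)
    if sig is None:
        return {"function": None, "selector": sel}
    if len(data) < 4 + 64:
        raise ValueError("calldata too short for two 32-byte words")
    w1, w2 = data[4:36], data[36:68]
    if w1[:12] != b"\x00" * 12:
        raise ValueError("non-zero padding in address word")
    target = "0x" + w1[12:].hex()
    if sig.startswith("approve"):
        return {"function": "approve", "spender": target,
                "amount": int.from_bytes(w2, "big")}
    return {"function": "setApprovalForAll", "operator": target,
            "approved": w2 == _word(1)}


def review(tx: dict, trusted_operators) -> tuple:
    """Wallet-side gate: (allow, reason) for tx = {"to": contract, "data": calldata}."""
    call = decode_call(tx["data"])
    fn = call["function"]
    if fn is None:
        return True, "not an approval (selector %s)" % call["selector"]
    target = call.get("operator") or call["spender"]
    trusted = {a.lower() for a in trusted_operators}
    if fn == "setApprovalForAll" and not call["approved"]:
        return True, "revocation of operator %s" % target   # the cleanup step
    if target.lower() in trusted:
        return True, "%s to trusted operator %s" % (fn, target)
    if fn == "setApprovalForAll":
        return False, "blanket approval of every token in %s to untrusted %s" % (tx["to"], target)
    if call["amount"] == UINT256_MAX:
        return False, "unlimited approval to untrusted %s" % target
    return False, "approval of token/amount %d to untrusted %s" % (call["amount"], target)


# Constructed addresses: stand-ins for the LP position contract, a trusted
# router and the attacker's wallet. Not real on-chain addresses.
LP_NFT = "0x" + "c0" * 20
ROUTER = "0x" + "ab" * 20
ATTACKER = "0x" + "ba" * 20

CLAIM_TX = {"to": LP_NFT, "data": encode_call("setApprovalForAll(address,bool)", ATTACKER, True)}
REVOKE_TX = {"to": LP_NFT, "data": encode_call("setApprovalForAll(address,bool)", ATTACKER, False)}
ROUTER_TX = {"to": LP_NFT, "data": encode_call("approve(address,uint256)", ROUTER, 12345)}

if __name__ == "__main__":
    for name, tx in (("claim", CLAIM_TX), ("revoke", REVOKE_TX), ("router", ROUTER_TX)):
        print(name, decode_call(tx["data"]), review(tx, {ROUTER}))
```

The decode step is the part a wallet prompt normally hides behind a generic "approve" button; showing the operator address and whether the grant is blanket is what would have made the airdrop "claim" look wrong. After an incident, the same setApprovalForAll(operator, false) call the review function waves through is how the victim revokes the attacker, so a gate must distinguish it from the grant rather than blocking the selector wholesale.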


Phishing Campaign Targets Apple IDs

Researchers at Trend Micro warn that a phishing campaign is using leaked Apple ID credentials to trigger password reset messages. The scammers then attempt to trick the user into granting them access to the account.

"[T]he emails or text messages you receive are LEGITIMATE, generated automatically from the Apple system — due to the scammer's actions," the researchers write. "Remember, NEVER reveal the verification code to anyone.

"Scammers can also contact you, impersonating Apple support, and ask you to provide that code. If you fall for it, scammers can gain full access to your Apple ID and reset the password to block you out. What for? All the private data stored in iCloud."

In addition to password reset emails, attackers continue to use regular phishing emails that impersonate Apple. "More commonly, scammers just pose as Apple and send you fake emails or text messages that contain phishing links to entice you," the researchers write. "Using various excuses like a security alert, Apple ID lock, billing error, or whatever else works, they prompt you into clicking on the phishing link to fix the issue."

Trend Micro has observed the following phishing text messages:

  • We've noticed a discrepancy in your contact information, please update your information to avoid restrictions on your account[.]applesecured01[.]com
  • Your last payment failed, please update your payment information {URL}
  • Support has noticed a billing error, all features will be disabled until we receive a response. please visit {URL}
  • For your protection, your login has been automatically paused. please verify your identity today or your account will be disabled. {URL}

The researchers offer the following advice to help users avoid falling for these attacks:

  • Double-check senders' email addresses or phone numbers, but also keep in mind that caller/sender IDs can be spoofed
  • Never share any verification codes with anyone
  • Don’t click on links or buttons from unknown sources

New-school security awareness training can enable your employees to follow security best practices so they can avoid falling for social engineering attacks.


What KnowBe4 Customers Say

"I asked Ayla to provide your information to me so I could let you know how great Ayla has been during her time as our KnowBe4 rep. She is extremely knowledgeable about the product and is a great ambassador for the brand.

"Our meetings identified all the ways in which I could increase participation, reduce misconfigurations, and were great training on how to use the app. My CIO is impressed with the improvements, and we can't wait to roll out our next set of trainings during our Fall semester. I felt like I had a good grasp on the console before we started our meetings, but was I mistaken.

"I've had many different reps across many different vendors, and I just wanted you to know that Ayla is among the best I've ever worked with! I wish more vendors did the sort of checkup Ayla provided. I hope I get to work with her again down the road."

- G.N., Information Security Analyst

The 10 Interesting News Items This Week
  1. ITRC report says "Phishing remained the No. 1 root cause of data compromises in first half 2022":

  2. Russian Information Operations Aim to Divide the Western Coalition on Ukraine:

  3. Russian? Hackers posing as Merkel target ECB's Lagarde - German source:

  4. Feds Offer $5 Million for Information on North Korean Cyber Threats:

  5. Google's AI spotlights a human glitch: Mistaking fluent speech for fluent thought:

  6. What Do All of Those Cloud Cybersecurity Acronyms Mean?:

  7. Florida's New Ransomware and Cybersecurity Requirements/Restrictions:

  8. Don't Pay Ransoms, UK Government and Privacy Watchdog Urge:

  9. Barracuda report: Almost everyone faced an industrial attack in the last year:

  10. First Cyber Safety Review Board report finds Log4j has become an 'endemic vulnerability':
