CyberheistNews Vol 12 #46 [EYE OPENER] Here Is What You Can Do to Inspect SMS URL Links Before Clicking

Cyberheist News

CyberheistNews Vol 12 #46  |   November 15th, 2022

[EYE OPENER] Here Is What You Can Do to Inspect SMS URL Links Before ClickingStu Sjouwerman SACP

By Roger A. Grimes.

Phishing via Short Message Service (SMS) texts, what is known as smishing, is becoming increasingly common.

There is probably not a person on Earth who does not get at least one smishing message a month. It is a big problem.

The U.S. government has been warning about them for years, including here:

We have been warning about SMS scams for years as well, including here:

The Problem With SMS Messages

Unlike Internet browsers and email programs that display URL links, you cannot "hover" over a link to see what it really is or where it will take you. The good news is that what you see is what you get. There is no need to hover.

What you can see is the real link…at least the initial link that is being displayed. There is no secondary link "under-the-covers" that is the real link, like you get with non-SMS messages. That is the only good news.

The bad news is that most of the links shown in SMS are "shortened" links that lead to other links which may lead to other links with no good way to inspect or filter them before you and your phone arrive at the final destination.

Unfortunately, there are far less methods and tools to examine the links you can see in an SMS message to determine if they are going to take you to a legitimate or malicious site. In the non-SMS-message world, you cannot only hover over the link, but there is likely to be multiple content-inspecting tools which will try to determine if the involved link is malicious or not.

In the regular computer world, usually your Internet browser or email program has content inspection built-in, you probably have an antivirus program that inspects all downloaded content, and you or your organization may have additional layers of inspection, all of which help to detect and block malicious content. They do not always succeed, but at least you have a defense-in-depth chance. Not so much with SMS.

Inspecting SMS Links

There are a variety of tricks used by SMS phishers that make smishing harder to review. Here are some of the issues and how to mitigate them. Most SMS links are created with "shortening services," which take you to a longer eventual destination link and substitute it with something shorter. These services became vogue back when Twitter only allowed 140-character messages.

Any included URL could easily take up all 140 characters or at least enough of them that typing in a useful message became difficult. Today, there are dozens of URL shortening services. The top public ones are:

  • ly
  • gl (Google)
  • com
  • co (Twitter)

It is the rare smishing message that does not use a shortened URL. Shortening is so common and useful that malware developers often develop their own shortening services so they can generate shortened URLs that look legitimate.

The good thing about shortened URLs that they can be "expanded" without having to actually click on them. There are almost as many "expander" websites that will expand shortened URLs for you as there are shortening services. You copy or type in the shortened URL and it tells you what the longer URL substitution is. The one I use most of the time is Expand URL.

Unfortunately, many smishes use "nested" shortened URLs, sort of like a digital Russian Matryoshka dolls. They will have a shortened URL that leads to another shortened URL that leads to another shortened URL. Turns out many malware and URL inspection services do not handle nesting at all or only through a certain number of nestings (say three or four). The more nestings a smish can use, the more likely they are to avoid malware detection.

[CONTINUED] at the KnowBe4 blog with screenshots, examples and (a lot of) links:

[New PhishER Feature] Turn the Tables on the Cybercriminals with PhishFlip

Cybercriminals are always coming up with new, devious phishing techniques to trick your users. PhishFlip is a new PhishER feature that allows you to respond in real time and turn the tables on these threat actors. With PhishFlip, you can now immediately "flip" a dangerous attack into an instant real-world training opportunity for your users.

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. You can now combine your existing PhishRIP email quarantine capability with the new PhishFlip feature that automatically replaces active phishing threats with a new defanged look-alike back into your users' mailbox.

The new PhishFlip feature is included in PhishER—yes you read that right, no extra cost— so now you can turn the tables on these threat actors and flip targeted phishing attacks into a simulated phishing test for all users. This new feature dramatically reduces data breach risk and the burden on your IT and InfoSec teams.

See how you can best manage your user-reported messages.

Join us THIS WEEK, Wednesday, November 16 @ 2:00 PM (ET) for a live 30-minute demonstration of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software. With PhishER you can:

  • NEW! Automatically flip active phishing attacks into safe simulated phishing campaigns with PhishFlip. You can even replace active phishing emails with safe look-alikes in your user's inbox.
  • Easily search, find, and remove email threats with PhishRIP, PhishER's email quarantine feature for Microsoft 365 and Google Workspace
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easy integration with KnowBe4's email add-in button, Phish Alert, or forwarding to a mailbox works too!

Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: THIS WEEK, Wednesday, November 16 @ 2:00 PM (ET)

Save My Spot!

Cookie-stealing Feature Added by Phishing-as-a-Service Provider to Bypass MFA

The Robin Banks phishing-as-a-service platform now has a feature to bypass multi-factor authentication by stealing login session cookies, according to researchers at IronNet. The phishing kit's developer used an open-source tool to implement this feature, which targets Google, Yahoo and Outlook accounts.

"Like many other open-source tools, Evilginx2 has become very popular among cybercriminals as it offers an easy way to launch adversary-in-the-middle (AiTM) attacks with a pre-built framework for phishing login credentials and authentication tokens (cookies)," the researchers write. "This, as a result, allows the attacker to bypass 2FA. Evilginx2 works by creating a reverse proxy.

"Once a user is lured to the phishing site, they are presented with a phishing page (via phishlets) with localized SSL certificates. The user is proxied internally, and once a successful login occurs to the destination (i.e. Gmail), the username, password, and login token are captured. The attacker can then view these stolen credentials through the Robin Banks GUI, their Telegram bot, or the evilginx2 server terminal. From there, the attacker can open their own browser, insert the stolen login token, enter the credentials to successfully bypass 2FA, and access the desired account."

IronNet notes that phishing kits are increasingly including ways to get around multi-factor authentication.

"Robin Banks' introduction of this new cookie-stealing feature is somewhat to be expected given the growing need for threat actors to bypass MFA for initial access," the researchers write. "With more and more organizations (hopefully) requiring 2FA and multi-factor authentication (MFA) to inhibit easy unauthorized access to user accounts, credential-stealing alone only goes so far.

"This is why we have seen a growing trend amongst threat actors devising ways to bypass MFA, such as through MFA fatigue or cookie-stealing." New-school security awareness training enables your employees to follow security best practices so they can thwart social engineering attacks.

Blog post with links:

[FREE RESOURCE KIT] Are Your Users Aware of the Holiday Phishing Scams Cybercriminals Will Be Sending Them?

It's the busiest time of year for everyone, especially cybercriminals. They know surges in online shopping, holiday travel, and time constraints can make it easier to catch users off their guard with relevant schemes.

That's why we put together this resource kit to help your users make smarter security decisions every day.

Here is what you'll get:

  • Free video module for your users "Stay Safe for the Holidays," available in 10 languages
  • Free training module for your users "Staying Safe for the Holidays," available in nine languages
  • Resources to share with your users including and educational video, plus security documents and digital signage to reinforce the free modules included in the kit
  • Newsletters about holiday shopping and travel safety for your users
  • Access to resources for you to help with security planning for the upcoming year

And to make life even easier, you will have printable and digital assets that you can use to promote cybersecurity awareness in your organization throughout the holiday season.

Get your kit now, and please send this to your friends:

New Business Email Compromise Gang Impersonates Lawyers

A criminal gang is launching business email compromise (BEC) attacks by posing as "real attorneys, law firms, and debt recovery services." The attackers send legitimate-looking invoices tailored to the targeted organization, asking for a payment of tens of thousands of dollars.

"These sophisticated invoices also list a bill number, account reference number, bank account details, and in Europe the company's actual VAT ID. Some invoices even include a 'notification of rights' and information about who to contact with questions or concerns. Based on the complexity and detailed nature of the invoices we've observed, it's possible that Crimson Kingsnake is using altered versions of legitimate invoices used by the impersonated firms."

If the employee refuses to authorize the transaction, the attackers will sometimes pose as an executive at the organization and send the employee an email granting permission to make the payment.

"When the group meets resistance from a targeted employee, Crimson Kingsnake occasionally adapts their tactics to impersonate a second persona: an executive at the targeted company," the researchers write. "When a Crimson Kingsnake actor is questioned about the purpose of an invoice payment, we've observed instances where the attacker sends a new email with a display name mimicking a company executive. In this email, the actor clarifies the purpose of the invoice, often referencing something that supposedly happened several months before, and 'authorizes' the employee to proceed with the payment."

The researchers note that the user could recognize these emails as fake if they know where to look for the sender's email address, but the attackers have included the executive’s real email in the display name.

Abnormal Security concludes that organizations should implement modern email security solutions, as well as providing training for employees to recognize these attacks. "If these attacks do end up in an inbox, ensuring that there are robust procedures in place for outgoing payments is extremely important," the researchers write.

"Organizations should have a process for validating that money is getting sent to the correct recipient, particularly for these high-dollar invoices. And security awareness training is imperative, as employees should know to carefully consider sender addresses, especially when an email asks them to share sensitive information or send a payment."

Blog post with links:

Re-Check Your Email Attack Surface Now. (We Are Always Adding New Breaches)

Your users are your largest attack surface. Data breaches are getting larger and more frequent. Cybercriminals are getting smarter every year. Add it all up and your organization's risk skyrockets with the amount of your users' credentials that are exposed.

It's time to re-check your email attack surface.

Find out your current email attack surface now with KnowBe4's Email Exposure Check Pro. EEC Pro identifies your at-risk users by crawling business social media information and now also thousands of breach databases.

EEC Pro leverages one of the largest and most up-to-date breach data sources to help you find even more of your users' compromised accounts that have been exposed in the most recent data breaches - fast.

Do this complimentary test now!

Get your EEC Pro Report in less than 5 minutes. It's often an eye-opening discovery. You are probably not going to like the results...

Get Your Report:

[INFOGRAPHIC] Why Cybercrime Thrives. See The Dark Web Price Index 2022

This is great to send to the executives that hold your infosec budget.

"Did you know that the internet you're familiar with is only 10% of the total data that makes up the World Wide Web? The rest of the web is hidden from plain sight, and requires special access to view. It's known as the Deep Web, and nestled far down in the depths of it is a dark, sometimes dangerous place, known as the darknet, or Dark Web.

"This graphic by Enrique Mendoza provides us a glimpse at this shrouded part of the internet, showing us some of the common items that are sold on there, and how much they typically cost."

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [NEW PRODUCT] KnowBe4's New SecurityCoach Helps to Reduce Risky Behavior With Real-Time Security Coaching:

PPS: Security Guru Bruce Schneier highlighted "Defeating Phishing-Resistant Multifactor Authentication":

Quotes of the Week  
"The longer I live, the more convinced am I that this planet is used by other planets as a lunatic asylum."
- George Bernard Shaw - Dramatist (1856 - 1950)

"Never attribute to malice that which is adequately explained by stupidity."
- Robert Heinlein - Writer (1907 - 1988)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

FBI Warns of Tech Support Scams That Impersonate Payment Portals for Fake Refunds

In the latest FBI warning, cybercriminals are now impersonating financial institutions' refund payment portals. This effort is to contain victims' personal information with legitimacy.

These bad actors are using social engineering to trick victims into giving them access to their computer by impersonating representatives of technical repair services. In details from the FBI's public service announcement lists the following, "Within the body of the email, the scammers will indicate the specific service to be renewed with a price commonly in the range of $300 to $500 USD, provoking a sense of urgency in the victims to contact them and provide information for a refund."

Although tech support scams are very common, the FBI did note that as recent as last month scammers are using scripts that portray a refund payment portal when it is actually a malicious site.

BleepingComputer found samples of these scripts below pretending to be various financial institutions. The FBI is encouraging any potential victims to not grant remote access at all to any unknown person and to not send wire transfers at all through online or phone communications. Frequent new-school security awareness training is highly encouraged for your users to avoid these types of tech support scams in their day-to-day operations.

Blog post with links:

[EYES OUT] This Scary Strain of Sleeper Ransomware Is Really a Data Wiper in Disguise

This Data wiper replaces every other 666 bytes of data with junk. Techradar reported that a new data-wiping malware has been detected, infecting more and more endpoints with each passing day - but what's most curious is that it poses as ransomware.

The malware is called Azov Ransomware, and when run on a victim's device, it overwrites file data with junk, rendering the files useless. The overwrites are cyclical - the malware would overwrite 666 bytes of data, then leave the next 666 intact, then repeat the process.

Even though there is no way to retrieve the corrupt files, there is no decryption key or ransom demands, the malware(opens in new tab) still comes with a ransom note, which says that victims should reach out to security researchers and journalists for help.

It's a Sleeper Program That Wakes up October 27th

Another curious thing about Azov Ransomware is that it comes with a trigger, having it sit idly on the endpoint until October 27, 10:14:30 AM UTC, after which all hell breaks loose. When this date comes, the victim doesn't necessarily need to run the exact executable - running pretty much any program will do. That's because the wiper will infect all other 64-bit executables on the devices whose file path does not hold specific strings.

Blog post with links:

What KnowBe4 Customers Say

"I wanted to let you know how appreciative I am of the support that Kim has provided throughout my entire task and for the future. She has been positive, supportive and assertive with any KB4 issues that I ask her all the time. Because of her my concerns are eased up. On a day-to-day basis. I’m just a satisfied KB4 user. Thank you."

- C.K., IT Risk Analyst – ETS Cyber Security Tech Risk

"Hi Stu! Absolutely a happy camper. The entire team at KnowBe4 has been great. I had some challenges on my side with onboarding and getting this program started. Dillon never gave up on me. He always followed up and made sure that I had everything I needed to get set up. I also had a very positive experience with the support team. I couldn't be happier with the product, and I have had positive feedback from my users about the training. They appreciate short, targeted sessions. I am ready to start harnessing the power of the KnowBe4 platform and get some real cyber security training going."

- S.A., IT Manager

The 10 Interesting News Items This Week
  1. SolarWinds Settles 2020 Supply Chain Shareholder Lawsuit for $26M:

  2. Venturebeat: "What is social engineering? Definition, types, attack techniques":

  3. Russia's Sway Over Criminal Ransomware Gangs Is Coming Into Focus:

  4. China is likely stockpiling and deploying vulnerabilities, says Microsoft. (But who isn't?):

  5. Hushpuppi: Notorious Nigerian fraudster jailed for 11 years in U.S.:

  6. Crimson Kingsnake: BEC Group Impersonates International Law Firms:

  7. Swiss Re wants government bail out as cybercrime insurance costs spike:

  8. "So long and thanks for all the bits." Great read by Ian Levy, NCSC's departing Technical Director:

  9. Meet Worok, the cyber espionage group hiding malware within PNG image files:

  10. Financials See Increase in Phishing Attacks, Compromised Sites Lead Staging Methods in Q3:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Topics: Cybercrime, KnowBe4

Subscribe To Our Blog

Free Phishing Security Resource Kit

Get the latest about social engineering

Subscribe to CyberheistNews