CyberheistNews Vol 13 #04 [Heads Up] Unusual Blank-Image Phishing Attacks Impersonate DocuSign

Cyberheist News

CyberheistNews Vol 13 #04  |   January 24th, 2023

[Heads Up] Unusual Blank-Image Phishing Attacks Impersonate DocuSign
Stu Sjouwerman SACP

An unusual phishing technique has surfaced this week. Avanan, a Check Point Software company, released a blog Thursday morning detailing a new attack in which hackers hide malicious content inside a blank image within an HTML attachment in phishing emails claiming to be from DocuSign.

The campaign begins with an email appearing to originate from DocuSign, containing a link and an HTML attachment. The phishing email requests the review and signature of a document claiming to be "remittance advice."

The "View Completed Document" button, if clicked, links to a clean, legitimate webpage; the attachment, however, is not clean. If the attachment is opened, the blank-image attack begins. It includes a Base64-encoded SVG image containing JavaScript that redirects to the malicious link.

Hiding the malware within the empty image attachment conceals the true intent of the message, and because the email body itself carries only a legitimate link, the email can bypass link analysis and security scanners. Researchers advise caution around emails containing HTML, suggesting that HTML attachments be blocked outright and treated like executables.
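As an added illustration (not code from Avanan, Check Point or KnowBe4), the following Python checks an HTML attachment for the pattern described above: a Base64 data URI wrapping an SVG that carries script, event handlers or a location redirect. The sample attachment, its 1x1 SVG and the placeholder redirect URL are constructed for this example.

```python
import base64
import binascii
import re

DATA_URI_RE = re.compile(r'data:([\w/+.-]+);base64,([A-Za-z0-9+/=\s]+)', re.I)
ACTIVE_CONTENT_RE = re.compile(r'<script\b|\bon\w+\s*=|javascript:', re.I)
REDIRECT_RE = re.compile(r'\blocation(?:\.href|\.replace|\.assign)?\s*[=(]', re.I)

def make_attachment(svg_text):
    """Build an HTML attachment whose <img> src is a Base64 data URI of svg_text."""
    b64 = base64.b64encode(svg_text.encode()).decode()
    return ('<html><body><p>Remittance advice attached.</p>'
            '<img src="data:image/svg+xml;base64,' + b64 + '"></body></html>')

# Constructed sample (not a real lure): a 1x1 SVG whose only payload is a script
# that redirects the browser. The URL is a placeholder.
SAMPLE_ATTACHMENT = make_attachment(
    '<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">'
    '<script>window.location.href="https://example.invalid/placeholder";</script>'
    '</svg>'
)

def decode_data_uris(html):
    """Return (mime, decoded_text) for every Base64 data URI in html."""
    found = []
    for mime, b64 in DATA_URI_RE.findall(html):
        try:
            raw = base64.b64decode(re.sub(r'\s+', '', b64), validate=True)
        except binascii.Error:
            continue  # not valid Base64; leave it to other checks
        found.append((mime.lower(), raw.decode('utf-8', errors='replace')))
    return found

def scan_html_attachment(html):
    """Flag embedded SVGs carrying script, event handlers or javascript: URLs.
    Returns a list of findings; an empty list means nothing matched."""
    findings = []
    for mime, body in decode_data_uris(html):
        if 'svg' not in mime and '<svg' not in body.lower():
            continue  # a plain raster image is not this pattern
        if ACTIVE_CONTENT_RE.search(body):
            reason = 'active content inside embedded SVG'
            if REDIRECT_RE.search(body):
                reason += ' with location redirect'
            findings.append({'mime': mime, 'reason': reason})
    return findings

if __name__ == '__main__':
    print(scan_html_attachment(SAMPLE_ATTACHMENT))
```

A mail gateway or triage script would run this over each HTML attachment body; a non-empty result is a reason to quarantine rather than a verdict on its own.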

Jeremy Fuchs, an Avanan Cybersecurity Researcher/Analyst, points out that this amounts to a new variation of existing attack methods. "Hackers can target practically anyone with this technique," he says. "Like most attacks, the idea is to use it to get something from the end-user. Any user with access to credentials or money is a viable target.

"HTML attachments aren't new, nor is using Base64 trickery. What is new and unique is using an empty image with active content inside—a JavaScript image—which redirects to a malicious URL. It's essentially using a dangerous image, with active content inside that traditional services like VirusTotal don't detect."

The threat actors evolve, and they'll inevitably come up with novel approaches, like this one, that can catch out defenders until the protective tools catch up. An informed, alert user is the best and final line of defense. New-school security awareness training gives your organization an essential layer of security by enabling your employees to recognize social engineering attacks, even innovative ones like the blank-image phish hook.

Blog post with links:

[New PhishER Feature] Turn the Tables on the Cybercriminals with PhishFlip

Cybercriminals are always coming up with new, devious phishing techniques to trick your users. PhishFlip is a new PhishER feature that allows you to respond in real time and turn the tables on these threat actors. With PhishFlip, you can now immediately "flip" a dangerous attack into an instant real-world training opportunity for your users.

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. You can now combine your existing PhishRIP email quarantine capability with the new PhishFlip feature that automatically replaces active phishing threats with a new defanged look-alike back into your users' mailbox.

The new PhishFlip feature is included in PhishER—yes you read that right, no extra cost— so now you can turn the tables on these threat actors and flip targeted phishing attacks into a simulated phishing test for all users. This new feature dramatically reduces data breach risk and the burden on your IT and InfoSec teams.

See how you can best manage your user-reported messages.

Join us TOMORROW, Wednesday, January 25, @ 2:00 PM (ET) for a live 30-minute demo of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software.

With PhishER you can:

  • NEW! Automatically flip active phishing attacks into safe simulated phishing campaigns with PhishFlip. You can even replace active phishing emails with safe look-alikes in your user's inbox.
  • Easily search, find, and remove email threats with PhishRIP, PhishER's email quarantine feature for Microsoft 365 and Google Workspace
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easy integration with KnowBe4's email add-in button, Phish Alert, or forwarding to a mailbox works too!

Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: TOMORROW, Wednesday, January 25, @ 2:00 PM (ET)

Save My Spot!

Phishing for Industrial Control Systems

Mandiant has published a report describing phishing emails that have breached orgs in the industrial sector. Mandiant explains that the majority of phishing attacks are untargeted and opportunistic. Most attackers wait to see which organizations they can compromise, and then decide how to monetize their successful attacks.

"Most of the phishing activity we observed across our industrial-themed phishing samples was distributed en masse," the researchers write. "Opportunistic phishing attempts often use weaker methods that are easily detected and blocked by automated systems such as enterprise email scanning solutions or endpoint protection software.

"Most often, this activity is associated with common financial crime schemes such as BEC, credential phishing, money mule and shipping scams, IT remote access or individual extortion and fake blackmail."

When phishing attacks breach organizations that work in the industrial sector, the attackers can sell their access to threat actors that are interested in carrying out more targeted attacks against operational technology (OT) systems.

"Groups involved in opportunistic phishing typically hold no interest in specific industries or organizations," Mandiant says. "However, actors that succeed in compromising industrial victims could then take advantage by selling the access to other actors at a premium if they realize that it provides potential access to OT.

"Regardless of the complexity of a phishing compromise, a successful attack can help actors cross the initial borders of target networks without attracting attention."

[CONTINUED] Blog post with links:

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, February 1, @ 2:00 PM (ET), for a live demo of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! KnowBe4 Mobile Learner App - Users can now train anytime, anywhere!
  • NEW! Security Culture Benchmarking feature lets you compare your organization's security culture with your peers
  • NEW! AI-Driven phishing and training recommendations for your end users
  • Did You Know? You can upload your own SCORM training modules into your account for home workers
  • Active Directory or SCIM Integration to easily upload user data, eliminating the need to manually manage user changes

Find out how 50,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, February 1, @ 2:00 PM (ET)

Save My Spot!

The Amazing Thing Is That DHL Phishing Campaigns STILL Work

Researchers at Armorblox warn that a phishing campaign is impersonating DHL with fake shipping invoices.

"The subject of this email aimed to instill an automatic level of trust through the inclusion of the well-known and trusted brand name, DHL, reading: 'DHL Shipping Document/Invoice Receipt,'" the researchers write. "The inclusion of a legitimate brand name within the email subject encourages victims to open the email in a timely fashion, assuming the email is a legitimate communication from the brand that needs attention.

"At first glance, the email seems to be a legitimate communication from international shipping company, DHL, with the sender name and email address reading DHL but actually from the email address dhl@vaimti-yacht[.]com." However, the emails look close enough to legitimate DHL notifications, and they were able to bypass security filters.

"The body of the email continues to impersonate the well-known brand, through the inclusion of the company logo and brand colors and signature pertaining to the DHL customer service department," Armorblox says. "The email looks like a notification from DHL, notifying recipients about a parcel sent by a customer that needed to be rerouted to the correct delivery address.

"The body of the email has one simple call to action for the recipient, to view the attached document and confirm the destination address of the parcel shipment."

[CONTINUED] Blog post with links:

[NEW WHITEPAPER] 4 Reasons Why SecurityCoach Helps Users Help Themselves

Your employees are your largest attack surface.

For too long the human component of cybersecurity has been neglected, leaving employees vulnerable and creating an easy target for cybercriminals to exploit.

But your users want to do the right thing. Rather than a hurdle to be overcome, organizations need to think of their employee base as an asset, once properly equipped.

In this whitepaper, learn how KnowBe4's SecurityCoach tool helps strengthen your security culture by enabling real-time coaching of your users in response to their risky security behavior. The real-time, focused, security awareness training is called coaching because these quick messaging opportunities are used to nudge users toward the right decisions and behaviors.

Read this whitepaper to learn how SecurityCoach can:

  • Deliver the right education where needed to maximize its impact
  • Encourage real-time learning with content provided when and where it will matter most
  • Provide critical insights to management to help determine where more focused training is needed

Download this whitepaper today!

[Eye Popper] Dramatic Drop In Ransomware Victims Who Paid Last Year

Finally, some good news from the ransomware front! Despite bad actors launching a number of ransomware campaigns throughout 2022, organizations refused to submit, paying criminals an estimated $456.8 million - 40% less than the astounding total of $765 million in ransom payments from 2020 and 2021.

According to blockchain analytics company Chainalysis, this decline is not attributed to fewer attacks but rather victims taking a stand against extortionists.

In a trend that has emerged since 2019, an increasing number of ransomware victims are refusing to pay the extortion demands imposed by threat actors. According to cyber-intelligence firm Coveware, this is shown in their data, which demonstrates a consistently declining rate of victim payments.

This remarkable shift has occurred in how ransomware victims respond to being infected. In 2019, an overwhelming majority of 76% decided to pay the ransom. By 2022, however, that number had dropped drastically to 41%.

Evidently, many organizations are now taking measures beforehand or finding alternative solutions after becoming victims instead of giving in to extortioners' demands and paying up. This very encouraging change can likely be attributed to three causes:

[CONTINUED] Blog post with links:

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [NEW BUDGET AMMO] Send this excellent 5-min Roger Grimes video to your c-level with your budget request:

PPS: [KILLER MOBILE APP] Protect Your Largest Attack Surface with Anytime, Anywhere Security Awareness and Compliance Training at No Additional Cost:

Quotes of the Week  
"The possibilities are numerous once we decide to act and not react."
- George Bernard Shaw - Dramatist (1856 - 1950)

"Life must be lived as play."
- Plato - Philosopher (427 - 347 BC)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

[HUH?] Russian Mercenary Group Wagner Group Sponsors a Hackathon

Cyberwire reported: "Russia's Wagner Group private military corporation hasn't neglected information technology, sponsoring a hackathon last month designed to contribute to the "development of IT projects to protect the interests of the Russian army."

The hackathon offers another example of the ways in which criminals serve as cyber auxiliaries for the Russian organs. The Atlantic Council reports that the winners were, from first to third place, GrAILab Development, SR Data-Iskander, and Artistrazh. Artistrazh's co-founder is one Igor Turashev, wanted by the U.S. FBI for his involvement with, among other things, Dridex banking malware.

Mr. Turashev was indicted in the Western District of Pennsylvania on November 13, 2019. The charges he faces, if the U.S. ever gets its hands on him, include "Conspiracy, Conspiracy to Commit Fraud, Wire Fraud, Bank Fraud, and Intentional Damage to a Computer." Hmmm.

[WHOA NELLIE] Cybercrime Damage Is Predicted to Cost the World $8 Trillion in 2023?

Cybercrime is predicted to cost the world $8 trillion in 2023, according to Cybersecurity Ventures. If it were measured as a country, then cybercrime would be the world's third largest economy after the U.S. and China.

"We expect global cybercrime damage costs to grow by 15 percent per year over the next three years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015."

"Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm."

The 2022 Official Cybercrime Report published by Cybersecurity Ventures and sponsored by eSentire, provides cyber economic facts, figures, predictions and statistics that convey the magnitude of the cyber threat we are up against, and market data to help understand what can be done about it.

Link to article and VIDEO:

What KnowBe4 Customers Say

"Hi Stu, I am very happy with your service and especially the personal contact, Alexandra, who helps me navigate the site. Although the site is excellent, it saves me a lot of time to have Alexandra assist me. I am just sorry I did not find your service sooner :)"

- C.S., HR & Administration Director

"Hi Stu, Thanks for reaching out. We are loving KnowBe4! When we signed on, I was concerned about "forcing" the staff to attend yet another tech training, but the reviews from staff have been overwhelmingly positive. As our org's liaison with KnowBe4, I have to say the support has been fantastic! Christian M. is my rep, and he has been very helpful and responsive every step of the way.

"On a personal note, my co-techie and I are totally addicted to The Inside Man. We were just supposed to be previewing videos for possible training campaigns, and we couldn't stop watching! Thanks for providing a great product and having customer service reps who are friendly, helpful, and encouraging."

- M.K., Head of Digital Services

The 10 Interesting News Items This Week
  1. [RoboHacker!] DANG. ChatGPT Creates Polymorphic Malware:

  2. The Biggest Global Risks of 2023. Check out where Cyberattacks landed!:

  3. Cybercrime The World's Third Largest Economy After the U.S. and China?!:

  4. Cyberattackers Pivot to Target Core Enterprise Tools CircleCI, LastPass, Okta, and Slack:

  5. TikTok access from government devices now restricted in more than half of U.S. states:

  6. WSJ Cyber Daily: Private-Equity Firms Step Up Cyber Scrutiny At Portfolio Companies:

  7. Ukraine links data-wiping attack on news agency to Russian hackers:

  8. OODA CEO Matt Devost on The Rise of AI-Powered Weapons and the Implications of OpenAI's ChatGPT:

  9. Ransomware attack on maritime software impacts 1,000 ships:

  10. Crypto exchanges freeze accounts tied to North Korea's notorious Lazarus Group (10 years too late):

  11. [HUMAN ERROR BONUS] Why a NOTAM Outage Grounds Flights (Scalable mission-critical systems with failover anyone?):

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
