CyberheistNews Vol 13 #06 [Eye Opener] Russian and Iranian Spear Phishing Campaigns Are Running Rampant in the U.K.




CyberheistNews Vol 13 #06  |   February 7th, 2023

[Eye Opener] Russian and Iranian Spear Phishing Campaigns Are Running Rampant in the U.K.
Stu Sjouwerman, SACP

The U.K.'s National Cyber Security Centre (NCSC) has described two separate spear phishing campaigns launched by Russia's SEABORGIUM threat actor and Iran's TA453 (also known as Charming Kitten). The NCSC says both threat actors have targeted entities in the U.K., including "academia, defence, governmental orgs, NGOs, think-tanks, as well as politicians, journalists, and activists."

The threat actors first conduct reconnaissance on their targets by researching social media and other open-source information. After this, they'll make contact under the guise of a journalist, colleague, or someone else the victim would be likely to respond to.

"Having taken the time to research their targets' interests and contacts to create a believable approach, SEABORGIUM and TA453 now start to build trust," the report says. "They often begin by establishing benign contact on a topic they hope will engage their targets.

"There is often some correspondence between attacker and target, sometimes over an extended period, as the attacker builds rapport." The threat actors then send the victim a link disguised as something related to their previous conversations.

"Once trust is established, the attacker uses typical phishing tradecraft and shares a link, apparently to a document or website of interest," the NCSC says. "This leads the target to an actor-controlled server, prompting the target to enter account credentials. The malicious link may be a URL in an email message, or the actor may embed a link in a document on OneDrive, GoogleDrive, or other file-sharing platforms.

"TA453 has even shared malicious links disguised as Zoom meeting URLs, and in one case, even set up a Zoom call with the target to share the malicious URL in the chat bar during the call. Industry partners have also reported the use of multi-persona impersonation (use of two or more actor-controlled personas on a spear-phishing thread) to add the appearance of legitimacy."

New-school security awareness training enables your employees to make smarter security decisions every day and spot these attacks for what they are.
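One check a mail-filtering or triage team can automate against the tradecraft described above (anchor text that says OneDrive or Zoom while the link resolves somewhere else, or a brand's domain buried inside a foreign hostname) is a comparison of what the recipient sees with where the link actually goes. The Python below is an added example written for this newsletter, not code from the NCSC or from KnowBe4; the brand-to-domain map and the HTML sample are constructed assumptions, and the registrable-domain helper is a deliberate simplification that real tooling would replace with a public-suffix-list lookup.

```python
"""Flag e-mail links whose visible text disguises the real destination."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the registrable domains each impersonated brand legitimately uses.
KNOWN_BRANDS = {
    "zoom": {"zoom.us"},
    "onedrive": {"live.com", "1drv.ms", "sharepoint.com"},
    "google drive": {"google.com"},
}

# Anchor text that is itself a URL or bare host, e.g. "onedrive.live.com/redir?x=1"
_URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a host: a crude eTLD+1 that is good enough for this
    demo (use the public suffix list in real tooling)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def shown_host(text):
    """Host the *recipient* reads in the anchor text, or None when the text is
    ordinary words such as 'Join Zoom Meeting'."""
    if not _URL_LIKE.match(text):
        return None
    url = text if "://" in text else "http://" + text
    return urlparse(url).hostname


def check_links(html_body):
    """Return [(href, [reasons])] for every link whose appearance and target disagree."""
    parser = _Anchors()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        reasons = []
        host = (urlparse(href).hostname or "").lower()
        target = registrable(host)
        # 1. Anchor text is a URL: it must point where it claims to.
        visible = shown_host(text)
        if visible and registrable(visible) != target:
            reasons.append(f"text shows {visible} but link goes to {target}")
        low = text.lower()
        for brand, domains in KNOWN_BRANDS.items():
            # 2. Anchor text names a brand: target must be one of that brand's domains.
            if brand in low and target not in domains:
                reasons.append(f"'{brand}' link goes to {target}, not {sorted(domains)}")
            # 3. Lookalike host: brand domain buried in a foreign host (zoom.us.evil.example).
            for legit in domains:
                if legit in host and target not in domains:
                    reasons.append(f"host {host} embeds {legit} but registrable domain is {target}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample body: two disguised links and one genuine one.
SAMPLE_HTML = """
<p>Here is the draft we discussed:
<a href="https://docs-share.example.net/view?id=7">https://onedrive.live.com/redir?id=7</a></p>
<p><a href="https://zoom.us.join-meeting.example.org/j/123">Join Zoom Meeting</a></p>
<p><a href="https://zoom.us/j/123">Join Zoom Meeting</a> (sent by the real organiser)</p>
"""

if __name__ == "__main__":
    for href, why in check_links(SAMPLE_HTML):
        print(href)
        for reason in why:
            print("   -", reason)
```

Only the first two links are reported; the third says Zoom and goes to zoom.us, so it passes all three checks. A link shared inside a Zoom chat or embedded in a OneDrive document never passes through this parser, which is exactly why the NCSC lists those delivery paths: the check covers the mail body and nothing else.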

Blog post with links:
https://blog.knowbe4.com/russian-iranian-spear-phishing-campaigns-in-uk

Artificial Intelligence, ChatGPT and Cybersecurity: A Match Made in Heaven or a Hack Waiting to Happen?

AI is no longer science fiction.

Software vendors have been integrating AI into products for years, which has led to innovations such as improved threat detection and training opportunities. But the emergence of newer technologies like DALL-E and ChatGPT has raised new questions about the real threats AI poses.

In this presentation, James McQuiggan, Security Awareness Advocate at KnowBe4, will discuss the benefits of AI, the potential threats, and strategies you can use to protect your network today and in the future.

You'll learn:

  • The key benefits and uses of AI for cybersecurity
  • How AI could put your organization at risk
  • Strategies for integrating AI into your cybersecurity defenses
  • Why security awareness training is your best, last line of defense

Get the information you need now to protect your network and earn CPE credit for attending!

Date/Time: TOMORROW, Wednesday, February 8, @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot!
https://info.knowbe4.com/ai-chatgpt-and-cybersecurity?partnerref=CHN2

Microsoft OneNote Attachments Become the Latest Method to Spread Malware

With Microsoft now blocking macros by default in Office documents that arrive from the internet, cybercriminals need another way to launch malware that the victim's default software will run for them.

We should expect nothing less of threat actors: with their most reliable asset, Office macros, taken away, the most cunning of them will find alternative methods. The challenge for the more sophisticated cybercriminals is to pick a launcher application that the greatest number of potential victims already have installed.

According to a recent tweet from email security company Proofpoint, a new method involving weaponized OneNote attachments has been spotted in the wild. The initial phish looks relatively standard for a socially engineered email.

The OneNote execution step lands somewhere between unexpected (after all, who ever needs to double-click a button inside an application to open a supported document?) and sort of brilliant (most knowledge workers have rarely used OneNote, so "maybe this is how it works?" is a plausible reaction). The "button" is typically just an image laid over a file embedded in the notebook page; double-clicking it runs that file, and the only thing standing in the way is OneNote's generic warning that opening attachments could harm your computer.

And to boot, the default installation of Office 365 (that is, the Microsoft 365 Apps suite installed on a Windows endpoint) includes OneNote.

The takeaway here is that this is downright dangerous: threat actors have found yet another way to get a user to move their attack forward with a double-click. This example of the constant evolution of the phish is exactly why organizations need to keep users continually enrolled in security awareness training, so that Joe User is always kept on their toes with security top of mind. In the meantime, organizations that do not exchange notebooks by email have little reason to let .one attachments through the mail gateway at all.
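For teams that would rather inspect these attachments than rely on the user, the useful fact is that OneNote stores every embedded file in a FileDataStoreObject (MS-ONESTORE section 2.6.14): a 16-byte header GUID {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}, an 8-byte little-endian length, 12 bytes of unused and reserved fields, the raw file bytes, then a footer GUID. Scanning a .one section for that header is enough to carve out whatever the "button" would launch. The Python below is an added example for this newsletter, not KnowBe4's or Proofpoint's tooling; the section bytes it scans are constructed to mimic the structure rather than taken from a real sample, and the content-based classifier is an assumption meant for mail-gateway triage, not a substitute for detonating the file in a sandbox.

```python
"""Carve files embedded in a OneNote (.one) section and triage them."""
import struct
import uuid

# FileDataStoreObject header/footer GUIDs from MS-ONESTORE, stored on disk in
# mixed-endian (bytes_le) form.
FDSO_HEADER = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
FDSO_FOOTER = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le
# header(16) + cbLength(8) + unused(4) + reserved(8) = offset of the file data
FDSO_DATA_OFFSET = 36

# Assumption: content markers that mean "this will execute if double-clicked".
EXECUTABLE_MARKERS = (b"<script", b"<hta:application", b"wscript", b"cscript",
                      b"powershell", b"cmd.exe", b"cmd /c", b"@echo off", b"createobject(")


def carve_embedded_files(section: bytes) -> list:
    """Return the raw bytes of every embedded file found in a .one section."""
    payloads = []
    pos = 0
    while True:
        i = section.find(FDSO_HEADER, pos)
        if i < 0 or i + FDSO_DATA_OFFSET > len(section):
            break
        (length,) = struct.unpack_from("<Q", section, i + 16)
        start = i + FDSO_DATA_OFFSET
        end = min(start + length, len(section))   # tolerate a truncated last object
        payloads.append(section[start:end])
        pos = end
    return payloads


def classify(payload: bytes) -> str:
    """Coarse content type from magic bytes or script markers in the first 512 bytes."""
    head = payload[:512]
    if head.startswith(b"MZ"):
        return "pe"
    if head.startswith(b"PK\x03\x04"):
        return "zip"
    if head.startswith(b"%PDF"):
        return "pdf"
    if head.startswith((b"\x89PNG", b"\xff\xd8\xff", b"GIF8")):
        return "image"
    if any(marker in head.lower() for marker in EXECUTABLE_MARKERS):
        return "script"
    return "unknown"


def triage(section: bytes):
    """Block the attachment if anything carved out of it is a binary or a script."""
    kinds = [classify(p) for p in carve_embedded_files(section)]
    verdict = "block" if any(k in ("pe", "script") for k in kinds) else "allow"
    return verdict, kinds


def _fdso(data: bytes) -> bytes:
    """Wrap bytes in a FileDataStoreObject (used only to build the sample)."""
    return FDSO_HEADER + struct.pack("<Q", len(data)) + b"\x00" * 12 + data + FDSO_FOOTER


# Constructed sample: a decoy image followed by a batch script, padded with
# filler bytes standing in for the rest of a section. Not a real notebook.
SAMPLE_SECTION = (
    b"\x00" * 64
    + _fdso(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    + b"\x00" * 16
    + _fdso(b"@echo off\r\necho constructed sample, not a real dropper\r\n")
    + b"\x00" * 32
)

if __name__ == "__main__":
    verdict, kinds = triage(SAMPLE_SECTION)
    print(verdict, kinds)
```

The decoy image is exactly the "button" graphic the user is told to double-click; the script behind it is what actually runs. Any payload that looks like a PE or a script is enough to hold the message, and the unknown bucket is where a gateway should hand off to a sandbox rather than wave the file through.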

Blog post with screenshots and links:
https://blog.knowbe4.com/microsoft-onenote-attachments-spread-malware

[New PhishER Feature] Immediately Add User-Reported Email Threats to Your M365 Blocklist

Now there's a super easy way to keep malicious emails away from all your users through the power of the KnowBe4 PhishER platform!

The new PhishER Blocklist feature lets you use reported messages to prevent future malicious email with the same sender, URL or attachment from reaching other users. Now you can create a unique list of blocklist entries and dramatically improve your Microsoft 365 email filters without ever leaving the PhishER console.

Join us Wednesday, February 15, @ 2:00 PM (ET) for a live 30-minute demo of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software.

With PhishER you can:

  • NEW! Immediately add user-reported email threats to your Microsoft 365 blocklist from your PhishER console
  • Easily search, find, and remove email threats with PhishRIP, PhishER's email quarantine feature for Microsoft 365 and Google Workspace
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easy integration with KnowBe4's email add-in button, Phish Alert, or forwarding to a mailbox works too!

Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: Wednesday, February 15, @ 2:00 PM (ET)

Save My Spot!
https://info.knowbe4.com/phisher-demo-february-2023?partnerref=CHN

Travel-Themed Phishing Attacks Lure Victims with Promises of Free Tickets, Points and Exclusive Deals

New analysis of December and January emails shows massive spikes in attacks aimed at stealing personal information and credit cards under the guise of once-in-a-lifetime travel deals.

Who wouldn't want a free airline ticket, or a ton of frequent flyer points in exchange for little-to-no effort? That's exactly the sentiment attackers are going for, according to new analysis by email security vendor Bitdefender's Antispam Lab. Nearly 10% of all spam was travel themed between December 20 and January 10, with a little more than half (53%) of it targeting the United States.

Many of these scams focus on credential theft. According to the findings, travel rewards programs and gift cards are the most frequently used lures, because the personal details held in those programs (birthdates, Social Security numbers and the like) can be monetized by selling them on the dark web. Bitdefender offered up a few examples of these emails; notice how legit they look:

[CONTINUED] Blog post with screenshots and links:
https://blog.knowbe4.com/travel-themed-phishing-attacks-lure-victims

Buyer's Guide: Using SOAR in Your Automated Incident Response Plan

End users report emails they think could be malicious, resulting in a lot of alert noise your security teams must analyze. The question: how to effectively manage the volume of traffic and stop email threats that are truly malicious from reaching your employees' mailboxes in the first place?

A Security Orchestration, Automation and Response (SOAR) platform will help, but you need a roadmap to determine requirements, vet SOAR providers and properly plan deployments.

Paul Wagenseil from SC Media walks you through the process, using KnowBe4's PhishER platform as an example.

Get Your Copy Now:
https://info.knowbe4.com/wp-buyers-guide-using-soar-your-automated-incident-response-plan-chn

[Scary Post of the Week] The Profound Danger of Conversational AI

Louis Rosenberg is founder of Unanimous AI and has been awarded more than 300 patents for VR, AR and AI technologies. His post this week at VentureBeat correctly describes how AI can be used for social engineering at scale. Here is an extract and you should read the rest of the article; it's scary.

"I'm deeply concerned about a different type of control problem that is already within our grasp and could pose a major threat to society unless policymakers take rapid action. I'm referring to the increasing possibility that currently available AI technologies can be used to target and manipulate individual users with extreme precision and efficiency. Even worse, this new form of personalized manipulation could be deployed at scale by corporate interests, state actors or even rogue despots to influence broad populations."

"That's because the most efficient and effective deployment mechanism for AI-driven human manipulation is through conversational AI. And, over the last year, a remarkable AI technology called Large Language Models (LLMs) has rapidly reached a maturity level. This has suddenly made natural conversational interactions between targeted users and AI-driven software a viable means of persuasion, coercion, and manipulation."

"This is very dangerous, as we will soon find ourselves in personalized conversations with AI-driven spokespeople that are (a) indistinguishable from authentic humans, (b) inspire more trust than real people, and (c) could be deployed by corporations or state actors to pursue a specific conversational agenda, whether it's to convince people to buy a particular product or believe a particular piece of misinformation."

Warmly recommended scary perspective:
https://venturebeat.com/ai/the-profound-danger-of-conversational-ai/


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Your KnowBe4 Fresh Content Updates from January 2023:
https://blog.knowbe4.com/your-knowbe4-fresh-content-updates-from-january-2023

PPS: [New Whitepaper] 9 Cognitive Biases Hackers Exploit the Most:
https://info.knowbe4.com/wp-nine-cognitive-biases-hackers-exploit-most

Quotes of the Week  
"Only a man who lives not in time but in the present is happy."
- Ludwig Wittgenstein - Philosopher (1889 - 1951)

"These [LLM] systems predict sequences of words in sentences, like autocomplete on steroids. But they don't actually have mechanisms in place to track the truth of what they say."
- Gary Marcus, Professor Emeritus of Cognitive Science, New York University

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-13-06-eye-opener-russian-and-iranian-spear-phishing-campaigns-are-running-rampant-in-the-uk

Security News

BEC Group Launches Hundreds of Campaigns

A business email compromise (BEC) gang has launched more than 350 attacks against organizations in the U.S., according to researchers at Abnormal Security. The threat actor, which Abnormal Security tracks as "Firebrick Ostrich," conducts open-source reconnaissance on their targets in order to construct their scam.

"In contrast to other forms of financial supply chain compromise where an attacker has deep insight into a specific vendor/customer relationship, third-party reconnaissance occurs when an attacker knows that there is a relationship between two organizations but has limited or no knowledge about actual outstanding payments," the researchers write.

"In essence, an attacker in these cases has the necessary context to impersonate a vendor but not enough information to be specific in their payment request."

The threat actor then emails the customer organization posing as the vendor and asks about a payment. "Once an attacker has collected this information, they will then initiate their attack by impersonating the vendor and emailing the customer, inquiring about a potential outstanding payment," the researchers write.

"Because the attacker doesn't have specific knowledge about an actual overdue invoice, these initial emails tend to be more general requests—rather than containing specific details that might be found in a traditional vendor email compromise attack."

In addition, the threat actors can ask the victim to change the vendor's banking information, so that future payments will be sent to the attackers until the vendor notices they haven't been paid.

"Instead of requesting payment for a current invoice, another tactic that a threat actor might use is to simply request that a vendor's stored bank account details be updated so any future payments get redirected to the new account," the researchers explain. "This tactic is a little more stealthy, as the attacker isn't requesting an immediate payment—the red flag accounts payable specialists are taught to notice.

"These attackers are playing a longer game, hoping that a simple request now will result in a payment to their redirected account with the next payment."

New-school security awareness training can enable your employees to thwart BEC attacks and other forms of social engineering.
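The two plays quoted above, a generic "is anything outstanding?" inquiry and a request to update stored bank details, both leave fingerprints that accounts-payable tooling can check before a human acts on the mail: the sender's domain is a near-miss of the vendor's registered domain, the inquiry cites no invoice number, replies are routed elsewhere, and the body asks for new banking details. The Python below is an added example written for this newsletter, not Abnormal Security's detection logic; the vendor master record, the patterns, the distance threshold and the two sample messages are constructed assumptions.

```python
"""Score an inbound 'vendor' e-mail for Firebrick Ostrich-style BEC tells."""
import re

# Assumption: accounts-payable master data, keyed by the vendor's real domain.
VENDOR_MASTER = {
    "acme-supply.example": {"contact": "billing@acme-supply.example", "bank_last4": "4412"},
    "northwind-parts.example": {"contact": "ar@northwind-parts.example", "bank_last4": "0917"},
}

PAYMENT_INQUIRY = re.compile(
    r"\b(outstanding|overdue|past[ -]due|unpaid|pending)\b.{0,80}\b(invoice|payment|balance)s?\b",
    re.I | re.S)
INVOICE_NUMBER = re.compile(r"\binv(?:oice)?\s*(?:#|no\.?|number)?\s*[A-Z]?-?\d{3,}\b", re.I)
BANK_CHANGE = re.compile(
    r"\b(updat\w*|chang\w*|new|switch\w*)\b.{0,60}\b(bank|account|routing|iban|wire|remit\w*)\b",
    re.I | re.S)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; domains are short enough for the full table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_vendor(sender_domain: str):
    """Return the real vendor domain this sender imitates, or None."""
    d = sender_domain.lower()
    for real in VENDOR_MASTER:
        if d != real and edit_distance(d, real) <= 2:   # assumption: 2 edits or fewer
            return real
    return None


def assess(sender: str, reply_to: str, body: str) -> dict:
    """Decide whether AP may act on the mail or must verify out of band first."""
    reasons = []
    domain = sender.rsplit("@", 1)[-1].lower()
    imitated = lookalike_vendor(domain)
    if imitated:
        reasons.append(f"sender domain {domain} is a near-miss of vendor {imitated}")
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != domain:
        reasons.append(f"replies go to {reply_to}, not to the sender")
    if PAYMENT_INQUIRY.search(body) and not INVOICE_NUMBER.search(body):
        reasons.append("generic outstanding-payment inquiry with no invoice number")
    if BANK_CHANGE.search(body):
        reasons.append("asks to change stored bank details")
    verdict = "verify out of band" if reasons else "ok"
    return {"verdict": verdict, "reasons": reasons}


# Constructed samples, not real messages. Note the capital I for l in the domain.
SUSPECT_BODY = ("Hello, I am following up on any outstanding payments on your account "
                "with us. Please also note we have updated our bank account; kindly "
                "update your records before the next remittance.")
LEGIT_BODY = ("Hi, invoice #10234 for March services is attached; payment terms "
              "are net 30 as usual.")

if __name__ == "__main__":
    print(assess("billing@acme-suppIy.example", "acme.billing@webmail.example", SUSPECT_BODY))
    print(assess("billing@acme-supply.example", "billing@acme-supply.example", LEGIT_BODY))
```

Any non-empty reason list should send the request to the phone number already on file for the vendor, never to a number in the mail. The bank-change rule fires on its own, with or without a lookalike domain, which is the point the researchers make: that request is the quiet one, so it deserves the callback even when everything else about the message looks normal.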

Blog post with links:
https://blog.knowbe4.com/bec-group-launches-hundreds-of-campaigns

Scammers Impersonate Financial Advisors Through Social Media Platforms

A large scam campaign is targeting users on LinkedIn and other social media platforms by posing as financial advisors, according to researchers at DomainTools. The researchers explain that these scams can be very difficult to detect, even for users who know what to look for. The scammers contact targets over LinkedIn, as well as on platforms like TikTok and Instagram.

"Financial advisor impersonation is straightforward conceptually, but simplicity in subject belies complexity in practice," the researchers write. "Financial impersonation scams require careful, layered deception involving significant interaction with a target to succeed. To that point, engagements as prospective clients with several financial advisor impersonators suggest they possess a competent understanding of financial markets."

The threat actors also set up convincing financial advisor websites, and choose hosting providers that will keep those sites online for as long as possible.

"Given the complexity of manipulating a target when impersonating a financial advisor, impersonation websites must remain accessible for as long as possible," the researchers write. "Therefore, the selection of a hosting provider is critical to the success of this scam. This report explores this point in detail in the next section, using a particularly suspicious hosting provider as an example."

The researchers conclude that prospective clients should verify who they are dealing with through a channel the scammer does not control.

"Prospective clients would be wise to contact financial advisors through their respective financial institution's official website and insist on speaking with them over the telephone, preferably in a video call," the researchers write. "Consumers would also be wise to approach any cryptocurrency investment with extreme caution and avoid nontraditional investments with 'guaranteed' rates of return.

"Investment opportunities that seem too good to be true probably are."

New-school security awareness training can give your employees a healthy sense of suspicion so they can avoid falling for these types of social engineering attacks.

Blog post with links:
https://blog.knowbe4.com/scammers-impersonate-financial-advisors-through-social-media-platforms

What KnowBe4 Customers Say

"Hi Stu, I wanted to reach out to give KnowBe4 and Courtney some kudos. We have been very happy with Courtney's knowledge base, both with the KnowBe4 platform and with the whole world of phishing. Courtney has been able to answer all our questions. We have reduced our meeting times to once a month due to a phenomenal training job. I am confident she has us pointed in the correct direction. Thank you for having a great team."

- C.T., Chief Information Officer


"Stu: Thank you for reaching out personally. I sincerely appreciate it. The platform and your team experience have been nothing but First Class. Everyone from my sales rep (Danny) to my CSM (Alexandra) has been an absolute pleasure to work with. I now understand why KnowBe4 is so widely accepted and utilized. Keep up the good work and I look forward to working with KnowBe4 for years to come. Thanks again!"

- P.T., CISO

The 10 Interesting News Items This Week
  1. Fascinating Eye Opener. InfoSec Interview with ChatGPT, part one:
    https://thecyberwire.com/podcasts/special-edition/48/notes

  2. U.K. Phishing attacks are getting scarily sophisticated. Here's what to watch out for:
    https://www.ncsc.gov.uk/news/spear-phishing-campaigns-targets-of-interest

  3. Cybercrime groups offer six-figure salaries, bonuses, paid time off to attract talent on dark web:
    https://cyberscoop.com/cybercrime-groups-jobs-talent-dark-web/

  4. Russian foreign ministry claims to be the target of 'coordinated' cyber aggression:
    https://therecord.media/russian-foreign-ministry-claims-to-be-the-target-of-coordinated-cyber-aggression/

  5. Hacker finds bug that allowed anyone to bypass Facebook 2FA:
    https://techcrunch.com/2023/01/30/facebook-two-factor-bypass-bug/

  6. Dark Covenant 2.0: Cybercrime, the Russian State, and the War in Ukraine:
    https://www.recordedfuture.com/dark-covenant-2-cybercrime-russian-state-war-ukraine

  7. TSA issues security directive to airports, carriers after 'no-fly' list leak:
    https://therecord.media/no-fly-list-breach-tsa-domestic-airlines-warning/

  8. [U.K.] Ransomware attack on ION Group impacts derivatives trading market:
    https://www.bleepingcomputer.com/news/security/ransomware-attack-on-ion-group-impacts-derivatives-trading-market/

  9. [OUCH] Google Fi hack victim had Coinbase, 2FA app hijacked by hackers:
    https://techcrunch.com/2023/02/01/google-fi-hack-victim-had-coinbase-2fa-app-hijacked-by-hackers/

  10. Ukraine: Sandworm hackers hit news agency with 5 data wipers:
    https://www.bleepingcomputer.com/news/security/ukraine-sandworm-hackers-hit-news-agency-with-5-data-wipers/

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
