CyberheistNews Vol 13 #41 [Risky New Data] More Than Half of Phishing Scams Now Use Obfuscation

Cyberheist News

CyberheistNews Vol 13 #41  |   October 10th, 2023

[Risky New Data] More Than Half of Phishing Scams Now Use ObfuscationStu Sjouwerman SACP

A new report shows staggering phishing trends using obfuscation techniques that should make any organization feel worried. In Egress's annual Phishing Threat Trends Report, new data was collected from January to September of this year with some key findings I want to highlight:

Phishing Campaigns Have Become More Sophisticated and Effective

Since obfuscation techniques were implemented the percentage of phishing emails increased by 24.4% this year, and now 55.2% of cybercriminals are using these tactics in their phishing emails.

Because of this, Microsoft cybersecurity defenses were bypassed by 25% year-over-year, and phishing emails are 29% more effective at fooling secure gateway products. One strategy bad actors are trying to execute in their attacks is chaining together multiple obfuscation methods to be successful.

The Most Widely Used Obfuscation Technique is HTML Smuggling

Research shows that 34% of obfuscated phishing emails analyzed use the HTML smuggling technique. Hackers distribute malware to appear dormant to make it more difficult to identify. As a result, the HTML page with the raw source code is really malware, which is why it's so difficult for network-based cybersecurity tools to spot.

AI Tools Are Not Detecting Obfuscation Techniques

Egress also cautioned that artificial intelligence tools are being taken advantage of by threat actors to launch their phishing campaigns. On the other side of the coin, tools designed to detect AI-generated phishing emails are unreliable or don't work in 71.4% of cases.

In a statement by Jack Chapman, VP of Threat Intelligence at Egress, "Without a doubt chatbots or large language models lower the barrier for entry to cybercrime, making it possible to create well-written phishing campaigns and generate malware that less capable coders could not produce alone."

These findings highlight the importance of educating your end users with new-school security awareness training. End-user education is the only way these types of obfuscation attacks can be stopped with helpful tips to spot and report these types of malicious attacks.

KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links:

Open-Source Intelligence (OSINT): Learn the Methods Bad Actors Use to Hack Your Organization

They are out there, watching and waiting for an opportunity to strike — the bad actors who have carefully researched your organization in order to set the perfect trap using easily found public resources.

Open-Source Intelligence (OSINT) can provide cybercriminals everything they need to know to perfectly target your users by gathering data on everything from password clues to tech stack details, banking/credit card accounts, social media details and more. Emerging technologies like AI can make gathering this intelligence even easier.

Join Rosa Smothers, former CIA Cyber Threat Analyst and Technical Intelligence Officer, now KnowBe4's SVP of Cyber Operations, as she reveals the OSINT techniques employed by cybercriminals that can help you protect your organization before disaster strikes.

In this special Cybersecurity Awareness Month webinar, you'll learn:

  • What apps and analytic techniques can enhance your research and data interpretation
  • Real-world demonstrations of how to conduct (legal!) OSINT gathering techniques the hackers are using on you
  • How to deploy penetration testing exercises to map an attack surface
  • How to conduct cyber investigations of your own
  • And how understanding OSINT and training your users can help build your human firewall

Learn how to use the cybercriminals' best techniques before they do!

Date/Time: TOMORROW, Wednesday, October 11, @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot!

[HEADS UP] Aurora Police Department Warns of Contactless Payment Processors Scams

If you didn't trust contactless payment processors before, you really won't after hearing about this recent scam. The Aurora Police Department Economic Crimes Unit posted this tweet last week with a warning that scammers drill holes in contactless payment screens forcing customers to swipe their card where the criminals have placed skimmers.

Aurora Police Sergeant's Dan Courtenay said: "Now they have Bluetooth, where they can just sit in the parking lot of the gas station and it feeds right onto their laptop," Courtenay said. "All your information from your credit cards, it feeds right there."

If you have end users that use your company credit cards for travel and expenses, your users' credit card information could be compromised if they fall for this new scam.

Blog post with picture how criminals use this new tactic. Warn your road warriors!

[Introducing PhishER Plus] Supercharge Your M365 Global Blocklist

Now there's a new, super easy way to protect your users against malicious emails through the power of KnowBe4's new PhishER Plus!

PhishER Plus gives you two extremely powerful capabilities:

Global Blocklist, an active global threat feed for Microsoft 365, and Global PhishRIP, a cutting-edge email quarantine feature that automatically removes malicious email before your user is exposed to the threat.

You can now harness the power of reported messages from over 10 million trained users worldwide with the Global Blocklist feature. It prevents future malicious emails, sharing the same sender, URL, or attachment, from reaching your users.

These are real-world phishing threats, triple-vetted by humans and AI. The result? Your Microsoft 365 email filters get a significant boost, all from within your PhishER console.

Join us for a live 30-minute demo of the Plus features of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software.

With PhishER you can:

  • New! Use crowdsourced intelligence from more than 10 million users to block known threats before you're even aware of them
  • New! Automatically isolate and "rip" malicious emails from your users' inboxes that have bypassed mail filters
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easily integrate with KnowBe4's email add-in, Phish Alert Button, or forward to a mailbox

Find out how adding PhishER can be a huge time-saver for your Incident Response team while ensuring your users are safe!

Date/Time: Wednesday, October 18, @ 2:00 PM (ET)

Save My Spot:

Senior Executives Beware: The Rise of EvilProxy Phishing Campaigns

Menlo Security warns that a social engineering campaign is using the EvilProxy phishing kit to target senior executives across a range of industries, including banking and financial services, insurance, property management and real estate, and manufacturing.

EvilProxy allows threat actors to conduct adversary-in-the-middle (AitM) attacks by "harvesting session cookies enabling threat actors to bypass MFA protections."

The phishing campaign exploited an open-redirect vulnerability affecting the job listing site Indeed. This allowed the attackers to craft a phishing link that appeared to lead to Indeed's legitimate website, but redirected to a spoofed Microsoft login page. The blog post explains the attack chain.

Blog post with links:

[New Whitepaper] 8 Essential Capabilities to Consider When Evaluating Anti-Phishing SOAR Products

As cybercriminals continue to refine their tactics, security operation center (SOC) and incident response (IR) teams need tools that allow them to rapidly investigate and terminate phishing attacks before they can inflict damage.

This is why anti-phishing Security, Orchestration, Automation and Response (SOAR) products have emerged as powerful tools in the battle against phishing. They are now a critical component for IT security pros looking to counter the expanding threat landscape of phishing attacks and targeted spear phishing campaigns.

But not all SOAR products are created equal. During the past several years, additional powerful features have allowed SOAR products to go from reactive analysis and identification to proactive phishing mitigation. Understanding these capabilities and advancements is important as you assess the marketplace.

Read this whitepaper to learn:

  • The eight critical product capabilities a SOAR product must have to provide effective anti-phishing protection
  • Why anti-phishing SOAR products are critical for IT teams looking to counter the next generation of phishing attacks
  • What elements of a SOAR product are vital to mitigating existing and future threats.

Download Now:

Generative AI and the Automation of Social Engineering Increasingly Used by Threat Actors

Threat actors continue to use generative AI tools to craft convincing social engineering attacks, according to Glory Kaburu at Cryptopolitan. "In the past, poorly worded or grammatically incorrect emails were often telltale signs of phishing attempts," Kaburu writes.

"Cybersecurity awareness training emphasized identifying such anomalies to thwart potential threats. However, the emergence of ChatGPT has changed the game. Even those with limited English proficiency can now create flawless, convincing messages in perfect English, making it increasingly challenging to detect social engineering attempts."

Legitimate AI tools like ChatGPT attempt to curb malicious results, but threat actors can often find ways around these rules. "OpenAI has implemented some safeguards in ChatGPT to prevent misuse, but these barriers are not insurmountable, especially for social engineering purposes," Kaburu says.

"Malicious actors can instruct ChatGPT to generate scam emails, which can then be sent with malicious links or requests attached. The process is remarkably efficient, with ChatGPT quickly producing emails like a professional, as demonstrated in a sample email created on request."

Threat actors can also use AI-generated voice messages to supplement their attacks. "While ChatGPT primarily focuses on written communication, other AI tools can generate lifelike spoken words that mimic specific individuals," Kaburu writes. "This voice-mimicking capability opens the door to phone calls that convincingly imitate high-profile figures.

"This two-pronged approach—credible emails followed by voice calls—adds a layer of deception to social engineering attacks." Kabaru offers some recommendations to help users avoid falling for AI-generated social engineering attacks.

Blog post with links and list of recommendations:

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: We have exciting news! We officially launched CyberheistNews on LinkedIn. We will be publishing this every Tuesday with the same stories and insights from the email version of CHN. Tell your LinkedIn friends to subscribe now:

PPS:[BUDGET AMMO] Gartner Forecasts Global Security and Risk Management Spending to Grow 14% in 2024:

Quotes of the Week  
"If the freedom of speech is taken away then dumb and silent we may be led, like sheep to the slaughter."
- George Washington - 1st U.S. President (1732 - 1799) (President from 1789 - 1797)

"I disapprove of what you say, but I will defend to the death your right to say it."
- Often attributed to Voltaire, this quote is actually the summation of Voltaire's beliefs by his biographer, Evelyn Beatrice Hall (1868 - 1956)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

Business Email Compromise Remains a Top Threat

A new report from Secureworks has found that business email compromise (BEC) remains "one of the most financially damaging online crimes overall for orgs" in 2023. The security firm's 2023 State of the Threat report says BEC "exceeds even ransomware in aggregate, mainly because it is so prolific, even if individual financial losses from BEC may be lower than individual losses from ransomware."

The researchers explain, "Threat actors use a range of techniques including mass phishing campaigns to steal credentials which are then used to access the victim email account. Once they have access, they often monitor the activity of the email account, identifying email chains with vendors and suppliers in which they can insert themselves.

"After the attacker has successfully initiated communication with the victim, they provide modified legitimate financial documents or payment instructions for the victim to send money to the attacker-controlled accounts. Attackers may also spoof victim organizations to request payment without first compromising a victim's email account."

Teaching employees to follow security best practices, including using multifactor authentication (MFA), can help prevent targeted social engineering attacks.

"Organizations can mitigate BEC attacks by comprehensively implementing MFA across all user accounts, including those for senior executives," Secureworks says. "But remember that not all MFA solutions are created equal; using an authenticator app is better than SMS, and number matching is an improvement on click-to-accept, and represents a meaningful mitigation to MFA fatigue.

"It is advisable to closely follow Microsoft's Outlook authentication guidance to continually adopt best practices. Training employees not to accept MFA requests they did not generate is also a useful exercise. Robust business processes such as two-person payment processing, telephone-only approvals, and telephone-only vendor checks are essential."

KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links:

New SMS Phishing Campaign Impersonating the U.S. Postal Service

DomainTools is tracking an increase in SMS phishing (or "smishing") campaigns impersonating the US Postal Service (USPS). The text messages inform recipients that there's a problem with their delivery address and they need to click on a link to resolve the issue.

"At first glance, the choice of language in the text seems suspect," DomainTools says. "Likely adopted from another phishing script and used over in this campaign, the phrasing shows signs that it was written by someone that either has English as an additional language, or has limited proficiency and likely relied on a translation service to help craft the message. Thankfully they didn't have the foresight to use a platform like ChatGPT to help craft the content, which could have generated a more convincing lure."

The researchers note that attackers can use publicly available information to gather additional information about their targets in order to craft more convincing phishing attacks. "In this case, the person of interest used the same email addresses not only to register for different services, but tied the emails together by using them as back up or secondary emails for a number of other accounts," DomainTools says.

"When these additional accounts are included, we uncover an additional 20 domains tied to the same person. When individuals don't expect this data to come to light, they may become lax in what else they tie to these items, including social media and other accounts that are useful in expanding and adding new prospective avenues for inquiry."

DomainTools adds, "Even though phishing and smishing campaigns have become an unfortunate daily fact of life, they remain a significant source of prospective harm for not only individuals, but the companies and organizations whose services they use. The resulting harm both from a loss perspective as well as the emotional toll on individuals, is added to the cost in time, money, and resources that companies face in defending their customers and ensuring that their brand reputation and business operations are not impacted."

Blog post with links:

What KnowBe4 Customers Say

"Hi Stu, thank you for taking the time to check in. I am very happy with your product and services. Alex S. (and everyone else) have been great to work with. I understand Alex is changing positions and we will have a new CSM assigned. I am confident that the new CSM will be just as helpful as Alex. We have seen excellent improvement in our testing scores to date."

- B.A., Executive Vice President

The 10 Interesting News Items This Week
  1. Russian Cyber Attacks in 2023: Shifting Patterns, Goals, and Capacities:

  2. CISA Promotes Cybersecurity Awareness Month: Creating partnerships to raise cybersecurity awareness at home and abroad:

  3. Researchers show how easy it is to defeat AI watermarks:

  4. Putin's Next Target: U.S. Support for Ukraine, Officials Say:

  5. Diabolical - Thousands of teen boys are being extorted in sexting scams:

  6. Unkillable? Qakbot Infections Fly On Even After Its High-Profile Raid:

  7. New Report: Over half of phishing emails now use obfuscation tactics to avoid detection:

  8. China-linked cyberspies backdoor semiconductor firms with Cobalt Strike:

  9. Apple Warns of Newly Exploited iOS 17 Kernel Zero-Day:

  10. GitHub's Stealthy Arsenal: The Open Marketplace for Malicious Tools - A Focus on The-Murk-Stealer:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Topics: Cybercrime, KnowBe4

Subscribe To Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews