CyberheistNews Vol 14 #15 [Heads Up] Your Apple Users Are Now Targeted With New MFA Attacks

CyberheistNews Vol 14 #15  |   April 9th, 2024

[Heads Up] Your Apple Users Are Now Targeted With New MFA Attacks
Stu Sjouwerman, SACP

A new string of multi-factor authentication (MFA) attacks targeting the reset of Apple IDs seems to be popping up, in a likely attempt to steal the victim's digital identity and more.

A recent post on Twitter/X from entrepreneur Parth Patel outlines his experience when his phone became inundated with requests to reset his Apple ID password – to the tune of over 100.

Similar to the MFA fatigue attacks we saw last year, this attack uses the same technique: get the victim either to answer "yes" just to make the prompts stop, or to make a mistake and accidentally allow the password reset.

While this kind of attack may not seem mainstream enough to warrant warning users about it, it does demonstrate how the cybercrime economy has grown to the point that threat actors are carving out niche victim sets to go after – in this case, digital identity theft via Apple IDs.

These attacks aren't unique: Krebs on Security covered this and another similar attack on an IT professional, demonstrating that it's more than a one-off experience.

What can be taken from this specific attack is something we teach in our new-school security awareness training. If something looks suspicious, vigilance should immediately go up, slowing down your response should be the default, and you should carefully disengage and report the attack.

Blog post with links:
https://blog.knowbe4.com/apple-users-become-targets-of-mfa-attacks

All The Ways the Internet is Surveilling You

Your personal information is continuously harvested and analyzed by countless data brokers eager to sell to the highest bidder. From your name to your online activities, to your employment details and even your real-time location — all are on the market for anyone interested.

Join us for this webinar with Roger A. Grimes, Data-Driven Security Evangelist at KnowBe4, as he discusses the extensive surveillance enabled by the internet, the risks of your personal data falling into the hands of malicious entities, and methods to protect yourself.

In this session, you will learn:

  • The various ways you are being surveilled, including through "free" GPS-enabled apps you've downloaded
  • How your digital footprint is commodified and utilized by social engineers
  • Techniques to detect signs of surveillance
  • Effective strategies to protect yourself from malicious tracking and defend against the tactics of social engineering

Learn ways to keep your online information safe and protect yourself against malicious scams. Plus, you'll earn continuing professional education (CPE) credits for attending!

Date/Time: TOMORROW, Wednesday, April 10 @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot:
https://info.knowbe4.com/ways-the-internet-is-surveilling-you?partnerref=CHN2

Malicious App Impersonates McAfee to Distribute Malware Via Text and Phone Calls

A trojanized version of the McAfee Security app is installing the Android banking Trojan "Vultur," according to researchers at Fox-IT. The attackers are spreading links to the malicious app via text messages and phone calls.

"In order to deceive unsuspecting individuals into installing malware, the threat actors employ a hybrid attack using two SMS messages and a phone call," the researchers write. "First, the victim receives an SMS message that instructs them to call a number if they did not authorize a transaction involving a large amount of money. In reality, this transaction never occurred, but it creates a false sense of urgency to trick the victim into acting quickly."

If a victim calls the phone number, they'll receive another text with a link to a malicious version of the McAfee Security app, which will install the Vultur malware.

"A second SMS is sent during the phone call, where the victim is instructed into installing a trojanized version of the McAfee Security app from a link," Fox-IT says.

"This application is actually Brunhilda dropper, which looks benign to the victim as it contains functionality that the original McAfee Security app would have. As illustrated below, this dropper decrypts and executes a total of 3 Vultur-related payloads, giving the threat actors total control over the victim's mobile device."

The researchers note that this version of Vultur has new features that make it harder to detect. "The most intriguing addition is the malware's ability to remotely interact with the infected device through the use of Android's Accessibility Services," the researchers write.

"The malware operator can now send commands in order to perform clicks, scrolls, swipe gestures, and more. Firebase Cloud Messaging (FCM), a messaging service provided by Google, is used for sending messages from the C2 server to the infected device. The message sent by the malware operator through FCM can contain a command, which, upon receipt, triggers the execution of corresponding functionality within the malware. This eliminates the need for an ongoing connection with the device."

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links:
https://blog.knowbe4.com/malicious-app-impersonates-mcafee-to-distribute-malware

RIP Malicious Emails With KnowBe4's PhishER Plus

RIP malicious emails out of your users' mailbox with KnowBe4's PhishER Plus!

It's time to supercharge your phishing defenses using these two powerful features:
1) Automatically blocking malicious emails that your filters miss
2) Being able to RIP malicious emails before your users click on them

With PhishER Plus you can:

  • Use crowdsourced intelligence from more than 13 million users to block known threats before you're even aware of them
  • Automatically isolate and "rip" malicious emails from your users' inboxes that have bypassed mail filters
  • Simplify your workflow by analyzing links and attachments from a single console with the CrowdStrike Falcon Sandbox integration
  • Leverage the expertise of the KnowBe4 Threat Research Lab to analyze tens of thousands of malicious emails reported by users around the globe per day
  • Automate message prioritization by rules you set and cut through your Incident Response inbox noise to respond to the most dangerous threats quickly

Join us for a live 30-minute demo of PhishER Plus, the #1 Leader in the G2 Grid Report for SOAR Software, to see it in action.

Date/Time: Wednesday, April 17, @ 2:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/phisher-demo-1?partnerref=CHN

New Report Shows Phishing Links and Malicious Attachments Are The Top Entry Points of Cyber Attacks

New TTP attack data covering 2023 sheds much-needed light on the threat actor and user actions that are putting organizations at the most risk.

In cybersecurity vendor ReliaQuest's Annual Cyber-Threat Report: 2024, there is a ton of great detail mapped to the MITRE ATT&CK Framework outlining which threat actions are used and how organizations are most effectively fighting back and stopping attacks.

According to the report:

  • Phishing links or attachments were involved in 71% of all initial access phases of cyber attacks
  • The top three MITRE ATT&CK techniques in attacks involved phishing or spear phishing
  • Drive-by compromise was used in 29% of attacks
  • QR code phishing saw a 51% increase in just one month – September – over the previous 8 months combined

It appears that there's a ton of effort around attacks that involve targeting the user. So, just how well are your users responding?

According to ReliaQuest, sadly, in 29% of incidents, users helped to facilitate initial access. In other words, users aren't exactly helping.

ReliaQuest has some recommendations to better secure users:

  • Require employees to verify transaction requests through an alternate means of communication
  • Block newly-registered domains
  • Monitor high-risk roles
  • And educate employees through continual security awareness training

Blog post with links:
https://blog.knowbe4.com/phishing-and-users-top-list-as-cyberattack-initial-access-enablers

The Outstanding ROI of KnowBe4's PhishER Plus Platform

91% of cyberattacks start with a spear-phishing attack, and phishing is responsible for two-thirds of ransomware infections. If your organization is combating phishing threats with manual workflows, you're dramatically increasing the risk that phishing presents to your organization.

You need to arm your IT and infosec teams with the tools to accurately and quickly mitigate phishing threats before they strike. But creating a compelling business case for your CFO and leadership is the critical first step.

This guide is designed to help you articulate the value of PhishER Plus, KnowBe4's Security Orchestration, Automation and Response (SOAR) platform, to your CFO and leadership. It provides concrete examples of the return on investment that KnowBe4 customers have realized, empowering you to present a strong business case for the investment.

Download this return on investment guide for insights into:

  • The ongoing problem of overcoming the phishing tsunami for organizations of all sizes
  • The risk and cost of combating phishing threats with manual workflows
  • The cost savings and risk reduction realized through using PhishER Plus

Download Now:
https://info.knowbe4.com/en-us/wp-outstanding-roi-phisher-plus-platform-chn


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: The Cyber Achilles' Heel: Why World Leaders and High-Profile Individuals Must Prioritise Cybersecurity:
https://blog.knowbe4.com/why-world-leaders-and-high-profile-individuals-must-prioritise-cybersecurity?hs_preview=ywqLOHWX-163434793740

Quotes of the Week
"You can fool all the people some of the time, and some of the people all the time, but you cannot fool all the people all the time."
- Abraham Lincoln (1809 - 1865)

"I've learned that people will forget what you said, people will forget what you did, but people will never forget how you made them feel."
- Maya Angelou (1928 - 2014)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-14-15-heads-up-your-apple-users-are-now-targeted-with-new-mfa-attacks

Security News

Catfishing Campaign Targets Members of the UK Government

At least twelve men working in the UK parliament have recently been targeted by WhatsApp spear phishing messages, POLITICO reports. The targeted individuals include "a senior Labour MP, four party staffers, and a political journalist."

The messages are sexual in nature, and may be intended to obtain compromising photos of the targets in order to blackmail them.

"Many of the messages contain striking similarities, including personalized references to the victims' appearances at U.K. political events and drinking spots," POLITICO says. "In several cases explicit photos were also sent — and in at least one case, the victim reciprocated.

"A dossier of evidence compiled by POLITICO has been reviewed by four cybersecurity experts who agreed people in key positions in parliament are being targeted with ill intent."

Notably, the messages are highly personalized and tailored to each target, referencing specific aspects of their lives.

"Strikingly, the sender or senders of the messages often displays extensive knowledge of their target and their movements within the narrow world of Westminster politics," POLITICO says.

"Two people were sent references to their work on the Mid Bedfordshire by-election of October 2023. One received a message discussing their work on 'the Nandy campaign' (Labour MP Lisa Nandy stood for the party leadership in 2020.)

"The other was sent a WhatsApp message referring to the breakdown of a recent relationship. A third person was told they had previously met the message-sender in the 'Sports' — a nickname for Parliament's Woolsack bar, formerly the Sports and Social Club. A fourth was told they met the sender at the annual Labour Party conference in Manchester. A fifth was asked if they still worked for their current boss."

Ciaran Martin, former head of the UK's National Cyber Security Centre, told POLITICO, "Malicious actors, including nation states, have a history of using digital messaging to try to cultivate relationships with people they think have political influence. Some of this activity is high quality and convincing. Some of it can be spotted a mile away. The key message is that anyone working in Westminster can expect stuff like this...trust your own instincts, don't respond, and report it if you're concerned."

Blog post with links:
https://blog.knowbe4.com/catfishing-campaign-targets-members-of-uk-government

[FTC ALERT] Impersonation Scammers Stole More than $1 Billion in 2023

The U.S. Federal Trade Commission (FTC) has found that Americans lost $1.1 billion to impersonation scams last year, more than three times the losses that were reported in 2020. A new report from the FTC found that scammers have shifted tactics over the past three years.

"While these types of scams aren't new, reports tell us scammers have switched things up," the FTC says. "Comparing 2020 to 2023, for example, reports of scams starting with a phone call have plummeted, while reports of scams starting with a text or email have increased. In that same period, people reported skyrocketing losses through bank transfer and cryptocurrency.

"And reports show an increasingly blurred line between business and government impersonation scams: many scammers impersonate more than one organization in a single scam – for example, a fake Amazon employee might transfer you to a fake bank or even a fake FBI or FTC employee for fake help."

The FTC offers the following advice to help users avoid falling for these types of scams:

  • "Never click on links or respond to unexpected messages. If you think a story might be legit, contact the company or agency using a phone number or website you know is real. Don't use the information in the message.
  • "Don't believe anyone who says you need to buy gift cards, use a Bitcoin ATM, or move money to protect it or fix a problem. Real businesses and government agencies will never do that – and anyone who asks is a scammer.
  • "Slow down. Scammers want to rush you, so, again: stop and check it out. Before you do anything else, talk with someone you trust. Anyone who's rushing you into paying or giving information is almost certainly a scammer."

KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

The FTC has the story:
https://www.ftc.gov/news-events/data-visualizations/data-spotlight/2024/04/impersonation-scams-not-what-they-used-be

What KnowBe4 Customers Say

"Good morning Stu, Thanks for checking in! We are happy with the product, and I cannot emphasize enough how excellent the service that April H. provides to me. I pester her with questions constantly and she is quick to respond and always gets me the answers I need. Thank you!"

- S.W., Manager, Security Governance, Risk, & Compliance


"Hi Stu, It was quite unexpected yet delightful to receive your email. As a security professional, I can attest to the pivotal role that KnowBe4 has played in fostering a culture of security awareness within our organization and the broader security community.

The integrated phishing service within the tool has proven to be invaluable in pinpointing vulnerabilities within our workforce, which we have been able to address effectively through targeted training.

Please keep up the excellent work, and my commendations to the entire KnowBe4 team!"

- H.R., Security, Risk and Compliance Director

The 10 Interesting News Items This Week
  1. IT Leaders Can't Stop AI and Deepfake Scams as They Top the List of Most Frequent Attacks:
    https://blog.knowbe4.com/it-leaders-cant-stop-ai-and-deepfakes-scams

  2. British nuclear site Sellafield to be prosecuted for cybersecurity failures:
    https://therecord.media/sellafield-site-prosecution-nuclear-facility-cybersecurity

  3. Microsoft warns deepfake election subversion is disturbingly easy:
    https://www.theregister.com/2024/04/02/microsoft_election_ai_fakes/

  4. China Is Targeting U.S. Voters and Taiwan With AI-Powered Disinformation:
    https://www.wsj.com/politics/national-security/china-is-targeting-u-s-voters-and-taiwan-with-ai-powered-disinformation-34f59e21?

  5. Deepfakes Are Coming for the Financial Sector:
    https://www.wsj.com/articles/deepfakes-are-coming-for-the-financial-sector-0c72d1e5

  6. 'The Manipulaters' Improve Phishing, Still Fail at Opsec:
    https://krebsonsecurity.com/2024/04/the-manipulaters-improve-phishing-still-fail-at-opsec/

  7. The Mystery of 'Jia Tan,' the XZ Backdoor Mastermind:
    https://www.wired.com/story/jia-tan-xz-backdoor/

  8. FCC to probe 'grave' weaknesses in phone network infrastructure:
    https://therecord.media/fcc-ss7-diameter-protocols-investigation

  9. Google survey: 63% of IT and security pros believe AI will improve corporate cybersecurity:
    https://www.zdnet.com/article/ai-should-improve-corporate-cybersecurity-google-and-csa-survey-finds

  10. Indian government rescues 250 citizens from cyber slavery:
    https://therecord.media/india-rescued-cambodia-scam-centers-citizens

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
