CyberheistNews Vol 8 #20 [Heads-up] New Attack Blindsides Microsoft Office 365 Anti-Phishing Filter and Blacklists


Phishers have found a way of moving the malicious URLs in their emails past Office 365's protections. The security company Avanan says they've observed criminals using a [base] tag in the HTML header used with the URL.

The hack works because newer email clients are equipped to handle the [base] tag, and they render the split URL as a link. Office 365's Advanced Threat Protection includes Safe Links, which checks links in emails against a blacklist.

Avanan calls the technique "baseStriker." It works against Microsoft Outlook clients that support the [base] tag. Gmail is said to be immune. Avanan has informed Microsoft, which is investigating. In the meantime, Microsoft has told SecurityWeek, "We encourage customers to practice safe computing habits by avoiding opening links in emails from senders they don’t recognize."
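The technique described above splits the malicious URL in two: the host goes into a [base] tag in the HTML head, and the anchor carries only a relative path. A link checker that inspects each anchor's href on its own never sees the combined address the mail client will actually open. The following Python script is an added example, not code from Avanan, Microsoft or KnowBe4: it resolves every anchor against the first [base] href (as the HTML standard requires) before consulting a blocklist, and reports what a naive checker would have found beside what the resolved check finds. The blocklist entry `evil.example` and the sample message are constructed for the example.

```python
"""Resolve <base href> before checking email links (added example, not from the page's sources)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed blocklist for this example; a real filter would consult a threat feed.
BLOCKED_HOSTS = {"evil.example"}


class LinkResolver(HTMLParser):
    """Collect every anchor href both as written and as the URL a client would open."""

    def __init__(self):
        super().__init__()
        self.base = None          # first <base href> seen, if any
        self.raw_hrefs = []       # anchor hrefs exactly as they appear in the markup
        self.resolved = []        # the same hrefs joined against the base

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and self.base is None and a.get("href"):
            # Only the first <base> element is honoured by browsers and mail clients.
            self.base = a["href"]
        elif tag == "a" and a.get("href"):
            href = a["href"]
            self.raw_hrefs.append(href)
            # urljoin leaves absolute URLs untouched and resolves relative ones.
            self.resolved.append(urljoin(self.base or "", href))


def effective_links(html):
    """Return (base, raw_hrefs, resolved_hrefs) for an HTML message body."""
    parser = LinkResolver()
    parser.feed(html)
    parser.close()
    return parser.base, parser.raw_hrefs, parser.resolved


def is_blocked(url):
    """True when the URL's host is on the blocklist; a relative URL has no host."""
    host = urlsplit(url).hostname
    return host is not None and host.lower() in BLOCKED_HOSTS


def scan(html):
    """Return (naive_hits, resolved_hits).

    naive_hits is what a checker sees when it inspects anchor hrefs in isolation;
    resolved_hits is what it sees once <base> has been applied.
    """
    _, raw, resolved = effective_links(html)
    naive_hits = [u for u in raw if is_blocked(u)]
    resolved_hits = [u for u in resolved if is_blocked(u)]
    return naive_hits, resolved_hits


# Constructed sample message: host in <base>, path in the anchor.
SPLIT_MESSAGE = """<html><head><base href="http://evil.example/"></head>
<body><p>Your mailbox is full.</p>
<a href="login/verify.php?id=123">Review your account</a></body></html>"""

# Constructed control message with the full URL in the anchor.
PLAIN_MESSAGE = '<html><body><a href="http://evil.example/x">Click</a></body></html>'

if __name__ == "__main__":
    for label, msg in (("split", SPLIT_MESSAGE), ("plain", PLAIN_MESSAGE)):
        naive, real = scan(msg)
        print(f"{label}: naive check found {naive}, resolved check found {real}")
```

On the split message the naive check reports nothing, because `login/verify.php?id=123` has no host to compare, while the resolved check reports `http://evil.example/login/verify.php?id=123`. Any link inspection done at the mail gateway should run on the resolved form; stripping or neutralising the [base] element before delivery is a complementary control.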

That's a start, but it would be better to also tell them to not open an attachment they did not ask for, and use the phone to verify before opening.

Any organization should reinforce this with some realistic, interactive security awareness training. Remember that technical defensive layers always have their limitations, which hackers are continuously exploiting.

Note that other email clients may be vulnerable to this exploit as well. Blog post with links and example HTML code:
What Is The Reason Why The Ransomware Threat Is Not Going Away Any Time Soon?

It's KnowBe4's general policy to not mix business with politics or religion. However, sometimes geopolitics, which focuses on political power in relation to geographic space, is the only thing that explains a particular and persistent problem. A good example would be the trouble in the Middle East and its complex relationship to oil.

In IT, however, one of the major problems is ransomware. Why is it here to stay, and why will it likely not get any better in the coming years? There are three main factors at work here, which we go into at the KnowBe4 blog:
Police Dept Loses 10 Months of Work to Ransomware. Gets Infected a Second Time!

Bleepingcomputer reported: "Ransomware has infected the servers of the Riverside Fire and Police department for the second time in a month.

The first ransomware infection took place on April 23, last month and encrypted ten months' worth of work data related to active investigations.

Officials said they didn't pay the ransom and were able to recover some of the data from previous backups. Other data they recovered from public court records, but to this day, the Riverside Fire and Police department have not fully recovered from the first attack.

The second infection took place last week, May 4, but only came to light today when US Secret Service agents arrived in the Ohio town to help with the investigation." OUCH. More at the KnowBe4 blog:
Live Webinar: 11 Ways to Defeat Two-Factor Authentication

Everyone knows that two-factor authentication (2FA) is more secure than a simple login name and password, but too many people think that 2FA is a perfect, unhackable solution. It isn't!

Join Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist and a security expert with over 30 years' experience, for this webinar where he will explore 11 ways hackers can and do get around your favorite 2FA solution.

The webinar will include a (pre-filmed) 6-minute demo by KnowBe4's Chief Hacking Officer Kevin Mitnick, and real-life successful examples of every attack type. It will end by telling you how to better defend your 2FA solution so that you get maximum benefit and security.

You'll learn about the good and bad of 2FA, and become a better computer security defender in the process.

This webinar will cover:
  • 11 ways hackers get around two-factor authentication
  • How to defend your two-factor authentication solution
  • The role humans play in a blended-defense strategy
Date/Time: Monday, May 21st, 2018, 1:00 pm ET Register Now!
Do You Have Compliance Headaches When Trying to Manage Multiple Regulations?

Did you know about a platform KnowBe4 specifically built to help you manage your compliance headaches? It’s intuitive, easy to use, and backed with exceptional service.

KnowBe4 Compliance Manager (KCM) simplifies the complexity of getting compliant and eases your burden of staying compliant year-round. With KCM you dramatically reduce the time and money needed to meet your compliance goals.

Using KCM’s powerful but simple mapping feature, you will be able to just do things once and re-use that effort again and again in other compliance frameworks. This means you spend significantly less time and expand your current posture with minimal effort.

See how you can get audits done in half the time at half the cost.
Check out KCM and request a demo:

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"This above all; to thine own self be true." - William Shakespeare

"To thine own self be true, and it must follow, as the night the day, thou canst not then be false to any man." - William Shakespeare

Thanks for reading CyberheistNews
Security News
Vega Credential-Stealer Targets Marketing, Advertising, and PR

A low-volume, highly targeted phishing campaign is aimed at marketing, advertising, and public relations, and to a lesser degree retail and manufacturing. The phishbait in the subject lines tended to run to phrases like "Online store developer required."

An attached "brief.doc" carries the malicious payload, Vega Stealer, which infects its victims through a macro. The malicious macro appears to be commodity malware readily available on the black market.

A newly observed variant of the older August Stealer malware, Vega Stealer goes after credentials and payment card numbers saved in Firefox and Chrome browsers. It can also exfiltrate sensitive documents from infected computers.

It does so by searching directories for files ending in .doc, .docx, .txt, .rtf, .xls, .xlsx, or .pdf. It then quietly sends them one by one to a command-and-control server. Vega Stealer may not be particularly sophisticated, but then, it doesn't have to be as long as it meets the criminals' needs.

One interesting feature that almost amounts to a tell is the phishing emails' preference for going after distribution lists in an organization, the better to expand the target set. These lists have included “info@”, “clientservice@”, and “publicaffairs@”.

Employees should be alert for Vega Stealer. They're likely to see it in the near future. Proofpoint has the story:
Phishing and Waterholing Versus Power Grids

On May 10th, industrial cybersecurity company Dragos released the results of its study of a threat actor working against the US and UK power grids. The researchers call the group "ALLANITE," and they associate it with the Palmetto Fusion group the US Department of Homeland Security warned against late last year.

Palmetto Fusion was attributed to Russian intelligence services. It's reasonable to conclude that ALLANITE is a member of the same stable. The phishing and waterholing currently in progress represent reconnaissance directed against industrial control systems.

ALLANITE appears to be interested in taking screenshots of workstations. This is worrisome because phishing of utility operators was a prominent feature of Russian attacks against the Ukrainian power grid. Network segmentation is always a good idea, and especially so when dealing with operational technology (OT) and information technology (IT) networks operated by the same organization.

But industrial operations, including especially utilities, should avail themselves of realistic, interactive training to enable their employees to recognize phishing and other social engineering campaigns. ALLANITE is active and dangerous. Equip your employees to recognize the threat and spit the hook when they're phished. Dragos's report may be found here:
How AI Is Being Leveraged for Social Engineering Attacks

With respect to artificial intelligence, does the offense or the defense have the advantage? It's not clear yet. There's no definitive evidence of AI social engineering in the wild, and, according to Phil Tully, Principal Data Researcher at ZeroFOX, such evidence would tend to be ambiguous and inconclusive.

But we do know certain things about social media that suggest they could be exploited in an AI attack.

As Tully notes, individuals are very free with their information (and their selfies). They share personal information in their search for likes and shares. Much of the attention they draw to themselves will be benign.

AI defenses need to sift through the benign attention to identify the malicious traffic. However, AI attacks can skip this step, which makes them more nimble and dangerous.

Remember, “The adage is true that the security systems have to win every time, the attacker only has to win once.” — Dustin Dykes.

Tully offered what he characterized as a cautionary tale. Users of social media tend to be overconfident with respect to how quickly the social media platforms respond to complaints of account hijacking. They also tend to be too optimistic about the uses attackers can make of their personal data in credential harvesting.

Once an account is compromised, hackers have access to personal direct messages going back years. The information contained in those messages can be leveraged in future social engineering attacks. Better to learn, and keep the social engineers out, whether they're artificial or natural intelligences.

CyberScoop, which interviewed Tully at RSA, has the six-minute interview, which we warmly recommend you watch:
JavaScript Inside Excel. New Feature, New Phishing. Arg.

Microsoft recently announced that it was enabling support for JavaScript in its Excel spreadsheets' array of custom functions. For now the functionality is included only in the Office 365 Developer Preview that subscribers to the Office Insiders program receive, but the feature seems destined for more general release sometime in the near future. Hmmmm.

Using only the documentation Microsoft provides Office Insiders, a security researcher has demonstrated a proof-of-concept coinjacking exploit loaded into one of the new, enhanced Excel spreadsheets. He successfully linked a spreadsheet to the Coinhive cryptomining service.

Education and training as always have an important place as businesses build their defenses. Caution employees, again, about opening attachments in suspect emails. Here, however, there's also a protective step administrators should consider. If you haven’t already done so, disable JavaScript, especially before the new feature hits Excel. Graham Cluley has the story:
Relative Risk: Phishing Attacks on iOS Users Skyrocket

Some 57% of all Internet traffic now comes from mobile devices. Those devices have become a prime target for phishing attacks. A study by Wandera indicates that iOS users are far more likely to succumb to phishing than they are to be the victims of a more conventional malware infection.

iOS users are, in fact, eighteen times more likely to be phished than they are to download malware. They're also likelier to be phished than are Android users. The reputation Apple devices enjoy for strong security tends to lull victims into a false sense of security.

In fact, these devices, while relatively robust, aren't immune to attack. Their relative resistance to malware infection also tends to divert attackers onto a path of lesser resistance, in this case, phishing.

The two principal vectors for phishing attacks are messaging (accounting for 17.3% of such attacks) and social media (with 16.4% of phishing attacks).

Both vectors have seen a large increase in 2018: messaging attacks are up 170%, social media attacks 102%. Employees use their phones for work, but they tend to commingle work and personal matters on the same device. Navigation to dating apps, for example, is a common way in which they're exposed to phishing.

Organizations should devote some training and attention to employee mobile device use. Make it quick and interactive. After all, quick and interactive are how they use their phones. Help Net Security has the story:

And KnowBe4 has a brand new 2018 Mobile Device Security training module in 20 major languages:
Romanian Criminals Cause 18 Mil in Losses With Vishing and Smishing

A lot of social engineering is accomplished by email, but there are other ways an organization can be compromised. Employees can be subjected to vishing (phishing by voice, over the telephone or perhaps even in a teleconference) and smishing (phishing by SMS message). Here's a cautionary tale.

A vishing and smishing scheme was the basis for the extradition of two Romanian nationals to the United States. A third is awaiting extradition in Romania. The trio has been charged with carrying out vishing and smishing from Romania, targeting potential victims in the US.

The criminal approach involved the use of a phone message or a text that impersonates some legitimate, trustworthy, or plausible source. In this case, the criminals pretended to be a bank.

Vulnerable computers in the US were identified and used to develop contact information for the intended victims. The messages, in this case a phone call, spoofed a financial institution. The messages delivered during the call reported a "problem" with the victims' account.

They instructed the victims to call a number where they were prompted to enter their account number, PIN, or their social security number. Once harvested, the data were then sold.

When they were arrested in Romania, the trio had 36,051 fraudulently acquired financial account numbers. The scheme was responsible for more than 18 million dollars in losses. Here's one comforting fact: even though the criminals operated in Romania and targeted victims in the US, US and Romanian authorities cooperated closely to secure the arrests and extraditions.

When you develop training and awareness programs for your employees, consider including the full range of social engineering they may encounter. Make sure to remember the phone, and don't neglect voice mail and texting. SecurityWeek has the story:

KnowBe4 just released a massive improvement of their Vishing Security Test platform, more details here:
9th Circ. Assesses Insurance for Social Engineering Scams

Law360 wrote: "Losses from social engineering schemes continue to grow exponentially. According to FBI data published in early 2017, losses from these schemes totaled over 3 billion dollars between 2013, when the FBI started tracking data, and the end of 2016. One recent estimate suggests projected growth to over 9 billion in 2018 alone. The problem is not going away; it’s getting much, much worse.

Under these schemes, perpetrators trick company employees into believing that they have received instructions from a high-ranking officer such as a chief financial officer."

The takeaway is that social engineering, phishing coverage and Business Email Compromise (aka CEO Fraud) may or may not be covered by your liability and cyber insurance policies. Until this becomes "settled law" you’d want to know specifically ahead of time from your brokers/agents or underwriters. At the moment, it’s like betting at the Kentucky Derby. You can read the full article here but you need to register for a no-charge 7-day trial:
KnowBe4 Adds ThinkHR Training Modules to its Massive Library of Security Awareness Training Materials

KnowBe4’s scope of training materials has expanded beyond security awareness to address HR concerns. ThinkHR combines live human resources with innovative online technology to deliver trusted knowledge solutions that enable organizations to thrive.

Their industry-leading HR knowledge products help their partners strengthen their client relationships and win more business. HR professionals use ThinkHR’s tools to be more effective in their roles, while business and risk managers leverage its industry-leading team of HR advisors for compliance and risk guidance.

And, all employers benefit from their HR compliance tools while building a positive and productive workplace. The content is centered around HR compliance issues such as FERPA, harassment training, physical security, and managerial training with most modules running between thirty and sixty minutes each.

Availability starts with 17 modules, 2 of which are also available in Spanish; 4 more modules and 1 more Spanish-language option will be added in the coming weeks. The training is available in the KnowBe4 “Mod Store” for Diamond Level customers.

You can check them out immediately in the KnowBe4 Modstore, no need to talk to anyone. Go to the Search Filters (top right) and in the Publishers section, choose ThinkHR:

KnowBe4 Releases Delegated Admin Permissions

KnowBe4 just announced support for delegated permissions as part of the Security Roles feature, which allows you to limit roles to only display specific data, or to allow phishing, training, and user management of specific groups only.

Each Security Role is completely customizable to allow for the creation of the exact roles and responsibilities for Target Groups in your organization.

Example scenarios include:
  • Auditors that need to review training history only
  • HR departments that want to see individual user results
  • Training groups that want to review training content prior to deployment
  • IT managers that oversee security awareness training within their own business unit that need to create both phishing and training campaigns
  • Corporate IT needs to lock down templates to ensure the use of approved phishing templates
More detail at:

What Our Customers Say About Us

"Hi Stu, I think it is a great product. I am a bit horrified at how easily our employees “bit the hook” so to speak, but it’s good information to know. I look forward to the continued education of our users. It has saved me a ton of time not having to create education campaigns myself. Thank you." - H.T. Network Security Administrator
Interesting News Items This Week
Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
    • Run Atlas, Run! Apart from doing backflips, the terrifying Boston Dynamics bipedal robot can jog now. Terminator, here we come:
Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.