CyberheistNews Vol 8 #33 Scam of the Week: SharePoint Phishing Attack on Office 365 Users


The attack, dubbed “PhishPoint” by cloud security vendor Avanan, demonstrates the craftiness of cybercriminals and the lengths they will go to in order to harvest Office 365 credentials.

I’ve talked about how context can be a major influencer in the success of any social engineering attack. This latest attack uses several familiar aspects of O365 to lull potential victims into an assumption that everything is above board.

Here’s how the PhishPoint attack works:
  • The user receives the malicious email – Avanan reports that the subject often uses URGENT or ACTION REQUIRED to instill a sense of immediacy. The email contains a link to a SharePoint Online-based document.
  • The link directs to SharePoint – Attackers are using true-to-form SharePoint Online-based URLs, which adds credibility and legitimacy to the email and link, since the user is being directed to a known-good hosting site.
  • Users are shown a OneDrive prompt – The SharePoint file impersonates a request to access a OneDrive file (again, a known cloud entity), with an "Access Document" hyperlink that is actually a malicious URL.
  • Users are presented with an Office 365 logon screen – This is where the scam takes place: a very authentic-looking logon page on which the cybercriminals harvest the user’s credentials.
What makes this attack so evil is that even Microsoft didn’t see this one coming. While they scan emails for suspicious links and attachments, a link to their own SharePoint Online wouldn’t be considered malicious.

And, since Microsoft isn’t scanning files hosted on SharePoint, they left attackers with an easy way to use the very platform whose users they are trying to con out of their credentials.

Users stepped through new-school security awareness training have a better chance of spotting the telltale signs of online malice. In this specific scam, several factors stood out:
  • The email was unsolicited and had a generic subject of “ has sent you a OneDrive for Business file”
  • Opening the document required several user-initiated steps
  • The URL for the logon page wasn’t on the domain
This scam represents the risk associated with cloud-based applications. Using context and services users are familiar with, scammers can take advantage of the lowered level of alertness and gain access to corporate resources online – all without the organization ever knowing.
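The two telltale signs that matter most above are where a hovered link really points and whether the logon page's host is the one you expect. Here is an added Python check that applies exactly that test to a set of constructed links; it is not code from the newsletter or from Avanan, and the allowlist of expected sign-in hosts, the brand-word list and the sample links are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Hosts where a genuine Office 365 sign-in page is expected. This allowlist is
# an assumption for the example; tailor it to the identity providers your
# tenant actually uses (a federated sign-on host, for instance).
EXPECTED_LOGIN_HOSTS = frozenset({"login.microsoftonline.com"})

# Brand words a lookalike host tends to reuse; used only to label findings.
BRAND_WORDS = ("microsoft", "office", "onedrive", "sharepoint")


def browser_host(url: str) -> str:
    """Host the browser would really connect to: lowercased, without any
    userinfo ('user@'), port, or trailing dot."""
    parts = urlsplit(url.strip())
    return (parts.hostname or "").rstrip(".")


def classify_signin_link(url: str) -> str:
    """Label a link that claims to lead to an Office 365 sign-in page.

    Only an exact allowlist match counts as expected. Suffix matching would
    accept 'login.microsoftonline.com.example.net', whose registrable domain
    is example.net, not microsoftonline.com.
    """
    parts = urlsplit(url.strip())
    host = browser_host(url)
    if parts.scheme not in ("http", "https"):
        return "suspicious: not a web link"
    if not host:
        return "suspicious: no host in link"
    if "@" in parts.netloc:
        # 'https://login.microsoftonline.com@example.net/' connects to
        # example.net; the text before '@' is userinfo, not the host.
        return f"suspicious: userinfo trick, real host is {host}"
    if host in EXPECTED_LOGIN_HOSTS:
        if parts.scheme != "https":
            return "suspicious: sign-in over plain http"
        return "expected sign-in host"
    if any(word in host for word in BRAND_WORDS) or "xn--" in host:
        # Brand word or punycode (IDN) label inside an unexpected host.
        return f"suspicious: lookalike host {host}"
    return f"unexpected sign-in host {host}"


def audit_links(urls):
    """Map each link to its label; anything but 'expected sign-in host' deserves a look."""
    return {url: classify_signin_link(url) for url in urls}


# Constructed sample links; example.net / example.com are reserved documentation names.
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/authorize?client_id=x",
    "https://login.microsoftonline.com.example.net/signin",
    "https://login.microsoftonline.com@example.net/signin",
    "http://login.microsoftonline.com/",
    "https://docs.example.com/AccessDocument",
]

if __name__ == "__main__":
    for link, verdict in audit_links(SAMPLE_LINKS).items():
        print(f"{verdict:55s} {link}")
```

The same comparison is what a user does by eye when hovering a link; the code simply makes the "is this the host I expect?" question explicit and immune to lookalike suffixes.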

I suggest you send the following to any of your employees that use O365. You're welcome to copy, paste, and/or edit:

Be on alert! The bad guys have a new way of stealing your login credentials. They target you by sending you an invite via email to open a SharePoint document. The link takes you to an actual SharePoint page where you will see a OneDrive prompt. The prompt will have an “Access Document” link in it. Don’t click this link!

This link is malicious and will take you to a fake Office 365 login screen. Any credentials you enter here will be sent to the bad guys. Don't be tricked.

Whenever you're submitting login credentials to any site, make sure to check the URL of the page for accuracy. Also, remember to always hover over links to see where they are taking you. Remember, Think Before You Click.

For KnowBe4 customers that use O365, we have created a template you can use to inoculate your users, and suggest you send this ASAP. The template is called "SharePoint: Admin has invited you to '[[company_name]] Team Site'" and it lives in the Current Events category.

Here is the blog post with screenshots and more new Current Events templates. Please warn your friends:

PS: There is something fun as well at the end of that post: "KnowBe4 Rockets to No 96 on the Inc. 500, Appearing for the Third Time, and Stu Takes a CakeDive."

I *do* actually, you can see me dive headfirst in a bed-sized cake!:
Healthcare Sees 278% Increase in Data Breaches in Q2, 30% Caused by Repeat Offenders!

It’s not good to be in Healthcare IT these days, judging by the latest data. With over 3 million records put at risk by both insiders and external attacks in Q2, healthcare orgs need to be more vigilant.

The Q2 2018 Breach Barometer report from Protenus paints a bleak picture for the security of health data. If you’re in healthcare, you should be concerned.

What’s worse is that about 30 percent of those breaches were caused by repeat offenders from within the organizations. It highlights a continued issue facing the sector: Risk accumulates over time when proper education and reporting do not happen. Some of the Q2 2018 findings include:
  • 142 Data Breaches (up 29% over Q1)
  • 3.1 million records (up from 1.1 million in Q1)
  • Healthcare worker-related breaches are up 272%
This problem of accumulating risk is true for any other organization as well. Read this story, shiver, and then take action!
Combating Social Engineering: Tips From Black Hat 2018

Candice Lanier, who works for Ghost Cyber Intelligence, wrote a great post on the Bleepingcomputer site about social engineering (SE) and what you can do to manage this ongoing problem.

She suggested a series of interesting techniques to counter SE attacks. Most of these are not usable by your employees, but you yourself might certainly have some fun with them:
  • Drip-feed them false information
  • Elicit information for use in attribution. This can be done openly or surreptitiously, depending on the situation.
  • Have you ever met the attacker in person? Has anyone you know ever met them in person?
  • Does their knowledge check out?
  • Conduct background verification checks
  • Consider how you were contacted. Was it via social media, your company's website, company email or telephone? Did anything stand out, in the first contact made, as a red flag?
  • Determine what it is that the person wants, and why? Specifically, why from you?
  • Any interest expressed in the technical aspects of the business? A lot?
  • Are they evasive when asked to meet in person? What about a phone call or video call?
  • Check for linguistic deception markers
  • Also check for similarities to other profiles (behavioral/linguistic/nonverbal). Attackers often do not alter their attack behavior or modus operandi.
  • Is conditioning behavior being used?
  • Note any marked interest in your job, industry or research
  • Age of the profile. What’s the earliest trace?
  • Observe any inconsistencies in background, activity, or reactions
  • Report suspicious behavior to the authorities
Next she notes that the United States Computer Emergency Readiness Team (US-CERT) also has advice on how to avoid becoming a victim of social engineering, and quotes KnowBe4's Chief Hacking Officer with hints and tips to prevent SE attacks.

This is a good post, and comes warmly recommended:
[Live Webinar] Exploring the Dirty Little Secrets of Social Engineering, Featuring Kevin Mitnick

You won’t want to miss this!

In this rare live event, Kevin Mitnick, the world's most famous hacker and KnowBe4's Chief Hacking Officer, along with Perry Carpenter, KnowBe4’s Chief Evangelist and Strategy Officer, will share social engineering insights and experiences.

As the author of four best-selling books on the art of social engineering, Kevin is famous for his use of deception, intrusion, and invisibility as a tradecraft. The secrets he shares will help you defend against social engineering threats posed by the bad guys and keep them from manipulating your unsuspecting users.

Key topics covered will include:
  • How social engineering has changed over time
  • Some of the cleverest social engineering techniques
  • Common ways malicious actors find information to use in spear phishing campaigns
  • Psychology of a social engineering exploit and how an organization can protect its users
Join us on Friday, August 24, 2018 at 1:00 pm ET when Kevin will expose the dirty little secrets of social engineering.

Seats are limited. Reserve your spot!
Can You Be Spoofed? Find Out for a Chance to Win an Embrava Blynclight

Are you aware that one of the first things hackers try is to see if they can spoof the email address of some C-level executive in your own domain?

Now they can launch a "CEO fraud" spear phishing attack on your organization, and that type of attack is very hard to defend against unless your users are highly ‘security awareness’ trained.

KnowBe4 can help you find out if this is the case with our free Domain Spoof Test. Plus you'll be entered for a chance to win one of 10 Wireless Embrava Blynclights (stop those drive-by requests with this "busy light" for your desk.)

Find out now if your email server is configured correctly; many are not! Try to Spoof Me!
Financial Phishing on the Rise

Attacks on financial institutions may have fallen off from the first quarter of 2018, decreasing by 8.22%, but the financial sector still remains the criminal underworld's preferred phishing hole.

And a relatively new social engineering scam has taken its place alongside traditional phishing email: fraudulent cryptocurrency offers.

Kaspersky Lab's report on spam and phishing for the second quarter of 2018 showed that 35.7% of observed attempts were against the financial sector. Customers were targeted through fraudulent banking or payment services as criminals harvested such sensitive personal information as names, passwords, email addresses, phone numbers, credit card numbers, and PIN codes.

The quarter was a busy one, with some 107 million attempts tracked. 21.1% of the attacks targeted banks, 8.17% targeted e-shops, and 6.43% went after payment services.

Nadezhda Demidova, lead content analyst at Kaspersky Lab, noted that the prevalence of such attacks reflects the fact that more people are using electronic transactions. Many of those users are unaware of their potential risks, which leaves them an attractive target for social engineering.

Alongside traditional phishing, cyber criminals increasingly try to induce their victims to transfer cryptocurrency into a fraudulent wallet. These attempts often include offers of free distributions of cryptocurrencies, or they seek to exploit the allure surrounding the names of new initial coin offerings (ICOs).

Kaspersky estimates that more than 2.3 million dollars have been stolen this way during the second quarter. Brazil topped the list of phishing attacks at 15.51%, followed by China and Georgia, both at 14.44%, Kirghizstan at 13.6%, and Russia at 13.27%. China was the largest producer of spam.

The lesson to be drawn from this, of course, is that social engineering remains a leading form of criminal activity. Organizations would do well to inoculate their employees by stepping them through new-school security awareness training. Threatpost has the story:
New Report: 2018 Phishing by Industry Benchmarking

As a security leader, you’re faced with a tough choice. Even as you increase your budget for sophisticated security software, your exposure to cybercrime keeps going up!

IT security seems to be a race between effective technology and clever attack methods. However, there’s an often overlooked security layer that can significantly reduce your organization’s attack surface: New-school security awareness training.

In this report, brand-new research from KnowBe4 highlights employee Phish-prone™ percentages by industry, revealing at-risk users that are susceptible to phishing or social engineering attacks. Taking it a step further, the research also reveals radical drops in careless clicking after 90 days and 12 months of new-school security awareness training.

Do you know how your organization compares to your peers of similar size? Download this whitepaper to find out!

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"Art, freedom and creativity will change society faster than politics." - Victor Pinchuk

"I would rather be exposed to the inconveniences attending too much liberty than those attending too small a degree of it." - Thomas Jefferson, (1743-1826) Principal author of the Declaration of Independence and 3rd President of the USA

Thanks for reading CyberheistNews
Security News
SamSam Ransomware Copycat Strain "Dharma" Rears Ugly Head

A new variant of Dharma Ransomware was recently discovered. The new version, described by researchers Michael Gillespie and Jakub Kroustek, attaches a [dot]cmb extension to encrypted files, hence its name: Dharma Cmb.

There is at present no decryptor available for Dharma Cmb. The Dharma Ransomware family has generally been installed manually by attackers exploiting an exposed RDP (Remote Desktop Protocol) service. They scan the Internet for computers running RDP and attempt to gain access by brute-forcing passwords.

Once they've succeeded, the attackers encrypt the initial victim machine and pivot through the network to do the same to other vulnerable devices. Dharma Cmb encrypts mapped network drives, shared virtual machine host drives, and unmapped network shares.

So you need to lock down network shares, allowing access only to users who need it. Once installed, Dharma Cmb starts automatically whenever Windows starts, encrypting any new files created since its installation.

Two different ransom notes are created on infected machines. One, an INFO.HTA file, launches via autorun when a user logs on. The other, FILESENCRYPTED.txt, is found on the desktop. Both contain instructions for payment.

Good safe computing habits and security software will protect you from Dharma and its variants. Be sure your network is properly locked down to prevent access through RDP. Having lockout policies in place makes it difficult to brute force entry remotely.

Finally remember to practice good online security habits. These are some of the points an organization should make to its users through policy and regular, interactive awareness training:
  • Never open attachments to an email if you're not confident you know the sender and expect the attachment. Confirm with the sender that they sent the file or link before you open or click.
  • Use security software that will scan attachments.
  • Keep Windows and other frequently-used software patched and up-to-date.
  • Use strong passwords with 20-25 characters, and never reuse the same password on multiple sites.
  • If you do use RDP, allow access only through a VPN.
Such policies and habits, reinforced through new-school training, contribute to your organization's culture of security. Bleeping Computer has the story:
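The Dharma entry route above is a flood of failed RDP logons from one source before a password finally works, which is exactly what an account lockout policy is meant to interrupt. The following added Python detector, written for this newsletter and not taken from Bleeping Computer or the researchers cited, runs that sliding-window test over constructed log lines; the line format, the thresholds and the source addresses (203.0.113.0/24 and 192.0.2.0/24 are documentation ranges) are assumptions, while the event ID 4625 (failed logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the real Windows values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds assumed for the example; mirror your own account lockout policy.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

# Constructed sample in a simplified one-line-per-event format: one source
# spraying several accounts, one user with a single typo followed by success.
SAMPLE_LOG = """\
2018-08-14T03:12:01Z 4625 src=203.0.113.7 user=administrator logontype=10
2018-08-14T03:12:03Z 4625 src=203.0.113.7 user=administrator logontype=10
2018-08-14T03:12:04Z 4625 src=203.0.113.7 user=admin logontype=10
2018-08-14T03:12:06Z 4625 src=203.0.113.7 user=backup logontype=10
2018-08-14T03:12:09Z 4625 src=203.0.113.7 user=scanner logontype=10
2018-08-14T03:12:11Z 4625 src=203.0.113.7 user=sa logontype=10
2018-08-14T03:40:00Z 4625 src=192.0.2.25 user=jsmith logontype=10
2018-08-14T03:40:20Z 4624 src=192.0.2.25 user=jsmith logontype=10
"""


def parse_line(line):
    """Return (timestamp, event_id, fields) for one constructed log line."""
    ts, event_id, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(event_id), fields


def find_rdp_bruteforce(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: (first_failure, sorted_accounts)} for every source
    that reaches `threshold` failed RDP logons inside one sliding `window`."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, user) in window
    findings = {}
    for line in log_text.splitlines():
        ts, event_id, f = parse_line(line)
        if event_id != 4625 or f.get("logontype") != "10":
            continue              # only failed RDP logons count here
        q = recent[f["src"]]
        q.append((ts, f["user"]))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold and f["src"] not in findings:
            findings[f["src"]] = (q[0][0], sorted({u for _, u in q}))
    return findings


if __name__ == "__main__":
    for src, (first, users) in find_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {len(users)} accounts tried since {first:%H:%M:%S}Z -> {users}")
```

The benign typo from 192.0.2.25 never reaches the threshold, while the spraying source is reported at its fifth failure with the account names it cycled through, which is the signal a lockout policy or a perimeter block should act on.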
FBI Warns Against Hacking River Transportation. Huh? Yep, That's a Thing.

The FBI has recently warned of cyber threats to river transportation. The inland water transportation infrastructure in the US includes the rivers, canals, dams, locks, and intermodal facilities that handle much of the traffic in the country.

The problem isn't confined to barge operators, either. It's an intermodal problem. There's a great deal of ship and barge traffic on US rivers, especially in the Mississippi basin, and disruption to that traffic would have an intermodal ripple effect on road, rail, and air transportation.

What's particularly interesting about the FBI's warning is the attack vector and the motive the Bureau singles out. One might think first of terrorism, and that's a risk, to be sure. But the FBI makes special mention of business email compromise as the sort of attack most to be expected on river transportation infrastructure operators.

The most common goal is theft by fraudulent wire transfer. "Every time that we have a vessel that travels up or down the Mississippi River there’s a vulnerability: that that vessel or persons on those vessels may in fact be doing harm to our systems," Eric Rommal, Special Agent in Charge of the FBI's New Orleans Field Office told the Associated Press.

"And that affects the national economy and affects the entire United States." Amid all the technical considerations that surround critical infrastructure protection, the human factor can't be ignored. The business email compromise the FBI is warning the water transportation sector about is a widespread form of social engineering.

Any organization in that sector, or indeed in any other sector, would do well to build a culture of security. Interactive, new-school awareness training for employees can help do just that. The AP has the story:
Copy, Paste and Post Is No Way to Get a Better Facebook Experience

The old chain letter nuisance has assumed a digital form. Facebook users are being fooled into believing that they are able to see a whole new group of posts on their newsfeed just by copying, pasting and posting a message to their timeline.

They are being tricked into believing that this simple action will override a non-existent Facebook algorithm, which is said to limit how many people's posts one can see.

This Facebook hoax has gone viral. However, posts from family and friends, both real and virtual, can be viewed without this senseless copy-paste-and-post scam. In February Facebook clarified that there was no truth to the claim that users were limited to twenty-five or twenty-six friends.

Despite Facebook’s statements, the rumor continues to make its way to the top of news feeds. There's even a version of the message claiming that the rumor-checking site Snopes has confirmed the claims. This isn't true either. The problem that continues to plague Facebook is its users' belief that posting something on their timeline will affect how Facebook works for them.

Copy-and-paste doesn't change any of the ways Facebook or the algorithms it uses interact with anyone's account. This current hoax is similar to a previous one that promised you could prevent Facebook from using your online photos simply by copying and pasting a message.

These hoaxes offer no way around Facebook's consistent application of its terms of service. Both Snopes and Facebook have discredited these hoaxes. However, interacting with posts helps them go viral. You can help diminish the impact these posts have by simply ignoring them and encouraging others to do the same.

It's always important to think before you click, especially when clicking can lend credibility to a bogus story. Those who'd like to see less fake news and fewer hoaxes in their social media feeds could benefit from heightened awareness of this low-grade form of social engineering.

Naked Security has the story:
Phishing Down Under for Credit Card Numbers

Scammers attempting to collect credit card numbers are using e-mails claiming to be from Optus, a major Australian telecommunications company. The Australian Communications and Media Authority (ACMA) said the emails are masquerading as unpaid invoices in need of a new credit card number.

ACMA stated that the phony emails are hard to detect since they use a web address similar to the real Optus website. Once on the site, the visitor is prompted to click on a “pay your bill” link, which opens a fraudulent page where the credit card information is collected.

The ACMA noted the importance of checking the legitimacy of email links as a way of safeguarding personal information. They advised anyone receiving one of the “We are unable to process your last payment” email messages to immediately delete them.

The Optus scam is, unfortunately, not unique. Last month the Australian government issued warnings about an email scam claiming to be from Medicare. In that case the criminals asked their marks to update their wire transfer information so they could properly receive their benefits. The sort of information requested could be used, of course, to make fraudulent electronic withdrawals.

The lesson here is to check the legitimacy of an email carefully before you click on any links it contains. Never volunteer personal details over email. And always remember to think before you click.

There's another lesson here for organizations, too. If your practices and policies allow you to ask your employees or clients for sensitive information by email, especially account credentials, you're probably training them to take this particular kind of phishbait. A review of your practices isn't a bad idea, and could itself be the subject of some new-school interactive security awareness training. CRN has the story:
What KnowBe4 Customers Say

"The product is exceeding expectations! We haven’t had a chance to implement training programs yet, but the creation and implementation of campaigns is incredibly efficient, the template library is robust and diverse, and the reporting is clean and easily digestible for our executives.

"I can’t find anything to complain about, which is probably a first for me. I greatly appreciate everything you guys are doing over at KnowBe4, and thank you for reaching out to check in. Keep kicking butt!" - M.J., Security Analyst

"Hey Stu, we’re actually blown away by how effective training has been for our users. We can’t get them to click a single phishing test in our last three spear phishing campaigns. We’re rolling out the annual training module next month and we expect a minimal number of people to drag their feet.

"Our test group of IT users have each learned at least one useful tip that they didn’t know before. Also, thanks for the book! I haven’t gotten a chance to start it, but it’s been a nice conversation topic for anyone that sees it on my desk. Thank you." - M.R., Data Recovery Analyst

PS: If you want to see KnowBe4 compared to other products in an objective, vetted platform that makes sure the reviews are fully legit, check Gartner Peer Insights:
The 10 Interesting News Items This Week
    1. Russian Military Spy Software is on Hundreds of Thousands of Home Routers:
    2. Trump Pulls Gloves Off on Offensive Cyber Actions:
    3. 2.6 billion records exposed in 2,300 disclosed breaches so far this year:
    4. KnowBe4 was featured on this list of 10 companies to watch in 2018 on Cybersecurity Ventures:
    5. Cybersecurity Training Sees Flood Of M&A. Our industry analyzed in Forbes MergerMarket:
    6. Indian Bank Hit in 13.5M Cyberheist After FBI ATM Cashout Warning:
    7. Just say no: Wi-Fi-enabled appliance botnet could bring power grid to its knees:
    8. Exploring, Exploiting Active Directory Admin Flaws:
    9. Vulnerability Could Allow Insider to Bypass CEO's Multi-Factor Authentication:
    10. What is phishing? How this cyber attack works and how to prevent it:
Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.
