Increase in Phishing Emails Using .Com File Extensions

The anti-phishing solution supplier Cofense, formerly PhishMe, has informed a noticeable rise in phishing campaigns utilizing files with the .com extension. The .com extension is utilized for text files with executable bytecode. The code can be performed on Microsoft NT-kernel-based and DOS operating systems.

The campaigns recognized through Cofense Intelligence are mainly being transmitted to financial facility divisions and are utilized to download a range of malevolent payloads including the Loki Bot, Pony, and AZORult information stealers and the Hawkeye keylogger.

Some of the electronic mails in the campaigns clarify the user must open a .iso file attached to the electronic mail to see information linked to the electronic mail notification. The .iso file contains the .com executable. One such electronic mail announced to be from a firm that had received payment, however, had no outstanding bills. The electronic mail requested the receiver check the payment with the finance division to decide if a mistake had been made. The attachment seemed to be a credit notification from the bank.

The subject lines utilized in the phishing campaigns are different and include shipping information notices, price requests, remittance advice, bank information, and bills, even though the two most usual subjects contained a reference to ‘payment’ or a ‘purchase order’.

The payment themed electronic mails were utilized with the AzoRult information stealer and the purchase order subject lines were utilized with Loki Bot and Hawkeye.

Most of the campaigns utilized the .com file as an electronic mail attachment, even though some variations utilized an intermediate dropper and downloaded the .com file through a malevolent macro or exploit. The latter is becoming more usual as IT safety teams are prepared to the direct delivery method. Most of the malware variations used in these campaigns interconnected with domains hosted on Cloudflare. Nevertheless, Cofense notes that the actual C2 is not hosted on Cloudflare. Cloudflare is utilized as a domain front as Cloudflare is often entrusted by companies and is for that reason less likely to arouse doubt.

Cofense expects there will be an increase in the use of .com attachments in phishing campaigns and suggests companies to include the file extension in their anti-phishing training programs and phishing electronic mail simulations to main users when attacks happen.

Z Services Selects TitanHQ to Provide New Cloud-Based Security

The Dubai-based managed facility supplier Z Services has increased its partnership with TitanHQ and is now offering cloud-based web filtering and in-country electronic mail archiving as a facility to clients all over the MENA region.

Cybersecurity is a crucial business concern all over the MENA region and businesses are increasingly looking to managed facility suppliers to provide solutions to improve their safety posture. It makes much more intelligence to have cybersecurity as an operational expenditure rather than a capital expenditure, which is achieved through cloud-based facilities instead of appliance-based solutions. Z Services has been increasing its customer base by supplying these solutions to SMEs through ISPs.

Z Services increased its cybersecurity facilities earlier this year with a new partnership with TitanHQ. The managed facility supplier began offering a new cloud-based anti-spam facility – Z Services Anti-Spam SaaS – which was powered by TitanHQ’s SpamTitan technology. The facility obstructs nuisance spam electronic mail and delivers safety against ransomware, malware, and phishing attacks.

The fame of the facility has encouraged Z Facilities to increase its partnership with TitanHQ and begin offering a new web filtering and electronic mail archiving facility to companies in the region via their ISPs. Its Internet security-as-a-service offering is powered by WebTitan and the in-country electronic mail archiving facility is powered by ArcTitan. TitanHQ provided its solutions in white label form letting Z Services to rebrand the solutions and generate its MERALE SaaS offering – An economical, auto-provisioned, Internet safety and compliance facility.

Through MERALE, SMEs are able to obstruct web-based dangers such as phishing and avoid ransomware and malware downloads while cautiously monitoring the online content workers can access. In addition to improving Internet safety, companies benefit from output gains through the obstructing of types of web content such as dating, gambling, and social media sites. An extensive reporting suite gives companies all the information they require on the online activities of the staff. The in-country electronic mail archiving facility assists companies abide by the government, state, and industry rules meet eDiscovery requirements.

“We trust that MERALE will be a game-changer in how small and medium companies in the region make sure their safety, and as a subscription-based facility, it removes the need for heavy investments and long-term commitments,” said, Nidal Taha, President – Middle East and North Africa, Z Services.

U.S. Treasury Probing $700,000 Loss to Phishing Scam

In July 2018, the Washington D.C. government fell for an electronic mail cheat that led to wire transfers totaling approximately $700,000 being sent to a scammer’s account.

The scammer mimicked a seller used by the city and demanded unsettled bills for construction work be paid. The seller had been hired to work on a design and build the project on a permanent supportive lodging facility.

The electronic mails demanded the payment method be altered from check to bank transfer, and particulars of a Bank of America account was specified where the payments needed to be directed. Three separate payments were made adding up $690,912.75.

The account details provided were for an account managed by the scammer. By the time the cheat was exposed, the money had already been drawn from the account and might not be recovered. As per a Washington Post inquiry, the scammer had mimicked the company Winmar Construction.

The electronic mails were transmitted from a domain that had been listed by the scammer that imitated that of the construction company. The domain was same except two letters which had been transferred. The scammer then generated an electronic mail address using that domain which was utilized to request payment of the bills.

As per the Washington Post, before this cheat, the D.C. government was targeted with several phishing electronic mails, even though Mike Rupert, a representative for the city’s chief technology officer, said those phishing attacks were not fruitful and were not linked to the wire transfer cheat.

These cheats are usual. They frequently involve an electronic mail account compromise which lets the scammers identify sellers and get details of remaining payments. David Umansky, a spokesman for the city’s chief financial officer stated the Washington Post that the attacker had gotten the information required to pull off the scam from the seller’s system and that D.C. officers failed to identify the fake domain and electronic mail.

After noticing the fake wire transfers, the D.C. government got in touch with law enforcement and steps have been taken to trace the scammers. Extra safety controls have now been implemented to avoid similar cheats from succeeding in the future, including the requirement for extra confirmation to take place to verify the genuineness of any request to alter bank information or payment methods.

The U.S Treasury Division has now started an inquiry into the breach, as bank scam is a central offense. That inquiry is continuing.

Cofense Expands 24/7 Global Phishing Defense

Cofense has declared that it has expanded its 24/7 Phishing Defense Facility to deliver even greater help to clients beyond business hours and make sure that phishing dangers are identified in the shortest possible time.

The Cofense Phishing Defense Center (PDC) was introduced to ease the load on IT safety teams by letting them offload some of the load of searching through electronic mails informed by their end users and analyzing those electronic mails to identify the actual threats.

When workers report doubtful electronic mails – through Cofense Reporter for example – the electronic mails are transmitted to Cofense Triage for scrutiny. The malware and danger experts in the Cofense PDC team carry out an in-depth study of the reported dangers and send complete information back to clients’ incident responders that let them take action to alleviate the threat. The quicker a threat can be identified, the lower the possibility of a worker reacting to the danger.

The Phishing Defense Service saves companies a substantial amount of time and effort and lets dangers to be identified and alleviated much more quickly. With the volume of phishing dangers rising, occurrence responders can easily get caught up identifying dangers in the hundreds of electronic mails that are informed as ‘suspicious’ by their workers. Data from Cofense indicates that usually, just 10%-15% of reported electronic mails are malevolent, however, all messages must be tested and evaluated.

The Cofense PDC team already works round-the-clock to evaluate active phishing dangers, nevertheless, the growth of the facility makes sure that irrespective of the time of day or night, new dangers are recognized in the shortest possible time frame. This is particularly vital for firms that have offices in several countries and time zones. Those businesses must not have to wait until business hours for dangers to be identified. They need to be identified day or night.

“Since threat actors do not sleep, neither should your defense capabilities,” clarified Josh Nicholson, Senior VP of Professional Services at Cofense. “Our improved, round-the-clock phishing defense facility puts clients at ease by offering expert analysis and reaction for any informed doubtful electronic mail, any day, any time, in a matter of minutes.”

The expansion will make sure that malware experts are always on hand to evaluate informed phishing attempts and assist clients to alleviate new phishing attempts much more quickly.

75% of Workers Lack Security Awareness

MediaPro has published its 2018 State of Secrecy and Safety Consciousness Report which evaluates the level of safety consciousness of workers across various industry sectors. The report is based on the replies to surveys sent to 1,024 workers throughout the United States that investigated their knowledge of real-world dangers and safety best practices.

This is the third year that MediaPro has carried out the survey, which classifies respondents in one of three groups –Risk, Novice, or Hero – based on their knowledge of safety dangers and understanding of best practices that will keep them and their company safe.

In 2016, when the survey was first carried out, 16% of respondents rated a risk, 72% were rated beginners, and 12% were rated as champions. Each year, the proportion of beginners has decreased and the proportion of champions has increased. Unluckily, the proportion of workers ranked as a danger to their company has also enhanced year-over-year.

In this year’s State of Secrecy and Safety Consciousness Report, 75% of all experts were rated as either a moderate or severe threat to their organization. 30% of respondents were considered to be a danger to the company, 45% were beginners, and 25% were champions. 77% of respondents in management ranks demonstrated a lack of safety consciousness, which is of specific concern as they are often targeted by phishers.

The main concerns were an incapability to identify the indications of a malware infection and a phishing attempt. There was also a weak understanding of social media dangers. When asked queries linked to malware, nearly 20% of workers failed to identify at least one sign of a malware infected computer. Given the rise in cryptomining attacks, it was a concern that a sluggish computer was the most usually ignored indication of a malware infection.

Phishing attacks carry on to increase but phishing awareness is much worse than last year. 14% of respondents failed to recognize all indications of a phishing electronic mail compared to just 8% previous year. The most usually neglected phishing attempt was the proposition of a hot stock tip, which was failed by 20% of respondents. There was also poor knowledge of Business Email Compromise (BEC) cheats.

It was a similar account for social media security, with about 20% of respondents making bad conclusions on social media sites – conclusions that might create problems for their business such as disclosing confidential information or replying to possibly defamatory comments by colleagues.

An analysis of scores by industrial sectors disclosed the financial facilities performed the worst of the seven industrial sectors represented in the study. 85% of respondents in the financial facilities had a lack of safety consciousness to some degree.

“These levels of riskiness are shocking. It just takes one individual to click on the incorrect electronic mail that allows in the malware that exfiltrates your business’s data. Without everyone being more cautious, people and business data will carry on to be at risk,” said Tom Pendergast, chief safety and secrecy planner at MediaPRO.

Brands Most Usually Spoofed by Phishers Exposed

Vade Secure has issued a new report describing the brands most usually targeted by phishers in North America. The Phishers’ Favorites Top 25 list discloses the most usually spoofed brands in phishing electronic mails found in Q3, 2018.

For the latest report, Vade Security followed 86 brands and rated them based on the number of phishing attacks in which they were mimicked. Those 86 brands account for 95% of all brands deceiving attacks in Q3, 2018. Vade Secure notices that there has been a 20.4% rise in phishing attacks in Q3.

As was the case the preceding quarter, Microsoft is the most targeted brand. Phishers are trying to gain access to Azure, Office 365, and OneDrive identifications. If any of those login identifications can be acquired, the attackers can raid accounts and steal private information, and in the case of Office 365, use the electronic mail accounts to carry out more attacks on people within the same company or use contact information for outer spear phishing attacks. Vade Secure has noted a 23.7% increase in Microsoft phishing URLs in Q3.

The level to which Microsoft is targeted is shown in the graph below:

In second place is PayPal, the prominent deceived brand in the financial facilities. Here the goal is simple. To gain access to PayPal accounts to make transferals to accounts managed by crooks. There has been a 29.9% increase in PayPal phishing URLs in Q3, 2018.

Netflix phishing cheats have risen substantially in Q3, 2018. Vade Secure records there has been a 61.9% increase in the number of Netflix phishing URLs. The goal of these campaigns is to gain access to clients’ credit card particulars, through dangers of account closures that need confirmation using credit card details, for instance. The rise in Netflix phishing attacks saw the brand rise to third place in Q3.

Bank of America and Wells Fargo cheats make up for the top five, which had 57.4% and 21.5% phishing URL rises respectively. While down in 7th place overall, Chase bank phishing cheats are notable because of the huge increase in phishing attacks targeting the bank. Q3 saw a 352.2% rise in Chase bank phishing URLs, with a similar increase – 359.4% – in phishing attacks deceiving Comcast. The maximum growth in phishing URLs was for CIBC. Vade Security informs there was a 622.4% rise in spotted phishing URLs, which lifted the Canadian Imperial Bank of Commerce up 14 spots in the ranking to 25th place.

The report also demonstrates that phishers prefer Tuesdays and Thursdays for attacks targeting company users, while Netflix phishing cheats most usually take place on a Sunday. Vade Secure’s research also disclosed phishers are now using each phishing URL for a briefer period of time to evade having their electronic mails obstructed by electronic mail safety solutions.

As a consequence, more electronic mails are delivered to inboxes, emphasizing the significance of increasing safety awareness of the staff.

KnowBe4 Starts ‘Domain Doppelgänger’ Bogus Domain Identification Tool

A new tool has been announced by the safety consciousness training and phishing simulation platform supplier KnowBe4 that can assist firms to identify ‘evil twin domains’ – lookalike deceived domains that are usually used by cybercriminals for phishing and spreading malware.

An evil twin domain is very similar to a real website that is used by a firm. It might contain an additional letter such as faceboook.com, have lost letters such as welsfargo.com, contain altered letters such as faecbook.com to catch out uncaring typists, or use substitute TLDs such as a.co.uk or .ca in place of a .com.

Evil twin domains are exceptionally common.  A study carried out by Farsight Security between Oct. 17, 2017 and Jan. 10, 2018 found 116,000 domains that deceived well-known products. The study disclosed that for each real domain there were 20 duplicate domains and 90% of those domains tried to deceive visitors into thinking they were the actual domain used by the firm that was being deceived.

These duplicate domains can be used to get login identifications to the sites they imitate. Mail servers are set up using the domains for transmitting spam and phishing electronic mails to clients and workers, or for a range of other evil purposes. Checking for these bogus domains is therefore in the interest of all firms, from SMBs to big enterprises.

The tool – named Domain Doppelgänger – lets businesses to easily check for domains that might be deceiving their brand, letting them take action to take down the domains and warn clients and workers of the danger.

The free web-based tool will search for duplicate domains and will send back a detailed PDF report describing the number of private domains found, whether the domains have an active mail server, whether there is an active web server and the risk level linked with those domains.

“In place of using several methods to search for at-risk domains, IT experts can use KnowBe4’sDomain Doppelgänger tool as a one-stop shop to find, aggregate, examine and evaluate these domains,” said Stu Sjouwerman, CEO, KnowBe4. “By learning the duplicate domains that might impact your product, you can better safeguard your company from cybercrime.”

Cofense Looks Closely at Healthcare Phishing Attacks

Cofense, the prominent supplier of human-based phishing threat management solutions, has issued new research that demonstrates the healthcare industry lags behind other industrial sectors for phishing protections and is consistently attacked by cybercriminals who often succeed in gaining access to secret patient health data.

The Division of Health and Human Services’ Office for Civil Rights issued a synopsis of data breaches informed by healthcare companies that have involved over 500 records. Each week, many electronic mail breaches are registered on the portal.

The Cofense report examines deeper into these attacks and demonstrates that a third of all data breaches happen at healthcare companies.

There are several instances of how simple phishing attacks have led to attackers gaining access to secret data, some of which have led to the theft of enormous volumes of data. The phishing attack on Augusta University healthcare system, informed in August 2018, led to the health data of 417,000 patients being breached.

Cofense did a cross-industry comparison of 20 verticals including healthcare, the financial facilities, technology, manufacturing, and the energy sectors to decide how vulnerability and resiliency to phishing attacks differ by industrial sectors. The report compared electronic mail reporting against phishing vulnerability and demonstrated that healthcare has a resiliency rate of only 1.34, compared to 1.79 rate for all industries, 2.52 for the financial facilities, and 4.01 for the energy sector.

One of the main causes for the low healthcare score has been past underinvestment in cybersecurity, although the industry is greatly controlled and healthcare companies are required by law to provide safety consciousness training to workers and should implement a variety of controls to safeguard patient data.

The high cost of data breaches – $408 per record for healthcare companies compared to a cross-industry average of $148 per record – has implied that healthcare companies have had to invest more in cybersecurity. Although still worse than other industries, the enhanced investment has seen improvements made even though there is still plenty of room for improvement.

Source: Cofense

By studying replies to simulated phishing electronic mails transmitted through the Cofense PhishMe phishing simulation platform, the Leesburg, VA-based firm was able to recognize the phishing electronic mails that are most usually clicked by healthcare workers. The top clicked messages were bill requests, manager assessments, package delivery electronic mails, Halloween eCard alerts, and beneficiary changes, each of which had a click rate of over 18%. Having access to this data assists healthcare companies to address the biggest dangers. The report also details how, through training and phishing simulations, vulnerability to phishing attacks can be radically decreased.

The report contains a case study that demonstrates how by using the Cofense platform, one healthcare company was able to halt a phishing attack within just 19 minutes. It is not unusual for breaches to take more than 100 days to identify.

The Cofense Healthcare Phishing Report can be downloaded here (PDF)

FTC Issues Warning Concerning New Netflix Phishing Scam

The U.S. Federal Trade Commission has circulated a warning about a new international Netflix phishing cheat that tries to deceive Netflix subscribers into revealing their account identifications and payment information. The cheat uses a tried and tested method to get that information: The warning of account closure because of payment information being out of date.

Users are transmitted a message requesting them to update their payment details since Netflix has experienced difficulties getting the monthly subscription payment. The user is provided with an “Update Account Now” button which they can click to insert their accurate banking/card information. Nevertheless, clicking the link will not guide the user to the official Netflix site, instead, they will be taken to a web page on a site operated by the scammer. On that site, Netflix login identifications will be harvested together with the banking information entered by subscribers.

The latest campaign was recognized by the Ohio Police Division, which shared a copy of the phishing electronic mail on Twitter. The FTC also issued a warning about the new Netflix phishing cheat in the latest blog post.

Image Source: Ohio Police via FTC

As you can see from the picture, the message appears official as it has the Netflix logo and color scheme. The message also strongly looks like official electronic mail communications often sent by Netflix. Nevertheless, there are tell-tale indications that the electronic mail is not what it appears. Netflix is naturally conscious who their subscribers are and addresses electronic mails to users by their first name. In this electronic mail, the message starts with “Hi Dear.”

Less visible is the hyperlink, however it is something that is fairly easy to check by hovering the mouse arrow over the button. That will show the actual URL, which is not the official Netflix website. One more indication is the phone number on the electronic mail is a U.S. number, which for any person based in another country would be extremely doubtful.

If the link is clicked, the page the user is directed to appears official and is nearly indistinguishable from the actual site, even though if a user checks the URL it will verify they are not on the actual Netflix site for their country.

All of these warning indications must be identified by users, but several people fail to cautiously check messages before clicking. To avoid phishing cheats such as this, make certain you carefully check all electronic mail messages before replying and if ever you receive an electronic mail containing any warning, visit the authorized URL for the firm directly by entering in the website directly into the browser instead of clicking a link in an electronic mail.

Backdoor and Ransomware Detections Rose Over 43% in 2018

The lately published Kaspersky Security Bulletin 2018 demonstrates there has been a 43% rise in ransomware detections and a 44% rise in backdoor detections in the first 10 months of 2018, emphasizing the increasing danger from malware.

Kaspersky Lab is now coping with 346,000 new malevolent files every day and has so far found more than 21.64 million malevolent objects in 2018.

Backdoor detections rose from 2.27 million to 3.26 million in 2018 and ransomware detections are up from 2.2 million detections to 3.13 million. Backdoors comprise 3.7% of malevolent files examined by Kaspersky Lab and ransomware comprises 3.5%.

The biggest cyberthreat in 2018 was banking Trojans, which comprised over half of all malevolent file detections. The main danger was the Zbot Trojan, which was used in 26.3% of attacks, after that the Nymaim Trojan (19.8%), and the SpyEye backdoor (14.7%). 7 of the top ten most widespread malware groups were banking Trojans. The remaining three were backdoors.

Financial wrongdoing, such as the theft of banking identifications and credit card numbers, makes up the majority of attacks, even though APT groups tend to focus on company data theft.

There were fewer new ransomware groups developed in 2018 than 2017, but even though there has been a reduction in ransomware development, the danger of attack is still substantial. The worst month of the year for ransomware attacks was September when 132,047 occurrences were seen. Over the preceding ten months, 11 new ransomware groups have been found and there have been 39,842 changes made to current ransomware variations. As per Kaspersky Lab, in the previous year, 220,000 company users and 27,000 SMB users have been infected with ransomware and had files encrypted.

WannaCry variations were the most generally used, comprising 29.3% of infections, followed by common ransomware (11.4%), and GandCrab ransomware (6.67%).

Banking Trojans and malevolent software invented to attack ATMs and POS systems will carry on to be the main dangers in 2019, as per the report.

Phishing Accounts for 50% of All Online Scams

An examination of existing cyber scam dangers by network safety company RSA demonstrates that phishing attacks have risen by 70% since Q2 and currently account for 50% of all online scam attacks experienced by companies.

Phishing attacks are widespread since they are easy to carry out and have a high achievement rate. An attacker can set up a webpage that impersonates a famous brand such as Microsoft or Google that appeals login details. Electronic mails are then transmitted having hyperlinks to the site together with a legal reason for clicking. As per a research carried out by Verizon, 12% of users click hyperlinks in phishing electronic mails.

RSA notes that the bulk of phishing attacks are carried out in the United States, Canada, and the Netherlands, which account for 69% of all attacks.

RSA has also drawn attention to a particular variation of phishing named vishing. Instead of using electronic mail, vishing attacks happen over the phone. A typical instance involves a scammer pretending to be from the target’s bank. Although the call is unwanted, the scammer pretends that there is a safety problem that requires to be settled and requests confidential information such as bank account information, passwords, and security questions and answers. Vishing accounts for 1% of all scam attempts even though it is a serious danger.

A new variation of vishing has even greater possibility to attain the desired result. Instead of the attacker calling a target, the attacks work in opposite with users calling the scammer. This is being done through search engine killing – Getting malevolent websites listed in the organic search engine results. Other variations include wrong information mailed on social media sites and help media.

14% of spam attacks involve brand misuse: Deceptive posts on social media that deceive a famous brand. 12% of scam attacks involved Trojan horses – malware which is fitted under wrong pretexts. As soon as installed, the malware harvests confidential information such as banking identifications. 2% of scam attacks involve the use of rogue mobile apps. 9,329 rogue moveable apps were identified by RSA in Q3, 2018.

Scam through moveable browsers accounted for the bulk of scam dealings (73%) in Q3 – A rise of 27% since this time last year.

APT28 Group Uses New Cannon Trojan in Spear Phishing Campaign Targeting US and EU Government Organizations

A new spear-phishing campaign is being carried out by the AP28 (Sofacy Group/Fancy Bear/Sednit) on government agencies in the United States, Europe, and a former USSR state using the earlier unidentified Cannon Trojan. The campaign was noticed by Palo Alto Networks’ Unit 42 team and was first known in late October.

The campaign is being carried out through spam electronic mail and uses weaponized Word document to deliver two malware variations. The first, the Zebrocy Trojan, has been used by APT28 in earlier campaigns and was first identified in 2015. The main purpose of the Zebrocy Trojan is to provide access to an appliance and establish a link with a C2 server. It serves as a downloader and backdoor and is used to send more malevolent payloads to systems of interest to the group.

Unit 42 scientists also identified a second Trojan. A new malware variation named the Cannon Trojan. Although Zebrocy uses HTTP/HTTPS for its C2 communications, the Cannon Trojan uses electronic mail. Electronic mail is supposed to be used to reduce the possibility of detection.

The Cannon Trojan is used to collect system information. That information, together with screenshots, are sent back to APT28 through electronic mail. If the target is of importance, the Cannon Trojan can download extra malevolent code.

One of the electronic mail campaigns uses the current Lion Air plane accident as the attraction to get users to open the malevolent Word document. The document name is Crash List (Lion Air Boeing 737).docx. If the user opens the document, Word tries to download a distant template that contains the malevolent macro.

Upon opening the document, the user is presented with a message stating the document has been generated using an earlier type of Word. The user should click on Enable Content to show the matters of the file. The macro will only be loaded if a link to its C2 exists. If no link is available, the macro will not run.

Provided there is a C2 link, the macro is launched. At this phase, most malevolent documents then download the payload. Nevertheless, this campaign uses the AutoClose function to delay the complete execution of the malevolent code. It’s only when the user closes the document that the macro will complete and the payload will be downloaded.

The CannonTrojan initially sends a message over SMTPS to one electronic mail account hosted by Czech electronic mail service provider Seznam then communicates with two additional attacker-controlled electronic mail accounts over POP3S, through which it gets its commands. Because of the level of encryption delivered by both SMTPS and POP3S, the C2 channel is tough to obstruct.

49% of All Phishing Sites Have SSL Credentials and Show Green Padlock

Nearly half of the phishing sites now have SSL credentials, begin with HTTPS, and show the green lock to display the sites are safe, as per new research by PhishLabs.

The number of phishing websites that have SSL credentials has been rising gradually since Q3, 2016 when about 5% of phishing websites were showing the green lock to show a safe connection. The proportion increased to roughly 25% of all phishing sites by this time last year, and by the end of Q1, 2018, 35% of phishing websites had SSL credentials. At the end of Q3, 2018, the proportion had risen to 49%.

It is no shock that so many phishers have chosen to change to HTTPS, as free SSL credentials are easy to get. Most companies have now made the change to HTTPS and it has been drummed into clients to always look for the green lock next to the URL to make certain the connection is safe before any confidential information is disclosed. Some search engines also show the web page is ‘secure’ as well as showing the green lock.

The green lock shows a lot of web users that not only is the site safe, but also that it is safe and genuine, which is certainly not the case. A safe connection doesn’t mean the site is reliable.

A survey carried out by PhishLabs in late 2017 disclosed the level of the confusion. About 80% of surveyed people thought the green lock showed a site was legitimate/safe. Just 18% of respondents to the survey presently identified that the green lock only meant the connection between the browser and the site was safe.

The truth is that the green lock is no assurance that a site is genuine or safe. It only implies that the user’s data is encrypted between their browser and the site so it can’t be interrupted and read by a third party. If the website has been created by a scammer, any information entered through the site can be read by the scammer.

The survey, together with the surge in HTTPS phishing sites, indicate how significant it is for businesses to teach their workers about the correct meaning of the green lock to avoid them falling for phishing cheats.

In addition to beginning with HTTPS and showing the green lock, phishing sites often use stolen branding. They can look same as the genuine site they are deceiving. The only pointer that the site is not genuine is the URL. However, even the URL can seem identical to the actual site. A lot of phishing sites take benefit of internationalized domain names to make the URLs seem genuine.

Brian Krebs identified one phishing site that deceived the cryptocurrency exchange box and used a nearly identical URL. The only difference being the use of the Vietnamese letter “ỉ” in place of the standard i. The characters are nearly indistinguishable, particularly on a small mobile screen.

Mobile screens also don’t show the complete URL, therefore it is easy to create a subdomain to impersonate the genuine domain, as only this part of the URL is likely to be shown on a mobile screen.

2018 Safety Awareness Training Figures

A new study carried out by Mimecast has produced some interesting security mindfulness training figures for 2018. The survey shows a lot of companies are taking substantial risks by not providing sufficient training to their workers on cybersecurity.

Question the IT department what is the greatest cybersecurity danger and several will say end users. IT teams put a considerable amount of effort into applying and maintaining cybersecurity fortifications, only for employees to take actions that introduce malware or lead to an electronic mail breach. It is understandable that they are annoyed with employees. Most cyberattacks start with end users. By compromising one appliance, an attacker gains a footing in the system which can be utilized as a Launchpad for more attacks on the business.

However, it doesn’t need to be like that. Businesses can create a strong last line of protection by providing safety awareness training to employees to help them identify threats and to prepare them how to respond and report difficulties to their IT group. The difficulty is that a lot of businesses are failing to do that. Even when cybersecurity teaching is provided, it is often insufficient or not obligatory. That means it is just partly effective.

Mimecast’s security awareness training figures show that just 45% of firms provide workers with recommended safety awareness teaching that is obligatory for all employees. 10% of firms have training programs available, however, they are only voluntary.

Explore deeper into these safety awareness training statistics and they are not quite as they appear. Certainly, 45% of firms provide obligatory cybersecurity training but, in many cases, it falls short of what is needed.

For example, only 6% of firms provide monthly training and 4% do so three-monthly. For that reason, just 10% of the 45% are providing training regularly and are adhering to acceptable industry standards for safety. 9% of the 45% only provide safety awareness training when an employee joins the company.

The training processes used proposed safety awareness training, for a lot of businesses, is more of a checkbox item. 33% provide printed lists of cybersecurity guidelines or electronic mail instructions even though several employees will simply neglectthose messages and handouts.

30% issue prompts concerning possibly risky links, in spite of that little is done stop employees actually clicking those links. Businesses are in its place relying on their employees to know what to do and to take care, even though formal cybersecurity training is often lacking and they lack suitable skills. Only 28% are using interactive training videos that involve users.

These safety awareness training figures show that firms clearly need to do more. As Mimecast proposes, effective safety awareness training means making training obligatory. Training must also be a continuous process and simply handing out advices is not sufficient.

You must involve workers and make the training more enjoyable and ideally, amusing.  “The easiest way to lose your audience is by making the training dull, unconnected,and worst of all, unmemorable.”

New Office 365 Phishing Attack Detected

The latest Office 365 phishing attack has been identified that uses warnings concerning message delivery failures to attract unsuspecting users to a website where they are requested to provide their Office 365 account particulars.

The new cheat was found by safety scientist Xavier Mertens during an examination of electronic mail honeypot data. The electronic mails closely resemble formal messages transmitted by Microsoft to warn Office 365 users to message distribution failures.

The phishing electronic mails contain Office 365 branding and warn the user that action should be taken to make sure the delivery of messages. The text notifies the user that Microsoft has found a number of undelivered messages which have not been delivered because of server jamming.

The user is informed the failed messages should be resent by manually re-entering the receivers’ electronic mail addresses or by clicking the handy “Send Again” button in the message body. Users are supposed to click the button instead of manually re-entering a number of electronic mail addresses.

If the user clicks the Send Again button, the browser will be started and the user will be presented with a webpage that appears precisely like the official Office 365 web page, complete with a login prompt where they are requested to type their password. The login box already has the user’s electronic mail address so only a password is needed.

If the password is typed, it will be seized by the attacker together with the paired electronic mail address, and the user will be redirected to the official Office 365 website and might not be conscious that electronic mail identifications have been seized.

Official non-delivery alerts from Microsoft seem very similar, but don’t have a link that users can click to resend the electronic mails. Nevertheless, as the messages have the correct branding and use a similar format, it is likely that a lot of receivers will click the link and reveal their identifications.

Contrary to several phishing campaigns, the messages are well written and don’t include any spelling errors, just a missing capital letter in the warning.  The trap is believable, but there is one clear indication that this is a cheat. The domain to which the user is directed is obviously not one used by Microsoft. That said, a lot of people don’t always check the domain they are on if the website appears official.

This Office 365 phishing attack emphasizes just how important it is to cautiously check the domain before any confidential information is disclosed and to halt and think before taking any action advised in an unsolicited electronic mail, even if the electronic mail appears official.

Sophisticated Phishing Attack Inserts Malware into Existing Email Conversation Threads

A new sophisticated phishing method has been identified that includes a malevolent actor gaining access to an electronic mail account, observing a conversation thread, and then putting in malware in response to a continuing discussion.

The cheat is a variation of a Business Email Compromise (BEC) attack. BEC attacks usually involve using a compromised electronic mail account to transmit messages to accounts or payroll workers to get them to make fake bank transfers to accounts managed by the attacker.

In this instance, the aim is to fit a banking Trojan named Ursnif. Ursnif is among the most commonly used banking Trojans and is a variation of Gozi malware. Ursnif not only steals information via web injection but also downloads and fits the Tor client and links to the Tor network for communication with its C2 servers. Once installed, the malware hunts for and steals electronic mail identifications, cookies and credentials.

The attacks have so far been focused in Europe and North America, chiefly on companies in the power sector, fiscal services, and education, even though the attacks are far from confined to those regions and verticals.

In order to carry out this campaign, the attacker has to first gain access to an electronic mail account, which might be accomplished through a normal phishing cheat or buying breached identifications through darknet marketplaces.

Contrary to most phishing scams which include an out-of-the-blue message, this attack method is expected to have a much higher success ratio because the messages are part of a continuing conversation. As the messages come from inside a company and are transmitted from a real account and involve no deceiving of electronic mail addresses, they can be difficult to identify.

Identifying a fake reply to a continuing conversation needs watchfulness on the part of workers. There are likely to be differences in the electronic mails, such as a modification in the language used in the electronic mails, strange replies that are more general than would be expected and out of keeping with the chat, changes to electronic mail signatures or, in the case of one campaign in Canada, an abrupt change from French to English.

The scam was disclosed by scientists at Trend Micro who noted a similarity with a campaign identified by the Cisco Talos team that spread Gozi malware and involved computers that had earlier been hijacked and were part of the Dark Cloud botnet. Trend Micro proposes that the latest campaigns might be a growth of the group’s attack method.

The campaign utilizes Word attachments having malevolent PowerShell code which downloads the latest type of Ursnif. Trend Micro considers the messages are dispatched from the US and notes that the malware will only run on Windows Vista and above and will not infect users in China or Russia.

The campaign demonstrates how advanced phishing attacks are becoming, and that the usual cybersecurity best practice of never opening attachments or clicking links in electronic mails from strange senders is not adequate to avoid malware from being installed.

Phishers Using Azure Blog Storage to Host Phishing Forms with Legal Microsoft SSL License

Cybercriminals are utilizing Microsoft Azure Blog storage to host phishing forms. The site hosting the malevolent files has an authentic Microsoft SSL license which adds genuineness to the campaign. Similar methods have been used in the past for Dropbox phishing cheats and attacks that mimic other cloud storage platforms.

A usual phishing situation involves an electronic mail being transmitted with a button or hyperlink that the user is requested to tick to access a cloud-hosted file. When the link is clicked they are led to a website where they are needed to enter login identifications – Such as Office 365 identifications – to retrieve the file.

At this stage, the scam often falls down. Oftentimes the webpage that is visited seems strange, doesn’t begin with HTTPS, or the site has an illegal SSL certificate. Although visiting such a domain a large red flag will be raised. Nevertheless, if the user visits a usual looking domain and the SSL credential is legal and has been allotted to a trustworthy brand, the possibility of the user continuing and entering login identifications is far higher.

That is precisely the case with Azure blog storage. Although the domain might seem unknown, it’s a legal Windows domain finishing with .blob.core.windows.net and is safe with an SSL credential. An additional check will disclose that the certificate is legal and has been issued by Microsoft IT TLS CA 5. A genuine-looking Office 365 login form will emerge and identifications will need to be entered to get access to the document – electronic mail and password. This is likely to appear entirely reasonable since the user is retrieving a Microsoft document hosted on a Microsoft site.

Nevertheless, entering in identifications into the login box will see that information transmitted to a server managed by the attackers. The user will be informed that the document is being opened, even though they will be guided to a different Microsoft site. Although this is a red flag, by this time it is too late as the user’s identifications have already been thieved.

In this instance, it was Office 365 identifications that the attackers were trying to get, although the scam might similarly be conducted to get Azure identifications or other Microsoft logins.

Avoiding email-based phishing attacks is easiest with anti-phishing controls to safeguard the electronic mail gateway and avoid messages from reaching inboxes. An advanced spam filtering solution will make sure that the bulk of electronic mails are obstructed. Office 365 users must strongly consider extending Microsoft Office 365 with a third-party spam filter for better safety.

No anti-phishing solution will avoid all phishing electronic mails from reaching inboxes, so it is crucial for workers to be taught safety best practices and to get specific anti-phishing training. Besides providing training on the most common phishing cheats, it is important for end users to be educated on phishing cheats that misuse cloud facilities and object store URLs to make sure cheats like this can be identified as such.

Cofense Study Reveals Extensive Misuse of Zoho Email by Keyloggers

Latest research from Cofense has shown there has been a substantial increase in keylogger activity in 2018 which backs up research carried out by Microsoft that indicated the revival of a keylogger known as Hawkeye.

Keyloggers are information-stealing malware that record keystrokes on a computer and other input from human interface devices (HUDs) such as microphones and webcams. A lot of modern keyloggers are also capable to copy information from the clipboard and take screenshots. Their purpose is to get login identifications, passwords, and other confidential information.

That information is recorded but should then be transmitted back to the attackers without being noticed. There are different methods that can be used to get the thieved data. The information can be conveyed to an IP, Domain, or URL, but one of the most usual ways keyloggers exfiltrate data is through electronic mail.

The people that use keyloggers register free electronic mail accounts to receive the thieved information, and Cofense has found that the biggest single electronic mail provider used to get keylogger data is Zoho, the Indian supplier of online office suite software. After reviewing the terminus of information thieved by keyloggers, Cofense found that 39% of electronic mails went to Zoho accounts, compared to 7% that were sent to Yandex accounts, the second most usually misused electronic mail platform.

The purpose why keyloggers are using Zoho is not abundantly obvious, even though Cofense scientists propose it is the lack of safety controls that make the electronic mail facility popular. For example, 2-factor verification is available for Zoho electronic mail accounts, but it is not compulsory. Electronic mail accounts can be opened free of charge and there are comparatively few controls over who can open an account. Cofense notes that the account registration procedure would be easy to automate with an easy script and that there is no requirement to use a mobile phone for confirmation.

The statement is more bad news for Zoho, which was lately provisionally taken offline by its registrar after reports that one of its facilities was being exploited and used for phishing producing an outage for its 30 million+ users.

Zoho has now replied to the report and has announced that it is taking measures to avoid misuse of its electronic mail facility and will soon need all new accounts to include a mobile phone number for confirmation, including its free accounts. Zoho will also boost its efforts to check outgoing SMTP and will be looking for doubtful login patterns and will stop users who seem to be misusing its facility.

“We are also narrowing our rules for all users. We have lately reviewed and improved our policy around SPF (sender policy framework) and applied DKIM (domain key identified mail) for our domain. This will bring about a solid DMARC policy that we will also publish,” said Sridhar Vembu, creator and CEO of Zoho.

Vembu also clarified that it’s not the only cloud facility supplier that is aimed in this way, “ Unluckily, phishing has become one of the bad side-effects of Zoho’s fast progress, particularly the progress of our mail facility. Since Zoho Mail offers the most generous free accounts, this gets worsened as more malevolent actors take benefit of this huge customer value. However, we are clamping down on this severely.”