KnowBe4 2022 Phishing Test Report Confirms Business-Related Emails Trend 

KnowBe4 has announced the results of its 2022 and Q4 2022 top-clicked phishing report. The results include the top email subjects clicked in phishing tests, the top attack vector types, holiday phishing email subjects and other insights that reveal the most popular phishing email tactics.

Phishing emails continue to be one of the most common and effective methods to maliciously impact a variety of organisations around the world – everyone is a potential victim. Cybercriminals constantly refine their strategies to outsmart end users and organisations by changing phishing email subjects to be more believable and attention grabbing. This shift in phishing tactics over time is evident in the increasing trend of cybercriminals using business-related email subjects.

Business phishing emails are lucrative and successful because of their potential to affect a user’s workday and routine. These include emails purporting to come from HR, IT, managers and web services such as Google and Amazon. KnowBe4’s 2022 phishing test results reveal that for the year, nearly 50% of email subjects were HR related, while the other half were related to career development, IT and work project notifications. These types of emails bait recipients into opening them and are likely successful because they create a sense of urgency in users to act quickly, sometimes without thinking or taking the time to question the email’s legitimacy.

Additionally, this year’s phishing tests revealed the top vector for the year to be phishing links in the body of an email, which has stayed consistent for the last three consecutive quarters. The combination of these phishing tactics is clearly a working strategy for cybercriminals but detrimental to users and organisations as they can lead to cyber attacks such as business email compromise and ransomware.

Along with the increased use of business-related email subjects and links within emails, the Q4 2022 phishing test also shares the top holiday phishing email subjects. The holiday season is one of the busiest times of year for online activity, and cybercriminals count on end users having their guard down when it comes to staying alert and spotting phishing emails. Like general phishing email subjects, holiday phishing email subjects consist of emails from HR and IT. However, they are also tailored to the holiday season and the festivities that typically happen at that time of year by mentioning holiday parties, gifts, food and more.

“Cybercriminals are smart and pay attention to what works and what does not when it comes to effective phishing emails,” said Stu Sjouwerman, CEO, KnowBe4. “This is why we see email subjects evolve and upgrade over time to keep up with end users and what they may be susceptible to. Phishing emails are a year-round threat and remain a challenge during the holiday season as well – holiday phishing emails are the one gift that no one wants to receive in their inbox. KnowBe4’s phishing test reports emphasise the importance of new-school security awareness training that educates users on the latest and most common cyber attacks and threats. A strong security culture and an educated workforce are an organisation’s best defence to remain vigilant and stay safe online from cybercriminals and their attempted threats.”

To download a copy of the 2022 and the Q4 2022 KnowBe4 Phishing Infographics, visit here and here.

The post KnowBe4 2022 Phishing Test Report Confirms Business-Related Emails Trend appeared first on IT Security Guru.

Microsoft Email Security Bypasses Instagram Credential Phishing Attacks

It has been reported that a credential phishing attack targeted 22,000 students at national educational institutions through a campaign where hackers impersonated Instagram.

The attack was highlighted by security experts at Armorblox in an advisory released on 17th November 2022.

The advisory says: “The subject of this email encouraged victims to open the message… The goal of this subject was to induce a sense of urgency in the victims, making it seem an action needed to be taken in order to prevent future harm.”

Seemingly, the email appeared to come from Instagram support. The sender’s name appeared as Instagram and the email address matched the social media site’s real credentials.

“This targeted email attack was socially engineered, containing information specific to the recipient – like his or her Instagram user handle – in order to instill a level of trust that this email was a legitimate email communication from Instagram.”

Once users clicked on a link in the email, they were taken to a fake landing page. There was a ‘This Wasn’t Me’ option which, when clicked, directed users to a second faux landing page specifically designed to obtain user credentials, including sensitive information.

The Armorblox advisory added: “The email attack used language as the main attack vector and bypassed native Microsoft email security controls. It passed both SPF and DMARC email authentication checks.”

Sami Elhini, biometrics specialist at Cerberus Sentinel, explained: “In this case, an email from instagramsupport.net should be viewed as suspicious as Instagram’s domain is instagram.com. Where a service provides support, it may be advisable to contact support directly if you are unsure what action to take.”

He also added that verifying the origin of an email is a good start, however further scrutiny is required concerning which domain the email originated from.
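The point made above, that an email passing authentication checks says nothing about whether the sending domain belongs to the brand named in the message, can be turned into a simple mail-gateway or triage check. The following is an added example, not code from Armorblox, Cerberus Sentinel or any of the vendors quoted here. The sample message and the `EXPECTED_BRAND_DOMAINS` table are constructed for the example; the only domain taken from the article is instagramsupport.net. The `registrable_domain` helper is a deliberate simplification that keeps the last two labels of a hostname, which is enough for .com/.net but would need a public-suffix list for TLDs such as co.uk.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the case described in the article: the display
# name says "Instagram", but the sender domain is instagramsupport.net, and the
# message passes SPF, DKIM and DMARC for that (attacker-controlled) domain.
SAMPLE_MESSAGE = """\
From: Instagram <support@instagramsupport.net>
To: student@example.edu
Subject: Unusual login detected on your account
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=instagramsupport.net; dkim=pass header.d=instagramsupport.net; dmarc=pass header.from=instagramsupport.net

We noticed a login from a new device. If this wasn't you, review it now.
"""

# Constructed control case: same brand name, but sent from the brand's own domain.
LEGIT_SAMPLE = """\
From: Instagram <security@mail.instagram.com>
To: student@example.edu
Subject: Your weekly account summary
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=mail.instagram.com; dkim=pass header.d=instagram.com; dmarc=pass header.from=instagram.com

Here is what happened on your account this week.
"""

# Assumed mapping of brand names (as they appear in display names) to the
# registrable domains those brands really send from. A real deployment would
# maintain this list from the brands' published sender information.
EXPECTED_BRAND_DOMAINS = {
    "instagram": {"instagram.com"},
    "paypal": {"paypal.com"},
}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (simplified; no public-suffix list)."""
    labels = host.lower().strip().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_auth_results(header: str) -> dict:
    """Extract method=result pairs (spf=pass, dkim=fail, ...) from an
    Authentication-Results header value."""
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)
    return {method.lower(): result.lower() for method, result in pairs}


def assess_sender(raw_message: str) -> dict:
    """Flag messages whose display name claims a brand that the sender domain does not match."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(address.rsplit("@", 1)[-1]) if "@" in address else ""
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    # Which brand does the display name claim to be?
    claimed = next((b for b in EXPECTED_BRAND_DOMAINS if b in display_name.lower()), None)
    brand_mismatch = claimed is not None and sender_domain not in EXPECTED_BRAND_DOMAINS[claimed]

    return {
        "display_name": display_name,
        "sender_domain": sender_domain,
        "claimed_brand": claimed,
        # Passing SPF/DMARC only proves the mail really came from sender_domain.
        "auth_passed": auth.get("spf") == "pass" and auth.get("dmarc") == "pass",
        # It is the brand/domain mismatch, not the authentication result, that matters.
        "brand_mismatch": brand_mismatch,
        "suspicious": brand_mismatch,
    }


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_MESSAGE), ("legit", LEGIT_SAMPLE)):
        print(label, assess_sender(sample))
```

Run as a script, the phishing sample reports `auth_passed: True` and `suspicious: True` at the same time, which is exactly the situation the advisory describes: the authentication checks are doing their job, they just authenticate the wrong domain.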

Erich Kron, security awareness advocate at KnowBe4, added that being comfortable with user interfaces and being able to navigate technologies does not mean individuals fully understand the risks.

“In our modern digital world, it is very important to stay educated on how to spot these sorts of social engineering attacks.”

This comes after warnings of increased phishing attacks across the web.

The post Microsoft Email Security Bypasses Instagram Credential Phishing Attacks appeared first on IT Security Guru.

Study highlights surge in identity theft and phishing attacks

A new study from behavioural risk firm CybSafe and the National Cybersecurity Alliance (NCA) has been launched today and it highlights an alarming surge in phishing and identity theft attacks.

The report, titled ‘Oh, Behave! The Annual Cybersecurity Attitudes and Behaviors report’, studied the attitudes of 3,000 individuals across the U.S., the UK and Canada towards cybersecurity. It revealed that nearly half (45%) of us are connected to the internet all the time; this has been accompanied by a surge in identity theft, with almost 1 in 4 people having been affected by the attack.

Furthermore, 1 in 3 (36%) respondents revealed they have lost money or data due to a phishing attack. Yet the study also revealed that 70% of respondents feel confident in their ability to identify a malicious email, but only 45% will confirm the authenticity of a suspicious email by reaching out to the apparent sender.

When it comes to implementing cybersecurity best practices, only 33% of respondents revealed they use a unique password for important online accounts, while only 16% utilise passwords of over 12 characters in length. Furthermore, only 18% of participants have downloaded a stand-alone password manager, while 43% of respondents have not even heard of multi-factor authentication.

Commenting on the study finding, Oz Alashe, CEO and Founder of CybSafe, said: “One of the biggest misconceptions is the belief that people are the weakest link in cybersecurity. The combination of evolving threats coupled with more people accessing the Internet daily for work and recreation means people-related cybersecurity risk must be reassessed. It also makes education and implementation of fundamental cybersecurity practices more important than ever before. MFA, password managers and other ‘basic’ cybersecurity best practices have been shown to be incredibly effective in thwarting cyber criminals, yet adoption continues to be a big problem. We need to find a way to break through the age-old misperceptions that these steps are annoying or cumbersome and replace them with the facts: these tools can significantly lower the chances of becoming a cybercrime victim.”

The post Study highlights surge in identity theft and phishing attacks appeared first on IT Security Guru.

New Microsoft Update To Let Office 365 Users Report Teams Phishing Messages

Earlier last week, Microsoft announced that they are working on updating Microsoft Defender for Office 365 to allow Microsoft Teams users to alert their organization’s security team of any dodgy messages they receive.

As of now, Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection or Office 365 ATP) protects organizations from malicious threats from email messages, links, and collaboration tools.

It appears that this in-development feature aims to allow admins to filter potentially dangerous messages targeting employees with malicious payloads or trying to redirect them to phishing websites.

“End users will be able to report suspicious Microsoft Teams messages as a security threat just like they do for emails – to help the organization to protect itself from attacks via Microsoft Teams,” Microsoft explains on the Microsoft 365 roadmap.

In addition, Redmond is also working on updating Defender for Office 365’s Submissions experience to categorize the user-reported messages into individual tabs for Phish, Spam (Junk), and so on, according to the users’ reports.

Whilst it’s expected that the upgraded submission feature could reach general availability next month, the new user reporting capability is now in preview and will most likely roll out to standard multi-tenants until the end of January 2023 on desktop and web clients worldwide.

It seems that these new Defender for Office 365 capabilities build upon improvements announced in July 2021, which allow Microsoft Teams to automatically block phishing attempts.

This was achieved by Microsoft extending Defender for Office 365 Safe Links protection to the Teams communication platform, to help safeguard users from malicious URL-based phishing attacks.

In recent news, Microsoft explained that the “Safe Links in Defender for Office 365 scans URLs at the time of click to ensure that users are protected with the latest intelligence from Microsoft Defender.”

In efforts to speed up the process, Redmond also started rolling out Built-In Protection to Defender for Office 365 in November 2021, a new feature that automatically enables recommended settings and policies to ensure that all new and existing users get at least a basic level of protection.

The implementation of this new Built-In Protection has been designed to patch the gaps in enterprise protection coverage and is designed to improve the organization’s overall security posture by drastically reducing the risk of a breach.

It appears that this security upgrade targeted at all Office 365 customers was soon followed, in January 2022, by the addition of differentiated protection for priority enterprise accounts (i.e., critical accounts of high-profile employees such as executive-level managers, the ones who attackers most often target).

The post New Microsoft Update To Let Office 365 Users Report Teams Phishing Messages appeared first on IT Security Guru.

Android Banking Users Targeted With Fake Rewards Phishing Scam

Earlier today, reports emerged of an SMS-based phishing campaign targeting customers of Indian banks with information-stealing malware that masquerades as a rewards application.

According to the Microsoft 365 Defender Research Team, the messages contain links that redirect users to a sketchy website that triggers the download of the fake banking rewards app for ICICI Bank.

“The malware’s RAT capabilities allow the attacker to intercept important device notifications such as incoming messages, an apparent effort to catch two-factor authentication (2FA) messages often used by banking and financial institutions,” researchers Shivang Desai, Abhishek Pustakala, and Harshita Tripathi said.

In addition to this, the malware is equipped with the ability to steal SMSes, potentially enabling the attacker to swipe 2FA codes sent as text messages and gain unauthorized access to victim accounts.

Similarly to other social engineering attacks, familiar brand logos and names are used in the smishing message as well as the rogue app in a bid to give an illusion of legitimacy and trick the users into installing the apps.

The attacks are recognised as a continuation of an ongoing campaign that has distributed similar rewards-themed apps for other Indian banks such as the State Bank of India (SBI) and Axis Bank in the past.

Once the fraudulent app has been installed, it not only asks for extensive permissions, but also requests users to enter their credit/debit card information as part of a supposed sign-in process, while the trojan waits for further instructions from the attacker.

The app commands allow the malware to harvest system metadata, call logs, intercept phone calls, as well as steal credentials for email accounts such as Gmail, Outlook, and Yahoo.

“This malware’s continuing evolution highlights the need to protect mobile devices,” the researchers said. “Its wider SMS stealing capabilities might allow attackers to use the stolen data to further steal from a user’s other banking apps.”

The post Android Banking Users Targeted With Fake Rewards Phishing Scam appeared first on IT Security Guru.

PayPal Phishing Scam Uses Invoices Sent Via PayPal

Scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge. The missives — which come from Paypal.com and include a link at Paypal.com that displays an invoice for the supposed transaction — state that the user’s account is about to be charged hundreds of dollars. Recipients who call the supplied toll-free number to contest the transaction are soon asked to download software that lets the scammers assume remote control over their computer.

KrebsOnSecurity recently heard from a reader who received an email from paypal.com that he immediately suspected was phony. The message’s subject read, “Billing Department of PayPal updated your invoice.”

A copy of the phishing message included in the PayPal.com invoice.

While the phishing message attached to the invoice is somewhat awkwardly worded, there are many convincing aspects of this hybrid scam. For starters, all of the links in the email lead to paypal.com. Hovering over the “View and Pay Invoice” button shows the button indeed wants to load a link at paypal.com, and clicking that link indeed brings up an active invoice at paypal.com.

Also, the email headers in the phishing message (PDF) show that it passed all email validation checks as being sent by PayPal, and that it was sent through an Internet address assigned to PayPal.

Both the email and the invoice state that “there is evidence that your PayPal account has been accessed unlawfully.” The message continues:

“$600.00 has been debited to your account for the Walmart Gift Card purchase. This transaction will appear in the automatically deducted amount on PayPal activity after 24 hours. If you suspect you did not make this transaction, immediately contact us at the toll-free number….”

Here’s the invoice that popped up when the “View and Pay Invoice” button was clicked:

The phony PayPal invoice, which was sent and hosted by PayPal.com.

The reader who shared this phishing email said he logged into his PayPal account and could find no signs of the invoice in question. A call to the toll-free number listed in the invoice was received by a man who answered the phone as generic “customer service,” instead of trying to spoof PayPal or Walmart. Very quickly into the conversation he suggested visiting a site called globalquicksupport[.]com to download a remote administration tool. It was clear then where the rest of this call was going.

I can see this scam tricking a great many people, especially since both the email and invoice are sent through PayPal’s systems — which practically guarantees that the message will be successfully delivered. The invoices appear to have been sent from a compromised or fraudulent PayPal Business account, which allows users to send invoices like the one shown above. Details of this scam were shared Wednesday with PayPal’s anti-abuse (phish@paypal.com) and media relations teams.

It’s remarkable how well today’s fraudsters have adapted to hijacking the very same tools that financial institutions have long used to make their customers feel safe transacting online. It’s no accident that one of the most prolific scams going right now — the Zelle Fraud Scam — starts with a text message about an unauthorized payment that appears to come from your bank. After all, financial institutions have spent years encouraging customers to sign up for mobile alerts via SMS about suspicious transactions, and to expect the occasional inbound call about possibly fraudulent transactions.

Also, today’s scammers are less interested in stealing your PayPal login than they are in phishing your entire computer and online life with remote administration software, which seems to be the whole point of so many scams these days. Because why rob just one online account when you can plunder them all?

The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark to avoid potential typosquatting sites.

Almost a third of untrained users will click a phishing link – KnowBe4 research

New research has revealed that one in three untrained employees will click on a phishing link, according to the 2022 Phishing by Industry Benchmarking Report from KnowBe4.

With ransomware payments averaging $580,000 in 2021 and business email compromise (BEC) losses topping $1.8 billion in 2020, a cyber attack can wreak havoc on an organisation. Yet, according to the baseline testing conducted for the report, without security training, across all industries globally, 32.4% of employees are likely to click on a suspicious link or comply with a fraudulent request. In some large category industries, such as Consulting, Energy & Utilities, and Healthcare & Pharmaceuticals, the percentage is over 50%.

The 2022 study analysed a data set of 9.5 million users across 30,173 organisations with over 23.4 million simulated phishing security tests. By examining the employee Phish-prone™ Percentages (PPP) by industry, KnowBe4 is able to identify at-risk users who are susceptible to phishing or social engineering attacks. For those new to PPP, it measures the percentage of employees in organisations that had not conducted any KnowBe4 security training who clicked a simulated phishing email link or opened an infected attachment during testing.

“In critical industries like Health Services and Finance, where lives can be severely impacted, we found particularly high levels of cybersecurity risk as a result of simulated phishing test failures,” says Stu Sjouwerman, CEO, KnowBe4.

“With the steep cost of cyberattacks, this is deeply concerning. Given that most data breaches originate from social engineering, we cannot afford to omit the human element.

“Implementing security awareness training with simulated phishing testing will help to better protect organisations against cyber attacks and result in a more secure organisational culture.”

The 2022 Phishing by Industry Benchmarking Report underscores the fact that, while technology plays an important role in preventing and recovering from an attack, organisations cannot afford to ignore the human factor.

The post Almost a third of untrained users will click a phishing link – KnowBe4 research appeared first on IT Security Guru.

$8million Worth of Ethereum Stolen in Large Scale Uniswap Phishing Campaign

During an attack earlier this week, Uniswap, a popular decentralised cryptocurrency exchange, lost close to $8million worth of Ethereum.

The cyberattack has impacted many investors in digital assets.

The threat actors used the lure of free UNI tokens (airdrops) to trick victims into approving a transaction that gave hackers full access to wallets.

The trap was a disguised “setApprovalForAll” function that assigns or revokes full approval rights to the operator. This essentially allows the attacker to redeem all Uniswap v3 LP tokens for ETH in the victim’s wallet.

In total, the threat actors siphoned 7,574 ETH to a wallet address under their control and quickly moved 7,500 to the Tornado Cash service for laundering.

73,399 users who held UNI tokens were airdropped an ERC20 token created by the phishing actors. The actors spent 8.5 ETH in TX fees for the high number of transactions.

The aim of the campaign was to re-direct the recipients to a scam website on the domain “uniswaplp[.]com” which impersonates the official Uniswap domain “uniswap.org.”

The operator appeared as “Uniswap V3: Position NFT” to the victims, tricking them into allowing approval rights.

Researchers at Check Point explain that the attackers polluted the emit function of the contract with false data tricking the block explorer into displaying Uniswap as the sender.
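The mechanism described in this article, a `setApprovalForAll` call that hands an operator blanket rights over every token in a wallet, is visible in the transaction calldata before the user signs, regardless of how the operator is labelled by a block explorer. The following is an added example, not code from Uniswap, Check Point or the attackers, showing how a wallet or monitoring tool could decode such a call and refuse to sign a grant to an operator it does not recognise. The selector `a22cb465` is the standard first four bytes of keccak256 of `setApprovalForAll(address,bool)`; the contract and operator addresses are constructed placeholders, not addresses from the incident.

```python
# First 4 bytes of keccak256("setApprovalForAll(address,bool)") in hex.
# This is the standard ERC-721/ERC-1155 selector; hard-coded so the example
# needs no keccak library.
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"

# Constructed placeholder addresses for the example (not real contracts).
TOKEN_CONTRACT = "0x" + "11" * 20      # stands in for an LP position NFT contract
UNKNOWN_OPERATOR = "0x" + "22" * 20    # stands in for an attacker-controlled operator
TRUSTED_OPERATOR = "0x" + "33" * 20    # stands in for a marketplace the user has vetted


def strip_0x(hex_str: str) -> str:
    return hex_str[2:] if hex_str.lower().startswith("0x") else hex_str


def encode_set_approval_for_all(operator: str, approved: bool) -> str:
    """ABI-encode setApprovalForAll(operator, approved): selector + two 32-byte words."""
    operator_word = strip_0x(operator).lower().rjust(64, "0")
    approved_word = ("1" if approved else "0").rjust(64, "0")
    return "0x" + SET_APPROVAL_FOR_ALL_SELECTOR + operator_word + approved_word


def decode_set_approval_for_all(calldata: str):
    """Return {'operator', 'approved'} if calldata is a setApprovalForAll call, else None."""
    data = strip_0x(calldata).lower()
    if not data.startswith(SET_APPROVAL_FOR_ALL_SELECTOR) or len(data) < 8 + 128:
        return None
    # The address occupies the low 20 bytes of the first 32-byte argument word.
    operator = "0x" + data[8 + 24:8 + 64]
    approved = int(data[8 + 64:8 + 128], 16) != 0
    return {"operator": operator, "approved": approved}


def review_transaction(tx: dict, trusted_operators: set) -> dict:
    """Decide whether a pending transaction should be blocked before signing.

    Only the decoded operator address is compared against the allowlist; the
    human-readable label shown by an explorer or dApp is deliberately ignored,
    since that is exactly what the phishing contract spoofed.
    """
    decoded = decode_set_approval_for_all(tx.get("data", ""))
    if decoded is None:
        return {"kind": "other", "block": False, "reason": "not a setApprovalForAll call"}
    operator = decoded["operator"]
    if not decoded["approved"]:
        return {"kind": "revoke", "block": False, "reason": f"revokes operator {operator}"}
    if operator in {o.lower() for o in trusted_operators}:
        return {"kind": "grant", "block": False, "reason": f"grants trusted operator {operator}"}
    return {
        "kind": "grant",
        "block": True,
        "reason": f"grants full control of all tokens in {tx.get('to', '?')} to unknown operator {operator}",
    }


if __name__ == "__main__":
    trusted = {TRUSTED_OPERATOR}
    for label, tx in (
        ("phish", {"to": TOKEN_CONTRACT, "data": encode_set_approval_for_all(UNKNOWN_OPERATOR, True)}),
        ("vetted", {"to": TOKEN_CONTRACT, "data": encode_set_approval_for_all(TRUSTED_OPERATOR, True)}),
        ("revoke", {"to": TOKEN_CONTRACT, "data": encode_set_approval_for_all(UNKNOWN_OPERATOR, False)}),
        ("transfer", {"to": TOKEN_CONTRACT, "data": "0xdeadbeef"}),
    ):
        print(label, review_transaction(tx, trusted))
```

The useful property of the check is that it keys on the decoded operator address rather than on any display name, so a contract presenting itself as “Uniswap V3: Position NFT” gets no special treatment; and it lets revocations through, which is the transaction a victim needs to send to close the exposure.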

The post $8million Worth of Ethereum Stolen in Large Scale Uniswap Phishing Campaign appeared first on IT Security Guru.

New Callback Phishing Attacks Sees Hackers Impersonate Cybersecurity Firms

Hackers are impersonating well-known cybersecurity companies in callback phishing emails to gain initial access to corporate networks. CrowdStrike has recently been among the companies impersonated.

Most phishing campaigns embed malicious links that lead to landing pages that steal login credentials or emails that include harmful attachments to install malware.

Over the past year, threat actors have increasingly used “callback” phishing campaigns that impersonate well-known cybersecurity companies requesting victims to call a number to resolve a problem, cancel a subscription, or to discuss other issues.

When the target calls the number, the threat actors employ social engineering tactics to convince users to install remote access software on their devices. This provides the threat actors with access to corporate networks. This access is then used to compromise the whole Windows domain.

Focusing on social engineering, a new phishing campaign has surfaced recently, where hackers impersonating CrowdStrike try to warn recipients that a malicious network intruder has compromised their workstations and that an in-depth security audit is urgently required.

The email asks employees to ring them on an enclosed phone number to schedule the audit.

If called, the hackers will guide an employee through installing remote administration tools (RATs) that give the threat actor complete control over the workstation.

Further tools are then remotely installed by the threat actor which allows them to spread laterally through the network, potentially stealing data and deploying ransomware to encrypt devices.

CrowdStrike warns, “this is the first identified callback campaign impersonating cybersecurity entities and has higher potential success given the urgent nature of cyber breaches.”

In March 2022, CrowdStrike’s analysts identified a similar campaign in which threat actors used AteraRMM to install Cobalt Strike and then move laterally across a victim’s network before deploying malware.

The post New Callback Phishing Attacks Sees Hackers Impersonate Cybersecurity Firms appeared first on IT Security Guru.