Gmail Bug Allows Phishing Emails to Be Transmitted Anonymously

A Gmail bug has been found that lets electronic mails to be transmitted anonymously with no information contained in the sender field. The bug might easily be abused by cybercriminals for use in phishing attacks.

Phishers often hide the sender of an electronic mail in phishing campaigns to deceive the receiver into believing the electronic mail is genuine. The sender’s electronic mail address can be deceived so the shown name seems to be a known contact or well-known organization. Nevertheless, if there is no information in the from field, several end users might be deceived into thinking the electronic mail has come from a genuine source.

The vulnerability was found by software developer Tim Cotton. It is the second Gmail vulnerability he has found in the past few days. The first Gmail vulnerability would let an attacker send a message directly to a user’s sent folder, possibly bypassing inbox anti-spam safeguards. The vulnerability might be abused to make a user think that they have earlier transmitted a message.

The vulnerability is present in how Gmail categorizes electronic mails. If the account holder’s name is in the from field, the message will be automatically sent to the sent folder. If an attacker was then to send a normal electronic mail to the same user, which referred to an earlier message they had received, the user might be enticed into checking the message in the sent folder and might open an attachment or click on an embedded hyperlink.

The latest Gmail vulnerability is similar to the first. Cotton found that if a receiver’s name is paired with a random tag such as <img> or <object> that contained a distorted image, the sender name would remain blank. Using this method, even if the receiver clicks on reply, no sender’s name will show.  Even using the Show Original function, the sender’s name was not shown.

As per Cotton, “It was the blend of the quoted alias, a preceding word, space and the long base64, [and] poorly encoded img tag.” While the header was conserved and described, the Gmail UX might not handle it and returned a blank field.

Both vulnerabilities have been informed to Google, but thus far, they have not been rectified.

Trump Spam Dominates Electronic mail Subject Lines in Run up to Mid-Terms

Donald Trump is well recognized for his claims to be the largest and best and now he can make a new demand, having been called by Proofpoint as the most usually used keyword in election-related spam.

The name Trump highlighting in 53% of election-related spam electronic mail subject lines, defeating the nearest opponent “Obama” who had a trifling 6%. The nearest keyword word to Trump was “Democrat” with 11% of spam volume, after that “election” on 10% and “republican” on 7%.

A search for the names of all contenders running for Congress generated insignificant results for all except two candidates. Although there were several well-liked, nationally-recognized names up for election, just Cruz and Pelosi had prominent spam electronic mail volumes, although at a low level. The name Cruz was present in 4% of subject lines and Pelosi was in 2%.

Proofpoint notices that in the run-up to the polls, higher spam volumes related with positive results for the contenders in the United States, UK, France, and Germany. In the run-up to the 2016 U.S. election, Trump spam was nine times as common as Clinton spam.

For the mid-terms, the results are not so obvious even though the higher number of “democrat” spam electronic mails compared to “republican” spam electronic mails did correspond with the outcomes for the House of Representatives with the Democrats acquiring a majority.

The examination of the election-related spam landscape emphasized a usual tendency in phishing and spamming. The use of effective brand names to generate clicks on hyperlinks inserted in electronic mails. The strongest brands are commonly used by spammers to creäte more clicks.

“Whether these brands are trendy or polarizing, spammers include them in subject lines, electronic mail bodies, URL landing pages, social media remarks, and more to drive clicks and eyeballs, even though the actual spam or associated pages are totally unconnected to politics,” notes Proofpoint.

Z Services Selects TitanHQ to Provide New Cloud-Based Security

The Dubai-based managed facility supplier Z Services has increased its partnership with TitanHQ and is now offering cloud-based web filtering and in-country electronic mail archiving as a facility to clients all over the MENA region.

Cybersecurity is a crucial business concern all over the MENA region and businesses are increasingly looking to managed facility suppliers to provide solutions to improve their safety posture. It makes much more intelligence to have cybersecurity as an operational expenditure rather than a capital expenditure, which is achieved through cloud-based facilities instead of appliance-based solutions. Z Services has been increasing its customer base by supplying these solutions to SMEs through ISPs.

Z Services increased its cybersecurity facilities earlier this year with a new partnership with TitanHQ. The managed facility supplier began offering a new cloud-based anti-spam facility – Z Services Anti-Spam SaaS – which was powered by TitanHQ’s SpamTitan technology. The facility obstructs nuisance spam electronic mail and delivers safety against ransomware, malware, and phishing attacks.

The fame of the facility has encouraged Z Facilities to increase its partnership with TitanHQ and begin offering a new web filtering and electronic mail archiving facility to companies in the region via their ISPs. Its Internet security-as-a-service offering is powered by WebTitan and the in-country electronic mail archiving facility is powered by ArcTitan. TitanHQ provided its solutions in white label form letting Z Services to rebrand the solutions and generate its MERALE SaaS offering – An economical, auto-provisioned, Internet safety and compliance facility.

Through MERALE, SMEs are able to obstruct web-based dangers such as phishing and avoid ransomware and malware downloads while cautiously monitoring the online content workers can access. In addition to improving Internet safety, companies benefit from output gains through the obstructing of types of web content such as dating, gambling, and social media sites. An extensive reporting suite gives companies all the information they require on the online activities of the staff. The in-country electronic mail archiving facility assists companies abide by the government, state, and industry rules meet eDiscovery requirements.

“We trust that MERALE will be a game-changer in how small and medium companies in the region make sure their safety, and as a subscription-based facility, it removes the need for heavy investments and long-term commitments,” said, Nidal Taha, President – Middle East and North Africa, Z Services.

Brands Most Usually Spoofed by Phishers Exposed

Vade Secure has issued a new report describing the brands most usually targeted by phishers in North America. The Phishers’ Favorites Top 25 list discloses the most usually spoofed brands in phishing electronic mails found in Q3, 2018.

For the latest report, Vade Security followed 86 brands and rated them based on the number of phishing attacks in which they were mimicked. Those 86 brands account for 95% of all brands deceiving attacks in Q3, 2018. Vade Secure notices that there has been a 20.4% rise in phishing attacks in Q3.

As was the case the preceding quarter, Microsoft is the most targeted brand. Phishers are trying to gain access to Azure, Office 365, and OneDrive identifications. If any of those login identifications can be acquired, the attackers can raid accounts and steal private information, and in the case of Office 365, use the electronic mail accounts to carry out more attacks on people within the same company or use contact information for outer spear phishing attacks. Vade Secure has noted a 23.7% increase in Microsoft phishing URLs in Q3.

The level to which Microsoft is targeted is shown in the graph below:

In second place is PayPal, the prominent deceived brand in the financial facilities. Here the goal is simple. To gain access to PayPal accounts to make transferals to accounts managed by crooks. There has been a 29.9% increase in PayPal phishing URLs in Q3, 2018.

Netflix phishing cheats have risen substantially in Q3, 2018. Vade Secure records there has been a 61.9% increase in the number of Netflix phishing URLs. The goal of these campaigns is to gain access to clients’ credit card particulars, through dangers of account closures that need confirmation using credit card details, for instance. The rise in Netflix phishing attacks saw the brand rise to third place in Q3.

Bank of America and Wells Fargo cheats make up for the top five, which had 57.4% and 21.5% phishing URL rises respectively. While down in 7th place overall, Chase bank phishing cheats are notable because of the huge increase in phishing attacks targeting the bank. Q3 saw a 352.2% rise in Chase bank phishing URLs, with a similar increase – 359.4% – in phishing attacks deceiving Comcast. The maximum growth in phishing URLs was for CIBC. Vade Security informs there was a 622.4% rise in spotted phishing URLs, which lifted the Canadian Imperial Bank of Commerce up 14 spots in the ranking to 25th place.

The report also demonstrates that phishers prefer Tuesdays and Thursdays for attacks targeting company users, while Netflix phishing cheats most usually take place on a Sunday. Vade Secure’s research also disclosed phishers are now using each phishing URL for a briefer period of time to evade having their electronic mails obstructed by electronic mail safety solutions.

As a consequence, more electronic mails are delivered to inboxes, emphasizing the significance of increasing safety awareness of the staff.

KnowBe4 Starts ‘Domain Doppelgänger’ Bogus Domain Identification Tool

A new tool has been announced by the safety consciousness training and phishing simulation platform supplier KnowBe4 that can assist firms to identify ‘evil twin domains’ – lookalike deceived domains that are usually used by cybercriminals for phishing and spreading malware.

An evil twin domain is very similar to a real website that is used by a firm. It might contain an additional letter such as faceboook.com, have lost letters such as welsfargo.com, contain altered letters such as faecbook.com to catch out uncaring typists, or use substitute TLDs such as a.co.uk or .ca in place of a .com.

Evil twin domains are exceptionally common.  A study carried out by Farsight Security between Oct. 17, 2017 and Jan. 10, 2018 found 116,000 domains that deceived well-known products. The study disclosed that for each real domain there were 20 duplicate domains and 90% of those domains tried to deceive visitors into thinking they were the actual domain used by the firm that was being deceived.

These duplicate domains can be used to get login identifications to the sites they imitate. Mail servers are set up using the domains for transmitting spam and phishing electronic mails to clients and workers, or for a range of other evil purposes. Checking for these bogus domains is therefore in the interest of all firms, from SMBs to big enterprises.

The tool – named Domain Doppelgänger – lets businesses to easily check for domains that might be deceiving their brand, letting them take action to take down the domains and warn clients and workers of the danger.

The free web-based tool will search for duplicate domains and will send back a detailed PDF report describing the number of private domains found, whether the domains have an active mail server, whether there is an active web server and the risk level linked with those domains.

“In place of using several methods to search for at-risk domains, IT experts can use KnowBe4’sDomain Doppelgänger tool as a one-stop shop to find, aggregate, examine and evaluate these domains,” said Stu Sjouwerman, CEO, KnowBe4. “By learning the duplicate domains that might impact your product, you can better safeguard your company from cybercrime.”

2018 Has Seen a Noticeable Surge in Email Impersonation Attacks

The September Email Danger Report circulated by cybersecurity firm FireEye has cast light on the latest methods being used by cybercriminals to dupe end-users into disclosing confidential information such as login identifications to online bank accounts and electronic mail facilities.

Phishing attacks continue to control the dangerous landscape and cybercriminals have been improving their methods to achieve a higher success rate. Standard phishing electronic mails, sent in massive batches to random receivers, require no earlier research on a person or business and can be effective if they reach an inbox. Nevertheless, spam sieving solutions are now much better at identifying these ‘spray and pray’ electronic mail attacks and end users can identify these electronic mails as malevolent with comparative ease if they do reach an inbox. A lot of phishers are now spending more time examining targets and are carrying out much more sophisticated attacks to enhance their success rate.

Among the most usual pieces of advice given to workers in safety awareness training sessions is never to click on a link or open an electronic mail attachment that has been received from a strange sender. If an electronic mail is received from a known individual, it is much more likely to be reliable. It is also much tougher for spam sieving solutions to identify these electronic mails as malevolent.

These imitation attacks involve the attacker imitating to be a known contact, such as the CEO or a coworker. In order to pull off a cheat such as this, the firm should be examined to identify a person within the firm and to find out their electronic mail address. That person’s electronic mail address is then spoofed to make it appear like the electronic mail has been sent from that person’s electronic mail account.

Better still, if an electronic mail account of a worker can be compromised, it can be used to send phishing electronic mails to coworkers from within the business. These Business Email Compromise (BEC) attacks are even tougher to recognize as malevolent, and if the CEO or CFO’s electronic mail account can be compromised, workers are much more likely to reply and open a malevolent attachment or click an embedded hyperlink.

Instead of having to create a message for one target, if access to an electronic mail account is gained, it becomes much easier to deceive large numbers of people with general phishing electronic mails. “By including a phishing link in the impersonation electronic mail, cybercriminals understood they could send out a vaguer electronic mail to a larger amount of people while still seeing a similar open rate,” wrote FireEye in the report.

This method works well if the electronic mail account has been compromised, however, it is also effective if the display name is deceived to demonstrate a person’s actual name instead of just the electronic mail address. Similarly, if the display name is modified to show a real electronic mail address used by the firm, many workers will trust the messages have come from that person and will not carry out additional checks to decide whether the electronic mail is genuine. An alternative method is to register a domain name that is extremely similar to the one used by a firm – with two letters transposed for example – which can be sufficient to fool numerous workers.

These kinds of impersonation attacks are known as friendly name deceiving and are often effective. FireEye notes that there has been a major increase in these kinds of phishing attacks in the first half of the year. Further, a lot of these electronic mails are being delivered – 32% as per the FireEye report.

The study demonstrates not only how important it is to apply an advanced spam sieving solution to block these electronic mails, but also how important it is for workers to receive safety consciousness training to assist them to recognize attacks such as these and to condition workers to carry out additional checks on the actual sender of an electronic mail before taking any action.

Cofense Looks Closely at Healthcare Phishing Attacks

Cofense, the prominent supplier of human-based phishing threat management solutions, has issued new research that demonstrates the healthcare industry lags behind other industrial sectors for phishing protections and is consistently attacked by cybercriminals who often succeed in gaining access to secret patient health data.

The Division of Health and Human Services’ Office for Civil Rights issued a synopsis of data breaches informed by healthcare companies that have involved over 500 records. Each week, many electronic mail breaches are registered on the portal.

The Cofense report examines deeper into these attacks and demonstrates that a third of all data breaches happen at healthcare companies.

There are several instances of how simple phishing attacks have led to attackers gaining access to secret data, some of which have led to the theft of enormous volumes of data. The phishing attack on Augusta University healthcare system, informed in August 2018, led to the health data of 417,000 patients being breached.

Cofense did a cross-industry comparison of 20 verticals including healthcare, the financial facilities, technology, manufacturing, and the energy sectors to decide how vulnerability and resiliency to phishing attacks differ by industrial sectors. The report compared electronic mail reporting against phishing vulnerability and demonstrated that healthcare has a resiliency rate of only 1.34, compared to 1.79 rate for all industries, 2.52 for the financial facilities, and 4.01 for the energy sector.

One of the main causes for the low healthcare score has been past underinvestment in cybersecurity, although the industry is greatly controlled and healthcare companies are required by law to provide safety consciousness training to workers and should implement a variety of controls to safeguard patient data.

The high cost of data breaches – $408 per record for healthcare companies compared to a cross-industry average of $148 per record – has implied that healthcare companies have had to invest more in cybersecurity. Although still worse than other industries, the enhanced investment has seen improvements made even though there is still plenty of room for improvement.

Source: Cofense

By studying replies to simulated phishing electronic mails transmitted through the Cofense PhishMe phishing simulation platform, the Leesburg, VA-based firm was able to recognize the phishing electronic mails that are most usually clicked by healthcare workers. The top clicked messages were bill requests, manager assessments, package delivery electronic mails, Halloween eCard alerts, and beneficiary changes, each of which had a click rate of over 18%. Having access to this data assists healthcare companies to address the biggest dangers. The report also details how, through training and phishing simulations, vulnerability to phishing attacks can be radically decreased.

The report contains a case study that demonstrates how by using the Cofense platform, one healthcare company was able to halt a phishing attack within just 19 minutes. It is not unusual for breaches to take more than 100 days to identify.

Pegasus Spyware Campaigns Gather Speed: Infections Identified in 45 Countries

Pegasus spyware is a genuine surveillance device that has been accredited to the Israeli cyber-intelligence company NSO Group. The spyware functions on both Android smartphones and iPhones to permit safety services to interrupt text messages, trail telephone calls, trail a telephone’s location and get passwords and data from apps connected to an infected appliance.

Since at least 2016, NSO Group has been offering Pegasus spyware to nation-state actors, as per the Citizen Lab, which has carried out an in-depth analysis into the use of the spyware.

The analysis into Pegasus spyware has been going on for two years, during which time the scientists have seen a major increase in the number of operators using the malware. In 2016, there were only 200 known servers linked with Pegasus spyware; nevertheless, by 2018 the number had risen to over 600 servers. There are currently 36 operators known to be using Pegasus Spyware. Infections have been identified in 45 countries and there are 10 operators with infections in another country.

Upsettingly, The Citizen Lab’s research shows that there are six operators in states that have a track record of using spyware on inhabitants targeting civil rights, namely the United Arab Emirates, Kazakhstan, Morocco, Saudi Arabia, Mexico, and Bahrain. The Citizen Lab declares that the spyware has been used by Gulf Cooperation Council states to trail dissidents, especially a UAE activist in 2016 and an Amnesty International staffer in Saudi Arabia this year. In a latest blog post, The Citizen Lab wrote: “Our conclusions paint a grim picture of the human-rights dangers of NSO’s worldwide propagation.”

The complete list of states where Pegasus spyware has been noticed is: Algeria, Bahrain, Uzbekistan, the United States, the United Kingdom, Uganda, the UAE, Turkey, Tunisia, Thailand, Togo, Switzerland, Tajikistan, Singapore, South Africa, Rwanda, Saudi Arabia, Poland, Qatar, Pakistan, Palestine, the Netherlands, Oman, Mexico, Morocco, Lebanon, Libya, Kyrgyzstan, Latvia, Kenya, Kuwait, Jordan, Kazakhstan, Iraq, Israel, Greece, India, Egypt, France, Canada, Cote d’Ivoire, Bangladesh, Brazil, Yemen and Zambia.

Although the spyware has been noticed in those states, NSO Group has criticized The Citizen Lab’s research claiming that it hasn’t supplied the spyware to several of the states in the list, and that it only provides its product in a limited number of states that have been permitted under its Business Ethics Framework. The Citizen Lab stands by its research and maintains that grave suspicions have been raised concerning “the usefulness of [NSO Group’s] internal mechanism if it exists at all.”

New Brazilian Banking Trojan Hides in Plain Sight

An advanced new Brazilian banking Trojan has been found by safety scientists at IBM X-Force. The Trojan has been titled CamuBot because of its use of concealment to fool workers into running the installer for the malware. Like with other banking Trojans, its aim is to get bank account identifications, even though its method of doing so is different from most of the banking Trojans presently used by threat actors in Brazil.

Most banking Trojans are silent. They are silently connected out of sight, oftentimes through PowerShell scripts or Word macros in malevolent electronic mail attachments. In contrast, CamuBot is very visible.

The cheat begins with the attackers doing some reconnaissance to identify companies that use a particular bank. Workers are then identified who are likely to have access to the firm’s bank account particulars. Those people are got in touch with by telephone and the attacker pretends to be a worker at their bank carrying out a regular safety check.

The workers are directed to visit a specific URL and a scan is carried out to decide whether they have the latest security module installed on their computer. The fake scan returns a result that they have out-of-date safety software and they are told to download a new safety module to make sure all online banking dealings remain safe.

When the safety module is downloaded and executed, a standard installer is shown. The installer contains the bank’s logos and accurate imaging to make it seem genuine. The user is directed to shut down all running programs on their computer and run the installer, which directs them through the installation procedure. During that procedure, the installer generates two files in the %Program Data% folder, determines a proxy module, and adds itself to firewall regulations and antivirus software as a confidential application.

The SSH-based SOCKS proxy is then loaded and establishes port forwarding to generate a tunnel linking the appliance to the attacker’s server. As per IBM X-Force, “The tunnel permits attackers to direct their own traffic via the infected machine and use the victim’s IP address when accessing the compromised bank account.”

The installer then leaves and a popup screen is opened which guides the user to what seems to be the bank’s online portal where they are required to enter their banking identifications. Nevertheless, the site they are directed to is a phishing website that transmits the account details to the attacker.

As soon as the banking identifications have been obtained and their account can be accessed, the attacker verifies that the installation has been successful and ends the call. The victims will be unaware that they have given complete control of their bank account to the attacker.

Some users will have additional verification controls in place, such as an appliance linked to their computer that is required in order for account access to be allowed. In such instances, the attacker will advise the end user that an additional software installation is needed. The malware used in the attack can fetch and connect a driver for that appliance. The attacker tells the end user to run an additional program. When that procedure is finished, the attacker is able to intercept one-time codes sent to that appliance from the bank as part of the verification procedure.

A transaction is then tried, which is tunneled through the user’s IP address to make the transaction seem genuine to the bank. IBM X-Force notes that this attack method also permits the attackers to evade the biometric verification procedure.

FTC Issues Warning Concerning New Netflix Phishing Scam

The U.S. Federal Trade Commission has circulated a warning about a new international Netflix phishing cheat that tries to deceive Netflix subscribers into revealing their account identifications and payment information. The cheat uses a tried and tested method to get that information: The warning of account closure because of payment information being out of date.

Users are transmitted a message requesting them to update their payment details since Netflix has experienced difficulties getting the monthly subscription payment. The user is provided with an “Update Account Now” button which they can click to insert their accurate banking/card information. Nevertheless, clicking the link will not guide the user to the official Netflix site, instead, they will be taken to a web page on a site operated by the scammer. On that site, Netflix login identifications will be harvested together with the banking information entered by subscribers.

The latest campaign was recognized by the Ohio Police Division, which shared a copy of the phishing electronic mail on Twitter. The FTC also issued a warning about the new Netflix phishing cheat in the latest blog post.

Image Source: Ohio Police via FTC

As you can see from the picture, the message appears official as it has the Netflix logo and color scheme. The message also strongly looks like official electronic mail communications often sent by Netflix. Nevertheless, there are tell-tale indications that the electronic mail is not what it appears. Netflix is naturally conscious who their subscribers are and addresses electronic mails to users by their first name. In this electronic mail, the message starts with “Hi Dear.”

Less visible is the hyperlink, however it is something that is fairly easy to check by hovering the mouse arrow over the button. That will show the actual URL, which is not the official Netflix website. One more indication is the phone number on the electronic mail is a U.S. number, which for any person based in another country would be extremely doubtful.

If the link is clicked, the page the user is directed to appears official and is nearly indistinguishable from the actual site, even though if a user checks the URL it will verify they are not on the actual Netflix site for their country.

All of these warning indications must be identified by users, but several people fail to cautiously check messages before clicking. To avoid phishing cheats such as this, make certain you carefully check all electronic mail messages before replying and if ever you receive an electronic mail containing any warning, visit the authorized URL for the firm directly by entering in the website directly into the browser instead of clicking a link in an electronic mail.

Over 50 Accounts Compromised in San Diego School District Data Breach

A major data breach has been informed by the San Diego School District that has possibly led to the theft of the personal information of over half a million present and former staff and students. The data disclosed as a consequence of the breach date back to the 2008/2009 school year.

The breach was noticed after reports from district staff of a flood of phishing electronic mails. The electronic mails were highly credible and deceived users into visiting a web page where they were required to enter their login identifications. Doing so passed the identifications to the attacker.

The attacker succeeded in compromising over 50 accounts, which permitted access login to the school district’s network which comprised the district database having staff and student information.

A wide variety of confidential information was saved in the database including names, birth dates, deduction information, salary information, savings and flexible spending account details, dependent identity information, tax information, payroll information, legal notices, enrollment information, emergency contact details, Social Security numbers, health data, attendance records, the names of banks, routing numbers, and account numbers for direct deposits.

The break was noticed in October 2018 but was determined to date back January 2018. When a data breach is noticed, the first step that is commonly taken is to shut down access to all undermined accounts. Doing so would obviously forewarn the attacker that the breach has been noticed.

In this situation, the San Diego Unified Police was notified about the breach and the decision was taken to probe the breach before ending access. By taking this measure, the police division was able to identify a person who is supposed to be behind the attack.

All compromised identifications have now been reset and illegal access is no more possible. Additional safety controls have now been applied to avoid similar attacks in the future.

Notices have now been issued to all affected people. Those notices were delayed to allow the police to probe the breach without tipping off the attacker.

Backdoor and Ransomware Detections Rose Over 43% in 2018

The lately published Kaspersky Security Bulletin 2018 demonstrates there has been a 43% rise in ransomware detections and a 44% rise in backdoor detections in the first 10 months of 2018, emphasizing the increasing danger from malware.

Kaspersky Lab is now coping with 346,000 new malevolent files every day and has so far found more than 21.64 million malevolent objects in 2018.

Backdoor detections rose from 2.27 million to 3.26 million in 2018 and ransomware detections are up from 2.2 million detections to 3.13 million. Backdoors comprise 3.7% of malevolent files examined by Kaspersky Lab and ransomware comprises 3.5%.

The biggest cyberthreat in 2018 was banking Trojans, which comprised over half of all malevolent file detections. The main danger was the Zbot Trojan, which was used in 26.3% of attacks, after that the Nymaim Trojan (19.8%), and the SpyEye backdoor (14.7%). 7 of the top ten most widespread malware groups were banking Trojans. The remaining three were backdoors.

Financial wrongdoing, such as the theft of banking identifications and credit card numbers, makes up the majority of attacks, even though APT groups tend to focus on company data theft.

There were fewer new ransomware groups developed in 2018 than 2017, but even though there has been a reduction in ransomware development, the danger of attack is still substantial. The worst month of the year for ransomware attacks was September when 132,047 occurrences were seen. Over the preceding ten months, 11 new ransomware groups have been found and there have been 39,842 changes made to current ransomware variations. As per Kaspersky Lab, in the previous year, 220,000 company users and 27,000 SMB users have been infected with ransomware and had files encrypted.

WannaCry variations were the most generally used, comprising 29.3% of infections, followed by common ransomware (11.4%), and GandCrab ransomware (6.67%).

Banking Trojans and malevolent software invented to attack ATMs and POS systems will carry on to be the main dangers in 2019, as per the report.

Actively Exploited Internet Explorer Vulnerability Patched by Microsoft

Microsoft has issued an out of band update for Internet Explorer to rectify a vulnerability that is being actively exploited. The Internet Explorer vulnerability was found by Clement Lecigne at Google’s Threat Analysis Group, who informed Microsoft of the vulnerability.

The remote code execution vulnerability, tracked as CVE-2018-8653, is in the Internet Explorer scripting engine, which manages memory objects. If the vulnerability is abused, an attacker might corrupt the memory in a way that lets the implementation of arbitrary code with the same level of rights as the existing user.

If the attack happens while a user is logged in that has administrative privileges, an attacker would be able to take complete control of the user’s appliance and connect programs, modify or erase data, or create new accounts with complete admin privileges.

For the vulnerability to be exploited, a user would need to visit a specifically created web page having the exploit code. This might be achieved through malvertising – malevolent advertisements that redirect users to the malevolent webpages – or by sending electronic mails having a hyperlink to the malevolent web page.

Updates have been issued for:

  • Internet Explorer 11 on Windows 10
  • Windows 8.1
  • Windows 7 SP1
  • Internet Explorer 10 on Windows Server 2012
  • Internet Explorer 9 on Windows Server 2008

Obviously, the updates must be applied as soon as possible, even though temporary measures can be taken until the update is applied to defend against attack. Microsoft proposes rights to the jscript.dll file for the Everyone group must be removed. This will not have any unfavorable effects for users of Internet Explorer 9, 10, or 11, which use the jscript9.dll file by default.

To modify rights on 32-bit systems, enter the following command at an admin command prompt:

cacls %windir%\system32\jscript.dll /E /P everyone:N

On 64-bit systems, enter the following command:

cacls %windir%\syswow64\jscript.dll /E /P everyone:N

No details have been issued to date on present attacks that are abusing this vulnerability. Google has yet to provide that information to Microsoft.

90% of Malware Delivered Through Spam Email

Cybercriminals use a range of methods to gain access to business networks to install malware, even though by far the most usual method of dispersing malware is spam electronic mail. As per the latest study by F-Secure, in 2018, 90% of malware was distributed through spam electronic mail.
The most usual kinds of malware distributed via spam electronic mail are bots, downloaders, and backdoors, which jointly comprise 52% of all infections. Banking Trojans comprise 42% and Emotet, Trickbot, and Panda banking Trojans are most usual. Although 2018 has seen several ransomware attacks on companies, ransomware comprises just 6% of spam-delivered malware. F-Secure notices that all through 2018, email-based ransomware attacks have decreased.
Analysis of spam electronic mails has indicated that among the most effective and most used appeals is a failed delivery notice, particularly during the holiday period. At this time of the year, users are likely to be anticipating package deliveries.
During the holiday period, a lot of users let their guard down and reply to messages that they would identify as doubtful at other times of the year. This was shown by F-Secure through replicated Black Friday and Cyber Monday themed phishing attacks. The campaign observed a 39% surge in people replying to the phishing messages than at other times of the year.
F-Secure’s study showed 69% of spam electronic mails try to get users to visit a malevolent URL. The hyperlinks in the messages lead users to phishing websites where they are requested to enter confidential information such as credit card numbers, Office 365 logins, or other identifications. Hyperlinks also guide users to sites hosting exploit kits that probe computers for vulnerabilities and quietly download malware or trick users into downloading apparently benign files that have malevolent scripts. 31% of spam messages have malevolent attachments – often macros and other scripts that download malevolent software.
In years gone, spam electronic mails were comparatively easy to identify; nevertheless, lots of the spam and phishing electronic mails now being sent are much more sophisticated. Cybercriminals are using well-tried social engineering ways to receivers to disclose confidential information or install malware. Many spam electronic mails are almost the same as those sent by real companies, complete with proper branding and logos.
With more users opening malevolent electronic mail attachments and clicking hyperlinks in electronic mails at this time of year, companies confront a higher danger of malware infections, electronic mail account breaches, and theft of confidential information.
Obviously, an advanced spam filtering solution should be applied to avoid malevolent messages from being delivered to inboxes. Web sieving technology can be applied to avoid workers from visiting malevolent websites. Though, as good as technological solutions are at obstructing spam, phishing, and malware downloads, it’s important not to disregard the last line of protection: Workers.
Safety consciousness training must be provided to all workers to teach them cybersecurity best ways and how to identify malevolent electronic mails. Through continuous training, the vulnerability of workers to phishing attacks can be substantially decreased. As per Cofense, training and phishing simulation exercises can decrease worker vulnerability to phishing attacks by over 90%.

TA505 APT Group Dispersing tRat Malware in New Spam Campaigns

The abounding APT group TA505 is carrying out spam electronic mail campaigns dispersing a new, modular malware variation called tRAT. tRAT malware is a distant accessTrojan capable of downloading extra modules. Besides adding infected users to a botnet, the danger actors have the option of vending access to various elements of the malware to other danger groups for use in different attacks.

Threat scientists at Proofpoint interrupted two separate electronic mail campaigns dispersing tRAT malware this fall, one of which was a typical spam electronic mail campaign using social engineering methods to get electronic mail receivers to open an attached Word document and allow macros. Allowing macros caused the download of the tRAT payload.

One electronic mail variation deceived AV brand Norton. The attachment contained Norton by Symantec branding and text claiming the document had been safeguarded by the AV solution. One more electronic mail variation fooled TripAdvisor and claimedthat in order to see the embedded video content, users needed to enablecontent.

The second campaign, identified on October 11, was attributed to the TA505 threat group. This campaign was more stylish, used a blend of Word Documents and Microsoft Publisher files, and targeted commercial banking organizations. Many different electronic mail templates were used, and the electronic mails came from many electronic mail accounts. Subjects included bogus bills and reports of call notifications. TA505, in the same way, used macros to download the tRAT payload.

tRAT attains perseverance by copying the binary to C:\Users\<user>\AppData\Roaming\Adobe\FlashPlayer\Services\FrameHost\fhost.exe and generating an LNK file to run the binary on startup.

At this phase, Proofpoint is still studying tRAT and the complete functionality of the malware is not yet known. Neither are the intentions of the attackers nor the additional modules that may be downloaded. Proofpoint has proposed that tRAT is presently being trialed by the TA505 APT group based on the scale of the campaign. TA505 is best recognized for carrying out large-scale campaigns –such as mass Locky ransomware attacks in 2016 and 2017 and large-scale spam campaigns distributing the Dridex banking Trojan.TheTA505 danger group has been known to carry out tests of new malware variations, some of which are adopted while others are discarded. Whether TA505 will continue with tRAT remains to be seen, even though this new malware definitely does havethe capacity to become the main danger.

49% of All Phishing Sites Have SSL Credentials and Show Green Padlock

Nearly half of the phishing sites now have SSL credentials, begin with HTTPS, and show the green lock to display the sites are safe, as per new research by PhishLabs.

The number of phishing websites that have SSL credentials has been rising gradually since Q3, 2016 when about 5% of phishing websites were showing the green lock to show a safe connection. The proportion increased to roughly 25% of all phishing sites by this time last year, and by the end of Q1, 2018, 35% of phishing websites had SSL credentials. At the end of Q3, 2018, the proportion had risen to 49%.

It is no shock that so many phishers have chosen to change to HTTPS, as free SSL credentials are easy to get. Most companies have now made the change to HTTPS and it has been drummed into clients to always look for the green lock next to the URL to make certain the connection is safe before any confidential information is disclosed. Some search engines also show the web page is ‘secure’ as well as showing the green lock.

The green lock shows a lot of web users that not only is the site safe, but also that it is safe and genuine, which is certainly not the case. A safe connection doesn’t mean the site is reliable.

A survey carried out by PhishLabs in late 2017 disclosed the level of the confusion. About 80% of surveyed people thought the green lock showed a site was legitimate/safe. Just 18% of respondents to the survey presently identified that the green lock only meant the connection between the browser and the site was safe.

The truth is that the green lock is no assurance that a site is genuine or safe. It only implies that the user’s data is encrypted between their browser and the site so it can’t be interrupted and read by a third party. If the website has been created by a scammer, any information entered through the site can be read by the scammer.

The survey, together with the surge in HTTPS phishing sites, indicate how significant it is for businesses to teach their workers about the correct meaning of the green lock to avoid them falling for phishing cheats.

In addition to beginning with HTTPS and showing the green lock, phishing sites often use stolen branding. They can look same as the genuine site they are deceiving. The only pointer that the site is not genuine is the URL. However, even the URL can seem identical to the actual site. A lot of phishing sites take benefit of internationalized domain names to make the URLs seem genuine.

Brian Krebs identified one phishing site that deceived the cryptocurrency exchange box and used a nearly identical URL. The only difference being the use of the Vietnamese letter “ỉ” in place of the standard i. The characters are nearly indistinguishable, particularly on a small mobile screen.

Mobile screens also don’t show the complete URL, therefore it is easy to create a subdomain to impersonate the genuine domain, as only this part of the URL is likely to be shown on a mobile screen.

2018 Safety Awareness Training Figures

A new study carried out by Mimecast has produced some interesting security mindfulness training figures for 2018. The survey shows a lot of companies are taking substantial risks by not providing sufficient training to their workers on cybersecurity.

Question the IT department what is the greatest cybersecurity danger and several will say end users. IT teams put a considerable amount of effort into applying and maintaining cybersecurity fortifications, only for employees to take actions that introduce malware or lead to an electronic mail breach. It is understandable that they are annoyed with employees. Most cyberattacks start with end users. By compromising one appliance, an attacker gains a footing in the system which can be utilized as a Launchpad for more attacks on the business.

However, it doesn’t need to be like that. Businesses can create a strong last line of protection by providing safety awareness training to employees to help them identify threats and to prepare them how to respond and report difficulties to their IT group. The difficulty is that a lot of businesses are failing to do that. Even when cybersecurity teaching is provided, it is often insufficient or not obligatory. That means it is just partly effective.

Mimecast’s security awareness training figures show that just 45% of firms provide workers with recommended safety awareness teaching that is obligatory for all employees. 10% of firms have training programs available, however, they are only voluntary.

Explore deeper into these safety awareness training statistics and they are not quite as they appear. Certainly, 45% of firms provide obligatory cybersecurity training but, in many cases, it falls short of what is needed.

For example, only 6% of firms provide monthly training and 4% do so three-monthly. For that reason, just 10% of the 45% are providing training regularly and are adhering to acceptable industry standards for safety. 9% of the 45% only provide safety awareness training when an employee joins the company.

The training processes used proposed safety awareness training, for a lot of businesses, is more of a checkbox item. 33% provide printed lists of cybersecurity guidelines or electronic mail instructions even though several employees will simply neglectthose messages and handouts.

30% issue prompts concerning possibly risky links, in spite of that little is done stop employees actually clicking those links. Businesses are in its place relying on their employees to know what to do and to take care, even though formal cybersecurity training is often lacking and they lack suitable skills. Only 28% are using interactive training videos that involve users.

These safety awareness training figures show that firms clearly need to do more. As Mimecast proposes, effective safety awareness training means making training obligatory. Training must also be a continuous process and simply handing out advices is not sufficient.

You must involve workers and make the training more enjoyable and ideally, amusing.  “The easiest way to lose your audience is by making the training dull, unconnected,and worst of all, unmemorable.”

New Office 365 Phishing Attack Detected

The latest Office 365 phishing attack has been identified that uses warnings concerning message delivery failures to attract unsuspecting users to a website where they are requested to provide their Office 365 account particulars.

The new cheat was found by safety scientist Xavier Mertens during an examination of electronic mail honeypot data. The electronic mails closely resemble formal messages transmitted by Microsoft to warn Office 365 users to message distribution failures.

The phishing electronic mails contain Office 365 branding and warn the user that action should be taken to make sure the delivery of messages. The text notifies the user that Microsoft has found a number of undelivered messages which have not been delivered because of server jamming.

The user is informed the failed messages should be resent by manually re-entering the receivers’ electronic mail addresses or by clicking the handy “Send Again” button in the message body. Users are supposed to click the button instead of manually re-entering a number of electronic mail addresses.

If the user clicks the Send Again button, the browser will be started and the user will be presented with a webpage that appears precisely like the official Office 365 web page, complete with a login prompt where they are requested to type their password. The login box already has the user’s electronic mail address so only a password is needed.

If the password is typed, it will be seized by the attacker together with the paired electronic mail address, and the user will be redirected to the official Office 365 website and might not be conscious that electronic mail identifications have been seized.

Official non-delivery alerts from Microsoft seem very similar, but don’t have a link that users can click to resend the electronic mails. Nevertheless, as the messages have the correct branding and use a similar format, it is likely that a lot of receivers will click the link and reveal their identifications.

Contrary to several phishing campaigns, the messages are well written and don’t include any spelling errors, just a missing capital letter in the warning.  The trap is believable, but there is one clear indication that this is a cheat. The domain to which the user is directed is obviously not one used by Microsoft. That said, a lot of people don’t always check the domain they are on if the website appears official.

This Office 365 phishing attack emphasizes just how important it is to cautiously check the domain before any confidential information is disclosed and to halt and think before taking any action advised in an unsolicited electronic mail, even if the electronic mail appears official.

Sophisticated Phishing Attack Inserts Malware into Existing Email Conversation Threads

A new sophisticated phishing method has been identified that includes a malevolent actor gaining access to an electronic mail account, observing a conversation thread, and then putting in malware in response to a continuing discussion.

The cheat is a variation of a Business Email Compromise (BEC) attack. BEC attacks usually involve using a compromised electronic mail account to transmit messages to accounts or payroll workers to get them to make fake bank transfers to accounts managed by the attacker.

In this instance, the aim is to fit a banking Trojan named Ursnif. Ursnif is among the most commonly used banking Trojans and is a variation of Gozi malware. Ursnif not only steals information via web injection but also downloads and fits the Tor client and links to the Tor network for communication with its C2 servers. Once installed, the malware hunts for and steals electronic mail identifications, cookies and credentials.

The attacks have so far been focused in Europe and North America, chiefly on companies in the power sector, fiscal services, and education, even though the attacks are far from confined to those regions and verticals.

In order to carry out this campaign, the attacker has to first gain access to an electronic mail account, which might be accomplished through a normal phishing cheat or buying breached identifications through darknet marketplaces.

Contrary to most phishing scams which include an out-of-the-blue message, this attack method is expected to have a much higher success ratio because the messages are part of a continuing conversation. As the messages come from inside a company and are transmitted from a real account and involve no deceiving of electronic mail addresses, they can be difficult to identify.

Identifying a fake reply to a continuing conversation needs watchfulness on the part of workers. There are likely to be differences in the electronic mails, such as a modification in the language used in the electronic mails, strange replies that are more general than would be expected and out of keeping with the chat, changes to electronic mail signatures or, in the case of one campaign in Canada, an abrupt change from French to English.

The scam was disclosed by scientists at Trend Micro who noted a similarity with a campaign identified by the Cisco Talos team that spread Gozi malware and involved computers that had earlier been hijacked and were part of the Dark Cloud botnet. Trend Micro proposes that the latest campaigns might be a growth of the group’s attack method.

The campaign utilizes Word attachments having malevolent PowerShell code which downloads the latest type of Ursnif. Trend Micro considers the messages are dispatched from the US and notes that the malware will only run on Windows Vista and above and will not infect users in China or Russia.

The campaign demonstrates how advanced phishing attacks are becoming, and that the usual cybersecurity best practice of never opening attachments or clicking links in electronic mails from strange senders is not adequate to avoid malware from being installed.

Phishers Using Azure Blog Storage to Host Phishing Forms with Legal Microsoft SSL License

Cybercriminals are utilizing Microsoft Azure Blog storage to host phishing forms. The site hosting the malevolent files has an authentic Microsoft SSL license which adds genuineness to the campaign. Similar methods have been used in the past for Dropbox phishing cheats and attacks that mimic other cloud storage platforms.

A usual phishing situation involves an electronic mail being transmitted with a button or hyperlink that the user is requested to tick to access a cloud-hosted file. When the link is clicked they are led to a website where they are needed to enter login identifications – Such as Office 365 identifications – to retrieve the file.

At this stage, the scam often falls down. Oftentimes the webpage that is visited seems strange, doesn’t begin with HTTPS, or the site has an illegal SSL certificate. Although visiting such a domain a large red flag will be raised. Nevertheless, if the user visits a usual looking domain and the SSL credential is legal and has been allotted to a trustworthy brand, the possibility of the user continuing and entering login identifications is far higher.

That is precisely the case with Azure blog storage. Although the domain might seem unknown, it’s a legal Windows domain finishing with .blob.core.windows.net and is safe with an SSL credential. An additional check will disclose that the certificate is legal and has been issued by Microsoft IT TLS CA 5. A genuine-looking Office 365 login form will emerge and identifications will need to be entered to get access to the document – electronic mail and password. This is likely to appear entirely reasonable since the user is retrieving a Microsoft document hosted on a Microsoft site.

Nevertheless, entering in identifications into the login box will see that information transmitted to a server managed by the attackers. The user will be informed that the document is being opened, even though they will be guided to a different Microsoft site. Although this is a red flag, by this time it is too late as the user’s identifications have already been thieved.

In this instance, it was Office 365 identifications that the attackers were trying to get, although the scam might similarly be conducted to get Azure identifications or other Microsoft logins.

Avoiding email-based phishing attacks is easiest with anti-phishing controls to safeguard the electronic mail gateway and avoid messages from reaching inboxes. An advanced spam filtering solution will make sure that the bulk of electronic mails are obstructed. Office 365 users must strongly consider extending Microsoft Office 365 with a third-party spam filter for better safety.

No anti-phishing solution will avoid all phishing electronic mails from reaching inboxes, so it is crucial for workers to be taught safety best practices and to get specific anti-phishing training. Besides providing training on the most common phishing cheats, it is important for end users to be educated on phishing cheats that misuse cloud facilities and object store URLs to make sure cheats like this can be identified as such.