Search This Blog

Showing posts with label Office 365. Show all posts

IRS Warned of an Ongoing IRS-Impersonation Scam


The Internal Revenue Service (IRS) has cautioned of ongoing phishing assaults impersonating the IRS and targeting educational establishments. The assaults focus around colleges staff and understudies with .edu email addresses and use tax refund payments as snare to lure clueless victims. The IRS said the phishing emails “appear to target university and college students from both public and private, profit and non-profit institutions.” 

It added that the suspect emails show the IRS logo and utilize different headlines, for example, "Tax Refund Payment" or "Recalculation of your tax refund payment." Clicking on a link takes victims to a phony site that requests individuals to submit a form to claim their refund. 

Abnormal Security researchers who detected these assaults in the wild, recently said that they circumvent Office 365 security and landed in the mailboxes of between 5,000 and 50,000 targets. "This impersonation is especially convincing as the attacker's landing page is identical to the IRS website including the popup alert that states' THIS US GOVERNMENT SYSTEM IS FOR AUTHORIZED USE ONLY', a statement that also appears on the legitimate IRS website," Abnormal Security revealed. 

 The phishing site requests taxpayers to provide their: 

• Social Security number
• First Name 
• Last Name 
• Date of Birth 
• Prior Year Annual Gross Income (AGI)
• Driver's License Number
• Current Address 
• City
• State/U.S. Territory 
• ZIP Code/Postal Code
• Electronic Filing PIN

Hank Schless, Senior Manager, Security Solutions at Lookout, says, "At this time of year, attackers will pose as members of the IRS to socially engineer employees into sharing sensitive tax-related information such as social security numbers or bank account information." 

Schless adds, “Security teams should be protecting employees across all endpoints to ensure they don’t fall victim to a phishing attack or download a malicious attachment that compromises the organization’s entire security posture. These scams are most effective on mobile devices, and attackers know that and are creating phishing campaigns like this to take advantage of the mobile interface that makes it hard to spot a malicious message. People access their work email on a smartphone or tablet just as much as they do on a computer. Any text, email, WhatsApp message, or communication that creates a time-sensitive situation should be a red flag. Employees should approach these messages with extreme caution or go straight to their IT and security teams to validate it.”

SolarWinds CEO: “SolarWinds Orion Development Program was Exploited by the Hackers”


Sudhakar Ramakrishna, CEO of SolarWinds confirmed that ‘suspicious activity’ was spotted in its Office 365 environment which permitted threat actors to secure access and exploit the SolarWinds Orion development program. Threat actors secured access into the SolarWinds’s environment via flawed credentials and a third-party application that a zero-day susceptibility.

Threat actors secured access to the SolarWinds email account to programmatically access accounts of targeted SolarWinds employees in business and technical roles. 
Threat actors used the compromised credential of SolarWinds personnel as a doorway for securing access and exploit the development environment for the SolarWinds Orion network monitoring platform. Initially, Microsoft alerted SolarWinds regarding a breach into its Office 365 environment on December 13 – the same day news of the data breach went public.

Ramakrishna wrote in a blog post that “we’ve confirmed that a SolarWinds email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles. By compromising credentials of SolarWinds employees, the threat actors were able to gain access to and exploit our Orion development environment.”

“While it’s widely understood any one company could not protect itself against a sustained and unprecedented nation-state attack of this kind, we see an opportunity to lead an industry-wide effort that makes SolarWinds a model for secure software environments, development processes, and products”, he further added.

Investigators of SolarWinds have not spotted a specific flaw in Office 365 that would have permitted the threat actors to enter the firm’s environment via Office 365. Ramakrishna believes that the Russian foreign intelligence service has played a significant role in the SolarWinds’s hack. SolarWinds is analyzing the data from various systems and logs, including from its Office 365 and Azure tenants.

Brandon Wales, acting director of the Cybersecurity and infrastructure Security agency told The Wall Street that SolarWinds has no direct link to the 30 percent of the private sectors and government victims of the massive hacking campaign but investigators failed to identify another company whose products were widely compromised. SolarWinds’s investigation will be continued for at least one month due to the flawless campaign by the threat actors to remove evidence of their actions.