Search This Blog

Showing posts with label Phishing emails. Show all posts

Pay Attention: These Unsubscribe Emails Only Lead to Further Spam

 

Scammers send out fake 'unsubscribe' spam emails to validate legitimate email addresses for future phishing and spam campaigns. 

Spammers have been sending emails that merely inquire if the user wants to unsubscribe or subscribe for a long time. These emails don't specify what the user is unsubscribing or subscribing to, and spammers are using them to see if the recipient's email address is real and vulnerable to phishing scams and other nefarious activity. 

If they get the needed confirmation, they’ll bombard it with various spam emails. The campaign is simple in design - the victim will get a basic email with this call to action in it asking whether the consumer wants to unsubscribe or subscribe: 

“Please confirm your Subscribe (sic) or Unsubscribe. Confirm Subscribe me! Unsubscribe me! Thank you!” 

If the user clicks on the embedded subscribe/unsubscribe links, the mail client will generate a new email that will be forwarded to a large number of different email addresses controlled by the spammer. 

After sending the mail, users expect to be unsubscribed from future communications but they are, however, confirming for the spammers that their email address is real and under surveillance. 

BleepingComputer created a new email account for testing purposes, which they never used on any website or service. When they responded to multiple confirmation emails received on another email account using the new email address. After sending unsubscribe/subscribe responses from the new account, their new account was bombarded with spam emails within a few days. 

This test also revealed that spammers are utilizing these subscribe/unsubscribe emails to fine-tune their mailing lists and confirm email addresses that are vulnerable to phishing and frauds. 

It was also stated that these attacks aren't restricted to spam emails; nothing stops scammers from using phishing or social engineering against the target email, which is sometimes more hazardous and difficult to detect and stop. 

Consumers should never click any links they receive in an email unless they are fully certain of the sender's validity and the link's integrity, according to security experts. No credible company will ever send an email with only the alternatives to "Subscribe or Unsubscribe" and without any information.

Cyber Attackers Hijacked Google and Microsoft Services for Malicious Phishing Emails

 

Over recent months, the cybersecurity industry has seen a huge increase in malicious attackers exploiting the networks of Microsoft and Google to host and deliver threats through Office 365 and Azure. 

The actors who are at risk are quickly moving towards cloud-based business services during the pandemic by concealing themselves behind omnipresent, trustworthy services from Microsoft and Google to make their email phishing scams appear legitimate; and it works. 

In particular, during the first three months of the year 2021, researchers discovered that 7 million malicious e-mails were sent from Microsoft's 365, and also that 45 million were transported from Google's network. The Proofpoint team said that cyber-criminals had been able to send phishing e-mails and host attacks with Office 365, Azure, OneDrive, SharePoint, G-Suite, and Firebase. 

“The malicious message volume from these trusted cloud services exceeded that of any botnet in 2020, and the trusted reputation of these domains, including outlook.com and sharepoint.com, increases the difficulty of detection for defenders,” the report, issued on Wednesday, explained. “This authenticity perception is essential, as email recently regained its status as the top vector for ransomware; and threat actors increasingly leverage the supply chain and partner ecosystem to compromise accounts, steal credentials and siphon funds.” 

Proofpoint estimated that 95% of cloud account organizations had been attacked, and more than half of them succeeded. Additionally, more than 30% of those organizations were compromised. 

Once attackers have access to passwords, they can easily enter or exit several services and send out more, persuasive phishing emails. 

Proofpoint offered many examples of projects behind Microsoft and Google that tried to scam users to give up or deliver their details. 

Attackers exploited Gmail to host another operation throughout March, that provided them with the message of the fake benefits together with a Microsoft Excel attachment, that delivered The Trick Bank Trojan to steal credentials whenever macros were activated. 

Another Gmail-hosted February attack seeks to persuade users to use their passwords for accessing zip-on MS Word documents. Upon opening, Xorist ransomware has been delivered. 

The use of Gmail and Microsoft by attackers to give their emails a patina of credibility is part of a broader trend: threats are developing increasingly persuasive appeals. 

“Our research demonstrates that attackers are using both Microsoft and Google infrastructure to disseminate malicious messages and target people, as they leverage popular cloud-collaboration tools,” the Proofpoint report added. “When coupled with heightened ransomware, supply chain, and cloud account compromise, advanced people-centric email protection must remain a top priority for security leaders.”

Ransomware Attacks Growing at a Fast Rate

 

Ransomware has become a burning concern to every office in the world which wasn't even existing 30 years before. Probably there was never a danger of this kind. The fact that the ransomware gets stronger day by day, is the most profound concern. 

Current revelations show how diabolical the threat of ransomware is. In 2020, attacks rose by 715%, as opponents rejected the Covid-19 epidemic disruption to trap victims down with their guard. In addition to being more offensive, threat actors were much more reluctant to threaten the following: A patient was killed by a ransomware attack in the equipment gear that kept him alive in a German hospital and a California university was paying over $1 million to get back the IT online. In contrast to the unnamed impact on the country's economy, the Colonial Pipeline attack showed various weaknesses in US energy infrastructure. 

The whole strategy seems to work since the ransomware payments increased by 100% in 2020. There are no signs of ransomware attacks being curbed, as an Apple supplier also became a victim of a $50 million ransom demand. If ransomware was known to be alarming, it now took on a genuinely frightening character. And none of the organizations can find themselves as immune against it. 

This does not imply, that everyone has the same chance of a successful intrusion with ransomware. Indeed, that is what makes businesses most vulnerable – one that sees ransomware as unavoidable and unstoppable, one believes that the situation is bleak, instead of upgrading their security plan to keep up with developments in ransomware. 

At least throughout their early phases, the surge of attacks in 2020 seemed to be more like the attacks in the past years. Attackers would then use a phishing attempt to access an IT network and exploit certain known/unknown vulnerabilities. 

Following this initial violation, the automatic propagation methods were introduced gradually. Currently, however, a single goal is no longer enough. Ultimately, a change to operative human ransomware will occur that does not take small networks into account. 

Today's ransomware attacks travel across organizations by seeking information with high privileges. It aims at hitting the largest number of machines – i.e. maximizing damage. The safety department needs to prioritize the prevention of these lateral movements - and not just to spot them. Any ransomware attack might otherwise be cut so thoroughly that it is difficult to reverse. 

Instead of being dependent on malware to push the attack, ransomware managed by humankind is equipped with an operator to guide it towards the most effective goal possible through resistance mechanisms and protection. These attacks are more persistent, much more powerful, and more damaging. 

Spear phishing attacks are now the preferred method for the distribution of ransomware. Opponents choose a target and then tailor the email to sound as credible as possible. This dramatically contrasts with daily phishing, which means that large-scale e-mails are sent to vast lists of native contacts. Disputed users instead click on a connection or download an accessory that causes the infection of malware. 

Spear phishing operations are also becoming advanced: cybercriminals are sending spear-phishing email addresses that look just like licensed senders with domain spoofing techniques. 

In the face of this challenge, AV and EDR are destined to fail a cybersecurity plan. It may already be too late whenever these defenses kick in. This is the best advice: evolve or die. The only protection that succeeds is prevention. This means that one must follow a proactive cyber safety approach that focuses on zero trusts, reduces the attack surface, and, of course, moves goal protection.

Remote Access Trojans Target Aerospace and Travel Industries

 

Earlier this week, Microsoft Security Intelligence tweeted that somehow a remote access Trojan (RAT) campaign was being tracked by them which was aimed at the aerospace and travel sectors by emailing spear-phishes that spreads an actively created loader and then deliver RevengeRAT or AysncRAT. 

In the context of the exchange of tweets, it was pointed out that attackers use the RATs for theft of data, follow-up operation, and additional payloads, such as Agent Tesla. The loader is being developed and named Morphisec's Snip3. 

These campaigns are not surprising particularly when everyone leaves the lockdown and the people travel again making the travel and tourism industry rich, stated Netenrich's chief information security officer Chris Morales. 

“The level of targeting is also a reason why it’s so hard to detect attacks,” Morales added. “They change and are tailored. SecOps has to align to with threats targeting their organizations specifically and not look for generic threats.” 

New Net Technologies, vice president for security studies, Dirk Schrader, stated that he intends to see sectoral spear-phishing campaigns as everyone emerges from the pandemic. “Using familiar language and terminology can help in the effectiveness of a targeted campaign,” Schrader said. “It’s not shocking that attackers are targeting the transport sector as the sector is about to come back to life. Therefore, a well-crafted campaign addressing this situation is even better.” 

Roger Grimes, KnowBe4 Data-Driven Defense evangelist, adds that when attackers enter one industry company, they could read their emails and use this freshly infiltrated spot known as "cyber haven" to target their partners. 

The mails come from individuals who use the email topic threads in which they are involved and email addresses the new victims' trust. There would be a much higher risk of the new victims falling into fraud when the request to click on the connection or to open a document arrives suddenly. This is the reason why the staff has to understand that phishing emails will come through people they know and trust and also that depending on an email address is not sufficient whether or not the employees recognize it.

Grimes said security awareness training should educate users on the following features to beware of e-mails, which invites users to do something completely foreign. Also, emails that arrive unexpectedly and the behavior can be detrimental to their own best interest or their organization. 

“If any two of those traits are present, the recipient should slow down, stop, think and verify the request another way, like calling the person on a predefined phone number,” Grimes added.

IRS Warned of an Ongoing IRS-Impersonation Scam

 

The Internal Revenue Service (IRS) has cautioned of ongoing phishing assaults impersonating the IRS and targeting educational establishments. The assaults focus around colleges staff and understudies with .edu email addresses and use tax refund payments as snare to lure clueless victims. The IRS said the phishing emails “appear to target university and college students from both public and private, profit and non-profit institutions.” 

It added that the suspect emails show the IRS logo and utilize different headlines, for example, "Tax Refund Payment" or "Recalculation of your tax refund payment." Clicking on a link takes victims to a phony site that requests individuals to submit a form to claim their refund. 

Abnormal Security researchers who detected these assaults in the wild, recently said that they circumvent Office 365 security and landed in the mailboxes of between 5,000 and 50,000 targets. "This impersonation is especially convincing as the attacker's landing page is identical to the IRS website including the popup alert that states' THIS US GOVERNMENT SYSTEM IS FOR AUTHORIZED USE ONLY', a statement that also appears on the legitimate IRS website," Abnormal Security revealed. 

 The phishing site requests taxpayers to provide their: 

• Social Security number
• First Name 
• Last Name 
• Date of Birth 
• Prior Year Annual Gross Income (AGI)
• Driver's License Number
• Current Address 
• City
• State/U.S. Territory 
• ZIP Code/Postal Code
• Electronic Filing PIN

Hank Schless, Senior Manager, Security Solutions at Lookout, says, "At this time of year, attackers will pose as members of the IRS to socially engineer employees into sharing sensitive tax-related information such as social security numbers or bank account information." 

Schless adds, “Security teams should be protecting employees across all endpoints to ensure they don’t fall victim to a phishing attack or download a malicious attachment that compromises the organization’s entire security posture. These scams are most effective on mobile devices, and attackers know that and are creating phishing campaigns like this to take advantage of the mobile interface that makes it hard to spot a malicious message. People access their work email on a smartphone or tablet just as much as they do on a computer. Any text, email, WhatsApp message, or communication that creates a time-sensitive situation should be a red flag. Employees should approach these messages with extreme caution or go straight to their IT and security teams to validate it.”

“LinkedIn Private Shared Document” Shared Via Phishing Email by Hackers

 

LinkedIn seems to have become a popular destination for phishing attacks and users have been attacked with phishing emails in the recent scam on the site. With the public becoming more familiar with the standard tactics used to attack them, cybercriminals had to adopt new tactics in order to prevent identification. 

JB Bowers, a security investigator, found that hackers use LinkedIn to target users to give up their login credentials. The scheme attempts to get dubious users to open a "LinkedIn Private Shared Document," after which their login credentials are requested to access the falsified LinkedIn page. The message prompts the receiver to follow a reference from a third party to access a document.

Any user who obtains an unwanted message through the internal messaging system of LinkedIn via an unidentified contact must be extremely careful. In particular, this is true if users are requested to enter their login details. Users who mistakenly input their login credentials could often receive phishing messages which their LinkedIn contacts can also see. 

As to why hackers attack LinkedIn users, it may be because regular LinkedIn users have strong revenue than normal and are perceived as higher-value targets. Or since LinkedIn links to another Microsoft service, such as Office 365, it could contribute to more identity leakage if a LinkedIn account is hacked. As the name suggests, Phishing attempts to lure users to send confidential details. This could take the form of emails offering a free smartphone or something more formal, as in the aforementioned case. Further targets of phishing attacks are- colleges and businesses. Hackers are now getting more advanced and will send you a bogus email that appears to have originated from your employers since LinkedIn tells them who you are dealing with. Phishing pages are hosted in sites where there are also legitimate business purposes, such as Firebase and Pantheon.io, making access by companies unlikely. 

“The sites use major ASNs including Fastly, Google, and Microsoft, making basic network traffic analysis for the end-user also not so useful,” Bowers stated.

Employees must be advised to identify this form of intrusion leading to a broader breach of enterprise processes and networks. A further alternative is to block the usage of social media/networks on working devices, but it might not be good for workers. The victims will be made aware of the deception and have to let their LinkedIn friends also know about it. In some instances, some of them will find themselves fooled and have to go through the same method. 

“If you see any more LinkedIn messages like this […] you’ll want to let that person know out of band that their account has been compromised and that they should update their LinkedIn password, as well as report the abuse to LinkedIn,” Bowers advised.

Financial Conduct Authority of UK Hit by 2,40,000 Spam Mails, Some Contain Malware

 

Financial Regulator of UK was spammed by almost a quarter of a million (240,000) malicious emails in the Q4 of the year 2020. The FOI data gives important highlights about the tremendous pressure that big organizations are facing to protect their assets. Griffin Law, a litigation firm, has filed an FOI with an influential London-based agency, the FCA (Financial Conduct Authority). As per Gov.UK, "The Financial Conduct Authority (FCA) regulates the financial services industry in the UK. Its role includes protecting consumers, keeping the industry stable, and promoting healthy competition between financial service providers." 

The firm says that FCA was spammed with around 240,000 malicious emails (also unsolicited) during the course of the last three months of 2020, an average of 80,000 emails per month. November observed the highest mails-84,723, whereas October had 81,799 and December 72,288. Most of the mails were listed as "spams" whereas more than 2400 mails had malware containing trojans, bugs, worms, and spyware, says the report. Fortunately, the FCA had blocked all the malicious emails that it received, however, the main threat isn't from these mails but from targeted spear-phishing campaigns. Tim Saddler, CEO, Tessian, emphasizes that phishing emails have become a persistent threat today because it is easy to target humans than to hack machines. 

Tim said, "cyber-criminals, undoubtedly, want to get hold of the huge amounts of valuable and sensitive information that FCA staff have access to, and they have nothing but time on their hands to figure out how to get it." He further says, "it just takes a bit of research, one convincing message or one cleverly worded email, and a distracted employee to successfully trick or manipulate someone into sharing company data or handing over account credentials." 

This is not the first time when the Regulator has sidelined its cybersecurity issue. In February last year, Regulator had to apologize on public forums when it accidentally posted personal information (including name and address) of the few users who had lodged complaints against the agency. The irony is, the data leak happened as a Regular's solution to an FOI request.

Remote Images Used by Hackers to Evade Email Filters

 

Phishing emails impersonating well-known brands like Microsoft or PayPal need visual content to be successful. From brand logos to colorful pictures, images give a visual cue to the recipient that the email is innocuous and authentic. However, pictures add a visual component of authenticity to in any case fake emails: they likewise make the work of filtering emails a lot harder. Image spam has consistently been a very mainstream strategy for evading an email's textual content analysis, as there is no important content that can be separated from the text email parts. 

On the off chance that the detection of identical images is moderately simple—thanks to signatures based on cryptographic hashing algorithms, for example, MD5—the detection of similar pictures requires complex and costly algorithms. Without a doubt, to evade detection, phishers manipulate the pictures marginally, changing the compression level, colorimetry, or geometry to bypass email filters. They will probably make each picture unique to evade signature-based technologies.

Remote pictures have emerged as the most recent filter bypassing method by hackers hoping to exploit shortcomings in email security technology. In contrast to embedded images, which can be analysed progressively by email filters, remote pictures are facilitated on the web and accordingly should be fetched prior to being analysed. In 2020, the utilization of remote image-based dangers surged. In November 2020 alone, Vade Secure broke down 26.2 million remote pictures and hindered 262 million emails highlighting noxious remote pictures. 

Analyzing a remote picture requires getting it over a network. Exploiting this shortcoming, cybercriminals utilize extra strategies to make the process more cumbersome for security scanners, such as:

 • Multiple redirections

 • Cloaking techniques

 • Abuse of high-reputation domains 

The way towards blocking picture-based threats requires Computer Vision, a scientific field that manages how PCs can acquire a high-level understanding of visual content. Vade Secure implemented the first Computer Vision technology dependent on Deep Learning models (VGG-16, ResNet) in mid-2020 to distinguish brand logos in emails and sites. The Deep Learning models have been trained on a combination of gathered pictures and artificially created pictures. 

The outcome is that large numbers of these emails go undetected. For clients, this regularly implies accepting a phishing email and reporting it, just to get it once more, and sometimes, on numerous occasions.

Singapore Witnessed a Sudden Surge in the Bank-Related Phishing Scam

 

Phishing emails are scams where the actors try to befool the user by sending emails that may concern the user. Generally, these emails are received in the name of a bank or some trusted company, that asks for your personal information. The entire process appears to be legitimate but it's designed to trick the user into extracting their personals information. 

We all buy or sell things online through various platforms and organizations that have our personal information stored in their database that is nevertheless safe until and unless the actors impersonate these organizations and befool users into submitting their OTP’s, passwords, etc. The user is safe from such phishing emails as long as they do not respond in the required condition to the mail. 

The city-state of Singapore has turned out to be a victim of extortion with phishing emails that have even agonized the government officials. On the 5th of January, the Singapore government officials stated that there have been bank-related phishing scams where the actors have been imitating to be Singapore Government officials and asking natives for their personal information.  Generally, the victims in such scams receive a call or email or even a message from some government agencies like the Ministry of Manpower, asserting some issues within the victim’s bank account. 

Furthermore, they ask to verify some personal details that should have stayed confidential – such as their NRIC numbers, password of bank account, log-in credentials, and much more. Following the aforesaid state of affairs, the actors then try to make illegitimate transactions of money from the victim’s account. 

The first six months of the year 2020 have reported some 900 cases of bank-related phishing scams and a more than 25-fold from the just 34 such cases for the same period in the year 2019, stated the Singapore Police. The amount of loss has been calculated to $ 3.6 million for the year 2020. 

The Singapore Police in charge of the case has requested the natives to ignore such calls and deny stipulating any information regarding the bank account or the log -in credentials and any private details. They clarified that no government agency in any situation would ask for any private information or bank account details over a phone call or via emails. Scammers or actors may mask their actual phone numbers and try to display a different profile using ID spoofing technology as further added by the police. 

After recording a significant surge in these cases Singapore government officials have asked for cooperation and support from the city natives, requesting them not to share their personal or internet banking details and OTP’s with anyone.

Massive BEC Phishing Ring Uncovered, 3 Nigerian Nationals Arrested

 

In the city of Lagos, three Nigerian nationals suspected of participation in an organized cybercrime group behind malware distribution, phishing attacks, and a massive business email compromise (BEC) ring responsible for scams globally, have been arrested under “Operation Falcon” carried out jointly by international police organization with Nigeria Police Force and Singapore-based cybersecurity firm Group-IB, according to the reports by Interpol. 
 
In a Business Email Compromise (BEC) attack, the threat actor hacks and spoofs email to impersonate an organization’s CEO, vendors, or senior executives to trick employees and customers by gaining their trust; which later is exploited as the attackers encourage actions relating to funds transfer to criminal’s account or transferring confidential data, in some cases. 
 
The cybercriminals behind the operations performed a number of their phishing campaigns in disguise; masked as product inquiries, Coronavirus aid, or purchasing orders. Stealing authentication data from emails, web browsers, and FTP clients from organizations based in the UK, the US, Japan, Nigeria, and Singapore, has been identified as the primary objective of these phishing attacks, as per Group IB. 
 
As the ongoing investigation continues to uncover other suspects and monetization means employed by the ring, around 50,000 targeted victims have been discovered, so far. Allegedly, the participants of the rings developed phishing links and domains before performing mass BEC campaigns wherein they sophisticatedly targeted corporations of all sizes. Reportedly, 26 different malware variants were being deployed by the criminals including remote access Trojans (RATs) and spyware. 
 
"They then used these campaigns to disseminate 26 malware programmes, spyware, and remote access tools, including AgentTesla, Loki, Azorult, Spartan, and the nanocore and Remcos Remote Access Trojans,’ the INTERPOL said. 
 
"This group was running a well-established criminal business model," Interpol's Cybercrime Director Craig Jones noted. "From infiltration to cashing in, they used a multitude of tools and techniques to generate maximum profits." 
 
“These programs were used to infiltrate and monitor the systems of victim organizations and individuals, before launching scams and siphoning funds,” as per an announcement by INTERPOL. “According to Group-IB, the prolific gang is believed to have compromised government and private-sector companies in more than 150 countries since 2017.”

Common Phishing Email Malware Attachments That You Need To Avoid

 




One of the most popular ways of distributing malware is via malicious email attachments poised as invoices, payment recipes, error pages. These emails include attachments to word and excel files, that when opened can install the malware in your system. 

Recognizing these email attachments used by phishing emails could make a big difference towards a safer cyber experience.

Before these files (Word and Excel) could make changes in your system or macros, Office requires you to click on the 'Enable Editing' or 'Enable Content' button which you should never do as it'll enable them to infect your system.

The miscreants trick users by displaying a document template that displays that there is an error in viewing or displaying and ask the user to 'Enable Editing' or 'Enable Content'.

 
Here are some common phishing attachments used by malware attackers that you need to avoid- 

BazarLoader

Malware developed by the TrickBot trojan group, they remotely access your computer to deploy the Ryuk ransomware to the whole network. 

  • BazarLoader usually has phishing attachments containing Word or Excel documents hosted on Google Docs and Google Sheets. 

  • These documents trick the user into downloading the executable file by displaying a template with the message that preview is not available or there were some problems and a link to download the file which then installs the BazaLoader malware.

Dridex 

A trojan said to be linked with WastedLocker used to fish passwords and login credentials. 

  •  It is easy to identify Dridex attachments as they are usually more stylized with company logos and letterheads and contains text that is difficult to read (either very small or obfuscated) and ask you to 'enable editing' to see better. 

  •  They could also be stylized templates copying Delivery or Shipping recipes. 

 Emotet 

The most common email phishing chain that steals your email to send out more spam emails. Emotnet uses warning templates instead of documents like Dridex, asking to enable content to read the document. 

  •  For Example, the 'Red Dawn' template says "This document is protected," and to enable content to read it. 

  •  Another of their template says that the document could not be opened correctly as it was created on 'iOS Device', or that the document on 'Windows 10 Mobile' which has been long discontinued.

  •  Some of the other templates they use are- "Protected View", "Accept Microsoft's license agreement" and "Microsoft Office Transformation Wizard." 

QakBot 

QakBot is a banking trojan partnered with ProLock ransomware, they have very stylized and legit looking templates. 

  •  Their famous template is the 'DocuSign', it looks like a form from DocuSign and asks to 'Enable Content and Editing'. 

 Executable Attachments 

 Files that ends with these - vbs, .js, .exe, .ps1, .jar, .bat, .com, or .scr are almost always malicious and executable files that further download codes and macros in the computer. 

 If you see an email attachments with these file types, never open them and delete them immediately as they are undoubtedly malicious.

Microsoft Office 365 Users Targeted By a New Phishing Campaign Using Fake Zoom Notifications



As people across the world struggle to survive the onslaught of the corona pandemic by switching to the work-from-home criteria, the usage and demand of cloud-based communication platform providing users with audio and videoconferencing services have seen a sudden upsurge.

Zoom is one such platform that has from the beginning of 2020 has seen an extremely high increase of new monthly active users after a huge number of employees have adopted remote working.

However recently Microsoft Office 365 users are being targeted by a brand new phishing campaign that utilizes fake Zoom notifications to caution the users who work in corporate environments that their Zoom accounts have been suspended, with the ultimate goal of stealing Office 365 logins.

Reports are as such that those targeted by this campaign are all the more ready to believe in such emails during this time since the number of remote workers participating in daily online meetings through video conferencing platforms, as Zoom has definitely increased because of stay-at-home orders or lockdowns brought about by the pandemic.

 As of now the phishing campaign mimicking automated Zoom account suspension alerts has received by more than 50,000 mailboxes based on details given by researchers as email security company Abnormal Security who recognized these continuous attacks.

The phishing messages spoof an official Zoom email address and are intended to imitate a real automated Zoom notification.

Utilizing a spoofed email address and an email body practically free from any grammar blunders or typos (other than a self-evident 'zoom' rather than 'Zoom account') makes these phishing messages all the more persuading and conceivably more viable.

The utilization of a lively "Happy Zooming!" toward the end of the email could raise a few cautions however, as it doesn't exactly fit with the rest of the message's tone.




As soon as the users click the "Activate Account" button, they are redirected to a fake Microsoft login page through 'an intermediary hijacked site'.

On the phishing landing page, they are asked to include their Outlook credentials in a form intended to exfiltrate their account subtleties to attacked controlled servers.

On the off chance that they succumb to the attackers' tricks, the victims' Microsoft credentials will be utilized to assume full control for their accounts and all their data will be ready for the picking, later to be utilized as a part of identity theft and fraud schemes like the Business Email Compromise (BEC) attacks.

Despite the fact that the US Federal Bureau of Investigation (FBI) had warned of BEC abusing popular cloud email services, like Microsoft Office 365 and Google G Suite through Private Industry Notifications issued in March and in April.

Even after this, Office 365 users are continuously targeted by phishing campaigns with the ultimate objective of reaping their credentials.

Regardless Microsoft has warned of phishers' ongoing movement to new types of phishing strategies, like consent phishing, other than conventional email phishing and credential theft attacks.

Microsoft Partner Group PM Manager Agnieszka Girling says, "While application use has accelerated and enabled employees to be productive remotely, attackers are looking at leveraging application-based attacks to gain unwarranted access to valuable data in cloud services,"

The company additionally has made a legal move to destroy some portion of the attack infrastructure used to host malignant 365 OAuth apps utilized in consent phishing to seize victims' Office 365 accounts.

Email Phishing Scam: Scammers Impersonate LogMeIn to Mine Users' Account Credentials


A Boston, Massachusetts based company, LogMeIn that provides software as a service and cloud-based remote connectivity services for collaboration, IT management and customer engagement has fallen prey to the scammers targeting companies' work from home schemes set up due to the ongoing pandemic, the campaign impersonates the remote access tool (RAT) LogMeIn and mines the unsuspecting users' account credentials.

As the number of people working from home increased rapidly, scammers saw it as a golden opportunity to carry out impersonations of remote tools such as Zoom and LogMeIn more blatantly than ever; the first incident being spotted in the month of May confirms the attributions made by the researchers in regard to COVID-19.

In this particular attack, the phishing email appears to be coming from LogMeIn, cautioning the user at the receiving end, of a zero-day exploit present in the LogMeIn Central and LogMeIn Pro- two of the company's products. It goes unsaid that in reality there exists no such vulnerability and victims' are made to follow a link that claims to be LogMein URL but takes the user to a phishing page where they would enter the credentials that would be obtained by the scammers behind the attack. Additionally, the threat actors are also exploiting the security issues that already existed in remote access platforms as a part of this phishing campaign.

While giving further insights, Abnormal Security said “Other collaboration platforms have been under scrutiny for their security as many have become dependent on them to continue their work given the current pandemic,”

“Because of this, frequent updates have become common as many platforms are attempting to remedy the situation. A recipient may be more inclined to update because they have a strong desire to secure their communications.”

In order to avoid being scammed by such phishing campaigns, Ken Liao, vice president of Cybersecurity Strategy at Abnormal, alerted users, "Many of the recent attacks have masqueraded as updates--even more specifically--security updates,"

"As always, users should default to updating applications via the application itself and not via links in emails to prevent not only credential loss but the potential introduction of malware onto their machines."

BazarBackdoor: A Malware similar to Trickbot, targets Corporates


According to cybersecurity experts, a new phishing campaign is allowing malware backdoor entry. The malware which is said to be created by hacking group Trickbot will enable hackers to jeopardize and take control of an organization's network. It is a necessary measure to have a back door for hackers to gain entry access and control the company's network in sophisticated network attacks. It is required in the following cyberattacks- corporate espionage, data extraction attacks, specified ransomware attacks.


According to several reports, the attack was first discovered two weeks ago. The malware is called "BazarBackdoor" or simply "backdoor" by the cybersecurity experts. The malware serves as a tool kit for hackers to gain access to an enterprise's network. Trickbot is said to be the creator of this malware because of BazarBackdoor sharing similar coding, cryptos, and designs.

About BazarBackdoor 

The attacks first start in the form of phishing campaigns that try to lure victims through click baits like 'coronavirus relief funds,' 'customer complaints,' 'COVID reports' or merely a list of downsizing reports that are directly linked to google docs. The hackers, unlike other phishing campaigns, are using creative techniques to lure the users to different landing pages like fake customer complaints page or fake COVID fund relief page. The landing pages either pretend to be a PDF, Word, or Excel document, which can't be viewed appropriately. Hence, a link is provided to the users to view the document appropriately. When the users click the link, the documents get downloaded either in word or PDF format with a 'preview' title. Windows don't have a default file extension; therefore, the user thinks that these files are original. Thus, doing this enables the backdoor entry for the malware.

Attack linked to Trickbot 

According to cybersecurity experts, the malware targets explicitly companies and corporate enterprises. It is likely to be developed by the same hacking group responsible for creating another malware named Trickbot. Trickbot and BazarBackdoor share similar cryptos, and both use the same email patterns to launch their attacks. As a precaution, corporate companies are suggested to stay alert and ask their employees not to open any unknown link sent via email.

Google Is All Set To Fight The Coronavirus Themed Phishing Attacks and Scams


These days of lock-down have left cyber-criminals feeling pretty antsy about “working from home”. Not that it has mattered because apparently, that is why the number of cyber-crime cases has only hiked especially the Phishing attacks.

This has gotten Google working on its machine-learning models to bolster the security of Gmail to create a stronger security front against cyber-criminals.

Given the current conditions, the attackers seem to have a morbid sense when it comes to the themes of the Phishing attacks, i.e. COVID-19. Reportedly, 18 Million such attacks were blocked in a single week. Which amount up to 2.5% of the 100 Million phishing attacks it allegedly dodges every day.

Google, per sources, is also occupied with jamming around 240 Million spam messages on a daily basis. These phishing attacks and spams at such a worrisome time have impelled Google and Microsoft to modify their products’ mechanisms for creating a better security structure.

Reportedly, the number of phishing attacks, in general, hasn’t risen but in the already existing number of attacks, the use of COVID-19 or Coronavirus seems to have been used a lot.

Malware and phishing attacks, especially the ones related to COVID-19 are being pre-emptively monitored. Because being resourceful as the cyber-criminals are the existing campaigns are now being employed with little upgradations to fit the current situation.


A few of the annoying phishing emails include, ones pretending to be from the World Health Organization (WHO) to fool victims into making donations for VICTIMS to a falsified account.

Per the intelligence teams of Microsoft, the Coronavirus themed phishing attacks and scams are just the remodeled versions of the previous attacks.

The attackers are extremely adaptive to the things and issues that their victims might easily get attracted to. Hence a wide variety of baits could be noticed from time to time.

During the lock-down period of the pandemic, health-related and humanitarian organizations have been extensively mentioned in the scams and phishing emails.

Per sources, the Advanced Protection Program (APP) lately acquired new malware protections by enabling Google Play Protect On Android devices to some specifically enrolled accounts.

Allegedly, users trying to join the program with default security keys were suspended, while the ones with physical security keys were still allowed to be enrolled.

All the bettered security provisions of Google shall be turned on by default so that the users can continue to live a safe and secure life amidst the pandemic.

Coronavirus Themed Phishing Attacks Continue to Rise


New data by researchers has demonstrated that cybercriminals are preying on people's concerns regarding the COVID-19 pandemic and carrying out sophisticated phishing, malware and email attacks. The sudden upsurge in the related attacks imply that attackers were quick to adapt to the new global health crisis environment and exploit it in their favor.

As per Barracuda Networks, an American IT security company, the number of email attacks associated with the new Coronavirus has seen a steady surge since January, the type of attack has recorded a 667% spike by the end of February. As per the data, January recorded a total of 137 attacks only, while in the month of February the number spiked to a whopping 1,188 and between March 1st to 23rd, there were as many as 9,116 email attacks in the regard.

Another notable kind of attack is the one where victims are receiving malicious emails with the promises of offering financial relief during the COVID-19 pandemic, researchers warned. Users are being tricked into believing that they will be receiving payments from global institutions, businesses and governments working with a common objective of providing economic aid to common people during the ongoing pandemic, as soon as the user clicks on the links or proceed to download files, the attacker gets illicit access to his credentials, card data, and other sensitive information.

One such campaign is found to be specifically attacking U.S. healthcare, IT sector and higher-education organizations, the emails sent in relation to this campaign contain a message titled "General Payroll!"

"The Trump administration is considering sending most American adults a check for $1,000 as part of the efforts to stimulate the economy and help workers whose jobs have been disrupted by business closures because of the pandemic,” it says.

“All staff/faculty & employee include students are expected to verify their email account for new payroll directory and adjustment for the month of March benefit payment.” The message further reads.

Users receiving the email are asked to access a malicious link that will direct them to a phishing page in order to verify their email account, they will be required to enter their usernames, email addresses, and passwords linked with their employee benefits. By doing so, the user will provide his personal data to the page controlled by the attackers.

“The ongoing shift to coronavirus-themed messages and campaigns is truly social engineering at scale, and these recent payment-related lures underscore that threat actors are paying attention to new developments,” researchers told.

Why Hackers are Taking Advantage of COVID-19?


Cybersecurity threats have seen a massive upsurge since the outbreak of the COVID-19 pandemic that forced a majority of people to work from home which now is leading to attacks on remote workforces. Amid the anxiety it created, hackers have devised multiple ways to take advantage of the coronavirus and continued to exploit the fear amongst people in a number of ways, one being the distribution malware in the facade of Covid-19 or Corona related emails.

The threat posed by the Coronavirus has been seen to be scaling beyond human health, job losses and the collapsing global economy as it also set the stage for hackers to scam people for monetary and other gains. The urgency revolving around the novel biological virus robbed tech vendors and corporate systems of their ability to effectively tackle the risks. Scammers are well aware of the overwhelmed state of cybersecurity groups that led to a dramatic rise in phishing attempts and cyberattacks. Notably, hackers are exploiting the Covid-19 charged environment in various ways such as malicious infiltration of organizations, voice phishing, WhatsApp phishing, email phishing, social media, fake apps, and websites. As per the warnings given by WHO, criminals are also acting as WHO officials in order to scam people for financial gains or sensitive data.

Problems Arising with Security Operation Centers (SOC)? 

Security Operation Center is a centralized function set up across a company's IT infrastructure. The objective of the security operation team here is to detect and then respond to cybersecurity risks in order to safeguard important assets such as business systems, employee data, and intellectual property. Upon detecting a confirm threat, the SOC immediately isolates endpoints in an attempt to terminate harmful actions such as execution or deletion. It does do while ensuring no disruption is faced by the business continuity or lessening the impact to the best of its ability.

However, as the process of strengthening an organization's security requires sophisticated infrastructure (SIEM system), coordinated efforts and continuous monitoring by people and technology-with limited staff and people made to work from home, it has become difficult to prevent, detect, analyze and respond to cybersecurity incidents.

The SOC relies upon cybersecurity tools whose operations require complete understanding and expertise making the overall workflow complex, therefore the prevention and security can not take place whilst being at home.

Adverse Impact on IT Sector

IT sector is the lifeline of almost every global economy, it plays a vital role in the functioning of nearly every other major sector including human resources, manufacturing, finance, security, and health care. It's a well-known fact how heavily IT organizations rely on manpower to function, however, due to the lockdowns, quarantine periods and stringent curbs in the movement of people, many businesses are being shut down as the global supply chains of manufacturing are being heavily disrupted. IT professionals are not able to deliver on the projects, as a result of which production dropped by a significant margin and is expected to drop even further.

The coronavirus situation worsens with the security vendors not being paid timely and as a result of halted work, gates are being left unmanned providing potential hackers with an opening. Companies are advised to stay prepared for security breaches and individuals should consider sticking to strong passwords and keeping their systems updated as the number of scams is expected to rise amid the tremendous uncertainty of the crisis.

Insider data breaches : a big concern say 97% of IT leaders


According to a survey by Egress, a shocking 97% of IT leaders said insider breach is a big concern. 78% think employees have put the company's data in jeopardy accidentally while 75% think they (employees) put data at risk intentionally. And asking about the consequences and implication of these risk, 45% said financial damage would be the greatest.


Egress surveyed more than 500 IT leaders and 5000 employees from UK, US and Benelux regions. The survey showed serious incompetence of IT sector in handling data and their own security as well as employee confusion about data ownership and responsibility.

On the question of how they manage insider data breach and security measures they use, half of IT leaders said they use antivirus software to detect phishing attacks, 48% use email encryption and 47% use secure collaboration tools. And 58% , that is more than half relied on employee reporting than any breach detecting system.

Egress CEO, Tony Pepper says that the report shows the ignorance of IT leaders towards insider breaches and the lack of risk management on their part.
 “While they acknowledge the sustained risk of insider data breaches, bizarrely IT leaders have not adopted new strategies or technologies to mitigate the risk. Effectively, they are adopting a risk posture in which at least one-third of employees putting data at risk is deemed acceptable. “The severe penalties for data breaches mean IT leaders must action better risk management strategies, using advanced tools to prevent insider data breaches. They also need better visibility of risk vectors; relying on employees to report incidents is not an acceptable data protection strategy.”

Misdirected and phishing emails are top cause of insider data breaches- 

Misdirected and phishing emails are top cause of accidental insider data breaches as 41% of employees who leaked data said they did it because of phishing emails and 31% said they sent the information to the wrong individual by email.

 Tony Pepper adds;
“Incidents of people accidentally sharing data with incorrect recipients have existed for as long as they’ve had access to email. As a fundamental communication tool, organizations and security teams have weighed the advantages of efficiency against data security considerations, and frequently compromise on the latter. 
“However, we are in an unprecedented time of technological development, where tools built using contextual machine learning can combat common issues, such as misdirected emails, the wrong attachments being added to communications, auto-complete mistakes, and employees not using encryption tools correctly. Organizations need to tune into these advances to truly be able to make email safe.”

Phishing Scam: Puerto Rico Government Loses More than $2.6 million



Puerto Rico's government fell for an email phishing scam and unintentionally lost over $2.6 million to cyber-criminals behind the scam, as per a senior Puerto Rico official. It is a government-owned agency whose mission is to drive economic development on the island while working with local as well as foreign investors.

These days, scammers launch thousands of phishing scams like these which resulted in it being a top reported crime to the Federal Bureau of Investigation (FBI), in the past year, as per the IC3 annual report released recently. Some top victims of a similar kind of attack from last year include a Texas school district being scammed for $2.3m, a British community housing non-profit being scammed for $1.2m and Nikkei for a whopping $29m.

On Wednesday a complaint was filed to police, in which Rubén Rivera, finance director of the island's Industrial Development Company confirmed that the money has been sent to a fraudulent account by an unsuspecting employee from Puerto Rico's Industrial Development Company. The officials discovered the incident earlier this week and it was immediately reported to the FBI, according to the statements given by the executive director of the agency, Manuel Laboy to the Associated Press.

However, Laboy did not comment on how the officials came to know about the phishing scam and the aftermath of the incident involving employees being dismissed or how this incident affected the overall operations when the funds went missing. He further told that an internal investigation has been instigated to find out if someone disregarded the set standards and were negligent about the laid out procedures, he also added that the officials at the corporation are attempting to recover the lost funds.

The agency received a fraudulent email claiming that the bank account used by them for remittance payments should not be used anymore for that purpose and it also told the agency that they should transfer the money to a new account that belonged to the criminals operating the scam which agency was oblivious to.

Acknowledging the seriousness of the matter and addressing the criticism from the Puerto Ricans Laboy told, “This is a very serious situation, extremely serious, we want it to be investigated until the last consequences,” “I cannot speculate about how these things might happen,” “It’s a big responsibility.”

New Hacking Group Deploying Backdoors and Ransomware in Windows via Word docs


Researchers from Proofpoint have detected a scheme of malware campaigns from a new hacking group called TA2101, that's targeting various organizations from Germany and Italy, creating backdoor malware into their security systems. These attackers also trick people by impersonating the United States Postal Service and tax entities and distributing 'Maze Ransomware' as well as banking Trojans. The research group noted that these attackers use legal and licensed penetration tools like Cobalt Strike and Metasploit after entering the network. These tools are used by organizations to secure their network by analyzing loopholes and vulnerabilities, meanwhile, adversaries like Cobalt Group, APT32, and APT19 exploit this software by installing backdoors.

Deploying Backdoors in Windows via Word Docs 

These malicious actors have been tricking victims into clicking through phishing emails that contain ransomware and even banking trojans- by sending email alerts that require immediate action, like emails from the German Federal Ministry of Finance, United States Postal Service, law enforcement and finance firms. But, what's happening behind the curtains is them deploying ransomware in your windows via a word document, that opens when you open the attachment.

Proofpoint researchers have been observing these impersonators from October 16 until November 12, 2019, their collected data gave a clear sight of the attacker's target, how they operate by sending spams to companies, IT units from Germany, Italy, and United States. “Researchers also Observed a consistent set of TTP (Tactics, Techniques, and Procedures) that allows attribution of these campaigns to a single actor with high confidence. These include the use of .icu domains, as well as identical email addresses for the Start of Authority (SOA) resource records stored for the DNS entries for the domains used in these campaigns”, Proof point said.

Among the samples, the emails contained attached weaponized word documents which when opened, made the system perform a series of commands- that is turning on PowerShell script, which eventually downloads and installs the Maze ransomware. In targets related to Healthcare Vertical and companies, the emails and word documents installed IcedID payload trojan into the system.