Friday Phish Fry

Phishing Email Alerts

Catch of the Day:  Password Phishing Site

Chef’s Special:  Email Vishing

Examples of clever phish that made it past my spam filters and into my Inbox, or from clients, or reliable sources on the Internet.

I would be delighted to accept suspicious phishing examples from you.  Please forward your email to phish@wyzguys.com.

My intention is to provide a warning, examples of current phishing scams, related articles, and education about how these scams and exploits work, and how to detect them in your own inbox.  If the pictures are too small or extend off the page, double-clicking on them will open them up in a photo viewer app.


Behold, a password phishing site that can trick even savvy users

Just when you thought you’d seen every phishing trick out there, BitB comes along.

When we teach people how to avoid falling victim to phishing sites, we usually advise closely inspecting the address bar to make sure it does contain HTTPS and that it doesn’t contain suspicious domains such as google.evildomain.com or substitute letters such as g00gle.com. But what if someone found a way to phish passwords using a malicious site that didn’t contain these telltale signs?

One researcher has devised a technique to do just that. He calls it a BitB, short for “browser in the browser.” It uses a fake browser window inside a real browser window to spoof an OAuth page. Hundreds of thousands of sites use the OAuth protocol to let visitors login using their existing accounts with companies like Google, Facebook, or Apple. Instead of having to create an account on the new site, visitors can use an account that they already have—and the magic of OAuth does the rest.  More…

A fellow security researcher was impressed enough by the demonstration to create a YouTube video that more vividly shows what the technique looks like. It also explains how the technique works and how easy it is to carry out.


Email-Based Vishing Attacks Skyrocket 554% as Phishing, Social Media, and Malware Attacks Are All on the Rise

A new analysis of attacks in 2021 shows massive increases across the board, painting a very concerning picture for 2022 cyberattacks of all types.

Mid-year reports of cyberthreats are informative but do not age well, and still require that organizations take a look at longer data trends to understand where to place their focus, efforts, and budget.

New data from security vendor PhishLabs in their Quarterly Threat Trends & Intelligence Report, covering all of 2021 provides a better sense of what last year’s state of cyberattacks looked like, and unveils that the increases in efforts by cybercriminals that we saw throughout 2021 looks like they’re here to stay for the time-being.

According to the report:

  • Phishing attacks grew 28%
  • Social Media-based threats grew by 103%
  • Attacks with malware nearly tripled
  • Vishing attacks (like the Amazon attack I’ve covered previously) that begin with a phishing email jumped 554%
  • 52% of phishing attacks focused on credential theft
  • 38% of phishing attacks are response-based (e.g., job scams, tech support, BEC)
  • Only 10% focused on malware delivery

The overarching theme here is email is the delivery mechanism of choice – because it works. So, it’s imperative that organizations put layered security measures in place to specifically stop email-based attacks – keeping in mind that with only 10% of attacks focused on malware delivery (and a portion of those using malicious links instead of attachments), some percentage of malicious phishing emails will make their way to your user’s Inbox.

This means that user must also participate in your organization’s security strategy, interacting with emails with a sense of vigilance and skepticism should an email seem unexpected, suspicious, out of the norm, etc.

This can be taught with security awareness training, where users see themselves as a part of your organization’s layered security, helping to stop attacks before they do damage.

Blog post with links:
https://blog.knowbe4.com/email-based-vishing-attacks-skyrocket-554-percent


A New Way of Social Engineering Through Your Website Contact Forms

Email is the familiar form of phishing, but there’s an ongoing criminal campaign that follows a different, arguably subtler avenue of approach: the corporate contact form. Abnormal Security has found that the BazarBackdoor is being distributed through this social engineering technique that succeeds in bypassing email filters.

Instead of sending phishing emails to the targets, the threat actors first use corporate contact forms to initiate communication. BleepingComputer describes how the process works:

“For example, in one of the cases seen by Abnormal’s analysts, the threat actors posed as employees at a Canadian construction company who submitted a request for a product supply quote.

“After the employee responds to the phishing email, the attackers send back a malicious ISO file supposedly relevant to the negotiation.

“Since sending these files directly is impossible or would trigger security alerts, the threat actors use file-sharing services like TransferNow and WeTransfer as automated email screening improves (and the improvements have been significant) criminals will adapt and move to new vectors.”

Abnormal Security, who’s been tracking this trend, describes the advantages the criminals see in this approach. “There are two primary purposes for choosing this method for initial communication.

  • “It disguises the communication as a request that could be reasonably expected to be received through an online request form.
  • “It circumvents potential email defenses since the request would be delivered through a legitimate sender and does not contain any malicious content.”

The backdoor being deployed by the threat actor is typically used to deploy BazarLoader malware against the victims, and that suggests who’s responsible. “Based on our analysis,” Abnormal Security writes, “we determined that these attacks were attempting to deploy BazarLoader malware. BazarLoader is most closely associated with the cybercrime group known as Wizard Spider, credited with developing the Trickbot banking trojan and Conti ransomware.”

As automated email filtering gets better at screening for phishing attempts, criminals respond by looking for attack techniques that evade those tools. Abuse of corporate contact forms is one such technique. Train your users!

Blog post with links
https://blog.knowbe4.com/social-engineering-through-contact-form


 

0

About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com

Add a Comment


This site uses Akismet to reduce spam. Learn how your comment data is processed.