Weekend Update

A quick Saturday digest of cybersecurity news articles from other sources.

Morgan Stanley Warns Against Recent “Brushing Scam”

Morgan Stanley has outlined several common scams everyone should be on the lookout for during the holiday season. The first involves phony delivery notifications. These scams are common year-round, but they’re particularly relevant during the holidays.

“A popular scam involves receiving a text or email that asks you to click on a link for a number of phony reasons, such as to get an update about the delivery date, track the package location, give your payment preferences, provide delivery instructions or pay a shipping fee,” Morgan Stanley says.

“You may also be given a phone number to call for more information about your delivery. Since fraudsters want you to act without thinking, they may convey a sense of urgency in their message. While some of these communications are obviously fraudulent—perhaps containing multiple misspellings or other errors—many are carefully crafted, even replicating a shipping company’s logo or email format in some cases.”

Brushing Scams

Morgan Stanley also describes “brushing,” which is a way for scammers or dishonest sellers to boost their products with phony positive reviews.

“You’ll receive a package you didn’t order bought from an online marketplace that allows customers to post reviews of their purchase,” Morgan Stanley says. “The item is typically cheap and lightweight. Since it’s the holiday season, you might think it’s just a gift from a stranger looking to pay it forward.

In reality, it’s likely from someone who sells products on online marketplaces who wants to create fake, positive reviews. But, in order to post a review, the marketplace requires that a transaction be verified with a legitimate tracking number that shows a successful delivery. And that’s where your mystery package comes into play. That purchase creates a tracking number.

So, after the package is delivered, your fake gift giver can write the review.” New-school security awareness training helps your employees to recognize these types of scams.

Blog post with links:  https://blog.knowbe4.com/morgan-stanley-warns-against-brushing-scam

Ingenious New Attack Technique Uses Windows Store to Install Malware

Just when you thought threat actors couldn’t find another way to launch a dropper, a new method has surfaced that takes advantage of native functionality found in Windows 10.

If you’ve been following phishing attacks at all over the last few years, you’re very aware of threat actors using methods like Office app macros to launch a malware dropper or installer, or leveraging a PDF to run a script, etc.

But a new technique has been identified by security researchers at Sophos that invokes the Windows App Installer from within Windows 10 to be the catalyst for infecting a machine with malware.

According to Sophos, the email targeted Sophos employees purporting to be from another Sophos employee, linking to a PDF within the email asking “Why didn’t you inform us about the Customer Complaint on you?” and requesting that the recipient call them back now. Because there is no phone number to call, the logical next step is to click the link and see the complaint.

The link takes victims to a windows[dot]net site with a “Preview PDF” button and, when clicked, the really trick stuff starts. As you can see pointed out in the screenshot, the preview button includes a link that begins with ms-appinstaller: that will trigger the Windows Store application, AppInstaller [dot]exe, to download and run whatever’s on the other end of that link.

Simply brilliant.

The installer is made to look like an Adobe PDF “component” in the hopes that users will see it as being benign (and that, possibly, the downloading of the complaint “PDF” simply triggered an update, etc.). What’s actually installed is the BazarBackdoor malware.

This is a pretty ingenious way to trick users into installing malware on a few fronts. It seems the cybercriminals are stepping up their game – which means you need to as well with security awareness training to educate users to not engage such emails in the first place; anything unexpected should be interpreted as being potentially hostile.

Blog post with links and screenshot:

Cybersecurity: Increase your protection by using the open-source tool YARA

YARA won’t replace antivirus software, but it can help you detect problems much more efficiently and allows more customization. Here’s how to install YARA on Mac, Windows and Linux.

Insider threats: How trustworthy are your employees?

While we often worry about outside threats to our business data, insider threats are a growing problem. Here’s how to secure your business.

The Return of America’s Celebrity Inventor

In a new book, Smithsonian historian Eric S. Hintz traces the rise and fall, and rise again, of the maverick inventor.  Think Elon Musk and Jeff Bezos, among others

CISA Releases Guidance on Protecting Organization-Run Social Media Accounts

Original release date: December 9, 2021

CISA has released Capability Enhancement Guide (CEG): Social Media Account Protection, which details ways to protect the security of organization-run social media accounts. Malicious cyber actors that successfully compromise social media accounts—including accounts used by federal agencies—could spread false or sensitive information to a wide audience. The measures described in the CEG aim to reduce the risk of unauthorized access on platforms such as Twitter, Facebook, and Instagram.

CISA encourages social media account administrators to implement the protection measures described in CEG: Social Media Account Protection:

  • Establish and maintain a social media policy
  • Implement credential management
  • Enforce multi-factor authentication (MFA)
  • Manage account privacy settings
  • Use trusted devices
  • Vet third-party vendors
  • Maintain situational awareness of cybersecurity threats
  • Establish an incident response plan

Note: although CISA created the CEG primarily for federal agencies, the guidance is applicable to all organizations.



About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.