Cybersecurity Blog
Thought leadership. Threat analysis. Cybersecurity news and alerts.
Modern Email Threat: Morse Code Used in Phishing Attacks

Microsoft has revealed that cybercriminals are changing tactics as fast as security and protection technologies do, with the latest tactic being the use of Morse code in phishing attacks. In the blog post "Attackers use Morse code, other encryption methods in evasive phishing campaign," the Microsoft 365 Defender Threat Intelligence Team said that a year-long investigation found a targeted, invoice-themed XLS.HTML phishing campaign in which the attackers changed obfuscation and encryption mechanisms every 37 days on average, showing high motivation and skill in constantly evading detection and keeping the malicious operation running. The phishing campaign’s primary goal, the Team said, is to harvest sensitive data such as usernames, passwords, IP addresses, and location – information that attackers can use as an initial entry point for later infiltration attempts.

In a phishing attack, attackers masquerade as a trusted entity and trick a victim into opening an email with a malicious attachment. In the phishing campaign observed for a year by the Microsoft 365 Defender Threat Intelligence Team, the attackers initially sent targeted victims emails about a bogus, routine financial business transaction, specifically a vendor payment advice. According to the Team, the malicious email contains an HTML file attachment with “xls” file name variations. An attachment with an xls file name ordinarily means it’s an Excel file. Opening this attachment, however, leads to a fake Microsoft Office 365 credentials dialog box, and later to a legitimate Office 365 page. Entering one’s username and password into the fake Microsoft Office 365 credentials dialog box or the legitimate Office 365 page activates the attackers’ phishing kit, which harvests the user’s username, password, and other information about the user.
According to the Microsoft 365 Defender Threat Intelligence Team, the malicious HTML attachment is divided into several segments, including the JavaScript files used to steal passwords, which are then encoded using various mechanisms. “Some of these code segments are not even present in the attachment itself,” the Team said. “Instead, they reside in various open directories and are called by encoded scripts. In effect, the attachment is comparable to a jigsaw puzzle: on their own, the individual segments of the HTML file may appear harmless at the code level and may thus slip past conventional security solutions. Only when these segments are put together and properly decoded does the malicious intent show.”

Morse Code

Named after Samuel Morse, one of the inventors of the telegraph, Morse code is a code for translating letters into dots and dashes. According to the Microsoft 365 Defender Threat Intelligence Team, in place of the plaintext HTML code, the attackers used Morse code – dots and dashes – to hide the attack segments. The use of Morse code in phishing attacks was first reported by u/speckz on Reddit last February. Lawrence Abrams of Bleeping Computer followed up on the initial report by u/speckz. Abrams said Morse code was used by a threat actor to hide malicious URLs in their phishing campaign to bypass secure mail gateways and mail filters. When viewing the HTML attachment in a text editor, Abrams said, instead of the plaintext HTML code, Morse code is placed there as dots and dashes. For instance, the letter “a” is written as “.-” and the letter “b” is written as “-...”. “The script then calls a decodeMorse() function to decode a Morse code string into a hexadecimal string,” Abrams said. “This hexadecimal string is further decoded into JavaScript tags that are injected into the HTML page.
These injected scripts combined with the HTML attachment contain the various resources necessary to render a fake Excel spreadsheet that states their sign-in timed out and prompts them to enter their password again. Once a user enters their password, the form will submit the password to a remote site where the attackers can collect the login credentials.” According to the Microsoft 365 Defender Threat Intelligence Team, Morse code was observed in the February (“Organization report/invoice”) and May 2021 (“Payroll”) waves. In the February phishing campaign, the Team said, links to the JavaScript files were encoded using ASCII and then Morse code. In May, the Team added, the domain name of the phishing kit URL was encoded in Escape before the entire HTML code was encoded using Morse code.

Cybersecurity Best Practices

The changing tactics and speed with which cybercriminals update their obfuscation and encoding techniques when launching phishing campaigns against Office 365 environments call for the following cybersecurity best practices:
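The decoding layer described above, reversed as a triage check: this added example (not code from Microsoft, Bleeping Computer or the campaign itself) finds runs of Morse tokens in an HTML attachment, turns them back into the hexadecimal string and then into text, and flags decoded segments that contain script tags or URLs. The sample attachment and its placeholder script name are constructed.

```python
import re
from typing import Dict, List

# International Morse for letters and digits. Hex output only needs 0-9 and
# a-f, but the full table lets us recognise (and discard) non-hex Morse runs.
MORSE_TABLE: Dict[str, str] = {
    ".-": "a", "-...": "b", "-.-.": "c", "-..": "d", ".": "e", "..-.": "f",
    "--.": "g", "....": "h", "..": "i", ".---": "j", "-.-": "k", ".-..": "l",
    "--": "m", "-.": "n", "---": "o", ".--.": "p", "--.-": "q", ".-.": "r",
    "...": "s", "-": "t", "..-": "u", "...-": "v", ".--": "w", "-..-": "x",
    "-.--": "y", "--..": "z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}

# A run of at least eight whitespace-separated Morse tokens. Shorter runs are
# too easily matched by ellipses or punctuation, so they are ignored.
MORSE_RUN = re.compile(r"(?<![.\-])(?:[.\-]{1,5}\s+){7,}[.\-]{1,5}(?![.\-])")

# Substrings that, once the Morse layer is stripped, point at active content.
INDICATORS = ("<script", "<iframe", "http", "eval(", "document.write")

HEX_RE = re.compile(r"^[0-9a-f]+$")


def decode_morse_run(run: str) -> str:
    """Map one Morse token per character; KeyError on an unknown token."""
    return "".join(MORSE_TABLE[tok] for tok in run.split())


def decode_hex_payload(hexstr: str) -> str:
    """The Morse layer yields a hex string; turn it back into the hidden text."""
    if len(hexstr) % 2 or not HEX_RE.match(hexstr):
        raise ValueError("decoded Morse is not an even-length hex string")
    return bytes.fromhex(hexstr).decode("latin-1")


def scan_attachment(html: str) -> List[dict]:
    """Return one finding per Morse run that decodes to hex-encoded text."""
    findings = []
    for match in MORSE_RUN.finditer(html):
        try:
            hexstr = decode_morse_run(match.group(0))
            hidden = decode_hex_payload(hexstr)
        except (KeyError, ValueError):
            continue  # not Morse, or Morse that is not hex: leave it alone
        findings.append({
            "offset": match.start(),
            "tokens": len(match.group(0).split()),
            "hex": hexstr,
            "decoded": hidden,
            "indicators": [s for s in INDICATORS if s in hidden.lower()],
        })
    return findings


# Constructed sample (not a real attachment): one Morse string inside the
# script block. It decodes to the hex of '<script src="k.js">'; k.js is a
# placeholder file name, not a real resource.
MORSE_SAMPLE = (
    "...-- -.-. --... ...-- -.... ...-- --... ..--- -.... ----. --... ----- "
    "--... ....- ..--- ----- --... ...-- --... ..--- -.... ...-- ...-- -.. "
    "..--- ..--- -.... -... ..--- . -.... .- --... ...-- ..--- ..--- ...-- ."
)
SAMPLE_HTML = (
    "<html><body><p>Invoice attached, please sign in to view.</p>\n"
    '<script>var m = "' + MORSE_SAMPLE + '";</script></body></html>'
)

if __name__ == "__main__":
    for f in scan_attachment(SAMPLE_HTML):
        print(f"offset={f['offset']} tokens={f['tokens']} "
              f"decoded={f['decoded']!r} indicators={f['indicators']}")
```

The same pass can be pointed at the JavaScript files the segments fetch from open directories, since the February wave encoded those links in ASCII and then Morse.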
To better protect your organization against modern threats and mitigate cyber risks, schedule a consultation with one of our cybersecurity experts today.

Email-Borne Threats Still Bypass Current Security Systems, Study Shows

Despite advances in current email security systems, a new study reveals that these systems still miss a significant number of email-borne threats. In the 3rd quarter of 2018, Mimecast retested 80 million emails that had been considered “safe” by current email security systems. The Mimecast study found that out of the 80 million emails deemed “safe”, 42,350 were impersonation attacks, 17,403 contained malicious software (malware) attachments, 16,581 contained dangerous file types, and 205,363 malicious URLs were found. Impersonation attacks refer to emails that attempt to impersonate a trusted individual or company in order to gain access to corporate finances or data. Dangerous files, meanwhile, refer to files such as .jsp, .exe, .dll and .src – files that allow a program to run on a computer, exposing the computer to further cyber attacks. According to Mimecast, dangerous files bypassed current email security systems at an increased rate, showing a 25% increase from the last quarterly test.

How Prevalent Are Email-Borne Threats?

In the first half of 2018, over half a billion emails were analyzed by FireEye. It found that less than a third, or 32%, of email traffic was considered “clean” and delivered to an inbox. FireEye’s analysis found that 1 in every 101 emails had malicious intent. FireEye further found that the majority, or 90%, of the blocked emails contained no malware – 81% of which were considered phishing attacks and 19% impersonation attacks.
Cyber criminals see the advantages of leveraging email as a means to wage cyber attacks, as email continues to be the preferred form of communication worldwide despite the growth of other technologies such as social networking, instant messaging and chat. Email also maintains its dominance because it’s an integral part of the overall internet experience: an email address is required if you want to use a social networking site or your bank’s online service. According to The Radicati Group (PDF), over half of the world’s population used email in 2018, with the number of worldwide email users expected to top 3.8 billion in 2018 and to grow to over 4.2 billion by the end of 2022. The following trends in email-borne threats were observed by FireEye and The Radicati Group:

Blended Attacks

The most common form of email-borne threat is the blended attack – a form of attack that combines email and web access to deliver malware to an organization’s internal network. In a blended attack, the email itself doesn’t contain malware. The email only facilitates the delivery of the malware: it contains a link that, when clicked, goes directly to a malicious website, from which the malware is downloaded and then infects the organization’s internal network.

Impersonation Attacks Have Gone Mainstream

The cyber attack called “business email compromise”, also known as BEC or CEO fraud, is an example of an impersonation attack. In an impersonation or BEC attack, attackers send a bogus email purportedly from the CEO to a targeted employee, typically one who has access to company finances. Through the bogus email, the attackers request that the targeted employee make an urgent money transfer, usually to a trusted vendor’s new bank account. Many for-profit and nonprofit organizations have been duped by BEC scammers in recent years.
According to the Federal Bureau of Investigation (FBI), between October 2013 and May 2018 BEC scammers defrauded organizations worldwide of almost $12.5 million.

Email Attack Schedule

Malware-based attacks most likely occur on Mondays and Wednesdays. On Thursdays, malware-less attacks are most likely. Impersonation attacks, meanwhile, most likely occur on Fridays. One example of a malware-less email is the impersonation email, an email that spoofs domains or uses lookalike domains. Another example of a malware-less malicious email is the blended email, whereby the email contains a link to a malicious URL. A further example of a malware-less malicious email is one that contains a dangerous file such as an .exe file. One explanation for why impersonation emails are sent on Fridays is that impersonation emails are typically bogus emails from an organization’s CEO. On Fridays, especially late Friday afternoon, it’s typically difficult to call or talk in person with the boss – a situation favored by scammers to buy time to trick a targeted employee.

How to Prevent Email Attacks?

Here are some security measures to block or detect email-borne threats:

Staff Training

In an email-based attack, it only takes one click to infect your organization’s internal network, and your weakest link for this particular type of cyber attack is your staff. Staff training isn’t a one-shot deal; it needs to be continuous as well as effective. It’s particularly important to train executives and employees dealing with finances to be vigilant against email-borne threats, as they’re targeted by criminals, especially in BEC attacks. One way to train your organization’s staff is by sending test emails to check their resilience against email-borne threats.

Use Advanced Email Security Tools

Traditional email security tools only block emails that contain malware.
An advanced email security tool, in addition to blocking emails laden with malware, blocks malicious emails containing spoofed domains, lookalike domains, malicious URLs and dangerous files. Contact us today if you need assistance in protecting your organization’s network from email-borne threats.

Helpful Resources

Major Accounting Firm Deloitte Admits It Suffered Cyber Attack
Deloitte, one of the world’s “big four” accountancy firms, admitted that it suffered a cyber attack. The company, however, downplayed the cyber attack saying that "only very few clients were impacted" and "no disruption" to client businesses happened.
Deloitte’s clients include 80% of the Fortune 500 companies and more than 6,000 private and middle market companies. British news outlet The Guardian and cyber security journalist Brian Krebs have come out with a different take on Deloitte’s cyber attack. Sources told the British news outlet that an estimated 5 million emails have been accessed by the hackers in the Deloitte cyber attack. A source close to the Deloitte cyber attack investigation, meanwhile, told Krebs that the Deloitte hacking incident involved the compromise of all administrator accounts at the company as well as the company’s entire internal email system. “In addition to emails, the Guardian understands the hackers had potential access to usernames, passwords, IP addresses, architectural diagrams for businesses and health information,” Nick Hopkins of The Guardian wrote. “Some emails had attachments with sensitive security and design details.” The Guardian reported that Deloitte discovered the hack in March of this year but the hackers may have had access to the company’s systems since October or November 2016. This hacking period was confirmed by Krebs who said that the Deloitte hacking dates back to at least the fall of 2016. “Deloitte has sought to downplay the incident, saying it impacted ‘very few’ clients,” Brian Krebs wrote. “But according to a source close to the investigation, the breach dates back to at least the fall of 2016, and involves the compromise of all administrator accounts at the company as well as Deloitte’s entire internal email system.” “As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators,” Deloitte said in a statement. “The review has enabled us to understand what information was at risk and what the hacker actually did, and demonstrated that no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers. 
A source told Krebs that Deloitte “does not yet know precisely when the intrusion occurred, or for how long the hackers were inside of its systems.”

Cause of the Cyber Attack
Sometime in October 2016, Deloitte may have sensed that something was wrong, as the company sent out an email to all its employees in the US calling for a mandatory password reset. The notice included advice to pick complex passwords and a warning that employees who failed to change their passwords or personal identification numbers (PINs) by Oct. 17, 2016 wouldn’t be able to access email or other Deloitte applications.
According to The Guardian, Deloitte’s global email server was compromised through an “administrator’s account” – an account that has unrestricted access to all aspects of the email server. The administrator’s account required only a single password and didn’t have 2-step verification, sources of The Guardian said. By relying only on a password – single-factor authentication – Deloitte’s email system became highly vulnerable to cyber attack. Hackers nowadays find it easy to break into email protected by only a single factor of authentication, a password, for the following reasons:
Prior to the massive hack at Equifax, in which personally identifiable information such as the names, Social Security numbers, birth dates and addresses of 143 million Americans, 100,000 Canadians and 400,000 UK residents were stolen, Equifax was the victim of an earlier hacking incident. On May 15 of this year, the Counsel for TALX Corporation – a wholly owned subsidiary of Equifax – informed the Attorney General of New Hampshire about a hacking incident that harvested W-2 tax forms of the employees of TALX’s corporate clients. According to the Counsel for TALX, hackers gained access to the TALX website and harvested customers’ W-2 tax forms by successfully answering the personal questions used to reset “PINs” or passwords for accessing the website. “Because the accesses generally appear legitimate (e.g., successful use of login credentials), TALX cannot confirm forensically exactly which accounts were, in fact, accessed without authorization, although TALX believes that only a small percentage of these potentially affected accounts were actually affected,” the Counsel for TALX said. “It’s pretty unbelievable that a company like Equifax would only protect such sensitive data with just a PIN,” Avivah Litan, a fraud analyst with Gartner, told Krebs, in reaction to the TALX-Equifax data breach. “That’s so 1990s.”

What is 2-Step Verification?
Many companies like Google, Facebook and Apple have adopted the 2-step verification, also known as two-factor authentication.
2-step verification is one of the security measures that help keep bad guys out. An example of 2-step verification is Gmail’s, where you’ll be asked to enter your password as usual. In addition to the password, you’ll be asked for something else: a code sent to your smartphone via text, voice call or mobile app. You can sign in using this code. You can also sign in using a USB security key – a small device that connects to your computer. Can 2-step verification totally keep the bad guys away? Two-factor authentication offers more protection than logging into an email account without it. This added layer of security can stop certain groups of hackers. It can’t, however, stop other, more sophisticated cyber attacks. The USB security key is considered more secure than a code sent via smartphone. There’s, however, the danger of the device being lost or stolen. Cyber criminals have, in the past, infected mobile devices to steal 2-step verification security codes. Your organization’s entire internal email system could be full of sensitive information. Protecting your company’s email system goes beyond a password – single-factor authentication. Email security also goes beyond two-factor authentication. Contact us today if you need further protection for your organization’s internal email system.

Canadian University Loses $11.8 Million to BEC Scammers
An Edmonton, Alberta-based university publicly acknowledged that it was a victim of a recent cyber attack.
According to the Alberta-based university, a series of bogus emails tricked university staff into changing the electronic banking information for one of the university’s major suppliers. This resulted in a money transfer worth $11.8 million to a bank account that the university staff believed belonged to the supplier. The university traced over $11.4 million of the money to bank accounts in Canada and Hong Kong. According to the university, the traced bank accounts have been frozen and the university is working with its legal counsel in Montreal and Hong Kong to pursue civil action to recover the money. The remaining balance of these accounts is, however, unknown at this time. “There is never a good time for something like this to happen but as our students come back to start the new academic year, we want to assure them and the community that our IT systems were not compromised during this incident,” the university spokesperson said. The incident that occurred at the Alberta-based university is an example of the cyber attack called business email compromise (BEC).

What is a Business Email Compromise (BEC)?
BEC is a cyber attack that targets organizations that have regular dealings with foreign suppliers and regularly perform wire transfer payments.
According to the FBI’s Internet Crime Complaint Center (IC3), from October 2013 to December 2016, a total of 40,203 BEC incidents were reported worldwide, with total financial losses amounting to $5.3 billion. The IC3 said that the scam has been reported in 131 countries, with victims ranging from non-profit organizations to small businesses and large corporations. These businesses offer a variety of goods and services, signifying that no specific sector is targeted more than another. Tech giants Google and Facebook have succumbed to BEC scams. “Ransomware has been drawing much of the attention in the security world lately,” the Cisco 2017 Midyear Cybersecurity Report (PDF) said. “However, a threat that’s not nearly as high-profile is raking in far more for its creators than ransomware: Business email compromise, or BEC.” According to the FBI’s Internet Crime Complaint Center, some of the organizations affected by BEC reported being victims of a ransomware attack before the BEC incident.

How BEC Works
BEC is an elaborate deception scheme.
First, attackers study the organization they want to target. Attackers spend weeks and even months studying the organization’s suppliers, billing systems, and the top executive’s or CEO’s writing style and travel schedule. Tools used: attackers get the above-mentioned information from public online resources such as social media accounts and by using malicious software capable of infiltrating the organization’s networks, gaining access to passwords, financial account information and email threads relating to billing and invoices. Second, attackers establish a relationship with a target employee. When the time is right, for instance when the CEO isn’t in the office, BEC scammers contact a specific employee – bookkeeper, accountant, controller or chief financial officer – who is responsible for directly transferring money to suppliers. Attackers exploit the target employee through email spoofing, phishing emails and telephone calls.
A spoofing tool is also used by the attackers to direct email replies to a different account that the attackers control. At this stage, the target employee is tricked into thinking that he or she is corresponding with the organization’s CEO.
Third, attackers send instructions for the money transfer. In this third stage, attackers further deceive the target employee, for instance by convincing the employee that the supplier has a new bank account number and instructing the employee to send payment to this new account. Attackers may also send a bogus email from the CEO to release the money to the new bank account. Fourth, the money sent is drained into different accounts. In this fourth stage, money is sent to “money mules” in different parts of the world. Some of these accounts are difficult to trace. If the scam isn’t uncovered in time, it may be hard to recover the money.

How to Prevent BEC Scams
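Two of the signals from the walkthrough above can be checked automatically: the Reply-To redirection that the attackers' spoofing tool sets up, and the lookalike sender domain that the prevention list below describes (xyz_corporation.com standing in for xyz-corporation.com). This is an added example, not a product or script described on this page; the organisation domain and the sample headers are constructed, and an exactly spoofed domain (which needs SPF/DKIM/DMARC evidence rather than string comparison) is out of scope.

```python
from email.parser import HeaderParser
from email.utils import parseaddr
from typing import List

ORG_DOMAIN = "xyz-corporation.com"  # assumed organisation domain, from the text


def canonical(domain: str) -> str:
    """Collapse substitutions that look alike on screen so variants compare equal.

    Covers '_' for '-' (the page's example), digits standing in for letters,
    and the pairs 'rn' and 'vv' that read as 'm' and 'w'.
    """
    d = domain.lower().strip().rstrip(".")
    d = d.replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("0135_", "oles-"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Extract the domain part of an address header such as 'CEO <ceo@x.com>'."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def assess_message(raw_headers: str, org_domain: str = ORG_DOMAIN) -> List[str]:
    """Return human-readable flags for a message's From / Reply-To headers."""
    msg = HeaderParser().parsestr(raw_headers)
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    flags: List[str] = []
    # Lookalike check: only domains that are NOT the real one are compared,
    # because a header that simply claims the real domain is a spoofing
    # question for SPF/DKIM/DMARC, not for string similarity.
    if from_dom and from_dom != org_domain:
        dist = edit_distance(canonical(from_dom), canonical(org_domain))
        if dist == 0:
            flags.append(f"lookalike domain (confusable characters): {from_dom}")
        elif dist <= 2:
            flags.append(f"lookalike domain (edit distance {dist}): {from_dom}")
    # Reply redirection: replies are steered to an account the attackers
    # control, so Reply-To leaves the sender's domain.
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return flags


# Constructed sample headers (no real message): a bogus 'CEO' mail that uses
# the underscore lookalike and redirects replies to a webmail account.
SAMPLE_HEADERS = (
    "From: CEO <ceo@xyz_corporation.com>\n"
    "Reply-To: CEO <ceo.office@webmail.example>\n"
    "To: controller@xyz-corporation.com\n"
    "Subject: Urgent wire transfer - new vendor account\n"
)

if __name__ == "__main__":
    for flag in assess_message(SAMPLE_HEADERS):
        print(flag)
```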
Here are some of the ways to prevent BEC scams:
1. Verify the authenticity of the money transfer request. “The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone,” said FBI Special Agent Martin Licciardo. Also, confirm the money transfer request by calling the supplier on the previously known company numbers, not the one provided in the email request. In the case of the Alberta-based university, based on the preliminary assessment of the university’s internal audit group, the BEC scammers succeeded in deceiving the university staff because “controls around the process of changing vendor banking information were inadequate”.

2. Use an email intrusion detection system. This automated system can flag emails from domains that look similar to your organization’s. For example, an intrusion detection system for the legitimate email domain xyz-corporation.com can flag bogus emails from xyz_corporation.com.

You have a backdoor to your business, and it's Email
Email is the most widely used form of business communication today. It’s inexpensive and fast. This form of communication, however, exposes businesses to cyber criminals.
Malicious cyber criminals consider email a business’s backdoor – a vulnerable feature of a computer system that invites exploitation. Failing to protect your business emails is like fortifying your house with the latest alarm systems and then leaving your backdoor wide open. Symantec, in its 2016 Internet Security Threat Report, estimated that nearly 190 billion emails were in circulation each day in 2015 alone, with an average of 42 emails sent and received by each business user every day, and a growing number of users reading their emails on their mobile devices. Symantec reported that in 2015 the email spam rate increased by 53%, the phishing rate was one in 1,846 emails, and the malware rate was one in 220 emails. “For cybercriminals who want to reach the largest number of people electronically, email is still the favored way to do it,” Symantec said.

3 Ways Cyber Criminals Exploit the Vulnerabilities of Emails
Cyber criminals exploit the vulnerabilities of emails in a number of ways. Here are 3 ways cyber criminals exploit emails:
1. Business Email Compromise (BEC) Scams
The cyber threat called business email compromise (BEC) relies on the oldest trick of con artists: deception. In BEC, con artists zero in on employees who have access to a company’s finances, deceiving them into making wire transfers to bank accounts thought to belong to business partners – when in fact the money ends up in the accounts of cyber criminals.
BEC is one form of phishing – a form of identity theft that tricks people into revealing their Social Security numbers, bank account numbers and other valuable details – by making an email look like it came from a legitimate source such as a bank, a partner company or a government agency. The Federal Bureau of Investigation (FBI) reported that since 2013, organized crime groups employing the business email compromise scam have targeted small and large organizations and companies in every U.S. state and more than 100 countries around the world. According to the FBI, since January 2015 there has been a 1,300 percent increase in BEC, with losses now totaling over $3 billion. Tech giants such as Google and Facebook are not spared by BEC scammers. In March 2017, the FBI arrested Evaldas Rimasauskas for scamming multinational internet companies out of over $100 million via an email compromise scheme. While the FBI didn’t name the companies, a Fortune investigation revealed that the multinational internet companies referred to by the FBI as victims of Rimasauskas were tech giants Google and Facebook. In the Rimasauskas case, Google and Facebook thought they were communicating via email with legitimate staff of Quanta – the supplier of the tech giants’ computer servers.

Business Email Compromise (BEC) Scams Prevention
BEC scams can be prevented in the following manner:
Phishing Scams Prevention
Here are some of the ways to prevent phishing scams in general:
2. Malware Spread
Email is one of the oldest ways to spread malware – short for “malicious software” – software designed to damage or infiltrate computers without the users’ consent. In May 2000, the malware called “ILOVEYOU” infiltrated millions of computers. The ILOVEYOU malware came in the form of an email from someone the receiver knew, with the subject "ILOVEYOU" and a message body reading "kindly check the attached LOVELETTER coming from me."
An enormous number of people – probably out of the universal need to be loved – opened the ILOVEYOU email and downloaded the attached file. Once run, the malware overwrote all computer files and then sent an identical email to all the contacts in the victim's Outlook address book. As a result of the ILOVEYOU malware, a number of mail systems worldwide were overloaded, causing a meltdown of electronic communication among businesses and governments.

Malware Spread Prevention
Here are some of the ways to combat the spread of malware sent via emails:
3. Denial of Service (DoS) Attack
A denial-of-service (DoS) attack is an attempt by cyber criminals to prevent legitimate users from accessing online services like email. Spam email messages can be used by attackers to prevent your customers from emailing your company.
Email accounts, whether supplied by a paid service or free services such as Yahoo or Gmail, are assigned a specific quota. This quota limits the number of emails that your business account can receive in a given period of time. When attackers bombard your business account with too many or overly large email messages, this can consume your quota and prevent your company from receiving legitimate messages.

DoS Attack Prevention
To prevent a DoS attack.
When you have questions, connect with us and get the answers you need.
Author: Steve E. Driz, I.S.P., ITCP
8/22/2021