What Is Phishing-As-A-Service and How to Protect Your Organization
Microsoft 365 Defender Threat Intelligence Team recently published their findings on a large-scale phishing-as-a-service operation called “BulletProofLink.”
What Is Phishing-as-a-Service?
Phishing-as-a-service follows the software-as-a-service model in which cybercriminals pay an operator to launch an email-based phishing campaign.
In an email-based phishing campaign, the target receives an email from a seemingly legitimate origin. The email, however, is malicious and only masquerades as coming from a legitimate source. Clicking a link in this email leads to a compromised or fake website. The login details entered by the target, who believes he or she is logging into a legitimate website, are then harvested for criminal activities.
BulletProofLink, also known as BulletProftLink and Anthrax, is an example of phishing-as-a-service. It was first reported by OSINT Fans in October 2020. According to OSINT Fans, the phishing campaign launched by BulletProofLink started with a phishing email impersonating a Sydney-based accounting firm. The email looked legitimate, with no sign of broken English or a spoofed email sender.
Inside this email is the Remittance Advice receipts.pdf link. Clicking this link, OSINT Fans said, leads to a pixel-perfect clone of the Microsoft 365 login page. “If a victim enters their password on this page, the login credentials are sent straight to the criminals rather than Microsoft,” OSINT Fans said.
In the blog post “Catching the big fish: Analyzing a large-scale phishing-as-a-service operation,” Microsoft 365 Defender Threat Intelligence Team said BulletProofLink offers phishing-as-a-service at a relatively low cost, offering a wide range of services, including email templates, site templates, email delivery, site hosting, credential theft, credential redistribution, and "fully undetected" links/logs.
Microsoft 365 Defender Threat Intelligence Team said BulletProofLink has over 100 available phishing templates that mimic known brands and services. The BulletProofLink operation, the Team said, is responsible for many of the phishing campaigns that impact enterprises today.
The Team also reported that BulletProofLink used a rather high volume of newly created and unique subdomains – over 300,000 in a single run. The Team added that BulletProofLink is used by multiple attacker groups in either one-off or monthly subscription-based business models, creating a steady revenue stream for BulletProofLink’s operators.
BulletProofLink’s monthly service costs as much as $800, while a one-time hosting link costs about $50. The common mode of payment is Bitcoin.
Infinite Subdomain Abuse
According to Microsoft 365 Defender Threat Intelligence Team, the operators behind BulletProofLink use a technique the Team calls “infinite subdomain abuse.” The Team said infinite subdomain abuse happens when attackers compromise a website’s DNS or when a compromised site is configured with a DNS that allows wildcard subdomains.
Microsoft 365 Defender Threat Intelligence Team said infinite subdomain abuse is gaining popularity among attackers for the following reasons:
“It serves as a departure from previous techniques that involved hackers obtaining large sets of single-use domains. To leverage infinite subdomains for use in email links that serve to redirect to a smaller set of final landing pages, the attackers then only need to compromise the DNS of the site, and not the site itself.
“It allows phishing operators to maximize the unique domains they are able to use by configuring dynamically generated subdomains as prefix to the base domain for each individual email.
“The creation of unique URLs poses a challenge to mitigation and detection methods that rely solely on exact matching for domains and URLs.”
Microsoft 365 Defender Threat Intelligence Team said that BulletProofLink's phishing-as-a-service is reminiscent of the ransomware-as-a-service model. Today’s ransomware attacks involve, not just data encryption, but exfiltrating or stealing data as well. In a ransomware-as-a-service scenario, the ransomware operator doesn’t necessarily delete the stolen data even if the ransom has already been paid.
In both ransomware and phishing, Microsoft 365 Defender Threat Intelligence Team said that operators supplying resources to facilitate attacks maximize monetization by assuring stolen data are put to use in as many ways as possible. Victims’ credentials, the Team said, are likely to end up in the underground economy. “For a relatively simple service, the return of investment offers a considerable motivation as far as the email threat landscape goes,” Microsoft 365 Defender Threat Intelligence Team said.
Cybersecurity Best Practices
To protect Microsoft 365 users from phishing-as-a-service operations, Microsoft 365 Defender Threat Intelligence Team recommends the following cybersecurity best practices:
As a large part of the world’s workforce shifted to working from home, attackers turned their attention to this new remote workforce, leveraging a cyberattack called “consent phishing” to gain access to valuable data in cloud services.
What Is Consent Phishing?
Consent phishing is a cyberattack in which an attacker lures a victim into clicking on a malicious app. The malicious app masquerades as a legitimate app, tricking the victim into granting it consent and thereby giving the attacker access to the victim’s sensitive data or other resources.
In the blog post "Protecting your remote workforce from application-based attacks like consent phishing," Agnieszka Girling, Partner Group PM Manager at Microsoft, warned about consent phishing. While each consent phishing attack tends to vary, Girling said, the attack typically follows these steps:
First, an attacker registers a malicious app with an OAuth 2.0 provider, such as Azure Active Directory.
Second, the malicious app is developed in such a way that it appears, at first glance, as legitimate through the use of the name and logo of a popular product.
Third, the attacker tricks a victim to click on a malicious link. The malicious link is delivered by email, website, or other techniques.
Fourth, the victim clicks the malicious link and is asked to grant the malicious app permissions.
Fifth, once the victim grants the malicious app permissions, the malicious app gets an authorization code which it redeems for an access token, and potentially a refresh token.
Sixth, the access token is then used to access a cloud service on behalf of the victim.
Consent phishing is also known as OAuth phishing, as this type of cyberattack abuses the OAuth protocol – an authorization protocol that allows websites and applications to request limited access to a user's cloud account without the need for a password. With OAuth, instead of a password, an access token is used to authorize the request.
Real-Life Example of Consent Phishing Attack
PhishLabs reported that an attacker used a malicious Microsoft 365 app to gain access to a victim’s legitimate Microsoft 365 account. According to PhishLabs, the attacker presented the link of the malicious Microsoft 365 app via a traditional phishing message impersonating an internal SharePoint and OneDrive file-share.
PhishLabs said that the link provided led to a legitimate Microsoft 365 login page. After the victim logged in, or if the victim was already logged in, the victim was then presented with the Microsoft 365 access permissions request. Approving the request granted the attacker full control of the victim’s Microsoft 365 account.
According to PhishLabs, the Microsoft 365 app was created using the information of a legitimate organization. “This is likely due to the organization having been previously compromised, allowing attackers to leverage their development credentials in building the app,” PhishLabs said.
Cybersecurity Best Practices Against Consent Phishing
In consent phishing attacks, the typical remediation steps such as resetting passwords or requiring Multi-Factor Authentication (MFA) on accounts aren’t effective as the malicious apps are external to the organization.
According to Microsoft, consent phishing attacks “leverage an interaction model which presumes the entity that is calling the information is automation and not a human.”
Microsoft recommends the following measures to detect and remediate consent phishing attacks targeting your organization’s Microsoft cloud environment:
Detect Malicious Apps Using Alerts
OAuth policies can be set automatically to send notifications when an OAuth app meets certain criteria. For instance, an OAuth policy can be set to send a notification when an OAuth app requires high permissions and was authorized by more than 50 users.
Detect Malicious Apps by Hunting
When hunting for malicious apps, OAuth apps are reviewed for suspicious names or suspicious publishers.
“Misleading names, such as foreign letters that resemble Latin letters, could indicate an attempt to disguise a malicious app as a known and trusted app,” Microsoft said. “Misleading publisher names, such as foreign letters that resemble Latin letters, could indicate an attempt to disguise a malicious app as an app coming from a known and trusted publisher.”
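The two detection approaches above (an alert when a high-permission app has been consented to by more than 50 users, and a hunt for names or publishers built from look-alike letters of another script) can be expressed as a review pass over an inventory of OAuth apps. The script below is an added example, not Microsoft's tooling; the app records, the permission names treated as high-impact and the threshold of 50 are constructed for the example.

```python
import unicodedata
from dataclasses import dataclass

# Permission scopes this example treats as high-impact (assumption: an illustrative
# subset chosen for the example, not an official list).
HIGH_PERMISSIONS = {
    "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.ReadWrite.All", "Sites.ReadWrite.All", "offline_access",
}
CONSENT_THRESHOLD = 50  # alert when more than this many users consented


@dataclass
class OAuthApp:
    name: str
    publisher: str
    permissions: set
    user_count: int
    verified_publisher: bool = False


def mixed_script(text):
    """True if the letters of a name come from more than one script, e.g. a
    Cyrillic 'о' dropped into an otherwise Latin product name."""
    scripts = set()
    for ch in text:
        if ch.isalpha():
            # Unicode names start with the script: "LATIN SMALL LETTER A",
            # "CYRILLIC SMALL LETTER O", "GREEK CAPITAL LETTER ALPHA" ...
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return len(scripts) > 1


def review_app(app):
    """Return the list of findings for one app (empty list means nothing seen)."""
    findings = []
    high = app.permissions & HIGH_PERMISSIONS
    # Alert-style rule: high permissions and consented by more than 50 users.
    if high and app.user_count > CONSENT_THRESHOLD:
        findings.append("high-permission app consented by %d users" % app.user_count)
    # Hunt-style rules: misleading app or publisher names.
    if mixed_script(app.name):
        findings.append("app name mixes scripts (possible look-alike name)")
    if mixed_script(app.publisher):
        findings.append("publisher name mixes scripts (possible look-alike publisher)")
    # High permissions requested by a publisher that is not verified.
    if high and not app.verified_publisher:
        findings.append("high permissions requested by unverified publisher")
    return findings


# Constructed inventory for the example (U+043E is the Cyrillic small letter o).
SAMPLE_APPS = [
    OAuthApp("Bonus Viewer 365", "Unknown Dev", {"Mail.ReadWrite", "MailboxSettings.ReadWrite", "offline_access"}, 3),
    OAuthApp("Micr\u043esoft Teams", "Microsoft", {"User.Read"}, 120),
    OAuthApp("Expense Sync", "Verified Vendor Inc", {"Files.ReadWrite.All", "offline_access"}, 75, True),
    OAuthApp("Calendar Helper", "Someone", {"Calendars.Read"}, 2),
]


def run_review(apps=SAMPLE_APPS):
    """Map app name -> findings, keeping only apps with at least one finding."""
    return {app.name: review_app(app) for app in apps if review_app(app)}


if __name__ == "__main__":
    for name, findings in run_review().items():
        print(name)
        for f in findings:
            print("  -", f)
```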
Once it’s determined that the OAuth app is malicious, the following remediations can be undertaken:
Rise of Phishing and DDoS Attacks in the Education Sector
COVID-19 resulted in the temporary shutdown of schools and universities across the world. This has given rise to online classes, whereby classes are conducted remotely and on digital platforms.
As schools and universities across the world reopen, many opt for mixed physical and online classes, while some still opt for purely online classes. The shift to online classes, however, has opened a window for malicious actors to exploit.
The shift to online classes gives rise to phishing attacks and distributed denial of service (DDoS) attacks directed against the education sector.
Phishing is one of the oldest and most popular forms of cybercrime. In a phishing campaign, intended victims, whether targeted or random individuals, are tricked into clicking something that leads to the theft of data or the downloading of malicious software (malware).
Microsoft Security Intelligence has found that as of September 7, 2020, out of the nearly 8.7 million malware encounters reported in the last 30 days, 59.84% came from the education sector, making it the most affected sector.
In the report “Digital Education: The cyberrisks of the online classroom”, Kaspersky Lab said that attackers lure victims into downloading malware by bundling fake versions of popular video meeting apps and online course platforms as legitimate application installers. Victims encounter these fake installers through phishing websites – sites designed to look like the legitimate download pages of popular video meeting apps and online course platforms.
Another way by which victims encounter these fake installers is through phishing emails that masquerade as special offers or notifications. Downloading a fake video meeting app or online course platform installer, whether from a phishing website or a phishing email, can lead to malicious software being installed and run on the victim’s computer, or to sensitive data being stolen.
In April of this year, researchers at Check Point reported that in a span of just 3 weeks, nearly 2,500 new websites relating to the video conferencing app Zoom were registered. Out of these 2,500 new Zoom-related websites, 1.5% were found to be malicious and another 13% were found to be suspicious. The researchers added that cybercriminals impersonated other video conferencing apps such as Microsoft Teams and Google Meet.
Researchers at Check Point reported that victims fell prey to phishing emails with the subject “You have been added to a team in Microsoft Teams“. The phishing emails contained a malicious website URL which, at first glance, looks similar to the legitimate Microsoft Teams URL. A double-check of this URL, however, shows that it is a fake, and victims who landed on this fake Microsoft Teams site ended up downloading malware.
Distributed Denial-of-Service (DDoS) Attacks
In a DDoS attack, a botnet – referring to a network of computers infected with self-propagating malware – is used by an attacker in overwhelming the target or its surrounding infrastructure with a flood of internet traffic. According to Kaspersky Lab, between January 2020 and June 2020, the number of DDoS attacks affecting the education sector increased by at least 350% when compared to the corresponding month in 2019.
Authorities recently arrested a 16-year-old in connection with a series of DDoS attacks on Miami-Dade County Public Schools that disrupted the district's first week of online classes. The teenager admitted to launching the DDoS attacks using Low Orbit Ion Cannon (LOIC).
LOIC is a decade-old application originally developed for network stress testing. Since becoming an open-source application it has been used for malicious activities such as DDoS attacks. A successful DDoS attack using LOIC floods a target server with TCP, UDP, or HTTP packets with the goal of disrupting service.
A DDoS attack via LOIC uses IRC chat channels to run a “Hivemind” version of the LOIC. This allows a primary user of the IRC chat to control secondary computers, creating a botnet – referring to a network of computers controlled by the primary user for malicious activities such as DDoS.
LOIC was used in the past to launch DDoS attacks against Visa and MasterCard websites in response to the freezing of payments to WikiLeaks. The thing about using LOIC in launching DDoS attacks is that attackers are unable to hide their IP addresses, making it easy for authorities to track them down. Due to this IP address visibility, authorities in many countries have taken legal actions against DDoS attackers leveraging LOIC.
Preventive and Mitigating Measures Against Phishing and DDoS Attacks
To stay safe from phishing attacks, be wary of clicking anything online as these could lead you to phishing sites. Also double-check URLs as a difference in one letter or character could lead you to a malicious site.
To stay safe against DDoS attacks, including DDoS attacks leveraging LOIC, use WAF, short for Web Application Firewall. WAF specifically provides strong protection against HTTP floods. As protection against TCP and UDP, use a dedicated DDoS protection.
What Is Consent Phishing and How to Prevent Such Attack
SANS Institute, the largest provider of cybersecurity training and certification to professionals, recently admitted that it fell victim to a consent phishing attack, leading to the theft of 28,000 records of personally identifiable information.
This recent successful consent phishing attack on SANS Institute highlights the growth of this type of cyberattack.
What Is Consent Phishing?
Consent phishing is a type of cyberattack that tricks victims into granting a malicious app permission to access legitimate cloud services such as Microsoft 365, formerly known as Office 365.
In a conventional phishing attack, an attacker attempts to obtain sensitive information or data by posing as a trustworthy individual or entity. The traditional way of launching a phishing attack is via email.
In an email-based conventional phishing attack, an attacker sends a malicious email to the target. This email masquerades as coming from a trusted individual or entity. Clicking on the link or attachment provided in the phishing email can lead to the installation and running of malicious software (malware) on the recipient's computer.
According to SANS Institute, the consent phishing attack was discovered last August 6th as part of a systematic review of email configuration and rules. SANS's internal investigation of the incident showed that the company's email configuration and rules were changed, allowing the forwarding of emails to an external email address.
The change of the email forwarding configuration and rules allowed the forwarding of 513 emails to a suspicious external email address. Approximately 28,000 records of personally identifiable information were forwarded to a suspicious external email address, SANS said in its Data Incident 2020 report.
The information sent to the suspicious external email address includes email address, work title, first name and last name, work phone, company name, industry, address and country of residence.
How the Consent Phishing Attack Unfolded
In its Data Incident 2020 – Indicators of Compromise, SANS Institute reported that on July 24, 2020, several of its employees received an email with the subject “Copy of sans July Bonus 24JUL2020.xls”. The recipients of the email were enticed to click on the “Open” button to read the purported "Bonus" document in the Enabler4Excel 365 format – the new version of the popular Enabler4Excel add-in built to work on Microsoft Excel 2016 or higher and Microsoft Excel Online.
Clicking on the Open button, however, initiates the installation of a malicious Microsoft 365 app. Once installed, the malicious app changes the affected mailbox’s forwarding rules so that emails containing the following keywords are forwarded to an external email address: Bank, bic, capital call, cash, Contribution, dividend, fund, iban, Payment, purchase, shares, swift, transfer, Wire and wiring info.
According to SANS Institute, only one employee's email account was impacted in the consent phishing attack.
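The SANS incident was found during a review of email configuration and rules. The following added example (not SANS's or Microsoft's tooling) shows what such a review can check automatically: it scores inbox rules that forward mail to a domain outside the organization, and raises the severity when the rule's keyword conditions match the finance terms listed above. The rule records and the internal domain are constructed for the example; the field names are an assumption, not an Exchange schema.

```python
# Finance keywords from the SANS report, lower-cased for matching.
FINANCE_KEYWORDS = {
    "bank", "bic", "capital call", "cash", "contribution", "dividend", "fund",
    "iban", "payment", "purchase", "shares", "swift", "transfer", "wire",
    "wiring info",
}
# Assumption for the example: the organization's own mail domain(s).
INTERNAL_DOMAINS = {"example.org"}


def is_external(address):
    """True if the recipient's domain is not one of the organization's domains."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in INTERNAL_DOMAINS


def assess_rule(rule):
    """Classify one inbox rule (a dict with constructed field names).

    Returns (severity, details) where severity is "high", "medium" or "none".
    """
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    external = sorted(a for a in targets if is_external(a))
    conditions = {k.lower() for k in rule.get("subject_or_body_contains", [])}
    hits = sorted(conditions & FINANCE_KEYWORDS)
    if not external:
        return "none", {"external": [], "finance_keywords": hits}
    severity = "high" if hits else "medium"
    return severity, {"external": external, "finance_keywords": hits}


def review_rules(rules):
    """Return {rule name: (severity, details)} for every rule that forwards externally."""
    report = {}
    for rule in rules:
        severity, details = assess_rule(rule)
        if severity != "none":
            report[rule["name"]] = (severity, details)
    return report


# Constructed sample rules for the example.
SAMPLE_RULES = [
    {   # shaped like the rule described in the SANS report
        "name": "Sync",
        "mailbox": "staff@example.org",
        "subject_or_body_contains": ["Bank", "iban", "swift", "Wire", "wiring info"],
        "forward_to": ["collector@external-mail.example"],
    },
    {   # legitimate hand-off to a colleague inside the organization
        "name": "Out of office cover",
        "mailbox": "staff@example.org",
        "subject_or_body_contains": ["invoice"],
        "forward_to": ["colleague@example.org"],
    },
    {   # external forward without finance terms: worth a look, lower priority
        "name": "Home copy",
        "mailbox": "staff@example.org",
        "subject_or_body_contains": [],
        "redirect_to": ["me@personal-mail.example"],
    },
]


if __name__ == "__main__":
    for name, (severity, details) in review_rules(SAMPLE_RULES).items():
        print(severity.upper(), name, details)
```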
Consent Phishing: An Application-Based Threat
Consent phishing is an application-based threat in which an attacker seeks the target's permission for an attacker-controlled app to access valuable data stored in a cloud service.
In the blog post "Protecting your remote workforce from application-based attacks like consent phishing", Agnieszka Girling, Partner Group PM Manager at Microsoft said that consent phishing is another threat vector that organizations must be aware of. Girling said that consent phishing typically follows the following steps:
First, an attacker registers a malicious app with an OAuth 2.0 provider, such as Azure Active Directory. OAuth 2.0 is an industry-standard protocol for authorization, granting users of websites or applications access to other websites without the need of passwords.
Second, the malicious app is designed in such a way that it seems trustworthy, for instance by using the name of a popular product used in the same IT environment.
Third, the attacker presents a link in front of the target via conventional email-based phishing, by compromising a legitimate website, or other techniques.
Fourth, the target clicks the link and is shown an authentic-looking consent button asking the target to grant the malicious app permission to access data in a particular cloud service.
Fifth, once the target clicks on the consent button, the malicious app is granted access to sensitive data stored in a cloud service such as Microsoft 365. The consent button is powerful because it unwittingly grants the attacker access to the contents of the target's Microsoft 365 account, including email, forwarding rules, files, contacts, profile, and materials stored in the target's OneDrive cloud storage space and corporate SharePoint document management and storage system.
Cybersecurity Best Practices Against Consent Phishing
On the part of Microsoft, the company said that it filed legal actions against criminals who deployed consent phishing designed to compromise Microsoft customer accounts. The company said its Digital Crimes Unit (DCU) first observed in December 2019 cybercriminals deploying consent phishing calling it “a sophisticated, new phishing scheme”.
Here are some cybersecurity best practices in order to prevent or mitigate the effects of consent phishing:
Twitter recently shed light on the cyberattack that compromised the accounts of a number of its high-profile users.
In the blog post “An update on our security incident”, Twitter said that the cyber incident that happened on July 15, 2020 targeted a small number of employees through a “phone spear phishing attack”. Twitter didn’t give details about how the attackers carried out the phone spear phishing attack.
Twitter, however, described the aftermath of the phone spear phishing attack. The company said that while not all of the Twitter employees that were targeted by the phone spear phishing attack had permissions to use Twitter’s account management tools, the “attackers” used the credentials gathered from the phone spear phishing attack to access the company’s internal systems and gain information about its processes.
Knowledge of the company’s internal systems and processes, Twitter said, enabled the attackers to target additional employees who did have access to the platform’s account support tools. Armed with credentials from employees that had access to the platform’s account support tools, Twitter said, the attackers targeted 130 Twitter accounts. Out of the 130 Twitter accounts, the company said, the attackers tweeted from 45 accounts, accessed the Direct Message (DM) inbox of 36 accounts, and downloaded the Twitter data of 7 accounts.
The phone spear phishing attack on Twitter compromised multiple high-profile verified accounts of personalities, including that of Bill Gates, Elon Musk and Jeff Bezos. Verified accounts of tech giants such as Apple and Uber as well as verified accounts of cryptocurrency exchanges such as Binance and Coinbase were also compromised.
Compromised verified accounts were made part of a cryptocurrency scam in which readers were called on to send bitcoin to a particular address with the promise that twice the amount of bitcoin would be returned. As of August 3, 2020, a total of 399 transferees sent bitcoin to the address mentioned in the compromised Twitter accounts. The total amount sent reached nearly 12.87 bitcoin (equivalent to USD 144,213).
As of July 30, 2020 (date of a case filed by the U.S. Department of Justice against one of the alleged perpetrators of the Twitter hack), not one of those that sent bitcoin to the above-mentioned address got their bitcoin doubled nor their bitcoin returned. Last July 31st, the U.S. Department of Justice announced that 3 cases had been filed against 3 individuals for their alleged roles in the Twitter hack.
Details of the alleged phone spear phishing attack are still not available despite the cases filed as the alleged mastermind of the Twitter hack is a minor. In the U.S., cases against minors aren’t available to the public.
Phone spear phishing attack isn’t something new. Phishing attack, in general, refers to a cyberattack that tricks victims into giving information to criminals. Spear phishing, meanwhile, refers to a phishing campaign that targets specific individuals or specific organizations.
Traditionally, spear phishing attacks are conducted via email. With the adoption of Voice over Internet Protocol (VoIP) – a technology that allows users to make voice calls over the internet instead of a regular (analog) phone line – phone phishing, also known as vishing, has proliferated.
It’s rare to hear about phone phishing because such attacks are reported under the broader category of phishing, which includes traditional email phishing. In a typical email phishing attack, an attacker sends the target an email that masquerades as coming from a legitimate source.
This malicious email contains a malicious link or attachment. Clicking on this malicious link or attachment could lead to the compromise of the user’s computer or stealing of sensitive data.
In the early 2000s, the Federal Bureau of Investigation (FBI) cited two examples of vishing. In one version of a vishing scam, the target receives a typical email, similar to a traditional email phishing scam. But instead of being directed to a malicious link, the target is given a phone number (a VoIP account) to call and is asked to provide certain information over that number.
The phone number is usually that of a fake customer service. The target that calls the customer service is then directed to a series of voice-prompted menus that ask for passwords and other sensitive information.
According to the FBI, another version of vishing directly contacts the target by phone (VoIP account as well) instead of an initial email. The call can come from a recorded message directing the target to take action to protect his or her account. In this case, the attacker already has some personal information about the target. This gives the target a false sense of security.
Vishing via VoIP, the FBI said, has some advantages over traditional phishing tricks due to the following reasons:
Preventive and Mitigating Measures Against Vishing
Always treat a phone call asking for sensitive information with a healthy dose of skepticism. Verify whether the call is legitimate by hanging up the phone and calling the customer service using the number provided by the organization.
Another Canadian City Falls Victim to Phishing Email, Loses Half a Million Dollars as a Result
The City of Burlington, Ontario recently revealed that it fell victim to a phishing email, resulting in the loss of the City’s funds worth half a million dollars.
In a statement, the City of Burlington said that a phishing email was sent to City staff requesting a change to the banking account information of an established City vendor. As a result of the phishing email, the City said, a single wire transfer of funds worth approximately half a million dollars was sent to a bank account controlled by an unknown attacker or attackers last May 16.
The City said it only discovered it was a victim of fraud last May 23. The cyber incident has been reported to authorities and criminal investigations are underway by the appropriate authorities, the City said.
What Is Phishing Email?
Phishing emails are malicious emails used by cyber-attackers to launch attacks against their victims. A traditional phishing email contains a malicious attachment that, when opened, downloads and installs malware onto the victim’s computer. A traditional phishing email may also contain a malicious link that, when clicked, leads to a malicious website hosting malware, from where the malware is downloaded and installed onto the victim’s computer.
In recent years, cyber-attackers have weaponized the emails to commit fraud, known as Business Email Compromise (BEC). BEC attackers target small, medium and large organizations, as well as individuals. Prior to sending the phishing emails, BEC attackers monitor and study their selected victims.
Targeted organizations and individuals are those that regularly perform wire transfer payments. In a BEC attack, the email address of a high-level employee or an executive involved with wire transfer payments is either spoofed or compromised, resulting in the loss of funds.
According to the Federal Bureau of Investigation (FBI), as of July 12, 2018, BEC became a 12 billion dollar scam. The FBI said that from October 2013 to May 2018, a total of 78,617 BEC incidents were reported worldwide, with loss to this scam amounting to US$12.5 billion.
In April this year, another Canadian city, the City of Ottawa, revealed that it fell victim to a similar attack. Based on the report released by the Office of the Auditor General of the City of Ottawa, on July 6, 2018, the City Treasurer received an email which appeared to be from the City Manager.
This email, which was later identified as a spoofed email, requested that a wire transfer in the amount of US$97,797.20 be processed for the completion of an acquisition. On the same day the spoofed email was received, with the City Treasurer’s approval, US$97,797.20 was sent to the bank account controlled by malicious actors.
The amount was then transferred from one bank account to another, with a portion of it ending up in one of the bank accounts monitored by the U.S. Secret Service. The U.S. Secret Service informed the City of Ottawa that the funds had been seized. The City of Ottawa, through its City Solicitor, filed a petition before the U.S. Government asserting the City’s claim on the seized funds. It’s still unclear how much the City of Ottawa will eventually recover.
Spoofed and Compromised Emails
BEC attackers trick their victims into wiring funds into bank accounts they control by spoofing or compromising email accounts belonging to persons in authority, in particular, those in charge of approving the release of funds. Email spoofing refers to the sending of an email which is made to appear as though it was sent by someone other than the actual sender.
Many BEC attackers purchase a domain name similar to the target organization’s domain in order to own an email address that closely resembles the target organization, for instance, “xocompany.com” is similar to “xoc0mpany.com”. Attackers send this spoofed email hoping that the receiver wouldn’t notice the wrong email address.
Email spoofing can also be achieved by manipulating the visible email header. Each email carries two sets of sender information: one visible and one that isn’t readily visible. The visible header shows the familiar "From" field, which contains the email address of the sender.
This visible header can be set by the attacker to anything, so it can show a correctly-spelled email address that is familiar to the recipient. If the recipient checks the less visible information, known as the “SMTP envelope”, the real email address of the malicious sender can be seen.
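The two spoofing techniques just described, a look-alike domain such as “xoc0mpany.com” and a forged visible From header that disagrees with the SMTP envelope, can both be checked at the receiving side. The example below is added here and is not from the page's sources; it uses Python's standard email parser, reads the envelope sender from the Return-Path header that the receiving mail server records, and normalizes digit-for-letter substitutions before comparing the From domain with a constructed list of trusted domains. The messages are constructed samples.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumption for the example: the organization's genuine mail domains.
TRUSTED_DOMAINS = {"xocompany.com"}

# Common digit-for-letter swaps seen in look-alike domains: 0->o, 1->l, 3->e, 5->s.
_DIGIT_SWAPS = str.maketrans("0135", "oles")


def normalize(domain):
    """Fold look-alike characters so 'xoc0mpany.com' compares equal to 'xocompany.com'."""
    return domain.lower().translate(_DIGIT_SWAPS).replace("rn", "m")


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain.lower() in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(trusted):
            return trusted
    return None


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_message(raw):
    """Return a list of spoofing indicators for one raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    header_from = parseaddr(str(msg.get("From", "")))[1]
    envelope_from = parseaddr(str(msg.get("Return-Path", "")))[1]
    findings = []
    imitated = lookalike_of(domain_of(header_from))
    if imitated:
        findings.append("From domain %s looks like %s" % (domain_of(header_from), imitated))
    if envelope_from and domain_of(envelope_from) != domain_of(header_from):
        findings.append("envelope sender %s differs from visible From %s" % (envelope_from, header_from))
    return findings


# Constructed sample messages (Return-Path as a receiving server would record it).
SPOOFED = b"""Return-Path: <billing@attacker-mail.example>
From: "Jane Doe (CFO)" <jane.doe@xoc0mpany.com>
To: accounts@xocompany.com
Subject: Urgent: updated vendor bank details

Please process the attached change of banking details today.
"""

LEGIT = b"""Return-Path: <jane.doe@xocompany.com>
From: "Jane Doe (CFO)" <jane.doe@xocompany.com>
To: accounts@xocompany.com
Subject: Q3 close

Reminder that the quarter closes Friday.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, check_message(raw) or ["no indicators"])
```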
BEC attackers also launch their phishing emails from compromised legitimate email accounts, for instance the email account of the organization’s CEO. BEC is also known as the “CEO scam” because of the growing spoofing and compromise of CEO emails.
In a compromised email, the attackers gain total access to a legitimate email account. One way an attacker gains unauthorized access to a legitimate email is through another phishing email, tricking the victim to click on the malicious attachment or link, resulting in the installation of malware into the victim’s computer.
An example of malware is the keylogger – a type of malware that records every keystroke made by a computer user, capturing information such as usernames and passwords to emails and sending these data remotely to the attackers. Armed with these stolen login details, attackers can then access the victim’s email. From this compromised email, attackers can send an email ordering a lower-ranked employee in charge of releasing funds to proceed with the bogus wire transfer.
Legitimate Windows Tool AutoHotkey Now Part of Cyber Attackers Arsenal to Avoid Detection
Researchers at Trend Micro have discovered new malicious software (malware) that uses AutoHotkey – a Windows tool initially aimed at providing easy keyboard shortcuts – enabling attackers to avoid detection, steal certain information and even gain remote control of a compromised computer.
This latest malware, according to Trend Micro researchers, initially infects a computer via a spear phishing attack, a form of targeted cyber-attack that uses an email as a weapon. The malicious email used by the attackers carries a malicious attachment disguised as a legitimate Excel file.
According to the researchers, at first glance this disguised Excel file has only one filled sheet. Upon scrutiny, however, the file has another sheet with two seemingly blank columns. On closer inspection, the attackers had written malicious code in these two columns using white font, hiding the code in plain view.
Once the email recipient enables macros to open the disguised Excel file, AutoHotkey is dropped onto the victim’s computer. The researchers said that the legitimate tool AutoHotkey allows the attackers to connect to a server they control every 10 seconds to download, save and execute script files.
AutoHotkey, in this case, downloaded and executed TeamViewer, a software that allows attackers to gain remote control over the compromised computer. The researchers noted that AutoHotkey can download and execute other script files depending on the command it receives from the server controlled by the attackers.
Other malicious acts activated via AutoHotkey in this newly discovered malware include the creation of a link file in the startup folder for AutoHotkeyU32.exe, allowing the attack to persist even after a system restart, and the sending of the volume serial number of the C drive, which allows the attacker to identify the victim’s computer.
“We have yet to conclude this attack’s exact purpose,” researchers at Trend Micro said. “For now, we can surmise that it has the makings of a potential targeted attack because of its cyber espionage capabilities, as well as the potential for delivering ransomware and coinminer.”
History of AutoHotkey
AutoHotkey is a free, open-source scripting language that was initially developed to provide easy keyboard shortcuts for Windows. The software later evolved into something more than a keyboard-shortcut tool, as it allows Windows users to automate desktop tasks, including monitoring programs, setting up scheduled tasks, and automating repetitive operations inside third-party software. The software was initially released 10 years ago, with the stable release of the software done only in November 2018.
The evolution of AutoHotkey made it an attractive tool for attackers. AutoHotkey, also known in the online gaming community as AHK, has been used numerous times to create online game cheating tools. Beyond the gaming world, cyber attackers with varied criminal intents have added AutoHotkey to their attack arsenal.
An example of malware that abuses AutoHotkey is “Win32/Ahkarun.A”, an AutoHotkey compiled script that spreads without any human interaction through removable drives and sends the user's IP address to a remote server. According to Microsoft, which reported on the malware in June 2008, Ahkarun uses the common icon resembling a Windows file folder in order to trick a user into opening and executing the malware.
Once executed on the victim’s computer, this malware waits for removable media such as USB thumb drives to be connected. When this happens, the malware copies itself and its components to the removable drive, and then performs malicious actions such as identifying the IP address of the infected machine and sending it to a predefined email account.
In February 2018, the research team at Ixia reported two cases of AutoHotkey-based malware, one distributing cryptocurrency mining malware and the other distributing a clipboard hijacker. In cryptocurrency mining, an attacker hijacks the computing power of someone else’s computer for cryptocurrency mining. In clipboard hijacking, meanwhile, the AutoHotkey-based malware discovered by the Ixia research team stays in the compromised computer’s memory and waits for any activity in the clipboard. When a user copies a cryptocurrency wallet address to the clipboard, the malware replaces the user’s wallet address with an address owned and controlled by the attacker, thus tricking the victim into sending cryptocurrency to the attacker instead.
In March 2018, researchers at Cybereason discovered AutoHotkey-based malware they called “Fauxpersky”, as this malware masquerades as Kaspersky Antivirus and spreads through infected USB drives. Fauxpersky has a keylogging feature, recording every keystroke made by a computer user, exfiltrating the recorded data through Google Forms and depositing it in the attacker’s inbox.
As shown in the above-mentioned examples of AutoHotkey-based malware, criminals are starting to abuse the legitimate Windows tool AutoHotkey. Being a legitimate tool, often used by system administrators, AutoHotkey flies under the radar and drops a varied range of payloads – the part of the malware that performs malicious actions – without triggering any anti-malware alarms.
One reason why we see fewer abuses of AutoHotkey by cyber attackers, to date, is that this software isn’t pre-installed on Windows computers. Attackers, therefore, have to take the extra step of dropping the software onto the victim’s computer and executing it in order for this tool to work.
Training your organization’s staff to recognize, avoid and report suspicious emails is one approach that could prevent AutoHotkey abuses. As exemplified by the newly discovered AutoHotkey-based malware, attackers initially infect their victims through phishing attacks, a type of cyber attack that uses email as a weapon.
Another approach to preventing AutoHotkey abuses is disabling active content (data connections or macros) across your organization. When active content is disabled and a member of your staff next receives a file with active content via email, that content is blocked, and the Message Bar with the notice "Macros have been disabled” appears as an alert that the active content may contain malware and other security hazards that could harm your organization’s computers or network.
Why Nonprofits Are Easy Targets for Phishing Attacks
Cybersecurity was once low on the list of priorities of nonprofit organizations. Times are, however, changing. In recent years, nonprofit organizations have become an easy target for phishing attacks.
In a 2018 study drawn from a data set of more than 6 million users, KnowBe4 found that nonprofit organizations have the highest percentage of “phish-prone” employees in the large organizations (1,000 or more employees) category. KnowBe4 determines the phish-prone percentage by the number of employees that open a malicious attachment or click a malicious link in a simulated phishing email.
What Is a Phishing Attack?
A phishing attack is a type of cyberattack that uses a fraudulent email as a weapon. An email used for a phishing attack appears to come from a reputable source. This email, however, is a fraudulent one.
A phishing email comes with a malicious attachment or a malicious link. When the malicious attachment is downloaded, it installs malicious software (malware) on the recipient’s computer. When the malicious link is clicked, it leads the recipient to a fake website coaxing them to reveal confidential information, or the scam site could be used to download malware onto the victim’s computer.
Why Are Nonprofit Organizations Targeted?
Nonprofit organizations are repositories of critical data, including benefactors’ names, addresses and credit card details, as well as critical data of clients and proprietary information as in the case of nonprofit research organizations.
Aside from donations from individuals, nonprofits are entrusted by governments with significant financial and social responsibilities. In some local governments, some of the top contractors are nonprofits with contracts worth millions.
Holding such critical information and funds makes nonprofit organizations attractive to cybercriminals.
While nonprofit organizations face the same security risks as for-profit organizations, nonprofits generally lag behind for-profit organizations in implementing the policies and practices necessary to secure their IT systems. Cybercriminals have come to realize that nonprofits lack the resources to implement cybersecurity best practices, making them easy targets for phishing attacks.
How Do Phishing Attacks Impact Nonprofits?
Here are two ways by which phishing attacks impact nonprofit organizations:
1. Ransomware Attacks
Ransomware is a type of malware that denies victims access to their computer files until a ransom is paid. Ransomware is often spread through phishing emails.
In March 2016, four computers at the Ottawa Hospital, a nonprofit, public university teaching hospital, were infected with the ransomware called “WinPlock”. Kate Eggins, the institution’s director of media relations, told IT World Canada that four staff at the institution each clicked a phishing email, which resulted in the installation of the WinPlock ransomware.
According to Microsoft, WinPlock ransomware encrypts files, denying users access to their files. After encrypting the computer files, this ransomware displays a ransom note that asks for one Bitcoin as ransom payment.
2. Business Email Compromise (BEC) Attacks
Business Email Compromise (BEC), also known as CEO fraud, is a form of phishing attack in which an attacker impersonates an executive of an organization, oftentimes the CEO (hence the name CEO fraud), and attempts to trick an employee authorized to make payments into paying a fake invoice or making an unauthorized money transfer from the organization’s bank account to the fraudster’s bank account.
Nonprofit organization Save the Children, in its 2017 tax report, revealed that in April 2017 an unknown cyber attacker or attackers impersonating an employee of the institution tricked the institution into transferring $997,400 to a fraudulent organization in Japan on the belief that the money would be used to purchase solar panels for health centers in Pakistan.
Save the Children said that by the time the scam was discovered in May 2017, the transferred funds could no longer be recovered. Save the Children told the Boston Globe that the attackers deceived the institution into transferring nearly $1 million to a fraudulent organization in Japan by breaking into an email account of an employee of the institution and by creating false invoices and other documents.
The U.S. Federal Bureau of Investigation (FBI) reported that between October 2013 and May 2016, BEC attackers pocketed nearly USD $3.1 billion from 22,143 victims worldwide. The FBI said that in addition to compromising legitimate emails, attackers carry out BEC attacks by using spoofed emails – those that closely mimic legitimate emails, for instance, using the spoofed email domain abc-company.com based on a legitimate email domain of abc_company.com.
How Can Non-profits Prevent Phishing Attacks?
Here are some cybersecurity measures to protect your organization from phishing attacks:
And Finally, Alert Your Staff About Phishing Attacks
Phishing scammers are constantly changing their tactics. During your organization’s regular cybersecurity training, include tips on how to spot the latest phishing schemes.
For instance, one typical characteristic of a phishing email is a sense of urgency, pressuring the recipient via the email subject to act now or something negative will happen.
When you need help with raising awareness and protecting your digital assets, speak with one of our cybersecurity and IT risk experts. Contact us today and subscribe to the newsletter to receive cybersecurity tips and important alerts.
Latest Phishing Campaign Attempts to Install Remcos Remote Access Tool into Victims' Computers
Thousands of Icelanders have been targeted in the latest phishing campaign, which attempts to install the Remcos remote access tool on the victims' computers, according to a recent report by Cyren.
While the number of actual victims may seem low, Cyren said, this could be the largest cyberattack to hit Iceland, a country with a population of just close to 350,000.
Latest Phishing Attack Modus Operandi
Magni Reynir Sigurðsson, senior threat analyst at Cyren, reported that the phishing campaign targeting Icelanders, which has been observed since October 6th, begins with an email impersonating the Lögreglan – Icelandic police. The email requests the recipient to come to the police station for questioning. The email also threatens the recipient that an arrest warrant may be issued in case of non-compliance.
The attackers registered the domain name www[dot]logregian[dot]is. This domain name, at first glance, is very similar to the official domain name of the Icelandic police, www[dot]logreglan[dot]is. The only difference is that the “l” in the official site is changed to an “i”. Buying this similarly named domain enables the attackers to send emails with a sender address ending in “logregian[dot]is”, which at first glance closely resembles the emails from the official Icelandic police ending in “logreglan[dot]is”.
The link provided in the phishing email that purportedly leads to additional information about the case leads to the phishing site www[dot]logregian[dot]is that strikingly resembles the official site of the Icelandic police www[dot]logreglan[dot]is.
On the phishing site, the victim is asked to provide an Icelandic social security number. Unlike other phishing sites, which can be fooled by entering wrong data, this phishing site knows whether or not the victim is entering the wrong social security number. When a wrong number is entered, an error alert is shown, and when the number entered is correct, the victim is led to a new phishing webpage that displays the victim's actual name. Sigurðsson hypothesized that the phishers used a database, containing Icelanders’ social security numbers and actual names, that was leaked years ago.
Being able to match the social security number with the actual name further gives credence to this phishing campaign. To add still more credibility, the attackers ask the victim to enter the authentication number contained in the email that was sent to them.
Entering the authentication number leads the victim to another phishing webpage that automatically downloads a .rar file that purportedly contains additional documents about the case. When this .rar file is extracted, a .scr file (Windows Screensaver) disguised as a Word document, with the file name “Boðun í skýrslutöku LRH 30 Óktóber.scr”, roughly translated to English as “Called in for questioning by the police on October 30th”, is shown.
When this disguised Word document is executed, two files, “Yfirvold.exe” and “Yfirvold.vbs”, are dropped onto the victim's computer. Sigurðsson said that the Yfirvold.vbs file is placed in the Windows Startup folder so that, in case the victim reboots the computer, the .vbs script will execute Yfirvold.exe – malware that uses code and components from a known remote access tool called “REMCOS”.
What Is REMCOS?
REMCOS stands for Remote Control & Surveillance Software. This software is sold online by a company called “Breaking Security”. Remcos’ price ranges from €58 to €389. Buyers of Remcos can also pay using a variety of cryptocurrencies.
Breaking Security markets Remcos as legitimate software that allows users to remotely control and monitor Windows operating systems, from Windows XP and all versions thereafter, including server editions. In addition to selling Remcos, Breaking Security also offers Octopus Protector, a keylogger and a mass mailer. Octopus Protector encrypts a malware-laden file on disk, allowing it to bypass several antivirus protections. The keylogger records and sends the keystrokes made on a computer, while the mass mailer sends large volumes of emails.
In the case of the phishing attack targeted against thousands of Icelanders, according to Sigurðsson, the Remcos that’s installed on the victims’ computers comes with keylogging capability, collecting input from the victims’ keyboards, storing it in logs and then uploading the logs to command and control servers controlled by the attackers. These servers, Sigurðsson said, are located in Germany and Holland.
The Remcos that’s installed on the victims’ computers in the Iceland phishing attack also comes with a checker that determines whether the victims are accessing the largest online banks in Iceland. According to security researcher MalwareHunterTeam, this checking capability is a selective keylogger feature of Remcos.
According to researchers at Cisco Talos, Remcos was also used to attack international news agencies, diesel equipment manufacturers operating within the maritime and energy sector, and HVAC service providers operating within the energy sector.
"Since Remcos is advertised and sold on numerous hacking-related forums, we believe it is likely that multiple unrelated actors are leveraging this malware in their attacks using a variety of different methods to infect systems,” researchers at Cisco Talos said.
Similar to the phishing attack targeting Icelanders, the cyberattacks mentioned by Cisco Talos started with a phishing email, purportedly coming from a government agency, with an attached document.
Embedded into the attached document is a small executable. “The extracted executable is simple and functions as the downloader for the Remcos malware,” Cisco Talos researchers said. “It is a very basic program and is used to retrieve Remcos from an attacker-controlled server and execute it, thus infecting the system.”
While the company behind Remcos claims that its software is meant for legitimate use, data in the wild, including the cyber incidents reported by Cyren and Cisco Talos, demonstrate that Remcos is being used by malicious actors.
Remcos is a powerful remote access tool that’s being regularly modified to include new functionalities to remotely control and monitor any Windows operating system.
Make sure that your organization is implementing security measures to combat Remcos and similar phishing tactics.
When you need help, we are a phone call away. Connect with us today and protect your business.
Canadian University Loses $11.8 Million to BEC Scammers
An Edmonton, Alberta-based university publicly acknowledged that it was a victim of a recent cyber attack.
According to the Alberta-based university, a series of bogus emails tricked university staff into changing the electronic banking information for one of the university’s major suppliers. This resulted in a transfer of $11.8 million to a bank account that the university staff believed belonged to the supplier.
The university traced over $11.4 million of the money to bank accounts in Canada and Hong Kong. According to the university, the traced bank accounts have been frozen and the university is working with its legal counsel in Montreal and Hong Kong to pursue civil action to recover the money. The remaining balance of these accounts is, however, unknown at this time.
“There is never a good time for something like this to happen but as our students come back to start the new academic year, we want to assure them and the community that our IT systems were not compromised during this incident,” the university spokesperson said.
The incident that occurred at the Alberta-based university is an example of the cyber attack called business email compromise (BEC).
What Is a Business Email Compromise (BEC)?
BEC is a cyber attack that targets organizations that have regular dealings with foreign suppliers and regularly perform wire transfer payments.
According to the FBI’s Internet Crime Complaint Center (IC3), from October 2013 to December 2016, a total of 40,203 BEC incidents were reported worldwide, with the total financial loss amounting to $5.3 billion. The IC3 said that the scam has been reported in 131 countries, with victims ranging from non-profit organizations to small businesses and large corporations. These businesses offer a variety of goods and services, signifying that no specific sector is targeted more than another. Tech giants Google and Facebook succumbed to BEC scams.
"Ransomware has been drawing much of the attention in the security world lately,” Cisco 2017 Midyear Cybersecurity Report (PDF) said. “However, a threat that’s not nearly as high-profile is raking in far more for its creators than ransomware: Business email compromise, or BEC."
According to the FBI’s Internet Crime Complaint Center, some of the organizations affected by BEC reported being a victim of ransomware attack before the BEC incident.
How BEC Works
BEC is an elaborate deception scheme.
First, attackers study the organization they want to target.
Attackers spend weeks and even months studying the organization’s suppliers, billing systems, and the top executive or CEO’s writing style and travel schedule.
Attackers obtain the above-mentioned information from public online resources such as social media accounts and by using malicious software capable of infiltrating the organization’s networks to gain access to passwords, financial account information and email threads relating to billing and invoices.
Second, attackers establish a relationship with a target employee.
When the time is right, for instance, when the CEO isn’t in his or her office, BEC scammers contact a specific employee – bookkeeper, accountant, controller or chief financial officer – in an organization who’s responsible for directly transferring money to suppliers.
Attackers exploit the target employee through email spoofing, phishing emails and telephone calls.
A spoofing tool is also used by the attackers to direct email replies to a different account that the attackers control. At this stage, the target employee is tricked into thinking that he or she is corresponding with the organization’s CEO.
Third, attackers send instructions for money transfer.
In this third stage, attackers further deceive the target employee, for instance, by convincing the employee that the supplier has a new bank account number and instructing the employee to send payment to this new account. Attackers may also send a bogus email from the CEO ordering the release of the money to the new bank account.
Fourth, money sent is drained to different accounts.
In this fourth stage, money is sent to “money mules” in different parts of the world. Some of these accounts are difficult to trace. If the scam isn’t uncovered in time, it may be hard to recover the money.
How to Prevent BEC Scams
Here are some of the ways to prevent BEC scams:
1. Verify the authenticity of the money transfer request.
“The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone,” said FBI Special Agent Martin Licciardo.
Also, confirm the money transfer request by calling the supplier with the previously known company numbers, not the one provided in the email request. In the case of the Alberta-based university, based on the preliminary assessment of the university’s internal audit group, the BEC scammers were able to succeed in deceiving the university staff as “controls around the process of changing vendor banking information were inadequate”.
2. Use an email intrusion detection system.
This automated system can flag emails from domains that are similar to your organization’s email domain. For example, an intrusion detection system protecting the legitimate email domain xyz-corporation.com can flag bogus emails from xyz_corporation.com.
Steve E. Driz, I.S.P., ITCP