There’s A Sophisticated Phishing Attack Out There That’s Targeting Meta Business Accounts According to Fortra

Posted in Commentary with tags on March 27, 2024 by itnerd

While the recent Meta outages have grabbed headlines, the latest research from Fortra analysts reveals a chilling development in the cyber threat landscape: a large-scale phishing attack aimed at compromising Meta Business Accounts

The campaign incorporates several atypical tactics to carry out the attack, including expertly crafted phishing emails, deceptive live support chats, and manipulation of Google notifications and QR codes. Fortra analysts have so far detected thousands of phishing emails associated with this campaign targeting a broad range of industries.

The targeting of Meta for Business brings into focus the high value compromised businesses on social channels hold for cybercriminals. While individual accounts often bear the brunt of such attacks, the ramifications of a breach in a business context are far-reaching, with potentially devastating consequences for both reputation and financial security.

I sent some questions over to Michael Tyler, Senior Director of Security Operations for Fortra to get some more insight on this campaign. Here’s what he said:

Can you describe the campaign and who the targets are?

  • Meta Business Suite, also known as Meta for Business, is a set of tools around managing a business’ presence on the Facebook and Instagram platforms.  Access to Meta Business Suite is granted through an underlying Facebook or Instagram account.   This campaign is leveraging a sophisticated phishing attack in order to obtain access to accounts with access to Meta Business Suite.   Targets are organizations of every size.   Fortra observed and blocked thousands of threats matching this campaign targeting several dozen organizations over a period of several weeks.   In some cases, the phishing emails were sent specifically to members of the marketing team at the organization, indicating that the adversary had done research to know which employees were most likely to have the target credentials.

How novel is the attack that is used by the threat actor(s)?

  • The concept of phishing itself is nothing new.  However, this campaign had several notable points.
    • The first is the impersonation of Meta for Business, combined with the tailored recipient list noticed at some organizations.  While not novel in and of itself it indicates that the adversary launching this campaign went to at least some degree of effort to deliver a targeted attack, as opposed to a shotgun style approach typically seen in low-complexity phishing attacks.   The hypothesis that this was a tailored attack is also supported by the phishing website itself, which is the next novel point.
    • The phishing site itself was very advanced and contained several unusual features.  Chief among these was that the phish was interactive. . . upon providing your username you would be placed in a live chat with a purported member of Meta’s “Security Team”.  In reality, the phishing site was initiating a connection to a Telegram channel controlled by the adversary, who was able to communicate with the victim in real time.  Part way through the interaction, the “live chat” would freeze and the victim would be required to provide their password to “reauthenticate”, whereupon the victim would be prompted by the security team members for any MFA codes or access authorizations that may be required to gain control over the account.  This is a particularly devious social engineering technique; by delaying request for the password until after the victim is already invested in a conversation with the fake support agent, it greatly increases the chance that the victim will provide this information so that they can complete the interaction they’ve already started.

What do you believe is the end goal of the campaign?

  • It’s difficult to say exactly what the end goal of a particular campaign is.  What is clear is that Meta for business accounts have specific value to adversaries.   Fortra has observed several adversary behaviors that could be end goals of a campaign such as this.
    • The simplest is resell.  The adversary launching this campaign could simply intend to sell access to any captured accounts on the dark web.  The buyer would then use the account for their own purposes, which might include one of the below endgames.
    • An adversary might use the account to impersonate the organization.  This could take several forms, from attempting to use DMs or other on-platform features to pivot into even more valuable accounts, or using the account to post disinformation for some purpose (perhaps motivated by geopolitical, financial, or hacktivism factors).  Additionally, if your Meta Business account is based off of a Facebook account, an adversary could impersonate you on any program using the “Login with Facebook” authentication method.
    • An adversary could lock the original owner out of the account, and then attempt to ransom access to the account back to the original owner.   This tactic can be particularly effective when employed against organizations who use social media as their primary marketing channel.
    • An adversary may also attempt to use the account to post ads for counterfeit goods.  As social media companies have continued to refine their targeting algorithms, more and more goods purchases are initiated over a social media ad.  Counterfeiters have taken notice; Fortra has observed a large increase in the advertisement of counterfeit goods via social media platforms over the past several years.  By using an already verified business account, adversaries can bypass some of the social media platform’s fraud controls and have a generally higher success rate.  If the account has payment methods established, the adversary can use the victim’s funds to launch their ads as well.

What can businesses do to mitigate this attack?

  • Best practices around Email Security and end-user Security Awareness Training are paramount.  By using a multi-layered email security solution that can block malicious emails from being delivered to end users and educating end users on how to identify and report suspicious emails that evade security you greatly decrease the risk of having your credentials compromised
  • Additionally, businesses should take care to secure their Meta for business account using the most advanced identity features available to them (MFA, Security Keys, and unrecognized device alerts as of this writing).  They should also limit access to account credentials to those individuals who absolutely require them.  An even more secure implementation is to consider having different individuals control different authentication factors.  For example, have the main user of the account own the password, but a separate individual own the device which receives MFA codes.   This may not be feasible in some organizations, but forcing multiple individuals to be involved in a login attempt gives more opportunity for someone to recognize a scam.

Leave a comment »

Sekoia Details A MFA-Bypass Phishing Kit That Targets MS 365 & Gmail Users

Posted in Commentary with tags on March 27, 2024 by itnerd

The latest version of the AiTM phishing kit “Tycoon 2FA” has become one of the most widespread AiTM phishing kits over the last few months, leveraging more than 1,100 domain names as tracked from late October 2023 through February 2024.  This new phishing-as-a-service (PhaaS) platform targets Microsoft 365 and Gmail accounts.

The most recent version that appeared in February “enhances its obfuscation and anti-detection capabilities and changes network traffic patterns”, bypassing 2FA protection using an adversary-in-the-middle (AitM) attackto steal session cookies.

Discovered by Sekoia researchers in October 2023,  Tycoon 2FA was found to have been active since August 2023, when was offered for sale on private Telegram channels.

“Once the user completes the MFA challenge, and the authentication is successful, the server in the middle captures session cookies”, allowing the attacker to replay the session, bypassing MFA,

Sekoia outlined six stages of the attack:

  • Stage 0 – Spreading phishing pages: Customers of the Tycoon 2FA PhaaS distribute their phishing pages using redirections from URLs and QR code.
  • Stage 1 – Cloudflare Turnstile challenge: User clicking on the phishing URL are redirected to a page embedding a Cloudflare Turnstile challenge to prevent unwanted traffic. 
  • Stage 2 – Email extractor: a JavaScript code is executed in the background and redirects the user to another page depending on the presence of an email address.
  • Stage 3 – Redirection page redirects to another web page of the phishing domain.
  • Stage 4 – Fake Microsoft authentication login page and sockets: Embeds a deobfuscation function and obfuscated HTML code, which is the fake Microsoft authentication page.
  • Stage 5 – 2FA relaying: Code builds and displays the Microsoft 2FA page.
  • Stage 6 – Final redirection: Redirects the user to a legitimate URL so they don’t realize the previous page was malicious.

Ted Miracco, CEO, Approov Mobile Security had this to say:

   “While Multi-Factor Authentication (MFA) increases security compared to single-factor authentication, sophisticated attacks involving Adversary-in-the-Middle (AiTM) techniques exemplified by the “Tycoon 2FA” phishing kit, can easily bypass most MFA protections. Some forms of MFA are more resistant to phishing attacks than others. Security keys that implement WebAuthn/FIDO2 standards offer a higher level of protection as they require the website to prove its identity to the key, which makes it significantly more difficult for attackers to intercept or replicate the MFA process. 

   “Certificate pinning is effective against attackers attempting to intercept or manipulate secure connections by presenting a fraudulent certificate. However, it does not prevent phishing attacks where the user is tricked into entering credentials into a malicious website or application.”

A move towards a passwordless solution would also help as it would likely take away this attack vector as well. Which once again shows that the world needs to shift towards solutions that provide protections from increasingly aggressive threat actors who will stop at nothing to achieve their aims.

Leave a comment »

Netcraft Discovers New Chinese-Language PhaaS Text Message Phishing Attack Platform

Posted in Commentary with tags on March 27, 2024 by itnerd

Netcraft has revealed that its discovered darcula, a new sophisticated Chinese-language Phishing-as-a-Service (PhaaS) platform, used on over 19,000 phishing domains,  offering easy deployment of phishing sites with hundreds of templates targeting worldwide brands.

Unlike typical phishing kits, darcula can update in place to add new features and anti-detection measures functionality. Netcraft observed a recent update that changed the kit to make malicious content available via a specific path rather than the front page to disguise the attack location. 

Netcraft detected darcula infrastructure domains across 11,000 IP addresses based in 100+ countries, and since the start of 2024, an average of 120 new domains have hosted phishing pages each day. Like other PhaaS threat actors, this group also offers a paid monthly subscription to other criminals. 

This new report unveils Netcraft researchers have observed darcula phishing attacks targeting DHL, Evri, USPS, Bulgarian, Australia, and Singapore Posts; anti-monitoring redirecting site crawlers to a cat breed; and Rich Communication Services (RCS)/iMessage on Apple and Android devices and package scams. 

The darcula platform targets industries that rely heavily on consumer trust, including postal services, public and private utilities, financial institutions, government bodies (tax departments), airlines, and telecommunication organizations, underscoring the potential impact of the PhaaS threat actors attacks.  

Netcraft examines in detail how darcula works, how its campaigns differ from conventional smishing, and why these campaigns offer a uniquely practical approach to extracting critical data from victims, including RCS and iMessage used for phishing lures. 

You can read the report here.

Leave a comment »

CISA & FBI Issue alert Urging Tech Manufacturers To Eliminate “Unforgivable” SQL Injection Vulnerabilities 

Posted in Commentary with tags , on March 27, 2024 by itnerd

On Monday the CISA and the FBI published a “secure-by-design” alert urging technology manufacturers to eliminate the “unforgivable” class of vulnerabilities known as SQL injection.

It states that threat actors were able to exploit just such a vulnerability in MOVEit file transfer software last year to devastating effect – data exfiltration from thousands of MOVEit corporate clients impacting the personal details of tens of millions of customers. 

   “Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers continue to develop products with this defect, which puts many customers at risk.

   “CISA and the FBI urge senior executives at technology manufacturing companies to mount a formal review of their code to determine its susceptibility to SQLi compromises. If found vulnerable, senior executives should ensure their organizations’ software developers begin immediate implementation of mitigations to eliminate this entire class of defect from all current and future software products,” the alert noted.

The alert offered the following guidelines for technology manufacturers:

  • Take Ownership of Customer Security Outcomes
  • Embrace Radical Transparency and Accountability
  • Build Organizational Structure and Leadership to Achieve These Goals

Emily Phelps, Director, Cyware:

   “This CISA and FBI initiative, particularly in eliminating SQL injection vulnerabilities, is important. It highlights the need for proactive cybersecurity measures to protect sensitive data from well-known threats. This effort is not just about improving security; it’s about building a foundation of trust between technology providers and their users, ensuring that privacy and safety are prioritized.

   “Collaboration between the private and public sectors is crucial. By working together, these sectors can share knowledge, tools, and strategies, making it much harder for cyber threats to penetrate their defenses.”

It’s 2024 and SQL Injection vulnerabilities should be a thing of the past. I’m not sure why this has to be constantly deemed to be unacceptable. But hopefully everyone gets the message and does something to relegate them to the history books.

Leave a comment »

Cisco Study Reveals Very Few Organizations In Canada Prepared To Defend Against Today’s Rapidly Evolving Threat Landscape

Posted in Commentary with tags on March 27, 2024 by itnerd

 Only one per cent of organizations in Canada have the ‘Mature’ level of readiness needed to be resilient against modern cybersecurity risks, according to Cisco’s 2024 Cybersecurity Readiness Index.

The 2024 Cisco Cybersecurity Readiness Index was developed in an era defined by hyperconnectivity and a rapidly evolving threat landscape. Companies today continue to be targeted with a variety of techniques that range from phishing and ransomware to supply chain and social engineering attacks. And while they are building defenses against these attacks, they still struggle to defend against them, slowed down by their own overly complex security postures that are dominated by multiple point solutions.

These challenges are compounded in today’s distributed working environments where data can be spread across limitless services, devices, applications, and users. However, 78 per cent of Canadian companies still feel moderately to very confident in their ability to defend against a cyberattack with their current infrastructure. This disparity between confidence and readiness suggests that companies may have misplaced confidence in their ability to navigate the threat landscape and may not be properly assessing the true scale of the challenges they face.

2024 Cisco Cybersecurity Readiness Index: Underprepared and Overconfident Companies Tackle an Evolving Threat Landscape

The Index assesses the readiness of companies on five key pillars: Identity Intelligence, Network Resilience, Machine Trustworthiness, Cloud Reinforcement, and AI Fortification, which are comprised of 31 corresponding solutions and capabilities. It is based on a double-blind survey of more than 8,000 private sector security and business leaders across 30 global markets conducted by an independent third party. The respondents were asked to indicate which of these solutions and capabilities they had deployed and the stage of deployment. Companies were then classified into four stages of increasing readiness: Beginner, Formative, Progressive and Mature.

Findings

Overall, the study found that only one per cent of companies in Canada are ready to tackle today’s threats, with 78 per cent of organizations falling into the Beginner or Formative stages of readiness. Globally, 3 per cent of companies are at a Mature stage. Further:

  • Future Cyber Incidents Expected: 63 per cent of respondents said they expect a cybersecurity incident to disrupt their business in the next 12 to 24 months. The cost of being unprepared can be substantial, as 43 per cent of respondents said they experienced a cybersecurity incident in the last 12 months, and 46 per cent of those affected said it cost them at least US$300,000.
  • Point Solution Overload: The traditional approach of adopting multiple cybersecurity point solutions has not delivered effective results, as 72 per cent of respondents admitted that having multiple point solutions slowed down their team’s ability to detect, respond and recover from incidents. This raises significant concerns as 62 per cent of organizations said they have deployed ten or more point solutions in their security stacks, while 17 per cent said they have 30 or more.​
  • Unsecure and Unmanaged Devices Add Complexity: 78 per cent of companies said their employees access company platforms from unmanaged devices​, and 33 per cent of those spend one-fifth (20 per cent) of their time logged onto company networks from unmanaged devices. ​Additionally, 20 per cent reported that their employees hop between at least six networks over a week.
  • The Cyber Talent Gap Persists: Progress is being further hampered by critical talent shortages, with 83 per cent of companies highlighting it as an issue. In fact, 35 per cent of companies said they had more than ten roles related to cybersecurity unfilled in their organization at the time of the survey.
  • Future Cyber Investments Ramping Up: Companies are aware of the challenge and are ramping up their defenses with 40 per cent planning to significantly upgrade their IT infrastructure in the next 12 to 24 months. This is a marked increase from just 25 per cent who planned to do so last year. Most prominently, organizations plan to upgrade existing solutions (67 per cent), deploy new solutions (53 per cent), and invest in AI-driven technologies (50 per cent). Further, 96 per cent of companies expect to increase their cybersecurity budget in the next 12 months, and 78 per cent of respondents say their budgets will increase by 10 per cent or more.

To overcome the challenges of today’s threat landscape, companies must accelerate meaningful investments in security, including adoption of innovative security measures and a security platform approach, strengthen their network resilience, establish meaningful use of generative AI, and ramp up recruitment to bridge the cybersecurity skills gap.

Additional Resources:

Leave a comment »

Obsidian Discovers Expansive Identity Security Risk Impacting HR Systems Used Widely By The Global 2000

Posted in Commentary with tags on March 27, 2024 by itnerd

The threat research team of SaaS security company Obsidian has found a potentially expansive identity security risk that involves the fintech startup Argyle, an integration service for verifying income and employment data. 

In February, Obsidian detected a risk for organizations who are linked to Argyle through integrations with HR Management (HRM) systems widely used by the Global 2000. Argyle’s service poses serious security implications to these organizations because it prompts their employees to input corporate identity credentials  through “permissioned payroll connections” into the Argyle platform – providing a pathway for unauthorized access and data compromise. 

Argyle collects data that is used by the mortgage, background check, personal lending and banking industries as well as the gig economy.

Based on what Obsidian is seeing in its customer environments, it has reason to believe that many companies are at risk of credential harvesting, session cookie leakage, unauthorized access to other systems, and even falling afoul of U.S. hacking laws. The patterns that Obsidian is seeing resemble common identity theft threats, such as those for initial access from an access broker such as Okta, or fully executed payroll theft after an account takeover. 

You can read the details here.

Leave a comment »

It’s Been Over A Year Since Rogers/Yahoo Broke Email For Some Rogers Customers

Posted in Commentary with tags on March 26, 2024 by itnerd

I apologize in advance if this comes across as a bit of a rant. But honestly, I am not only in disbelief that this is still an ongoing issue a year later, but I share the frustrations of my clients who are caught up in this. More on them in a bit. But the main point of this post that it was pointed out to me by a reader that it’s been over a year since the following chain of events started:

  • I first reported on issues with Rogers email, and the inability to generate app specific passwords to allow users of Rogers email to use email clients like Outlook and Thunderbird on March 7th of 2023.  
  • While this issue dragged on, there was a workaround involving using webmail. But that workaround is sub optimal to say the least. And as this issue dragged on into April of 2023, I was left with no other option than to recommend to my many clients who are affected by this to dump Rogers as their email provider.
  • By mid April 2023, Rogers has sort of admitted that there is an issue.
  • Fast forward to August 2023. It then seemed that Rogers or more accurately Yahoo who is the company behind Rogers email was rolling out OAuth to replace the need to generate app specific passwords. But the catch was that not all email clients support OAuth. To date, only the Outlook 365 email client supports this (if you have that client, this will help you to set up your Rogers email account). Which means that Rogers users using many other email clients, or those who weren’t willing to pay Microsoft every month for Office 365 were still stuck.
  • In October 2023, Rogers started to shift the blame for their email issues to Microsoft. But in January of this year, Rogers then started to blame Yahoo.

Needless to say that this is a train wreck next to a dumpster fire. And over a year later I still have a list of nine clients who can’t use the email client of their choice with Rogers email. Nine clients who have the following in common. They are all seniors who don’t feel that they are capable of being comfortable with a switch to another ISP (Bell or Teksavvy for example) or being comfortable with a switch to a Gmail or an Outlook.com. Nor are they comfortable with making the switch to Office365 as an email client because that’s going to cost them money on a monthly basis, which matters to them as they are on a fixed incomes and every dollar matters. Webmail while tolerable to get their email is not a long term solution for them as they developed processes like creating folders to file email locally before this happened. And not having that leaves them all a bit lost and confused. Thus they’re all frustrated that Rogers seemingly can’t or won’t fix this for them.

Honestly, at this point Rogers needs to do better. A company the size of Rogers simply can’t have something like this go on this long and not do its level best to make people whole again. And it doesn’t matter if it is one person, nine in my case, or a thousand. One person who can’t get their email in the manner that they want is one too many. That makes me wonder if Rogers along with Yahoo will ever fix this, or have they simply checked out and don’t care. I really hope it’s not the latter as that would reflect poorly on Rogers and Yahoo.

I’ll continue to watch this for developments and I will still be trying stuff on my end in order to make my clients whole. But frankly, given the inaction of Rogers and Yahoo, I am not holding my breath that either will come to the rescue of these people.

2 Comments »

Trend Micro Outlines The Top Four IRS Tax Scams In 2024

Posted in Commentary with tags on March 26, 2024 by itnerd

In 2023, fraud cost U.S. consumers more than $8 billion. With tax season underway, so are tax phishing scams. Recently, global cybersecurity firm, Trend Micro, published a blog on the Top Four IRS Tax Scams in 2024. These include:  

  1. IRS Tax Refund Scams 
  2. IRS “Offer in Compromise” Scam 
  3. Fake Tax Assistance Program 
  4. Fake 2023 Unpaid Taxes Notification 

With AI enabling more and more sophisticated tax and financial scams, consumers need to be leery of divulging personal information to avoid financial loss and potential identity theft. Once your personal information is in the hands of bad actors, your risk of identity theft is increased. A whopping 47% of Americans have experienced financial identity theft. 

This blog is very worth reading so that you can protect yourself.

Leave a comment »

Inversion6 Welcomes Tom Siu as New Chief Information Security Officer

Posted in Commentary with tags on March 26, 2024 by itnerd

 Inversion6, a cybersecurity company, announces today that longtime Chief Information Security Officer (CISO), Tom Siu, has joined their CISO practice. As a part of the team, he will collaborate directly with the firm’s clients to develop and manage their cybersecurity programs.

Siu will use his expertise to advise clients on operational security processes and assist clients with developing cybersecurity leadership capabilities.

The expansion of the CISO practice enables Inversion6 to continue accelerating their evolution of tailored security solutions for clients, large and small, across numerous verticals.

Siu strives to enable organizational success through relationship building with world-class IT and business leaders, strategic planning and intent-based leadership with IT teams. He is a recognized industry expert in information security with an emphasis focused on building and mentoring other leaders.

Siu’s recent CISO roles include acclaimed universities, Michigan State and Case Western Reserve, as well as a Virtual CISO with a veteran-owned managed security services provider. During these experiences he developed an information security program, directed an information security office staff and supported global customers with their cybersecurity strategy and product development.

Founded more than 30 years ago in Cleveland, Inversion6 has been helping build custom cybersecurity solutions for their clients and helping them stay ahead of the ever-changing threat landscape.

Leave a comment »

So There’s An “Unfixable” Bug In Apple Silicon… What Does That Mean For You?

Posted in Commentary with tags on March 26, 2024 by itnerd

Last week ARS Technica published a report of an “unfixable” bug in Apple M series processors. While I do encourage you to read the report, I’ll give you the TL:DR here:

The flaw—a side channel allowing end-to-end key extractions when Apple chips run implementations of widely used cryptographic protocols—can’t be patched directly because it stems from the microarchitectural design of the silicon itself. Instead, it can only be mitigated by building defenses into third-party cryptographic software that could drastically degrade M-series performance when executing cryptographic operations, particularly on the earlier M1 and M2 generations. The vulnerability can be exploited when the targeted cryptographic operation and the malicious application with normal user system privileges run on the same CPU cluster.

Here’s the translation:  The threat allows someone to extract security keys from these chips, breaking encryption as a result. And it can’t be fixed because doing so will make these insanely fast processors slower. In short, this is really bad. But to be fair, and before those who don’t like Macs and instead support PCs and Windows all the things chime in, Intel and AMD have had their share of similar issues. This one and this one come to mind. While there are mitigations that Apple could take such as trying to shuffle encryption tasks away from the performance cores of M series processors to the efficiency cores of said processors, like I said earlier, this flaw is basically not patchable. It also means that much like when Intel and AMD had issues like these, researchers and threat actors will start poking around M series processors to see if they can find any other flaws.

So, what can you as a Mac user do to protect yourself? Well, other than keeping your software up to date, not much really. Everything that I have read on this doesn’t point to any proof of concept code or any easy to execute attack. So this isn’t a today problem for Mac users at the moment. But that doesn’t mean it won’t become a problem later. Thus you might want to just keep an eye on this to see if new information pops up about this.

Leave a comment »

« Older Entries
Newer Entries »