Archive for Abnormal Security

Threat Analyst Finds Phishing Attacks on State and Local Governments Surge 360% Ahead of Elections

Posted in Commentary with tags on July 10, 2024 by itnerd

Mike Britton, CISO from Abnormal Security, has released the firm’s newest research report which delves into the state of cyber attacks on state and local governments ahead of major elections.

According to the report, “Between May 2023 and May 2024, public sector organizations experienced an astounding 360% growth in phishing attacks. While phishing tends to consistently increase each year and regularly accounts for the majority of advanced threats, this level of growth is extraordinary.”

The report can be found here: https://abnormalsecurity.com/blog/state-and-local-government-email-attack-trends

Abnormal Security Unpacks Latest Phishing Attack: UPS & FedEx Impersonated to Ship Victims Directly to Phishing Sites

Posted in Commentary with tags on June 26, 2024 by itnerd

Abnormal Security has released a new blog post revealing how attackers attempt to steal payment information by posing as UPS and FedEx and sending false shipment notifications about an upcoming delivery. Mike Britton, the CISO of Abnormal Security, walks through both the UPS and FedEx impersonation attacks, why this phishing campaign is noteworthy, and what makes these attacks challenging to detect.

In its investigations, Abnormal Security found that shipping service providers were the third most frequently impersonated category in these attacks. This campaign used a remarkable level of detail in its impersonation, which made the emails and the accompanying phishing sites especially convincing.

The emails sent to victims while impersonating UPS claimed that the package had an unclear transit status and that the recipient must verify their information using the provided link. The fake FedEx notification used a similar tactic, stating that delivery had been attempted but failed and that the recipient must confirm their address through the provided link. In both cases, victims are encouraged to click a link that, without their knowledge, leads to a detailed, multi-step phishing site.

You can read the blog post here.

New Survey from Abnormal Security Highlights Account Takeover Attacks as the Leading Threat for Today’s Organizations

Posted in Commentary with tags on June 4, 2024 by itnerd

Abnormal Security, the leader in AI-native human behavior security, today announced the launch of a new research report—the 2024 State of Cloud Account Takeover Attacks. The report reveals how security stakeholders view the growing threat of account takeovers, how they are currently approaching prevention, and what they are looking for in next-generation defenses against these attacks. 

Based on a survey of over 300 security professionals across a variety of global industries and organization sizes, Abnormal’s research found that 77% of security leaders cited account takeover attacks as one of their top four most concerning cyber threats. Combined, this makes account takeovers the leading worry for security leaders—even ahead of news-headlining attacks like ransomware and spear phishing. 

These worries are justified, given that 83% of survey participants reported that their organization had been impacted by an account takeover attack at least once over the past year. Worse still, nearly half of organizations (45.5%) were impacted by account takeover attacks more than five times over the past year, while nearly one in five had experienced more than 10 significant account takeover attacks.

The cloud applications that security stakeholders are most concerned about being compromised include file storage and sharing services, such as Dropbox and Box, and cloud infrastructure services, including Amazon Web Services, Microsoft Azure, and Google Cloud Platform. Also near the top of the list are business email accounts, such as Microsoft Outlook and Gmail, and document and contract management software like Docusign. Each of these applications has the potential to expose troves of sensitive company data, while a compromised cloud infrastructure application can also enable lateral movement across the corporate network.

Despite their concerns, the majority of security stakeholders appear unprepared to protect against account takeovers. Commonly used strategies to protect against this threat include implementing fraud detection mechanisms such as multi-factor authentication (MFA) and strong password use. Yet, the majority of survey participants are skeptical of both MFA (63%) and single sign on (65%) as effective tools to prevent account takeover attacks. 

Other frequently mentioned solutions included identity and access management (IAM), cloud access security brokers (CASB), and web application firewalls (WAF), each cited by more than 50% of respondents, but none of which is explicitly designed to counter the account takeover threat. Similarly, many survey participants (87%) expect their individual cloud services to supply native protections against account takeovers. But most application providers aren’t security companies, and while they may offer some security features, these tend to be safeguards against misconfiguration or excessive privileges rather than real-time protection against account takeover.

Security stakeholders are eager for alternative solutions, and 99% believe implementing a solution for detecting and automatically remediating compromised accounts in cloud services would greatly improve their defenses. Reiser continued, “It’s clear that there is a need for a new approach to not only detect account takeovers but also remediate them automatically before attackers have a chance to exfiltrate sensitive data or infiltrate connected applications. Cross-platform visibility and automated remediation capabilities, with uniform coverage for all the applications that enterprises use, will be critical as organizations seek to protect their entire attack surface.”

Abnormal Security Expands Beyond Email To Offer Autonomous AI-Powered Solutions

Posted in Commentary with tags on May 7, 2024 by itnerd

Abnormal Security today announced that it is expanding its Account Takeover Protection product line beyond email to provide visibility into cross-platform user behavior and centralize compromised account detection and remediation across identity, collaboration, and cloud infrastructure applications. In addition, the company is launching AI Security Mailbox, which provides a new AI-powered coworker that promotes security awareness through real-time conversations between employees and an AI security analyst, while also automating the triage and remediation of user-reported emails. 

Enhancing Visibility and Control with More Cloud Account Integrations 

Recent research from Abnormal shows that nearly 70% of security leaders view cross-platform account takeover threats as the greatest concern to their organizations—even ahead of headlining threats like ransomware and phishing. Additionally, 83% of these organizations have been impacted by an account takeover in the last year, and nearly one-fifth have been impacted more than 10 times.  

To protect against this threat, Abnormal now integrates with more cloud accounts, enabling the platform to analyze a greater volume of signals to better understand human behavior, while empowering customers with more cross-platform visibility and control. These visibility and control features are available starting today in the following applications: 

  • Email: Microsoft 365, Google Workspace
  • Identity: Azure Active Directory, Okta, Ping 
  • SaaS/Collaboration: Atlassian, Box, DocuSign, Dropbox, Google Drive, Salesforce, ServiceNow, Slack, Workday, Zendesk, Zoom
  • Cloud Infrastructure: Amazon Web Services, Microsoft Azure, Google Cloud Platform

Starting today, any customer can integrate their cloud applications directly via API to the Abnormal AI platform in under five minutes and at no cost. As Abnormal begins ingesting data and signals, SOC teams are provided with a consolidated view of all account activity within each connected platform. If malicious activity is found, administrators can remediate compromised accounts with a one-click “Identity Disconnect” button, which will terminate sessions, reset passwords and block access across platforms—drastically expanding the scope of protection. 

Expanding Account Takeover Protection to Cloud Applications

For customers who would rather automatically detect and remediate compromised accounts through the power of AI, Abnormal is expanding its Account Takeover Protection product line beyond email. Once integrated, the Abnormal AI platform ingests a large set of signals, including sign-in events, typical geolocations and VPN details, to build a behavioral baseline for each user across all integrated applications. Autonomous AI models then analyze risky events based on deviations from this baseline, which are correlated across other platforms accessed by that user. Compromised account detections deemed to be high-risk are automatically remediated—adding superhuman capabilities to the SOC team and providing automated cross-platform security for organizations. 

General availability for unified Account Takeover Protection will be announced later this year and Abnormal will also provide this cross-platform capability across other product lines. In 2025, customers can expect an expansion of Security Posture Management, which enables customers to discover and fix key security configuration risks across cloud email, to multiple cloud platforms. 

Increasing Customers’ AI Capabilities with AI Security Mailbox

In addition to expanding visibility and control, Abnormal is also enabling customers to succeed in today’s AI-focused security landscape.

To enable security teams to use more autonomous AI solutions, Abnormal is also launching AI Security Mailbox—an AI coworker for every security team. Now when an employee reports an attack, the Abnormal platform serves as their personal AI cyber assistant, providing a personalized response that explains whether the email was judged malicious, safe, or spam and how that determination was made. Users can then converse directly with the AI security analyst, which gives them real-time feedback as it teaches them better security practices.

With intrinsic autopilot capabilities, AI Security Mailbox comes pre-trained with enterprise security best practices automatically tailored for each customer environment. To enable further customization, each organization can give the conversational AI agent a name and choose its tone of voice, ranging from formal to humorous to empathic to pirate mode. This capability is available for free to all customers in AI Security Mailbox, formerly known as Abuse Mailbox Automation. 


New Research Discovers 6 Tactics Cybercriminals Utilize in the Black Market to Obtain Zoom User Data

Posted in Commentary with tags on April 16, 2024 by itnerd

The COVID-19 pandemic led to a massive rise in the use of video conferencing platforms like Zoom. However, this surge in popularity also drew the attention of cybercriminals, who aimed to exploit the platform’s expanding user base for their malicious activities.

Abnormal Security has released its latest blog, looking at the methods used to obtain stolen Zoom accounts, the platforms where they are traded, and the motivations behind this illicit market. While cybercriminals use a variety of methods to obtain stolen Zoom accounts, phishing remains the predominant tactic. 

You can read the blog post here.

70% Increase in Attacks Against Automotive Industry via Email Compromise

Posted in Commentary with tags on April 10, 2024 by itnerd

Abnormal Security today revealed a concerning trend: the automotive industry has experienced a shocking 70% surge in business email compromise (BEC) attacks. 

Even more alarming, 63% of organizations in the automotive sector face at least one vendor email compromise (VEC) attack every week. 

The research blog is now live at https://abnormalsecurity.com/blog/automotive-industry-bec-vec-attacks

Energy and Infrastructure Industry Sees Steady Growth in Business and Vendor Email Cyberattacks

Posted in Commentary with tags on February 27, 2024 by itnerd

Abnormal Security has published new research about the growth of BEC/VEC attacks in the energy and infrastructure industry. 

The energy and infrastructure industry is a top target for VEC attacks, with 65% of Abnormal customers experiencing a VEC attempt between February 2023 and January 2024.

BEC attacks increased by 18% in the following six months, reaching a weekly average of 0.63 attacks per 1,000 mailboxes.

Despite flatlining over the Christmas holiday, the number of weekly attacks experienced by energy and infrastructure organizations jumped in the new year, peaking at 1.41 per 1,000 mailboxes in the second week of January.

You can read the research here.

New Research Identifies the 5 Most Popular Phishing Themes in 2023, Convincing Users to Click

Posted in Commentary with tags on February 20, 2024 by itnerd

Credential phishing is the number one email attack by volume, responsible for over 70% of all advanced attacks targeting Abnormal customers. It uses deceptive social engineering tactics to trick recipients into surrendering their credentials for various accounts, including email, banking, and social media.

Abnormal Security has revealed its latest research analyzing the five phishing attacks that had the highest click rates in 2023, categorized by the words used in the subject line. These most-engaging phishing attacks ranged from invoice payment notices designed to trick recipients into believing that they owe or are receiving money, all the way to account notices stating that an account has been suspended and needs urgent attention.

You can read this research here: https://abnormalsecurity.com/blog/most-popular-phishing-themes

C-Suite Receives 42x More QR Code Attacks Than Average Employee: Abnormal Security

Posted in Commentary with tags on February 6, 2024 by itnerd

Abnormal Security, the leading AI-native cloud email security platform, today released its H1 2024 Email Threat Report, revealing how QR code attacks, or “quishing” attacks, have emerged as a popular tactic among cybercriminals, with no signs of slowing down.

Although phishing emails have grown in sophistication over time, the end goal has stayed the same: trick targets into divulging sensitive information. QR code attacks are the latest evolution of traditional phishing, where threat actors use social engineering to manipulate targets into interacting with malicious QR codes. In doing so, they may unknowingly provide details that enable the attacker to compromise accounts and launch further attacks.

Targeted QR Code Attacks On the Rise

Examining data collected during the second half of 2023, Abnormal identified attackers’ preferred quishing targets. While every employee is at risk, C-Suite executives were 42 times more likely to receive QR code attacks than the average employee. 

Cybercriminals also seem to have a favorite industry to target, with the construction and engineering industry experiencing quishing attacks at a rate 19 times higher than any other vertical. Further, small organizations with 500 or fewer mailboxes also experience these attacks at a rate 19 times higher than any other size company. 

In the research report, Abnormal also identified key themes that cybercriminals are using to execute QR code phishing attacks. The most popular are related to multi-factor authentication and access to shared documents—approaches that accounted for 27% and 21% of all QR code attacks respectively. In each of these instances, threat actors attempt to compel recipients to scan a QR code within a fraudulent email, which is linked to a seemingly legitimate website that then prompts the victim to enter login credentials or other sensitive details. The perpetrator can then use the credentials provided to compromise the target’s account and steal data, launch additional attacks, or move laterally to connected applications.

BEC and VEC Attacks Continue to Grow

The report also revealed that business email compromise (BEC) and vendor email compromise (VEC) attacks have grown substantially, with BEC doubling in frequency and VEC jumping 50% year-over-year. Additional findings from the Abnormal team include:

  • BEC attacks increased by 108% from 2022 to 2023. The rate of these attacks peaked in October with a monthly average of 14.57 attacks per 1,000 mailboxes.
  • Larger organizations have the highest probability of BEC attacks. Organizations with more than 50,000 employees have a nearly 100% chance of experiencing at least one BEC attack every week. However, organizations of all sizes are at risk—even organizations with fewer than 1,000 employees have a 70% probability of receiving at least one BEC attack per week.
  • The construction and retail industries are most targeted by VEC. Seventy-six percent of organizations in the construction and engineering industry received at least one VEC attack in the second half of 2023, while 66% of retailers and consumer goods manufacturers were targeted during that same period.
  • The percentage of organizations targeted by VEC each month in 2023 never dropped below 32%, indicating that threat actors are continuing to see success impersonating third parties in advanced attacks.

You can download the full H1 2024 Email Threat Report, “Phishing Frenzy: C-Suite Receives 42x More QR Code Attacks Than Average Employee”, here.

You can learn more about how Abnormal Security stops QR code attacks here.

137% Increase in Vendor Email Compromise Attacks Against Financial Services Industry Says Abnormal Security

Posted in Commentary with tags on January 17, 2024 by itnerd

Abnormal Security has released a new report revealing a significant spike in email compromise attacks against the financial services sector and how to defend financial services organizations against sophisticated email-based attacks. 

Abnormal Security’s findings reveal that Vendor Email Compromise (VEC) attacks against financial services increased by 137% in 2023. The new research also demonstrates that the financial services industry experienced a 71% increase in Business Email Compromise (BEC) attacks. 

According to Abnormal data, the financial services industry receives approximately 200 advanced attacks per 1,000 mailboxes weekly—making it one of the most attacked industries tracked. Attack volume peaked in January (258 per week), September (282), and mid-December (272).

You can read the report here.