Archive for Avanan

New Cloud Storage Re-Up Email Attack Exploits Users via Social Engineering, URL Redirect to Steal CC Details

Posted in Commentary with tags on March 16, 2023 by itnerd

Jeremy Fuchs, Cybersecurity Researcher/Analyst at Avanan, A Check Point Software Company, uncovers how hackers use the threat of deleting personal files to extract money and credentials from end users.

In this attack, hackers try to convince users to hand over their credit card information to add more storage to their cloud storage account. They send a notice that the account's storage limit has been reached, but if users act now, they'll get 50GB for free.

However, the link does not go to any cloud file storage site: it is a SendGrid URL that redirects to a malicious page. The only way to "validate" that it's your account is to enter your credit card number, but of course, that won't validate anything; it'll just charge your card.

You can read the report here.

New BEC 3.0 Attack Utilizes Google Workspace to Send Malicious Crypto Links

Posted in Commentary with tags on March 9, 2023 by itnerd

Last week, researchers at Avanan, a Check Point Software company, wrote about BEC 2.0, a variant of BEC attacks that remains a significant problem for security services and companies. This week, Avanan discusses BEC 3.0, a variant of these scams that uses legitimate services to unleash an attack.

Avanan’s latest research discusses how hackers are utilizing Google’s services within comments on Google Workspace documents to redirect users to a fake cryptocurrency site. This attack, still ongoing, has been targeted at nearly 1,000 companies in the last two weeks. 

In this attack, hackers use the comments feature in Google Workspace (e.g. Google Sheets or Google Docs) to send out legitimate Google notification emails that contain a malicious redirect through a legitimate Google Scripts URL (a coding platform hosted by Google). Clicking on the provided link redirects users to a fake cryptocurrency page.

You can read the follow up research here.

BEC 2.0 Attack Uses Conversation Hijacking in Legit Email Threads of Compromised Accounts

Posted in Commentary with tags on March 2, 2023 by itnerd

Avanan, A Check Point Software Company, has published a new report on tracking the rise and continuous evolution of Business Email Compromise (BEC) attacks as researchers observe different variants.

According to Jeremy Fuchs, Cybersecurity Researcher/Analyst at Avanan, there’s BEC 1.0, where hackers pose as your boss and ask you to get a gift card; BEC 2.0, leveraging compromised accounts at the organization to unleash attacks within legit emails; and BEC 3.0, a third tier researchers are seeing develop.

Conversation Hijacking: In this attack brief, the hacker takes over an account and inserts themselves into a legitimate conversation, posing as the employee whose account has been compromised (i.e., someone took over my account and started replying as me; the end user would have no way of knowing).

The research is live here: https://www.avanan.com/blog/business-email-compromise-scam-tries-to-trick-company-into-payment

New Attack Brief Finds Hackers Exploiting “Best Note Taking App” to Host Malicious BEC Phishing Campaign

Posted in Commentary with tags on February 23, 2023 by itnerd

Avanan, a Check Point Software Company, has revealed a new attack brief on how threat actors use the legitimacy of Evernote, an online note-taking and task management application, to make their Business Email Compromise (BEC) attacks even more convincing.

In this phishing attack, hackers compromise the account of a company executive (in this case, the organization's president) and use it to send emails with an attached "secure" message; the malicious message itself is hosted behind an Evernote link.

The recipients find an unread email in their inbox encouraging them to click on the provided link to view the message, which directs them to an Evernote page. Employees who follow it are led to a fake login page that the attackers use to steal credentials.

You can read the attack brief here.

New Variation Of The PayPal Phishing Attack Sends Malicious Invoices To Victims To Steal Personal Credentials

Posted in Commentary with tags on February 16, 2023 by itnerd

In July 2022, researchers at Avanan, a Check Point Software Company, wrote about a new campaign in which hackers were sending phishing emails and malicious invoices directly from PayPal. Avanan has now released its latest blog discussing how threat actors continue to take advantage of PayPal in a variety of ways to send malicious invoices directly to users.

In this attack, victims are presented with emails, coming directly from PayPal, regarding fraudulent charges or renewal notifications. These notifications encourage users to take action by calling the provided number to reverse the charges. They are then prompted to provide personal information, which the hackers save and use in future attacks.

You can read the blog here.

Hackers Redirect Victims onto Phishing Pages Via Geo Targetly in Latest Phishing Campaign

Posted in Commentary with tags on February 9, 2023 by itnerd

Geotargeting, the ability to tailor advertising to the recipient’s location, has become a popular way to deliver content to visitors based on their location. Hackers are jumping on the opportunity to geo-target websites to advance their phishing schemes. 

Researchers at Avanan, a Check Point Software Company, have revealed their latest blog analyzing how hackers redirect users via Geo Targetly, a geo-targeting platform, and serve them customized, localized phishing pages.

In this attack, recipients are presented with an email in the language corresponding to the country they are from. The email notifies users about a local traffic ordinance and encourages them to click on the provided link. Using the Geo Targetly redirect, a hacker can create a phishing link that redirects users in a certain region to a fake login page that looks identical to the original one.

You can read the research here.

New Research: Hackers Leverage ClickFunnels Online Building Tool to Redirect Users to Malicious Links

Posted in Commentary with tags on February 2, 2023 by itnerd

Avanan, a Check Point Software Company, has released its latest research that analyzes how hackers bypass security services by leveraging ClickFunnels, an online service that helps entrepreneurs and small businesses generate leads, build marketing engines and grow their businesses. 

In this attack, recipients are presented with an email stating that a file is ready for review, which encourages them to click on the provided link to view the document. However, clicking on the "Document Review" link redirects them to a malicious download: a credential-harvesting document.

You can read Avanan’s research here.

Hackers Offering Fake Jobs To Students In A Credential Harvesting Campaign: Avanan

Posted in Commentary with tags on January 26, 2023 by itnerd

Researchers at Avanan, a Check Point Software Company, have published a deep-dive analysis of how hackers dangle fake money-making opportunities in front of students to harvest their credentials.

In the newest phishing campaign, emails sent from legitimate accounts that hackers had taken over offered students a remote, part-time job with an enticing salary. Students were encouraged to click on the provided link, which ultimately redirected them to a credential-harvesting page.

You can read this research here. And I'd be passing this along to anyone within the hackers' target group so that they can protect themselves.

New Email Phishing Attack: Hackers Hide Malware in Blank SVG Image via DocuSign HTML Attachment

Posted in Commentary with tags on January 19, 2023 by itnerd

Researchers at Avanan, A Check Point Company, have revealed their latest research analyzing how hackers hide malicious content inside "blank images," creating automatic redirects that bypass anti-malware checks.

  • This technique adds a layer of sophistication to malicious HTML attachments with the <meta> tag, obfuscating the URL to evade link analysis and redirect to a compromised domain. 
  • This email campaign starts with what appears to be a document from DocuSign, requesting the user to review and sign the document. 
  • The document provides an HTM attachment containing an empty SVG image; clicking on the image within the document automatically redirects visitors to a malicious URL.

Jeremy Fuchs, Cybersecurity Researcher/Analyst at Avanan had this comment:

"Hackers can target practically anyone with this technique. Like most attacks, the idea is to use it to get something from the end-user. Any user with access to credentials or money is a viable target. HTM attachments aren't new, nor is using Base64 trickery. What is new and unique is using an empty image with active content inside–a JavaScript image–which redirects to a malicious URL. It's essentially using a dangerous image, with active content inside that traditional services like VirusTotal don't detect."

You can read the full report here. The report also includes defence strategies that you will find useful.
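A detection check for the technique described above, written as an added example (it is not Avanan's code and does not come from the report): it decodes the base64 SVG data URIs in an HTM attachment and flags active content (script, meta refresh, event handlers, javascript: URLs) inside the supposedly blank image, which is exactly what a scanner that only looks at the outer HTML misses. All sample attachments are constructed, and `phish.example.invalid` is a placeholder host.

```python
import base64
import re

# Active-content markers that have no business inside a "blank" image or a
# document preview: inline script, meta-refresh, event handlers, javascript: URLs.
ACTIVE_RE = re.compile(
    r'<script\b|<meta\b[^>]*http-equiv\s*=\s*["\']?refresh|\son\w+\s*=|javascript:',
    re.I)
# The carrier the post describes: an SVG embedded as a base64 data URI.
SVG_DATA_URI_RE = re.compile(r'data:image/svg\+xml;base64,([A-Za-z0-9+/=]+)', re.I)
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.I)

# Constructed samples (not real campaign artifacts): an SVG "image" carrying a
# script redirect, an outer meta refresh, and a benign, genuinely empty 1x1 SVG.
_SCRIPT_SVG = ('<svg xmlns="http://www.w3.org/2000/svg"><script>'
               'window.location="https://phish.example.invalid/docusign"</script></svg>')
SAMPLE_HTM = ('<html><body><p>Your document is ready to sign.</p>'
              '<img src="data:image/svg+xml;base64,%s"></body></html>'
              % base64.b64encode(_SCRIPT_SVG.encode()).decode())
META_HTM = ('<html><head><meta http-equiv="refresh" '
            'content="0;url=https://phish.example.invalid/sign"></head><body></body></html>')
BENIGN_HTM = ('<html><body><img src="data:image/svg+xml;base64,%s"></body></html>'
              % base64.b64encode(b'<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1"/>').decode())

def decode_svg(b64_text):
    """Decode a base64 payload; return '' if it is not valid base64."""
    try:
        return base64.b64decode(b64_text, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""

def redirect_urls(text):
    """URLs in a fragment, ignoring the SVG namespace declaration."""
    return [u for u in URL_RE.findall(text) if not u.startswith("http://www.w3.org/")]

def scan_htm_attachment(htm_text):
    """Return findings as (location, indicators, urls); an empty list means clean."""
    findings = []
    outer = [m.group(0) for m in ACTIVE_RE.finditer(htm_text)]
    if outer:
        findings.append(("html", outer, redirect_urls(htm_text)))
    # Decode every embedded SVG and inspect it; a link scanner that only sees
    # the outer HTML never sees the script hidden inside the "blank" image.
    for n, m in enumerate(SVG_DATA_URI_RE.finditer(htm_text), 1):
        svg = decode_svg(m.group(1))
        hits = [h.group(0) for h in ACTIVE_RE.finditer(svg)]
        if hits:
            findings.append(("svg-image-%d" % n, hits, redirect_urls(svg)))
    return findings
```

Run `scan_htm_attachment` over each HTM attachment pulled from mail; any non-empty result is worth quarantining for analyst review, and the returned URL is the redirect target to block.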

Hackers Continue to Abuse Microsoft Customer Voice in Phishing Campaign – But With a Twist

Posted in Commentary with tags on January 12, 2023 by itnerd

A few months ago, researchers at Avanan, a Check Point Software Company, wrote about how hackers are utilizing Microsoft’s Dynamics 365 Customer Voice platform to send phishing links.

Avanan has released its latest blog on how hackers are changing up their tactics with a new variation of this attack that continues to leverage Microsoft Customer Voice.

This email campaign starts with what appears to be a new document (a fax notification) sent from SharePoint, alerting the user that the document contains "particularly sensitive or confidential information" and will expire in 14 days. Following the prompts directs end users to a OneDrive look-alike page where login credentials are entered and stolen.

You can read about the evolution of this attack here.