Archive for Avanan

Hackers Amplify Phishing Attacks By Creating Multiple Profiles From Compromised Accounts And Use Auto-Delete To Cover Their Tracks: Avanan

Posted in Commentary with tags on September 22, 2022 by itnerd

Researchers at Avanan, a Check Point Company, have discovered threat actors using stolen credentials to create more user profiles to send credential harvesting emails. By doing so, hackers are able to multiply the effect of credential harvesting scams.

In this attack brief, researchers at Avanan, a Check Point Software company, will discuss how threat actors are compromising accounts, creating more user profiles to send out more attacks, then auto-deleting email trails. 

The campaign presents users with an email from Microsoft’s Office 365 notifying them that a form has been shared. Clicking on the link to the form directs users to a malicious site where credentials are stolen. The hacker, now with access to the account, creates more user profiles within the larger admin and sends out phishing emails to over 4,000 addresses. The emails are then set to be auto-deleted from the compromised accounts to cover their tracks. 

You can read the attack brief here.

Hackers Leverage Facebook’s Ads Manager to Send Credential Harvesting Links in Phishing Campaign: Avanan

Posted in Commentary with tags on September 13, 2022 by itnerd

Researchers at Avanan, a Check Point Company, have discovered threat actors using Facebook’s Ads Manager to create a lead generation form where users can enter their email addresses and other information to obtain personal assets. As a result of this discovery, Avanan has published its newest attack brief analyzing hackers using the legitimacy of Facebook to steal credentials and critical personal information, using static expressway techniques to target end users.

This campaign sends emails that appear to come from Facebook’s (Meta’s) ad manager team, claiming that an ad doesn’t comply with their policies. The ad account is therefore disabled, and users are prompted to file an appeal through the provided link to a lead generation form to rectify the issue.

You can read the brief here.

New Business Email Attack Spoofs CFOs To Lure Finance Employees Into Transferring Money: Avanan

Posted in Commentary with tags on August 25, 2022 by itnerd

Researchers at Avanan, a Check Point Company, have discovered threat actors are spoofing CFOs in order to get finance employees to send money back to hackers. And they have a report analyzing a Business Email Compromise (BEC) attack where hackers spoof domains to impersonate the CFO of a major sports corporation.

This campaign presents employees with an email from the CFO of a major corporation requesting that the employee make a payment to West Bend Mutual, a legitimate insurance company, via ACH transfer or wire transfer.

Seeing as I have come across businesses losing tens or hundreds of thousands of dollars in scams like these, this report is worth your time to read. It can be found here.

New Attack Exploits AWS to Build Personalized Phishing Page and Send Fake Auto-Filled Password Reset: Avanan

Posted in Commentary with tags on August 18, 2022 by itnerd

Researchers at Avanan, a Check Point Company, have discovered threat actors using the legitimacy of Amazon Web Services (AWS) to create phishing websites that bypass scanners and trick users into giving up their credentials. The attack brief that Avanan has put out looks at how hackers are creating phishing pages on AWS applications and delivering them via email for credential harvesting, using static expressway techniques to target victims.

Avanan’s cybersecurity research uncovered that this new attack is exploiting a legitimate AWS app domain to build sites and send them as fraudulent password expiration notifications via email to victims prompting them to click on the page to conduct a credential reset.

This campaign is prompting vulnerable users to click on the password reset page, which shows the targeted victim’s company domain filled in at the URL bar, company logo, and pre-populated email address, so all the user needs to do is enter their password.

The attack brief can be found here: https://www.avanan.com/blog/hackers-build-phishing-pages-using-aws-apps

Best Buy Spoofed as Hackers Use Google Storage To Launch Email Phishing Campaign: Avanan

Posted in Commentary with tags on August 11, 2022 by itnerd

Avanan, A Check Point Company, released this week’s Attack Brief: Best Buy Spoof Uses Google Storage to Launch Phishing Attack in which hackers are spoofing Best Buy, yet another popularly impersonated brand. 

The most interesting piece about this attack is that the threat actors use Google Storage to host the websites, which lets the hackers deploy the phishing campaign and gain access to victims’ email inboxes.

You can find the report here: https://www.avanan.com/blog/best-buy-spoof-uses-google-storage-to-launch-phishing-attack. Given that I have come across other Best Buy scams in the past, this attack brief is worth reading so that you don’t become a victim.

New Attack Uses APT Group Techniques, Mirrors Legit Landing Pages For Convincing Credential Harvesting

Posted in Commentary with tags on July 28, 2022 by itnerd

Avanan has published its newest research, discovering threat actors using ever-changing obfuscation methods, previously seen in attacks led by the APT group SPAM-EGY to mirror images of an organization’s landing page and fool users into handing over their credentials. 

This attack presents users with a typical looking password expiration reminder email. By clicking on the provided URL, victims are directed to a fake page that mirrors the actual company website displaying identical images of the organization’s login page that users are accustomed to seeing. 

Jeremy Fuchs, Cybersecurity Research Analyst at Avanan, had this to say:

The information the attackers are after is primarily credentials – usernames and passwords. They are after them because they are incredibly valuable. Passwords are keys to the kingdom. They can open up financial documents, personnel files, employee records; they can lead to bank accounts and medical records. By stealing credentials, the attackers have a whole bevy of information at their fingertips.

We’ve seen this off and on for about two years and it’s quite simple. One of the groups that does this, SPAM-EGY, claims “10,000% access to the inbox.” In that regard, they’re doing quite well.

Like with most phishing attacks, there are some telltale signs. It’s important to remind employees to take two seconds and do two quick things–look at the sender address and the URL of the page. The sender address is often amiss; that’s clue one that something is off. The URL will also likely be off; that’s clue two. Infusing that into everything employees do is critical.

Phishers take what works and amplify it. If something works, they’ll keep at it. Given that many of these attacks are available as downloadable “kits”, the barrier to entry is far lower. That means we’ll see a continued proliferation of these types of attacks, only spread by various groups, both APT and non-APT alike.

You can read the full report here.

New PayPal Phishing Attack: Hackers Trick Victims, Send Emails via The Invoice Expressway

Posted in Commentary with tags on July 21, 2022 by itnerd

Last month, researchers at Avanan released their findings on the QuickBooks phishing scam, where hackers send spoofed invoices from a legitimate QuickBooks account to get into user inboxes and steal credentials and money. 

Researchers at Avanan have now observed hackers using this same technique, only now using the legitimacy of PayPal to bypass email scanners and successfully deliver fake invoices. 

Like the previous attack, hackers present an invoice, encouraging victims to call with any questions. Users are asked to provide credit card details to cancel the transaction when calling the number provided.

Jeremy Fuchs, Cybersecurity Research Analyst at Avanan had this to say:

“This is yet another example of hackers taking advantage of static Allow Lists. PayPal is a trusted site, so security solutions are likely to trust content coming from the site. This is an effective way for hackers to land in the users’ inbox. Plus, since the email comes from PayPal, it looks more convincing. When looking at the message, end-users should be encouraged to not call unfamiliar phone numbers and to do a Google search of any phone numbers to see if it is legitimate.”

You can read the report here.

Spike In Amazon Gift Card Scams Anticipated As Prime Day 2022 Approaches: Avanan

Posted in Commentary with tags on July 11, 2022 by itnerd

Cybersecurity researchers at Avanan have observed an uptick in spoofed Amazon attacks in which hackers exploit the brand, offer fraudulent gift cards, and manipulate users into giving up their credentials. This is detailed in a new research report which reveals how hackers are taking advantage of the large brand name to send credential harvesting emails promising an Amazon gift card if the user takes a survey. Victims are instead tricked into clicking on a malicious link in the phishing email.

With Amazon Prime Day 2022 kicking off next week – July 12 and 13 – Avanan anticipates these types of phishing attacks to spread like wildfire and continue to dramatically increase as one of the biggest shopping holidays approaches. Not only is it two days of lightning deals, which have already begun with early access, but it’s also a lucrative time for cybercriminals to prey on vulnerable shoppers.

You can view the report here.

UPDATE: I have received commentary from three sources on this. The first is from Dr. Darren Williams, CEO and Founder of BlackFog:

     “Phishing emails are also used to trigger payload downloads of ransomware which is not at an all-time high for 2022. BlackFog recorded increases in attacks on Education, Government and Manufacturing of 33%, 25% and 24% respectively during June which correlates with these increased phishing rates (https://www.blackfog.com/the-state-of-ransomware-in-2022/).”

Aimei Wei, CTO and Co-founder of Stellar Cyber is next with a comment:

     “Corporations usually employ some email security products to detect bad URLs and brand impersonation and can therefore block the emails. Amazon consumer users usually use personal emails that lack advanced email security protection, so users must be even more cautious about handling personal emails with simple methods such as checking the sender or hovering over the links before clicking on them.” 

Finally, I have Artur Kane, VP of Product of GoodAccess:

     “While companies have many ways of layering their security to prevent phishing as well as to detect it and mitigate impacts, email security, DNS filtering, antiviruses, multi-factor authentication or zero trust access, DLP etc., consumers are much more susceptible to attacks. Consumers rely heavily on the inbuilt protection in their operating system and email services providers. Attackers are fully aware of this, and they can find ways to evade filters, i.e. sending emails from a reputable IP address. The pillar of lowering the number of attacks remains education. Attackers often disguise themselves as trustworthy suppliers, in this case Amazon. They try to build a sense of urgency to make the victim act without much caution and often build on one or more of the following emotions: joy, charity, caution, trust, duty and fear. Typical types of fraudulent emails are invoices, bills, taxes, orders or job applications. Ideally, the public education system should prepare all students for 21st century problems like phishing, but until that’s the case, users should follow these simple rules:

  • Stay alert, check all emails requiring you to take any action, especially from known brands, for spelling mistakes, misrepresented domains, shortened links and validity of the request, especially when emails are unsolicited.
  • Don’t click on any links and do not open any emails that you didn’t expect or asked for. 
  • If you are unsure about the sender, verify them first, hover over every link to check the actual destination and report any potentially fraudulent messages.”

New Phishing Attack Exploits Real QuickBooks Email Domain Using Dark Web Double Spear Techniques: Avanan

Posted in Commentary with tags on June 23, 2022 by itnerd

Avanan has released its newest attack brief, which reveals that its cybersecurity researchers have observed a new phishing campaign in which hackers create email accounts on legitimate QuickBooks domains and send malicious invoices by requesting payments directly through the service.

In this attack, the hacker spoofed brands including Norton and Office 365 in the body of the message. Between the built-in legitimacy of an actual QuickBooks email and what hackers on the dark web call a double spear, this new attack represents a particularly deceptive and compelling phishing campaign: it manipulates victims into calling a number and paying an invoice, harvesting not only credentials but also their telephone numbers for future attacks, whether via text message or WhatsApp.

Avanan’s new research analyzes how hackers leverage legitimate and popular websites to get into inboxes and steal credentials and money. You can read the report here.

New Attack Spoofs PayPal to Obtain Banking Info: Avanan 

Posted in Commentary with tags on June 16, 2022 by itnerd

Avanan researchers have seen an uptick in attacks spoofing PayPal in an attempt to steal banking information utilizing an order confirmation letter to induce end-users to call a customer support number. Previously, Avanan discovered a similar attack that spoofs an Amazon order notification to obtain payment information.

Avanan’s cybersecurity research uncovered a new email campaign leveraging PayPal like the Amazon email. In this attack, threat actors send what looks like a PayPal confirmation notice, notifying the user that they bought hundreds of dollars of cryptocurrency. The only recourse to cancel the order is to reach customer service by phone.

The number listed in the email is a Hawaii-based number linked to scams asking for a credit card number and CVV to cancel the charge. This attack also works because there are no links in the email body. When there is a link, the email security solution can check whether it’s malicious. Without links, it becomes more complicated.

With the combination of social engineering in the form of what looks like a fraudulent payment, and no malicious links or otherwise malicious text, this is a tricky attack that has proven hard to stop.
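The two clues Jeremy Fuchs lists earlier on this page (look at the sender address, look at the URL) and the no-links callback pattern just described can be turned into a simple triage check that runs over raw messages. The script below is an added example, not code from Avanan, Check Point or this blog; the brand-to-domain table, the payment keywords and the three sample messages (addresses, hosts and phone numbers included) are assumptions constructed for the demo.

```python
# Added example (not from Avanan or itnerd): triage a raw RFC 822 message for
# the three clues discussed on this page. Brand table and samples are assumed.
import re
from email import message_from_string
from email.utils import parseaddr
from html import unescape
from urllib.parse import urlparse

# Brand words seen in display names, mapped to the domains the brand really
# sends from (assumed list for the example; extend it for your environment).
BRAND_DOMAINS = {
    "paypal": ("paypal.com",),
    "amazon": ("amazon.com",),
    "microsoft": ("microsoft.com", "office.com"),
    "office 365": ("microsoft.com", "office.com"),
    "quickbooks": ("intuit.com",),
    "best buy": ("bestbuy.com",),
    "facebook": ("facebook.com", "facebookmail.com"),
}
PAYMENT_WORDS = ("invoice", "order", "payment", "charge", "cancel", "refund")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
ANCHOR_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
HOST_RE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}")


def _is_legit(domain, legit):
    """True if domain is one of, or a subdomain of, the expected domains."""
    return any(domain == d or domain.endswith("." + d) for d in legit)


def _body_text(msg):
    """Concatenate the decoded text/* parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(
        p.get_payload(decode=True).decode("utf-8", "replace")
        for p in parts if p.get_content_type().startswith("text/")
    )


def sender_clue(msg):
    """Clue one: the From display name invokes a brand whose real domains
    do not match the domain the mail was actually sent from."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for brand, legit in BRAND_DOMAINS.items():
        if brand in name.lower() and not _is_legit(domain, legit):
            return f"display name {name!r} but sender domain {domain!r}"
    return None


def link_clue(body):
    """Clue two: the visible link text names one host while the href goes to
    another (what a user would notice by hovering over the link)."""
    for href, text in ANCHOR_RE.findall(body):
        shown = HOST_RE.search(unescape(re.sub(r"<[^>]+>", "", text)).lower())
        target = (urlparse(href).hostname or "").lower()
        if shown and not _is_legit(target, (shown.group(0),)):
            return f"link text shows {shown.group(0)!r} but points to {target!r}"
    return None


def callback_clue(body):
    """The PayPal/Amazon pattern above: nothing for a URL scanner to check,
    a phone number to call, and payment language that creates urgency."""
    text = re.sub(r"<[^>]+>", " ", body).lower()
    has_links = bool(URL_RE.search(body) or ANCHOR_RE.search(body))
    phone = PHONE_RE.search(text)
    words = [w for w in PAYMENT_WORDS if w in text]
    if not has_links and phone and len(words) >= 2:
        return f"no links, phone {phone.group(0)}, payment terms {words}"
    return None


def triage(raw):
    """Run all three checks on a raw message; score is one point per clue found."""
    msg = message_from_string(raw)
    body = _body_text(msg)
    clues = {"sender": sender_clue(msg), "link": link_clue(body), "callback": callback_clue(body)}
    clues["score"] = sum(1 for k in ("sender", "link", "callback") if clues[k])
    return clues


# Constructed samples: the wording imitates the campaigns described on this
# page; every address, host and phone number is invented.
CALLBACK_SAMPLE = """\
From: PayPal Service <billing@paypal-notice.example>
Subject: Order confirmation
Content-Type: text/plain

Your order of $499.00 in Bitcoin has been confirmed.
If you did not authorize this charge, call 1-808-555-0101 to cancel.
"""

LINK_SAMPLE = """\
From: Microsoft Office 365 <share@forms-notify.example>
Subject: A form has been shared with you
Content-Type: text/html

<p>Open the form at <a href="http://login.forms-notify.example/f/1">forms.office.com</a>.</p>
"""

BENIGN_SAMPLE = """\
From: Alice <alice@example.com>
Subject: Lunch
Content-Type: text/plain

Are we still on for noon? Call me at 415-555-0199 if not.
"""

if __name__ == "__main__":
    for label, raw in (("callback", CALLBACK_SAMPLE), ("link", LINK_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(raw))
```

The callback check deliberately requires all three signals (no links, a phone number, two or more payment words) so that an ordinary message with a phone number in it, like the benign sample, is not flagged; the sender check compares against the brand's real domains rather than looking for the brand word in the domain, because lookalike domains such as the constructed paypal-notice.example contain the brand name on purpose.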

You can review the report by Avanan here so that you can protect yourself from this novel attack.