Archive for Avanan

Hackers Spoof French Energy Company in Phishing Campaign

Posted in Commentary with tags on March 30, 2023 by itnerd

Avanan, a Check Point Software company, has a deep dive on its blog analyzing an attack that spoofed TotalEnergies, a reputable energy company in France, to steal funds.

In this attack, the hackers change the Reply-To address so that the email appears to come from a reputable company, when in fact it is a spoofed account. The email asks for a quotation for the purchase of a centrifuge, and an attached document contains all the requested information. The hackers’ ultimate goal is to steal the victims’ money at the end of the attack.

You can read the deep dive here.

Hackers Impersonate Microsoft in Latest Phishing Campaign

Posted in Commentary with tags on March 23, 2023 by itnerd

Researchers at Avanan, a Check Point Software Company, have released their newest research discussing how hackers are crafting realistic messages that invite users to report unusual activity to Microsoft. Instead of sending the report to a legitimate address, the hacker has created a “Mail-to” link that automatically opens a new email with the hacker as the recipient.

In this email, hackers are sending what looks like an “Unusual sign in activity” alert, a common notification that Microsoft sends out when an account has an unusual sign-in. The email encourages the end-user to “report” this activity. Clicking on “Report the User” will open up a new email with the sender address, subject and body already populated. The hacker will reply to the sent message, asking the end-user for log-in information.
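Both of the techniques described above, the swapped Reply-To address in the TotalEnergies campaign and the pre-populated “Mail-to” link in the Microsoft one, leave traces in the raw message. The following is an added example (not code from Avanan or from this blog) that flags both: a Reply-To domain that differs from the From domain, and mailto: links whose recipient lives outside the sender’s domain. The message it inspects is a constructed sample using reserved example domains, not a real phishing email.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample message for the demo (not a real campaign artifact).
SAMPLE_EML = """From: Procurement <procurement@sender.example>
Reply-To: quotes@attacker.example
To: sales@victim.example
Subject: Unusual sign-in activity
Content-Type: text/html; charset=utf-8

<html><body>
<p>Unusual sign-in activity was detected on your account.</p>
<a href="mailto:report@attacker.example?subject=Report%20user&body=Please%20review">Report the user</a>
<a href="https://support.sender.example/help">Help center</a>
</body></html>
"""

def _domain(header_value):
    """Lower-cased domain of the first address in a header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

class _MailtoLinks(HTMLParser):
    """Collects the recipient address of every mailto: anchor in an HTML body."""
    def __init__(self):
        super().__init__()
        self.recipients = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href", "") if tag == "a" else ""
        if href and href.lower().startswith("mailto:"):
            # Drop '?subject=...&body=...' so only the address remains.
            self.recipients.append(href[len("mailto:"):].split("?", 1)[0].lower())

def analyze(raw_message):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Scan every text/html part (covers both single-part and multipart bodies).
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _MailtoLinks()
        collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        for rcpt in collector.recipients:
            if rcpt.rpartition("@")[2] != from_dom:
                findings.append(f"mailto: link sends to external recipient {rcpt}")
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EML):
        print("FLAG:", finding)
```

Run on a real mail stream, the Reply-To check will also fire on legitimate list or ticketing mail, so treat it as one signal to weigh alongside the mailto: check rather than a verdict on its own.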

You can read the research here.

New Cloud Storage Re-Up Email Attack Exploits Users via Social Engineering, URL Redirect to Steal CC Details

Posted in Commentary with tags on March 16, 2023 by itnerd

Jeremy Fuchs, Cybersecurity Researcher/Analyst at Avanan, a Check Point Software Company, uncovers how hackers are using the threat of deleted personal files to extract money and credentials from end users.

In this attack, hackers try to convince users to hand over their credit card information to add more storage to their cloud storage account. They send a notice that the storage limit for cloud files has been reached, but if users act now they’ll get 50GB for free.

However, the link does not go to any cloud file storage site; it uses a SendGrid URL that redirects to a malicious page. The only way to “validate” that it’s your account is to enter your credit card number, but of course that won’t validate anything – it’ll just charge your card.

You can read the report here.

New BEC 3.0 Attack Utilizes Google Workspace to Send Malicious Crypto Links

Posted in Commentary with tags on March 9, 2023 by itnerd

Last week, researchers at Avanan, a Check Point Software company, wrote about BEC 2.0, a variant of BEC attacks that remains a significant problem for security services and companies. This week, Avanan discusses BEC 3.0, a variant of these scams that uses legitimate services to unleash an attack.

Avanan’s latest research discusses how hackers are utilizing the comments feature of Google Workspace documents to redirect users to a fake cryptocurrency site. This attack, still ongoing, has targeted nearly 1,000 companies in the last two weeks.

In this attack, hackers use the comments feature in Google Workspace (for example, Google Sheets or Google Docs) to send out legitimate Google notification emails that contain malicious redirects. The redirect uses a legitimate URL from Google Scripts, a coding platform hosted by Google. Clicking on the provided link redirects users to a fake cryptocurrency page.

You can read the follow-up research here.

BEC 2.0 Attack Uses Conversation Hijacking in Legit Email Threads of Compromised Accounts

Posted in Commentary with tags on March 2, 2023 by itnerd

Avanan, a Check Point Software Company, has published a new report tracking the rise and continuing evolution of Business Email Compromise (BEC) attacks as researchers observe new variants.

According to Jeremy Fuchs, Cybersecurity Researcher/Analyst at Avanan, there’s BEC 1.0, where hackers pose as your boss and ask you to get a gift card; BEC 2.0, leveraging compromised accounts at the organization to unleash attacks within legit emails; and BEC 3.0, a third tier researchers are seeing develop.

Conversation Hijacking: In this attack brief, the hacker takes over an account and inserts themselves into a legitimate conversation, posing as the employee whose account has been compromised (i.e., someone took over my account and started replying as me; the end-user would have no way of knowing).

The research is live here: https://www.avanan.com/blog/business-email-compromise-scam-tries-to-trick-company-into-payment

New Attack Brief Finds Hackers Exploiting “Best Note Taking App” to Host Malicious BEC Phishing Campaign

Posted in Commentary with tags on February 23, 2023 by itnerd

Avanan, a Check Point Software Company, has revealed a new attack brief on how threat actors use the legitimacy of Evernote, an online note-taking and task management application, to make their Business Email Compromise (BEC) attacks even more convincing.

In this phishing attack, hackers compromise a company executive, in this case the organization’s president, and use that account to send victims emails with an attached “secure” message. The malicious message itself is hosted behind an Evernote link.

The recipients find an unread email in their inbox encouraging them to click on the provided link to view the message, which directs them to an Evernote page. Employees who follow it are led to a fake login page that the attackers use to steal credentials.

You can read the attack brief here.

New Variation Of The PayPal Phishing Attack Sends Malicious Invoices To Victims To Steal Personal Credentials

Posted in Commentary with tags on February 16, 2023 by itnerd

In July 2022, researchers at Avanan, a Check Point Software Company, wrote about a new campaign in which hackers were sending phishing emails and malicious invoices directly from PayPal. Avanan has released its latest blog discussing how threat actors continue to take advantage of PayPal in a variety of ways to send malicious invoices directly to users.

In this attack, victims are presented with emails, coming directly from PayPal, regarding fraudulent charges or renewal notifications. These notifications encourage users to take action by calling the provided number to reverse the charges. They are then prompted to provide personal information, which the hackers save and use for future attacks.

You can read the blog here.

Hackers Redirect Victims onto Phishing Pages Via Geo Targetly in Latest Phishing Campaign

Posted in Commentary with tags on February 9, 2023 by itnerd

Geotargeting, the ability to tailor advertising to the recipient’s location, has become a popular way to deliver content to visitors based on their location. Hackers are jumping on the opportunity to geo-target websites to advance their phishing schemes. 

Researchers at Avanan, a Check Point Software Company, have revealed their latest blog analyzing how hackers redirect users via Geo Targetly, a geo-targeting platform, and present them with customized, localized phishing pages.

In this attack, recipients are presented with an email in the language of the country they are from. The email notifies users about a local traffic ordinance and encourages them to click on the provided link. Using the Geo Targetly redirect, a hacker can create a phishing link that sends users in a certain region to a fake login page that looks identical to the original one.

You can read the research here.

New Research: Hackers Leverage ClickFunnels Online Building Tool to Redirect Users to Malicious Links

Posted in Commentary with tags on February 2, 2023 by itnerd

Avanan, a Check Point Software Company, has released its latest research that analyzes how hackers bypass security services by leveraging ClickFunnels, an online service that helps entrepreneurs and small businesses generate leads, build marketing engines and grow their businesses. 

In this attack, recipients are presented with an email saying they have a file ready to be reviewed and encouraging them to click on the provided link to view the document. However, clicking on the “Document Review” link redirects them to a malicious download that leads to a credential-harvesting document.

You can read Avanan’s research here.

Hackers Offering Fake Jobs To Students In A Credential Harvesting Campaign: Avanan

Posted in Commentary with tags on January 26, 2023 by itnerd

Researchers at Avanan, a Check Point Software Company, have published a deep-dive analysis of how hackers dangle fake money-making opportunities in front of students in exchange for harvested credentials.

In the newest phishing campaign, emails from legitimate accounts that hackers took over were sent to students offering a remote, part-time job with an enticing salary. Students were encouraged to click on the provided link, which ultimately redirected them to a credential-harvesting page.

You can read this research here. And I’d be passing this along to anyone within the hackers’ target group so that they can protect themselves.