Archive for Avanan

MSFT Misses 42% Of Targeted Financial Based Phishing Attacks Designed To Bypass Defender: Avanan

Posted in Commentary with tags on October 6, 2022 by itnerd

In a recent report conducted by Avanan, a Check Point Company, researchers found that nearly 19% of phishing emails bypassed Microsoft Exchange Online Protection (EOP) and Defender and made it to a user’s inbox. This goes to show that even with a very strong security system, hackers’ tactics have become more complex and their ability to find their way into the inbox is stronger than ever.

The 2022 Microsoft Defender Report highlights the significance of having an extra layer of security on top of default cloud email services. This represents not a decline in Microsoft’s effectiveness, but rather an increase in targeted attacks designed specifically to bypass Microsoft. Hackers, in other words, have stepped up their game.

Key Findings:

  • Microsoft Defender’s missed phishing rates have increased by 74%.
  • Dumpster Diving Phenomenon: Defender sends 7% of phishing messages to the Junk folder.
  • Misses 42% of targeted financial-based phishing attacks specifically crafted to bypass Defender. 
  • The missed phishing rate is higher in larger organizations, reaching 50-70% in two instances. 

You can read the report here.

Hackers Continue To Leverage Facebook’s Ads Manager To Send Credential Harvesting Links: Avanan

Posted in Commentary with tags on September 29, 2022 by itnerd

A few weeks ago, researchers at Avanan observed how threat actors are using the Facebook Ad Manager to send credential harvesting links. Since then, Avanan has continued to see this campaign being used to get into the inbox and steal credentials. 

Similar to the previous attack, users of Facebook Ads get an email that they have violated the Terms of Service. In order to avoid losing permanent access to the account, users are encouraged to create an appeal by clicking on the link provided. Users are warned that if they do not complete the form within 24 hours, their account may be disabled. 

You can find the blog here. If you were interested in the original research that Avanan put out, you’ll be interested in this one as well.

Hackers Amplify Phishing Attacks By Creating Multiple Profiles From Compromised Accounts And Use Auto-Delete To Cover Their Tracks: Avanan

Posted in Commentary with tags on September 22, 2022 by itnerd

Researchers at Avanan, a Check Point Company, have discovered threat actors using stolen credentials to create more user profiles to send credential harvesting emails. By doing so, hackers are able to multiply the effect of credential harvesting scams.

In this attack brief, researchers at Avanan, a Check Point Software company, will discuss how threat actors are compromising accounts, creating more user profiles to send out more attacks, then auto-deleting email trails. 

The campaign presents users with an email from Microsoft’s Office 365 notifying them that a form has been shared. Clicking on the link to the form directs users to a malicious site where credentials are stolen. The hacker, now with access to the account, creates more user profiles within the larger admin account and sends out phishing emails to over 4,000 addresses. The emails are then set to be auto-deleted from the compromised accounts to cover the attackers’ tracks.

You can read the attack brief here.

Hackers Leverage Facebook’s Ads Manager to Send Credential Harvesting Links in Phishing Campaign: Avanan

Posted in Commentary with tags on September 13, 2022 by itnerd

Researchers at Avanan, a Check Point Company, have discovered threat actors using Facebook’s Ads Manager to create a lead generation form where users can enter their email addresses and other information to obtain personal assets. As a result of this discovery, Avanan has published its newest attack brief analyzing hackers using the legitimacy of Facebook to steal credentials and critical personal information, using static expressway techniques to target end users.

This campaign sends emails that appear to come from Facebook’s (Meta’s) ad manager team, claiming that an ad doesn’t comply with their policies and that the ad account has therefore been disabled. Users are prompted to create an appeal using the provided link to a lead generation form in order to rectify the issue.

You can read the brief here.

New Business Email Attack Spoofs CFOs To Lure Finance Employees Into Transferring Money: Avanan

Posted in Commentary with tags on August 25, 2022 by itnerd

Researchers at Avanan, a Check Point Company, have discovered threat actors spoofing CFOs in order to get finance employees to send money to the hackers. They have published a report analyzing a Business Email Compromise (BEC) attack where hackers spoof domains to impersonate the CFO of a major sports corporation.

This campaign presents employees with an email from the CFO of a major corporation requesting that the employee make a payment to West Bend Mutual, a legitimate insurance company, via ACH transfer or wire transfer.

Seeing as I have come across businesses losing tens or hundreds of thousands of dollars in scams like these, this report is worth your time to read. It can be found here.

New Attack Exploits AWS to Build Personalized Phishing Page and Send Fake Auto-Filled Password Reset: Avanan

Posted in Commentary with tags on August 18, 2022 by itnerd

Researchers at Avanan, a Check Point Company, have discovered threat actors using the legitimacy of Amazon Web Services (AWS) to create phishing websites that bypass scanners and steal users’ credentials. The attack brief that Avanan has put out looks at how hackers are creating phishing pages utilizing AWS applications, delivered via email for credential harvesting, using static expressway techniques to target victims.

Avanan’s cybersecurity research uncovered that this new attack exploits a legitimate AWS app domain to build sites, which are then sent to victims via email as fraudulent password expiration notifications prompting them to click through and reset their credentials.

This campaign prompts vulnerable users to click through to the password reset page, which shows the targeted victim’s company domain in the URL bar, the company logo, and a pre-populated email address, so all the user needs to do is enter their password.

The attack brief can be found here: https://www.avanan.com/blog/hackers-build-phishing-pages-using-aws-apps

Best Buy Spoofed as Hackers Use Google Storage To Launch Email Phishing Campaign: Avanan

Posted in Commentary with tags on August 11, 2022 by itnerd

Avanan, a Check Point Company, released this week’s Attack Brief, “Best Buy Spoof Uses Google Storage to Launch Phishing Attack,” in which hackers are spoofing Best Buy, yet another popularly impersonated brand.

The most interesting piece about this attack is that the threat actors use Google Storage to host websites, which enables the hackers to deploy the phishing campaign and gain access to the victims’ email inboxes.

You can find the report here: https://www.avanan.com/blog/best-buy-spoof-uses-google-storage-to-launch-phishing-attack. Given that I have come across other Best Buy scams in the past, this attack brief is worth reading so that you don’t become a victim.

New Attack Uses APT Group Techniques, Mirrors Legit Landing Pages For Convincing Credential Harvesting

Posted in Commentary with tags on July 28, 2022 by itnerd

Avanan has published its newest research, discovering threat actors using ever-changing obfuscation methods, previously seen in attacks led by the APT group SPAM-EGY, to mirror images of an organization’s landing page and fool users into handing over their credentials.

This attack presents users with a typical-looking password expiration reminder email. By clicking on the provided URL, victims are directed to a fake page that mirrors the actual company website, displaying identical images of the organization’s login page that users are accustomed to seeing.

Jeremy Fuchs, Cybersecurity Research Analyst at Avanan, had this to say:

The information the attackers are after is primarily credentials–usernames and passwords. They are after them because they are incredibly valuable. Passwords are keys to the kingdom. They can open up financial documents, personnel files, employee records; they can lead to bank accounts and medical records. By stealing credentials, the attackers have a whole bevy of information at their fingertips.

We’ve seen this off and on for about two years and it’s quite simple. One of the groups that does this, SPAM-EGY, claims “10,000% access to the inbox.” In that regard, they’re doing quite well.

Like with most phishing attacks, there are some telltale signs. It’s important to remind employees to take two seconds and do two quick things–look at the sender address and the URL of the page. The sender address is often amiss; that’s clue one that something is off. The URL will also likely be off; that’s clue two. Infusing that into everything employees do is critical.

Phishers take what works and amplify it. If something works, they’ll keep at it. Given that many of these attacks are available as downloadable “kits”, the barrier to entry is far lower. That means we’ll see a continued proliferation of these types of attacks, only spread by various groups, both APT and non-APT alike.

You can read the full report here.

New PayPal Phishing Attack: Hackers Trick Victims, Send Emails via The Invoice Expressway

Posted in Commentary with tags on July 21, 2022 by itnerd

Last month, researchers at Avanan released their findings on the QuickBooks phishing scam, where hackers send spoofed invoices from a legitimate QuickBooks account to get into user inboxes and steal credentials and money. 

Researchers at Avanan have now observed hackers using this same technique, only now using the legitimacy of PayPal to bypass email scanners and successfully deliver fake invoices. 

Like the previous attack, hackers present an invoice, encouraging victims to call with any questions. Users are asked to provide credit card details to cancel the transaction when calling the number provided.

Jeremy Fuchs, Cybersecurity Research Analyst at Avanan, had this to say:

“This is yet another example of hackers taking advantage of static Allow Lists. PayPal is a trusted site, so security solutions are likely to trust content coming from the site. This is an effective way for hackers to land in the users’ inbox. Plus, since the email comes from PayPal, it looks more convincing. When looking at the message, end-users should be encouraged to not call unfamiliar phone numbers and to do a Google search of any phone numbers to see if it is legitimate.”

You can read the report here.
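The two telltale signs Fuchs recommends in the SPAM-EGY post (check the sender address, check the URL) and the static allow-list problem he describes here are worth seeing side by side, because the second defeats the first: an invoice sent through a real PayPal account passes both checks. The script below is an added illustration, not code from Avanan or from this blog. It runs two constructed sample messages through three defender-side checks: does the sender domain belong to the brand named in the display name or subject, do the links point at that brand’s domain, and does the body ask the reader to call a phone number. The brand-to-domain mapping, the sample messages, and the phone-number heuristic are all assumptions made for the example.

```python
"""Header, link and callback-lure checks over constructed phishing samples.

Added example (not from the original post). Brand domains, samples and the
phone heuristic are assumptions for illustration only.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed mapping of impersonated brands to the sending/link domains we accept.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "facebook": {"facebook.com", "facebookmail.com", "meta.com"},
    "microsoft": {"microsoft.com"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Loose phone-number pattern: a digit, 8+ digits/separators, a digit.
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{8,}\d")
CALLBACK_RE = re.compile(r"\b(call|cancel)\b", re.IGNORECASE)

# Constructed sample 1: spoofed ad-policy notice, sender and link off-brand.
SPOOFED_AD_NOTICE = (
    "From: Facebook Ads Team <ads-appeal@fb-policy-review.example>\n"
    "Subject: Your ad account has been disabled\n"
    "\n"
    "Your ad violates our Terms of Service. Appeal within 24 hours at\n"
    "https://forms.fb-appeal.example/appeal or lose access permanently.\n"
)

# Constructed sample 2: invoice really sent through the legitimate service,
# so sender and link checks pass and only the callback lure stands out.
INVOICE_FROM_REAL_SERVICE = (
    "From: PayPal <service@paypal.com>\n"
    "Subject: Invoice from Example Billing\n"
    "\n"
    "You have received an invoice for $499.99.\n"
    "View and pay: https://www.paypal.com/invoice/p/EXAMPLE\n"
    "If you did not authorize this charge, call 1-800-555-0199 to cancel.\n"
)


def registered_domain(host: str) -> str:
    """Naive eTLD+1: last two labels of the host (enough for these samples)."""
    return ".".join(host.lower().split(".")[-2:])


def claimed_brand(text: str):
    """Return the first known brand mentioned in the display name / subject."""
    lowered = text.lower()
    for brand in BRAND_DOMAINS:
        if brand in lowered:
            return brand
    return None


def analyze(raw_message: str) -> list:
    """Run the three checks and return a list of human-readable findings."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    body = msg.get_payload()  # plain-text, single-part samples
    findings = []

    brand = claimed_brand(display_name + " " + msg.get("Subject", ""))
    # Check 1: sender address vs. the brand the message claims to be from.
    if brand and sender_domain not in BRAND_DOMAINS[brand]:
        findings.append(f"sender domain {sender_domain} does not belong to {brand}")
    # Check 2: every link should land on the claimed brand's domain.
    for url in URL_RE.findall(body):
        host = urlparse(url.rstrip(".,)")).hostname or ""
        if brand and registered_domain(host) not in BRAND_DOMAINS[brand]:
            findings.append(f"link to {host} does not belong to {brand}")
    # Check 3: the allow-list bypass case, where the only tell is the lure itself.
    if PHONE_RE.search(body) and CALLBACK_RE.search(body):
        findings.append("asks the reader to call a phone number")
    return findings


if __name__ == "__main__":
    for label, sample in (("spoofed ad notice", SPOOFED_AD_NOTICE),
                          ("invoice via real service", INVOICE_FROM_REAL_SERVICE)):
        print(label, "->", analyze(sample) or ["no findings"])
```

Sample 1 trips the sender and link checks; sample 2 trips neither, which is exactly why a sender-domain allow list is not a sufficient control, and the only remaining signal is the “call this number to cancel” lure in the body.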

Spike In Amazon Gift Card Scams Anticipated As Prime Day 2022 Approaches: Avanan

Posted in Commentary with tags on July 11, 2022 by itnerd

Cybersecurity researchers at Avanan have observed an uptick in spoofed Amazon attacks, with hackers exploiting the brand, offering fraudulent gift cards, and manipulating users into giving up their credentials. This is detailed in a new research report which reveals how hackers are taking advantage of the large brand name to send credential harvesting emails promising an Amazon gift card if the user takes a survey. Victims are tricked into clicking on a malicious link provided in the phishing email.

With Amazon Prime Day 2022 kicking off next week – July 12 and 13 – Avanan anticipates these types of phishing attacks to spread like wildfire and continue to increase dramatically as one of the biggest shopping holidays approaches. Not only is it two days of lightning deals, which have already begun with early access, but it’s also a lucrative time for cybercriminals to prey on vulnerable shoppers.

You can view the report here.

UPDATE: I have received commentary from three sources on this. The first is from Dr. Darren Williams, CEO and Founder of BlackFog:

     “Phishing emails are also used to trigger payload downloads of ransomware which is not at an all-time high for 2022. BlackFog recorded increases in attacks on Education, Government and Manufacturing of 33%, 25% and 24% respectively during June which correlates with these increased phishing rates (https://www.blackfog.com/the-state-of-ransomware-in-2022/).”

Aimei Wei, CTO and Co-founder of Stellar Cyber is next with a comment:

     “Corporations usually employ some email security products to detect bad URLs and brand impersonation and can therefore block the emails. Amazon consumer users usually use personal emails that lack advanced email security protection, so users must be even more cautious about handling personal emails with simple methods such as checking the sender or hovering over the links before clicking on them.” 

Finally, I have Artur Kane, VP of Product of GoodAccess:

     “While companies have many ways of layering their security to prevent phishing as well as to detect it and mitigate impacts, email security, DNS filtering, antiviruses, multi-factor authentication or zero trust access, DLP etc., consumers are much more susceptible to attacks. Consumers rely heavily on the inbuilt protection in their operating system and email service providers. Attackers are fully aware of this, and they can find ways to evade filters, i.e. sending emails from a reputable IP address. The pillar of lowering the number of attacks remains education. Attackers often disguise themselves as trustworthy suppliers, in this case Amazon. They try to build a sense of urgency to make the victim act without much caution and often build on one or more of the following emotions: joy, charity, caution, trust, duty and fear. Typical types of fraudulent emails are invoices, bills, taxes, orders or job applications. Ideally, the public education system should prepare all students for 21st century problems like phishing, but until that’s the case, users should follow these simple rules:

  • Stay alert: check all emails requiring you to take any action, especially from known brands, for spelling mistakes, misrepresented domains, shortened links and the validity of the request, especially when emails are unsolicited.
  • Don’t click on any links and do not open any emails that you didn’t expect or asked for. 
  • If you are unsure about the sender, verify them first, hover over every link to check the actual destination and report any potentially fraudulent messages.”