You need to know about a new phishing attack vector reported by our friends at Barkly. It utilizes a new technique that’s just plain nasty.
This week, users at one of their customers began receiving emails from known contacts they had at another organization. In the screenshot below, you can see that at least one of the emails appeared to be a reply to an existing email thread, where users at the two organizations had been emailing back and forth.
The new message was noticeably short — “Morning, please see attached and confirm” (you probably see where this is going) — but in the context of the email chain it was very convincing. The email appears to come from a person at a company the receiver has been emailing with, and this message appears to be a reply to a legit email chain. Yikes. Here is a picture of how it looks:
The aim was to have the user open the Word attachment, and follow instructions to enable macros.
Technical background of the attack
The user on the other end had been infected with a new variant of Ursnif, one of the most active and widespread banking Trojans in the world.
Investigation showed that the Word doc the user downloaded contained a macro that, when activated, launched a PowerShell script designed to download the Ursnif payload.
Ursnif is a powerful trojan with many capabilities, including stealing victim credentials in a variety of ways via man-in-the-browser attacks, keylogging, and screenshot capture.
It looks like the evil masterminds behind Ursnif are now taking it one step further and using the compromised email accounts of their victims to spread the infection like a worm.
It’s turning infected workstations into spam factories
What makes this social engineering attack so tricky is that the email pictured above wasn’t just coming from an organization the recipient knew and had been emailing with; it came as a reply to an existing email chain. That is a hard one for a user not to fall for. They really need to be on their toes to catch this one.
Ursnif isn’t the only trojan we’ve seen hijacking victim email accounts. In July, we saw the Emotet trojan doing something similar.
Now, compromised accounts have been a thing since email has been around, so getting an infected email from a trusted source is nothing new. But if this is becoming a larger trend, it is even more important to mitigate before your own network starts spewing out malicious attacks and your mail server ends up on blacklists.
What You Can Do About It
Here are some suggestions on how to counter attacks like this, using as many layers of your defense-in-depth as possible:
- Disable MS Office macros network-wide if possible
- Check your firewall rules to make sure this type of attachment is at least flagged as potentially dangerous or quarantined
- Configure your email servers/filters to block attachments containing VBA/Macro code
- Configure the endpoint security software on the workstation to catch malicious attachments
- Install a (complimentary) Phish Alert button in Outlook, so users can simply click on that, delete the email and forward it to your Incident Response team: https://info.knowbe4.com/phish-alert-chn
- Step your users through new-school security awareness training and send them simulated phishing attacks with Word docs that have Macros, to inoculate them against attacks like this when (not if) your filters do not catch them
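As an added example of the "block attachments containing VBA/Macro code" layer above (this is illustrative code written for this post, not KnowBe4's or Barkly's, and not part of any product), here is a content-based check a mail filter or incident responder can run on an attachment. Office Open XML files (.docx, .docm, .xlsm, ...) are zip archives, and a macro-enabled one carries a vbaProject.bin part and a matching content type; the check looks at those rather than at the file extension, so a renamed attachment is still caught. Legacy binary .doc/.xls files (OLE compound files) are only flagged for deeper inspection here, for instance with the olevba tool from oletools, since parsing their macro storage is out of scope. The sample attachments are constructed placeholders, not real documents.

```python
"""Content-based VBA macro check for Office attachments (added example, not from the original post)."""
import io
import zipfile

# Legacy binary Office formats (.doc/.xls/.ppt) are OLE compound files with this 8-byte header.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# OOXML stores the macro project in a part such as word/vbaProject.bin, declared with this content type.
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
# Refuse to inflate archives whose declared uncompressed size is absurd (zip-bomb guard; limit chosen for this example).
MAX_UNCOMPRESSED = 50 * 1024 * 1024


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'clean', 'legacy-ole', 'oversize' or 'not-office'.

    The verdict is based purely on the bytes, never on the file name, so a .docm
    renamed to .docx is still reported as 'macro'.
    """
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"  # may hold macros; route to an OLE-aware scanner (e.g. olevba)
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if sum(info.file_size for info in zf.infolist()) > MAX_UNCOMPRESSED:
            return "oversize"
        names = [n.lower() for n in zf.namelist()]
        # A VBA project part anywhere in the package means macro-enabled content.
        if any(n.endswith("vbaproject.bin") for n in names):
            return "macro"
        try:
            content_types = zf.read("[Content_Types].xml")
        except KeyError:
            return "not-office"  # a zip, but not an Office Open XML package
        if VBA_CONTENT_TYPE in content_types:
            return "macro"
    return "clean"


def filter_attachments(attachments):
    """Map {filename: bytes} to {filename: (verdict, action)} as a mail filter would.

    Macro-bearing and legacy binary documents are quarantined; everything else is delivered.
    """
    quarantine = {"macro", "legacy-ole", "oversize"}
    result = {}
    for name, data in attachments.items():
        verdict = classify_attachment(data)
        action = "quarantine" if verdict in quarantine else "deliver"
        result[name] = (verdict, action)
    return result


# --- constructed sample attachments for a stand-alone run (placeholders, not real documents) ---

def _build_ooxml(parts: dict) -> bytes:
    """Build a minimal zip package from {part name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for part_name, content in parts.items():
            zf.writestr(part_name, content)
    return buf.getvalue()


_CT_HEAD = b'<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
_CT_DOC = b'<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
_CT_VBA = b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'

SAMPLE_DOCX = _build_ooxml({
    "[Content_Types].xml": _CT_HEAD + _CT_DOC + b"</Types>",
    "word/document.xml": b"<w:document/>",
})
# Macro-enabled package deliberately named .docx to show the check ignores extensions.
SAMPLE_RENAMED_DOCM = _build_ooxml({
    "[Content_Types].xml": _CT_HEAD + _CT_DOC + _CT_VBA + b"</Types>",
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"CONSTRUCTED PLACEHOLDER - not a real VBA project",
})
SAMPLE_LEGACY_DOC = OLE_MAGIC + b"\x00" * 504  # header only; stands in for a binary .doc
SAMPLE_TEXT = b"Morning, please see attached and confirm"

SAMPLE_MAILBOX = {
    "invoice.docx": SAMPLE_DOCX,
    "please_confirm.docx": SAMPLE_RENAMED_DOCM,
    "old_report.doc": SAMPLE_LEGACY_DOC,
    "note.txt": SAMPLE_TEXT,
}

if __name__ == "__main__":
    for fname, (verdict, action) in filter_attachments(SAMPLE_MAILBOX).items():
        print(f"{fname:22s} {verdict:12s} {action}")
```

The point of deciding on content rather than on the .docm/.xlsm extension is that the filter layer then agrees with what Office would actually find inside the file; pair it with the macro-disabling policy above so that anything the filter misses still cannot run.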
Spy vs. Spy? Wikileaks Says CIA Impersonated Kaspersky Lab
Wow, the plot thickens. Attribution indeed is a very murky business.
According to Wikileaks, its analysis revealed that by using fake certificates, the CIA made it look like data was being exfiltrated by one of the impersonated entities – in this case Kaspersky Lab.
“We have investigated the claims made in the Vault 8 report published on November 9 and can confirm the certificates in our name are fake,” Kaspersky Lab told SecurityWeek. “Our private keys, services and customers are all safe and unaffected.”
The news that the CIA may have impersonated Kaspersky Lab in its operations has led some to believe that the U.S. may have actually used such tools to falsely pin cyberattacks on Russia. More at SecurityWeek:
Google: Our Hunt for Hackers Reveals Phishing Is Far Deadlier Than Data Breaches
The study finds that victims of phishing are 400 times more likely to have their account hijacked than a random Google user, a figure that falls to 10 times for victims of a data breach. The difference is due to the type of information that so-called phishing kits collect.
Google has released the results of a year-long investigation into Gmail account hijacking, which finds that phishing is far riskier for users than data breaches.
Hardly a week goes by without a new data breach being discovered, exposing victims to account hijacking if they used the same username and password on multiple online accounts.
While data breaches are bad news for internet users, Google’s study finds that phishing is a much more dangerous threat to its users in terms of account hijacking. More at the KnowBe4 blog:
Don’t Miss My Live Webinar: Phishing and Social Engineering in 2018
Here is your invite for this once-a-year Live Webinar: Phishing and Social Engineering in 2018: Is the Worst Yet to Come?
Ransomware has tipped the 1 billion mark and damages are expected to be around 5 billion before the year is out. Use of ransomware has evolved throughout the year with a 600% rise in URL emails delivering malware in just Q3 2017. CEO fraud (aka Business Email Compromise) has cost another 5 billion according to the FBI as of May 2017.
What’s next and how can you protect your organization?
Join CyberheistNews Editor-in-Chief and KnowBe4 CEO Stu Sjouwerman for this 30-minute webinar:
“Phishing and Social Engineering in 2018: Is the Worst Yet to Come?” Stu will discuss some of the latest trends in cybercrime and give you an insider perspective on what to expect for 2018 and how to prepare for it.
Key topics covered in this webinar:
- Understanding the current threat landscape
- What scary new threats will be on the rise for 2018
- Next innovations of ransomware, phishing and social engineering
- What you can do to make your organization a harder target for cybercrime
- How to create your “human firewall”
Date/Time: Thursday, November 16th at 2:00 pm EST for 30 minutes
Let’s stay safe out there.
Founder and CEO
Addendum from Richard: Disaster Recovery (DR) will protect you from all types of Phishing and other intrusions. With the advent of affordable desktop and cloud-based DR solutions, everyone can afford to protect themselves from cyber criminals. Don’t wait until disaster strikes to implement a DR plan. We can assist you by answering your questions and getting you started in the right direction. Phone (425) 367-9025 and take action today.