
SugarGh0st RAT Campaign Targets U.S. AI Experts

By: Alan J
17 May 2024 at 11:36

SugarGh0st Campaign Targets AI Experts

Researchers have identified a recent cyber espionage campaign by a China-linked threat actor dubbed "UNK_SweetSpecter," which aims to harvest generative artificial intelligence (AI) secrets from experts in the United States. The threat actor targets AI experts using a remote access trojan (RAT) malware called SugarGh0st.  SugarGh0st infiltrates the systems of a highly selective list of AI experts from different verticals such as tech companies, government agencies and academic institutions. The SugarGh0st RAT was originally reported in November 2023 but was observed in only a limited number of campaigns. It is a custom variant of the Gh0st RAT, a tool that was first publicly attributed to a Chinese threat group in 2008. Researchers suspect that the threat actor UNK_SweetSpecter is likely of Chinese origin.

Spear-Phishing SugarGh0st Campaign Targets AI Experts

Proofpoint researchers discovered that the targets of this campaign were all connected to a leading US-based AI organization and were lured with distinct AI-themed emails. The infection chain began with a seemingly innocuous email from a free account, claiming to seek technical assistance with an AI tool. The attached zip file contained a shortcut file (LNK) that deployed a JavaScript dropper upon access. This dropper included a decoy document, an ActiveX tool for sideloading, and an encrypted binary, all encoded in base64. The infection chain ended with SugarGh0st RAT being deployed on the victim's system and communication being established with the attacker's command and control server. Analysis of the attack stages revealed that the group had shifted their C2 communications from an earlier domain to a new one, indicating their detection evasion motives. While the malware itself is relatively unsophisticated in its attack chain, the targeted nature of the AI-focused campaign makes it significant, the researchers noted. The SugarGh0st RAT was previously used in targeted campaigns in Central and East Asia.
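The delivery pattern described above (a ZIP attachment carrying a Windows shortcut that drops a script) is one a mail gateway can flag before a user ever opens it. The following is an added example, not code from the article or from Proofpoint: it inspects an archive's members by extension and by content (the LNK header from MS-SHLLINK, so a renamed shortcut is still caught), recurses into nested archives, and returns a verdict. The archive it inspects is constructed in memory for the demo; it is not the campaign's sample, and the extension list and size limits are assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Windows shortcut header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK), little-endian.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
ZIP_MAGIC = b"PK\x03\x04"
# Shortcut plus a few script types commonly used as droppers (assumed policy list).
RISKY_EXTS = {".lnk", ".js", ".jse", ".wsf", ".hta"}
MAX_MEMBER_BYTES = 5_000_000   # assumed limit for content inspection
MAX_DEPTH = 3                  # assumed nesting limit


def inspect_zip(data: bytes, depth: int = 0) -> list[str]:
    """Return '<member>: <reason>' findings for an archive; empty means nothing suspicious."""
    if depth > MAX_DEPTH:
        return [f"<archive>: nesting deeper than {MAX_DEPTH} levels"]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["<archive>: not a valid zip"]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = PurePosixPath(name).suffix.lower()
            content = archive.read(info) if info.file_size <= MAX_MEMBER_BYTES else b""
            if content.startswith(LNK_MAGIC):
                # Content check catches shortcuts regardless of the name they were given.
                findings.append(f"{name}: Windows shortcut header (extension {ext or 'none'})")
            elif ext in RISKY_EXTS:
                findings.append(f"{name}: risky extension {ext}")
            if content.startswith(ZIP_MAGIC):
                # Nested archive: inspect its members too, prefixed with the outer name.
                findings.extend(f"{name}/{f}" for f in inspect_zip(content, depth + 1))
    return findings


def verdict(data: bytes) -> str:
    """Gateway decision for one attachment."""
    return "quarantine" if inspect_zip(data) else "deliver"


def build_zip(members: dict[str, bytes]) -> bytes:
    """Helper to construct archives in memory for demonstration and tests."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_attachment() -> bytes:
    """Constructed look-alike of the described attachment: a double-extension
    shortcut beside a decoy, plus a nested zip holding a script. No real payload."""
    inner = build_zip({"helper.js": b"// constructed placeholder, not a dropper"})
    return build_zip({
        "AI_tool_question.pdf.lnk": LNK_MAGIC + b"\x00" * 56,
        "readme.txt": b"plain text decoy",
        "extra.zip": inner,
    })


if __name__ == "__main__":
    sample = build_sample_attachment()
    for finding in inspect_zip(sample):
        print(finding)
    print(verdict(sample))
```

Checking the header bytes rather than trusting the file name matters because a double extension like `.pdf.lnk` is exactly what a casual glance (or a naive extension filter on the last part only) misses; the content check and the extension check are deliberately independent.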

Potential Motivations, Attribution and Context

Although direct attribution to a specific nation-state is challenging, researchers concluded that the presence of Chinese-language artifacts and the precise targeting of AI experts suggest a possible link to China-linked threat actors. The campaign also coincides with the U.S. government's efforts to restrict Chinese access to generative AI technologies. The new regulations established by the Biden administration would likely restrict the export of AI models and their data to countries it deems hostile to U.S. interests, such as Russia, China, North Korea and Iran. The Chinese Embassy labeled the action economic coercion and unilateral bullying. Earlier, in February, Microsoft reported observing Chinese, Russian, North Korean and Iranian threat actors attempting to leverage AI tools from big tech AI companies like OpenAI for their campaigns. The report indicated that Chinese threat actors used AI tools to boost their technical prowess, such as the development of tools and phishing content, while Russian threat actors were observed researching satellite and radar technologies possibly related to the war in Ukraine. With the regulatory efforts aimed at restricting proprietary/closed-source AI models, researchers theorize that this campaign is likely an attempt by a China-affiliated actor to harvest generative AI secrets via cyber theft before the policies are enacted.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Scammers can easily phish your multi-factor authentication codes. Here’s how to avoid it

16 May 2024 at 07:45

More and more websites and services are making multi-factor-authentication (MFA) mandatory, which makes it much harder for cybercriminals to access your accounts. That’s a great thing. But as security evolves, so do cybercriminals who are always looking for new ways to scam us.

A type of phishing we’re calling authentication-in-the-middle is showing up in online media. While these techniques, named after man-in-the-middle (MitM) attacks, have existed for a while, they appear to be gaining traction now.

It works like this: A user gets lured to a phishing site masquerading as a site they normally use, such as a bank, email or social media account. Once the user enters their login into the fake site, that information gets redirected by the cybercriminals to the actual site, without the user knowing.

The user is then prompted for their MFA step. They complete this, usually by entering a code or accepting a push notification, and this information is then relayed to the criminals, allowing them to login to the site.

Once the criminals are into an account, they can start changing settings like the account’s email address, phone number, and password, so the user can no longer log in, or they can simply clean out a bank account. This may help you understand why many platforms ask for your PIN or other authentication again when you try to change one of these important settings.

Victims are lured to phishing sites like these via links from social media or emails where it can be hard to identify the real link.  Phishing sites can even show up in sponsored search results, in the same way as we reported about tech support scams.

How to protect yourself from authentication-in-the-middle attacks

  • Keep your wits about you. Being aware of how scammers work is the first step to avoiding them. Don’t assume sponsored search results are legit, and trust that if something seems suspicious then it probably is.
  • Use security software. Many security programs block known phishing sites, although domains are often short-lived and get rotated quickly. Malwarebytes Browser Guard can help protect you.
  • Use a password manager. Password managers will not auto-fill a password to a fake site, even if it looks like the real deal to you.
  • Consider passkeys. Multi-factor authentication is still super-important to enable, and will protect you from many types of attacks, so please continue to use it. However, authentication-in-the-middle attacks only work with certain types of MFA, and passkeys won’t allow the cybercriminals to login to your account in this way. Many services have already begun using passkeys and they’re no doubt here to stay.
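To make the passkey point concrete, here is an added example (not Malwarebytes code) that simulates both flows described above: a one-time code typed into the fake site and forwarded unchanged is accepted by the real site, because the site has no way to know where the code was typed; a passkey-style assertion is refused, because the browser signs the origin it is actually on and the relying party checks that origin. The origins are placeholders, and an HMAC stands in for the authenticator's public-key signature so the demo runs with the standard library only.

```python
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://bank.example"          # legitimate site (placeholder)
FAKE_ORIGIN = "https://bank-login.example"    # phishing site (placeholder)


def otp_code(secret: bytes, counter: int) -> str:
    """HOTP/TOTP-style 6-digit code (RFC 4226 dynamic truncation) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


class CodeMfaSite:
    """Site that accepts a one-time code. Nothing in the code says where it was typed."""

    def __init__(self, shared_secret: bytes):
        self.shared_secret = shared_secret

    def verify(self, code: str, counter: int) -> bool:
        return hmac.compare_digest(code, otp_code(self.shared_secret, counter))


def relay_code_mfa(site: CodeMfaSite, user_secret: bytes, counter: int) -> bool:
    """Victim enters the code on the fake site; the proxy forwards it unchanged."""
    code_typed_on_fake_site = otp_code(user_secret, counter)
    return site.verify(code_typed_on_fake_site, counter)   # accepted: attacker is logged in


def assertion_over(credential_key: bytes, challenge: str, origin: str) -> str:
    """What the victim's authenticator produces. The browser, not the user, supplies
    the origin, so a victim sitting on the phishing page signs FAKE_ORIGIN.
    (HMAC stand-in for the real public-key signature over clientDataJSON.)"""
    return hmac.new(credential_key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class PasskeySite:
    """Relying party: the assertion must cover the challenge and the origin the
    browser was on, and that origin must equal the site's own."""

    def __init__(self, origin: str, credential_key: bytes):
        self.origin = origin
        self.credential_key = credential_key

    def new_challenge(self) -> str:
        return secrets.token_hex(16)

    def verify(self, challenge: str, client_origin: str, assertion: str) -> bool:
        expected = assertion_over(self.credential_key, challenge, client_origin)
        if not hmac.compare_digest(assertion, expected):
            return False                     # signature does not match the claimed origin
        return client_origin == self.origin  # signed origin must be this site


def relay_passkey(site: PasskeySite, credential_key: bytes) -> bool:
    """Proxy forwards the real challenge to the victim and relays whatever comes back."""
    challenge = site.new_challenge()
    signed = assertion_over(credential_key, challenge, FAKE_ORIGIN)
    forwarded_as_is = site.verify(challenge, FAKE_ORIGIN, signed)   # origin mismatch
    origin_rewritten = site.verify(challenge, REAL_ORIGIN, signed)  # signature no longer matches
    return forwarded_as_is or origin_rewritten


def legitimate_passkey(site: PasskeySite, credential_key: bytes) -> bool:
    """The user on the real site: origin matches and the signature verifies."""
    challenge = site.new_challenge()
    return site.verify(challenge, REAL_ORIGIN, assertion_over(credential_key, challenge, REAL_ORIGIN))


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    key = b"constructed-credential-key"
    print("relayed one-time code accepted:", relay_code_mfa(CodeMfaSite(secret), secret, 42))
    print("relayed passkey accepted:", relay_passkey(PasskeySite(REAL_ORIGIN, key), key))
    print("direct passkey accepted:", legitimate_passkey(PasskeySite(REAL_ORIGIN, key), key))
```

The two failure paths in relay_passkey are the whole story: forward the victim's assertion unchanged and the origin is wrong; rewrite the origin to look right and the signature no longer verifies. That is the property a shared code or a push approval cannot offer, because nothing in them is bound to the page the user was looking at.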


Phish Sticks; Hate the Smell, Love the Taste

15 May 2024 at 12:35

Phishing School

I’ll Make You Great at Phishing or Your Money Back

I am already making you better at phishing.

Right now.

How could that be possible? Please, don’t worry about specifics right now. Just trust that I am making you better at phishing.

Why would I be so selfless to boost your phishing skills free of charge? Again, you don’t need to know. Just know that this is our agreement: you keep reading my words, and I will make you better at phishing. Nay. Great at phishing! It will only hurt a little, but the pain will be well worth it. Sounds like a bargain? Then welcome to my school of phish! Now please open your textbooks to lesson number 1…

Don’t Give Up Before You Start!

If you’ve done penetration testing for any extended length of time, you’ll regularly hear the phrase, “no one likes phishing” in regards to client requests to perform social engineering as part of a penetration test or red team operation.

For many, this request always seems to entail the mind-numbingly banal task of setting up phishing infrastructure, choosing a pretext scenario, testing the scenario, and crossing your frustrated fingers in the hopes that you’ll dupe someone into clicking a malicious link. The overall approach is blunt, half-hearted, and can leave you feeling either guilty for ruining someone else’s day or just downright bored.

Here are some other general gripes I’ve heard from my fellow pen-testers regarding phishing:

  • One Phish — Phishing is a total crapshoot, especially since you can’t consistently replicate your results
  • No Phish — Since impact happens in post-exploitation, the phishing portion of the assessment is nothing but a waste of time
  • Gross Phish — Social engineering can make red teamers feel icky about themselves, so they prefer to avoid it entirely
  • Eventual Phish — If we follow the concept of “assume breach”, phishing seems pointless because something is inevitably bound to work and infiltrate the environment
  • Struggle Phish — My client just wants me to flounder (pun intended)

These are all valid points, and I’ve probably used each of these arguments myself on multiple occasions to either explain to my boss or client why we shouldn’t do phishing. However, I would like to challenge you with a simple question:

Let’s assume your phishing attempt is actually successful. Some poor unsuspecting target clicked your link or file, you delivered a payload that called home and you just got the alert that you have a shell. On a scale from “Ugh. This is so boring! I’ll just take my lunch break and deal with this later…” to “Holy crap! It worked! I’m going to dance around the office and look for someone to high five!”, how do you feel?

[Image: meterpreter dance]

If an outside observer saw your reaction to getting an “organic” shell, they might be fooled into thinking you really like phishing. They may even think you …love… it?

[Image: phishsticks: love’m]

If you are in the right industry, you love shells, and you had better be honest with me that you feel like a beast when you seize access for yourself. So…does everyone hate phishing? Not really! In fact, most of us may like it a thousand times more than we think we do! When we say we “hate phishing,” that’s only because we don’t want to admit something else:

What we actually hate is losing!

[Image: Loooosers]

Penetration testing isn’t a game, but it can still “feel” like it is, and it’s extremely hard to let go of that feeling. We also want to do a good job, and if our phish fries and dies instead of catching the target hook, line, and sinker, it can feel like we’ve done a bad job. And here’s the worst part: I know it hurts to hear, but if you “hate phishing”, it’s most likely because your phishing campaigns suck. That may sting a little, but please just let that sink in for a minute. Let’s use that feeling as motivation to improve.

If you are completely new to penetration testing, a dead in the water phishing attempt may not even be your fault. You were likely thrown into the deep end without any formal training (or worse: had a bad teacher and only learned some bad or outdated techniques). However, in a field of highly curious self-learners, I think that “I’m a complete guppy at this” has limited reach. At some point, we need to face the fact that most phishing campaigns don’t work because we don’t put the same level of effort into them as we do post-exploitation. If you’re still with me at this point, let’s talk about how we as a “grouper” can do better.

“Phishing is Hard”

Yes, winning at phishing is hard, but it’s a lot easier than evading the latest EDR/XDR/AI endpoint defenses; so don’t kid yourself into thinking you can’t do it. As red teamers, we bypass endpoint defense products every day, and many of the same methodologies and techniques we use to bypass those products can be applied to bypass email security as well.

Often, it’s the unknowns that bug us the most when it comes to failed phishing attempts. There are multiple steps that all have to go right to have a successful phishing campaign. To give ourselves the best chance of success, we need to identify potential failure points and address each one. Let’s drag all of these lurking failure points out into the light where we can see and analyze them:

  • Bad Email List (“Sparse Waters”) — You can’t find good contacts to target
  • Sender Reputation Block (“Smelling Phishy”) — Before the mail server even lets you send a message, they might not trust you; this could be because your IP or domain have a bad reputation or no reputation at all
  • Content Block (“Bad Bait”) — You try sending any reference to “Nigeria” and “prince” in the same message; in other words, the computer thinks you’re phishy
  • Link Filter (“Tough Net”) — Some products scrub links with hrefs to untrusted domains and may even block the entire message
  • User Ignores Email (“Nothing’s Biting”) — The email either looks phishy to the user or they aren’t motivated to click your link
  • Link Crawler (“Throw ‘er Back”) — The user clicks your link but a bot checks the link first and blocks the user from visiting your site
  • DNS / Web Proxy Block (“Hitting a Dam”) — The web proxy looks at your reputation, IP, or URL and blocks the user from visiting your site
  • Proxy / Browser Blocks Payload (“Phish Stays in the Barrel”) — The user can view the site, but the proxy doesn’t allow the user to download .exe files or whatever payload type you are using
  • Endpoint Control Blocks Payload (“Recognized Bait”) — Either the MOTW, modified default application settings, app whitelisting, or AV catches your RAT.
  • C2 Callback is Blocked (“Broken Reel”) — The RAT runs, but can’t reach home 🙁

I find it helpful to conceptualize these common failures by grouping them into the following buckets:

Message Inbound → User Outbound → Payload Inbound → C2 Outbound

It’s hard to deliver payloads and collect sensitive data using nothing but email. In most cases, you’ll need to entice the phish out into open waters where you have the advantage. You then have a great deal of flexibility in how you exploit your target, but you need to ensure each link in the chain succeeds; otherwise, it’s just bad bait.

The overall probability of the success of a phishing campaign is the product of each of the probabilities of success of each of these steps:

Good User% × Reputation% × Content% × Click Through Rate% × Link Allowed% × …

The Bad News:

Unfortunately, this means a low probability on a single item could completely wreck your overall probability rate if the target organization is doing even the bare minimum for that control. If you fail to take into account one of these controls, you’re likely to be doomed with bad phishing success rates (and may need to do a little “fine tuna-ing” to get another bite).

The Good News:

Conversely, if you look at the list, and realize you have not even been attempting to circumvent a particular control, then applying any best-guess approach to boosting your probability in that one area will likely drastically improve the overall probabilities of success for all of your phishing campaigns compared to your current approach. If you then actually test and measure the effectiveness of your control bypasses, you can achieve high probabilities in all areas.

Getting to Know the Unknowns: Better Logging, Duh!

Steps 2 through 5 are often, but not always, a black hole from our perspective. We don’t know the email hit an inbox until our phishing links generate some visible traffic. Even then, it could just be a bot checking the link before delivering the message to a target. However, we can get hints about which steps succeeded and which failed if we collect the right data.

  • Remote CSS loads — Can indicate a user previewed the email
  • Tracking Image loads — Usually a clear sign a user has “enabled content” on the email
  • Immediate visit (within seconds of receiving) — Likely a bot checking it out
  • Two back-to-back visits — Likely user and then a bot
  • We actually correspond with a target — Must be getting through
  • SMTP logs — Error messages can be very informative! Are you reading them?
  • Bounce messages — Clearly not getting through, but does your phishing toolkit receive bounces for you to know?
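The signals in the list above are only useful once they are turned into a per-recipient verdict. The following is an added example (not SpecterOps code) of that triage as an authorized phishing-simulation or control-evaluation program would run it: it reads constructed access-log lines, records whether the mail-side stages (remote CSS fetched, tracking image fetched) happened, and labels each landing-page visit as a user click or a scanner hit using the timing heuristics above (an immediate visit after delivery is a scanner; a back-to-back pair is a user followed by a link checker). Keeping scanner hits out of the click count is what stops a gateway’s link crawler from being reported as a person who clicked. Paths, windows and log lines are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CSS_PATH = "/mail.css"        # remote stylesheet referenced by the message (assumed)
PIXEL_PATH = "/open.gif"      # tracking image (assumed)
LANDING_PATH = "/landing"     # link the recipient would click (assumed)
BOT_WINDOW = timedelta(seconds=15)    # "immediate visit" threshold (assumed)
PAIR_WINDOW = timedelta(seconds=5)    # "two back-to-back visits" threshold (assumed)


@dataclass(frozen=True)
class Hit:
    when: datetime
    path: str


def parse_log(lines):
    """Parse constructed access-log lines of the form '<ISO-8601 UTC> GET <path>'."""
    hits = []
    for line in lines:
        stamp, _method, path = line.split()
        when = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        hits.append(Hit(when, path.split("?", 1)[0]))   # drop per-recipient query token
    return sorted(hits, key=lambda h: h.when)


def triage(sent_at, hits):
    """Label landing-page visits as user/scanner and note which mail-side stages occurred."""
    landing = [h for h in hits if h.path == LANDING_PATH]
    labels = []
    i = 0
    while i < len(landing):
        h = landing[i]
        if h.when - sent_at <= BOT_WINDOW:
            labels.append("scanner")             # arrived within seconds of delivery
            i += 1
        elif i + 1 < len(landing) and landing[i + 1].when - h.when <= PAIR_WINDOW:
            labels.extend(["user", "scanner"])   # back-to-back pair: person, then a link checker
            i += 2
        else:
            labels.append("user")
            i += 1
    return {
        "previewed": any(h.path == CSS_PATH for h in hits),
        "content_enabled": any(h.path == PIXEL_PATH for h in hits),
        "user_clicks": labels.count("user"),
        "scanner_hits": labels.count("scanner"),
        "labels": labels,
    }


# Constructed sample: one recipient, message sent at 12:00:00 UTC.
SENT_AT = datetime(2024, 5, 15, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    "2024-05-15T12:00:04Z GET /landing?t=r1",   # immediate: scanner
    "2024-05-15T12:05:10Z GET /mail.css",       # recipient previewed the message
    "2024-05-15T12:05:12Z GET /open.gif",       # recipient enabled content
    "2024-05-15T12:06:00Z GET /landing?t=r1",   # user click...
    "2024-05-15T12:06:02Z GET /landing?t=r1",   # ...followed by a link checker
    "2024-05-15T12:40:00Z GET /landing?t=r1",   # lone later visit: user
]


def sample_verdict():
    return triage(SENT_AT, parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    print(sample_verdict())
```

The windows are deliberately parameters rather than constants buried in the logic: the right values depend on the mail path being measured, and a program that tunes them against known scanner behaviour on its own gateway gets cleaner numbers than one that copies thresholds from elsewhere.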

When looking at the task from this perspective, it should hopefully look less daunting. If I challenged any seasoned red teamer to bypass any individual control/issue on the list, they would likely solve it within hours and possibly in multiple ways. If we then find bypasses that work well for us, we can weaponize and streamline the deployment of our techniques. This is no different than collecting known bypasses for various endpoint protections.

For now, follow me in the next blog where we will dive in to Message Inbound Controls with how to collect a good targets list:

Plenty of Phish in the Sea


Phish Sticks; Hate the Smell, Love the Taste was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.

The post Phish Sticks; Hate the Smell, Love the Taste appeared first on Security Boulevard.

Plenty of Phish in the Sea

15 May 2024 at 12:22

Phishing School

How to Find the Right Phishing Targets

A weapon is useless unless you have something to aim it at. When we weaponize social engineering, our targets are the humans who have the ability to give us access to the systems and data we want to compromise. In this post, we’ll explore ways to find target users for our phishing campaigns. We’ll then talk about what makes a “good” target vs. a “bad” target.

When looking for the “right” targets, our general approach will be to collect as many potential contacts as possible and then pare down the list based on what we can learn about each individual.

Casting a Wider Net

Before diving into contact collection, we want to make sure that we have a clear picture of the available attack surface. I’ve seen many pentesters take only the main domain the client supplied, run it through theHarvester, linkedInt, maltego, etc. and call the output a targets list. In doing so, these pentesters completely overlooked valuable attack surfaces associated with the target organization’s other domains. We can do better. Here are some of my favorite ways to find our target’s other domains:

WHOIS Data — Whoxy and WhoisXML

When you register a domain, you have to fill out some basic contact information like the organization name and “abuse email” for the WHOIS service. While you can technically put anything you want, and most registrars offer a WHOIS anonymizing service, many organizations still fill out the form with identifiable information. This means that we can often cross-reference WHOIS contact information and find associated domains.

Unfortunately, the WHOIS protocol was never intended to allow lookups based on contact information; however, there are paid APIs like Whoxy and WhoisXML that have indexed millions of WHOIS records and made them searchable. Whoxy is a nice quick check because its API credits are insanely cheap; however, its search functionality is case sensitive and they do not have the same coverage as WhoisXML.

Of course, the WHOIS protocol is a very simple, text-based, call-and-response protocol. With a little scripting and distributed computing, we could pretty easily mine and index our own data as well. If you decide to go this route, keep in mind that many WHOIS providers expressly forbid data mining. You’ve been warned!

O365 Mining (All the Phish in a Barrel)

If your target organization uses AzureAD, then you can use the autodiscover service to get a list of all of their tenant’s domains. Dr. Nestori Syynimaa released a great tool and blog post that covers this method:

Just looking: Azure Active Directory reconnaissance as an outsider

Backlinks

When organizations set up a website on a domain, they will often add a link back to their main domain somewhere on the website. In the SEO world, these are referred to as “backlinks”. You can use free SEO tools online to enumerate these links and look for any domains you missed with other methods. You will also often see backlinks from other organizations that do business with your target organization. Take note of these as you find them, as we might be able to abuse an implicit trust between these organizations when crafting our campaigns.

Sanity Check

Once we have a list of associated domains, we should do a quick sanity check to find out which ones have a published MX record. There is no use enumerating email addresses for a domain that doesn’t even have a mail server. This is to make sure we don’t waste time or API credits during email collection:

dig mx -f domains.txt | grep ANSWER -A 1 | grep MX

Hi-Ho (Hi-Ho. Let’s grab a net and go!)

Now that we have a list of associated domains, we can search for contacts at (@) each one. In the next sections, we are going to cover a range of contact collection methods starting with the well-known and simple (little phish) and working up to the more obscure and difficult (bigger phish).

While most of these methods are focused on obtaining email addresses, some of them will also give you phone numbers and mailing addresses. Don’t overlook this extra data! You can call phone numbers to see if they are direct lines and check if the target is still employed at the organization. We can also deliver payloads over the phone or even via snail mail if we have to. Likewise, if your data source includes information like job titles, grab this information too. It could be useful when paring down our list.

The Classics

Read the website: This is a (hopefully) obvious first step, but you might be surprised by the number of times I’ve seen pentesters skip it. On more than one occasion, I’ve found an employee directory on the main website after hearing co-workers complain about “not finding any email addresses” with OSINT tools.

Google dorks: Along the same lines, it’s worth a quick Google search to see if there are any employee listings that are not hosted on the main website. There are plenty of OSINT tools that can even automate some common dorks for you. Try using Google to find some ;)

theHarvester/Skiddy Scripts: While I haven’t used theHarvester in a while now, I was pleasantly surprised to see that it is still being actively maintained as of 1/1/24. The reason I don’t currently use it is because I tend to view tools like this as just a wrapper for their data sources. If you like using a particular email mining OSINT tool, by all means keep using it. Though I would challenge you to at least peek under the hood to see how your favorite scripts work, and familiarize yourself with where the data comes from.

LinkedIn Mining: LinkedIn (LI) is a great source for employee names, positions, departments, and other useful target data we can collect in a variety of ways. If you’ve never built your own LinkedIn miner, I would highly recommend it as an exercise. The skills you learn can be applied to mining other OSINT sources as well:

LI Mining (Beginner): Go to the target organization, click on their employees, and copy-pasta each page. Next, grep/cut/sed foo to get your results. Taking this a step further, you can write a JavaScript one-liner to select the elements you want to mine and print them to the developer console and speed up the process significantly.

LI Mining (Intermediate): Use BurpSuite or Zap Proxy to intercept your traffic while navigating LI. Next, write a script to replicate the API calls used to retrieve user records. Conversely, just use one of the many existing tools that already do the same thing (LinkedInt, AttackSurfaceMapper, etc.).

LI Mining (Advanced): Use a framework like Puppeteer to write a bot that mines each page for you. Keep in mind that when you navigate to a page of employees, there will only be a few on the page until you scroll down. Scrolling to the bottom of the page triggers an AJAX request to grab the rest of the user records for that page. Then have the bot wait a second or two for the results to populate and inject some JavaScript (possibly from your ‘beginner’ script above) to mine the useful data. While this may seem like a lot of work, the overall advantage is that, when done correctly, you can build a bot that mimics a human using the site and potentially extend the useful life of your account. Obvious attempts to mine data can result in having your account locked. If you would like to take this approach, keep in mind that Puppeteer (and other automation frameworks) default settings include things like an obvious user agent string that will definitely get you burned, so do your research.

Note on LI Connections: For any of these methods to be fruitful, you will need first and second connections with your targets. It’s worthwhile to log into your OSINT account and connect with various users at your target organization well in advance of your test. If you have the budget, another option is to pay for “LinkedIn Sales Navigator” to skip all the organic connections and get unfettered access to search your targets.

Lesser Known

Hunter.io and Zoominfo: These websites are all about finding marketing leads at companies. If you think about it, cold emailing is basically the exact same thing as phishing. Online marketing is all about finding the right people in the target organization to interact with your message. Online marketers face many of the same challenges as we do, and therefore, good marketing tools can be extremely useful for setting up phishing campaigns. Both of these sites will give you a few free search results and also have paid search APIs. One of the things I love about Hunter.io is that you get the URL where each contact was found on the Internet. This will often lead you directly to employee directories where you can mine more contacts.

phonebook.cz: This is a tool with a great free tier that is meant to highlight the power of intelx.io’s database. The service used to be completely open, but now requires you to register an account to limit abuse. The search is still completely free.

Dehashed: This tool is a searchable aggregation of a large number of public data breaches. If employees of your target organization used their work email for any of these breached services, you get their work email address at a minimum, and frequently get passwords, full names, usernames, and other potentially useful data. It’s a paid API, but the pricing is quite reasonable. I’ve had a few engagements where social engineering was not even necessary because we found valid passwords by credential stuffing with Dehashed results.

Industry Specific Data

It’s generally a good idea to learn a little bit about your target organization’s industry and if there are any data sources you can mine that might have names and contacts for potential targets. Here’s just a few examples.

Rate My Professor — If you happen to be pentesting a client in higher education, you can often get a good list of current employees from Rate My Professor. The API is simple and easy to mine. Students crowdsource the data and keep it up-to-date.

Nationwide Multistate Licensing System (NMLS) — If your client is a bank, credit union, or other financial institution, you can often find contact information for loan officers through the NMLS. You also have the added benefit of identifying a sub-group within the organization that might respond well to certain pretexts pertaining to loans.

CPAVerify — Most large organizations have full-time accounting staff and many of them are certified! When CPAs renew their license each year, they have to fill out contact information including their current employer. There are free sites to “verify” CPA licenses and many of them support searching company names. If you really want to ruffle some feathers, send a phish to the CPAs saying they might be losing their license just before tax season. I know this works well because an overzealous pentest team did it to my previous employer (a large accounting firm), and got themselves fired for causing too much of a disruption.

Hard Mode

Call them and ask for a directory!: Social engineering, when done well, is often an iterative process. You get some access, mine some useful data, and use it to target another user with more access. If you’re struggling to find contacts, it’s worth a shot to just call anyone in the organization, impersonate a new employee, come up with a sob story about how you’re trying to reach people on your team but can’t find the employee directory, and see if they’ll email a copy to your Gmail account. While it might be an odd request, it likely won’t raise suspicion as much as asking them to tell you their password or go to some sketchy website, and most people will take the time to help out a fellow employee. This isn’t exactly “hard” as much as it is uncomfortable, but is well worth the payoff when it works.

Mine the internet yourself: If API limits are cramping your style, or the APIs you are searching don’t have the data in a format that works well for you, then why not just build your own OSINT database? CommonCrawl is a massive open source repository of web crawl data from a sizable portion of the web. Their website features lots of cool projects that showcase how to use the dataset to mine interesting stuff.

Common Crawl - Example Projects

You can mine emails and associated URLs from the dataset to build your own OSINT database. For example, you can modify the open source tool WARCannon to ‘grep the Internet’ for email addresses, and then use ElasticSearch to index your results:

GitHub - c6fc/warcannon: High speed/Low cost CommonCrawl RegExp in Node.js

If you want to take it a step further, you can use AWS Lambda for Rust to do the same thing on a very low budget. If you space out the processing a bit, you can even do it all on the free tier.

Stealer logs: A “stealer” is a form of malware used to continually harvest user data like email addresses, account names, and passwords from an infected host. Operators who write and distribute this type of malware often take an opportunistic approach and simply try to infect as many systems as possible, amassing data from hundreds of thousands of systems. Some of these “stealer logs” have been leaked and contain a massive amount of user data. If an employee at your target organization happens to have been a victim of one of these trojans, then that data can be very useful on a pentest. Unfortunately, to make these breaches useful, you will have to normalize and index large volumes of loosely structured data yourself.

The Global Address List (GAL): If you happen to compromise access to a user’s o365 account, then you can use the GAL to pull contact information for everyone in the tenant. This can be done directly from the developer tab in the browser:

https://medium.com/media/7cff880f2402de320ee1e7aed48654fe/href

It’s not exactly a backdoor, but it does greatly increase your chances of gaining another foothold if your access is lost. Like asking for an employee directory, this is another technique we can use to perform iterative social engineering to go after more privileged access once we compromise a single user.

Choosing your Targets

Once we have a list of contacts, we should pare down the list into groups of targets that might be susceptible to various pretexts. This step is all about increasing our success rate as defined by the ratio of clicks to emails sent. Ideally, we would find a single, highly-susceptible target, and send a single email with a success rate of 100%. Of course, we have no way to measure susceptibility ahead of time, so we will have to make best guesses instead. We will do this based on some generic traits that we tend to see in common between “good” (high success rate) targets and avoid targets with traits commonly associated with low success rates.

Why not phish everyone?

If we just spent all this time mining contacts to maximize our potential blast radius, then why wouldn’t we just phish everyone? Wouldn’t that give us the highest chance of success?

If we only plan to send a single pretext, then the answer is yes. Exposing every target to the chosen pretext will maximize our chance of success, but there is a major flaw to this approach: If we want to phish everyone, then we are going to need an extremely generic pretext. These generic phishing messages will only work against the lowest common denominator (most susceptible) targets and will be easily recognized as a phish by everyone else. Compared to more targeted pretexts, generic pretexts have a very low click-through rate while overexposing the campaign to incident responders potentially discovering them.

Instead, I have found that we can more consistently craft scenarios with click-through rates over 50% when we take the approach of targeting either individuals or small groups of targets with similar job positions and interests. My goal is always to identify at least a few small groups of employees to target with specific pretexts. With a very convincing pretext, we may be able to obtain a foothold with only 3–5 total target interactions.

What makes a “good” target?

Online Presence — The more we know about a target, the more likely we will be able to come up with a pretext they will believe. Simply having a lot of available information online for a particular user makes them a potentially good candidate for spear phishing.

Bad Hygiene — When I see cases of employees using their company email as a personal contact or posting questions on forums with identifiable usernames, I know I have a good target. People who like to use their company email for “everything” frequently get personal emails on their work device. This opens up a whole new set of potential pretexts that often have a high success rate. You might also find cases of employees who like to “put themselves out there” online, which means these individuals are frequently responding to unsolicited emails from strangers.

Check-the-Box Worker — In my experience, it seems that there are a couple of workflow types that tend to leave certain workers susceptible to phishing more so than the average user. One of those types is what I’ll refer to as a “check-the-box” work style. Individuals whose main objective each day is to accomplish as many tasks as possible from their queue can often rush through tasks so quickly that they miss the telltales of a phish when a little social engineering is thrown into the mix.

Customer-Pleasing — If sales and customer support teams are taught that the “customer is always right” or similar rhetoric, they may be overly trusting of outside requests. While most of their interactions with customers are legitimate and benign, they could be tripped up when a malicious request comes in.

Guppies — New employees who have not yet been thoroughly trained on the company’s security policies and procedures, and have less knowledge of how a typical interaction or request is “supposed” to look, are inherently more susceptible to all forms of social engineering. Go look at your LinkedIn results to see how long each employee has been with your target organization.

What makes a “bad” target?

Now that we know how to identify good targets, we can also identify bad targets as ones that either lack “good” qualities, or exhibit an opposite trait:

Just an email — If we can’t mine any additional context about the human behind the address, we have no clue what types of pretexts might be useful against that target.

Rarely works with others — People who do most of their job solo tend to question any random request that is sent their way, whether it’s legitimate or not. Beware of being pushy with these skeptics.

Senior Executives and IT Staff (A.K.A. Whales) — While successfully phishing one of these users is typically going to get you privileged access right away, your overall chance of success is very low with this group. If you want to go whaling for the bragging rights, go right ahead, but just know that this is not a repeatable approach. When going after initial access, we will have more consistent success targeting other groups.


Plenty of Phish in the Sea was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.

The post Plenty of Phish in the Sea appeared first on Security Boulevard.

Phorpiex botnet sent millions of phishing emails to deliver LockBit Black ransomware – Source: securityaffairs.com


Source: securityaffairs.com – Author: Pierluigi Paganini

Experts reported that since April, the Phorpiex botnet has sent millions of phishing emails to spread LockBit Black ransomware. New Jersey’s Cybersecurity and Communications Integration Cell (NJCCIC) reported that since April, threat actors used the Phorpiex botnet to […]

The post Phorpiex botnet sent millions of phishing emails to deliver LockBit Black ransomware – Source: securityaffairs.com was published first on CISO2CISO.COM & CYBER SECURITY GROUP.

Verizon DBIR 2024 Shows Surge in Vulnerability Exploitation, Confirmed Data Breaches 

2 May 2024 at 09:26

Verizon’s 2024 DBIR shows that vulnerability exploitation increased three times and confirmed data breaches doubled compared to the previous year.

The post Verizon DBIR 2024 Shows Surge in Vulnerability Exploitation, Confirmed Data Breaches  appeared first on SecurityWeek.

U.S. Reveals Charges Against Iranian Nationals in Extensive Cyber Attack Plot

24 April 2024 at 05:50


The U.S. government charged four Iranian nationals for their alleged involvement in multi-year hacking operations targeting several prominent entities, including the U.S. Treasury and State departments, defense contractors, and two New York-based companies. These activities were allegedly conducted on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC).

The indicted individuals, Hossein Harooni, Reza Kazemifar, Komeil Baradaran Salmani, and Alireza Shafie Nasab, are charged with conspiracy to commit computer fraud, conspiracy to commit wire fraud, and wire fraud. They face significant penalties, including up to five years in prison for the computer fraud conspiracy charge and up to 20 years for each count of wire fraud and conspiracy to commit wire fraud, according to the U.S. Department of Justice.

“Criminal activity originating from Iran poses a grave threat to America’s national security and economic stability,” said Attorney General Merrick Garland. “These defendants are alleged to have engaged in a coordinated, multi-year hacking campaign from Iran targeting more than a dozen American companies and the U.S. Treasury and State Departments.”

US Treasury Imposed Sanctions While State Offers $10 million Reward

Alongside the charges, the U.S. Department of the Treasury imposed sweeping sanctions on the accused, while the State Department offered a reward of up to $10 million and potential relocation for information leading to the apprehension of three of the suspects or the associated companies.

[Image: multi-year hacking operations. Source: US Rewards for Justice]

The Treasury Department said that all four individuals have ties to IRGC front companies, namely Mehrsam Andisheh Saz Nik (MASN) and Dadeh Afzar Arman (DAA), which were allegedly used in orchestrating various aspects of the attacks.

“Today’s charges pull back the curtain on an Iran-based company that purported to provide ‘cybersecurity services’ while in actuality scheming to compromise U.S. private and public sector computer systems, including through spearphishing and social engineering attacks,” said Assistant Attorney General Matthew Olsen of the Department of Justice’s National Security Division.

Of the four, Harooni was allegedly responsible for procuring, administering, and managing the online network infrastructure, including computer servers and customized software, used to facilitate the computer intrusions. He faces an additional charge of knowingly damaging a protected computer, which could result in a further 10-year prison term. Harooni, Salmani, and Nasab are also accused of aggravated identity theft, which carries a mandatory consecutive two-year prison sentence, according to the Justice Department.

The Deeper Dive Into the Multi-year Hacking Operations

The group is alleged to have engaged in "a coordinated multi-year campaign to conduct and attempt to conduct computer intrusions" from 2016 through at least April 2021. The hackers employed spearphishing, targeting employees via deceptive emails, infecting over 200,000 accounts in one campaign and 2,000 in another. They used an undisclosed custom application to organize and execute these attacks efficiently, as per the Justice Department.

By compromising an administrator email account at a defense contractor, they created unauthorized accounts to launch spearphishing campaigns against employees of other contractors and consulting firms. They also employed social engineering tactics, including impersonating women, to gain victims' trust and deploy malware, further compromising devices and accounts, the Justice Department said.

Their primary targets were cleared defense contractors, entities authorized to access, receive, and store classified information for the U.S. Department of Defense. In addition to defense contractors, the group also reportedly targeted a New York-based accounting firm and a New York-based hospitality company. Overall, they are accused of targeting over a dozen U.S. companies, in addition to the Treasury and State departments, according to the State Department's reward offer.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has previously warned that the IRGC and its affiliated cyber actors have been targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs), which are widely used at critical infrastructure sites. Beyond hacking, Iran has also resorted to influence operations to achieve its geopolitical aims, combining them with offensive cyber operations in a multi-pronged approach.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Law enforcement reels in phishing-as-a-service whopper

18 April 2024 at 13:58

A major international law enforcement effort involving agencies from 19 countries has disrupted the notorious LabHost phishing-as-a-service platform.

Europol reports that the organization’s infrastructure has been compromised, its website shut down, and 37 suspects arrested, including four people in the UK linked to running the site, one of whom is allegedly the original developer of the service.

Europol’s announcement also hints that this isn’t the end of the story, and users of the platform should ready themselves for some uncomfortable encounters with law enforcement in the future. As Europol said in its release:

A vast amount of data gathered throughout the investigation is now in the possession of law enforcement. This data will be used to support ongoing international operational activities focused on targeting the malicious users of this phishing platform.

The UK’s Metropolitan Police (“The Met”), which spearheaded the operation, says it has already contacted the criminals who used the site:

Shortly after the platform was disrupted, 800 users received a message telling them we know who they are and what they’ve been doing. We’ve shown them we know how much they’ve paid to LabHost, how many different sites they’ve accessed and how many lines of data they’ve received. Many of these individuals will remain the focus of investigation over the coming weeks and months.

In a phishing attack, criminals use emails to trick users into entering details like passwords or credit card numbers into fake websites. The emails and websites typically mimic popular brands like UPS, Amazon, or Microsoft, and copy the format of emails sent by those companies, luring victims with things like fake security alerts.

Phishing-as-a-Service (PaaS) provides the tools and infrastructure criminals need to carry out phishing attacks on a subscription basis, so they don’t have to create and run it themselves. This lowers the barrier to entry for these kinds of crimes and puts sophisticated tools in the hands of people who wouldn’t otherwise have access to them.

LabHost was set up in 2021 and grew to become one of the largest PaaS vendors. Europol says that “with a monthly fee averaging $249, LabHost would offer a range of illicit services which were customizable and could be deployed with a few clicks.” Those services reportedly included a menu of over 170 fake websites for users to choose from, and a campaign management tool called “LabRat” that could capture two-factor authentication (2FA) codes.

The phishing platform is reported to have had 2,000 registered users and was used to create “more than 40,000 fraudulent sites.” The Met says that around 70,000 individual UK victims have been phished using the service, and that globally, it swallowed up 480,000 card numbers, 64,000 PIN numbers, and more than one million passwords.

Victims in the UK have been contacted by the Met to inform them that some of their data has been compromised. Ironically, thousands of victims being contacted in this way creates an opportunity for copycat phishing emails with Met branding. For that reason, the Met has been careful not to include any links in its communications and warns potential victims that:

…if you receive any contact from the Met with links in, this will be fraudulent so please do not engage with this.

If you’ve been contacted by the Metropolitan Police about the LabHost breach you can find some useful guidance and support on its LabHost Disruption page.

X.com Automatically Changing Link Text but Not URLs

16 April 2024 at 07:00

Brian Krebs reported that X (formerly known as Twitter) started automatically changing twitter.com links to x.com links. The problem is: (1) it changed any domain name that ended with “twitter.com,” and (2) it only changed the link’s appearance (anchor text), not the underlying URL. So if you were a clever phisher and registered fedetwitter.com, people would see the link as fedex.com, but it would send people to fedetwitter.com.

Thankfully, the problem has been fixed.

Twitter’s Clumsy Pivot to X.com Is a Gift to Phishers

10 April 2024 at 10:28

On April 9, Twitter/X began automatically modifying links that mention “twitter.com” to read “x.com” instead. But over the past 48 hours, dozens of new domain names have been registered that demonstrate how this change could be used to craft convincing phishing links — such as fedetwitter[.]com, which until very recently rendered as fedex.com in tweets.

The message displayed when one visits goodrtwitter.com, which Twitter/X displayed as goodrx.com in tweets and messages.

A search at DomainTools.com shows at least 60 domain names have been registered over the past two days for domains ending in “twitter.com,” although research so far shows the majority of these domains have been registered “defensively” by private individuals to prevent the domains from being purchased by scammers.

Those include carfatwitter.com, which Twitter/X truncated to carfax.com when the domain appeared in user messages or tweets. Visiting this domain currently displays a message that begins, “Are you serious, X Corp?”

Update: It appears Twitter/X has corrected its mistake, and no longer truncates any domain ending in “twitter.com” to “x.com.”

Original story:

The same message is on other newly registered domains, including goodrtwitter.com (goodrx.com), neobutwitter.com (neobux.com), roblotwitter.com (roblox.com), square-enitwitter.com (square-enix.com) and yandetwitter.com (yandex.com). The message left on these domains indicates they were defensively registered by a user on Mastodon whose bio says they are a systems admin/engineer. That profile has not responded to requests for comment.

A number of these new domains including “twitter.com” appear to be registered defensively by Twitter/X users in Japan. The domain netflitwitter.com (netflix.com, to Twitter/X users) now displays a message saying it was “acquired to prevent its use for malicious purposes,” along with a Twitter/X username.

The domain mentioned at the beginning of this story — fedetwitter.com — redirects users to the blog of a Japanese technology enthusiast. A user with the handle “amplest0e” appears to have registered space-twitter.com, which Twitter/X users would see as the CEO’s “space-x.com.” The domain “ametwitter.com” already redirects to the real americanexpress.com.

Some of the domains registered recently and ending in “twitter.com” currently do not resolve and contain no useful contact information in their registration records. Those include firefotwitter[.]com (firefox.com), ngintwitter[.]com (nginx.com), and webetwitter[.]com (webex.com).

The domain setwitter.com, which Twitter/X until very recently rendered as “sex.com,” redirects to this blog post warning about the recent changes and their potential use for phishing.

Sean McNee, vice president of research and data at DomainTools, told KrebsOnSecurity it appears Twitter/X did not properly limit its redirection efforts.

“Bad actors could register domains as a way to divert traffic from legitimate sites or brands given the opportunity — many such brands in the top million domains end in x, such as webex, hbomax, xerox, xbox, and more,” McNee said. “It is also notable that several other globally popular brands, such as Rolex and Linux, were also on the list of registered domains.”

The apparent oversight by Twitter/X was cause for amusement and amazement from many former users who have migrated to other social media platforms since the new CEO took over. Matthew Garrett, a lecturer at U.C. Berkeley’s School of Information, summed up the Schadenfreude thusly:

“Twitter just doing a ‘redirect links in tweets that go to x.com to twitter.com instead but accidentally do so for all domains that end x.com like eg spacex.com going to spacetwitter.com’ is not absolutely the funniest thing I could imagine but it’s high up there.”
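The mechanism both of the stories above describe (a suffix match on “twitter.com” applied to the displayed text but not to the destination) comes down to two checks: whether a hostname is rewritten, and whether the text a reader sees agrees with where the link goes. The following is an added example, not code from X/Twitter, Schneier or Krebs. The `displayedHostBuggy` function models the behaviour the stories report; `displayedHostFixed` is an assumed correction that only matches at a DNS label boundary; and `linkTextMismatch` is the kind of check a mail or web filter can run to flag links whose visible hostname disagrees with the real one. The sample links are constructed, modelled on the domains named in the articles.

```javascript
// Added example (not X/Twitter's, Schneier's or Krebs's code).
// Models the display rewrite described above and a defensive check for
// links whose visible text names a different host than their href.

// Hostname of a URL-ish string, lower-cased. Display text often lacks a
// scheme ("fedex.com"), so retry with https:// prepended. Non-host text
// such as "Click here" yields null.
function hostOf(text) {
  try {
    return new URL(text).hostname.toLowerCase();
  } catch {
    try {
      return new URL("https://" + text).hostname.toLowerCase();
    } catch {
      return null;
    }
  }
}

const SUFFIX = "twitter.com";

// The behaviour the stories report: any hostname that merely ends with the
// string "twitter.com" has that tail shown as "x.com", so fedetwitter.com is
// displayed as fedex.com while the href still points at fedetwitter.com.
function displayedHostBuggy(href) {
  const host = hostOf(href);
  if (!host) return null;
  return host.endsWith(SUFFIX) ? host.slice(0, -SUFFIX.length) + "x.com" : host;
}

// Assumed fix: rewrite only the exact host or a true subdomain of it, i.e.
// match at a "." label boundary, so fedetwitter.com is left untouched.
function displayedHostFixed(href) {
  const host = hostOf(href);
  if (!host) return null;
  if (host === SUFFIX || host.endsWith("." + SUFFIX)) {
    return host.slice(0, -SUFFIX.length) + "x.com";
  }
  return host;
}

// Defensive check: true when the visible text is host-like and names a host
// that is neither the destination host nor in the same subdomain tree.
// Note this also flags a genuine twitter.com link shown as x.com, which is
// exactly the text/destination disagreement a filter should surface.
function linkTextMismatch(displayText, href) {
  const shown = hostOf(displayText);
  const actual = hostOf(href);
  if (!shown || !actual) return false; // nothing host-like to compare
  return !(
    shown === actual ||
    shown.endsWith("." + actual) ||
    actual.endsWith("." + shown)
  );
}

// Constructed sample links: what a reader would have seen under the buggy
// rewrite, paired with the real destination.
const SAMPLE_LINKS = [
  { text: displayedHostBuggy("https://fedetwitter.com/track"), href: "https://fedetwitter.com/track" },
  { text: displayedHostBuggy("https://twitter.com/home"), href: "https://twitter.com/home" },
  { text: "www.example.com", href: "https://example.com/" },
];

// Returns the hrefs of links whose displayed host disagrees with the real one.
function flaggedLinks(links = SAMPLE_LINKS) {
  return links.filter((l) => linkTextMismatch(l.text, l.href)).map((l) => l.href);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(flaggedLinks()); // the two rewritten links, not the www. variant
}
```

Running `flaggedLinks()` on the constructed sample returns the fedetwitter.com and twitter.com hrefs and leaves the `www.example.com` link alone, since a `www.` prefix is a subdomain of the destination rather than a different host. A production filter would layer an allowlist of known-equivalent hosts on top of this comparison, but the core signal, visible host not matching destination host, is what let the registered look-alike domains in the story pass as fedex.com, goodrx.com and the rest.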

Thread Hijacking: Phishes That Prey on Your Curiosity

28 March 2024 at 19:56

Thread hijacking attacks happen when someone you know has their email account compromised, and you are suddenly dropped into an existing conversation between the sender and someone else. These missives draw on the recipient’s natural curiosity about being copied on a private discussion, which has been modified to include a malicious link or attachment. Here’s the story of a thread hijacking attack in which a journalist was copied on a phishing email from the unwilling subject of a recent scoop.

In Sept. 2023, the Pennsylvania news outlet LancasterOnline.com published a story about Adam Kidan, a wealthy businessman with a criminal past who is a major donor to Republican causes and candidates, including Rep. Lloyd Smucker (R-Pa).

The LancasterOnline story about Adam Kidan.

Several months after that piece ran, the story’s author Brett Sholtis received two emails from Kidan, both of which contained attachments. One of the messages appeared to be a lengthy conversation between Kidan and a colleague, with the subject line, “Re: Successfully sent data.” The second missive was a more brief email from Kidan with the subject, “Acknowledge New Work Order,” and a message that read simply, “Please find the attached.”

Sholtis said he clicked the attachment in one of the messages, which then launched a web page that looked exactly like a Microsoft Office 365 login page. An analysis of the webpage reveals it would check any submitted credentials at the real Microsoft website, and return an error if the user entered bogus account information. A successful login would record the submitted credentials and forward the victim to the real Microsoft website.

But Sholtis said he didn’t enter his Outlook username and password. Instead, he forwarded the messages to LancasterOnline’s IT team, which quickly flagged them as phishing attempts.

LancasterOnline Executive Editor Tom Murse said the two phishing messages from Mr. Kidan raised eyebrows in the newsroom because Kidan had threatened to sue the news outlet multiple times over Sholtis’s story.

“We were just perplexed,” Murse said. “It seemed to be a phishing attempt but we were confused why it would come from a prominent businessman we’ve written about. Our initial response was confusion, but we didn’t know what else to do with it other than to send it to the FBI.”

The phishing lure attached to the thread hijacking email from Mr. Kidan.

In 2006, Kidan was sentenced to 70 months in federal prison after pleading guilty to defrauding lenders along with Jack Abramoff, the disgraced lobbyist whose corruption became a symbol of the excesses of Washington influence peddling. He was paroled in 2009, and in 2014 moved his family to a home in Lancaster County, Pa.

The FBI hasn’t responded to LancasterOnline’s tip. Messages sent by KrebsOnSecurity to Kidan’s email addresses were returned as blocked. Messages left with Mr. Kidan’s company, Empire Workforce Solutions, went unreturned.

No doubt the FBI saw the messages from Kidan for what they likely were: The result of Mr. Kidan having his Microsoft Outlook account compromised and used to send malicious email to people in his contacts list.

Thread hijacking attacks are hardly new, but they still work mainly because many Internet users don’t know how to identify them. The email security firm Proofpoint says it has tracked north of 90 million malicious messages in the last five years that leverage this attack method.

One key reason thread hijacking is so successful is that these attacks generally do not include the tell that exposes most phishing scams: A fabricated sense of urgency. A majority of phishing threats warn of negative consequences should you fail to act quickly — such as an account suspension or an unauthorized high-dollar charge going through.

In contrast, thread hijacking campaigns tend to patiently prey on the natural curiosity of the recipient.

Ryan Kalember, chief strategy officer at Proofpoint, said probably the most ubiquitous examples of thread hijacking are “CEO fraud” or “business email compromise” scams, wherein employees are tricked by an email from a senior executive into wiring millions of dollars to fraudsters overseas.

But Kalember said these low-tech attacks can nevertheless be quite effective because they tend to catch people off-guard.

“It works because you feel like you’re suddenly included in an important conversation,” Kalember said. “It just registers a lot differently when people start reading, because you think you’re observing a private conversation between two different people.”

Some thread hijacking attacks actually involve multiple threat actors who are actively conversing while copying — but not addressing — the recipient.

“We call these multi-persona phishing scams, and they’re often paired with thread hijacking,” Kalember said. “It’s basically a way to build a little more affinity than just copying people on an email. And the longer the conversation goes on, the higher their success rate seems to be because some people start replying to the thread [and participating] psycho-socially.”

The best advice to sidestep phishing scams is to avoid clicking on links or attachments that arrive unbidden in emails, text messages and other mediums. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark so as to avoid potential typosquatting sites.

Vans warns customers of data breach

25 March 2024 at 18:42

Skater brand Vans emailed customers last week to tell them about a recent “data incident.”

On December 13, 2023, Vans said it detected unauthorized activities on its IT systems, attributed to “external threat actors.” An investigation revealed that the incident involved some personal information of Vans’ customers. The affected information could include:

  • Email address
  • Full name
  • Phone number
  • Billing address
  • Shipping address

In certain cases, the affected data may also include order history, total order value, and information about the payment method used for the purchases. Vans notes that the payment method does not specify details like account number, just the method described as “credit card”, “Paypal”, or “bank account payment”, with no additional details attached.

The data incident turned out to be a ransomware attack. In a filing with the Securities and Exchange Commission (SEC), parent company V.F. Corporation stated the hackers disrupted business operations and stole the personal information of approximately 35.5 million individual consumers.

The attack was claimed by the ALPHV/BlackCat ransomware group. This happened while ALPHV was itself in a spot of trouble, amid events that eventually led to the group faking its own death. It is unclear whether VF Corporation was able to use the decryptor made available after law enforcement seized control of ALPHV’s infrastructure, even though ALPHV reportedly claimed that the company tried to obtain a decryptor from law enforcement.

Vans says there’s no evidence suggesting any actual impact on any individual consumer whose personal data were part of the affected data set, but it does warn about phishing and fraud attempts which could lead to identity theft.

Data breach tips

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.
