phishing Archives - My TechDecisions
https://mytechdecisions.com/tag/phishing-1/
The end user’s first and last stop for making technology decisions
Feed last updated Tue, 30 May 2023 14:25:33 +0000

Email Attacks are Evading Security Protections. Here’s How Security Teams Should Respond.
https://mytechdecisions.com/network-security/email-security-sophisticated-threats/
Tue, 06 Jun 2023 12:00:15 +0000

The post Email Attacks are Evading Security Protections. Here’s How Security Teams Should Respond. appeared first on My TechDecisions.

Instances of business email compromise (BEC) – a targeted form of phishing in which attackers try to scam companies out of money or goods or trick employees into giving up sensitive info – have continued to increase, causing devastating impacts. Last year, the FBI’s Internet Crime Complaint Center (IC3) reported $43 billion of global exposed losses due to BEC between 2016 and 2021.

Additionally, a Data Breach Investigations Report from Verizon showed that web applications and email are the top two vectors for breaches. Because they’re often internet-facing, web apps and email can provide a useful avenue for attackers to try and slip through an organization’s perimeter – and their tricks are only growing more sophisticated.

So what can security teams and end users do to combat these increasingly sophisticated email threats? Here are a few tips on how to keep email attacks from getting through.

Watch out for evolving phishing attempts

Many successful email compromises can be attributed to phishing attacks becoming more advanced. Historically, BEC entailed a bad actor stealing a user’s username and password, perhaps by sending them a fake Office or Google login form to fill out, and hoping the account was not protected by multifactor authentication (MFA), which would stop the attack at the login step.

However, the last few years have seen new approaches. Social engineering is increasingly used to obtain MFA tokens: bad actors call or message users and trick them into reading out their one-time MFA passcode. The attacker may try push bombing, spamming the end user with authentication prompts until the user finally accepts one out of fatigue. Or they may use newer malicious reverse proxies and phishing kits that start with the traditional approach of sending a fraudulent link for the user to click, but then relay the user’s username, password and MFA code to the real login page in real time. Because the proxy completes the entire authentication transaction, it ends up holding the resulting session cookie, and the attacker can use that session without ever seeing an MFA prompt of their own.

Unfortunately, all these new approaches and commoditized tools mean BEC continues to be a lucrative attack vector for malicious actors. With defense often one step behind, end users must stay vigilant. Whenever something looks suspicious, rely on other communication channels to confirm a message’s legitimacy before carrying out an action that could be damaging to you or your organization.
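The push-bombing pattern described above leaves a recognizable trace in MFA logs: a burst of denied or expired push prompts for one user, followed by an approval. The following script is an added example for this page, not a WatchGuard tool or anything from the original article; the log format (timestamp, user, result) and the result names are assumptions, and the log lines are constructed. It flags a user who approves a push shortly after several failed ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA log (assumed format: ISO timestamp, user, result).
# Real Azure AD, Okta or Duo logs carry the same three facts under other names.
SAMPLE_LOG = """\
2023-05-30T08:01:02Z alice push_denied
2023-05-30T08:01:20Z alice push_denied
2023-05-30T08:01:41Z alice push_timeout
2023-05-30T08:02:05Z alice push_denied
2023-05-30T08:02:30Z alice push_approved
2023-05-30T08:10:00Z bob push_approved
2023-05-30T09:00:00Z carol push_denied
2023-05-30T11:30:00Z carol push_approved
"""

FAILED = {"push_denied", "push_timeout"}


def parse_log(text):
    """Parse the assumed log format into (datetime, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def detect_push_bombing(events, window=timedelta(minutes=5), min_failed=3):
    """Return {user: approval_time} for every user who approved a push after at
    least `min_failed` denied/expired pushes within `window` before the approval.
    A single denied push followed hours later by an approval (carol) is normal
    and is not reported."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    hits = {}
    for user, evs in by_user.items():
        for i, (ts, result) in enumerate(evs):
            if result != "push_approved":
                continue
            recent_failed = sum(
                1 for t, r in evs[:i] if r in FAILED and ts - t <= window
            )
            if recent_failed >= min_failed:
                hits[user] = ts
    return hits


if __name__ == "__main__":
    for user, when in detect_push_bombing(parse_log(SAMPLE_LOG)).items():
        print(f"possible push bombing: {user} approved at {when.isoformat()}")
```

The approval after a burst of failures is the event worth paging on, since it means the user has probably just handed the attacker a session; the denied prompts on their own are worth a lower-severity alert and a conversation with the user about why the prompts appeared.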

Adopt a layered security approach

There is no magic bullet to cybersecurity; you can’t rely on a single control, policy, or training session for end users. Therefore, a layered approach with various tools, procedures, and training is necessary to be effective. Should one layer fail, another will be there to pick up the slack.

Security teams must identify the technical controls they can implement to minimize the impact of phishing in the instance that an attack gets through. A DNS firewall prevents network users and systems from connecting to known malicious internet locations and can effectively neutralize links to a bad destination. To combat malware, proactive anti-malware tools can monitor for unusual behavior (rather than relying on signatures alone) to identify malicious software and keep it from infecting computers and other devices.

Make sure to employ tools that can quickly identify and respond to attacks that slip through the cracks. Strong endpoint detection and response (EDR) tools can enhance visibility within your network to detect malicious activity and act on it before the incident grows. Finally, leverage MFA, as it remains the single best measure a security team can implement to protect against authentication attacks. Where possible, prefer phishing-resistant methods such as FIDO2 security keys or passkeys, which bind the credential to the legitimate site and so are not captured by the proxy attacks described above. Reinforce MFA with social engineering training for end users so that this line of defense remains strong.

Build a security-first culture

Most security professionals understand that no defense is perfect, especially with human behavior involved. They recognize the need for security awareness training since a successful attack is often the result of human error. The importance of training only grows as the methods for deceiving end users continue to evolve.

Security teams must continuously train users to be hyper-aware of business email compromise. Put a heavy emphasis on email phishing, spear phishing and social engineering. Since many attacks can come from vectors beyond email – via text message, over WhatsApp or other messaging applications, or voice calls via deepfake software – it’s important that users understand the entire range of threats.

Building a culture that promotes security awareness and in which users are comfortable coming to the IT team to flag an issue or suspicious activity is key. If a user is the victim of a phishing attempt, empower them to quickly notify IT so the threat can be addressed swiftly. Shaming them will only have negative consequences. You don’t want a user to hide a mistake they made, resulting in further risk of damage to the organization. Create a culture where users feel they are part of the security team and on the lookout for phishing attempts and malicious activity. More watchful eyes will create strength in numbers.

A skeptical mindset is a necessary tool in the current threat landscape. A bad actor will often compromise the account of a familiar party like a co-worker, partner, or vendor and use that in a phishing attempt. Remember: A message that appears to be from a trusted source isn’t always a trusted message. Take an extra second to double-check suspicious requests and cover your bases. Staying alert is the best protection you can have.

When it comes to email or other messaging-based cybersecurity threats, the reality is you will never get the click rate down to zero. But your security team should focus on getting your click rate as low as possible so your technical controls can pick up the slack wherever it’s needed.

______________________________________________________________________________________________________________________________________

Trevor Collins is a Network Security Engineer at WatchGuard Technologies.


Barracuda: Half of Organizations Fell Victim to Spear Phishing in 2022
https://mytechdecisions.com/network-security/barracuda-half-of-organizations-fell-victim-to-spear-phishing-in-2022/
Tue, 30 May 2023 14:25:33 +0000


A recent Barracuda Networks Inc. (Barracuda) report shows that 50% of organizations were victims of spear-phishing in 2022 — and 24% had at least one email account compromised through account takeover. Cybercriminals continue to barrage organizations with targeted email attacks, and many companies are struggling to keep up, says the Campbell, Calif.-based cloud security solutions provider.

While spear-phishing attacks are low-volume, they are widespread and highly successful compared to other types of email attacks.

Related: Barracuda Launches New SASE Platform for Businesses, MSPs

Research from Barracuda’s 2023 spear-phishing trends report reveals the following:

  • Spear phishing is widespread: 50% of organizations analyzed were victims of spear phishing in 2022, and a typical organization received five highly personalized spear-phishing emails per day.
  • These attacks are highly successful: Spear-phishing attacks make up only 0.1% of all email-based attacks, according to Barracuda data, but they are responsible for 66% of all breaches.
  • Organizations are feeling the impact: 55% of respondents that experienced a spear-phishing attack reported machines infected with malware or viruses; 49% reported having sensitive data stolen; 48% reported having login credentials stolen; and 39% reported direct monetary loss.
  • Threat detection and response remains a challenge: On average, organizations take nearly 100 hours to identify, respond to and remediate a post-delivery email threat: 43 hours to detect the attack and 56 hours to respond and remediate after the attack is detected.
  • Remote work is increasing risks: Users at companies with more than a 50% remote workforce report higher levels of suspicious emails, 12 per day on average, compared to 9 per day for those with less than a 50% remote workforce.
  • Having more remote workers slows detection and response: Companies with more than a 50% remote workforce also reported that it takes longer to both detect and respond to email security incidents, 55 hours to detect and 63 hours to respond and mitigate, compared to an average of 36 hours and 51 hours respectively for organizations with fewer remote workers.

“Even though spear phishing is low volume, with its targeted and social engineering tactics, the technique leads to a disproportionate number of successful breaches, and the impact of just one successful attack can be devastating,” said Barracuda’s technology chief Fleming Shi, in a statement. “To help stay ahead of these highly effective attacks, businesses must invest in account takeover protection solutions with artificial intelligence capabilities. Such tools will have far greater efficacy than rule-based detection mechanisms. Improved efficacy in detection will help stop spear-phishing with reduced response needed during an attack.”


Business Email Compromise is on the Rise
https://mytechdecisions.com/network-security/business-email-compromise-is-on-the-rise/
Mon, 22 May 2023 15:11:23 +0000


Business email compromise has emerged as a critical threat as threat actors shift their tactics and increase the sophistication of attacks designed to take over business email accounts, including leveraging residential IP addresses to hide the attacks, Microsoft says in a new Cyber Signals report.

The report, the fourth such edition of Microsoft’s cybersecurity research report, finds cybercrime as a service targeting business email has skyrocketed, rising 38% between 2019 and 2022.

In addition, Microsoft says it detected and investigated 35 million business email compromise (BEC) attempts between April 2022 and April 2023, an adjusted average of 156,000 daily attempts to take over a business email account.

The company also cites the FBI’s Recovery Asset Team, which initiated the Financial Fraud Kill Chain on more than 2,800 BEC complaints involving domestic transactions, with potential losses of nearly $600 million.

Business email compromise attacks leveraging residential IP addresses

In the Cyber Signals report, Microsoft identifies a significant trend in attackers’ use of platforms like BulletProftLink, a popular platform for creating industrial-scale malicious email campaigns. Microsoft describes BulletProftLink as selling an end-to-end service that includes templates, hosting and automated services for BEC.

Threat actors using that service receive credentials and the IP address of the victim, and they then purchase IP addresses from residential IP services to match the victim’s location creating residential IP proxies to mask their origin.

With localized address space to support their activities in addition to usernames and passwords, BEC attackers can further obscure their movements, circumvent “impossible travel” flags and open a gateway to conduct further attacks, Microsoft says.

“Impossible travel,” Microsoft says, is a detection used to indicate that a user account might be compromised: it flags physical impossibilities, such as a task being performed in two locations without enough time to travel from one location to the other.

This rising trend could escalate the use of residential IP addresses to evade detection, Microsoft says, as residential IP addresses mapped to locations at scale provide the ability and opportunity for hackers to gather large volumes of compromised credentials and access accounts.

According to Microsoft, threat actors are using IP/proxy services that marketers and others may use for research to scale these attacks.

“One IP service provider, for example, has 100 million IP addresses that can be rotated or changed every second,” Microsoft says in the report.

Microsoft says BulletProftLink offers a decentralized gateway design that includes Internet Computer public blockchain nodes to host phishing and BEC sites, creating a sophisticated decentralized web offering that is difficult to disrupt. This is a notable shift from other phishing-as-a-service tools like EvilProxy, Naked Pages and Caffeine that deploy phishing campaigns and obtain compromised credentials.

“Distributing these sites’ infrastructure across the complexity and evolving growth of public blockchains makes identifying them, and aligning takedown actions, more complex,” Microsoft says. “While you can remove a phishing link, the content remains online, and cybercriminals return to create a new link to existing CaaS content.”

Business email compromise evasion tactics

According to Microsoft, business email compromise phishing emails typically target executives and other senior leaders, finance managers and human resources staff with access to sensitive employee information. However, all types of BEC attacks are on the rise, Microsoft says in the report.

A phishing lure email is the most common type of business email compromise phishing email (62%), followed by payroll (15%), invoice (8.29%), gift card (5%), business information (4.4%) and others.

Business email compromise attacks are typically designed to be relatively quiet, leveraging social engineering and deception rather than attacking unpatched vulnerabilities, malware or extortion messages.

“Instead of novel malware, BEC adversaries align their tactics to focus on tools improving the scale, plausibility, and inbox success rate of malicious messages,” Microsoft says.

On the residential IP address trend, Microsoft says these attacks can be rapidly scaled to make detection with traditional tools difficult, as variances in login locations are not inherently malicious. In the distributed work environment, a user could be logged into a business application via a Wi-Fi connection and be signed into the same apps on their smartphone’s cellular network. This makes “impossible travel” flag policies difficult to design.

In addition, attackers are increasingly routing malicious mail and other activity through address space near their targets, Microsoft says.
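To make the detection trade-off above concrete, here is an added example of an impossible-travel check over constructed sign-in records; it is not Microsoft’s detection logic and not from the Cyber Signals report. The IP-to-location table stands in for a GeoIP database (the addresses are documentation ranges and the coordinates are assumptions). It shows the three cases the text describes: a genuine impossible-travel sign-in is flagged, the Wi-Fi-plus-cellular user is not (a minimum-distance floor absorbs same-city IP changes), and a sign-in through a residential proxy geolocated near the victim slips through, which is exactly why the residential-IP trend matters.

```python
import math
from datetime import datetime

# Stand-in for a GeoIP lookup (assumed; a real deployment queries a GeoIP database
# or uses the identity provider's own location field). Values: label, lat, lon.
GEOIP = {
    "203.0.113.10": ("New York, US", 40.71, -74.01),   # office Wi-Fi
    "203.0.113.77": ("New York, US", 40.73, -73.99),   # cellular carrier, same city
    "198.51.100.5": ("Frankfurt, DE", 50.11, 8.68),    # attacker's hosting provider
    "192.0.2.44":   ("Newark, US", 40.74, -74.17),     # residential proxy near the victim
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(signins, max_speed_kmh=900.0, min_distance_km=100.0):
    """signins: iterable of (user, iso_timestamp, ip), any order.
    Returns [(user, ip_a, ip_b, km, hours)] for consecutive sign-ins by one user
    that would require travelling faster than max_speed_kmh (roughly an airliner).
    min_distance_km stops the Wi-Fi / cellular case (same city, different IPs)
    from alerting; it also means a proxy near the victim is never flagged."""
    by_user = {}
    for user, ts, ip in signins:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), ip))
    flagged = []
    for user, evs in by_user.items():
        evs.sort()
        for (t1, ip1), (t2, ip2) in zip(evs, evs[1:]):
            if ip1 not in GEOIP or ip2 not in GEOIP:
                continue  # unknown address: no location to compare
            _, la1, lo1 = GEOIP[ip1]
            _, la2, lo2 = GEOIP[ip2]
            km = haversine_km(la1, lo1, la2, lo2)
            hours = max((t2 - t1).total_seconds() / 3600.0, 1e-6)
            if km >= min_distance_km and km / hours > max_speed_kmh:
                flagged.append((user, ip1, ip2, round(km), round(hours, 2)))
    return flagged


# Constructed sample sign-ins covering the three cases discussed in the text.
SAMPLE_SIGNINS = [
    ("alice", "2023-05-22T09:00:00", "203.0.113.10"),
    ("alice", "2023-05-22T09:30:00", "198.51.100.5"),   # real impossible travel
    ("bob",   "2023-05-22T09:00:00", "203.0.113.10"),
    ("bob",   "2023-05-22T09:05:00", "203.0.113.77"),   # laptop on Wi-Fi, phone on LTE
    ("carol", "2023-05-22T09:00:00", "203.0.113.10"),
    ("carol", "2023-05-22T09:30:00", "192.0.2.44"),     # attacker via residential proxy
]

if __name__ == "__main__":
    for hit in impossible_travel(SAMPLE_SIGNINS):
        print("impossible travel:", hit)
```

Only alice is reported. Carol’s second sign-in is the attacker, but from Newark it is 14 km from the office and so indistinguishable from a commuter on a different network; that case has to be caught by other signals (new device, new mailbox rules, unusual OAuth consents) rather than by location alone.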

How to protect against business email compromise

To help organizations protect against business email compromise attacks, Microsoft offers several recommendations:

  • Use a secure email solution that leverages AI capabilities and phishing protections.
  • Configure email to flag messages sent from external users, enable notifications for unverified email senders, block suspicious senders and use reporting to flag suspicious emails.
  • Use multi-factor authentication for email accounts.
  • Educate employees on how to spot suspicious emails.
  • Secure identities with Zero Trust tools to limit lateral movement.
  • Use a secure payment platform to reduce exposure to invoice-based phishing emails.
  • Take extra steps to verify the authenticity of financial transactions requested via email.


Proofpoint Unveils New Innovations to Combat Increasingly Common Threats
https://mytechdecisions.com/network-security/proofpoint-unveils-new-innovations-to-combat-increasingly-common-threats/
Mon, 24 Apr 2023 17:51:43 +0000


Ahead of the 2023 RSA Conference, Proofpoint, Inc., the Sunnyvale, Calif.-based cybersecurity and compliance company, unveiled a host of innovations across its Aegis Threat Protection, Identity Threat Defense and Sigma Information Protection platforms. The company’s latest solutions empower organizations to stop malicious email attacks, detect and prevent identity-based threats and defend sensitive data from theft, loss and insider threats.

According to the company, the new innovations further enhance its threat and information protection platforms, in addition to its newly formed Identity Threat Defense business (formerly known as Illusive), to help organizations augment and safeguard their productivity investments, such as Microsoft 365, with maximum deployment flexibility.

“Proofpoint continues to deliver on innovations that empower organizations to break the attack chain,” said Ryan Kalember, executive vice president, cyber security strategy, Proofpoint in a statement. “By providing our customers a unified path to solve for risk across email, cloud, identity and data, CISOs gain unparalleled visibility into and protection against the tactics that attackers rely on most.”

Proofpoint’s Aegis Threat Protection Platform

Proofpoint Aegis Threat Protection Platform is an AI/ML-powered threat protection platform that disarms attacks such as business email compromise (BEC), phishing, ransomware and supply chain threats. With flexible deployment options using both APIs and inline architecture, Aegis delivers AI-powered, cloud-based protection that complements native Microsoft 365 defenses, says Proofpoint.

By combining the company’s proprietary behavioral analytics and threat intelligence, Proofpoint is delivering new capabilities that provide visibility into account takeover-based attacks from both within an organization’s environment and outside suppliers.

Supplier Threat Protection

Supplier relationships are a growing attack vector: 69% of organizations experienced a supply chain attack within the past year, and CISOs rate it as one of their top concerns, according to Proofpoint research. With Proofpoint’s Supplier Threat Protection, organizations can detect compromised supplier accounts so that security teams can swiftly investigate and remediate.

This new product proactively monitors for and prioritizes known compromised third-party accounts, simplifies investigation with details on why the account is suspected compromised and which employees recently communicated with the account in question, enabling security teams to seamlessly defend against prevalent third-party attacks such as BEC and phishing.

Targeted Attack Prevention Account Takeover (TAP ATO)

Threat actors successfully bypass MFA in 30% of all targeted cloud and email account takeover attacks, according to Proofpoint threat research. Once inside, malicious actors can hide undetected in an organization’s environment, waging sophisticated attacks at will.

Proofpoint TAP ATO, available at the end of Q2 2023, provides visibility across the entire email account takeover attack chain. It accelerates response investigation and remediates accounts, malicious mailbox rule changes, and manipulations of third-party apps and data exfiltration across email and cloud environments.

Identity Threat Defense (formerly known as Illusive)

From ransomware to APTs, 90% of attacks rely on compromised identities, says Proofpoint. The complexity of managing Active Directory (AD) has resulted in the presence of exploitable privileged identity risks in all organizations at a rate of one in six endpoints.

These identity risks include unmanaged local admins with stale passwords, misconfigured users with unnecessary privileges, cached credentials left exposed on endpoints and much more. When an attacker compromises an endpoint with these privileged identity risks, deploying malicious software and stealing data is easy. Privileged identities represent the keys to the kingdom, which attackers exploit to steal the crown jewels. Unfortunately, most organizations are unaware of this risk – until they are attacked.

Leveraging new advanced identity risk analytics and automated detection, Proofpoint has further bolstered its Identity Threat Defense platform – undefeated in more than 150 red team exercises – to provide organizations with comprehensive identity risk protection and remediation:

Spotlight Risk Analytics

The new advanced risk analytics in the Spotlight dashboard allows users to gain an executive view of an organization’s risk trends as well as exposure across various risk categories and risk exposure levels. It also provides recommendations for possible user admin action.

Spotlight Risk Analytics simplifies decision makers’ workload while ensuring organizational leaders can make informed decisions to remediate modern and sophisticated identity risks. With availability expected late Q2 2023, decision makers will also be able to follow risk trends to track their organization’s risk posture improvements over time.

Proofpoint Spotlight Cross Domain & Trust Visibility

For organizations with complex infrastructure, including multinational, multi-business and merging organizations, identity infrastructure is often stitched together without broader visibility.

Spotlight Cross Domain & Trust Visibility provides insight to understand where AD domains across companies have too much bi-directional trust, which can result in identity risk and lateral movement by attackers. Business leaders can gain a centralized view into the broadest organizational structure’s domains and trusts to better prevent identity risk exposure in a holistic fashion.

Sigma Information Protection Platform

Since its introduction in early 2020, Proofpoint’s information protection business has grown a remarkable 107%, making the company the second largest data loss prevention (DLP) vendor globally and by revenue according to Gartner. Driven by the accelerated adoption of work-from-anywhere practices, the Proofpoint Sigma Information Protection platform is now deployed to over 5,000 customers and 46 million users worldwide, analyzing 45 billion events each month, and trusted by nearly half of the Fortune 100.

Proofpoint’s Information Protection platform merges content inspection, threat telemetry and user behavior across channels in a unified, cloud-native interface.

Privacy by Design Data Loss Prevention

As international organizations work to meet new and changing local privacy and data sovereignty requirements, Proofpoint now hosts its Sigma Information Protection platform in regions such as the European Union, Japan, and Australia in addition to the U.S.

Proofpoint is also further investing in privacy-related capabilities so that organizations can mask sensitive data in the console to limit its exposure and create custom data access policies to address privacy and compliance needs.

Additional features are available in beta, with general availability expected in Q3 2023, enabling organizations to anonymize identifying user information so analysts can investigate without bias and with better privacy for the user.

Administrators will also be able to set up metadata for anonymization and approval workflows for de-anonymizing the metadata during investigation.


Check to See If Your Organization’s Credentials Were on Genesis Market
https://mytechdecisions.com/network-security/check-to-see-if-your-organizations-credentials-were-on-genesis-market/
Thu, 06 Apr 2023 15:45:29 +0000


Genesis Market, an online criminal marketplace that advertised and sold packages of stolen credentials that threat actors use to compromise accounts in the financial sector, critical infrastructure and federal, state and local government agencies, has been dismantled by a coalition of international law enforcement agencies.

According to a news release from the U.S. Department of Justice, the Genesis Market website has been seized, and law enforcement is currently working to identify prolific users of the market who used those stolen access credentials to carry out cybercrimes. In addition, authorities have seized 11 domain names used to support Genesis Market’s infrastructure.

The DOJ says Genesis Market has since 2018 offered access to stolen data from over 1.5 million compromised devices around the world, containing over 80 million account access credentials. In addition to credentials, Genesis Market was “one of the most prolific initial access brokers” in the cybercrime world, authorities say, offering access often used by ransomware actors.

Authorities say the criminal marketplace was easy to use, giving users the ability to search for stolen credentials based on location and account type. The market also offered device fingerprints, unique combinations of device identifiers and browser cookies that circumvent anti-fraud detection systems used by many websites.

The combination of resources on Genesis Market allowed cybercriminals to essentially assume the identity of the victim, agencies say.

Cybersecurity company Trellix says it assisted in the investigation, helping law enforcement analyze and detect the malicious binaries linked to Genesis Market to render the market’s script and binaries useless.

In a blog, Trellix researchers say the market was the largest such resource for credentials, browser fingerprints and cookies. The market advertised mostly on Russian-speaking underground forums and became a one-stop shop for account takeovers since its inception in 2018.

Genesis Market was largely used to target consumers, but Trellix says it has observed malicious detections across its enterprise sensors as well. The bulk of the malicious activity was detected in the Americas, with other activity in Europe and southeast Asia.

The marketplace has also been linked to malware families used to infect victims and populate the store, and they include common info-stealers such as AZORult, Raccoon, Redline and DanaBot, Trellix researchers say.

Credentials contained on Genesis Market have been provided to Have I Been Pwned, allowing people and organizations to assess whether their credentials have been available on the dark web marketplace.

The FBI is asking users of Genesis Market, those who were in contact with its administrators, or victims to contact the agency at FBIMW-Genesis@fbi.gov. In addition, Dutch Police have set up CheckYourHack to see if data was obtained and sold via the market.
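For an organization with many mailboxes, checking addresses one at a time on the Have I Been Pwned site does not scale. The following script is an added example written for this page, not something from the article, the DOJ or HIBP: it queries the HIBP v3 breached-account endpoint for each address and reports which ones appear in a named breach. It assumes a paid HIBP API key (sent in the `hibp-api-key` header, which HIBP requires along with a `user-agent`), and it assumes the breach name HIBP assigned to the Genesis Market data is `GenesisMarket`; confirm that name in HIBP’s breach list before relying on it. The lookup function is injected so the logic can be exercised offline against constructed responses.

```python
import json
import urllib.parse
import urllib.request
from urllib.error import HTTPError

HIBP_URL = "https://haveibeenpwned.com/api/v3/breachedaccount/{account}"
# Breach name assumed for the Genesis Market data on HIBP; verify before use.
GENESIS_BREACH_NAME = "GenesisMarket"


def hibp_fetch(account, api_key, user_agent="corp-genesis-check"):
    """Return the list of breach names HIBP holds for `account`.
    HTTP 404 means the address is not in any breach and yields []. Other errors
    (401 bad key, 429 rate limited) are raised so the caller notices them."""
    req = urllib.request.Request(
        HIBP_URL.format(account=urllib.parse.quote(account)),
        headers={"hibp-api-key": api_key, "user-agent": user_agent},
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            # With the default truncated response each entry is {"Name": ...}.
            return [b["Name"] for b in json.load(resp)]
    except HTTPError as e:
        if e.code == 404:
            return []
        raise


def accounts_in_breach(accounts, fetch, breach_name=GENESIS_BREACH_NAME):
    """Map each account to True/False for membership in `breach_name`.
    `fetch(account)` must return a list of breach names; pass a closure over
    hibp_fetch with your API key for live use, or a stub for testing."""
    return {a: breach_name in fetch(a) for a in accounts}


# Constructed stand-in for live HIBP responses, used for the offline demo.
FAKE_RESPONSES = {
    "alice@example.com": ["GenesisMarket", "LinkedIn"],
    "bob@example.com": ["Adobe"],
    "carol@example.com": [],
}


def demo():
    """Run the membership check against the constructed responses."""
    return accounts_in_breach(FAKE_RESPONSES, lambda a: FAKE_RESPONSES[a])


if __name__ == "__main__":
    # Live use (assumed environment): replace the stub with
    #   fetch = lambda a: hibp_fetch(a, api_key="<your HIBP key>")
    # and pause between calls to respect HIBP's rate limit.
    for account, hit in demo().items():
        print(f"{account}: {'ON GENESIS MARKET' if hit else 'not listed'}")
```

Treat a hit as a reason to reset the password, revoke active sessions and re-enrol MFA for that account, since Genesis packaged cookies and device fingerprints alongside credentials and a password change alone does not invalidate a stolen session.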

Trellix also offers these recommendations for organizations and their IT and security administrators:

  • Train users in phishing and how to spot it; repeat the training with test phishing emails for all users. Users must be alert when it comes to links and attachments:
    • Be very careful with password-protected archives, as they will pass through most email scanning and web proxies.
    • Check file extensions: a JPG, PDF or document might not be what it looks like based on the icon. It can be an executable that disguises itself with its icon.
  • Implement web control and block access to any unknown or uncategorized websites.
  • Block or report any unknown application communicating to or from the Internet; this can be done with firewall solutions.
  • Implement Adaptive Threat Protection (ATP) and configure Dynamic Application Containment (DAC) for unknown processes, limiting what they can do.
  • Enable Exploit Prevention and enable the signature for “Suspicious Double File Extension Execution” (Signature 413).
  • Protect session cookies with an Exploit Prevention Expert rule. Implement Expert rules that trigger on any PowerShell or unknown/contained process accessing your session cookie stores:
    • C:\Users\**\AppData\Local\Google\Chrome\User Data\Default\Network\**\*.*
    • C:\Users\**\AppData\Roaming\Mozilla\Firefox\Profiles\**\*.*
    • C:\Users\**\AppData\Local\Microsoft\Edge\User Data\Default\Network\**\*.*
  • Implement Endpoint Detection and Response. It can detect some of the techniques identified, such as malicious use of web protocols, process injection and tool transfers.
  • Implement strong and deep email scanning.
  • Implement a strong and deep web gateway, block uncategorized websites, and have a quick and trusted procedure to add more websites if needed.
  • Apply the Identity and Access Management (IAM) best practices outlined by CISA.
  • Review your current visibility and detection capability on credential theft and privilege abuse.

Read Trellix’s blog for more information, including indicators of compromise.

Editor’s note: This article was originally published April 6, 2023 but has been updated as of April 20, 2023. 

The post Check to See If Your Organization’s Credentials Were on Genesis Market appeared first on My TechDecisions.

Microsoft Warns of Increasing Use of MFA Bypass Tools in Phishing Attacks
https://mytechdecisions.com/network-security/microsoft-warns-of-increasing-use-of-mfa-bypass-tools-in-phishing-attacks/
Tue, 14 Mar 2023 16:59:32 +0000
Microsoft is warning organizations of an uptick in Adversary-in-the-Middle (AiTM) phishing kits that are capable of bypassing multi-factor authentication (MFA) through reverse-proxy functionality, rendering the security tool that many organizations now deploy useless.

In a new blog, the Microsoft Threat Intelligence Team dives into a threat actor it calls DEV-1101, a group that develops, supports and advertises several AiTM phishing kits that other threat actors can leverage in their attacks.

This specific AiTM phishing kit is an open-source kit that automates setting up and launching phishing activity, and the DEV-1101 group provides support services to attackers. Other cybercriminal groups have had access to the phishing kit since last year, and DEV-1101 has since made several improvements, including the ability to manage campaigns from a mobile device and evasion features like CAPTCHA pages.

Microsoft has since observed several high-volume phishing campaigns from various actors using the AiTM kit from DEV-1101, and millions of phishing emails using the kit have been sent each day since the group began advertising the kit in spring 2022.

According to Microsoft, one of the more common phishing attacks leveraging the kit appears typical of phishing activity, with the email masquerading as a Microsoft document. The example given is from DEV-0928, one of the more prominent threat actors leveraging the phishing kit.

Microsoft security researchers say two different evasions might result from clicking the link in the phishing message. The DEV-1101 kit’s antibot functionality might trigger an href redirection to a benign page.

“The default redirection domain defined in the source code is example.com; however, any actor using the kit may define a different redirection domain,” researchers say.

The AiTM kit also allows threat actors to use CAPTCHA to evade detection. Inserting a CAPTCHA page into the phishing sequence could make it more difficult for automated systems to reach the final phishing page, while a human could easily click through to the next page, Microsoft researchers say.

After the evasion pages, the phishing landing page is presented to the target from an actor-controlled host through the phishing actor’s reverse proxy setup.

From there, the threat actor’s server will capture credentials entered by the user. If MFA is enabled, the AiTM kit continues to function as a proxy between the user and the user’s sign-in service, which allows the server to capture the resulting session cookie as the user completes an MFA sign-in. This allows an attacker to bypass MFA with the session cookie and the user’s stolen credentials.

While MFA can stop a wide variety of credential-based attacks, attackers are always finding new ways around security controls, including new MFA bypass techniques. According to Microsoft, MFA is the reason threat actors are pivoting to AiTM session cookie theft.

Microsoft advises organizations to set security defaults to improve identity security posture and evaluate sign-in requests using additional identity-driven signals such as group membership, IP location information and device status.

Other policies such as compliant devices or trusted IP address requirements can help protect users from attacks that leverage stolen credentials, researchers say. Organizations are also advised to invest in anti-phishing solutions that scan incoming emails and visited websites.

Microsoft also listed several capabilities of Microsoft 365 Defender that are designed to help protect from AiTM attacks. Read the blog for more information.

Beware of ChatGPT-Themed Phishing Attacks
https://mytechdecisions.com/network-security/chatgpt-themed-phishing-attacks/
Fri, 10 Mar 2023 13:05:45 +0000
ChatGPT and generative AI are dominating the news cycle, with companies like Microsoft, Slack, Snapchat, Grammarly and many others leveraging the emerging technology to help users be more efficient, accurate and creative. In fact, ChatGPT was estimated to have reached 100 million monthly active users in January, making it the fastest-growing consumer tool in history.

That kind of extreme popularity, however, makes ChatGPT a tantalizing lure for phishing attacks, says cybersecurity firm Cyble.

The firm says its researchers have identified several instances where threat actors are using ChatGPT to distribute malware and conduct other attacks, including using a fraudulent OpenAI social media page to spread malware via phishing. In addition, other phishing websites are impersonating ChatGPT to steal credit card information.

Further, families of Android malware are using OpenAI branding to mislead users into believing they are accessing authentic applications, leading to the theft of sensitive information from Android devices.

Cyble identified an unofficial ChatGPT Facebook page that has over 3,400 likes and followers that contains links to phishing pages that impersonate ChatGPT. The pages lure users into downloading malicious files.

Several posts on the page include links to typo-squatted domains that lead to a fake OpenAI website that instructs users to download files, which are actually information stealers. The malware families included in the campaigns include Lumma Stealer, Aurora Stealer, clipper malware and others.

In addition to a fraudulent ChatGPT-related payment page, Cyble has identified over 50 fake and malicious apps that are using ChatGPT branding to carry out activities and distribute malware.

Like other phishing campaigns, these seek to leverage the popularity of generative AI and ChatGPT to trick unsuspecting users into downloading malicious applications. Similarly, COVID-19-themed phishing attacks have been popular, and remain a favorite theme of cybercriminals.

Organizations allowing employees to use ChatGPT should ensure that users are only accessing ChatGPT through legitimate sources, such as OpenAI’s website. Administrators should also educate employees on these trends, including how to identify phishing attacks.

Phishing Remains a Favorite Hacking Tool as New Methods Emerge
https://mytechdecisions.com/network-security/phishing-methods/
Fri, 03 Mar 2023 15:47:09 +0000
Phishing, social engineering, and ransomware remain favorite attack methods of cybercriminals, but threat actors are beginning to shift to newer techniques, such as phone-oriented attack delivery and adversary-in-the-middle phishing proxies designed to bypass multifactor authentication, according to cybersecurity firm Proofpoint.

The Sunnyvale, Calif.-based company’s State of the Phish report finds that email-based phishing attacks remain a thorn in the side of IT and security professionals, with 84% of organizations surveyed saying they had at least one successful email-based phishing attack against them in 2022.

Those phishing attacks are impacting the bottom line, with the number of organizations reporting financial losses as a direct result of phishing attacks increasing by 76% compared to 2021.

New phishing attack methods emerge

While phishing, ransomware, brand impersonation and cyber fraud remain major culprits, Proofpoint highlighted a range of emerging threats, including telephone-oriented attack delivery (TOAD) and multifactor authentication bypass such as adversary-in-the-middle (AiTM).

In the report, Proofpoint says those phishing methods “made waves” in the threat landscape.

The company defines a TOAD attack as one in which targets receive a message, typically containing a fake invoice or alert, that includes a phone number for customer service for questions. If the victim calls the number, they are connected directly to the attacker, who then tries to convince the victim to download malware, transfer money or enable remote access.

In addition, threat actors now have a range of methods to bypass MFA, and some phishing-as-a-service providers already include MFA bypass in their off-the-shelf phishing kits, the company says.

“Unknown to most users, these techniques gave cyber attackers a new advantage,” Proofpoint says in its report. “At their peak, TOAD and MFA bypass saw hundreds of thousands of attacks sent per day—ubiquitous enough to threaten most organizations.”

Specifically, attackers made about 400,000 telephone-based phishing attempts on average per day, with attacks peaking at 600,000 per day in August 2022.

While the report didn’t include data on the number of MFA bypass attacks, one recent case involving Uber spells out the danger. The rideshare giant disclosed in September 2022 that it was the target of a cyberattack.

According to Uber, an Uber external contractor’s account was compromised by an attacker, and the contractor’s corporate credentials were likely purchased on the dark web after the contractor’s personal device was infected with malware.

The attacker then tried to log in to the contractor’s Uber account several times, prompting a two-factor login approval request to be sent to the contractor’s device. Two-factor authentication worked in preventing unauthorized access, but the contractor eventually accepted a login approval request, opening the door for the threat actor.

Then, the attacker accessed several other employee accounts, which ultimately ended with the attacker gaining elevated permissions to a number of tools, such as G-Suite and Slack. This is how the attacker was able to communicate with Uber employees via Slack. With free rein, the attacker reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites, according to the company.

Phishing still works really well

With these more sophisticated phishing methods and advanced social engineering, phishing attacks are still highly successful, according to Proofpoint.

Attackers are smart, and they know how to convince users to click on links and open attachments in emails. This includes impersonating trusted brands such as Microsoft, Amazon, DocuSign, Google and other companies that provide widely-used enterprise tools.

According to Proofpoint, the company observed about 1,600 brand impersonation campaigns, with Microsoft the most abused brand. Over 30 million messages used Microsoft branding or featured a Microsoft product such as Office or OneDrive.

Simulated phishing attack data shows that Microsoft OneDrive-related email attacks had a 7% failure rate, while DocuSign and FedEx impersonations had an 11% failure rate. Since it only takes one user to lead to an organization-wide compromise, those statistics are alarming.

However, an even more successful phishing lure is COVID-19, with pandemic-themed phishing simulations leading to a 17% failure rate. COVID also appeared twice in the company’s list of “trickiest” themes, which is defined as attacks with the highest failure rate regardless of how many times the template was used.

Awareness still lacks

Despite renewed emphasis around end-user training and awareness, end users still struggle to understand basic cybersecurity concepts, regardless of the phishing methods used.

According to Proofpoint’s report, only 40% of users know what ransomware is, although that is a 9% jump from 2019. In addition, just 58% of users said they know what phishing is, which is a 5% increase from 2021 but a decrease of 3% from 2019.

In addition, users still struggle to spot phishing emails, with 21% saying they don’t know that an email can appear to be from someone other than the sender, 44% saying they don’t know that a familiar brand doesn’t mean the email is safe, and 63% saying they don’t know that email link text might not match the website it goes to.

Nearly 30% of users are still reusing passwords for multiple work-related accounts, and 80% of home and work Wi-Fi users didn’t change the default admin password from their routers, which is slightly worse than 2021.

With organizations continuing to embrace remote and hybrid work, that lack of security awareness is alarming. This could lead to substantial risks for organizations and their data, says Alan Lefort, senior vice president and general manager of security awareness training at Proofpoint.

“As email remains the favored attack method for cyber criminals and they branch out to techniques much less familiar to employees, there is clear value in building a culture of security that spans the entire organization,” Lefort says.

Phishing Click Rates Mean More Training, Awareness are Needed
https://mytechdecisions.com/network-security/phishing-click-rates-mean-more-training-awareness-are-needed/
Wed, 01 Feb 2023 20:42:39 +0000
Large enterprises with at least 10,000 employees are the most susceptible to phishing schemes that promise a gift despite having access to more cybersecurity resources than smaller businesses, according to a new report on phishing link click rates from Terranova Security, a subsidiary of Fortra (previously HelpSystems).

The report is based on the 2022 Gone Phishing Tournament hosted by Terranova Security and co-sponsored by Microsoft, which evaluated how employees respond to phishing attacks. The 2022 Phishing Benchmark Global Report finds that all organizations need to continue to implement security awareness and training programs to educate end users on phishing attacks.

Over 250 organizations and 1.2 million users participated in the tournament, making it one of the largest phishing tournaments of its kind and a real-life example of how successful phishing attacks still are today.

According to the report, 7% of all end users at large enterprises who participated in the 2022 phishing simulation clicked on the link in the phishing email, and 3% failed to recognize the warning signs of the simulation’s webpage and entered their credentials on the malicious page.

While those phishing click rate totals are seemingly low, it only takes one privileged end user to click on a malicious link or enter their credentials for attackers to find their way into an organization’s network.

Additionally, this year’s form completion total is concerning, as 44% of those who clicked on the phishing simulation link eventually completed the web form on the subsequent webpage and submitted their credentials.

To put those numbers in perspective, an enterprise-level organization with 10,000 employees targeted with a phishing attack would have seen 700 of their employees click on the phishing link, and over 300 of those would have entered their credentials.

“Given our reliance on online systems and data to conduct many business transactions and services, this is really concerning,” says Theo Zafirakos, chief information security officer at Terranova Security.

The report suggested that larger organizations need to ensure that end users are completing their training and awareness programs, as they fared the worst. In fact, phishing success rates consistently increase along with the size of the organization: phishing click rates were 3.6% at organizations with under 100 employees, 4.9% at organizations with 100 to 499 employees, 5.6% at organizations with 500 to 2,999 employees and 6.3% at organizations with 3,000 to 9,000 employees.

When separated by industry, nonprofit, education, manufacturing, and food and agriculture had the worst phishing click rates, with all scoring over 6%. Meanwhile, the public sector, energy and finance industries kept their phishing click rates under 3.5%.

However, this report indicates that end users are becoming more aware, as only 3% of all recipients failed to recognize the phishing webpage and submitted their credentials, which is down from 14.4% in 2021.

“The results from this year’s Gone Phishing Tournament underscore the importance of taking a human-centric approach to security awareness training and content,” says Brand Koeller, principal product manager of Microsoft Defender, in a statement. “Technical safeguards alone can’t guarantee information security. Addressing the human risk factor should be a top priority for all organizations.”

Phishing, Ransomware Continue to Dominate as Cyberattacks Surge in 2022
https://mytechdecisions.com/network-security/phishing-ransomware-continue-to-dominate-as-cyberattacks-surge-in-2022/
Wed, 28 Dec 2022 17:01:26 +0000
Phishing and MFA fatigue attacks are on the rise, and the cost of a data breach is now expected to reach $5 million, according to a year-end cyberthreat report from cybersecurity firm Acronis.

The Switzerland-based firm’s report from its Cyber Protection Operation Center provides an in-depth analysis of the cyberthreat landscape including ransomware, phishing, malicious websites, software vulnerabilities and a security forecast for 2023, including how phishing emails and the cost of a data breach are on the rise.

According to Acronis’ report, phishing and malicious emails have increased by 60% in the third quarter of 2022, and social engineering attacks also jumped, accounting for 3% of all attacks. Continuing the theme of attacks on credentials and identities, Acronis says leaked or stolen credentials were the cause of almost half of all reported breaches in the first half of 2022.

Ransomware remains the largest threat

Ransomware remains the top threat to big and medium businesses, including government, healthcare and other critical organizations, Acronis’ report found. This comes despite ransomware volumes, samples and new families all decreasing in the second half of this year.

However, ransomware gangs were adding at least 200 new victims to their combined list in each month in the second half of 2022, according to Acronis. The top four ransomware operators were LockBit, Hive, BlackCat and Black Basta with a combined total of just over 1,600 compromised victims. As is regularly seen in the ransomware economy, those four families are largely the rebranding of former ransomware gangs such as REvil, BlackMatter and others.

Ransomware groups were far more active in the first half of 2022, with average ransomware detections per day at 368 for the first half of the year and 226 for the second half. Leading 2022 in ransomware detections was the United States, with regional ransomware detection percentages of at least 60% in all three quarters of 2022 studied.

Another alarming trend is the shift towards more data exfiltration and the targeting of macOS and Linux systems, with most of the larger ransomware groups also looking at cloud environments.

Phishing, malicious emails and social engineering

Attacks designed to steal credentials and compromise accounts have been a tried-and-true attack method, and these techniques are only growing in popularity and complexity, according to Acronis, which found that the proportion of phishing attacks between July and October 2022 rose by 1.3 times against malware attacks, reaching 76% of all email attacks. That figure is up from a 58% increase in the first half of 2022.

Social engineering threats are also on the rise over the last four months and now account for 3% of all attacks.

Phishing, meanwhile, continues to be a top threat facing organizations, with phishing activity rising by 130% between July and November 2022.

Specific industries were the most targeted with email threats, including construction, retail, real estate, professional services (such as computers and IT) and finance.

Unpatched vulnerabilities continue to wreak havoc

While phishing and social engineering remain a popular attack vector, Acronis’ report finds that unpatched vulnerabilities continue to be a gold mine for threat actors, with 475 out of nearly 13,000 reported vulnerabilities being actively exploited in the first half of 2022.

The company singled out Microsoft and Patch Tuesdays, and the report went through some of the more critical bugs in the IT giant’s systems discovered over the second half of 2022. However, Acronis also detailed critical vulnerabilities in products from Google, Adobe, Cisco and others.

“We know that ransomware attackers have taken advantage of more than 150 vulnerabilities during this same period, emphasizing once again how important it is to patch on time and have vulnerability assessment functionalities in place to protect businesses and home users,” the report says.

Acronis’ recommendations

The cybersecurity company’s recommendations in the report are largely best practices that IT security professionals have been echoing for years: password security, patching, phishing awareness, using a VPN and using comprehensive security tools.

However, the firm’s predictions for 2023 include more information about what cybercriminals will target next, including authentication and identity management systems, social engineering via texting and collaboration apps, attacks leveraging blockchains and the adoption of artificial intelligence and machine learning by threat actors.

Read the company’s report for more information.
