ATO/BEC
Everything You Need to Know About Tax Day Scams 2022
By Maddie Rosenthal
23 March 2022
Only two things are certain in life: death and taxes. As Tax Day 2022 rolls around, making a payment to the IRS isn’t the only thing you need to worry about.

These phishing attacks can take many different forms. In the US, they use the Monday, 18 April deadline for filing your income tax return as bait. In the UK, they use your potential tax refund as bait.

But we’re here to help. Here’s what to look out for and what to do if you’re targeted by Tax Day scams.

What do Tax Day scams look like?

As with other phishing and spear phishing attacks, bad actors impersonate trusted brands and authorities and, in some way, motivate you to act.

In this article, we’re exploring Tax Day scams that arrive via email. You may also receive phone calls or text messages from bad actors claiming that you’re being investigated for tax fraud or have an overdue bill. They may also simply request more information from you, such as your name and address or your bank account details. You shouldn’t give any of this information away over the phone. Government organizations will never call you or use recorded messages to demand payment.

Now, let’s take a closer look at some real scam examples.

Example 1: IRS Impersonation
What’s wrong with this email?
- The IRS has said it never contacts taxpayers by email, so any correspondence “from” the IRS is illegitimate
- There is an extra “r” in “internal” in the sender’s email address
- Email addresses from government agencies will always contain the top-level domain “.gov”
- There are spelling errors and inconsistencies in the text that you wouldn’t expect from a government agency

Example 2: Tax-Preparation Software Impersonation

What’s wrong with this email?
- While the sender’s email address does contain the company name (Fast Tax), the top-level domain (.as) is unusual
- The sender is motivating the target to follow the embedded link by claiming their tax return is incomplete
- Upon hovering over the link, you’ll see the URL is suspicious. Please note, though: a suspicious URL can still take you to a landing page that appears legitimate. These are called malicious websites.

Example 3: HMRC Impersonation

What’s wrong with this email?
- While the Display Name, email template, logos, and language used in the email seem consistent with HMRC, the sender’s email address contains the top-level domain “.net” instead of “.gov.uk”
- Upon hovering over the link, you’ll see the URL is suspicious

Example 4: Client Impersonation

What’s wrong with this email?
- Unfortunately, in this case, there are no obvious giveaways that this is a phishing scam. However, if Joe, the tax accountant in this scenario, knew he hadn’t met or interacted with a woman named Karen Belmont, that could be a warning sign
- Individuals and organizations should always be wary of attachments and should have anti-malware and/or anti-virus protection in place
- This example demonstrates the importance of having policies in place to verify clients beyond email. And remember, there’s nothing wrong with being extra cautious this time of year.

Example 5: CEO Impersonation

What’s wrong with this email?
- The sender’s email address (@supplier-xyz.com) is inconsistent with the recipient’s email address (@supplierxyz.com)
- The attacker is impersonating the CEO, hoping that the target will be less likely to question the request; this is a common social engineering tactic
- The attacker is using urgency both in the subject line and the email copy to motivate the target to act quickly
- Because this is a zero-payload attack (an attack that doesn’t rely on a link or attachment to carry malware), anti-malware or anti-virus software wouldn’t detect the scam
Who will be targeted by Tax Day scams?

From the examples above, you can see that cybercriminals target a range of people with their Tax Day scams. Taxpayers, tax professionals, and businesses are all susceptible, and savvy attackers use different tactics for each. Here’s what you should look out for.

Taxpayers
- Attackers impersonate trusted government agencies like the IRS and HMRC, and third parties like tax professionals and tax software vendors
- Attackers use coercive language and the threat of missed deadlines or the promise of refunds to motivate their targets to act
- Many phishing emails contain a payload; this could be in the form of a malicious link or attachment

Tax Professionals
- Attackers impersonate either existing clients/customers or prospects. In either case, they pretend they need help with their tax return or tax refund
- Attackers use the lure of new business or the threat of losing a customer to motivate their targets to act
- Many phishing emails contain a payload; this could be in the form of a malicious link or attachment

Businesses
- Attackers impersonate CEOs, HR representatives, Finance Directors, or other individuals or agencies who need access to sensitive tax information
- Attackers are strategic in their impersonations of people in positions of power; people are less likely to question their superiors

What do I do if I’m targeted by a Tax Day scam?

While it’s true that attackers use different tactics and capitalize on different moments in time to trick their targets, individuals and businesses should always follow the same guidelines if they think they’ve received a phishing email.
- First and foremost, always, always, always check the sender. Confirm that the domain is legitimate and that the Display Name matches the email address. Be wary of any emails that aren’t from a “.gov” address.
- If anything seems unusual, do not follow or click links or download attachments
- Check for spelling errors or formatting issues. Be scrupulous! If anything feels off, proceed cautiously (see below)
- If the email appears to come from an individual you know and trust, like a colleague, customer, or client, reach out to the individual directly by phone, text, or a separate email thread
- If you’re an employee who’s been targeted, contact your line manager and/or IT team. Management should, in turn, warn the larger organization

The best way to avoid falling victim to one of these scams is to simply not provide any personal information until you have verified with 100% certainty that you’re communicating with a genuine agency, organization, or agent. Visit the organization’s website via Google or your preferred search engine, find a support number, and ask them to confirm that the request for information is valid.

More resources

As a security start-up, we’re committed to helping you stay safe. If you’re looking for more information on Tax Day scams, consult the following government websites: Advice from the IRS and Advice from HMRC. Looking for more advice about scams? Sign up to our newsletter below to get articles just like this, straight to your inbox.
ATO/BEC
What is Email Impersonation? Everything You Need to Know
16 March 2022
Email impersonation might not be the most sophisticated phishing method, but it’s simple, it’s widespread, and it can be devastating. Here’s why…

Email impersonation vs. email spoofing vs. account takeover

First, we need to describe “email impersonation” and distinguish it from some closely related concepts.
- Email impersonation: The attacker sets up an email address that looks like a legitimate email address (e.g. bill.gates@micr0soft.com – note the zero instead of an o in the domain name).
- Email spoofing: A technical process where the attacker modifies an email’s headers so the receiving email client displays a false email address (the sender’s email address is “fraudster@cybercrime.com,” but the recipient sees “billgates@microsoft.com” in their inbox).
- Account takeover: The attacker gains access to another person’s account (using hacking or stolen credentials) and uses it to send phishing emails.

Email spoofing and account takeover require some technical ability (or, at least, access to the dark web). With email impersonation, though, the attacker just needs to secure a domain that looks like it could belong to a legitimate business. This is easy (and cheap!) with domain registrars like GoDaddy. We explore different types of impersonation techniques below.

Phishing methods that use email impersonation

Cybercriminals can use email impersonation to facilitate any type of email-based phishing attack. There are some types of phishing in which email impersonation is particularly common, including:
- Business Email Compromise (BEC) — Impersonating a business
- CEO fraud — Impersonating a company executive and targeting one of their employees
- Whaling — Targeting a company executive

These are all among the more sophisticated and targeted types of phishing attacks. These types of attacks must employ email impersonation, email spoofing, or account takeover to be successful.

Types of email impersonation

Now we’ll look at the various ways a cybercriminal can impersonate an email address. To understand these, you’ll need to know about the different parts of an email address:

Each of these elements of an email address is relevant to a different type of email impersonation.

Root domain-based email impersonation

A company’s root domain is usually the most distinctive part of its email address. It’s the part immediately before the top-level domain (e.g. “.com”) — the “amazon” in “info@amazon.com”.

Root domain impersonation involves creating a root domain using replacement characters, so it looks like an email has arrived from a legitimate company. Here’s an example:
In this root domain impersonation, the attacker has replaced the “l” in “external” and “supplier” with a “1”. At first glance, the recipient might not notice this, and they might treat the email as though it has come from “External Supplier.”

Top-level domain-based email impersonation

The top-level domain is the part after the root domain: e.g., “.com”, “.jp”, or “.net”. The top-level domain usually denotes a country or a type of organization. For example:
- .com — Commercial organizations
- .uk — Internet country code for the UK
- .gov — US government agency

Sometimes, a second-level domain accompanies a top-level domain:
- .co.uk — Commercial organization from the UK
- .ac.jp — Higher education institution from Japan
- .waw.pl — Organization from Warsaw, Poland

Using top-level domain impersonation, a cybercriminal can create an authentic-looking email address that the recipient might assume belongs to a legitimate organization (if they even notice it). Here’s an example:

Here we have “externalsupplier.io” imitating “externalsupplier.com”. The top-level domain “.io” is actually registered to the British Indian Ocean Territory (BIOT), but Google treats it as “generic” because many non-BIOT organizations use it.

Subdomain-based email impersonation

A subdomain appears after the “@” sign, but before the root domain. For example, in “info@mail.amazon.com”, the subdomain is “mail”. Most email addresses don’t have a subdomain.

An attacker can use subdomains to impersonate a legitimate company in two main ways:
- Using a company’s name as a subdomain of the attacker’s domain. For example, in “info@amazon.mailerinfo.com”, “amazon” is the subdomain and “mailerinfo” is the domain.
- Splitting a company’s name across a subdomain and domain.

Here’s an example of the second type of subdomain impersonation:

Display name impersonation

A display name is how an email client shows a sender’s name. You can choose your display name when you sign up for an email account. We explore display name impersonation in more detail in this article: How to Impersonate a Display Name.

Display name impersonation exploits a bad habit of mobile email clients. On mobile, common email clients like Outlook and Gmail only display a sender’s display name by default. They don’t display the sender’s email address.

So, even an email address like “cybercriminal@phishing.com” might show as “Amazon Customer Services” in your mobile email client — if that’s the display name that the attacker selected when setting up the account.

But this isn’t a mobile-only problem. According to new research, just 54% of employees even look at the email address of a sender before responding or actioning a request. This is good news for attackers, and bad news for businesses.

Username impersonation

The username is the part of the email address that appears before the “@” symbol. For example, in “bill.gates@microsoft.com”, the username is “bill.gates”.

Username impersonation is the least sophisticated form of email impersonation, but it can still work on an unsuspecting target. This technique is sometimes called “freemail impersonation,” because scammers can register false usernames with Gmail or Yahoo. With this technique, they can create accounts that look like they could belong to your CEO, CFO, or another trusted person in your network. Here’s an example:
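The following checker is an added example, not Tessian’s product logic or code from this page: it splits a From: header into username, subdomain, root domain and TLD, then tests each impersonation type described above (root-domain lookalikes such as the “1” for “l” swap and the supplier-xyz.com case, TLD substitution, subdomain tricks, display-name claims and freemail usernames). All domains, the trusted list and the tiny public-suffix set are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Multi-label public suffixes named on the page (a real deployment would load the
# full Public Suffix List instead of this hand-picked set).
MULTI_LABEL_SUFFIXES = {"co.uk", "ac.jp", "waw.pl", "gov.uk"}

# Character swaps the article describes (l -> 1, o -> 0) plus two common extras.
HOMOGLYPHS = {"1": "l", "0": "o", "rn": "m", "vv": "w"}

# Free webmail providers used for "freemail impersonation" (constructed list).
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def split_address(addr):
    """Split 'user@sub.root.tld' into username, subdomain, root domain and TLD."""
    user, _, host = addr.lower().rpartition("@")
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        tld, rest = ".".join(labels[-2:]), labels[:-2]
    else:
        tld, rest = labels[-1], labels[:-1]
    return {"user": user, "host": host, "tld": tld,
            "root": rest[-1] if rest else "", "sub": ".".join(rest[:-1])}


def normalise(label):
    """Fold homoglyphs and drop hyphens so lookalike labels compare equal."""
    s = label.replace("-", "")
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s


def edit_distance(a, b):
    """Levenshtein distance; one edit catches an added or dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header, trusted_domains, trusted_users=()):
    """Compare a From: header against trusted domains and known usernames.

    Returns a list of findings; an empty list means the sender is a trusted
    domain (or a subdomain of one) and no impersonation pattern was seen.
    """
    display, addr = parseaddr(from_header)
    p = split_address(addr)
    if any(p["host"] == d or p["host"].endswith("." + d) for d in trusted_domains):
        return []
    findings = []
    display_words = re.findall(r"[a-z0-9]+", normalise(display.lower()))
    for dom in trusted_domains:
        t = split_address("x@" + dom)
        before = len(findings)
        same_tld = p["tld"] == t["tld"]
        root_norm, troot_norm = normalise(p["root"]), normalise(t["root"])
        # Root-domain impersonation: externa1-supp1ier.com, supplier-xyz.com,
        # or a single added/dropped letter such as the extra "r" in "interrnal".
        if p["root"] != t["root"] and same_tld and (
                root_norm == troot_norm or edit_distance(root_norm, troot_norm) == 1):
            findings.append(f"root-domain lookalike: {p['host']} vs {dom}")
        # Top-level-domain impersonation: externalsupplier.io vs externalsupplier.com.
        if p["root"] == t["root"] and not same_tld:
            findings.append(f"top-level-domain substitution: .{p['tld']} instead of .{t['tld']}")
        # Subdomain impersonation: amazon.mailerinfo.com, or the brand name split
        # across subdomain and root domain (external.supplier.com).
        if p["sub"] and p["root"] != t["root"]:
            if t["root"] in p["sub"].split("."):
                findings.append(f"brand used as subdomain of {p['root']}.{p['tld']}")
            elif normalise(p["sub"].replace(".", "") + p["root"]) == troot_norm:
                findings.append(f"brand split across subdomain and root domain: {p['host']}")
        # Display-name impersonation: reported only when the address itself bears
        # no resemblance to the brand, e.g. "Amazon Customer Services" <x@phishing.com>.
        if len(findings) == before and (
                troot_norm in display_words or troot_norm == "".join(display_words)):
            findings.append(f"display name '{display}' claims {dom} but address is {addr}")
    # Username impersonation: a known person's local part at a domain we don't trust.
    if p["user"] in trusted_users:
        kind = "freemail" if p["host"] in FREEMAIL else "untrusted domain"
        findings.append(f"username impersonation: {p['user']} at {kind} {p['host']}")
    return findings


if __name__ == "__main__":
    # Constructed samples; none of these domains come from a real incident.
    trusted = {"externalsupplier.com", "supplierxyz.com", "amazon.com", "irs.gov"}
    for hdr in ("External Supplier <billing@externa1-supp1ier.com>",
                "Amazon Customer Services <cybercriminal@phishing.com>",
                "Jane Doe <jane.doe@gmail.com>"):
        print(hdr, "->", assess_sender(hdr, trusted, trusted_users={"jane.doe"}))
```

A finding is a prompt for the out-of-band verification the Tax Day article recommends, not proof of fraud; a legitimately registered regional domain (amazon.co.uk against a trusted amazon.com) will also surface as a TLD substitution until it is added to the trusted list.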
More resources on email impersonation

Now that you know the basic techniques behind email impersonation, read our articles on preventing email impersonation, CEO fraud, and Business Email Compromise to find out how to protect your business from these cyberattacks.

You can also learn how Tessian detects and prevents advanced impersonation attacks by reading our customer stories or booking a demo. Not quite ready for that? Sign up for our newsletter below instead. You’ll be the first to know about new research and events and get helpful checklists and how-to guides straight to your inbox.
ATO/BEC
Why Enterprises Are Replacing Their SEGs With Microsoft and Tessian
By John Filitz
14 March 2022
The advancing sophistication of cybersecurity threat campaigns has brought legacy cybersecurity tools into sharp focus. Built for an on-premises world, these manual, rule-based approaches to cybersecurity are unable to ward off adaptive and increasingly intelligent attack methods.

On the other side of the coin are security leaders who are overwhelmed and overworked. This is largely due to the proliferation of threats, juxtaposed against managing their IT environments from a tooling and staff resource perspective.

Tool sprawl is reaching excessive levels that are simply impossible to manage. The average enterprise now has in excess of 45 cybersecurity tools deployed. Research shows that an excessive number of deployed tools leads to a decline in security effectiveness.

The bottom line: increasing complexity warrants tool rationalization.

Keep reading to learn:
- Why Secure Email Gateways (SEGs) have become redundant
- The powerful capabilities (and shortcomings) of Microsoft
- The benefits of replacing your SEG with Tessian + Microsoft

SEG redundancy

The effectiveness of legacy Secure Email Gateway (SEG) solutions is starting to receive due attention as email-related breaches continue to snowball. Depending on the statistic cited, the email threat vector accounts for anywhere between 80% and 96% of cybersecurity attacks.

Replacing SEGs represents a high-return, low-risk optimization opportunity, due to declining security effectiveness and the high degree of redundancy in the enterprise.

SEG security effectiveness is declining for two reasons:
- The majority of enterprises have adopted cloud-hosted productivity suites such as Microsoft 365, which natively provide SEG capabilities including malware, phishing and URL protection.
- SEGs rely on static, rule-based approaches that are ineffective in safeguarding email users and data from advanced threats.

Once a threat actor is able to bypass the SEG, they effectively have unmitigated access to carry out their threat campaign. This can (and often does) include Account Takeover (ATO), deploying exploit kits or, more damagingly, delivering ransomware. And little protection is offered against insider threats – a growing concern.

The powerful capabilities (and shortcomings) of Microsoft

Microsoft 365, which includes Exchange Online Protection (EOP) and Microsoft 365 Defender, provides a reasonable degree of email security that effectively makes the legacy SEG redundant.

M365 on E5 licensing provides the following capabilities:
- Anti-malware protection
- Anti-phishing protection
- Anti-spam protection
- Insider risk management
- Protection from malicious URLs and files in email and Office documents (Safe Links and Safe Attachments)
- Message encryption via issued PKI
- Audit logging
- Quarantine
- Exchange archiving

Microsoft alone, however, does not guarantee protection against advanced email threats. Significant gaps remain in Microsoft’s ability to protect against advanced social engineering campaigns that can result in business email compromise (BEC), ATO, or zero-day exploitation. These shortcomings are also reflected in Microsoft’s Service Level Agreement (SLA) exclusions, which for example exclude guarantees against zero-day exploits and phishing in non-English languages.

Microsoft + Tessian = Comprehensive security

This is where a next-gen behavioral cybersecurity solution like Tessian comes into play, providing advanced automated email threat detection and prevention capability.

With Tessian, no mail exchange (MX) records need to be changed. Tessian constructs a historical user email pattern map of all email behavior in the organization. The best-in-class algorithm is then able to detect and prevent threats that Microsoft or SEGs have failed to detect within 5 days of deployment.

This dynamic protection improves with each threat that is prevented, and unlike the in-line, static nature of SEGs, it ensures 24/7 real-time protection against all attack vectors, including insider threats. That is why leading enterprises are opting to displace their legacy SEG and augment Microsoft’s native security capabilities with Tessian.

Tessian Defender’s capabilities include:
- Advanced Spear Phishing Protection
- Advanced Attachment and URL Protection
- Internal Impersonation & CEO Fraud
- Advanced Spoof Detection
- Counterparty & Vendor Impersonation
- Brand Impersonation
- External Account Takeover
- Invoice Fraud
- Bulk Remediation
- Automated Quarantine
- Threat Intelligence
No black box threat visibility and intelligent risk mitigation

Beyond the cost and resource optimization realized by removing SEGs, Tessian clients see significant efficiency gains in the SOC due to the high degree of triage automation and a distilled view of the threats that matter – finding that needle in the haystack, in real time and in context.

For example, with one click, SOC analysts can bulk-remediate high-volume phishing campaigns (aka burst attacks) that are targeting the organization as they happen. Suspicious emails are also automatically quarantined, with threat remediation context provided.

The platform provides a single pane of glass, giving security and risk leaders visibility of how cybersecurity risk is trending in their organization and the types of threats thwarted, down to individual employee-level risk scoring.

Context-aware security awareness training

The context-aware security capability of Tessian extends to providing in-the-moment security awareness training to employees. The real-time security notifications flag suspicious and malicious emails received, offer a clear explanation, and educate employees in real time. Most enterprises experience a 30% click-through rate (CTR) on simulated phishing exercises – including our clients prior to deployment. Tessian clients see simulated phishing exercises returning a less than 5% CTR after deployment – illustrating the effectiveness of Tessian’s security awareness training.

Stopping threats, reducing complexity

Tessian enables security teams to focus on mission-critical tasks rather than manually and retroactively triaging security events that have already occurred. Legacy email security approaches relying on SEGs simply no longer have a place in an increasingly crowded cybersecurity stack. Leveraging Microsoft 365’s native capability together with Tessian presents an opportunity for security leaders to improve security while reducing complexity.

This is why, according to a Tessian-commissioned Forrester study, 58% of cybersecurity leaders are reevaluating legacy email security tools and approaches, and why 56% will be investing in behavioral email security solutions with automated detection capabilities.
ATO/BEC Integrated Cloud Email Security
Nation-States – License to Hack?
By Andrew Webb
10 March 2022
Traditionally, security leaders’ view of nation-state attacks has been ‘as long as you’re not someone like BAE Systems or a government, you’re fine’. But in the last three years nation-state attacks have doubled in number to over 200… and we’ve yet to see the full cyber impact of the war in Ukraine. Consequently, nation-state attacks are something all security leaders should be aware of and understand. Here’s what you need to know.

How a nation-state attack differs from a regular cyber attack

Nation-state attacks are typically defined as APTs, or advanced persistent threats – a term first defined in 2005. They are referred to as advanced because they have access to exploits and techniques that are more professional, more effective, and more expensive than those of the average criminal actor.

Nation-state attackers can have teams full of people that work a 24-hour shift and hand off every 8 hours. There’s also the question of the duration of an attack. APTs play the long game, and can sometimes take 18 to 24 months before any compromise takes place. The bottom line: nation-state hackers have the resources to wait for the perfect moment to strike.

What are the aims of a nation-state APT attack?

With the nearly unlimited money and resources of a nation-state, nation-state attackers can try every technique and tactic available until they eventually accomplish their goal. And those goals are nearly always political rather than purely criminal. APT attacks generally aim to do one of the following:
- Exfiltrate data containing military secrets or intellectual property
- Conduct propaganda or disinformation campaigns
- Compromise sensitive information for further attacks or identity theft
- Sabotage critical organizational infrastructure

Russia blurs this line in that it uses criminal activity in furtherance of political goals, and has been doing so for years. It also has an APT set whose objective is essentially disruption and discord, so that security teams and government agencies don’t know where to place their defense resources.

Which businesses are most at risk from a nation-state attack?

A sector all threat actor groups are interested in is Cleared Defense Contractors (CDCs). CDCs are businesses granted clearance by the US Department of Defense to access, receive, or store classified information when bidding for a contract or in other supporting activities.

One of the first APT attacks against CDCs was Titan Rain in 2003. Suspected Chinese hackers gained access to the computer networks of companies such as Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, and NASA, as well as UK Government departments and companies. What’s more, it’s believed that they were inside the network for over three years.

Infrastructure companies are also popular targets. US infrastructure companies such as Colonial Pipeline have been getting hit more and more frequently, and Ukraine suffered a power grid outage in 2015. And banks – especially national banks – are under continual attack; in light of the recent removal of Russia from the SWIFT payment system, western banks are presumed to be under increased threat of retaliation.

Softer secondary targets

Although traditionally targets with connections to the military bore the brunt of APTs, there are signs that this is spreading to other industries. In 2021 Microsoft shared detailed information regarding a “state-sponsored threat actor” based in China that targeted a wide range of entities in the U.S. — including law firms. The highly sophisticated cyber-attack used previously unknown exploits to infiltrate Microsoft Exchange Server software, so it’s reasonable to assume that if you have tangential connections to a political target of one of these countries, then you could be at risk.
As KC Busch, Tessian’s Head of Security Engineering & Operations, explains: “APTs might need to spend a million dollars to compromise their direct target. But if they can find a law firm connected with that target that doesn’t encrypt outbound comms or has adequate email protection, then they’re going to go for the law firm rather than the million-dollar target.”

This underscores the importance of not just your own cybersecurity posture, but that of every organization in your network or supply chain. You’re only as strong as your weakest link.

The phases of an APT attack

APT attacks come in three phases.

First, there’s network infiltration, typically achieved through compromised credentials. If compromised credentials aren’t an option, or defenses are particularly robust, nation-state attackers might use a zero-day attack. Countries can have teams that research and write their own zero-days, but more commonly they buy them from a gray market of third-party companies that aggregate exploits and sell them without much ethical thought about how they’re used.

This murky world of zero-day exploits and the people that broker them to governments and security agencies was chronicled by former New York Times cybersecurity reporter Nicole Perlroth in her recent book, ‘This Is How They Tell Me The World Ends’. Perlroth’s book highlights how, for decades, US government agents paid thousands, and later millions, of dollars to hackers willing to sell zero-days, and how they lost control of the market. The result is that zero-days are in the hands of hostile nations, who have the money to purchase them and a need to deploy them as they become rarer and more expensive.

The second phase is the expansion of the attack to spread to all parts of the network or system. As we’ve mentioned, APT attacks are not hit-and-run. With time on their side, hackers can wait patiently in the network before gaining full access to and control of it.

Thirdly, there’s the attack itself. This could involve collecting data and exfiltrating it, or disrupting critical infrastructure systems. Furthermore, several APT attacks have started with a distributed denial-of-service (DDoS) attack, which acts as a smokescreen while data amassed over what could be months or years is exfiltrated.

Notable nation-state attacks

The most sophisticated: Stuxnet is widely believed to have been developed by the USA and Israel for use against Iran’s uranium enrichment program. It disrupted the plant’s uranium centrifuges by varying their spin rate, but not enough to cause them to shut down. Furthermore, false data was displayed back to the controller, so employees thought everything was business as usual. Designed to be delivered by an infected USB stick, it could cross the air gap that protected the plant. However, it got out into the wild when an engineer took his infected laptop home from the plant and connected it to the internet.

The biggest: 2015’s Anthem breach (China was reported to be behind it) saw the sensitive personal data of approximately 78.8 million Americans fall into the wrong hands. Brian Benczkowski, the assistant attorney general in charge of the Department of Justice Criminal Division, called the Anthem hack “one of the worst data breaches in history.”

The data wasn’t ransomed back to the company, and the reasons for the attack remain unclear. In 2019 the DOJ unsealed an indictment charging two Chinese nationals for the attack, but any indication of the alleged hackers’ motives or affiliation was noticeably absent. Current thinking is that the data will be used for identity theft or to identify interesting individuals or government employees for further exploitation and attack. Only nation-states have the resources to process that much intel and find the 100 or so people whose credentials can be further targeted. As for Anthem, the breach cost them over $40 million to settle the resulting claims and clear up the mess.

What’s the future of nation-state attacks?

The Anthem breach and others led to a very loose set of guidelines on what is, and what is not, acceptable. This was hammered out between former President Obama and President Xi Jinping of China in 2015, but none of it has the force of law like the Geneva Convention. And with an actor like Russia currently in a highly aggressive position, it’s reasonable to expect an escalation until desired political goals are achieved.

Attack types are likely to evolve, too. One example: wipers. Unlike ransomware, where you pay the money and (hopefully) get your data back, a wiper displays its message as it erases all your data. Wipers are a class of malware with a narrowly targeted use, but if someone decided to let them loose, the damage could be astronomical. And worryingly, they’ve already been spotted in Ukraine.

How to protect your organization from nation-state attacks

The federal Cybersecurity & Infrastructure Security Agency (CISA) posted a bulletin, titled “Shields Up,” which includes an evolving overview of the current cyber threat environment and specific steps that organizations, corporate leaders, and CEOs can take to bolster their cyber defenses. We have more on those recommendations, as well as how to foster a risk-aware culture, in this blog post. Enacting these defenses and upskilling your team is the best way to protect your organization from nation-state attacks.

For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn.
ATO/BEC
18 Examples of Ransomware Attacks
04 March 2022
The ransomware crisis is getting out of control. With recent attacks on critical infrastructure, supply chain IT companies, and hospitals, the world is waking up to how serious this type of cyberattack can be.   IT leaders understand that ransomware is preventable—and they know how to protect against it. But still, increasingly many businesses are finding their computers locked, their files encrypted, or their customers’ personal data stolen.   From the widespread chaos caused by2017’s WannaCry attack to the recent REvil supply chain infection affecting up to 1,500 organizations—these 12 ransomware examples will help you understand what you’re up against.   Want to learn more about what ransomware is and how it’s delivered? Check out this article instead. 
Nvidia attempts “hack-back” after ransomware gang steals source code   After Nvidia fell victim to ransomware in late February 2022, the semiconductor giant didn’t take the attack lying down. Instead, Nvidia installed ransomware on the perpetrator’s own machines—but appeared not to solve its problem by doing so.   Nvidia was targeted by the ransomware group known as Lapus$, which stole the company’s source code, including a proprietary hash rate limiter that reduces the usefulness of Nvidia’s chips for cryptocurrency mining.   In an attempt to safeguard its intellectual property, Nvidia hired security experts to locate the attackers’ infrastructure and target it with a retaliatory ransomware strike.   While the revenge attack succeeded in infecting Lapus$’ computers—an act which, perhaps ironically, led the group to label Nvidia “criminals”—-Nvidia failed to retrieve its data as the group had backed it up.   In exchange for keeping Nvidia’s data private, Lapus$ demanded the company publish its GPU drivers as open source—in addition to paying a cryptocurrency ransom, of course.   Oil pipeline ransomware attack forces supply re-route   The BlackCat ransomware group launched a ransomware attack affecting 233 German gas stations on Jan. 29, 2022, causing disruption that forced oil company Shell to re-route supplies to different depots.   The attack is believed to have leveraged vulnerabilities in two software applications, Microsoft Exchange and Zoho AdShelf Service Plus1, enabling the attackers to exfiltrate “business secrets and intellectual property,” according to the German intelligence services.   The agency also said it feared the attackers might have infiltrated “the networks of customers or service providers” as part of the attack. In addition to rerouting supplies to avoid affected fuel depots, Shell said it may have to run some previously automated processes manually.   
The attack has been attributed to BlackCat, a cybercrime group that mainly targets US organizations but has extended its operations into Europe.
Flights disrupted after ransomware hits Swiss airport

Airport operator Swissport was hit by a ransomware attack on Feb 3, 2022, resulting in grounded planes and flight delays at Zurich international airport.

The attack on Swissport—which provides air cargo operations and ground services—resulted in the delay of 22 flights. Swissport managed to contain the ransomware threat relatively quickly and most critical systems appear to have remained unaffected.

But because the attack came a week after the series of ransomware attacks on European oil services (detailed above), researchers suspect that the Swissport attack may have been part of a coordinated effort to destabilize European infrastructure.

Attack on Puma exposes nearly half of workforce’s personal information

Sportswear giant Puma lost control of around half of its employees’ personal information in February 2022, after ransomware actors hit the company’s cloud provider, Kronos Private Cloud (KPC).

Puma was forced to provide notification of the data breach to the affected employees and to Attorney General offices in multiple states. News website Republic World reported that the breach led to the theft of data about 6,632 people.

Puma said no customer data had been leaked as a result of the attack, but that it had to resort to using “pencil and paper” to carry out certain business operations.
Ransomware strike on UK snack company threatens nation’s chips and nuts supply

A ransomware attack on UK food company KP Snacks made headlines in February 2022 after reports that it could lead to shortages of some of the nation’s favorite crisps (potato chips) and roasted nuts.

Following the incident, the snack firm wrote to stores warning them to expect significant disruption to supplies, with deliveries expected to be delayed and cancelled until “the end of March at the earliest.” The company said it could not “safely process orders” until it had contained the attack.

News website Bleeping Computer reported that cybercrime group Conti featured KP Snacks on its “data leak page,” showing examples of “credit card statements, birth certificates, spreadsheets with employee addresses and phone numbers, confidential agreements, and other sensitive documents” that the group had allegedly stolen from the company.

Ransomware attacks on Ukraine deemed a “decoy” for other cyber threats

Ukraine was hit by a variety of cyberattacks in the run-up to Russia’s invasion of the country in February 2022, including massive distributed denial-of-service (DDoS), data wiper and ransomware attacks.

Wiper attacks hit Ukrainian (and seemingly Lithuanian) servers on the morning of February 24, shortly before the Russian military launched an all-out war on the country. The wiper malware makes any device it infects unusable.

Researchers at Symantec said some ransomware attacks were also detected—but it’s possible that ransomware was used as a “decoy or distraction” from these other attacks.

In this case, ransomware’s disruptive nature made it the perfect distraction from the other cyberattacks that preceded Russia’s invasion.
Ransomware on candy manufacturer spoils Halloween

In October 2021, Ferrara—a candy manufacturer responsible for culinary delights such as SweeTarts, Nerds, Redhots, and Pixy Stix—announced a ransomware attack that could cause delays to production and affect Halloween deliveries.

The confectioner declined to reveal the extent of the damage caused by the attack but said it appreciated its customers’ “patience and understanding.”

Viewed in light of the hospitals, gas pipelines, and border agencies that have been hit by ransomware over the past year, Ferrara’s plight might seem insignificant—unless, perhaps, America’s trick-or-treaters start coming home with empty baskets.
Sinclair Broadcast Group: Ransomware shuts down TV stations

US TV company Sinclair Broadcast Group was hit with ransomware in October 2021. The company operates over 600 channels, and this ransomware attack reportedly caused chaos within Sinclair’s internal and external operations.

The attack broke Sinclair’s email and phone systems and left the company unable to air certain ads and TV shows. Sinclair’s share price also dropped 3% on the day it announced the attack.

Several days after the incident, the company was still reportedly in disarray, with an anonymous source inside the company telling Vice that the attacker had “done a very good job… either by accident or by design.”

That last part is important. Once ransomware starts spreading, it takes on a life of its own—and it can quickly get out of control, causing more damage than even the attackers might have anticipated.

Vice’s source also condemned Sinclair’s alleged lack of preparedness for the incident, reportedly asking of their bosses: “Did you not have a plan? Did you not think this was a possibility? (…) In 2021, how could you not have a plan?”

Olympus hit by ransomware twice in five weeks

Japanese medical tech firm Olympus was hit hard by ransomware on September 8, 2021. The attackers encrypted Olympus’ network, disrupting the company’s EMEA operations. But just as the med-tech firm was recovering, it was attacked again on October 10, 2021—just one month after the first incident. This time, the attack impacted Olympus’ operations in the Americas.

We don’t know much about these two incidents, except that they are suspected to have been carried out by the Evil Corp ransomware gang. The attackers also reportedly used “Macaw Locker”—a new communications tool designed to evade US sanctions rules that had previously prevented victims from entering into negotiations with the group.
Ransomware actors have been known to strike the same victims multiple times—either because they have found a vulnerability they can exploit or because they know that the target is likely to pay up.

Weir Group faces $55m lost profits following ransomware attack

Scottish multinational engineering company Weir Group used its Q3 trading update to announce that it had been hit by ransomware—and that it expected profits to shrink by around 40 million GBP (55 million USD) as a result.

According to Weir Group’s statement, the incident—which occurred in early September 2021—forced the company to shut down its IT systems, enterprise resource planning operations, and engineering applications. Weir Group also said it expected the impact of the attack to continue into Q4 2021.

As a result of the ransomware incident, Weir Group said it had experienced 5 million GBP (6.8 million USD) in direct losses. But the company also said that the disruption indirectly caused by the incident was likely to cost nearly ten times that amount.

A $55 million loss would be a substantial blow for a company that expects its yearly profits to be around $316 million to $336 million—and a stark reminder of how destructive ransomware can be.
Attack on Italian government agency exposes celebrities’ personal data

Ransomware isn’t just a cybersecurity threat—it can harm people’s privacy, too. In October 2021, an Italian public body responsible for safeguarding intellectual property rights—the Società Italiana degli Autori ed Editori (SIAE)—lost over 60 GB of data to the Everest ransomware group.

BleepingComputer later found this data—which reportedly included “national ID and driver’s license scans and documents relevant to contract agreements between SIAE and its members”—publicly available on Everest’s “extortion portal.”

The group appears to be selling the data for $500,000 after the SIAE failed to pay its ransom—a reminder that ransomware gangs will follow through on their threats. Italy’s data protection authority, the Garante per la Protezione dei Dati Personali (GPDP), is investigating the matter.

2017 WannaCry attack: The world’s first taste of how bad ransomware can get

Let’s start with an attack from several years ago—before “ransomware” was a household name—that shocked the world into taking cybersecurity more seriously.

The incident started in May 2017, when hackers infected a computer with the WannaCry ransomware. Within a day, users of over 230,000 computers worldwide found that their files had been encrypted—and that they could only retrieve their data by making a Bitcoin payment to the attackers.

How could WannaCry infect so many computers?

The original infection was initially believed to have resulted from a phishing email, but researchers later concluded that the ransomware took hold via a vulnerable SMB port.

From there, the infection spread to other computers that had not downloaded a recent Microsoft security update—the hackers used a tool called EternalBlue (developed by the U.S. National Security Agency) to exploit a zero-day vulnerability in Windows.

WannaCry caused chaos across multiple sectors in more than 150 countries.
The U.K.’s National Health Service (NHS) was particularly badly affected—hospitals even had to cancel operations due to the disarray caused by the attack.

The actual ransom payments—between $300 and $600 each—added up to a meager $130,634. But estimates of the overall costs associated with the attack range between hundreds of millions and billions of dollars.

Colonial Pipeline attack: ransomware affects critical infrastructure

On May 6, 2021, ransomware gang DarkSide hit the Colonial Pipeline Company, a utilities firm that operates the largest refined oil pipeline in the U.S., causing chaos at gas stations across the country and netting millions of dollars in the process.

Security analysts suspect that DarkSide gained access to Colonial’s systems via a single compromised password—possibly after purchasing it via the dark web.

The cybercriminals targeted Colonial Pipeline’s computer systems, stealing nearly 100 gigabytes of data and impacting the company’s billing operations—but not the actual technology enabling the flow of oil through the pipeline.

Nonetheless, the company halted oil supplies throughout the duration of the attack, sparking fuel shortages and panic-buying throughout parts of the southern U.S. and prompting the Biden administration to issue a state of emergency.

Colonial Pipeline paid the Bitcoin ransom of around $4.4 million. But the more significant impact was on wider society. Ransomware had affected the supply and cost of gas—the hackers had broken through to people’s everyday experiences.
Fake invoice leads to Ryuk ransomware infection

Wire transfer phishing—where cybercriminals commit online fraud using a fake invoice and a compromised email account—costs businesses billions each year. But in this mid-2020 case, a fake invoice led not to a fraudulent wire transfer but to a ransomware infection.

An employee at a food and drink manufacturer opened a malicious Microsoft Word file attached to an email, unleashing the Emotet and Trickbot malware onto their computer.

The malware created a backdoor into the organization’s systems, allowing the cybercriminals to gain access and deploy the Ryuk ransomware.

The company declined to pay the ransom in this case—but still incurred substantial costs. Over half of the organization’s systems were unusable for 48 hours, and the firm had to contract security experts to restore access.

Kaseya supply chain attack impacts 1,500 companies

The biggest ransomware attack on record occurred on July 2, 2021, when the REvil gang hit software company Kaseya. Organizations using Kaseya’s IT management software downloaded a malicious update that infected their computers with ransomware.

Victims received a ransom note informing them that their files had been encrypted. The note said users could retrieve their files by purchasing the cybercriminals’ $45,000 decryption software, payable in cryptocurrency.

The attack directly affected at least 60 firms—and it had downstream consequences for at least 1,500 companies. Even a Swedish supermarket chain was forced to close its doors after its payment processing equipment malfunctioned due to the attack.

A few days after the attack, a post on the cybercrime gang’s dark web page promoted a universal decryptor that could unscramble all data impacted by the attack—for the bargain price of $70 million.

The Kaseya ransomware attack was reminiscent of the notorious 2020 SolarWinds attack, which, while it did not involve ransomware, exposed the vulnerability of supply chains.

UK health service warns of Avaddon phishing attacks

In April 2021, the digital arm of the U.K.’s National Health Service (NHS) put out a warning about Avaddon ransomware, a type of ransomware that can “both steal and encrypt files” in “double extortion attacks.”

Avaddon typically arrives via a phishing email. The email contains a .jpeg or .zip file which acts as a downloader for the ransomware. In some cases, the application will terminate itself if it detects that you’re using a Russian keyboard layout. As mentioned, Avaddon not only encrypts your files—it can also steal and publicly leak them if you fail to pay the ransom.

What makes this double extortion method particularly harmful? Getting your important files encrypted is bad enough. You lose vital data and might need to cease operations until the situation is resolved.

But having your files stolen as well puts you at a heightened risk of penalties from regulators for failing to protect people’s personal data.

Stolen credentials lead to $4.4 million DarkSide attack

The North American division of chemicals distributor Brenntag lost around 150 gigabytes of company data in May 2021, when the DarkSide ransomware gang deployed ransomware on the company’s systems.

The cybercriminals reportedly demanded a $7.5 million ransom, which the chemicals company managed to negotiate down to $4.4 million—a sum it reportedly paid DarkSide on May 14 to prevent the compromised data from being published.

So how did DarkSide get access to Brenntag’s systems? It appears the cybercrime gang (or one of its affiliates) purchased some of Brenntag’s user credentials on the dark web.

Credentials are a prime target for cybercriminals and are one of the data types most commonly compromised in phishing campaigns. For more information, see What is Credential Phishing?
COVID-19 testing delayed after Irish hospitals hit by ransomware   When Irish hospitals were attacked by a ransomware gang in May 2021, patient data was put at risk, appointments were cancelled, COVID-19 testing was delayed—and the world saw once again how far cybercriminals were willing to go to make money.   The hackers are believed to have targeted a zero-day vulnerability in a virtual private network (VPN) operated by the Irish Health Service Executive. The Russian cybercrime group responsible for the attack, known as Wizard Spider, reportedly demanded a $19,999,000 ransom.   After the Irish prime minister publicly declared that the country would not be paying the ransom, the healthcare system was forced to resort to keeping records on paper until the situation was resolved.
ATO/BEC Threat Intel
Analysis of a Microsoft Credential Phishing Attack
By Charles Brook
25 February 2022
Credential harvesting via phishing remains a significant threat to organizations. In early February 2022, we detected a credential harvesting campaign leveraging a fake Microsoft Outlook login page. Although Secure Email Gateways (SEGs) have URL rewriting protection capability, these types of phishing efforts typically go undetected through the use of obfuscation techniques such as using superscript tags to hide the malicious code.
Summary of the attack

An email impersonating Microsoft was sent using Amazon Simple Email Service targeting multiple individuals at a specific organization. The email informed recipients their password was due to expire and they needed to follow a link to reset it.

The link in the email followed multiple redirects before landing on a credential phishing site impersonating the Microsoft Outlook login page. Analysis of this attack reveals it to be related to a known phishing as a service (PhaaS) site where anyone can purchase tools and services for phishing.

Email Content

Below is a screenshot of the malicious email with a malicious link to reset the password. Note the usage of language (albeit with typos) expressing urgency around changing the end user’s password.
The threat actor sent the target recipients a request to change their Microsoft password that included a malicious link that would redirect to a credential harvesting website. Tailored to specific targets, the emails also appeared to be sent from an AWS Apps server using the Amazon Simple Email Service and passed security checks including SPF, DKIM and DMARC, meaning it is unlikely to be flagged as malicious.    Given the email appears to have been sent via Amazon SES, there is a chance the attacker may have compromised an AWS account. Alternatively they could have registered an account for the sole purpose of sending these emails and passing security checks since Amazon will be seen as a reputable sender.
Email body

When viewed from a mail reader these emails are fairly easy for the trained eye to spot. The main indicators are the grammatical errors that are common amongst phishing emails, as well as the suspicious link clickable from the button.

But underneath the message displayed was further evidence of the attacker going to great lengths through common phishing obfuscation techniques to make these emails difficult to detect.

The email body was base64 encoded, which is not that uncommon for emails but is still a technique attackers use to obfuscate the content of an email. Decoding this revealed the HTML used to construct the email. When focusing on the email body we find the attacker has added a series of HTML elements distributed randomly between the letters in the message.
Specifically the attacker has used superscript HTML tags to obfuscate the email body against common email security tools like SEGs.

<sup style="display: none;">YYCZPYYCZP</sup>

The attacker has added “display: none;” styling to each tag, meaning the content of the element won’t appear in the displayed email. This means the recipient will only see the intended message displayed to them in a mail reader, while making it difficult for legacy email security tools to pick up on any of the keywords that would indicate this as a phishing email.
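The practical consequence of this trick is that a scanner which strips tags and then looks for keywords sees the junk strings spliced into the words, while the recipient sees clean text. The following Python is an added example (not Tessian's code or the campaign's) showing the difference: a naive tag-stripper beside a parser that drops every element hidden with display: none before keyword matching. The sample HTML and the keyword list are constructed to mirror the obfuscation described above.

```python
import re
from html.parser import HTMLParser

# CSS properties that make an element invisible in a mail client.
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px|pt)?(?![.\d])",
    re.I,
)
# Elements that never carry a closing tag, so they must not touch the stack.
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col"}


class RenderedText(HTMLParser):
    """Collects only the text a mail client would actually display."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self.stack = []  # one bool per open element: True if it is hidden

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        self.stack.append(bool(HIDDEN_STYLE_RE.search(style)))

    def handle_endtag(self, tag):
        if self.stack:
            self.stack.pop()

    def handle_data(self, data):
        # Text is visible only if no enclosing element is hidden.
        if not any(self.stack):
            self.parts.append(data)


def naive_text(html_body):
    """What a tag-stripping scanner sees: every text node, hidden or not."""
    return " ".join(re.sub(r"<[^>]+>", "", html_body).split())


def rendered_text(html_body):
    """What the recipient sees: text outside any display:none element."""
    parser = RenderedText()
    parser.feed(html_body)
    parser.close()
    return " ".join("".join(parser.parts).split())


def find_keywords(text, keywords):
    """Return the sorted list of phishing keywords present in `text`."""
    lowered = text.lower()
    return sorted(k for k in keywords if k.lower() in lowered)


# Constructed sample mirroring the campaign's obfuscation: junk inside
# hidden <sup> tags splits the keywords a scanner would look for.
SAMPLE_HTML = (
    '<p>Your pass<sup style="display: none;">YYCZPYYCZP</sup>word is due to '
    'ex<sup style="display: none;">YYCZPYYCZP</sup>pire today. '
    'Click <a href="https://example.invalid/reset">Keep My Pass'
    '<sup style="display: none;">YYCZPYYCZP</sup>word</a> to keep it.</p>'
)
KEYWORDS = ("password", "expire", "keep my password")

if __name__ == "__main__":
    print("naive   :", naive_text(SAMPLE_HTML))
    print("rendered:", rendered_text(SAMPLE_HTML))
    print("naive keywords   :", find_keywords(naive_text(SAMPLE_HTML), KEYWORDS))
    print("rendered keywords:", find_keywords(rendered_text(SAMPLE_HTML), KEYWORDS))
```

The point for detection engineering is to normalise to rendered text before any keyword or phrase rule runs; the same stack-based approach extends to zero-width characters, zero-height images and similar hiding techniques.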
By removing the superscript tags from the code we can more clearly see the message left behind that was displayed to the recipient.

Phishing URL

The email contained a phishing URL with the recipient address auto-populated at the end. The URL was added to a button labeled “Keep My Password”.

Phishing link embedded in HTML email body
The phishing link also contained a second URL nested in the query component of the first. The attacker is abusing an open redirect function in a well-known affiliate marketing network called Awin to redirect victims to the malicious site.

Phishing link from email:
hxxps://awin1.com/awclick.php?mid=2584&amp;id=201309&amp;p=hxxps%3a%2f%2fpcbmwc[.]org/fr#<recipient>@<domain>[.]com

Which redirects to:
hxxps://pcbmwc[.]org/fr#<recipient>@<domain>[.]com

The redirects are incorporated to bypass initial URL security checks common in legacy email security tools. Most security tools scanning URLs are likely to focus on the domain from the initial URL ‘awin1[.]com’ and recognise it as safe.

The domain in the nested URL ‘pcbmwc[.]org’ appears to belong to a Buddhist monastery based in Patiya, Bangladesh. The site appears to be fairly basic and low budget; it is likely the attacker compromised this site and is using it to host part of their malicious infrastructure – an increasingly common tactic for phishing attacks.

The initial URL leads you to an apparently blank page. The source code reveals there is a script checking to make sure there is still an email address present at the end of the URL after the ‘#’. This is intended to be the target’s email address.
If there isn’t an email address appended to the end of the URL then nothing will happen and you will stay on the blank page. If there is an email address included at the end, then the script redirects the target to the final landing page for the phishing site with that email address still included in the URL.   Link to the final phishing site:   hxxps://fra1.digitaloceanspaces[.]com/loskmwaksilopa/%23%25%5EE%26UY%23%26W%26%28%40.html#<recipient>@<domain>[.]com
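A scanner that judges the link by its first domain misses both signals described above: the nested destination in the query string and the recipient address riding in the fragment. The Python below is an added example (not from the article or any product) that unwraps nested URLs hop by hop and reports what a defender should actually look at. The sample link is constructed to have the same shape as the campaign's (redirector host, target in parameter p, address after #); the hostnames are placeholders.

```python
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

EMAIL_RE = re.compile(r"^[^@\s/]+@[^@\s/]+\.[^@\s/]+$")
MAX_HOPS = 5  # guard against redirect loops in crafted links


def nested_url(url):
    """Return the first http(s) URL carried in a query parameter, or None."""
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        candidate = unquote(value).strip()
        if candidate.lower().startswith(("http://", "https://")):
            return candidate
    return None


def unwrap_redirects(url):
    """Follow nested URLs hop by hop and return every hop, outermost first.

    A browser keeps the fragment of the URL it was given when a redirect
    target has none, so the recipient address after '#' survives each hop;
    the same rule is applied here so the final hop looks as the victim sees it.
    """
    chain = [html.unescape(url)]  # '&amp;' in HTML source becomes '&'
    for _ in range(MAX_HOPS):
        outer = urlsplit(chain[-1])
        inner = nested_url(chain[-1])
        if inner is None:
            break
        if "#" not in inner and outer.fragment:
            inner = f"{inner}#{outer.fragment}"
        chain.append(inner)
    return chain


def fragment_email(url):
    """Return the email address in the URL fragment, if there is one."""
    frag = unquote(urlsplit(url).fragment)
    return frag if EMAIL_RE.match(frag) else None


def assess(url, trusted_hosts):
    """Summarise what a scanner should look at instead of the first domain."""
    chain = unwrap_redirects(url)
    first_host = urlsplit(chain[0]).hostname or ""
    final_host = urlsplit(chain[-1]).hostname or ""
    return {
        "hops": len(chain) - 1,
        "first_host": first_host,
        "final_host": final_host,
        # A trusted first hop that forwards elsewhere is the open-redirect pattern.
        "open_redirect": len(chain) > 1 and first_host in trusted_hosts,
        "recipient_in_fragment": fragment_email(chain[-1]),
    }


# Constructed link with the same shape as the one in the campaign:
# affiliate-style redirector, nested target in parameter 'p', recipient after '#'.
SAMPLE_LINK = (
    "https://redirector.example/awclick.php?mid=1&amp;id=2"
    "&amp;p=https%3a%2f%2fcompromised-site.example/fr#alice@victim.example"
)

if __name__ == "__main__":
    for hop, u in enumerate(unwrap_redirects(SAMPLE_LINK)):
        print(f"hop {hop}: {u}")
    print(assess(SAMPLE_LINK, trusted_hosts={"redirector.example"}))
```

Reputation checks should then be applied to final_host rather than first_host, and a recipient address carried in the fragment is itself a strong indicator, since legitimate password-reset links do not pre-fill the victim's address that way.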
Phishing Site

Clicking the link from the original email will lead to the page below with the target’s email captured in the URL. The site is designed to resemble the Microsoft Outlook login page where you are prompted to enter your password. Looking at the source code for this site, it appears to be based on a previously seen template also used for Microsoft credential harvesting but with a few alterations.
To look as legitimate as possible, the site borrows graphics and styling directly from Microsoft-owned CDNs. Entering a password into the box provided and clicking ‘Sign in’ would result in the email address from the URL and the password being captured and submitted through an AJAX POST request to a PHP file hosted on a separate server.

PHP file:
hxxps://moliere[.]ma/aX3.php

The domain in the link to the PHP script appears to belong to a consulting firm based in Casablanca. If legitimate, then it too has likely been compromised by the attacker to host malicious infrastructure.

This script will most likely be what the attacker uses to harvest the credentials. It will either send the credentials to the attacker directly or store them in a location accessible by the attacker.

The source code of the site includes some jQuery scripts to perform a number of actions with the aim of making the site look and feel legitimate. This includes sections to provide feedback to the victim such as error messages and progress bars. One section checks to make sure the password entered isn’t blank and is more than one character long. Another section displays a fake progress bar after clicking sign in to give the illusion of a genuine login taking place.

If the credentials are submitted successfully then the victim is redirected to a genuine Microsoft login page and presented with the login screen again. The victim will assume that they entered their credentials incorrectly the first time and just carry on.

Another observation from the source code is that whoever wrote or borrowed the code has replaced most of the variable names and tag IDs with strings of seemingly random characters.

On closer inspection these random strings appear to be composed of various keyboard walk patterns. A keyboard walk is when you type a series of characters in the order they appear on the keyboard, for example ‘qwerty’ or ‘asdfg’, often done by dragging a finger across the keyboard.
This has been done deliberately to make the code more difficult to read and follow without clearly labeled variables.
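Keyboard-walk identifiers are easy to flag mechanically, which makes them a useful triage signal when comparing a new kit against earlier templates. The Python below is an added example, not code from the article or from the kit: it scores a string by how many of its consecutive characters are neighbours on a QWERTY row and lists the variable names and id/name attributes in a page source that score highly. The HTML/JS snippet is constructed in the style the article describes; the 0.8 threshold and the row-only adjacency rule are assumptions.

```python
import re

# Physical order of keys on a US QWERTY layout, one string per row.
QWERTY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
KEY_POS = {ch: (r, c) for r, row in enumerate(QWERTY_ROWS) for c, ch in enumerate(row)}


def walk_ratio(s):
    """Fraction of adjacent character pairs that sit next to each other on a row."""
    s = s.lower()
    if len(s) < 3:
        return 0.0
    hits = 0
    for a, b in zip(s, s[1:]):
        pa, pb = KEY_POS.get(a), KEY_POS.get(b)
        if pa and pb and pa[0] == pb[0] and abs(pa[1] - pb[1]) == 1:
            hits += 1
    return hits / (len(s) - 1)


def is_keyboard_walk(s, threshold=0.8):
    """True when nearly every step of the string is a neighbouring key."""
    return walk_ratio(s) >= threshold


# JS variable declarations and HTML id/name attributes, the places the kit renamed.
IDENT_RE = re.compile(
    r"\b(?:var|let|const)\s+([A-Za-z_$][\w$]*)|\b(?:id|name)=[\"']([^\"']+)[\"']"
)


def suspicious_identifiers(source):
    """Return identifiers in page source that look like keyboard walks, in order."""
    found = []
    for m in IDENT_RE.finditer(source):
        name = m.group(1) or m.group(2)
        if is_keyboard_walk(name):
            found.append(name)
    return found


# Constructed snippet in the style the article describes (not the kit's code).
SAMPLE_SOURCE = """
<input type="password" id="asdfgh" name="zxcvbn">
<script>
var qwerty = document.getElementById("asdfgh");
var hjkl = qwerty.value;
var loginfmt = document.getElementById("asdfgh");
</script>
"""

if __name__ == "__main__":
    for name in suspicious_identifiers(SAMPLE_SOURCE):
        print(f"{name}: walk ratio {walk_ratio(name):.2f}")
```

Ordinary identifiers such as loginfmt or password score low because their letters jump between rows, so the heuristic separates deliberately scrambled names from the template's original ones without a dictionary.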
Phishing as a Service (PhaaS)

The primary features and indicators from this phishing attack point to it being related to the BulletProofLink (aka BulletProftLink) phishing as a service site, which was detected and analyzed by Microsoft in late 2021.

This site offers phishing kits for sale to anyone and also offers infrastructure to host and run malicious campaigns from. Phish kits or services will typically be available for sale for around $200.
Although there were some differences for the specific campaign analyzed here, the attack chain observed is virtually identical to that mapped out by Microsoft.  
This credential harvesting attempt is a good example of what is becoming a particularly common modus operandi to compromise an organization’s credentials and information system. The unfortunate reality is that such attempts have a high success rate of bypassing legacy and native email security controls. Threat actors are able to achieve this success through the use of obfuscation techniques that are tried and tested repeatedly against static, rule-based email security controls, until the desired outcome is achieved.   
With the continuously advancing sophistication of phishing attacks, it becomes a matter of when, and not if, an organization’s legacy email security controls will be circumvented. Behavioral cybersecurity solutions like Tessian are increasingly seen as a gamechanger and a necessity to ward off advanced social engineering-based attacks. Tessian detects and prevents phishing attacks such as the one discussed on a daily basis for our clients. It does this by scanning not only the URL links but all of the fields contained in an email, and compares these against a historical mapping of the email ecosystem to determine, using machine learning, whether the email is malicious or safe. End-users then receive in-the-moment security warnings prompting them towards safer action.
Appendix: Indicators

Email Body (decoded)
<sup style="display: none;">YYCZPYYCZP</sup>

URLs
hxxps://awin1.com/awclick.php?mid=2584&amp;id=201309&amp;p=hxxps%3a%2f%2fpcbmwc[.]org/fr#
hxxps://pcbmwc[.]org/fr#
hxxps://fra1.digitaloceanspaces[.]com/loskmwaksilopa/%23%25%5EE%26UY%23%26W%26%28%40.html#
hxxps://moliere[.]ma/aX3.php

Appendix: MITRE ATT&CK Framework

The tactics and techniques used by the threat actor can be inferred based on analysis of the email and the phishing site that was active at the time of receipt.

TA0043: Reconnaissance
T1589: Gather Victim Identity Information
T1589.002: Email Addresses
T1595: Active Scanning

The attacker will have gathered email addresses to target either from data breaches dumped on the Internet or by scanning the target organizations’ public facing website for addresses, which will have most likely been found on their people page.

TA0042: Resource Development
T1584: Compromise Infrastructure
T1584.004: Server
T1588: Obtain Capabilities
T1608: Stage Capabilities
T1608.005: Link Target

The attacker will either have developed or obtained the scripts and pages used to construct their malicious email through a phishing as a service site. It also appears they may have compromised vulnerable web servers to host some of their malicious infrastructure used for harvesting credentials, including the redirection page, the malicious login page and the PHP script to collect the credentials. This could also have been provided as part of a PhaaS package.

TA0001: Initial Access
T1566: Phishing
T1566.002: Spear Phishing Link

The attacker sent emails impersonating Microsoft containing a phishing link aimed at harvesting credentials. These emails were sent from an AWS Apps server via Amazon SES, meaning the attacker may have compromised an existing AWS account or set one up for this campaign.

TA0005: Defense Evasion

A number of techniques were employed to evade detection.
The first is the use of Amazon SES to make emails appear reputable and pass security checks. The attacker also obfuscated the message in the email by placing hidden HTML elements at random intervals, making it difficult for security tools to pick up on keywords.   An open redirect was also used in the phishing URL to send the recipient to the malicious site via a trusted one first. Security tools and the recipient will often see the domain for the trusted site and assume the URL is safe.
ATO/BEC Integrated Cloud Email Security
Playing Russian Roulette with Email Security: Why URL Link Rewriting Isn’t Effective
By John Filitz
18 February 2022
Malicious URL link-based attacks are tried and tested methods for threat actors to compromise information systems. Although legacy Secure Email Gateway (SEG) vendors offer URL link rewriting protection – also referred to as time-of-click protection – there are significant limitations in the degree of protection provided by this security control.

Unlike behavioral cybersecurity solutions like Tessian that dynamically and in real time scan all of the content in an email, including URL links and attachments, SEGs rely on a manual, rule-based threat detection approach. But with this approach, your protection is only as effective as the rules and policies you have created, combined with the relevancy of your threat detection engine.

The static approach to malicious URL link detection by SEGs explains why zero-day threats often get through defenses. And the lack of machine learning scanning capability also explains why threat actors are able to successfully hide malicious URLs either as attachments or even in plain text. For example, APT39 successfully leveraged malicious URL links that were hidden or attached in phishing emails to carry out an elaborate espionage and data gathering campaign across multiple jurisdictions. Similar attacks are usually but not exclusively motivated by credential harvesting for Account Takeover (ATO) purposes.
How URL link rewriting protection works   SEGs that offer URL link rewriting typically scan and rewrite URLs that are contained in any inbound email via its own network. This means all links contained in any email received through the gateway are rewritten via the email security vendor’s system.     URL link rewriting detects malicious URL links at the time of a user clicking on the link by analyzing the link against key criteria specified in the security rules and policies, as well as against its threat repository of known malicious URLs.    When it comes to the security rules and policies, SEGs require the security admin to set the degree to which URL categories are scanned and also allows select email groups in an organization to be included or excluded. The scanning intensity settings typically range from relaxed, moderate to aggressive.    If a URL link is determined to be malicious based on rules and policies, as well as the reputation of the link, the end-user will be notified and warned against accessing the malicious URL.
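A reduced model of the rewrite-then-check-at-click flow just described, added here as an example and not taken from any SEG vendor's implementation. At delivery time every href is replaced with a gateway link that carries the original destination as a signed token; at click time the gateway verifies the token and evaluates the destination against its rules (here, a host blocklist standing in for the rules, policies and reputation data). The gateway host safelinks.example, the signing key and the sample hosts are assumed placeholders.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlsplit

GATEWAY = "https://safelinks.example/click"  # hypothetical rewriting endpoint
HREF_RE = re.compile(r'href="(https?://[^"]+)"')


def _sign(key, url):
    """Authenticate the wrapped destination so the token cannot be forged."""
    return hmac.new(key, url.encode(), hashlib.sha256).hexdigest()


def wrap_url(url, key):
    """Replace a destination with a gateway link carrying it as a signed token."""
    token = base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")
    return f"{GATEWAY}?{urlencode({'u': token, 'sig': _sign(key, url)})}"


def rewrite_links(html_body, key):
    """Delivery-time step: every href in the message now points at the gateway."""
    return HREF_RE.sub(lambda m: f'href="{wrap_url(m.group(1), key)}"', html_body)


def unwrap_url(rewritten, key):
    """Click-time step: recover the destination, or None if the token is invalid."""
    query = parse_qs(urlsplit(rewritten).query)
    token = query.get("u", [""])[0]
    sig = query.get("sig", [""])[0]
    try:
        url = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    if not hmac.compare_digest(sig, _sign(key, url)):
        return None
    return url


def check_click(rewritten, key, blocked_hosts):
    """Evaluate the destination against the rules available at click time."""
    url = unwrap_url(rewritten, key)
    if url is None:
        return ("invalid", None)
    host = urlsplit(url).hostname or ""
    return ("block" if host in blocked_hosts else "allow", url)


# Constructed inputs; the key and hosts are placeholders, not real infrastructure.
KEY = b"constructed-demo-signing-key"
SAMPLE_EMAIL = (
    '<p>Your password expires today. '
    '<a href="https://reset.example/account?id=7">Keep My Password</a></p>'
)

if __name__ == "__main__":
    rewritten = rewrite_links(SAMPLE_EMAIL, KEY)
    print(rewritten)
    link = HREF_RE.search(rewritten).group(1)
    print(check_click(link, KEY, blocked_hosts={"reset.example"}))
    # The check only sees the first hop: a trusted host that forwards
    # elsewhere is judged on its own name, not on where it sends the user.
    hop = wrap_url("https://trusted.example/r?p=https://evil.example/", KEY)
    print(check_click(hop, KEY, blocked_hosts={"evil.example"}))
```

The last call in the block shows the structural limit that the rest of this article is about: the verdict depends entirely on what the blocklist knows about the first-hop host at the moment of the click, so a freshly registered domain or a trusted site with an open redirect passes on its own reputation.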
Five shortcomings of URL link rewriting protection

1. URL link rewriting is an overly manual security control prone to human error

URL link rewriting, or time-of-click protection, requires a significant degree of manual security rule and policy orchestration. Because of the post-delivery approach of allowing malicious URLs to be delivered and only scanning URLs when they are clicked, without well-configured URL detection rules and policies the security effectiveness of this static control is significantly compromised. The static nature of URL policy and rule orchestration also opens up the probability of human error introducing security risk, by either failing to set the appropriate degree of URL scanning intensity, or failing to include the appropriate user groups.

2. URL link rewriting is ineffective at protecting against zero day attacks

URL link rewriting offers protection against known threats only. It offers limited protection against zero day attacks. For example, registering new domains or hijacking existing “trusted” domains are popular methods of evasion by threat actors. Once the threat actor has evaded security controls (i.e. passed through the gateway), they have unfettered access to end-users who are under the impression that the email and the included URL link have been scanned and are safe. Usually the malicious URL threat detection engine is only updated after a successful compromise.

3. URL link rewriting lacks the intelligence to detect advanced phishing subterfuge

Threat actors find sophisticated ways to obfuscate malicious URLs. They typically do not include malicious URLs in the email itself but hide them behind “safe” URL redirects, or in attachment types that are not commonly used or fall outside the ambit of the security policy. Upon opening the file or clicking on the URL link, victims are taken to what appears to be a legitimate website, which then redirects to a malicious website posing as a trusted service provider.

4. Protection starts and stops at the gateway

URL link rewriting can be bypassed from within the organization via a lateral phishing attack. Malicious URLs can be sent from trusted sources within the organization and thereby miss the gateway protection entirely.

5. If all you have is a hammer, everything looks like a nail

URL link rewriting offers no protection against cross-site scripting (XSS) attacks. In this type of attack, threat actors send a benign-looking URL link to a victim, usually pointing to a legitimate but recently compromised website. Here the threat actor is able to capture credentials from the victim, for example on a log-in page of the compromised website. Legacy email security solutions would have determined that the link is “safe” even if the email was received from an unknown or suspicious party.
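As an added illustration (not any vendor’s implementation), here is a minimal Python sketch of the rewrite-at-delivery, check-at-click mechanism described above; the gateway host, signing key and known-bad list are constructed placeholders. The second sample link shows shortcoming 2 in action: a domain that is not yet in the threat repository passes the time-of-click check.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

# Hypothetical gateway settings: placeholder click endpoint and a constructed demo key.
GATEWAY_CLICK_URL = "https://links.gateway.invalid/click"
GATEWAY_KEY = b"constructed-demo-key-not-for-production"

# Constructed "threat repository" of hostnames already known to be malicious.
KNOWN_BAD_HOSTS = {"evil-login.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _sign(url: str) -> str:
    """Short HMAC tag so the click endpoint can reject tampered wrapped links."""
    return hmac.new(GATEWAY_KEY, url.encode(), hashlib.sha256).hexdigest()[:16]


def rewrite_links(body: str) -> str:
    """Gateway side, at delivery: replace every URL in the body with a wrapped one.

    The original URL travels in the query string, so the verdict is deferred
    until the recipient actually clicks (time-of-click protection).
    """
    def wrap(match: re.Match) -> str:
        original = match.group(0)
        return f"{GATEWAY_CLICK_URL}?u={quote(original, safe='')}&s={_sign(original)}"
    return URL_RE.sub(wrap, body)


def time_of_click(wrapped_url: str) -> dict:
    """Click endpoint: verify the tag, then check the host against the repository."""
    params = parse_qs(urlparse(wrapped_url).query)
    original = params.get("u", [""])[0]
    tag = params.get("s", [""])[0]
    if not hmac.compare_digest(_sign(original), tag):
        return {"verdict": "tampered", "url": original}
    host = (urlparse(original).hostname or "").lower()
    if host in KNOWN_BAD_HOSTS:
        return {"verdict": "blocked", "url": original}
    # Anything not yet in the repository falls through as "allowed": this is
    # the zero-day gap, since a freshly registered domain has no reputation yet.
    return {"verdict": "allowed", "url": original}


def wrapped_links(body: str) -> list:
    """Return the wrapped URLs found in a rewritten body, in order of appearance."""
    return URL_RE.findall(rewrite_links(body))


if __name__ == "__main__":
    # Constructed sample message with one known-bad and one never-seen link.
    sample = ("Please confirm your account at https://evil-login.example/reset "
              "or the new portal https://brand-new-lookalike.example/reset")
    for link in wrapped_links(sample):
        print(time_of_click(link))
```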
The need for intelligent email security

Email-based attacks remain the overwhelming favorite attack vector. The forever evolving and advancing nature of email-based threats has placed the effectiveness of legacy email security controls into sharp focus.

With its static orchestration and binary threat detection approach, URL link rewriting is the embodiment of legacy approaches to addressing email security risk. Simply stated, this security control is no longer fit for purpose in a dynamic threatscape where threat actors are continuously honing their capabilities at circumventing rule-based security controls.

Only by leveraging email security solutions that have machine learning and contextually aware scanning capability can you significantly improve your email security posture. See why CISOs at some of the leading organizations around the world are selecting Tessian as the advanced email security provider of choice. Book a demo now.
ATO/BEC
Phishing 101: What is Phishing?
17 February 2022
First things first: let’s answer the question at hand.
That’s the short and sweet definition. But there’s more you need to know. Phishing is a common type of social engineering attack that cybercriminals have been conducting for decades. In this article, we’ll take a look at some different types of phishing, how these differ from “traditional” phishing, and how phishing attacks work. Wondering what social engineering is? Check out this article, which includes plenty of real-world examples.

Definitions of phishing

If you look at the definition above, you’ll notice we made an important distinction in the last sentence. “Phishing is typically bulk in nature and not personalized for an individual target.” But oftentimes you’ll hear the word “phishing” used as an umbrella term to cover many types of online social engineering attacks, including:

• Spear phishing: A phishing attack targeting a specific individual
• Whaling: A phishing attack targeting a company executive
• Smishing: Phishing via SMS
• Vishing: Voice phishing, via phone or VoIP software

What links all these types of attacks? They all involve some form of “impersonation” — the attacker pretends to be a person or institution that the target is likely to trust. But in this article, we’ll focus on traditional “spray and pray” phishing attacks. It’s one of the most straightforward types of online social engineering attacks.

Importantly, this “old-school” form of cybercrime is distinct from all the examples above because:

• Unlike smishing or vishing, phishing attacks occur via email.
• Unlike spear phishing and whaling, traditional phishing isn’t targeted. Attackers send phishing emails indiscriminately, rather than emailing a specific individual.

If you’re scratching your head trying to figure out how phishing is different from spam, we’ve answered all your questions in this article: Spam vs. Phishing: The Difference Between Spam and Phishing.

How phishing works

Let’s take a real-life example of a phishing attack to see how this type of cybercrime works.
It appears to come from a brand most of us know and trust: Netflix.
So, what makes it a phishing email? The “UPDATE ACCOUNT NOW” button leads to a malicious website (not Netflix’s genuine website) designed to steal payment information. But the average person wouldn’t know that.

• The email arrived from “info@mailer.netflix.com” — a person could reasonably believe this was a genuine Netflix email address
• The “Help Center” and “Communications Settings” links lead to Netflix’s actual website
• The Netflix logo and branding look authentic

But look a little closer, and you’ll notice a few giveaways.

• The greeting is generic (“Hello ,”). This suggests that this is a bulk email sent to many recipients.
• The email asks for payment details. Netflix will never request payment information via email.
• There’s a typo (“We re here if you need it”). Typos are increasingly rare in phishing emails, but they should always raise a red flag.

This is not your typical “Nigerian prince” scam, and it’s easy to see why so many people – both consumers and employees – fall for these scams. If you’re looking for statistics to back this up, check out this article: Must-Know Phishing Statistics (Updated 2021).

Note that this scam appears to use “email impersonation”: the sender address (mailer.netflix.com) looks like it could be an authentic Netflix domain, but Netflix doesn’t own that domain at all. Hackers can also use account takeover and email spoofing for more advanced phishing attacks.

What is phishing for?

We’ve looked at how criminals use different methods to conduct phishing scams and target different types of people. But why do they do it? Attackers use phishing scams to target different types of resources. For example:

• Credentials. Cybercriminals steal usernames and passwords to sell them on the dark web, access company data, or conduct account takeover attacks.
• Personal information. Addresses, social security numbers — even lists of names associated with a particular platform can be valuable to cybercriminals, who can use them to target spear phishing attacks.
• Money. Phishing attacks aiming to trick the target into transferring money to the attacker are common, but they’re normally reserved for more sophisticated types of phishing such as Business Email Compromise (BEC), which the FBI calls “the $26 billion scam.”

Want to know which of these resources hackers target the most frequently? Download this infographic.

How common is phishing?

Phishing has become a huge criminal industry, and there’s no sign of it getting smaller. Here are some of the latest statistics:

• The FBI’s Internet Crime Complaint Center (IC3) 2020 Internet Crime Report cites phishing as the leading cause of cybercrime complaints. Phishing complaints more than doubled between 2019 and 2020.
• According to Verizon’s 2020 data breach report, 96% of phishing attacks arrive by email (smishing and vishing account for 3% and 1% of attacks, respectively).
• Phishing is on the rise. Microsoft’s 2021 Future of Work report shows that 80% of organizations experienced an increase in security threats in 2020 — and of these, 62% said phishing showed the most significant increase.
• As a major cause of data breaches, phishing is a considerable business expense. According to IBM, the average cost of a data breach in 2020 was $3.86 million.

Want more of the most up-to-date figures on phishing? Subscribe to our newsletter for monthly updates, straight to your inbox.

Now you know what “phishing” means, how common it is, and how much damage it can cause. If you want to learn how to protect yourself from phishing, check out our guidance on how to avoid falling for phishing attacks.
ATO/BEC Threat Intel
Spear Phishing Attack Impersonating C-Suite Targets Junior Employees at Law Firm
By Charles Brook
10 February 2022
In late January 2022 a specialist law firm was the target of a spear phishing campaign flagged by Tessian Defender where the threat actor attempted to impersonate the Chairman of the firm. Leveraging common social engineering tactics, the threat actor then targeted the firm’s junior employees. This is known as CEO Fraud.
Impersonation attacks are becoming a mainstay for threat actors. Based on our investigation into the 2021 spear phishing landscape, we determined that 60% of the malicious emails seen in Tessian’s network relied on generic impersonation techniques, including freemail impersonation and Display Name Impersonation. An additional 30% relied on more advanced impersonation techniques, including direct impersonation like domain spoofing, direct spoofing and account takeover (ATO).
The Attack

The attacker leveraged the name of the chairman and used a freemail domain. Display name and domain name impersonation spoofs accounted for 4.9% of all malicious email detected and prevented by Tessian in 2021.
Email Content:
Sender Address: <Name of Chairman>.<Website Domain>@gmail[.]com
Display Name: <Name of Chairman>
Subject: <Name of Chairman>
Body: Asking if recipients have time available; expressing a sense of urgency
Links & Attachments: None

The threat actor registered an email address using Gmail and chose a username that contained the name of the law firm’s chairman, together with the domain used for its website. They also changed the display name associated with the account to match the name of the chairman as it appeared on the firm’s website.

After that, the attacker drafted an email with a generic message containing a call to action, asking the recipient “are you available?”. It was sent to more than 200 individuals at the firm.

The email did not contain links or attachments when it was sent, just the message added by the threat actor. This indicates intent to engage in social engineering via correspondence with recipients.
This style of phishing usually leads to the threat actor trying to convince the recipient to send money or share information that could be leveraged for a more advanced phishing attack. This low-cost-of-effort phishing attempt explains why social engineering now accounts for 70-90% of all successful breaches.

In other cases it can involve sending a few messages back and forth to establish a baseline of trust, before sending a malicious attachment or URL in subsequent emails. Having established trust, the recipient is more likely to click without feeling much concern or suspicion. This also explains why advanced social engineering threats bypass detection by legacy Secure Email Gateways (SEGs), either due to the sophisticated degree of subterfuge in name and domain name spoofing, or because the malicious payload is not present in the initial email.
The Approach

The majority of phishing attacks using this approach will typically come from addresses registered by a threat actor, looking something like “partner1234@gmail[.]com” or “manager5678@hotmail[.]com”.

Attackers use freemail accounts because of their utility in carrying out attacks and their zero cost. Freemail accounts that deliver malicious payloads via a proxy server are also notoriously difficult to trace for attribution. Accounts like this will continue to be used to target multiple organizations.

In the case of this attack the address was created as “<Name of Chairman>.<Website Domain>@gmail[.]com”, which indicates deliberate intent to target this firm specifically.

The fact that the threat actor sent the email to more than 200 junior members of the firm indicates a higher level of planning and reconnaissance than most attacks of this type typically have.

Our research confirms that law firms are targeted 31% of the time for impersonation-style phishing attacks. And firms tend to post details of most employees on their websites, including names, email addresses and positions held. Many are also active on networking platforms like LinkedIn. This makes reconnaissance very easy for threat actors.
In the case of this impersonation campaign, the threat actor will have found the firm’s people page, searched for a senior individual to impersonate, then filtered down to the more junior individuals to target.

The C-Suite was impersonated in this attack to amplify the call to action in the messaging and to increase the sense of urgency felt by the targets. Likewise, junior employees were targeted in this attack because they were possibly seen as being more likely to comply with instructions received from senior management.

Another hypothesis could be that the threat actor was seeking to gain more information to wage a secondary spear phishing attack, targeting more strategic positions in the firm such as the finance department.
Real-time, comprehensive email protection

Tessian was able to detect the phishing techniques deployed by the threat actor for this campaign. Tessian recognized the law firm’s domain in the local part of the email address and the name of the chairman in the display name. It also detected suspicious keywords indicative of an urgent call to action, which included “are you available?” and “quick”.

Tessian also detected that the address used by the attacker had not been observed in historical emails sent to anyone at the law firm.

Many of the recipients at the law firm responded to the in-the-moment security warning message from Tessian and confirmed that the email was actually malicious.

All it takes is one click.

This example underscores the relentless pursuit by threat actors of access to an organization’s crown jewels. As attacks become more advanced, a defense-in-depth approach to email security is required. Leveraging email security solutions that have behavioral detection and in-the-moment security awareness training capabilities is now table stakes for securing your email ecosystem.
Appendix: MITRE ATT&CK Framework

The tactics and techniques used by the threat actor can be inferred up to the point the email was received.

TA0043: Reconnaissance – https://attack.mitre.org/tactics/TA0043/
T1591: Gather Victim Org Information – https://attack.mitre.org/techniques/T1591/
T1591.004: Identify Roles – https://attack.mitre.org/techniques/T1591/004/
T1589: Gather Victim Identity Information – https://attack.mitre.org/techniques/T1589
T1589.002: Email Addresses – https://attack.mitre.org/techniques/T1589/002
T1589.003: Employee Names – https://attack.mitre.org/techniques/T1589/003

The threat actor carried out reconnaissance activities against the target’s website. Here they identified the key individuals to impersonate and target. Using the people directory available on the website they were able to identify the chairman of the law firm to impersonate via email, and get a list of names and email addresses for associates at the firm to target.

TA0042: Resource Development – https://attack.mitre.org/tactics/TA0042
T1585: Establish Accounts – https://attack.mitre.org/techniques/T1585/
T1585.002: Email Accounts – https://attack.mitre.org/techniques/T1585/002/

After identifying a high ranking member of the firm, the threat actor registered an email account with Gmail. They created an account with a username containing the name of the chairman of the firm as well as the domain used for the firm’s website. They also changed the display name associated with the account to that of the chairman.

TA0001: Initial Access – https://attack.mitre.org/tactics/TA0001
T1566: Phishing – https://attack.mitre.org/techniques/T1566/

With a free email address registered, a senior staff member to impersonate and a list of victims to target, the threat actor sent an email to more than 200 associates at the firm. The email contained a message explaining they were the chairman of the firm and wanted to know if the recipients were available to help them quickly.
TA0005: Defense Evasion – https://attack.mitre.org/tactics/TA0005/

The threat actor avoided detection through conventional means by registering a new email address and not including a malicious link or attachment in their initial email. SEGs typically rely on known IOCs to be able to detect malicious activity. Since there was no attachment or URL in this case, there was nothing to scan or look up the reputation of.

MITRE D3FEND Framework

Most of the techniques used by the threat actor were reconnaissance-based and occurred at the pre-compromise phase, outside the scope of typical defenses and controls, meaning they could not be easily mitigated without advanced email protection.

Detect – https://d3fend.mitre.org/tactic/d3f:Detect
D3-SRA: Sender Reputation Analysis – https://d3fend.mitre.org/technique/d3f:SenderReputationAnalysis

Sender reputation analysis can be used to detect unwanted or malicious emails by analyzing information about the sender. This can include information over time such as the number of emails received, number of recipients, number of emails replied to, etc.

The problem with this attack is that the email address used by the threat actor will likely have been recently registered using a reputable freemail service and would have been unseen by the law firm before. This means there is limited information available to determine the sender reputation. Detection can be done based on the email address not having been seen before; however, with legacy email security controls this type of detection can generate high levels of alerts and false positives.
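To make the detection signals in this write-up concrete (the firm’s domain in the local part, an executive’s name in the display name, a freemail sender, a never-before-seen address and urgency keywords), here is an added Python scoring example. It is an illustration written for this page, not Tessian’s detection logic, and the organization domain, executive name, sender history and weights are all constructed placeholders. The weights are chosen so that a first-seen sender on its own stays below the warning threshold, which is the false-positive concern raised above for D3-SRA.

```python
import re
from email.utils import parseaddr

# Constructed placeholders standing in for the firm's real details.
ORG_DOMAIN = "example-law.com"
EXECUTIVES = {"Jane Doe"}  # names as published on the firm's people page
FREEMAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}
URGENCY_TERMS = ("are you available", "quick", "urgent", "right away")

# Constructed history of sender addresses previously seen by the firm.
SEEN_SENDERS = {"jane.doe@example-law.com", "counsel@partner-firm.example"}

# Identity-spoofing signals outweigh the first-seen and urgency signals, so a
# genuinely new correspondent sending a normal message stays below threshold.
WEIGHTS = {
    "org_domain_in_local_part": 3,
    "executive_display_name": 3,
    "freemail_sender": 1,
    "first_seen_sender": 1,
    "urgency_language": 1,
}
WARN_THRESHOLD = 4


def _norm(text: str) -> str:
    """Lowercase and strip punctuation so that 'Jane Doe' matches 'jane.doe'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def analyze(from_header: str, subject: str, body: str, seen=SEEN_SENDERS) -> dict:
    """Score one inbound email on the impersonation signals described above."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    local, _, domain = addr.rpartition("@")
    signals = []

    if domain != ORG_DOMAIN:
        # The firm's own domain label turning up inside the local part of an
        # external address, e.g. jane.doe.example-law@gmail.com.
        org_label = _norm(ORG_DOMAIN.rsplit(".", 1)[0])
        if org_label and org_label in _norm(local):
            signals.append("org_domain_in_local_part")
        # Display name matching a published executive, but sent from outside.
        if any(_norm(name) == _norm(display) for name in EXECUTIVES):
            signals.append("executive_display_name")

    if domain in FREEMAIL_DOMAINS:
        signals.append("freemail_sender")
    if addr not in seen:
        signals.append("first_seen_sender")  # D3-SRA style signal, weak on its own

    text = f"{subject} {body}".lower()
    if any(term in text for term in URGENCY_TERMS):
        signals.append("urgency_language")

    score = sum(WEIGHTS[s] for s in signals)
    return {"score": score, "signals": signals,
            "verdict": "warn" if score >= WARN_THRESHOLD else "allow"}


if __name__ == "__main__":
    # Constructed message shaped like the campaign described above.
    print(analyze("Jane Doe <jane.doe.example-law@gmail.com>", "Jane Doe",
                  "Are you available? I need a quick favour."))
    # Constructed benign first contact: first-seen alone should not warn.
    print(analyze("Bob Smith <bob@new-client.example>", "Meeting notes",
                  "Attached as discussed."))
```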
ATO/BEC
It Started With a Click… Huge Rise in Romance Scams for Second Year Running
By Andrew Webb
10 February 2022
If you thought the end of lockdowns might mean a drop in romance fraud scams, well, prepare to be heartbroken… Lonely hearts looking for love are highly attractive… to scammers, that is. The number of people targeted by romance fraud scams has nearly doubled in 2021, according to our latest research.
By adopting a fake identity or even impersonating a celebrity online, cybercriminals will spin a story to trick and manipulate their victims into sharing money or information that could later be used to commit identity fraud. Oftentimes, they won’t ask for the money outright. They’ll build trust over time, building a relationship. These are tried and tested social engineering tactics that are designed to manipulate human emotions – and they sadly can work on anyone.

32% of respondents have received a romance fraud scam in the last 12 months – a significant increase from the 18% of people surveyed previously. Isolating the US, 43% said they had received a romance fraud scam – up from 29% in 2021 – and in the UK, 14% said they had been targeted by romance scammers – up from 8% in 2021.

Why are scammers investing in this particular type of attack? Because vulnerable people make easy targets. Loneliness was already a public health issue back in 2018, and COVID just made everything a lot worse, which is why incidents of romance fraud have surged during the pandemic. What’s more, we’re now much more used to conducting all aspects of our lives online, often asynchronously, rather than face to face in real life.
How are romance scams delivered?

Email remains – just – the most popular attack vector for romance scams. When we asked which platforms they had received ‘romance’ messages on, personal email ranked top, with 51% of respondents saying they had received fraudulent phishing emails from ‘love interests’ via this channel. This was hotly followed by 50% of respondents who said they had received messages via Facebook. 45% had been targeted over text messages. Of course this may be the ‘tip of the iceberg’, as many victims are too embarrassed to come forward.
The rise of the celebrity love interest

Worryingly, a number of stories of cybercriminals impersonating celebrities have been reported to the media in the last 12 months. One woman was duped by a scammer pretending to be Nicolas Cage, conning her out of nearly $14,000. The continuing rise in romance fraud shows just how cybercriminals continue to exploit people’s vulnerabilities as they did during the pandemic.
Tessian’s top tips for spotting a romance scam

Here’s our advice to avoid falling for a romance scam:

• Question any requests for personal or financial information from individuals you do not know or have not met in person, and verify the identity of anyone you’re speaking to via a video call.
• Never send money or a gift online to someone you haven’t met in person.
• Keep social media profiles and posts private. Scammers will trawl social media to discover their victims and find information that they can use to build a relationship with you.
• Don’t accept friend requests or DMs from people you don’t know personally.
• Be suspicious of requests from someone you’ve met on the internet. Scammers will often ask for money via wire transfers or reload cards because they’re difficult to reverse.
• Be wary of any email you receive from someone you don’t know.
• Never click on a link or download an attachment from an unusual email address.
• Remember, if it sounds too good to be true, it probably is.

The FBI and Action Fraud have also provided citizens with useful advice on how to avoid falling for a romance scam, and guidance for anyone who thinks they may have already been targeted by a scammer.
ATO/BEC Email DLP Integrated Cloud Email Security
Secure Email Gateways (SEGs) vs. Integrated Cloud Email Security (ICES) Solutions
By John Filitz
09 February 2022
Recent market developments in email security signal there is a new player in town. And what has been considered a solved-for cybersecurity challenge is receiving renewed attention, both in the enterprise and in the analyst community.

The next generation of email security, referred to by Gartner as Integrated Cloud Email Security (ICES) solutions, brings a welcome new approach to solving for increasingly sophisticated and elusive email security threats.
Advanced threats require a new approach to addressing email security risk

Threat actors are using more sophisticated techniques, and attacks are achieving greater success. This is largely due to the commercialization of cybercrime, with Phishing-as-a-Service and Ransomware-as-a-Service offerings becoming more prevalent on the dark web.

The pace of digital transformation underway and key shifts in the way we work help explain it, too. In the wake of the pandemic, the accelerated adoption of public cloud has significantly expanded attack surface risk, with employees working from home, and often on personal devices. Threat actors are exploiting these developments by targeting the most common threat vector for a breach: phishing via email.
Secure Email Gateways (SEGs)

SEGs were, until recently, considered a staple in the cybersecurity stack. But SEGs that run on static, rule-based detection engines are finding it increasingly challenging to protect in today’s threatscape. This is largely due to SEGs relying on adversaries exploiting common and well-known attack vectors.

SEG solutions sit in-line and filter all inbound emails. SEGs use a threat intelligence engine combined with manual policy orchestration, creating “allow” or “deny” lists. In the world of SEGs, security administrators have to configure MX records, develop specific email security policies, block domains, and triage incidents – many of which are false positives due to the SEG’s “wide-net” email filtering approach.

Given that the threat engine for SEGs also relies on known threats, threat actors can bypass SEG controls, for example, by registering new domains combined with advanced impersonation techniques. That’s why Tessian saw 2 million malicious inbound emails evade SEGs in a 12-month period.

And once an adversary has compromised an organization’s email (i.e. passed through the gateway) there is little stopping them. SEGs also offer very limited protection against insider threats or advanced methods of email-based data exfiltration, for example renaming document files to bypass manually orchestrated SEG DLP policy labels.
The key attributes of SEGs include:

• Designed to protect against commonly seen threats, i.e. mainstream phishing activity, malware and spam
• Redirection of mail via MX records pointing to the SEG, to scan all incoming email
• Use of a sandbox for detecting, isolating, and detonating suspected malicious emails or attachments
• Clawback ability for internal email only
• No ability to detect lateral movement by a threat actor that has breached the gateway
• Supplemental scanning solutions are often required to detect advanced inbound threats
• Manual orchestration of basic DLP policies
Integrated Cloud Email Security (ICES) Solutions

The main distinguishing characteristic of ICES solutions like Tessian, compared to SEGs, is that ICES solutions were born in the cloud, for the cloud. But they’re also able to provide protection for hybrid and on-premise environments.

Using machine learning and connecting via connectors or an API, the algorithm of an ICES solution develops a historical behavioral map of an organization’s email ecosystem. This historical behavioral map is leveraged along with Natural Language Processing (NLP) and Natural Language Understanding (NLU) capabilities to dynamically, and in real time, scan and detect any anomalous email behavior on both the inbound and the outbound side.

ICES solutions also offer a high degree of email security automation, including triaging of security incidents, which significantly reduces the SOC burden and ultimately improves security effectiveness.
The key attributes of ICES solutions include:

• Designed to detect advanced social engineering attacks including phishing, impersonation attacks, business email compromise (BEC), and account takeover (ATO)
• Require no MX record changes, and scan incoming emails downstream from the MX record, either pre-delivery via a connector or post-delivery via an API
• Behavioral detection engine for advanced inbound and outbound threats, resulting in greater detection efficacy and fewer false positives, i.e. less business interruption and more SOC optimization
• A banner can be added to an incoming email indicating the level of risk of the scanned email
• Lateral attack detection capability
• Malicious emails are hidden from users’ inboxes. With the pre-delivery option, only email that is determined to be safe is delivered. Post-delivery solutions will claw back a suspected email determined to be malicious
• All of the email fields are analyzed and compared against a historical mapping of email correspondence. Fields scanned include the sender, recipient, subject line, body, URLs and attachments
• Prompts the end-user with in-the-moment contextual warnings on suspected malicious emails to take safe action, in real time
• Some have advanced DLP capability
The evolution of the threatscape, combined with the mainstream adoption of public cloud offerings and associated productivity suites, helps contextualize the emergence of the ICES vendor category.

Many of the productivity suites such as Microsoft 365 and Google Workspace include SEG-like features as part of their standard offerings. And Gartner predicts that by 2023, 40% of enterprises will be leveraging an ICES solution like Tessian with a public cloud’s productivity suite for comprehensive email protection.
Want to learn more? See how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video, download our platform architecture whitepaper, or book a demo.
ATO/BEC
15 Examples of Real Social Engineering Attacks
07 February 2022
Social engineering attacks are one of the main ways bad actors can scam companies. Here’s 15 of the biggest attacks, and how they happened.
1. $100 Million Google and Facebook Spear Phishing Scam

The biggest social engineering attack of all time (as far as we know) was perpetrated by Lithuanian national Evaldas Rimasauskas against two of the world’s biggest companies: Google and Facebook. Rimasauskas and his team set up a fake company, pretending to be a computer manufacturer that worked with Google and Facebook. Rimasauskas also set up bank accounts in the company’s name.

The scammers then sent phishing emails to specific Google and Facebook employees, invoicing them for goods and services that the manufacturer had genuinely provided — but directing them to deposit money into their fraudulent accounts. Between 2013 and 2015, Rimasauskas and his associates cheated the two tech giants out of over $100 million.

2. Persuasive email phishing attack imitates US Department of Labor

In January 2022, Bleeping Computer described a sophisticated phishing attack designed to steal Office 365 credentials in which the attackers imitated the US Department of Labor (DoL). The scam is a noteworthy example of how convincing phishing attempts are becoming.

The attack used two methods to impersonate the DoL’s email address—spoofing the actual DoL email domain (reply@dol[.]gov) and buying up look-alike domains, including “dol-gov[.]com” and “dol-gov[.]us”. Using these domains, the phishing emails sailed through the target organizations’ security gateways.

The emails used official DoL branding, were professionally written, and invited recipients to bid on a government project. The supposed bidding instructions were included in a three-page PDF with a “Bid Now” button embedded.

On clicking the link, targets were redirected to a phishing site that looked identical to the actual DoL site, hosted at a URL such as bid-dolgov[.]us. The fake bidding site instructed users to enter their Office 365 credentials. The site even displayed an “error” message after the first input, ensuring the target would enter their credentials twice and thus reducing the possibility of mistyped credentials.

It’s easy to see how even a relatively scrupulous employee could fall for an attack like this—but the problem would not have arisen if the target organization had better email security measures in place.

3. Russian hacking group targets Ukraine with spear phishing

As world leaders debate the best response to the increasingly tense situation between Russia and Ukraine, Microsoft warned in February 2022 of a new spear phishing campaign by a Russian hacking group targeting Ukrainian government agencies and NGOs. The group—known as Gamaredon and tracked by Microsoft as ACTINIUM—has allegedly been targeting “organizations critical to emergency response and ensuring the security of Ukrainian territory” since 2021.

The initial phase of Gamaredon’s attack relies on spear phishing emails containing malware. The emails also contain a tracking pixel that informs the cybercriminals whether the email has been opened.

The case is an important reminder of how cybersecurity plays an increasingly central role in international conflicts—and how all organizations should be taking steps to improve their security posture and protect against social engineering attacks.
4. Deepfake Attack on UK Energy Company

In March 2019, the CEO of a UK energy provider received a phone call from someone who sounded exactly like his boss. The call was so convincing that the CEO ended up transferring $243,000 to a “Hungarian supplier” — a bank account that actually belonged to a scammer.

This “cyber-assisted” attack might sound like something from a sci-fi movie, but, according to Nina Schick, author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know”, “This is not an emerging threat. This threat is here. Now.”

To learn more about how hackers use AI to mimic speech patterns, watch Nina’s discussion about deepfakes with Elvis Chan, Supervisory Special Agent at the FBI.
5. $60 Million CEO Fraud Lands CEO In Court

Chinese plane parts manufacturer FACC lost nearly $60 million in a so-called “CEO fraud scam” where scammers impersonated high-level executives and tricked employees into transferring funds. After the incident, FACC then spent more money trying to sue its CEO and finance chief, alleging that they had failed to implement adequate internal security controls.

While the case failed, it’s an important reminder: cybersecurity is business-critical and everyone’s responsibility. In fact, Gartner predicts that by 2024, CEOs could be personally liable for breaches.
6. Microsoft 365 phishing scam steals user credentials

In April 2021, security researchers discovered a Business Email Compromise (BEC) scam that tricks the recipient into installing malicious code on their device. Here’s how the attack works, and it’s actually pretty clever.

The target receives a blank email with a subject line about a “price revision.” The email contains an attachment that looks like an Excel spreadsheet file (.xlsx). However, the “spreadsheet” is actually a .html file in disguise.

Upon opening the (disguised) .html file, the target is directed to a website containing malicious code. The code triggers a pop-up notification, telling the user they’ve been logged out of Microsoft 365, and inviting them to re-enter their login credentials.

You can guess what happens next—the fraudulent web form sends the user’s credentials off to the cybercriminals running the scam.

This type of phishing—which relies on human error combined with weak defenses—has thrived during the pandemic. Phishing rates doubled in 2020, according to the latest FBI data.

7. Singapore bank phishing saga like ‘fighting a war’

Customers of the Oversea-Chinese Banking Corporation (OCBC) were hit by a string of phishing attacks and malicious transactions in 2021, leading to around $8.5 million of losses across approximately 470 customers.

The bank’s CEO Helen Wong described her company’s battle against the phishing attacks and subsequent fraudulent transfers as like “fighting a war.”

OCBC customers were duped into giving up their account details after receiving phishing emails in December 2021. The situation escalated quickly despite the bank shutting down fraudulent domains and alerting customers of the scam.

Wong described how, once the phishing campaign had taken hold, the fraudsters had set up “mule” accounts to receive stolen funds.
No matter how quickly the bank’s security team managed to shut down a mule account, the scammers would soon find another to take its place.

The CEO described her dilemma after getting the phishing campaign under control: reimbursing customers felt like the right thing to do, but Wong feared it could incentivize further attacks. So far over 200 customers have been compensated.

8. Ransomware gang hijacks victim’s email account

In April 2021, several employees of U.K. rail operator Merseyrail received an unusual email from their boss’s email account with the subject line “Lockbit Ransomware Attack and Data Theft.” Journalists from several newspapers and tech sites were also copied in.

The email—sent by a fraudster impersonating Merseyrail’s director—revealed that the company had been hacked and had tried to downplay the incident. The email also included an image of a Merseyrail employee’s personal data.

It’s not clear how Merseyrail’s email system got compromised (although security experts suspect a spear phishing attack)—but the “double extortion” involved makes this attack particularly brutal.

The “Lockbit” gang not only exfiltrated Merseyrail’s personal data and demanded a ransom to release it—the scammers used their access to the company’s systems to launch an embarrassing publicity campaign on behalf of its director.
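The disguised attachment in item 6 above (an HTML page named as if it were an .xlsx spreadsheet) is detectable without opening it, because the file name and the file contents disagree. The following is an added example written for this article, not code from the original post or from Tessian: it compares an attachment’s extension with its leading bytes (a real .xlsx is a ZIP package starting with PK 0x03 0x04 and containing [Content_Types].xml, while an HTML file opens with a tag). All file names and byte strings in it are constructed samples, and the checks are generalized to a few other common attachment types.

```python
"""Flag e-mail attachments whose declared file type does not match their content.

Added example, not taken from the original article or from Tessian's product.
Item 6 above describes an HTML credential-harvesting page delivered under an
.xlsx file name. A genuine .xlsx is an Office Open XML package: a ZIP archive
that starts with the bytes PK 0x03 0x04 and contains [Content_Types].xml, so a
file that opens with an HTML tag cannot be one. All file names and byte
strings below are constructed for the demonstration.
"""
import io
import re
import zipfile

# Leading bytes ("magic numbers") that identify the real container format.
MAGIC = [
    (b"PK\x03\x04", "zip"),            # ZIP, which includes .xlsx/.docx/.pptx
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]
# Markers that identify an HTML document whatever the file is called.
HTML_START = re.compile(rb"^\s*(<!DOCTYPE\s+html|<html|<script|<head|<body|<meta)", re.IGNORECASE)
OFFICE_EXTENSIONS = (".xlsx", ".docx", ".pptx")


def extension_of(filename: str) -> str:
    """Lower-cased final extension; 'x.xlsx.html' yields '.html', the part the OS actually honours."""
    name = filename.lower()
    return name[name.rfind("."):] if "." in name else ""


def sniff(content: bytes) -> str:
    """Guess the real format from the first bytes: 'html', 'zip', 'pdf', 'png' or 'unknown'."""
    if HTML_START.match(content[:1024]):
        return "html"
    for marker, kind in MAGIC:
        if content.startswith(marker):
            return kind
    return "unknown"


def is_office_package(content: bytes) -> bool:
    """True if the ZIP holds the [Content_Types].xml entry every Office Open XML file must have."""
    try:
        with zipfile.ZipFile(io.BytesIO(content)) as zf:
            return "[Content_Types].xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def check_attachment(filename: str, content: bytes) -> list:
    """Return findings about one attachment; an empty list means name and content agree."""
    findings = []
    ext = extension_of(filename)
    actual = sniff(content)
    if actual == "html" and ext not in (".html", ".htm"):
        findings.append(f"{filename}: HTML content disguised with the {ext or 'missing'} extension")
    if ext in OFFICE_EXTENSIONS:
        if actual != "zip":
            findings.append(f"{filename}: not a ZIP container, so it cannot be a valid {ext} file")
        elif not is_office_package(content):
            findings.append(f"{filename}: ZIP container lacks [Content_Types].xml")
    if ext in (".html", ".htm"):
        findings.append(f"{filename}: HTML attachment, a common credential-phishing carrier")
    return findings


def make_office_zip() -> bytes:
    """Build a minimal, structurally valid Office Open XML package in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


# Constructed samples: the disguised attachment from item 6, plus benign controls.
FAKE_XLSX = b"<!DOCTYPE html>\n<html><body><script>/* redirect omitted */</script></body></html>"
REAL_XLSX = make_office_zip()
REAL_PDF = b"%PDF-1.4\n% constructed sample, not a complete document\n"

if __name__ == "__main__":
    for name, data in [("price_revision.xlsx", FAKE_XLSX),
                       ("price_revision.xlsx.html", FAKE_XLSX),
                       ("q1_report.xlsx", REAL_XLSX),
                       ("statement.pdf", REAL_PDF)]:
        print(name, "->", check_attachment(name, data) or ["ok"])
```

The content check is deliberately independent of the declared MIME type, since the sender controls both the file name and the Content-Type header; only the bytes are hard to fake. An attachment that fails this check is a good candidate for quarantine or for a banner warning the recipient before they open it.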
9. Phishing scam uses HTML tables to evade traditional email security

Criminals are always looking for new ways to evade email security software. One BEC attack, discovered in April 2021, involves a particularly devious way of sneaking through traditional email security software like Secure Email Gateways (SEGs) and rule-based Data Loss Prevention (DLP).

BEC attacks often rely on impersonating official emails from respected companies. This means embedding the company’s logos and branding into the email as image files.

Some “rule-based” email security software automatically treats image files as suspicious. If a phishing email contains a .png file of the Microsoft Windows logo, the email is more likely to be detected—but without that distinctive branding, the email won’t look like it came from Microsoft.

But once again, cybercriminals have found a way to exploit the rule-based security approach.

To imitate Microsoft’s branding, this attack uses a table instead of an image file—simply a four-square grid, colored to look like the Windows logo. The average employee is unlikely to closely inspect the logo and will automatically trust the contents of the email.

This isn’t the first time fraudsters have used tables to evade rule-based DLP software. For example, some email security filters are set up to detect certain words, like “bitcoin.” One way around this is to create a borderless table and split the word across the columns: “bi | tc | oin.”

10. Sacramento phishing attack exposes health information

Five employees at Sacramento County revealed their login credentials to cybercriminals after receiving phishing emails on June 22, 2021. The attack was discovered five months later, after an internal audit of workers’ email inboxes. The breach occurred after employees received phishing emails containing a link to a malicious website. The targets entered their usernames and passwords into a fake login page, which were then harvested by cybercriminals.
The attack resulted in a data breach exposing 2,096 records of health information and 816 records of “personal identification information.” The county notified the victims by email and offered free credit monitoring and identity theft services. It remains to be seen whether this proposed resolution by the county will be enough. Protection of health information is particularly tightly regulated in the US, under the Health Insurance Portability and Accountability Act (HIPAA), and data breaches involving health data have led to some hefty lawsuits in the past.
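The table tricks in item 9 (a watched word split across borderless cells, and a logo drawn from colored cells instead of an image) and the open-tracking pixel in item 3 all live in the HTML of the message body, so a filter that reasons about the rendered structure rather than raw text can catch them. The following is an added example for this article, not code from the original post or from Tessian: it parses a message body with Python’s standard-library HTMLParser, merges the text of each table row to recover words split across cells, counts small textless colored tables, and lists remote 1x1 images. The sample body, watch list and size thresholds are constructed for this demonstration.

```python
"""Inspect an HTML e-mail body for layout tricks that defeat naive rule-based filters.

Added example, not taken from the original article or from Tessian's product.
It covers two techniques described above: the open-tracking pixel from item 3
and the borderless-table tricks from item 9 (a watched word split across
cells as "bi | tc | oin", and a brand logo drawn from coloured cells instead
of an image a filter would inspect). The sample body, watch list and size
thresholds are constructed for this demonstration.
"""
import re
from html.parser import HTMLParser

WATCH_WORDS = ("bitcoin", "password", "invoice")   # constructed watch list


class EmailHtmlInspector(HTMLParser):
    """Collects visible text, cell text per table row, tiny remote images and textless coloured tables."""

    def __init__(self):
        super().__init__()
        self.visible_text = []     # text as a reader would see it, in order
        self.rows = []             # list of rows, each a list of cell strings
        self.tracking_pixels = []  # remote <img> sources with a 1x1 or hidden footprint
        self.logo_like_tables = 0  # small tables of coloured cells carrying no text
        self._row = None
        self._cell = None
        self._tables = []          # per open table: [cell_count, coloured_cells, text_chars]

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "table":
            self._tables.append([0, 0, 0])
        elif tag == "tr":
            self._row = []
        elif tag in ("td", "th"):
            self._cell = []
            if self._tables:
                self._tables[-1][0] += 1
                if a.get("bgcolor") or "background" in (a.get("style") or "").lower():
                    self._tables[-1][1] += 1
        elif tag == "img":
            src = a.get("src") or ""
            w = (a.get("width") or "").lower().rstrip("px")
            h = (a.get("height") or "").lower().rstrip("px")
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = (w in ("0", "1") and h in ("0", "1")) or "width:1px" in style or "display:none" in style
            if tiny and src.lower().startswith(("http://", "https://")):
                self.tracking_pixels.append(src)

    def handle_data(self, data):
        self.visible_text.append(data)
        if self._cell is not None:
            self._cell.append(data)
            if self._tables:
                self._tables[-1][2] += len(data.strip())

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None:
            if self._row is None:          # tolerate cells written outside <tr>
                self._row = []
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self.rows.append(self._row)
            self._row = None
        elif tag == "table" and self._tables:
            cells, coloured, chars = self._tables.pop()
            # A small grid of coloured, textless cells is a logo drawn with markup.
            if 2 <= cells <= 9 and coloured == cells and chars == 0:
                self.logo_like_tables += 1


def inspect_html(body: str) -> dict:
    """Run the inspector and compare what a filter sees before and after merging table cells."""
    p = EmailHtmlInspector()
    p.feed(body)
    p.close()
    if p._row:
        p.rows.append(p._row)
    rendered = re.sub(r"\s+", " ", " ".join(p.visible_text)).lower()
    plain_hits = [w for w in WATCH_WORDS if w in rendered]
    merged_hits = set()
    for row in p.rows:
        glued = re.sub(r"\s+", "", "".join(row)).lower()   # "bi|tc|oin" -> "bitcoin"
        merged_hits.update(w for w in WATCH_WORDS if w in glued)
    return {
        "keywords_plain": plain_hits,
        "split_keyword_evasion": sorted(merged_hits - set(plain_hits)),
        "tracking_pixels": p.tracking_pixels,
        "logo_like_tables": p.logo_like_tables,
    }


# Constructed sample body combining the tricks from items 3 and 9 (colours are arbitrary).
SAMPLE_EMAIL = """<html><body>
<table cellpadding="0" cellspacing="0" border="0">
  <tr><td style="background:#c00">&nbsp;</td><td style="background:#0c0">&nbsp;</td></tr>
  <tr><td style="background:#00c">&nbsp;</td><td style="background:#cc0">&nbsp;</td></tr>
</table>
<p>Your invoice and price revision are ready. Settle the balance in</p>
<table border="0"><tr><td>bi</td><td>tc</td><td>oin</td></tr></table>
<p>within 24 hours or the account will be closed.</p>
<img src="https://tracker.example.invalid/open.gif?id=abc123" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for key, value in inspect_html(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Merging is done per table row rather than across the whole document, which keeps false positives down while still reassembling a word spread over adjacent cells. The logo heuristic (a table of two to nine cells, every cell coloured, no text) is a constructed threshold: legitimate newsletters also use coloured spacer cells, so treat these signals as inputs to a score rather than as a block decision on their own.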
11. Google Drive collaboration scam

In late 2020, a novel but simple social engineering scam emerged that exploited Google Drive’s notification system. The fraud begins with the creation of a document containing malicious links to a phishing site. The scammer then tags their target in a comment on the document, asking the person to collaborate. Once tagged, the target receives a legitimate email notification from Google containing the comment’s text and a link to the relevant document.

If the scam works, the victim will view the document, read the comments, and feel flattered that they’re being asked to collaborate. Then, the victim will click one of the malicious links, visit the phishing site, and enter their login credentials or other personal data.

This scam is particularly clever because it exploits Google’s email notification system for added legitimacy. Such notifications come straight from Google and are unlikely to trigger a spam filter. But like all social engineering attacks, the Google Drive collaboration scam plays on the victim’s emotions: in this case, the pride and generosity we might feel when called upon for help.

Want to see a screenshot of a similar attack? We break down a spear phishing attack in which the attacker impersonates Microsoft Teams. Check it out here.

12. SharePoint phishing fraud targets home workers

April 2021 saw yet another phishing attack emerge that appears specifically designed to target remote workers using cloud-based software. The attack begins when the target receives an email—written in the urgent tone favored by phishing scammers—requesting their signature on a document hosted in Microsoft SharePoint.

The email looks legitimate. It includes the SharePoint logo and branding familiar to many office workers. But the link leads to a phishing site designed to siphon off users’ credentials.
Phishing attacks increasingly aim to exploit remote collaboration software—Microsoft research suggests nearly half of IT professionals cited the need for new collaboration tools as a major security vulnerability during the shift to working from home.
13. $75 Million Belgian Bank Whaling Attack

Perhaps the most successful social engineering attack of all time was conducted against Belgian bank Crelan. While Crelan discovered its CEO had been “whaled” after conducting a routine internal audit, the perpetrators got away with $75 million and have never been brought to justice.

Crelan fell victim to “whaling” — a type of spear-phishing where the scammers target high-level executives. Cybercriminals frequently try to harpoon these big targets because they have easy access to funds.

14. High-Profile Twitter Users’ Accounts Compromised After Vishing Scam

In July 2020, Twitter lost control of 130 Twitter accounts, including those of some of the world’s most famous people — Barack Obama, Joe Biden, and Kanye West.

The hackers downloaded some users’ Twitter data, accessed DMs, and made Tweets requesting donations to a Bitcoin wallet. Within minutes — before Twitter could remove the tweets — the perpetrator had earned around $110,000 in Bitcoin across more than 320 transactions.

Twitter has described the incident as a “phone spear phishing” attack (also known as a “vishing” attack). The calls’ details remain unclear, but somehow Twitter employees were tricked into revealing account credentials that allowed access to the compromised accounts.

Following the hack, the FBI launched an investigation into Twitter’s security procedures. The scandal saw Twitter’s share price plummet by 7% in pre-market trading the following day.

15. Texas Attorney-General Warns of Delivery Company Smishing Scam

Nearly everyone gets the occasional text message that looks like it could be a potential scam. But in September 2020, one smishing (SMS phishing) attack became so widespread that the Texas Attorney-General put out a press release warning residents about it.

Victims of this scam received a fraudulent text message purporting to be from a delivery company such as DHL, UPS, or FedEx.
The SMS invited the target to click a link and “claim ownership” of an undelivered package. After following the link, the target was asked to provide personal information and credit card details.

The Texas Attorney-General warned all Texans not to follow the link. He stated that delivery companies do not communicate with customers in this way, and urged anyone receiving the text message to report it to the Office of the Attorney General or the Federal Trade Commission.

Top tip: Never respond to any suspicious message, click links within SMS messages, or reveal personal or company information via SMS.

Prevent social engineering attacks in your organization

There’s one common thread through all of these attacks: they’re really, really hard to spot. That’s where Tessian comes in. Tessian is intelligent cloud email security that stops threats and builds smart security cultures in the modern enterprise.

Powered by machine learning, Tessian analyzes and learns from an organization’s current and historical email data and protects employees against inbound email security threats, including whaling, CEO Fraud, BEC, spear phishing, and other targeted social engineering attacks.

To learn more about how Tessian can protect your people and data against social engineering attacks on email, book a demo today. Or, if you’d rather just stay up-to-date with the latest social engineering attacks, subscribe to our weekly blog digest. You’ll get news, threat intel, and insights from security leaders for security leaders straight to your inbox.