The Week in Breach: 3 Phishing Threats Right Under Every Employee’s Nose




These 3 Phishing Threats Lurk Where You Least Expect Them


Phishing is the number one data breach risk and a plague on businesses. Every day, employees are inundated with dangerous messages, and some are harder to spot than others, opening their employers up to trouble if a tricky message slips through. 97% of employees are unable to detect a sophisticated phishing message. Cybercriminals are more than happy to press their advantage by crafting sophisticated messages that can easily slip under an employee’s radar, like these 3 threats.


Consent Phishing


An alternative to credential phishing (the more common type of phishing) is consent phishing. Instead of trying to capture passwords with phishing login pages and other ruses, the bad guys use another tool: OAuth permission requests. Those requests lure victims into a false sense of security because they aren’t an expected phishing tool. Bad actors send a permission request to their victims, and when a victim accepts, the bad actor is granted access tokens that give the attacker account data from the connected apps. In this scenario, sign-in is handled by an identity provider, like Microsoft or Google, rather than by the end user. That gives the bad guys an advantage: despite lacking a password, they can still take actions that enable future cyberattacks on the victim, such as setting a rule that forwards the target’s email to an attacker-controlled email account.

Microsoft sounded the alarm on Twitter this week to warn businesses that a consent phishing scam is making the rounds. In the thread, Microsoft cautions that Office 365 customers are receiving phishing emails that aim to trick them into giving OAuth permissions to a sham app. When they do, the attackers can read and write emails on the victim’s account. Microsoft Security Intelligence disclosed that the malicious app is named “Upgrade”. When installed, it asks users to grant it OAuth permissions that would allow attackers to create inbox rules, read and write emails and calendar items and the victim’s contacts. The company said that hundreds of O365 customers have been sent the initial phishing message. Earlier this year, Microsoft noted in its blog that consent phishing emails or “illicit consent grants” that abuse OAuth requests have steadily increased in the last few years.
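Both of the attacker actions described above, granting a sham app OAuth permissions to mail and contacts and creating an inbox rule that forwards mail out of the organization, leave traces in the tenant’s audit log. The following script is an added example, not code from the newsletter or from Microsoft: it scans a handful of constructed audit records (their shape is only loosely modelled on Microsoft 365 unified-audit-log JSON, and field names such as "ModifiedProperties", "Parameters", "ForwardTo" and "Consent to application." are assumptions to check against a real export) and flags consent grants that request mail-related scopes and inbox rules that forward to an external domain. The app name "Upgrade" is taken from the Microsoft advisory above; every other value is constructed.

```python
"""Flag two consent-phishing follow-on signals in mailbox audit records:
an OAuth consent grant to an app that asks for mail/contacts/calendar
scopes, and a new or changed inbox rule that forwards mail to an address
outside the organization.

All records below are constructed for this example. Their layout is an
assumption loosely modelled on Microsoft 365 unified-audit-log JSON; confirm
the field names against your own tenant's export before relying on this.
"""
import re

ORG_DOMAINS = {"example.com"}  # constructed: the tenant's own mail domains
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                "MailboxSettings.ReadWrite", "Contacts.Read",
                "Calendars.ReadWrite"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}          # assumed operation names
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

SAMPLE_RECORDS = [
    {   # constructed: consent grant to an app requesting mail + contacts + calendar
        "Operation": "Consent to application.",
        "UserId": "alice@example.com",
        "ObjectId": "Upgrade",
        "ModifiedProperties": [
            {"Name": "ConsentAction.Permissions",
             "NewValue": "[[Scope: Mail.ReadWrite Contacts.Read Calendars.ReadWrite offline_access, ...]]"},
        ],
    },
    {   # constructed: benign consent, sign-in profile only
        "Operation": "Consent to application.",
        "UserId": "bob@example.com",
        "ObjectId": "Contoso Viewer",
        "ModifiedProperties": [
            {"Name": "ConsentAction.Permissions",
             "NewValue": "[[Scope: User.Read openid profile, ...]]"},
        ],
    },
    {   # constructed: inbox rule that forwards mail outside the tenant
        "Operation": "New-InboxRule",
        "UserId": "alice@example.com",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "ForwardTo", "Value": "collector@mail-drop.example.net"},
            {"Name": "DeleteMessage", "Value": "True"},
        ],
    },
    {   # constructed: benign rule that only files newsletters into a folder
        "Operation": "New-InboxRule",
        "UserId": "carol@example.com",
        "Parameters": [
            {"Name": "Name", "Value": "Newsletters"},
            {"Name": "MoveToFolder", "Value": "Newsletters"},
        ],
    },
]


def consent_scopes(record):
    """Return the OAuth scopes named in a consent record's ConsentAction.Permissions text."""
    scopes = set()
    for prop in record.get("ModifiedProperties", []):
        if prop.get("Name") != "ConsentAction.Permissions":
            continue
        m = re.search(r"Scope:\s*([^,\]]+)", prop.get("NewValue", ""))
        if m:
            scopes.update(m.group(1).split())
    return scopes


def external_forward_targets(record):
    """Return forwarding addresses in an inbox-rule record whose domain is not the org's."""
    targets = []
    for p in record.get("Parameters", []):
        if p.get("Name") not in FORWARD_PARAMS:
            continue
        for addr in re.findall(r"[\w.+-]+@[\w.-]+", p.get("Value", "")):
            domain = addr.rsplit("@", 1)[1].lower()
            if domain not in ORG_DOMAINS:
                targets.append(addr)
    return targets


def find_alerts(records):
    """Walk the records and collect one alert per risky consent or external-forward rule."""
    alerts = []
    for r in records:
        op = r.get("Operation")
        if op == "Consent to application.":
            risky = consent_scopes(r) & RISKY_SCOPES
            if risky:
                alerts.append({"kind": "risky_consent", "user": r.get("UserId"),
                               "app": r.get("ObjectId"), "detail": sorted(risky)})
        elif op in RULE_OPS:
            targets = external_forward_targets(r)
            if targets:
                alerts.append({"kind": "external_forward", "user": r.get("UserId"),
                               "app": None, "detail": targets})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_RECORDS):
        print(alert)
```

Run against the constructed records, the script raises exactly two alerts: the "Upgrade" consent grant (because it requests Mail.ReadWrite, Contacts.Read and Calendars.ReadWrite) and the inbox rule that forwards alice’s mail to an external domain. The benign consent and the folder-only rule are ignored, which is the point of keying on the scope list and the forwarding target rather than on the operation name alone.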

Reconnaissance Attacks/Bait Phishing


Reconnaissance attacks, also known as bait phishing, are another sophisticated threat that is currently making the rounds. A reconnaissance attack is heavily based on social engineering. In this scenario, the attackers attempt to bypass security by creating a highly believable message. Employees (and security solutions) are on the lookout for the common signs of a phishing message, like bad grammar or misspellings, but bait phishing messages are carefully crafted to avoid those red flags. The aim of these messages is to establish a dialogue that lulls the recipient into a false sense of security and entices them to click a link or download a file.

Bait phishing usually starts with a friendly, unobjectionable message that serves two purposes for the bad guys: testing and/or penetrating the intended recipient’s email security defenses and verifying that the email address is in active use. The initial message is usually devoid of malicious links or files. It also doesn’t solicit any action from the recipient beyond a response. The goal with the initial message is to start a conversation with a potential target to lull them into believing that the bad guys are on the level and determine which potential targets are likely to interact with future messages.

If the target responds to the first message, it’s game on for the bad guys. They can start phishing in earnest. Further messages to the target capitalize on the attacker’s initial toehold by going after the victim’s credentials, transmitting malicious links or passing along unsafe attachments. Lately, the messages in this version of phishing have been originating from Gmail: 91% of cybercriminals engaged in bait phishing use Gmail, leveraging the fact that Gmail is a very common source of messages and that their fresh Gmail addresses are highly unlikely to trigger immediate alarms or appear on anyone’s blacklist.

Hidden Danger Phishing Schemes


Many employees have become more aware of phishing, and they’ve learned to use caution in the places where the bad guys commonly set their traps. Security awareness training works, and employees who have been trained know to be wary of clicking strange links or interacting with unexpected messages, even on social media. So the bad guys have had to get creative. In another hard-to-detect phishing scenario, bad actors take advantage of the collaborative nature of today’s workspaces to sneak malicious links into places that employees may not be expecting them, like the comments section of a Google Doc.

To kick off their phishing operation, a bad actor creates a seemingly harmless Google Doc. The bad actor then adds their victim to the document by @-mentioning them in a comment. When the cybercriminal takes that action, the victim is automatically sent an email with a link to the Google Docs file. The email that the target receives displays the entire contents of the comment, including the bad link and any other enticing text added by the attacker. This scenario is so insidious because the victim never has to interact with or open the document to be served the malicious link; it’s right there in the notification email, presented in a way that is likely to neatly bypass security. The same process can be used to kick off a phishing operation with most Google Workspace documents, giving bad actors plenty of choices and chances to lure in an unwary employee.

This phishing variant is practically tailor-made for companies that use Google Workspace in the course of everyday business, and it’s likely to be especially effective against remote workers and at large companies. The malicious message doesn’t contain the creator’s full email address, just their username. A savvy bad actor might even choose a username that would seem personally appealing and harmless to the recipient, like a colleague or family member’s name if they were focusing tightly on a particular target. It also capitalizes on both social engineering and the commonality of employees receiving and handling routine notifications every day. Employees constantly receive alerts that they’ve been mentioned in a comment on a document, making these dangerous messages a very slick way to phish.

This risk started gaining traction in late 2021 and kept picking up steam through the year’s end, prompting IT experts to put out warnings that this threat was becoming increasingly serious. By year’s end, that prediction came to fruition. Businesses have faced a wave of attacks that abuse these commonly used Google Docs productivity features to send their employees potentially malicious content, opening them up to danger.

These and Other Phishing Risks Deliver Danger to User Inboxes Daily


With risks like these around every corner, it’s easy to see why every company needs to make a powerful defense against phishing a top priority to avoid joining the ranks of the 60% of businesses that fold in the wake of a cyberattack.


Dark Web ID’s Top Threats This Week


Morley Companies Inc.

https://www.safetydetectives.com/news/business-services-provider-morley-discloses-ransomware-attack/

Exploit: Ransomware

Morley Companies Inc.: Business Services


Risk to Business: 1.507 = Severe

Morley Companies, a business service provider to several Fortune 500 companies, announced that it had been hit with a ransomware attack that may have exposed sensitive information for more than 500,000 people. In a statement, the company said that “a ransomware-type malware had prevented access to some data files on our system beginning August 1, 2021, and there was an unauthorized access to some files that contained personal information,” chalking up the delay in notifying possible victims of this exposure to the complexities of the incident investigation.


Individual Risk: 1.663 = Severe

Morley Companies said the attack affected the information of “current employees, former employees and various clients.” The potentially compromised information leaked includes names, addresses, Social Security numbers, dates of birth, client identification numbers, medical diagnostic and treatment information and health insurance information. The company is offering credit monitoring and identity theft protection for victims.

Customers Impacted: 500,000

How It Could Affect Your Business: Companies that store large quantities of personal or medical information are prime targets for the bad guys.

IntegraMSP to the Rescue: Cybersecurity horrors lurk around every corner, lying in wait for unwary organizations. Learn how to defeat them in our eBook Monsters of Cybersecurity. DOWNLOAD IT NOW>>


Civicom, Inc.

https://abcnews.go.com/International/wireStory/official-puerto-ricos-senate-targeted-cyberattack-82495236

Exploit: Misconfiguration

Civicom Inc.: Business Services


Risk to Business: 2.017 = Severe

Civicom is in hot water after leaving 8 TB of data exposed in an unsecured AWS S3 bucket. The New York-based company specializes in virtual conferencing facilitation, transcription and research services, with offices in the United States, the Philippines and the United Kingdom. Ultimately, Civicom exposed records containing more than 100,000 files, including thousands of hours of audio and video recordings of private conversations as well as written transcripts of meetings and calls by the company’s clients.

Individual Impact: No specifics about consumer/employee PII or financial data loss were available at press time.

Customers Impacted: Unknown

How It Could Affect Your Business: This is not an uncommon mistake, but it’s always a problem and could be an expensive regulatory disaster in some industries.

IntegraMSP to the Rescue: Share The Computer Security To-Do List with your clients to help them find vulnerabilities and you’ll start profitable conversations! DOWNLOAD IT>>


Wormhole

https://indianexpress.com/article/technology/crypto/hackers-steal-nearly-320-million-worth-of-crypto-assets-from-wormhole-7758034/

Exploit: Hacking

Wormhole: DeFi Platform


Risk to Business: 1.227 = Extreme

Hackers swooped in and snatched up more than $320 million from DeFi platform Wormhole this week. The DeFi platform, a bridge between the Solana (SOL) cryptocurrency and other blockchains, was exploited for approximately 120,000 wrapped Ethereum in what is thought to be the second-largest cryptocurrency hack to date. Wormhole’s parent company Jump Crypto pledged to replace the 120,000 ether Wormhole lost. The company was quick to note that the crypto was stolen by exploiting a vulnerability in the platform, not taken from an Ethereum address, and that it was taken in 3 separate transactions.

Individual Impact: No specifics about consumer/employee PII or financial data loss were available at press time.

Customers Impacted: Unknown

How It Could Affect Your Business: DeFi has been a hotbed of hacking activity as cybercriminals seek quick scores of cryptocurrency, and there’s no end to the danger in sight.

IntegraMSP to the Rescue: Building cyber resilience helps insulate organizations from trouble like this. Learn more about why cyber resilience is the ticket to a safer future for your clients. GET THIS EBOOK>>


News Corp.

https://www.reuters.com/business/media-telecom/news-corp-says-one-its-network-systems-targeted-by-cyberattack-2022-02-04/

Exploit: Nation-State Cybercrime

News Corp.: Media & Publishing Company


Risk to Business: 2.071 = Severe

Major media company News Corp. has disclosed that it was the target of a cyberattack by suspected Chinese nation-state hackers. The attack came to light in late January and affected News Corp. business units, including The Wall Street Journal and its parent company Dow Jones, the New York Post, News U.K. and News Corp. Headquarters. The hack affected emails and documents of what it described as a limited number of employees, including journalists. The incident is under investigation.

Individual Impact: No specifics about consumer/employee PII or financial data loss were available at press time.

Customers Impacted: Unknown

How It Could Affect Your Business: Organizations should keep in mind that the preferred weapon of nation-state cybercriminals is ransomware.

IntegraMSP to the Rescue: Help your clients stay safe from the most common delivery system for ransomware, a phishing message, with our Can You Spot the Phishing Email? infographic! DOWNLOAD IT>>


1 – 1.5 = Extreme Risk

1.51 – 2.49 = Severe Risk

2.5 – 3 = Moderate Risk

Risk scores for The Week in Breach are calculated using a formula that considers a wide range of factors related to the assessed breach.