Tag Archives: phishing

Agari Turns the Table on ‘London Blue’ Hacking Campaign

A hacker group known as “London Blue” has compiled a list of 35,000 chief financial officers, including some at the world’s biggest banks and mortgage companies, with the intent to target them with bogus requests to transfer money.

CFO-Targeting Phishing Campaign

The “London Blue” hackers are the latest group to specialize in “business email compromise” (BEC) campaigns, according to the cyber threat detection company Agari, which found a list of 50,000 targets, mostly accounting department employees.

This past July the FBI warned that this type of scam, where a chief financial officer is rushed into transferring money to an unknown account, is on the rise and had cost companies more than $12 billion since 2013, with the total number of victims reaching over 78,000.

Gone Phishing? We Hope Not!

Training your employees to recognize a phishing campaign just got a whole lot harder. A new phishing attack targeting Microsoft’s popular Office 365 platform has impacted roughly 10 percent of its users globally … and that’s just an estimate. What makes it more problematic is that the attackers are harvesting usernames and passwords under the guise of document sharing via SharePoint.

Corporate Usernames and Passwords Are Valuable

As organizations move to cloud-based solutions, phishers are changing the way they attempt to steal credentials. Once stolen, corporate usernames and passwords allow attackers to:

  • carry out further phishing attacks against top executives;
  • deploy money transfer schemes to convince financial departments to fraudulently wire large sums of money (i.e. CEO impersonation);
  • scan the company’s email server for information that can be sold; and
  • deploy ransomware or other advanced threats through Remote Desktop Protocol.


IRS Warns Tax Professionals of New Scam to Steal Passwords

[This alert highlights a new phishing email campaign targeting tax professionals during a vulnerable time of year – when many software providers issue upgrades and when tax professionals are pushing to meet the October 15 deadline for tax extensions.

This alert comes from the combined efforts of the IRS, state tax agencies, and the tax industry acting as the Security Summit.]

Security Summit Alert

The Internal Revenue Service, state tax agencies and the tax industry warned tax professionals to be alert to a new phishing email scam impersonating tax software providers and attempting to steal usernames and passwords.

This sophisticated scam yet again underscores the need for tax professionals to take strong security measures to protect their clients and protect their business. This is the time of year when many software providers issue software upgrades and when tax professionals are working to meet the Oct. 15 deadline for extension filers.

These types of phishing scams are why the IRS, state tax agencies and the tax industry, acting as the Security Summit, launched the 10-week Don’t Take the Bait campaign currently underway. This awareness effort highlights the many tactics of cybercriminals as well as the steps tax professionals can take to protect their clients and themselves.

This latest scam email variation comes with a subject line of “Software Support Update” and highlights an “Important Software System Upgrade.” It thanks recipients for continuing to trust the software provider to serve their tax preparation needs and mimics the software providers’ email templates.

The email informs recipients that, due to a recent software upgrade, the preparer must revalidate their login credentials. It provides a link to a fictitious website that mirrors the software provider’s actual login page.

Instead of upgrading software, the tax professionals are providing their information to cybercriminals who use the stolen credentials to access the preparers’ accounts and to steal client information.

The Security Summit reminds tax professionals that software providers do not embed links into emails asking them to validate passwords. Also, tax professionals and taxpayers should never open a link or an attachment from a suspicious email.

Tax professionals can review additional tips to protect clients and themselves at Protect Your Clients, Protect Yourself on IRS.gov.

Tax professionals who receive emails purportedly from their tax software providers seeking login credentials should send those scam emails to their tax software provider.

For Windows users, follow this process to help the investigation of these scam emails:

  1. Use “Save As” to save the scam email. Under “save as type” in the drop-down menu, select “plain text” and save to the desktop. Do not click on any links.
  2. Open a new email and attach this saved email as a file.
  3. Send a new email containing the attachment to the tax software provider, as well as a copy to Phishing@IRS.gov.

Phishing Attack Results in $400,000 OCR Settlement

Phishing incidents continue to be a top cause of data breaches. A phishing incident at Metro Community Provider Network (MCPN) led to the most recent OCR settlement for $400,000.

Who is Metro Community Provider Network?

MCPN is a federally-qualified health center providing healthcare services to the greater Denver area. Services include primary medical care, dental care, pharmacies, social work, and behavioral health care services. Most of their 43,000 annual patients are at or below the poverty level.

Phishing Incident

In January 2012, MCPN reported a data breach to the OCR stemming from a phishing incident.

A phishing scam allowed hackers to access MCPN employees’ email accounts and obtain ePHI of 3,200 individuals. OCR’s investigation found the provider took proper steps following the incident to mitigate the damage.

However, the investigation also revealed MCPN failed to conduct a risk assessment until February 2012 – one month after discovering the breach.

As prior OCR settlements have taught us, risk assessments are foundational to HIPAA compliance efforts. Without conducting a risk assessment, MCPN didn’t implement any risk management practices to address identified risks and vulnerabilities.

OCR also commented that once MCPN did finalize their risk assessment, it didn’t meet the requirements of HIPAA’s Security Rule.

Settlement & Corrective Action Plan

OCR agreed to settle with MCPN for a penalty of $400,000. In the press release, OCR noted the settlement amount took into consideration MCPN’s status as a federally-qualified health center and its need to remain financially able to continue providing patient care.

The corrective action plan includes several tasks for MCPN to strengthen their security posture:

  • Conduct a comprehensive risk analysis of security risks and vulnerabilities to include all current facilities and equipment
  • Develop an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis
  • Review and revise current Security Rule policies and procedures based on findings from the risk analysis and implementation of the risk management plan
  • Provide updated training materials to MCPN workforce based on findings from the risk analysis and implementation of the risk management plan

Key Takeaways

There’s no reason to believe OCR is changing its mind about risk assessments anytime soon. They are foundational to HIPAA compliance efforts. The advice for healthcare organizations is simple: do your risk assessment, and do it right.

If you’re looking for recommendations during the risk assessment process, reach out to our team for advice at cyberteam@eplaceinc.com.

Email Scam Personally Targets UK Residents

Internet users are getting savvier … slowly but surely. Phishing emails littered with spelling mistakes and grammar errors are getting flagged more often.

However, phishers are still innovative and relentless. What happens when you’re greeted by an email that knows your name and address? Despite the suspicions, the personalized touch grabs your attention.

Here are the kinds of emails UK residents are noticing in their inboxes recently:

Here’s another…

Phishing Email Details

The sample phishing emails have some curious characteristics to note.

Let’s start with the obvious… terrible grammar. These emails read like they were part of the original Nigerian scams over a decade ago. While they seem like your classic phishing scam at its finest, the personal information sprinkled throughout the email seems to draw people into the scam. The greeting uses your first name. The referenced file is labeled using your last or family name. Then, to add a shred of credibility, the email notes your home address and postcode.

It’s an interesting play by the phishers. The email itself looks phishy enough to raise suspicion, but the personalized references make recipients wonder how dangerous it could be not to glance at the information in the file.

So What’s in the File?

Spoiler alert: it’s malware!

Victims who open the attachment are prompted for a password which the phishers include in their email. The random passwords really are necessary to open the file.

After entering the given password, the following screen comes up in Microsoft Word:

The thing to notice on this page is the Security Warning. How fitting!

The phishers need you to enable macros in the document for the malware to run. But many computer folk have caught on that macros can be dangerous. So instead of the traditional prompt to enable macros, the phishers have created this page to encourage victims to “Enable Content” and view the data.

This approach appears to be more effective. After all, you’re just agreeing to view the data inside the document. Harmless, right?

When you click on Enable Content, the macros are enabled and the malware starts running. The malware downloads a GIF file (a common type of image file).

Once the contents are downloaded (a GIF header followed by scrambled data), everything still looks benign. However, the macro includes decryption tools that pull out the malicious code, unscramble it, and write it to the %TEMP% folder.
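A defender can apply the same structure in reverse: a downloaded file that carries a GIF signature but does not parse as a GIF, or that carries a sizeable blob after the GIF trailer byte, is worth a second look before it is trusted as an image. The Python below is an added example for this post, not Sophos’s or the original author’s code; the sample bytes are constructed here, and the 64-byte trailing threshold is an assumption rather than a published indicator.

```python
# Added example: decide whether a downloaded "GIF" is really an image or a carrier
# for scrambled data. Two signals are used:
#   1. the bytes carry a GIF signature but do not parse as a GIF at all, or
#   2. they parse, but a sizeable blob follows the 0x3B trailer byte.
# Samples below are constructed for this example; the 64-byte threshold is an assumption.

GIF_SIGNATURES = (b"GIF87a", b"GIF89a")

def _color_table_size(packed: int) -> int:
    # Bit 7 says a colour table follows; bits 0-2 give log2(entries) - 1; 3 bytes per entry.
    return 3 * (2 ** ((packed & 0x07) + 1)) if packed & 0x80 else 0

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    # Data sub-blocks are [length][payload] pairs ended by a zero-length block.
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        length = data[pos]
        pos += 1
        if length == 0:
            return pos
        pos += length

def analyze_gif(data: bytes) -> dict:
    """Walk the GIF block structure; report well-formedness and bytes after the trailer."""
    if data[:6] not in GIF_SIGNATURES:
        return {"gif_signature": False, "well_formed": False, "trailing_bytes": 0}
    try:
        if len(data) < 13:
            raise ValueError("no logical screen descriptor")
        pos = 13 + _color_table_size(data[10])       # header + LSD + global colour table
        while True:
            if pos >= len(data):
                raise ValueError("trailer never reached")
            block = data[pos]
            if block == 0x3B:                         # trailer: the image ends here
                pos += 1
                break
            if block == 0x21:                         # extension: label byte, then sub-blocks
                pos = _skip_sub_blocks(data, pos + 2)
            elif block == 0x2C:                       # image descriptor (10 bytes incl. 0x2C)
                if pos + 10 > len(data):
                    raise ValueError("truncated image descriptor")
                pos += 10 + _color_table_size(data[pos + 9]) + 1   # +1 for LZW min code size
                pos = _skip_sub_blocks(data, pos)
            else:
                raise ValueError(f"unexpected block id 0x{block:02x}")
    except ValueError:
        return {"gif_signature": True, "well_formed": False, "trailing_bytes": 0}
    return {"gif_signature": True, "well_formed": True, "trailing_bytes": len(data) - pos}

def looks_like_carrier(data: bytes, min_trailing: int = 64) -> bool:
    """True when a GIF-signed blob is malformed or hides >= min_trailing bytes after the trailer."""
    info = analyze_gif(data)
    return info["gif_signature"] and (not info["well_formed"] or info["trailing_bytes"] >= min_trailing)

# Constructed samples: a valid 1x1 GIF, the same image with 200 bytes of "scrambled"
# data appended, and a blob that merely borrows the signature.
CLEAN_GIF = bytes.fromhex(
    "474946383961 01000100 80 00 00 000000 ffffff"      # header, screen descriptor, palette
    "2c 00000000 01000100 00 02 02 4401 00 3b"          # image descriptor, pixel data, trailer
)
SCRAMBLED_TAIL = bytes((i * 37 + 11) % 256 for i in range(200))
CARRIER_GIF = CLEAN_GIF + SCRAMBLED_TAIL
SIGNATURE_ONLY = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + SCRAMBLED_TAIL

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_GIF), ("carrier", CARRIER_GIF), ("signature-only", SIGNATURE_ONLY)):
        print(name, analyze_gif(blob), "CARRIER" if looks_like_carrier(blob) else "ok")
```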

SophosLabs wrote the blog post highlighting this phishing scam. When they tested the attack, they found malware dubbed Troj/Agent AURH. This is a type of bot malware that connects the computer to the phishers’ command-and-control network for future tasks.

Sophos reminded readers of the potential consequences of this type of malware:

  • The malware is flexible and can be changed according to the victim’s time zone, location, language settings, etc.
  • The instructions sent to infected computers (bots) can vary and include downloading additional malware

After all is said and done, the phishers wipe their hands of the scam with the following note to victims:

Key Takeaways

It’s natural to see an email like this and be unsure which parts are legitimate and which are scammy. There’s a sense of fear and urgency when the sender knows your personal information like last name and home address.

Most likely, the phishers obtained the personal information as a result of one or more data breaches. However, pinpointing the source of the breach would prove difficult.

Here are a couple of takeaways and best practices from the Sophos team for preventing these types of scams:

Don’t open unsolicited or unexpected attachments. Even if the document claims to be an invoice you don’t owe, or threatens you in some way, don’t let fear or uncertainty get the better of you.

Don’t turn off important security settings (i.e. don’t enable macros!). As noted above, phishers are always trying new tricks to get you to click the bait. The Enable Content part was sneaky, but not impossible to notice. MS Word turned off macros by default a long time ago to improve security. Unless you’re intentionally using them, keep macros disabled.

2016: Record Year for Phishing Attacks

Phishing attacks gained a ton of traction through the course of 2016 – just think of all the ransomware and business email compromise attacks reported.

The Anti-Phishing Working Group (APWG) released their phishing trends report to recap the landscape from 2016.

Ransomware is a large driver for the huge spike in attacks throughout the past year. In fact, the FBI reported that 93% of all phishing emails contained ransomware. The total number of phishing attacks in 2016 was a whopping 1.2 million – a 65% increase over 2015.

However, the APWG report doesn’t consider spear-phishing attacks. With business email compromise and CEO fraud also making headlines in the cyber world, this puts into perspective the massive uptick in the threats of phishing.

To take a 12-year recap, the 4th quarter of 2004 saw an average of 1,609 phishing attacks per month. The latest numbers for the 4th quarter of 2016… an average of 92,564 attacks per month. That’s a healthy 5,753% increase over the past decade.

RiskIQ Takeaways

RiskIQ – a digital threat management firm – provides insights to accompany the APWG report. RiskIQ found that it is not the address in the browser bar that fools victims.

The company noted that a relatively low percentage of phishing websites targeting a specific brand attempt to spoof that brand in the domain name of their fraudulent web address – whether at the second level or elsewhere in the fully-qualified domain name.

This shows that phishers don’t need to get too creative with their deceptive domain names to trick their victims into visiting the malicious websites.

Instead, they rely on tricks that have proven effective: hyperlinks whose text hides the real destination, URL shorteners, or brand names inserted elsewhere in the URL.

IP Filters

IP filtering was the other area of interest in the APWG report. The study found that some fraud websites make extensive use of IP filters, and the technique was found in 29% of attacks.

This is a technique that allows the fraudsters to block visitors whose IP addresses are outside the target country. In other words, only the targeted victims get to see the fraud sites.

The goal is to make the job more difficult for response teams at hosting providers outside the targeted jurisdiction to detect and prevent the fraudulent activity. It keeps them from noticing and fixing the problems.

Another way this technique is used is to block the IP addresses of the targeted company. This keeps the company’s security team from noticing the fraud, or makes them think the fraud site has already been taken down.

Employee Training

The best way to prevent phishing attacks from impacting your organization is through employee awareness and training. ePlace Solutions provides a series of training courses on Social Engineering, with specific courses on phishing, spear-phishing, and ransomware.

If you’re reading this, it’s likely your organization has access to these training programs through our cyber insurance policy. Reach out to cyberteam@eplaceinc.com to find out how to leverage the Social Engineering training courses for your workforce!

New Phishing Tricks to Watch For

A new phishing scam is tricking even the savviest Gmail users into giving up their account credentials. Here are the details:

Gmail Attack

Phishers start with a compromised Gmail account. They skim through recent emails looking for one with an attachment. Once they find an email that fits their criteria, they create a screenshot of the attachment and include it in a reply email to the sender.

The original sender receives the reply with the same subject line, thinking it’s a normal response. The sender clicks on the image, expecting to get a preview of the attachment.

However, instead of a preview, a new tab opens and the user is prompted to sign into their Gmail account again on the new webpage. This fake page is a well-designed replica of Gmail’s login page.

To make it hard to identify as a phishing webpage, attackers include the accounts.google.com subdomain in the URL. This makes users think it’s a legitimate Google webpage. But looking at the address bar shows that before the https there’s a text string, ‘data:text/html…’ that opens the fake, but functional, Gmail login webpage.

If an attack is successful, and a victim enters their login credentials, attackers sign into the account and start the process over again with the new account and new contacts.

Dropbox Variant

Another twist on this type of phishing attack will direct users to click a link that will allow the document to be viewed through Dropbox. Similar to the fake Gmail login page, users are taken to a webpage that allows them to view the document after they’ve signed in using their email credentials.

Once they enter the email credentials, victims are shown a decoy PDF document to divert any attention away from the phishing attack.

Phishing Dangers

Obviously, this attack can lead to compromised Gmail accounts and provide a gateway to plenty of further attack methods. With the widespread reuse of passwords across multiple accounts, this type of attack can lead to enterprise email accounts becoming compromised.

If an attacker gets the login credentials to an executive’s Gmail account, chances are they can use the same password to access the executive’s corporate email account as well. Give the attacker a bit of time to gather information on the executive and their communication methods, and they will be conducting successful business email compromise attacks before you know it!

Email & Password Reuse

PhishLabs reports that phishing volume increased by 33% across the five most-targeted industries. The largest jump was seen in the phishing attacks directed towards cloud storage providers. Attackers are targeting these types of services in order to harvest their troves of email address and password pairs.

This ties back to the account reuse attacks with cyber criminals recycling those stolen credentials in the enterprise arena. Any organization relying on email addresses and passwords to authenticate users could be impacted by these indirect phishing attacks.

The common trend is the reliance on email addresses instead of unique usernames for authentication purposes. And due to the high frequency of password reuse, stolen credentials from a cloud service provider may inadvertently give attackers access to multiple accounts.

Key Takeaway

These types of phishing attacks demonstrate the importance of implementing two-factor authentication on online accounts. While the password is still the top choice for authenticating users online, that extra layer of defense can be the difference between a compromised account and a safe one.

W-2 Phishing Scams Are Back With New Tricks

It’s that time of year again to start thinking about taxes. At the very least, cyber criminals have tax time circled on their calendar once again. This is the perfect time for them to send their scam emails to HR departments posing as the CEO to request W-2 forms and information.

W-2 Phishing Scam

W-2 phishing attacks are typical at this time of year, during tax season. W-2 forms and records hold a treasure trove of information that cyber criminals dream about: names, addresses, Social Security numbers, wages, etc.

Cyber criminals use this information to commit tax fraud and file fake tax return requests to steal the victim’s refund. W-2 information also makes its way onto the dark web, usually selling for anywhere between $4 and $20 per record.

The typical scenario for this type of attack looks similar to business email compromise or CEO fraud. Phishers compromise or spoof the email account of a company executive, most likely the CEO. They then turn to the HR or payroll department and request that W-2 data be compiled in a file and emailed immediately.

The IRS shares some of the common language to beware of from these scam emails:

  • Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
  • I want you to send me the list of W-2 copy of employees’ wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.

Victims of tax return fraud usually learn of the crime after having their returns rejected due to the fraudsters filing before them.

IRS Alert

The IRS issued an urgent alert regarding these types of scams, noting cyber criminals are starting to combine the W-2 phishing scam with wire transfer fraud.

From the criminal’s perspective … why not? Once the HR department sends over the W-2 data requested, the phishers will email the payroll or finance department asking for a wire transfer to be completed.

The IRS notes that the range of targets for these attacks is only increasing. Phishers are targeting school districts, healthcare organizations, chain restaurants, staffing agencies, and non-profits.

Best Practices

Organizations need to issue specific reminders to the HR department and educate them to be on the lookout for requests for W-2 information or other fraudulent requests. If any employee suspects a fraudulent request, ensure they report it to the proper person in your organization immediately.

The IRS asks that organizations receiving a W-2 scam email forward it to phishing@irs.gov and put ‘W2 Scam’ in the subject line.

From an administrative standpoint, organizations need to enforce policies against sharing sensitive data – including W-2 forms – via unencrypted email. Remind employees of these policies and that the CEO should never request this type of information via email. And lastly, before sending any W-2 information, make sure your employees verify the legitimacy of the email with the sender by phone call (to a known number) or in person.

City of El Paso Victimized in $3.2 Million Phishing Scam

Spear-phishing scams are more common than ever these days. The City of El Paso learned this the hard way when a phishing scam resulted in the theft of $3.2 million from the city’s coffers.

Two spear-phishing emails impersonating one of the city’s vendors were the cause of the theft. On September 28, $2.9 million in state funds were wired to the fake vendor of a project managed by the Camino Real Regional Mobility Authority (CRRMA). Then, on October 4, $312,000 in funds slated for city projects were wired to an imposter’s account. To date, $1.9 million of the funds have been recovered.

The City of El Paso has released some of the emails that were exchanged in the scam. The Mayor and Council requested that the city release the emails to increase community awareness on the issue and to reassure the public regarding the incident.

Phishing Scam Timeline

Here is a quick breakdown of the details of the incident:

Aug 22: Imposter Granite Construction Company exchanges a series of emails with CRRMA requesting payment. During these emails, “new” checking account information is submitted by the imposter to replace legitimate vendor Paso Del Norte Trackworks’ checking account information. The difference in vendor name is caught by a city Purchasing Department employee who brings it to the attention of the CRRMA. They reply to the Purchasing employee that the vendor is just changing their checking account and to process the change.

Sept 19: Imposter Granite Construction Company contacts CRRMA, the city’s Comptroller Office, and the city’s Purchasing Department to inquire about when the next payment will be processed. An accountant in the Comptroller’s Office questions the payment inquiry and brings it to the attention of the CRRMA. They respond to the Accountant and tell him that they have instructed Granite to contact the CRRMA directly regarding all payment inquiries.

Sept 29: The real Granite Construction Company contacts CRRMA to inform them that they have not been paid. CRRMA does not contact the Comptroller’s Office regarding this communication.

Oct 12: The Comptroller’s Office contacts the real Granite Construction Company and asks if they received the $2.9 million payment. When the Comptroller is informed by the real Granite Construction that they did not receive the payment, the Comptroller submits a request to Wells Fargo to recover the payment.

Key Takeaway

One way to avoid these types of wire transfer scams is to have a two-step verification procedure in place. For example, instead of transferring funds upon a simple email request, require that both an email and a confirming phone call be made to the finance department.

Other best practices include:

  • Closely check the sender email address – oftentimes the spoofed email address will be one letter off.
  • Stay current on vendors’ habits and confirm wire transfer requests with a phone call from a known number.
  • Verify any changes in vendor payment location by using a secondary sign-off by organization personnel.

Phishing Alert: Healthcare Entities Targeted With Fake OCR Emails


Healthcare entities should be on the lookout for new phishing emails impersonating the Department of Health and Human Services Office for Civil Rights (OCR). The OCR is the government agency that oversees HIPAA regulations for healthcare organizations.

Phishing Email Details

The phishing email is made to look legitimate by incorporating the HHS departmental letterhead along with the signature of OCR Director Jocelyn Samuels.

Email recipients are told they might be included in the HIPAA Audits that are currently in progress. The email instructs users to click a link that takes them to a website promoting cybersecurity services. OCR is not associated with the firm in the fake email in any way.

The email is sent from the email address: OSOCRAudit@hhs-gov.us. The URL in the email directs users to the website: www.hhs-gov.us. Both are slightly different than the actual email address and URL set up for the OCR audits.
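The hhs-gov.us look-alike above, the data:text/html trick in the Gmail attack described earlier, and the brand-in-the-URL tactic from the APWG/RiskIQ section can all be surfaced by the same small set of link and sender checks. The Python below is an added example written for this archive, not code from ePlace, RiskIQ, APWG or OCR; PROTECTED_BRANDS, SHORTENERS and the two-label registered-domain rule are assumptions an organization would replace with its own configuration.

```python
from urllib.parse import urlparse

# Added example: phishing-link and sender checks for the tricks discussed in these posts.
# Reference data is constructed for this example (assumption); a real deployment would load
# its own list of brands and legitimate domains from configuration.
PROTECTED_BRANDS = {
    "google": {"google.com"},
    "dropbox": {"dropbox.com"},
    "hhs": {"hhs.gov"},
}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}   # small illustrative set

def registered_domain(host: str) -> str:
    # Simplification (assumption): the last two labels are the registrable domain.
    # Suffixes such as co.uk need a public-suffix list; kept short here on purpose.
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def host_indicators(host: str) -> list:
    """Flags for a hostname or sender domain: a brand name in the host whose registered
    domain is not the brand's, and hyphenated look-alikes such as hhs-gov.us for hhs.gov."""
    host = host.lower()
    reg = registered_domain(host)
    flags = []
    if reg in SHORTENERS:
        flags.append("url-shortener")
    for brand, domains in PROTECTED_BRANDS.items():
        if reg in domains:
            continue                                   # the genuine domain
        if brand in host:                              # e.g. accounts.google.com.evil.example
            flags.append(f"brand-in-host-not-registered:{brand}")
        for label in host.split("."):
            dotted = label.replace("-", ".")          # hhs-gov -> hhs.gov
            if dotted in domains:
                flags.append(f"hyphenated-lookalike:{dotted}")
    return flags

def url_indicators(url: str) -> list:
    """Flags for a link target. A data: URI never contacts a server, so the host
    checks are replaced by a search for a protected domain inside the URI body."""
    parsed = urlparse(url.strip())
    scheme = parsed.scheme.lower()
    if scheme == "data":
        flags = ["data-uri"]
        if parsed.path.lower().startswith("text/html"):
            flags.append("data-uri-renders-html")     # the fake Gmail login page case
        body = url.lower()
        flags += [f"brand-inside-data-uri:{b}" for b, ds in PROTECTED_BRANDS.items()
                  if any(d in body for d in ds)]
        return flags
    if scheme not in ("http", "https") or not parsed.hostname:
        return [f"unexpected-scheme:{scheme or 'none'}"]
    flags = host_indicators(parsed.hostname)
    reg = registered_domain(parsed.hostname)
    rest = (parsed.path + "?" + parsed.query).lower()
    flags += [f"brand-in-path-not-host:{b}" for b, ds in PROTECTED_BRANDS.items()
              if reg not in ds and b in rest]          # brand name inserted in the URL
    return flags

def sender_indicators(address: str) -> list:
    """Flags for a From: address such as OSOCRAudit@hhs-gov.us."""
    if "@" not in address:
        return ["no-domain"]
    return host_indicators(address.rsplit("@", 1)[1])

if __name__ == "__main__":
    for sample in ("data:text/html,https://accounts.google.com/ServiceLogin",
                   "https://www.hhs-gov.us/audit", "http://example.net/login/dropbox/view"):
        print(sample, url_indicators(sample))
    print("OSOCRAudit@hhs-gov.us", sender_indicators("OSOCRAudit@hhs-gov.us"))
```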

Key Takeaway

The main targets for this scam are employees of Covered Entities and Business Associates. If your organization is covered under HIPAA regulations, make sure your workforce is aware of these potential phishing scams.