Information Security Newspaper | Hacking News (https://www.securitynewspaper.com/), feed generated Fri, 02 Dec 2022 20:35:07 +0000

6 reasons to secure your email in 2023 without investing much
https://www.securitynewspaper.com/2022/12/03/6-reasons-to-secure-your-email-in-2023-without-investing-much/ (Sat, 03 Dec 2022 20:27:00 +0000)

The post 6 reasons to secure your email in 2023 without investing much appeared first on Information Security Newspaper | Hacking News.

Because companies either do not train their staff enough or have inadequate email security measures in place, many firms, from start-ups to multinational enterprises, are susceptible to phishing and other email-based fraud. These frauds take many different forms. By strengthening the security of your email and training your employees, you can avoid becoming a statistic.
Emails are a particular target for hackers because of their convenience. E-mails are a cybercriminal’s go-to weapon because of the versatility they provide in terms of the kind of attacks that can be carried out with them. These attacks may range from something as basic as spamming to something as complicated as stealing sensitive data.

The widespread use of email is one explanation for this. Human nature is another factor that has to be taken into account. Although email is simple to use, the majority of workers lack the expertise and experience required to recognize phishing emails and other harmful content. Cybercriminals are aware of this weakness and look for opportunities to take advantage of it whenever they can.

The most widespread danger nowadays is ransomware.


Even though phishing emails have been recognized as the most frequent first vector for such assaults, ransomware has continued to be one of the most prevalent dangers. Built-in email security protections are unable to thwart more sophisticated cyberattacks because thieves are becoming more creative and their methods are becoming more sophisticated.

This is because fraudsters reverse-engineer the rules that are supposed to block them and use current tooling to get into employee inboxes. When this occurs, it helps to have a security solution dedicated to protecting email, since such solutions apply several layers of protection. A comprehensive email security solution protects your firm from sophisticated and targeted attacks.

The cost of securing email communications is far lower than the cost of a data breach.


If your firm does not make investments in email security, you are probably not thinking about external factors that might have major repercussions for your company. Theft of private information is one possible consequence that might result from insecure data processing, and identity fraud is often the next step after that. When possible penalties for breaking a security or privacy rule are factored in, the cost of a breach may become much more financially burdensome than it already was. One thing, however, can be said with absolute certainty: the expenses of maintaining email security do not exceed the costs of a data breach.

Boost output without compromising safety


About ninety percent of the emails that companies get are deemed to be spam. That is, they aren’t requested, and there is a possibility that they have a malevolent intent. Because of the amount of time that is lost dealing with spam, the absence of an efficient antispam solution may have a substantial influence on the amount of work that is accomplished inside a business.

When the appropriate email security measures are in place, staff members have more time to devote to focusing on ways to enhance the service that is delivered to customers and partners. In addition, as was said before, data breaches can cause harm to the reputation and credibility of an organization. Depending on the gravity of the situation, it may be difficult and costly to win back the trust of both existing consumers and potential new business partners. Without a shadow of a doubt, the success of every company is directly proportional to the reliability and trustworthiness of its brand.

Email protection offers a competitive edge to businesses


When you examine the data gathered by companies, you will realize that the overwhelming majority of it is confidential or private information, coming not only from employees inside your firm but also from customers and partners outside it. Nobody wants critical information like this to end up in the wrong hands.

At first, it might be a nuisance for certain firms, but in the long term they will benefit greatly from it. How seriously a company takes its security obligations is a measure of its commitment to keeping its customers’ personal information confidential. Doing so also encourages greater trust in doing business with you, giving you an advantage over the other companies in the industry.

New risks of Cloud Email


Email has become a target for hackers due to the widespread usage of cloud computing, which has only made exploiting email simpler. Cybercriminals now have new attack vectors as a result of the increasing usage of cloud-based email and document sharing platforms such as Google Drive and Microsoft 365. One example of these attacks:

Often, an attacker will send a phishing email pretending to be a shared document. When the victim clicks on the link, they will be requested to input their credentials for the service in order to see it. The attacker will get these credentials after the credentials have been entered. An attacker may use these stolen credentials to access sensitive data located anywhere inside the company’s cloud if the organization’s cloud architecture has not been configured to offer visibility into account use and apply access control.

Email is one of the most prevalent attack vectors used by cybercriminals, and the typical security solutions for email are not sufficient to guard against this danger. It is necessary for businesses to have an email security solution that has the following essential capabilities:

  1. Protection against phishing and other forms of malware
  2. Protection against data loss
  3. Protection against account takeover (account hacking)

The fact that email is so essential to running a business makes it the most susceptible communication channel for any company. Fraudsters continue to take advantage of the open nature of email and enhance their strategies for getting into companies. As a result, businesses need to evaluate the best ways to defend their staff from the threats hidden in the inbox.

How to hide spoofed malicious domain when users hover above a link in a phishing email in Microsoft Outlook, Word or Excel document?
https://www.securitynewspaper.com/2022/06/03/how-to-hide-spoofed-malicious-domain-when-users-hover-above-a-link-in-a-phishing-email-in-microsoft-outlook-word-or-excel-document/ (Fri, 03 Jun 2022 20:43:26 +0000)

A recent report indicates that Microsoft Office applications could be exposed to homograph attacks based on internationalized domain names (IDNs). In a successful attack, a target user scrolling over a link in a phishing email or Word or Excel document could be automatically redirected to a malicious domain.

The report, by Bitdefender, mentions: “Users in a position to validate a link in an email client before clicking on it will be susceptible to clicking on it because it has not yet been translated into a real domain name in their browser. The actual domain name would only be seen after the page has started to open.”

The term IDN refers to domain names that, in whole or in part, use characters from a non-Latin script or alphabet, encoded under the Unicode standard. So that the Domain Name System (DNS) can handle them, IDNs are stored in the DNS as ASCII strings using Punycode encoding.

Counterfeit IDN homograph domains can be created by combining letters from different alphabets, which to the user look so similar to each other that it is impossible to distinguish them, although Unicode treats them as separate entities. This is not a new concept, although it is still a problem for many users.

Most browsers, for example, display the Punycode form of an internationalized domain name in the address bar (https://xn--n1aag8f.com, for example) rather than its Unicode form (https://žugec.com) when the name looks suspicious. Office applications, including Outlook, handle the display differently: they show the lookalike name when the user hovers over the link, so the real domain name is only revealed once the page starts to load.

Since domain registration verification greatly limits which counterfeit domains can be registered and most browsers display the real name of the spoofed IDN domain, IDN homograph attacks have ceased to be a constant cybersecurity threat, although threat actors may find ways to deploy these attacks on a large scale.

Microsoft acknowledged the problem when it received the Bitdefender report, though it’s unclear whether the issue will be fixed. Until it is resolved, endpoint security solutions and IP and URL reputation services can help by blocking most suspicious domains.
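As an added illustration of the Punycode/Unicode split described above (this code is not from the Bitdefender report or the article), the following Python helper shows a link's hostname both as a Unicode-rendering client displays it and as DNS resolves it, and flags labels that mix scripts, which is the classic homograph tell. The sample URLs, the Cyrillic "а" lookalike and the function names are constructed for this example; script detection uses the first word of each character's Unicode name, which is adequate for triage but less precise than the Unicode Script property.

```python
# Added example (not from the Bitdefender report or the article): a link
# review helper that exposes the Punycode form of an IDN hostname next to the
# form a client renders, and flags mixed-script labels. Samples are constructed.
import unicodedata
from urllib.parse import urlsplit


def to_ascii(host: str) -> str:
    """Unicode hostname -> ACE form (Punycode labels with the xn-- prefix), as stored in DNS."""
    return host.encode("idna").decode("ascii")


def to_unicode(host: str) -> str:
    """ACE hostname -> Unicode form. A name that is already Unicode passes through unchanged."""
    if host.isascii():
        return host.encode("ascii").decode("idna")
    return host


def label_scripts(label: str) -> set:
    """Script names (LATIN, CYRILLIC, GREEK, ...) of the letters in one DNS label.

    Taken from the first word of each character's Unicode name (assumption:
    good enough for triage; the Unicode Script property is more precise)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def analyze_url(url: str) -> dict:
    """Report the displayed and the resolved hostname of a link plus homograph indicators."""
    host = urlsplit(url).hostname or ""
    displayed = to_unicode(host)      # what a Unicode-rendering client shows on hover
    dns_name = to_ascii(displayed)    # what is actually looked up in DNS
    mixed = any(len(label_scripts(label)) > 1 for label in displayed.split("."))
    return {
        "displayed": displayed,
        "dns_name": dns_name,
        "is_idn": dns_name != displayed,
        "mixed_script": mixed,
        # A reviewer should see the xn-- form whenever it differs from the
        # rendered name; a label mixing two scripts is the classic homograph tell.
        "needs_review": dns_name != displayed or mixed,
    }


if __name__ == "__main__":
    # Constructed samples: the second uses a Cyrillic "а" (U+0430) in place of the Latin "a".
    for sample in ("https://paypal.com/login",
                   "https://p\u0430ypal.com/login",
                   "https://\u017eugec.com/"):
        print(analyze_url(sample))
```

Running this on the hover text of a link gives the reviewer the `xn--` name that Outlook does not show; a gateway can apply the same `needs_review` flag to rewrite or quarantine links before delivery.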

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

9 critical vulnerabilities in Mozilla Thunderbird allow easy takeover of your machine via email
https://www.securitynewspaper.com/2022/05/31/9-critical-vulnerabilities-in-mozilla-thunderbird-allow-easy-takeover-of-your-machine-via-email/ (Tue, 31 May 2022 23:34:16 +0000)

Cybersecurity specialists reported the detection of multiple flaws in the Mozilla Thunderbird multiplatform email client, whose successful exploitation would allow malicious hackers to carry out several attack scenarios on target systems.

Below are brief descriptions of the reported flaws and their respective tracking key and scores assigned according to the Common Vulnerability Scoring System (CVSS).

CVE-2022-31736: An error while processing HTTP requests would allow malicious websites to extract the size of a cross-origin resource that supported Range requests, thus bypassing security restrictions on the target system.

This is a low-severity flaw and received a CVSS score of 3.8/10.

CVE-2022-31737: A boundary error in WebGL when processing HTML content would allow remote attackers to create specially crafted websites that trigger an out-of-bounds write and arbitrary code execution against Thunderbird users.

This is a high-severity flaw and received a CVSS score of 7.7/10.

CVE-2022-31738: An error when exiting fullscreen mode may allow remote hackers to use an iframe and confuse the browser about its current screen state, thus allowing spoofing attacks.

The vulnerability received a CVSS score of 4.7/10, as it’s considered a medium severity issue.

CVE-2022-31739: An input validation error when saving downloaded files on Windows would allow remote attackers to use the “%” character in a filename to store data outside the originally intended directory.

This is a medium-severity flaw and received a CVSS score of 5.7/10.

CVE-2022-31740: A boundary error related to a register allocation problem in WASM on arm64 allows remote threat actors to run arbitrary code on the target system using a specially crafted website.

This is a high-severity flaw and received a CVSS score of 7.7/10.

CVE-2022-31741: A boundary error when processing HTML content would allow remote attackers to create a specially crafted webpage and run arbitrary code on the victim’s system.

The vulnerability received a CVSS score of 7.7/10, as it’s considered a high-severity issue.

CVE-2022-31742: An issue while handling a large number of allowCredential entries can allow remote malicious hackers to detect the difference between invalid key handles and cross-origin key handles using a specially crafted webpage.

This is a medium-severity flaw and received a CVSS score of 5.7/10.

CVE-2022-31747: A boundary error when processing HTML content would allow malicious hackers to create a specially crafted website and perform memory corruption and arbitrary code execution attacks.

This is a high-severity flaw and received a CVSS score of 7.7/10.

CVE-2022-1834: The incorrect processing of multiple Braille Pattern Blank space characters would result in displaying every space character, allowing threat actors to spoof senders’ email addresses.

The vulnerability received a CVSS score of 4.6/10, as it’s considered a medium severity issue.
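As an added illustration (not from the article or from Mozilla's advisory) of how the display-name trick described under CVE-2022-1834 can be caught at a mail gateway, the following Python check decodes the From header and flags display names padded with Braille Pattern Blank characters that render as empty space and push the real address out of view. The sample headers, the addresses and the function names are constructed for this example.

```python
# Added example, not part of the article or of Mozilla's fix: a gateway-style
# check for From display names padded with Braille Pattern Blank (U+2800)
# characters, the sender-spoofing pattern described under CVE-2022-1834.
# The sample headers and addresses below are constructed for illustration.
import base64
from email.header import decode_header, make_header
from email.utils import parseaddr

BRAILLE_BLANK = "\u2800"
# Characters that render like an ordinary space in many clients but are not U+0020.
DECEPTIVE_BLANKS = {BRAILLE_BLANK, "\u00a0", "\u2007", "\u202f", "\u3000"}


def build_from_header(display_name: str, addr_spec: str) -> str:
    """Build a raw From value with an RFC 2047 encoded display name, as a sender would."""
    word = base64.b64encode(display_name.encode("utf-8")).decode("ascii")
    return f"=?utf-8?b?{word}?= <{addr_spec}>"


def check_from_header(from_value: str) -> dict:
    """Decode the display name of a From header and report spoofing indicators."""
    raw_name, addr_spec = parseaddr(from_value)
    name = str(make_header(decode_header(raw_name)))
    blanks = sum(1 for ch in name if ch in DECEPTIVE_BLANKS)
    visible_name = name.strip("".join(DECEPTIVE_BLANKS) + " ")
    embedded_domain = visible_name.rpartition("@")[2].lower() if "@" in visible_name else ""
    real_domain = addr_spec.rpartition("@")[2].lower()
    return {
        "display_name": visible_name,
        "addr_spec": addr_spec,
        "deceptive_blank_count": blanks,
        "display_name_has_address": "@" in visible_name,
        # Blank padding plus an address-looking name whose domain differs from
        # the real address is the combination worth quarantining or rewriting.
        "suspicious": blanks > 0 and "@" in visible_name and embedded_domain != real_domain,
    }


if __name__ == "__main__":
    # Constructed sample: the visible part reads like a bank address, the
    # padding hides the real sender in a narrow header view.
    spoofed = build_from_header("alice@bank.example" + BRAILLE_BLANK * 12, "mallory@evil.example")
    print(check_from_header(spoofed))
    print(check_from_header("Alice Example <alice@bank.example>"))
```

The same decode-then-compare step applies to the Reply-To and Sender headers; a client-side fix only changes how the padding is drawn, so the gateway check is worth keeping even after updating.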

Although these flaws can be exploited by remote, unauthenticated threat actors, no active exploitation attempts have been detected. Still, Thunderbird users are advised to update to the latest available version to mitigate the risk of exploitation.

Interpol arrests hackers who attacked oil and gas companies worldwide: Operation Killer Bee
https://www.securitynewspaper.com/2022/05/31/interpol-arrests-hackers-who-attacked-oil-and-gas-companies-worldwide-operation-killer-bee/ (Tue, 31 May 2022 16:32:21 +0000)

Interpol announced that Operation Killer Bee, deployed in collaboration with authorities in 11 countries in South Asia, led to the arrest of three Nigerian nationals accused of using a remote access Trojan (RAT) to divert funds and steal access credentials from affected organizations. This cybercriminal group operated from Lagos, Nigeria, and reportedly attacked multiple oil and gas companies in the Middle East, North Africa, and Southeast Asia, stealing an undetermined amount.

One of those arrested faces charges of possession of fraudulent documents, impersonation, and obtaining money with false claims, and could spend more than three years in prison. The other two defendants face only one count of possession of fraudulent documents, which Interpol believes they would have used in a business email compromise (BEC) campaign.

SOURCE: Interpol

During the arrest of the three individuals, laptops and smartphones used for this fraudulent operation were confiscated, allowing law enforcement to discover that the hackers were using the RAT known as Agent Tesla. This malware variant allows information theft, keystroke logging, and theft of credentials stored in web browsers, email clients, and other platforms.

SOURCE: Interpol

The defendants allegedly used Agent Tesla to steal credentials in the targeted organizations, in addition to accessing internal emails and maintaining constant surveillance of employees in these companies. The collection of information about the target is a fundamental part of a BEC attack since threat actors need to know the processes, standards, and actors involved in the processes of the affected organizations.

Cybersecurity specialists report that Agent Tesla has become one of the most widely used malware variants today, above other variants such as AveMaria, Formbook, Lokibot, RedLine, and Wakbot.

In recent days, Interpol also collaborated in the arrest of the alleged leader of SilverTerrier, another BEC operation allegedly run by cybercriminals in Nigeria.

Personal data of MGM Resorts customers leaked on Telegram for free. 142 million records exposed
https://www.securitynewspaper.com/2022/05/23/personal-data-of-mgm-resorts-customers-leaked-on-telegram-for-free-142-million-records-exposed/ (Mon, 23 May 2022 16:29:39 +0000)

This weekend, vpnMentor researchers identified four files on Telegram, totaling 8.7 GB, containing information belonging to customers of MGM Resorts International, a hotel and entertainment company. Although the exact number of people affected has not been confirmed, specialists estimate that the leak contains at least 30 million individual records.

This information reportedly comes from two earlier data breaches detected a couple of years ago: 10 million records posted on a hacking forum in 2020 and 142 million more exposed months later are now available together on the messaging platform.

The compromised records date back to 2017 and include sensitive details such as:

  • Full names
  • Addresses
  • Email addresses
  • Telephone numbers
  • Dates of birth

As with any leak of this kind, threat actors could use the compromised information to deploy phishing campaigns, SIM swapping, identity fraud and other attacks against the millions of affected customers. In addition, cybercriminals can easily identify older adults, who are especially vulnerable to these types of attacks.

However, because the exposed data does not appear to be up to date, the security risk is reduced. At the time of the original leaks, this data was on sale for at least $2,900 USD; that it is now available for free seems to confirm that the information is of no value or interest to hacking groups.

Although considered a low security risk, MGM customers are advised to take steps to prevent an attempted attack: resetting passwords for their online platforms, enabling multi-factor authentication, and ignoring suspicious emails or phone calls are the recommended measures.

How a techie guy scammed the US Department of Defense and stole $23 million using a simple phishing email
https://www.securitynewspaper.com/2022/05/02/how-a-techie-guy-scammed-the-us-department-of-defense-and-stole-23-million-using-a-simple-phishing-email/ (Mon, 02 May 2022 16:18:50 +0000)

The U.S. Department of Justice (DOJ) announced that Sercan Oyuntur, a 40-year-old Californian citizen, was convicted of six counts related to a $23 million USD fraud involving a Department of Defense (DOD) fund intended for the purchase of fuel.

The defendant learned of his conviction on April 28, when he was found guilty of charges such as conspiracy to commit wire and bank fraud, access to electronic devices to commit fraud, identity theft and false statements to federal agents.

To complete the fraud, Oyuntur and his accomplices deployed a complex phishing campaign against an employee of the fuel supply company, who was responsible for communication between the company and the DOD through a government computer system of the General Services Administration (GSA).

The cybercriminals created several fraudulent email accounts with which they pretended to be employees of the fuel company, in addition to designing websites similar to those of the company. Between June and September 2018, Oyuntur and his accomplices sent multiple emails to the affected employee, successfully redirecting him to phishing websites.

On these websites, the threat actors tricked the employee into entering his login credentials, which were subsequently used to break into GSA systems and divert DOD money to their bank accounts.

A key element in the fraudulent operation was an automotive dealership and the creation of a fictitious company run by Hurriyet Arslan, Oyuntur’s accomplice. On October 10, 2018, the DOD transferred $23.5 million USD to the shell company’s bank account; subsequently, a third conspirator sent Arslan an altered government contract awarding the transfer of the money to Arslan’s dealership.

The charges of conspiracy and bank fraud for which Oyuntur was convicted could lead to more than 60 years in prison, while charges of unauthorized access to electronic systems are punishable by up to 10 years in prison. For his part, Arslan pleaded guilty in January 2020 to conspiracy, bank fraud and money laundering. His sentence will be known in mid-2022.

Email marketing company Mailchimp was hacked. Customer accounts control taken over by attackers
https://www.securitynewspaper.com/2022/04/04/email-marketing-company-mailchimp-was-hacked-customer-accounts-control-taken-over-by-attackers/ (Mon, 04 Apr 2022 22:49:29 +0000)

Email marketing company Mailchimp confirmed this morning that a malicious hacking group managed to compromise its systems to access customer accounts and extract potentially sensitive information.

Siobhan Smyth, director of information security at Mailchimp, said its security teams detected malicious activity on its systems on March 26, when they discovered that a tool employed by its customer support systems was being used by hackers.

“We acted quickly to address the situation, canceling access to compromised accounts and taking steps to prevent other employees from being affected,” Smyth said.

Although the company claims that the incident was adequately addressed, it was confirmed that the hackers had access to about 300 Mailchimp accounts, extracting dozens of records. Although Mailchimp did not add more details about the compromised information, it was unofficially mentioned that this data belongs to cryptocurrency and financial analysis firms.

In addition to viewing accounts and exporting data, the threat actors gained access to API keys for an undisclosed number of customers, which would allow them to send spoofed emails; those keys have since been disabled. Smyth said Mailchimp received some reports of hackers using the information obtained from users’ accounts to send phishing campaigns to thousands of users.

Reports about this incident began circulating this weekend, after cryptocurrency wallet maker Trezor confirmed that its users had received emails as a result of the attack on Mailchimp.

In these malicious messages, the hackers incited Trezor users to reset their hardware wallet PINs by downloading malicious software that, had it been installed, could have allowed hackers to steal millions of dollars in cryptocurrency.

Never-seen-before Instagram phishing scam that can defraud any user
https://www.securitynewspaper.com/2022/03/16/never-seen-before-instagram-phishing-scam-that-can-defraud-any-user/ (Wed, 16 Mar 2022 22:52:47 +0000)

Phishing is still one of the most common and efficient cybercriminal practices, since in many cases attackers target unsuspecting users without knowledge in cybersecurity, not to mention that hackers resort to all kinds of deceptions to gain the trust of victims.

Specialists have detected a new Instagram phishing campaign in which threat actors use an email supposedly sent from this social media platform arguing that the user has to respond to an alleged “Instagram claim”. In the following screenshot, we can observe that the message is in plain text and in the subject line it simply mentions “INSTAGRAM SUPPORT”, just like in the sender’s line.

According to the report, this phishing and social engineering campaign is aimed at employees of an insurer in the U.S., under the guise of Instagram Support. The message was sent from a legitimate Outlook domain, and the hackers employed various techniques to evade Google’s email security mechanisms.

As for the content of the message, it states that the target user was reported because their activity on Instagram violates copyright laws. The attackers strategically designed this message with the clear intention of creating a sense of urgency in the user and forcing him to click on the attached link, setting a limit of 24 hours to respond to the alleged report.

As you can guess, the link redirects the user to a fraudulent website with a fake Instagram account verification page; you can even see the Meta logos and the web browser used. On this site the target user is asked to enter their Instagram login credentials and complete a supposed verification form.

If the target user falls into the trap, their login credentials are sent to a C&C server controlled by the hackers, leaving these sensitive credentials completely exposed.

This is an active campaign and can be highly harmful to affected organizations and users, so some recommendations must be followed to avoid a catastrophic scenario. The risks of this and other phishing campaigns can be reduced by following these recommendations:

  • Be careful before opening any unsolicited email. No legitimate company or organization requests personal information without prior contact
  • Do not download attachments or click on links included in these messages
  • Use different login credentials for your personal applications and business applications. Using the same passwords increases the risk of exposure in case hackers can access one of your passwords 
  • Use multi-factor authentication for your online platforms whenever possible

Hacker took control of US school district systems and mailed every student cancelling all classes
https://www.securitynewspaper.com/2022/02/17/hacker-took-control-of-us-school-district-systems-and-mailed-every-student-cancelling-all-classes/ (Thu, 17 Feb 2022 21:45:10 +0000)

Dozens of families in the Needham School District fell for what appears to be a bad joke after receiving an email notifying them that this week’s classes would be canceled.

According to the report, the email looked legitimate and appeared to come from the school district’s official accounts. Specifically, it claimed that Pollard Middle School officials had decided to suspend activities until further notice.

Melissa Stein, whose child attends the school, said she noticed something odd after reading the message a couple of times. “That’s not how the director would have written a message; there are a lot of punctuation errors,” she said.

Daniel Gutekanst, superintendent of the Needham School District, emailed Pollard Middle School families early Tuesday with the correct information, denying what the earlier message said. Separately, police department representative Chris Baker confirmed that an investigation is under way together with the school department.

No further details were available at the time of writing, although cybersecurity specialists believe the incident is the result of a cyberattack; this could be confirmed in the following days.
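The report says only that the message appeared to come from the district’s official accounts. The first thing an analyst would check is whether that appearance survives authentication: if SPF, DKIM and DMARC pass and align with the visible From: domain, the message really left the district’s mail platform and the problem is a compromised account or system; if they fail, the headers were simply forged. The following Python script is an added example, not code from the article or from the district, and the two sets of headers it inspects are constructed for illustration (the domains are placeholders, not the district’s real domain):

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed example headers, not the Needham message (the report does not
# publish it). Case A: From: claims the district's domain but nothing
# authenticates it, i.e. a plain header spoof.
SPOOFED_HEADERS = """\
Authentication-Results: mx.receiver.example; spf=fail smtp.mailfrom=bulkmail.example;
 dkim=none; dmarc=fail (p=none) header.from=school-district.example
From: Principal <principal@school-district.example>
To: parent@parent.example
Subject: Classes cancelled this week

"""
# Case B: same From:, but SPF, DKIM and DMARC all pass and align with it. A
# bogus message that authenticates like this points to a compromised account
# or sending platform rather than to spoofing.
AUTHENTICATED_HEADERS = """\
Authentication-Results: mx.receiver.example; spf=pass (sender IP is 203.0.113.7)
 smtp.mailfrom=school-district.example; dkim=pass header.d=school-district.example;
 dmarc=pass header.from=school-district.example
From: Principal <principal@school-district.example>
To: parent@parent.example
Subject: Classes cancelled this week

"""


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower().strip()


def _aligned(auth_domain: str, from_domain: str) -> bool:
    """Relaxed DMARC-style alignment: same domain or a subdomain of it."""
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)


def classify_sender_auth(raw_message: str) -> dict:
    """Summarise SPF/DKIM/DMARC results from Authentication-Results headers
    and compare them with the From: domain the recipient actually sees."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_domain = _domain(parseaddr(str(msg["From"]))[1])
    results = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))

    # Last value wins if several receivers added their own header.
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results))
    dkim_domains = [d.lower() for d in re.findall(r"header\.d=([\w.-]+)", results)]
    mailfrom = re.findall(r"smtp\.mailfrom=(?:[^@\s;]*@)?([\w.-]+)", results)
    spf_domain = mailfrom[0].lower() if mailfrom else ""

    spf_aligned = verdicts.get("spf") == "pass" and _aligned(spf_domain, from_domain)
    dkim_aligned = verdicts.get("dkim") == "pass" and any(
        _aligned(d, from_domain) for d in dkim_domains
    )
    authenticated = verdicts.get("dmarc") == "pass" or spf_aligned or dkim_aligned
    return {
        "from_domain": from_domain,
        "spf": verdicts.get("spf", "none"),
        "dkim": verdicts.get("dkim", "none"),
        "dmarc": verdicts.get("dmarc", "none"),
        "authenticated_as_from_domain": authenticated,
        # Whom to suspect when the content is bogus: a header forger, or the
        # account/platform that legitimately sends for this domain.
        "likely_cause": "account or platform compromise" if authenticated else "sender spoofing",
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_HEADERS), ("authenticated", AUTHENTICATED_HEADERS)):
        print(label, classify_sender_auth(raw))
```

Only the receiving server’s own Authentication-Results header should be trusted; a sender can insert a forged one, so production code should keep only the header whose authserv-id matches the local mail system before applying this logic.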

Squirrelwaffle malware takes control of vulnerable Microsoft Exchange servers to spread banking scam https://www.securitynewspaper.com/2022/02/15/squirrelwaffle-malware-takes-control-of-vulnerable-microsoft-exchange-servers-to-spread-banking-scam/ Wed, 16 Feb 2022 00:06:24 +0000 https://www.securitynewspaper.com/?p=24867

Researchers at security firm Sophos recently reported a campaign in which attackers used the ProxyLogon and ProxyShell exploits to compromise an unpatched on-premises Microsoft Exchange server. The compromised server was then used for the mass distribution of Squirrelwaffle, a malware loader, with the malicious messages injected into existing email threads to deceive employees of the affected organization and ultimately commit financial fraud.

Squirrelwaffle, the researchers note, is a loader distributed as a malicious Microsoft Office document in spam campaigns. It gives threat actors a foothold on the victim’s system and delivers further malware for later attack stages, which in this case included phishing and banking fraud.

If a target user opens the infected attachment and enables macros, a Visual Basic script runs and downloads Cobalt Strike Beacons, giving the attackers control of the compromised system.

Although Squirrelwaffle is a well-known threat, this operation stands out. A conventional intrusion of this kind is cut short by patching the Exchange server, but here the attackers had already harvested the contents of email threads from the server and continued the fraud from outside the victim’s infrastructure; applying the security updates therefore did not stop it.

Using the information contained in those emails, the hackers registered a web domain deceptively similar to a legitimate one in the thread, differing by only a small misspelling, to avoid detection. Taking the conversation out of the victim’s email infrastructure allowed the attackers to carry out the rest of the process unobserved.

The next step was simply to reply to the conversation with malicious emails, trying to trick finance employees into making transfers to bank accounts controlled by the hackers. Additional tricks, such as registering more deceptive domains, made the deception almost undetectable, as the screenshot in the original article shows.

A supposed follow-up email in the thread referred to the “new” bank details and tried to create a sense of urgency in the minds of the targeted employees. In the operation detected by Sophos, the threat actors kept pressing for the transfer with further fake urgent messages.

After days of pressure, the hackers were finally told that the payment was being processed.

According to Sophos, the theft was about to go through when one of the financial institutions involved detected signs of fraud and the transfer was stopped.

This is a more complex variant of a known attack, and it calls for action on two fronts. Apply all available security updates, since the Exchange server was the initial access vector, and enforce email security policies that keep members of the organization from interacting with malicious content. Note the caveat this case illustrates: patching closes the door but does not recover the email threads already taken, so a change of bank details received by email should be verified through a separate, previously known channel before any payment is made.
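The tell in this scheme is a reply in an existing thread whose sender domain is a near miss of a domain already trusted in that thread. The following Python script is an added example, not Sophos’s detection or the article’s code; it flags replies from lookalike domains using an edit distance that counts a transposition as a single change, plus a small homoglyph table (rn for m, 1 for l, and so on). The thread and the domains are constructed for the example:

```python
# Constructed example thread and domains, not data from the Sophos report.
TRUSTED_DOMAINS = {"victim.example", "supplier.example"}

THREAD = [
    {"id": "<1@supplier.example>", "from": "bob@supplier.example",
     "subject": "Invoice 4471"},
    {"id": "<2@victim.example>", "from": "alice@victim.example",
     "subject": "RE: Invoice 4471"},
    # Attacker replies from a domain one transposition away from the supplier's
    {"id": "<3@supplier.exmaple>", "from": "bob@supplier.exmaple",
     "subject": "RE: Invoice 4471 - URGENT: updated bank details"},
    # ...and again from a homoglyph domain ("rn" in place of "m")
    {"id": "<4@supplier.exarnple>", "from": "bob@supplier.exarnple",
     "subject": "RE: Invoice 4471 - payment status?"},
    # Unrelated external party; must not be flagged
    {"id": "<5@bank.example>", "from": "fraud-desk@bank.example",
     "subject": "Verification required"},
]

# Character sequences that look alike in common proportional fonts.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"))


def normalize_homoglyphs(domain: str) -> str:
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent
    transpositions at cost 1, so 'exmaple' is one step from 'example'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def is_lookalike(candidate: str, legit: str, max_distance: int = 1) -> bool:
    candidate, legit = candidate.lower(), legit.lower()
    if candidate == legit:
        return False
    if normalize_homoglyphs(candidate) == normalize_homoglyphs(legit):
        return True
    return osa_distance(candidate, legit) <= max_distance


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower().rstrip(">")


def find_lookalike_replies(thread, trusted_domains):
    """Return the messages whose sender domain impersonates a trusted domain."""
    findings = []
    for msg in thread:
        domain = sender_domain(msg["from"])
        if domain in trusted_domains:
            continue
        for legit in sorted(trusted_domains):
            if is_lookalike(domain, legit):
                findings.append({"id": msg["id"], "from": msg["from"], "impersonates": legit})
                break
    return findings


if __name__ == "__main__":
    for hit in find_lookalike_replies(THREAD, TRUSTED_DOMAINS):
        print(f"{hit['id']}: {hit['from']} impersonates {hit['impersonates']}")
```

The trusted set would normally be built from the domains seen in the thread before the suspicious reply plus the organization’s own domains; the distance threshold of 1 keeps false positives low, and the homoglyph table catches the substitutions that edit distance misses.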

Novel phishing technique uses hacker-operated devices connected to an organization’s network via lateral phishing https://www.securitynewspaper.com/2022/01/28/novel-phishing-technique-uses-hacker-operated-devices-connected-to-an-organizations-network-via-lateral-phishing/ Fri, 28 Jan 2022 17:41:08 +0000 https://www.securitynewspaper.com/?p=24783

This week, Microsoft security teams reported the discovery of a phishing campaign characterized by a novel technique: joining an attacker-controlled device to the affected organization’s environment (Microsoft describes the rogue device being registered to the victim’s Azure AD with stolen credentials) and using it to spread the attack. The campaign was detected in countries such as Australia, Indonesia, Singapore and Thailand.

The attack has two main stages. In the first, the attackers steal the credentials of users in the affected organization; in the second, they use those credentials to register their own device and extend their activity across the compromised environment, beyond the reach of the original malicious email.

According to Microsoft, registering a malicious device lets threat actors spread the attack very discreetly, which the researchers already consider a growing trend in cybercrime. They also note that the attack works best against organizations that do not use multi-factor authentication, since knowing a user’s password is then enough to complete the intrusion.

It all starts when targeted users receive a DocuSign-branded phishing email (Microsoft’s report includes a screenshot of the lure).

The threat actors used a set of phishing domains registered under the .xyz top-level domain. In the Kusto query syntax used for Microsoft 365 Defender advanced hunting, the domain pattern is:

UrlDomain matches regex @"^[a-z]{5}\.ar[a-z]{4,5}\.xyz"

A unique phishing link is generated for each email, with the victim’s email address encoded in the URL’s query parameter. Clicking the link redirects the target to a phishing site on newdoc-lnpye.ondigitalocean.app that poses as an Office 365 login page.

Once the hackers obtain the target user’s credentials, they use them to connect to Exchange Online PowerShell. Through this remote session they create an inbox rule with the New-InboxRule cmdlet that deletes messages containing certain keywords; the rule helps the attackers avoid detection by removing bounce reports, spam alerts and phishing warnings before the account owner sees them.

In one instance of this campaign, the inbox rule created in the affected organization eventually led to the compromise of additional accounts through lateral, internal and outbound phishing emails. The registered malicious device also allowed the hackers to send emails inside the organization without triggering any sign of suspicious activity, enabling a wide-ranging attack.

In this case, the attackers used the compromised inbox to send phishing messages to more than 8,500 email accounts inside and outside the affected organization. These messages resembled any other malicious email campaign.

This is a new example of how important it is to enable multi-factor authentication as a standard protection, as the success of an attack like this depends largely on its absence. Two further checks follow from the chain above: review the Exchange Online audit log for New-InboxRule and Set-InboxRule events that delete or move messages based on keywords, and review the tenant’s device registrations for devices no employee enrolled.
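Two of the indicators above can be checked mechanically: whether a URL’s host matches the published domain pattern, and whether an inbox rule was created that deletes or moves messages based on keywords such as “phishing” or “spam”. The following Python script is an added example rather than code from Microsoft’s report; it translates the Kusto expression to Python and scans audit records in the Name/Value “Parameters” shape that Exchange admin audit entries use. The audit records and the keyword list are constructed assumptions, since the report does not publish the exact keywords the rule used:

```python
import re
from urllib.parse import urlparse

# The report's hunting expression,
#   UrlDomain matches regex @"^[a-z]{5}\.ar[a-z]{4,5}\.xyz"
# translated to Python. Left unanchored at the end exactly as published.
CAMPAIGN_DOMAIN_RE = re.compile(r"^[a-z]{5}\.ar[a-z]{4,5}\.xyz")


def matches_campaign_domain(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return CAMPAIGN_DOMAIN_RE.match(host) is not None


# Words an attacker's cleanup rule typically keys on. Illustrative assumption:
# the report does not list the keywords used in this campaign.
SUSPICIOUS_RULE_WORDS = {
    "phishing", "spam", "junk", "hacked", "password", "undeliverable", "delivery failure",
}
# Rule actions that hide mail from the account owner.
DESTRUCTIVE_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}


def _params(record: dict) -> dict:
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def suspicious_inbox_rules(records) -> list:
    """Flag New-/Set-InboxRule audit events whose conditions mention attacker
    keywords and whose actions delete, move or mark the matching mail."""
    hits = []
    for rec in records:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = _params(rec)
        conditions = " ".join(v for k, v in params.items() if k.endswith("ContainsWords"))
        words = {w for w in SUSPICIOUS_RULE_WORDS if w in conditions.lower()}
        destructive = [k for k in DESTRUCTIVE_PARAMS if k in params]
        if words and destructive:
            hits.append({
                "user": rec.get("UserId"),
                "rule": params.get("Name"),
                "keywords": sorted(words),
                "actions": sorted(destructive),
            })
    return hits


# Constructed, simplified audit records; not from the Microsoft report.
SAMPLE_AUDIT_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "victim@contoso.example",
     "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectOrBodyContainsWords", "Value": "phishing;spam;hacked;password"},
         {"Name": "DeleteMessage", "Value": "True"},
         {"Name": "StopProcessingRules", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "alice@contoso.example",
     "Parameters": [
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "FromAddressContainsWords", "Value": "newsletter@vendor.example"},
         {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

if __name__ == "__main__":
    print(matches_campaign_domain("https://qwert.arabcd.xyz/?e=dmljdGlt"))
    for hit in suspicious_inbox_rules(SAMPLE_AUDIT_RECORDS):
        print(hit)
```

A rule named with a single character, as in the first sample record, is itself a common sign of an attacker-created rule and would be worth a separate check in practice.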

New RAT malware evades detection using JavaScript code embedded in HTML receipt files instead of downloading an ISO file from remote servers https://www.securitynewspaper.com/2022/01/27/new-rat-malware-evades-detection-using-javascript-code-embedded-in-html-receipt-files-instead-of-downloading-an-iso-file-from-remote-servers/ Thu, 27 Jan 2022 22:36:13 +0000 https://www.securitynewspaper.com/?p=24777

Cybersecurity specialists report the detection of a new phishing campaign delivering the AsyncRAT Trojan hidden in an HTML attachment. This malware allows threat actors to monitor affected systems and control them remotely over an encrypted connection that is difficult for victims to detect.

The infection starts with a simple email carrying an HTML attachment disguised as an order confirmation receipt, so targeted users do not usually distrust the message. Opening the file renders a web page that prompts the user to save an ISO file.

Here the campaign differs from other phishing attacks: the page hosts no malware payload to download. Instead, JavaScript embedded in the HTML decodes a Base64-encoded string and assembles the ISO file locally in the browser, mimicking a legitimate download, a technique known as HTML smuggling.

Michael Dereviashkin, the researcher in charge of the report, points out that the ISO download is not generated from a remote server, but from the victim’s browser using JavaScript code embedded in the HTML file: “If the target user opens the ISO file, it is automatically mounted as a DVD drive on the Windows host and includes a .BAT or .VBS, which continues the chain of infection by recovering a malicious component through the execution of a PowerShell command,” says the expert.

The choice of an ISO container is not incidental: at the time of this report, files inside a mounted ISO image did not carry the Mark-of-the-Web, so Windows protections keyed on that flag did not apply to the script inside.

This process leads to the execution of an in-memory .NET module that acts as a three-file dropper: the first file triggers the second, which delivers AsyncRAT as the final payload and checks whether an antivirus product is present on the system in order to add exclusions for itself.

Dereviashkin adds that malware such as AsyncRAT is typically used to establish a remote link between a threat actor and a target device, letting hackers steal information and surveil victims through their devices’ cameras and microphones, essentially making it a spying tool.
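An HTML attachment that builds its own download is detectable without executing it: the file has to contain the payload as a large Base64 literal together with the handful of browser APIs that turn a string into a saved file (atob, Blob, URL.createObjectURL or msSaveOrOpenBlob, an anchor’s download attribute). The following Python script is an added example, not the researcher’s code or a sample from the campaign; it extracts script blocks, looks for those APIs and a large Base64 literal, decodes the literal and checks for the ISO 9660 volume descriptor signature (“CD001” at offset 0x8001). The malicious HTML it scans is constructed for the example, and the embedded image is a zero-filled stand-in carrying only that signature:

```python
import base64
import re
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collect the text of every <script> element."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


# Browser APIs that turn an in-page string into a "downloaded" file.
SMUGGLING_APIS = ("atob(", "new Blob(", "URL.createObjectURL(",
                  "msSaveOrOpenBlob(", ".download", "new Uint8Array(")
# A quoted Base64 run this long is a payload, not a config value (512 chars is an assumed threshold).
B64_LITERAL_RE = re.compile(r'''["']([A-Za-z0-9+/]{512,}={0,2})["']''')
DOWNLOAD_NAME_RE = re.compile(r'''\.download\s*=\s*["']([^"']+)["']''')
ISO_PVD_OFFSET = 0x8001  # ISO 9660 primary volume descriptor identifier "CD001"


def analyze_html_attachment(html: str) -> dict:
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    script = "\n".join(collector.scripts)

    apis = [a for a in SMUGGLING_APIS if a in script]
    blobs = B64_LITERAL_RE.findall(script)
    payload = b""
    if blobs:
        try:
            payload = base64.b64decode(max(blobs, key=len), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            payload = b""
    name = DOWNLOAD_NAME_RE.search(script)
    return {
        "script_blocks": len(collector.scripts),
        "smuggling_apis": apis,
        "base64_literals": len(blobs),
        "decoded_size": len(payload),
        "looks_like_iso": payload[ISO_PVD_OFFSET:ISO_PVD_OFFSET + 5] == b"CD001",
        "download_name": name.group(1) if name else "",
        "verdict": "html-smuggling" if blobs and len(apis) >= 2 else "clean",
    }


def _fake_iso() -> bytes:
    # Constructed stand-in for the smuggled image: zeros up to the PVD, then a
    # type-1 descriptor carrying the "CD001" identifier. Not a valid ISO.
    image = bytearray(ISO_PVD_OFFSET - 1 + 2048)
    image[ISO_PVD_OFFSET - 1] = 1
    image[ISO_PVD_OFFSET:ISO_PVD_OFFSET + 5] = b"CD001"
    return bytes(image)


# Constructed lure, not a sample from the campaign.
MALICIOUS_HTML = f"""<html><body>
<p>Your order confirmation is being prepared...</p>
<script>
var data = "{base64.b64encode(_fake_iso()).decode()}";
var bytes = new Uint8Array(atob(data).split("").map(function(c){{return c.charCodeAt(0);}}));
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Order_Receipt.iso";
document.body.appendChild(a); a.click();
</script></body></html>"""

BENIGN_HTML = "<html><body><h1>Receipt</h1><p>Order 4471, total 120.00</p></body></html>"

if __name__ == "__main__":
    print(analyze_html_attachment(MALICIOUS_HTML))
    print(analyze_html_attachment(BENIGN_HTML))
```

Real samples often split or obfuscate the Base64 string and reference the APIs indirectly, so a production scanner would normalise string concatenation and property access before matching; the decoded payload, when one is recovered, is what to hand to the sandbox.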
