Why Me? - Target Of Phishing Attacks

Businesses around the world differ in industry, sector, and geographic location. However, almost all of them are united in suffering phishing attacks that target their users.
By
CTM360 Team
September 14, 2022
1 min read

Introduction

Businesses around the world differ in industry, sector, and geographic location, but almost all of them share the same problem: phishing attacks targeting their users. Such attacks may be easy for tech-savvy users to spot. Nevertheless, a sophisticated phishing attack can trick even trained users, posing a critical threat and giving threat actors a real chance of achieving their goals. One of the most interesting aspects is the variation among targets: some users receive a large volume of phishing emails, while others receive relatively few. This advisory aims to uncover the techniques threat actors most commonly use to obtain the email addresses of an organization's users in order to initiate a phishing campaign.

Sources of Email Addresses

Publicly Exposed Accounts

In this case, threat actors attempt to obtain the email addresses of users belonging to the targeted entity by searching for any mailboxes associated with the entity's domain in search engines, public resources, and deep web resources such as paste sites. In many cases, users unintentionally expose their business emails as a means of contact on their LinkedIn or GitHub accounts, and threat actors will take advantage of such exposed details to target them. Organizations should also abstain from publishing content that contains users' email addresses. The only email addresses that should be published are the generic accounts representing organization departments, such as the info, HR, marketing, and legal mailboxes.

B2B Directory

A B2B business directory is an online directory that lists businesses around the world, categorizes them, and collects their contact details, aiming to guide users in their search for companies for marketing or business purposes. However, services such as RocketReach, ZoomInfo, Apollo, Hunter, and SignalHire are a goldmine for malicious actors seeking a user's contact details. These online business databases have their own methodologies for obtaining, verifying, and then selling the contact details of an entity's employees. Because B2B directories provide this information for business purposes, most of them also offer a "removal request" feature, allowing the targeted entity to contact them and have its own data removed from the platform. In the Appendix, we have listed the most common B2B directory platforms along with the contact details needed to request removal of the organization's details.

Email Syntax Guessing

In this case, the attacker guesses multiple user mailboxes, either by determining the email format used by a specific entity or by guessing the generic departmental mail lists, such as Public Relations, IT Department, or HR. Here the threat actor is not looking for a specific email account; the goal is to identify the email format adopted by the organization. The threat actor then identifies employee names from public sources such as LinkedIn and maps each name to the organization's email format. For example, suppose the threat actor identifies that the email format followed by the XYZ organization is "{First Initial}.{Last Name}@xyz.com". By exploring the LinkedIn page of the XYZ organization, the actor finds an employee named "John Smith". The threat actor will therefore target this user by sending the phishing email to the mailbox "jsmith@xyz.com", which is likely to be a valid address for that user.

Third-Party Data Breaches

Data breaches are the leakage of an organization's sensitive information, including Personally Identifiable Information (PII) related to the organization's users or customers. In most cases the breached information is not limited to email addresses and passwords; breaches can also expose dates of birth, geographic locations, names, employer names, gender, and phone numbers. Once a third-party entity, such as a social media platform or any other service provider, is breached, the malicious actor will tend to sell the data publicly. Such exposure is a rich source of information for threat actors, since some of the organization's employees will almost certainly appear in such breaches because they registered with the breached party. By acquiring data breach dumps and searching for the details associated with users belonging to the targeted entity, attackers can use this method to perform more sophisticated attacks. Users who use their corporate email accounts to register for third-party services are highly vulnerable to this type of information exposure.

Phenomenon: Targeting Personal Inboxes With CxO Name

CTM360 has witnessed an increase in a sophisticated attack that lures victims by delivering the phishing email to the victim's personal inbox. The victim is thereby placed in a difficult situation: a direct encounter with the threat actor, far away from the corporate defenses. The attack scheme mostly uses compromised mailboxes at well-reputed email providers, a C-level executive's name as the sender, and a request for urgent action from the victim. These details align with the scope of this advisory: the attacker takes advantage of details exposed in data breaches, which include useful information such as email addresses, job titles, employers, names, phone numbers, and social media profiles. The attacker then maps and correlates these exposed details to the profile of a victim at the targeted entity and initiates the phishing attack against the victim's personal mailbox.

Recommendations

To protect your organization from email exposure, the following steps are recommended:

  • Ask your employees to remove their business account details if they have been published online.
  • Reach out to the B2B directories listing your users and request the removal of the accounts.
  • Use generic mailboxes such as HR, Marketing, or Legal in your online publications.
  • Maintain a strict policy regarding registration with online third-party services.
  • Do not use the same email address pattern across the organization. Use different email patterns such as:
    • {LastName}@xyz.com
    • {First_Initial}{LastName}@xyz.com
    • {FirstName}{LastName}@xyz.com
    • {LastName}{First_Initial}{Middle_Initial}@xyz.com
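As an added example (not CTM360's code), the following Python script audits an organization's own directory to measure how exposed it is to the email syntax guessing described above: it checks which common naming template reproduces each mailbox's local part from the display name and reports how concentrated the scheme is, which is what the pattern-diversity recommendation in the list above aims to reduce. The directory entries, the xyz.com domain and the template set are constructed for illustration.

```python
"""Audit how predictable an organization's mailbox naming scheme is.

Email syntax guessing works because most organizations derive every address
from a name with one template. Run over the organization's OWN directory,
this reports which common template reproduces each address and how
concentrated the scheme is (high concentration = names map to valid mailboxes).
"""
import re
import unicodedata
from collections import Counter

# Templates from the advisory plus two common variants: (first, middle, last)
# -> expected local part, or None when the name lacks a needed part.
TEMPLATES = {
    "{FirstInitial}.{LastName}": lambda f, m, l: f"{f[0]}.{l}",
    "{FirstInitial}{LastName}": lambda f, m, l: f"{f[0]}{l}",
    "{FirstName}.{LastName}": lambda f, m, l: f"{f}.{l}",
    "{FirstName}{LastName}": lambda f, m, l: f"{f}{l}",
    "{LastName}": lambda f, m, l: l,
    "{LastName}{FirstInitial}{MiddleInitial}":
        lambda f, m, l: f"{l}{f[0]}{m[0]}" if m else None,
}

def normalize(token):
    """Fold diacritics and drop non-letters: 'Müller' -> 'muller'."""
    decomposed = unicodedata.normalize("NFKD", token)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"[^a-z]", "", ascii_only.lower())

def split_name(full_name):
    """Return (first, middle, last), or None for mononyms and empty names."""
    parts = [p for p in (normalize(t) for t in full_name.split()) if p]
    if len(parts) < 2:
        return None
    middle = parts[1] if len(parts) > 2 else ""
    return parts[0], middle, parts[-1]

def match_template(full_name, address):
    """Name of the first template that reproduces the local part, else None."""
    name = split_name(full_name)
    if name is None:
        return None
    local = address.split("@", 1)[0].lower()
    for template, build in TEMPLATES.items():
        if build(*name) == local:
            return template
    return None

def audit(directory):
    """Summarize template usage over (full_name, address) pairs."""
    directory = list(directory)
    counts, unmatched = Counter(), []
    for full_name, address in directory:
        template = match_template(full_name, address)
        if template:
            counts[template] += 1
        else:
            unmatched.append(address)
    total = len(directory)
    top = counts.most_common(1)[0] if counts else (None, 0)
    return {
        "total": total,
        "predictable_share": sum(counts.values()) / total if total else 0.0,
        "dominant_template": top[0],
        "dominant_share": top[1] / total if total else 0.0,
        "by_template": dict(counts),
        "unmatched": unmatched,
    }

# Constructed sample directory for illustration; not a real organization.
SAMPLE_DIRECTORY = [
    ("John Smith", "jsmith@xyz.com"),
    ("Jane Doe", "jdoe@xyz.com"),
    ("Ana María López", "alopez@xyz.com"),
    ("Robert Brown", "robert.brown@xyz.com"),
    ("Li Wei", "lwei@xyz.com"),
    ("Maria Müller", "mmuller@xyz.com"),
    ("Omar Khalid Hassan", "hassanok@xyz.com"),
    ("Priya Nair", "pn7k2@xyz.com"),  # opaque local part, not name-derived
]

if __name__ == "__main__":
    r = audit(SAMPLE_DIRECTORY)
    print(f"{r['total']} mailboxes, {r['predictable_share']:.0%} derivable from "
          f"a display name; dominant template: {r['dominant_template']}")
```

A `dominant_share` close to 1.0 means a single harvested name is almost certainly a valid mailbox; the unmatched list shows which accounts are not derivable from a name at all.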

Appendix

B2B directories
This table contains the most popular B2B directories along with their contact information for removal requests.

Recent Blogs

SolarWinds, an American software vendor for managing networks and infrastructure, has been breached. Orion, a network monitoring product, was modified by a state-sponsored threat actor who embedded backdoor code into a legitimate SolarWinds library. This allowed remote access into the victim's environment and a foothold in their networks, enabling the attacker to obtain privileged credentials.

The SolarWinds Orion products are designed to monitor networks of systems and report on any security issues. Consequently, there are no comparable limiting boundaries on the scope or potential security impact; this has been made clear by the gradual revelation of more and more high-value targets. Even more worrisome is the fact that the attackers apparently used their initial access to targeted organizations, such as FireEye and Microsoft, to compromise tools and code that would then enable them to target other victims. After Microsoft discovered that it had been breached via the SolarWinds compromise, it further discovered that its own products were then used "to further the attacks on others."

The attack was initially disclosed by the cybersecurity firm FireEye as early as December 8th but published publicly on the 13th. It was revealed that the attack on SolarWinds was conducted by an unknown APT (Advanced Persistent Threat) group, which was able to steal the Red Team assessment tools that FireEye uses to probe its customers' security. FireEye has made its countermeasures freely available on GitHub.

According to Microsoft, the hackers acquired superuser access to SAML token-signing certificates. The SAML certificate was then used to forge new tokens, allowing the hackers to obtain trusted and highly privileged access to networks.

Further analysis of the attack revealed another backdoor, likely from a second threat actor. This malware was dubbed SUPERNOVA. It was a web shell planted in the code of the Orion network and application monitoring platform, enabling attackers to run arbitrary code on machines running the trojanized version of the software.


Hackers inserted malicious code into an updated version of the software, called Orion. Approximately 18,000 SolarWinds customers installed the tainted updates onto their systems between March and June 2020. The malware was inserted in these Orion app versions:

  • Orion Platform 2019.4 HF5, version 2019.4.5200.9083
  • Orion Platform 2020.2 RC1, version 2020.2.100.12219
  • Orion Platform 2020.2 RC2, version 2020.2.5200.12394
  • Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432

This disclosure was followed by a coordinated report issued by Microsoft, FireEye, SolarWinds, and the U.S. government. The report concluded that SolarWinds had been targeted by threat actors who aimed to gather undisclosed information from major customers of theirs, including FireEye.

Compromise: What is Known so Far

A key indicator of the attack was the backdoor that was able to gain access to and breach the SolarWinds Orion build system. The backdoor was inserted by modifying the legitimate SolarWinds.Orion.Core.BusinessLayer.dll file, which was then distributed to SolarWinds' clients in a supply chain attack. This was achieved through the automatic update platform used to dispense new software updates; clients were unaware that this was taking place.

According to reports, the threat actors may have performed trial runs of the distribution method as early as October 2019. Researchers believe that the attackers had already compromised networks beforehand, suggesting that they silently harvested information or performed other malicious activities for months. FireEye eventually detected that it had been hacked after the threat actors registered a device to the company's multi-factor authentication (MFA) system using stolen credentials. The system's alert about an unknown device notified FireEye of the compromise.

Recommendations

  • Urgently update any affected SolarWinds Orion software to Orion Platform version 2020.2.1 HF 2 or Orion Platform 2019.4 HF 6.
  • Third-party vendors who may be exposed by this compromise should report it as part of responsible disclosure and urgently remediate.
  • In case of possible exposure, devise an incident response plan.
  • Prioritize the TTPs leveraged by the threat actor, mapped to MITRE ATT&CK. This mapping is available in Adversary Intelligence within CTM360's CyberBlindspot.

In an increasingly interconnected digital world, organisations face a growing number of cyber threats. As businesses expand their online presence, their attack surface increases, making it more vulnerable to cyberattacks. This is where External Attack Surface Management (EASM) comes into play.

In this blog, we will explore the concept of EASM, what it includes, its importance, how it differs from security ratings, and what the future holds for this crucial aspect of cybersecurity. Additionally, we’ll discuss how CTM360 HackerView can help your organisation effectively manage its external attack surface.

What is EASM?

External Attack Surface Management (EASM) involves the continuous discovery, monitoring, and management of an organisation's external-facing digital assets. These assets include websites, IP addresses, cloud services, and any other publicly accessible resources. A comprehensive EASM would also cover the organisation's mobile apps, genuine social media inventory, Executive Management profiles and more. EASM focuses on first building a comprehensive "Digital Asset Register" and next identifying vulnerabilities and potential entry points that could be exploited by malicious actors. By gaining a deep understanding of the external attack surface, organisations can proactively mitigate risks and prevent breaches before they occur.

From the management perspective, EASM is an essential component of a robust cybersecurity strategy. It enables organisations to see their digital footprint from the perspective of an attacker, allowing them to identify and secure weak points that could be targeted.

What is Included in an Organization’s Attack Surface?

An organisation’s attack surface consists of all the external-facing digital assets that could potentially be targeted by cybercriminals. These include:

Domains, Hosts, and Sub-Domains:

An organization’s collection of domains, along with their associated hosts and sub-domains, creates numerous potential entry points for attackers. Each sub-domain may have unique vulnerabilities that can be exploited if not properly secured.

Web Applications:

Public-facing websites and web applications are common targets for attackers seeking to exploit vulnerabilities such as outdated software or weak authentication mechanisms.

Cloud Services:

With the rise of cloud computing, organisations often use cloud-based services for data storage and processing. Misconfigurations or insufficient security measures in these services can expose sensitive information.

IP Addresses:

Public IP addresses can be scanned by attackers to identify open ports or vulnerable services that can be exploited.

Third-Party Integrations:

Organisations often rely on third-party vendors or services that have access to their systems. These integrations can introduce additional vulnerabilities if not properly managed.

SSL/TLS Certificates:

Weak or expired certificates can leave encrypted communications vulnerable to interception.

A comprehensive EASM solution would also include:

Inventory of Genuine Social Media Profiles:

An organisation's presence on social media platforms can be targeted by attackers for impersonation or phishing attempts.

Mobile Apps:

Attackers can create rogue mobile apps on third-party stores to impersonate trusted brands, with the goal of gaining unauthorised access to information that can be used to commit fraudulent transactions.

Executive Management Names/Profiles:

Attackers may attempt to impersonate an organisation's executive leadership for social engineering attacks.

BIN Numbers:

Payment card information, including BIN (Bank Identification Number) data, can be exposed and used for fraudulent activities.

Environments & Technologies:

The list of technologies and their respective versions visible in the organisation's attack surface can help identify potential vulnerabilities and misconfigurations.

The attack surface also includes shadow IT, which refers to information technology systems implemented by departments outside of the central IT department to circumvent the limitations and restrictions set by the central information systems.

Why is EASM Important?

EASM is critical for several reasons:

1. Technology Consolidation:

EASM promotes a unified security strategy, enabling organizations to consolidate their ever-growing digital assets and stack of technologies and enhance the overall management of external cyber risk.

2. Reducing Attack Surface:

Through continuous monitoring and assessment, EASM assists organizations in reducing their attack surface by proactively managing and securing external assets.

3. Proactive Risk Management:

EASM allows organisations to identify vulnerabilities before they are exploited. By continuously monitoring the attack surface, organisations can address security gaps promptly, reducing the likelihood of a successful attack.

4. Real-Time Visibility:

Cyber threats are constantly evolving, and new vulnerabilities emerge regularly. EASM provides real-time visibility into an organisation’s external assets, ensuring that security teams are always aware of the current state of the attack surface.

5. Regulatory Compliance:

Many industries are subject to strict regulatory requirements regarding data protection and cybersecurity. EASM helps organisations maintain compliance by ensuring that all external assets are properly secured.

6. Cost Efficiency:

Preventing a cyberattack is often far less expensive than dealing with the aftermath of a breach. EASM enables organisations to allocate resources more efficiently by prioritising the most critical vulnerabilities.

How is EASM Different from Security Ratings?

While both EASM and security ratings play a role in assessing an organisation’s cybersecurity posture, they serve different purposes and offer distinct benefits:

1. Scope of Analysis:

Security ratings are typically based on a broad assessment of an organisation’s overall security practices, often using data from public sources. EASM, on the other hand, focuses specifically on the external attack surface, providing a more detailed and targeted analysis of potential vulnerabilities.

2. Continuous Monitoring:

EASM involves continuous monitoring of external assets, offering real-time insights into the attack surface. Security ratings are often static, providing a snapshot of an organisation’s security posture at a specific point in time.

3. Actionable Insights:

EASM provides actionable insights that organisations can use to address specific vulnerabilities. Security ratings are more generalised and may not offer the same level of detail needed to implement targeted security measures.

4. Perspective:

EASM approaches cybersecurity from the attacker’s perspective, identifying entry points and weaknesses that could be exploited. Security ratings focus on the organisation’s overall security practices and controls.

What Does the Future Hold?

As cyber threats continue to evolve, the importance of EASM will only grow. Organisations are increasingly adopting digital transformation strategies, expanding their digital footprints, and moving more services to the cloud. This expansion introduces new vulnerabilities, making EASM an essential component of any comprehensive cybersecurity strategy.

In the future, we can expect EASM tools and technologies to become more sophisticated, incorporating advanced AI and machine learning algorithms to identify and mitigate risks more effectively. The integration of EASM with other cybersecurity solutions, such as Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR), will provide organisations with a more holistic approach to managing their security posture.

How Can CTM360 HackerView Help?

CTM360’s HackerView is an innovative External Attack Surface Management (EASM) platform designed to give organisations a comprehensive understanding of their digital presence from an attacker’s perspective. By combining automated asset discovery, issue identification, remediation guidelines, security ratings, and third-party risk management, HackerView empowers businesses to proactively defend against potential cyber threats.

Here’s how CTM360 HackerView can significantly enhance your organisation's cybersecurity strategy:

1. Continuous & Automated Digital Asset Discovery

One of the most critical aspects of EASM is the ability to identify and map all external-facing digital assets. HackerView excels in this area by automatically discovering and mapping your organisation’s digital footprint. Operating in a passive and non-intrusive manner, it leverages data available in the public domain to uncover assets that may otherwise be overlooked.

The platform comes pre-populated, ensuring that from the moment you start using it, you have a comprehensive view of your digital assets. This includes websites, IP addresses, cloud services, and more. Automated discovery ensures that no asset is left unmonitored, reducing the risk of shadow IT and other unsecured entry points.

One of the key advantages of HackerView is that it continuously discovers, updates, and refreshes all assets belonging to the organisation. The platform automatically updates its inventory of digital assets every 24-48 hours, ensuring that your security team has access to the most current and complete information about your attack surface.

2. Comprehensive Digital Risk Scorecard

HackerView provides a detailed digital risk scorecard that assesses your organisation’s visible cyber vulnerabilities. This scorecard is essential for understanding your current security posture and identifying areas that require immediate attention. The scorecard is updated continuously, allowing you to track improvements or new risks as they emerge.

3. Detailed Inventory of Digital Assets

Understanding what you have is the first step toward protecting it. HackerView provides a detailed inventory of your digital assets, allowing you to keep track of all external-facing resources. This inventory is continually updated as new assets are discovered or changes are made, ensuring that your records are always accurate and up-to-date.

4. Remediation Plans & Ongoing Guidance

Identifying vulnerabilities is only half the battle; addressing them effectively is the key to maintaining a robust security posture. HackerView not only identifies issues but also provides detailed remediation plans and ongoing guidance. These plans are tailored to your specific vulnerabilities, offering step-by-step instructions on how to address each issue.

5. Third-Party Risk Monitoring

In today’s interconnected world, organisations rely heavily on third-party vendors and partners. However, these relationships can introduce additional risks if not properly managed. HackerView’s third-party risk monitoring feature allows you to assess the security posture of your vendors, partners, and other third parties with whom you share data or systems.

6. Pre-built and Custom Portfolios

The platform allows you to access pre-built portfolios that include entities from important industry sectors within your geographic region. This allows you to benchmark your organisation's cybersecurity posture against your peers, gaining valuable insights into how you measure up. Additionally, you can create custom portfolios of your key vendors and third-party providers, continuously tracking their security health and potential vulnerabilities.

In conclusion, as organisations continue to navigate the complexities of the digital landscape, EASM will remain a vital component of cybersecurity. By leveraging advanced tools like CTM360 HackerView, businesses can protect their digital assets, stay ahead of potential threats and ensure the security of their operations.

Global Fraudulent Scheme Targeting National Immigration Services

Overview

CTM360 has identified a fraudulent scheme involving fake websites targeting national immigration services globally. The deceptive campaign extends to Electronic Travel Authorization, eVisa, and Electronic Customs Declaration processes. These scams have increased dramatically as more processes have shifted online and require less paperwork. Scammers take advantage of this by creating fake websites, and people need to be aware of this and careful not to be tricked.

These fake websites usually use a basic web design and are hosted on well-known hosting services to look legitimate. Additionally, they display fine-print disclaimers stating that they are private companies with no affiliation to any government entity, which makes it challenging for hosting providers and domain registrars to take action against them.


CTM360 Observations

Based on our analysis of the suspicious infrastructure, we believe these fake websites are part of a broader scam campaign targeting multiple immigration services at the same time. The top targeted countries include Singapore, South Korea, the Philippines, and Turkey, and we expect this scam to spread to other countries in the near future.


The scam begins with the scammers paying for fake ads on search engines so that they appear at the top of search results. By manipulating search engine ranking, they get their fake sites noticed more easily, making it more likely that people stumble upon them. The ads are constructed to make the fake sites seem legitimate, so people may trust them without realizing they are being tricked.


When clicking on the fake ad, users are redirected to a fake website, where they are prompted to initiate the online visa application process. The process on the fake website is crafted to closely mimic the procedures found on the official website.


After entering their card details, users are repeatedly shown error messages falsely claiming that the payment has failed. In reality, the sensitive card information has already been captured and submitted to a server controlled by the scammers.

Moreover, numerous countries have issued official warnings about such fake websites. Please refer to the following sources for more information:

Recommendations

How to avoid becoming a victim of such scams

For individuals:

  • Be very cautious about sponsored ads, especially those about government services.
  • When applying for any travel-related services, only use the official website provided by the immigration authorities of the country you're visiting. This may require some research by individuals to ensure they have reached the genuine website.
  • Be cautious about clicking on suspicious web URLs, even if they seem to come from people you know.

For Government agencies, ISPs and Domain Registrars:

  • Government service providers should publish a list of authorized agents on their websites. This enables end-users to verify the right provider and also provides evidence for the domain registrar to take prompt action.
  • Government agencies are advised to regularly monitor for such fake websites, which have no authorization from the government, and to keep an updated list of them on their official portal.
  • Government agencies should actively engage with security vendors to identify and take down these fake websites and fake ads.
  • There should be national procedures for local ISPs and national CERTs to block such websites once notified by the appropriate authorities.