The now-patched bug allows an attacker to gain full access to a user's Amazon files.

A high-severity flaw in the Amazon Photos Android App — which has more than 50 million downloads — could allow attackers to steal a user's Amazon access token and use it to access multiple Amazon APIs.

The team at Checkmarx alerted Amazon to the broken authentication vulnerability in the Amazon Photo App for Android, which allows users to share, print, and store mobile photos.

The analysts said the bug is due to a component misconfiguration in the app's manifest file.

"Whenever this activity is launched, it triggers an HTTP request that carries a header with the customer's access token," the team said. After receiving the request, the analysts found they could also gain control of the server.

The report added that, "with all these options available for an attacker, a ransomware scenario was easy to come up with as a likely attack vector. A malicious actor would simply need to read, encrypt, and re-write the customer’s files while erasing their history."

To protect themselves, users should update to the latest version of the app. Checkmarx researchers said that downloads made before Dec. 18 are affected if users haven't updated the app since then.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Broken Authentication Vuln Threatens Amazon Photos Android App

In the always-changing world of cyberattacks, preparedness is key.

What do militaries and hackers have in common? They both use structured techniques to achieve their goals. Just as generals draw up battle plans, cyberattackers follow steps to home in on their targets. In the industry, this is known as the cyber kill chain (CKC), and it has become a blueprint both for digital intruders and those trying to stop them.

Military contractor Lockheed Martin developed the CKC in 2011, basing it on a long-standing concept that the military applies to kinetic warfare.

The CKC applies this model to cyberattacks across several steps:

*   **Reconnaissance:** Attackers look for information that could help them launch an attack. This includes the technology a company uses, its employees' email address scheme and addresses, its leadership, and its suppliers. Mitigating measures include locking down unneeded network ports and webpages, warning employees about posting sensitive company information online, and protecting the personal information of employees and leadership.
*   **Weaponization:** An attacker uses a digital weapon to exploit weak spots. This typically includes an exploit targeting a vulnerability along with a digital payload.
*   **Delivery:** The attacker deploys the weapon. Delivery channels can include email, removable storage, an open RDP port, or a Web application vulnerability. Phishing is popular in this phase.
*   **Exploitation:** The digital weapon detonates. This usually involves the user clicking on an attachment. In some cases, malware may detonate without user interaction once it finds a "landing spot" during the delivery phase.
*   **Installation:** Initial exploits usually involve a dropper that gains access through techniques such as privilege escalation to install malware. This can include ransomware and/or software that lets an attacker control the victim's machine remotely, such as a remote access Trojan (RAT) or a weaponized legitimate tool like Cobalt Strike.
*   **Command and control (C2):** This is where the C2 phase comes in. The tool "phones home" to an attacker's server, sending back network information and executing instructions. The attacker uses the tool to move laterally through the network, gaining access to more assets until they find what they're looking for. The attacker might stay silent for months during this phase.
*   **Action taken:** At some point, the criminal executes their payload. The headlines are littered with the aftermath: encrypted data, stolen customer records and stalled control systems. After the kill chain is complete, the effects on the victim are often dire, including reputation damage, regulatory scrutiny, legal challenges, business disruption, and financial loss. Sometimes the victim doesn't survive.

**Complexity and Costs Increase Along the Kill Chain**

The difficulty and cost of disrupting the kill chain increases as the attack evolves through these steps. It's easier to stop a cyber weapon as it enters your infrastructure than it is to contain and remove it after it detonates.

Defenders face a perfect storm as they struggle to quash attacks in the early stages. Inadequate tools combined with a skills shortage have left many unprepared to stop these attacks.

Plenty of companies employ security information and event management (SIEM) as their main defense during the early and middle phases of the kill chain. This tool captures and correlates network events and might flag emerging incidents as potential attacks. However, these tools still require security analysts to stop attacks manually.

A worsening cybersecurity skills shortage makes that manual work difficult, with 57% of organizations reporting a direct impact on their cybersecurity operations. An increasing workload was the biggest ramification, affecting 62% of those who reported an impact, followed by unfilled open job requisitions and burnout. With risks like these, security operation centers (SOCs) need to stretch their people as far as possible.

As defenders struggle to cope, adversaries are becoming more sophisticated. Attack volume and velocity are increasing as intruders automate various kill chain steps. Focusing purely on monitoring leaves security professionals one step behind. It's time to meet this challenge in kind by automating incident response.

Appropriate tools and services, including managed detection and response (MDR), can automatically spot and neutralize well-known attacks early in the kill chain. Similarly, email defense today is largely an exercise in machine learning-based techniques that have increased detection accuracy.

This automation saves time and money by neutralizing attacks early. It also frees analysts to handle the more complex attacks, making maximum use of your team.

MDR and 24/7 expert services help with these attacks too. They use a mixture of automated detection and response with manual brain power to spot and mitigate both early and advanced attacks. \[Editor's note: The author's company is one of many that offers such services.\]

It's crucial to operate these defenses at all times, because cyberattackers don't stop working when you do. Full defense involves a combination of attack awareness, automation, and always-on response. It also requires cyber hygiene to close as many attack vectors as possible along the kill chain. Every measure, from employee security awareness through to software patching and strict identity and access control, will help you to get ahead and block intrusions early. In the evolving world of cyberattacks, preparedness is key.

How to Master the Kill Chain Before Your Attackers Do

It's time to decide which role to play to best serve your organization's security needs: an auditor, a lawyer, or a developer.

Your business relies on software, and attackers know that. To prevent your applications from being used against you, you need an application security (AppSec) program that delivers three crucial things:

*   **Secure code**: Your code has to be vulnerability-free and well-defended.
*   **Secure software supply chain**: Ditto for your libraries, products, and dev tools.
*   **Secure operations:** You must detect attacks and prevent exploits in production.

You can choose a number of paths to get to that level of protection. Which path you choose depends on your teams, processes, technology, and culture. How do they all work together? Keep in mind that an AppSec program isn't about eliminating risk. Business involves taking risks, and there's no way to completely eradicate it. But there's a big difference between taking blind risks while not knowing what could go wrong vs. being aware of how likely it is that an issue will be found and exploited, as well as how catastrophic (or not) the outcomes might be.

When it comes to risk decisions, choosing a strategy for your AppSec program is the most important one you'll face. Setting up an AppSec program is nuanced and varied, but consider which of the following three general types best fits your company. The wrong path could leave you with a massive weight of security debt, or even possibly breached, because time was wasted chasing vulnerabilities that weren't all that relevant and real risks got buried in the "never got to it" pile.

**1\. The Auditor: Checkbox AppSec**

In "minimal" AppSec programs, small teams do only what's required of them by either external standards or their customers. The goal is to simply check off the boxes for application security standards like OWASP, PCI, and NIST, all of which are, essentially, checklists. Many types of companies adopt this strategy — most commonly, small and midsize businesses — but the checklists don't bring them actual security.

It's not that minimal AppSec programs never succeed. They can by relying on free or very inexpensive tools, such as OWASP ZAP and DependencyCheck, to assess code. An inexpensive cloud web application firewall (WAF) for production might also be in the mix. But these tools can show false-negatives that miss real vulnerabilities, giving organizations a false sense of security. Such tools also tend to throw false-positives that lead to squandered resources and huge backlogs instead of actual remediation.

An upside to having a minimal AppSec program is that the budget for people and tools tend to be small. But because minimal AppSec programs don't offer a clear understanding of business risk, organizations are underinvesting in enterprise security based on incomplete information.

**2\. The Lawyer: Adversarial AppSec**

In adversarial AppSec programs, the development team tries to deliver code as fast as possible while the siloed security team wrestles for control. Development focuses on delivering features, while the security team tries to add more security activities. Large companies tend to adopt this approach, as do critical industries such as finance, banking, e-commerce, and insurance.

This approach requires a large security team to execute all of the activities. Most have various subteams focused on architecture, policy, threat modeling, policy, static scanning, dynamic scanning, WAFs, training, and more. Adversarial programs always have more analysis to do, but security teams don't actually fix code in this type of program. Organizations often adopt "champion" programs to help get all of the work done. But without a clear line of sight from activities desired outcomes, much of the busy work has little to no measurable effect.

Given a big enough team and a big budget, adversarial AppSec programs can be effective. But most programs struggle to handle the volume of tool output, particularly as development teams speed up their software releases. Most vulnerabilities wind up in an ever-growing pile of issues that are neither triaged nor remediated. Development teams are confronted with significant delays and bottlenecks due to these backlogs, which are coupled with security testing and gates. Innovation suffers because of these delays, which cause frustration and force development teams to seek exceptions and bypass security.

**3\. The Developer: Developer-Centric AppSec**

Developer-centric AppSec programs strive to put application security directly into the hands of software development teams as part of their regular work. The goal: for the teams to eventually establish an automated pipeline that ensures strong security across the software development life cycle, starting with the developer and on into production. This type of program is often called "DevSecOps," or "shift left."

DevSecOps programs use the "big machinery" of software development to do security work, as opposed to smaller, siloed AppSec teams. Given that developers won't tolerate slowing down pipelines or wasting time on false-positives, developer teams automate security testing in pipelines, using fast and highly accurate tools that enable fast security feedback loops and reduce cost.

Developer-centric programs employ interactive application security testing (IAST) tools to simultaneously perform fully automated security and quality tests. Doing so aligns development and security interests, as the teams work together on expanding test coverage and strengthening the pipeline. Visibility into attacks with runtime application self-protection (RASP) also provides teams with threat intelligence that informs security priorities. RASP technology prevents vulnerabilities from being exploited, allowing teams to respond to new vulnerabilities without having to run a fire drill.

The developer-centric approach is ideal for projects regardless of their stage in DevOps transformation. That said, this approach may not be able to take advantage of automated pipelines, quality testing infrastructure, and DevOps culture if applied to completely traditional projects. Then again, adopting a developer-centric approach to security may be the perfect catalyst to spark or to speed a DevOps transformation.

**Software Security Has Changed**

Inspired by incidents like SolarWinds, Log4Shell, and Spring4Shell, the world's governments have been pushed into doing something about application security. New regulations and standards from NIST, PCI, and OWASP all require a more sophisticated approach to AppSec and real evidence that what you're doing is actually effective.

Those employing a "minimal" or "adversarial" AppSec program will likely have to respond by making some changes, including:

*   **Threat modeling:** The days of checklists are over. You're going to need to threat-model your applications and then demonstrate that you've implemented decent controls for each.
*   **AST****:** You're also going to be expected to do a much more thorough job of testing the security of your applications and APIs. You'll have to provide evidence that you're testing the effectiveness of your defenses and remediating any problems found.
*   **SBOMs****:** To really get a handle on your open source use, you're probably going to need sensors that report library data to an always-up-to-date database. But in the meantime, you'll also need to generate software bills of materials (SBOMs) for your customers.

Bear in mind that if you decide to change up your approach, transforming one team at a time is probably preferable to trying to change everything all at once.

The trend toward more transparent application security that goes beyond simply checking off boxes likely won't stop here. The US government, for one, is evaluating a software security labeling scheme to create visibility and drive better security from producers. Whether this becomes reality remains to be seen, but one thing's safe to say: Now is a fine time to make sure you've chosen the right strategy for application security.

What's Your AppSec Personality?

External attacks focused on vulnerabilities are still the most common ways that companies are successfully attacked, according to incident data.

Attackers continue to find significant success targeting unpatched servers and vulnerable remote-access systems, researchers say -- and these types of compromises cost victim organizations 54% more than compromises caused by user actions (i.e., falling for phishing and opening malicious documents).

According to a Wednesday report by security firm Tetra Defense, which analyzed incident data from the first quarter, unpatched vulnerabilities and exposing risky services—such as Remote Desktop Protocol (RDP)—account for 82% of successful attacks, while social-engineering employees to take some action accounted for just 18% of successful compromises.   

Incident data collected by the firm showed that the ProxyShell exploit for Microsoft Exchange servers accounted for about a third of external breaches, while insecure Remote Desktop Protocol (RDP) servers accounted for a quarter.

While the Log4Shell bug continued to see a great deal of media coverage, the attack vector was only used in 22% of breaches, says Nathan Little, senior vice president of digital forensics and incident response (DFIR) at Tetra Defense.

"We expect these tactics to continue—however, there is a finite amount of vulnerable Exchange servers," he says. "Over time—and we have seen this over the past five-plus years—the vulnerabilities that are used by threat actors will change, but \[in general\] externally accessible vulnerabilities will continue to be a favorite attack vectors for cybercriminals."

Healthcare topped the list of targeted industries, with nearly 20% of compromised organizations falling in that category. Finance and education tied for second at 13%, and manufacturing accounted for 12% of incidents, according to Tetra Defense's data.  

Tetra Defense also tracked the cybercrime actors responsible for most breaches, and found that four groups—Lockbit 2.0, BlackCat, Conti, and Hive—are responsible for about half of all compromises investigated by the firm.  

**Cloud Misconfiguration: Less Costly Than Other Cyber-Incidents**

While a common form of vulnerability, misconfigurations did not account for much of the cost of breaches, with few requests to investigate such compromises, Tetra Defense's Little says.  

"For misconfigurations—because they can range from an AWS S3 bucket being publicly accessible with sensitive information stored in it -- to a non-sensitive server being exposed with a default username and password — the costs can range drastically," he says. "Typically speaking, the costs of misconfiguration are lower than unpatched systems and accidental user action."

While damages are hard to estimate, Little sees the potential impact as a percentage of revenue, with a reasonable financial impact of a major cybersecurity incident accounting for 2% to 10% of annual revenue.

He also notes that two controls -- comprehensive patching and using multifactor authentication (MFA) -- could have prevented nearly 80% of the investigated incidents. That includes 57% of external compromises that used an unpatched vulnerability, and the 13% of successful attacks on virtual private networks that either exploited a vulnerability or used stolen credentials to gain access where there was not MFA enabled, Little says.

"This shows that these two controls alone would have a drastic impact in decreasing the risk of a ransomware incident," he says. "The cost savings for a company would be the difference between having a data breach and ransomware incident that could stop business for a week or more and cause reputational harm or not."

**Conflicting Data**

Data on successful compromises can help companies determine the most critical attack vectors to address, but it should be noted that the conclusions depend greatly on the specific incident-response firm.   

For instance, earlier this year, security-advisory firm Kroll saw phishing continue to grow, with 60% of the cases the company investigated using phishing attacks as the initial-access vector. Meanwhile, the exploitation of vulnerabilities dropped by half to 13% of all initial compromises, down from 27% in Q4 2021.

    

Source: Tetra Defense

"Despite a decrease in ransomware incidents and the disruption and exposure of a number of key threat groups ... 2022 is proving to be the year of attacker diversity, with actors exploiting new methods, such as email compromise, leading to extortion," Kroll stated in its latest quarterly threat landscape report.  

**Ransomware Spike**

By way of context, in February, incident-response firm CrowdStrike released its annual report on its own incident data from 2021 showing that breaches related to ransomware attacks had grown by 82%. In addition, the company's data showed that malware had only been used in only 38% of successful intrusions, with 45% of attackers manually conducting the attacks.  

The average time to move from an initial compromise to attacking other systems on the network—what CrowdStrike calls the "breakout time"—remained near 1.5 hours, according to the company's data.

Cyberattacks via Unpatched Systems Cost Orgs More Than Phishing

Embrace cyber-risk modeling and ask security teams to pinpoint the risks that matter and prioritize remediation efforts.

New cybersecurity vulnerabilities increased at a never-before-seen pace in 2021, with the number of vulnerabilities reaching the highest level ever reported in a single year. As a threat analyst that monitors security advisories daily, I also observed a 24% jump in new vulnerabilities exploited in the wild last year — indicating threat actors and malware developers are getting better at weaponizing new vulnerabilities. Not only are vulnerabilities proliferating at an unprecedented rate, but threat actors have also gotten better at racing to take advantage of them with a range of new malware and exploits.

These findings were reinforced by the Cybersecurity and Infrastructure Security Agency (CISA) alert issued in April 2022: "Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities. For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability's disclosure, likely facilitating exploitation by a broader range of malicious actors."

**Focus on Active Threats and Exposure**

There is a silver lining to this compounding surge in vulnerabilities year-over-year: As counterintuitive as it may sound, fixing all vulnerabilities is likely unnecessary for most organizations. And with many large companies battling millions of vulnerabilities, immediately fixing all flaws identified by traditional vulnerabilities scanners is an impossible task.

Why does alert fatigue exist? Traditional approaches to understanding the severity of vulnerabilities rely almost exclusively on the Common Vulnerability Scoring System (CVSS). However, CVSS only provides a general picture and does not consider how the vulnerability would be exploited within a specific network. As a result, organizations are left dealing with a massive list of vulnerability alerts with little to no visibility into how they should be prioritized based on specific security controls and configurations.

**Risk-Based Approach**

While cybersecurity breaches rose sharply year-over-year, the good news is that 48% of organizations with no breaches took a risk-based approach. This risk-based approach includes five key ingredients:

*   Attack surface visibility and context
*   Attack simulation
*   Exposure management
*   Risk scoring
*   Vulnerability assessments

Actual risk reduction requires focusing on eliminating the threats that matter. Thankfully, cybersecurity leaders are now embracing the fact that not all vulnerabilities are created equally. This new way of thinking enables SecOps to ruthlessly prioritize the vulnerabilities that matter for remediation and quantifiably reduce risk.

**Modeling Cyber-Risk Management**

Risk management is an essential principle of cybersecurity, allowing security teams to prioritize threats based on their potential impact to an organization.

For a comprehensive risk score, consider adding these elements to the static CVSS:

**Exploitability:** Are threat actors exploiting the vulnerability in the wild?

**Exposure:** Are existing security controls protecting the vulnerable asset?

**Asset importance:** Is the asset mission-critical? Would it expose sensitive data?

**Financial impact:** How much will it cost your business per day if the system is compromised?

Now is the time to leverage the data you have to embrace breach prevention that will combat the side effects of digital transformation and modern cybercrime strategies. That means focusing on active threats that are accessible to adversaries and have the potential to devastate your business financially — instead of the millions of vulnerabilities that aren't even exposed.

Armed with cyber-risk modeling, security teams are empowered to pinpoint the risks that matter and prioritize remediation where it's genuinely needed. Telling a CISO that you've retired thousands of exploitable vulnerabilities and malware families in a single month will result in a happy executive.

Shifting the Cybersecurity Paradigm From Severity-Focused to Risk-Centric

See how these novel, sophisticated, or creative threats used techniques such as living off the land to evade detection from traditional defensive measures — but were busted by AI.

We're now halfway through 2022, and already we have seen a range of cyberattacks, familiar and unfamiliar, disrupting organizations. However, we have also seen uplifting stories of successful threat detection efforts, as well.

In this article, we will look at five novel, sophisticated, or creative threats that used techniques such as "living off the land" to evade detection by traditional defensive measures. These threats were all discovered by artificial intelligence (AI) technology, which can spot subtle deviations in device and user behavior and autonomously enforce "normal," stopping a threat in its tracks.

**1\. Leading Laboratory Interrupts Dark Web Insider Threat With AI**

Cyberattacks against the healthcare sector hit record highs last year, and for these organizations cyber threats can have severe real-world consequences. One of Darktrace's healthcare clients is a company specializing in the research, development, and manufacturing of innovative in vitro diagnostic tests for disease, conditions, and infections.

In March, this company was targeted by a malicious insider threat. An employee was looking to exploit their access within the organization to sell proprietary intellectual property, perhaps even medical supplies, on the Dark Web. The employee was detected using Tor on a company device to connect to a Dark Web pharmaceutical market forum.

Malicious or compromised insiders can be difficult to identify because their privileged access and knowledge of company workings allow them to evade detection by traditional security tools. In order to protect intellectual property from insider threat, organizations need to augment security teams with AI-powered technology to stop malicious activity in real time.

In this case, given that no other company device had visited the Tor network in the past, Darktrace's AI flagged the activity to the security team, who were then able to investigate the employee and discover their malicious intentions.

**2\. Babuk Double-Extortion Ransomware Neutralized at a Technology Manufacturer**

Babuk is a double-extortion ransomware strain that has successfully attacked high-value organizations around the world since 2021. In February 2022, however, it targeted a multinational technology manufacturer that had deployed AI cybersecurity. The targeted company facilitates the adoption of smart medical devices as well as electric and autonomous vehicles. This means uptime is important, and ransomware poses a significant risk.

The first sign of a threat came in the early hours of the morning, when the AI detected a company device performing network scanning and making unusual connections to other internal devices. Based on its understanding of the device's usual "pattern of life," the AI identified this out-of-the-ordinary behavior as malicious and calculated a response.

The AI was able to stop this attack without interfering with normal business operations in the company's office or on the manufacturing floor. It blocked only the malicious connections, while allowing the rest of the compromised device's operations to continue.

Once the attack had been stopped, a post-compromise analysis conducted by the AI revealed that the compromised device had indeed been attempting to distribute files with "babyk" extensions. These attacks often strike out of hours, so defenders of critical infrastructure should consider using artificial intelligence to allow their organizations to self-defend against advanced threats.

**3\. HR-Spoofing Attack Targets Employees at Private Equity Firm**

Phishing and spoofing emails continue to be the favorite initial entry point for cyberattackers. Earlier this year, a private equity firm looking to bolster its email security efforts trialed an AI email security solution and detected a targeted spoofing attack almost immediately.

The attackers had tailored their email to imitate the company's internal HR communications, titling it "Q3 Commission 2021 and Agenda" and designing it to look like a SharePoint Microsoft document. To a company employee, this email would not have looked at all out of place in their inbox.

Further investigation showed the email to be part of a wider trend of targeted phishing campaigns that use fake Microsoft branding to trick employees. The exact motivations of this attack are unknown because it was stopped in its earliest stages, but attacks like it are often launched with the aim of causing operational disruption or conducting IP and financial theft.

**4\. Ransomware Attack Against a Financial Services Provider Halted**

In March 2022, a South African financial services firm decided to try out Darktrace's technology and immediately uncovered an in-progress ransomware attack attempting to encrypt its most valuable data.

The first sign of compromise was a company mail server making unusual HTTP connections to an external endpoint and communicating with a malicious server via the Internet. Its understanding of the business and this particular mail server's normal behavior allowed the AI to identify the threatening activity.

The compromised server was then seen attempting to perform network reconnaissance and lateral movement to increase its presence within the organization. Further investigation revealed that attackers had obtained the credentials of 11 employees, including several C-level executives. With the attack spreading fast, more and more company devices began attempting to communicate with the malicious external server.

The AI quickly interrupted further attempts at communication with the malicious server but allowed normal business operations to continue. With the attack safely contained, Darktrace helped the company's security team to conduct a full investigation and ensure that the attack had been completely neutralized.

**5\. AI Stops Log4j Exploit at a Global Financial Services Provider**

The Log4Shell vulnerability that went public at the end of 2021 is one of the most serious and widespread exploits on record. It is thought by some to have affected hundreds of millions of devices and, as a zero-day, it has evaded lots of traditional security tools.

Fortunately, AI security has been able to mitigate the effects of Log4Shell for many of the organizations it protects. One of these, a global financial services provider with assets of over $5 billion, was targeted in March 2022.

The attackers used a Log4j vulnerability to gain access to one of the company's virtual desktop infrastructure (VDI) servers, from which they attempted to scan the surrounding network and spread throughout the enterprise. The server began downloading a shell script from a suspicious external endpoint, prompting an immediate alert from the company's AI-driven security measures.

Convinced of the severity of the threat by the alert, the company's security team promptly deployed AI technology to take precise action against the threat and maintain the regular business activities on the VDI server.

Fast action from this AI-driven response technology blocked the malicious connections and prevented the threat from progressing further, very likely saving the company from a ransomware attack.

5 Surprising Cyberattacks AI Stopped This Year

Results from phishing simulation campaigns highlight the five most effective types of phishing email.

**Woburn, MA – June 28, 2022 —** Phishing simulator data from Kaspersky’s Security Awareness Platform shows that workers tend to not notice pitfalls hidden in emails devoted to corporate issues and delivery problem notifications, with one in five (16% to 18%) clicking the link in the email templates imitating these phishing attacks.

According to estimates, 91% of all cyberattacks begin with a phishing email, and phishing techniques are involved in 32% of all successful data breaches.

To provide further insight into this type of threat, Kaspersky analyzed data gathered from a phishing simulator provided voluntarily by users\[1\]. Integrated into Kaspersky Security Awareness Platform, this tool helps companies check if their staff can distinguish a phishing email from a real one without putting corporate data at risk. An administrator chooses from the set of templates, mimicking common phishing scenarios or creates a custom template, then sends it to the group of employees without pre-warning them and tracks the results. A large number of users clicking the link is a clear indication that additional cybersecurity awareness training is required.

According to recent phishing simulation campaigns, the five most effective types of phishing email are:

*   Subject**:** Failed delivery attempt - Unfortunately, our courier was unable to deliver your item. Sender: Mail delivery service. Click conversion: 18.5%
*   Subject: Emails not delivered due to overloaded mail servers. Sender: The Google support team. Click conversion: 18%
*   Subject: Online employee survey: What would you improve about working at the company. Sender: HR Department. Click conversion: 18%
*   Subject: Reminder: New company-wide dress code. Sender: Human Resources. Click conversion: 17.5%
*   Subject: Attention all employees: new building evacuation plan. Sender: Safety Department. Click conversion: 16%

Other phishing emails that gained a significant number of clicks include reservation confirmations from a booking service (11%), a notification about an order placement (11%), and an IKEA contest announcement (10%).

Alternatively, emails that threaten the recipient or offer instant benefits appeared to be less “successful.” A template with the subject “I hacked your computer and know your search history” gained 2% of clicks, while offers for free Netflix and $1,000 by clicking a link tricked just 1% of employees.

_“Phishing simulation is one of the simplest ways to track employees’ cyber-resilience and evaluate the efficiency of their cybersecurity training. However, there are significant aspects that must be considered when conducting this assessment to make it really impactful,”_ comments Elena Molchanova, head of security awareness business development at Kaspersky. _“Since the methods used by cybercriminals are constantly changing, the simulation has to reflect up-to-date social engineering trends, alongside common cybercrime scenarios. It is crucial that simulated attacks are carried out regularly and supplemented with appropriate training – so users will develop a strong vigilance skill that will allow them avoid falling for targeted attacks or so-called spear phishing.”_

To prevent data breaches, and any related financial and reputational losses caused by phishing attacks, Kaspersky recommends the following for businesses:

*   Remind your employees about the basic signs of phishing emails. A dramatic subject line, mistakes and typos, inconsistent sender addresses and suspicious links;
*   If there is any doubt about the received email, check the format of attachments before opening them and the link accuracy before clicking. This can be achieved by hovering over these elements - make sure the address looks authentic and the attached files are not in an executable format;
*   Always report phishing attacks. If you spot a phishing attack, report it to your IT security department and, if possible, avoid opening the malicious email. This will allow your cybersecurity team to reconfigure anti-spam policies and prevent an incident;
*   Supply your employees with basic cybersecurity knowledge. Education should be aimed at changing the behavior of learners and teaching them how to deal with threats. As a major cybersecurity vendor, Kaspersky possesses a relevant base of information on real attacks and continuously supplements its Security Awareness Trainings in accordance with the current threat landscape;
*   Since phishing attempts can be confusing, and there’s no guarantee of avoiding all accident clicks, protect your working devices with reliable security. Choose a solution that provides anti-spam capabilities, tracks suspicious behavior, and creates a backup copy of your files in case of ransomware attacks. Anti-phishing protection is included in some security solutions, even for small and very small businesses, such as Kaspersky Small Office Security.

Kaspersky Reveals Phishing Emails That Employees Find Most Confusing

The clever, interactive phishing campaign is a sign of increasingly complex social-engineering attacks, researchers warn.

A social-engineering campaign bent on stealing Facebook account credentials and victim phone numbers is targeting business pages via a savvy campaign that incorporates Facebook's Messenger chatbot feature.

That's according to an analysis from Trustwave SpiderLabs. Karl Sigler, senior security research manager there, tells Dark Reading that the campaign is notable for its interactivity, and how much more complex the social-engineering aspects of phishing campaigns have gotten.

"You don't just click on a link and then be prompted to download an executable — most people are going to understand that's an attack and not click on it," he explains. "In this attack, it's a link that leads you to a tech-support-type channel asking for information that you would expect tech support to ask for, and that ramping up of the social-engineering aspect is relatively new with these types of campaigns."

**Interactive & Seemingly Legitimate: A New Face of Phishing**

According to the research, the attacks start with emails, as they often do. The emails claim that user pages will be terminated in 48 hours due to a violation of Facebook's community standards — a savvy lure, researchers pointed out, given that the social-media giant has been vocal about its efforts to clamp down on rules-breakers.

The sender, purporting to be from Facebook's support team, claims to be giving users a chance to appeal, and offers an "Appeal Now" button to click directly from the email. If one hovers over the button, the URL uses Meta's legitimate URL-shortening service (which uses the convention "m.me"). If users click, they're taken to a real Messenger conversation with a chatbot.

The chatbot claims to be a representative of the Facebook support team, and presents another "Appeal Now" button to victims. The embedded link takes users to a new tab to a website hosted in Google Firebase.

"Firebase is an application development software that provides developers with a variety of tools to help build, improve, and grow the app \[making it\] easy for anyone to create and publish webpages," according to Trustwave's Tuesday analysis. "Spammers take advantage of this availability, and in this case, they built a website disguised as a Facebook 'Support Inbox,' where the user can purportedly appeal the supposed deletion of their page."

On this page, now-victims are asked to enter their email address or mobile number, first and last name, and page name. An additional text box for a phone number is displayed even though a mobile number is already being asked in the first text box. After pressing a "Submit" button, a pop-up window appears asking for the victims' passwords.

All of the data is of course sent directly to the cybercrooks' database.

The last link of the attack chain involves a bogus two-factor authentication gambit — users are presented with a pop-up box asking for a code, and are told they'll be sent a one-time password, which the attackers do since they've been able to capture victims' email and phone data.

Finally, the page will then redirect to the actual Facebook Help Center.

**Bolstering Trustability in Phishing**

One of the aspects that makes this campaign so effective is the fact that chatbots are a common feature of digital marketing and live support these days, and people are not inclined to be suspicious of their contents, especially if they come from a seemingly genuine source.

"The campaign uses the actual Facebook chat mechanism," Sigler says. "When you click the link in the email and it takes you literally to Facebook, and you can see your account profile up top, you can see that it's Facebook, you can look at the URL and it's got the nice little lock up-top that lends trust. The supporting says Page support. They've given me a case number. And that's often enough to break down those the barriers that a lot of people put up to identify the red flags associated with phishing."

Sigler warns that attacks like these can be especially risky for business-page owners in particular.

"This could be leveraged very well in a targeted-type of attack," he notes. "If I know an organization has standardized on specific messaging clients, whether it's Skype or Teams or Signal, I can start to craft a campaign specific to that messaging platform."

Cybercriminals can cause plenty of damage for business users with Facebook credentials and phone numbers, Sigler adds.

"If the person who is in charge of your social networking falls for this type of scam, suddenly, your entire business page may be defaced, or they could leverage access to that business page to gain access directly to your customers using the legitimacy of that Facebook presence," he explains. "They'll also probably go after additional network access and data."

**Phishing Defense with User Awareness Training: Still Effective**

The use of valid infrastructure to propagate such attacks is a sign of things to come in phishing, Sigler notes.

"A lot of times, these types of attacks will use cloned sites or those typosquatted domains that look like Facebook, but it's actually 'Facebock,' let's say," he says. "Going forward, we're going to continue to see a trend of attacks coming from traditionally valid sources, and it's going to be harder and harder to distinguish these campaigns because of that legitimacy level that they're piggybacking on top of."

That said, it's worth noting that this particular campaign was not without its suspicious red flags. For instance, the emails have grammatical problems, such as the improper capitalization of the word "Page," and the missing period at the end of the third sentence, researchers pointed out. And in the email header, the sender is named as "Policy Issues," but the sender domain does not belong to Facebook. It is also evident in the email's Received headers and sender IP address that it was not sent by the social media platform.

There are also problems when users are taken to the purported support page.

"Closer inspection of the profile owning the page will reveal that this is not an actual support page," according to the research. "The profile used is just a normal business/fan page with zero followers and no posts. Even though this page may seem unused, it had a 'Very Responsive' badge which Facebook defines as having a response rate of 90% and responds within 15 minutes. It even sported a Messenger logo as its profile picture to appear legitimate."

"While this type of attack is a little bit clumsy from my point of view, and I think a lot of people would see through it because of the red flags, I think that this is a start and I think that they're going to get much more clever," Sigler warns.

Thus, the best defense is to focus on user phishing training, Sigler advocates.

"More than 95% of compromises are initially started with somebody clicking on the wrong link in a phishing email," Sigler notes. "Hopefully organizations are having ongoing security awareness training, because the only thing you can do to patch for this type of attack is educate your users. So, it's important to revisit your security-awareness program, to take a look at what you're currently teaching your employees and users about phishing attacks, and make sure that it's up-to-date and includes some of these more complex campaigns."

Facebook Business Pages Targeted via Chatbot in Data-Harvesting Campaign

Google Analytics has been found to be in violation of GDPR privacy laws by Italy — the third country to ban it.

Italian regulators have decided to ban the use of Google Analytics, citing the US government's easy access to consumer data, which puts the service in violation of European Union General Data Protection Regulation (GDPR) laws.

That means that millions of users' online behavior will no longer be visible to the SEO platform.

Italy's Privacy Guarantor found that a collection of user IP addresses, as well as browsing and operating system, screen resolution, and selected language, in addition to the date and time the user visited a site, was being transferred to the US by Google Analytics without GDPR\-mandated privacy protections.

Website operators inside Italy have 90 days to review their Google Analytics use to ensure data privacy compliance, the Privacy Guarantor ruled.

The ruling follows similar actions taken by French and Austrian authorities.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Analytics Continues to Lose SEO Visibility as Bans Continue

Researchers this week said they had observed criminals using a new and improved version of the prolific malware, barely three months after its authors announced they were quitting.

The authors of "Raccoon Stealer," one of the most prolific information stealers of 2021, have released a new and improved version of the malware just three months after shutting down operations following the death of its lead developer in Ukraine.

Researchers from French cybersecurity vendor Sekoia this week reported stumbling upon active servers hosting Raccoon Stealer files while searching for signs of the malware earlier this month. Sekoia's subsequent investigation showed the authors of the malware had been selling the new version via their Telegram channel since at least May 17.

Sekoia said its analysis showed the authors of Raccoon Stealer have rewritten the malware and administrative panel for it, from scratch. The focus of the effort appears to have been on improving the stealer’s performance and efficiency. At its core, the new Raccoon Stealer remains a classic information stealer, with an extra focus on cryptocurrency wallets. It is designed to steal passwords, cookies, credit card data, and autofill forms from most modern browsers. The malware can steal from a wide range of desktop crypto wallets including Electrum, Exodus, MetaMask, and Coinomi.

**New and Improved**

Sekoia found Raccoon Stealer V2 to also feature capabilities — such as a file grabber for all disks and a built-in file downloader — for exfiltrating files for compromised systems and loading other software on the systems. Additional capabilities include screenshot capturing, keystroke logging, and application enumeration. "It's worth noting that the malware implements almost no defense evasion techniques, such as anti-analysis \[or\] obfuscation,” Sekoia said in a report summarizing its analysis this week. However, expect the malware authors to add those capabilities soon, the security vendor said.

Several security researchers had fully expected Raccoon Stealer to resurface when its developers announced they were stopping operations on March 25. The malware, which first surfaced in 2019, is widely regarded as one of the most effective information stealers in recent memory. Racoon Stealer's developers initially distributed it via a malware-as-a-service model that allowed other criminals to rent and use the stealer for a portion of the profits.

Over time, criminals began distributing it in other ways as well, including by planting it on websites selling pirated software. Last August, researchers from Sophos reported criminals dropping the malware from sites that were optimized to surface high on Google search engine results when people searched for sources of pirated software. In that campaign, Sophos concluded the criminals distributing Raccoon Stealer were likely using "droppers-as-a-service" to distribute the malware. Sophos researchers also observed attackers using a Telegram channel to deliver the address of the command-and-control gateway to systems infected with Raccoon Stealer. The security vendor surmised that Raccoon Stealer attackers had begun using the Telegram channel to make it harder to locate the malware's command and control infrastructure.

**Resurfacing on Cue**

In January 2022, Bitdefender's Cyber Threat Intelligence Lab observed the operators of the widely used RIG Exploit Kit include Raccoon Stealer in their kit. However, when Raccoon Stealer's developers announced they were quitting, the authors of RIG quickly swapped out the malware for the older but still popular Dridex banking Trojan. Recently, criminals have also used fake installers for legitimate software — such as VPNs from F-Secure and Proton — to distribute Raccoon Stealer.

In a report last week, Bitdefender predicted that Raccoon Locker would return despite the setback that pushed the developers to ceasing operations in March. It's an assessment that Sekoia shared this week. "We expect a resurgence of Raccoon Stealer v2 as developers implemented a version tailored to the needs of cybercriminals and scaled their backbone servers to handle large loads," Sekoia said.

Source

DARKReading