Cisco recently developed and released a new feature to detect brand impersonation in emails when adversaries pretend to be a legitimate corporation.

Wednesday, May 22, 2024 08:17

*   Cisco recently developed and released a new feature to detect brand impersonation in emails when adversaries pretend to be a legitimate corporation.
*   Talos has discovered a wide range of techniques threat actors use to embed and deliver brand logos via emails to their victims.
*   Talos is providing new statistics and insights into detected brand impersonation cases over one month (March - April 2024).
*   In addition to deploying Cisco Secure Email, user education is key to detecting this type of threat.

Brand impersonation could happen on many online platforms, including social media, websites, emails and mobile applications. This type of threat exploits the familiarity and legitimacy of popular brand logos to solicit sensitive information from victims. In the context of email security, brand impersonation is commonly observed in phishing emails. Threat actors want to deceive their victims into giving up their credentials or other sensitive information by abusing the popularity of well-known brands.

**Brand logo embedding and delivery techniques**

Threat actors employ a variety of techniques to embed brand logos within emails. One simple method involves inserting words associated with the brand into the HTML source of the email. In the example below, the PayPal logo can be found in plaintext in the HTML source of this email.

An example email impersonating the PayPal brand.

Creating the PayPal logo via HTML.

Sometimes, the email body is base64-encoded to make their detection harder. The base64-encoded snippet of an email body is shown below.

An example email impersonating the Microsoft brand.

A snippet of the base64-encoded body of the above email.

The decoded HTML code is shown in the figure below. In this case, the Microsoft logo has been built via an HTML 2x2 table with four cells and various background colors.

Creating the Microsoft logo via HTML.

A more advanced technique is to fetch the brand logo from remote servers at delivery time. In this technique, the URI of the resource is embedded in the HTML source of the email, either in plain text or Base64-encoded. The logo in the example below is fetched from the below address:  
hxxps://image\[.\]member.americanexpress\[.\]com/.../AMXIMG\_250x250\_amex\_logo.jpg

An example email impersonating the American Express brand.

The URI from which the American Express brand is being loaded.

Another technique threat actors use is to deliver the brand logo via attachments. One of the most common techniques is to only include the brand logo as an image attachment. In this case, the logo is normally base64-encoded to evade detection. Email clients automatically fetch and render these logos if they’re referenced from the HTML source of the email. In this example, the Microsoft logo is attached to this email as a PNG file and referenced in an <img> HTML tag.

An example email impersonating the Microsoft brand (the logo is attached to the email and is rendered and shown to the victim at delivery time via <img> HTML tag).

The Content-ID (CID) reference of the attached Microsoft brand logo is included inline in the HTML source of the above email.

In other cases, the whole email body, including the brand logo, is attached as an image to the email and is shown to the victim by the email client. The example below is a brand impersonation case where the whole body is included in the PNG attachment, named “shark.png”. Also, an “inline” keyword can be seen in the HTML source of this email. When Content-Disposition is set to "inline," it indicates that the attached content should be displayed within the body of the email itself, rather than being treated as a downloadable attachment.

An example email impersonating the Microsoft Office 365 brand (the whole email body, including the brand logo, is attached to the email as a PNG file).

The whole email body is in the attachment and is included in the above message.

A brand logo may also be embedded within a PDF attachment. In the example shown below, the whole email body is included in a PDF attachment. This email is a QR code phishing email that is also impersonating the Bluebeam brand.

An example email impersonating the Bluebeam brand (the whole email body, including the brand logo, is attached to the email as a PDF file).

The whole email body is included in a PDF attachment.

**The scope of brand impersonation**

An efficient brand impersonation detection engine plays a key role in an email security product. The extracted information from correctly convicted emails is valuable for threat researchers and customers. Using Cisco Secure Email Threat Defense’s brand impersonation detection engine, we uncovered the true scope of how widespread these attacks are. All data reflects the period between March 22 and April 22, 2024.

Threat researchers can use this information to block future attacks, potentially based on the sender’s email address and domain, the originating IP addresses of brand impersonation attacks, their attachments, the URLs found from such emails, and even phone numbers.

The chart below demonstrates the top sender domains of emails curated by attackers to convince the victims to call a number (i.e., as in Telephone-Oriented Attack Delivery) by impersonating the Best Buy Geek Squad, Norton and PayPal brands. Free email services are widely used by adversaries to send such emails. However, other domains can also be found that are less popular.

Top sender domains of emails impersonating Best Buy Geek Squad, Norton and PayPal brands.

Sometimes, similar brand impersonation emails are sent from a wide range of domains. For example, as shown in the below heatmap, emails impersonating the DocuSign brand were sent from two different domains to our customers on March 28. In other cases, emails are sent from a single domain (e.g., emails impersonating Geek Squad and McAfee brands).

Count of convictions by the impersonated brand and sender domain on March 28.(Note: This is only a subset of convictions we had on this date.)

Brand impersonation emails may target specific industry verticals, or they might be sent indiscriminately. As shown in the chart below, four brand impersonation emails from _hotmail.com_ and _softbased.top_ domains were sent to our customers that would be categorized as either educational or insurance companies. On the other hand, emails from _biglobe.ne.jp_ targeted a wider range of industry verticals.

Count of convictions by industry verticals from different sender domains on April 2nd (note: this is only a subset of convictions we had in this date).

Cisco customers can also benefit from information provided by the brand impersonation detection engine. By sharing the list of the most frequently impersonated brands with them regularly, they can train their employees to stay vigilant when they observe specific brands in emails.

Top 30 impersonated brands over one month.

Microsoft was the most frequently impersonated brand over the month we observed, followed by DocuSign. Most emails that contained these brands were fake SharePoint and DocuSign phishing messages. Two examples are provided below.

Other top frequently impersonated brands such as NortonLifeLock, PayPal, Chase, Geek Squad and Walmart were mostly seen in callback phishing messages. In this technique, the attackers include a phone number in the email and try to persuade recipients to call that number, thereby changing the communication channel away from email. From there, they may send another link to their victims to deliver different types of malware. The attackers normally do so by impersonating well-known and familiar brands. Two examples of such emails are provided below.

**Protect against brand impersonation****Strengthening the weakest link**

Humans are still the weakest link in cybersecurity. Therefore, educating users is of paramount importance to reduce the amount and effects of security breaches. Educating people does not only concern employees within a specific organization but in this case, it also involves their customers.

Employees should know an organization’s trusted partners and the way that their organization communicates with them. This way, when an anomaly occurs in that form of communication, they will be able to identify any issues faster. Customers need different communication methods that your organization would use to contact them. Also, they need to be provided with the type of information you will be asking for. When they know these two vital details, they will be less likely to share their sensitive information over abnormal communication platforms (e.g., through emails or text messages).

Brand impersonation techniques are evolving in terms of sophistication, and differentiating fake emails from legitimate ones by a human or even a security researcher demands more time and effort. Therefore, more advanced techniques are required to detect these types of threats.

**Asset protection**

Well-known brands can protect themselves from this type of threat through asset protection as well. Domain names can be registered with various extensions to thwart threat actors attempting to use similar domains for malicious purposes. The other crucial step brands can take is to conceal their information from WHOIS records via privacy protection. Last, but not least, domain names need to be updated regularly since expired domains can be easily abused by threat actors for illicit activities that can harm your business reputation. Brand names should be registered properly so that your organization can take legal action when a brand impersonation occurs.

**Advanced detection methods**

Detection methods can be improved to delay the exposure of users to the received emails. Machine learning has improved significantly over the past few years due to advancements in computing resources, the availability of data, and the introduction of new machine learning architectures. Machine learning-based security solutions can be leveraged to improve detection efficacy.

Cisco Talos relies on a wide range of systems to detect this type of threat and protect our customers, from rule-based engines to advanced ML-based systems. Learn more about Cisco Secure Email Threat Defense's new brand impersonation detection tools here.

From trust to trickery: Brand impersonation over the email attack vector

By Uzair Amir
New York City, May 22 – Solv Protocol, a unified yield and liquidity layer for major digital assets,…
This is a post from HackRead.com Read the original post: Breakthrough for Solv Protocol: $1 Billion TVL, Now a Top 32 DeFi Player

New York City, May 22 – Solv Protocol, a unified yield and liquidity layer for major digital assets, has surpassed $1 billion in Total Value Locked (TVL), cementing its position as the 32nd largest decentralized finance (DeFi) protocol according to DeFiLlama rankings.

“Reaching this significant milestone is a testament to the strong demand for Solv’s suite of products and the growing adoption of our flagship SolvBTC offering,” said Ryan, founder of Solv Protocol. “As the largest protocol in the BTCFi space by TVL, we are excited to continue driving innovation and unlocking new opportunities for Bitcoin holders and DeFi participants alike.”

SolvBTC is a liquid yield token that tokenizes the best CeFi and DeFi yields in the industry, providing Bitcoin holders with a stable source of high-quality returns. The protocol’s multi-chain integration also enables SolvBTC to boost liquidity in emerging BTCFi ecosystems across Layer 1 and Layer 2 networks.

Solv has launched SolvBTC on Arbitrum, BNB Chain, and Merlin Chain. The protocol is building an ecosystem where users can bridge SolvBTC to farm points in new chains’ points programs, such as a 1.5x multiplier in zkLinkNova’s Aggregation Parade. Additionally, Solv has also introduced the Solv Point System, where users can exchange points for SOLV token airdrops to incentivize engagement.

Solv Protocol is backed by strong investors, including Binance Labs, Blockchain Capital, Laser Digital, and other renowned firms. The protocol has also undergone extensive security audits by leading firms such as Quanstamp, Certik, SlowMist, Salus, and Secbit.

For more information about Solv Protocol and its products, please visit the official website at solv.finance.

For media inquiries, please contact:  
Name: Ethean Yu  
Email: \[email protected\]

Breakthrough for Solv Protocol: $1 Billion TVL, Now a Top 32 DeFi Player

A notorious cybercriminal involved in breaches has released a database containing 70 million US criminal records.

A cybercriminal going by the names of EquationCorp and USDoD has released an enormous database containing the criminal records of millions of Americans. The database is said to contain 70 million rows of data.

_Post by USDoD on a breach forum_

The leaked database is said to include full names, dates of birth, known aliases, addresses, arrest and conviction dates, sentences, and much more. Dates reportedly range from 2020 to 2024.

The exact source of the database is as yet unknown.

USDoD is a high-profile player in this field, closely associated with “Pompompurin”, the operator of the first iteration of data leak site BreachForums. USDoD is said to have plans to set up a successor to the second iteration of BreachForums which was recently seized by law enforcement. Releasing this database may be USDoD’s way to round up some interested users.

USDoD is also believed to be involved in a breach at TransUnion, the data of which was (partly) dumped in September, 2023.

Needless to say, having the criminal information leaked could have a tremendous impact, not only for the listed individuals but also for the justice system. We’ll keep you updated.

**Protecting yourself from a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

If you want to find out how much of your own data has been exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll give you a free report, along with tips on what to do next.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Criminal record database of millions of Americans dumped online 

Since the first edition of The Ultimate SaaS Security Posture Management (SSPM) Checklist was released three years ago, the corporate SaaS sprawl has been growing at a double-digit pace. In large enterprises, the number of SaaS applications in use today is in the hundreds, spread across departmental stacks, complicating the job of security teams to protect organizations against

The Ultimate SaaS Security Posture Management Checklist, 2025 Edition

By Uzair Amir
Blended learning, a method that melds in-person teaching with online learning, has become increasingly popular recently. This innovative…
This is a post from HackRead.com Read the original post: Optimizing LMS Integration: 7 Strategies for Enhanced Blended Learning

Blended learning, a method that melds in-person teaching with online learning, has become increasingly popular recently. This innovative educational approach does not combine the advantages of classroom instruction and virtual learning. It also provides flexible opportunities for students to interact with course materials at their own pace. Having a Learning Management System (LMS) is crucial to effectively incorporating learning. 

In this blog post, we will discuss seven strategies for implementing LMS in blended learning environments, which will empower educators to improve teaching methods.

****1\. Establish Your Goals and Objectives****

Before integrating an LMS blended learning setup, it is vital to define your goals and objectives. Are you aiming to boost student engagement or streamline content delivery? Without an understanding of what you want to achieve through LMS integration, any efforts would lack direction. Once your goals are set, ensure all stakeholders are aligned before proceeding.

****2\. Assess LMS Platforms****

Given the abundance of LMS options available today, selecting the suitable platform for your needs can be overwhelming. Start by evaluating the features that match your goals. Some aspects to consider are user-friendly interfaces, compatibility across various devices, assessment tools, customizable dashboards, and reporting functionalities. Conduct research by reading reviews and exploring demos from providers before finalizing your decision.

****3\. Offer Training and Assistance****

Introducing technology can feel overwhelming for both educators and students. To ensure a transition to learning through an LMS, it’s crucial to provide comprehensive training and ongoing support for all users involved, from teachers handling the system to students actively using it. Classroom training sessions combined with resources like video tutorials or user guides can help users become familiar with the platform’s features.

****4\. Create Captivating Content****

In addition to managing tasks like assigning work and monitoring progress, an LMS also acts as a hub for course materials. To fully utilize an LMS’s potential, develop interactive content that promotes student engagement and knowledge retention. Integrate multimedia elements such as videos, podcasts, quizzes, and simulations within virtual learning modules to cater to diverse learning preferences and enhance teaching effectiveness.

****5.  Encourage Teamwork****

Blended learning settings offer chances for students to participate in exercises beyond classroom boundaries. An efficient Learning Management System should have features that support collaboration among students, such as discussion forums, group projects, and interactive tasks. It’s essential to encourage students to engage with their peers, participate in discussions, and work together on projects to create a sense of community and active learning.

****6\. Utilize Data Analytics for Learning****

One key benefit of an LMS is its ability to gather data on student performance and behaviours. Take advantage of the analytics tools provided by your chosen platform to better understand learning patterns and identify areas where students may need help. Using data-driven insights can help tailor instruction according to each student’s requirements, leading to success rates in learning setups.

****7\. Regularly Evaluate Effectiveness****

Successfully integrating any tool involves continual assessment. Monitor the impact of the LMS on teaching and learning outcomes by gathering feedback from teachers, students, parents, and administrators involved in the blended learning environment. Use this feedback loop to pinpoint strengths and areas needing improvement, implementing changes as needed.

Additionally, periodic evaluations should be conducted to gauge the system’s effectiveness and relevance in meeting organizational goals. Analyze metrics such as engagement levels, completion rates, and user satisfaction surveys to inform strategic adjustments and ensure optimal performance over time.

****In Conclusion****

By following these seven strategies for incorporating an LMS into a learning setup, educators can harness the benefits of technology-enhanced teaching methods while seamlessly blending them with instructional approaches.

Setting objectives, choosing platforms with advanced features, implementing comprehensive training programs, creating engaging content design strategies to encourage collaboration among students, utilizing analytics data to personalize instructional plans, and regularly evaluating the effectiveness of traditional teaching methods can be greatly improved. 

This approach effectively incorporates the use of technology to enhance student outcomes. These combined strategies will drive innovation and achievement in learning settings. By integrating a Learning Management System (LMS) into your blended learning strategy, you can open up opportunities for both teaching and learning!

1.  Maximizing Roi With The Best LMS For Elearning
2.  mLearning – Future of On-The-Go Dynamic Training Programs
3.  How to Teach Your Child Coding: A Gift for Their Digital Future
4.  A Checklist for What Every Online Coding Class for Kids Needs
5.  The Future of Phishing Email Training for Employees in Cybersecurity

Optimizing LMS Integration: 7 Strategies for Enhanced Blended Learning

Microsoft unveiled an AI search tool on new laptops that will require regular screenshots of all device activity to be recorded and stored.

Developing an AI-powered threat to security, privacy, and identity is certainly a choice, but it’s one that Microsoft was willing to make this week at its “Build” developer conference.

On Monday, the computing giant unveiled a new line of PCs that integrate Artificial Intelligence (AI) technology to promise faster speeds, enhanced productivity, and a powerful data collection and search tool that screenshots a device’s activity—including password entry—every few seconds.

This is “Recall,” a much-advertised feature within what Microsoft is calling its “Copilot+ PCs,” a reference to the AI assistant and companion which the company released in late 2023. With Recall on the new Copilot+ PCs, users no longer need to manage and remember their own browsing and chat activity. Instead, by regularly taking and storing screenshots of a user’s activity, the Copilot+ PCs can comb through that visual data to deliver answers to natural language questions, such as “Find the site with the white sneakers,” and “blue pantsuit with a sequin lace from abuelita.”

As any regularly updated repository of device activity poses an enormous security threat—imagine hackers getting access to a Recall database and looking for, say, Social Security Numbers, bank account info, and addresses—Microsoft has said that all Recall screenshots are encrypted and stored locally on a device.

But, in terms of security, that’s about all users will get, as Recall will not detect and obscure passwords, shy away from recording pornographic material, or turn a blind eye to sensitive information.

According to Microsoft:

> “Note that Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers. That data may be in snapshots that are stored on your device, especially when sites do not follow standard internet protocols like cloaking password entry.”

The consequences of such a system could be enormous.

With Recall, a CEO’s personal laptop could become an even more enticing target for hackers equipped with infostealers, a journalist’s protected sources could be within closer grasp of an oppressive government that isn’t afraid to target dissidents with malware, and entire identities could be abused and impersonated by a separate device user.

In fact, Recall seems to only work best in a one-device-per-person world. Though Microsoft explained that its Copilot+ PCs will only record Recall snapshots to specific device _accounts_, plenty of people share devices _and_ accounts. For the domestic abuse survivor who is forced to share an account with their abuser, for the victim of theft who—like many people—used a weak device passcode that can easily be cracked, and for the teenager who questions their identity on the family computer, Recall could be more of a burden than a benefit.

For Malwarebytes General Manager of Consumer Business Unit Mark Beare, Recall raises yet another issue:

> “I worry that we are heading to a social media 2.0 like world.”

When users first raced to upload massive quantities of sensitive, personal data onto social media platforms more than 10 years ago, they couldn’t predict how that data would be scrutinized in the future, or how it would be scoured and weaponized by cybercriminals, Beare said.

“With AI there will be a strong pull to put your full self into a model (so it knows you),” Beare said. “I don’t think it’s easy to understand all the negative aspects of what can happen from doing that and how bad actors can benefit.”

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Microsoft AI &#8220;Recall&#8221; feature records everything, secures far less 

NASA AIT-Core v2.5.2 was discovered to use unencrypted channels to exchange data over the network, allowing attackers to execute a man-in-the-middle attack.

**NASA AIT-Core uses unencrypted channels to exchange data over the network**

High severity GitHub Reviewed Published May 21, 2024 to the GitHub Advisory Database • Updated May 22, 2024

GHSA-qv6x-53jj-vw59: NASA AIT-Core uses unencrypted channels to exchange data over the network

An issue in the Pickle Python library of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary commands.

**NASA AIT-Core vulnerable to remote code execution**

Critical severity GitHub Reviewed Published May 21, 2024 to the GitHub Advisory Database • Updated May 22, 2024

GHSA-jqff-8g2v-642h: NASA AIT-Core vulnerable to remote code execution

Under certain circumstances it is possible to execute an authorized foreign code in Shopware version prior to 5.2.25.


Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-83jv-4prm-34g7

**Shopware Remote Code Execution Vulnerability**

Critical severity GitHub Reviewed Published May 21, 2024 to the GitHub Advisory Database • Updated May 21, 2024

**Package**

composer shopware/shopware (Composer)

**Affected versions**

\>= 4.2.0, < 5.2.25

**Description**

Published to the GitHub Advisory Database

May 21, 2024

Last updated

May 21, 2024

GHSA-83jv-4prm-34g7: Shopware Remote Code Execution Vulnerability

Under certain circumstances, it’s possible to execute an unauthorized foreign code in Shopware in versions prior to 5.2.16. One possible threat is if a template that doesn’t derive from the Shopware standard has been completely copied. Themes or plugins that execute or overwrite the following template code are vulnerable.

- Affected file: emotion.tpl

Path template file "Emotion template": templates / _default / frontend / forms / elements.tpl
Path template file "Responsive template": themes/Frontend/Bare/frontend/forms/elements.tpl

The complete line beginning with: `{eval var=$sSupport.sFields[$sKey]...` should be exchanged with the following:

```
{$sSupport.sFields[$sKey]|replace:'{literal}':''|replace:'{/literal}':''|replace:'%*%':"{s name='RequiredField' namespace='frontend/register/index'}{/s}"}
```

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-7336-ghhp-f2qj

**Shopware Remote Code Execution Vulnerability**

Critical severity GitHub Reviewed Published May 21, 2024 to the GitHub Advisory Database • Updated May 21, 2024

**Package**

composer shopware/shopware (Composer)

**Affected versions**

\= 5.2.15

**Description**

Published to the GitHub Advisory Database

May 21, 2024

Last updated

May 21, 2024

Tag

#git