New report reveals a 121% surge in cybercriminals using legitimate websites to obfuscate malicious payloads
Quote: "71% of malicious payloads sent from compromised accounts were HTML smuggling attacks
51% increase in attacks sent from compromised accounts
Advanced phishing attacks commoditized by crime-as-a-service gangs"
Cybersecurity professionals who promote fear are doing harm to overall cybersecurity awareness training efforts.
As an example, I received this inquiry from a person who was unnecessarily afraid to use a legitimate payment system. Read their question and my reply below:
"Hi Bob, I have a tech question for you. I just had my car serviced at the dealer. They offered a pickup and return service (of the car) which I used, so I did not physically have to go there. When they were done they texted me a copy of the bill and there was a link to make the payment. Since I wasn’t sure how safe that was I called and made the payment, but for future reference I thought I’d ask you if it is a safe/secure way to pay.
Thanks"
My reply:
"Yes! It's safe and secure to use a link in a text message, or QR code, given to you directly by a local business. That business is paying a transaction fee to use an online credit card payment services provider."
Instead of fostering fear, teach people how to distinguish between legitimate payment links and payment links from scammers.
Finnish market chain and bank S-Pankki is informing about #phishing attempts. The funny thing is that they are sending their email from: noreply.s-pankki@email.s-pankki.fi
What garbage is that? That is one confusing email address to use to inform about phishing attempts. Can't they come up with something simpler that is easier to verify at a glance?
Lately I've been getting #phishing emails where the obscured URL (i.e. made to look like it's from my bank, but it's actually directed elsewhere) is a t.co short link.
I'm guessing in the skeleton crew left over at #Twitter there probably isn't a huge team dedicated to monitoring the URL shortener for malicious links.
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #19/2023 is out! It includes, among other things:
‣ New Phishing-as-a-Service Platform Lets Cybercriminals Generate Convincing #Phishing Pages
‣ #Netgear Routers' Flaws Expose Users to #Malware, Remote Attacks, and Surveillance
‣ 🇮🇹 🏎️ #WordPress Plugin Vulnerability Exposed #Ferrari Website to Hackers
‣ 🇯🇵 🚗 #Toyota Japan exposed data on millions of vehicles for a decade
‣ 📨 #Microsoft patches bypass for recently fixed Outlook zero-click bug
‣ 🇺🇸 🇺🇦 IRS gives #Ukraine tools to expose Russian oligarchs hiding riches in #crypto exchanges
‣ 🇨🇭 Multinational tech firm #ABB hit by Black Basta #ransomware attack
‣ 🐥 #Twitter Finally Rolling Out Encrypted Direct Messages — Starting with Verified Users
‣ 🇺🇸 Cybersecurity firm #Dragos discloses cybersecurity incident, extortion attempt
‣ 🇰🇵 North Korean hackers breached major hospital in Seoul to steal data
‣ 🇺🇸 #Google Now Lets US Users Search #DarkWeb for Their Gmail ID
‣ 🇺🇸 #IBM Delivers Roadmap for Transition to Quantum-safe #Cryptography
‣ 🇪🇸 Spanish police dismantle phishing operation linked to crime ring
‣ 🇺🇸 Microsoft #PatchTuesday: 40 Vulnerabilities, 2 Zero-Days
‣ 🇺🇸 🇷🇺 Justice Department Announces Court-Authorized Disruption of the Snake Malware Network Controlled by #Russia's Federal Security Service
‣ 🇺🇸 Feds seize 13 more DDoS-for-hire platforms in ongoing international crackdown
‣ #MSI Data Breach: Private Code Signing Keys Leaked on the Dark Web
‣ 🇮🇷 Microsoft: Iranian hacking groups join #Papercut attack spree
📚 This week's recommended reading is: "The Pentester BluePrint: Starting a Career as an Ethical Hacker" by @phillipwylie and @crowgirl
I've cracked billions of #passwords from tens of thousands of #data #breaches in the past 12+ years, and because of this, I likely know at least one #password for 90% of people on the Internet. And I'm not alone! While I primarily crack breached passwords for research purposes and the thrill of the sport, others are selling your breached passwords to criminals who leverage them in #AccountTakeover and #CredentialStuffing attacks.
Use a #Diceware style #passphrase - four or more words selected at random - for passwords you have to commit to memory, like your master password!
Enable MFA for important online accounts, including cloud-based password managers!
Harden your master password by tweaking your password manager's KDF settings! For #Bitwarden, use Argon2id with 64MB memory, 3 iterations, 4 parallelism. For #1Password and other PBKDF2 based password managers, set the iteration count to at least 600,000.
Use unique, randomly generated passwords for all your accounts! Use your password manager to generate random 14-16 character passwords for everything. Modern password cracking is heavily optimized for human-generated passwords, because humans are highly predictable. Randomness defeats this and forces attackers to resort to incremental brute force! There's no trick you can do to make a secure, uncrackable password on your own - your meat glob will only betray you.
Use an ad blocker like #uBlock Origin to keep you safe from password-stealing #malware and other browser based threats!
Don't fall for #phishing attacks and other social engineering attacks! Browser-based password managers help defend against phishing attacks because they'll never autofill your passwords on fake login pages. Think before you click, and never give your passwords to anyone, not even if they offer you chocolate or weed.
#Enterprises: require ad blockers, invest in an enterprise password management solution, audit password manager logs to ensure employees aren't sharing passwords outside the org, implement a Fine Grained Password Policy that requires a minimum of 20 characters to encourage the use of long passphrases, implement a password filter to block commonly used password patterns and compromised passwords, disable #NTLM authentication and disable RC4 for #Kerberos, disable legacy broadcast protocols like LLMNR and NBT-NS, require mandatory #SMB signing, use Group Managed Service Accounts instead of shared passwords, monitor public data breaches for employee credentials, and crack your own passwords to audit the effectiveness of your password policy and user training!
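One way to implement the password filter the post above recommends (the 20-character minimum, a compromised-password set, and the human-chosen patterns a cracker's rule set handles cheaply). This is an added Python example, not the author's tooling; the breached hashes, the pattern list and the organisation name are constructed for illustration.

```python
import hashlib
import re

# Constructed sample of a compromised-password set, stored as SHA-1 hex digests the
# way most breach feeds publish them (the three entries are made up for this example).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("Summer2023!", "Welcome123", "correct horse battery staple")
}

# Patterns that human-chosen passwords fall into. Each is cheap for a cracking rule
# set even when the string is long enough to satisfy a length-only policy.
COMMON_PATTERNS = [
    (re.compile(r"^[A-Za-z]+\d{1,4}[!@#$%^&*]{0,2}$"), "word followed by digits/symbol"),
    (re.compile(r"(?i)(spring|summer|autumn|fall|winter)\d{2,4}"), "season plus year"),
    (re.compile(r"(?i)(password|welcome|qwerty|letmein)"), "contains a common base word"),
    (re.compile(r"(.)\1{3,}"), "four or more repeated characters"),
    (re.compile(r"(?i)(0123|1234|2345|3456|4567|5678|6789|abcd|qwer)"), "keyboard/sequence run"),
]

MIN_LENGTH = 20  # the post's Fine Grained Password Policy minimum


def check_password(candidate, org_name="contoso"):
    """Return the list of policy violations for a candidate; an empty list means accepted.

    org_name is a constructed placeholder: a real filter would use the tenant's own
    name(s) and product names, which users embed in passwords surprisingly often.
    """
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if org_name.lower() in candidate.lower():
        reasons.append("contains the organisation name")
    # Compare hashes rather than plaintext so the breach set never has to be stored
    # in the clear on the filter host.
    if hashlib.sha1(candidate.encode()).hexdigest() in BREACHED_SHA1:
        reasons.append("appears in a known breach")
    for pattern, label in COMMON_PATTERNS:
        if pattern.search(candidate):
            reasons.append(label)
    return reasons


if __name__ == "__main__":
    for pw in ("Summer2023!", "Contoso-Welcome-2023-Login", "mossy-lantern-prairie-quartz"):
        print(pw, "->", check_password(pw) or "accepted")
```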
from what i've seen about the new wave of DM spam:
another cryptocurrency based advance fee fraud, the threat actor appears to be chinese this time (terms are used on the site that are typically used on chinese sites, like "VIP" levels for paid membership)
this time you're given creds to an account with lots of assets; you can't "withdraw" without a password you don't have, you can "transfer out" but only to another paid account
i reported it to google safe browsing and to MS equivalent
Over the past year, I’ve received dozens of spear #phishing/#smishing SMS text messages pretending to be from my employer’s CEO or another executive. Today I got my first one marked as an #iMessage (#Apple’s exclusive messaging service—the “blue bubbles” in your #iPhone Messages app).
This is pretty troubling—it means #scammers are getting past Apple’s defenses in addition to abusing the porous patchwork of SMS providers and networks.
Evilginx 3.0 is finally here!!!
One feature I'm excited for is embedding phishing pages within iFrames. For those familiar with the BITB technique from MrD0x a while back, the same feature is now in Evilginx.
final redirect: https://njsnr9mpv56441484f69432[.]newfiles[.]ru/087da7a55f8f3f967e773cdd999165176454a814cc560LOG087da7a55f8f3f967e773cdd999165176454a814cc563
Phishing remains hackers' first choice for harvesting other people's credentials and bypassing the second factor. We describe how such an attack unfolds.