Last week, I received a phishing test email that was mocked up to appear to be from HR, sharing some bullshit policy change.
I couldn’t help but reflect that fewer employees would fall for these if they weren’t accustomed to inconvenient and rage-inducing material flowing freely from HR.
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #19/2023 is out! It includes, among other things:
‣ New Phishing-as-a-Service Platform Lets Cybercriminals Generate Convincing #Phishing Pages
‣ #Netgear Routers' Flaws Expose Users to #Malware, Remote Attacks, and Surveillance
‣ 🇮🇹 🏎️ #WordPress Plugin Vulnerability Exposed #Ferrari Website to Hackers
‣ 🇯🇵 🚗 #Toyota Japan exposed data on millions of vehicles for a decade
‣ 📨 #Microsoft patches bypass for recently fixed Outlook zero-click bug
‣ 🇺🇸 🇺🇦 IRS gives #Ukraine tools to expose Russian oligarchs hiding riches in #crypto exchanges
‣ 🇨🇭 Multinational tech firm #ABB hit by Black Basta #ransomware attack
‣ 🐥 #Twitter Finally Rolling Out Encrypted Direct Messages — Starting with Verified Users
‣ 🇺🇸 Cybersecurity firm #Dragos discloses cybersecurity incident, extortion attempt
‣ 🇰🇵 North Korean hackers breached major hospital in Seoul to steal data
‣ 🇺🇸 #Google Now Lets US Users Search #DarkWeb for Their Gmail ID
‣ 🇺🇸 #IBM Delivers Roadmap for Transition to Quantum-safe #Cryptography
‣ 🇪🇸 Spanish police dismantle phishing operation linked to crime ring
‣ 🇺🇸 Microsoft #PatchTuesday: 40 Vulnerabilities, 2 Zero-Days
‣ 🇺🇸 🇷🇺 Justice Department Announces Court-Authorized Disruption of the Snake Malware Network Controlled by #Russia's Federal Security Service
‣ 🇺🇸 Feds seize 13 more DDoS-for-hire platforms in ongoing international crackdown
‣ #MSI Data Breach: Private Code Signing Keys Leaked on the Dark Web
‣ 🇮🇷 Microsoft: Iranian hacking groups join #Papercut attack spree
📚 This week's recommended reading is: "The Pentester BluePrint: Starting a Career as an Ethical Hacker" by @phillipwylie and @crowgirl
From what I've seen about the new wave of DM spam:
Another cryptocurrency-based advance-fee fraud. The threat actor appears to be Chinese this time (terms are used on the site that are typically used on Chinese sites, like "VIP" levels for paid membership).
This time you're given creds to an account with lots of assets; you can't "withdraw" without a password you don't have, and you can "transfer out", but only to another paid account.
I reported it to Google Safe Browsing and to the MS equivalent.
Over the past year, I’ve received dozens of spear #phishing/#smishing SMS text messages pretending to be from my employer’s CEO or another executive. Today I got my first one marked as an #iMessage (#Apple’s exclusive messaging service—the “blue bubbles” in your #iPhone Messages app).
This is pretty troubling—it means #scammers are getting past Apple’s defenses in addition to abusing the porous patchwork of SMS providers and networks.
Evilginx 3.0 is finally here!!!
One feature I'm excited for is embedding phishing pages within iFrames. For those familiar with the BITB technique from MrD0x a while back, the same feature is now in Evilginx.
final redirect: https://njsnr9mpv56441484f69432[.]newfiles[.]ru/087da7a55f8f3f967e773cdd999165176454a814cc560LOG087da7a55f8f3f967e773cdd999165176454a814cc563
I've cracked billions of #passwords from tens of thousands of #data#breaches in the past 12+ years, and because of this, I likely know at least one #password for 90% of people on the Internet. And I'm not alone! While I primarily crack breached passwords for research purposes and the thrill of the sport, others are selling your breached passwords to criminals who leverage them in #AccountTakeover and #CredentialStuffing attacks.
Use a #Diceware style #passphrase - four or more words selected at random - for passwords you have to commit to memory, like your master password!
Enable MFA for important online accounts, including cloud-based password managers!
Harden your master password by tweaking your password manager's KDF settings! For #Bitwarden, use Argon2id with 64MB memory, 3 iterations, 4 parallelism. For #1Password and other PBKDF2 based password managers, set the iteration count to at least 600,000.
Use unique, randomly generated passwords for all your accounts! Use your password manager to generate random 14-16 character passwords for everything. Modern password cracking is heavily optimized for human-generated passwords, because humans are highly predictable. Randomness defeats this and forces attackers to resort to incremental brute force! There's no trick you can do to make a secure, uncrackable password on your own - your meat glob will only betray you.
Use an ad blocker like #uBlock Origin to keep you safe from password-stealing #malware and other browser based threats!
Don't fall for #phishing attacks and other social engineering attacks! Browser-based password managers help defend against phishing attacks because they'll never autofill your passwords on fake login pages. Think before you click, and never give your passwords to anyone, not even if they offer you chocolate or weed.
#Enterprises: require ad blockers, invest in an enterprise password management solution, audit password manager logs to ensure employees aren't sharing passwords outside the org, implement a Fine Grained Password Policy that requires a minimum of 20 characters to encourage the use of long passphrases, implement a password filter to block commonly used password patterns and compromised passwords, disable #NTLM authentication and disable RC4 for #Kerberos, disable legacy broadcast protocols like LLMNR and NBT-NS, require mandatory #SMB signing, use Group Managed Service Accounts instead of shared passwords, monitor public data breaches for employee credentials, and crack your own passwords to audit the effectiveness of your password policy and user training!
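A minimal version of the password filter the post recommends (minimum length, common human patterns, organisation words, and a compromised-password set), written as an added example rather than any product's code; the compromised set, the pattern list and the "acme" organisation word are constructed for illustration:

```python
import hashlib
import re

MIN_LENGTH = 20  # the minimum the post's fine-grained password policy asks for

# Constructed sample of known-compromised passwords, stored as upper-case SHA-1 hex
# (the HIBP convention). A real filter would use a breach corpus or a k-anonymity lookup.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Summer2023!", "correct horse battery staple", "Welcome-to-ACME-2023")
}

# Human-predictable shapes that crackers target first.
COMMON_PATTERNS = {
    "season_year": re.compile(
        r"^(spring|summer|autumn|fall|winter|january|february|march|april|may|june|"
        r"july|august|september|october|november|december)\W*(19|20)?\d{2}\W*$", re.I),
    "keyboard_walk": re.compile(r"(qwerty|asdfgh|zxcvbn|1234567)", re.I),
    "word_digits": re.compile(r"^[a-z]+\d{1,4}[!@#$%^&*.]?$", re.I),
    "repeated_chunk": re.compile(r"^(.{2,8})\1{2,}$"),
}


def check_password(candidate: str, org_words=("acme",)) -> list:
    """Return the policy violations for a candidate password; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = candidate.lower()
    for word in org_words:  # company name, product names, etc. (assumed list)
        if word in lowered:
            problems.append(f"contains organisation word '{word}'")
    for name, pattern in COMMON_PATTERNS.items():
        if pattern.search(candidate):
            problems.append(f"matches common pattern '{name}'")
    digest = hashlib.sha1(candidate.encode()).hexdigest().upper()
    if digest in COMPROMISED_SHA1:
        problems.append("appears in compromised-password set")
    return problems


if __name__ == "__main__":
    for pw in ("Summer2023!", "correct horse battery staple", "quartz meadow lantern bicycle"):
        print(repr(pw), "->", check_password(pw) or "accepted")
```

Note that a well-known passphrase fails only on the compromised-set check, which is exactly why that check has to sit alongside the length and pattern rules.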
Phishing remains hackers' first choice for harvesting other people's credentials and bypassing the second factor. We describe how such an attack unfolds.
🌊 #introduction HI! I'm a security researcher interested in weird things on the Internet. In particular, I love following rabbit holes around phishing emails and infrastructure, C2s, and botnets.
I got my start in tech in data science, where I helped colleagues find users who were doing "weird" and "interesting" things with our company's software. They wanted to find users who were pushing the boundaries of the software, not doing nefarious things, necessarily.
TL;DR I've spent most of my career looking for weird stuff in data.
Now, I'm especially interested in applications of data science methods – including but NOT limited to AI/ML – to problems in the infosec space.
Excited to see the community here and get to know others with similar interests! #phishing #c2 #botnet #cybersecurity #ai #machinelearning
Luckily, she's not with EE - because it's a pretty convincing text. That domain name is specifically designed to include the day's date.
If you're stood up on a crowded train, with your phone screen cracked, would you notice that a . is where a / should be? A quick look at the URL shows a trusted domain at the start - followed by today's date.
It starts with https:// - that means it's secure, right? Is .info even recognisable as a top-level domain?
Scammers know these domains get blocked pretty quickly - so there's no point registering a generic name like billing-pdf.biz only to have it burned within a day. By the time I'd fired up a VM to inspect it, major browsers were already blocking the site as suspicious.
Is there any way to stop this? No, not really. Domain names are cheap - you can buy a new .info for a couple of quid. The HTTPS certificate was freely provided by Let's Encrypt. The site was probably hosted somewhere cheap whose support staff are asleep when abuse reports come in from the UK.
And that's the price we pay for anyone being able to buy their own domain and run their own secure site.
Money and technical expertise used to be strong barriers to prevent people from registering scam domains. But those days are long gone. There are no technical gatekeepers to keep us safe. We have to rely on our own wits.
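An added example (not the post's own code) of the check a mail or SMS filter could apply to the kind of link described above: a trusted name at the start of the host, a "." where a "/" should be, and today's date baked into the domain. The trusted domains, the tiny public-suffix table and the sample URLs are constructed for illustration:

```python
import re
from datetime import date, datetime
from typing import Optional
from urllib.parse import urlsplit

# Brands to protect and the public suffixes this toy resolver knows; both sets are
# constructed for the example (a real filter would consult the Public Suffix List).
TRUSTED_DOMAINS = {"example-telco.co.uk", "example-bank.com"}
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk"}
EIGHT_DIGITS = re.compile(r"(?<!\d)\d{8}(?!\d)")


def registrable_domain(host: str) -> str:
    """Return the part of the host that was actually registered, e.g. 'foo.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def embedded_date(host: str) -> Optional[date]:
    """Read the first 8-digit run in the host as YYYYMMDD or DDMMYYYY, if it is a valid date."""
    for run in EIGHT_DIGITS.findall(host):
        for fmt in ("%Y%m%d", "%d%m%Y"):
            try:
                return datetime.strptime(run, fmt).date()
            except ValueError:
                continue
    return None


def assess_url(url: str, today_iso: str) -> dict:
    """Flag hosts that start with a trusted name but are registered elsewhere, or carry a date."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    reasons = []
    # The trusted name is only a subdomain: the '.' that sits where a '/' should be.
    for brand in TRUSTED_DOMAINS:
        if reg != brand and host.startswith(brand + "."):
            reasons.append(f"'{brand}' is a subdomain of '{reg}'")
    found = embedded_date(host)
    if found is not None:
        tag = " (today)" if found == date.fromisoformat(today_iso) else ""
        reasons.append(f"date {found.isoformat()} embedded in host{tag}")
    if reasons:
        verdict = "suspicious"
    else:
        verdict = "trusted" if reg in TRUSTED_DOMAINS else "unknown"
    return {"host": host, "registrable_domain": reg, "reasons": reasons, "verdict": verdict}
```

The legitimate form of the same link, https://example-telco.co.uk/15052023/bill, resolves to the trusted registrable domain and raises no reason, while the dotted variant is registered under a throwaway .info name.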