Formbook Loader Distributed in Three “Extremely Aggressive” Email Attacks /resources/blog/february-2022/formbook-loader-distributed-three-extremely-aggressive-email-attacks <span>Formbook Loader Distributed in Three “Extremely Aggressive” Email Attacks </span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Tue, 02/15/2022 - 22:32</span> <a href="/resources/blog/threat-alert" hreflang="en">Threat Alert</a> <a href="/taxonomy/term/5" hreflang="en">David Bisson</a> <article><img src="/sites/default/files/2022-02/Picture3_0.jpg" width="1274" height="995" alt="Screenshot of the final Formbook attack email (Source: Zix | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><p><span><span>Malicious actors launched three “extremely aggressive” email attacks in which they attempted to distribute samples of the Formbook loader.</span></span></p> <h2><span><span><span><span><span>Campaign #1: A Fake Wire Transfer Notice</span></span></span></span></span></h2> <p><span><span>Troy Gill, manager of security research at Zix | AppRiver, explained that Formbook has regularly made an appearance on the security firm’s systems since late 2021.</span></span></p> <p><span><span>“Our malware filters have been capturing some extremely aggressive <strong>Formbook</strong> loader attacks over the past few months using multiple different ruses attempting to dupe recipients,” he said.</span></span></p> <p><span><span>The firm detected the first attack email in mid-January. It arrived with the subject line “Wire request initiated,” and it used spoofing techniques to make the message appear as if it had originated from an American multinational financial services company. </span></span></p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2022-02/Picture1_0.jpg" width="1136" height="538" alt="Screenshot of the first Formbook-laden attack email. 
(Source: Zix | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of the first Formbook-laden attack email. (Source: Zix | AppRiver)</figcaption></figure> <p><span><span>The email informed the recipient that the financial services company had begun processing a wire funds transfer request from their account. It went on to explain that the recipient could cancel the wire transfer by downloading a Word document. Once opened, the file downloaded a Formbook sample onto the recipient’s machine.</span></span></p> <h2><span><span><span><span><span>Campaign #2: A Bogus Letter of Dismissal</span></span></span></span></span></h2> <p><span><span>The Zix | AppRiver team came across the second Formbook attack campaign a few days later. </span></span></p> <p><span><span>Using the subject line “Letter of Dismissal,” those who crafted the email claimed to be an unnamed “HR Manager” to try to convince the recipient that their employer was letting them go.</span></span></p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2022-02/Picture2_0.jpg" width="777" height="562" alt="Screenshot of the phony dismissal letter. (Source: Zix | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of the phony dismissal letter. (Source: Zix | AppRiver)</figcaption></figure> <p><span><span>“Due to the affect of covid-19 epidemic in our company, we have no choice but to end your employment with us because we cannot service all the employees anymore,” the email stated.</span></span></p> <p><span><span>The message went on to inform the recipient that the company had sent along a two-month salary receipt as an attachment. 
When opened, however, the attached .RAR file dropped Formbook as a payload on the victim’s computer.</span></span></p> <h2><span><span><span><span><span>Campaign #3: A Counterfeit Purchase Order</span></span></span></span></span></h2> <p><span><span>The final Formbook campaign came in the form of a minimalist attack email. It instructed the recipient to view a screenshot of a made-up purchase order embedded in the message. </span></span></p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2022-02/Picture3_0.jpg" width="1274" height="995" alt="Screenshot of the final Formbook attack email (Source: Zix | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of the final Formbook attack email (Source: Zix | AppRiver)</figcaption></figure> <p><span><span>Those responsible for the campaign included the screenshot in their email to try to trick the recipient into opening a Formbook-laden Excel spreadsheet.</span></span></p> <h2><span><span><span><span><span>An Ongoing Relationship with Formbook</span></span></span></span></span></h2> <p><span><span>The attacks discussed above aren’t the first Formbook operations detected by Zix | AppRiver in the past couple of years.</span></span></p> <p><span><span>Back in April 2020, for instance, the Zix | AppRiver team witnessed email attackers <a href="/resources/blog/april-2020/hackers-using-covid19-stimulus-exploit-end-users" rel="nofollow">impersonating the U.S. Small Business Administration</a> (SBA). The malicious actors used that guise to trick the recipient into thinking they had received an SBA grant so that they would open an attachment. If the recipient complied, the campaign initially delivered the Remcos remote access trojan before eventually dropping Formbook.</span></span></p> <p><span><span>It was about a year later when Zix | AppRiver <a href="/resources/mid-year-2021-threat-report" rel="nofollow">flagged two additional Formbook operations</a>. 
The first delivered the threat using malicious macros inside a deed-themed Word document. The other leveraged an “approved order” as a lure to deliver an executable file that began the Formbook infection process upon execution.</span></span></p> <h2><span><span><span><span><span>Defending Against Formbook Attacks</span></span></span></span></span></h2> <p><span><span>The attack campaigns discussed above highlight how organizations need to strengthen their email security postures against digital threats like Formbook. One of the ways they can do that is by investing in an <a href="/products/email-threat-protection" rel="nofollow">email security solution</a> that can scan incoming messages for malware signatures and other threat indicators. This type of solution, when combined with regular security awareness training, will help to prevent threats from gaining a foothold in employees’ inboxes, all while allowing legitimate messages to reach their intended destination.</span></span></p>
Attackers Targeting Mortgage Servicers to Steal Email Account Credentials /resources/blog/february-2022/attackers-targeting-mortgage-servicers-steal-email-accounts <span>Attackers Targeting Mortgage Servicers to Steal Email Account Credentials </span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Wed, 02/09/2022 - 15:41</span> <a href="/resources/blog/threat-alert" hreflang="en">Threat Alert</a> <a href="/taxonomy/term/5" hreflang="en">David Bisson</a> <article><img src="/sites/default/files/2022-02/Picture2.jpg" width="1486" height="836" alt="Screenshot of the jump page. 
(Source: Zix | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><p><span><span>Digital attackers are targeting mortgage servicers and their clients to try to steal victims’ email account credentials.</span></span></p> <h1><span><span><span><span><span>Data Theft as a Final Payoff</span></span></span></span></span></h1> <p><span><span>At the end of January, the Zix | AppRiver team flagged an email informing the recipient that they needed to submit a mortgage payment prior to the date contained in an attached payoff statement.</span></span></p> <p><span><span>“Attached” is an odd choice of words here considering that the email didn’t arrive with an attached file. Instead, it arrived with an embedded hyperlinked button named, “Access Payoff Statement File Here.”</span></span></p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2022-02/Picture1.jpg" width="1248" height="910" alt="Screenshot of the mortgage-themed attack email. (Source: Zix | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of the mortgage-themed attack email. (Source: Zix | AppRiver)</figcaption></figure> <p><span><span>Misleading wording wasn’t the only element that gave the attack email away as a fake. As seen in the screenshot included above, the message came with a signature block indicating that it had originated from a nationwide mortgage lender service…with the exception of the physical address. That location pointed to another mortgage service entirely. </span></span></p> <p><span><span>Other signs gave the email away as well. For instance, the sender email address ended with .EDU—an unusual domain for an established mortgage service company. 
Zix | AppRiver reasoned that those responsible for this attack likely compromised the account of someone working at an educational institution to conduct their campaign.</span></span></p> <p><span><span>Not only that, but the phone number included in the signature block didn’t belong to the mortgage lender specifically mentioned in the message or the other company whose address appeared in the email. A Google search of the number didn’t yield any meaningful results.</span></span></p> <h1><span><span><span><span><span>Following the Button</span></span></span></span></span></h1> <p><span><span>Clicking on the embedded button redirected the recipient to a website that appeared to be a page operated by the named mortgage lender service. The page used stolen branding to convince the recipient to click on a “Payoff Statement Access Here” button so that they could view an “encrypted payoff mortgage file.”</span></span></p> <p><span><span>Once again, however, the jump page gave itself away as a fake. How? By the inclusion of a statement indicating that whoever built the website did so using site123[.]me, a service for building free websites. </span></span></p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2022-02/Picture2.jpg" width="1486" height="836" alt="Screenshot of the jump page. (Source: Zix | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of the jump page. (Source: Zix | AppRiver)</figcaption></figure> <p><span><span>Given its profile in the mortgage lending field, the targeted service likely relies on its own web team—not a free website builder—to maintain its digital presence.</span></span></p> <p><span><span>It’s therefore not surprising that the jump page didn’t present a mortgage payoff statement to the user. 
Instead, it redirected them to a phishing landing page with an even more suspicious domain name to try to steal their email account credentials.</span></span></p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2022-02/Picture3.jpg" width="1486" height="825" alt="Screenshot of the phishing landing page. (Source: Zix | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of the phishing landing page. (Source: Zix | AppRiver)</figcaption></figure> <h1><span><span><span><span><span>Keeping a Fixed Email Security Focus for the Long Term</span></span></span></span></span></h1> <p><span><span>Troy Gill, manager of security research at Zix | AppRiver, doesn’t think that email attackers will refrain from using mortgages as a lure anytime soon.</span></span></p> <p><span><span>“Business email compromise attacks targeting mortgage servicers and their clients continue to be an ongoing threat to customers,” he said. “The simplicity of the attack along with the low barrier to entry with a quick payoff keeps it an enticing vector for attackers.”</span></span></p> <p><span><span>That’s especially the case now that mortgage rates have leapt to nearly 4% in recent weeks, the highest they’ve been since October 2019, as reported by <a href="https://www.mortgagenewsdaily.com/markets/mortgage-rates-02042022" rel="nofollow">Mortgage News Daily</a>.</span></span></p> <p><span><span>Acknowledging that reality, organizations need to take action to defend themselves against mortgage-themed campaigns. They can do so by using security awareness training to educate their employees about common tactics and slip-ups committed by email attackers. 
They can then complement those measures with an <a href="/products/email-threat-protection" rel="nofollow">email security solution</a> that can scan incoming messages for malware signatures and other threat indicators, blocking suspicious messages before they reach an employee’s inbox while allowing legitimate messages to reach their intended destination.</span></span></p>
6.5 Billion Emails Quarantined in 2021 /resources/blog/january-2022/65-billion-emails-quarantined-2021 <span>6.5 Billion Emails Quarantined in 2021</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Wed, 01/26/2022 - 16:03</span> <a href="/taxonomy/term/12" hreflang="en">Email Security</a> <a href="/taxonomy/term/5" hreflang="en">David Bisson</a> <article><img src="/sites/default/files/2022-01/threat_report_pdf_thumb.jpg" width="1400" height="700" alt="" loading="lazy" typeof="foaf:Image" /></article><p><span><span>The Zix | AppRiver team quarantined 6.5 billion emails in 2021, a volume which constituted a 12.5% increase over the previous year.</span></span></p> <h2><span><span><span><span><span>A Year of Email Attacks in Review</span></span></span></span></span></h2> <p><span><span>In its <a href="/resources/report/global-threat-report-full-year-2021" rel="nofollow">“Global Threat Report: Full Year 2021,”</a> Zix | AppRiver revealed that emails with malware attachments decreased in volume to below five million per month during the first five months of the year. Those messages jumped up above 15 million the following month and ended at around the same level in December 2021. 
That was after the team detected over 25 million emails with attached malware samples in November.</span></span></p> <p><span><span>Overall, the Zix | AppRiver team flagged 165 million email messages with malicious attachments through 2021.</span></span></p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2022-01/Picture1.png" width="1264" height="684" alt="The monthly totals of directly attached malware emails in 2021. (Source: Zix | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>The monthly totals of directly attached malware emails in 2021. (Source: Zix | AppRiver)</figcaption></figure> <p><span><span>When it examined the origins of these and other malware attacks, the Zix | AppRiver team observed that many of the email campaigns had originated from the United States. China came in with the second highest number of attacks at just over 10 million. This attack volume marked a growth rate of 240% for the country when compared with 2020.</span></span></p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2022-01/Picture2_0.png" width="1266" height="680" alt="The top 10 most common email malware attack origins in 2021. (Source: Zix | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>The top 10 most common email malware attack origins in 2021. (Source: Zix | AppRiver)</figcaption></figure> <p><span><span>Zix | AppRiver also examined the most common attachment file types used by email attackers in 2021. Excel worksheets were the most common. Even so, malicious HTM/HTML attachments increased throughout the entire year.</span></span></p> <h2><span><span><span><span><span>Sources of Inspiration for Their Attacks</span></span></span></span></span></h2> <p><span><span>The Zix | AppRiver team witnessed malicious actors seize on various events as inspiration for their attacks in 2021. 
Let’s examine a couple of these below.</span></span></p> <h3><span><span><span><span>The Kaseya Supply Chain Attack</span></span></span></span></h3> <p><span><span>Following the <a href="/resources/blog/july-2021/revil-ransomware-gang-demands-70m-kaseya-software-supply-chain-attack" rel="nofollow">software supply chain attack involving Kaseya in July 2021</a>, Zix | AppRiver <a href="/resources/blog/july-2021/malware-distributors-leverage-kaseya-attack" rel="nofollow">detected a malicious email</a> that claimed to be offering a patch for the affected software product. The attack email instructed the recipient to open an attached executable file for the purpose of resolving a Kaseya weakness. Once executed, the file loaded Cobalt Strike, commercially available pentesting software which malicious actors can weaponize as an attack tool. </span></span></p> <h3><span><span><span><span>Global Shipping Issues</span></span></span></span></h3> <p><span><span>Several months later, the researchers at Zix | AppRiver detected an attack campaign that <a href="/resources/blog/november-2021/phishers-impersonating-maersk-line-steal-victims-email-credentials" rel="nofollow">claimed to originate from Maersk Line</a>. The message used stolen branding to trick the recipient into thinking that the email had originated from the shipping company. From there, the email instructed the recipient to view some documents including an invoice, a bill of lading, and a packing list by clicking on a “Download Confirmation” button. If the user complied, the campaign redirected them to a phishing page designed to steal their email account credentials. </span></span></p> <h2><span><span><span><span><span>Email Attack Predictions for the Year Ahead</span></span></span></span></span></h2> <p><span><span>Looking forward to 2022, the Zix | AppRiver team has several predictions for where email attacks will go. First, they noted that there will be greater coordination between threat groups. 
The researchers witnessed such collusion following Emotet’s takedown in 2021. Trickbot’s operators stepped up and began distributing Emotet later in the year. This activity helped malicious email traffic involving Emotet to <a href="/resources/blog/november-2021/emotets-it-again" rel="nofollow">increase beginning in mid-November</a>.</span></span></p> <p><span><span>Second, the Zix | AppRiver team anticipates that attackers will make more attempts at software supply chain attacks like the one against Kaseya. Doing so will help malicious actors to broaden their impact to dozens if not hundreds or even thousands of companies with a single compromise. </span></span></p> <p><span><span>Finally, researchers at the security firm wrote that digital criminals are going to continue turning to spear-phishing attacks in 2022. Such activity will support attackers as they devise new customization tactics—all for the purpose of focusing even further on their targets.</span></span></p> <h2><span><span><span><span><span>Email Defense for 2022</span></span></span></span></span></h2> <p><span><span>The predictions discussed above highlight the need for organizations to invest in their email threat protection over the following year. They need to prioritize building more specificity into their email defenses. 
Towards that end, they could consider investing in an <a href="/products/email-threat-protection" rel="nofollow">email security solution</a> that’s capable of scanning incoming messages at multiple levels for the purpose of blocking email attacks while allowing legitimate correspondence to reach their destination.</span></span></p> <a href="/resources/blog/secure-modern-workplace" hreflang="en">Secure Modern Workplace</a>
Log4Shell Targeted by Email Attackers in Two Campaigns /resources/blog/january-2022/log4shell-targeted-email-attackers-two-campaigns <span>Log4Shell Targeted by Email Attackers in Two Campaigns </span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Mon, 01/17/2022 - 15:58</span> <a href="/taxonomy/term/12" hreflang="en">Email Security</a> <a href="/taxonomy/term/5" hreflang="en">David Bisson</a> <article><img src="/sites/default/files/2022-01/cover%20%281%29.png" width="1400" height="700" alt="" loading="lazy" typeof="foaf:Image" /></article><p><span><span>The Zix | AppRiver team spotted two campaigns in which email attackers attempted to exploit a <a href="https://www.opentext.com/support/log4j-remote-code-execution-advisory" rel="nofollow">recently disclosed Log4j vulnerability</a> on susceptible systems.</span></span></p> <h2><span><span><span><span><span>A Bit of Background on Log4j</span></span></span></span></span></h2> <p><span><span>As explained by the <a href="https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance" rel="nofollow">U.S. 
Cybersecurity &amp; Infrastructure Security Agency</a> (CISA), the Log4j vulnerability (tracked as <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44228" rel="nofollow">CVE-2021-44228</a> and dubbed “Log4Shell”) is a critical remote code execution flaw that affects versions 2.0-beta9 to 2.14.1 of Log4j, Apache’s Java logging library, which services use to log security and performance information. Those services include background modules that help to process email header information as well as perform analytics and reporting.</span></span></p> <p><span><span>CVE-2021-44228 affects Log4j’s Java Naming and Directory Interface (JNDI) lookup features insofar as they “do not protect against adversary-controlled LDAP [Lightweight Directory Access Protocol] and other JNDI related endpoints.” Malicious actors can use a specially crafted request to exploit the flaw and execute arbitrary code for the purpose of infecting the system, exfiltrating information, and/or deploying ransomware. For the purposes of this article, the crafted request is an email: the attacker places a lookup string in a field such as the subject line, and any vulnerable Log4j instance that logs that field resolves the lookup, fetches attacker-controlled code, and compromises the system that was merely trying to log information about the email.</span></span></p> <h2><span><span><span><span><span>Campaign #1: A Slack Workplace Invitation</span></span></span></span></span></h2> <p><span><span>As soon as it learned of the Log4j vulnerability’s disclosure on December 10, 2021, the Zix | AppRiver team prepared itself for attack attempts to begin spreading over organizations’ email systems. It was just four days later when the team detected the first such attempt. In the weeks that followed, those attacks grew in frequency and creativity.</span></span></p> <p><span><span>Which brings us to one campaign flagged by the Zix | AppRiver team in the beginning of January. For this attack, someone by the name of “Smith John” invited a recipient to join a Slack workplace. 
The invite came with a unique workplace name crafted to exploit CVE-2021-44228.</span></span></p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2022-01/Picture1.jpg" width="1013" height="1012" alt="Screenshot of the Slack workplace invitation. (Source: Zix | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of the Slack workplace invitation. (Source: Zix | AppRiver)</figcaption></figure> <p><span><span>“I assume the attacker is hoping that the attempt would be logged by a vulnerable system and trigger the exploit,” noted Troy Gill, senior manager of threat intelligence at Zix | AppRiver. “We don’t know for sure if that was strictly intended as an email attempt or if the attacker was trying to send the exploit via Slack and that action triggered an email. Or both maybe?”</span></span></p> <h2><span><span><span><span><span>Campaign #2: An AWS Attack</span></span></span></span></span></h2> <p><span><span>It was around that same time when the Zix | AppRiver team came across another attack that attempted to exploit the Log4j vulnerability. Whoever designed this attempt dispensed with concealing their efforts behind a well-known brand like Slack. Instead, they sent out an email with the exploit code for Log4Shell included not only in the subject line but also in the body of the attack email. </span></span></p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2022-01/Picture2.jpg" width="627" height="103" alt="Screenshot of the attack email. (Source: Zix | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of the attack email. 
(Source: Zix | AppRiver)</figcaption></figure> <p><span><span>Gill and his team analyzed the email and found that its sender had data theft on their mind.</span></span></p> <p><span><span>“It was trying to retrieve multiple AWS items along with java and virtual machine information,” he pointed out. “This AWS attack tried to retrieve the secret access key, session token, shared credentials file, web identity token file, profile, config file, and access key ID. I’m not sure about the efficacy of this attack, but it is certainly being attempted.”</span></span></p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2022-01/Picture3.jpg" width="1184" height="304" alt="Screenshot of some of the AWS items targeted by the attack email. (Source: Zix | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of some of the AWS items targeted by the attack email. (Source: Zix | AppRiver)</figcaption></figure> <h2><span><span><span><span><span>How to Defend Against Email Attacks Targeting CVE-2021-44228</span></span></span></span></span></h2> <p><span><span>The campaigns described above highlight the need for organizations to defend themselves against attack attempts that seek to exploit CVE-2021-44228. One of the ways they can do that is by using an <a href="/products/email-threat-protection" rel="nofollow">email security solution</a> that can analyze incoming messages for known vulnerabilities and other malicious indicators. 
Simultaneously, organizations should seek to patch Log4Shell using their vulnerability management programs.</span></span></p> <a href="/resources/blog/secure-modern-workplace" hreflang="en">Secure Modern Workplace</a>
Microsoft Exchange Servers Hacked to Distribute SquirrelWaffle /resources/blog/december-2021/microsoft-exchange-servers-hacked-distribute-squirrelwaffle <span>Microsoft Exchange Servers Hacked to Distribute SquirrelWaffle</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Mon, 12/06/2021 - 15:35</span> <a href="/resources/blog/threat-alert" hreflang="en">Threat Alert</a> <a href="/taxonomy/term/5" hreflang="en">David Bisson</a> <article><img src="/sites/default/files/2021-12/man_coding.jpg" width="1400" height="700" alt="" loading="lazy" typeof="foaf:Image" /></article><p><span><span>Digital attackers hacked organizations’ vulnerable Microsoft Exchange Servers to distribute SquirrelWaffle malware.</span></span></p> <h2><span><span><span><span><span>Details of the Attack Campaign</span></span></span></span></span></h2> <p><span><span>In mid-November 2021, <a href="https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html" rel="nofollow">Trend Micro</a> examined the initial access vector for several digital intrusions that occurred in the Middle East.</span></span></p> <p><span><span>The security firm’s incident response team determined that all the attacks originated from on-premises Microsoft Exchange Servers. A closer look uncovered evidence of malicious actors having exploited <a href="/resources/blog/march-2021/hafnium-just-first-many-threat-actors-exploit-proxylogon" rel="nofollow">ProxyLogon</a> and ProxyShell on those resources. 
</span></span></p> <p><span><span>One of those campaigns leveraged conversation hijacking, a tactic executed by the Emotet gang <a href="/resources/blog/may-2020/emotet-actors-use-conversation-hijacking-attack-deliver-qakbot" rel="nofollow">more than</a> <a href="/resources/blog/november-2021/emotets-it-again" rel="nofollow">once</a>, to inject themselves into existing email threads. Those responsible for the attack also used true account names from the victim’s domain for the sender and the recipient. In doing so, they increased the chances that someone would follow the email’s instructions.</span></span></p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2021-12/Picture1.png" width="856" height="271" alt="The malicious spam email received by targets. (Source: Trend Micro)" loading="lazy" typeof="foaf:Image" /></article><figcaption>The malicious spam email received by targets. (Source: Trend Micro)</figcaption></figure> <p><span><span>As is evident in the above screenshot, the email didn’t exactly relay its instructions eloquently. </span></span></p> <p><span><span>“Our specialists composed desired document and I send it to you,” it informed the recipient. “Document can be found through this link.”</span></span></p> <p><span><span>Trend Micro went on to inspect the headers for the attack emails. They discovered that the mail path was internal between three Exchange Servers’ mailboxes. The threat actor didn’t drop any tools for moving laterally. They also didn’t execute malware on the Exchange servers that would have triggered alerts before the emails spread across the environment.</span></span></p> <p><span><span>“The attacker exploited the Exchange servers to deliver internal mails,” Trend Micro explained. 
“This was all done to catch users off-guard, making them more likely to click the link and open the dropped Microsoft Excel or Word file.”</span></span></p> <p><span><span>Both links embedded in the malicious emails dropped a .ZIP file containing a Microsoft Excel sheet or Word document. Once downloaded, the documents used malicious Excel 4.0 macros to download and execute a malicious DLL related to Qbot (otherwise known as “QakBot”). This infection ultimately led the campaign to infect the machine with “SquirrelWaffle.”</span></span></p> <h2><span><span><span><span><span>Squirrel-What?</span></span></span></span></span></h2> <p><span><span>SquirrelWaffle first made news in late October when <a href="https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html" rel="nofollow">Cisco Talos</a> spotted some spam campaigns infecting systems with the new malware loader. Upon successful infection, SquirrelWaffle granted threat actors the foothold they needed to infiltrate organizations’ systems and network environments as well as to conduct additional compromise attempts and malware infections.</span></span></p> <p><span><span>The Zix | AppRiver team observed this exact behavior in a SquirrelWaffle campaign that took place in mid-November.</span></span></p> <p><span><span>Like the operation detected by Trend Micro, the malicious actors behind this attack attempt used conversation hijacking techniques to inject themselves into an existing email thread with the subject line “Re: S.A.M. 
Newark Lay out.” </span></span></p> <p><span><span>The attackers said that they had “uploaded some additional info regarding the recent contract and payslip.” They went on to instruct the recipient that they could resolve a previously mentioned problem if they chose to “follow steps via the link lower.”</span></span></p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2021-12/Picture2.jpg" width="780" height="351" alt="Screenshot of the November SquirrelWaffle email. (Source: Zix | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of the November SquirrelWaffle email. (Source: Zix | AppRiver)</figcaption></figure> <p><span><span>Clicking on either of the links led victims to a SquirrelWaffle payload. At that point, the malware followed up by dropping either QakBot or Cobalt Strike onto the infected machine.</span></span></p> <h2><span><span><span><span><span>Defending Against Email-Borne SquirrelWaffle Attacks</span></span></span></span></span></h2> <p><span><span>The attack instances discussed above highlight the need for organizations to defend themselves against SquirrelWaffle. One of the ways they can do that is by reviewing their vulnerability management programs to make sure they’re prioritizing and implementing software patches on a timely basis. Regarding the campaign detected by Trend Micro, for example, Microsoft released a patch for ProxyLogon in <a href="https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/" rel="nofollow">March</a> and similar fixes for ProxyShell <a href="https://techcommunity.microsoft.com/t5/exchange-team-blog/proxyshell-vulnerabilities-and-your-exchange-server/ba-p/2684705" rel="nofollow">a few months later</a>. 
Organizations can then go on to pair their vulnerability management efforts with a <a href="/products/email-threat-protection" rel="nofollow">multi-layered email security solution</a> that scans incoming messages for potential threats.</span></span></p> Microsoft Password Expiration Scam Uses Customized Image to Steal Victims’ Account Details /resources/blog/november-2021/microsoft-password-expiration-scam-uses-customized-image-steal-victims <span>Microsoft Password Expiration Scam Uses Customized Image to Steal Victims’ Account Details </span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Mon, 11/29/2021 - 15:00</span> <a href="/resources/blog/threat-alert" hreflang="en">Threat Alert</a> <a href="/taxonomy/term/5" hreflang="en">David Bisson</a> <article><img src="/sites/default/files/2021-11/Picture1_0.jpg" width="1205" height="762" alt="Screenshot of the fake Microsoft password expiration notice. (Source: Ƶɫ | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><p><span><span>A Microsoft password expiration scam used an image customized with a recipient’s email address and domain to steal their account credentials.</span></span></p> <h2><span><span><span><span><span>“Request (for Data Theft) Received”</span></span></span></span></span></h2> <p><span><span>In early November, Ƶɫ | AppRiver flagged an email that appeared to originate from the helpdesk at a recipient’s company. (The attackers included “HelpDesk” in their email’s subject line to support this ruse.)</span></span></p> <p><span><span>But the email didn’t originate from a helpdesk team.
Its sender line indicated that it came from a B2B platform serving the commercial real estate industry.</span></span></p> <p><span><span>Using branding stolen from Microsoft, the attack email impersonated a password expiration notice and informed the recipient that their password was set to expire in seven days. It included the recipient’s name, domain, and email address to add a sense of legitimacy.</span></span></p> <p><span><span>From there, the attack email instructed the recipient to “take the time now to maintain your password activity to avoid login interruption” by clicking on a “Keep My Password” button.</span></span></p> <p> </p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2021-11/Picture1_0.jpg" width="1205" height="762" alt="Screenshot of the fake Microsoft password expiration notice. (Source: Ƶɫ | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of the fake Microsoft password expiration notice. (Source: Ƶɫ | AppRiver)</figcaption></figure><p> </p> <p><span><span>As you can see from the screenshot above, the email included the warning that “Microsoft will not be held responsible for any account loss.” </span></span></p> <p><span><span>That’s an imperfect replication of Microsoft’s terms of service. These read as follows: “Microsoft will not be liable for any loss that you may incur as a result of someone else using your password or account, either with or without your knowledge. However, you could be held liable for losses incurred by Microsoft or another party due to someone else using your account or password.”</span></span></p> <p><span><span>Now, this isn’t the first time Ƶɫ | AppRiver came across a Microsoft-themed password expiration scam. Not by a long shot. But it is the first instance where the security firm observed a specific tactic in play. 
</span></span></p> <p><span><span>Here’s Troy Gill, manager of threat intelligence at Ƶɫ | AppRiver, with more.</span></span></p> <p><span><span>“Instead of the normal text, it utilized an image link for the lure <em>but</em> the image itself was customized to contain the recipient’s email address and domain,” he explained. “It was also an automated attack being sent in large volumes indicating the attacker had an automated setup for these and not manually changing each image for the recipients.”</span></span></p> <h2><span><span><span><span><span>“Keep My Password”…Literally, You Can Take It</span></span></span></span></span></h2> <p><span><span>If a user complied with the attackers’ instructions and clicked on the customized image, the campaign redirected them to a phishing page hosted on workers.dev, living off the land (LotL) by trading on Cloudflare’s reputation.</span></span></p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2021-11/Picture2.jpg" width="1451" height="828" alt="Screenshot of the phishing page abusing Cloudflare’s workers.dev. (Source: Ƶɫ | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of the phishing page abusing Cloudflare’s workers.dev. (Source: Ƶɫ | AppRiver)</figcaption></figure> <p><span><span>Malicious actors continue to resort to LotL techniques as a way of evading detection. Back in <a href="/resources/blog/october-2021/docusign-abused-phishers-target-victims-email-account-credentials" rel="nofollow">September 2021</a>, for instance, Ƶɫ | AppRiver came across an operation that abused DocuSign to trick victims into handing over their credentials for Outlook, Office365, or another email client.
</span></span></p> <p><span><span>And that doesn’t even count <a href="/resources/blog/september-2021/7-attacks-where-phishers-abused-legitimate-microsoft-services" rel="nofollow">all the times</a> email attackers have abused Azure, Sway, and other legitimate Microsoft services to phish victims’ details in recent years.</span></span></p> <p><span><span>For this attack attempt, the phishing site impersonated a Microsoft login page that also included the victim’s domain and email address. The purpose of this personalization was to convince the victim that nothing was wrong.</span></span></p> <h2><span><span><span><span><span>Defending against a Fake Microsoft Password Expiration Email</span></span></span></span></span></h2> <p><span><span>The attack campaign described above highlights the need for organizations to defend themselves against Microsoft-themed email attacks. One of the ways they can do that is by familiarizing their employees with what an email from their helpdesk will actually look like. They can complement that security awareness with a <a href="/products/email-threat-protection" rel="nofollow">multi-layered email security platform</a>.</span></span></p> Emotet’s at It Again!
/resources/blog/november-2021/emotets-it-again <span>Emotet’s at It Again!</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Tue, 11/23/2021 - 15:13</span> <a href="/resources/blog/threat-alert" hreflang="en">Threat Alert</a> <a href="/taxonomy/term/5" hreflang="en">David Bisson</a> <article><img src="/sites/default/files/2021-11/emotet_detected.png" width="1400" height="700" alt="" loading="lazy" typeof="foaf:Image" /></article><p><span><span>Emotet has resumed operations nearly 10 months after an international coordinated action took control of the botnet’s infrastructure.</span></span></p> <h2><span><span><span><span><span>A Familiar Tactic</span></span></span></span></span></h2> <p><span><span>On November 15, the Ƶɫ | AppRiver team detected 221 email attack attempts from a revived Emotet botnet.</span></span></p> <p><span><span>Some of the instances scraped entire conversations, while others scraped only the subject and sender. With those techniques, the attackers were able to inject themselves into conversations involving individuals with whom the original sender had already spoken. This increased the likelihood of that sender (now the recipient) following the attackers’ instructions.</span></span></p> <p><span><span>The commands themselves weren’t flashy. In one of their emails, the attackers asked the recipient to “please open the attached document.”</span></span></p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2021-11/Picture3.jpg" width="1249" height="652" alt="Screenshot of one Emotet attack email. (Source: Ƶɫ | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of one Emotet attack email. (Source: Ƶɫ | AppRiver)</figcaption></figure> <p><span><span>Another instance came with the instruction to “Please see attached” as well as the offer of assistance should the recipient need anything more.</span></span></p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2021-11/Picture4.jpg" width="1224" height="640" alt="Screenshot of a second Emotet attack email. (Source: Ƶɫ | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of a second Emotet attack email. (Source: Ƶɫ | AppRiver)</figcaption></figure> <p><span><span>This isn’t the first time that malicious actors have used this tactic to distribute Emotet. Back in <a href="/resources/blog/may-2020/emotet-actors-use-conversation-hijacking-attack-deliver-qakbot" rel="nofollow">May 2020</a>, for instance, Ƶɫ | AppRiver flagged an email as part of a conversation hijacking attack involving a request for a trade reference and bank reference. Ultimately, the email used a .ZIP archive to deliver Qakbot, a common payload of Emotet.</span></span></p> <p><span><span>All the attack attempts detected by Ƶɫ | AppRiver arrived with Microsoft Excel spreadsheets, Microsoft Word documents, or password-protected .ZIP archives containing Word documents. Those files contained malicious macros that, when enabled, dropped Emotet.</span></span></p> <p><span><span>Upon executing a sample, Brad Duncan at the <a href="https://isc.sans.edu/forums/diary/Emotet+Returns/28044/" rel="nofollow">SANS Internet Storm Center</a> spotted something familiar.</span></span></p> <p><span><span>“Infection traffic for Emotet is similar to what we saw before the takedown in January 2021,” he explained in a blog post. “The only real difference is Emotet post-infection C2 is now encrypted HTTPS instead of unencrypted HTTP. My infected lab host turned into a spambot trying to push out more Emotet malspam.”</span></span></p> <p><span><span>Things didn’t slow down with Emotet after November 15. The following day, Ƶɫ | AppRiver detected 1,819 attack attempts involving the botnet. Those instances then fell to 665 on November 17.</span></span></p> <h2><span><span><span><span><span>A Familiar Friend Lent Some Help</span></span></span></span></span></h2> <p><span><span>Just as a bit of recap, law enforcement agencies in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine, with international activity coordinated by <a href="https://www.europol.europa.eu/newsroom/news/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action" rel="nofollow">Europol</a> and Eurojust, announced the seizure of Emotet’s infrastructure in January 2021. The botnet went quiet for 10 months after that.</span></span></p> <p><span><span>So, how did the botnet come back online?</span></span></p> <p><span><span>Per <a href="https://www.bleepingcomputer.com/news/security/here-are-the-new-emotet-spam-campaigns-hitting-mailboxes-worldwide/" rel="nofollow">Bleeping Computer</a>, “active Trickbot infections began dropping the Emotet loader on already infected devices, rebuilding the botnet for spamming activity” in mid-November.</span></span></p> <p><span><span>Trickbot has an established history with Emotet. Back in <a href="/resources/blog/april-2019/attack-campaign-using-emotet-and-trickbot-deliver-ryuk-ransomware" rel="nofollow">April 2019</a>, security researchers spotted the trojan families working together to infect unsuspecting users with Ryuk ransomware.</span></span></p> <p><span><span>Emotet’s takedown didn’t slow down Trickbot, however.
On the contrary, <a href="https://www.checkpoint.com/press/2021/october-2021s-most-wanted-malware-trickbot-takes-top-spot-for-fifth-time/" rel="nofollow">Check Point Research</a> wrote in October 2021 that Trickbot had remained at the top of its most wanted malware list for five months straight.</span></span></p> <h2><span><span><span><span><span>How to Respond to Emotet’s Return </span></span></span></span></span></h2> <p><span><span>Emotet’s reemergence highlights the need for organizations to strengthen their security against email-based attacks. One of the ways they can do that is by investing in their email security awareness training program. Through regular education modules, organizations can inform their employees about conversation hijacking and other attack techniques used by spammers.</span></span></p> <p><span><span>Organizations need to balance those human controls with technical security measures. Hence the need for a <a href="/products/email-threat-protection" rel="nofollow">multi-layered email security solution</a>. 
By scanning emails for malicious IPs and other threat indicators, organizations can automatically protect themselves against many email-based attacks—all while allowing legitimate correspondence to reach its intended destination.</span></span></p> Record-Setting DDoS Attack Highlights Malicious Actors’ Strategic Thinking /resources/blog/november-2021/record-setting-ddos-attack-highlights-malicious-actors-strategic <span>Record-Setting DDoS Attack Highlights Malicious Actors’ Strategic Thinking</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Tue, 11/09/2021 - 17:36</span> <a href="/resources/blog/threat-alert" hreflang="en">Threat Alert</a> <a href="/taxonomy/term/5" hreflang="en">David Bisson</a> <article><img src="/sites/default/files/2021-11/ddos.jpg" width="1400" height="700" alt="" loading="lazy" typeof="foaf:Image" /></article><p><span><span>In mid-October, Microsoft revealed that it had succeeded in mitigating a 2.4 terabytes-per-second (Tbps) distributed denial-of-service (DDoS) attack against its own infrastructure.</span></span></p> <p><span><span>The tech giant explained that the attack targeted an Azure customer in Europe back in August and that it lasted for over 10 minutes. During that period, traffic peaked for a short time at 2.4 Tbps. Microsoft documented two smaller traffic spikes at 0.55 Tbps and 1.7 Tbps after that, as reported by <a href="https://www.msn.com/en-us/money/other/microsoft-says-it-mitigated-the-largest-ddos-attack-ever-recorded/ar-AAPpIWb" rel="nofollow">MSN</a>.</span></span></p> <h2><span><span><span><span><span>What Is a DDoS Attack?</span></span></span></span></span></h2> <p><span><span>A DDoS attack is a type of operation where malicious actors use traffic from many remote sources to target an organization’s online presence.
It works by flooding a target’s websites and other public-facing infrastructure with HTTP requests and traffic. This can prevent legitimate users from accessing those resources, thereby disrupting the target’s business operations.</span></span></p> <p><span><span>What makes DDoS attacks effective is the fact that they abuse the functionality of networking equipment and services like routers for malicious ends. Here’s the <a href="https://www.comptia.org/content/guides/what-is-a-ddos-attack-how-it-works" rel="nofollow">Computing Technology Industry Association</a> (CompTIA) with how.</span></span></p> <p><span><span>“Sophisticated DDoS attacks don’t necessarily have to take advantage of default settings or open relays,” the trade association explained. “They exploit normal behavior and take advantage of how the protocols that run on today’s devices were designed to run in the first place. In the same way that a social engineer manipulates the default workings of human communication, a DDoS attacker manipulates the normal workings of the network services we all rely upon and trust.”</span></span></p> <p><span><span>These types of events aren’t rare—especially not this year. According to <a href="https://venturebeat.com/2021/10/06/atlas-vpn-ddos-attacks-expected-to-reach-11m-by-end-of-2021/" rel="nofollow">VentureBeat</a>, security researchers documented 972,000 DDoS attacks in January 2021. That’s higher than any other month on record. By June, the volume of campaigns had dropped to 759,000. But that didn’t prevent an increase of 11% for DDoS attacks during the first half of the year compared to H1 2020, totaling 5.4 million. VentureBeat went on to note that DDoS attacks could reach a record-setting 11 million by December if the trend in H1 2021 continues for the rest of the year.</span></span></p> <h2><span><span><span><span><span>Putting DDoS Attacks into Context</span></span></span></span></span></h2> <p><span><span>DDoS attacks can be standalone incidents.
But they don’t have to be. Take email bombs for example. This type of operation targets an inbox with a flood of emails. Those messages aren’t malicious in themselves; they don’t contain embedded links or attachments that carry malware or that redirect victims to a phishing page. But they do serve an important function for attackers.</span></span></p> <p><span><span>David Pickett, senior cybersecurity analyst at <a href="https://appriver.com/blog/email-bombs-disguise-fraudulent-activity" rel="nofollow">AppRiver</a>, explains how.</span></span></p> <p><span><span>“The bomb is typically designed to distract the user from emails generated due to fraudulent purchases or financial account updates or transactions,” Pickett pointed out. “During these types of attacks, we've observed fraudulent airline ticket purchases, Apple store orders, and quite a few Best Buy pickup orders. If applicable to the fraudulent purchase - such as a Best Buy pickup order - attackers have mules ready to quickly pick up the fraudulently purchased merchandise soon after the attack begins.”</span></span></p> <p><span><span>Digital fraudsters aren’t the only ones who have been known to use DDoS attacks as part of their operations. According to <a href="https://www.bleepingcomputer.com/news/security/fbi-hellokitty-ransomware-adds-ddos-attacks-to-extortion-tactics/" rel="nofollow">Bleeping Computer</a>, the HelloKitty ransomware gang began leveraging DDoS attacks as another extortion-based tactic in the beginning of November.
This involves targeting an organization’s public-facing website with a DDoS attack if the victim doesn’t respond quickly enough or doesn’t pay the demanded ransom.</span></span></p> <h2><span><span><span><span><span>How to Defend Against DDoS Attacks</span></span></span></span></span></h2> <p><span><span>In its documentation, <a href="https://docs.microsoft.com/en-us/compliance/assurance/assurance-microsoft-dos-defense-strategy" rel="nofollow">Microsoft</a> explains that it uses its global presence and engagement with Internet providers, private corporations, and other security firms to defend against network-based DDoS attacks. Those partners include Ƶɫ, which complements Microsoft’s focus on productivity and performance with email threat protection. Click <a href="/amplify/smb/" rel="nofollow">here</a> to learn more about how this layered security approach can help to defend your organization against DDoS attacks and other threats.</span></span></p> 3 Recent Attacks Where Phishers Abused Google’s Services /resources/blog/november-2021/3-recent-attacks-where-phishers-abused-googles-services <span>3 Recent Attacks Where Phishers Abused Google’s Services</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Wed, 11/03/2021 - 15:14</span> <a href="/taxonomy/term/31" hreflang="en">Trends</a> <a href="/taxonomy/term/5" hreflang="en">David Bisson</a> <article><img src="/sites/default/files/2021-11/google_tablet_keyboard.jpg" width="1400" height="700" alt="" loading="lazy" typeof="foaf:Image" /></article><p><span><span>In a <a href="/resources/blog/september-2021/7-attacks-where-phishers-abused-legitimate-microsoft-services" rel="nofollow">recent blog post</a>, I discussed seven instances in which digital attackers abused Microsoft services to launch phishing campaigns in recent years.
The reality is that Microsoft is just one of the many companies targeted by phishers. Email attackers misuse the services of others, too. </span></span></p> <h2><span><span><span><span><span>Take Google as an Example</span></span></span></span></span></h2> <p><span><span>Attackers have a history of abusing Google’s services. Back in May 2020, for instance, <a href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/phishing-in-a-bucket-utilizing-google-firebase-storage/" rel="nofollow">Trustwave SpiderLabs</a> detected multiple phishing attempts abusing Google Firebase, a mobile and web application development platform which provides secure uploads and downloads for supported apps. Some of those attack attempts used the pandemic and Internet banking as lures to trick victims into clicking on a fake vendor payment form that redirected them to a phishing page hosted on Firebase Storage. Others used an Office 365 phishing lure to redirect victims to an Office 365 phishing page hosted on Firebase.</span></span></p> <p><span><span>Several months after that, <a href="https://threatpost.com/google-forms-abused-to-phish-att-credentials/160957/" rel="nofollow">Threatpost</a> reported on a campaign in which digital attackers used Google Forms to create phishing landing pages masquerading as the login pages for more than 25 different entities. Security researchers detected a total of more than 250 different pages created using Google Forms as part of the campaign. 
More than 70% of those fake login pages impersonated AT&T, while the others claimed to belong to various financial organizations, collaboration apps, and government agencies.</span></span></p> <p><span><span>It was about a month later when <a href="/resources/blog/december-2020/attackers-sending-out-phishing-emails-universities-official-edu" rel="nofollow">Ƶɫ | AppRiver</a> detected an email that came from someone named “Diana.” Using the subject line “Re-validation,” the message claimed to be official correspondence from Microsoft Exchange requiring recipients to upgrade to the “latest e-mail Outlook Web Apps 2020.” The email contained an “UPGRADE” link that, when clicked, redirected victims to a file hosted via Google Docs and disguised as an OWA login portal.</span></span></p> <h2><span><span><span><span><span>Google’s Upcoming 2SV Auto-Enroll Drive</span></span></span></span></span></h2> <p><span><span>In response to the attacks discussed above, among others, Google is taking steps to protect its users. One of its most recent initiatives involves an effort to auto-enroll 150 million user accounts into its two-step verification (2SV) feature. As part of that drive, the tech giant announced its intention to require two million YouTube creators to turn on the feature, as well.</span></span></p> <p><span><span>“We also recognize that today’s 2SV options aren’t suitable for everyone, so we are working on technologies that provide a convenient, secure authentication experience and reduce the reliance on passwords in the long-term,” Google explained in a <a href="https://blog.google/technology/safety-security/making-sign-safer-and-more-convenient/" rel="nofollow">blog post</a>. “Right now we are auto-enrolling Google accounts that have the proper backup mechanisms in place to make a seamless transition to 2SV.
To make sure your account has the right settings in place, take our quick <a href="https://myaccount.google.com/security-checkup/3" rel="nofollow">Security Checkup</a>.”</span></span></p> <h2><span><span><span><span><span>How to Defend Against Email Attacks Abusing Google</span></span></span></span></span></h2> <p><span><span>Organizations can take several steps to defend themselves against email attacks abusing the services of Google and other tech providers. First, they can use security awareness training to educate their users about new email attacks. They can also highlight the point that Google intends to “auto-enroll” users into its 2SV feature, which means they won’t have to do anything on their end. As such, organizations can educate employees to be wary of emails that disguise themselves as Google informing recipients that they need to activate 2FA on their accounts.</span></span></p> <p><span><span>That’s not all organizations can do. They can also emphasize the importance of users logging into their web accounts by visiting a website directly, suggest that employees proactively enroll in 2FA schemes on whichever accounts they can, and avoid clicking on links embedded in emails. Finally, they can use a <a href="/products/email-threat-protection" rel="nofollow">security solution to scan incoming emails on multiple layers</a>. 
</span></span></p> <a href="/resources/blog/secure-modern-workplace" hreflang="en">Secure Modern Workplace</a> Phishers Impersonating Maersk Line to Steal Victims’ Email Credentials /resources/blog/november-2021/phishers-impersonating-maersk-line-steal-victims-email-credentials <span>Phishers Impersonating Maersk Line to Steal Victims’ Email Credentials</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Tue, 11/02/2021 - 11:08</span> <a href="/resources/blog/threat-alert" hreflang="en">Threat Alert</a> <a href="/taxonomy/term/5" hreflang="en">David Bisson</a> <article><img src="/sites/default/files/2021-11/maersk_2.jpg" width="1485" height="805" alt="Screenshot of the phishing landing page. (Source: Ƶɫ | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><p><span><span>Phishers launched an attack campaign in which they impersonated Danish international container shipping company Maersk Line to steal victims’ email account credentials.</span></span></p> <h2><span><span><span><span><span>“Confirmation of Shipping Invoice” Scam</span></span></span></span></span></h2> <p><span><span>At the end of October, the Ƶɫ | AppRiver team flagged an email that appeared to have originated from Maersk Line.</span></span></p> <p><span><span>Those responsible for the campaign used stolen branding to impersonate the shipping giant. They even included the text “Best Global shipping company” in their message. As noted by <a href="https://www.fleetmon.com/maritime-news/2013/1535/maersk-line-won-two-awards-afsca-2013/" rel="nofollow">FleetMon</a>, Maersk Line won this exact distinction for at least 20 consecutive years at the Asian Freight & Supply Chain Awards (AFSCA).</span></span></p> <p><span><span>Even so, the attackers slipped up a few times in their email.
</span></span></p> <p><span><span>First, they used inconsistent capitalization with “Best Global shipping company,” “Original copy of Shipping Docs,” and even the subject line “Confirmation of shipping Invoice,BL & Parking List [sic].” These errors might have raised a recipient’s suspicions.</span></span></p> <p><span><span>Second, they used spoofing techniques to trick the recipient into thinking the email came from “Maersk Global Shipping,” with the sending email address “noreply@maersklineshipping[dot]com.” But that’s not a legitimate Maersk Line email address. Official correspondence from the shipping giant uses the domain “@maersk.com.”</span></span></p> <p><span><span>Finally, the attackers included a signature block attributing their email to Mark Rosario of MaerskLine China. There appears to be a Mark Rosario who does work at Maersk. But according to this individual’s LinkedIn profile, he’s been associated with the company’s operations in Pakistan for over 20 years, not China.</span></span></p> <p> </p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2021-11/maersk_1.jpg" width="1040" height="917" alt="Screenshot of the fake Maersk Line email. (Source: Ƶɫ | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of the fake Maersk Line email. (Source: Ƶɫ | AppRiver)</figcaption></figure><p> </p> <p><span><span>The email instructed the recipient to view some original documents including an invoice, bill of lading, and packing list by clicking on an embedded “Download Confirmation” button.</span></span></p> <p><span><span>Troy Gill, manager of security research at Ƶɫ | AppRiver, explains what happened next.</span></span></p> <p><span><span><span>“If the user complies, they are directed to a very convincing phishing page located on labour.go[.]th,” he said. 
“The page cycles through different realistic-looking Maersk backgrounds with a sign-in screen overlaid to steal the user’s email credentials.”</span></span></span></p> <figure role="group" class="align-center"><article><img src="/sites/default/files/2021-11/maersk_2.jpg" width="1485" height="805" alt="Screenshot of the phishing landing page. (Source: Ƶɫ | AppRiver)" loading="lazy" typeof="foaf:Image" /></article><figcaption>Screenshot of the phishing landing page. (Source: Ƶɫ | AppRiver)</figcaption></figure> <p><span><span><span>“Per whois DNS data, the domain itself appears to be a Thai government page managed by the Labour Protection and Welfare Department. We were also able to find that it has a history of over 3 years of being abused for phishing attacks, mostly Adobe themed in the past,” he added.</span></span></span></p> <h2><span><span><span><span><span>Putting This Attack into Context</span></span></span></span></span></h2> <p><span><span>The attack described above arrived amid ongoing global supply chain challenges caused by the pandemic. In June 2021, for instance, <a href="https://www.whitehouse.gov/cea/blog/2021/06/17/why-the-pandemic-has-disrupted-supply-chains/" rel="nofollow">The White House</a> explained that some industries had shrunk or closed in response to the events of 2020. Some businesses struggled to hire quickly enough as they tried to reopen, while others didn’t have enough inventory to immediately resume their previous levels of business activity.</span></span></p> <p><span><span>These events help to explain why 36% of small businesses reported delays with domestic suppliers, according to a U.S. Census Small Business Pulse survey cited by The White House.
They also help to put other events, such as abrupt price increases, shortages, and digital attack campaigns impersonating shipping companies, into perspective.</span></span></p> <p><span><span>“With so many shipping delays and supply shortages around the world, threat actors are eager to spoof logistics and supply chain companies hoping for an easy compromise,” Gill clarified.</span></span></p> <p><span><span>Attacks such as the one discussed above didn’t begin with the pandemic, however. Back in May 2019, for example, <a href="https://www.maersk.com/news/articles/2019/05/16/maersk-employees-impersonated-in-phishing-scam" rel="nofollow">Maersk</a> published an article warning of a phishing scam where fraudsters used genuine Maersk employee names and positions when contacting customers to trick them into clicking on a link, downloading an attachment, and/or authenticating their information.</span></span></p> <p><span><span>Such activity highlights the need for organizations to invest in employee security awareness training and in an <a href="/products/email-threat-protection" rel="nofollow">email security solution</a> capable of spotting new attack attempts.</span></span></p>
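<p><span><span>The sender slip-up described in the Maersk post above (a display name of “Maersk Global Shipping” paired with a domain that is not maersk.com) is the kind of indicator a mail filter can check mechanically. The Python below is an added example written for this page; it is not Ƶɫ | AppRiver’s code or any product’s detection logic. The <code>BRAND_DOMAINS</code> table and the sample From: headers are constructed for illustration; only maersk.com as Maersk’s correspondence domain and the spoofed maersklineshipping address come from the post.</span></span></p>

```python
"""Flag From: headers whose display name or domain invokes a brand
that the sending domain does not belong to.

Added example for the Maersk Line post above; not AppRiver's code.
The brand table and sample headers are constructed for illustration.
"""
import re
from email.utils import parseaddr

# Hypothetical allowlist: brand keyword -> domains that brand really sends from.
# Only maersk.com is taken from the post; the microsoft entry is illustrative.
BRAND_DOMAINS = {
    "maersk": {"maersk.com"},
    "microsoft": {"microsoft.com"},
}


def refang(value: str) -> str:
    """Turn defanged notation (example[dot]com, example[.]com) back into a dotted name."""
    return re.sub(r"\[(?:dot|\.)\]", ".", value, flags=re.IGNORECASE)


def sender_domain(address: str) -> str:
    """Domain part of an address, lower-cased; empty string if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def is_legitimate(domain: str, allowed: set) -> bool:
    """True when domain is an allowed domain or a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def assess_from_header(from_header: str) -> dict:
    """Classify one From: header value.

    A header is suspicious when a brand keyword appears in the display name
    or in the sending domain, but the domain is not on that brand's allowlist.
    """
    display_name, address = parseaddr(refang(from_header))
    domain = sender_domain(address)
    reasons = []
    for brand, allowed in BRAND_DOMAINS.items():
        in_name = brand in display_name.lower()
        in_domain = brand in domain
        if (in_name or in_domain) and not is_legitimate(domain, allowed):
            where = "display name" if in_name else "sender domain"
            reasons.append(
                f"'{brand}' appears in the {where} but {domain or '<no domain>'} "
                f"is not one of {sorted(allowed)}"
            )
    return {
        "display_name": display_name,
        "address": address,
        "domain": domain,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def triage(headers):
    """Assess a batch of From: header values."""
    return [assess_from_header(h) for h in headers]


# Constructed sample headers. The first mirrors the spoofed sender quoted in
# the post; the others are invented to show the non-alerting cases.
SAMPLE_HEADERS = [
    "Maersk Global Shipping <noreply@maersklineshipping[dot]com>",
    "Maersk Line <notifications@maersk.com>",
    "Microsoft account team <no-reply@accountprotection.microsoft.com>",
    "Jane Doe <jane@example.org>",
]

if __name__ == "__main__":
    for verdict in triage(SAMPLE_HEADERS):
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{flag:10} {verdict['address']}")
        for reason in verdict["reasons"]:
            print(f"           - {reason}")
```

<p><span><span>Run as a script, the first constructed header is the only one flagged: the display name invokes Maersk while the domain is maersklineshipping.com. A subdomain of an allowlisted domain passes, which is why the constructed Microsoft example is not flagged, while a domain that merely starts with the brand (maersk.com.evil.example, for instance) is caught because suffix matching, not prefix matching, decides legitimacy. In practice the allowlist would be paired with SPF/DKIM/DMARC results, since a display name alone is trivially set by the sender.</span></span></p>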