Hackers were busy at it again this week with some standard phishing tactics, as well as some new, creative ones. And it should come as no surprise that Microsoft was in the thick of things being a victim of brand identity theft.
First, there was the Incoming Mail on Hold Phishing Scam. Here the target received a standard phishing email, ostensibly from the Email Security Team at Microsoft, threatening to place their mail on hold unless they click the “Verify” button. According to the report, “Clicking the verify button or other links in the email opens a fraudulent website that asks for your email address and email password. After you enter these details on the fake site, you may see a message notifying you that you have successfully removed the hold on your emails.”
A slightly more creative twist is the Microsoft OneNote Audio Note phishing campaign. According to the report, “[The] campaign comes in the form of an email with the subject ‘New Audio Note Received’ and claims that you have received a new audio message from a contact in your address book. In order to listen to the message, though, you will need to click on a link to listen to it.”
One of the things that makes the phishing email in this campaign more creative is “that phishing scammers are now commonly including footer notes stating the email is safe as it was scanned by a security software.”
Perhaps the most creative scam of the week involves QR codes. QR codes are “machine-readable optical labels that contain information about the item to which it is attached.” They are a type of two-dimensional (i.e., matrix) barcode.
What makes this scam so creative is that phish protection software already exists that scans emails for malicious links (i.e., links to malicious websites) in real time, but there isn’t yet any technology that scans emails for QR codes. Why? According to the article, “the code is integrated into the message as a normal photo, which is generally considered safe. A code check is not performed.” That’s pretty creative.
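The gap described above, as an added example that is not from the original article or the report it quotes: a link scanner that only reads text parts finds nothing to check in a QR-only message, while passing image parts through a decoder puts the hidden URL through the same reputation check. The message, the blocklist, the image bytes and the `decode_qr` hook are all constructed for illustration; a real deployment would wrap an actual QR decoding library in that hook.

```python
import re
from email.message import EmailMessage
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
BLOCKLIST = {"phish.example"}  # constructed reputation list
FAKE_PNG = b"\x89PNG\r\n\x1a\n(constructed stand-in for a QR image)"

def build_sample():
    """Constructed message: no link in the body, one attached image."""
    msg = EmailMessage()
    msg["Subject"] = "Action required"
    msg.set_content("Scan the code below with your phone to verify your account.")
    msg.add_attachment(FAKE_PNG, maintype="image", subtype="png",
                       filename="code.png")
    return msg

def scan(msg, decode_qr=None):
    """Check URLs in text parts and, if decode_qr is given, in image parts.

    decode_qr is a hypothetical hook: image bytes -> decoded text or None.
    """
    report = {"text_urls": [], "image_urls": [], "unchecked_images": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        kind = part.get_content_maintype()
        if kind == "text":
            # This is all a link-only scanner ever sees.
            report["text_urls"] += URL_RE.findall(part.get_content())
        elif kind == "image":
            if decode_qr is None:
                # The blind spot: the image is treated as a harmless photo.
                report["unchecked_images"].append(part.get_filename())
                continue
            text = decode_qr(part.get_payload(decode=True))
            if text:
                report["image_urls"] += URL_RE.findall(text)
    urls = report["text_urls"] + report["image_urls"]
    report["blocked"] = [u for u in urls
                         if urlsplit(u).hostname in BLOCKLIST]
    return report

def stand_in_decoder(image_bytes):
    """Constructed decoder: pretends FAKE_PNG encodes a single URL."""
    return "https://phish.example/verify" if image_bytes == FAKE_PNG else None

if __name__ == "__main__":
    print(scan(build_sample()))                    # link-only view
    print(scan(build_sample(), stand_in_decoder))  # images decoded too
```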
Other scams leveraging business identity theft include a phishing email that looks like it came from the Better Business Bureau (BBB) and another that is supposedly from American Express. The latter, according to the report, “is one of the most convincing phishing emails that I have seen in a long time. The graphics, grammar and overall appearance of the email is excellent.”
Access Bank customers were also the target of business identity theft phishing emails. In a common move to create a sense of urgency, the hackers threatened that their “account has been listed for suspension.”
One last scam of note this week is the Apple ID Locked phishing email. Just like with Access Bank, this phishing email tried to create a sense of urgency by “claiming that your account with a particular online service has been locked or suspended.” Unlike the American Express attack, apparently these phishing emails were “unconvincing.” Of course, if you use anti-phishing software to protect yourself, you don’t need to worry about that.
What’s new in the wonderful world of phishing? I’m sure you’ve heard of Software-as-a-Service or SaaS. These are companies that sell a service based on software. There are all kinds of services offered as a SaaS. There’s phish protection, outbound SMTP, email hosting and email archiving, to mention a few. But I’ll bet you didn’t expect to find Phishing-as-a-Service.
Now it’s big business. According to an article on Bleeping Computer, “new criminal sites are being developed that provide a Phishing-as-a-Service that includes a phishing kit and hosting for phishing forms at a very low cost. This allows would-be criminals with little technical knowledge to easily get started with their own phishing campaigns.”
The article goes on to say “[that] phishing templates that are available include SharePoint, Office 365, LinkedIn, OneDrive, Google, Adobe, Dropbox, DocuSign, and many more. These templates range from $30 to $80 and include one month of hosting for the page.”
The other thing that’s new in the world of phishing is that hackers are no longer just going after people. Now they’re going after devices. The Smart Home, comprised of Internet of Things (IoT) devices, is now every bit as vulnerable to attack as users. But the interesting thing is, the hackers are using the same attack vector to go after IoT devices as they use against people: phishing.
U.S. Virgin Islands hit with ransomware and BEC attack. The U.S. Virgin Islands Police Department was hit with a ransomware attack, but chose not to pay the ransom, and instead decided to work with a federal agency to help decrypt the data. Apparently, the territory’s Water and Power Authority was also hit by a phishing scam to the tune of $2.3 million.
Unfortunately for the USVI, once hackers get wind of this, they’re likely to get hit again. Easy targets make for repeat attacks.
Here’s something interesting that happened in email forwarding this week. A guy received an unsolicited marketing email (i.e., spam) from a Fortune 50 corporation. Nothing out of the ordinary about that, until he read the fine print at the bottom. Here’s what it read:
This e-mail and any files transmitted with it are the property of XYZ Corporation, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. Any other use, retention, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited.
In other words, if he were to forward this unsolicited email, he could theoretically be breaking the law. He can’t even forward it to his IT department and report it as spam. Ironically, all the information contained in the email is available on the company’s website according to the recipient.
One of the most costly ransomware attacks of 2019 was the one that hit the city of Baltimore, MD. It began on May 7. Now we find out this week that their email archive is still not accessible. According to City Solicitor Andre Davis, “emails older than 90 days cannot be retrieved. He expects the information will be recovered, but was not certain.”
Clearly Baltimore was not prepared for the attack, nor did they have a disaster recovery plan in place. Too bad: for a few bucks a month, they could have taken advantage of Email Backup MX, which automatically backs up email.
And that’s the week that was.