The oldest and simplest schemes continue to evolve
Security First - Summer 2022
Content Provided by Intact Insurance
According to Verizon’s 2022 Data Breach Investigations Report, 82% of analyzed breaches involved the “human element,” and those breaches were more than 2.5 times as likely to stem from an error as from malicious intent. We want to make you aware of scams that are gaining momentum, remind you to be vigilant, and wish you a cyber-safe summer.
Cyber Safety Tip: If you find yourself overwhelmed by the number of emails in your inbox when you return from vacation, pause and slow down as you carefully review them.
Persistence Pays for Brazen Teenage Extortion Gang
Lapsus$ is the evocative moniker of an international band of cyber delinquents. They’ve reportedly gained access to major companies like Microsoft. Their strategies, which include tenaciously hounding people, have proven to be highly effective:
· Basic, inexpensive ploys, for example repeatedly vishing employees until one individual succumbs and becomes “Patient Zero,” the initial breach point.
· No ransomware is deployed.
· A large amount of data is stolen in a short period of time.
· The group threatens to publish the data unless a ransom is paid.
· Attacks are announced on social media to damage the company’s reputation.
· They persist until their efforts pay off: they learn from failed attempts, refine their approach, and move on to the next person.
The effectiveness of their unsophisticated, bold, low-cost techniques is cause for concern, and those techniques will inevitably be adopted by other cyber criminals.
Tactics Trending Upward
Lapsus$ as well as other threat actors including nation-states are increasingly combining methods or conducting multi-step scams. Though many individuals will not fall for these cons, all it takes is one lapse to breach an organization’s cyber perimeter.
Microsoft is Frequently Impersonated: Voicemail-themed phishing campaigns are reportedly being used to lure victims into opening email attachments that lead to a page stealing Microsoft credentials:
· Phishing email indicates a voicemail is contained in an attachment.
· The “from” field of the email includes the name of the recipient’s company.
· Opening the attachment re-directs the individual to a page emulating a Microsoft sign-in page that includes the name of the targeted organization.
· Entering login credentials is presented as a requirement to complete the download of the voicemail recording.
· If credentials are entered, a message that the account does not exist appears, which is the attacker’s cover for having already captured them.
· To evade automated scanning tools, the page uses a challenge-response test called a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), which scanners cannot get past.
Spear Phishing: targets recipients and includes personal or professional details to boost credibility.
· Hackers collect publicly available information about employees and combine it with publicly available corporate data to build profiles.
· Newly hired employees are often the aim.
· Attempts to contact employees may come in waves.
Insider Threats and Trusted Third Parties:
· Recruiting employees, suppliers, or business partners to hand over credentials or multi-factor authentication (MFA) codes, or to install remote management tools.
· Using social media platforms to recruit insiders who can impersonate employee accounts and carry out attacks from inside the organization.
· Paying employees a weekly fee in exchange for their remote access credentials.
Vishing: fraudulent phone call or voice mail message from an allegedly reputable organization.
· Impersonating IT employees and repeatedly phoning personnel to instruct them to reset their passwords and enter their credentials on a fake website controlled by the hackers. The Intact team will NEVER ask for your password or token code.
· Tech scams, such as unsolicited calls from someone claiming to be from Microsoft, are common.
Smartphones: Smartphones are increasingly used for online access, making them lucrative targets. In 2022 Americans are reportedly receiving an average of 41 spam text messages a month, more than double the amount received in 2021.
· SMiShing: SMS is an acronym for Short Message Service, more commonly known as a text message. SMiShing is sending a fraudulent text message that includes a malicious link or requests sensitive information.
o Fake surveys, prize notifications, or urgent messages about a financial account are used to lure people to click a malicious link, call a telephone number, or contact an email address provided by a threat actor.
o Mobile browsers may not display the full website address of a link, so scammers create real-looking addresses that include only a portion of a valid domain name.
· SIM Swapping: A SIM (Subscriber Identity Module) is a removable chip that stores unique data and is used to identify an owner to a specific mobile network.
o Cybercriminal collects publicly available personal information or data exposed in breaches.
o Calls the phone carrier posing as the target and requests that the number be moved, or claims the target’s other device has been lost.
o If the carrier is fooled, all information tied to the SIM card is transferred to a SIM card in a device in the scammer’s possession.
o The scammer now receives all calls, texts, MFA texts, and one-time PINs, enabling them to access social media, app, and financial accounts.
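The SMiShing note above explains that a mobile browser may show only part of a link, so a scammer can place a genuine brand name in the subdomain, the user-info portion, or the path of an address that actually belongs to them. The following is an added example, not Intact Insurance’s code, showing the check a defender can run on a link before anyone taps it: it resolves the registrable domain that will really receive the click and flags links that merely mention a trusted brand elsewhere. The allowlist, the sample links, and the two-label approximation of a registrable domain are assumptions made for the example.

```python
"""Added example (not Intact Insurance's code): find out where a text-message
link really points, since a mobile browser may display only part of the host."""
from urllib.parse import urlparse

# Hypothetical allowlist of domains the organisation expects in genuine links.
TRUSTED_DOMAINS = {"microsoft.com", "intact.com"}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels of the host.
    Simplification: ignores multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_sms_link(url: str) -> dict:
    """Classify a link: is the receiving domain trusted, and does the link
    merely mention a trusted brand in a subdomain, user-info or path?"""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    actual = registrable_domain(host) if host else ""
    brand_names = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    mentioned = any(brand in url.lower() for brand in brand_names)
    trusted = actual in TRUSTED_DOMAINS
    return {
        "host": host,
        "registrable_domain": actual,
        "trusted": trusted,
        # "brand.com@other.example" puts the brand in the user-info field,
        # which a truncated address bar shows first while the click goes elsewhere
        "userinfo_trick": "@" in parsed.netloc,
        "brand_lookalike": mentioned and not trusted,
    }


# Constructed sample links for the demonstration, not real infrastructure.
SAMPLE_LINKS = [
    "https://account.microsoft.com/security",
    "https://microsoft.com.voicemail-notice.example/listen",
    "https://microsoft.com@secure-signin.example/",
    "https://bank.example/alerts",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, inspect_sms_link(link))
```

Only the second and third sample links are flagged as lookalikes: the first genuinely lands on microsoft.com, and the last mentions no trusted brand at all. A production version would replace the two-label approximation with a public suffix list so that hosts under suffixes like co.uk are handled correctly.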
Multi-Factor Authentication (MFA) Prompt Bombing: Many MFA providers allow people to accept a one-time passcode via an SMS text or receive a phone call and press a key as a second factor.
· Sending MFA prompts repeatedly until the person accepts one just to make them stop. Lapsus$ claims this technique is highly effective late at night.
· Sending only one or two prompts a day, which attracts less attention.
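Both variants described above leave a trace in the MFA provider’s logs: a burst of prompts that were denied or timed out, sometimes followed by a single approval, or a trickle of unapproved prompts spread over several days. The following is an added example, not Intact Insurance’s code or any vendor’s, of detection logic a defender can run over such logs. The log format, the sample events, and the thresholds are assumptions constructed for the example.

```python
"""Added example (not Intact Insurance's code): detect MFA prompt bombing,
both the rapid burst and the one-or-two-a-day variant, from push-prompt logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "timestamp key=value ..." format.
# jdoe: four unapproved prompts in minutes, then an approval (fatigue pattern).
# bwong: one unapproved prompt per day for four days (low-and-slow pattern).
SAMPLE_LOG = """\
2022-06-14T02:13:05Z user=jdoe result=denied src_ip=203.0.113.5
2022-06-14T02:14:10Z user=jdoe result=timeout src_ip=203.0.113.5
2022-06-14T02:15:02Z user=jdoe result=denied src_ip=203.0.113.5
2022-06-14T02:16:30Z user=jdoe result=timeout src_ip=203.0.113.5
2022-06-14T02:17:45Z user=jdoe result=approved src_ip=203.0.113.5
2022-06-14T08:00:00Z user=asmith result=approved src_ip=198.51.100.7
2022-06-10T09:05:00Z user=bwong result=denied src_ip=203.0.113.9
2022-06-11T09:07:00Z user=bwong result=denied src_ip=203.0.113.9
2022-06-12T09:02:00Z user=bwong result=timeout src_ip=203.0.113.9
2022-06-13T09:04:00Z user=bwong result=denied src_ip=203.0.113.9
2022-06-14T09:01:00Z user=bwong result=approved src_ip=203.0.113.9
"""


def parse_log(text: str) -> list:
    """Turn each non-empty line into a dict with a parsed 'ts' datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        record = dict(field.split("=", 1) for field in fields)
        record["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        events.append(record)
    return events


def burst_alerts(events, threshold=3, window=timedelta(minutes=10)) -> dict:
    """Users with >= threshold unapproved prompts inside one window.
    Returns {user: (prompts in the busiest window, approved shortly after?)};
    an approval right after a burst is the strongest sign the user gave in."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append((e["ts"], e["result"]))
    alerts = {}
    for user, seq in by_user.items():
        unapproved = [t for t, r in seq if r != "approved"]
        approvals = [t for t, r in seq if r == "approved"]
        best, followed = 0, False
        for i, start in enumerate(unapproved):
            run = [t for t in unapproved[i:] if t - start <= window]
            if len(run) >= threshold and len(run) > best:
                best = len(run)
                followed = any(run[-1] < a <= run[-1] + window for a in approvals)
        if best:
            alerts[user] = (best, followed)
    return alerts


def low_and_slow_alerts(events, min_days=3, span=timedelta(days=7)) -> dict:
    """Users with unapproved prompts on >= min_days distinct days inside span.
    Catches the 'one or two prompts a day' variant that a burst rule misses."""
    days_by_user = defaultdict(set)
    for e in events:
        if e["result"] != "approved":
            days_by_user[e["user"]].add(e["ts"].date())
    alerts = {}
    for user, days in days_by_user.items():
        ordered = sorted(days)
        for i, first in enumerate(ordered):
            hits = [d for d in ordered[i:] if d - first < span]
            if len(hits) >= min_days:
                alerts[user] = max(alerts.get(user, 0), len(hits))
    return alerts


def analyze(text: str = SAMPLE_LOG) -> dict:
    events = parse_log(text)
    return {"burst": burst_alerts(events), "low_and_slow": low_and_slow_alerts(events)}


if __name__ == "__main__":
    print(analyze())
```

Against the sample log, the burst rule flags jdoe (four unapproved prompts in under four minutes, then an approval) and the low-and-slow rule flags bwong (unapproved prompts on four separate days), while asmith’s single approval raises nothing. The two rules are deliberately separate because each pattern is invisible to the other’s threshold.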
Please do not hesitate to contact the IB&M's Cyber Insurance Team at 201-653-6100 ext. 8739 or at email@example.com for a cyber evaluation and insurance quote.