Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Phishing. Show all posts
Latvia Lead
Bengal Schools Bombs Cyber Attacks Cyber Phishing CyberCrime Cybersecurity CyberThreat Emails Latvia Lead

Threatening Emails Rattle Bengal Schools: Police Pursue Latvia Lead

 


In a statement announced Tuesday, the Kolkata Police said that more than 20 schools across the city have been threatened with bombs, which have been later revealed as hoaxes. According to the sender, bombs had been placed in numerous classrooms across a variety of schools in the city, and the bombs would explode in the morning hours following the placement. 

After receiving a hoax bomb threat mail on Monday, Kolkata Police took the initiative to spread an online message on Tuesday to reassure all parents that they would be there to ensure their children's safety and security, clarifying that it was a hoax mail and that they would be on hand to help. It has been revealed that police have traced the IP address to the Netherlands where the threat mail which was sent to 200-odd schools in the city, suburbs, and Siliguri, was sent from.

On the intervening night between Sunday and Monday (April 8, 2024), a user known as "doll" sent an email at 12.28 am on Monday with the email address 'happyhotdog101' threatening to have bombs placed in schools. The user threatened to make it happen with the help of the U.S. Government.   An email screenshot has been shared by over 90 schools and the screenshots have been shared on more than a dozen websites. 

The message itself has not been shared yet, but the fact that it has gone viral has contributed to its success. The sender, it is thought, had threatened the students that bombs would be detonated when they arrived at school that morning and that this was the reason for the mail. 

There had been no official announcement regarding this case from either the Calcutta Police or the West Bengal Police until late that evening. There is also the possibility that none of the schools in either of the cities will publicize the threat. The email reads, “This is a message for everyone. There are bombs planted inside "of the" classrooms. The bombs are set to go off tomorrow morning when there are kids inside "of the" schools. Our mission is to leave as many as people in a pool of blood." 

his attack was caused by 2 terrorists named Ching and Doll." According to the Latvian police, the email had been generated by an account linked to an email service provider founded in 2018 and set up its operations in 2022, but it was conceived in 2018 and started operating in 2022. 

Around 68 educational institutions in Bengaluru received a threat email last January, which came from one of the email addresses that were created by the same company that provides email services to these institutions. Initially, Bengaluru police speculated that the email was coming from either the Czech Republic or Slovakia, but they have since removed that suspicion. 

In the course of the investigation, it was found that the encryption service provider in question was the same as the one used in the Calcutta school case, though the location was in Cyprus instead of India. It was reported that the email sender said that he used a Switzerland-based Virtual Private Network, which is also well-known for the security and privacy of end-to-end encryption and focus on privacy, to send the email according to reports from the Bengaluru Police. 

There is an announcement that, in June 2022, the Narendra Modi government will ask all VPN operators to store for five years data related to its subscribers, such as names, email addresses, contact numbers, and IP addresses to tighten cybersecurity rules. Also, the Indian government requested the use of the data at its discretion as and when it deemed necessary. As a result of the order, most VPN companies have declared themselves uncooperative and have removed their servers from India as a result.

The Calcutta Police and the Bengal Police are yet to discover whether the email service provider has been contacted by either the Calcutta Police or the Bengal Police to review Monday's threat emails as yet. Amidst a flurry of concerning emails inundating over 90 schools across Bengal, authorities promptly alerted law enforcement, triggering a swift response from the cyber crime cell. Their immediate objective: pinpoint the sender's identity through meticulous analysis of the email's IP address. Offering insights into the unfolding situation, a senior police official asserted that the dissemination of such emails was a deliberate ploy aimed at stoking tensions in the lead-up to the elections, underscoring the malicious intent behind the communication. 

In a bid to assuage public concerns, the city police took to social media to affirm that the purported threats were indeed unfounded, branding them as mere 'hoaxes' intended to sow panic and unrest. Further action was swiftly undertaken by authorities, with the registration of a formal case against the individual responsible for the email transmission, signalling the commencement of a thorough investigation into the matter. 

This incident is but the latest in a string of similar occurrences, with the Delhi Police, just last March, apprehending a 29-year-old Bangladeshi national residing in Kolkata for orchestrating a hoax bomb threat targeting a SpiceJet flight en route from Delhi to Kolkata. Delving into the motives behind the elaborate ruse, law enforcement disclosed that the perpetrator, upon interrogation, confessed to concocting the threat in a bid to derail the flight and thus prevent the imminent arrival of his brother-in-law in Kolkata. This calculated manoeuvre, as elucidated by police officials, stemmed from the individual's desire to conceal a web of deceit, as he had falsely claimed to be pursuing a PhD in the United States—a fabrication that facilitated his marriage to his spouse.
Read more »
Online Security
Authentication Cyber Phishing Data Breach ISO MOAB Online Security

Massive Data Breach Sends Shockwaves Through Businesses

 



A colossal breach of data has rattled the digital world affecting billions of users across various platforms and organisations. This vile breach, dubbed the "mother of all breaches" (MOAB), has exposed a staggering 26 billion entries, including those from LinkedIn, Twitter, Dropbox, and others. Government agencies in several countries have also been hit.

The implications for businesses are imminent. The leaked data, totaling 12 terabytes, poses an ongoing threat to personal information and corporate security. It not only comprises information from past breaches but also includes new data, providing cybercriminals with a comprehensive toolkit for orchestrating various cyberattacks, including identity theft.

In response to this unprecedented threat, businesses are urged to adopt a proactive stance in monitoring their infrastructure. Key signals to watch for include unusual access scenarios, suspicious account activity, a surge in phishing attempts, abnormal network traffic, an increase in helpdesk requests, and customer complaints about unauthorised access or suspicious transactions.

This incident underscores the need for a new security paradigm, where companies prioritise user security over user experience. While some may resist this shift, it is essential for long-term protection against cyber threats. Implementing global security standards such as ISO/IEC 27001 and enhancing authentication policies are crucial steps in fortifying defences.

Authentication measures like multi-factor authentication and liveness detection technology are rapidly gaining traction as the go-to standards across industries. These methods not only reinforce security but also seamlessly integrate into user experiences, striking a delicate balance between safeguarding sensitive data and ensuring user convenience. By embracing these sophisticated authentication techniques, businesses can erect formidable defences against cyber threats while enhancing overall user satisfaction.

The recent MOAB incident serves as a sign of trouble for businesses worldwide to bolster their defence mechanisms and hone their cyber acumen. While the paramountcy of data security cannot be overstated, it is equally crucial for companies, particularly those engaging with consumers directly, to uphold user-friendly processes. By harmonising stringent security measures with intuitive and accessible procedures, businesses can adeptly traverse the complex system of cybersecurity, instilling trust among stakeholders and effectively mitigating potential risks in a rampant semblance of digital development.

To get a hold of the events, the MOAB data breach underlines the exponential need for businesses to invest in robust security measures while ensuring a smooth user experience. By staying a step ahead and proactive, companies can mitigate the risks posed by cyber threats and safeguard their customers' sensitive information.


Read more »
SaaS Apps
Artifcial Intelligence Cyber Phishing Cyber Security Cyber Threats malware SaaS Apps

How To Combat Cyber Threats In The Era Of AI





In a world dominated by technology, the role of artificial intelligence (AI) in shaping the future of cybersecurity cannot be overstated. AI, a technology capable of learning, adapting, and predicting, has become a crucial player in defending against cyber threats faced by businesses and governments.

The Initial Stage 

At the turn of the millennium, cyber threats aimed at creating chaos and notoriety were rampant. Organisations relied on basic security measures, including antivirus software and firewalls. During this time, AI emerged as a valuable tool, demonstrating its ability to identify and quarantine suspicious messages in the face of surging spam emails.

A Turning Point (2010–2020)

The structure shifted with the rise of SaaS applications, cloud computing, and BYOD policies, expanding the attack surface for cyber threats. Notable incidents like the Stuxnet worm and high-profile breaches at Target and Sony Pictures highlighted the need for advanced defences. AI became indispensable during this phase, with innovations like Cylance integrating machine-learning models to enhance defence mechanisms against complex attacks.

The Current Reality (2020–Present)

In today's world, how we work has evolved, leading to a hyperconnected IT environment. The attack surface has expanded further, challenging traditional security perimeters. Notably, AI has transitioned from being solely a defensive tool to being wielded by adversaries and defenders. This dual nature of AI introduces new challenges in the cybersecurity realm.

New Threats 

As AI evolves, new threats emerge, showcasing the innovation of threat actors. AI-generated phishing campaigns, AI-assisted target identification, and AI-driven behaviour analysis are becoming prevalent. Attackers now leverage machine learning to efficiently identify high-value targets, and AI-powered malware can mimic normal user behaviours to evade detection.

The Dual Role of AI

The evolving narrative in cybersecurity paints AI as both a shield and a spear. While it empowers defenders to anticipate and counter sophisticated threats, it also introduces complexities. Defenders must adapt to AI's dual nature, acclimatising to innovation to assimilate the intricacies of modern cybersecurity.

What's the Future Like?

As cybersecurity continues to evolve in how we leverage technology, organisations must remain vigilant. The promise lies in generative AI becoming a powerful tool for defenders, offering a new perspective to counter the threats of tomorrow. Adopting the changing landscape of AI-driven cybersecurity is essential to remain ahead in the field.

The intersection of AI and cybersecurity is reshaping how we protect our digital assets. From the early days of combating spam to the current era of dual-use AI, the journey has been transformative. As we journey through the future, the promise of AI as a powerful ally in the fight against cyber threats offers hope for a more secure digital culture. 


Read more »
Website Security
Cyber Phishing Data Beach Phishing scam Telegram Website Security

Decrypting the Threat: Telegram's Dark Markets and the Growing Menace of Phishing Networks

 

In the last few years, social media has gradually become a one-stop shop for scammers. With easily available information, scammers are able to hand-pick their target and create a customized scam for them.

Telegram is one such platform that has also emerged as a hub for all things any scammer might need to create a perfect scam. Information that was once hidden behind the screens of the dark web is now readily and publicly available on Telegram, many of which are even free to access. 

From instructional guides and phishing kits to the services of hackers for hire, this application has increasingly become a comprehensive hub, providing scammers with everything they might require for their illicit activities.

For a newcomer, it is astonishing to see how easy it is to find these marketplaces on Telegram, which were previously deep inside Tor Onion networks. Messages flow incessantly, unveiling an array of products, services, tips, and tricks—knowledge that was once exclusive to the depths of the dark web is now readily accessible. 

One of the most known examples of such a scam is the “Bank of America” phishing page scam which was circulated in the US network. This scam was made to extract the bank account details of potential targets, which were then sold to higher players. 

These scammers who work on the higher chain work by delving into the criminal abyss of cash extraction from these accounts unveils a new echelon of illicit activity, characterized by heightened complexity. This is precisely where the orchestrated network of the scammer's supply chain comes into play. 

Planning a scheme as elaborate as this involves assembling several essential elements: 

Firstly, the foundation lies in crafting a sophisticated phishing web page, often termed a "scam page." To deploy this page seamlessly, a dependable hosting solution is indispensable. An effective email-sending system is then required to initiate the deceptive process. Crafting a compelling email message, strategically designed to lure victims to the scam page, serves as another crucial element. The acquisition of targeted email addresses, known as "Leads," becomes pivotal for precision targeting. Unsurprisingly, there is a separate marketplace that is solely focused on gathering data of potential targets through malicious websites, surveys and pop-up emails offering discounts and free rewards. 
 
Lastly, a mechanism for monetizing the stolen credentials completes the construction. Notably, all these necessary building blocks are readily available on Telegram, with some offered at remarkably low prices, and astonishingly, certain elements are even accessible for free. This holistic approach underscores the alarming accessibility and affordability of these illicit tools within the Telegram ecosystem. 

After analyzing the scam creation process, it's evident that phishing scams exploit compromised security on legitimate websites.

Owners of such sites bear a dual responsibility of safeguarding their business interests and preventing their platforms from being exploited by scammers. This includes protecting against the hosting of phishing operations, sending deceptive emails, and other illicit activities that may occur without their knowledge. Vigilance and proactive measures are essential to ensure the integrity and security of online platforms.
Read more »
Privacy
Banking scam Cyber Crime Cyber Phishing Cyber Security Privacy

A Delhi Lawyer's Encounter Exposes Hidden Perils of SIM Swap Scam

 




In the contemporary landscape dominated by digital interconnectedness, the escalating menace of cybercrime has assumed unprecedented proportions. The latest threat on the horizon is the insidious 'SIM Swap' scam, an advanced scheme exploiting vulnerabilities in the telecommunications system. In this exposé, we read into the intricacies of the SIM Swap scam, shedding light on how unsuspecting individuals could find themselves ensnared in this financially ruinous web. 

The Delhi Lawyer's Ordeal: An Actual Scenario 


Recently, a 35-year-old lawyer residing in Delhi fell victim to the 'SIM Swap' scam, experiencing an undisclosed financial loss after three seemingly innocuous missed calls. This scam involves perpetrators gaining unauthorised access to a duplicate SIM card, subsequently infiltrating bank accounts and more. 

This unfortunate incident unfolds against a backdrop of a surge in scams across the country, ranging from the notorious telegram job scam to deceptive Army officer scams. As scammers continually adapt, it becomes imperative for individuals to stay informed and exercise caution to shield themselves from the fluctuating digital security. 

Understanding the Basics of the Scam: 


Examining the Delhi lawyer's experience, she received three missed calls and, despite not returning them, received text messages indicating a financial transaction from her bank account. What's particularly alarming is that she had not disclosed any confidential codes or personal information. The investigator elucidated that SIM Swap scammers aim to obtain personal information to collaborate with mobile networks and secure a duplicate SIM card. This underscores the need for caution and safeguarding personal information from evolving online threats. 

Ensuring Security: Prudent Measures for All 


To fortify against scams like SIM Swap, proactive measures are paramount. Refrain from sharing personal information such as your address, Aadhar card, or PAN details online. Verify the identity of any entity requesting such details before divulging them. Should your SIM card cease to function unexpectedly, promptly contact your telecom operator. Reporting such incidents expeditiously can mitigate the risk of unauthorised activities. Never share OTPs with individuals purporting to be officials or banking agents, as these codes can be exploited in the SIM Swap scam. 

In the aftermath of the Delhi lawyer's unfortunate encounter, it becomes evident that a seemingly innocuous missed call can cascade into a financial crisis. Safeguarding against such threats necessitates a proactive approach. By unravelling the nuances of scams, adopting essential precautions, and fostering a shared commitment to online safety, we fortify ourselves in the digital realm. As we revel in the benefits of a connected world, let us unite in safeguarding our personal information. Stay vigilant, stay secure—our digital defence is a collective responsibility. Share this article to disseminate awareness and contribute to a secure digital community!


Read more »
Scam
Cyber Fraud Cyber Phishing Government Portal phishing Scam

New Phishing Campaign Targets Saudi Government Service Portal

 

Multiple phishing domains imitating Absher, the Saudi government service portal, have been set up to provide citizens with fraudulent services and steal their credentials. CloudSEK cybersecurity researchers made the discovery and published an advisory about the threat on Thursday. 

"The threat actors are targeting individuals by sending an SMS, along with a link, urging people to update their information on the Absher Portal," wrote the security experts. "The phishing website presents users with a fake login portal, compromising the login credentials." 

According to CloudSEK, after the bogus 'login,' a pop-up appears on the site requesting a four-digit one-time password (OTP) sent to the registered mobile number, which is most likely used to bypass multifactor authentication (MFA) on the legitimate Absher Portal. 

"Any four-digit number is accepted as an OTP without verification, and the victim successfully logs in to the fake portal," CloudSEK clarified. 

After completing the bogus login process, the user is prompted to fill out a registration form, revealing sensitive personally identifiable information (PII), before being redirected to a new page where they are asked to select a bank. They are then taken to a bogus bank login portal designed to steal their credentials. 

"After submitting the internet banking login details, a loading icon pops up, and the page gets stuck, while the user banking credentials have already been compromised," the security researchers wrote.

According to CloudSEK, government services in the Saudi region have recently become a prime target for cyber-criminals looking to compromise user credentials and use them to launch additional cyber-attacks.

"Multiple phishing domains have been registered to gain the PII of individuals in Saudi Arabia," the company wrote.

To lessen the impact of these attacks, CloudSEK urged government organizations to monitor phishing campaigns targeting citizens and to inform and educate them about the dangers, such as not clicking on suspicious links. The warning comes just weeks after CloudSEK discovered a separate phishing campaign targeting Saudi KFC and McDonald's customers.
Read more »
Phishing and Spam
Arrests Cyber Fraud Cyber Phishing Germany hacker arrested Mobile Phishing phishing Phishing and Spam

Germany: Individual Hacker Arrested for Stealing € 4 Million via Phishing Attacks

 

Germany’s federal criminal police, Bundeskriminalamt (BKA) carried out home raids on three suspects for executing a large-scale phishing campaign, defrauding internet users of €4 million. The phishing campaign was carried out by the charged suspects between October 3, 2020, and May 29, 2021, as per the evidence gathered by the German Computer Crime Office. 

One of the three suspects, a 24-year-old, has been arrested and charged by the BKA, the second, a 40-year-old, has also been charged with 124 acts of computer fraud, while the investigation for the third suspect is still ongoing.  

The hackers allegedly defrauded their victims by imitating as legitimate German banks and sending them phishing e-mails that were clones of messages from some real banks.  

“These e-mails were visually and linguistically believable based on real bank e-mails. The victims were informed in these letters that their house bank would change their security system – and their own account would be affected [...] The e-mail recipients were thus tricked into clicking on a link, which in turn led to a deceptively real-looking bank page. There, the phishing victims were asked to enter their login data and a current TAN, which in turn enabled the fraudsters to see all the data in the account of the respective victim – including the amount of credit and availability. The perpetrators then contacted the victims and tricked them into revealing further TAN numbers as alleged bank employees. With the TAN, they were then able to withdraw funds from the accounts of the victims.” reads the statement issued by BKA. 

The phishing emails reportedly informed the internet users of the changes in their respective bank’s security systems, beseeching the victims to click on an embedded link to continue using the bank’s services. The links redirected victims to a landing page, asking them to enter their credentials and Transaction Authentication Number (TAN), allowing the hackers access to their online banking accounts and withdrawal funds.  

According to the BKA, the hackers even used DDoS against the banks to conceal their fraudulent transactions. "In order to carry out their crimes, the accused are said to have resorted to offers from other cybercriminals who worked on the dark net, selling various forms of cyber-attacks as crime-as-a-service." BKA stated in an announcement. 

In regard to the active cases of phishing attacks and online fraud, the police urged internet users to take certain cautionary measures, such as never clicking a link or opening file attachments in emails that appear to be from a legitimate bank. If in doubt, the users are recommended to contact their banks personally or obtain information from the bank’s respective websites.
Read more »
Microsoft 365
Cyber Attacks Cyber Phishing Cyber Threats Cyber-attacks Microsoft 365

Microsoft Upgrading Defender for 365 Users Teams

Last week, the technology giant Microsoft has announced that they are going to add some new advanced features to Microsoft Defender for Office 365 to allow Microsoft Teams users to alert their organization's security team of any deceitful messages they receive. 

Microsoft Defender for Office 365 (previously known as Office 365 Advanced Threat Protection or Office 365 ATP) works against malicious threats coming from malicious email messages, links, and collaboration tools to protect organizations. 

The new features are developing upon improvements announced in July 2021, allowing Microsoft Teams to automatically blocks phishing attempts. 

According to the given data on Microsoft's official website, this in-development feature will give power to admins to alter potentially dangerous messages targeting employees with malicious payloads or trying to redirect them to phishing websites. 

"End users will be able to report suspicious Microsoft Teams messages as a security threat just like they do for emails - to help the organization to protect itself from attacks via Microsoft Teams," Microsoft explains on the Microsoft 365 roadmap. 

Additionally, one of the users reported that Redmond is also developing new features for Office 365's Submissions experience to categorize the user-reported messages into individual tabs for Phish, Spam (Junk), and so on. 

However, as per the process, it is expected that the advance submission feature will be available to the general public next month, the new user reporting capability is now in preview and will most likely roll out to standard multi-tenants until the end of January 2023 to desktop and web clients worldwide. 

Microsoft extended Defender for Office 365 Safe Links protection to the Teams communication platform to help customers from malicious URL-based phishing attacks. 

"Safe Links in Defender for Office 365 scans URLs at the time of click to ensure that users are protected with the latest intelligence from Microsoft Defender,” Microsoft further told.
Read more »
Phishing Attack
Cyber Phishing Cyber Security Domain Hijacking Assaults domains Persistent Phishing attack Phishing Attack

Palo Alto Network: Domain Shadowing is a Prevalent Threat

 

As per Unit 42 of Palo Alto Network’s threat analysis, a fraudulent phishing technique known as domain shadowing is wreaking havoc. The company found that around 12,197 fake domains were shadowed between 25th April to 27th June of 2022, to provide malicious content. 
 
Cyber attackers are using domain shadowing for secretive attacks. Once a threat actor gets access to/hijacks your Domain Name System, they create their sub-domains containing malicious codes under your legitimate and reputed domains to perform malicious activities. The hijacked domains tend to be used in several ways, such as escaping security checks, distributing malicious software, committing fraud, etc. 
 
It is imperative to note that the attackers prepare these shadow domains without altering the functioning of the original domains, which also serves as a safeguard, since the victims are not aware that a threat exists, and the owners of the original domains rarely check on their domains to ensure their security. 
 
However, unit 42 employs a method to detect hacked domains or illegal sub-domains. It entails going through a checklist consisting of steps such as verifying whether the IP address of the domain and the sub-domain is the same or different, verifying whether the domain and sub-domains have been active for a certain period, and verifying the patterns of the domains and sub-domains. 
 
Domain shadowing can be called a new evolution in online threats or fast flux. It has been considered the most effective and hard-to-detect technique used by any malicious attacker to date. The fraudulent actor can access and add tens of thousands of sub-domains into hijacked domains, and as they are available randomly, the next victim’s domain cannot be tracked.  
 
According to Palo Alto Network’s threat researchers, when they became aware of the deceptive phishing technique and the increasing cases associated with it, only 200 of them were potentially harmful. VirusTotal also disclosed that some of these were organized into single phishing campaigns by registering 649 fake or deceptive domains on 16 trusted websites. 
 
The shadowed domains work to steal the user’s login credentials known as the phishing technique. To protect your website or data from domain shadowing, you should adopt new-generation security measures, including connected threat intel platforms and checking on the webpage before entering the credentials.
Read more »
Spear Phishing Campaign
CrowdStrike Cyber Phishing malware Malware Attack Phishing Campaign RATs Spear Phishing Campaign

Callback Malware Campaign Imitates CrowdStrike and Other Big Cybersecurity Organizations


About the Attack

Earlier this month, CrowdStrike Intelligence found a callback phishing campaign copying big cybersecurity companies, including CrowdStrike. The phishing emails say that the receiver's (e-mail) company has been compromised and that the victim should contact the given phone number. The campaign incorporates similar social-engineering techniques that were used in the recent callback campaigns like WIZARD SPIDER'S 2021 Bazaar all campaign. 

The campaign is likely to include common genuine remote administration tools (RATs) for access in initial stage, off the shelf penetration testing tools for lateral movement, and execution of ransomware or extorting data. The callback campaign incorporates emails that look like it originates from big security companies, the message says that the security company found a potential issue in the receiver's network. As we have noticed in the earlier campaigns, the threat actor gives the recipient a phone number to call. 

In the past, callback campaign operators have tried to convince victims to install commercial RAT software to get an early foothold on the network. "For example, CrowdStrike Intelligence identified a similar callback campaign in March 2022 in which threat actors installed AteraRMM followed by Cobalt Strike to assist with lateral movement and deploy additional malware," says CrowdStrike. 

Current Situation 

Currently, CrowdStrike intelligence can't confirm the version in use, the callback operators will most probably use ransomware to monetize their operations. "This assessment is made with moderate confidence, as 2021 BazarCall campaigns would eventually lead to Conti ransomware — though this ransomware-as-a-service (RaaS) recently ceased operations. This is the first identified callback campaign impersonating cybersecurity entities and has higher potential success given the urgent nature of cyber breaches," says CrowdStrike.

Read more »
Scam
Cyber Fraud Cyber Hackers Cyber Phishing Fake forms Google Google Forms Scam

SaaS App Vanity URLs Can Be Spoofed for Phishing & Social Engineering

 

Researchers warn that vanity links made by businesses to add their brand to well-known cloud services could become a handy vector for phishing attacks and a technique to deceive users. Cloud services that don't check whether subdomains have been modified may allow URLs that appear to be from "varonis.box.com" or "apple.zoom.us," according to a Varonis advisory released on Wednesday. 

In the instance of Box.com, this could result in a malicious document; in the case of Zoom, it could result in a data-gathering webinar unrelated to the stated brand. The issue arises when a cloud service permits the usage of a vanity subdomain but does not validate it or use it to provide services. More than six months ago, Varonis warned Box.com and Zoom of the problem, as well as Google, whose URLs to Google Docs might be spoofed. 

The issues are essentially fixed, according to the company. According to Or Emanuel, director of research and security at Varonis, the vulnerability is likely to occur for other providers. "We think it is more than just those three SaaS services," he says, adding that attackers can also use the predictability of the subdomains to select potential victims. "Because of the vanity URLs, it makes it very easy for threat actors to scan all the subdomains of all the big Fortune companies with different cloud providers." 

Attackers use well-known companies to hide dangerous code and phishing sites, which allows them to dupe victims into trusting false e-mail messages and website links. In 2019, for example, three-quarters of businesses learned that the lookalike domain had been created by a third party using a top-level domain other than.COM. Varonis' research takes a different approach to the problem. 

Rather than looking at top-level domains, the company's researchers looked into ways to abuse the subdomains that many cloud service providers allow their customers to use. "Not only do vanity URLs feel more professional, but they also provide a sense of security for end-users," Varonis stated in the advisory. "Most people are likelier to trust a link at varonis.box.com than a generic app.box.com link. However, if someone can spoof that subdomain, then trusting the vanity URL can backfire."

When a customer is permitted to utilise their brand as a subdomain, such as varonis.zoom.us, a software-as-a-service (SaaS) application is vulnerable to the attack since the subdomain is no longer validated when the link is provided to a third party, such as participants in a conference call or webinar. In the case of Zoom's service, attackers may design a webinar that asks registrants a series of social engineering-friendly questions, rebrand the webinar as a well-known organisation, and then modify the resulting URL to the targeted URL. 

The original domain — for example, attacker.zoom.us — might be changed to varonis.zoom.us without affecting the link's functioning. A well-branded page might trick a victim into providing personal information, especially if the subdomain indicates that the host is a well-known organisation. In the case of Box.com, a link like app.box.com/f/abcd1234 may be modified to varonis.app.box.com/f/abcd1234 to make it look like an official form gathering information while actually sending it to the attacker.  

"The more interesting attacks from a data protection standpoint are when you have forms for registration or file-sharing requests," Emanuel says. "When the threat actor controls these pages, they can ask for any information they want, and it seems totally legit. It's really hard to determine that it's not a page that the company owns." 

This type of social engineering is beneficial in phishing assaults, as well as persuading people to click on links or download suspicious files. According to the FBI's annual Internet Crime Complaint Center (IC3) report, losses from cybercrime, including phishing attacks, reached approximately $7 billion in 2021. According to Emanuel, cloud providers should verify that any URL change is confirmed by the link's encoding. 

According to Varonis, both Box.com and Google have fixed the issues, albeit the errors still present for Google Forms and Google Docs when using the "Publish to the web" function. When the subdomain is changed, Zoom will notify users. Furthermore, users should be wary of links, particularly if the connected page requires too much information or leads to further links or files. 

"We recommend educating your coworkers about the risk associated with clicking on such links and especially submitting PII and other sensitive information via forms, even if they appear to be hosted by your company’s sanctioned SaaS accounts," Varonis stated in the advisory.
Read more »
Subscribe to: Posts (Atom)