This isn’t new, but it’s increasingly popular:

The technique is known as device code phishing. It exploits “device code flow,” a form of authentication formalized in the industry-wide OAuth standard. Authentication through device code flow is designed for logging printers, smart TVs, and similar devices into accounts. These devices typically don’t support browsers, making it difficult to sign in using more standard forms of authentication, such as entering user names, passwords, and two-factor mechanisms.

Rather than authenticating the user directly, the input-constrained device displays an alphabetic or alphanumeric device code along with a link associated with the user account. The user opens the link on a computer or other device that’s easier to sign in with and enters the code. The remote server then sends a token to the input-constrained device that logs it into the account.

Device authorization relies on two paths: one from an app or code running on the input-constrained device seeking permission to log in and the other from the browser of the device the user normally uses for signing in.
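The two paths described above, simulated in one process as an added example (not code from Ars Technica, Microsoft, or any OAuth library). The server-side structure follows the OAuth device authorization grant, RFC 8628; the endpoint names, the verification URI, the IP addresses and every other sample value are constructed placeholders, and the audit check at the end is an assumed defender-side addition rather than part of the standard.

```python
"""
Simulation of the OAuth device authorization grant (RFC 8628) with its two paths:
the input-constrained device polling for a token, and the user's browser approving
the code. Added example; endpoint names, the verification URI and all sample values
are constructed.
"""
import secrets
import string
import time

USER_CODE_ALPHABET = string.ascii_uppercase  # alphabetic user code, as described above


class DeviceAuthServer:
    """Authorization-server side of the flow: hands out device/user codes and
    releases the token only after the user code has been approved in a browser."""

    def __init__(self, lifetime_s=600, interval_s=5):
        self.lifetime_s = lifetime_s    # how long a user code stays valid
        self.interval_s = interval_s    # minimum polling interval for the device
        self._pending = {}              # device_code -> flow record
        self.audit = []                 # structured events a defender can review

    def device_authorization(self, client_id, device_ip, now=None):
        """Device path, step 1: the app on the printer/TV asks to start a flow."""
        now = time.time() if now is None else now
        device_code = secrets.token_urlsafe(32)          # secret; only the device sees it
        user_code = "-".join(
            "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4)) for _ in range(2)
        )                                                # e.g. "QWER-TYUI", shown to the user
        self._pending[device_code] = {
            "client_id": client_id, "user_code": user_code, "device_ip": device_ip,
            "expires_at": now + self.lifetime_s, "approved_by": None, "approver_ip": None,
        }
        self.audit.append({"event": "flow_started", "client_id": client_id,
                           "device_ip": device_ip, "user_code": user_code})
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/device",   # constructed placeholder
                "expires_in": self.lifetime_s, "interval": self.interval_s}

    def approve(self, user_code, username, browser_ip, now=None):
        """Browser path: the already signed-in user types the code at the verification URI."""
        now = time.time() if now is None else now
        for rec in self._pending.values():
            if (rec["user_code"] == user_code and rec["approved_by"] is None
                    and now < rec["expires_at"]):
                rec["approved_by"], rec["approver_ip"] = username, browser_ip
                self.audit.append({"event": "code_approved", "user": username,
                                   "browser_ip": browser_ip, "user_code": user_code})
                return True
        return False   # unknown, expired or already-used code

    def token(self, device_code, now=None):
        """Device path, step 2: the device polls until approval or expiry."""
        now = time.time() if now is None else now
        rec = self._pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if now >= rec["expires_at"]:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]   # single use
        self.audit.append({"event": "token_issued", "user": rec["approved_by"],
                           "client_id": rec["client_id"], "device_ip": rec["device_ip"],
                           "approver_ip": rec["approver_ip"]})
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "user": rec["approved_by"]}


def split_path_issuances(audit):
    """Defender check over the audit trail: tokens whose polling device and approving
    browser sat at different addresses. A legitimate TV-plus-phone sign-in can trigger
    this too, so treat it as a triage signal, not as proof of phishing."""
    return [e for e in audit
            if e["event"] == "token_issued" and e["device_ip"] != e["approver_ip"]]


if __name__ == "__main__":
    srv = DeviceAuthServer()
    start = srv.device_authorization("tv-app", device_ip="198.51.100.7")
    print("show user:", start["user_code"], "at", start["verification_uri"])
    print("first poll:", srv.token(start["device_code"]))       # authorization_pending
    srv.approve(start["user_code"], "alice", browser_ip="203.0.113.5")
    print("after approval:", srv.token(start["device_code"]))   # token for alice
    print("flagged:", split_path_issuances(srv.audit))
```

The point the simulation makes visible is that the token is bound to whoever approves the user code in a browser, not to the party that started the flow; the server only ever sees a code being entered at its verification page. The `split_path_issuances` check shows the one thing the authorization server can still observe: the two paths arrive from different places, which is the record a defender would correlate with sign-in logs.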

Since they first appeared in the 1990s, quick response (QR) codes have rapidly become intertwined in our daily lives. Used today for everything from ordering food to paying for parking or undertaking virtual tours at a museum exhibition, QR codes make it convenient and easy to access digital information using a smartphone camera. However, just as with any other widespread technology, it’s no surprise that cybercriminals have now begun to exploit them.

News stories about members of the public who have been scammed when they scanned a malicious QR code in public spaces are becoming commonplace. However, this type of fraud is relatively small compared to the more targeted types of cyber fraud now being directed at UK businesses.

As cybercriminals hone and evolve their phishing tactics, they have begun sending out emails with phony QR codes designed to trick people into providing sensitive information or downloading malware. With these so-called quishing attacks on the rise, organisations will need to take steps to counter this sophisticated new attack trend.

What is ‘quishing’ and what is it being used for?

QR phishing, or quishing, works like a standard phishing attack except that the malicious link is hidden in a QR code rather than a ‘click through’ email link. When the recipient scans the QR code with their phone or a QR code reader, they are re-directed to a malicious website that may request sensitive information or download malware. The QR code links used in quishing attacks can also initiate actions on a smartphone, including the composition and distribution of phishing emails to the user’s contacts. All of this further compromises the victim and the organisation they work with.

As with phishing attacks, quishing attacks use social engineering tactics to establish a degree of trust while impressing the need for urgent action. An email could feature an urgent message stating that an employee will be unable to access their data or applications unless they scan and confirm their identity. Alternatively, printed leaflets and brochures featuring offers that can be accessed with a quick scan of a QR code can be sent through to an organisation for distribution or collection from the front desk.

What’s prompting scammers and hackers to use quishing?

Cybercriminals have become adept at exploiting everyday tools to convince employees to reveal confidential information or execute fraudulent transactions and this new attack strategy is fast gaining in popularity for a number of reasons.

Interpreted as harmless images, digital QR codes are sometimes capable of bypassing a number of basic email scanners and firewalls. Added to this, users will typically scan QR codes using their own personal devices which will lack the enterprise cyber security tools that can detect potential compromises.

Cybercriminals also don’t really need to write complex code to deliver a QR code link. In some instances, they can simply stick a fake QR code over an existing piece of physical content.

Finally, the general public is so used to using phones on a day-to-day basis that most will think nothing of using a phone to scan a QR code and then log into services without feeling the need to exercise caution; people seem to see a phone as a safety blanket when it comes to security, one which is somehow immune to traditional attack vectors.

A versatile attack method

Capable of being delivered via email, texts, WhatsApp messages, social media posts, and websites, as well as printed copy, the sheer versatility of QR codes is making them the attack vector of choice for a growing number of cybercriminals. 

In recent months, attackers have become increasingly inventive and are now perpetrating quishing attacks via video conferencing apps. They are also using attacker-in-the-middle/impersonation token attacks in a bid to outmanoeuvre multi-factor authentication techniques.

Aware that low general awareness of quishing means few employees will be on their guard, attackers are keen to leverage people’s inherent trust in QR codes to swerve cyber security defences and perpetrate their malevolent activities.

Key mitigation steps

Personnel across the enterprise need to be alerted to this new threat, and organisations need to deliver education and training on what quishing is and the importance of treating QR codes with the same degree of suspicion and caution as dubious looking email links. They should also be informed of the risks they face outside work, whenever they scan a QR code in a public place. Using a scanning app to preview a QR code link before accessing it is an essential precautionary step that will help prevent malicious QR codes from automatically downloading malware when scanned.

Organisations should also review their email filtering, URL filtering, and endpoint protection to ensure it is up to date and is capable of blocking phishing emails with suspect QR codes before they reach a recipient. Should a user open a malicious link, endpoint protection should ensure that QR codes are prevented from launching a malware attack and virus scanners and checkers can be used to identify and remove active or dormant malware.

To mitigate the risk of physical codes sent in the post, ensure that processes are in place to support anyone responsible for opening mail to report and check any mail received containing QR codes. Digital mailrooms should also have systems in place to spot potentially malicious QR codes.

As cybercriminals adapt their methods, organisations should review and adjust their defence strategies and make sure they deliver security training that ensures everyone stays vigilant. Doing so will enhance the ability of the organisation to withstand quishing attacks and prevent cybercriminals gaining direct access into the company’s systems.

The post Is quishing the new phishing? Protecting your business against the next threat vector appeared first on Cybersecurity Insiders.

In today’s digital age, phishing attacks have become one of the most prevalent threats to organizations. Cybercriminals are constantly devising new methods to deceive employees into sharing sensitive information, whether it be through emails, phone calls, or other communication channels. As these attacks continue to evolve, organizations must prioritize training their employees to recognize and respond to such threats. One of the most effective ways to achieve this is through simulated phishing attacks.

Simulated phishing attacks are controlled, mock versions of actual phishing attempts, designed to mimic the tactics and techniques cybercriminals use to deceive employees. These simulated attacks can be used as a part of broader security awareness programs to educate employees, test their vigilance, and ultimately improve the organization’s overall security posture. Here’s how simulated phishing attacks can play a key role in employee training and awareness.

1. Realistic Training Scenarios

The best way to learn is by experience, and simulated phishing attacks offer a practical approach to training employees. These exercises expose employees to real-life phishing attempts in a controlled environment, helping them to recognize malicious emails or suspicious links before they fall victim to a real attack. Unlike traditional theoretical training, simulated phishing mimics the urgency and trickery used by attackers, giving employees hands-on experience that improves their ability to identify future threats.

For instance, a simulated phishing attack could involve sending a fake email that appears to come from the organization’s IT department, urging employees to click on a link to reset their passwords. When an employee clicks on the link, they’re redirected to an educational page that explains the dangers of phishing and how to avoid falling for similar traps in the future. This method reinforces the lesson much more effectively than simply reading about phishing threats.

2. Raising Awareness and Reinforcing Best Practices

Phishing awareness isn’t just about identifying deceptive emails—it’s about fostering a broader understanding of cybersecurity best practices. Simulated phishing campaigns not only teach employees how to recognize phishing attempts but also reinforce key security behaviors such as verifying the sender’s email address, hovering over links to check their destination, and being cautious about unsolicited attachments or requests for sensitive information.

By repeatedly exposing employees to simulated attacks, organizations can make phishing awareness a part of their employees’ daily routine. Over time, these behaviors become ingrained in the workforce, leading to a security-conscious culture that helps prevent successful phishing attempts.

3. Identifying Knowledge Gaps and Vulnerabilities

One of the biggest advantages of running simulated phishing attacks is the ability to identify specific knowledge gaps among employees. Organizations can track which employees fall for simulated phishing attempts, the types of phishing schemes they are most susceptible to, and how long it takes for them to recognize a threat. This data can then be used to tailor future training programs to address the specific vulnerabilities within the organization.

For example, if a large number of employees fail to identify phishing emails related to password resets, the organization can target this weakness with additional training or simulations focused on this particular type of phishing attack. This personalized approach ensures that training is relevant and effective.

4. Reducing the Risk of Real-World Cyberattacks

The ultimate goal of simulated phishing attacks is to reduce the risk of successful cyberattacks. By creating awareness and enhancing employees’ ability to recognize phishing attempts, organizations can significantly lower the likelihood of falling victim to real attacks. Phishing remains one of the primary entry points for cybercriminals to gain access to sensitive data, install malware, or launch ransomware attacks. Through repeated exposure to simulated phishing, employees become better equipped to defend against these threats, minimizing the risk of security breaches.

Moreover, organizations that conduct regular simulated phishing campaigns demonstrate their commitment to cybersecurity. This proactive approach can also lead to increased trust from clients, partners, and stakeholders who are assured that the organization takes security seriously.

5. Continuous Improvement Through Feedback

Simulated phishing attacks also provide valuable feedback that can be used to refine security training programs. By analyzing how employees respond to simulated attacks, organizations can continuously improve their training materials and methods. Feedback can also be provided to employees on their responses to simulated attacks, allowing them to learn from their mistakes and strengthen their ability to detect phishing attempts in the future.

Conclusion

Simulated phishing attacks offer a powerful tool for training and creating awareness among employees about the dangers of phishing. By providing realistic, hands-on experience in a safe environment, these simulated attacks help employees understand the tactics used by cybercriminals and develop the skills to recognize and avoid phishing attempts. In addition, simulated phishing campaigns enable organizations to identify vulnerabilities and gaps in knowledge, allowing them to tailor training programs for maximum effectiveness.

Ultimately, simulated phishing attacks play a crucial role in fostering a security-aware culture, reducing the risk of cyberattacks, and ensuring that employees remain vigilant in the face of increasingly sophisticated phishing schemes. With cyber threats continuing to evolve, ongoing training and awareness are essential to safeguarding organizational data and maintaining strong defenses against cybercriminals.

The post Can Simulated Phishing Attacks Help in Training and Creating Awareness Among Employees? appeared first on Cybersecurity Insiders.

UK Home Office Seeks Access to Apple iCloud Accounts

The Home Office of the United Kingdom, a key ministerial authority responsible for overseeing immigration, national security, law enforcement, and order, has recently made a significant move aimed at gaining access to sensitive data stored in Apple iCloud accounts. The request, reportedly sent by the UK Home Office to the iCloud platform, seeks to access the servers in order to obtain intelligence regarding individuals who have been found guilty of certain crimes or are under investigation.

However, as expected, Apple has firmly rejected the Home Office’s request. The tech giant reiterated its long-standing position on user privacy, emphasizing that it is committed to protecting the fundamental right to privacy for its customers.

Apple stated unequivocally that it would never compromise the privacy of its users, even in the face of government requests, and would not allow law enforcement agencies to access sensitive data from iCloud accounts.

This statement mirrors the stance Apple took earlier with American authorities, reinforcing the company’s dedication to safeguarding its users’ personal information. Apple’s unwavering position highlights its commitment to upholding privacy rights globally, regardless of governmental pressures. For Apple, protecting the integrity of its customers’ data and respecting their privacy remains a core value of the company.

In this context, Apple’s actions serve as a reminder of the growing tension between tech companies and governments around the world, as authorities increasingly seek access to encrypted data for investigative purposes. However, the balance between national security concerns and individual privacy continues to spark debate.

FBI Issues Cybersecurity Warning: Phishing Scam Targeting Toll Payments

In recent days, residents of several U.S. states—California, Massachusetts, North and South Carolina, Illinois, Colorado, and Florida—have reported receiving fraudulent messages regarding unpaid toll tickets. These messages claim that a toll ticket is pending under the recipient’s name and often include a link that leads to a phishing page designed to steal personal information. The fraudulent message typically appears legitimate, making it difficult for unsuspecting individuals to discern the scam from a genuine notification.

The phishing attack, which is being attributed to cybercriminals, has raised alarm across various states. Some experts speculate that the campaign could be coordinated by Chinese state-sponsored actors due to the wide reach of the scam and its ability to target residents in multiple states simultaneously. This suggests that the scam may be part of a larger, coordinated effort to exploit vulnerabilities and gather sensitive data.

According to the FBI’s cybersecurity division, the scammers are requesting small sums—often no more than $10—to create an illusion of legitimacy and build trust with the victim. This low amount makes the scam more believable, as individuals are less likely to question a modest fee. However, the payment is not actually for any toll-related charges. Instead, the link leads to a fraudulent website where victims unknowingly provide financial information, leaving their bank accounts vulnerable to theft.

The FBI has issued a warning to the public, urging everyone to be cautious of unsolicited messages, especially those containing links or attachments. Cybersecurity experts advise that individuals should avoid clicking on suspicious links, especially those from unknown sources, and should never enter personal or financial information on unfamiliar websites. The best course of action is to delete such messages immediately and report them to local authorities if necessary. Additionally, experts recommend using updated antivirus software and security measures to safeguard against future threats.

With the rapid spread of these phishing attempts, it’s crucial for residents across the U.S. and beyond to remain vigilant and cautious when dealing with unsolicited communications, especially those that seem to come from official or trusted organizations. Cybercriminals are becoming increasingly sophisticated, and scams like these are just a small part of a larger trend of online threats.

Conclusion

By elaborating on the core issues, we can better understand the gravity of both privacy concerns related to iCloud data and the ongoing cybersecurity risks posed by phishing schemes. These topics highlight the delicate balance between technological innovation, privacy rights, and the growing need for robust cybersecurity defenses in the modern digital age.

The post Details on Home Office Apple iCloud access and FBI message scam alert appeared first on Cybersecurity Insiders.

In recent years, we’ve witnessed the rise of phishing attacks, where cybercriminals trick victims into clicking on malicious web links to harvest sensitive personal information. Building upon this tactic, a new form of attack has emerged known as “Mishing” — a cyber campaign specifically targeting mobile devices with phishing links, usually propagated through SMS or messaging apps like WhatsApp, Signal and Telegram.

Zimperium, a leader in offering mobile security solutions, has uncovered a sophisticated mishing campaign where hackers impersonate the United States Postal Service (USPS) to target mobile users. Their zLabs threat research team has reported that malicious SMS messages are being sent to U.S. and a few UK-based phone numbers. These messages typically contain a short URL that leads to a PDF file, which, when opened, redirects users to a website designed to steal credentials and compromise personal data.

The crux of this attack is that many telecom service providers fail to adequately scan or provide visibility into the contents of attached PDF files, which leaves users vulnerable to threats like data breaches and credential theft. These malicious files often contain obfuscated code or scripts that execute when accessed, facilitating the download of malware or ransomware on the victim’s device.
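Where a gateway does look inside the PDF, the first-pass triage is static: count the object names that introduce scripts, automatic actions and links, after undoing the `#xx` name escapes that are used to hide them. The following is an added example of that triage in the style of the pdfid approach, not Zimperium’s or zLabs’ code; the three sample PDFs and the URL inside them are constructed placeholders, and the string extraction is simplified (a full parser would also handle escaped parentheses, hex strings and compressed object streams).

```python
"""
Static triage of a PDF received by SMS: count object names that introduce scripts,
automatic actions and links, after resolving #xx name escapes. Added example; the
sample PDFs and the URL in them are constructed placeholders.
"""
import re

# Name -> why a defender cares. Names are matched after escape normalisation.
RISKY_NAMES = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code or stream",
    b"/OpenAction": "action runs automatically when the file opens",
    b"/AA": "additional actions fired by page or form events",
    b"/Launch": "launches an external application or file",
    b"/URI": "web link (the redirect described above)",
    b"/SubmitForm": "sends form contents to a URL",
    b"/EmbeddedFile": "carries an embedded file",
}
ACTIVE = {"/JavaScript", "/JS", "/Launch", "/SubmitForm", "/EmbeddedFile"}
AUTOMATIC = {"/OpenAction", "/AA"}
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_names(data: bytes) -> bytes:
    """PDF names may spell characters as #xx, so /J#61vaScript is the same as /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Return indicator counts, obfuscation count, literal-string URIs and a verdict."""
    if not data.startswith(b"%PDF-"):
        return {"is_pdf": False, "indicators": {}, "obfuscated_names": 0,
                "uris": [], "verdict": "not-pdf"}
    obfuscated = len(_HEX_ESCAPE.findall(data))   # escapes in names are themselves a signal
    norm = normalise_names(data)
    indicators = {}
    for name in RISKY_NAMES:
        # Require a delimiter after the name so /JS does not also count longer names.
        count = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", norm))
        if count:
            indicators[name.decode()] = count
    uris = [u.decode("latin-1") for u in re.findall(rb"/URI\s*\((.*?)\)", norm)]
    found = set(indicators)
    if found & ACTIVE or found & AUTOMATIC or obfuscated:
        verdict = "review"          # hold for sandboxing or analyst review
    elif found:
        verdict = "links-only"      # hand the URIs to the URL filter
    else:
        verdict = "low"
    return {"is_pdf": True, "indicators": indicators, "obfuscated_names": obfuscated,
            "uris": uris, "verdict": verdict}


# Constructed samples: a lure that opens a script automatically, a plain link, and a clean file.
LURE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://short.example/usps) >> >> endobj\n"
    b"5 0 obj << /S /J#61vaScript /JS (placeholder script) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
LINK_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://short.example/usps) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, pdf in (("lure", LURE_PDF), ("link", LINK_PDF), ("clean", CLEAN_PDF)):
        print(label, triage_pdf(pdf))
```

The verdicts map onto what a carrier or mail gateway can actually do with a file it cannot fully parse: hold anything with active or automatic content, pass bare links to the URL filter, and let the rest through. Escaped names are counted separately because a benign generator has little reason to write `/J#61vaScript`.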

It’s important to note that the United States Postal Service is in no way involved in this mishing campaign. The USPS is an innocent party, and the malicious links are purely a social engineering tactic used by the attackers to gain victim trust.

To counter such attacks, awareness is the most powerful defense. As with email security, users should exercise extreme caution when receiving unsolicited messages from unknown numbers, especially those containing links or attachments. The same best practices used to avoid phishing emails should be applied to mobile security. For instance, users should avoid clicking on any links that seem suspicious or come from unknown senders, and never open attachments unless they are absolutely sure of the source.

In summary, this mishing campaign targeting iPhone and Android users under the guise of USPS alerts is a growing threat, though the specifics of the scam — such as the sender’s identity or the phrasing of the message — may evolve over time. The attackers may attempt to deliver malware, drop a malicious payload, or further escalate their attack in a variety of ways. Keeping vigilant and adopting a proactive stance toward mobile security will be key in defending against these increasingly sophisticated threats.

The post Mishing Cyber Attack from malicious PDF appeared first on Cybersecurity Insiders.

Microsoft’s Threat Intelligence teams have uncovered and exposed a spear phishing campaign targeting WhatsApp accounts, attributed to the Russian-linked hacker group Star Blizzard. The campaign began in October 2023 and continued through August 2024.

Following extensive analysis, Microsoft’s experts revealed that the campaign primarily targeted journalists, politicians, think tanks, and NGO leaders. These individuals’ data was collected and transmitted to remote servers, according to the company’s findings.

Star Blizzard’s method was straightforward: they initially sent a link to WhatsApp users that appeared to be from a well-known U.S.-based organization, such as a government agency, NGO, or public utility. Once a user engaged with the link, they were subsequently sent an email containing a malicious web link. This was the beginning of the covert operation to gather sensitive information from the victims without their awareness.

The U.S. Department of Justice, in collaboration with the FBI, has identified and taken action against those responsible for the campaign. They seized the perpetrators’ IT infrastructure and gathered substantial evidence. However, the threat remains persistent as the attackers continue to find new ways to carry on their cybercriminal activities.

It’s worth noting that this tactic mirrors previous incidents, such as the spread of Pegasus spyware by the NSO Group. Originally developed for government use to monitor terrorists and criminals, Pegasus made its way to the dark web and was eventually used to infiltrate the device of Amazon founder Jeff Bezos via WhatsApp, leading to a high-profile personal scandal.

Similarly, Star Blizzard appears to be carrying out surveillance on behalf of the Kremlin, conducting spear phishing campaigns to gather intelligence for political or strategic purposes.


The post Microsoft exposes WhatsApp Spear Phishing Campaign of Star Blizzard appeared first on Cybersecurity Insiders.

I am always interested in new phishing tricks, and watching them spread across the ecosystem.

A few days ago I started getting phishing SMS messages with a new twist. They were standard messages about delayed packages or some such, with the goal of getting me to click on a link and enter some personal information into a website. But because they came from unknown phone numbers, the links did not work. So—this is the new bit—the messages said something like: “Please reply Y, then exit the text message, reopen the text message activation link, or copy the link to Safari browser to open it.”

I saw it once, and now I am seeing it again and again. Everyone has now adopted this new trick.

One article claims that this trick has been popular since last summer. I don’t know; I would have expected to have seen it before last weekend.