Phishing

Hackers Bypass Multi-factor Authentication to Hack Office 365 & G Suite Cloud Accounts Using IMAP Protocol

Attackers are targeting legacy protocols with stolen credential dumps to increase the speed and efficiency of brute-force attacks. According to a Proofpoint study, IMAP is the most abused protocol: legacy IMAP authentication accepts only a username and password, so it sidesteps MFA, and the attacks are shaped to slip past lockout options for failed logins. These intelligent new brute-force attacks bring a new approach to the traditional […]

The post Hackers Bypass Multi-factor Authentication to Hack Office 365 & G Suite Cloud Accounts Using IMAP Protocol appeared first on GBHackers On Security.
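The excerpt above notes that IMAP lets these attacks bypass both MFA and failed-login lockout. Lockout is counted per account, so an attacker who spreads a couple of passwords over many accounts from one source never trips it; counting failures per source address instead makes the spray visible. The script below is an added example, not taken from the GBHackers article or the Proofpoint study it summarizes: it does that grouping over a constructed IMAP authentication log and also flags the classic single-account brute force for contrast. The log format, addresses and usernames are made up for the example; adapt the regular expression to your mail server's real log lines.

```python
"""Group IMAP authentication failures by source address to spot password spraying.

Per-account lockout counts failures against one mailbox. A sprayer tries one
or two passwords against many mailboxes from the same source, so no single
account reaches the lockout threshold; counted per source, the pattern is obvious.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a made-up key=value format, NOT the output of any real
# mail server. Adapt LINE_RE to your own IMAP/Exchange/Dovecot logs.
SAMPLE_LOG = """\
2019-03-14T02:10:03Z proto=imap src=203.0.113.7 user=alice@example.com result=fail
2019-03-14T02:10:05Z proto=imap src=203.0.113.7 user=bob@example.com result=fail
2019-03-14T02:10:08Z proto=imap src=203.0.113.7 user=carol@example.com result=fail
2019-03-14T02:10:11Z proto=imap src=203.0.113.7 user=dave@example.com result=fail
2019-03-14T02:10:14Z proto=imap src=203.0.113.7 user=erin@example.com result=fail
2019-03-14T02:10:17Z proto=imap src=203.0.113.7 user=frank@example.com result=fail
2019-03-14T02:25:40Z proto=imap src=203.0.113.7 user=alice@example.com result=fail
2019-03-14T02:25:43Z proto=imap src=203.0.113.7 user=bob@example.com result=fail
2019-03-14T02:25:46Z proto=imap src=203.0.113.7 user=carol@example.com result=success
2019-03-14T03:00:01Z proto=imap src=198.51.100.9 user=grace@example.com result=fail
2019-03-14T03:00:02Z proto=imap src=198.51.100.9 user=grace@example.com result=fail
2019-03-14T03:00:03Z proto=imap src=198.51.100.9 user=grace@example.com result=fail
2019-03-14T03:00:04Z proto=imap src=198.51.100.9 user=grace@example.com result=fail
2019-03-14T03:00:05Z proto=imap src=198.51.100.9 user=grace@example.com result=fail
2019-03-14T03:00:06Z proto=imap src=198.51.100.9 user=grace@example.com result=fail
2019-03-14T09:12:30Z proto=imap src=192.0.2.5 user=heidi@example.com result=fail
2019-03-14T09:12:45Z proto=imap src=192.0.2.5 user=heidi@example.com result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def analyze(log_text, window=timedelta(minutes=30), min_users=5, lockout_threshold=5):
    """Return {src: finding} for sources whose failures look like spraying or
    single-account brute force. Sources with a few ordinary typos are omitted."""
    events = [r for r in map(parse_line, log_text.splitlines()) if r]
    by_src = defaultdict(list)
    for rec in events:
        by_src[rec["src"]].append(rec)

    findings = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        fails = [r for r in recs if r["result"] == "fail"]

        # Largest number of distinct users failing inside any sliding window.
        peak_users, start = 0, 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            peak_users = max(peak_users, len({r["user"] for r in fails[start:end + 1]}))

        per_user = defaultdict(int)
        for r in fails:
            per_user[r["user"]] += 1
        max_per_user = max(per_user.values(), default=0)

        # A success on an account that failed earlier from the same source is the
        # line that matters most: a guessed password, with MFA never in play over IMAP.
        compromised = sorted({r["user"] for r in recs
                              if r["result"] == "success" and r["user"] in per_user})

        if peak_users >= min_users and max_per_user < lockout_threshold:
            pattern = "password spray"              # many users, few tries each: lockout never fires
        elif max_per_user >= lockout_threshold:
            pattern = "single-account brute force"  # the pattern lockout is designed to catch
        else:
            continue
        findings[src] = {
            "pattern": pattern,
            "distinct_users": peak_users,
            "max_attempts_per_user": max_per_user,
            "success_after_failure": compromised,
        }
    return findings


if __name__ == "__main__":
    for src, finding in analyze(SAMPLE_LOG).items():
        print(src, finding)
```

The thresholds (five distinct users inside a 30-minute window, lockout at five failures) are placeholders; set them from your own lockout policy and traffic. The "success after failure" list is the one to page on, since a successful IMAP login after a spray is a compromised mailbox that MFA never had a chance to protect.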

How a Hacking Group is Stealing Popular Instagram Profiles

by Jindrich Karasek and Cedric Pernet (Threat Researchers)

Social media influencers build and expand their business or brand through credibility and authenticity to their audience. For hackers, however, they could be seen as trophies. That’s what happened to a photographer with more than 15,000 followers on Instagram, when she had her account stolen.

A closer look into the incident revealed that the hacker got into her account through phishing. While it seemed straightforward enough, we also found that targeting popular Instagram profiles has become a modus operandi for a certain group of Turkish-speaking hackers. By abusing Instagram’s account recovery process, they were able to keep the stolen account even when the victim followed that process to the letter. We’ve seen cases where owners of Instagram profiles with between 15,000 and 70,000 followers were hacked and never got their accounts back. The victims ranged from famous actors and singers to owners of startup businesses such as photoshoot equipment rentals.

The group also engages in digital extortion. Once a victim tries to reach out to the hacker, they are pressured to hand over a ransom or nude photos and videos to get the account back. Of course, the hackers never return it. Indeed, this kind of attack, targeting high-profile accounts or social media influencers, is in line with our predictions for this year’s threat landscape.


Figure 1: A visualization of how the hackers are stealing the Instagram profiles

Attack chain
Analysis of the phishing kit revealed that the hosting server blocks requests whose User-Agent header identifies wget. We obtained the kit by spoofing the user agent.

The compromise starts with a phishing email pretending to be from Instagram. The email prods the potential victim to verify the account in order to receive the Verified badge for the user’s Instagram profile. Note that Instagram has specific requirements for verification, and the process only starts after the user requests it. Instagram doesn’t ask for credentials either.



Figure 2: Screenshot of the phishing email asking the user to verify his Instagram account



Figure 3: The phishing page the user gets redirected to (left) and another that asks for the user’s email credentials (center); after credentials are keyed in and submitted, the user will be redirected to a page that notifies the profile has been verified (right)

Once the user clicks the “Verify Account” button, he is redirected to a phishing page that asks for his date of birth, email address, and Instagram credentials. When we first saw these pages, they had no input validation at all and returned the same screen even after an empty form was submitted. The operators have since added basic validation that stops the user from submitting an empty form.

The victim is then prompted for the credentials of the email account tied to the profile as well. This is the step that matters: with both the Instagram password and the associated mailbox in hand, the attacker can change the information Instagram uses to recover the account and lock the real owner out. Once the form is submitted, a “verified” badge notification appears for only about four seconds, a trick to give users the impression that their profile has been verified.

After a short delay, the phishing page redirects to Instagram’s website, a common tactic in phishing. The victim is likely already logged in via cookies and simply lands on his own Instagram profile. Since we tested the phishing kit in a clean environment, we were shown Instagram’s login page instead.

The hacker’s modus
We looked further into these cases to learn about the hackers’ motives and how they operate. In an Instagram profile they’ve hacked, they changed its username to “natron_raze”, probably to indicate it was hacked. The email associated with the profile was also immediately modified. After some time, the account’s email was changed again. The trick here is to flood the victim with Instagram’s security emails asking if the changes were legitimate. The hacker would also try to draw the user’s attention by defacing the profile.


Figure 4: A defaced Instagram profile aiming to get attention from its owner

After the profile was compromised, other accounts immediately started following it. Some were fake profiles, while others were either previously stolen profiles or the hackers themselves. After some time, we saw the hacker removing the hijacked accounts from his follower list, although some returned, probably because the hacker realized that his activity was being monitored.

In one instance, we saw the hacker threatening to delete the account or never return the stolen profile unless the victim pays a ransom or sends nude photos or videos. The hacker also let others know he stole another account, as shown in Figure 4.


Figure 5: Screenshots of the hacked and defaced Instagram profiles

Searching for more information on “Hesap Ebedi” (Turkish for “account” and “eternal”), we found a thread on a hacking group’s forum discussing how to manage stolen accounts so their owners cannot get them back, even with the help of Instagram’s account recovery process.


Figure 6: Forum post on turkhackteam mentioning the attack dynamics of stealing Instagram accounts

We reached out and disclosed our findings to Facebook and Instagram but have yet to receive a response as of this writing.

Defending against phishing
The hackers in these instances lure victims into handing over personal information in exchange for an incentive (such as a blue badge on their profile). Their mimicry of Instagram’s emails also made the malicious messages look legitimate. Here are some of the red flags users and businesses can watch out for:

  • Use of domains other than the social network’s own
  • Dubious font styles (e.g., screenshots used in place of real text and images)
  • Incorrect grammar and punctuation
  • Emails that ask for credentials; social networks never ask for them outside of their actual, secure login pages

Trend Micro Smart Protection Suites and Worry-Free™ Business Security protect users and businesses from these phishing attacks by detecting malicious files and spammed messages and blocking related malicious URLs.

Indicators of Compromise (IoCs):
IP addresses related to the phishing attack:

  • 185[.]27[.]134[.]212
  • 104[.]24[.]119[.]10
  • 2606[:]4700[:]30[::]6818[:]760a
  • 2607[:]f8b0[:]4864[:]20[::]243

URLs related to the phishing attack:

  • hxxps://2no[.]co/2WPr35
  • hxxps://confirm[-]service[.]tk
  • hxxp://instagrambluetick[.]ml/?i=1
  • hxxp://instagrambluetick[.]ml/mailconfirmation[.]php
  • hxxp://instagrambluetick[.]ml/confirmed[.]php
  • hxxps://Instagram[.]derainbow[.]es
  • hxxp://urlkisaltma[.]com/27rjN
  • hxxp://urlkisaltma[.]com/farES
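The list above uses the usual defanging conventions (hxxp, [.], [:], [-]) so the indicators cannot be clicked by accident. The script below is an added example, not code from the Trend Micro post: it refangs the indicators so they can be fed to a blocklist or a SIEM lookup, and applies the first red flag from the “Defending against phishing” list to each URL, asking whether its registrable domain belongs to the social network or whether it only carries the brand name in a subdomain or a lookalike domain, as instagrambluetick[.]ml and Instagram[.]derainbow[.]es do. The set of shortener hosts and the two-label registrable-domain heuristic are assumptions made for the example; production code should use the Public Suffix List.

```python
"""Refang defanged IoCs and check each URL's domain against the brand's own.

Defanging (hxxp, [.], [:], [-]) keeps indicators from being clickable in
reports; refanging reverses it so they can be fed to blocklists or lookups.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# The indicators from the post above, copied in their defanged form.
IOCS = [
    "185[.]27[.]134[.]212",
    "104[.]24[.]119[.]10",
    "2606[:]4700[:]30[::]6818[:]760a",
    "2607[:]f8b0[:]4864[:]20[::]243",
    "hxxps://2no[.]co/2WPr35",
    "hxxps://confirm[-]service[.]tk",
    "hxxp://instagrambluetick[.]ml/?i=1",
    "hxxp://instagrambluetick[.]ml/mailconfirmation[.]php",
    "hxxp://instagrambluetick[.]ml/confirmed[.]php",
    "hxxps://Instagram[.]derainbow[.]es",
    "hxxp://urlkisaltma[.]com/27rjN",
    "hxxp://urlkisaltma[.]com/farES",
]

BRAND_DOMAINS = {"instagram.com"}
# Assumption for the example: the two shortener services that appear in the list above.
URL_SHORTENERS = {"2no.co", "urlkisaltma.com"}


def refang(indicator):
    """Undo common defanging: hxxp -> http, [.] -> ., [::]/[:] -> ::/:, [-] -> -."""
    s = re.sub(r"^hxxp", "http", indicator.strip(), flags=re.IGNORECASE)
    for defanged, real in (("[.]", "."), ("[::]", "::"), ("[:]", ":"), ("[-]", "-")):
        s = s.replace(defanged, real)
    return s


def defang(url):
    """Re-defang a URL for a report: http -> hxxp and every dot bracketed."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE).replace(".", "[.]")


def indicator_kind(value):
    """Classify a refanged indicator as ipv4, ipv6, url or other."""
    try:
        return "ipv%d" % ipaddress.ip_address(value).version
    except ValueError:
        return "url" if "://" in value else "other"


def registrable_domain(host):
    """Last two labels of the host. A simplification made for the example: real
    code should consult the Public Suffix List (e.g. the tldextract package)
    so that suffixes such as co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url, brand="instagram"):
    """Apply the first red flag above: is this the social network's own domain?"""
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    if reg in BRAND_DOMAINS:
        return "brand domain"
    if reg in URL_SHORTENERS:
        return "url shortener (hides destination)"
    if brand in reg:
        return "lookalike: brand name in registrable domain"
    if brand in host:
        return "lookalike: brand name only in subdomain"
    return "unrelated domain"


def triage(indicators):
    """Refang each indicator and, for URLs, attach the domain verdict."""
    rows = []
    for ioc in indicators:
        value = refang(ioc)
        kind = indicator_kind(value)
        row = {"defanged": ioc, "value": value, "kind": kind}
        if kind == "url":
            row["verdict"] = classify_url(value)
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in triage(IOCS):
        print(row["kind"].ljust(5), row["value"].ljust(50), row.get("verdict", ""))
```

The subdomain case is the one users most often miss: Instagram[.]derainbow[.]es reads as an Instagram address, but the browser is talking to derainbow.es, and nothing in the left-most label is under the brand’s control. The shortener verdict is deliberately separate, because a shortened link cannot be judged at all until it is expanded.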

The post How a Hacking Group is Stealing Popular Instagram Profiles appeared first on the Trend Micro Blog.
Author: Trend Micro

When Combating Emerging Social Media Attacks, Don’t Try to Swim Against the Current

The greatest threats to the enterprise are often those that use social engineering to extract information or data from employees. For threat actors, this tactic rarely requires any technical know-how, so the barrier to entry is low.

To make matters worse, the rapid rise in social media use lowers this barrier even further. Regardless of whether your enterprise has rules in place to limit social media use, you can’t stop employees from using social media 24/7. As threat actors continue to leverage social media attacks as a launchpad to infiltrate enterprise networks, what are some defensive tactics organizations should be aware of?

Before we get into specifics, it’s critical for the enterprise to recognize that as social media use increases, the threat of attacks carried out via social media escalates as well.

Understanding Attackers’ Social Media Tactics

The first thing organizations should be concerned about is the ease with which a bad actor can target employees through social media.

“It’s not that difficult with a little bit of information going in,” said Paul Bischoff, privacy advocate at Comparitech.com. According to Bischoff, a threat actor only needs to know the name of one person who lists a target employer in his or her profile.

If it’s a big company, the attacker may not even need to know a specific person’s name — they can simply take a guess at common names. Now that the threat actor has their target, they have several options. One is to try hacking the account, possibly by using passwords leaked in data breaches at other companies. Or, they can attempt to establish contact with the target and use a phishing attack to get the information they need, such as getting access to a business email account. They could even try to add the mark as a friend or hack an existing friend’s account to impersonate them and communicate with the original target.

Using social media can help threat actors evaluate their targets both inside and outside of the workplace. People share a lot of personal information on social media, which often includes valuable nuggets of data about their work life. While the ubiquity of social media is relatively new on the technology timeline, social engineering is a scheme as old as time.

In our hypothetical hacking situation, if access to the employee’s accounts is compromised, the next step for the attacker can be to infiltrate the target’s corporate network. Depending on the network, the starting point is often getting access to business email, according to Bischoff.

“If a hacker manages to break into someone’s email, they can wreak havoc,” Bischoff added. “Not only are they privy to existing emails, but they can write new ones. Furthermore, an email account is often where two-factor authentication PINs, password reset links and other sensitive account information is sent for all sorts of online accounts.”

Once the threat actor logs in to a victim’s email account, they can buy themselves time by taking steps to lock the target out by changing the password and/or recovery email address. Because these problems can take a while to resolve, attackers typically have some leeway to work their way up the food chain, impersonating victims and sending convincing phishing emails to others in the company.

Exploring Some Simple Prevention Techniques

One prolific method that threat actors use as a stepping stone to access sensitive corporate data is profile cloning, in which fake Facebook (or Instagram or another social network) profiles are created by using duplicate photos and relevant data stolen from a targeted user’s real social media profile.

“Facebook cloning can be used to establish contact with the target by impersonating an acquaintance,” said Bischoff. “The hacker might even clone an existing friend’s profile — would you notice if someone who didn’t post much on Facebook added you as a friend a second time? Facebook mitigates this by showing how many mutual friends you have with anyone who sends you a friend request, but not everyone pays attention or cares.”

To thwart these types of attacks, Bischoff advised employees to not post an employer on their social media profiles. If they must, instead of selecting from the drop-down list of existing employers that appears when you start typing, they can “create” a new employer. This prevents the employee from showing up on the threat actor’s list when they target that specific company.

Additionally, as security experts have mentioned repeatedly, it’s critical to educate employees on common phishing tactics and even consider testing this in real-time with practice phishing emails. With 27 percent of users failing a phishing test, according to a 2018 study, we must continue educating and testing teams across the organization and providing role-based education and awareness sessions. Finally, Bischoff suggested establishing rules that require a second form of identity verification to share certain information.

“For example, if someone requests a password to use the office VPN, that person should also verify the request in person or by phone, and be sure not to use a phone number listed in the email,” Bischoff said.

Stand United to Fend Off Emerging Social Media Attacks

I’m not suggesting that you dictate how and when your employees use social media — a fool’s errand if there ever was one. Especially in this bring-your-own-device (BYOD) era, social media use, even at work, is only going to keep rising. I distinctly recall the arduous task of trying to monitor social media use in the early days of Facebook, and can’t imagine how difficult it would be for IT decision-makers today.

The lure of social media is too much to fight against. Instead of pushing back, we need to work with what we’ve got and do our best to educate employees about potential social media attacks. Make employees part of the process instead of restricting their online behaviors, and arm them with knowledge that can help them become a layer in the organization’s security shield.

“A chain is only as strong as its weakest link,” said Bischoff. It’s all about strengthening the links.

The post When Combating Emerging Social Media Attacks, Don’t Try to Swim Against the Current appeared first on Security Intelligence.
Author: Mark Stone

Workplace Expectations and Personal Exceptions: The Social Flaws of Email Security

Even though they’ve been around for quite some time, phishing attacks continue to climb. According to Proofpoint’s 2019 “State of the Phish Report,” 83 percent of businesses experienced a phishing attack and 64 percent of security professionals encountered spear phishing threats in 2018. New vectors are also emerging: As noted by Forbes, software-as-a-service (SaaS) credential theft, messaging app attacks and malicious link embedding within shared files are all on the horizon for 2019.

The data begs the question: What’s wrong with email security? For years, thought leadership articles and information security experts alike have been recommending commonsense best practices that should curtail email attack efforts. Don’t click on unknown links. Don’t open unsolicited attachments. Use automated detection tools. And yet phishers are hauling in bigger catches than ever before, expanding their operations to include new threats and grab more data.

I believe the problem is tied to phishing’s fundamental premise: Social barriers are far easier to break than their technological counterparts. By exploiting critical social flaws — specifically, workplace expectations and personal exceptions — attackers can gain the upper hand.

Email Still Reigns Supreme

Despite recent challenges from up-and-comers such as social messaging apps and unified collaboration tools, email still reigns supreme in the workplace. As noted by CMS Wire, “There appears to be a general consensus that while social networks are useful to achieve work-related goals, email remains the undisputed communications tool in the enterprise.”

Email is timely and transparent — users can quickly send and receive information while creating a digital paper trail. Unlike some messaging apps, users can include attachments and draft longer responses and, since email exists outside of most collaboration continuums, employees can temporarily take a break from their inbox.

But that’s not the whole story. For better or worse, corporate email itself is a kind of social network. As Nathan Schneider, a professor of media studies at the University of Colorado, told The New York Times, “Email is the most resilient social network on the internet.” While it lacks the bells and whistles of social media platforms and the intimacy of face-to-face communication, email has evolved its own set of social rules around usage, etiquette and response times. For example, users are expected to create clear subject lines, reply to all emails (even if received in error), limit the amount of humor and restrict the use of punctuation such as exclamation marks, as noted by Inc.

The rise of interactive business email compromise (BEC) attacks also speaks to the social nature of email. New BECs don’t start with malicious payloads, but instead leverage short social messages to compel employee replies and create a compelling, albeit fake, interactive dialogue before dropping infected documents.

Simply put, email is the biggest, most used social network in the enterprise — and that’s not changing anytime soon.

The Psychology of Urgent Requests

The fundamentally social nature of email leads us to our first security issue: expectations.

Consider common phishing security advice that warns against emails marked “urgent” or “DO NOW.” Why the focus? Because humans are naturally conditioned to meet social norms and feel substantial pressure to conform. According to the Harvard Business Review, “Throughout our careers, we are taught to conform — to the status quo, to the opinions and behaviors of others, and to information that supports our views.” What’s more, as noted by Psychology Today, this conformity is accelerated in a small group setting — such as a corporate team or enterprise department — and further enhanced, according to Psych Central, by neurotransmitters such as dopamine that are produced when humans are part of a social group.

As a result, when it comes to well-written phishing emails that purportedly come from CEOs or HR managers, staff are preconditioned to reply ASAP with the requested information, even if they’ve had previous security training. Social pressure almost invariably trumps learned email security.

It Won’t Happen to Me!

While socially driven email networks increase the likelihood of faux-insider messages getting through the security chain, what about outside attacks? Much time and attention has been devoted to educating employees about the telltale signs of external phishing attempts, such as emails purportedly from financial institutions, government agencies or new business contacts.

Here, another facet of human social interaction is at work: Our natural disposition to believe we’re better than everyone else. It’s called the superiority illusion and, as noted by Scientific American, causes most people to think they’re better than average at most things, such as the ability to spot and prevent phishing attacks.

Since it’s impossible for the majority of people to be above average, the result is that advanced spam and phishing campaigns that make it past initial defenses may get overlooked by overconfident employees who assume they would recognize any sign of these attacks. It’s the old “it won’t happen to me” argument: Users presume they’ve got all the knowledge they need to spot attacks and if they’re victimized, there’s no way anyone could have seen it coming.

Evolve Your Email Security Strategy

What does this mean for companies looking to prevent phishing attacks?

First, there’s no need to ditch current security training. But, as CSO Online pointed out, it’s also a good idea to educate users on how not to craft an email. Don’t be your own worst enemy by sending unexpected, hastily typed emails with “URGENT” in the subject line.

Fundamental shifts in email security, however, require a rethinking of current best practices. To handle social expectation issues, companies must adopt top-down cultural change that prioritizes safety over speed. This is easier said than done when CEOs need hard data for stakeholders or chief financial officers (CFOs) are handling financial fluctuations in real-time, but giving staff time to double-check message origins and intentions before replying goes a long way toward reducing the number of reeled-in employees.

For security professionals, this means developing the ability to present potential phishing losses as line-of-business issues. In practice, this requires leading with context: How are current security issues impacting strategic objectives such as cost savings, customer confidence and regional performance? This can help shore up the notion that time lost to double-checking email requests via phone calls, face-to-face meetings or other methods is preferable to the monetary loss associated with successful attack campaigns.

Dealing with exceptional behavior, meanwhile, starts with a layered email security approach that eliminates obvious phishing attempts before they hit inboxes. Another key component of this defensive strategy is artificial intelligence (AI). AI-based tools capable of analyzing enterprise communication patterns and spotting inconsistencies already exist. Making them applicable to “above-average” phishing finders means leveraging a kind of low-key notification process, in turn aligning with user beliefs about their own ability to recognize phishing attempts.

Address the Human Components of Phishing

Email remains the top enterprise communication method and the obvious choice for attackers looking to compromise business networks. While current email security solutions can help mitigate phishing impacts, companies must recognize the role of corporate email as a social network to address the critical human components of this risk: social expectation and the superiority exception.

The post Workplace Expectations and Personal Exceptions: The Social Flaws of Email Security appeared first on Security Intelligence.
Author: Douglas Bonderud

Social Engineering Training: Why Getting Hacked Is a Security Advantage

It was one of the highest phishing rates I had ever seen: Almost 60 percent of employees clicked the malicious link. Yet the client, a chief information security officer (CISO) of a Fortune 100 company, asked a question that caught me completely off-guard.

“So what?” he said, clearly unimpressed.

As a “people hacker” for X-Force Red, IBM Security’s team of veteran hackers, I’ve performed social engineering exercises for companies around the world. There seem to be a lot of misconceptions about my job and the usefulness of social engineering assessments in security audits.

Confronted with that CISO’s indifference, I tried to explain exactly how serious our findings were and what the consequences might mean for the business.

During this assessment, my team started off by getting several payloads through the company’s email filters undetected. We identified that only two of the 300 employees reported the phishing email. The incident response (IR) team didn’t start its investigation until two days later; during those two days, we managed to infiltrate some of the legal team’s email accounts, where we discovered that the company was the target of a lawsuit that wasn’t yet public. If that lawsuit were to leak, it could significantly hurt the company’s reputation.

Additionally, by reusing some of the passwords we had compromised, we were able to log in to multiple employee payroll accounts, where we had access to direct deposit information — again, undetected. A criminal attacker could have changed direct deposit account numbers to siphon funds from employee paychecks.

My answer seemed to surprise the CISO and his team. In the end, they acknowledged that I provided a lot more information about their security posture than they expected to receive from the assessment.

Components of a Quality Social Engineering Assessment

If you ask someone to define a social engineering assessment, they would most likely say it tests the human aspect of security. However, if done correctly, it evaluates much more than that. Yes, assessments track how many times employees click a link, open an attachment or divulge sensitive information to a suspicious recipient on the phone. However, they can also assess if and how employees are reporting suspicious activity, and the effectiveness of IR and security awareness training programs.

With a well-designed assessment, the client should have a better understanding of how their IR team handles social engineering attacks. Many components of IR programs can be analyzed by answering questions such as:

  • How much time did it take for the IR team to respond to the social engineering activity?
  • Did the IR team follow any playbooks?
  • Did the team determine which employees knowingly or unknowingly divulged credentials, and did they issue password resets for those users?
  • If employees provided their credentials, did the IR team investigate whether those credentials were being used elsewhere as part of a suspicious activity?

In this type of engagement we test more than just people and processes; we can assess the effectiveness of security technologies too. Many of the actions performed, such as emailing a malicious payload or having an employee plug a malicious USB device into their workstation, attempt to bypass the different types of technology in place, such as email filters, intrusion detection systems (IDSs), antivirus software and more. Social engineering attack vectors exercise the deployed technology and show whether the social engineer can get past it.

Effectiveness and Ethics of Social Engineering

Some critics have argued that social engineering assessments are pointless, as they know employees will always fail against such an attack. But these assessments provide valuable metrics, which are important to track over time to identify how employees are performing and identify any major deviations. Often, individual employees fall victim repeatedly. It’s important to identify these users so they can receive additional training, and the company should ensure those accounts have limited access.

Others have pointed to social engineering tests that went too far, such as targeting employees’ personal accounts. Each social engineering consultancy tests differently. That’s why it’s important for security leaders to define what’s acceptable for the company, so that testers don’t cross any ethical lines. This conversation between security leaders and testers typically happens during the scoping process.

Here’s another common refrain: “We already have a security awareness training program in place, and it covers social engineering.” But how do you know the program is effective? Without properly testing it, there is no way to determine whether it could efficiently and successfully contain an attack. Plus, employees should have continuous opportunities to identify social engineering activities. It is not a one-and-done exercise. Social engineering exercises are the most realistic training employees can get outside of an actual attack.

How a Box of Doughnuts Can Breach Your Defenses

Some of the social engineering assessments performed by X-Force Red include physical tests, such as walking into a building carrying a box of doughnuts to get past security, and remote tests, such as impersonating an auditor to trick employees into divulging sensitive corporate data over the phone. For each test, only a limited number of company insiders know we are coming, and we scope the project ahead of time to ensure it is effective and ethical.

I can’t give away all our tricks of the trade, but you’ll have an opportunity to hear from five X-Force Red hackers, including me, when we share our greatest hits and best practices during a one-hour webinar on Jan. 29 at 11:00 a.m. EST. You may be surprised by some of the many ruses that get us through the door.

The post Social Engineering Training: Why Getting Hacked Is a Security Advantage appeared first on Security Intelligence.
Author: Stephanie Carruthers