Researchers at PIXM have uncovered a major Facebook Messenger phishing scam that’s "potentially impacted hundreds of millions of Facebook users." More than eight million people have visited just one of these phishing pages so far this year.
"While viewing the Yearly Views page, we see 2.7 million users visited one of their pages in 2021, and around 8.5 million so far in 2022," the researchers write. "This represents tremendous growth in the campaign from 2021 to 2022."
The threat actors used compromised Facebook accounts to spread the phishing pages through Facebook Messenger.
"It appeared evident that these links originated from Facebook itself," the researchers write. "That is, a user's account would be compromised and, in a likely automated fashion, the threat actor would log in to that account, and send out the link to the user's friends via Facebook Messenger.
"Facebook's internal threat intelligence team is privy to these credential harvesting schemes; however, this group employs a technique to circumvent their URLs from being blocked. This technique involves the use of completely legitimate app deployment services to be the first link in the redirect chain once the user has clicked the link.
"After the user has clicked, they will be redirected to the actual phishing page. But, in terms of what lands on Facebook, it's a link generated using a legitimate service that Facebook could not outright block without blocking legitimate apps and links as well."
Notably, the campaign used automation to cycle through different phishing pages, which enabled it to avoid detection by security technologies.
"Once one of [the URLs] was found and blocked, it was trivial (and based on the speed we observed, likely automated) to spin up a new link using the same service, with a new unique ID," the researchers write. "We would often observe several used in a day, per service.
"The use of these services allows the threat actors' links to remain undetected and unblocked by Facebook Messenger (and by domain reputation services) for long periods of time. This approach has yielded enormous success for the threat actor."
PIXM has the story.
If you've re-used your Facebook credentials anywhere else, we strongly urge you to change your passwords. Always try to keep a unique password for every web account you have to minimize your exposure to these kinds of situations.
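The defensive lesson in the PIXM write-up is that a link has to be judged by where it lands, not by its first hop, because the first hop sits on a service that cannot be blocked and the unique ID in it is rotated as soon as one link is blocked. The following script, an added example that is not PIXM's code, resolves a redirect chain from a hard-coded hop table (a stand-in for the HTTP 3xx, meta-refresh and JavaScript hops a sandbox would actually follow) and shows that a blocklist keyed on the exact first-hop URL misses the rotated link while one keyed on the landing host catches it. Every hostname, URL and the "legitimate hosting service" entry below is constructed for the demo; no real provider or campaign URL is referenced.

```python
"""Resolve a redirect chain and judge the link by its landing host.

Added example, not PIXM's code. Hostnames, URLs and the hosting-service
placeholder are all constructed for the demo.
"""
from urllib.parse import urlparse

# Constructed placeholder for a legitimate app-hosting service whose domain a
# filter cannot block outright without also breaking real apps hosted there.
LEGIT_HOSTING_SERVICES = {"apps.hosting-service.example"}

# Constructed hop table: URL -> the URL it redirects to. In production this is
# populated by following the redirects in a sandbox; here it is static so the
# example runs offline.
REDIRECTS = {
    # Two links that differ only in their unique ID and land on the same page.
    "https://apps.hosting-service.example/app/a1b2c3": "https://go.redirector.example/?r=1",
    "https://apps.hosting-service.example/app/d4e5f6": "https://go.redirector.example/?r=2",
    "https://go.redirector.example/?r=1": "https://facebook-login-verify.example/login",
    "https://go.redirector.example/?r=2": "https://facebook-login-verify.example/login",
    # A benign app on the same hosting service: it never leaves the service.
    "https://apps.hosting-service.example/app/real-app":
        "https://apps.hosting-service.example/app/real-app/index.html",
}


def resolve_chain(url, max_hops=10):
    """Follow the hop table until a URL has no further redirect (or max_hops)."""
    chain = [url]
    while chain[-1] in REDIRECTS and len(chain) <= max_hops:
        chain.append(REDIRECTS[chain[-1]])
    return chain


def landing_host(url):
    """Hostname of the final page the link resolves to."""
    return urlparse(resolve_chain(url)[-1]).hostname


def is_suspicious(url, brand="facebook"):
    """Flag a link that starts on a legitimate hosting service but ends on a
    host that contains the brand name without being the brand's own domain."""
    first = urlparse(url).hostname
    last = landing_host(url)
    if not first or not last:
        return False
    if first not in LEGIT_HOSTING_SERVICES or last == first:
        return False  # not the pattern described in the article
    impersonates = brand in last
    is_real_brand = last == f"{brand}.com" or last.endswith(f".{brand}.com")
    return impersonates and not is_real_brand


def blocked_by_exact_url(url, blocked_urls):
    """The approach the campaign defeats by rotating the unique ID."""
    return url in blocked_urls


def blocked_by_landing_host(url, blocked_hosts):
    """Blocking on the resolved landing host survives first-hop rotation."""
    return landing_host(url) in blocked_hosts


if __name__ == "__main__":
    first_link = "https://apps.hosting-service.example/app/a1b2c3"
    rotated_link = "https://apps.hosting-service.example/app/d4e5f6"
    exact_blocklist = {first_link}
    host_blocklist = {landing_host(first_link)}
    print("chain:", " -> ".join(resolve_chain(first_link)))
    print("rotated link caught by exact-URL blocklist:",
          blocked_by_exact_url(rotated_link, exact_blocklist))
    print("rotated link caught by landing-host blocklist:",
          blocked_by_landing_host(rotated_link, host_blocklist))
```

The same idea applies to mail gateways and URL-reputation feeds: record the resolved landing host and page fingerprint alongside the delivered URL, so that a block survives the next unique ID on the same hosting service.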
“BEC scammers use a variety of techniques to hack into legitimate business email accounts and trick employees to send wire payments or make purchases they shouldn’t,” Suderman writes. “Targeted phishing emails are a common type of attack, but experts say the scammers have been quick to adopt new technologies, like “deep fake” audio generated by artificial intelligence to pretend to be executives at a company and fool subordinates into sending money.”
Suderman cites a case from San Francisco, where a nonprofit lost more than half a million dollars to one of these scams.
“In the case of Williams, the San Francisco nonprofit director, thieves hacked the email account of the organization's bookkeeper, then inserted themselves into a long email thread, sent messages asking to change the wire payment instructions for a grant recipient, and made off with $650,000,” Suderman says.
BEC actors also collaborate and share information with each other to improve their attacks. “Unlike ransomware operators who try to keep their communications private, BEC scammers often openly exchange services, share tips or show off their wealth on social media platforms like Facebook and Telegram,” Suderman writes. “A Facebook group called Wire Wire.com, which was until recently available to anyone with a Facebook account, acted as a message board for people to offer BEC-related services and other cybercrimes.”
Suderman concludes that organizations of all sizes need to be wary of BEC scams. “Almost every enterprise is vulnerable to BEC scams, from Fortune 500 companies to small towns,” Suderman writes. “Even the State Department got duped into sending BEC scammers more than $200,000 in grant money meant to help Tunisian farmers, court records show.”
With the recent activity in the job market, it appears that LinkedIn has become the latest avenue for attackers. Emails that appear to be from LinkedIn are being spoofed (impersonated) by bad actors, often claiming new job opportunities, profile views, or searches that included your name. Many times these attacks come from other compromised email accounts so they appear more legitimate, and the messages are formatted to look identical to official ones from LinkedIn.
According to the CyberWire, links in these emails tend to send you to what’s known as a credential harvesting site: a page that looks like LinkedIn’s login page (or sometimes a Microsoft or Google login) where the username and password you enter are scraped (captured by the bad actor) instead of going to the legitimate website. This type of credential phishing email is the most prevalent attack currently being exploited online.
As people reassess their career goals, or change jobs to allow for more remote work as we come through COVID, attackers have realized there is a lot of opportunity in this area.
Responding to Phishing
It’s important to remember that we’re all human and prone to making mistakes. We recommend two possible responses to these kinds of phishing emails.
- If you notice it, the best thing to do is report the email to Google. That will then impact our entire environment (@bethel.edu). You do so by clicking the 3 vertical dots next to the reply arrow on that specific email and selecting "Report phishing". That then flags the sender and alerts our security team as well as flagging it for anyone else at Bethel (if they targeted multiple people for example).
- If you clicked on a link, entered credentials, or took any other action that you worry may have compromised your account, you can reach out to firstname.lastname@example.org. Our team will then take any necessary steps to remediate your account and/or device as appropriate.
If you are caught in a phishing attack - don’t feel bad! It happens to us all. Reporting it and letting IT take the steps necessary to re-secure your account is the most important thing you can do in that moment.
Have you ever been curious to know what your web activity looks like from a macro perspective? Each day, we spend more and more time connected on the web - browsing, using applications, social media, etc. Have you ever stopped to consider how much time and how much of your identity is on the web?
Consider this: on any given day, the Bethel community consumes (downloads) about 12TB of data on the web. It’s estimated that 85,899,345 pages of Word documents would fill one terabyte. Another comparison is that one terabyte is approximately 17,000 hours of music! So, on any given day we’re downloading the equivalent of 204,000 hours of music!
So, what do we spend our time on that’s equal to that much data? Well, here are the top 10 applications (from a web traffic perspective) over the last 30 days:
QUIC is basically the Chrome browser (and Firefox), and the rest are pretty self-explanatory. The data above is all in KB (so for example, 14TB of data was streamed from Netflix over the past 30 days).
What devices use all that data, you may ask? Well, the most popular operating system on campus is Mac OS. That’s followed by iOS, Android and finally Windows devices. The one exception, which sits in the middle of all of those, is gaming consoles. They are the second most used platform on campus, after Macs.
How does this relate to security? Well, we all have accounts we no longer use, but some apps and websites make deleting your profile a pain. In those cases, simply ignoring them is an easier option. However, unused accounts are a major security threat: all it takes is one successful data breach or credential-stuffing attack to potentially compromise your personal data, financial information, or private files. With how much we are all online, taking some time to eliminate old accounts is a great security measure and can help minimize your exposure. Services like Mine can be great resources for taking back ownership of your online data. Other avenues include checking your commonly used usernames at checkusernames.com, knowem.com, namecheck.com, and usersearch.org (for looking up your old usernames).
Even if you aren't familiar with Okta, you've probably used it. The digital login system is used by thousands of companies across the world to manage employee and customer logins to various services. Which makes it a real problem when that system, and all that login info, gets hacked. Okta is the most popular identity management system in the world.
While Bethel doesn’t use Okta, we do have an identity management system and a single sign-on solution, similar to what Okta provides. Identity management is what gives a person a Bethel email account, access to log on to computers around campus, and manages access to our file storage (NAS). Single sign-on is what allows you to log into my.Bethel and your email and Banner and Moodle…well, you get the point. You use your Bethel Community Account (BCA) credentials to log into it all. It’s convenient for you, because it’s just one set of credentials (user name and password) to remember, but it’s also an area we pay a lot of attention to from a security perspective. If your BCA is compromised, then a lot of things can be accessed.
Recently the Lapsus$ digital extortion gang published a series of increasingly shocking posts in its Telegram channel. First, the group dumped what it claims is extensive source code from Microsoft's Bing search engine, Bing Maps, and Cortana virtual assistant software. A potential breach of an organization as big and security-conscious as Microsoft would be significant in itself, but the group followed the post with something even more alarming: screenshots apparently taken on January 21 that seem to show Lapsus$ in control of an Okta administrative or “super user” account.
At Bethel, we keep our “super user” accounts behind multi-factor authentication. We also make sure that people have what’s referred to as “least privilege access” - in other words, you only get the bare minimum access for your needs. This helps ensure that if an account is hacked, it’s less likely to give access to administrative things, and it’s also harder to do what’s called “elevating privileges” - meaning a hacker compromises an account and then seeks to get more access with that account once they are in the system.
Identity management is one of the most complex and costly things that IT does, completely in the background - unbeknownst to most users - and when it works, the idea is that you don’t notice it at all. When it breaks (or, in the case of Okta, is hacked) it’s painful.
As a reminder, we recommend setting up multi-factor authentication on as many log-ins as you can. We also recommend using a password manager to keep all of your various personal (or even professional) account log-ins completely individualized (in other words, don’t re-use passwords). LastPass and 1Password are two great services that we recommend.
A new analysis of attacks in 2021 shows massive increases across the board, painting a very concerning picture for 2022 cyberattacks of all types.
New data from security vendor PhishLabs in their Quarterly Threat Trends & Intelligence Report, covering all of 2021, provides a better sense of what last year's state of cyberattacks looked like, and shows that the increased efforts by cybercriminals we saw throughout 2021 look like they're here to stay for the time being.
According to the report:
- Phishing attacks grew 28%
- Social Media-based threats grew by 103%
- Attacks with malware nearly tripled
- Vishing attacks (https://us.norton.com/internetsecurity-online-scams-vishing.html) (combinations of phishing emails and phone calls) jumped 554%
- 52% of phishing attacks focused on credential theft
- 38% of phishing attacks are response-based (e.g., job scams, tech support, BEC)
- Only 10% focused on malware delivery
The overarching theme here is email is the delivery mechanism of choice – because it works. Keeping in mind that with only 10% of attacks focused on malware delivery (and a portion of those using malicious links instead of attachments), some percentage of malicious phishing emails will make their way to your Inbox. We use layered security on our email system, but really you are the best defense. Emails should be viewed with a sense of vigilance and skepticism - looking for something unexpected, suspicious or otherwise out of the norm.
Be particularly wary of calls you might receive from individuals claiming to be from your bank, or an email asking you to call a number. Recently scammers were spoofing (making fake emails) from Amazon like this one:
Callers reported speaking to someone who then attempts to direct them to a web site in order to input more information. This could be an elaborate credential theft attempt or a way to install a remote access Trojan on your computer - allowing bad actors any number of possibilities (keystroke logging of passwords, for example).
With email being such a large attack surface, we’ve enabled two factor authentication (2FA) on our Google environment. To help keep your email secure, we recommend enabling 2FA on your email account. For step by step directions on enabling that go here: https://support.google.com/accounts/answer/185839?hl=en&co=GENIE.Platform%3DAndroid.
The increased need to pay attention to security also comes in the wake of the Russian aggression in Ukraine. A recent press announcement by the White House (https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/statement-by-president-biden-on-our-nations-cybersecurity/) suggests the likelihood of larger state-actor threats coming towards the U.S. this year.
For up-to-date cyber information on the threat Russia poses, please see CISA’s Shields Up program website: https://www.cisa.gov/shields-up
- You: First and foremost, technology alone cannot fully protect you – you are the best defense. Attackers have learned that the easiest way to get what they want is to target you, rather than your computer or other devices. If they want your password, work data or control of your computer, they’ll attempt to trick you into giving it to them, often by creating a sense of urgency. For example, they can call you pretending to be help desk staff and claim that your computer is infected. Or perhaps they send you an email warning that a package could not be delivered, fooling you into clicking on a malicious link. The most common social engineering attacks include: trying to create a tremendous sense of urgency (I need you to do this now!!), asking you to bypass normal business operations, or pretending to be a colleague or friend when the wording does not sound like them. Additionally, be sure you use your work device for only work-related activities. It's tempting to start using your work device for more personal activity, but minimizing that crossover between work and personal will greatly reduce the likelihood that you compromise your work device and the data/information that is on it. While we monitor risky activity through our antivirus software on work-issued devices, it is not a perfect solution or a guarantee that we can remotely stop every possible threat.
- Home Network: Almost every home network starts with a wireless (Wi-Fi) network. This is what enables all of your devices to connect to the Internet. Most home wireless networks are controlled by your Internet router or a separate, dedicated wireless access point. Both work in the same way: by broadcasting wireless signals to which home devices connect. This means securing your wireless network is a key part of protecting your home. Three things you can do now if you haven't already are: change the default administrative password on your home router (you can often Google how to do this or contact your internet service provider for instructions), allow only trusted individuals access to your network (don't give out your WiFi password to people you don't know or trust), and make all of your passwords strong (best practices recommend using a password with special characters, a mixture of numbers and letters, capital and lower case, and at least 12 to 15 characters total - more on that below).
- Passwords: When a site asks you to create a password, create a strong password: the more characters it has, the stronger it is. Using a passphrase is one of the simplest ways to ensure that you have a strong password. A passphrase is nothing more than a password made up of multiple words, such as “bee honey barrel.” Using a unique passphrase means using a different one for each device or online account. This way, if one passphrase is compromised, all of your other accounts and devices are still safe. If you are having a hard time remembering all of these passwords, consider using a password manager. We recommend 1Password and LastPass.
- Update your Software: Cyber attackers are constantly looking for new vulnerabilities in the software your devices use. When they discover vulnerabilities, they use special programs to exploit them and hack into the devices you are using. Meanwhile, the companies that created the software for these devices are hard at work fixing them by releasing updates. By ensuring your computers and mobile devices install these updates promptly, you make it much harder for someone to hack you. To stay current, simply enable automatic updating whenever possible. This rule applies to almost any technology connected to a network, including not only your work devices but Internet-connected TVs, baby monitors, security cameras, home routers, gaming consoles or even your car.
- Family and Friends: Make sure your family and friends know they cannot use your work devices. They can accidentally erase or modify information, or, perhaps even worse, accidentally infect the device. Bethel does maintain antivirus software on laptops we issue which track and block all risky behavior but with support difficult during this period of time we recommend not taking the chance of sharing a device.
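The "Passwords" and "Home Network" items above say longer is stronger and that a few random words make a good password; the script below, an added example and not part of the original post, puts numbers on that by counting the bits of guessing space for a random character password versus a random multi-word passphrase, and draws a passphrase with Python's `secrets` module. The bit counts assume every character or word is chosen uniformly at random; a password a person makes up is far weaker than the figure for its length, which is exactly why a generated passphrase or a password manager is the recommendation. The six-word list in the code is constructed for the demo; real use needs a list of thousands of words, and the 7776-word list size is the usual diceware-style figure, used here only as a parameter.

```python
"""Compare password and passphrase strength in bits; added example, not the
original post's code. DEMO_WORDS is a constructed stand-in for a real wordlist.
"""
import math
import secrets

PRINTABLE_ASCII = 94   # upper + lower + digits + 32 printable symbols
LARGE_WORDLIST = 7776  # size of a typical diceware-style list (6**5)


def entropy_bits(pool_size, length):
    """Bits of entropy for `length` symbols drawn uniformly from `pool_size`
    choices. Works for characters (pool = alphabet) and words (pool = list)."""
    return length * math.log2(pool_size)


def symbols_needed(target_bits, pool_size):
    """How many uniformly random symbols from the pool reach `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))


def generate_passphrase(wordlist, n_words, sep=" "):
    """Uniformly random words. secrets, not random, for anything security-related."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


# Constructed demo list; far too small for real use (only log2(6) bits/word).
DEMO_WORDS = ["bee", "honey", "barrel", "river", "lantern", "quartz"]


def comparison_table():
    """Entropy of the options the post discusses, all assuming random choice."""
    return {
        "8 random mixed characters": entropy_bits(PRINTABLE_ASCII, 8),
        "12 random mixed characters": entropy_bits(PRINTABLE_ASCII, 12),
        "15 random mixed characters": entropy_bits(PRINTABLE_ASCII, 15),
        "3 random words (7776-word list)": entropy_bits(LARGE_WORDLIST, 3),
        "4 random words (7776-word list)": entropy_bits(LARGE_WORDLIST, 4),
        "7 random words (7776-word list)": entropy_bits(LARGE_WORDLIST, 7),
    }


if __name__ == "__main__":
    for label, bits in comparison_table().items():
        print(f"{label:36s} {bits:6.1f} bits")
    target = 80
    print(f"to reach {target} bits: {symbols_needed(target, PRINTABLE_ASCII)} random characters "
          f"or {symbols_needed(target, LARGE_WORDLIST)} random words")
    print("demo passphrase (toy list, do not use):", generate_passphrase(DEMO_WORDS, 4))
```

Run it and you can see why the two pieces of advice above agree: roughly 13 random characters and 7 random words both land near 80 bits, but seven words are far easier to remember than thirteen random characters, and a password manager removes the need to remember either.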
Institutions of higher education (IHE) have hundreds or thousands of new customers that come through their doors every year. If they are successful, those customers are retained for a few years and become happy, economically successful alumni in the future.
With all of the customer data (aka students) and a culture of openness, sharing, flexibility, and each person exploring their own interests, there can be a very serious threat to the confidentiality and integrity of that information.
Some schools are so focused on providing that experience to students that they don’t have the time or resources to focus on information security. It’s critically important, though, that all employees learn to treat student information as the most important thing they manage on a daily basis.
Hacking vs Leaking
Hacking remains the largest single source of data breaches in the U.S. However, something known as “data leaking” is not far behind. Data leaks are caused by unintentional actions of employees: sending an email with student data in it, saving a spreadsheet in a space with the wrong permissions, or misconfiguring an application or the database associated with one. These are examples of data leaks - situations where a hacker may not have acted to penetrate a system, but could still access data because someone has made it easily accessible outside of the secure “perimeter” set up by the institution.
So, what data is important? Banking and other financial data is. Social Security numbers are. Those should be very obvious data points that give an employee pause to ensure they are being saved, sent and otherwise handled in a fully secure manner. However, it can be more than just those two big ones - FERPA regulations ensure that information regarding the student’s academic record also be private. So, before you share that information with an outside partner, a textbook company, or an application you want your students to use, think - is this secure? Can I do this? If you ever want guidance, feel free to send an email to email@example.com and we’ll do a quick assessment for you - giving you the guidance you need to keep our customers’ data safe and secure.
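The "wrong permissions" leak described above is one that IT can look for systematically: list what is shared outside the organization and check whether any of it contains the data types called out here (Social Security numbers, banking details, academic records). The script below is an added example, not Bethel's tooling, and runs over a constructed file-share inventory embedded in the code; the org domain `example.edu`, the file paths, the sharing lists and the file contents are all placeholders. The SSN pattern checks format only (SSNs carry no checksum), and the banking and FERPA checks are keyword heuristics that a real deployment would tune against its own data.

```python
"""Flag externally shared files that contain sensitive student or financial
data. Added example, not Bethel's tooling; inventory and domain are constructed.
"""
import re

ORG_DOMAIN = "example.edu"  # placeholder organization domain

# Format check only: area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
BANKING_RE = re.compile(r"\b(routing\s*number|account\s*number|iban)\b", re.IGNORECASE)
# FERPA heuristic: words that usually mark an academic record.
ACADEMIC_RE = re.compile(r"\b(gpa|grades?|transcript)\b", re.IGNORECASE)


def classify(text):
    """Return the set of sensitive categories detected in a file's text."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    if BANKING_RE.search(text):
        found.add("banking")
    if ACADEMIC_RE.search(text):
        found.add("ferpa")
    return found


def is_external(sharing):
    """sharing: list of principals, each an e-mail address or 'anyone-with-link'."""
    for principal in sharing:
        if principal == "anyone-with-link":
            return True
        if not principal.lower().endswith("@" + ORG_DOMAIN):
            return True
    return False


def scan(inventory):
    """Findings = files that are both sensitive and shared outside ORG_DOMAIN."""
    findings = []
    for item in inventory:
        categories = classify(item["content"])
        if categories and is_external(item["sharing"]):
            findings.append({
                "path": item["path"],
                "categories": sorted(categories),
                "external_principals": [p for p in item["sharing"]
                                        if p == "anyone-with-link"
                                        or not p.lower().endswith("@" + ORG_DOMAIN)],
            })
    return findings


# Constructed inventory, as a share-audit export might look after flattening.
INVENTORY = [
    {"path": "Shared/Finance/grant-wire.xlsx",
     "sharing": ["bookkeeper@example.edu", "vendor@partner-mail.example"],
     "content": "Wire instructions - routing number 000000000, account number 0000"},
    {"path": "Shared/Advising/spring-gpa.csv",
     "sharing": ["anyone-with-link"],
     "content": "student,GPA\nJane Doe,3.7\nJohn Roe,3.1"},
    {"path": "Shared/HR/onboarding.docx",
     "sharing": ["hr@example.edu"],
     "content": "New hire SSN 123-45-6789 (internal only)"},
    {"path": "Shared/Marketing/flyer.txt",
     "sharing": ["anyone-with-link"],
     "content": "Open house this Saturday, all welcome"},
]


if __name__ == "__main__":
    for f in scan(INVENTORY):
        print(f"{f['path']}: {', '.join(f['categories'])} shared with {f['external_principals']}")
```

Two of the four constructed records are reported: the wire instructions shared with an outside address and the GPA export open to anyone with the link. The onboarding file contains an SSN but is only shared internally, so it is a data-handling question rather than a leak, and the flyer is public but contains nothing sensitive.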
What is Secure?
Google is a secure file storage location. For long term storage, we still recommend using Network Attached Storage (NAS) aka, department drives. To access those network drives off campus, please use the instructions we've provided in Learning, Teaching and Working Remotely for Students, Faculty, and Staff.
To share files securely outside of the NAS or our Google environment (like with another email provider - comcast.net, yahoo.com, etc) we recommend using our secure file share system. That is accessible at secure-files.bethel.edu.
For that same reason, staff and faculty are STRONGLY encouraged not to forward their Bethel email to a private account. Doing so opens up the possibility that information which should have remained secure is leaked outside of Bethel.
Researchers at Malwarebytes warn that a phishing campaign is informing users that someone logged into their account from an IP address in Moscow. The email contains a button to report the issue, which “opens a fresh email with a pre-filled message to be sent to a specific email account.” If a user sends this email, the attacker will reply and attempt to rope them further into the scam.
The researchers note that while the timing may be coincidental, users will probably be more inclined to respond to the emails given the current situation with Russia and Ukraine.
“We have to be very clear here that anybody could have put this mail together, and may well not have anything to do with Russia directly,” the researchers write. “This is the kind of thing anyone anywhere can piece together in ten minutes flat, and mails of this nature have been bouncing around for years. But, given current world events, seeing ‘unusual sign-in activity from Russia’ is going to make most people do a double take, and it’s perfect spam bait material for that very reason.”
Malwarebytes explains that this is a common but effective technique used in phishing attacks.
“Trying to panic people into hitting a button or click a link is an ancient social engineering tactic, but it sticks around because it works,” they write. “We’ve likely all received a ‘bank details invalid,’ or ‘mysterious payment rejected’ message at one point or another."
"Depending on personal circumstance and/or what’s happening in the world at any given moment, one person’s ‘big deal’ is another one’s ‘oh no, my stuff,’” the researchers write. “That’s all it may take for some folks to lose their login, and this mail is perhaps more salient than most for the time being.”
Note how topical scams can be. Criminals and spymasters watch the news and cut their phishbait to fit current events. New-school security awareness training gives your employees a healthy sense of skepticism so they can avoid falling for social engineering attacks.
Malwarebytes has the story.
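The detail that makes this campaign unusual is the mechanism: the "report" button is not a web link but a `mailto:` link with a pre-filled subject and body, so the victim starts the conversation with the scammer and there is no phishing site for a filter to block. A mail gateway or a help desk can still spot that pattern in the HTML body. The script below is an added example, not Malwarebytes' code: it parses an HTML e-mail with Python's standard `html.parser`, collects every link with its visible text, and flags `mailto:` links whose button text is a call to action such as "report" or "verify". The sample message, the recipient address and the wording in it are constructed for the demo.

```python
"""Flag 'report'/'verify' buttons in an HTML e-mail that are really mailto:
links with a pre-filled message. Added example, not Malwarebytes' code; the
sample e-mail and the address in it are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Button wording that a sign-in alert would use to push the reader to act.
ACTION_WORDS = ("report", "verify", "confirm", "secure", "not you")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).split() and
                               " ".join(" ".join(self._text).split())))
            self._href = None


def suspicious_mailto_buttons(html):
    """Return the mailto: links whose visible text is a call to action,
    with the target address and whether the message body is pre-filled."""
    parser = LinkCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        if not href.lower().startswith("mailto:"):
            continue
        parsed = urlparse(href)          # mailto: puts the address in .path
        params = parse_qs(parsed.query)  # subject=, body= are query params
        if any(word in text.lower() for word in ACTION_WORDS):
            hits.append({
                "to": parsed.path,
                "text": text,
                "subject": params.get("subject", [""])[0],
                "prefilled_body": bool(params.get("body")),
            })
    return hits


# Constructed sample of the lure described in the post.
SAMPLE_EMAIL = """<html><body>
<p>Unusual sign-in activity detected from Moscow, Russia.</p>
<p>If this wasn't you,
<a href="mailto:security-desk@unrelated-mail.example?subject=Unusual%20sign-in&amp;body=I%20did%20not%20authorize%20this%20login.">Report the user</a></p>
<p><a href="https://www.example.com/help">Help center</a></p>
</body></html>"""


if __name__ == "__main__":
    for hit in suspicious_mailto_buttons(SAMPLE_EMAIL):
        print(f"'{hit['text']}' opens a mail to {hit['to']} "
              f"(subject: {hit['subject']!r}, pre-filled body: {hit['prefilled_body']})")
```

A legitimate security notice from a provider links to a page on the provider's own domain; a call-to-action button that instead opens a new e-mail to an unrelated address, with the message already written, is the signature of this scam and is worth a gateway rule or a user-facing warning banner.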