bec - X-Industry - Red Sky Alliance (feed updated 2024-03-28T15:41:09Z) https://redskyalliance.org/xindustry/feed/tag/bec

Cyber Criminals using BEC
https://redskyalliance.org/xindustry/cyber-criminals-using-bec
Published 2024-03-18T11:50:00.000Z by Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)
<div><p>Organizations in the US have been targeted since at least 2021 in various phishing and business email compromise (BEC) campaigns spoofing government and private businesses. The attacks, attributed to a threat actor tracked as TA4903, were focused on harvesting corporate credentials to enable BEC activities such as invoice fraud or payroll redirect. As part of the observed attacks, the threat actor frequently registered new domains spoofing government entities and private organizations in sectors such as construction, energy, finance, food and beverage, healthcare, manufacturing, and others.<a href="#_ftn1">[1]</a></p>
<p>Here’s what happens in a BEC scam:</p>
<ol>
<li>Scammers research their targets and figure out how to fake their identity. Sometimes they create fake websites or even register companies with the same name as yours in a different country.</li>
<li>Once they have access, scammers monitor emails to figure out who might send or receive money. They also look at conversation patterns and invoices.</li>
<li>The scammer tries to gain the target’s trust and then asks for money, gift cards, or information.</li>
<li>During an email conversation, the scammer impersonates one of the parties by spoofing the email domain. (The email address might be off by a letter or two, or it might be the correct email address “via” a different domain—for example, chris@contoso.com via fabrikam.com.)</li>
</ol>
<p>In December 2021, TA4903 was seen masquerading as the US Department of Labor. In 2022 and 2023, the Departments of Housing and Urban Development, Commerce, Transportation, and Agriculture, and the Small Business Administration (SBA) were spoofed.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/dirty-deeds-done-dirt-cheap">https://redskyalliance.org/xindustry/dirty-deeds-done-dirt-cheap</a></p>
<p>In mid-2023, the threat actor started spoofing small and medium-sized businesses (SMBs) and increased the tempo of its BEC attacks. Historically, TA4903’s credential phishing attacks employed PDF attachments containing links to the spoofed websites, typically using bid proposal lures. In late 2023, QR codes started appearing in the PDFs. The threat actor was also seen diversifying the lure themes, switching to the use of HTML attachments, or zipped HTML attachments, and employing freemail addresses to deliver the phishing messages, in addition to using the domain infrastructure spoofing US entities.</p>
<p>Starting mid-2023, TA4903 was seen using lure themes referring to ‘cyberattack’ and ‘payment’ in its BEC attacks and relying on domains likely spoofing the suppliers of the victim organizations. The observed messages were benign but encouraged the victim to reply to a spoofed email address. After setting up a honeypot, Proofpoint (<a href="https://www.proofpoint.com">https://www.proofpoint.com</a>) observed the threat actor using purposely leaked credentials to access a dummy email account and search it for keywords such as ‘bank information,’ ‘payment,’ and ‘merchant.’ Proofpoint assesses with high confidence that the actor was looking for existing threads in which to conduct BEC activities such as invoice fraud or payroll redirect using thread hijacking techniques.</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com</p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: https://www.redskyalliance.org/</li>
<li>Website: https://www.redskyalliance.com/</li>
<li>LinkedIn: https://www.linkedin.com/company/64265941</li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.securityweek.com/cybercriminals-spoof-us-government-organizations-in-bec-phishing-attacks/">https://www.securityweek.com/cybercriminals-spoof-us-government-organizations-in-bec-phishing-attacks/</a></p></div>

SVB Customers - Fraud Targets
https://redskyalliance.org/xindustry/svb-customers-fraud-targets
Published 2023-03-21T13:50:49.000Z by Jim McKee (https://redskyalliance.org/members/JimMcKee)
<div><p>Cybercriminals have started taking advantage of Silicon Valley Bank’s (SVB) downfall to carry out scams that can steal money and bank account information or infect customers’ systems with malware. SVB was shut down on 10 March 2023 by the California Department of Financial Protection and Innovation and the Feds after the bank failed to raise capital to keep running.<a href="#_ftn1">[1]</a></p>
<p>See: <a href="https://redskyalliance.org/xindustry/svb-bank-run-not-good">https://redskyalliance.org/xindustry/svb-bank-run-not-good</a></p>
<p>SVB customers are expected to transfer their financial operations to other banks in the coming weeks. This means these customers will receive notifications including the new bank account numbers from their new bank. Hackers are using this as an opportunity by posing as banks and carrying out phishing and business email compromise (BEC) campaigns, targeting SVB customers.</p>
<p>Security researchers have found that threat actors have already registered suspicious domains and pages to carry out the attacks. Some of the suspicious websites that have emerged are:</p>
<ul>
<li>svbcollapse[.]com</li>
<li>svbclaim[.]com</li>
<li>svbdebt[.]com</li>
<li>svbclaims[.]net</li>
<li>login-svb[.]com</li>
<li>svbbailout[.]com</li>
<li>svb-usdc[.]com</li>
<li>svb-usdc[.]net</li>
<li>svbi[.]io</li>
<li>banksvb[.]com</li>
<li>svbank[.]com</li>
<li>svblogin[.]com</li>
</ul>
<p>These domains were reported by Cyble Research & Intelligence Labs (CRIL); some of the websites emerged immediately after the collapse of SVB. On 13 March 2023, the Department of the Treasury, Federal Reserve, and FDIC issued a joint statement to safeguard all depositors’ funds and ensure access to their money.</p>
<p>However, despite being a relief for affected depositors, this announcement is itself being used by threat actors to launch malicious campaigns. The SVB collapse entices threat actors because it involves a lot of money and creates a sense of urgency and uncertainty. Many companies and individuals employed by companies have questions about how to pay urgent bills. Will my employer be able to make payroll? Is there anything I need to do right now? For many, it isn't clear how to communicate with SVB, what website to use, what emails to expect, or where those emails will come from.</p>
<p>It is not just the registration of suspicious domains; the threat actors have also begun carrying out other scams. Several cryptocurrency scams have already been identified. In one such scam analyzed by security researchers, phishing sites such as svb-usdc[.]com and svb-usdc[.]net have set up bogus USDC reward programs. The sites claim the bank distributes USDC as part of the SVB USDC payback program to eligible USDC holders. USDC, or the USD Coin, is a digital stablecoin pegged to the US dollar. The scammers aim to steal cryptocurrency from the victim’s account by offering them free USDC.</p>
<p>On the phishing site, once the user clicks on “click here to claim”, a QR code is displayed. The user is instructed to scan the QR code using any cryptocurrency wallet, such as Trust, Metamask, or Exodus. However, scanning the code will compromise the user’s wallet account, per investigators following the cyber threat actors.</p>
<p>Similar phishing sites that carry out the same malicious activity were observed soon after Circle, the issuer of USD coins, announced that they held $3.3 billion worth of USDC with SVB and would resume their operations. The phishing sites pretended to be Circle and lured victims, promoting a deal of one (1) USDC for $1.00.</p>
<p>In addition to cryptocurrency scams, BEC scams have also surfaced, targeting SVB customers. SVB customers are receiving new non-SVB account details from their existing vendors to facilitate payments. However, these account details are actually of the threat actors, and if the customer transfers the payment to the account, they will likely never see the money again. Other users have also reported similar scams on platforms such as Mastodon, Twitter, and LinkedIn.</p>
<p>SVB customers need to be vigilant of these attacks. Experts are advising that customers directly contact their vendors before changing any account details and do not purely rely on emails for any such change requests. Due to the recent news (true and otherwise) surrounding the collapse of SVB, which will have long-lasting effects on affected organizations, these entities are likely to become targets for cyber threat actors who may use malware and phishing attacks to victimize them.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.oodaloop.com/technology/2023/03/15/cybercriminals-target-svb-customers-with-bec-and-cryptocurrency-scams/">https://www.oodaloop.com/technology/2023/03/15/cybercriminals-target-svb-customers-with-bec-and-cryptocurrency-scams/</a></p></div>

Phishing Season never Closes
https://redskyalliance.org/xindustry/phishing-season-never-closes
Published 2023-03-09T13:00:00.000Z by Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)
<div><p>In cybersecurity defense, the use of automatic protection tools is half the assignment. The human element plays an increasingly important role. Scammers like to take shortcuts and know that it is easier to trick people than it is to exploit software or hardware. Any organization with a well-guarded security perimeter is an easy target, as long as its employees fall for phishing scams.</p>
<p>The problem reached new heights during the coronavirus pandemic. The situation led to online panic that gave cyber threat actors an advantage in delivering effective online fraud. According to a recent report by the international Anti-Phishing Working Group (APWG), Q3 2022 was the worst quarter for phishing attacks the consortium had ever observed, with the number of recorded attacks exceeding 1.2 million. In addition, the average amount of money requested in wire transfer Business Email Compromise (BEC) scams reached US $93,881.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/phishing-how-not-to-get-caught">https://redskyalliance.org/xindustry/phishing-how-not-to-get-caught</a></p>
<p>Thinking like a fraudster can help create additional barriers against these social engineering tricks and form a foundation for effective security awareness training, so that the human factor hardens an organization's defenses instead of being the weakest link. Any phishing email aims to make a recipient err in one of two ways: clicking a malicious link or downloading a malware-riddled file. The former typically results in a visit to a credential phishing page, and the latter mostly triggers rogue macros within a Microsoft Office document.</p>
<p>During penetration tests, pen testers use harmless decoy elements that let them record link clicks or instances of attachments being opened. During actual attacks, the bad actor instantly obtains credentials entered in the fake sign-in page, and recklessly enabled Visual Basic for Applications (VBA) macros quietly drop malware that can provide backdoor access to the target device.</p>
<p>The narrative of the message has to be accurately aligned with the attacker's goal and interests and the would-be victim's position in the organization. If the scammer wants to get hold of a senior executive's correspondence, the email should pretend to come from a person whose rank and reputation in the business world match those of the recipient. If the objective is to remotely access a workstation used by a finance department employee, the message would be masqueraded as an accounting report or a manager's request to verify wire transfer details.</p>
<p>Urgency is a scammer's best strategy. The most effective phishing messages instruct victims to take some kind of action immediately. For instance, they emphasize the adverse consequences of not meeting a specified deadline. Another step in prepping for the attack is to proofread the email. Typos and grammar errors can raise red flags and cause the recipient to ignore the message. Do not be afraid to telephone the requesting party and ask some questions before doing anything. <em>Read this again</em>.</p>
<p>Potential victims are more likely to open email attachments than to enter personal information on a credential phishing page. This means that perpetrators have a greater chance of depositing malicious programs than of pilfering passwords via a phony web form. Trojan downloaders and ransomware are becoming standard components of a phisher's repertoire; they add an extra layer of monetization to these attacks.</p>
<p>As far as phishing themes are concerned, the most lucrative ones revolve around corporate benefits, such as freebies and discounts from partnering businesses. Statistically, about a third of all targeted users get on the hook in such scenarios. Messages that tell employees to familiarize themselves with changes to organizational policies and other rules relating to the corporate culture are also highly effective.</p>
<p>One more aspect is to lace the attack with a little bit of hype, such as seasonal events or topics currently in the news. For instance, when the winter holidays are approaching, it is time to be wary of scams in which criminals try to bait people with bogus promos and giveaways. During this period, crooks may also camouflage malicious files as a holiday work schedule that most users will open without a second thought, only to receive the malware.</p>
<p>An email thoroughly tailored for a specific recipient has a much higher success rate than a generic message used in a Spray-and-Pray (SaP) attack. This kind of foul play is known as spear-phishing. Some open-source intelligence (OSINT) based on publicly available sources, such as social networks, discussion groups, and professional publications, may suffice to retrieve personal data and gain insights into pain points that allow a scammer to concoct a legitimate-looking email. An attack targeting only several employees in a company is usually a sure-shot exercise, contrary to a large-scale campaign that lacks personalization.</p>
<p>Most phishing attacks are easy to spot, but things can get challenging when experienced fraudsters are in play. It is in every organization's best interest to nurture a proactive security posture and forestall these scams regardless of their sophistication.</p>
<p>No matter what position an employee holds in the company's hierarchy, they must keep in mind that any hyperlink or file embedded in an email is potentially dangerous, even if the message appears to come from a trusted individual or organization. Long-standing loopholes in the design of the SMTP protocol make it ridiculously easy to pull off email spoofing via tweaks of a message header, which lowers the bar for carrying out effective impersonation attacks.</p>
<p>Being on the lookout for red flags in incoming electronic correspondence is a valuable skill you should practice. You and your colleagues should pay attention to anomalies like misspellings, inaccuracies in the sender's name, and free webmail domain names (for example, gmail.com or yahoo.com after the "@" symbol) when the email claims to come from a reputable company.</p>
<p>Most importantly, you need to understand that security is a process, not a plug-and-play product. Deploying a Secure Email Gateway (SEG) and an anti-malware program with online security features in its toolkit is worthwhile because these solutions do filter out most scams that match known phishing templates. However, crooks are increasingly proficient in bypassing them.</p>
<p>Security awareness training is mandatory these days. In addition to teaching your teams how to identify fraud, it teaches them to respond to various cyber threats and helps refine their online hygiene overall.</p>
<p>See the negative side: <a href="https://redskyalliance.org/xindustry/can-chatgpt-write-malware">https://redskyalliance.org/xindustry/can-chatgpt-write-malware</a></p>
<p>source: <a href="https://www.secureworld.io/industry-news/know-your-enemy-phishing-tactics">https://www.secureworld.io/industry-news/know-your-enemy-phishing-tactics</a></p></div>

Criminals Use BEC to Steal Shipments of Food
https://redskyalliance.org/xindustry/criminals-use-bec-to-steal-shipments-of-food-1
Published 2022-12-21T13:30:00.000Z by Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)
<div><p>The Federal Bureau of Investigation (FBI), the Food and Drug Administration Office of Criminal Investigations (FDA OCI), and the US Department of Agriculture (USDA) are releasing this joint Cybersecurity Advisory (CSA) to advise the Food & Agriculture sector about recently observed incidents of criminal actors using business email compromise (BEC) to steal shipments of food products and ingredients valued at hundreds of thousands of dollars.</p>
<p>While BEC is most commonly used to steal money, in cases like this criminals spoof emails and domains to impersonate employees of legitimate companies to order food products. The victim company fulfills the order and ships the goods, but the criminals do not pay for the products. Criminals may repackage stolen products for individual sale without regard for food safety regulations and sanitation practices, risking contamination or omitting necessary information about ingredients, allergens, or expiration dates. Counterfeit goods of lesser quality can damage a company’s reputation. BEC is one of the most financially damaging online crimes. According to the FBI’s Internet Crime Complaint Center, victims reported losses of almost $2.4 billion in 2021, based on 19,954 recorded complaints linked to BEC attacks targeting individuals and businesses. </p>
<p>Immediate Actions Businesses Can Take Now to Protect Against Product Theft and BEC Schemes:</p>
<ul>
<li>Train employees on how to identify fraudulent email addresses and</li>
<li>Implement user training and phishing exercises to raise awareness about the risks of suspicious links and attachments.</li>
<li>Conduct web searches for your company name to identify fraudulent websites that may be used to impersonate you in a scam.</li>
</ul>
<p>These recommendations help reduce the risk of financial loss and possible food contamination resulting from these schemes.</p>
<p>Threat actors may target Food & Agriculture businesses using the following common tactics, techniques, and procedures (TTPs) to steal food products and ingredients:</p>
<ul>
<li>Creating email accounts and websites that closely mimic those of a legitimate company. The accounts and web addresses may include extra letters or words, substitute characters (such as the number “1” for a lower case “l”), or use a different top level domain (such as .org instead of .gov).</li>
<li>Gaining access to a legitimate company’s email system to send fraudulent emails. Spear phishing is one of the most prevalent techniques used for initial access to IT networks; personnel may open malicious attachments or links contained in emails from threat actors to execute malicious payloads that allow access to the network.</li>
<li>Adding legitimacy to the scam by using the names of actual officers or employees of a legitimate business to communicate with the victim company.</li>
<li>Copying company logos to lend authenticity to their fraudulent emails and documents.</li>
<li>Deceiving the victim company into extending credit by falsifying a credit application. The scammer provides the actual information of a legitimate company so the credit check results in an approval of the application. The victim company ships the product but never receives payment.</li>
</ul>
<p>Food & Agriculture Sector BEC Incidents:</p>
<p>In recent incidents, criminal actors have targeted physical goods rather than wire transfers using BEC tactics. Companies in all sectors—both buyers and suppliers—should consider taking steps to protect their brand and reputation from scammers who use their name, image, and likeness to commit fraud and steal products.</p>
<p>Recent BEC incidents targeting the Food & Agriculture sector include:</p>
<ul>
<li>In August 2022, a US sugar supplier received a request through their web portal for a full truckload of sugar to be purchased on credit. The request contained grammatical errors and purportedly came from a senior officer of a US non-food company. The sugar supplier identified the email address had an extra letter in the domain name and independently contacted the actual company to verify there was no employee by that name working there.</li>
<li>In August 2022, a food distributor received an email purportedly from a multinational snack food and beverage company requesting two full truckloads of powdered milk. The criminal actor used the real name of the chief financial officer of the snack food company but used an email address containing an extra letter in the domain name. The victim company had to pay their supplier more than $160,000 for the shipment after responding to the fraudulent request.</li>
<li>From at least June through August 2022, unknown criminal actors used the identity of a US company to fraudulently attempt to obtain store credit and/or place large purchase orders to procure shipments of powdered milk and other ingredients from multiple suppliers. Industry dairy vendors notified the company that the unknown third party created falsified credit applications, purchase orders, and invoices in their attempts to place large orders for powdered milk. In one instance, the attempted purchase orders totaled nearly $230,000. In another instance, a vendor shipped two truckloads of powdered milk valued at approximately $200,000. The criminal actors sent emails using the names of the victim company’s president and other employees, used the company’s logo, a variation of the company’s name, and an email address that varied only slightly from real company addresses.</li>
<li>In April 2022, a US food manufacturer and supplier received a request through their web portal inquiring about pricing for whole milk powder purportedly from another food company. The spoofed food company email used the name of the president and the company’s actual physical address. The ingredient supplier ran a credit check on the company, extended a line of credit, and the first of two shipments – valued at more than $100,000 – was picked up from the supplier. The victim company refused to release the second load until payment was received and realized the email address used by the criminals was a slight variation on the actual company’s domain name. The victim company contacted the legitimate company, who indicated their identity had been used in similar scams with other companies.</li>
<li>In February 2022, four different fraudulent companies placed large orders for whole milk powder and non-fat dry milk from a food manufacturer. The orders, valued at almost $600,000, were picked up, and the victim company was unaware something was wrong until they did not receive payment. In all four instances, real employee names and slight variations of the legitimate domain names were used.</li>
</ul>
<p>RECOMMENDATIONS: The FBI, FDA, and USDA urge businesses to use a risk-informed analysis to prepare for, mitigate, and respond to cyber incidents and cyber-enabled crime. Mitigation recommendations to prevent, detect, and respond to BEC-enabled product theft schemes include:</p>
<ul>
<li>Independently verify contact information provided by new vendors or customers through reputable online sources like associations or business directories. Pay close attention to the verified company name and branding. For example, a scammer’s email may reference “Acme Baking, Inc.” instead of “The Acme Baking Company” and contain an off-color or pixelated logo which mimics the original.</li>
<li>Carefully check hyperlinks and email addresses for slight variations that can make fraudulent addresses appear legitimate and resemble the names of actual business partners. Look for additional punctuation, changes in the top-level domain (i.e. “.com” vs “.gov”), added prefixes or suffixes, or misspelling of the domain.</li>
<li>Regularly conduct web searches for your company name to identify results that return multiple websites that may be used in a scam, i.e. the actual website “abccompanyllc.com” may be spoofed by fake domains like “abccompany.biz”, “abccompany11c.com”, or “abcompanyllc.com”.</li>
<li>Look for grammar, spelling errors, and awkward wording in all correspondence, to include email or requests through company web portals.</li>
<li>Ensure company policies provide for verification of any changes to existing invoices, bank deposit information, and contact information.</li>
<li>Encourage employees to request clarification and report suspicious requests to their management prior to authorizing transactions.</li>
<li>Confirm legitimacy of advance payment or credit requests when not previously required.</li>
<li>Verify all payment changes, credit requests, and transactions in person or via a known telephone number rather than through a number or link provided in a suspicious email.</li>
<li>Be skeptical of unexplained urgency regarding payment requests or orders, especially from new customers.</li>
<li>Be wary of last-minute changes in wire instructions, account information, or shipping destinations as well as changes in established communication platforms or email account addresses.</li>
<li>Educate employees about BEC scams, including preventative strategies such as how to identify phishing emails and how to respond to suspected compromises. The FBI has BEC resources here.</li>
<li>Implement a user training program with phishing exercises to raise and maintain awareness among users about risks of visiting malicious websites or opening malicious attachments. Reinforce the appropriate user response to phishing and spear-phishing emails.</li>
<li>Immediately report any online fraud or BEC activity to the FBI Internet Crime Complaint Center at ic3.gov/Home/BEC.</li>
</ul>
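<p>The TTP list above (lookalike accounts with extra letters, substituted characters or a different top-level domain) and the recommendations that follow it (check addresses and links for slight variations; search for spoofs of your own domain) describe a check that a mail filter or help desk can automate. The script below is an added example written for this page, not code from the advisory or from Red Sky Alliance. It classifies a sender or link domain against a constructed allow-list of partner domains (KNOWN_DOMAINS is an assumption), re-using the advisory's own spoof examples for abccompanyllc.com, and generalises the single "1 for l" substitution the advisory cites to a small homoglyph table plus an edit-distance check.</p>

```python
"""Flag sender/link domains that imitate a trusted partner domain.

Added example for this page, not code from the FBI/FDA/USDA advisory or from
Red Sky Alliance. KNOWN_DOMAINS is a constructed sample allow-list; the fake
domains in run_demo() are the advisory's own illustrations plus a few more.
"""
from __future__ import annotations

import re

# Constructed sample: the partner domains this organization actually deals with.
KNOWN_DOMAINS = {"abccompanyllc.com", "contoso.com"}

# Digit/symbol-for-letter substitutions seen in lookalike registrations
# (the advisory cites "1" standing in for a lower-case "l").
HOMOGLYPHS = {"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "|": "l"}


def normalize(label: str) -> str:
    """Fold homoglyphs and 'rn'->'m' so a lookalike collapses onto the name it
    imitates; hyphens and other punctuation are dropped."""
    folded = "".join(HOMOGLYPHS.get(ch, ch) for ch in label.lower())
    folded = folded.replace("rn", "m")
    return re.sub(r"[^a-z0-9]", "", folded)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, known=KNOWN_DOMAINS) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unrelated'."""
    domain = domain.lower().strip().rstrip(".")
    labels = domain.split(".")
    if len(labels) < 2:
        return "unrelated", "not a fully qualified domain"
    name, tld = labels[-2], labels[-1]
    for good in sorted(known):
        g_name, g_tld = good.split(".")[-2], good.split(".")[-1]
        # The trusted domain itself, or a genuine subdomain of it.
        if domain == good or domain.endswith("." + good):
            return "trusted", f"matches {good}"
        # Trusted domain buried inside a longer one (abccompanyllc.com.evil-host.net).
        if good in domain:
            return "lookalike", f"{good} embedded in a longer domain"
        # Same name, different top-level domain (.com vs .biz, .gov vs .org).
        if name == g_name and tld != g_tld:
            return "lookalike", f"top-level domain swap of {good}"
        # Character substitution (abccompany11c.com for abccompanyllc.com).
        if normalize(name) == normalize(g_name):
            return "lookalike", f"character substitution of {good}"
        # Added prefix/suffix or truncated name (abccompany.biz, contoso-secure.com).
        shorter = min(name, g_name, key=len)
        if len(shorter) >= 6 and (name in g_name or g_name in name):
            return "lookalike", f"extended or truncated form of {good}"
        # One or two letters added, dropped or changed (abcompanyllc.com).
        dist = edit_distance(name, g_name)
        if dist <= 2:
            return "lookalike", f"within {dist} edit(s) of {good}"
    return "unrelated", "no resemblance to a trusted domain"


def run_demo() -> dict[str, str]:
    """Classify the advisory's sample spoofs plus a few constructed cases."""
    samples = ["abccompanyllc.com", "mail.abccompanyllc.com", "abccompany.biz",
               "abccompany11c.com", "abcompanyllc.com", "abccompanyllc.biz",
               "abccompanyllc.com.evil-host.net", "c0ntoso.com",
               "contoso-secure.com", "example.org"]
    return {d: classify(d)[0] for d in samples}


if __name__ == "__main__":
    for domain, verdict in run_demo().items():
        print(f"{verdict:10} {domain}  ({classify(domain)[1]})")
```

<p>Run it as a script to print a verdict and reason for each sample. In practice the allow-list comes from vendor master data, and anything classified as a lookalike should be routed to manual verification over a known telephone number, as the advisory recommends, rather than silently dropped: legitimate partners do occasionally change domains, and a two-edit match is a prompt to verify, not proof of fraud.</p>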
<p>Recommendations for information technology administrators to help prevent BEC-enabled product theft schemes and to prevent the company’s email system from being used in a scam include:</p>
<ul>
<li>Enable anti-phishing and anti-spoofing security features that block malicious email.</li>
<li>Enable multi-factor authentication for all email accounts.</li>
<li>Prohibit automatic forwarding of email to external addresses.</li>
<li>Frequently monitor the company email exchange server for changes in configuration and custom rules for specific accounts.</li>
<li>Add an email banner to messages coming from outside your organization.</li>
<li>Prohibit legacy email protocols, such as POP, IMAP, and SMTP, that can be used to circumvent multi-factor authentication.</li>
<li>Ensure changes to mailbox login and settings are logged and retained for at least 90 days.</li>
<li>Enable alerts for suspicious activity, such as foreign logins.</li>
<li>Configure Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) to prevent spoofing and validate email.</li>
<li>Disable legacy account authentication.</li>
</ul>
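<p>The SPF/DKIM/DMARC item in the list above is where many organizations stop at "a record exists". The script below is an added example for this page, not code from the advisory or from Red Sky Alliance: it parses SPF and DMARC TXT records and reports the settings that still leave the domain spoofable, with a weak record beside a corrected one. SAMPLE_RECORDS is constructed; a real audit would fetch the TXT records from DNS. DKIM is not checked here because verifying it needs the selector from a signed message, not just a policy record.</p>

```python
"""Audit SPF and DMARC TXT records for settings that leave a domain spoofable.

Added example for this page, not from the FBI/FDA/USDA advisory or Red Sky
Alliance. SAMPLE_RECORDS is constructed; a real audit would fetch the TXT
records from DNS instead of reading this dictionary.
"""
from __future__ import annotations

# Constructed records keyed by the DNS name that would hold them.
SAMPLE_RECORDS = {
    # Weak: "+all" authorises every host on the internet to send as this domain,
    # and p=none means receivers deliver spoofed mail anyway.
    "weak.example": "v=spf1 include:spf.protection.example +all",
    "_dmarc.weak.example": "v=DMARC1; p=none",
    # Corrected: explicit senders, hard fail, enforcing DMARC with reporting.
    "good.example": "v=spf1 include:spf.protection.example -all",
    "_dmarc.good.example": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@good.example; adkim=s; aspf=s",
    # SPF only, no DMARC record at all.
    "missing.example": "v=spf1 ip4:192.0.2.10 ~all",
}

SPF_QUALIFIERS = "+-~?"


def parse_spf(record: str) -> dict:
    """Split an SPF record into its mechanisms and the qualifier on 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "mechanisms": [], "all": None}
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in SPF_QUALIFIERS else "+"
        body = term[1:] if term[0] in SPF_QUALIFIERS else term
        if body.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append(body)
    return {"valid": True, "mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(record: str) -> dict[str, str]:
    """Turn 'tag=value; tag=value' into a dictionary of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit(domain: str, records=SAMPLE_RECORDS) -> list[str]:
    """Return the weak settings found for a domain; an empty list is a pass."""
    findings = []
    spf = records.get(domain)
    if spf is None:
        findings.append("no SPF record: receivers cannot distinguish your mail servers from spoofers")
    else:
        parsed = parse_spf(spf)
        if not parsed["valid"]:
            findings.append("SPF record does not start with v=spf1")
        elif parsed["all"] == "+":
            findings.append("SPF '+all': every host on the internet may send as this domain")
        elif parsed["all"] is None:
            findings.append("SPF has no 'all' mechanism: unlisted senders default to neutral")
        elif parsed["all"] == "?":
            findings.append("SPF '?all' is neutral: spoofed mail is neither passed nor failed")
        elif parsed["all"] == "~":
            findings.append("SPF '~all' only soft-fails spoofed mail; move to '-all' once all senders are listed")
    dmarc = records.get(f"_dmarc.{domain}")
    if dmarc is None:
        findings.append("no DMARC record: SPF/DKIM failures are never acted on")
    else:
        tags = parse_dmarc(dmarc)
        if tags.get("v") != "DMARC1":
            findings.append("DMARC record does not start with v=DMARC1")
        if tags.get("p", "none").lower() == "none":
            findings.append("DMARC p=none only monitors: spoofed mail is still delivered")
        if "rua" not in tags:
            findings.append("no rua= address: nobody receives aggregate reports of spoofing attempts")
    return findings


if __name__ == "__main__":
    for name in ("weak.example", "good.example", "missing.example", "absent.example"):
        print(name, audit(name) or ["ok"])
```

<p>The usual rollout order is the one the findings imply: list every legitimate sender in SPF, publish DMARC with p=none and a rua= address to see who is sending as your domain, then move to p=quarantine and finally p=reject once the reports show only your own mail. Leaving p=none in place indefinitely is the most common reason a correctly published SPF record still does nothing against BEC spoofing.</p>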
<p>RESOURCES:</p>
<ul>
<li>gov – Contact the FBI Internet Crime Complaint Center to report incidents and find industry and consumer alerts.</li>
<li>gov – Resources to educate yourself and avoid becoming a victim of crime and fraud.</li>
<li>FDA OCI – Contact FDA Office of Criminal Investigations to report suspected criminal activity relating to FDA regulated products.</li>
<li>gov – CISA offers a range of no-cost cyber hygiene services to help critical infrastructure organizations assess, identify, and reduce their exposure to cyber threats. By requesting these services, organizations of any size can find ways to reduce their risk and mitigate attack vectors.</li>
</ul>
</div>

Dirty Deeds, Done Dirt Cheap
https://redskyalliance.org/xindustry/dirty-deeds-done-dirt-cheap
Published 2022-12-02T14:05:27.000Z by Jim McKee (https://redskyalliance.org/members/JimMcKee)
<div><p>A cruel business email compromise (BEC) gang called Lilac Wolverine is hacking people's email accounts and sending messages to their contacts, claiming the account owner needs to send a gift to an unwell friend, in order to manipulate those contacts into buying online gift cards. Detailed by cybersecurity researchers, this organized cybercriminal group has fine-tuned techniques that pull on people's heartstrings.</p>
<p>They include false claims that the gift cards are meant for people diagnosed with serious illnesses or a recent accident, with the claim that they cannot buy gifts because their bank card is missing or because they are out of the country. Gift cards are requested from familiar brands like Apple, Amazon, and Google Play, with amounts ranging from $100 to $500.</p>
<p>In what researchers describe as an "extremely high attack volume" and "one of the most prolific" BEC campaigns today, one of the elements that makes the lures look more realistic to victims, and therefore potentially more successful for the scammers, is the hacking of real email accounts.</p>
<p>This is likely achieved with phishing attacks, using passwords leaked in an earlier data breach, or simply because the password securing the account is common or re-used. But once an email address is successfully compromised, the attackers do not use the account itself to send out BEC campaigns. Instead, they copy the victim's address book and set up a lookalike account, using the same name and username, or if that isn't available, making very subtle, often unnoticeable changes. The attackers use <u>free</u> webmail services to set up these accounts.</p>
<p>These newly generated email accounts, which are used to send BEC phishing lures to the first victim's contacts, are designed to look like the real account: the messages appear to come from the real address, but the reply address points to the newly created account controlled by the scammers.</p>
<p>Setting up one of these accounts sounds elaborate, but it means there is less chance that the victim of the initial account hack will notice something is wrong. They likely use a separate, lookalike account so the owner of the compromised account does not get alerted when someone responds to an email they did not send. Instead, any responses go to the lookalike account controlled by the attacker.</p>
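<p>The reply-diversion trick described above can be checked mechanically at the mail gateway or in a mailbox sweep. The Python below is an added example, not code from the article or from Red Sky Alliance: it parses constructed sample headers with the standard library, compares the From and Reply-To domains, and flags a Reply-To that reuses the sender's display name or a near-identical username on a free webmail provider. The sample messages, the short FREE_WEBMAIL set and the function names are assumptions for the example.</p>

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Free webmail domains treated as low-trust reply destinations. A short list
# assumed for the example; extend it from your own telemetry.
FREE_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "mail.com"}

# Constructed sample: From shows a real contact's address, Reply-To diverts
# answers to a near-identical username on a free webmail provider.
SAMPLE_LURE = """\
From: "Dana Example" <dana.example@example-corp.com>
Reply-To: "Dana Example" <dana_example1@gmail.com>
To: pat@example.org
Subject: Quick favor?

Hi Pat, are you around? I need a small favor.
"""

# Constructed sample of a legitimate Reply-To: same organization, different mailbox.
SAMPLE_BENIGN = """\
From: "Dana Example" <dana.example@example-corp.com>
Reply-To: "Accounts Payable" <ap@example-corp.com>
To: pat@example.org
Subject: Invoice 1042

Pat, please route questions on this invoice to AP.
"""


def _normalize_local(local_part: str) -> str:
    """Drop dots, underscores, hyphens and digits so 'dana.example' and
    'dana_example1' compare equal, the subtle changes the article describes."""
    return re.sub(r"[^a-z]", "", local_part.lower())


def assess_reply_to(raw_message: str) -> dict:
    """Report whether replies to this message would be diverted to an
    account other than the one it appears to come from."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = {
        "from": from_addr, "reply_to": reply_addr,
        "domain_mismatch": False, "lookalike_local_part": False,
        "reply_to_freemail": False, "display_name_reused": False,
        "suspicious": False,
    }
    if "@" not in from_addr or "@" not in reply_addr:
        return findings  # no Reply-To (or unparsable): nothing to compare
    from_local, from_domain = from_addr.lower().rsplit("@", 1)
    reply_local, reply_domain = reply_addr.lower().rsplit("@", 1)
    findings["domain_mismatch"] = from_domain != reply_domain
    findings["lookalike_local_part"] = (
        findings["domain_mismatch"]
        and _normalize_local(from_local) == _normalize_local(reply_local)
    )
    findings["reply_to_freemail"] = reply_domain in FREE_WEBMAIL
    findings["display_name_reused"] = bool(from_name) and (
        from_name.strip().lower() == reply_name.strip().lower()
    )
    # A different reply domain on its own is common (ticketing systems, list
    # servers); it is the impersonation cues on top that make it a BEC signal.
    findings["suspicious"] = findings["domain_mismatch"] and (
        findings["lookalike_local_part"]
        or findings["reply_to_freemail"]
        or findings["display_name_reused"]
    )
    return findings


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, assess_reply_to(sample))
```

<p>The check deliberately does not alert on a mismatched Reply-To alone, since help desks and mailing lists set one legitimately; it is the reused display name, the near-identical username and the free webmail destination that reproduce the pattern the article describes.</p>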
<p>Ultimately, making the BEC email look like it comes from someone the targets know, rather than from a stranger or a vague contact address, makes it more likely that the attackers will succeed in scamming victims. This is also achieved by not bringing up the idea of needing a gift card in the initial email, which looks innocuous enough: it asks the receivers if they want to catch up, asks for a favor, or asks where they do their online shopping.</p>
<p>If the victim responds to the initial spoofed email, the scammers send an additional message requesting a gift card. It is here that they attempt to emotionally manipulate victims, using claims of bank cards not working and of urgently needing to buy a gift for someone dealing with a serious illness. The pretexts the group uses in its BEC campaigns are meant to elicit an emotional response that the scammers hope will persuade a target to comply with the request. As with other gift card BEC attacks, the target population is substantially larger than for other types of attack, so the success rate does not need to be high to give a good return on investment for the campaign.</p>
<p>It is suspected that the campaign is still active, and people should be made aware of the telltale signs of BEC gift card scams. These include unexpected urgent requests, particularly ones that use emotional subjects requiring swift action, and messages that do not sound like they come from the person they claim to come from. With the Christmas holiday and gift-giving season only a couple of weeks away, these attacks are likely to increase.</p>
<p>If you are unsure if the message is real, you should check with the person sending it by calling them on the phone or checking with them in person. To prevent your email from being abused to send out BEC scams to your contacts, cyber threat professionals recommend that you use a strong password and multi-factor authentication to help protect your account.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We recommend that if you want to provide charity during these holiday times, use tried and truly charitable organizations. For questions, comments or assistance, please get in touch with the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
</div>Biggest Threat - BEChttps://redskyalliance.org/xindustry/biggest-threat-bec2022-08-04T17:10:07.000Z2022-08-04T17:10:07.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}10748540290,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10748540290,RESIZE_400x{{/staticFileLink}}" width="250" alt="10748540290?profile=RESIZE_400x" /></a>As a cyber security professional, if you are asked about the biggest cybersecurity threats facing business, which one springs to mind first? Maybe it is relentless ransomware attacks, with cyber criminals encrypting networks and demanding vast sums for a decryption key, even from hospitals. Or maybe it is a devious malware attack that lets hackers hide inside the network for months on end, stealing everything from usernames and passwords to bank details. To be sure, both are on the list. These are awful attacks to experience and can cause terrible damage. But there is another, much simpler form of cyber-crime that makes scammers the most money by far and does not get the attention it deserves.<a href="#_ftn1">[1]</a></p>
<p>The scale of business email compromise (BEC) attacks is clear: according to the FBI, the combined total lost to BEC attacks is $43 billion and counting, with attacks reported in at least 177 countries.</p>
<p>At the most basic level, the easiest scam is to find out who the boss of a company is and set up a spoofed, fake email address. From there, the scammers send a request to an employee saying they need a financial transaction to be carried out quickly and quietly. It is a very basic social-engineering attack, and often it works. An employee keen to do as their boss demands could be quick to approve the transfer, which could be tens of thousands of dollars or more, especially if they think they will be chastised for delaying an important transaction.</p>
<p>In more advanced cases, the attackers will break into the email of a colleague, a boss or a client and use their actual email address to request a transfer. Not only are staff more inclined to believe a request that really does come from the account of someone they know, but scammers with the right malware can also watch inboxes and wait for a real financial transaction to be requested. Then they send an email from the hacked account that contains their own bank details. By the time the victim realizes something is wrong, the scammers have made off with the money and are long gone.</p>
<p>What is most challenging about BEC attacks is that, while it is a cyber-crime based around abusing technology, there is actually very little that technology or software can do to help stop the attacks, because it is really a human issue. Anti-virus software and a good email spam filter can prevent emails containing malicious links or malware from arriving in your inbox. But if a legitimate, hacked account is being used to send requests to victims in the body of ordinary emails, that is a problem, because as far as the software is concerned there is nothing suspicious to detect: it is just another email from your boss or your colleague. And the money is not stolen by clicking a link or by using malware to drain an account; it is transferred by the victim to an account they have been told is legitimate. No wonder it is so hard for people to realize they are making a mistake. The insurance industry calls this ‘errors and omissions.’<a href="#_ftn2">[2]</a> Insurers are currently clamping down on cyber-fraud and citing E&O as a reason not to pay a financial fraud claim.</p>
<p>But victim blaming is not the answer and is not going to help; if anything, it will most likely make the problem worse. What is important in the prevention of BEC attacks is ensuring that people understand what these attacks are and to have processes in place that can prevent money being transferred. In proper training, it should be explained that it is very unlikely that your boss will email you out of the blue asking for a very urgent transfer to be made with no questions asked. And if you do have concerns, ask a colleague or even better, talk directly to your boss to ask if the request is legitimate or not. It might seem counterintuitive, but it is always better to be safe than sorry.</p>
<p>Businesses should also have procedures in place around financial transactions, particularly large ones. Should a single employee be able to authorize a business transaction valued at tens of thousands of dollars? Probably not; it is not good security procedure. Businesses should ensure that multiple people have to approve this type of financial process. It is true this might mean transferring funds takes a little longer, but it will help ensure that money is not being sent to criminals. That business deal can wait a few more minutes. Technology can help to a certain extent, but the reality is that these attacks exploit human nature.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.zdnet.com/article/your-biggest-cyber-crime-threat-has-almost-nothing-to-do-with-technology/">https://www.zdnet.com/article/your-biggest-cyber-crime-threat-has-almost-nothing-to-do-with-technology/</a></p>
<p><a href="#_ftnref2">[2]</a> “Errors and omissions” refers to a type of liability insurance. Errors and omissions insurance, also termed “E&O insurance,” provides policy-holding professionals with coverage against damage suffered as a result of the professional's errors and omissions in rendering professional services.</p></div>Automated Phishing with Ex-Robotoshttps://redskyalliance.org/xindustry/automated-phishing-with-ex-robotos2021-07-27T13:18:01.000Z2021-07-27T13:18:01.000ZJulian Molterehttps://redskyalliance.org/members/JulianMoltere<div><p class="western" align="justify"><span style="color:#000000;"><span style="font-family:Verdana, serif;"><span style="font-size:small;"><a href="{{#staticFileLink}}9318796279,original{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}9318796279,RESIZE_400x{{/staticFileLink}}" width="250" alt="9318796279?profile=RESIZE_400x" /></a>Red Sky Alliance has been monitoring a global phishing campaign which leverages the Ex-Robotos phishing kit to gain access to usernames and passwords of targeted victims. This specific attacker generally targets engineering organizations but has been seen targeting other industries as well. They have been sending out emails since May of 2021, though the tool has been publicly available for purchase since 1 July 2019<a class="sdfootnoteanc" href="#sdfootnote1sym" name="sdfootnote1anc"><sup>1</sup></a>. </span></span></span><span style="color:#000000;"><span style="font-family:Verdana, serif;"><span style="font-size:small;">Phishing plays a major role in cyber-attacks and often leads to data breaches and/or malware activation on the victim system. Training users to search for these threats is critical to preventing a successful phishing attack. 
Indicators of compromise (IoC) and open source YARA rules...</span></span></span></p><p class="western" align="justify"><span style="color:#000000;"><span style="font-family:Verdana, serif;"><span style="font-size:small;">Read the full story here: <a href="{{#staticFileLink}}9318844058,original{{/staticFileLink}}">IR-21-204-001-Ex-Robotos.pdf</a></span></span></span></p><div id="sdfootnote1"><p class="sdfootnote-western"><a class="sdfootnotesym" href="#sdfootnote1anc" name="sdfootnote1sym">1</a><span style="font-family:Verdana, serif;"><span style="font-size:small;"> <a href="https://www.facebook.com/Ex.Robotos">https://www.facebook.com/Ex.Robotos</a></span></span></p></div></div>What the Heck is BEC?https://redskyalliance.org/xindustry/what-the-heck-is-bec2020-12-09T20:52:24.000Z2020-12-09T20:52:24.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}8267325297,original{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8267325297,RESIZE_400x{{/staticFileLink}}" alt="8267325297?profile=RESIZE_400x" width="250" /></a>A Business Email Compromise (BEC) attack begins with a cybercriminal hacking and spoofing emails to impersonate your company’s supervisors, CEO, or vendors. Once in, they request a seemingly legitimate business payment. The email looks authentic and appears to come from a known authority figure, so the unsuspecting employee complies. These fraudsters are increasingly exploiting the auto-forwarding feature in compromised email accounts to help conduct business email compromise scams, the US Federal Bureau of Investigation (FBI) warns. Once again, any out-of-the-ordinary request to issue or authorize payments should be confirmed by voice with a supervisor, director, CFO, and the requesting party. Regular payments are normally authorized and paid in batches on a fixed schedule, such as once a week, for business control purposes. There are multiple authorization levels to ensure compliance with company and GAAP guidelines.<a href="#_ftn1">[1]</a></p>
<p>The FBI notes in an alert made public the first week in December 2020, that since the COVID-19 pandemic began, leading to an increasingly remote workforce, BEC scammers have been taking advantage of the auto-forwarding feature within compromised email inboxes to trick employees to send them money under the guise of legitimate payments to third parties.</p>
<p>This tactic works because most organizations do not sync their web-based email client forwarding features with their desktop client counterparts. This limits the ability of system administrators to detect any suspicious activities and enables the fraudsters to send malicious emails from the compromised accounts without being detected, the alert, sent to organizations in November and made public this week, notes. "If businesses do not configure their network to routinely sync their employees' web-based emails to their internal network, an intrusion may be left unidentified until the computer sends an update to the security appliance set up to monitor changes within the email applications," the FBI says. "This leaves the employee and all connected networks vulnerable to cybercriminals."</p>
<p>Because system audits will not detect email discrepancies or updates, BEC scammers can retain email access to the compromised accounts and then continue with their malicious activities, the alert notes. The FBI reported earlier this year that the bureau had received nearly 24,000 BEC-related complaints in 2019, with the scams generating a total loss of $1.7 billion and an average loss per incident of about $72,000.</p>
<p>The FBI alert highlights two types of BEC scams that take advantage of email-forwarding rules. The first was detected in August 2020, when fraudsters used the email forwarding feature in the compromised accounts of a U.S.-based medical company. The attackers then posed as an international vendor and tricked the victim into making a fraudulent payment of $175,000, according to the alert. Because the targeted organization did not sync its webmail with its desktop application, it was not able to detect the malicious activity, the FBI notes.</p>
<p>In a second case in August 2020, the FBI found fraudsters created three forwarding rules within a compromised email account. "The first rule auto-forwarded any email with the search terms 'bank,' 'payment,' 'invoice,' 'wire,' or 'check' to cybercriminals' email accounts," the alert notes. "The other two rules were based on the sender's domain and again forwarded to the same email addresses."</p>
<p>Chris Morales, head of security analytics at security firm Vectra AI, says that in addition to reaping fraudulent payments, fraudsters can use email-forwarding to plant malware or malicious links in documents to circumvent prevention controls or to steal data and hold it for ransom.</p>
<p>In a keynote presentation at Group-IB's CyberCrimeCon 2020 virtual conference in November, Craig Jones, director of cybercrime at Interpol, noted that BEC scammers are among the threat actors that are retooling their attacks to take advantage of the COVID-19 pandemic. Interpol revealed that it recently worked with others to uncover a massive Nigerian business email compromise gang that was active across more than 150 countries. Several members of the criminal organization were arrested.</p>
<p>"With the COVID-19 pandemic continuing to remain in the forefront of public consciousness, organized criminal groups are taking advantage of new working arrangements and global brands to steal large sums of money," says Mark Chaplin, principal at the London-based Information Security Forum. "Uncertainty will continue to provide criminals with further opportunities. BEC sits firmly on every organization's threat radar and will remain there for the foreseeable future."</p>
<p>Keylogged accounts can also lead to BEC attacks. These keylogged accounts are available on the dark web for sale or for free. Your cyber threat intelligence vendor should be reporting these keylogged account details to you on a daily basis. This service is a standard feature of Red Sky Alliance’s RedXray service.</p>
<p>The FBI recommends several steps that businesses can take to mitigate BEC threats:</p>
<ul>
<li>Ensure the organization is running the same version of desktop and web applications to allow appropriate synching and updates.</li>
<li>Track changes established in email account addresses.</li>
<li>Prohibit automatic forwarding of email to external addresses.</li>
<li>Monitor the email Exchange servers for changes in configuration and custom rules for specific accounts.</li>
</ul>
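<p>The forwarding-rule abuse in the FBI alert, and the last two of its mitigations, come down to reviewing what each mailbox rule does with mail. The Python below is an added example, not the FBI's or Red Sky Alliance's code: it audits a constructed set of inbox rules modelled on the alert, flags any rule that forwards to a domain outside the organization, and raises the severity when the rule is keyed on the financial terms quoted above, on a sender domain, or also deletes or files the message. The InboxRule field names are an assumed, product-neutral schema; populate it from your mail platform's rule export (Exchange's Get-InboxRule cmdlet, for instance). The sample mailbox, addresses and the deleting third rule are constructed for the example.</p>

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Trigger words quoted from the FBI alert's first abusive rule.
FINANCIAL_TERMS = {"bank", "payment", "invoice", "wire", "check"}


@dataclass
class InboxRule:
    """Product-neutral view of one mailbox rule. The field names are an
    assumption for this example; map them from your platform's rule export."""
    mailbox: str
    name: str
    forward_to: List[str] = field(default_factory=list)
    subject_or_body_contains: List[str] = field(default_factory=list)
    from_contains: List[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: str = ""


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def audit_rules(rules: List[InboxRule], org_domains: List[str]) -> List[Dict]:
    """Flag rules that forward mail outside the organization, ranking highest
    the ones that also select financial mail or hide it from the owner."""
    org = {d.lower() for d in org_domains}
    findings = []
    for rule in rules:
        external = [a for a in rule.forward_to if _domain(a) not in org]
        if not external:
            continue  # internal forwards are a policy question, not a BEC signal
        reasons = ["forwards to external address(es)"]
        terms = {w.lower() for w in rule.subject_or_body_contains} & FINANCIAL_TERMS
        if terms:
            reasons.append("matches financial keywords: " + ", ".join(sorted(terms)))
        if rule.from_contains:
            reasons.append("keyed on sender address/domain: " + ", ".join(rule.from_contains))
        if rule.delete_message or rule.move_to_folder:
            reasons.append("hides the message from the mailbox owner")
        findings.append({
            "mailbox": rule.mailbox,
            "rule": rule.name,
            "external": external,
            "severity": "high" if len(reasons) > 1 else "medium",
            "reasons": reasons,
        })
    return findings


# Constructed sample modelled on the alert: three rules in one compromised
# mailbox feeding the same outside address, plus two ordinary rules.
ORG_DOMAINS = ["example-corp.com"]
SAMPLE_RULES = [
    InboxRule("pat@example-corp.com", "Rule 1",
              forward_to=["collector@example-freemail.net"],
              subject_or_body_contains=["bank", "payment", "invoice", "wire", "check"]),
    InboxRule("pat@example-corp.com", "Rule 2",
              forward_to=["collector@example-freemail.net"],
              from_contains=["example-vendor.com"]),
    # The delete action is an assumed extra, not something the alert describes.
    InboxRule("pat@example-corp.com", "Rule 3",
              forward_to=["collector@example-freemail.net"],
              from_contains=["example-bank.com"], delete_message=True),
    InboxRule("pat@example-corp.com", "Out of office cover",
              forward_to=["lee@example-corp.com"]),
    InboxRule("sam@example-corp.com", "Personal copy",
              forward_to=["sam.home@example-freemail.net"]),
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, ORG_DOMAINS):
        print(finding["severity"].upper(), finding["mailbox"], finding["rule"], finding["reasons"])
```

<p>Even the plain "Personal copy" rule is reported at medium severity, which is the point of the FBI's third mitigation: if external auto-forwarding is prohibited outright, every such rule is an exception to investigate rather than a judgment call.</p>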
<p>Red Sky Alliance has been tracking cybercriminals for years. Throughout our research, we have painfully learned through our clients that the installation, updating, and monitoring of firewalls, cybersecurity, and proper employee training are keys to success, yet woefully not enough. Our current tools provide a valuable look into the underground, where malware and its many variants are bought and sold, and help support current protections with proactive underground indicators of compromise. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis for your organization.</p>
<p>Red Sky Alliance has been analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports. Malware comes and goes, but often is dusted off and reappears in current campaigns. </p>
<p>Weekly Cyber Intelligence Briefings:<br /> <a href="https://attendee.gotowebinar.com/register/8782169210544615949">https://attendee.gotowebinar.com/register/8782169210544615949</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.bankinfosecurity.com/fbi-bec-scams-are-using-email-auto-forwarding-a-15498">https://www.bankinfosecurity.com/fbi-bec-scams-are-using-email-auto-forwarding-a-15498</a></p></div>Hackers Typosquat US Construction Companieshttps://redskyalliance.org/xindustry/hackers-typosquat-us-construction-companies2019-12-02T21:00:50.000Z2019-12-02T21:00:50.000ZYury Polozovhttps://redskyalliance.org/members/YuryPolozov<div><p><a href="{{#staticFileLink}}3752022765,RESIZE_930x{{/staticFileLink}}"><img class="align-left" style="padding:10px;" src="{{#staticFileLink}}3752022765,RESIZE_710x{{/staticFileLink}}" width="250" alt="3752022765?profile=RESIZE_710x" /></a>The Red Sky Alliance information sharing portal provided data about a member falling for a business email compromise (BEC). Attackers sent a payment request spoofing a well-known local contractor by changing the TLD from .COM to .US. In total, 113 additional domains were registered by the same actors in August-November 2019.</p><p><strong>Details</strong></p><p>On 26 November 2019, a Red Sky Alliance member shared a fraud report regarding a spoofed local construction company email. The attackers convinced the member’s procurement office to change the billing ACH details to the suspect company in order to process a "past due invoice."</p><p>The attacker domain was registered to "anu blessed" and djh35@mail.com. A total of 114 domains were then registered to the same registrant (see Table 1 and the Indicators table).</p><p>Table 1. 
WHOIS for Djh35@mail.com-registered domain typosquatting Absher Construction Co.</p><table><tbody><tr><td width="180"><p>Domain Name:</p></td><td width="210"><p>absherco.us</p></td></tr><tr><td width="180"><p>Registrar:</p></td><td width="210"><p>NameCheap, Inc.</p></td></tr><tr><td width="180"><p>Creation Date:</p></td><td width="210"><p>2019-09-05</p></td></tr><tr><td width="180"><p>Registrant Name:</p></td><td width="210"><p>anu blessed</p></td></tr><tr><td width="180"><p>Registrant Address:</p></td><td width="210"><p>1018 bentwood way</p><p>atlanta</p><p>GA</p><p>30350</p><p>US</p></td></tr><tr><td width="180"><p>Registrant Phone:</p></td><td width="210"><p>+1.404776778</p></td></tr><tr><td width="180"><p>Registrant Email:</p></td><td width="210"><p>djh35@mail.com</p></td></tr></tbody></table><p>Most of those domains were also impersonating various construction companies throughout the US, and the attackers simply used the same domain name in the .US TLD. In some cases, likely when a domain was already used in the .US zone, they modified the domain. For example, legitimate construction/real estate company Al. Neyer, neyer.com was spoofed with typo-squatted domain alneyer.us.</p><p> </p><p>Serial: TR-19-337-002</p><p>Report Date: 11272019</p><p>Country: US </p><p>Industries: Construction, Education, All</p><p>Prepared by: Yury Polozov</p><p> </p><p>Red Sky Alliance clients: IOCs available in Blacklist channel and by querying Red Sky Alliance CTAC Kibana.</p></div>
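<p>A procurement or mail-gateway check for the TLD swap and prefix padding seen in this report (absherco.com to absherco.us, neyer.com to alneyer.us) can be built from a trusted-vendor domain list. The Python below is an added example rather than Red Sky Alliance's detection logic: it classifies a sender domain as an exact match, a TLD swap, a lookalike (the trusted name with a short prefix or suffix, or within two edits of it), or unknown. The vendor list contains the two domains the report names; the edit-distance threshold, the minimum name length and the single-label TLD handling are assumptions.</p>

```python
from typing import List, Optional, Tuple

# Trusted vendor domains as the report names them; in practice this list
# comes from the accounts-payable vendor master.
TRUSTED_VENDOR_DOMAINS = ["absherco.com", "neyer.com"]


def split_domain(domain: str) -> Tuple[str, str]:
    """Return (registrable name, TLD) for a hostname, e.g. 'www.absherco.us'
    -> ('absherco', 'us'). Assumes a single-label TLD; multi-label public
    suffixes such as co.uk would need a public-suffix list."""
    labels = [l for l in domain.lower().strip().strip(".").split(".") if l]
    if labels and labels[0] == "www":
        labels = labels[1:]
    if len(labels) < 2:
        return (labels[0] if labels else "", "")
    return labels[-2], labels[-1]


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(sender_domain: str,
                           trusted_domains: List[str] = TRUSTED_VENDOR_DOMAINS,
                           max_edits: int = 2) -> Tuple[str, Optional[str]]:
    """Classify as ('exact' | 'tld_swap' | 'lookalike' | 'unknown', matched trusted domain)."""
    s_name, s_tld = split_domain(sender_domain)
    parsed = [(t, *split_domain(t)) for t in trusted_domains]
    for trusted, t_name, t_tld in parsed:
        if (s_name, s_tld) == (t_name, t_tld):
            return "exact", trusted
    for trusted, t_name, t_tld in parsed:
        if s_name == t_name and s_tld != t_tld:
            return "tld_swap", trusted  # the .COM -> .US pattern in the report
    for trusted, t_name, _ in parsed:
        # 'alneyer' = 'neyer' with a short prefix; or a couple of edits away.
        padded = (s_name.startswith(t_name) or s_name.endswith(t_name)) \
            and 0 < len(s_name) - len(t_name) <= 3
        close = len(t_name) >= 5 and _edit_distance(s_name, t_name) <= max_edits
        if padded or close:
            return "lookalike", trusted
    return "unknown", None


def audit_senders(sender_domains: List[str],
                  trusted_domains: List[str] = TRUSTED_VENDOR_DOMAINS):
    """Return only the senders that impersonate a trusted vendor."""
    hits = []
    for d in sender_domains:
        verdict, matched = classify_sender_domain(d, trusted_domains)
        if verdict in ("tld_swap", "lookalike"):
            hits.append((d, verdict, matched))
    return hits


if __name__ == "__main__":
    # Constructed batch of sender domains, two of them from the report.
    for hit in audit_senders(["absherco.us", "neyer.com", "alneyer.us", "unrelated-example.org"]):
        print(hit)
```

<p>Running this against the domains in a day's inbound invoices, or against the bank-change request itself, turns the "past due invoice" lure into a flagged vendor mismatch before the ACH change is processed; the edit-distance rule is kept conservative (names of five or more characters, at most two edits) to limit noise on short vendor names.</p>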