Special February Warning:
The Rising Insider Threat – Ransomware Recruiting
KnowBe4 shares the Hitachi ID report that says hackers have approached 65% of executives or their employees to assist in ransomware attacks.
“Since our last survey conducted in November, there has been a 17% increase in the number of employees and executives who have been approached by hackers to assist in ransomware attacks,” the researchers write.
Perhaps you heard about the Tesla employee offered 1 million in 2020 to trigger a DDoS attack.
Kumar Saurabh, CEO and co-founder of LogicHub, explains, “The top ransomware groups are run like well-organized businesses, and paying ‘finder’s fees’ to insiders for access is well worth the investment.”
Click the image to view the infographic from Hitachi ID.
And revisit our article about National Insider Threat Awareness Month (September) here.
1. Supply Chain Scams
Supply chain issues are impacting businesses worldwide. Threat actors like to take advantage of global trends and are using fake ‘shipping delays’ to deceive customers and businesses.
Troy Gill, senior manager of threat intelligence at Zix, a security technology company, explains:
“Over the last couple of months, the Zix Threat Research team has observed threat actors using new tactics to spoof logistics and supply-chain companies, hoping for an easy compromise. With shipping delays and supply shortages expected to continue well into 2022, it’s a good bet that these lures will continue to land in corporate inboxes.”
In fact, International shipping company DHL was the most impersonated brand during the fourth quarter of 2021 (pushed Microsoft out of the top spot) according to researchers at Check Point.
A recent scam works like this.
You receive an email that appears to be from a major shipping company.
The email is designed to get you to click the link, often to download a ‘shipping confirmation’ document. Other variations may imply that you will lose access to a valuable account if you do not respond quickly.
Clicking on that link takes you to a convincing yet fake website that asks for your credentials as if to confirm your email login. If you enter them, you’ve just given them to the criminals.
How can you protect yourself?
- Consider the message–any message–before taking any action. Should you have received a shipping confirmation? Were you expecting anything to be delivered? Do you normally handle that at work? If not, then send the message to your IT team to check before simply forwarding it to a coworker who may think it’s safe because it’s coming from you.
- Always stop before entering your credentials on a page someone else sent you to. If you did not actively navigate to a page you expected to have to log into, then do not enter your credentials.
2. ‘Consent’ Attacks
Be careful of the apps you download.
Scammers have caught on to people not wanting to enter credentials online and are trying a new route. They are creating apps that request access to your email as part of their setup.
Microsoft Security Intelligence identified (and disabled) apps that were asking for OAuth permissions. Granting permission, or consenting to this, allowed the app to create Inbox rules, access contacts and calendars, and pull emails out of your Inbox.
That is unusual behavior for another app to perform, and Microsoft’s app governance feature in Microsoft Defender for Cloud Apps flagged it. But experts warn that new apps will keep trying this, so be on your guard.
What makes this tricky is that we often blindly agree to everything once we’re in installation or setup mode. Terms and Conditions? Agree. Send notifications? Sure. Access email and contacts? Why not.
So how can you stay safe from this?
- The simplest way is to only download apps from reputable sources like the App Store or Google Play. Bad apps can still get in, but they are often quickly reported and removed, and this will always be safer than downloading from a random link somewhere on the internet.
- Train yourself to always ask Why.
If you download an app in order to play a game, why would it need access to your email or your calendar? Many chat or meeting apps want access to your contacts. That seems reasonable. So pay attention to what level of access is being requested. Do they want to just read or be able to add, update, and remove things?
Legitimate apps often explain why – that they want to access your contacts in order to invite them or allow you to communicate with them through the app, for example. If you know it’s a trusted app, like Microsoft Teams, then feel free to give your consent. But if anything seems odd or off to you, don’t blindly agree.
You can almost always add more permissions. It can be very difficult or impossible to remove them after consenting.
3. No Comment
Last July I shared ways that scammers use Google docs to hide malicious webpages and send messages that make it past security scans (because they are legitimately from Google). Now we have a new approach using this same foundation.
Avanan, an enterprise AI cloud security company, has “observed a new, massive wave of hackers leveraging the comment feature in Google Docs, targeting primarily Outlook users [though not exclusively].
In this attack, hackers are adding a comment to a Google Doc. The comment mentions the target with an @. By doing so, an email is automatically sent to that person’s inbox. In that email, which comes from Google, the full comment, including the bad links and text, is included. Further, the email address isn’t shown, just the attackers’ name, making this ripe for impersonators.”
This scam is hard to spot for multiple reasons.
- The comment notification email is likely to come through to you despite security filters because it is truly from Google.
- The email does not show you the email of the sender. A scammer can create any free Gmail account they want, such as john.doe@gmail.com, but the only name that will show in the comment email is the name they created (John Doe), not the full email. So if you know someone named John, you could think this was legitimate.
- The link in the email contains the payload. You do not have to enter credentials. You won’t see an attachment that makes you think twice. You’ll simply be notified that you were mentioned in a comment on a document by ‘John’ with a link to that document.
How can you avoid this trap?
- Be alert for unsolicited Google docs. If you don’t normally work in them or share them with friends, then stop yourself before you click. If you think you recognize the sender’s name, think about whether the included note sounds like them. If you know someone with that name but you don’t know why they’d be tagging you in a comment on something, reach out to them separately from this message. Call, chat, or send them a text to see if it’s legitimate.
- Remind yourself to stop whenever you can’t verify a sender’s email address.
- And if you have any doubts, ask your IT team to check the message for you.
