OneNote Audio Note Scam

Phishing scammers are coming up with more innovative methods to convince their targets to provide login credentials. Such is the case with a new OneNote Audio Note phishing campaign that is currently underway.

Bleepingcomputer reports that “this campaign comes in the form of an email with the subject ‘New Audio Note Received’ and claims that you have received a new audio message from a contact in your address book.” In order to listen to the message, of course, you need to click on a link to listen to it.

Of particular interest is that the phishing scammers are now commonly including footer notes stating the email is safe as it was scanned by a security software. Along with the screenshots, it can look convincing. However, when you click on the “Listen to full message here” link, you will be brought to a fake OneNote Online page hosted on Sharepoint.com. This page states that “You have a new audio message” and then prompts you to click on a link to listen to it. And you will have given the scammers your Microsoft login information.

Remember the following to protect yourself from phishing attempts like this: 

• Before clicking, hover over links to see where they are pointing. Never click on a link in a message unless you’re certain the sender is legitimate.
• For that matter, consider who is sending you this audio note. Do you use OneNote? Was this expected? If not, reach out to the supposed sender to check before clicking. 
• Whenever you get an email from an online service you use, log in to your account through your browser, not through links in the email.

More Government Impersonators

The Federal Trade Commission has warned that complaints about scammers impersonating government agencies reached a record high this spring, with more than 46,000 complaints registered in May alone. The majority of these scams purported to come from the Social Security Administration (as I shared in May), but other popular choices for impersonation included the Health Department, the IRS, and various law enforcement agencies.

Most of the scams tried to obtain payment via gift cards, which the FTC says “is a dead giveaway that the consumer is dealing with a scammer.” Six percent of the people who reported the scams said they fell victim, with the median amount of money lost being $960.

The FTC states that the fraudsters use social engineering techniques that are very effective, but that can be easily recognized once someone knows what to look for. “The vast majority of people who report this type of scam say it started with a phone call, and these callers have their mind games down pat,” an FTC blog post said.

“Government impersonators can create a sense of urgent fear, telling you to send money right away or provide your social security number to avoid arrest or some other trouble. Or they can play the good guy, promising to help you get some free benefit like a grant or prize, or even a back brace. Scammers like to make the situation so immediate that you can’t stop to check it out.”

It’s worth keeping in mind that these numbers only reflect the scams that were reported, so the actual number of attempted scams is probably much higher. Providing new-school security awareness training is one of the best ways for organizations to ensure that their employees can resist all types of social engineering.

Stay safe with these tips:

• Pay attention when you get a call out of the blue. If it’s a legitimate government agency, you should be able to get a phone number, possibly a case or account ID, and other ways to verify before sharing your information.
• Remember that payment via gift card should always be a red flag. 
• Check online or contact the official agency yourself before taking any action from a call like this. 

Don’t Be Fooled by the File Type

Be on the lookout for a brand new phishing attachment. The bad guys are using a different type of file to trick you, and it could reach your inbox.

They’re sending phishing emails with SHTML file attachments (.shtml extension). These types of files are typically used on web servers and may not always be caught by spam filters.

If you “open” this attachment, you’ll be brought to a dangerous website that requests sensitive information.

So how can you avoid this?  

• Always check the details, such as file type, on an attachment you weren’t expecting. If you see .shtml, consider whether that makes sense. 
• Never click on an unexpected attachment. Call to confirm with the sender first.
  

Brand Impersonation Attacks are at an All-time High

According to recent reports, phishing attacks that use brand impersonation are at an all-time high. Cyber criminals are posing as familiar companies so they can trick you and get access to your account in order to steal sensitive data or target additional employees.

Here’s how it typically happens:

Attackers send you a standard-looking email appearing to be from a service or company that you use, such as Office 365. In one example, the subject may be a warning about your files getting deleted. Clicking the link in the email will take you to a fake (but very realistic) login page. The most deceiving part of some of these fake pages is that the web address appears to be safe.

The URL may end with a legitimate domain like “windows.net,” because the bad guys are hosting these pages with Microsoft’s Azure cloud services. But if you enter your information here, the bad guys will gain access to one or more of your accounts which they can use to steal data or plan further attacks on your organization.

Remember the following to protect yourself from brand impersonations:

• Look carefully at the domain in sender addresses. Does it say “microsoft.com” or “micronsoft.com”?
• Before clicking, hover over links to see where they are pointing. Never click on a link in a message unless you’re certain the sender is legitimate. 
• Whenever you get an email from an online service you use, log in to your account through your browser, not through links in the email.

Beware of Voicemail Phishing Scams

If your organization uses online voicemail services, you’ve probably used links in notification emails to check your new messages. Lately, scammers are creating look-alike notification messages that trick you into giving up your login credentials.

The fake voicemail notification takes you through a series of steps. First it will prompt you to click a link to listen to your “new message.” Then, you’re directed to a web page containing another link to click on so you can finally hear your new message.

If you click these links, you’ll be brought to a realistic-looking Microsoft sign-in page where you’re prompted for your email and password. If you enter your login details here, the bad guys will have full access to your account, where they can steal sensitive data or perform further attacks on your organization.

Stay safe with these tips:

• If you’re already logged into your email account, you shouldn’t be prompted to log in again. So if you see a new login page, question it.
• Before clicking, hover over links to see where they’re taking you. When asked to log in to an online service, type the web address into your browser rather than using links in the unexpected email. 
• Get familiar with the format of your voicemail notification emails. If you’re ever in doubt, contact the proper department in your organization before clicking on any links or downloading any attachments. 

Google Calendar Meeting Scams

The bad guys are using unsolicited Google Calendar notifications now to trick users into clicking malicious links.

Here’s how it works:

Scammers send a Google user a calendar invite complete with meeting topic and location information. Inside the details of the appointment lies a malicious link that looks like it’s pointing you back to ‘meet.google.com’ for more details. If you click on it, however, typical tactics will be employed to try to infect your machine with malware and so on.

This kind of attack has a massive attack surface, given the number of people utilizing Google’s Calendar service, i.e., millions. It also has contextual appeal by being hidden within a meeting invite and uses a seemingly valid URL for more information.

So how can you avoid this?  

• Stop and think before clicking on any unexpected meeting requests. Do you know the sender? Does the subject make sense?
• Hover over the link before clicking. If it looks legitimate but you still have a bad feeling, trust your gut. Reach out to the sender through a separate email or phone call.
  

Surprise, You’re Getting Sued

A very effective email phishing and malware attack has come out disguised as a nastygram from a law firm. The scam typically notifies you that you’re being sued, and it instructs you to review the attached file and respond within a few days — or else. The kicker? The attached Word documents are booby-trapped with a trojan used to drop malware on your computer.

This scam was discovered as part of a phishing kit. That’s right, there are ready-made kits hackers can purchase, customize, and put in play. It has some spelling mistakes and awkward grammar that might tip off the vigilant reader, but what’s troubling is how the phishing kit included five booby-trapped Microsoft Word docs to choose from, and none of those files were detected as malicious by more than three of the five dozen or so antivirus products that scanned the Word docs on May 22, ten whole days after they were spammed out.

Also of concern? A legitimate law firm was spoofed in this attack. According to reports, someone had recently called them to complain about a phishing scam, but beyond that the firm didn’t have any knowledge of the matter.

So aside from putting your own lawyer on speed dial, what can you do to avoid this scam?

• Anytime an unsolicited email evokes a strong emotion (such as fear), stop and think before you click. Look up the law firm online, and call them. Do not click on any links or use any contact information in the message.
• Try to remember that legal proceedings typically require serving papers in person, through the mail, or even by putting a notice in the newspaper. 
• Never open attachments you aren’t expecting, especially from people you don’t know.

Customer Service, How May I Rob You?

In this new age of social media customer service, scammers are seeing opportunity.

As digital giants like Twitter and Facebook scramble to keep up with fake news and fake accounts, some are bound to slip through. So when you want to make a complaint about goods or services and get some sort of fast and public resolution, use caution.

It works like this: you tweet to the company about being overbilled or missed delivery, etc. A very similarly named account that may include “CS” or some customer service variation responds to you.

They’ll ask for basic information such as name, address, and account number or login. But then there’s ‘trouble locating your account’ so further information is requested. This may be your date of birth and phone number.

Once they have your phone number, they call posing as the company and can request even more personal information in a seemingly reasonable way. This may include the bank account you use to pay that company and possibly some security questions for “verifying.”

You’re happy to do whatever it takes to get resolution to your problem, so you may not realize that you’ve now handed over the keys to your entire bank account and login details that can be sold on the Dark Web.

This very scam was used in England to wipe out a woman’s bank account and take out multiple loans in her name. So what can you do, especially when it seems that a public complaint is the only way to get some attention?

• Check to see if the account is verified on Twitter or Facebook or whatever social platform you’re using. Not all businesses will be verified, but large corporations typically are.
• Visit the company’s website to find out the account(s) they use for customer service. Look at their contact page or hover over their social media icons to see their official handles. 
• Limit your exposure by submitting complaints through the company’s chat or email system, and leave social media for more social pursuits. 

Holiday Hacking

The bad guys are known to use holidays such as Memorial Day to try to get you to click on a dangerous link or download a malicious attachment. They can pose as charities asking for donations, especially for veterans on this holiday, and they often mimic sales from major retailers. These scams will probably crop up again for the Fourth of July.

Whether you’re traveling for the holiday weekend or staying home to take advantage of online shopping deals, be cautious when performing any types of online transactions. Be suspicious of any out-of-the-ordinary emails, and be mindful of what information you’re sharing over your phone when you’re on the road.

• If you’re being asked for donations and it’s not a company you have given to before, navigate to the company’s website independently. Do not click on any of the links in the message. 
• If you receive an incredible deal or offer in your inbox, visit the website independently. Private offers may not be listed publicly, so if you don’t see the deal, call the company before clicking any links in the email.
• If you’re traveling, remember to turn off your mobile device’s Bluetooth when not in use. Cyber criminals can pair with your phone’s open Bluetooth connection and steal personal information.
  

SSN Robocall Scams

Be on the lookout for a popular robocall scam that is tricking people into believing their Social Security number (SSN) has been suspended.

The robocall tells you to call the number provided to speak with a government agent about the issue. Some of the robocalls even threaten to issue an arrest warrant if the victim doesn’t respond.

When you call the number back, you are actually speaking with a fake government agent. This scammer will try to trick you into giving up sensitive personal information like your SSN, birth date, and bank account number.

Always remember the following to stay safe from tricks like this:

• Your Social Security Number can never be suspended.
• The Social Security Administration will never threaten to arrest anyone.
• You should not share any personal information with someone you don’t know over the phone.
• If you get this type of call, hang up immediately and report the call to the appropriate agency.

PDFs as Phishbait

The use of malware-laden PDF email attachments has spiked in recent months, internet security company SonicWall has found. Over the course of 2018, SonicWall detected 47,000 new attack variants using PDFs, while they observed more than 73,000 of these variants last month alone. 67,000 of these PDFs linked to scammers, while 5,500 contained links to malware downloads.

John Oates at the Register writes, “Other attacks have been known to nick login details by tricking the user into opening malicious PDFs that use remote document loading mechanisms to capture and leak your credentials.”

Most of the attacks observed by SonicWall simply used PDFs to smuggle malicious links through email security filters. Many security filters struggle to analyze content inside PDFs, so an attacker stands a better chance of getting through to their victim if they place the link in one of these files.

SonicWall notes that PDFs are generally thought of as a safe file type, so users often don’t hesitate to open them. Given the pervasiveness of PDFs within corporate and government environments, employees need to know how to avoid these attacks.

How to protect yourself:

• If you receive a message with an attachment from someone you don’t know, do not open the attachment. Even if it’s a pdf.
• Never click on a link in a message or in an attachment unless you know the sender is legitimate.
• If you think the message is okay, always hover over links to see where they are taking you. If you’re unsure, don’t click!

Fake Emails from HR

The bad guys know how easy it is to trick you with emails that spoof–or appear to come from–your Human Resources team. These attacks are everywhere right now.

The emails are often centered around topics such as “new” or “updated” policies, employee benefits, employee handbooks, payroll, and W-2 information.

Whenever you receive an email from your HR team, you may feel compelled to open the email and address it right away. The sense of authority that comes with HR emails is how the bad guys trick you. They’re counting on you falling victim to this sense of authority so you end up clicking before you think

If you receive an unexpected email appearing to come from your HR team, or an HR-related service, always remember the following:

• Pick up the phone and speak with someone who can confirm the request is valid BEFORE you click on any links or download any attachments.
• Log in to the HR-related service account through your browser (not through links in the email) to check the validity of the information in the email.
• If it’s a scam, immediately report the message to your IT team and your HR department.
  

Robocall Scams

Bad actors are automating robocall scams worldwide. Recently, there has been a rise in this type of fraud. They have a variety of attacks that you should watch out for.

Here are a few examples:

• Bank account and credit card scams where the bad guy claims to be an official from your bank or credit card company
• Extortion scams where they request payment for a kidnapped friend or family member
• Callback scams where you are tricked into calling back a very expensive international number

Always be suspicious when a company calls you requesting action right then over the phone. Legitimate businesses will typically contact you via email or by letter to notify you of issues with your account and inform you of any corrective steps.

If you receive a call from a company urging you to complete a request, politely get off the phone and then call the company directly to investigate. Scammers can spoof any number they like, so even if it looks legitimate, it can be fake.

Never provide personal information over the phone unless you’re the one who initiated the call.

Consider getting on the national Do Not Call registry. The FTC allows you to report numbers that do not comply after you’ve been on the list for 31 days. You can also report robocalls whether or not you are on the list.

Malware thru Messaging Apps

As if email and phone calls aren’t enough, bad actors are using popular messaging apps to trick you into downloading malware. These scammers know you’re used to looking out for suspicious emails, so they’re hoping to catch you off guard in the messaging apps you may use.

The attack is simple: The bad guys send a malicious link in apps such as Skype and Facebook Messenger. If you click on this link, a complex attack begins and you’re left with a ransomware-infected machine.

Don’t fall for this messaging scam!

If you receive a suspicious message from someone you don’t know, don’t even open it.

Never click on a link in a message unless you know the sender is legitimate.

If you think the message is okay, always hover over links to see where they are taking you. If you’re unsure, don’t click!

Child P0rn Phishing Attack

This new blackmail/sextortion scam is pure evil.

You get an email that claims the CIA is about to bust you for child p*rn unless you pay 5,000 dollars to have the sender delete your records. It includes a case number and (fast-approaching) fictional arrest date.

What makes this especially dangerous, even for those who know they have never looked at anything being described, is that there is a link you might be tempted to click for information, whether out of shock, fear, or curiosity.

That link, once clicked, will install the very materials they claim you’re going to get arrested for and will add related searches to your browsing history. Then they notify the authorities about you!

Always resist the urge to click when it is strongest. Any message that scares you that much or makes you so angry is most likely an attempt to override your logic and good sense.

Immediately report such a message to your IT team.

Tech Support Scans

You’re browsing online. The attack usually goes like this: First, you receive a fake Windows Alert pop-up message claiming “Your PC might be infected” and to “click OK to do a quick 10-second scan.”

When you click OK, a very realistic-looking, but very fake, ”system scan” runs within your browser. The scan looks almost identical to your antivirus software’s real system scans.

Once the “scan” ends, you’re told that your PC is indeed infected and that you need to download and install an update to the antivirus software. Don’t do it! This “update” is actually an unwanted application that will install onto your computer.

Never trust internet pop-ups. They often use scare tactics to get you to call a number for tech support or download an application to “fix” the problem.

Go to your IT administrator (if at work) or a reputable computer repair company (if at home) if you think something is wrong with your computer.

Dangerous Office Attachments Bypassing Email Security

As always, be suspicious of email attachments because attackers are finding new ways to get around email security filters. The latest attack includes Microsoft Office attachments containing hyperlinks to dangerous websites.

If you unknowingly download one of these attachments and click on a link from within the document, you will be brought to a malicious website that steals your sensitive information. This particular attack is usually carried out with Microsoft Word attachments, but dangerous links are certainly not limited to files with .docx file extensions. This attack could occur with almost any file type.

Remember the following to prevent this type of attack from happening to you:

• Never open attachments from people you don’t know.
• Don’t open any attachment unless you have asked for it or have verified with the sender (through a channel other than email) that it is legitimate.
• Before clicking on any link in an email or email attachment, hover over it to see where it will take you.

Bogus Job Offers

This one is tricky. A series of phishing campaigns are targeting companies in various industries with phony job offers using direct messages on LinkedIn, according to researchers at Proofpoint.

The attacker initially makes contact by sending an invitation to the target on LinkedIn with a short message regarding a job opportunity.

Within a week after the target accepts the invitation, the attacker will send a follow-up email with either a link or a PDF attachment that contains embedded URLs.

These links take the target to a spoofed version of a real staffing service, which forces the download of either a Word document or a JScript loader. This document or loader will result in the installation of a JScript backdoor known as “More_eggs” which can then install malware or be used to gather information from the machine.

You expect strangers to reach out to you about jobs on LinkedIn, so you’ve got to be incredibly vigilant to avoid this.

• Do some independent research on the supposed offer.
• If you can’t find out about the company or position, Google the person contacting you.
• Look very carefully at the staffing service site you’re directed to. Make sure there are no tricky spellings in the URL or missing or strange information in the rest of the website.
• Remember to always be suspicious of downloads.