Tuesday, November 5, 2024

New Password Hacking Warning For Gmail, Facebook And Amazon Users


Updated 08/29 with details of a phishing campaign that’s using particularly hard-to-detect attack methodologies.

New threat analysis from researchers at Kaspersky has revealed a dramatic rise in the number of password-stealing attacks targeting Amazon, Facebook and, most of all, Google users. Here’s what you need to know.

Amazon, Facebook And Gmail Are A Magnet For Password Hackers

It should come as no surprise that the likes of Gmail, Facebook, and Amazon account credentials are so sought after by malicious hackers. After all, such accounts can be used to complete the cybercrime triumvirate of data theft, malware distribution and credit card fraud respectively. Google accounts, in particular, are something of a skeleton key that can unlock a treasure trove of other account credentials and personal information to commit fraud. Just think about the information that is contained in your Gmail inbox, and the chances are high that you have one given how popular the web-based free email service is. And that’s before you consider how many organizations still send password change requests and second-factor authentication links to your email account.


Kaspersky analyzed a total of 25 of the biggest and most popular global brands in order to determine which are targeted most by cybercriminals when it comes to phishing attacks. The researchers found, Kaspersky said, that there were around 26 million attempts to access malicious sites masquerading as any one of these brands in the first half of 2024 alone. That represents an increase of approximately 40% from the same period in 2023.

Phishing Attacks Against Google Increased By 243%

Sitting at the top of the phishing target pile, for all the reasons already mentioned, was Google. When it comes to attempting to steal credentials such as passwords, Google remains a firm favorite on the cybercriminal attack radar. Kaspersky said it had seen a 243% increase in attack attempts for the first six months of 2024, with some 4 million such attempts blocked by Kaspersky security solutions during this period.

“This year has seen a significant increase in phishing attempts targeting Google,” Olga Svistunova, a security expert at Kaspersky, said, confirming that a criminal who gains access to a Gmail account “can potentially access multiple services, making it a prime target.”

Facebook users saw 3.7 million phishing attempts according to the Kaspersky research, which has yet to be published publicly online, while Amazon was on 3 million. Microsoft, DHL, PayPal, Mastercard, Apple, Netflix and Instagram completed the top ten most targeted brands list. Although they didn’t make the top ten, Kaspersky said that other brands seeing a dramatic increase in targeting during the first six months of the year included HSBC, eBay, Airbnb, American Express, and LinkedIn.

It’s important to note, however, that Kaspersky security researchers have put this rise down to an increase in fraudulent activity and not any decline in vigilance on the part of the targeted users.


Attackers Are Using Direct Calls And Text Messages In New Campaign

According to researchers Rui Ataide and Hermes Bojaxhi from the GuidePoint Research and Intelligence Team, a new and worrying ongoing phishing campaign targeting more than 130 U.S. organizations has been identified. The term “highly sophisticated threat actor” has been misused so much that it is now almost worthless, but the tactics and intrusion capabilities used by this as yet unnamed attacker have prompted the GRIT researchers to attach the epithet to this campaign.

As is often the case in so-called spear-phishing campaigns, the starting point for this attack is to target individuals within organizations rather than taking a scattergun approach to the entire business address book. The researchers said that, since June this year, the threat actors have registered at least eight domain names crafted to resemble those of the legitimate virtual private network technologies used by the targeted organizations themselves. That is further proof of a highly motivated attacker doing its homework for an attack on specific users of particular enterprises. “This attack starts with the targeting of individual users within an organization to harvest credentials as well as one-time passcodes via social engineering methods,” the researchers said.

Although not new in and of themselves, social engineering techniques that fall outside the focus of most traditional security tools, such as calls and messages to users’ smartphones, further obscure the phishing activity. As the researchers pointed out, unless users actually report receiving the calls or messages, security teams will be none the wiser. This wouldn’t be overly concerning if it were just a one-off that the recipient recognized for what it is, but it becomes important when, as the report noted, multiple individuals are targeted until a successful result is achieved. Patterns are important when it comes to cybersecurity defense. The calls are made to appear as if they originate from IT staff within the target business and concern a VPN login fault. The threat actor then sends a successfully convinced user a link by text message to a malicious site that uses the relevant custom VPN domain and a cloned login interface, where credentials are then entered.

The GRIT researchers suggest that, in order to mitigate this campaign, security teams should check logs for specific suspicious activity “from VPN assigned IP addresses from the past 30 days from the day of this notification.” If there are any signs of compromise, this might mean there’s an immediate threat of a potential ransomware attack. “You should immediately declare an incident and perform a thorough investigation,” they said. Education is also important, so making users aware of social engineering and phishing in general is a given, but this awareness needs to be kept up to date. “Inform your users of this type of social engineering method for awareness, and to immediately report calls from unknown numbers claiming to be part of the IT or help desk staff,” the researchers concluded.
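The two defensive steps above, spotting lookalike VPN domains and reviewing the last 30 days of logs, can be scripted. The example below is added here and is not GuidePoint’s tooling; the legitimate hostnames, brand tokens, proxy-log layout and log lines are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed for this example: the organisation's own VPN hostnames and the
# brand tokens an attacker would reuse. Not taken from the GuidePoint report.
LEGIT_VPN_HOSTS = {"vpn.example-corp.com", "sslvpn.example-corp.com"}
BRAND_TOKENS = ("example-corp", "examplecorp")
# Constructed proxy-log layout: "<ISO timestamp> <client IP> <method> <URL>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) \S+ https?://(?P<host>[^/\s:]+)")

def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values flag near-miss spellings of our VPN names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(host: str, max_distance: int = 3) -> bool:
    """True for a host that is not ours but is built to resemble our VPN portal."""
    host = host.lower().rstrip(".")
    if host in LEGIT_VPN_HOSTS or host.endswith(".example-corp.com"):
        return False
    stem = host.rsplit(".", 1)[0]  # drop the TLD so .net/.com swaps still match
    near_miss = any(levenshtein(stem, h.rsplit(".", 1)[0]) <= max_distance for h in LEGIT_VPN_HOSTS)
    branded = "vpn" in host and any(tok in host for tok in BRAND_TOKENS)
    return near_miss or branded

def scan_proxy_log(lines, notified_at: datetime, lookback_days: int = 30):
    """Return (timestamp, client IP, host) for lookalike hits in the lookback window."""
    start = notified_at - timedelta(days=lookback_days)
    hits = []
    for m in filter(None, map(LOG_RE.match, lines)):  # skips malformed lines
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        if start <= ts <= notified_at and is_lookalike(m["host"]):
            hits.append((m["ts"], m["src"], m["host"]))
    return hits

# Constructed sample log: one legitimate login, two lookalike hits, one hit
# older than the 30-day window, one unrelated site.
SAMPLE_LOG = [
    "2024-08-12T09:14:02Z 10.8.0.15 GET https://vpn.example-corp.com/login",
    "2024-08-20T17:41:09Z 10.8.0.15 GET https://vpn-example-corp.net/login",
    "2024-08-22T08:03:55Z 10.8.0.22 GET https://examplecorp-vpn.com/portal",
    "2024-06-01T12:00:00Z 10.8.0.22 GET https://vpn-example-corp.net/login",
    "2024-08-23T10:10:10Z 10.8.0.31 GET https://www.google.com/",
]
NOTIFIED_AT = datetime(2024, 8, 29, tzinfo=timezone.utc)  # the "day of this notification"
```

Running `scan_proxy_log(SAMPLE_LOG, NOTIFIED_AT)` returns the two in-window lookalike hits and their client IPs, which is the starting point for the investigation the researchers describe.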

Microsoft Targeted By New Upswing In QR Code Phishing

Microsoft might only have come fourth in the Kaspersky list of attacks targeting brands, but one phishing technique has seen the Redmond giant rocket in recent months. According to a new report by Jan Michael Alcantara, a threat research engineer at Netskope, “a 2,000-fold increase in traffic to phishing pages delivered through Microsoft Sway” was tracked across July 2024 alone. Microsoft Sway is freely available to users of Microsoft 365 as a cloud-based application for creating visually rich documentation, newsletters and presentations. Alcantara notes that when opening a Sway page, a potential victim is already logged in to their Microsoft 365 account, which adds an air of legitimacy to the phishing attempts. Those attempts, as tracked by Netskope at least, target Microsoft Office credentials through the use of QR codes. The target is advised to scan a QR code on their smartphone for ease of use, but the real reason is to bypass the stricter security measures found on corporate laptops. This particular campaign used some interesting techniques to avoid arousing suspicion, such as a CAPTCHA test to protect against static URL scanners and an attacker-in-the-middle technique where the real login URLs are then substituted for the phishing ones to collect the credentials, allowing the threat actor to log in as the victim.


Unicode QR Code Phishing Evades Detection In Novel Ways

A new variant of QR code phishing has been outlined in some technical detail by J Stephen Kowski, the field chief technology officer at SlashNext, in a LinkedIn article. Whereas the more familiar type of QR code phishing attack relies upon an embedded image-based QR code to redirect users to a malicious site, Unicode QR code phishing takes an altogether different approach. “Attackers have now begun crafting QR codes using Unicode text characters instead of images,” Kowski said, which leave defenders facing three main problems: evasion of image analysis, perfect screen rendering and a duality of appearance between screen rendering and plain text to complicate detection even further. “This development underscores a crucial point we’ve long emphasized,” Kowski said, “phishing is no longer confined to email.”
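Because a text-rendered QR code is invisible to image scanners, a complementary check has to look at the message text itself. The example below is an added detection heuristic, not SlashNext’s method: it flags runs of lines built from Unicode block-element glyphs that are tall enough and uniform enough to form a scannable grid. The sample message and its dummy grid are constructed.

```python
# Unicode Block Elements (U+2580..U+259F: ▀ ▄ █ ▌ ▐ and shades) plus the
# geometric squares ■ □ are the glyphs a text-rendered QR grid is drawn with.
MODULE_CHARS = {chr(c) for c in range(0x2580, 0x25A0)} | {"\u25a0", "\u25a1"}
LIGHT_CHARS = {" ", "\u00a0", "\u3000"}  # ordinary, no-break and ideographic space

def is_block_line(line: str, min_len: int = 11, min_ratio: float = 0.4) -> bool:
    """A line made only of module glyphs and spaces, with glyphs in the majority."""
    s = line.rstrip()
    if len(s) < min_len:
        return False
    glyphs = sum(ch in MODULE_CHARS for ch in s)
    only_grid_chars = all(ch in MODULE_CHARS or ch in LIGHT_CHARS for ch in s)
    return only_grid_chars and glyphs / len(s) >= min_ratio

def find_text_qr(body: str, min_rows: int = 11):
    """Return (first_line, last_line, width) for each run of block lines tall and
    uniform enough to be a QR grid. 11 rows is the smallest QR (21 modules)
    drawn with half-block characters, which pack two modules into each row."""
    lines = body.splitlines()
    runs, start = [], None
    for i, line in enumerate(lines + [""]):  # sentinel flushes a trailing run
        if is_block_line(line):
            if start is None:
                start = i
            continue
        if start is not None:
            widths = [len(l.rstrip()) for l in lines[start:i]]
            if i - start >= min_rows and max(widths) - min(widths) <= 2:
                runs.append((start, i - 1, max(widths)))
            start = None
    return runs

# Constructed sample message. The 21x21 grid is a deterministic dummy pattern
# with the shape of a text QR; it is not a scannable code.
GRID = ["".join("█" if (r * 7 + c * 3) % 5 else " " for c in range(21)) for r in range(21)]
SAMPLE_BODY = "\n".join(
    ["Hello,", "Scan the code below to restore your mailbox access:", ""]
    + GRID
    + ["", "IT Helpdesk", "────────────", "████ 50% OFF ████"]
)

if __name__ == "__main__":
    for first, last, width in find_text_qr(SAMPLE_BODY):
        print(f"possible text QR: lines {first}-{last}, {width} columns wide")
```

The box-drawing signature separator and the “████ 50% OFF” banner in the sample are deliberately not flagged: the first uses glyphs outside the block-element range, the second mixes in ordinary text.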

Advice to prevent falling victim to a phishing attack, including methods of reporting any attempts, is available here online from Google, Facebook, Amazon and Microsoft.
