Security News

Understanding the Payload-Less Email Attacks Evading Your Security Team
2020-06-04 17:24

To boot, the payload-less nature of these BEC attacks evades detection from traditional email security solutions. Unsurprisingly, over the past few weeks the Abnormal Security Research Team has observed that the majority of email attacks have a COVID-19 related element.

ZLoader-Laced Emails Masquerade As CVs From Job-Seekers
2020-06-04 10:00

Cybercriminals are taking advantage of the massive uptick in unemployment across the U.S. in a recent spear-phishing campaign, which purports to be CVs sent from job-seekers - but actually spreads banking credential-stealing malware. Researchers recently uncovered emails that distributed malicious files masquerading as resumes and CVs. The files, attached in Microsoft Excel format, were sent via email with subject lines such as: "Applying for a job" or "Regarding job." As victims opened the attached files, they were asked to "Enable content."

Office 365 users: Beware of fake company emails delivering a new VPN configuration
2020-06-04 08:32

Phishers are impersonating companies' IT support team and sending fake VPN configuration change notifications in the hopes that remote employees may be tricked into providing their Office 365 login credentials. "The sender email address is spoofed to impersonate the domain of the targets' respective organizations. The link provided in the email allegedly directs to a new VPN configuration for home access. Though the link appears to be related to the target's company, the hyperlink actually directs to an Office 365 credential phishing website," Abnormal Security explained.

Anatomy of a business email scam: FBI dossier details how fraudster pocketed $500k+ by redirecting payments
2020-06-03 23:53

Kenenty Hwan Kim, aka Myung Kim, 64, pleaded guilty [PDF] in a Texas court this week to one count of conspiracy to commit money laundering. Using an email address very similar to Chance's, Kim asked Solid Bridge to send a $210,000 check for an invoice to an address in Washington state.

How to protect your organization against Business Email Compromise attacks
2020-06-02 13:45

The Business Email Compromise is a popular type of attack among cybercriminals as it targets businesses and individuals in an attempt to receive money transferred into fraudulent accounts. In another method, the attackers use phishing, credential theft, or other means to gain control of the email accounts of the people they want to impersonate.

Phishing attack spoofs World Health Organization to steal email credentials
2020-05-29 14:15

One group that's been exploited in many of these campaigns is the World Health Organization, a tempting target as it's been trying to manage and direct some of the global efforts toward combatting COVID-19. Spoofing the WHO, a new phishing campaign spotted by security provider Abnormal Security is trying to capture the email credentials of unsuspecting users.

NSA: Russian Agents Have Been Hacking Major Email Program
2020-05-29 03:57

The U.S. National Security Agency says the same Russian military hacking group that interfered in the 2016 presidential election and unleashed a devastating malware attack the following year has been exploiting a major email server program since last August or earlier. It took Williams about a minute of online probing on Thursday to find a potentially vulnerable government server in the U.K. He speculated that the NSA might have issued the advisory to publicize the IP addresses and a domain name used by the Russian military group, known as Sandworm, in its hacking campaign - in hopes of thwarting their use for other means.

Top UN Official Warns Malicious Emails on Rise in Pandemic
2020-05-26 03:44

The U.N. disarmament chief warned Friday that cyber crime is on the rise, with a 600% increase in malicious emails during the COVID-19 pandemic. Russia did not attend the informal council meeting broadcast online, which was the centerpiece of Estonia's council presidency.

‘Coronavirus Report’ Emails Spread NetSupport RAT, Microsoft Warns
2020-05-22 15:39

Attackers use the ongoing coronavirus pandemic as a lure, as well as malicious Excel documents, to convince victims to execute the RAT. Researchers with Microsoft's security intelligence team said this week that the ongoing campaign started on May 12 and has used several hundred unique malicious Excel 4.0 attachments thus far - a trend that researchers said they've seen steadily increase over the past month. The emails are titled "WHO COVID-19 SITUATION REPORT" and claim to give an update on the confirmed cases and deaths related to the ongoing pandemic in the U.S. The attached malicious Excel 4.0 document opens with a security warning and shows a graph of supposed coronavirus cases in the U.S. If a victim enables it, the macro is downloaded and the NetSupport Manager RAT is executed.

Beware of phishing emails urging for a LogMeIn security update
2020-05-21 08:47

LogMeIn users are being targeted with fake security update requests, which lead to a spoofed phishing page. "Should recipients fall victim to this attack, their login credentials to their LogMeIn account would be compromised. Additionally, since LogMeIn has SSO with LastPass as LogMeIn is the parent company, it is possible the attacker may be attempting to obtain access to this user's password manager," Abnormal Security noted.