Security News

Attackers exploiting an array of Google Services, including Forms, Firebase, Docs and more to boost phishing and BEC campaigns. Armorblox co-founder and head of engineering Arjun Sambamoorthy just published a report detailing how now-ubiquitous services like Google Forms, Google Docs and others are being used by malicious actors to give their spoofing attempts a false veneer of legitimacy, both to security filters and victims.

A blog post published Thursday by cybersecurity firm Armorblox details how phishing campaigns are using some of the technologies available from Google and offers advice on how to protect yourself. In the post entitled "OK Google, Build Me a Phishing Campaign," Armorblox's co-founder and head of engineering, Arjun Sambamoorthy, explains that Google is a ripe target for exploitation due to the free and democratized nature of many of its services.

While online holiday shopping is nothing new, more of us will be avoiding the malls and brick-and-mortar stores this year - which opens up big opportunities for cybercriminals. We already know that COVID-19-related phishing scams skyrocketed 600 percent between February and March this year, shortly after the pandemic took hold across Europe and the U.S. This year, along with the usual garden-variety holiday scams, we're likely to see more phishing attacks both directly and indirectly related to the pandemic.

Google offers a wide array of free software and services that allow users to create documents, spreadsheets, online forms, and free websites. The first Google tool we will look at is the free form creation service called Google Forms that lets anyone create free online surveys that can then be sent to other users.

Jack Wallen shows you how to run a phishing simulation on your employees to test their understanding of how this type of attack works.

New research shows that 77 percent of pharmaceutical mobile phishing attempts in the third-quarter of 2020 sought to deliver malware on victims' systems. "On a global scale, there have been multiple reports of foreign adversaries targeting pharmaceutical industry executives with mobile spear phishing attacks," according to Hank Schless, senior manager of security solutions at Lookout wrote on Tuesday in an analysis of the trend.

Microsoft is tracking an ongoing Office 365 phishing campaign that makes use of several methods to evade automated analysis in attacks against enterprise targets. The phishing emails used in this campaign are also heavily obfuscated to make sure that secure email gateways will not be able to detect the malicious messages and automatically block them before they land in the targets' inboxes.

Fake shipping notices and charity frauds are two scams cited by the security company GreatHorn, which offers tips to consumers on how to avoid them. In a blog post published on Thursday, security company GreatHorn warns of four different scams likely to pop up this season and offers advice on how to combat them.

Nuspire released a report, outlining new cybercriminal activity and tactics, techniques and procedures throughout Q3 2020, with additional insight from Recorded Future. Malware campaigns, like Emotet, utilized these events as phishing lure themes to assist in delivery.

A new email tool advertised on a cybercriminal forum provides a stealthier method for carrying out fraud or malware attacks by allowing messages to be injected directly into the victim's inbox. Called "Email Appender," the tool can enable more sophisticated phishing and business email compromise attacks as well as help the less technical actors in the ransomware business.