Security News
The goal is to concoct phishing emails and landing pages so convincing that they can fool even the most sharp-eyed user. A new phishing campaign described by phishing awareness provider Cofense in a Friday blog post uses several tactics to appear legitimate.
On August 20, 2020 the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency issued a joint security advisory, warning about an ongoing wave of vishing attacks targeting the US private sector. Vishing is a form of criminal phone fraud, combining one-on-one phone calls with custom phishing sites.
The 2020 Phishing Attack Survey gleaned insights into the phishing landscape in August from 317 IT and cybersecurity professionals in the US, finding that email phishing attacks have become more successful during the COVID-19 pandemic. Despite only 6% of phishing attacks resulting in a breach, 36% of respondents said they were not confident that employees at their organizations would be able to spot and avoid an email phishing attack in real-time.
The SharePoint link you're expected to click to reach the OneNote file does look suspicious, because there's no clear connection between the sender's company and the location where the OneNote lure is hosted. It's only at this stage that the crooks present their call-to-action link: the click they didn't want to put directly into the original email, where it would have stood out more obviously as a phishing scam.
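One way to turn that observation into a mail-gateway check: flag a SharePoint or OneDrive link whose tenant label bears no relation to the sending organisation's domain. This is an added example, not code from the article or from Sophos; the sender address, tenant names and URLs are constructed sample data, and the domain-to-tenant comparison is a deliberately simple substring heuristic.

```python
# Added example (not from the original article): heuristic check for mismatched
# sender domain vs. SharePoint/OneDrive tenant in an email body.
import re
from email import message_from_string
from typing import List, Optional
from urllib.parse import urlparse

URL_RE = re.compile(r'https?://[^\s"<>]+')
# Matches <tenant>.sharepoint.com and <tenant>-my.sharepoint.com (OneDrive for Business).
TENANT_RE = re.compile(r'([a-z0-9-]+?)(?:-my)?\.sharepoint\.com')


def sender_org(from_header: str) -> str:
    """Organisation label of the sender's domain: 'contoso' for ap@contoso.com.
    Takes the label left of the last dot; good enough for .com/.org/.net-style domains."""
    m = re.search(r'[\w.+-]+@([\w.-]+)', from_header)
    if not m:
        return ""
    labels = m.group(1).lower().split('.')
    return labels[-2] if len(labels) >= 2 else labels[0]


def sharepoint_tenant(url: str) -> Optional[str]:
    """Tenant label for a SharePoint/OneDrive URL, or None for any other host."""
    host = (urlparse(url).hostname or "").lower()
    m = TENANT_RE.fullmatch(host)
    return m.group(1) if m else None


def suspicious_share_links(raw_email: str) -> List[str]:
    """Return SharePoint/OneDrive links whose tenant does not contain the sender's org label.
    Only single-part text messages are handled; a real gateway would walk MIME parts."""
    msg = message_from_string(raw_email)
    org = sender_org(msg.get('From', ''))
    body = msg.get_payload() if not msg.is_multipart() else ""
    flagged = []
    for url in URL_RE.findall(body):
        tenant = sharepoint_tenant(url)
        if tenant is None:
            continue  # not a SharePoint/OneDrive link; out of scope for this check
        if org and org in tenant:
            continue  # e.g. contoso.com sending from contoso-my.sharepoint.com: plausible
        flagged.append(url)
    return flagged


# Constructed sample messages (hypothetical addresses and tenants).
LURE = """From: Accounts Payable <ap@contoso.com>
To: victim@example.org
Subject: Shared document: Invoice_0831

Please review the shared OneNote:
https://northwind-my.sharepoint.com/personal/j_doe/Documents/Invoice_0831.one
"""

LEGIT = """From: Accounts Payable <ap@contoso.com>
To: victim@example.org
Subject: Shared document: Invoice_0831

https://contoso-my.sharepoint.com/personal/ap_contoso_com/Documents/Invoice_0831.one
"""

if __name__ == "__main__":
    print("lure  :", suspicious_share_links(LURE))   # one flagged URL
    print("legit :", suspicious_share_links(LEGIT))  # []
```

The check only fires on the first-stage link; it says nothing about the call-to-action URL inside the OneNote page, which is exactly why the attackers staged it that way. It also accepts any tenant that merely contains the sender's label, so treat it as a triage signal rather than a verdict.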
Researchers discovered the new malware being distributed over the past six months through two separate campaigns. "Based on the use of publicly known sender addresses associated with Tibetan dissident targeting and the delivery of Sepulcher malware payloads, [we] have attributed both campaigns to the APT actor TA413," said Proofpoint researchers in a Wednesday analysis.
The frequency of phishing threats has risen considerably since the pandemic started, with companies experiencing an average of 1,185 attacks every month, according to a survey from GreatHorn. The report broke down how companies have actually fared against phishing attacks throughout the crisis and how the time and money budgeted for cybersecurity has fluctuated over that period, and asked participants to assess their own awareness of, and proficiency in, identifying and avoiding phishing emails.
Agari reported that the average wire transfer loss from BEC attacks reached a new high, spiking from $54,000 in Q1 2020 to $80,183 in Q2 2020 as spearphishing gangs reached for bigger returns. Over the same second quarter, the average value of gift cards requested by BEC attackers was $1,213, down from $1,453 in the first quarter of 2020.
Stop us if you've heard this one before: a remote-code execution vulnerability needs patching in Pulse Secure VPNs. Professional code-probers at GoSecure uncovered a host of security flaws, including CVE-2020-8218, which it publicly disclosed this week after a patch was issued. What we do know is that CVE-2020-8218 can be exploited to execute code on the VPN system by tricking an administrator into, say, opening a URL. "Many vulnerabilities had been found in previous versions of the VPN, so we were eager to see if we could find shortcomings of our own in the latest one," GoSecure's Jean-Frédéric Gauron explained.
Turkish-speaking cybercriminals are sending Instagram users seemingly legitimate messages from the social media company, with the aim of stealing their Instagram and email credentials. While previous phishing messages leveraging Instagram as a lure have been sent via email, the attackers in this campaign send the phishing messages on Instagram's platform itself.
The latest variant of this trojan extracts email threads from Outlook, which it uses for phishing attacks, says Check Point Research. A new phishing campaign analyzed by threat intelligence provider Check Point reveals how the old Qbot trojan has been repurposed to phish people by capturing their email threads.