At a glance.
- Ransomware hits US school district.
- Ransomware campaign hits financial services.
- Craigslist phishing.
US school district hit by ransomware.
The Janesville School District in the US state of Wisconsin has suffered a ransomware attack that shut down their servers, leaving staff, students, and parents unable to access necessary platforms. As Channel3000.com explains, the district says no data has been stolen, and they have not yet received a ransom request. Wisconsin’s Division of Enterprise Technology Cyber Response Team, the Federal Bureau of Investigation, and the Department of Homeland Security have been notified.
Russian ransomware group revives attacks on financial sector.
TA505, a Russia-based ransomware gang that first emerged twelve years ago but has grown dormant in recent years, has resurfaced with updated malware and scripting languages and a phishing operation targeting North American financial entities, including banks and credit unions. Dubbed "MirrorBlast," the email campaign directs victims to a fraudulent site where employees are tricked into downloading malicious software onto their company machines. SC Media recounts that the US Treasury Department found TA505 responsible for over $100 million in losses in past years, and that the Department of Justice issued sanctions against alleged gang members. Ivan Tsarynny, CEO and co-founder of Toronto-based client-side security vendor Feroot, explains that financial services institutions are prime targets because "Banks are woefully unprepared to deal with client-side threats... If a criminal is able to deploy a keylogger script on a bank's website, they can capture usernames and passwords, and then can control the FSI customer's bank account. Criminals can make a quick buck without much effort."
Adrien Gendre, Chief Products Officer at Vade, notes that, while they tend to be relatively harder targets, financial services companies aren't immune to such attacks:
"Despite having enterprise cybersecurity budgets, financial services organizations are, like all organizations, vulnerable to phishing attacks because no solution blocks 100% of phishing emails. The moment an email is blocked, a hacker is making adjustments to increase their chances of success on the next try.
"Sophisticated groups like EvilCorp know their targets, and they know what is protecting them: the security infrastructure that is in place, including email security. Many email security solutions are even visible in a simple MX query. This gives the hacker an advantage. When they know what they are up against, they can find a way to reverse engineer the solution and break through.
"When an email does slip through, even a trained user can mistake a highly sophisticated phishing email for a legitimate email. The OneDrive and SharePoint links in the MirrorBlast campaign add an air of legitimacy to the emails, and the use of a redirect from a legitimate service confuses the email filter.
"It ultimately comes down to two things: invisibility and user training. Your security stack should not be visible to cybercriminals, as they will learn how to exploit it, and your users must be trained on the latest threats, not once or twice a year but continually, and particularly after they have made the mistake of engaging with a malicious email."
Ransomware operators exploit fear and greed in Craigslist phishing.
Inky details a phishing operation that preys on Craigslist users by abusing the online classifieds platform's internal mail relay system. The scam messages do appear to be sent from Craigslist's servers, and the targets have active ads on the site, which indicates that Craigslist's systems might have been compromised by the attackers. The target is sent a fraudulent email notifying them that their ad is in violation of Craigslist's terms and conditions, and is instructed to download a form to rectify the situation. The document is, of course, malicious, but uses DocuSign branding and Norton and Microsoft logos to appear legitimate. Judging from the URL, the macro-enabled spreadsheet appears to be linked to Russian-speaking hackers. The malicious code attempts to make external connections to download more components or exfiltrate data, but in trials appears to be unsuccessful, indicating either an error on the part of the hackers or that the malicious content has already been taken down by the hosts.
James McQuiggan, security awareness advocate at KnowBe4, looks at aspects of the scam and sees several elements that should put people on their guard:
"Through training and awareness for phishing, we may ask ourselves questions about the email. Am I expecting this? Do they want me to do something quickly, and do I know the sender? When an exploit impacts an organization from cybercriminals, they already have the customer's trust, so any request drops the guard of the email victim. They recognize the sender and therefore follow the request as accurate. When fear is involved, like a "terms and condition violation," it further bypasses any additional investigation into the email, and the user clicks the link and lets the cybercriminals into their device.
"Users should be reminded of the practice of checking their links and reporting any suspicious emails to their appropriate IT team or simply deleting them. Considering social engineering and phishing are the leading ways for cybercriminals to gain access, it's apparent that humans are the most significant attack vector and require proper education and awareness to recognize these online scams."
Another KnowBe4 expert, Erich Kron, adds an observation on how trusted brands can be used by social engineers:
"By using the trust potential victims have in a well-known brand, and by sending the email from the legitimate email system, this phishing attack has a much higher chance of tricking people. By adding an emotional trigger to the email, telling them they posted inappropriate content, these attackers are making it much more likely that they will click on the included link without first hovering over it to ensure it goes to Craigslist.
"While the use of the Craigslist email service is clever, the link to a Russian website should be a huge red flag to people who are savvy and aware enough to hover over the button before clicking it. In addition, the download of a .zip file containing an .xls file with macros, which will almost always prompt the user for an action to enable the macros, is another huge sign that this email is nothing more than a fake, making it far less likely to be successful."
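As an added example (not code from the article or from any of the quoted experts), a small mail-gateway triage check for the attachment pattern Kron describes: a zip that delivers a macro-capable spreadsheet. The file names and file contents below are constructed stubs, and the flagged .xlsx case extends the idea to macro-free extensions that nonetheless carry a VBA project.

```python
import io
import posixpath
import zipfile

# Legacy and macro-enabled Office formats that can carry VBA.
MACRO_CAPABLE = {".xls", ".xlsm", ".xlsb", ".xlam", ".doc", ".docm", ".dotm", ".pptm", ".ppam"}
# OOXML formats whose extension promises "no macros"; a VBA part inside one is itself a red flag.
OOXML_MACRO_FREE = {".xlsx", ".docx", ".pptx"}

def has_vba_project(office_bytes: bytes) -> bool:
    """True if a zip-based (OOXML) Office file contains a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(office_bytes)) as inner:
            return any(n.lower().endswith("vbaproject.bin") for n in inner.namelist())
    except zipfile.BadZipFile:
        return False  # not OOXML at all, so there is no container to inspect

def flag_macro_attachments(zip_bytes: bytes) -> list:
    """Return (member_name, reason) for each zip member that warrants a macro warning."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = posixpath.splitext(name)[1].lower()
            if ext in MACRO_CAPABLE:
                findings.append((name, f"macro-capable {ext} file delivered inside a zip"))
            elif ext in OOXML_MACRO_FREE and has_vba_project(archive.read(name)):
                findings.append((name, f"{ext} file carries a VBA project despite its extension"))
    return findings

def build_sample_attachment() -> bytes:
    """Constructed sample zip: a legacy .xls lure, a harmless decoy, and an .xlsx hiding VBA."""
    fake_xlsx = io.BytesIO()
    with zipfile.ZipFile(fake_xlsx, "w") as x:
        x.writestr("[Content_Types].xml", b"<Types/>")  # constructed stub
        x.writestr("xl/vbaProject.bin", b"constructed VBA stub")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Terms_Violation_Form.xls", b"\xd0\xcf\x11\xe0 constructed OLE header")
        z.writestr("notice.pdf", b"%PDF-1.4 constructed decoy")
        z.writestr("invoice.xlsx", fake_xlsx.getvalue())
    return buf.getvalue()

if __name__ == "__main__":
    for member, reason in flag_macro_attachments(build_sample_attachment()):
        print(f"FLAG {member}: {reason}")
```

The extension check is deliberately a first-pass triage; a real gateway would also parse the OLE container of legacy .xls files rather than trust the name alone.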
Purandar Das, Co-founder and President at Sotero, sees a variation on an old theme:
"Phishing emails from stolen user credentials are an old scheme. Utilizing a domain that users are used to receiving from, without the sender's id in the address, is a new variation. Utilizing a platform's own email system to deliver emails is also a new variation. There appears to have been a fair bit of analysis behind this attack. That being said, there were sufficient warning signals for most users. The redirection to a OneDrive document, the spreadsheet, and the permissions to override document safety protocols should all have been giveaways. What this demonstrates is the continuing evolution in utilizing ever more complex payload delivery mechanisms. Playing on the fear of losing access, operating behind a veneer of validity, attackers continue to prey on consumers."