Conceal Threat Alert: Instagram Users Targeted in Phishing Attack

Abusing Users’ Trust

Email protection firm Armorblox recently identified a credential theft phishing attack targeting over 20,000 users at a national institution within the education industry. The attack leveraged several common techniques to convince the user that the email and linked login page were legitimately associated with Instagram. This example takes advantage of human nature in the same way as several abuse-of-trust attacks we’ve detailed previously in this blog.

The initial email sent by the attackers contained the Instagram and Meta logos and used URLs containing the word “Instagram”, trading on users’ trust in the Instagram and Meta brands to lure them into logging in to “secure your account”. Because the URLs could pass for legitimate ones, and because the lure email looked professional and was free of the spelling and grammar errors typically relied on to spot phishing emails, several techniques taught by cybersecurity training programs would have been ineffective at getting users to report the email as a phishing attack.

Next, the web page that the email linked to also appeared professional and legitimate, using the Instagram and Facebook logos as well as several genuine Instagram links to make the page appear credible. The technique also preyed on users’ concern that their Instagram account had already been compromised, alerting them to an “unusual login” and telling them they needed to enter their old password in order to change it. Of course, this was all a ruse to capture the user’s “old” password.

How Does ConcealBrowse Stop Credential Theft by Phishing?

Fortunately, ConcealBrowse can stop this type of phishing attack in its tracks by providing multiple levels of protection. First, any links users click are scanned by Conceal’s decision engine, which is built on advanced threat intelligence and assigns risk rankings to both reported and unreported infrastructure. Any known or suspected phishing sites are blocked before they are opened. 

Next, ConcealBrowse’s AI-based phishing protection can identify phishing pages by comparing logos on the page with known domain names for the displayed company. In this case, even if the phishing page had never been reported as malicious, ConcealBrowse would have identified the fact that it did not reside on valid Instagram infrastructure – despite containing the Instagram logo – and blocked the user from providing credentials.

All of this powerful functionality is delivered in a simple plug-and-play package that requires minimal setup and configuration for your IT or security teams. In addition, information derived from our intelligence engine about visited URLs is available via our advanced telemetry feeds, and can be easily integrated into the rest of your security stack. 

As social engineering gets more and more advanced, it will become ever more important to have the right tools to keep your network safe from phishing and ransomware. Click here to try ConcealBrowse today.

Browser-Based Threat Alert: BATLOADER

Back in February, Mandiant reported on the discovery of a new piece of malware they called “BATLOADER”. The malware is delivered via malicious web sites disguised as download sites for legitimate consumer software. To increase the reach of the web sites, the attackers used search advertising to steer users who were looking to download certain types of software toward them. A recent blog post by researchers at VMware Carbon Black indicates that the tool continues to be widely distributed.

The tool can be used to deliver several different payloads and is structured so that the early stages of an attack are difficult to detect by traditional means. Once the loader is executed on a system, it utilizes built-in operating system tools to establish itself without creating an easily detectable signature. In other words, it’s extremely important to stop this malware and the web sites that distribute it before it is executed on a targeted machine, because it is unlikely to be detected during the initial stages of infection.

Unlike some malware that takes advantage of zero-day vulnerabilities to compromise a system without user interaction, BATLOADER requires the user to download and execute the malicious file. The attackers use social engineering and misleading web sites to lead users to believe they are downloading legitimate software.

In one case documented in the Mandiant report, the attackers posted a question in a forum asking where to find a copy of Microsoft Visual Studio 2015. The actor then used a second forum account to post a link to one of their malware delivery pages as the “only” location the downloader could be found. While the page linked from the forum post was made to look like a typical download site and the file had a legitimate-sounding name, the installer instead loaded the malware onto the user’s system.

This attack abuses user trust at several levels. First, by posing as legitimate software in paid advertising and in forum conversations, users may view the source as legitimate. Next, once they click on the links that are posted in seemingly legitimate places like Google search results, the files they download have names of legitimate software, making it more likely users will run them.

Fortunately, ConcealBrowse protects against this attack by making decisions about what to load and how to load it based on facts and data, not on trust. Regardless of where a user might come across the links used by the attackers behind BATLOADER – whether a forum they trust or Google search results – ConcealBrowse scans every URL and opens risky sites in a protected cloud environment, not on a user’s device. This prevents sites from automatically downloading files to the user’s machine and ensures that any files downloaded in the protected environment are scanned and, if necessary, blocked before they ever enter your network.

Because the file never makes it onto the user’s machine, the attack is stopped before it can start. This means that the malware never enters your organization’s network, and your cyber security teams never have to track down and remove the malware, repair damaged systems, or deal with lost data.

Click here to try ConcealBrowse today.

Conceal Threat Alert: Phishing Incident Targeting Dropbox

On November 1st, cloud storage behemoth Dropbox reported that attackers had successfully targeted some of their engineers, capturing credentials for the company’s account on GitHub. This gave the attackers access to the company’s source code for internal prototypes, as well as some of the tools used by Dropbox’s security team.

While users of all levels of sophistication are successfully tricked into providing credentials to phishing sites every day, the Dropbox case is notable for a couple of reasons. First, this attack was highly targeted and relatively sophisticated. The attackers identified a specific piece of software tied to GitHub that the Dropbox development team used and sent an email masquerading as the company that makes that software. Next, although Dropbox had systems in place to identify and quarantine phishing emails, those systems only blocked some of the emails while delivering others straight to users’ inboxes.

Even with protections in place, malicious emails still made it to the engineers’ inboxes and Dropbox’s most technically savvy employees were duped into providing their credentials to the attackers. This incident shows that attackers will go to great lengths to develop targeted campaigns and that conventional tools and security awareness only go so far towards stopping them.

Fortunately, ConcealBrowse offers an extra layer of protection against phishing, distrusting risky web sites by default and providing protection even when email filtering fails. Once a user clicks a phishing link, ConcealBrowse goes into action, scanning the URL and any resources loaded by it to ensure they haven’t been flagged as dangerous. At the same time, ConcealBrowse uses advanced AI to analyze the pages for signs of a phishing attack, and blocks attackers at the browser level before the user has an opportunity to provide credentials.

As attackers grow more sophisticated in their targeting and tactics, companies must build zero trust into their operations. ConcealBrowse works in the browser to stop threats before they reach your network.

WWCD: Staying One Step Ahead of the Attack

Last month, Google announced the existence of CVE-2022-307, a zero-day vulnerability in Chrome and other Chromium-based browsers like Microsoft Edge that was already being actively exploited in the wild. What they didn’t say, however, is how long the vulnerability had been exploited, or how long they had known about it before they patched it. Furthermore, while Google released a patch for the vulnerability at the same time as the announcement, users still had to update their browsers before the vulnerability was actually remediated on their machines.

With browser zero days being discovered all the time – and frequently not until they’ve already been exploited – how can companies protect themselves during the period between the initial exploitation and when they are able to install the latest browser update? 

What Would Conceal Do (#WWCD)?

Fortunately, infrastructure associated with these attacks is often discovered in the wild even before the zero-day can be fixed and is included in the intelligence sources ConcealBrowse relies on to make security decisions on behalf of the user. In these situations, ConcealBrowse can keep users safe even if their browser is still unable to stop a given attack.

Because ConcealBrowse checks every URL a browser is asked to load, it always has the latest information on indicators of compromise. This means that if a particular piece of infrastructure has already been associated with malicious activity, ConcealBrowse stops it from opening directly in the user’s local browser, and instead opens it in remote browser isolation. Even if the attack is successfully executed, the exploit is run on a virtual machine in the cloud that will be destroyed after the user’s session. The code is never executed in the user’s browser, so it can’t compromise the user’s device or your network. 

ConcealBrowse stays one step ahead of attackers and can protect users’ systems while software vendors discover vulnerabilities and develop and deploy patches.

#BeCyberSmart – Let’s Talk About Phishing

Let’s talk about phishing. Phishing is the top action variety in social engineering breaches, accounting for over 60% of them according to Verizon’s 2022 Data Breach Investigations Report. Since 2016, phishing has seen an exponential increase in both the email click and do-not-click rates. Let’s be real: phishing is an issue, and it is not going anywhere. This week, the National Cybersecurity Alliance has talked a lot about recognizing and reporting phishing and discussed how it’s a problem that affects all businesses, no matter their size. In fact, 30% of small businesses consider phishing attacks to be their top cybersecurity concern.

Recognize Phishing

According to CISA, phishing is defined as “Attacks that use email or malicious websites to infect your machine with malware and viruses in order to collect personal and financial information. Cyber Criminals attempt to lure users to click on a link or open an attachment that infects their computers, creating vulnerability to attacks.”

Luckily, in this day and age, there is a lot that can be done to prevent users from falling victim to a phishing attempt. First and foremost, users need to understand what they are looking for so that they can ‘see it so that they don’t click it’. While the signs can be subtle, the National Cybersecurity Alliance has provided eight tips on how to spot a phishing email:

  1. Email contains an offer that is too good to be true
  2. Email contains language that is urgent, alarming or threatening
  3. Email contains poorly crafted writing with misspellings and bad grammar
  4. Email is very generic and not personalized to you as the user
  5. Email requests your personal information
  6. Email requires you to click on a link or attachment
  7. Email contains an odd business request
  8. Email address looks odd or unidentifiable

While these are not the only identifiable characteristics of a phishing email, they are among the most common. The main takeaway here is that if you recognize an email as “phishy”, make sure you avoid it and report it.

Report Phishing

So, you think you have been phished? Recognizing the fake email is the most important step in defeating a phishing attempt. Once a user has identified the phishing expedition, reporting the email to your IT manager or security officer can help ensure others do not fall victim to the same attempt. Some companies may even have a built-in plugin as part of their email application to make reporting as easy as possible. The most important thing here is NOT to click on any links. After reporting, ensure the email is deleted and no longer exists on any of your user devices.

Another important aspect of reporting is to ensure users report a phishing attempt even if they have already fallen victim. Sometimes a user does not realize they have been phished until they have clicked on a link or opened an attachment. In these instances, users need to feel comfortable and empowered to reach out to their IT contact to report the phish so that the IT team can investigate and remediate ASAP. This communication can minimize the damage and spread of the malware or other threats that may have been a part of the email. This reality also highlights the importance of investing in a security tool that can minimize the impact of a malicious email.

Invest Against Social Engineering

The reality is, even with cybersecurity awareness training, users are still going to fall victim to clicking a phishing link. As a result, it is important for organizations to explore their options to minimize the impact. Here at Conceal, we are able to isolate a user’s session when they click on a malicious link, keeping the harmful content from ever reaching your organization’s network. By investing in Conceal, you can protect your users from malware, spear phishing and browser-based cyber threats with clientless, zero-trust remote browser isolation. To learn more, request a demo with one of our experts today!

WWCD: Defending Against Browser App Mode Abuse

Bill Toulas at Bleeping Computer recently highlighted a new phishing technique in the wild that is designed to abuse users’ increased likelihood of trusting applications that appear to be desktop applications over those that appear inside a web browser. As with many other types of attacks in the wild, these are designed to take advantage of the fact that experience – and most security training – primes users to expect phishing and other malicious sites to look and behave a certain way.

In the attack Toulas describes, threat actors utilize a little-used feature in Chromium-based browsers to launch web pages in “application mode”. In application mode, the website loads in a clean browser window that hides all the tell-tale signs that the user is on a web site. There are no tabs, no URL bar, no toolbars, nor anything else that normally distinguishes a web application from a desktop one. Since users aren’t primed to suspect phishing pages to load in this type of environment, their guard may be down.

So, What Would Conceal Do (#WWCD)?

We have some good news: Conceal would stop this attack. Since ConcealBrowse protects users by scanning URLs and blocking or isolating them as appropriate, the user’s trust – or lack thereof – is irrelevant.

Let’s take a look at how the attack works, and how ConcealBrowse stops it.

  1. An attacker sends a user a Windows shortcut that launches a web page in Chromium application mode when clicked.
  2. When the user clicks on the icon, the malicious page is loaded in a window that mimics a desktop application but is actually a Chromium window without any of the usual UI elements.
  3. Despite appearances, the page is still a normal web page, and ConcealBrowse scans its URL as well as any other URLs it might call or load.
  4. Because Conceal’s decision engine has flagged the URL as malicious, the page is loaded in a virtual environment in the cloud instead of on the user’s computer.
  5. When the page tries to download a malicious file to the user’s computer, the file is scanned and stopped by ConcealBrowse.
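A defender can also hunt for the launch pattern in steps 1 and 2 in endpoint process-creation telemetry: a Chromium-based browser started with the `--app=` switch pointing at an external URL rather than at a sanctioned internal web app. The script below is an added example, not part of the original post and not Conceal’s product. The pipe-delimited event format, the sample events and the internal app allow list are all constructed for illustration; real telemetry would come from an EDR or Sysmon process-creation feed.

```python
import re
from urllib.parse import urlsplit

# Chromium-based browser binaries that honour the --app= switch.
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}

# Hosts legitimately run in app mode in this hypothetical estate (constructed).
ALLOWED_APP_HOSTS = {"intranet.corp.example", "tickets.corp.example"}

# Matches --app=URL or --app="URL"; --app-id= (installed PWAs) does not match.
APP_SWITCH = re.compile(r'--app=("?)(?P<url>[^"\s]+)\1', re.IGNORECASE)

# Constructed process-creation events in a simple Key=Value|Key=Value format.
SAMPLE_EVENTS = [
    'Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'
    '|ParentImage=C:\\Windows\\explorer.exe'
    '|CommandLine="chrome.exe" --app=https://account-verify.example/login',
    'Image=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'
    '|ParentImage=C:\\Windows\\explorer.exe'
    '|CommandLine="msedge.exe" --app=https://intranet.corp.example/',
    'Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'
    '|ParentImage=C:\\Windows\\explorer.exe'
    '|CommandLine="chrome.exe" https://news.example/',
    'Image=C:\\Windows\\System32\\notepad.exe'
    '|ParentImage=C:\\Windows\\explorer.exe'
    '|CommandLine=notepad.exe --app=x',
]


def parse_event(line: str) -> dict:
    """Split one pipe-delimited event into a field dict (first '=' separates key/value)."""
    fields = {}
    for part in line.strip().split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def app_mode_url(cmdline: str):
    """Return the URL passed to --app=, or None if the switch is absent."""
    m = APP_SWITCH.search(cmdline)
    return m.group("url") if m else None


def evaluate(event: dict):
    """Return a finding dict for a Chromium browser opened in app mode on a
    non-allow-listed http(s) host; None for anything else."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in CHROMIUM_BROWSERS:
        return None
    url = app_mode_url(event.get("CommandLine", ""))
    if url is None:
        return None
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None  # local/file app-mode launches are a separate hunt
    host = (parts.hostname or "").lower()
    if host in ALLOWED_APP_HOSTS:
        return None
    return {
        "image": image,
        "parent": event.get("ParentImage", ""),
        "host": host,
        "url": url,
    }


def scan(lines) -> list:
    """Run evaluate() over raw event lines and collect the findings."""
    findings = []
    for line in lines:
        finding = evaluate(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"app-mode launch of {f['host']} by {f['image']} (parent {f['parent']})")
```

Only the first constructed event produces a finding: the Edge launch targets an allow-listed internal host, the third event is an ordinary browser launch without `--app=`, and the fourth is not a browser at all. Tuning the allow list to the web apps your organization actually pins as desktop-style windows keeps the rule quiet on legitimate use.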

ConcealBrowse protects users and organizations from the types of trust abuse that are commonly responsible for successful malware and phishing attacks like this one, regardless of how creative the technique is. Want to learn more? Contact us for a demo today!

WWCD: How can ConcealBrowse stop abuse of trust?

VirusTotal recently analyzed its trove of malware and associated metadata to identify ways attackers abuse users’ trust of big digital brands. Specifically, attackers focus on co-opting trusted domains and branding materials like official logos and icons to trick users into downloading and installing malware.

The current “state of the art” in avoiding these types of attacks relies on training end users to identify non-obvious signs that trusted brands are being used maliciously, and on scanning files on the endpoint after a user has already downloaded them. We all know from experience that, regardless of how much training users receive, they far too often let down their guard when they believe they are interacting with a trusted party. Fortunately, Conceal takes over the task of distrusting everything and isolating malicious activity regardless of the user’s perception of safety. So, What Would Conceal Do to subvert these types of attacks?

Check Everything

As the VirusTotal report points out, many of these types of attacks rely not only on humans’ propensity to trust certain brands, but also on defensive systems’ propensity to trust certain domains. Fortunately, ConcealBrowse checks every URI accessed by users or loaded in the background by web apps. Even if most resources accessed via squarespace.com are trustworthy, Conceal’s decision engine identifies the specific URIs that aren’t and isolates them from the user’s machine.

When a URI is flagged as suspicious, it is opened in a container in the cloud where it can’t cause harm to the user’s system. Additionally, any files downloaded from isolated sites are first scanned in the cloud so that they can be blocked before they are ever sent to a user’s device. In these cases, even if a user or a security system trusts a domain, ConcealBrowse doesn’t.

Trust No One

While the VirusTotal report specifically discusses the use of trusted branding in file icons, we’ve also all seen phishing sites that display a trusted logo to lull victims into thinking they can safely enter their credentials. Again, where a user might be tricked into trusting the attacker, Conceal distrusts the attacker for them.

Using computer vision technology, ConcealBrowse can identify when trusted logos and branding are being misused by attackers and can block phishing sites before the user ever has the chance to compromise their information.
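The brand-versus-domain check described here and in the Instagram alert above (a page showing the Instagram and Meta logos, reached through a URL containing “Instagram”, but hosted elsewhere) can be sketched in code. The following is an added example, not Conceal’s code or its decision engine. It assumes a constructed table of legitimate domains per brand, takes the brands whose logos appear on the page as a parameter (standing in for what image recognition would produce), also treats any brand name embedded in the URL as a claim, and blocks when the host the browser would actually connect to is not owned by every claimed brand.

```python
import re
from urllib.parse import urlsplit

# Legitimate domains per brand. Constructed for the example; a real deployment
# would maintain this from each brand owner's published domain list.
BRAND_DOMAINS = {
    "instagram": {"instagram.com"},
    "facebook": {"facebook.com", "fb.com"},
    "dropbox": {"dropbox.com"},
    "github": {"github.com"},
}


def host_of(url: str) -> str:
    """Return the lower-cased host a browser would actually connect to.

    urlsplit() handles the userinfo trick ("https://www.instagram.com@203.0.113.5/"),
    ports and missing schemes, so a brand name in front of '@' does not fool us.
    """
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def on_brand_domain(host: str, brand: str) -> bool:
    """True only if host is one of the brand's domains or a subdomain of one.

    Requiring the dot boundary rejects "notinstagram.com", and a suffix check
    rejects "www.instagram.com.verify.example", whose registrable domain is
    verify.example no matter how the label sequence reads to a human.
    """
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])


def brands_claimed(url: str, displayed_logos=()) -> set:
    """Brands the page appears to belong to.

    displayed_logos stands in for logo recognition on the rendered page; brand
    names appearing as a token anywhere in the URL (host, path or query) count
    as a claim too, since lures rely on a visible "instagram" in the link.
    """
    claimed = {logo.lower() for logo in displayed_logos if logo.lower() in BRAND_DOMAINS}
    tokens = set(re.split(r"[^a-z0-9]+", url.lower()))
    claimed.update(brand for brand in BRAND_DOMAINS if brand in tokens)
    return claimed


def assess(url: str, displayed_logos=()) -> dict:
    """Block when any claimed brand does not own the host the URL points at."""
    host = host_of(url)
    claimed = brands_claimed(url, displayed_logos)
    mismatched = sorted(b for b in claimed if not on_brand_domain(host, b))
    return {
        "host": host,
        "claimed": sorted(claimed),
        "mismatched": mismatched,
        "verdict": "block" if mismatched else "allow",
    }


if __name__ == "__main__":
    # Constructed URLs; .example hosts are reserved and never resolve.
    samples = [
        ("https://www.instagram.com/accounts/login/", ()),
        ("https://www.instagram.com.verify-login.example/secure", ()),
        ("https://secure-account.example/login", ("Instagram", "Facebook")),
        ("https://www.instagram.com@203.0.113.5/login", ()),
    ]
    for url, logos in samples:
        print(assess(url, logos))
```

Of the constructed samples, only the genuine instagram.com login page is allowed; the lookalike host, the unbranded host displaying Instagram and Facebook logos, and the userinfo trick are all blocked because the connecting host is not on a claimed brand’s domain. A production version would derive the registrable domain from the public suffix list rather than from a hand-kept table, and would source the logo detections from the page render rather than a parameter.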

What Would Conceal Do (#WWCD)?

Long ago, attackers figured out how to take advantage of people’s trust biases to bypass defenses designed to protect us from the untrustworthy. Fortunately, as more and more zero trust technologies – like ConcealBrowse – provide the necessary distrust, these types of attacks will become less and less successful.

Welcome to National Cybersecurity Awareness Month!

We are thrilled to announce that we are an official champion of National Cybersecurity Awareness Month (NCSAM)! What is NCSAM, you ask? It’s only the best month of the year for the cybersecurity community! NCSAM started 19 years ago as a partnership between the National Cybersecurity Alliance (NCA) and the U.S. Department of Homeland Security (DHS). The campaign gives our industry the opportunity for government and the private sector to collaborate on addressing the importance of online security. Each year, a new theme is strategized and shared with the public. This year the theme is…

See Yourself In Cyber

With most cybersecurity news articles covering massive data breaches and hackers, it can be overwhelming, leaving you feeling powerless. Cybersecurity Awareness Month is a great reminder that there are all kinds of ways to keep your data protected, and that even the most basic cybersecurity measures can make a huge difference. Each week we will release a series of content on how you can instill one of the four healthy habits that the NCA and DHS have outlined to encourage individuals to take control of their online lives:

  1. Enable Multi-Factor Authentication
  2. Use Strong Passwords and a Password Manager
  3. Update Your Software
  4. Recognize and Report Phishing

Each behavior will be the star of the show for a week in October. This week we are starting with Multi-Factor Authentication (MFA). Foreshadowing the details to come regarding MFA, NCA found that nearly half (48%) of US/UK respondents say they have “never heard of MFA.” Since MFA is an important aspect of any identity and access management (IAM) strategy, this reality highlights the need to have a conversation surrounding IAM. The following three weeks recognize security behaviors with similar statistics.

We love the concept of NCAM. The tools and tactics discussed throughout the month are helpful not just for educating yourself but also for employees, customers, families and friends. Every weekday this month, Conceal will be providing content relevant and in line with what NCA and DHS are featuring.

We are excited to empower every individual to protect their personal data from cybercrime throughout this cybersecurity education campaign. Stay in the loop on all the great content we will be releasing by bookmarking our NCAM landing page.

WWCD: Could Conceal Have Stopped Lapsus$?

Several multinational companies have been in the news in recent months as victims of the prolific data extortion group known as Lapsus$. The most recent victims are Uber and Grand Theft Auto videogame producer Rockstar Games. However, Lapsus$ has been in the news for much of 2022 with successful attacks on Okta, Microsoft, Samsung, and others.

One of the group’s earliest high-profile attacks was against authentication management firm Okta, which many companies use to control access to all the software used by their employees. Its role in the security chain means that Okta’s security reputation is paramount to keeping the trust of its customers. Although Okta claimed it was able to contain the breach quickly, the high-profile attack meant that the company’s reputation suffered lasting damage.

Modus Operandi

So how does Lapsus$ operate? The group relies heavily on a combination of stolen credentials and social engineering to gain access to privileged accounts within a company. They then use that access to obtain sensitive data and demand a ransom to prevent the data’s release. The ransom demand is usually accompanied by a release of a sample of the data on publicly accessible channels, like Telegram, to put added pressure on the company to pay up.

The initial targets of the attacks are typically peripheral employees or contractors who may be less knowledgeable about social engineering or less inclined to stringently follow security protocols. If the group can access sufficiently valuable data from this initial access, that could be the end of the attack. Otherwise, they use this initial access as a foothold to gather targeting information for further social engineering attacks against better-placed individuals in the target company.

Could these attacks have been prevented?

Lapsus$ expertly leverages the fact that people are not perfect. Regardless of training, they can be tricked into clicking malicious links, opening malicious files, or providing multi-factor authentication tokens to third parties. The interactions between attacker and victim can happen on several channels, some of which are controlled by an organization and others that are not. There are several techniques that can be employed to prevent access escalation and limit what can be accessed once an attacker is in your network. But, ten times out of ten, it’s better to keep them from ever getting access in the first place.

How could Conceal have helped?

No single product is a cyber security panacea, but ConcealBrowse could have blocked some of Lapsus$’s credential-stealing techniques before they started. One of Lapsus$’s techniques is to steal credentials to gain their initial access, including getting users to click on malicious links that download the credential theft software to the user’s computer. The group also buys credentials from the dark web, and many times the groups selling those credentials have used the same technique.

The most common methods to prevent these attacks include training users to identify the links and not click on them. As we’ve seen, this method relies on teaching 100% of users to make the correct decision 100% of the time. ConcealBrowse eliminates this need. ConcealBrowse is the eyes, ears, and brain that protects users regardless of where they click, isolating questionable websites in a remote browser in the cloud, where any software downloads or zero-day exploits can’t affect a user’s device.

Regardless of what decision users make, ConcealBrowse keeps them safe. #WWCD

Are You Ready for Mandatory Cybersecurity Disclosure?

Here are the top 4 ways to prepare for the SEC’s recent cybersecurity proposal

Earlier this year, the SEC released a proposal for organizations addressing disclosures surrounding cybersecurity. In the 129-page proposal, the SEC proposed rules for cybersecurity risk management, strategy, governance, and incident disclosure by public companies. If adopted, these rules would be put in place as amendments to existing reporting and disclosure requirements. The goal of the proposed amendments is to better inform investors about an organization’s risk management strategy and its governance surrounding cybersecurity incidents.

Amendment Details

Mandatory cybersecurity disclosures can seem daunting for organizations. Here is the breakdown of what you need to know about the three key aspects of the proposed amendment:

Governance

The overall governance surrounding an organization’s security program is a major component of the proposed amendments. While we will get to the governance surrounding risk management and cyber incidents in a minute, from a broader perspective these proposed rules would require the transparency needed to determine whether organizations are investing in and prioritizing cybersecurity as a key business function and value. By requiring disclosure of the cybersecurity expertise on an organization’s board of directors, the rules let investors draw conclusions about the priority the organization gives to cybersecurity. Understanding the board-level experience provides awareness of the board’s ability to provide guidance and insight to the CIO, CISO and other cybersecurity stakeholders.

Risk Management

Identifying and managing cybersecurity risk is currently not a required disclosure for organizations. Without an understanding of an organization’s approach to risk management, such as the policies and procedures for identification and management, investors are unable to use cyber risk management as a data point when deciding whether to invest in a company. For organizations that have a strong policy and procedure for cybersecurity risk management, this reporting requirement would add substantial value to a potential investor. For those that don’t, if the proposed amendment is approved, there will be significant benefit to investing in the improvement of the cyber risk management program.

Cybersecurity Incidents

With the proposed amendment, organizations would be required to report material cybersecurity incidents as well as provide updates on previously reported cybersecurity incidents. While the reporting of a cybersecurity incident brings risk to reputation, stock, public opinion and more, the way an organization handles the disclosure and overall response can also improve reputational opinions and business outlook. Nowadays, cyber incidents are likely to hit the media with or without the organization’s intent to publicly disclose the event. As a result, this portion of the proposed amendments does not have to be a daunting task, just something organizations can invest in as a proactive security task so that they are confident in their disclosure strategy when they do fall victim.

How to Prepare

  • Assess Organization’s Current Priority of Cybersecurity
    At the end of the day, the purpose of the recommended disclosures is to give investors an understanding of where cybersecurity falls on an organization’s priority list. Looking at an organization’s board to see where cybersecurity experience sits, or where there is an opportunity to invest, is an effortless way to prepare for the proposed amendments. Additionally, the investment will provide value beyond meeting a requirement, giving the organization the upper hand in improving overall cyber resiliency.
  • Assess Current Risk Management Approach
    What policies and procedures are currently in place to guide the cyber risk management workstream? Being able to quantifiably show the risk management approach’s success and continuous improvement will be a key advantage in getting investors on board, and also in minimizing cybersecurity risk across the enterprise. Showing the investments made to minimize risk, such as investing in proactive products, will signal the dedication and priority given to cybersecurity in an organization.
  • Assess Current Incident Response Program
    Primarily, organizations must have the mindset that it is not a matter of if but when their organization will fall victim to a cyber-attack. Once this mindset is understood, organizations can invest in a proactive incident response program to best prepare themselves to respond to a crisis. Drafting their overall response plan, playbooks for certain incidents, and disclosure statements will minimize the inevitable stress and workload that comes with crisis management. Being ahead of the disclosures required by the proposal will ensure your organization is able to handle its public disclosure and overall response strategy tastefully and in the best interest of the organization.
  • Ensure a Level of Assurance
    The ability to quantify the overall success of an organization’s cybersecurity strategy, specifically as it relates to risk management, incident response, and overall governance, will be key for the SEC’s proposal. Investing in solutions that can provide a level of assurance to risk management will speak even louder to investors than a document with a written policy or procedure.

Here at Conceal, we can provide a level of assurance to both incident response and risk management. By undertaking activities to prevent, detect and minimize the effects of a web-borne cybersecurity incident, we lower an organization’s overall cybersecurity risk while also maximizing the value and success of an organization’s incident response when it does fall victim. Our product’s ability to minimize the effect of an incident keeps the resulting disclosure and public backlash to a minimum. Find out how ConcealBrowse, ConcealSearch, and ConcealCloud can each provide unique value in meeting the SEC’s proposed amendments by scheduling a demo today.