30,000 websites at risk: Check yours ASAP! (800 Million Ostriches Can’t Be Wrong.)
The post WordPress Plugin Supply Chain Attack Gets Worse appeared first on Security Boulevard.
A report from the Government Accountability Office (GAO) highlighted an urgent need to address critical cybersecurity challenges facing the nation.
The post GAO Urges Action to Address Critical Cybersecurity Challenges Facing U.S. appeared first on Security Boulevard.
In the first quarter of 2024, nearly half of all security incidents our team responded to involved multi-factor authentication (MFA) issues, according to the latest Cisco Talos report.
The post Misconfigured MFA Increasingly Targeted by Cybercriminals appeared first on Security Boulevard.
Red Teaming security assessments aim to demonstrate to clients how attackers in the real world might link together various exploits and attack methods to reach their objectives.
The post Stepping Into the Attacker’s Shoes: The Strategic Power of Red Teaming (Insights from the Field) appeared first on Security Boulevard.
By introducing a mobile device management (MDM) platform into the existing infrastructure, administrators gain the ability to restrict sideloading on managed devices.
The post EU Opens the App Store Gates: A Call to Arms for MDM Implementation appeared first on Security Boulevard.
Snowflakes has become the latest corporate victim in a cyberattack but how it is playing out is a little different than many breaches.
The post Snowflake Breach appeared first on Security Boulevard.
The LockBit ransomware group is claiming that it hacked into systems at the U.S. Federal Reserve and stole 33TB of data that it will begin leaking as early as Tuesday if the institution doesn’t pay the unspecified ransom. The notorious cybercriminals announced the attack on its dark web leak site on June 23, giving the..
The post LockBit Claims Ransomware Attack on U.S. Federal Reserve appeared first on Security Boulevard.
Security analysts at Google are developing a framework that they hope will enable large language models (LLMs) to eventually be able to run automated vulnerability research, particularly analyses of malware variants. The analysts with Google’s Project Zero – a group founded a decade ago whose job it is to find zero-day vulnerabilities – have been..
The post Google’s Project Naptime Aims for AI-Based Vulnerability Research appeared first on Security Boulevard.
Copying users’ files and deleting some? Even a cartoon hound knows this isn’t fine.
The post Microsoft Privacy FAIL: Windows 11 Silently Backs Up to OneDrive appeared first on Security Boulevard.
Effective April 30, 2024 Airbnb, the global vacation rental giant, announced a significant policy change: the prohibition of all indoor security cameras in its listings worldwide. This decision, aims to bolster the privacy of guests and address longstanding concerns about hidden cameras. While the majority of Airbnb’s over 7 million listings did not report having […]
The post Airbnb’s Ban on Indoor Security Cameras: What It Means for Your Personal Cybersecurity appeared first on BlackCloak | Protect Your Digital Life™.
The post Airbnb’s Ban on Indoor Security Cameras: What It Means for Your Personal Cybersecurity appeared first on Security Boulevard.
Multiple bad actors are using the Rafel RAT malware in about 120 campaigns aimed at compromising Android devices and launching a broad array of attacks that range from stealing data and deleting files to espionage and ransomware. Rafel RAT is an open-source remote administration tool that is spread through phishing campaigns aimed at convincing targets..
The post Rafel RAT Used in 120 Campaigns Targeting Android Device Users appeared first on Security Boulevard.
Source: X[/caption]
In this episode of the Shared Security Podcast, the team debates the Surgeon General’s recent call for social media warning labels and explores the pros and cons. Scott discusses whether passwords should be stored in web browsers, potentially sparking strong opinions. The hosts also provide an update on Microsoft’s delayed release of CoPilot Plus PCs […]
The post Social Media Warning Labels, Should You Store Passwords in Your Web Browser? appeared first on Shared Security Podcast.
The post Social Media Warning Labels, Should You Store Passwords in Your Web Browser? appeared first on Security Boulevard.
Long simmering suspicions about the loyalty of Kaspersky Software, a cybersecurity firm headquartered in Russia, came to a head this week after the U.S. government banned the sale of the company’s software, effective July 20th, to both companies and individual consumers. In addition, the U.S. Treasury Department has placed sanctions on 12 senior leaders of..
The post U.S. Bans Sale of Kaspersky Cybersecurity Software appeared first on Security Boulevard.
Recently, we hosted Ross Randall, Director of Technology at Lamar County School District in Georgia, and Tim Miles, Director of Technology at Steamboat Springs School District in Colorado, for a summer-inspired live webinar focused on fortifying your district’s multilayered cybersecurity strategy. From beach balls to firewalls, Ross and Tim generously shared their practical insights, […]
The post Ross Randall’s 3 Essential Tips to Strengthening Your District’s Multilayered Cybersecurity appeared first on ManagedMethods.
The post Ross Randall’s 3 Essential Tips to Strengthening Your District’s Multilayered Cybersecurity appeared first on Security Boulevard.
Spend more on security! Car and truck dealers fall back on pen and paper as huge SaaS provider gets hacked (again).
The post 30,000 Dealerships Down — ‘Ransomware’ Outage Outrage no. 2 at CDK Global appeared first on Security Boulevard.
As per recent reports, cybersecurity experts uncovered a troubling development on the Python Package Index (PyPI) – a platform used widely by developers to find and distribute Python packages. A malicious package named ‘crytic-compilers‘ was discovered, mimicking the legitimate ‘crytic-compile’ library developed by Trail of Bits. This fraudulent package was designed with sinister intent: to […]
The post Python Developers Targeted Via Fake Crytic-Compilers Package appeared first on TuxCare.
The post Python Developers Targeted Via Fake Crytic-Compilers Package appeared first on Security Boulevard.
Modern chief information security officers (CISOs) are navigating tough circumstances due to complex challenges and heightened regulatory pressures.
The post It’s a Hard Time to Be a CISO. Transformational Leadership is More Important Than Ever. appeared first on Security Boulevard.
An analysis of ransomware attacks claimed to have been perpetrated by cybercriminal syndicates that was published today by NCC Group, a provider of managed security services, finds LockBit 3.0 has reemerged to claim the top spot amongst the most prominent threat actors. Previously dormant following the groups’ takedown by law enforcement officials earlier this year,..
The post Report Details Reemergence of Lockbit 3.0 Ransomware Syndicate appeared first on Security Boulevard.
Ongoing European Union quest to break end-to-end encryption (E2EE) mysteriously disappears.
The post EU Aims to Ban Math — ‘Chat Control 2.0’ Law is Paused but not Stopped appeared first on Security Boulevard.
Cato Networks today launched a framework for IT services partners that promises to make it simple to integrate its secure access service edge (SASE) service with third-party services.
The post Cato Networks Launches SASE Platform for Partners appeared first on Security Boulevard.
CHOROLOGY.ai today emerged from stealth to apply generative artificial intelligence (AI) to data governance.
The post CHOROLOGY Emerges to Apply Generative AI to Data Governance appeared first on Security Boulevard.
Source: www.databreachtoday.com – Author: 1 Governance & Risk Management , Government , Industry Specific New Report Says DOD Is Lagging in Procuring New Tech Amid Cybersecurity Failures Chris Riotta (@chrisriotta) • June 19, 2024 A lack of cybersecurity and software talent is slowing down the development of advanced weapons, says the Government Accountability […]
La entrada Pentagon Cybersecurity, Workforce Woes Threaten Tech Rollout – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.
While many businesses invest heavily in frontline defense tools to keep out bad actors, they spend far less time and money preparing for what happens when the criminals eventually get in.
The post Closing the Readiness Gap: How to Ensure a Fast Recovery From the Inevitable Cyber Attack appeared first on Security Boulevard.
Source: blog.eclecticiq.com[/caption]
ONNX Store offers a variety of powerful phishing tools designed to support cybercriminals, including custom phishing pages, webmail servers, 2FA cookie stealers, and "fully undetectable" referral services that use trusted domains to direct victims to phishing landing pages.
Researchers from EclecticIQ have noticed that threat actors using the ONNX Store phishing kit tend to distribute PDF files as attachments in phishing emails. Impersonating a reputable service, these documents contain a QR code that directs victims to malicious phishing landing pages. This tactic, known as "quishing," takes advantage of the lack of detection or prevention present on employee's personal mobile devices, which are usually left unprotected. The lack of protection on mobile devices also makes it challenging to monitor these threats.
The phishing landing pages aim to steal sensitive credentials using the Adversary-in-The-Middle (AiTM) method, which allows for real-time capture and transmission of stolen data without the need for frequent HTTP requests. This makes the phishing operation more efficient and harder to detect.
The ONNX Store Phishing Kit uses encrypted JavaScript code that decrypts itself upon page load and includes a basic anti-JavaScript debugger. This adds a layer of protection against phishing scanners and complicates detection. The decrypted JavaScript code then collects the victims' network metadata, including details such as browser name, IP address, and location.
The decrypted JavaScript code is designed to steal 2FA tokens entered by the victims. This allows attackers to bypass typical 2FA protection and gain unauthorized access to the victim's account before it expires.
Researchers identified similarities in domain registrant and SSL issuer across various infrastructures deployed by the ONNX Store phishing kit. These similarities indicated the use of bulletproof hosting services to host the campaign.
Source: blog.eclecticiq.com[/caption]
The rebranding of the platform appears to be focused on improving operational security for malicious actors. The ONNX Store service enables threat actors to control operations through Telegram bots with an additional support channel to assist clients rather than a single web server. This shift in infrastructure and management makes it more challenging to take down the platform's phishing domains.
To further increase its resilience, ONNX Store uses Cloudflare services to delay the removal process of its phishing domains. This abuse of Cloudflare's CAPTCHA feature and IP proxy helps attackers avoid detection through the use of phishing web crawlers and URL sandboxes. This practice also hides the original host and makes it more difficult to take down phishing domains.
Advertised with slogans like "Anything is allowed" and "Ignore all reports of abuse", these services are designed to support a wide range of illegal activities without the risk of being blocked, creating a safe haven for cybercriminals.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.IRONSCALES has made generally available a phishing simulation tool that makes use of generative artificial intelligence (AI) to enable cybersecurity teams to create as many as 2,000 simulations of a spear phishing attack in less than an hour.
The post IRONSCALES Applies Generative AI to Phishing Simulation appeared first on Security Boulevard.
A distributed workforce allows us to secure a globally connected world. It widens our talent pool, accelerates innovation, and increases our 24/7 vigilance
The post The Distributed Workforce: Why Flexibility and Trust are Essential in Cybersecurity appeared first on Security Boulevard.
The constant vigilance required to protect against evolving threats, and the sheer volume of routine tasks that demand attention contribute significantly to burnout.
The post Cybersecurity Worker Burnout Costing Businesses Big appeared first on Security Boulevard.
The variety of tactics, from fake lotteries to impersonating officials, demonstrates the broad scope of threats targeting the Paris 2024 Olympic Games.
The post Cybercrime Targeting Paris 2024 Olympic Games Gains Steam appeared first on Security Boulevard.
The problems with passwords drive the interest to adopt newer authentication methods, like passkeys, a type of passwordless technology.
The post Criminals are Easily Bypassing Passkeys – How Organizations Can Stay Safe appeared first on Security Boulevard.
The future of modeling catastrophic cyber risk hinges on our ability to move beyond misconceptions and confront the true extent of our exposure.
The post Debunking Common Myths About Catastrophic Cyber Incidents appeared first on Security Boulevard.
Source:archive.org[/caption]
The next day, Singh told Ceraolo in an online chat that he shouldn’t have accessed the portal and was “no gov official.” Ceraolo then shared the stolen login credentials with others in the ViLe hacking group.
Shortly after, Singh used the database to obtain personal information on an individual. He messaged the victim, referred to in court documents as Victim-1, threatening to harm their family if they did not provide login credentials to their Instagram accounts.
To prove he had access to sensitive information, Singh included Victim-1’s Social Security number, driver’s license number and home address. He told Victim-1 that through the database portal, “i can request information on anyone in the US doesn’t matter who, nobody is safe.” Singh instructed Victim-1 to sell access to the Instagram accounts and give him the money. His messages implied he would use the information to harm Victim-1’s parents if demands were not met.
[caption id="attachment_77699" align="alignnone" width="2186"] Source: dea.gov[/caption]
While the court documents focus on the case of Victim-1, the duo also threatened other individuals whose information they had access to for financial gains. According to an earlier report from Vice, the portal that was used by the duo is the EPIC(El Paso Intelligence Center) Portal.
Donald Trump’s presidential campaign is known for aggressively trying to raise money, even sending emails to donors hoping to cash in on setbacks like his conviction late last month on 34 felony counts for illegally influencing the 2016 campaign. Bad actors now are trying to do the same, running donation scams by impersonating the campaign..
The post Cybercriminals Target Trump Supporters with Donation Scams appeared first on Security Boulevard.
IT pros understand that not all open-source products are created equal. Some of the most beloved tools for business and personal computing, including Firefox, WordPress, and Apache, are the result of successful, long-term open-source (OS) projects. However, when it comes to protecting your organization against information security threats, how do available OS options objectively stack up?
The post Is Open Source File Integrity Monitoring Too Risky? appeared first on Security Boulevard.
A global survey of more than 1,033 security and IT leaders published today finds nearly two-thirds (65%) lack confidence that their existing security tooling cannot effectively detect breaches.
The post Survey Surfaces Lack of Confidence in Security Tools appeared first on Security Boulevard.
Or junk it if EOL: Two nasty vulnerabilities need an update—pronto.
The post ASUS Router User? Patch ASAP! appeared first on Security Boulevard.
Threat Actors Use Obscure or Self-Made Link Shortener Services for Credential Harvesting Earlier this month our expert takedown team responded to a bad actor that used link shortener services to obfuscate a link to a phishing page that impersonated one of our financial institution customers. The destination was a sign-in webpage presenting malicious content including […]
The post Threat Actors Use Obscure or Self-Made Link Shortener Services for Credential Harvesting first appeared on alluresecurity.
The post Threat Actors Use Obscure or Self-Made Link Shortener Services for Credential Harvesting appeared first on Security Boulevard.
You could have a solid pretext that slips right by your target secure email gateway (SEG); however, if your link looks too sketchy (or, you know, “smells phishy”), your phish could go belly-up before it even gets a bite. That’s why I tend to think of link filters as their own separate control. Let’s talk briefly about how these link filters work and then explore some ways we might be able to bypass them.
Over the past few years, I’ve noticed a growing interest in detecting phishing based on the links themselves–or, at least, there are several very popular SEGs that place a very high weight on the presence of a link in an email. I’ve seen so much of this that I have made this type of detection one of my first troubleshooting steps when a SEG blocks me. I’ll simply remove all links from an email and check if the message content gets through.
In at least one case, I encountered a SEG that blocked ANY email that contained a link to ANY unrecognized domain, no matter what the wording or subject line said. In this case, I believe my client was curating a list of allowed domains and instructed the SEG to block everything else. It’s an extreme measure, but I think it is a very valid concern. Emails with links are inherently riskier than emails that do not contain links; therefore, most modern SEGs will increase the SPAM score of any message that contains a link and often will apply additional scrutiny to the links themselves.
If a SEG filters links in an email, it will first need to detect/parse each link in the content. To do this, almost any experienced software engineer will directly go to using Regular Expressions (“regex” for short):
To which, any other experienced software engineer will be quick to remind us that while regex is extremely powerful, it is also easy to screw up:
As an example, here are just a few of the top regex filters I found for parsing links on stackoverflow:
(http|ftp|https):\/\/([\w_-]+(?:(?:\.[\w_-]+)+))([\w.,@?^=%&:\/~+#-]*[\w@?^=%&\/~+#-])
(?:(?:https?|ftp|file):\/\/|www\.|ftp\.)(?:\([-A-Z0–9+&@#\/%=~_|$?!:,.]*\)|[-A-Z0–9+&@#\/%=~_|$?!:,.])*(?:\([-A-Z0–9+&@#\/%=~_|$?!:,.]*\)|[A-Z0–9+&@#\/%=~_|$])
(?:(?:https?|ftp):\/\/)?[\w/\-?=%.]+\.[\w/\-&?=%.]+
([\w+]+\:\/\/)?([\w\d-]+\.)*[\w-]+[\.\:]\w+([\/\?\=\&\#\.]?[\w-]+)*\/?
(?i)\b((?:[a-z][\w-]+:(?:/{1,3}|[a-z0–9%])|www\d{0,3}[.]|[a-z0–9.\-]+[.][a-z]{2,4}/)(?:[^\s()<>]+|\(([^\s()<>]+|(\([^\s()<>]+\)))*\))+(?:\(([^\s()<>]+|(\([^\s()<>]+\)))*\)|[^\s`!()\[\]{};:’”.,<>?«»“”‘’]))
Don’t worry if you don’t know what any of these mean. I consider myself to be well versed in regex and even I have no opinion on which of these options would be better than the others. However, there are a couple things I would like to note from these examples:
These are also some of the most popular (think “smart people”) answers to this problem of parsing links. I could also imagine that some software engineers would take a more naive approach of searching for all anchor (“<a>”) HTML tags or looking for “href=” to indicate the start of a link. No matter which solution the software engineer chooses, there are likely going to be at least some valid URLs that their parser doesn’t catch and might leave room for a categorical bypass. We might also be able to evade parsers if we can avoid the common indicators like “http” or break up our link into multiple sections.
Side Note: Did you see that some of these popular URL parsers account for FTP and some don’t? Did you know that most browsers can connect to FTP shares? Have you ever tried to deliver a phishing payload over an anonymous FTP link?
Once a SEG has parsed out all the links in an email, how should it determine which ones look legitimate and which ones don’t? Most SEGs these days look at two major factors for each link:
Checking the domain reputation is pretty straightforward; you just split the link to see what’s between the first two forward slashes (“//”) and the next forward slash (“/”) and look up the resulting domain or subdomain on Virustotal or similar. Many SEGs will share intelligence on known bad domains with other security products and vice versa. If your domain has been flagged as malicious, the SEG will either block the email or remove the link.
As far as checking how the link “looks”, most SEGs these days use artificial intelligence or machine learning (i.e., AI/ML) to categorize links as malicious or benign. These AI models have been trained on a large volume of known-bad links and can detect themes and patterns commonly used by SPAM authors. As phishers, I think it’s important for us to focus on the “known-bad” part of that statement.
I’ve seen one researcher’s talk who claimed their AI model was able to detect over 98% of malicious links from their training data. At first glance, this seems like a very impressive number; however, we need to keep in mind that in order to have a training set of malicious links in the first place, humans had to detect 100% of the training set as malicious. Therefore, the AI model was only 98% as good as a human at detecting phishing links solely on the “look” of the link. I would imagine that it would do much worse on a set of unknown-bad links, if there was a way to hypothetically attain such a set. To slip through the cracks, we should aim to put our links in that unknown-bad category.
Even though we are up against AI models, I like to remind myself that these models can only be trained on human-curated data and therefore can only theoretically approach the competence of a human, but not surpass humans at this task. If we can make our links look convincing enough for a human, the AI should not give us any trouble.
Given what we now know about how link filters work, we should have two main tactics available to us for bypassing the filter:
If the parser doesn’t register our link as a link, then it can’t apply any additional scrutiny to the location. If we can make our link location look like some legitimate link, then even if we can’t bypass the parser, we might get the green light anyway. Please note that these approaches are not mutually exclusive and you might have greater success mixing techniques.
One of the most basic parser bypasses I have found for some SEGs is to simply leave the link URL in plaintext by removing the hyperlink in Outlook. Normally, link URLs are placed in the “hypertext reference” (href) attribute of an HTML anchor tag (<a>). As I mentioned earlier, one naive but surprisingly common solution for parsing links is to use an HTML parsing library like BeautifulSoup in Python. For example:
soup = BeautifulSoup(email.content, 'html.parser')
links = soup.find_all("a") # Find all elements with the tag <a>
for link in links:
print("Link:", link.get("href"), "Text:", link.string)
Any SEG that uses this approach to parse links won’t see a URL outside of an anchor tag. While a URL that is not a clickable link might look a little odd to the end user, it’s generally worth the tradeoff when this bypass works. In many cases, mail clients will parse and display URLs as hyperlinks even if they are not in an anchor tag; therefore, there is usually little to no downside of using this technique.
One interesting method of bypassing some link filters is to use a little-known HTML tag called “base”. This tag allows you to set the base domain for any links that use relative references (i.e., links with hrefs that start with “/something” instead of direct references like “https://example.com/something”). In this case, the “https://example.com” would be considered the “base” of the URL. By defining the base using the HTML base tag in the header of the HTML content, you can then use just relative references in the body of the message. While HTML headers frequently contain URLs for things like CSS or XML schemas, the header is usually not expected to contain anything malicious and may be overlooked by a link parser. This technique is known as the “BaseStriker” attack and has been known to work against some very popular SEGs:
The reason why this technique works is because you essentially break your link into two pieces: the domain is in the HTML headers, and the rest of the URL is in your anchor tags in the body. Because the hrefs for the anchor tags don’t start with “https://” they aren’t detected as links.
The first part of a URL, before the colon and forward slashes, is what’s known as the “scheme”:
URI = scheme ":" ["//" authority] path ["?" query] ["#" fragment]
As mentioned earlier, some of the more robust ways to detect URLs is by looking for anything that looks like a scheme (e.g. “http://”, or “https://”), followed by a sequence of characters that would be allowed in a URL. If we simply leave off the scheme, many link parsers will not be able to detect our URL, but it will still look like a URL to a human:
accounts.goooogle.com/login?id=34567
A human might easily be convinced to simply copy and paste this link into their browser for us. In addition, there are quite a few legitimate schemes that could open a program on our target user’s system and potentially slip through a URL parser that is only looking for web links:
https://en.wikipedia.org/wiki/List_of_URI_schemes
There are at least a few that could be very useful as phishing links ;)
What if there isn’t a link in the email at all? What if it’s an image instead? You can use a tool like SquarePhish to automate phishing with QR codes instead of traditional links:
GitHub - secureworks/squarephish
I haven’t played with this yet, but have heard good things from friends that have used similar techniques. If you want to play with automating this attack yourself, NodeJS has a simple library for generating QRs:
(Hold on. I need to get on my soapbox…) I can’t count how many times I’ve been blocked because of a masked link only to find that unmasking the link would get the same pretext through. I think this is because spammers have thoroughly abused this feature of anchor tags in the past and average email users seldom use masked links. Link filters tend to see masked links as far more dangerous than regular links; therefore, just use a regular link. It seems like everyone these days knows how to hover a link and check its real location anyway, so masked links are even bad at tricking humans now. Don’t be cliche. Don’t use masked links.
Many link filters block or remove links to domains that are either uncategorized, categorized as malicious, or were recently registered. Therefore, it’s generally a good idea to use domains that have been parked long enough to be categorized. We’ve already touched on this in “One Phish Two Phish, Red Teams Spew Phish”, so I’ll skip the process of getting a good domain; however, just know that the same rules apply here.
If you don’t want to go through all the trouble of maintaining categorized domains for phishing links, there are some generally trustworthy domains you can leverage instead. One example I recently saw “in-the-wild” was a spammer using a sites.google.com link. They just hosted their phishing page on Google! I thought this was brilliant because I would expect most link filters to allow Google, and even most end users would think anything on google.com must be legit. Some other similar examples would be hosting your phishing sites as static pages on GitHub, in an S3 bucket, other common content delivery networks (CDNs), or on SharePoint, etc. There are tons of seemingly “legitimate” sites that allow users to host pages of arbitrary HTML content.
Along the same lines as hosting your phishing site on a trusted domain is using trusted domains to redirect to your phishing site. One classic example of this would be link shorteners like TinyURL. While TinyURL has been abused for SPAM to the point that I would expect most SEGs to block TinyURL links, it does demonstrate the usefulness of arbitrary redirects.
A more useful form of arbitrary redirect for bypassing link filters are URLs with either cross-site scripting (XSS) vulnerabilities that allow us to specify a ‘window.location’ change or URLs that take an HTTP GET parameter specifying where the page should redirect to. As part of my reconnaissance phase, I like to spend at least a few minutes on the main website of my target to look for these types of vulnerabilities. These vulnerabilities are surprisingly common and while an arbitrary redirect might be considered a low-risk finding on a web application penetration test report, they can be extremely useful when combined with phishing. Your links will point to a URL on your target organization’s main website. It is extremely unlikely that a link filter or even a human will see the danger. In some cases, you may find that your target organization has configured an explicit allow list in the SEG for links that point to their domains.
Did you know that links in an email can also point to an email attachment? Instead of providing a URL in the href of your anchor tag, you can specify the content identifier (CID) of the attachment (e.g. href=“cid:mycontentidentifier@content.net”). One way I have used this trick to bypass link filters is to link to an HTML attachment and use obfuscated JavaScript to redirect the user to the phishing site. Because our href does not look like a URL, most SEGs will think our link is benign. You could also link to a PDF, DOCX, or several other usually allowed file types that then contain the real phishing link. This might require a little more setup in your pretext to instruct the user, or just hope that they will click the link after opening the document. In this case, I think it makes the most sense to add any additional instructions inside the document where the contents are less likely to be scrutinized by the SEG’s content filter.
This blog rounds out our “message inbound” controls that we have to bypass for social engineering pretexts. It would not be complete without mentioning one of the simplest bypasses of them all:
Not using email!
If you pick up the phone and talk directly to your target, your pretext travels from your mouth, through the phone, then directly into their ear, and hits their brain without ever passing through a content or reputation filter.
Along the same lines, Zoom calls, Teams chats, LinkedIn messaging, and just about any other common business communication channel will likely be subject to far fewer controls than email. I’ve trained quite a few red teamers who prefer phone calls over emails because it greatly simplifies their workflow. Just a few awkward calls is usually all it takes to cede access to a target environment.
More interactive forms of communication, like phone calls, also allow you to gauge how the target is feeling about your pretext in real time. It’s usually obvious within seconds whether someone believes you and wants to help or if they think you’re full of it and it’s time to cut your losses, hang up the phone, and try someone else. You can also use phone calls as a way to prime a target for a follow-up email to add perceived legitimacy. Getting our message to the user is half the battle, and social engineering phone calls can be a powerful shortcut.
If you need to bypass a link filter, either:
People still use links in emails all the time. You just need to blend in with the “real” ones and you can trick the filter. If you are really in a pinch, just call your targets instead. It feels more personal, but it gets the job done quickly.
Feeding the Phishes was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.
The post Feeding the Phishes appeared first on Security Boulevard.
By centralizing, enriching and correlating identities to events, the suggestion is that security and platform teams can break silos and readily share findings to expedite investigations.
The post Sysdig Bids to Bolster Brittle Cloud Infrastructure Layers appeared first on Security Boulevard.
Reading Time: 11 min Cybersecurity remains a top concern for most industries, including logistics. Learn five ways to protect your logistics company's cybersecurity.
The post Top 5 Ways To Protect Your Logistics Company From Fraud appeared first on Security Boulevard.
Cybercriminals are not about to give up – this is how they make their living. So it’s up to cybersecurity professionals to stay vigilant and learn as much as they can about the forces they face.
The post Are We Turning the Corner in the Fight Against Cybercrime? It’s Complicated. appeared first on Security Boulevard.
Runtime enforcement is the future of software security, if we can only make it accessible to the developers that understand their applications the best.
The post Runtime Enforcement: Software Security After the Supply Chain Ends appeared first on Security Boulevard.
Traditional vulnerability scanning tools are enhanced with NodeZero's autonomous penetration testing, revolutionizing Vulnerability Management by providing comprehensive risk assessment, exploitability analysis, and cross-host vulnerability chaining, empowering organizations to prioritize and mitigate security weaknesses strategically.
The post Enhancing Vulnerability Management: Integrating Autonomous Penetration Testing appeared first on Horizon3.ai.
The post Enhancing Vulnerability Management: Integrating Autonomous Penetration Testing appeared first on Security Boulevard.
Login