FBI warns of imposter ads in search results

The FBI has issued a public notice which includes advice to block adverts. Why? Let’s take a look.

The bogus advert tightrope

It’s no secret that rogue ads have been a particular plague on the Internet for as far back as we can remember. From irritating pop ups and spinning “You’ve won a prize” banners to adverts pushing malicious redirects and malvertising, you never quite know what’s waiting in your browser when the page you request loads up.

The FBI warning concerns fake ads impersonating the real thing and diverting potential victims off to parts unknown.

…cyber criminals are using search engine advertisement services to impersonate brands and direct users to malicious sites that host ransomware and steal login credentials and other financial information.

The ads are regular search engine advertisements that typically sit at the top of your Google or Bing searches. (Depending on the search engine used, ads are indicated by the word “Sponsored” or “Ad”.) The ads the FBI is warning about are paid for by criminals and mimic real brands by using similar domain names and linking to legitimate-looking web pages that are “identical to the impersonated business’s official webpage.”

Frustratingly, the FBI’s release is quite light on details but it does provide some suggestions for avoiding these scams.

Suggestions for avoiding these rogue ads

The FBI advice for people generally:

  • Before clicking on an advertisement, check the URL to make sure the site is authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
  • Rather than search for a business or financial institution, type the business’s URL into an Internet browser’s address bar to access the official website directly.
  • Use an ad blocking extension when performing Internet searches. Most internet browsers allow a user to add extensions, including extensions that block advertisements. These ad blockers can be turned on and off within a browser to permit advertisements on certain websites while blocking advertisements on others.

The FBI advice for business:

  • Use domain protection services to notify businesses when similar domains are registered to prevent domain spoofing.
  • Educate users about spoofed websites and the importance of confirming destination URLs are correct.
  • Educate users about where to find legitimate downloads for programs provided by the business.

A step too far, or the inevitable conclusion of bad ads out of control?

The really fascinating part here is the suggestion to block adverts. This isn’t something I recall seeing from law enforcement before, even if there is a light reference to enabling and disabling ads on “certain websites”. As noted by Techspot, blocking ads remains a controversial subject in some quarters. It’s likely that many sites you use rely on advertising cash to keep the lights on, with others moving into subscription, paywall, and additional features models instead.

Some folks and organisations use dedicated ad blocker extensions via their browser, or prefer the options found in script blocking apps. Others rely on security tools to block ads or detect and neutralise exploits and malvertising.

Whatever your approach and opinion of paid advertising online, the problem of bad ads cluttering up sponsored search results will be around for a long time to come. While the FBI release may give some folks the impression that fake adverts in search listings is a new threat, it’s been around forever. Even so, criminals know that it works and often gets results.

If you’re shopping around, or looking for financial advice and services, you could do worse than be very cautious around those paid results at the top of your page. A few minutes of hesitation could help you avoid a few hours of calling up customer support.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Update VPN Plus Server now! Synology patches vulnerability with a CVSS of 10

Synology has issued an advisory about a vulnerability that allows remote attackers to execute arbitrary commands through a susceptible version of Synology VPN Plus Server.

VPN Plus Server

VPN Plus Server allows users to turn their Synology Router into a Virtual Private Network (VPN) server.

A VPN uses encryption to create a secure connection over a public network, such as the Internet. Consumer VPNs create a secure tunnel between a user and their VPN provider, so they can hide their browsing habits from their ISP and use their VPN provider’s IP address to connect to the Internet. Business VPNs create a tunnel between a user and the organization they work for, so they can access business information securely over the Internet.

The Synology VPN Plus Server is a business VPN that allows users to easily access and control client desktops within a network behind a Synology Router, from anywhere, as long as they have Internet access, without needing any client software.

Vulnerability

The Common Vulnerabilities and Exposures (CVE) database is a list of publicly disclosed computer security flaws. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The vulnerability in VPN Plus Server is listed as CVE-2022-43931.

The vulnerability is described as an out-of-bounds write vulnerability in Remote Desktop Functionality in Synology VPN Plus Server before 1.4.3-0534 and 1.4.4-0635 which allows remote attackers to execute arbitrary commands via unspecified vectors. The CVSS score of the critical vulnerability is rated at 10 (out of 10).

An out-of-bounds write or read vulnerability makes it possible to read or manipulate parts of memory that are allocated to more critical functions. This could allow an attacker to place code in a part of memory where it will be executed with permissions that the program and user should not have.

The vulnerability was discovered internally by the Synology Product Security Incident Response Team (PSIRT). However, just because the problem wasn’t discovered by criminals, that doesn’t mean they won’t use it. Sometimes patches are reverse engineered by threat actors so they can understand what’s been fixed, create an exploit for it, and use it against unpatched systems.

The affected products are VPN Plus Server for SRM 1.3 which needs to be upgraded to 1.4.4-0635 or above, and VPN Plus Server for SRM 1.2 which needs to be upgraded to 1.4.3-0534 or above.

To upgrade VPN Plus Server, go to Package Center, stop the VPN Plus Server service and install the latest version via Package Center.

As a workaround, you can disable the Remote Desktop feature. To do so, click Synology VPN in the left panel of the management interface, go to Remote Desktop, and untick Enable Remote Desktop.



LastPass updates security notice with information about a recent incident

The password management company LastPass notified customers in late December about a recent security incident. The notice was posted as an update to the security incident previously reported in August 2022, which was also updated and covered on November 30, 2022.

According to LastPass, an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the August incident. Some of the stolen source code and technical information were used to target another LastPass employee, which allowed the threat actor to obtain credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.

Actions for customers

LastPass states that users who followed their best password practices have nothing to worry about. LastPass’ default master password settings and best practices include the following:

  • Since 2018, a twelve-character minimum for master passwords is required.
  • LastPass utilizes a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), a password-strengthening algorithm that makes it difficult to guess your master password. You can check the current number of PBKDF2 iterations for your LastPass account here.
  • It is recommended that you never reuse your master password on other websites. This is always true, but for a master password, reuse completely defeats the security advantage of using a password manager. In case of a leaked or stolen password, threat actors can use credential stuffing techniques to unlock other accounts.

According to LastPass, if you followed these guidelines, it would take millions of years to guess your master password using generally-available password-cracking technology.
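As an added illustration (not LastPass’s own code), the PBKDF2 stretching described above at the notice’s iteration count, together with a rough cost model showing how iteration count and password length multiply an attacker’s work, and a check for the two policy points in the list. The use of HMAC-SHA256, the e-mail address as salt, the 32-byte key length and the guess rate are assumptions made for this example.

```python
"""PBKDF2 master-password stretching and a rough brute-force cost model.

Added illustration, not LastPass's code. The 100,100 iteration count and
the 12-character minimum come from the notice; the use of HMAC-SHA256,
the e-mail address as salt, the 32-byte key length and the guess rate
are assumptions made for this example."""
import hashlib
import string

DEFAULT_ITERATIONS = 100_100    # from the LastPass notice
MIN_MASTER_LENGTH = 12          # required since 2018 (from the notice)
PRINTABLE = len(string.ascii_letters + string.digits + string.punctuation)  # 94 symbols


def derive_vault_key(master_password: str, email: str,
                     iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit key (assumed parameters)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, dklen=32)


def years_to_exhaust(length: int, charset_size: int = PRINTABLE,
                     iterations: int = DEFAULT_ITERATIONS,
                     sha256_per_second: float = 1e10) -> float:
    """Years to try every password of `length` symbols, assuming each guess
    costs `iterations` HMAC-SHA256 evaluations and the attacker computes
    `sha256_per_second` of them (an assumed figure for a multi-GPU rig)."""
    guesses = charset_size ** length
    seconds = guesses * iterations / sha256_per_second
    return seconds / (365.25 * 24 * 3600)


def master_password_issues(master_password: str, other_passwords) -> list:
    """Return the notice's two policy problems: too short, or reused elsewhere."""
    issues = []
    if len(master_password) < MIN_MASTER_LENGTH:
        issues.append(f"shorter than {MIN_MASTER_LENGTH} characters")
    if master_password in other_passwords:
        issues.append("reused on another site (credential stuffing risk)")
    return issues


if __name__ == "__main__":
    key = derive_vault_key("correct horse battery", "user@example.com")
    print("vault key:", key.hex())
    for length, its in ((8, 5_000), (12, 5_000), (12, DEFAULT_ITERATIONS)):
        years = years_to_exhaust(length, iterations=its)
        print(f"{length} chars, {its:>7} iterations: {years:.3g} years")
```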

If you haven’t done so already, we would advise that you enable multi-factor authentication (MFA) on your LastPass accounts so that threat actors won’t be able to access your account even if your password was compromised. The instructions to enable MFA can be found on the LastPass support pages.

LastPass

LastPass offers a password manager which is reportedly used by more than 33 million people and 100,000 businesses around the world. A password manager is a software application designed to store and manage online credentials. It also generates strong passwords. Usually, these passwords are stored in an encrypted database and locked behind a master password.

As a keeper of that many passwords, LastPass is juicy prey for threat actors. So, it comes as a surprise that the initial breach was able to lead to further compromises.

Unencrypted data

Security researchers are worried about the fact that LastPass stores website URLs unencrypted.

These concerns were raised because the security notice says:

“The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.”

It is indeed hard to understand why LastPass would not consider website URLs sensitive fields, and it makes you wonder what the other unencrypted data is. Leaked website URLs can lead to targeted phishing attacks, so LastPass users should be extra wary of emails asking them to log in or change their password at sites for which they have a password stored in LastPass. Always visit the site directly and do not follow the links in emails. And, as always, enable MFA where you can.

We have reached out to LastPass to ask for additional information and we will keep you informed here.



Okta breached last month, no customers compromised

Some of Okta’s source code fell into the hands of an unauthorized party. The code was stolen from GitHub in the first part of December, according to a statement issued by the company. In the same statement the company reassured users that there was no impact to any customers.

Okta

Okta is an access management company based in San Francisco. According to its own website, Okta serves over 15,000 organizations. Essentially, Okta software allows employees to log in using single sign-on—a central platform where employees can log in once in order to access resources that have been assigned to them by an organization’s IT staff. This kind of identity-first approach to security is seen by some as an important underpinning of a Zero Trust security model.

Stolen source code

GitHub alerted Okta about a possible breach in early December. An investigation by Okta revealed that the unauthorized access was used to copy code from the Okta Workforce Identity Cloud (WIC) code repositories.

Okta Workforce Identity Cloud provides a unified solution for secure access to any resource from any user that needs it, while maintaining the “Principle of Least Privilege” (POLP). The principle of least privilege is the idea that any user, program, or process should have only the bare minimum privileges necessary to perform its function.

Customers unaffected

In the statement that was also sent out by mail to security contacts, Okta told their customers that there was no unauthorized access to the Okta service, and no unauthorized access to customer data. This includes Okta’s HIPAA, FedRAMP, and DoD customers. This is because Okta does not rely on the confidentiality of its source code for the security of its services. The Okta service remains fully functional and secure.

Auth0

A few months ago, Okta subsidiary Auth0 disclosed a similar incident, where code repository archives that predated Okta’s acquisition of Auth0 were stolen. It never became clear how the unauthorized party, which notified Okta that it possessed the archives, exfiltrated them.

LAPSUS$

Okta themselves admitted to a breach that happened in January of 2022, where the LAPSUS$ cybercriminal group accessed two active customer tenants within their SuperUser application and viewed limited additional information in certain other applications like Slack and Jira that could not be used to perform actions in Okta customer tenants. The January breach was initially believed to have a much larger impact and there was talk of possibly 366 customers that might be affected.

Measures

When Okta learned of the latest incident, it placed temporary restrictions on access to Okta GitHub repositories and suspended all GitHub integrations with third-party applications. The company also reviewed the integrity of all the code that was recently placed on GitHub, and rotated GitHub credentials. Law enforcement has also been notified of the breach.



Godfather Android banking malware is on the rise

Researchers at Cyble Research & Intelligence Labs (CRIL) have found a new version of the Android banking Trojan called Godfather.

The new version of Godfather uses an icon and name similar to a legitimate application named MYT Music, which is hosted on the Google Play Store with over 10 million downloads.

History

Group-IB researchers established that Godfather is a successor of Anubis. Anubis was a widely used Android banking Trojan that lost popularity after its functionality got limited by Android updates and security vendors’ detection and prevention efforts.

Godfather’s success is mostly due to its ability to create convincing overlay screens for over 400 applications. These overlay screens, or web fakes, are basically HTML pages created by threat actors that are displayed over legitimate applications, allowing the threat actors to harvest login credentials for banking applications and other financial services. The target apps include banking applications, cryptocurrency wallets, and crypto exchanges.

The most popular target apps for the banking Trojan are in the United States (49 companies), Turkey (31), Spain (30), Canada (22), France (20), Germany (19), and the United Kingdom (17). The Trojan checks the system language of the infected device and shuts down if it is one of these: Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik.

Install

Several of the new Godfather samples were found masquerading as the MYT Müzik application, which is written in the Turkish language. After installation, it uses an icon and a name that are very similar to those of a legitimate application named MYT Music, a popular app with over 10 million installs.

Getting permissions

To get the necessary permissions, the Trojan poses as Google Protect, a standard security tool found on all Android devices. It pretends to initiate a scan and asks the user for access to the Accessibility Service, which makes sense to the user, who believes the app is about to scan the device. With access to the Accessibility Service, the Trojan can grant itself all the permissions it needs to steal information from the affected device.

Capabilities

Once fully active, Godfather steals sensitive data such as SMS messages, basic device details including installed apps data, and the device’s phone number. It can also control the device screen, forward incoming calls of the victim’s device, and inject banking URLs. The Trojan is capable of initiating money transfers by making USSD (Unstructured Supplementary Service Data) calls without using the dialer user interface.

It sends the harvested data to the attacker, who now knows which apps are installed and can inject the HTML phishing pages that are most effective for the imitated apps the victim actually has installed. The Command & Control (C2) server’s URL is fetched from a Telegram channel.

IOCs

For the variant posing as the MYT Müzik app, CRIL provided:

APK Metadata Information

  • App Name: MYT Müzik
  • Package Name: com.expressvpn.vpn
  • SHA256 Hash: 138551cd967622832f8a816ea1697a5d08ee66c379d32d8a6bd7fca9fdeaecc4

Malwarebytes for Android detects these new variants of the Godfather Trojan as Android/Trojan.Spy.Banker.MYT.

How to avoid malware

There are a few basic guidelines that can help you prevent installing malware on your device.

  • Download and install software only from official app stores like Google Play Store or the iOS App Store. And check whether the app you are downloading is exactly the one you wanted and not some imitator.
  • Use a reputable anti-virus/anti-malware and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication (MFA) wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device if possible.
  • Be very careful before opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions. Reading carefully what you are allowing an app to do helps you flag unusual and suspicious requests.


A week in security (December 19 – 25)

Why does technology no longer excite us? Lock and Code S04E01

When did technology last excite you? 

If Douglas Adams, author of The Hitchhiker’s Guide to the Galaxy, is to be believed, your own excitement ended, simply had to end, after turning 35 years old. Decades ago, at first writing privately and later having those private writings published after his death, Adams had come up with “a set of rules that describe our reactions to technologies.” They were simple and short: 

  1. Anything that is in the world when you’re born is normal and ordinary and is just a natural part of the way the world works.
  2. Anything that’s invented between when you’re fifteen and thirty-five is new and exciting and revolutionary and you can probably get a career in it.
  3. Anything invented after you’re thirty-five is against the natural order of things.

Today, on the Lock and Code podcast with host David Ruiz, we explore why technology seemingly no longer excites us. It could be because every annual product release is now just an iterative improvement from the exact same product release the year prior. It could be because just a handful of companies now control innovation. It could even be because technology is now fatally entangled with the business of money-making, and so, with every one money-making idea, dozens of other companies flock to the same idea, giving us the same product, but with a different veneer—Snapchat recreated endlessly across the social media landscape, cable television subscriptions “disrupted” by so many streaming services that we recreate the same problem we had before. 

Or, it could be because, as was first brought up by Shannon Vallor, director of the Centre for Technomoral Futures in the Edinburgh Futures Institute, that the promise of technology is not what it once was, or at least, not what we once thought it was. As Vallor wrote on Twitter in August of this year: 

“There’s no longer anything being promised to us by tech companies that we actually need or asked for. Just more monitoring, more nudging, more draining of our data, our time, our joy.”

For our first episode of Lock and Code in 2023—and our first episode of our fourth season (how time flies)—we bring back Malwarebytes Labs editor-in-chief Anna Brading and Malwarebytes Labs writer Mark Stockley to ask: Why does technology no longer excite them? 

Tune in today. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Play ransomware group claims to have stolen hotel chain data

H-Hotels, a large hospitality chain with 60 hotels across several countries including Germany and Switzerland, has announced it has fallen victim to a ransomware attack. The incident, which took place on December 11, is allegedly a double whammy of hijacked devices and data theft…if a ransomware group is telling the truth.

Another day, another ransomware press release

From the H-Hotel release:

“…unknown persons carried out a cyber attack on the IT network of the hotel company H-Hotels.com, which led to restrictions in digital communication. The cyber attack was discovered by the hotel company’s IT security systems on Sunday. According to initial findings by internal and external IT specialists, cybercriminals managed to break through the extensive technical and organizational IT protection systems in a professional attack.”

The release goes on to say that although bookings are still taking place, email is unavailable as H-Hotels examines all systems to ensure they are no longer compromised. Importantly, H-Hotels claims that there is “no indication” that personal data has been stolen as a result of the attack.

Sadly, this may no longer be the case if what a ransomware gang claims to be true turns out to be accurate.

Play time

Play ransomware is a fairly new addition to the ransomware scene, most notably causing mayhem for the city of Antwerp not so long ago with major digital systems coming to a standstill. When the group claims a juicy target, they post up the details to their leak site alongside the data they claim to have stolen. The typical game plan is to encrypt files, and then threaten to leak files if their demands are not met.

If you’re caught out by Play ransomware, you’ll know quite quickly on account of your files suddenly displaying the .play extension and a ReadMe.txt file containing little more than the word “Play” and an email address.

Play has indeed claimed responsibility for this attack, with H-Hotels joining the growing list of guest appearances on the leak page. There is no indication how much data has been stolen, but the listing mentions “Private, personal data, clients documents, passports, ID, etc”. The proposed publication date for some or all of these files should demands not be met is currently tagged as December 27.

Assuming this is true, it remains to be seen what H-Hotels’ next steps are.

Keeping ransomware at bay

Tackling ransomware can feel overwhelming, especially as even the biggest of organisations fall victim to double or triple threat tactics. Even so, there are many options available to your organisation.

  1. A little recovery time

    Don’t wait until ransomware is in your network and encrypting everything to ask if someone has a backup. Get ahead of the curve, and see if you can come up with a suitable and cost effective way to recover your data and prevent further encroachment on your network. When an attack happens, who is contacted first? Who is the emergency response? Which data is the most crucial and sensitive? Has it already been encrypted by your business to prevent network intruders taking a peek?

    You should also have an idea of who to make outreach to after an incident, and in what order. Law enforcement, cyber insurance (if you have it), external security contractors may well be some of the first entities on your list.

  2. Testing for timeliness

    It’s always a good idea to keep your systems updated, along with your security tools. However: just like those businesses which only consider backups once the damage has been done, there are many out there not running regular scans or ensuring everything is working as it should be. You don’t want to be in the middle of an incident and then find out your licences expired three months ago.

    On a similar note, it’s the obvious attack targets which don’t receive enough care and attention from admins. So many compromises are the result of brute-force attacks on unsecured Remote Desktop Protocol (RDP) logins. Make sure you set those passwords in the first place, and limit the rate at which individuals can keep trying to log in before being locked out.

  3. A valuable set of tools

    As you’ve gathered, speed and a calm head is of the essence when dropped into a ransomware incident. You want your Endpoint Detection and Response (EDR) tools to work fast, and with as little friction as possible. Identifying and isolating infected devices, spotting behaviour which resembles ransomware activity, and assisting with file recovery where possible are all extremely useful when that alarm bell starts to ring.

    Additional assistance in the form of rogue website blocking, prevention of exploits and malvertising, and brute force protection will all serve you very well.
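As an added example (not part of the original post), detection logic for the RDP brute forcing mentioned in step 2, run over constructed Windows Security event lines: a sliding window counts failed RemoteInteractive logons per source address, and a later successful logon from an alerted source is flagged as a guess that worked. The log format, thresholds and addresses are assumptions made for the example.

```python
"""Spot RDP password-guessing bursts in Windows Security events.

Added example, not part of the original post. The log lines are a
constructed, simplified rendering of Windows Security events: 4625 is a
failed logon, 4624 a successful one, and LogonType 10 (RemoteInteractive)
means the attempt came over RDP. A real pipeline would read EVTX or a
SIEM export; the IPs are documentation ranges."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"Account=(?P<acct>\S+) SrcIP=(?P<ip>\S+)$")

# Constructed sample: one source guessing several accounts over RDP and
# finally succeeding, one unrelated RDP user, one non-RDP failure.
SAMPLE_LOG = """\
2022-12-11T02:14:01Z EventID=4625 LogonType=10 Account=administrator SrcIP=203.0.113.7
2022-12-11T02:14:03Z EventID=4625 LogonType=10 Account=administrator SrcIP=203.0.113.7
2022-12-11T02:14:06Z EventID=4625 LogonType=10 Account=admin SrcIP=203.0.113.7
2022-12-11T02:14:09Z EventID=4625 LogonType=10 Account=backup SrcIP=203.0.113.7
2022-12-11T02:14:12Z EventID=4625 LogonType=3 Account=svc-sql SrcIP=203.0.113.9
2022-12-11T02:14:15Z EventID=4625 LogonType=10 Account=jsmith SrcIP=198.51.100.22
2022-12-11T02:14:20Z EventID=4625 LogonType=10 Account=backup SrcIP=203.0.113.7
2022-12-11T02:14:25Z EventID=4625 LogonType=10 Account=backup SrcIP=203.0.113.7
2022-12-11T02:15:40Z EventID=4624 LogonType=10 Account=backup SrcIP=203.0.113.7
2022-12-11T02:16:00Z EventID=4625 LogonType=10 Account=jsmith SrcIP=198.51.100.22
2022-12-11T02:30:00Z EventID=4624 LogonType=10 Account=mgarcia SrcIP=192.0.2.10
"""


def parse_event(line: str):
    """Parse one sample line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]), "lt": int(m["lt"]),
            "acct": m["acct"].lower(), "ip": m["ip"]}


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Alert on sources with >= `threshold` failed RDP logons inside `window`.

    Returns {src_ip: {"failures", "accounts", "succeeded", "compromised_account"}}.
    A later successful RDP logon from an alerted source is recorded because
    that is the pattern of a guess that finally worked."""
    recent = defaultdict(deque)   # ip -> (timestamp, account) of recent failures
    total = defaultdict(int)      # ip -> failed RDP logons seen so far
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["lt"] != 10:      # only RDP (RemoteInteractive)
            continue
        ip = ev["ip"]
        if ev["eid"] == 4625:
            total[ip] += 1
            q = recent[ip]
            q.append((ev["ts"], ev["acct"]))
            while q and ev["ts"] - q[0][0] > window:   # slide the window
                q.popleft()
            if len(q) >= threshold or ip in alerts:
                a = alerts.setdefault(ip, {"failures": 0, "accounts": set(),
                                           "succeeded": False,
                                           "compromised_account": None})
                a["failures"] = total[ip]
                a["accounts"].update(acct for _, acct in q)
        elif ev["eid"] == 4624 and ip in alerts:
            alerts[ip]["succeeded"] = True
            alerts[ip]["compromised_account"] = ev["acct"]
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, alert)
```

The same counter is what an account lockout policy enforces on the host side; the detector is there to see the burst even when lockout is misconfigured or the attacker spreads guesses across many accounts.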

We have a lot more information with regard to simplifying the fight against ransomware, alongside multiple reports and guides for best practice and overviews of the ransomware landscape generally.


The pitfalls of blocking IP addresses

In August 2022, an Austrian court ordered the block of 11 IP addresses for copyright violations on 14 websites. Sadly, there was an undesirable side-effect—thousands of websites were rendered inaccessible to internet users in Austria for two days.

There are many possible reasons why governments would order Internet Service Providers (ISPs) to block specific IP addresses—from censorship to several different illegal activities like copyright infringements, fraud, and selling banned substances.

For the sake of the article we will focus on blocking for illegal activities in democratic countries, because censorship in more dictatorial states falls under very different considerations.

The problem

Blocking an entire IP address because there are one or a few unwanted sites hosted on that IP address is unfair at one level to those that happen to be on the same IP address but are unaware of the illegal activities. Compare it to issuing a search warrant for an entire block because the owner of one house is suspected of doing something illegal.

But even though courts have an obligation to consider the rights of those not contributing to the illegal activities, blocking by IP address is something that happens too often according to content delivery network Cloudflare that investigated the matter.

“Freedom House recently reported that 40 out of the 70 countries that they examined – which vary from countries like Russia, Iran and Egypt to Western democracies like the United Kingdom and Germany –  did some form of website blocking.”

Sharing your IP

While it is easy to say that you shouldn’t share your IP with illegal, fraudulent, or even compromised sites, this is not how the internet works for the average user. For starters, there is a huge difference between the number of available IP addresses and the number of existing domains, let alone the possible number of domains, even when you take IPv6 into account, which allows for far more unique IP addresses.

A regular website owner registers a domain and hosts the website on the server of a provider which is often the same one that registered the domain for them. They do not have a say over which other sites will be on the same server. The provider will decide this based on availability and load balancing. All a website owner can do is find a provider that is quick to respond in case there is a complaint about a site.

Cloudflare

The problem in Austria was magnified because the court ordered the ISPs to block the IP addresses owned by Cloudflare that pointed to the websites they wanted to block. This rendered thousands of websites inaccessible.

“In a network like Cloudflare’s, any single IP address represents thousands of servers, and can have even more websites and services — in some cases numbering into the millions — expressly because the Internet Protocol is designed to enable it.”

Better blocking

Better blocking should be based on blocking closer to the source. If you have a problem with a domain, you should first try to block that particular domain.

The designs of IP addressing and the Domain Name System (DNS) are independent of each other, but despite that, a one-to-one relationship is often assumed.

The first clue for the Austrian court that IP addresses and domain names don’t have a one-to-one relationship should have been the fact that they only needed to block 11 IP addresses to tackle 14 offending domains.

Another problem with blocking an IP is the lack of transparency for the internet user. When someone tries to visit a blocked IP, the connection fails without providing them with a reason. And an innocent website owner on the same IP does not realize anything is wrong until they receive complaints that their website is unreachable, or they see their visitor numbers drop for no apparent reason.

Inevitable

But sometimes IP blocking is inevitable. At Malwarebytes, we block IP addresses that are scanning other IP addresses for vulnerabilities, simply because there is no domain that can be blocked in these cases. We do try to limit the block to certain ports where possible. We also know the risks of blocking by IP address, but since we have an obligation to protect our customers, the choices are sometimes hard and mistakes are occasionally made.

BEC scammers go after more than just money

In a joint Cybersecurity Advisory (CSA), the Federal Bureau of Investigation (FBI), the Food and Drug Administration Office of Criminal Investigations (FDA OCI), and the US Department of Agriculture (USDA) reported recently observed incidents of Business Email Compromise (BEC) with a new twist. In these incidents the threat actors didn’t go for money; instead they stole whole shipments of food products and ingredients valued at hundreds of thousands of dollars.

Business Email Compromise

Up until recently, BEC attacks were almost exclusively targeted at money transfers. Malwarebytes’ own glossary entry for BEC says:

“A business email compromise (BEC) is an attack wherein an employee, who is usually the CFO or someone from the Finance department, is socially engineered into wiring a large sum of money to a third-party account.”

We may have to revise that entry since threat actors are now targeting physical goods as well.

In May 2022 we discussed some numbers published by the FBI. A few highlights:

  • $43 billion were stolen between June 2016 and December 2021. There were 241,206 domestic and international incidents between those two dates.
  • The FBI observed a 65% increase in losses suffered between July 2019 and December 2021, which feels like a significant ramp-up.
  • The overwhelming majority of organizations filing victim complaints to the IC3 between October 2013 and December 2021 were based in the US.

This new type of attack will most certainly boost those numbers even more.

Methods

The tactics, techniques, and procedures have stayed very much the same. For the best results, attackers can use every bit of knowledge about the target and the legitimate company they are pretending to be. With this information they can:

  • Deploy email accounts and websites that closely mimic those of a legitimate company.
  • Use spear phishing and other techniques to get access to a legitimate company’s email system and send fraudulent emails from there.
  • Use the names of actual officers or employees of a legitimate business to communicate with the victim company to add extra credibility.
  • Copy company logos to lend authenticity to their fraudulent emails and documents.
  • Deceive the victim company into extending credit by falsifying a credit application. The scammer provides the actual information of a legitimate company so the credit check results in an approval of the application.

In the end, the victim company ships the product but never receives a payment.

Targets

While this type of fraud can happen in many industries, the CSA specifically points out recent events in the food and agriculture sector. In the listed examples, attackers used email addresses that were slightly different from the ones they were mimicking and seem to be predominantly after milk powder. But they also tried stealing a truckload of sugar. During investigations it also became clear that some legitimate companies were impersonated on more than one occasion.

Domain mimicry

There are many ways to mimic a domain so that the unsuspecting receiver of an email or web portal request might miss the difference. To be proactive, you should look for additional punctuation, changes in the top-level domain (e.g. “.com” vs “.gov”), added prefixes or suffixes, the use of similar characters (e.g. “close” vs “c1ose”), or a minor misspelling of the domain.
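As an added example (not code from the FBI advisory or the joint CSA), the checks just listed, together with the “typos or a misplaced letter” advice from the search-ad notice earlier on this page, as a small lookalike-domain classifier a mail gateway or proxy could run. The brand allowlist, the confusable-character table and the sample inputs are constructed for illustration.

```python
"""Flag lookalike domains against a small brand allowlist.

Added example, not code from the FBI advisory or the joint CSA. The
brand list, the confusable-character table and the sample inputs are
constructed; a real deployment would use the organisation's own domains,
a fuller confusables table and a public-suffix list."""
from urllib.parse import urlsplit

# Constructed allowlist of legitimate registrable domains (hypothetical brands).
LEGIT_DOMAINS = ("example-bank.com", "closeco.com", "mytmusic.com")

# Look-alike substitutions of the "close" vs "c1ose" kind; a small subset.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
               "rn": "m", "vv": "w"}


def registrable(host: str) -> str:
    """Crude eTLD+1: keep the last two labels (no public-suffix list used)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalise(label: str) -> str:
    """Undo common substitutions and punctuation so 'c1ose' compares as 'close'."""
    for bad, good in CONFUSABLES.items():
        label = label.replace(bad, good)
    return label.replace("-", "").replace("_", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typos and dropped or misplaced letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url_or_host: str):
    """Return (verdict, matching legitimate domain or None, reason)."""
    parts = urlsplit(url_or_host if "//" in url_or_host else "//" + url_or_host)
    host = (parts.hostname or "").lower()
    cand = registrable(host)
    if cand in LEGIT_DOMAINS:
        return ("legit", cand, "exact match")
    if "." not in cand:
        return ("unknown", None, "no registrable domain")
    cand_name, cand_tld = cand.rsplit(".", 1)
    host_labels = host.split(".")
    for legit in LEGIT_DOMAINS:
        name, tld = legit.rsplit(".", 1)
        if cand_name == name and cand_tld != tld:
            return ("lookalike", legit, "top-level domain swapped")
        if normalise(cand_name) == normalise(name):
            return ("lookalike", legit, "confusable characters or punctuation")
        if name in cand_name:
            return ("lookalike", legit, "prefix or suffix added")
        if name in host_labels:
            return ("lookalike", legit, "brand name used as subdomain")
        # Short brand names would give too many false positives on distance.
        if len(name) >= 5 and edit_distance(cand_name, name) <= 2:
            return ("lookalike", legit, "typo")
    return ("unknown", None, "no resemblance to a listed brand")


if __name__ == "__main__":
    for sample in ("https://closeco.com/login", "c1oseco.com", "closeco.co",
                   "secure-closeco.com", "closeco.com.evil-login.net",
                   "clozeco.com", "unrelated.org"):
        print(f"{sample:32} -> {classify(sample)}")
```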

Mitigation

The FBI, FDA, and USDA urge businesses to use a risk-informed analysis to deal with this type of crime. Some of the tips they gave are worth repeating:

  • Verify contacts by independent means. Do not trust logos and branding, for they can easily be copied.
  • Carefully check hyperlinks and email addresses for slight variations that can make fraudulent addresses appear legitimate and resemble the names of actual business partners.
  • Check for spelling errors, strange wording, and other grammatical abnormalities.
  • Encourage managerial double checks when employees find something suspicious or out of the ordinary.
  • Be skeptical of unexplained urgency or last-minute changes, especially in shipping destination.
  • Educate your employees to raise awareness of BEC, phishing, and other types of fraud.
  • Immediately report any online fraud or BEC activity to the FBI Internet Crime Complaint Center at ic3.gov/Home/BEC.

To avoid being used as a bait company, you can regularly conduct web searches for your company name to identify results that return multiple websites that may be used in a scam.

