A wave of phishing campaigns is targeting airline consumers with messages crafted to trick victims into handing over personal or business credentials. The phishing messages pretend to be sent from a travel agency or from someone inside the target firm; they include a weaponized document or embed a malicious link. "Over the past several weeks, we have seen a combination of attack techniques. One, where an attacker impersonates a travel agency or someone inside a company. Recipients are told an email contains an airline ticket or e-ticket," explained Asaf Cidon, vice president, content security services at Barracuda Networks. According to Barracuda Networks, aviation-themed phishing attacks contain links to spoofed airline sites, and the threat actors personalize the phishing page to trick victims into providing business information. The attackers show a deep knowledge of their targets; the campaigns are focused on the logistics, manufacturing and shipping industries. "It's clear there is some degree of advanced reconnaissance that takes place before targeting individuals within these companies," Cidon added. Recently the U.S. Computer Emergency Readiness Team issued an alert about phishing campaigns targeting airline consumers. "US-CERT has received reports of email-based phishing campaigns targeting airline consumers. Systems infected through phishing campaigns act as an entry point for attackers to gain access to sensitive business or personal information," reads the US-CERT warning.
"US-CERT encourages users and administrators to review an airline Security Advisory and US-CERT's Security Tip ST04-014 for more information on phishing attacks." The US-CERT alert specifically references the security advisory published by Delta Air Lines, which warned its customers of fraudulent activity. "Delta has received reports of attempts by parties not affiliated with us to fraudulently gather customer information in a number of ways including: fraudulent emails, social media sites, postcards, Gift Card promotional websites claiming to be from Delta Air Lines and letters or prize notifications promising free travel," states the Delta Air Lines warning. Barracuda confirmed that these campaigns have a high success rate: "Our analysis shows that for the airline phishing attack, attackers are successful over 90 percent of the time in getting employees to open airline impersonation emails," concluded Cidon. "This is one of the highest success rates for phishing attacks."
Banks in Russia today were the target of a massive phishing campaign that aimed to deliver a tool used by the Silence group of hackers. The group is believed to have a background in legitimate infosec activities and access to documentation specific to the financial sector. The fraudulent emails purported to come from the Central Bank of Russia (CBR) and contained a malicious attachment. The message body lured the recipients into opening the attachment in order to check the latest details on the "standardization of the format of CBR's electronic communications."
Email authentication mechanism saves the day
International cybersecurity company Group-IB investigated the attack and noticed that the style and format of the fake communication were very similar to official CBR correspondence. This supports the theory that the attackers had access to legitimate emails from CBR. If the Silence hackers have any ties with the legal side of reverse engineering and penetration testing, it is very likely that they are familiar with the documentation used by financial institutions and with how banking systems work. In a report published today, Group-IB says that the attackers spoofed the sender's email address, but the messages did not pass DKIM (DomainKeys Identified Mail) validation. DKIM is a mechanism specifically designed to defeat forged sender addresses: the sending domain adds a cryptographic signature to the message, and the receiver verifies that signature against a public key published in the sender's DNS, so a message that claims to come from a domain but carries no valid signature for it fails validation.
Banks see more spear-phishing from a different group
The Silence hackers are not the only ones trying their spear-phishing game on Russian banks. On October 23, another notorious group, MoneyTaker, ran a similar campaign against the same type of targets. Their message spoofed an email address from the Financial Sector Computer Emergency Response Team (FinCERT) and contained five attachments disguised as documents from CBR. "Three out of five files were empty decoy documents, but two contained a download for the Meterpreter Stager. To carry out the attack, hackers used self-signed SSL certificates," says Rustam Mirkasymov, head of Group-IB's Dynamic Analysis of Malware department and threat intelligence expert. These clues, along with server infrastructure associated with the MoneyTaker group, allowed the security experts to identify the perpetrator. As in the case of Silence, this attacker is also thought to have had access to CBR documents, most likely from compromised inboxes of Russian bank employees. This allowed them to craft messages that would pass even eyes trained in spotting fraudulent emails.
Silence and MoneyTaker are the most dangerous threats to banks
According to Group-IB, multiple groups use the Central Bank of Russia in spear-phishing operations, and for good reason, since the organization dictates regulations to financial institutions in the country and maintains a constant communication flow with them. Mirkasymov says that Silence and MoneyTaker are the most dangerous of all groups that threaten financial organizations. Referring to the latter, the expert says that its repertoire also includes drive-by attacks and testing the network for vulnerabilities. The goal is to access the internal nodes that enable them to withdraw money from ATMs, process cards or make interbank transfers. Although Silence relies mainly on phishing, the group is more careful about crafting the message, paying attention to both content and design, adds Group-IB's threat intelligence expert.
Business Email Compromise (BEC) attacks jumped 45% in the final quarter of 2016 compared to the previous three months, according to new stats from Proofpoint. The security vendor claimed such attacks have grown both in volume and sophistication. Also known as "CEO fraud" and "whaling", these attacks typically involve fraudsters spoofing the email addresses of company CEOs to trick staff members into transferring funds outside the company. However, Proofpoint also counts attempts to target HR teams for confidential tax information and sensitive employee data, as well as engineering departments which may have access to a wealth of lucrative corporate IP. In its analysis of over 5,000 global enterprise customers, it claimed that in two-thirds of cases the attacker spoofed the "from" email domain so that it displayed the same domain as the targeted company. These attacks can slip past some security systems because they don't carry malware as such, just a combination of this domain spoofing and social engineering of the victim to pressure them into paying. Part of the trick is to harry the target, rushing them so they have less time to think about what they're doing. That's why over 70% of the most common BEC subject-line families appraised by Proofpoint featured the words "Urgent", "Payment" and "Request". The vendor claimed that firms in the manufacturing, retail and technology sectors are especially at risk, as cyber-criminals repeatedly look to take advantage of more complex supply chains and SaaS infrastructures. Vice-president of products Robert Holmes argued that although employee education is important, it needs to be complemented by the right set of tools to weed out fraudulent emails. "When it comes to BEC attacks, employees should never be an organization's first line of defense.
It is the organization's responsibility to ensure that security technologies are in place, so that BEC attacks are stopped before they can reach their intended target," he told Infosecurity Magazine. BEC has become so popular among the black hats that the FBI warned organizations last year the scams had cost billions since 2013. Trend Micro predicted that 2017 would see more and more cyber-criminals turn to BEC given the potential rich pickings, claiming the average pay-out is $140,000, versus just $722 for a typical ransomware attack. However, Holmes argued that ransomware and BEC actors are likely "two distinct types of criminal". "While ransomware attacks require technical infrastructure to launch campaigns at scale, BEC attacks are socially engineered and highly targeted in nature, conducted by a single actor rather than teams, and generally launched from shared email platforms," he explained. "While cyber-criminals will always go where the money is, we do not envision a drastic change in tactics such as traditional purveyors of ransomware transitioning to BEC. As long as ransomware and trojans continue to pay, cyber-criminals with technical skillsets are unlikely to down tools and pivot towards such a fundamentally different type of attack vector."
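Two detection signals recur in the reports above: the Group-IB finding that the spoofed CBR messages failed DKIM validation, and the Proofpoint statistics that most BEC mail spoofs the target's own "from" domain and leans on subject lines containing "Urgent", "Payment" and "Request". The following Python triage heuristic is an added example, not code from Group-IB, Proofpoint or any of the outlets quoted; it assumes a defending organisation domain of `example-corp.test` (a placeholder), reads the receiving server's `Authentication-Results` header for the DKIM verdict, and runs over two constructed sample messages (one benign, one modelled on the BEC pattern described, neither taken from a real campaign).

```python
"""Heuristic triage for domain-spoofing BEC mail (added example, not from the reports above).

Signals checked, each grounded in the articles on this page:
  1. From: header shows our own domain but DKIM did not pass (Group-IB's CBR case).
  2. Return-Path (envelope sender) domain differs from the From: domain (domain spoofing).
  3. Subject contains the urgency words Proofpoint found in >70% of BEC subject lines.
"""
import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.test"          # assumed placeholder for the defender's own domain
URGENCY_WORDS = ("urgent", "payment", "request")   # from the Proofpoint figures quoted above

# Constructed sample messages (not real campaign artifacts).
SAMPLES = {
    "legit": (
        "From: Alice Finance <alice@example-corp.test>\r\n"
        "Return-Path: <alice@example-corp.test>\r\n"
        "Authentication-Results: mx.example-corp.test; dkim=pass header.d=example-corp.test\r\n"
        "Subject: Q4 budget review notes\r\n"
        "\r\n"
        "Attached are the notes from today's meeting.\r\n"
    ),
    "bec": (
        "From: CEO Bob <bob.ceo@example-corp.test>\r\n"
        "Return-Path: <noreply@mail-relay.invalid>\r\n"
        "Authentication-Results: mx.example-corp.test; dkim=fail header.d=example-corp.test\r\n"
        "Subject: URGENT payment request - wire today\r\n"
        "\r\n"
        "I need you to process a wire transfer before noon. Keep this confidential.\r\n"
    ),
}


def parse(raw: str):
    """Parse a raw RFC 5322 message string into an EmailMessage."""
    return email.message_from_string(raw, policy=policy.default)


def _domain(addr: str) -> str:
    """Extract the lower-cased domain part of an address header value."""
    _, address = parseaddr(str(addr or ""))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def dkim_result(msg) -> str:
    """Return the DKIM verdict ('pass', 'fail', ...) recorded by the receiving MTA, or 'none'."""
    for hdr in msg.get_all("Authentication-Results", []):
        match = re.search(r"\bdkim=(\w+)", str(hdr), re.IGNORECASE)
        if match:
            return match.group(1).lower()
    return "none"


def triage(raw: str) -> dict:
    """Score one message; each finding is one of the three signals listed in the docstring."""
    msg = parse(raw)
    from_domain = _domain(msg.get("From", ""))
    envelope_domain = _domain(msg.get("Return-Path", ""))
    subject = str(msg.get("Subject") or "").lower()
    findings = []

    # Signal 1: looks internal, but the claimed domain's DKIM signature did not verify.
    if from_domain == ORG_DOMAIN and dkim_result(msg) != "pass":
        findings.append("From: shows our own domain but DKIM result is not 'pass'")

    # Signal 2: envelope sender and visible sender domains disagree.
    if envelope_domain and envelope_domain != from_domain:
        findings.append(f"Return-Path domain {envelope_domain} differs from From domain {from_domain}")

    # Signal 3: urgency vocabulary in the subject line.
    hits = [w for w in URGENCY_WORDS if re.search(rf"\b{w}\b", subject)]
    if hits:
        findings.append("urgency keywords in subject: " + ", ".join(hits))

    return {"score": len(findings), "findings": findings, "from_domain": from_domain}


if __name__ == "__main__":
    for name, raw_msg in SAMPLES.items():
        result = triage(raw_msg)
        print(f"{name}: score={result['score']}")
        for finding in result["findings"]:
            print("  -", finding)
```

A score of zero is the normal case for authenticated internal mail; any non-zero score on a message whose From: claims the organisation's own domain is worth routing to a quarantine or review queue rather than the recipient, which is the "technology before the employee" control Holmes argues for. In production the DKIM verdict should come from the MTA's own verifier (the `Authentication-Results` header it adds), never from a header the sender supplied.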
"Over the past several weeks, we have seen a combination of attack techniques. One, where an attacker impersonates a travel agency or someone inside a company. Recipients are told an email contains an airline ticket or e-ticket," said Asaf Cidon, vice president, content security services at Barracuda Networks. Attachments, he said, are documents rigged with malware or are designed to download it from a command and control server. Cidon said other aviation-themed phishing attacks contain links to spoofed airline sites. In these types of attacks, adversaries go to great lengths to spoof the airline's site. "It's clear there is some degree of advanced reconnaissance that takes place before targeting individuals within these companies," Cidon said. Recent phishing campaigns, he said, are targeting the logistics, shipping and manufacturing industries. Barracuda's warning comes a week after the U.S. Computer Emergency Readiness Team issued an alert about similar attacks targeting airline consumers. It warned that email-based phishing campaigns were attempting to obtain credentials as well. "Systems infected through phishing campaigns act as an entry point for attackers to gain access to sensitive business or personal information," according to the US-CERT warning. Delta said some victims were sent emails that claimed to contain invoices or receipts inside attached documents. When asked about the warning, Delta declined to comment. More troubling to Barracuda researchers was the success rate adversaries are having with the phishing campaigns it is tracking. "Our analysis shows that for the airline phishing attack, attackers are successful over 90 percent of the time in getting employees to open airline impersonation emails," Cidon wrote in a research note posted Thursday.
"This is one of the highest success rates for phishing attacks." In June, Microsoft Malware Protection Center reported a resurgence in the use of Office document macro attacks. Researchers say crooks attempting to install malware and perpetrate credential-harvesting attacks are more likely to use social engineering to trick people into installing malware than to exploit vulnerabilities with tools such as exploit kits.
Last week, the Internal Revenue Service (IRS) issued a new warning to employers, urging them to stay alert as reports of compromised W-2 records started to climb. This newest advisory aligns with the agency's plan to delay refunds for those filing their returns early in order to combat identity theft and fraud. The IRS also informed employers that the W-2 scam has moved beyond corporations, expanding to include schools, tribal organizations, and nonprofits. In a statement, IRS Commissioner John Koskinen said the scams, sometimes known as Business Email Compromise (BEC) attacks, are some of the most dangerous email scams the agency has seen in a long time. "It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone's help to turn the tide against this scheme," Koskinen said. In 2016, at least 145 organizations fell victim to BEC scams, exposing tens of thousands of employees to tax fraud and identity theft. Salted Hash kept track of some of the high-profile cases, and Databreaches.net tracked everything, resulting in a massive list of documented successful attacks. As of February 5, 23 organizations have publicly disclosed BEC-related data breaches, each one resulting in compromised W-2 data. The confirmed BEC victims include ten school systems, a software development firm, a utility company in Pennsylvania, at least one restaurant in Indianapolis, and businesses operating within the healthcare, finance, manufacturing, and energy sectors. Distribution International emailed employees on January 27 that their W-2 data was compromised. Their notification expands the number of affected taxpayers to more than 30,000.
The scammers spoofed an email and pretended to be one of the company's owners. W-2 records for all companies and all employees were compromised. Salted Hash reached out to Sky Climber's CFO, Jeff Caswell, for more information. Also, the College of Southern Idaho has reported an incident that could impact 3,000 employees. According to Public Information Officer Doug Maughan, the W-2 records affected belong to seasonal and auxiliary staff. Palomar College disclosed an attack on January 30 which affected employee W-2 records. The school didn't say the incident was the result of a BEC attack, but Salted Hash is listing it anyway due to the timing of the attack and the information targeted. Finally, today the West Michigan Whitecaps, a Class A minor league baseball team affiliated with the Detroit Tigers, said staff W-2 records were compromised after someone posing as a manager requested them. In 2016, the criminals behind the BEC attacks mostly focused on payroll and tax records. This year though, the IRS says that in addition to the usual records request, the scammers are now following up and requesting wire transfers. "Although not tax related, the wire transfer scam is being coupled with the W-2 scam email, and some companies have lost both employees' W-2s and thousands of dollars due to wire transfers," the IRS explained in its warning. "Employers should consider creating an internal policy, if one is lacking, on the distribution of employee W-2 information and conducting wire transfers." BEC attacks are essentially phishing scams, or spear phishing, since the criminals have a specific target. They're effective too, exploiting the trust relationships that exist within the corporate environment.
In a majority of the reported cases from 2016, the attackers forged an email and pretended to be the victim organization's top executive, or someone with direct authority. Often it is the CEO or CFO, but any high-level manager will work.