Why Cybercrime is like Trout Fishing

“Why push on a locked door when there’s an open window?”

As any seasoned fly angler knows, trout are highly selective, continuous feeders whose entire survival strategy centers on conserving energy, remaining close to a safe holding place, and gaining maximum protein intake with minimal movement. To fool the wily trout, fly anglers have developed a practice called “matching the hatch”: presenting an artificial fly that most resembles what the trout are currently feeding on, and getting it close to where a feeding trout is holding. Often, with the right presentation, the trout is fooled and hooked.

So what does fly fishing have to do with cyber security?

In many ways, cyber criminals behave exactly like seasoned fly anglers. Rarely do they waste time, energy and resources bombarding a company’s firewall, or, in the case of fly fishing, randomly casting any fly pattern available. And as cybercrime becomes more sophisticated and controlled by criminal gangs and nation states, they favor a targeted approach. Cybercriminals today look for the easiest and quickest way through a company’s security defenses, often focusing on individual employees using an approach called social engineering.

Cybercriminals, like fly anglers, look for the easiest way to fool their target. And in today’s disrupted business world that seems to be employees working from home, where in most cases the home environment is far less secure than the office IT environment. They also, like a fly angler matching the hatch, impersonate senior executives demanding that a lower-level employee (for example from the finance department) wire money immediately to a (fake) client account. All too often the employee, on receiving an urgent email from a named senior executive, complies.

The savvy trout angler spends a great deal of time understanding the trout species they are targeting, the river environment, the types of insect life and potential food sources, most active feeding times etc. They even visit nearby fly shops and talk with knowledgeable fishing guides for specific information. They build a knowledge base used to match the hatch and fool the trout.

In a similar way, a cybercriminal spends a great amount of time researching the company they are targeting. They scour LinkedIn profiles, search company websites for the names and titles of employees, and gather information about employees on Facebook, Tinder, Instagram, Snapchat and other social media platforms. Recently they have begun to telephone employees at home pretending to be a legitimate research company, even offering cash for answering survey questions. In many cases, employee emails and other confidential information can be purchased from other criminal groups on the Dark Net. Using all this information they put together a list of potential employees to target with phishing emails and social engineering.

Trout anglers know that older and larger trout are more “educated” in telling real food from an angler’s imitation. Older trout have probably seen numerous presentations from lots of different anglers and learned to be wary and highly selective. Also, the clearer the water, the more wary trout are in general, to protect themselves from predators. Smaller, younger trout have yet to learn and are easier to fool.

Cybercriminals know that new employees are easier to fool as well. This is especially true when cyber security training is minimal and there is little peer-to-peer education about what to watch out for when it comes to email phishing and social engineering. And working from home has in most cases reduced the amount of team learning and peer-to-peer interaction, which provide a safe place for new employees to ask questions and seek advice. In many training classes few employees want to be singled out for asking “naïve” questions.

A Human Approach to Mitigating Cybercrime

To blunt the growing impact of cybercrime, companies need to focus more on the human aspect of cyber security. In most organizations, 98% of the cyber security budget is spent on technology and less than 2% on employees. Yet 88% of cyber breaches are the result of human error, poor cyber hygiene, mismanagement, and insider actions. Just 12% of breaches are due to technology failures. And 61% of cyber victims fail to report the incident. 

The analogy between fly fishing and cybercrime offers many opportunities for companies to improve their cyber security. For example, clarity of water in a trout stream is easily equated with open transparency and cross-functional communications in the corporate world. Learning from others, on-going communications about attempted cyberattacks and successful breaches allows everyone to learn quickly and become more aware and accountable. Having the IT department help secure the home technology and internet environment of senior executives, Board Directors and other high value targets helps prevent breaches and high-value-employee data mining by cyber criminals. Adding additional support for the cyber security and IT team to improve and keep on top of cyber hygiene, patches and software upgrades can go a long way in mitigating cyber risks.

Cyber security is the number one threat to businesses and organizations everywhere. Between 2020 and 2021, ransomware attacks increased by 60%, with the average ransomware payment approaching $4.5 million (IBM). And that’s just the payment to the hackers. The cost of downtime, lost revenue, reputational damage and decline in market value is nearly 10 times the ransom payment.

It is past time senior leaders prioritized the human firewall. Otherwise cybercrime will continue to grow and pose an ever-growing threat to our global economy and way of life.

Source: https://www.linkedin.com/pulse/why-cybercrime-like-trout-fishing-john-r-childress/?trk=public_post

National Cyber Security Awareness Month: You Could Be the Biggest Threat to Your WordPress Site

October is National Cyber Security Awareness Month in the U.S., and this year’s theme is “See Yourself in Cyber.” What is really being said by this theme is that we all have a role to play in cyber security, whether we work in the industry or not. With this in mind, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) have identified four key areas where we can all take action to protect our presence online, and work to keep others safe. These same concepts can be used to help secure WordPress sites as well.

Think Before You Click

The idea behind this concept is that you should always be on the lookout for phishing attempts. This is true in general, but also applies specifically to anyone who is an administrator of a WordPress site. Anyone who is in this role is likely very familiar with receiving emails from their website that advise of available updates, or comments that need to be moderated, and plenty of plugins have their own reasons for sending emails to administrators as well. As most administrators don’t log into the admin panel daily, these emails are often a critical part of the site management workflow.

WordPress is currently used on over 40% of all websites, making it both well-known and a large target for threat actors. What this means is that threat actors are aware of the emails that website administrators are used to receiving, and can likely duplicate them with relative ease. Whenever you receive an email from your website, it is best to check that any links do not contain domain names from other websites before clicking, or better yet log into the admin panel directly and navigate to the page that needs your attention.

Even more important than checking links in the emails you are used to receiving is checking links in emails you aren’t expecting. The folks at Wordfence recently discussed how links can be manipulated to enable a complete account takeover, among other malicious activities. By remaining vigilant and checking the actual URL being used, these types of attacks can be avoided.
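The check described above (does every link in a notification email actually point at your own site, and does the visible URL match the real target?) can be automated. The following is an added example, not code from the original article or from Wordfence: it parses a constructed notification email, extracts each anchor, and flags links whose host is not the administrator's own domain or whose displayed URL differs from the real href. `SITE_DOMAIN` and the sample message are assumptions for the demonstration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample: a notification that imitates a WordPress update email.
# The first link's visible text shows the site's own domain, but the href points elsewhere.
SAMPLE_EMAIL = """\
From: WordPress <wordpress@example-site.com>
To: admin@example-site.com
Subject: [Example Site] Plugin update available
Content-Type: text/html

<p>A new version of a plugin is available.</p>
<p><a href="https://example-site.com.login-update.example/wp-admin/update-core.php">https://example-site.com/wp-admin/update-core.php</a></p>
<p><a href="https://example-site.com/wp-admin/edit-comments.php">Moderate comments</a></p>
"""

SITE_DOMAIN = "example-site.com"  # assumed: the domain the administrator actually manages

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def belongs_to(host, domain):
    """True only if host is the domain itself or a genuine subdomain of it.
    A plain substring test would be fooled by 'example-site.com.other.example'."""
    return host == domain or host.endswith("." + domain)


def check_links(html, site_domain):
    """Return one finding per anchor with the reasons it looks suspicious (empty if none)."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        host = host_of(href)
        reasons = []
        if not belongs_to(host, site_domain):
            reasons.append("href host %r is not under %s" % (host, site_domain))
        # If the link text itself looks like a URL, it must agree with the real target.
        visible = re.sub(r"<[^>]+>", "", text).strip()
        if visible.startswith("http"):
            visible_host = host_of(visible)
            if visible_host != host:
                reasons.append("visible URL host %r differs from href host %r" % (visible_host, host))
        findings.append({"href": href, "host": host, "suspicious": bool(reasons), "reasons": reasons})
    return findings


def check_email(raw, site_domain):
    """Parse a raw RFC 822 message (single-part in this sample) and check its links."""
    msg = message_from_string(raw)
    return check_links(msg.get_payload(), site_domain)


if __name__ == "__main__":
    for finding in check_email(SAMPLE_EMAIL, SITE_DOMAIN):
        label = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(label, finding["href"], "; ".join(finding["reasons"]))
```

The first link is flagged twice (its host is a lookalike that merely begins with the site's domain, and its visible text disagrees with the href); the second, which genuinely lives under the site's own domain, passes. The same test is what a person should do by hand: read the host of the real target, not the text of the link.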

Update Your Software

One of the best ways to keep a website secure is to ensure that any software being used is regularly updated with the latest security updates. In WordPress, this means keeping your core WordPress version up to date, as well as any themes or plugins that are installed. ProtectYourWP.com does this for you with daily site checks and updates.

Despite the ability to update all of this software automatically, many site administrators allow their websites to run on outdated versions, many of which contain security vulnerabilities. Some may have reasons for using older versions, such as theme or plugin compatibility issues. However, these issues should be resolved as quickly as possible, finding replacement themes or plugins if necessary.

The majority of the targeted attack attempts we see are attempting to make use of vulnerabilities in outdated plugins. As threat actors become aware of vulnerabilities, they also know they can find success in exploiting those vulnerabilities because of the number of administrators who allow outdated plugins to remain active on the website. The simple act of updating all of the site software is one of the simplest ways to prevent the success of an exploit attempt.

Use Strong Passwords – and a Password Manager

It can’t be stated enough that passwords need to be as strong as possible. Threat actors have been looking for ways to get into user accounts since the dawn of the modern era of computing, and they have a number of tools at their disposal to guess or “crack” passwords. The stronger the password, the lower their chance of success. Longer passwords are considered more secure, with current recommendations calling for a minimum of a 16-character password wherever possible. Each password should only be used to log into a single account. This means that individuals should have strong and unique passwords for each and every account they have from WordPress to Gmail and everything in between.

While the requirement to use a unique password for every account may sound like overkill to some, there is a very good reason for it. A type of attack known as credential stuffing is easily prevented simply by using unique passwords. Credential stuffing consists of using known usernames and passwords to try to log in to as many accounts as possible. If credentials from an account are leaked in a data breach, stolen through phishing, or otherwise obtained by a malicious actor, they are often able to gain access to multiple accounts simply by using those same credentials in other accounts, such as Gmail, banks, and of course WordPress.

Another common method of guessing a password is what is known as a dictionary attack. This type of attack utilizes techniques like trying lists of common passwords, or even seemingly random strings, in the password field to attempt to find one that provides access to the account. In the last 30 days, we have blocked 4,239,859,063 password attack attempts, which highlights the importance of using a strong password to keep malicious actors out of accounts.

Blocked password attacks in the last 30 days
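Credential stuffing and dictionary attacks leave different fingerprints in an authentication log: stuffing tries many distinct usernames from one source, a dictionary attack hammers one account with many guesses. The following is an added example, not code from the original article or from Wordfence, showing how a site operator can tell the two apart from failed-login records and, more importantly, spot an attacking source that eventually succeeds. The log format, sample lines and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log in a simplified "timestamp ip user result" form (not any real product's format).
SAMPLE_LOG = """\
2022-10-03T09:00:01 203.0.113.10 alice FAIL
2022-10-03T09:00:02 203.0.113.10 bob FAIL
2022-10-03T09:00:02 203.0.113.10 carol FAIL
2022-10-03T09:00:03 203.0.113.10 dave FAIL
2022-10-03T09:00:03 203.0.113.10 erin FAIL
2022-10-03T09:00:04 203.0.113.10 frank OK
2022-10-03T09:05:10 198.51.100.7 admin FAIL
2022-10-03T09:05:11 198.51.100.7 admin FAIL
2022-10-03T09:05:11 198.51.100.7 admin FAIL
2022-10-03T09:05:12 198.51.100.7 admin FAIL
2022-10-03T09:05:12 198.51.100.7 admin FAIL
2022-10-03T09:05:13 198.51.100.7 admin FAIL
2022-10-03T09:05:13 198.51.100.7 admin FAIL
2022-10-03T09:05:14 198.51.100.7 admin FAIL
2022-10-03T09:10:00 192.0.2.44 alice FAIL
2022-10-03T09:10:30 192.0.2.44 alice OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>OK|FAIL)$")

# Thresholds are assumptions for this example; tune them to the site's real traffic.
STUFFING_MIN_USERS = 5       # one source failing against at least this many distinct accounts
DICTIONARY_MIN_ATTEMPTS = 8  # one source failing at least this many times against one account


def parse(lines):
    """Turn raw log lines into dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify(events):
    """Per source IP, label the failure pattern and list accounts it nevertheless logged into."""
    fails_by_ip = defaultdict(lambda: defaultdict(int))  # ip -> user -> failed attempts
    successes = defaultdict(set)                          # ip -> users that logged in from it
    for e in events:
        if e["result"] == "FAIL":
            fails_by_ip[e["ip"]][e["user"]] += 1
        else:
            successes[e["ip"]].add(e["user"])
    report = {}
    for ip, per_user in fails_by_ip.items():
        kinds = []
        if len(per_user) >= STUFFING_MIN_USERS:
            kinds.append("credential_stuffing")
        if max(per_user.values()) >= DICTIONARY_MIN_ATTEMPTS:
            kinds.append("dictionary")
        if kinds:
            # A success from a source that was already guessing is the event that needs a response
            # (force a password reset on that account, revoke its sessions, block the source).
            report[ip] = {
                "kinds": kinds,
                "failed_attempts": sum(per_user.values()),
                "accounts_hit": sorted(successes[ip]),
            }
    return report


if __name__ == "__main__":
    for ip, info in classify(parse(SAMPLE_LOG.splitlines())).items():
        print(ip, info)
```

In the sample, 203.0.113.10 fails once each against five accounts and then logs in as `frank` (a reused password found by stuffing), 198.51.100.7 makes eight guesses against `admin` (a dictionary attack), and 192.0.2.44 is a normal user who mistyped once; only the first two are reported.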

Using long passwords that are unique for each account can seem intimidating, especially once you consider that the average person has around 100 different accounts that need passwords. This is where password managers come in. Most password managers can automatically generate secure passwords, and securely store those passwords to easily copy and paste into login forms. There are a number of password managers available, all with their own set of features and use-cases. Ultimately, which password manager you use is far less important than the fact that you are using one, so use the one that fits your needs the best.

Refresh your memory with 10 of the most common password mistakes we’ve seen and employ techniques to mitigate the risks of each one.

Enable Multi-Factor Authentication

While strong passwords are important, enabling multi-factor authentication (MFA) is one of the most effective methods of preventing unauthorized account access. According to details provided in a White House press briefing, 80-90% of all cyber attacks can be prevented with the implementation of multi-factor authentication (MFA). There are various forms that MFA can take, but the basic idea behind it is that you are using something you know (a password) along with something you are (such as biometrics) or something you have (such as a smartphone or USB device) to gain access.

What makes MFA so effective is the fact that it requires at least one additional form of authentication that a malicious actor is not likely to possess along with the first factor. This means that even if a threat actor obtains a username and password through a phishing scam, they still won’t have access to the smart card, MFA token, or other additional form of authentication required. Most MFA methods are also relatively simple for the authorized user to utilize, and combining this with strong unique passwords that are stored in a password manager can even be more convenient for the user than trying to remember password variants that work with the various password requirements of their accounts. As a reminder, Wordfence makes it incredibly easy for site owners to set up MFA for all Wordfence users.

National Cyber Security Awareness Month is a great time to review our personal and professional security hygiene. Each year a different theme is chosen, based on the areas that have been observed to need the most improvement. The specific behaviors and techniques highlighted should be reviewed and applied everywhere possible. Following this year’s theme of “See Yourself in Cyber” we gain the understanding that cyber security is everyone’s responsibility, and that we can apply new behaviors to avoid phishing and vulnerabilities, as well as better secure access to our accounts.

Scan This: There’s Danger in QR Codes

QR codes have become embedded in daily life for many adults. Their spread was highlighted on Super Bowl Sunday, when a bouncing QR code on a brightly colored field occupied 30 seconds of very expensive air time. Capturing that particular QR code led viewers to information on cryptocurrency. Codes that have popped up on restaurant tables across the country lead to menus and apps for paying meal charges. Other codes could lead to much less benign destinations. 

The same qualities that make QR codes so valuable make them a legitimate threat to enterprise (and personal) cybersecurity. A type of bar code introduced in 1994 by automotive supplier Denso Wave, QR codes were first used to track components and subassemblies through an automobile assembly process. There are now 40 versions of the QR code, each carrying a different amount of information. Depending on the error correction employed, QR code capacity can range from 72 to 16,568 bits — more than enough to carry significant information about a part, or a malicious instruction for your mobile device or enterprise network.

And the opportunities to deliver those malicious instructions exploded shortly after the beginning of the pandemic when countless restaurants, eager to avoid the appearance of delivering viruses along with menus, moved customers to a menu viewed on their mobile phones. How did those menus get to the customers’ mobile phones? Through a scanned QR code. Convenient, hygienic, and ubiquitous, QR codes have revolutionized menu delivery and customer feedback. They have also revolutionized delivery methods for malware and social engineering attacks.

Take a Closer Look

The problem isn’t really with the capability of QR codes — those capabilities make the codes very useful for any number of legitimate business and consumer purposes. The problem is that so many people have stopped thinking about the codes that they scan. How many times have you seen people walk into a restaurant and scan the QR code from a sticker attached to the table, often scanning the code before they’re fully settled in their seats? That kind of reflexive scanning is the human component of the vulnerability that the code introduces to the enterprise.

So, what is an enterprise security staff to do about it? Given the square code’s ubiquity, a blanket prohibition on scanning is unlikely to work. The best approach, as in so many things cyber, is solid education on the threat and best practices for minimizing its impact.

The first thing employees must learn is that scanning a QR code should never be automatic. Want to see a menu on your smartphone? Great — ask the server to bring you a sheet with the QR code printed on it. Want to leave a review? Great — scan the code on the bottom of your receipt. QR codes on random stickers stuck to tables and doors should be treated with suspicion since they’re in far too public a set of locations to trust.

Next up is learning to consider context when scanning a QR code. On an official sign with a logo in your bank’s lobby? Perhaps. On a crooked sticker at the front of a gas pump? Hard no. Treating QR codes as you would any other bit of electronic kit is important because that’s exactly what they are: mechanisms for carrying and delivering code to a device. Just because they’re made of ink and paper rather than silicon and gallium arsenide doesn’t mean they’re any less effective — or dangerous.

Consider Training

The potential danger of QR codes is actually a good excuse to introduce training about dangers beyond the obvious phishing email message and dodgy website. Criminals and threat actors are eager to take advantage of actions taken without thought — times when employees are on “auto pilot” regarding their actions. Train employees to stop and think about codes, images, and stickers before they launch the attached URL and you may well cut down on the number of malware packages that come attached to orders for gooey cookies.

Source: https://www.darkreading.com/omdia/scan-this-there-s-danger-in-qr-codes

Smart homes are hackable homes if not equipped with updated, supported tech

Smart homes are increasingly becoming hackable homes, according to consumer research.

The report by consumer rights organization Which? paints a grim picture for people who have equipped their residences with gadgets, many from trusted tech names.

As with pretty much everything in IT, if you connect a device to the internet, ensuring it’s patched and has a decent password is the very least owners can do. Even then, there are no guarantees that this is secure.

Unsurprisingly, the Which? team found that out-of-support devices were relatively straightforward for hackers to compromise. The example given was an early Amazon Echo smart speaker, which researchers were able to take control of without the user being aware.

Other devices, such as smartphones and routers, were also exploited. The Which? team were able to infect a Samsung Galaxy S8 smartphone with malware disguised as a delivery text. Siphoning of user data was then possible.

However, in these cases the devices were out of support and “the attack would have been better blocked or detected by a device that was still receiving security updates,” Which? noted.

Continue Reading: https://www.theregister.com/2022/06/01/which_smart_tech_advice/

Large-Scale Phishing Campaign Bypasses MFA

Attackers used adversary-in-the-middle attacks to steal passwords, hijack sign-in sessions and skip authentication and then use victim mailboxes to launch BEC attacks against other targets.

Microsoft researchers have uncovered a massive phishing campaign that can steal credentials even if a user has multi-factor authentication (MFA) enabled and has so far attempted to compromise more than 10,000 organizations.

The campaign, which has been active since September 2021, depends upon the use of adversary-in-the-middle (AiTM) phishing sites in the initial attacks to hijack session cookies and steal credentials. From there, attackers can access victims’ user mailboxes to launch further attacks against other targets, the Microsoft 365 Defender Research Team from the Microsoft Threat Intelligence Center (MTIC) wrote in a blog post published Tuesday.

In AiTM attacks, a threat actor deploys a proxy server between a target user and the website the user wishes to visit–that is, the site the attacker wishes to impersonate, researchers explained.

“Such a setup allows the attacker to steal and intercept the target’s password and the session cookie that proves their ongoing and authenticated session with the website,” they wrote.

It’s important to point out that this type of attack does not denote a vulnerability in the type of MFA employed by a corporate email system, they added. AiTM phishing steals the session cookie, so the attacker gets authenticated to a session on the user’s behalf regardless of the sign-in method the latter uses, researchers said.

Indeed, attackers are getting wise to organizations’ increasing use of MFA to better secure user accounts and creating more sophisticated phishing attacks like these that can bypass it, noted a security professional.

“While MFA is certainly valuable and should be used when possible, by capturing the password and session cookie–and because the session cookie shows that MFA was already used to login–the attackers can often circumvent the need for MFA when they login to the account again later using the stolen password,” observed Erich Kron, security awareness advocate at security awareness training firm KnowBe4, in an email to Threatpost.

AiTM Phishing, Unpacked

In their observation of the campaign, Microsoft researchers took a deeper dive into how these types of attacks work and how they can be used to mount secondary business email compromise (BEC) attacks once initial access to someone’s account is gained, they said.

AiTM phishing attacks depend upon the session that every modern web service implements with a user after successful authentication so that the user doesn’t have to be authenticated at every new page they visit, researchers explained.

“This session functionality is implemented through a session cookie provided by an authentication service after initial authentication,” they wrote. “The session cookie is proof for the web server that the user has been authenticated and has an ongoing session on the website.”

In AiTM phishing, an attacker attempts to steal a target user’s session cookie so they can skip the whole authentication process and act as if they are the legitimate authenticated user, researchers said.

“To do this, the attacker deploys a webserver that proxies HTTP packets from the user that visits the phishing site to the target server the attacker wishes to impersonate and the other way around,” they wrote. “This way, the phishing site is visually identical to the original website (as every HTTP is proxied to and from the original website).”

This attack is especially convenient for threat actors because it precludes the need for them to craft their own phishing sites such as the ones used in conventional phishing campaigns, researchers noted.

Specific Attack Vector

In the phishing campaign observed by Microsoft researchers, attackers initiate contact with potential victims by sending emails with an HTML file attachment to multiple recipients in different organizations. The messages claim that the recipients have a voicemail message and need to click on the attachment to access it or it will be deleted in 24 hours.

If a user clicks on the link, they are redirected to a site that tells them they will be redirected again to their mailbox with the audio in an hour. Meanwhile, they are asked to sign in with their credentials.

At this point, however, the attack does something unique using clever coding by automatically filling in the phishing landing page with the user’s email address, “thus enhancing its social engineering lure,” researchers noted.

If a target enters his or her credentials and gets authenticated, he or she is redirected to the legitimate Microsoft office.com page. However, in the background, the attacker intercepts the credentials and gets authenticated on the user’s behalf, providing free rein to perform follow-on activities, researchers said.

In the phishing email chain that researchers observed, the threat actor used the authentication to commit payment fraud in secondary attacks from within the organization, researchers said.

Follow-Up BEC and Payment Fraud

Attackers took less than five minutes after hijacking sessions and stealing credentials to begin the process of conducting payment fraud by authenticating to Outlook to access finance-related emails and file attachments, researchers said. The following day, they accessed these emails and files every few hours to search for opportunities to commit fraud.

The threat actor also deleted from the compromised account’s Inbox folder the original phishing email they sent to hide traces of their initial access, researchers added.

“These activities suggest the attacker attempted to commit payment fraud manually,” they wrote.

Attackers also used Outlook Web Access (OWA) on a Chrome browser to commit payment fraud while using the compromised account’s stolen session cookie, researchers added.
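Because the stolen session cookie is valid regardless of how MFA was completed, detection has to look at how the session is used after sign-in rather than at the sign-in itself. The following is an added example, not code from the original article or from Microsoft, showing one such heuristic over a constructed audit trail: it records the client (IP and user agent) that completed MFA for each session and flags any later use of that same session from a different client, raising severity when the switch happens within minutes or includes mailbox actions of the kind the article describes (searching and deleting mail). The event schema, action names and thresholds are assumptions for the demonstration.

```python
from datetime import datetime

# Constructed sample events: (timestamp, user, session id, client ip, user agent, action).
# This is a simplified audit format, not any real product's schema.
SAMPLE_EVENTS = [
    ("2022-07-12T08:00:00", "jdoe", "sess-A1", "203.0.113.5", "Edge/103 Windows", "mfa_success"),
    ("2022-07-12T08:00:05", "jdoe", "sess-A1", "203.0.113.5", "Edge/103 Windows", "read_mail"),
    ("2022-07-12T08:03:40", "jdoe", "sess-A1", "198.51.100.77", "Chrome/103 Windows", "read_mail"),
    ("2022-07-12T08:04:02", "jdoe", "sess-A1", "198.51.100.77", "Chrome/103 Windows", "search_mail"),
    ("2022-07-12T08:04:30", "jdoe", "sess-A1", "198.51.100.77", "Chrome/103 Windows", "delete_mail"),
    ("2022-07-12T09:15:00", "asmith", "sess-B2", "192.0.2.10", "Safari/15 macOS", "mfa_success"),
    ("2022-07-12T09:20:00", "asmith", "sess-B2", "192.0.2.10", "Safari/15 macOS", "read_mail"),
]

# Mailbox actions that fit the post-compromise behaviour described in the article (assumed names).
SUSPICIOUS_ACTIONS = {"search_mail", "delete_mail", "create_inbox_rule"}


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def find_session_reuse(events, max_minutes=30):
    """Flag session cookies used from a client other than the one that passed MFA."""
    origin = {}    # session id -> (time, ip, user agent) recorded at mfa_success
    findings = {}  # session id -> details of reuse from another client
    for ts, user, session, ip, ua, action in sorted(events, key=lambda e: e[0]):
        when = parse_ts(ts)
        if action == "mfa_success":
            origin[session] = (when, ip, ua)
            continue
        if session not in origin:
            continue  # no MFA event seen for this cookie in the data; out of scope for this example
        mfa_when, mfa_ip, mfa_ua = origin[session]
        if ip == mfa_ip:
            continue  # same client that authenticated; nothing to report
        f = findings.setdefault(session, {
            "user": user, "mfa_ip": mfa_ip, "other_ips": set(), "ua_changed": False,
            "minutes_after_mfa": None, "actions": [],
        })
        f["other_ips"].add(ip)
        f["ua_changed"] = f["ua_changed"] or ua != mfa_ua
        if f["minutes_after_mfa"] is None:
            f["minutes_after_mfa"] = (when - mfa_when).total_seconds() / 60
        f["actions"].append(action)

    for f in findings.values():
        f["other_ips"] = sorted(f["other_ips"])
        fast = f["minutes_after_mfa"] is not None and f["minutes_after_mfa"] <= max_minutes
        mailbox_tampering = bool(set(f["actions"]) & SUSPICIOUS_ACTIONS)
        f["severity"] = "high" if (fast and f["ua_changed"]) or mailbox_tampering else "medium"
    return findings


if __name__ == "__main__":
    for session, info in find_session_reuse(SAMPLE_EVENTS).items():
        print(session, info)
```

In the sample, `sess-A1` completes MFA from one browser and is then driven from a different IP and browser less than four minutes later, ending with a mail deletion, so it is reported as high severity; `sess-B2` stays on the client that authenticated and is not reported. A heuristic like this complements, rather than replaces, controls that bind the session to the authenticating device, which is what stops the stolen cookie from being useful in the first place.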

Source: https://threatpost.com/large-scale-hishing-bypasses-mfa/180212/

Zero-click attacks explained, and why they are so dangerous

Zero-click attacks, especially when combined with zero-day vulnerabilities, are difficult to detect and becoming more common.

Zero-click attack definition

Zero-click attacks, unlike most cyberattacks, don’t require any interaction from the users they target, such as clicking on a link, enabling macros, or launching an executable. They are sophisticated, often used in cyberespionage campaigns, and tend to leave very few traces behind—which makes them dangerous.

Once a device is compromised, an attacker can choose to install surveillance software, or they can choose to enact a much more destructive strategy by encrypting the files and holding them for ransom. Generally, a victim can’t tell when and how they’ve been infected through a zero-click attack, which means users can do little to protect themselves.

How zero-click attacks work

Zero-click attacks have become increasingly popular in recent years, fueled by the rapidly growing surveillance industry. One of the best-known spyware tools is NSO Group’s Pegasus, which has been used to monitor journalists, activists, world leaders, and company executives. While it’s not clear how each victim was targeted, it is believed that at least a few of them received a WhatsApp call they didn’t even have to answer.

Messaging apps are often targeted in zero-click attacks because they receive large amounts of data from unknown sources without requiring any action from the device owner. Most often, the attackers exploit a flaw in how data is validated or processed.

Other less-known zero-click attack types have stayed under the radar, says Aamir Lakhani, cybersecurity researcher at Fortinet’s FortiGuard Labs. He gives two examples: parser application exploits (“while a user views a picture in a PDF or a mail application, the attacker is silently exploiting a system without user clicks or interaction needed”) and “WiFi proximity attacks that seek to find exploits on a WiFi stack and upload exploit code into [the] user’s space [in the] kernel to remotely take over systems.”

Zero-click attacks often rely on zero-days, vulnerabilities that are unknown to the software maker. Not knowing they exist, the maker can’t issue patches to fix them, which can put users at risk. “Even very alert and aware users cannot avoid those double-whammy zero-day and zero-click attacks,” Lakhani says.

These attacks are often used against high-value targets because they are expensive. “Zerodium, which purchases vulnerabilities on the open market, pays up to $2.5M for zero-click vulnerabilities against Android,” says Ryan Olson, vice president of threat intelligence, Unit 42 at Palo Alto Networks.

Examples of zero-click attacks

The target of a zero-click attack can be anything from a smartphone to a desktop computer and even an IoT device. One of the first defining moments in their history happened in 2010 when security researcher Chris Paget demonstrated at DEF CON 18 how to intercept phone calls and text messages using a Global System for Mobile Communications (GSM) vulnerability, explaining that the GSM protocol is broken by design. During his demo, he showed how easy it was for his international mobile subscriber identity (IMSI) catcher to intercept the mobile phone traffic of the audience.

Another early zero-click threat was discovered in 2015 when the Android malware family Shedun took advantage of the Android Accessibility Service’s legitimate functions to install adware without the user doing anything. “By gaining the permission to use the accessibility service, Shedun is able to read the text that appears on screen, determine if an application installation prompt is shown, scroll through the permission list, and finally, press the install button without any physical interaction from the user,” according to Lookout.

A year later, in 2016, things got even more complicated. A zero-click attack was implemented into the United Arab Emirates surveillance tool Karma, which took advantage of a zero-day found in iMessage. Karma only needed a user’s phone number or email address. Then, a text message was sent to the victim, who didn’t even have to click on a link to be infected.

Once that text arrived on an iPhone, the attackers were able to see photos, emails, and location data, among other items. The hacking unit that used this tool, dubbed Project Raven, included U.S. intelligence hackers who helped the United Arab Emirates monitor governments and human rights activists.

By the end of that decade, zero-click attacks were being noticed more often, as surveillance companies and nation-state actors started to develop tools that didn’t require any action from the user. “Attacks that we were previously seeing through links in SMS, moved to zero-click attacks by network injections,” says Etienne Maynier, technologist at Amnesty International.

Amnesty and the Citizen Lab worked on several cases involving NSO Group’s Pegasus spyware, which was linked to several murders, including that of the Washington Post journalist Jamal Khashoggi. Once installed on a phone, Pegasus can read text messages, track calls, monitor a victim’s location, access the device’s mic and camera, collect passwords, and gather information from apps.

Khashoggi and those close to him were not the only victims. In 2019, a flaw in WhatsApp was exploited to target civil society and political figures in Catalonia. The attack started with a video call made on WhatsApp to the victim. Answering the call wasn’t necessary, as the data sent to the chat app wasn’t sanitized properly. This allowed the Pegasus code to be executed on the target device, effectively installing the spyware. WhatsApp has since patched this vulnerability and has notified 1,400 users who were targeted.

Another sophisticated zero-click attack associated with NSO Group’s Pegasus was based on a vulnerability in Apple’s iMessage. In 2021, Citizen Lab found traces of this exploit being used to target a Saudi activist. This attack relies on an error in the way GIFs are parsed in iMessage and disguises a PDF document containing malicious code as a GIF. In its analysis of the exploit, Google Project Zero stated, “The most striking takeaway is the depth of the attack surface reachable from what would hopefully be a fairly constrained sandbox.” The iMessage vulnerability was fixed on September 13, 2021, in iOS 14.8.

Zero-click attacks don’t only target phones. In 2021, a zero-click vulnerability gave unauthenticated attackers full control over Hikvision security cameras. Later the same year, a flaw in Microsoft Teams was shown to be exploitable through a zero-click attack that gave hackers access to the target device across major operating systems (Windows, macOS, Linux).

How to detect and mitigate zero-click attacks

Realistically, determining whether a device is infected is difficult, and reliably preventing a zero-click attack is close to impossible. “Zero-click attacks are way more common than we thought,” says Maynier. He recommends potential targets encrypt all their data, update their devices, have strong passwords, and do everything in their power to protect their digital lives. There’s also something else he tells them: “Consider that they may be compromised and adapt to that.”

Still, users can do a few things to minimize the risk of being spied on. The simplest, for iPhone owners, is to restart the phone periodically. Amnesty's researchers have shown that this can stop Pegasus from working on iOS, at least temporarily, because a reboot terminates any running code that has not achieved persistence. The disadvantage is that rebooting may also erase the traces an infection left behind, making it much harder for security researchers to determine afterwards whether a device was targeted with Pegasus.

Users should also avoid jailbreaking their devices, because it removes some of the security controls built into the operating system, such as code signing and app sandboxing. A jailbroken device can also run unverified software, which may introduce vulnerable code that becomes a prime target for a zero-click attack.

As always, maintaining good security hygiene can help. “Segmentation of networks, applications, and users, use of multifactor authentication, use of strong traffic monitoring, good cybersecurity hygiene, and advanced security analytics may prove to slow down or mitigate risks in specific situations,” says Lakhani. “[These] will also make post-exploitation activities difficult for attackers, even if they do compromise [the] systems.”

Maynier adds that high-profile targets should segregate data and have a device only for sensitive communications. He recommends users keep “the smallest amount of information possible on their phone (disappearing messages are a very good tool for that)” and leave it out of the room when they have important face-to-face conversations.

Organizations such as Amnesty International and the Citizen Lab have published guides instructing users to connect their smartphone to a PC and check whether it has been infected with Pegasus. The software used for this, Amnesty's Mobile Verification Toolkit (MVT), compares artifacts such as cached Safari favicons and URLs present in SMS messages against published indicators of compromise (IOCs). Users do not have to jailbreak their device to run the tool: on iOS it can work from an iTunes or Finder backup.
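To make the IOC matching concrete, here is an added example of the kind of check MVT's SMS module performs. It is written for this newsletter and is not MVT's own code: it loads domain indicators from a STIX 2 bundle (the format MVT's indicator files use, matched on the "[domain-name:value = '...']" pattern), pulls URLs out of SMS text, and reports any whose host is an indicator domain or a subdomain of one. The bundle, the indicator domains and the SMS rows are all constructed placeholders, not real Pegasus infrastructure.

```python
"""Added example: match URLs in SMS records against STIX 2 domain indicators."""
import json
import re
from urllib.parse import urlsplit

# STIX 2 indicators carry patterns such as "[domain-name:value = 'x.example']".
STIX_DOMAIN_RE = re.compile(r"\[domain-name:value\s*=\s*'([^']+)'\]")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed IOC bundle; these domains are placeholders, not real indicators.
IOC_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern": "[domain-name:value = 'example-update.net']", "pattern_type": "stix"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern": "[domain-name:value = 'cdn.example-tracking.org']", "pattern_type": "stix"},
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000004",
         "name": "placeholder"},
    ],
})

# Constructed SMS rows in the shape of the records MVT extracts from sms.db.
SMS_RECORDS = [
    {"isodate": "2021-07-12 09:14:02", "from": "+10000000001",
     "text": "Your parcel is waiting: https://track.example-update.net/x?id=91"},
    {"isodate": "2021-07-12 09:30:55", "from": "+10000000002",
     "text": "Lunch at 1?"},
    {"isodate": "2021-07-13 18:02:10", "from": "+10000000003",
     "text": "see http://news.example.org/story/42 and HTTPS://Example-Update.NET./"},
]


def load_domain_iocs(bundle_json: str) -> set:
    """Collect domain names from every indicator object in a STIX 2 bundle."""
    domains = set()
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        for d in STIX_DOMAIN_RE.findall(obj.get("pattern", "")):
            domains.add(d.lower().rstrip("."))
    return domains


def matching_ioc(host: str, iocs: set):
    """Return the IOC covering host (exact match or a parent domain), else None."""
    host = host.lower().rstrip(".")  # normalise case and a trailing root dot
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_sms(records, iocs) -> list:
    """Return one hit per URL whose host matches an indicator domain."""
    hits = []
    for rec in records:
        for url in URL_RE.findall(rec["text"]):
            host = urlsplit(url).hostname
            ioc = matching_ioc(host, iocs) if host else None
            if ioc:
                hits.append({"isodate": rec["isodate"], "from": rec["from"],
                             "url": url, "ioc": ioc})
    return hits


if __name__ == "__main__":
    for hit in scan_sms(SMS_RECORDS, load_domain_iocs(IOC_BUNDLE)):
        print(hit)
```

The normalisation step matters in practice: operators vary case and append a trailing dot to evade naive string matching, and a subdomain such as track.example-update.net must still match the parent indicator.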

Also, Apple and WhatsApp have both sent notifications to people who may have been targeted by zero-click attacks aimed at installing Pegasus. Some of those recipients then contacted organizations such as the Citizen Lab to have their devices analyzed further.

Yet technology alone won’t solve the problem, says Amnesty’s Maynier. “This is ultimately a question of policy and regulation,” he adds. “Amnesty, EDRi and many other organizations are calling for a global moratorium on the use, sale, and transfer of surveillance technology until there is a proper human rights regulatory framework in place that protects human rights defenders and civil society from the misuse of these tools.”

The policy answers will have to cover different aspects of this problem, he says, from export control to mandatory human rights due diligence for companies. “We need to put a stop on these widespread abuses first,” Maynier adds.

Source: https://www.csoonline.com/article/3660055/zero-click-attacks-explained-and-why-they-are-so-dangerous.html

New WordPress sites getting hacked ‘within seconds’ of TLS certificates being issued

Attackers pounce before site owners can activate the installation wizard.

Attackers are abusing the Certificate Transparency (CT) system to compromise new WordPress sites in the typically brief window of time before the content management system (CMS) has been configured and therefore secured.

CT is a web security standard for monitoring and auditing TLS (aka SSL) certificates, which are issued by certificate authorities (CAs) to validate websites’ identity.

First implemented by the DigiCert CA in 2013, and now enforced by major browsers, the standard has CAs record newly issued certificates in public, append-only logs in the interests of transparency and the prompt discovery of rogue or misused certificates.

However, evidence is growing that malicious hackers are monitoring these logs to spot newly certificated WordPress domains and then run the CMS's installation wizard themselves, in the window after the web admin has uploaded the WordPress files but before they complete setup and protect the site with an admin password.

Multiple testimonies have emerged detailing sites being hacked within minutes – within seconds, even – of TLS certificates being requested.

Domain owners report the appearance of a malicious file (/wp-includes/.query.php) and their sites being press-ganged into joining DDoS attacks.
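What the attacker sees is nothing more than the public log entry for the new certificate, and the hostnames in it are enough to start probing. The script below is an added example for this newsletter, not code from the Daily Swig article or from any real attacker toolkit: it parses a crt.sh JSON result (the field names are the ones crt.sh returns for a query like https://crt.sh/?q=%25.example.com&output=json), lists the concrete hosts logged within the last few minutes, and builds the first URL worth requesting, the WordPress setup wizard at /wp-admin/install.php. The two log entries are constructed.

```python
"""Added example: what a CT log watcher extracts from a crt.sh result."""
import json
from datetime import datetime, timedelta

# Constructed crt.sh-style entries. entry_timestamp is naive UTC as crt.sh emits it;
# name_value holds every SAN in the certificate, newline-separated.
CRTSH_SAMPLE = json.dumps([
    {"id": 1001, "issuer_ca_id": 183267, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "blog.example.com",
     "name_value": "blog.example.com\nwww.blog.example.com",
     "entry_timestamp": "2022-03-01T10:15:22.123",
     "not_before": "2022-03-01T09:15:22", "not_after": "2022-05-30T09:15:21",
     "serial_number": "03a1"},
    {"id": 1002, "issuer_ca_id": 183267, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.shop.example.com",
     "name_value": "*.shop.example.com\nshop.example.com",
     "entry_timestamp": "2022-03-01T07:40:01.500",
     "not_before": "2022-03-01T06:40:01", "not_after": "2022-05-30T06:40:00",
     "serial_number": "03a2"},
])

# The WordPress setup wizard stays reachable until installation is completed.
INSTALL_PATH = "/wp-admin/install.php"


def parse_crtsh(json_text: str) -> list:
    """Return (hostname, logged_at) pairs, one per SAN, with wildcards dropped."""
    out = []
    for entry in json.loads(json_text):
        logged_at = datetime.fromisoformat(entry["entry_timestamp"])
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower()
            if not name or name.startswith("*."):
                continue  # a wildcard names no concrete host to probe
            out.append((name, logged_at))
    return out


def fresh_hosts(json_text: str, now: datetime, max_age: timedelta) -> list:
    """Hosts whose certificate was logged within max_age of now, newest first, deduplicated."""
    seen = set()
    recent = []
    for host, logged_at in sorted(parse_crtsh(json_text), key=lambda p: p[1], reverse=True):
        if now - logged_at <= max_age and host not in seen:
            seen.add(host)
            recent.append(host)
    return recent


def probe_url(host: str) -> str:
    """The first URL an attacker requests. A site owner can request the same URL
    immediately after obtaining a certificate to confirm the wizard is not exposed."""
    return "https://" + host + INSTALL_PATH


if __name__ == "__main__":
    now = datetime(2022, 3, 1, 10, 20, 0)  # constructed "current time" for the sample
    for host in fresh_hosts(CRTSH_SAMPLE, now, timedelta(minutes=10)):
        print(probe_url(host))
```

The defence follows from the timeline the script exposes: the certificate is logged within seconds of issuance, so the install must already be finished, or install.php must be restricted to the administrator's address at the web server, before the certificate is requested. Completing setup non-interactively with WP-CLI (wp core install) before pointing DNS or TLS at the host removes the window entirely.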

More details at: https://portswigger.net/daily-swig/wordpress-sites-getting-hacked-within-seconds-of-tls-certificates-being-issued

Questionable URL? Here’s a tool to help.

We recently heard of VirusTotal.com’s free web-based URL checker.

Have you received email which looks suspicious or has a link which you’re uncertain about? (This is how phishing often takes advantage of you!)

Right-click the link and copy the link address, then go to https://www.virustotal.com/gui/home/url and paste it in. It returns the verdicts of dozens of scanning engines on whether the URL is likely to be malicious.

It’s not perfect: I entered a link to an exploit-reporting website and six out of 93 reports said it was malicious (it isn’t). But it will definitely give you a better idea of the trustworthiness of any random URL you receive.

By the way, it works on most shortened URLs too: bit.ly, goo.gl, etc.
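For anyone who wants to do the same check from a script, here is an added example written for this newsletter rather than VirusTotal's own client library. It uses VirusTotal's documented v3 interface (GET https://www.virustotal.com/api/v3/urls/<id> with an x-apikey header, where <id> is the unpadded base64url encoding of the URL), undoes the usual defanging (hxxp, [.]) before submission, and summarises the engine counts into the "6 out of 93" style verdict described above. The report object is constructed to mirror the shape of a v3 URL object; the lookup itself needs a real API key and network access.

```python
"""Added example: VirusTotal v3 URL lookup and verdict summary."""
import base64
import json
import urllib.request

VT_URLS_ENDPOINT = "https://www.virustotal.com/api/v3/urls/"
VERDICT_BUCKETS = ("harmless", "malicious", "suspicious", "undetected", "timeout")


def refang(url: str) -> str:
    """Undo common defanging (hxxp, [.], [:], (.)) so the real URL is submitted."""
    u = url.strip()
    if u.lower().startswith("hxxp"):
        u = "http" + u[4:]
    return u.replace("[.]", ".").replace("[:]", ":").replace("(.)", ".")


def vt_url_id(url: str) -> str:
    """VirusTotal's URL identifier: base64url of the URL with '=' padding removed."""
    return base64.urlsafe_b64encode(url.encode("utf-8")).decode("ascii").rstrip("=")


def summarize(report: dict) -> dict:
    """Reduce last_analysis_stats to flagged/total plus the URL VT actually landed on.

    The 10% threshold is this example's own heuristic, not a VirusTotal rule:
    a handful of engines flagging a security site is a common false positive.
    """
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    total = sum(stats.get(k, 0) for k in VERDICT_BUCKETS)
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    return {
        "flagged": flagged,
        "total": total,
        "final_url": attrs.get("last_final_url"),  # shorteners are expanded here
        "likely_malicious": total > 0 and flagged / total >= 0.10,
    }


def lookup(url: str, api_key: str, timeout: float = 15.0) -> dict:
    """Fetch the existing VirusTotal report for url (network call; needs a real key)."""
    req = urllib.request.Request(VT_URLS_ENDPOINT + vt_url_id(refang(url)),
                                 headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed report; the numbers reproduce the "6 out of 93" case from the text.
SAMPLE_REPORT = {
    "data": {
        "type": "url",
        "id": vt_url_id("https://example.com/"),
        "attributes": {
            "last_final_url": "https://example.com/",
            "last_analysis_stats": {"harmless": 80, "malicious": 6,
                                    "suspicious": 0, "undetected": 7, "timeout": 0},
        },
    }
}

if __name__ == "__main__":
    print(vt_url_id(refang("hxxps://example[.]com/")))
    print(summarize(SAMPLE_REPORT))
```

The last_final_url field is the part that makes the shortened-URL case useful: VirusTotal follows the redirect chain, so the summary shows where a bit.ly or goo.gl link actually lands.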

Beware: new IRS rules will lead to a wave of phishing frauds

Thanks to new legislation that went into place at the beginning of this year, I predict that a lot of unsuspecting small business owners are about to fall victim to a fresh scam.

The scam will relate to legislation around new tax reporting rules that will affect millions of freelancers and small businesses. As explained in an earlier column, beginning for the 2022 tax year, if you receive more than $600 in total payments during the course of the year from a payment service like PayPal, Venmo (which is owned by PayPal), Square, Stripe or online sales of your products made through Amazon, Etsy and other marketplaces – regardless of how many customers are paying – that payment service is required to report that amount to the IRS and to you by sending a Form 1099-K – used for reporting payments via these third parties – in early 2023.

Full story: https://www.theguardian.com/money/2022/feb/27/beware-phising-fraud-new-irs-rules-online-payment-service-receipts