July 22, 2022

Gone Phishin' volume 2: late July 2022


Welcome once again to Gone Phishing, the biweekly roundup of the news you can use about the biggest phishing, malware, and cybercriminal activity of the last couple of weeks. As you may have noticed by the delightful picture of Edward R. Murrow here next to the text, we're working on keeping the tone and wording in these posts insightful while also being as readable as possible. That being said, let's get started! 📰

📉 Microsoft

One of the biggest stories of the last couple of weeks is probably going to be one of the biggest stories of the year. Tech giant Microsoft recently announced that a large-scale phishing campaign has been targeting over 10,000 organisations since September 2021 "by hijacking Office 365's authentication process even on accounts secured with multi-factor authentication (MFA)." According to a Microsoft spokesperson, "The attackers then used the stolen credentials and session cookies to access affected users' mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets." What this ultimately means is that hackers have been able to steal session cookies and bypass the MFA protections of Microsoft, which remains one of the heftiest cybersecurity outfits in the world. In layman's terms, hackers can now fake a successful multi-factor authenticated log-in designed by one of the world's top cybersecurity outfits.

Pretty scary stuff. But this doesn't mean it's the end of the world, or the end of Microsoft. Even though multi-factor authentication is still one of the safest things you can do to make sure people don't access your device, it's starting to look like even stronger forms of authentication — such as device and IP-based protections — will be necessary.

A similar attack happened back in June with gaming behemoth EA, where session cookies were stolen and used to gain access to sensitive files.

🏨 Marriott

Hotels. You probably know them. If you don't, they're like houses but temporary, and when you own enough of them you own a hotel chain. Marriott is one such example of a hotel chain, and they just so happen to be the most successful hotel chain in the entire world, with just shy of 8,000 hotels in their growing portfolio. But enough about that.

One of their hotels — the BWI Airport Marriott that serves Baltimore, MD (and is somewhat of a satellite airport for the Washington D.C. area) — had a data breach that lasted roughly 6 hours after an employee was tricked into giving their login details to someone posing as another Marriott employee. The hacker(s) were then able to get about 20GB of data, including customer credit card information, from the Marriott servers. Marriott is denying that the hack breached any further than the one hotel, but this is another classic example of our favorite acronym: DTOPWYLIBTAPB, or Don't Trust Other People With Your Login Info Because They Are Probably Bad.

Why the acronym joke? Because the hacking group has one themselves, and it sure is punny. According to, the hacking group goes by the name GNN... which stands for Group With No Name. Talking to, the group said that "We were acting like a RedHat organization and [Marriott] just stopped communicating with us," so they went public with the hack. This is the third Marriott data breach/leak since 2018, according to BleepingComputer.

🦆 Qak-Attack

Much like Sparks, mustache-tattoos-on-fingers, and updating your 'top 8' on MySpace, malware delivery system Qakbot goes all the way back to the mid-2000s. Initially a banking trojan before becoming "a modular information stealer capable of deploying next-stage payloads such as ransomware" (thanks HackerNews for that quote!), it has now changed again in order to sidestep today's protocols. Users should be aware that downloading any .LNK files may be risky, as Qakbot has been seen shifting towards those files to evade detection.

🔮 Ethereum

74,000 crypto-wallet holders were duped into giving up more than $8m USD by clicking on a malicious smart-contract, according to Decrypt. What the folks who fell for the phishing scam thought they were getting was 400 free UNI tokens, worth about $2,200... but what they actually got was a (and, yes, I'm paraphrasing here) authentication token allowing the hacker to do whatever they want with what was in their crypto-wallets.

What's perhaps most interesting about this is that it led many, including Changpeng Zhao, CEO of Binance, to initially assume that it was a security breach before quickly learning that it was an old-fashioned Web2 phishing attack. Here's a free and easy lesson: if it's too good to be true, it probably isn't true at all.

♾ Axie Infinity

According to new findings, the $540m hack this past March of Axie Infinity's Ronin Bridge all happened because an employee of Sky Mavis clicked on what they thought was a too-good-to-be-true job offer PDF on LinkedIn. Turns out that it wasn't a PDF at all... it was the work of a North Korean hacking collective called the Lazarus Group who have been behind some of the biggest crypto heists of the last couple of years. They're also the same folks who were behind the infamous WannaCry malware. Interestingly, this is a basic-as-a-boiled-potato phishing approach (the likes of which Hoxhunt can easily prevent!) that achieved a huge windfall for the Lazarus Group, who are known to operate with a bit more nuance than what was seen in this particular attack.

If you want an interesting read, the Lazarus Group Wikipedia page has a handy 'greatest hits' (if you can call them that) of cyber-espionage.

🔑 Here's what you can do...

Your best defence against cyber-crimes like these is arming your employees (and yourself!) with ways to prevent and report phishing and malware attacks, and the best way to do that is by using Hoxhunt. Give us a shout today. We'd love to hear from you.
