Phishing mails and websites could empty your bank account

Fake wire transfer request e-mails are now a growing trend

Symantec has recently observed a spam campaign built on fake wire transfer request e-mails, a tactic that is becoming a growing trend. The purpose of this type of email is very simple: to get the recipient to process a payment for non-existent goods or services by way of a wire or credit transfer. The scammers send an email to a target recipient, usually pretending to be the CEO or a senior executive of the recipient's organization. They typically aim the fake wire transfer emails at employees in the finance department, as those employees have the authority to action payment requests.

Another tactic the scammers use is registering domains very similar to the target domain: a look-alike that differs from the real domain by only a character or two, so that an email arrives at your genuine address from an address that looks almost identical to a colleague's. The reason is that when the recipient replies, the scammer is hoping they will not notice the slight difference in the domain and will assume the message is from a trusted sender.

During our analysis, we noticed that the scammers send the emails on the same day that they register the domains. This is likely in the hope that they can extract payment before the domain is reported and suspended.

Figure 1. Fake payment request supposedly from a senior executive

Many of the fake wire transfer emails (see Figure 1) carry a PDF attachment containing the credit transfer instructions.

Figure 2. PDF document containing credit transfer instructions

However, we have also seen examples of these scam emails being sent with no attachments and just one line of text (see Figure 3). This version of the scam requires the email recipient to reply to the message; the scammers will then forward on the payment details.

Figure 3. Fake payment request

We have also seen variants where the scammers spoof the “From” address to make it look as though the email is coming from a company executive, even though the true sender’s address is different. The “Reply-To” address, usually a webmail address, only becomes visible when the user clicks reply.

Figure 4. Email header with spoofed ‘From’ address and webmail ‘Reply-To’ address

If you receive a wire transfer request that seems out of the ordinary, always check that the sender is who they say they are. Ask yourself: is it normal procedure for your CEO to decide that you’re the best (or only) person to help in that situation?

Check the email headers, in particular the Received chain and any Reply-To address, to see where the email actually originated.

If you receive an email containing a thread you were supposedly part of earlier, check with the person who supposedly sent it. Reply to the sender, but take their email address from your company’s address book in your email client rather than from the message itself.

If you have any suspicions about an email requesting a wire transfer, investigate it further before proceeding with the request.
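The checks above can be automated at the mail gateway or in a triage script. The following Python script is an added example written for this page, not Symantec's code: it parses a message, flags a Reply-To domain that differs from the From domain, flags a sender domain within a couple of characters of one of your own domains, and reports the first hop in the Received chain when the message claims an internal sender. The two messages, the trusted domain example.com, the host names and the 203.0.113.5 address are all constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Both messages below are constructed for this example; they are not real
# samples from the campaign. The From claims the CEO at the trusted domain,
# the first hop is an outside webmail host, and Reply-To points elsewhere.
SAMPLE_SPOOFED = """\
Received: from mail.webmail.example.net (mail.webmail.example.net [203.0.113.5])
    by mx.example.com with ESMTP; Mon, 01 Sep 2014 09:12:05 +0000
From: "Jane Doe, CEO" <jane.doe@example.com>
Reply-To: jane.doe.ceo@webmail.example.net
To: accounts@example.com
Subject: Urgent wire transfer
Date: Mon, 01 Sep 2014 09:12:00 +0000

Please process the attached payment today. I am in meetings, reply here.
"""

# Look-alike sender: a digit 1 in place of the letter l in the domain.
SAMPLE_LOOKALIKE = """\
From: "Jane Doe" <jane.doe@examp1e.com>
To: accounts@example.com
Subject: RE: payment
Date: Mon, 01 Sep 2014 10:02:00 +0000

Are you able to action this today? Details to follow.
"""

TRUSTED_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains


def domain_of(header):
    """Lower-cased domain part of a From/Reply-To header value ('' if absent)."""
    _, addr = parseaddr(str(header) if header else "")
    return addr.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance; one or two edits is the usual look-alike budget."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _in_trusted(host, trusted):
    return any(host == t or host.endswith("." + t) for t in trusted)


def assess(raw, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])

    # 1. Spoofed From: replies would go to a different (here webmail) domain.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from From domain {from_dom}")

    # 2. Look-alike domain: close to, but not equal to, one of our own domains.
    if not _in_trusted(from_dom, trusted):
        for t in trusted:
            if 0 < edit_distance(from_dom, t) <= max_distance:
                findings.append(f"From domain {from_dom} looks like trusted domain {t}")

    # 3. Origin check: the last Received header is the first hop. A message
    #    claiming an internal sender should not enter from an outside host.
    received = msg.get_all("Received") or []
    if _in_trusted(from_dom, trusted) and received:
        m = re.match(r"from\s+(\S+)", str(received[-1]).strip())
        if m and not _in_trusted(m.group(1).lower(), trusted):
            findings.append(f"internal From but first hop is {m.group(1)}")
    return findings


if __name__ == "__main__":
    for name, raw in ("spoofed", SAMPLE_SPOOFED), ("look-alike", SAMPLE_LOOKALIKE):
        print(name, assess(raw) or ["no findings"])
```

The Received check is deliberately coarse: it only looks at the earliest hop, and an attacker who relays through a compromised internal mailbox will pass it, which is why the organisational check (is this how your CEO normally asks for payments?) still matters.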

Source: Deccan Chronicle.


Business Email Users Fail to Identify Phishing Scams

Via SpamFighter:

Security firm McAfee has warned that four-fifths of business email users are unable to identify phishing scams, leaving enterprises vulnerable to cyber crime.

According to the McAfee Labs Threats Report: August 2014, 79% of business users who took the McAfee Phishing Quiz failed to detect at least one scam containing malicious links or malware among the seven emails shown to them.

More alarming, the test seems to reveal that people in the Finance and HR departments of organizations, who hold some of the most sensitive corporate data, are the worst at identifying such scams.

Clicking a link in a phishing email can be disastrous for a business: it lets attackers install malware or redirect users to compromised websites, exposing the corporate network.

Researchers at McAfee observed that spoofed email addresses fooled respondents most effectively, and explained in the report that a UPS (United Parcel Service) phishing email using this tactic together with branding elements was particularly successful.

A statement published in the first week of September 2014 quoted Raj Samani, EMEA CTO of McAfee, as saying: “Our latest report highlights that phishing continues to pose significant security risks for consumers and businesses. Moreover, it is a matter of worry that due to lack of knowledge in identifying the phishing emails, we receive many such emails daily and it’s no longer enough to react to threats as and when they happen.”

A report published on 4 September 2014 quoted a comment on the quiz findings by Amichai Shulman, Chief Technology Officer of security firm Imperva: “End users should not be blamed for falling for phishing scams because of old-fashioned approach by McAfee to deal with security threat. It’s one thing to expect an employee to refrain from opening an apparent executable file enclosed in a slurred out-of-context email. It’s absolutely unreasonable to expect a normal person to inspect carefully each and every attached or downloaded file which looks like a PDF especially if the enclosed message is in context (eg an unpaid invoice or an unsolicited CV).”



The New Face of Social Engineering and Fraud

Via PC World:


You’ve probably heard by now that eBay is the latest victim of a massive data breach. The popular online auction site has asked users to reset their passwords as a precautionary measure, but the data that matters most is already compromised, and there is nothing you can do to “reset” it.

Details are still sketchy, which is more or less standard operating procedure for data breach incidents. What we know is that the breach occurred between February and early March, but was only recently discovered. eBay claims that email addresses, encrypted passwords, names, addresses, telephone numbers, and users’ birth dates were compromised.

Because the passwords were encrypted, there is no immediate risk, but it’s only a matter of time before attackers are able to recover them. (“Encrypted” is eBay’s own term; how long that protection holds depends on whether the passwords were hashed with a salted, deliberately slow algorithm or reversibly encrypted with a key the attackers may also have obtained.) It definitely makes sense for eBay users to change their passwords. It’s also worth reiterating standard password security practices: use a strong password, don’t reuse one across multiple sites or services, and change them periodically.

But your eBay password may be the least valuable piece of information from the data that was compromised.

“The fact that user email addresses and physical addresses were taken in the breach is more concerning,” says Dwayne Melancon, CTO of Tripwire. “Criminals could use that information to masquerade as eBay customers on other sites, or perhaps ‘social engineer’ their way to users’ other accounts. Unlike the passwords, the other user-specific information was not encrypted and therefore it can be easily reused by attackers.”

“Many sites can be easily tricked into resetting passwords–requiring a minimum of personal information to do so,” says Paul Lipman, CEO of iSheriff. “The non-encrypted personal data that was stolen from eBay could potentially enable users’ credentials to become compromised on a wide array of other sites through this kind of social engineering technique.”

The attackers can also use information like your phone number, email address, and mailing address for targeted phishing campaigns.

You can’t trust any emails or phone calls you receive. You can’t even trust snail mail. Any communication you receive should be treated with skepticism, and you should contact the company in question yourself to make sure it’s legitimate.

Lipman summed up on a somber note: “Unfortunately, we likely haven’t yet heard the end of this story.”


An Iranian Threat Inside Social Media

Via IsightPartners:


iSIGHT Partners believes Iranian threat actors are using more than a dozen fake personas on social networking sites (Facebook, Twitter, LinkedIn, Google+, YouTube, Blogger) in a coordinated, long-term cyber espionage campaign.  At least 2,000 people/targets are, or have been, caught in the snare and are connected to the false personas.

This campaign, working undetected since 2011, targets senior U.S. military and diplomatic personnel, congressional personnel, Washington D.C. area journalists, U.S. think tanks, defense contractors in the U.S. and Israel, and others who are vocal supporters of Israel, in order to covertly obtain log-in credentials to the victims’ email systems. Additional victims were targeted in the U.K., Saudi Arabia and Iraq.

The targeting, operational schedule, and infrastructure used in this campaign are consistent with Iranian origins.


The fake personas claim to work in journalism, government, and defense contracting.  These accounts are elaborate and have built credibility using, among other tactics, a fictitious journalism website, newsonair.org, that plagiarizes news content from legitimate media outlets.

These credible personas then connected, linked, followed, and “friended” target victims, giving them access to information on location, activities, and relationships from updates and other common content.

Accounts were then targeted with “spear-phishing” messages.  Links which appeared to be legitimate asked recipients to log-in to false pages, thus capturing credential information. It is not clear at this time how many credentials the attack has captured to date.

Additionally, this campaign is linked to malware. While the malware is not particularly sophisticated it includes capability that can be used for data exfiltration.


The discovery and investigation of the attack reveals three critical insights:

  1. Social media offers a powerful and covert pathway for targeting key government and industry leadership through a third-party platform potentially outside of existing security measures.
  2. Given targeting associated with this campaign, Iranian actors may have used accesses gained through this activity to support the development of weapon systems, provide insight into the disposition of the U.S. military or the U.S. alliance with Israel, or impart an advantage in negotiations between Iran and the U.S.  Furthermore, it is possible that any access or knowledge could be used as reconnaissance-for-attack in advance of disruptive or destructive activity.
  3. Adversaries such as these are increasingly adept at finding and exploiting opportunities to carry out cyber espionage, even when lacking sophisticated capability.  NEWSCASTER’s success is largely due to its patience, brazen nature, and innovative use of multiple social media platforms.


We are unable to say with complete visibility.  However, it is reasonable to assume that a vast amount of social content was compromised in addition to some number of log-in credentials that can be used to access additional systems and information.

As users often maintain the same credentials for multiple sites, it is impossible to determine the scope, scale, and duration of data loss.


Given the covert nature of cyber espionage, its impacts are often difficult to forecast or measure; however, in this instance, we expect any access obtained by the NEWSCASTER network will be ultimately exploited for intelligence value.

We infer, from our limited knowledge of NEWSCASTER targeting, that such intelligence could ultimately support the development of weapon systems, provide insight into the disposition of the U.S. military or the U.S. alliance with Israel, or impart an advantage in negotiations between Iran and the U.S., especially with regards to sanctions and proliferation issues.

It is also possible that the compromise of such high-ranking and influential people could be used to access the senior levels of as-of-yet unidentified organizations in the U.S., Israel, and elsewhere.  Furthermore, we surmise that access could be leveraged as reconnaissance-for-attack, supporting eventual disruptive or destructive attacks against targeted entities.  Though there is no evidence indicating the NEWSCASTER network was created to support such activity, previous incidents publicly attributed to Iran, such as Operation Ababil and the attacks on Saudi Aramco underscore this possibility.

The NEWSCASTER network appears to be primarily focused on targeting senior military and policymakers, firms associated with defense technology, and the U.S.-Israel lobby. However, we found victims in the financial and energy sectors, as well as elsewhere, and we recognize that we could only see a portion of the accounts connected to this network.  Organizations involved in critical infrastructure, or that hold information of strategic or tactical interest to a nation-state adversary, should be concerned about a threat such as this.


Though the timing of the social network attack may seem irregular at first, over multiple years the schedule behind the activity becomes apparent.  They maintained a regular schedule, including what appears to be a lengthy lunch break followed by the remainder of the work day.  These hours conform to work hours in Tehran.  Furthermore, the operators work half the day on Thursday and rarely work on Friday, the Iranian weekend.  Other clues, such as the targets on which the operators have chosen to focus and additional technical indicators, lead us to believe NEWSCASTER originates in Iran.
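The work-schedule reasoning above is something a threat-intelligence analyst can reproduce from timestamps. The Python below is an added example written for this page, not iSIGHT's tooling: it takes UTC activity timestamps, tries every half-hour UTC offset, and scores each by how well it produces an 08:00-18:00 working day with an empty Friday; it also builds the local hour and weekday profiles so the lunch gap and the Thursday half day become visible. The timestamps are synthetic (constructed to follow the pattern the report describes), the fixed +03:30 offset ignores Iranian daylight-saving rules, and the working window and weekly pattern are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumptions for this example: a fixed UTC+03:30 offset for Tehran (DST ignored),
# an 08:00-18:00 working window, and a Saturday-to-Wednesday working week with a
# half day on Thursday and Friday off, as the report describes.
TEHRAN_OFFSET = timedelta(hours=3, minutes=30)
WORK_HOURS = range(8, 18)
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def constructed_activity(days=28):
    """Synthetic UTC timestamps of persona activity, constructed for this
    example (not real campaign data), following the Tehran-style week above."""
    start = datetime(2014, 5, 3, tzinfo=timezone(TEHRAN_OFFSET))  # a Saturday
    events = []
    for d in range(days):
        day = start + timedelta(days=d)
        wd = day.weekday()                       # Mon=0 ... Thu=3, Fri=4
        if wd == 4:                              # Friday: nothing
            hours = []
        elif wd == 3:                            # Thursday: half day, then off
            hours = [8, 9, 10, 11]
        else:                                    # full day with a gap at 12 (lunch)
            hours = [8, 9, 10, 11, 13, 14, 15, 16, 17]
        for h in hours:
            events.append(day.replace(hour=h, minute=17).astimezone(timezone.utc))
    return events


def local_profiles(events_utc, offset):
    """Counters of activity by local hour and by local weekday for an offset."""
    tz = timezone(offset)
    local = [e.astimezone(tz) for e in events_utc]
    by_hour = Counter(e.hour for e in local)
    by_day = Counter(WEEKDAYS[e.weekday()] for e in local)
    return by_hour, by_day


def fit_score(events_utc, offset):
    """Share of events inside WORK_HOURS minus share on the local Friday:
    a crude 'does this offset explain a Tehran working week' score."""
    tz = timezone(offset)
    local = [e.astimezone(tz) for e in events_utc]
    in_hours = sum(e.hour in WORK_HOURS for e in local) / len(local)
    on_friday = sum(e.weekday() == 4 for e in local) / len(local)
    return in_hours - on_friday


def rank_offsets(events_utc):
    """Every half-hour offset from UTC-12 to UTC+14, best fit first."""
    cands = [timedelta(minutes=m) for m in range(-12 * 60, 14 * 60 + 1, 30)]
    return sorted(cands, key=lambda o: fit_score(events_utc, o), reverse=True)


if __name__ == "__main__":
    ev = constructed_activity()
    for off in rank_offsets(ev)[:3]:
        hours, days = local_profiles(ev, off)
        print(f"UTC{off.total_seconds() / 3600:+.1f}: score {fit_score(ev, off):.2f}, "
              f"quiet work hours {[h for h in WORK_HOURS if hours[h] == 0]}, "
              f"Thu={days['Thu']} Fri={days['Fri']} Sat={days['Sat']}")
```

Neighbouring offsets will tie on data this clean; on real activity the edges of the hour histogram (first and last action of the day) and the way the pattern shifts at daylight-saving transitions over a multi-year window are what separate, for example, +03:30 from +04:00, and the weekday profile is what separates an Iranian week from a Gulf state on a similar offset.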


Without seeing how the information stolen by the NEWSCASTER network is used, it is difficult to make a definitive assessment of their ultimate motivation.  However, the actors have intimated their interest in specific defense technology as well as military and diplomatic information by their targeting.  This type of targeting is inconsistent with cyber-criminal behavior.

It remains possible that the actors could selectively reveal information gained through this campaign to embarrass those who were targeted, or already have, but we have seen no evidence of this at this time.  Ultimately, we believe the sponsors of the activity are seeking information advantage over rival military forces, defense industries, diplomats, and others.


We have previously identified cyber espionage campaigns which originate from China using social network accounts to propagate, but never a campaign of such complexity working across so many platforms.  NEWSCASTER is unprecedented in complexity, scale, and longevity.


We are protective of sources and methods, but we can confirm that these actors did not go unnoticed by some targeted entities and they left significant evidence of their activity throughout the Internet.  As with many other threats, iSIGHT Partners combined malware analysis, open source research, and research from our global collection network to create our assessment of the NEWSCASTER network.


Newsonair.COM, a legitimate Indian news operation, is not the same as newsonair.ORG. We have no indication that newsonair.COM was in any way linked to the faux newsonair.ORG site that was part of this campaign.


We can’t be certain.  We have no information implicating the ultimate sponsor.  In the past we’ve seen cyber espionage operations carried out by government organizations, corporate intermediaries, and other third parties.


In addition to blocking known NEWSCASTER infrastructure, an enterprise can protect itself by taking steps to mitigate the human elements of the NEWSCASTER threat.  Though the actors took pains to create a complex social engineering capability, they made many mistakes and were detected by potential victims.  Personnel can learn from these mistakes to better recognize similar incidents.

NEWSCASTER was a brazen, complex, multi-year cyber-espionage campaign that used a low-tech approach to avoid traditional security defenses: exploiting social media and people, who are often the “weakest link” in the security chain.  This underscores the importance of cyber threat intelligence that enables enterprises to proactively tune defenses to combat a determined and persistent adversary utilizing constantly evolving tactics.


Don’t be worried, but do be vigilant.  As always, do not create trusted connections with unknown organizations and/or individuals.  Never provide login credentials to any site or person that contacts you (rather than you contacting it), use strong passwords and change them regularly.


The intelligence development and analysis was completed independently by iSIGHT Partners.

iSIGHT Partners did coordinate with the FBI to:

  • Brief government agencies and our commercial clients
  • Coordinate on the release of the report
  • Identify the relevance/possible impact of the threat to critical infrastructure entities and agencies



The Social Engineering Infographic

The outstanding team at Social-Engineer, Inc. has produced a new infographic highlighting social engineering techniques and responses. These are the same people who run the Social Engineering Capture the Flag event at Defcon (which immediately follows the Black Hat conference) every year. Check it out:





Digital Identities: I Have One For Sale

Via RSA:

The term digital identity is so fitting for who we really are online.  Think about the accounts you log in to on a regular basis, the activities you perform each day, the way you communicate with others…most of our lives are digital.  In a research study by Harris Polls (commissioned by RSA) on digital identities, the most popular online accounts for consumers are email, financial and banking, and entertainment/shopping.  And on average, they access these online accounts from two different digital devices.  But what does a digital identity really mean?

I like to think of myself as an average consumer/online user so let’s take a look at what I consider to be my digital identity – and perhaps make you think a little more about yours.

My financial identity.  My financial identity is the one I treasure most.  I mean seriously, if a hacker takes over my bank account and steals the money in it, I’d be lost.  While my bank would ultimately reimburse me for fraudulent transactions, that could take days or weeks.  How would I pay my bills, buy food or gas – and my daily iced coffee?  But your financial identity goes well beyond just your bank account or credit cards.  We attribute our financial identity just to those two areas because we use or access them almost every day.  However, what about your stock account, 401k, payroll information?  Or if you’re like me, you have a flexible spending or healthcare savings account you use to submit claims for childcare and medical expenses.  As you can see, your financial identity extends well beyond just your bank account.

My personal identity.  The two things I associate most with my personal identity are my personal email and social networking accounts.  I hardly use personal email much anymore, but for most things you sign up for, you have to submit an email address.  That’s probably the reason I maintain one as I can’t have my credit card statements or utility e-bills coming to my work email.  Then we share our personal lives and moments with friends and family on social networking sites such as Facebook and Twitter.   Most don’t realize the value these simple accounts hold to a criminal or hacker, but they do.  For example, many online service providers notify you via email of changes on your account so if a hacker had access to your email, they could go in and delete the notifications so you wouldn’t be suspicious.  Trust me, this happens all the time!

My entertainment/shopping identity.  I do a majority of my holiday shopping online. The deals are usually better and frankly, I just can’t stand the holiday crowds.  Then I have my kids who always seem to want the craziest or rarest things that you just can’t find in a regular store (One word to parents of little boys and you will understand: Minecraft).  I also book a lot of activities online, purchase tickets to shows, and plan my travel among other things.  So I probably have at least two dozen various entertainment/shopping online identities that I use or have used in the past (and that list keeps growing because of Groupon).

My online gaming identity.  Well, this one could have gone under my entertainment identity, but I decided to make it its own category as a reminder to myself that I need to get a life and stop playing Candy Crush Saga.  I’m on Level 270 – and there is no end in sight.  Yes, this is my “You need a life” alert.

My online dating identity.  Now this is the one for sale.  While identity theft is hardly a laughing matter, I will gladly let any data thief steal this one.  I never thought I could hate one of my own digital identities, but this one has got to go. Data thief steals online dating identity and handsome, emotionally available man steals my heart.  Oops, I think I fell into daydream mode for a brief moment there.

Back to reality now.  What made me ultimately realize the depth of my own digital identity occurred the other day when I went online to order my son’s pre-K pictures.  I had to create an account with a username and password, and it made me ask myself, “How many times have I ever done this in my life for an ‘account’ I will probably only ever use once?”  According to the Harris research, the average adult creates about two new online accounts every year, but I think it’s many more than that.  We just don’t realize it because many are “one-time use” accounts – like the one I had to create to order my son’s school pictures.  The problem is that we are likely using the same usernames, email address, and passwords that we use to log in to our everyday accounts like our online banking account.  The reality and the risk: most small merchants don’t have the same security in place to protect your personal information that Amazon does.  And with small merchants such a high value target for cybercrime, just one small breach could translate into your digital identity being compromised across multiple sites you access every day.

Be mindful every time you are asked to create an online account.  If it is one that will be used only once or rarely, give yourself a unique username and password.  And then just for general online hygiene, also make sure you change the passwords to your major online accounts on a regular basis (about every 90 days).
