Published on March 19th, 2021

A TrickBot warning. LockBit’s fail. Unclaimed domains. Tax season fraud.



At a glance.

  • TrickBot is back.
  • A welcome fail for LockBit.
  • The risk of unclaimed domains.
  • Tax season unpleasantness (we mean the fraud, not the taxes).

US government warns about Trickbot malware campaign.

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation have issued an advisory warning of a Trickbot campaign that uses phishing emails posing as traffic infringement notices. As Dark Reading explains, Trickbot is a Trojan that was initially designed to steal financial data from banking institutions, but has since evolved into multistage malware used to distribute other malware or to serve as an Emotet downloader. The advisory recommends “implementing the mitigation measures...which include blocking suspicious Internet Protocol addresses, using antivirus software, and providing social engineering and phishing training to employees.” We also received some comments from Saryu Nayyar, CEO of Gurucul:

“Malicious actors usually look for the easy route which leads to them using social engineering and phishing to target users. Their preferred hook for the last year was often Covid related, and recently tax related with tax season starting in the US, but the recent alert from the FBI and CISA is a reminder that threats will use whatever they think will work. In this case it is related to supposed traffic violations, and what driver wouldn't be concerned about a potential photo ticket?

“The attack relies on a series of technical steps to bypass the target's defenses, but at heart is still a social engineering attack. That makes user education the first line of defense. A solid security stack including security analytics can help stop the spread once a victim has taken the bait, but a well educated user base goes a long way to avoiding the threat in the first place.”

LockBit bug accidentally gives away the goods for free.

A bug in LockBit’s ransomware-as-a-service operation is allowing victims to decrypt their files for free, The Record reports. After an attack, LockBit victims are directed to a dark web payment portal for ransom negotiations. The portal also gives the victim access to a one-time free decryption mechanism to prove the decryption key works, a free sample of sorts. However, a cybercriminal who calls himself 3xp0rt discovered that, due to a glitch in the system, LockBit’s one-time decryption was actually allowing for an unlimited number of free decryptions. The LockBit portal is currently inactive, indicating they’re likely already working on a fix. 

Privacy risks of unclaimed domains.

KrebsOnSecurity details how Fiserv, a Fortune 500 financial tech firm providing banking technology solutions to thousands of financial institutions, accidentally shipped code referencing an unregistered domain name. Security researcher Abraham Vegh noticed an email from his bank directed recipients to send all replies to an email address with an unusual domain: defaultinstitution.com. Curious, he purchased the domain, and after receiving emails from several of Fiserv’s clients, Vegh determined that the domain was a default placeholder from boilerplate text meant to be swapped out for a real email address. Clearly some clients didn’t get the memo. Fiserv responded, “Upon being made aware of the situation we immediately conducted an analysis to locate and replace instances of the placeholder domain name. We have also notified the clients whose customers received these emails.” Vegh has graciously agreed to hand over control of the domain name to Fiserv.
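The remediation Fiserv describes, locating every instance of the placeholder domain in outgoing templates, is easy to automate as a release check. The script below is an added example, not Fiserv's or Krebs's code; the owned-domain allowlist, the template names and their text are constructed for illustration, and only defaultinstitution.com comes from the report.

```python
import re

# Domains the institution actually owns and sends mail from (constructed sample allowlist).
OWNED_DOMAINS = {"examplebank.com", "mail.examplebank.com"}

# Placeholder domain named in the KrebsOnSecurity report on the Fiserv templates.
KNOWN_PLACEHOLDERS = {"defaultinstitution.com"}

# Captures the domain part of any e-mail address embedded in template text.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def find_foreign_domains(template_text, owned=OWNED_DOMAINS, placeholders=KNOWN_PLACEHOLDERS):
    """Return {domain: reason} for every e-mail domain in the template the institution does not own."""
    findings = {}
    for match in EMAIL_RE.finditer(template_text):
        domain = match.group(1).lower().rstrip(".")
        if domain in owned:
            continue
        if domain in placeholders:
            findings[domain] = "known placeholder"
        else:
            # Anything else is either a vendor domain that must be vetted or a typo;
            # an unregistered one could be claimed by a stranger, as happened here.
            findings[domain] = "not in owned-domain allowlist"
    return findings


# Constructed sample templates: one already fixed, one still carrying the placeholder.
SAMPLE_TEMPLATES = {
    "statement_ready.txt": "Your statement is ready. Reply to support@examplebank.com.",
    "alert_generic.txt": "Do not reply. Questions: noreply@defaultinstitution.com, help@vendor-portal.net",
}


def lint_templates(templates):
    """Map template name -> findings, listing only templates that have problems."""
    return {name: f for name, text in templates.items() if (f := find_foreign_domains(text))}


if __name__ == "__main__":
    for name, findings in lint_templates(SAMPLE_TEMPLATES).items():
        for domain, reason in findings.items():
            print(f"{name}: {domain} ({reason})")
```

Run against the real template directory, a non-empty result should fail the build, since a reply-to address pointing at a domain nobody in the organisation controls is exactly the condition that let a third party receive customer mail.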

We heard from Reesha Dedhia, security evangelist at PerimeterX, who reminds developers not to let the pressure to deliver overshadow the requirement to preserve customers' privacy:

“Financial institutions are responsible for protecting their customers’ personally identifiable information (PII). Oftentimes, web application and software developers make mistakes as they hasten to keep pace with evolving business needs and to innovate faster. One area where we see this a lot is when web application developers heavily rely on open source libraries and third-party scripts. These libraries and third-party scripts in turn call other scripts, creating a digital supply chain of fourth-, fifth- and Nth-party scripts powering web applications and websites. Industry estimates show that up to 70% of the scripts running on a typical website are third-party, and only 8% of organizations have full insight into this code. This creates an opportunity for malicious Shadow Code to enter the application.

"Shadow Code is any code introduced into an application without formal approval or security validation. It is the application development equivalent of Shadow IT. It introduces unknown risks into the application and makes it difficult for the business to ensure data security and privacy, and to comply with regulations. These attacks on third-party code are hard to spot because they happen on the client-side, but a successful attack can result in stolen data and regulatory fines for non-compliance with GDPR and CCPA, as well as other SEC rules. 

"Financial institutions must continue to monitor the client side of their websites for suspicious activity such as communication with suspicious domains. They should use client-side application protection solutions to ensure malicious code is discovered and removed before it leads to compliance penalties and brand damage.”

Nothing is certain but death, taxes, and identity theft.

The US tax filing deadline is just weeks away, and with the necessary exchange of sensitive documents containing identifying info, tax season means a surge in identity theft. The Internal Revenue Service reported over $2.3 billion in tax fraud operations in 2020 alone. Case in point: cybersecurity company Cybereason has discovered a malware campaign targeting US taxpayers in which the victim receives a tax-themed email containing malicious documents that, when opened, deliver NetWire and Remcos, remote access trojans that allow the attackers to take over the target’s machine. As PRWeb explains, the operation evades antivirus detection by employing a technique called steganography, hiding the malicious code within a JPEG image file.

Besides being wary of suspicious emails like the one described above, PropertyCasualty360 offers tips for keeping your tax data secure from identity theft. This year is expected to be especially treacherous, as the dramatic surge in unemployment claims due to the pandemic means increased opportunity for unemployment claim fraud. Many individual victims won’t even realize they’ve been hit until they begin to process their taxes and discover that someone else has been using their credentials. Keep an eye out for unusual credit card charges, missing bills, and any signs of mail tampering, and be sure to use a secure, fully updated network when filing tax returns online. 

Dark Reading focuses on the risks to businesses during tax season. Chief security scientist at Thycotic Joseph Carson explains, "If you have a large target list at a company and many of the victims are unable to tell the difference between a scam and authentic notices, then even if a small number of people fall for such a scam, it's still extremely profitable for the cybercriminals." Thus, a key first step is keeping employees informed. Educate staff about phishing campaigns and business email compromise, and limit the number of employees who are authorized to handle sensitive tax data. Make sure employees know how the organization will be delivering tax documents, and consider using a secure corporate portal that requires authentication. 

We heard from several industry sources about staying secure during tax season. Lamar Bailey, senior director of security research at Tripwire, reminds all that phishbait follows the news, because current events are shiny enough to induce victims to bite:

“Attackers use stories in the news to influence targets to click links in phishing attacks. 2020 was the year of COVID and attackers took full advantage by crafting phishing attacks based around the epidemic. They were able to play off the ever changing story to promote cures, treatments, and case numbers to get targets to click malicious links. The trend continues into 2021 by using COVID vaccines as the top story to promote the malicious links. This time of year in the US using phishing emails that appear to originate from the IRS is a very effective way to spread malware.”

In response to a recent Cybereason report that identified an ongoing phishing campaign targeting US taxpayers with NetWire and Remcos malware, an expert at cybersecurity firm KnowBe4 offers perspective.

James McQuiggan, Security Awareness Advocate at KnowBe4, makes two points worth remembering: first, this is a good time to avoid mingling personal information with your work accounts, and second, the IRS isn't going to email you and ask you to open a document or follow a link:

"With the tax season currently active and now being extended to May, this provides more opportunities for cybercriminals to launch phishing and malware attacks against users. By using attachments and cleverly worded emails, they rely on people's fear, curiosity or greed as the trigger to click on links in the emails, open attachments and unknowingly launch the Remote Access Trojan or RAT onto their systems.

"Users want to ensure that they do not open any IRS or tax information on their work email accounts because they should be using their personal email accounts instead. 

"If they do receive an email, it is essential to take a moment and question if this email was expected and to verify the source. Suppose it is the IRS or another government agency. In that case, one can easily visit their website through a quick online search to determine if they are sending out these types of requests, alerts or other alarming information.

"The IRS will not contact people to verify their tax returns by sending them an email and asking them to open it for review."

Gurucul's Saryu Nayyar points out that criminals know the human attack surface:

“Malicious actors know that users are the weak link in the security chain. They know that a timely and relevant hook can be all it takes to get a victim to reveal their credentials or download a malicious application. For much of the last year, they used Covid 19 as the hook. Now that it's tax season in the US, they're shifting to tax related hooks.

"The technical methods attackers have adopted to bypass anti-virus and anti-malware applications are evolving, but it still comes back to the human element, which means user education remains the first line of defense against malicious actors. A complete security stack can help, but well trained users are less likely to become victims.”

Brad Keller, Shared Assessments' Chief Strategy Officer, gives the obvious, Willie Suttonesque but worth-stating, reason why criminals continue to phish during tax season. It works:

“Phishing continues to be a major threat because it remains a very successful method for obtaining credentials and other information directly from a user’s system. Having run the anti-phishing programs at two major US financial institutions I understand how difficult it is to create meaningful employee awareness and training to identify phishing emails. Taking those awareness programs to customers is an even more daunting task.

“While most major companies have initiated robust anti-phishing programs, smaller companies do not have the resources to develop and maintain these initiatives, making them ideal targets for phishing campaigns. Most individuals are unaware of phishing methods and are not able to identify them, unless they work for a company that provides robust anti-phishing training.”

And, finally, SCYTHE's CTO Jorge Orchilles has some thoughts for businesses during tax season:

“We have invested heavily in preventing malware from running in our environments and that is clearly not working as advertised. Organizations need to operate in “assumed breach mode”, where they know they will eventually be compromised. How they detect and respond to the inevitable is what is differentiating victims. We need to work together to improve people, process, and technology.

“All users must remain cautious and vigilant to all types of scams, from emails to text messages and phone calls. Scammers will use any current event to take advantage of the most vulnerable to make a quick profit. It is unfortunate but that is the online world we live in today.”
