THINK BEFORE YOU CLICK


AS ALWAYS THINK BEFORE YOU CLICK

Thursday, January 31, 2019

Bogus Docusign Email

From a security blog I follow:
A friend was sent this email and he forwarded it to me. It's a brilliant new social engineering phishing scam. It will sail through all your spam / malware filters and email protection devices, because it's entirely legit by using the Docusign infrastructure. Prime example of an info grabbing phish that does not use a malicious payload.


Clicking on the yellow "Review Document" button gets you to—again an entirely legit—Docusign page, which requires you to fill out the form as per the normal process. I broke it up in two parts. The top half is more or less normal for a loan application. But wait, the second half really takes the cake.

Continuing to fill out the form allows the bad guy to completely steal the identity of the victim—and the company identity—especially if they are gullible enough to add the "past three most recent bank statements". Circled.

If someone in accounting would fall for this attack, the damage could be extensive to a point of bankruptcy for a small business that gets hit hard with the potential repercussions.

Tuesday, January 22, 2019

Q4 2018 Top-Clicked Phishing Email Subjects

Trends That Persisted Throughout 2018
In reviewing the Q4 2018 most clicked subject lines, trends were easily identified; five subject line categories appeared quarter-over-quarter throughout 2018, including:

  • Deliveries
  • Passwords
  • Company Policies
  • Vacation

Top 10 Most-Clicked General Email Subjects in Q4 2018:

  • Password Check Required Immediately/Change of Password Required Immediately 19%
  • Your Order with Amazon.com/Your Amazon Order Receipt 16%
  • Announcement: Change in Holiday Schedule 11%
  • Happy Holidays! Have a drink on us. 10%
  • Problem with the Bank Account 8%
  • De-activation of [[email]] in Process 8%
  • Wire Department 8%
  • Revised Vacation & Sick Time Policy 7%
  • Last reminder: please respond immediately 6%
  • UPS Label Delivery 1ZBE312TNY00015011 6%

As you get time, please look over this graphic carefully as it shows what to look out for in phishing emails.


Phishing lures imitate applications, social media, private cloud storage and shipping companies.

DocuSign, Office365 and OneDrive have remained consistently popular lures throughout 2018 (screenshot below).

Most lures imitated applications (Adobe, DocuSign and Office 365), social media
(Facebook), cloud storage (Dropbox, OneDrive and Google), and shipping companies (FedEx). The greatest success rate results from the generic invoice lure. Rather than phishing for credentials, this email attack attaches a malicious document disguised as an invoice.



Wednesday, January 16, 2019

KnowBe4 Offers No-Cost Children’s Interactive Cybersecurity Activity Kit

With this activity kit, parents, teachers and other guardians have some concrete tools to help teach their children about online safety and security in a fun and engaging way. 

https://www.knowbe4.com/cybersecurity-activity-kit

Increase in Office 365 Attacks and Data Breaches Should Be Expected as We Approach the 2019 Tax Season


Experts warn of an uptick in phishing attacks against businesses leveraging Office 365 as the tax season begins, tensions run high, and opportunities to trick off-guard users will be plentiful.

Cybercriminals want two things to exist when they attack: First, they want a gullible victim who will fall for a scam email. Second, they want either an immediate payoff, or a quick way to gain access to data that will turn into money quickly.

So, the combination of Office 365 users and tax season creates a volatile and dangerous mix for businesses. Phishing scams related to taxes not being filed, unexpected refunds, changes to banking details, or huge tax bills are sufficient to get unsuspecting users to click on malicious links or attachments. And Office 365 can be the vehicle by which cybercriminals gain further access to endpoints, servers, applications, and data within the corporate network.

According to global data recovery firm Proven Data, during the 2018 tax season there was a significant rise in phishing attacks in which emails disguised as tax-related alerts were sent to trick users into giving up their passwords.

BBB Warns Online Retailers Using Bogus IL Addresses

The Better Business Bureaus serving Central Illinois and Chicago and Northern Illinois are warning consumers about a variety of online retailers using addresses and disconnected phone numbers from Champaign-Urbana, Naperville, Las Vegas, L.A., Nashville, Tennessee, and West Chester Township, Ohio.
Consumers allege the online sites do not deliver purchased merchandise, or deliver shoddy goods that do not resemble what was advertised.
The BBB opened an investigation into the operation in November 2018. With the help of the Better Business Bureaus serving Southern Nevada, Middle Tennessee and Southern Kentucky, the investigation discovered at least 35 shops involved in this operation and another 16 that are inactive as of 12/31/2018. The BBBs linked the businesses via shared addresses, phone numbers, email addresses, and connections on social media platforms.
These online retailers advertise discounted merchandise, including hunting and tactical gear, tapestries, watches, vehicle accessories, and athletic wear, among other products. In addition, the companies advertise that a portion of their sales go to charity. BBB of Central Illinois requested substantiation for such claims, but its inquiries went unanswered.
The shops offer a 30-day refund policy for regularly priced items but only advertise discounted merchandise. However, the businesses’ refund policies state that discounted merchandise is not eligible for a refund. Some consumers allege they received their merchandise after 30 days, making the order ineligible for return.
As of January 14, 2019, BBB locations in Illinois, Tennessee and Nevada have received 87 total complaints against these online businesses. In addition to the 87 closed complaints, another 56 complaints are pending.
The BBB has received complaints about Hunteroo, Tactical Deer, Berzerk Athletics, Tapestry King, Urban Mob, Epic Tapestry, Buff Eagle, Vehicle King and Dixon Leather.
The online shops are using 18 addresses across Illinois, Tennessee, Ohio, California and Nevada. Many of the addresses are residential, according to Google Maps.

Monday, January 14, 2019

Email Red Flags


Security Posters




Email Security

I was made aware of this bogus email Brian Faulkner received in his Inbox this morning. Brian did not open it and called me about it.

Normally I would blur out the names, but I decided to leave the sender visible as a learning example.

Tony Benetti from Arrow Glass was a subcontractor on a project recently completed by Brian. However, Brian was not expecting it and thought the subject line looked suspicious.

Subject: Sent from Tony Benetti – no reference to the project name, no reference to what the attachments were for.

I’m having Brian reach out to Tony to let him know about this email that came from his address.

{ Screenshot of email sent to Brian }