Cybersecurity First – It’s Everyone’s Job!

By Tonia Dudley

Cybersecurity goes beyond October

While we celebrate and bring attention to cybersecurity for the month of October, cybersecurity should always be top of mind. Now that you’ve gotten your team’s attention and have the ability to host events, find ways to host them monthly throughout the year. Reach out to department heads to speak at their monthly or quarterly all-hands meetings and adapt the topics to address their specific risks. For instance, your finance team is high on the list of top phishing targets. Work with your security operations team to get copies of real emails relevant to their department.

Start the cybersecurity journey early with your employees or teammates. Work with your human resources team to get involved in the onboarding process. Adapt your phishing simulation program to send new hires their first campaign within the first 30 to 60 days of joining the organization.

When it comes to adding new technology or updating your business processes, find ways to incorporate security from the beginning. Work with your infosec teams to include a security engineer or security architect who can help ensure that security is built in upfront, protecting your organization from potential vulnerabilities or a data breach. Making even small system configuration changes can go a long way to reduce the risk of a security incident.

As we saw earlier this year, the White House published the Executive Order on Improving the Nation’s Cybersecurity. One of the sections of this EO is focused on “Enhancing Software Supply Chain Security.” As we continue to learn more about the SolarWinds breach and the extended impacts this has on many organizations, it’s not surprising to see this focus being given to software security. If your organization hasn’t yet adopted a Secure Software Development Lifecycle that embeds security into the build process, it’s a great time to start. A great place to start with your software development team is the OWASP Top 10.

Taking the Message Home

By now you’ve had plenty of content to help build out your robust security awareness program. Don’t forget that your employees care more about how their behaviors will impact their personal life. Many program managers have adapted their program to provide content that employees can “take home” to share with their friends and family. With the swift move to remote work last year, this has become even more valuable.

Several years ago, when I redesigned the monthly Security Awareness Newsletter, I found many reaching out to ask if they could “share this content with their family.” Since the content was typically written to address specific risks and behaviors in the workplace, it wasn’t really something they could easily “take home.” That’s where the content from Stay Safe Online really became useful. It’s free. It’s publicly available. And there’s a vast library of topics you can leverage. So, if the monthly newsletter topic was passwords or patching, you can add a section for “Security @ Home” and link to a specific resource.

Many security awareness programs have incorporated tips for @ Home with the goal of linking overall behaviors between home (something individuals care about) and work. By providing these tips to friends and family, there’s hope that we can ingrain some of these positive behaviors in the younger generation. With the early adoption of technology devices, as well as online presence, it’s even more critical that we start these good cyber-hygiene behaviors when we introduce these technologies to our children.

Throughout this month, we’ve provided several resources to help you get started building or advancing your security awareness and phishing awareness program. Be sure to check out our previous blogs or replay any from our webinar series. We had several great discussions with customers that provided many great tips for you to add to your program.

Resources to Build Your Program or Send Home with Employees

https://cofense.com/awareness-resources/

https://staysafeonline.org/resources-library/

https://www.cisa.gov/cyber-essentials

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

“Missed Voice Message,” the Latest Phishing Lure

By Adam Martin, Cofense Phishing Defense Center

Recently, the Phishing Defense Center (PDC) has observed a trend in a phishing tactic involving missed voicemail messages. As illustrated below in Figure 1, the end user is notified about a missed voice message from a British Telecom landline. The link directs the recipient to a website that isn’t in any way associated with BT or any other legitimate telecom service.

Figure 1: Initial Email

Once this malicious link is accessed, the recipient is directed to the landing page seen in figure 2. This page purports to be the BT sign-in page, spoofing the BT logo and reminding the recipient of their missed messages. One minor detail worth noting is that the number of voice messages pending has changed from one to three. This is likely due to the same mass phishing mail being sent out with the parameter of one voice message, and the pre-set HTML code in the phishing page being set to three. A slight oversight on the part of the threat actor, but the page remains convincing, nevertheless.

Once the recipient has entered their details, this information is exfiltrated to an external private address. As the URL bar in Figure 2 shows, the corresponding URL is plainly not that of the BT sign-in page.

Figure 2: Landing Page

As with many phishing landing pages, regardless of the details entered, the page will redirect back to the targeted company’s home page. This campaign is no different. Once credentials are entered and data stolen, the recipient is directed straight to the official BT help page. This is done to boost perceptions of “legitimacy.”

Figure 3: BT Homepage

Figure 4: Landing Page as it stands
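
The redirect described above leaves a recognisable sequence in web proxy logs: a POST to a host unrelated to the brand, followed seconds later by a GET to the brand's real site from the same client. The following Python detection is an added example, not Cofense's code; the log format, the hostnames, the `bt.com` allowlist and the 30-second window are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumption: domains accepted as genuinely belonging to the impersonated brand.
BRAND_DOMAINS = {"bt.com"}
WINDOW = timedelta(seconds=30)  # assumed max gap between POST and redirect

# Constructed proxy log lines: timestamp, client IP, method, URL.
SAMPLE_LOG = """\
2021-10-28T09:14:02 10.0.4.17 GET http://voicemail-portal.example/signin
2021-10-28T09:14:41 10.0.4.17 POST http://voicemail-portal.example/signin
2021-10-28T09:14:43 10.0.4.17 GET https://www.bt.com/help
2021-10-28T09:20:10 10.0.4.22 POST https://www.bt.com/login
2021-10-28T09:20:12 10.0.4.22 GET https://www.bt.com/help
2021-10-28T09:31:05 10.0.4.30 POST http://intranet.example/timesheet
2021-10-28T09:45:00 10.0.4.30 GET https://www.bt.com/help
"""

def is_brand_host(host):
    """True only for the brand domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def parse(log_text):
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, client, method, url = parts
        yield datetime.fromisoformat(ts), client, method.upper(), urlsplit(url).hostname

def find_post_then_brand_redirect(log_text):
    """Return (client, posting_host, brand_host) for each POST to a non-brand
    host followed within WINDOW by a GET to a brand host from the same client."""
    last_post = {}  # client -> (timestamp, host) of latest non-brand POST
    hits = []
    for ts, client, method, host in parse(log_text):
        if method == "POST" and not is_brand_host(host):
            last_post[client] = (ts, host)
        elif method == "GET" and is_brand_host(host) and client in last_post:
            post_ts, post_host = last_post.pop(client)
            if ts - post_ts <= WINDOW:
                hits.append((client, post_host, host))
    return hits

if __name__ == "__main__":
    for hit in find_post_then_brand_redirect(SAMPLE_LOG):
        print("possible credential submission:", hit)
```

A hit is a lead for triage rather than proof: the posting host still has to be checked against known-good services, and the affected user's credentials reset if the submission is confirmed.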

The fact that missed voice messages continue to be a trend as a phishing tactic leads to one conclusion: a high success rate. The landing page or provider will change depending on the targeted region, but one thing remains certain: the tactic will continue in tandem with threat actor success.

Cofense is here to help with our analysts and technology to enable users to quickly identify validated or newly observed threats. We have the necessary products to help your SOC team isolate threats to reduce risk and further leverage the IOCs to mitigate a potential incident. Contact us to learn more.

Indicators of Compromise

http://n5vxdrhwohgzy3gzy3gjft2xruwhe7zmquok80.Irxi.com

144.76.162[.]245