August 2020’s Cyber Net: A Recap of the Month’s Phishing Scams

In our latest round-up of phishing scams, we look at how criminal hackers infiltrated Twitter and sent tweets from dozens of compromised accounts.

We also explain how fraudsters impersonated Google Cloud Platform in a PDF download scam, and issue a warning to anyone who has recently received an email supposedly from Microsoft about an update to its terms of use.

Celebrity Twitter accounts compromised in spear phishing attack

You’re probably aware of the damage that phishing scams can cause, but last month’s Twitter attack proved to be a landmark in that it reached the consciousness of people who wouldn’t ordinarily follow cyber security news.

The news broke on 15 July that several high-profile figures had had their Twitter accounts hacked in a Bitcoin scam.

The likes of Bill Gates and Elon Musk supposedly claimed that anyone who transferred money to a linked Bitcoin account would double their investment.

In total, 130 accounts were compromised, and 45 of them sent erroneous tweets, including those of Kanye West, Kim Kardashian West, Barack Obama, Mike Bloomberg and current US Democratic presidential nominee Joe Biden.

Apple’s official Twitter account endorsed Bitcoin with this message:

Most Twitter users immediately suspected that something was amiss, although not everyone was so discerning – the scammers tricked 399 people into handing over more than £116,000 in Bitcoin.

As the scam became headline news, the number of people being fooled dwindled and attention turned to how the attack took place.

Twitter initially described the incident as a “coordinated social engineering attack” against employees with access to its internal tools.

It later clarified that it was a spear phishing attack conducted over the phone (also known as ‘vishing’).

“A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools,” it explained.

“Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes.”

Vishing attacks are rare, because they take much more time than email scams, which can be sent in bulk. Even phishing attacks tailored to specific people are easier to execute, because they rely on the same basic tools: setting up a bogus email address and creating a mock-up of the impersonated organisation’s email template.

Phone scams, by contrast, require scammers to con someone in conversation, which takes confidence, preparation and the ability to improvise.

However, it’s their rarity that makes them so dangerous. Employees are often warned about the threat of email scams, but they probably aren’t taught about phone scams – and if the scam is convincing enough, they may never suspect the fraudster’s true intention.

Fraudsters imitate Google Cloud Platform

Scams imitating Google are relatively common, but last month researchers discovered a new one that makes use of its Cloud Platform service.

Experts at Check Point found that fraudsters were offering legitimate PDF white papers uploaded to Google Drive. However, to receive the document, victims must log in with their Microsoft Office 365 account or work email.

After providing this information, victims are redirected to a genuine report published by a “renowned global consulting firm”.

Because the login page is hosted on Google Cloud Storage, and the PDF document is genuine and doesn’t contain malware, victims are unlikely to become suspicious.

“Hackers are swarming around the cloud storage services that we rely on and trust, making it much tougher to identify a phishing attack,” said Lotem Finkelsteen, Manager of Threat Intelligence at Check Point.

“Traditional red flags of a phishing attack, such as look-alike domains or websites without certificates, won’t help us much as we enter a potential cyber pandemic.

“Users of Google Cloud Platform, even AWS and Azure users, should all beware of this fast-growing trend and learn how to protect themselves. It starts by thinking twice about the files you receive from senders.”

Microsoft users warned about privacy policy update scam

Microsoft Office 365 customers have been warned of a phishing campaign that claims the organisation has updated its user policy.

Researchers at the Cofense Phishing Defense Center found that scammers are sending emails that ask recipients to accept a new Terms of Use and Privacy Policy, claiming that Microsoft’s services will be unavailable until they do so.

The email contains two buttons – ‘Accept’ and ‘Learn More’ – but both lead to a duplicate of Office 365’s login page, where users are asked to provide their email address and password.

This in itself makes for an unremarkable scam. Every month, there are dozens if not hundreds of phishing emails mimicking Microsoft, and in most cases they will ask users to hand over their login details.

However, the researchers noted that the scammers were using a Google Ad Services redirect, which suggests that they may have paid to ensure the linked URL went through an authorised source.

Doing this also helps the messages bypass secure email gateways, which are designed to detect phishing scams and direct them to users’ spam folders.

As such, this campaign will have reached a lot more people than usual, which will probably mean more victims.
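A link-triage check for the two evasion patterns in this round-up (a login page hosted on shared cloud storage, and a link wrapped in an ad-service redirect), as an added example that is not code from Check Point, Cofense or the original article. The host lists, the `adurl` parameter name and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed lists for illustration; tune them to your own mail flow.
SHARED_HOSTING = ("storage.googleapis.com", "drive.google.com")
REDIRECTORS = {"www.googleadservices.com": ("adurl",)}  # host -> params holding the destination
BRAND_DOMAINS = {"microsoft": ("microsoft.com", "office.com", "microsoftonline.com")}


def _host_in(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def unwrap(url, max_hops=3):
    """Peel redirector wrappers offline (no network); return the URL chain."""
    chain = [url]
    for _ in range(max_hops):
        parts = urlsplit(chain[-1])
        params = REDIRECTORS.get(parts.hostname or "")
        if not params:
            break
        query = parse_qs(parts.query)  # also percent-decodes the values
        target = next((query[p][0] for p in params if p in query), None)
        if not target:
            break
        chain.append(target)
    return chain


def triage(url, claimed_brand):
    """Findings for a link in a mail that claims to come from claimed_brand."""
    chain = unwrap(url)
    final_host = urlsplit(chain[-1]).hostname or ""
    findings = []
    if len(chain) > 1:
        # The gateway sees the wrapper's reputation, not the destination's.
        findings.append("redirector-wrapped")
    if _host_in(final_host, SHARED_HOSTING):
        # A trusted domain and valid certificate say nothing about the tenant.
        findings.append("shared-hosting")
    if not _host_in(final_host, BRAND_DOMAINS.get(claimed_brand, ())):
        findings.append("brand-mismatch")
    return findings


if __name__ == "__main__":
    wrapped = ("https://www.googleadservices.com/pagead/aclk?sa=L"
               "&adurl=https%3A%2F%2Flogin.example.net%2Foffice365")  # constructed
    print(unwrap(wrapped)[-1], triage(wrapped, "microsoft"))
```

The point for a gateway rule is to score the final destination rather than the first hop, and to treat a brand-themed login link that resolves to shared hosting as suspicious even though the hosting domain itself is reputable.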

Can you spot a scam?

Make sure your staff know how to identify and avoid scam emails with our Phishing Staff Awareness E-Learning Course.

This 45-minute course uses examples like the ones above to explain how phishing emails work, what to look out for and the steps you should take to avoid falling victim.
