Catches of the Month: Phishing Scams for February 2022

Welcome to our February 2022 review of phishing attacks, in which we explore the latest scams and the tactics that cyber criminals use to trick people into handing over their personal information.

This month, we look at a bogus online contest designed to capture your Facebook login details, the latest Microsoft scam and whether ‘passwordless’ security can mitigate the threat of scams.

Fraudsters are hijacking Facebook accounts via Messenger

Facebook Messenger users are being warned about a phishing campaign in which fraudsters impersonate your friends and hijack your account.

Victims receive a message from one of their contacts asking for help registering for an online contest.

According to the message, there is a huge cash prize for the winner, and to enter, they need to share the link with a friend, who will receive an authentication code to verify that they are real.

However, the code is actually part of Facebook’s password reset mechanism. If the victim shares the code, the fraudster can use it to change the victim’s password and take control of their account.

Unless you know the pretext, this is a tricky scam to spot because the message really is coming from someone you know. But how is the scammer able to do this?

The answer is that their message is just one part of a more sophisticated attack. It begins with one compromised account – which can be done using any traditional phishing method or via a brute-force attack.

The attacker then goes through the compromised user’s contacts, finding phone numbers or email addresses, which they can use to begin the login process before selecting the ‘forgot your password’ option.

This sends a one-time password to the victim’s account. The attacker then sends the victim a request for the code via Facebook Messenger, under the guise that it is part of the contest.

Because the attacker performs the same scam on countless people in the victim’s contact list, one compromised account can result in hundreds more being hijacked.

It’s a time-consuming operation, because one-time passwords have a short lifespan, which indicates that the attackers are monitoring the attacks in real time. Nonetheless, the nature of the campaign means that it can grow exponentially.

The scam was first spotted by Finland’s National Cyber Security Centre, which warns Facebook users to be wary of any impromptu request for information via Messenger.

“If the message sender is a friend, you can contact him, for example, by phone and ask if he is aware of this message. This information should not be disclosed to strangers,” the organisation advises.

Additionally, because the attacker will be performing the same scam on multiple people in the victim’s friend list, you may have mutual friends who have been targeted. If you receive a message that looks suspicious, you should ask friends whether they’ve received the same message.

Likewise, if you spot that your friend’s account has been hijacked, you should warn mutual friends to ensure that they don’t fall victim.

Microsoft users targeted by OAuth scam

Microsoft’s Security Intelligence team is warning Office 365 customers about a phishing scam that’s designed to trick them into granting access to their accounts.

Microsoft is the most phished company in the world, and attacks such as this are an almost ever-present threat.

However, what differentiates this scam from others like it is that it isn’t simply targeting victims’ passwords. It instead uses a malicious app dubbed ‘Upgrade’, and asks users to grant it OAuth permissions.

OAuth is an open standard for delegated authorisation: it lets a user grant a third-party app access to account information and data held by another service, without handing over their password.

In this case, the attackers use OAuth permissions to read and write emails and calendar items, create inbox rules and view the victims’ contacts.

In a tweet, Microsoft confirmed that it has deactivated the app in Azure AD, and has notified affected customers. But this isn’t necessarily the end of the matter.

Microsoft has acknowledged that consent-phishing emails that abuse OAuth are on the rise, and that such attacks are hard to prevent because they don’t rely on many of the techniques common to phishing.

“In most cases, consent phishing attacks do not involve password theft, as access tokens don’t require knowledge of the user’s password, yet attackers are still able to steal confidential data and other sensitive information,” Microsoft notes.

“Attackers can then maintain persistence in the target organization and perform reconnaissance to further compromise the network.”
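The practical defensive question raised by this campaign is how to spot a consent grant like the one ‘Upgrade’ obtained before it is abused. The script below is an added example, not code from Microsoft or from this article: it triages a small set of constructed consent-grant records (the record fields and the app names are assumptions made for the illustration, not Azure AD’s own audit schema) and flags grants that combine mailbox, calendar, inbox-rule or contact permissions with an unvetted app. The scope names are real Microsoft Graph delegated permissions; the allow-list is made up.

```python
"""Triage OAuth consent grants for risky delegated permissions (added example).

The log records below are constructed to resemble, in simplified form, the
consent events an identity audit log would contain. Field names, app names
and the approved-app list are assumptions for this illustration.
"""
import json

# Microsoft Graph delegated scopes that give an app the capabilities the
# 'Upgrade' campaign asked for: read/write mail and calendar items, manage
# inbox rules (mailbox settings) and read contacts.
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite", "Mail.Read", "Mail.Send",
    "Calendars.ReadWrite",
    "MailboxSettings.ReadWrite",   # inbox rules are managed under this scope
    "Contacts.Read", "Contacts.ReadWrite",
}
# offline_access yields a refresh token: access that outlives the session
# and needs no knowledge of the user's password.
PERSISTENCE_SCOPES = {"offline_access"}

# Apps the organisation has vetted (constructed allow-list, assumption).
APPROVED_APPS = {"Contoso Expense Tracker"}

# Constructed sample: three newline-delimited JSON consent events.
SAMPLE_LOG = """\
{"ts": "2022-02-03T09:14:02Z", "user": "alice@example.com", "app": "Upgrade", "publisher_verified": false, "scopes": ["Mail.ReadWrite", "Calendars.ReadWrite", "MailboxSettings.ReadWrite", "Contacts.Read", "offline_access"]}
{"ts": "2022-02-03T09:20:45Z", "user": "bob@example.com", "app": "Contoso Expense Tracker", "publisher_verified": true, "scopes": ["User.Read", "offline_access"]}
{"ts": "2022-02-03T10:02:11Z", "user": "carol@example.com", "app": "Weather Widget", "publisher_verified": false, "scopes": ["User.Read"]}
"""


def parse_consent_log(text):
    """Parse newline-delimited JSON consent events into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def score_grant(event):
    """Return (severity, reasons) for one consent event.

    severity is "high" when an unapproved app obtained mailbox/contact scopes,
    "medium" when something is off but no mailbox scopes were granted, and
    "low" otherwise.
    """
    reasons = []
    scopes = set(event.get("scopes", []))
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    approved = event.get("app") in APPROVED_APPS

    if risky:
        reasons.append("mailbox/contact access: " + ", ".join(risky))
    if risky and scopes & PERSISTENCE_SCOPES:
        reasons.append("offline_access alongside mailbox scopes: "
                       "access persists without the password")
    if not approved:
        reasons.append("app not on the approved list")
    if not event.get("publisher_verified", False):
        reasons.append("publisher not verified")

    if risky and not approved:
        severity = "high"
    elif reasons:
        severity = "medium"
    else:
        severity = "low"
    return severity, reasons


def triage(text):
    """Score every event in the log and return them worst first."""
    order = {"high": 0, "medium": 1, "low": 2}
    results = []
    for ev in parse_consent_log(text):
        severity, reasons = score_grant(ev)
        results.append({"user": ev["user"], "app": ev["app"],
                        "severity": severity, "reasons": reasons})
    results.sort(key=lambda r: order[r["severity"]])
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        detail = "; ".join(r["reasons"]) or "ok"
        print(f"[{r['severity'].upper():6}] {r['user']} -> {r['app']}: {detail}")
```

Run as written, the constructed ‘Upgrade’ grant is reported as high severity (mailbox scopes plus offline_access from an unapproved, unverified publisher), the unknown but harmless widget as medium, and the vetted expense app as low. The same shape of check, applied to a tenant’s real consent-grant audit data, is the defender’s counterpart to Microsoft’s point that these attacks never touch a password.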

Microsoft strikes back against scammers

In more positive Microsoft-based phishing news, the tech giant spoke last week about its successful attempts to identify and prevent online attacks.

In 2021, it blocked 25.6 billion Azure AD brute-force authentication attacks and intercepted 35.7 billion phishing emails.

The news demonstrates the effectiveness of the anti-malware software Microsoft Defender, which comes as standard with Windows devices. However, it’s worth remembering that no matter how robust these systems are, they will never be 100% effective.

Indeed, the success of online fraud is a numbers game. It costs almost nothing to send a phishing email, so attackers can launch hundreds of thousands, if not millions, of emails and it only takes one person to fall victim for their efforts to have been worth it.

It’s why Microsoft’s corporate vice president for security, compliance and identity, Vasu Jakkal, urges individuals to consider additional ways to secure their accounts beyond the use of passwords.

“For example, our research shows that across industries, only 22 percent of customers using Microsoft Azure Active Directory (Azure AD), Microsoft’s Cloud Identity Solution, have implemented strong identity authentication protection as of December 2021,” Jakkal said.

“MFA (multi-factor authentication) and passwordless solutions can go a long way in preventing a variety of threats and we’re committed to educating customers on solutions such as these to better protect themselves.”

The benefits of MFA are widely discussed, but ‘passwordless solutions’ will be a new concept to many. Microsoft has been rolling out the concept over the past year, giving users the option to replace passwords with biometric authentication, a hardware token or an email with a one-time password.

Many people are celebrating the move, given both the insecurity and inconvenience of passwords. However, not everyone is on board.

WatchGuard Technologies describes ‘passwordless solutions’ as “simply repeat[ing] the mistakes from history”.

It adds: “The only strong solution to digital identity validation is multi-factor authentication (MFA). In our opinion, Microsoft (and others) could have truly solved this problem by making MFA mandatory and easy in Windows.”

Can you spot a scam?

As we move into 2022, organisations should consider email security and phishing awareness as one of their biggest priorities.

All companies are vulnerable, no matter their size or the sector, so it’s essential to understand how you might be targeted and what you can do to prevent a breach.

You can help educate your staff with IT Governance’s Phishing Staff Awareness Training Programme.

This 45-minute course uses real-world examples like the ones we’ve discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.
