The Latest in Phishing: October 2016

To kick off National Cyber Security Awareness Month, we bring you the latest in phishing statistics and attacks from the wild.

Phishing Statistics and News:

• Yahoo has confirmed the theft of at least 500 million user accounts as the result of a data breach. The data was stolen in late 2014 by a “state-sponsored actor” and may include names, dates of birth, phone numbers, emails, hashed passwords, and other PII, potentially causing millions of individuals to become the victims of targeted phishing attacks.
• Facebook, Instagram and Twitter users have been exposed to a phishing vulnerability that is the result of a common html attribute that makes links open in new pages. The vulnerabilty was discovered by developer Ben Halpern, who has offered a simple fix to protect users. At the time of this post, Facebook and Twitter have yet to remedy the issue.
• Electronics maker Seagate is the defendant of a class-action lawsuit by its employees that accuses Seagate of “malpractice and a lack of regard for employees affected by the negligent handling of data” after falling for a phishing scam that exposed the sensitive data of its staff.
• The SNAP_R machine learning spear phishing Twitter bot was revealed at this year’s Black Hat USA security conference. The bot is capable of using the information contained in tweets to target individuals, and was reportedly successful in deceiving two out of three users of the platform.
• A second hacker has pleaded guilty in the “celebgate” scandal in which intimate photos of celebrities were stolen via a phishing scam. The hackers broke into more than 300 Apple iCloud and Gmail accounts, including those of Hollywood celebrities, eventually leaking them via the popular image site 4Chan.

Increase your security response team's efficiency with PhishAlarm Analyzer

Phishing Attacks:

• Oklahoma election officials have warned voters to watch out for phishing emails designed to look like they’re coming from the state or county election boards claiming their voter information has changed or need to be verified.
• Customers of National Australia Bank who access their accounts online found themselves the targets of a sophisticated phishing scheme in which they were sent fraudulent emails posing as the bank asking for additional verification in order to avoid their online accounts being suspended.
• Researchers at Proofpoint have identified a new angler phishing scam where attackers monitor the activity of PayPal’s actual Twitter feed and respond via fake PayPal tech support Twitter accounts that are tricking users into clicking on a malicious link embedded in the tweet. PayPal is working with Twitter to have the issue resolved.
• GoDaddy customers were the target of a phishing scam that falsely notified recipients that their email storage had reached capacity. A prompt to upgrade the user’s storage within 24 hours led to an unsecure http page, where their login credentials were stolen.
• A Netflix email scam that utilizes a fake iTunes bill fooled users into giving their credit card details to scammers, attempting to convince the email’s recipients that someone impersonating them gained access to their Apple account to subscribe to Netflix.
• United Services Automobile Association members have been hit with multiple phishing attacks asking recipients to click on links requesting PII to update their account info or notify them of a canceled transaction.
• More than 130 organizations were identified as victims of Operation Ghoul, a series of spear phishing attacks that targeted industrial, manufacturing, and engineering organizations in more than 30 countries.
• Two Utah counties were the victim of spear phishing attacks netting close to $100K, which prompted statewide warnings to public agencies.
• The record-breaking success of Ninantic’s Pokemon GO sparked a very clever phishing scam in which users received an email pretending to be from the game’s developer. The message demanded that players pay $12.99 for the full version in order to compensate for the “overwhelming response” and “the need for more powerful servers,” claiming the user’s account would be frozen within 24 hours if they did not take action.
• A phishing scam posing as a copyright notice for viewers who have pirated Game of Thrones episodes was targeting fans of the popular HBO series.
• Kaspersky Lab security experts uncovered a global Facebook phishing scam that had initially claimed a new victim every 20 seconds. According to Kaspersky, the attack gave hackers the ability to change privacy settings, steal data, and spread the infection through the victim’s Facebook friends.
• A sophisticated phishing scam mimicking Australian telco Telstra has been collecting customer account login and banking details. Recipients were told their bills had been paid twice by mistake via a fake message signed by Telstra executive Gerd Shenkel, and they were prompted to log in to get their money back, leading to an almost identical ‘My Account’ page.
• Emails delivering malware were discovered in the wake of the Brexit vote, capitalizing on recipients’ fears by promising to protect bank accounts and creating a sense of urgency.