Phishing targeting SaaS and webmail services increased to 36% of all phishing attacks


Originally seen: Helpnetsecurity on May 20th, 2019

Users of Software-as-a-Service (SaaS) and webmail services are being targeted with increasing frequency, according to the APWG Q1 2019 Phishing Activity Trends Report.

SaaS webmail phishing increased

The category became the biggest target in Q1, accounting for 36 percent of all phishing attacks, for the first time eclipsing the payment-services category which suffered 27 percent of attacks recorded in the quarter.

Online SaaS applications have become fundamental business tools, since they are convenient to use and cost-effective. SaaS services include sales management, customer relationship management (CRM), human resource, billing and other office applications and collaboration tools.

“Phishers are interested in stealing logins to SaaS sites because they yield financial data and also personnel data, which can be leveraged for spear-phishing,” said Greg Aaron, APWG Senior Research Fellow.

Stefanie Ellis, AntiFraud Product & Marketing Manager at MarkMonitor said: “The total number of confirmed phishing sites increased in early 2019, with the biggest jump in March.”

The total number of phishing sites detected in 1Q of 2019 was 180,768. That was up notably from the 138,328 seen in the fourth quarter of 2018, and from the 151,014 seen in the third quarter of 2018.

Payment Services and Financial Institution phishing continued to suffer a high number of phishing attacks. But attacks against cloud storage and file hosting sites continued to drop, decreasing from 11.3 percent of all attacks in the first quarter of 2018 to just 2 percent in the first quarter of 2019.

Meanwhile, cybercriminals deployed HTTPS-protected phishing websites in record numbers, according to PhishLabs, posting a record high of nearly 60 percent of detected phishing websites in 1Q 2019 employing this data encryption protocol.

Phishers turn this security utility against users, leveraging the HTTPS protocol’s padlock icon that appears in the browser address bar to assure users that the website itself is trustworthy, when in fact it only attests that the connection to that hostname is encrypted.


“In Q1 2019, 58 percent of phishing sites were using SSL certificates, a significant increase from the prior quarter where 46 percent were using certificates,” said John LaCour, CTO of PhishLabs.

“There are two reasons we see more. Attackers can easily create free DV (Domain Validated) certificates, and more web sites are using SSL in general. More web sites are using SSL because browsers warn users when SSL is not used. And most phishing is hosted on hacked, legitimate sites.”
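The practical consequence of the PhishLabs figures above is that the padlock must carry no weight in a trust decision: a free DV certificate on a hacked legitimate site looks identical in the address bar to the real service. The following is an added example, not code from the article, APWG or PhishLabs, of a URL assessment that deliberately ignores the scheme and instead asks two questions a defender actually cares about: is the registrable domain on an allowlist for the brand, and does a brand name appear in a hostname label or path that the brand does not control (the subdomain and hacked-site patterns the quote describes)? The suffix list, brand allowlist and sample URLs are all constructed stand-ins; real tooling would use the Public Suffix List and the organisation’s own allowlist.

```python
"""URL trust assessment that ignores the HTTPS padlock.

Added example (not from the article). The lists below are constructed
stand-ins: PUBLIC_SUFFIXES replaces the real Public Suffix List and
BRAND_ALLOWLIST replaces an organisation's maintained allowlist.
"""
from urllib.parse import urlsplit

# Constructed: brands we protect and the registrable domains that legitimately serve them.
BRAND_ALLOWLIST = {
    "microsoft": {"microsoft.com", "live.com", "office.com"},
    "dropbox": {"dropbox.com"},
}

# Constructed: a tiny stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = ("co.uk", "com", "net", "org", "uk")

ALLOWED_DOMAINS = set().union(*BRAND_ALLOWLIST.values())


def registrable_domain(host):
    """Return the registrable domain (the label directly left of the public suffix).

    Longest suffix wins so that 'co.uk' is matched before 'uk'.
    """
    host = host.lower().rstrip(".")
    for suffix in sorted(PUBLIC_SUFFIXES, key=len, reverse=True):
        if host.endswith("." + suffix):
            labels = host[: -len(suffix) - 1].split(".")
            return labels[-1] + "." + suffix
    return host  # no known suffix: treat the whole host as the domain


def assess(url):
    """Classify a URL without consulting the scheme.

    'trusted' depends only on the registrable domain being allowlisted.
    'findings' lists brand names that appear somewhere the brand does not
    control: a subdomain of an unrelated domain, or a path on a third-party
    (possibly compromised) site.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    findings = []
    for brand, domains in BRAND_ALLOWLIST.items():
        if domain in domains:
            continue  # served from a domain the brand controls
        if brand in host:
            findings.append(f"brand '{brand}' in hostname but served from {domain}")
        elif brand in parts.path.lower():
            findings.append(f"brand '{brand}' in path on third-party domain {domain}")
    return {
        "host": host,
        "registrable_domain": domain,
        "https": parts.scheme == "https",  # recorded, but never used for trust
        "trusted": domain in ALLOWED_DOMAINS,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample URLs illustrating the patterns described in the article.
    samples = [
        "https://login.microsoft.com/common/oauth2",        # genuine, HTTPS
        "http://login.microsoft.com/common/oauth2",         # genuine, no padlock
        "https://microsoft.com.secure-login.co.uk/signin",  # brand as subdomain, DV cert
        "https://www.example-church.org/wp-content/dropbox/index.html",  # hacked site
    ]
    for url in samples:
        result = assess(url)
        print(f"{url}\n  https={result['https']} trusted={result['trusted']} "
              f"findings={result['findings']}")
```

Note that the second sample is trusted and the third is not, even though only the third carries a padlock; that inversion is exactly the point LaCour makes about free DV certificates.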

Microsoft: Russians targeted conservative think tanks, U.S. Senate


Originally Seen: on August 21, 2018 by Sean Lyngaas

The Russian intelligence office that breached the Democratic National Committee in 2016 has spoofed websites associated with the U.S. Senate and conservative think tanks in a further attempt to sow discord, according to new research from Microsoft.

The tech giant last week executed a court order and shut down six internet domains set up by the Kremlin-linked hacking group known as Fancy Bear or APT 28, Microsoft President Brad Smith said.

“We have now used this approach 12 times in two years to shut down 84 fake websites associated with this group,” Smith wrote in a blog post. “We’re concerned that these and other attempts pose security threats to a broadening array of groups connected with both American political parties in the run-up to the 2018 elections.”

The domains were constructed to look like they belonged to the Hudson Institute and International Republican Institute, but were in fact phishing websites meant to steal credentials.

The two think tanks are conservative, yet count many critics of U.S. President Donald Trump and Russian President Vladimir Putin among their members. The International Republican Institute lists Sen. John McCain, R-Ariz, and former Republican presidential candidate Mitt Romney as board members. The Hudson Institute and International Republican Institute also have programs that promote democracy and good governance worldwide.

There is no evidence that the domains had been used to carry out successful cyberattacks, according to Microsoft. The company says it continues to work with both think tanks and the U.S. Senate to guard against any further attacks.

The attacks come as more and more instances of cyberattacks directed at the 2018 midterm elections come to light. Last month, Russian intelligence targeted Sen. Claire McCaskill, a critic of Moscow and a red-state Democrat who faces a tough reelection bid in Missouri. Additionally, a number of election websites have been hit with DDoS attempts during their primary elections.

“We are concerned by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups and think tanks across the political spectrum in the United States,” Microsoft’s blog post read. “Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France.”

Smith also announced that Microsoft was providing cybersecurity protection for candidates, campaigns and political institutions that use Office 365 at no additional cost.

Greg Otto contributed to this story. 

What’s worse? The AMD chip flaws or the disclosure process?


Originally Seen: Cyberscoop by Zaid Shoorbajee

A small cybersecurity company and research group is publicly reporting major, Meltdown-style vulnerabilities in chips made by AMD, yet the disclosure itself has sent security researchers into a frenzy about possible ulterior motives.

CTS Labs, an Israeli cybersecurity company that purportedly focuses on hardware, launched a website and released a white paper on Tuesday describing 13 security flaws in AMD’s EPYC, Ryzen, Ryzen Pro and Ryzen processors. The chips are used in laptops, mobile devices and servers.

The vulnerabilities reportedly include backdoors that would allow attackers to inject malicious code onto AMD’s chips. Such malware could allow attackers to take complete control of AMD processors, steal network credentials, install malware and read and write on protected memory areas, among other risks.

CTS Labs released the vulnerability information on a public website, saying it released the findings for the sake of public awareness.

“In particular, we urge the community to pay closer attention to the security of AMD devices before allowing them on mission-critical systems that could potentially put lives at risk,” the website reads.

The company says it has sent technical information to companies, including AMD, in order for patches to be developed. That technical information is not available on the public website.

AMD has addressed the claims on its investor relations page, saying that it is investigating the findings. The chip maker also took umbrage at CTS Labs for not giving proper notice before the research was published.

“This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings,” AMD says.

CNET, which first reported on the bugs, wrote that CTS Labs gave AMD less than 24 hours of notice before publishing its findings. Security researchers typically give a company 90 days to coordinate and patch flaws before publicly disclosing their findings. That was the plan with Meltdown and Spectre — security flaws in Intel’s processors revealed earlier this year — but information about the flaws was leaked shortly before planned publication.

Up until Tuesday morning, little was known about CTS Labs. The company does not appear to have a social media presence. A glitzy video CTS posted alongside its report features interviews with CTS Labs representatives in front of stock photos of office space and data centers.

The company’s website states it was founded by Ido Li On and Yaron Luk-Zilberman in 2017. Li On’s LinkedIn page lists him as formerly serving in Israel’s Unit 8200, an Israeli intelligence agency equivalent to the NSA. Luk-Zilberman’s LinkedIn page lists him as the managing director of NineWells Capital Partners, a hedge fund based out of New York. However, SEC documents currently list him as NineWells Capital’s president.

Additionally, a legal disclaimer on CTS’s disclosure website states the company might have a financial interest in the companies mentioned in its report. In its report, CTS discusses AMD hardware made by ASMedia, a subsidiary of Taiwanese technology company ASUS.

The disclaimer reads:

“Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports. Any other organizations named in this website have not confirmed the accuracy or determined the adequacy of its contents.”

The disclaimer also warns against using CTS Labs’ report as investment advice and classifies all of its findings as “opinions.”

Similar language is found in a 25-page report from Viceroy Research — which Bloomberg describes as a “mysterious short seller” — which was published within hours of when CTS Labs’ research went live.

Fraser Perring, a researcher with Viceroy, told CyberScoop that Viceroy received an advance email with CTS Labs’ research from an anonymous source.

CTS Labs did not respond to a request for comment.

Some third-party security researchers say they’ve confirmed the AMD flaws are legitimate. But that hasn’t stopped some in the community from pointing out oddities in CTS Labs’ approach.

“The fact that CTS Labs gave AMD less than 24 hours notice before public disclosure is extremely unusual in our industry and suggests an underlying motive,” said Jake Williams, president of Rendition Infosec. “It seems likely that the notice to AMD was done for legal reasons, thinking that some pre-disclosure notification (no matter how short) would offer some legal top cover.”

Udi Yavo, CTO of enSilo, told CyberScoop that the flaws need to undergo further scrutiny.

“Based on the publicly available information, we believe that these claims have real legitimacy and certainly merit further analysis by the cybersecurity community and the vendor. However, we believe such publications should be followed by responsible disclosure procedures,” Yavo said.

Dan Guido, CEO of Trail of Bits, tweeted that his company has seen CTS Labs’ proof-of-concept and that the vulnerabilities are legitimate.

AMD said in an emailed statement that it is working to validate the findings.

“At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings,” the company said.

Update: This article has been updated to clarify the information surrounding Yaron Luk-Zilberman’s ties to NineWells Capital.

Chris Bing and Greg Otto contributed to this report.