Comodo experts prevent new attack on LinkedIn users


Cybercriminal attacks on social media user accounts to gain access to user credentials are becoming more refined and sophisticated. Phishing email tricks, often based on deception, play a primary role in these attacks. Comodo Threat Research Lab experts recently revealed how an attack aimed at LinkedIn users was thwarted, thanks to Comodo software.

“This attack demonstrates how sharply cybercriminals raise the complexity of their attacks. For example, this attack merged cybertechnologies and manipulative psychology,” says Fatih Orhan, head of the Comodo Threat Research Lab. “This trend will definitely increase, making the landscape of online security increasingly dangerous. The cybersecurity community must be prepared for attacks such as these. Comodo clients did not suffer from this attack because Comodo software blocked the phishing emails, preventing the emails from reaching their intended targets.”

The attack
Comodo Threat Research Lab discovered that the latest attack was from two IPs: 159.89.149.253 from British Columbia and 58.82.167.42 from Thailand. The attack started on February 1, 2018 at 09:32 UTC, ending at 13:45 UTC.

There were 14 emails sent from the email address admin@besama.ga (inactive domain) with each email addressed to a different user during the month of January. The email imitated a standard LinkedIn message that a user receives when another user wants to connect.

[Image: the phishing email, styled as a LinkedIn connection request]

While it did resemble a LinkedIn message, there were inconsistencies. The email address in the “From” field is <admin@besama.ga> and the address in the “Reply-To” field is <gellul.Ebcon.cmo.mt@mail.ru>; neither is an actual LinkedIn email address.

It also had the LinkedIn logo and familiar design, including the “View profile” and “Accept” options.

Once the user clicked either option, they were redirected to a page that looked like the official LinkedIn sign-in page, apparently putting them one click away from a new prospective contact on LinkedIn.

https://www.fooddiethealth.com/xzcz/linkx/qrxf5zcpiihybkzuor3ihuvp.php?J2F38F1517502535e6f63c3c703e34a8c98b0bb25f342a1ee6f63c3c703e34a8c98b0bb25f342a1ee6f63c3c703e34a8c98b0bb25f342a1ee6f63c3c703e34a8c98b0bb25f342a1ee6f63c3c703e34a8c98b0bb25f342a1e&email=username@domain.com

The link led to a page that resembled the official LinkedIn URL, but it was in fact a phishing site created by cybercriminals to steal LinkedIn user credentials. If users submitted their login and password, the credentials went straight into the wrong hands.
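The indicators the article lists (a brand name in the “From” display name over a non-LinkedIn domain, a Reply-To on yet another domain, buttons that link to a host that is not linkedin.com, and a link that pre-fills the recipient's address) can be checked mechanically at the mail gateway. The following is an added example, not Comodo's code or part of the original write-up; the message is constructed here from the sender, Reply-To and link host quoted above, and the trusted-domain list is an assumption for the example.

```python
"""Added example (not Comodo's code): flag LinkedIn-lookalike phishing
indicators in a raw RFC 822 message.  Values below marked 'constructed'
are sample data built for this example."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse, parse_qs

# Assumption for this example: domains allowed to send LinkedIn notifications.
TRUSTED_DOMAINS = {"linkedin.com"}
BRAND = "linkedin"

# Constructed sample message using the sender, Reply-To and link host the
# article reports; the query string is shortened.
SAMPLE_EMAIL = """\
From: LinkedIn <admin@besama.ga>
Reply-To: <gellul.Ebcon.cmo.mt@mail.ru>
To: victim@example.com
Subject: Please add me to your LinkedIn network
Content-Type: text/html

<html><body>
<p>Someone would like to connect with you on LinkedIn.</p>
<a href="https://www.fooddiethealth.com/xzcz/linkx/q.php?J2F38F&email=victim@example.com">View profile</a>
<a href="https://www.fooddiethealth.com/xzcz/linkx/q.php?J2F38F&email=victim@example.com">Accept</a>
</body></html>
"""

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def registrable(host):
    """Crude eTLD+1 (last two labels); adequate for the sample hosts here."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw_message):
    """Return a de-duplicated list of human-readable findings for the message."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, _ = parseaddr(msg["From"] or "")
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])

    # Display name claims the brand but the sending domain is not trusted.
    if BRAND in display_name.lower() and from_dom not in TRUSTED_DOMAINS:
        findings.append(f"brand-spoofed From: display says LinkedIn, domain is {from_dom}")
    # Replies would go to a different domain than the sender's.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    body = msg.get_payload(decode=True).decode(errors="replace")
    for url in HREF_RE.findall(body):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        # Call-to-action buttons pointing away from the brand's own domain.
        if registrable(host) not in TRUSTED_DOMAINS:
            findings.append(f"link to non-LinkedIn host {host}")
        # Recipient address carried in the link, so the fake login page
        # can be pre-filled with it.
        if "email" in parse_qs(parsed.query):
            findings.append(f"link pre-fills recipient address on {host}")

    return list(dict.fromkeys(findings))


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

Each finding maps to one inconsistency the article points out; a gateway rule would normally quarantine on the first two alone, since a legitimate LinkedIn notification never carries a Reply-To on an unrelated domain.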

Why LinkedIn?
Cybercriminals hunt for credentials because they are a powerful springboard for further malicious activity. They can use account information to support a multitude of criminal activities, including fraud, identity theft, and even terrorism propaganda.

Cybercriminals also try to use stolen credentials to break into other accounts, including online banking. They know most people reuse the same password across accounts, and they gather additional private information about users to aid future spear-phishing or social engineering attacks.

LinkedIn is a major interest for cybercriminals because it’s the place of vibrant business activity. A huge number of potential targets can be found on LinkedIn, such as high-ranking C-level employees at leading companies.

LinkedIn attack tricks
First, a user can click the malicious link only once; the URL then expires and the phishing page disappears. Comodo Threat Research Lab believes this is a sneaky trick cybercriminals use to cover their tracks, allowing them to remain undetected for a longer period.

Secondly, a special feature of this attack is its social engineering approach. Comodo Threat Research Lab’s experts have found that similar phishing email attacks imitate senders from Kuwait and Saudi Arabia. This is a psychological trick: many people in the business world associate these countries with wealth, which increases the chances that the user takes the bait.

Additionally, the phishing email imitated a real LinkedIn message and used the name of a company and of a person with an account on LinkedIn. These cybercriminals take it a step further, using websites to back up the phishing message. For instance, the company named in the attack has a real website, https://www.cad-consultants-kw.com, belonging to Cad Consultants in Kuwait, whose logo is very similar to the logo in the phishing email:

Neither the company account nor the personal account used in the phishing email includes a photo of its owner. Cybercriminals are able to create fake accounts using actual LinkedIn information about a real company and/or a real person to cover their malicious activity.

User awareness
A user may suspect something is wrong when the real LinkedIn page does not appear after they enter their credentials. The user can then change their LinkedIn password or even report the incident, thus nullifying the hackers’ attack.

If the user researches the information in the request, finds the accounts of the company and of the email’s sender, and verifies the company name and website, they may conclude it was merely a glitch. They then do nothing, remaining unaware that their credentials are in the cybercriminals’ hands.

Avoid falling victim to a phishing attack. Keep your credentials safe.

Best Threat Detection Techniques to Keep You Safe


Insider threat detection is key to enterprise security. Identifying threats and detecting them in time goes a long way toward ensuring comprehensive enterprise security. Let’s discuss 10 techniques that can be used for effective threat detection. Before that, let’s cover the basic things you need to do to get ready for threat detection…

  • Inventory all your IT assets.
  • Identify the insider threats that are likely to happen and prioritize them.
  • Collect all logs.

Now, let’s move on to the threat detection solution, the best 10 detection techniques…

Best Threat Detection Methods

  • Look for spikes in activity
  • Monitor all access attempts, look for anomalous ones
  • Look for anomalies in the VPN access to your network
  • Monitor privileged accounts, service accounts with utmost caution
  • Check for unusual access to sensitive company data
  • Monitor all shared accounts
  • Monitor all infrastructure resources
  • Assess, correlate data from all sources
  • Assess users in their own peer groups

Look for spikes in activity
Spikes in activity, for example too many file modifications or an unusually large number of login attempts by a particular account, could indicate a threat. Hence, as part of threat detection, it’s very important to look for spikes in activity. Once you notice a spike, investigate it to find out whether it’s really a threat.

Monitor all access attempts, look for anomalous ones…
It’s very important that you keep an eye on all access attempts and look for anomalous ones. Keep checking, and if there is any unusual change in the frequency or volume of logins, successful and failed alike, do a thorough check. You should also focus on any activity that happens after business hours and on anything that deviates from usual activity.

Look for anomalies in the VPN access to your network
Any anomaly you spot in VPN access to your enterprise network, such as abnormal volume or speed or something fishy about the geographical location, could indicate a potential threat. Look for such anomalies and, if you notice any, analyze them to determine whether they are a threat.

Monitor privileged accounts, service accounts with utmost caution
Privileged accounts in an enterprise are meant to be used rarely. Likewise, privileged accounts and service accounts are supposed to be used only for carrying out certain tasks that other accounts are not authorized to perform. Hence you have to monitor the activities of such accounts very carefully, and if anything unusual or any policy violation occurs, check it out.

Check for unusual access to sensitive company data
You should always check for unusual access to sensitive company data. Things like a high number of access events or access to many different files over a short span of time should be reviewed.

Monitor all shared accounts
You must identify and monitor all shared accounts in your organization’s network. This is important for effective security in any company. Such accounts should be monitored and all risk factors analyzed, because a great many information security breaches originate from such accounts.

Monitor all infrastructure resources
All infrastructure resources need to be inspected through a security lens frequently. Activity around servers, databases, file shares, etc. should be reviewed by a defined process, including a check of running processes and of the top five applications by RAM usage. If any suspicious activity is spotted, it needs to be investigated further.

Assess, correlate data from all sources
To ensure proper cyber security, it’s always good to assess and correlate all data that comes from the various data sources. That helps you identify any attempt to access sensitive data and act on it before it’s too late.

Assess users in their own peer groups
Always make it a point to assess users within their peer groups. Don’t apply the same set of rules to every department or every individual; judge them by rules that fit their department or the nature of their work.
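Three of the techniques above (spikes in activity, after-hours access attempts, and peer-group comparison) reduce to simple aggregations over authentication and file-access logs. The following is an added example, not code from the article or from Comodo; the log lines, the business-hours window and the thresholds are constructed assumptions for the example, and the "more than three times the peers' mean" rule is one heuristic among many for the peer-group check.

```python
"""Added example (not from the article): activity spikes, after-hours
access and peer-group outliers computed over constructed log lines."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample log (not real data): "timestamp user department event".
SAMPLE_LOG = [
    "2018-02-01T09:02:11Z alice finance login_ok",
    "2018-02-01T09:03:40Z bob finance login_ok",
    "2018-02-01T09:04:02Z grace finance login_ok",
    "2018-02-01T09:05:02Z carol eng login_ok",
    "2018-02-01T09:06:13Z dave eng login_ok",
    "2018-02-01T09:07:13Z erin eng login_ok",
    "2018-02-01T12:30:00Z alice finance file_modify",
    "2018-02-01T12:31:00Z bob finance file_modify",
    "2018-02-01T12:32:00Z grace finance file_modify",
    "2018-02-01T13:00:00Z dave eng file_modify",
    "2018-02-01T13:01:00Z erin eng file_modify",
    "2018-02-01T23:40:00Z alice finance login_ok",
]
# Constructed anomalies: carol modifies eight files within an hour, and dave's
# account receives a burst of thirty failed logins late at night.
SAMPLE_LOG += [f"2018-02-01T13:{10 + i:02d}:00Z carol eng file_modify" for i in range(8)]
SAMPLE_LOG += [f"2018-02-01T22:15:{i:02d}Z dave eng login_fail" for i in range(30)]

BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 UTC; an assumption for the example


def parse(lines):
    """Turn raw lines into dicts with a parsed timestamp."""
    records = []
    for line in lines:
        ts, user, dept, event = line.split()
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "user": user, "dept": dept, "event": event})
    return records


def activity_spikes(records, threshold=10):
    """Flag (user, event, hour) buckets holding more than `threshold` events."""
    buckets = Counter((r["user"], r["event"], r["ts"].replace(minute=0, second=0))
                      for r in records)
    return sorted((u, e, h.isoformat(), n)
                  for (u, e, h), n in buckets.items() if n > threshold)


def after_hours(records):
    """Distinct (user, event) pairs seen outside business hours."""
    return sorted({(r["user"], r["event"])
                   for r in records if r["ts"].hour not in BUSINESS_HOURS})


def peer_group_outliers(records, event="file_modify", factor=3, minimum=5):
    """Flag a user whose count of `event` is at least `minimum` and more than
    `factor` times the mean count of the other users in the same department,
    so each user is judged against their own peer group rather than globally."""
    counts = defaultdict(Counter)   # dept -> user -> count of `event`
    members = defaultdict(set)      # dept -> users seen in the log
    for r in records:
        members[r["dept"]].add(r["user"])
        if r["event"] == event:
            counts[r["dept"]][r["user"]] += 1
    flagged = []
    for dept, users in members.items():
        for user in sorted(users):
            mine = counts[dept][user]
            peers = [counts[dept][p] for p in users if p != user]
            if peers and mine >= minimum and mine > factor * mean(peers):
                flagged.append((dept, user, mine))
    return flagged


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("spikes:", activity_spikes(recs))
    print("after hours:", after_hours(recs))
    print("peer-group outliers:", peer_group_outliers(recs))
```

Note that carol's eight modifications never cross the absolute spike threshold; she is caught only by the peer-group comparison, which is the point the last technique makes: a count that is normal for one team can be an outlier in another.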


Comodo 2017 Global Malware Report: Cyber Risks and Geopolitical Threats


2017 will long be remembered as the year of information breaches. It was also a year of security analysis in enterprise security and of multiple geopolitical events that corresponded with major malware spikes. From elections to North Korean nuclear threats and missile launches, it seems likely that cyber actors are using geopolitical events to pursue cyber activism and other goals.
Comodo launched quarterly threat reports throughout 2017, and the Comodo 2017 Global Malware Report summarizes our key findings for the year, analyzing malware patterns across countries, industries and events. Among our discoveries:

Trojans Are the No. 1 Malware Threat

Trojans were detected in 225 countries in 2017, with Russia being the No. 1 recipient, receiving 9% of all Trojan detections. Russia also led the world in backdoors and worm detections, while the U.S. led the world in application threats, including unsafe and unwanted applications, viruses and packer malware. Russia and the U.S. were the No. 1 and 2 countries for malware detections in 2017, while online services and technology were the No. 1 and 2 most targeted verticals.

Backdoors Rise While Other Threats Decline

Comodo witnessed a rise in backdoor threats in Q4 2017 and predicts that they will continue to rise in Q1 2018. Other malware patterns remained even or declined in Q4 2017.

Malware Spikes Occur in Sync with Geopolitical Events

Geopolitical events in multiple regions coincided with malware increases throughout the year. While Comodo cannot prove causation, we can demonstrate correlation between geopolitical issues and diverse malware attacks, including:

  • U.S. elections: A massive spike in Kryptik trojans occurred on Oct. 24, 2017, with more than 94% of nearly 300,000 trojans focused on the state of Virginia, where a close and hard-fought gubernatorial election took place.
  • East Asia: The country of China experienced malware growth, with a virus surge of nearly 20,000 when China’s President Xi visited the U.S. in April 2017 and North Korea fired test missiles. Similarly, Trojan attacks in China spiked to 30,000 during the Silk Road Summit in early to mid-May 2017, 40,000 in early August 2017 after an earthquake and a U.S.-China naval dispute, and 55,000 on Sept. 3, 2017, after China joined the U.S. and Russia in condemning a North Korea nuclear test.
  • North Korea: Comodo is one of the few commercial cybersecurity companies with visibility into North Korea. We witnessed a startling Trojan increase in the country on Sept. 19, 2017, corresponding with a speech at the United Nations where U.S. President Donald Trump threatened to destroy North Korea.


About the Comodo Global Malware Report

The Comodo Threat Research Labs’ 2017 Global Malware Report summarizes global malware patterns, providing business and technology decision makers with critical insights they can use to improve enterprise security. This publication is the year-end edition of a quarterly threat report published by Comodo Threat Research Labs, a group of more than 120 security professionals, ethical hackers, and computer scientists and engineers who work for Comodo full-time analyzing malware patterns across the globe. Comodo Security Solutions Inc. is a global innovator of cybersecurity products for the enterprise.