Threat Intelligence

3/2/2018
02:55 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
0%
100%

Millions of Office 365 Accounts Hit with Password Stealers

Phishing emails disguised as tax-related alerts aim to trick users into handing attackers their usernames and passwords.

A new wave of phishing attacks aims to dupe users and steal their passwords by disguising malicious emails as tax-related notifications from the IRS.

Barracuda Networks last month flagged a "critical alert" when it detected attack attempts to steal user passwords. This threat lures victims with Microsoft 365 Office files claiming to be tax forms or other official documents; attackers use urgent language to convince people to open the attachment.

Examples of this tactic include files named "taxletter.doc" and phrases like "We are apprising you upon the arisen tax arrears in the number of 2300CAD." The use of popular file types like Word and Excel, which are globally known and used, further ensures victims will fall for it.

"Today's documents are far more active … you're putting in a lot of content, media, links," says Fleming Shi, senior vice president of technology at Barracuda, comparing this threat with phishing attacks of the past. "Bad guys are leveraging the dynamic, active manner of the documents today to weaponized their files."

In this case, users are hit with the password stealer when they download and open the malicious document. When the document opens, a macro inside launches PowerShell, which acts in the background while the victim views the document.

Tens of millions of people have been affected by these phishing emails, Shi says, and attackers evade detection by crafting different emails. While Exchange server makes up a large portion of people affected, Shi notes other types of email accounts are also targeted with the malicious files.

"What they do is they rotate the content of the email; they rotate sender information," he continues. Signature-based systems won't catch these messages because changing the characteristics of malicious emails changes their fingerprint.

Password theft is increasing overall, a sign of attackers shifting their goals and strategies, Shi explains. Ransomware was big last year; this year, password stealers are appearing in phishing emails, browser extensions, and other programs as criminals hunt login data.

It's all part of a broader trend of sneaky spearphishing and targeted attacks, he says. Usernames and passwords grant access to multiple systems and applications a particular user is attached to, as well as social media sites and contact lists to fuel future attacks.

"Some attackers try to be like a sleeper cell on your system," Shi notes. Instead of seeing a red flag, victims will notice subtle clues they have been compromised: their system will slow down; they'll see more pop-ups. All are signs they've lost control of applications on their system.

IRS officials are also recommending caution amid an increase of tax-related phishing emails. Last month, the IRS Online Fraud Detection & Prevention Center (OFDP) announced a rise of compromised emails starting in January 2017. Cybercriminals are aiming for mass data theft and many are impersonating executives to request W-2 information from human resources.

It's a timely opportunity for attackers to capitalize on users' wariness of tax season and make their campaigns more effective. "You feel vulnerable because you get an email saying the IRS is eyeing you," Shi says. "What happens is, you're likely going to open the document."

Related Content:

 

 

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
3/2/2018 | 7:50:13 PM
Office 365 Accounts Hit
Not at all unexpected.  Even before reading the article, there's the fact that there are so many small companies that use Office 365, for good reasons.  Unfortunately, most are too small to have anything close to dedicated enterprise-level cybersecurity assets.  Often, they're lucky to have one person in the office with security, or even general IT support, as part of their job description.  But don't think multinationals needn't be concerned - if these small companies are cyber-business-partners, their being compromised can be a steppingstone toward a more lucrative vulnerability. 

It's sad, but what is an obvious scam to those experienced in cybersecurity, can seem all too real to the intelligent, but untrained knowledge workers just trying to get through their workload.  Fold the same old letter, phone, email ploys into Office 365 documents (an environment people assume secure, and where you can be called on the carpet for ignoring something that might be important), and you've increased the potency dramatically. 

Yes the "tax time" feature does make these enticements more effective, but there's more to it.  Get the necessary data to file a false IRS return (with false direct deposit information), and you might be able to walk off with a refund before the real entity has filed. 

Another aspect mentioned in the article is the misuse of PowerShell.  Power is right, but is it too much power, too easily accessible and unnecessary for most users?  Again, something the big companies know to control, but users in small firms might not even know it's there. 
SchemaCzar
50%
50%
SchemaCzar,
User Rank: Strategist
3/3/2018 | 3:06:45 PM
Bad headline - this is a phishing scam like others
Yes, it's interesting that Office365 users were targeted, but this does not mean that "accounts" were "hit."  Another booby-trapped attachment.  It's a large-scale phishing attack, but nothing more than phishing.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
3/7/2018 | 8:53:05 AM
Re: Office 365 Accounts Hit
Rather a good reason to cancel the Office365 subscript and go back to the last GOOD one - Office 2010 on my home system
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Are you sure this is how we get our data into the cloud?
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14633
PUBLISHED: 2018-09-25
A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The at...
CVE-2018-14647
PUBLISHED: 2018-09-25
Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by contructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming larg...
CVE-2018-10502
PUBLISHED: 2018-09-24
This vulnerability allows local attackers to escalate privileges on vulnerable installations of Samsung Galaxy Apps Fixed in version 4.2.18.2. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exist...
CVE-2018-11614
PUBLISHED: 2018-09-24
This vulnerability allows remote attackers to escalate privileges on vulnerable installations of Samsung Members Fixed in version 2.4.25. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists wit...
CVE-2018-14318
PUBLISHED: 2018-09-24
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Samsung Galaxy S8 G950FXXU1AQL5. User interaction is required to exploit this vulnerability in that the target must have their cellular radios enabled. The specific flaw exists within the handling of ...