2022 Content Review: Abnormal's Top 10 Blog Posts

It’s hard to believe the end of 2022 is only a week and a half away. It’s truly been a year for the books—both for Abnormal Security in particular and the cybersecurity community at large.

Throughout the past 12 months, we’ve invested countless hours into ensuring organizations like yours have the insights and advice needed to protect your workforce from attackers. This includes publishing nearly 200 new pieces of content exploring every facet of the email threat landscape.

We’re already hard at work on planning and creating even more helpful content for 2023, but we wanted to first take a moment and highlight a few of our more popular blog posts from the past year.

Without further ado, here are 10 of Abnormal’s most-read articles from 2022.

10. Tax Return Customer Campaign Attempts to Infect Victims with Sorillus RAT

For accounting and tax professionals, digital file sharing is a necessity. Unfortunately, this makes them especially vulnerable to inadvertently downloading a malicious file.

In early 2022, threat actors posing as potential clients emailed CPAs and tax preparation service providers claiming to be in need of tax filing services. After the recipient engaged with the attacker, the actors sent a follow-up email not with the promised tax documents but instead an obfuscated version of the remote access tool (RAT) Sorillus.

Once the malware successfully connected to the network, remote access was established and the threat actor could start stealing information.

9. BEC Group Compromises Personal Accounts and Pulls Heartstrings to Launch Mass Gift Card Attacks

Threat group Lilac Wolverine takes gift card scams to a whole new level.

In these two-stage attacks, threat actors first compromise personal email accounts and copy the contact list. Next, they set up lookalike email accounts and message everyone on the stolen contact list asking for help purchasing gift cards for a friend or relative.

To improve their chances of success, the attacker claims the friend or relative has recently received a catastrophic diagnosis or suffered the loss of a loved one. Because sending gift cards is so easy, it only takes a few clicks for recipients to unwittingly send Lilac Wolverine their money.

8. BEC Group Uses Manufactured Email Threads and Brand Impersonation to Facilitate Invoice Fraud

A BEC threat group we've dubbed Cobalt Terrapin uses a hybrid strategy that combines executive impersonation and vendor impersonation.

First, threat actors impersonate a known vendor, such as LinkedIn or ZoomInfo, and create an email that looks like a follow-up to an outstanding invoice. Then, to make the request appear more credible, they impersonate an executive who "forwards" the email to the final target with a note claiming the invoice should be paid today.

Once the targeted employee engages, the attackers use detailed documents and W-9 forms to compel the targeted employee to pay the bogus invoice.

7. 12 Cybersecurity Influencers to Follow This Year

With new cyber threats emerging almost daily, staying up to date on the latest cybersecurity trends, industry news, and best practices can be challenging.

Browsing Twitter and Linked is certainly an effective way to view valuable insights in aggregate. But one of the downsides of social media is that because anyone can declare themselves a “cybersecurity expert”, identifying consistent sources of reliable and accurate information can be difficult.

We curated a list of some of the most innovative cybersecurity thought leaders who offer a unique perspective on a broad range of topics and regularly share helpful content.

6. The Double-Edged Sword of ChatGPT: How Threat Actors Could Use It for Evil

If you've spent any time fiddling with ChatGPT, you know how much of an absolutely transformational technology it has the capability of becoming.

With it, you can write college-level essays, generate code in various computer languages, and easily answer complex questions without the need to traverse pages of Google search results. At its core, it has the potential to make our work much more efficient.

But all technology can be used by bad actors. And with its tremendous number of benefits, there's always a possibility ChatGPT could be abused for malicious purposes. We explored how the tool can be exploited by cybercriminals to develop more sophisticated cyber threats.

5. Stripe Website Impersonated in Credential Phishing Attack

The way modern cybercriminals approach phishing sites has become increasingly elaborate in recent years. For example, in an attack blocked by Abnormal earlier this year, a threat actor recreated Stripe’s entire website to steal login credentials.

As with most credential phishing attempts, the threat actor first sent an email about a fabricated situation that required immediate attention. Clicking on the link in the email redirected the target to the credential phishing site—an exact replica of Stripe’s sign-in page.

If they entered their credentials, the attacker gained access to their account, giving them the power to change bank information, redirect incoming payments, and send fraudulent payment requests.

4. The 8 Most Dangerous Types of Phishing Attacks

Credential phishing remains the popular choice for cybercriminals, accounting for nearly 70% of all advanced attacks between January and June of this year. And according to the FBI’s Internet Crime Complaint Center (IC3), phishing has been the most common cybercrime for the past three years.

Delivery methods vary by the type of phishing attack, but the basic tenets remain the same: cybercriminals try to trick victims into paying money or revealing sensitive information by creating a false sense of urgency. And while there are certain common characteristics across all phishing attacks, each type has unique attributes.

3. Attackers Use Legitimate Facebook Infrastructure for Credential Phishing

Threat actors have been using phishing emails to try to steal Facebook login credentials for years. However, an attack we encountered earlier this year had an interesting twist: the threat actors leveraged Facebook’s actual infrastructure to execute it.

The initial phishing email claimed the recipient’s account is at risk of being disabled due to repeated policy violations and includes a phishing link disguised as a “request to appeal”. But rather than sending the target straight to the phishing site, the attackers first redirected them to a real post on Facebook.

By using a valid Facebook URL, the attackers improved the chances of the target entering their login credentials without hesitation.

2. Crimson Kingsnake: BEC Group Impersonates International Law Firms in Blind Third-Party Impersonation Attacks

Unlike other forms of financial supply chain compromise, blind third-party impersonation attacks have no direct insight into vendor-customer relationships or financial transactions. Instead, attackers rely on the effectiveness of pure social engineering to be successful, hoping a target isn’t paying close attention to the email and simply complies with the request.

Earlier this year we identified a new BEC group leveraging blind third-party impersonation tactics to swindle companies around the world. The group, which we call Crimson Kingsnake, impersonates real attorneys, law firms, and debt recovery services to deceive accounting professionals into quickly paying bogus invoices.

1. BazarLoader Actors Initiate Contact via Website Contact Forms

Email has been and will continue to be a primary attack vector. But that certainly doesn’t mean it’s the only attack vector. One series of malware campaigns blocked by Abnormal this year involved initial communication via an online contact form.

In the contact form, the attacker posed as a construction company employee looking for prices on a product for an upcoming project. After the target replied to the attacker and established email communication, the threat actor sent a file transfer link, claiming it contains important details about the project.

In reality, the file contained one of several malicious files—the first in a multi-stage attack that could lead to the installation of a malware Trojan, ransomware, or worse.

As 2022 comes to a close, one thing is certain: threat actors aren’t retiring anytime soon. And because attackers will always be searching for new ways to target your employees, we at Abnormal will always be committed to helping you stay one step ahead of attackers.

Start the new year strong. Request a demo of Abnormal to see how our platform can protect your cloud email from the full spectrum of email attacks.