Google says Iranian, Chinese hackers targeted Trump, Biden campaigns

Google security researchers say they’ve identified efforts by at least two nation state-backed hackers against the Trump and Biden presidential campaigns.

Shane Huntley, director for Google’s Threat Analysis Group, said in a tweet that hackers backed by China and Iran recently targeted the campaigns using malicious phishing emails. But, Huntley said, there are “no signs of compromise,” and that both campaigns were alerted to the attempts.

When reached by TechCrunch, a Google spokesperson reiterated the findings:

“We can confirm that our Threat Analysis Group recently saw phishing attempts from a Chinese group targeting the personal email accounts of Biden campaign staff and an Iranian group targeting the personal email accounts of Trump campaign staff. We didn’t see evidence that these attempts were successful. We sent the targeted users our standard government-backed attack warning and we referred this information to federal law enforcement. We encourage campaign staff to use extra protection for their work and personal emails, and we offer security resources such as our Advanced Protection Program and free security keys for qualifying campaigns.”

A spokesperson for the Biden campaign confirmed the report in a statement to TechCrunch.

“We are aware of reports from Google that a foreign actor has made unsuccessful attempts to access the personal email accounts of campaign staff,” a spokesperson said. “We have known from the beginning of our campaign that we would be subject to such attacks and we are prepared for them. Biden for President takes cybersecurity seriously, we will remain vigilant against these threats, and will ensure that the campaign’s assets are secured.”

The Trump campaign said it was also briefed that “foreign actors unsuccessfully attempted to breach the technology of our staff,” but a spokesperson declined to discuss the precautions it was taking.

Huntley said in a follow-up tweet that the hackers were identified as China’s APT31 and Iran’s APT35, both of which are known to target government officials. But it’s not the first time that the Trump campaign has been targeted by Iranian hackers. Microsoft last year blamed the APT35 group for targeting what later transpired to be the Trump campaign.

Since last year’s attempted attacks, both the Democrats and Republicans improved their cybersecurity at the campaign level. The Democrats recently updated their security checklist for campaigns and published recommendations for countering disinformation, and the Republicans have put on training sessions to better educate campaign officials.

Updated with comment from the Biden campaign, and again with a statement from the Trump campaign. 

Anti-phishing startup Inky raises $20M to ramp up enterprise adoption

Anti-phishing startup Inky has raised $20 million in its Series B round of funding, led by Insight Partners.

The funding will help the company push for greater enterprise adoption and expand to international markets including Europe, Asia and Latin America.

Inky started out a decade ago with a bold mission to reinvent email with its desktop app focused on helping users better organize and filter their inboxes. The company pivoted away from its email improvement efforts in 2018 to focus on its cloud-based anti-phishing technology. A year later, it raised $5.6 million in its Series A round.

This latest investment pushes the total amount Inky raised to $31.6 million.

Phishing is a continual headache for all organizations. These attacks rely on tricking users into thinking an email is genuine and turning over personal information or passwords. Verizon’s yearly data breach report said 22% of all breaches are caused by phishing, a technique used more than any other attack vector. Attackers also use spoofed emails to trick human resources or finance staff into turning over sensitive employee files, like W-2 tax forms, on instructions from senior leadership. These so-called business email scams have cost businesses billions of dollars a year.

Inky’s technology works by hooking into existing email systems, like Exchange, Office 365 and G Suite, and alerting users if an incoming email looks safe, unusual or malicious. The company uses machine learning and other technologies to detect whether an email looks like spam, a phishing attempt, or an attempt to leverage a security vulnerability such as cross-site scripting (XSS) that can be used to steal data.

Inky says it blocks hundreds of thousands of suspicious or malicious emails a month for the average customer.

“This Series B funding gives us the resources we need to serve the incredible demand we’re seeing from enterprise customers in particular, and will allow us to expand our go-to-market efforts globally,” said Inky’s co-founder and chief executive Dave Baggett.

What you need to know about COVID-19-related cyberattacks

The COVID-19 outbreak has not only caused global disruption, it has also changed the cybersecurity threat landscape. We are observing changing patterns of behavior from threat actors and noticing waves of coronavirus-related cyberattacks.

To be clear, this trend is not unique to the global pandemic. Hackers have typically preyed on victims shortly after disasters or high-profile events around the world. Over the course of my career, I tracked notable global disasters that have been used as lures, such as the 2004 Indian Ocean earthquake and tsunami, the mass shooting events in Las Vegas and the Zika virus outbreak. Malicious actors notoriously exploit human emotions for financial gain. Today, COVID-19 is not off-limits.

As threat actors continue adapting to exploit the coronavirus pandemic, the global workforce continues to change dramatically. With much of the world ordered to practice physical distancing, an unprecedented number of people are working remotely, many for the first time. Companies are rushing to provision laptops to employees with desktops, deploy collaborative software and implement VPN infrastructure to access internal tools. So, if you were a hacker, what would this opportunity look like for you?

Attack methods logically exploit changes in the global environment. Mass working over remote connections leads to mass remote login activity. Much of this activity comes from private, insecure machines and from user accounts that have never logged in remotely before, which makes remote login credentials an easy target for attackers.

Since Italy declared a state of emergency on January 31, 2020, information security professionals have recorded an escalation of cyberattacks in Italy reflecting this pattern. Breach protection company Cynet tracked a spike in phishing attacks in Italy in the last month, while countries not under quarantine saw no change in the number of attacks.

Red teams OK to push ethical limits but not on themselves, study says

Wake up, make breakfast, get the kids to school, drive to work, break into the chief financial officer’s inbox and steal the entire company’s employee tax records. Maybe later you’ll grab a bagel from across the street.

For “red teams” — or offensive security researchers — it’s just another day at work.

These offensive security teams are made up of skilled hackers who are authorized to find vulnerabilities in a company’s systems and networks, but also in its employees. By hacking a company from within, the company can better understand where it needs to shore up its defenses against a real attacker in the future. But social engineering, where hackers manipulate their targets, can have serious consequences for the target. Although red team engagements are authorized and legal, the ethics of certain attacks and efforts can go unconsidered.

Newly released research looks at the ethics involved in offensive security engagements. Is it ethically acceptable to send phishing emails, bribe a receptionist, or plant compromising documents on a person’s computer if it means preventing a breach down the line?

The findings showed that security professionals, like red teamers and incident responders, were more likely to find it ethically acceptable to conduct certain kinds of hacking activities on other people than to have those same activities run against themselves.

The research — a survey of over 500 people working in both security and non-security positions, presented for the first time at Shmoocon 2020 in Washington DC this week — found that non-security professionals, such as employees working in legal, human resources, or at the reception desk, are nine times more likely to object to receiving a phishing email as part of a red team engagement than a security professional, such as a red teamer or incident responder.

It is hoped the findings will help start a discussion about the effects of a red team’s engagement on a company’s morale during an internal penetration test, and help companies understand the limits of a red team’s rules of engagement.

“When red teamers are forced to confront the fact that their targets are just like themselves, their attitude about what it’s OK to do to another person about testing security on other people changes dramatically after they confront the fact that it could happen to them,” said Tarah Wheeler, a cybersecurity policy fellow at New America and co-author of the research.

The survey asked about a range of potential tactics in offensive security testing, such as phishing, bribery, threats, and impersonation. The respondents were randomly assigned one of two surveys containing all the same questions, except one asked if it was acceptable to conduct the activity and the other asked if it was acceptable if it happened to them.

The findings showed that security professionals were as much as four times more likely to object if certain tactics, such as phishing emails and planting compromising documents, were used against them.

“Humans are bad at being objective,” said Wheeler.

The findings come at a time when red teams are increasingly making headlines for their activities as part of engagements. Just this week, two offensive security researchers at Coalfire had charges against them dropped for breaking into an Iowa courthouse as part of a red team engagement. The researchers were tasked and authorized by Iowa’s judicial arm to find vulnerabilities in its buildings and computer networks in an effort to improve its security. But the local sheriff caught the pair and objected to their activities, even though they presented a “get out of jail free” letter detailing the authorized engagement. The case gave a rare glimpse into the world of security penetration testing and red teaming, even if the arrests were universally panned by the security community.

The survey also found that security professionals in different parts of the world were more averse to certain activities than others. Security professionals in Central and South America, for example, object more to planting compromising documents whereas those in the Middle East and Africa object more to bribes and threats.

The authors of the research said that the takeaway is not that red teams should avoid certain offensive security practices, but that they should be aware of the impact those practices can have on the targets, which often include their corporate colleagues.

“When you’re setting up a red team and scoping your targets, consider the impact on your co-workers and clients,” said Roy Iversen, director of security engineering and operations at Fortalice Solutions, who also co-authored the research. Iversen said the findings may also help companies decide if they want an outside red team to carry out an engagement to minimize any internal conflict between a company’s internal red team and the wider staff.

The researchers plan to expand their work over the next year to improve their overall survey count and to better understand the demographics of their respondents to help refine the findings.

“It’s an ongoing project,” said Wheeler.

Only a few 2020 US presidential candidates are using a basic email security feature

Just one-third of the 2020 U.S. presidential candidates are using an email security feature that could prevent the kind of attack that hobbled the Democrats during the 2016 election.

Out of the 21 presidential candidates in the race according to Reuters, seven Democrats and one Republican candidate are using and enforcing DMARC, an email security protocol that verifies the authenticity of a sender’s email and rejects spoofed emails, which hackers often use to try to trick victims into opening malicious links from seemingly known individuals.

It’s a marked increase from April, when only Elizabeth Warren’s campaign had employed the technology. Now, the Democratic campaigns of Joe Biden, Kamala Harris, Michael Bloomberg, Amy Klobuchar, Cory Booker and Tulsi Gabbard, and Republican candidate Steve Bullock, have all improved their email security.

The remaining candidates, including presidential incumbent Donald Trump, are not rejecting spoofed emails. Another seven candidates are not using DMARC at all.

That, experts say, puts their campaigns at risk from foreign influence campaigns and cyberattacks.

“When a campaign doesn’t have the basics in place, they are leaving their front door unlocked,” said Armen Najarian, chief identity officer at Agari, an email security company. “Campaigns have to have both email authentication set at an enforcement policy of reject and advanced email security in place to be protected against socially-engineered covert attacks,” he said.

Green indicates a reject/quarantine policy, while yellow indicates a non-enforced policy. (Image: TechCrunch)

DMARC, which is free and fairly easy to implement, not only prevents attackers from impersonating a candidate’s campaign but also helps prevent the same kind of targeted phishing attacks against the candidate’s network that resulted in the breach and theft of thousands of emails from the Democrats.

In the run-up to the 2016 presidential election, Russian hackers sent an email to Hillary Clinton campaign manager John Podesta, posing as a Google security warning. The phishing email, which was published by WikiLeaks along with the rest of the email cache, tricked Podesta into clicking a link that took over his account, allowing hackers to steal tens of thousands of private emails.

A properly enforced DMARC policy would have kept the phishing email out of Podesta’s inbox altogether, though DMARC does not protect against every kind of highly sophisticated cyberattack. The breach was bruising for the Democrats, one that led to high-profile resignations and harmed public perceptions of the Clinton presidential campaign — one she ultimately lost.
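As an added illustration (not TechCrunch’s own tooling), the script below classifies a domain’s DMARC record into the same buckets the article uses: enforced (a reject or quarantine policy), non-enforced (p=none), partial (a pct below 100), or missing. The DNS lookup is stubbed with constructed records so it runs offline; a real check would query the TXT record at _dmarc.<domain> instead.

```python
"""Classify a domain's DMARC policy: enforced, monitor-only, partial, missing or invalid.

Added example, not code from the article. DNS is replaced by a constructed table
so the script runs offline; swap lookup_txt() for a real TXT query in practice.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample TXT records published at _dmarc.<domain>; domains are placeholders.
SAMPLE_DNS = {
    "_dmarc.campaign-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@campaign-a.example",
    "_dmarc.campaign-b.example": "v=DMARC1; p=quarantine; pct=100; sp=reject",
    "_dmarc.campaign-c.example": "v=DMARC1; p=none; rua=mailto:reports@campaign-c.example",
    "_dmarc.campaign-d.example": "v=DMARC1; p=reject; pct=10",
    "_dmarc.campaign-e.example": "v=spf1 include:_spf.example -all",  # wrong record type
    # campaign-f.example publishes no _dmarc record at all
}


@dataclass
class DmarcStatus:
    domain: str
    status: str            # "enforced", "partial", "monitor_only", "missing" or "invalid"
    policy: Optional[str]  # value of the p= tag, if any
    pct: int               # share of mail the policy applies to (pct= tag, default 100)
    reporting: bool        # whether aggregate reports (rua=) are requested


def lookup_txt(name: str) -> Optional[str]:
    """Stand-in for a DNS TXT lookup; returns None when no record exists."""
    return SAMPLE_DNS.get(name)


def parse_dmarc(record: str) -> Optional[dict]:
    """Parse 'tag=value; tag=value' into a dict; None unless it is a DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    # RFC 7489: the record must begin with v=DMARC1
    if not record.strip().lower().startswith("v=") or tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def classify(domain: str) -> DmarcStatus:
    """Map a domain to the enforced / non-enforced / missing buckets from the article."""
    record = lookup_txt(f"_dmarc.{domain}")
    if record is None:
        return DmarcStatus(domain, "missing", None, 0, False)
    tags = parse_dmarc(record)
    if tags is None or "p" not in tags:          # p= is mandatory in a valid record
        return DmarcStatus(domain, "invalid", None, 0, False)
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    reporting = tags.get("rua", "") != ""
    if policy in ("reject", "quarantine"):
        # A reject policy that only covers 10% of mail is not really enforcement
        status = "enforced" if pct >= 100 else "partial"
    elif policy == "none":
        status = "monitor_only"
    else:
        status = "invalid"
    return DmarcStatus(domain, status, policy, pct, reporting)


if __name__ == "__main__":
    for d in ["campaign-a.example", "campaign-b.example", "campaign-c.example",
              "campaign-d.example", "campaign-e.example", "campaign-f.example"]:
        s = classify(d)
        print(f"{d:20} {s.status:13} p={s.policy} pct={s.pct} rua={s.reporting}")
```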

“It’s perplexing that the campaigns are not aggressively jumping on this issue,” said Najarian.

Startups face the same phishing risks as big corporations

This week, we reported on TechCrunch how thousands of remote employees with health and workplace benefits through human resources giant TriNet received emails that looked like a near-perfect phishing attempt.

One recipient was so skeptical that they shared the email with TechCrunch so we could verify its authenticity. The message checked every suspicious box. In fact, when we asked two independent security researchers to offer their assessments, each one thought it was a phishing email devised to steal usernames and passwords.

The fact that there was confusion to begin with shows that even gigantic companies like TriNet — a $3.7 billion corporation — are not doing enough to prevent phishing attacks. Had they proactively employed basic email security techniques, it would have been a lot easier to detect that the email was not in fact a phish, but a genuine company email.

But this problem isn’t unique to TriNet; it’s not even unique to big companies.

Last year, security firm Agari found that only 14% of all Fortune 500 companies were using and actively enforcing DMARC, a domain security feature that prevents email spoofing. New data supplied by Agari to TechCrunch shows that figure has risen only one percentage point in the last year, bringing it to a meager 15%.

Phishing and impersonation are fundamentally human problems. The aim is to try to trick unsuspecting victims into turning over their usernames, email addresses and passwords to hackers who then log in and steal data or money. In some cases, scammers use an email impersonation scam to trick employees into thinking someone senior in the company needs certain sensitive files like banking information or employee tax documents.

TriNet sent remote workers an email that some thought was a phishing attack

It was one of the best phishing emails we’ve seen… that wasn’t.

Phishing remains one of the most popular attack choices for scammers. Phishing emails are designed to impersonate companies or executives to trick users into turning over sensitive information, typically usernames and passwords, so that scammers can log into online services and steal money or data. But detecting and preventing phishing isn’t just a user problem — it’s a corporate problem too, especially when companies don’t take basic cybersecurity precautions and best practices to hinder scammers from ever getting into a user’s inbox.

Enter TriNet, a human resources giant, which this week became the poster child for how to inadvertently make a genuine email to its customers look as suspicious as it gets.

Remote employees at companies across the U.S. who rely on TriNet for access to outsourced human resources, like their healthcare benefits and workplace policies, were sent an email this week as part of an effort to keep employees “informed and up-to-date on the labor and employment laws that affect you.”

Workers at one Los Angeles-based health startup that manages its employee benefits through TriNet all got the email at the same time. But one employee wasn’t convinced it was a real email, and forwarded it — and its source code — to TechCrunch.

TriNet is one of the largest outsourced human resources providers in the United States, primarily for small-to-medium-sized businesses that may not have the funding to hire dedicated human resources staff. And this time of year is critical for companies that rely on TriNet, since health insurance plans are entering open enrollment and tax season is only a few weeks away. With benefit changes to consider, it’s not unusual for employees to receive a rash of TriNet-related emails towards the end of the year.

But this email didn’t look right. In fact, when we looked under the hood of the email, everything about it looked suspicious.

This is the email that remote workers received. TriNet said the use of an Imgur-hosted image in the email was “mistakenly” used. (Image: TechCrunch/supplied)

We looked at the source code of the email, including its headers. These email headers are like an envelope — they say where an email came from, who it’s addressed to, how it was routed, and if there were any complications along the way, such as being marked as spam.

There were more red flags than we could count.

Chief among the issues was that the TriNet logo in the email was hosted on Imgur, a free image-hosting and meme-sharing site, and not on the company’s own website. That’s a common technique among phishing attackers, who host the images for their spam emails on Imgur to avoid detection. Between its upload in July and our reaching out to TriNet, which then removed the image, the logo was viewed more than 70,000 times, suggesting thousands of TriNet customers had received one of these emails. And, although the email contained a link to a TriNet website, the page that loaded had an entirely different domain with nothing on it to suggest it was a real TriNet-authorized site besides a logo, which, had it been a phishing site, could easily have been spoofed.

Fearing that somehow scammers had sent out a phishing email to potentially thousands of TriNet customers, we reached out to security researcher John Wethington, founder of security firm Condition:Black, to examine the email.

It turns out he was just as convinced as us that the email may have been fake.

“As hackers and self-proclaimed social engineers, we often think that spotting a phishing email is ‘easy’,” said Wethington. “The truth is it’s hard.”

“When we first examined the email every alarm bell was going off. The deeper we dug into it the more confusing things became. We looked at the domain name records, the site’s source code, and even the webpage hashes,” he said.

There was nothing, he said, that gave us “100% confidence” that the site was genuine until we contacted TriNet.

TriNet spokesperson Renee Brotherton confirmed to TechCrunch that the email campaign was legitimate, and that it uses the third-party site “for our compliance ePoster service offering.” She added: “The Imgur image you reference is an image of the TriNet logo that Poster Elite mistakenly pointed to and it has since been removed.”

“The email you referenced was sent to all employees who do not go into an employer’s physical workspace to ensure their access to required notices,” said TriNet’s spokesperson.

When reached, Poster Elite also confirmed the email was legitimate.

This is not a phishing site, but it sure looks like one. (Image: TechCrunch)

How did TriNet get this so wrong? This accumulation of errors had some who received the email worried that their information might have been breached.

“When companies communicate with customers in ways that are similar to the way scammers communicate, it can weaken their customer’s ability over time to spot and shut down security threats in future communications,” said Rachel Tobac, a hacker, social engineer, and founder of SocialProof Security.

Tobac pointed to two examples of where TriNet got it wrong. First, it’s easy for hackers to send spoofed emails to TriNet’s workers because TriNet’s DMARC policy on its domain name is not enforced.

Second, the inconsistent use of domain names is confusing for the user. TriNet confirmed that it pointed the link in the email — posters.trinet.com — to eposterservice.com, which hosts the company’s compliance posters for remote workers. TriNet thought that forwarding the domain would suffice, but instead we thought someone had hijacked TriNet’s domain name settings — a type of attack that’s on the increase, though primarily carried out by state actors. TriNet is a huge target — it stores workers’ benefits, pay details, tax information and more. We had assumed the worst.

“This is similar to an issue we see with banking fraud phone communications,” said Tobac. “Spammers call bank customers, spoof the bank’s number, and pose as the bank to get customers to give account details to ‘verify their account’ before ‘hearing about the fraud the bank noticed on their account’ — which, of course, is an attack,” she said.

“This is surprisingly exactly what the legitimate phone call sounds like when the bank is truly calling to verify fraudulent transactions,” Tobac said.

Wethington noted that other suspicious indicators were all techniques used by scammers in phishing attacks. The posters.trinet.com subdomain used in the email was only set up a few weeks ago, and the eposterservice.com domain it pointed to used an HTTPS certificate that wasn’t associated with either TriNet or Poster Elite.

These all point to one overarching problem. TriNet may have sent out a legitimate email but everything about it looked problematic.
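As an added example (not TechCrunch’s, TriNet’s or Poster Elite’s code), the script below runs the checks described above against a constructed message: it reads the DMARC verdict from the Authentication-Results header, flags images hosted off the sender’s domain (the Imgur-style logo), and flags links that lead to a different domain than the one the email was sent from. All domains and addresses in it are placeholders modelled on the story, not the real email.

```python
"""Triage a raw email for the red flags discussed in the TriNet story.

Added example, not code from the article or any company named in it. The message
below is constructed: a DMARC verdict of none, a logo hosted on a third-party image
host, and one link to a domain other than the sender's.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

SAMPLE_EMAIL = """\
From: HR Notices <notices@hr-provider.example>
To: employee@startup.example
Subject: Required labor law notices for remote employees
Authentication-Results: mx.startup.example; spf=pass smtp.mailfrom=hr-provider.example;
 dkim=pass header.d=hr-provider.example; dmarc=none header.from=hr-provider.example
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="https://i.image-host.example/logo123.png" alt="logo">
<p>Please review your compliance posters:</p>
<a href="https://posters.hr-provider.example/login">View posters</a>
<a href="https://eposter-vendor.example/portal">Alternate link</a>
</body></html>
"""

# Captures both image sources and link targets, keeping which attribute they came from
URL_RE = re.compile(r'\b(src|href)="([^"]+)"', re.IGNORECASE)


def registrable(host: str) -> str:
    """Crude organisation domain: the last two labels (fine for .example, not for co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def dmarc_verdict(msg: Message) -> str:
    """Return the dmarc= result from Authentication-Results, or 'absent' if none is present."""
    for hdr in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bdmarc=(\w+)", hdr, re.IGNORECASE)
        if m:
            return m.group(1).lower()
    return "absent"


def triage(raw: str) -> dict:
    """Parse the message and return the sender domain plus every red flag found."""
    msg = message_from_string(raw)
    sender_domain = registrable(parseaddr(msg["From"])[1].split("@")[-1])
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    flags = {}

    # 1. No DMARC pass means the sending domain can be spoofed without being rejected
    verdict = dmarc_verdict(msg)
    if verdict != "pass":
        flags["dmarc"] = f"dmarc={verdict}: sender domain is not protected by an enforced policy"

    # 2./3. Images and links that live outside the sender's own domain
    off_images, off_links = [], []
    for attr, url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registrable(host) == sender_domain:
            continue  # posters.hr-provider.example is the sender's own subdomain
        (off_images if attr.lower() == "src" else off_links).append(host)
    if off_images:
        flags["third_party_images"] = sorted(set(off_images))
    if off_links:
        flags["off_domain_links"] = sorted(set(off_links))
    return {"sender_domain": sender_domain, "flags": flags}


if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    print("sender:", result["sender_domain"])
    for name, detail in result["flags"].items():
        print(f"  [!] {name}: {detail}")
```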

On one hand, being vigilant about incoming emails is a good thing. And while evading phishing attacks is a cat-and-mouse game, there are things that companies can do to proactively protect themselves and their customers from scams and phishing attacks. And yet TriNet failed on almost every count, opening itself up to attacks by not employing these basic security measures.

“It’s hard to distinguish the good from the bad even with proper training, and when in doubt I recommend you throw it out,” said Wethington.

Facebook sues OnlineNIC for domain name fraud associated with malicious activity

Facebook today announced it has filed suit in California against domain registrar OnlineNIC and its proxy service ID Shield for registering domain names that pretend to be associated with Facebook, such as www-facebook-login.com or facebook-mails.com. Facebook says these domains are intentionally designed to mislead and confuse end users into believing they’re interacting with Facebook.

These fake domains are also often associated with malicious activity, like phishing.

While some who register such domains hope to eventually sell them back to Facebook at a marked-up price, earning a profit, others have worse intentions. And with the launch of Facebook’s own cryptocurrency, Libra, a number of new domain cybersquatters have emerged. Facebook was recently able to take down some of these, like facebooktoken.org and ico-facebook.org, one of which had already started collecting personal information from visitors by falsely touting a Facebook ICO.

Facebook’s new lawsuit, however, focuses specifically on OnlineNIC, which Facebook says has a history of allowing cybersquatters to register domains with its privacy/proxy service, ID Shield. The suit alleges that the registered domains, like hackingfacebook.net, are being used for malicious activity, including “phishing and hosting websites that purported to sell hacking tools.”

The suit also references some 20 other domain names that it says are confusingly similar to Facebook and Instagram trademarks.


OnlineNIC has been sued before for allowing this sort of activity, including by Verizon, Yahoo, Microsoft and others. In the case of Verizon (disclosure: TechCrunch parent), OnlineNIC was found liable for registering more than 600 domain names similar to Verizon’s trademark, and the courts awarded $33.15 million in damages as a result, Facebook’s filing states.

Facebook is asking for a permanent injunction against OnlineNIC’s activity, as well as damages.

The company says it took this issue to the courts because OnlineNIC has not been responsive to its concerns. Facebook today proactively reports instances of abuse with domain name registrars and their privacy/proxy services, and often works with them to take down malicious domains. But the issue is widespread — there are tens of millions of domain names registered through these services today. Some of these businesses are not reputable, however. Some, like OnlineNIC, will not investigate or even respond to Facebook’s abuse reports.

The news of the lawsuit was previously reported by Cnet and other domain name news sources, based on courthouse filings.

Attorney David J. Steele, who previously won the $33 million judgment for Verizon, is representing Facebook in the case.

“By mentioning our apps and services in the domain names, OnlineNIC and ID Shield intended to make them appear legitimate and confuse people. This activity is known as cybersquatting and OnlineNIC has a history of this behavior,” writes Facebook, in an announcement. “This lawsuit is one more step in our ongoing efforts to protect people’s safety and privacy,” it says.

OnlineNIC has been asked for comment and we’ll update if it responds.

Google updates its Titan security keys with USB-C

Google has revealed its latest Titan security key — and it’s now compatible with USB-C devices.

The latest Titan key arrives just weeks after its closest market rival Yubico — which also manufactures the Titan security key for Google — released its own USB-C and Lightning-compatible key, but almost two years after the release of its dedicated USB-C key.

These security keys offer near-unbeatable security against a variety of threats to your online accounts, from phishing to nation-state attackers. When you want to log in to one of your accounts, you plug in the key to your device and it authenticates you. Most people don’t need a security key, but they are available for particularly high-risk users, like journalists, politicians and activists, who are frequently targeted by hostile nation states.

By Google’s own data, security keys are far stronger than other options, like a text message sent to your phone.

Many companies, like Coinbase, Dropbox, Facebook, Twitter and Google, support the use of security keys. Although the list of supporting companies is not vast, it continues to grow as security key usage increases.

Google said its newest key will be available from October 15 for $40.

Microsoft says Iranian hackers targeted a 2020 presidential candidate

Microsoft said it has found evidence that hackers associated with Iran have targeted a 2020 presidential candidate.

The tech giant’s security and trust chief confirmed the attack in a blog post, but the company would not say which candidate was the target.

The threat group, which Microsoft calls Phosphorus — also known as APT35 — made more than 2,700 attempts to identify consumer email accounts belonging to specific Microsoft customers. These accounts, he said, are “associated” with a presidential campaign, current and former U.S. government officials, journalists and prominent Iranians living outside the country.

“Four accounts were compromised as a result of these attempts; these four accounts were not associated with the U.S. presidential campaign or current and former U.S. government officials,” said Tom Burt, Microsoft’s vice president of customer security and trust.

The attacks happened between August and September, said Burt.

The threat group tried to obtain access to secondary email accounts linked to a Microsoft account, which could then be used as a way to break into the primary account, he said.

Some attacks involved gathering and targeting user phone numbers.

Burt said the attacks were “not technically sophisticated” but attempted to use a “significant amount of personal information” both to identify and attack the accounts.

This isn’t the first time Phosphorus has appeared on Microsoft’s radar. The tech giant sued the threat group, believed to be backed by Tehran, earlier this year to take control of several domains used by the hackers to launch watering hole attacks. The hacker group is also believed to be linked to former U.S. Air Force counter-intelligence officer Monica Witt, who defected to Tehran in 2013 and is now wanted by the FBI for alleged espionage.

In previous campaigns, the hackers have targeted academics and journalists with spearphishing campaigns that mimic Yahoo and Google login pages and can defeat two-factor authentication.

Microsoft said it’s made more than 800 notifications of attempted state-backed attacks against users who are protected by the tech giant’s account monitoring service aimed at political campaigns.