The National Cyber Security Centre Finland’s weekly review – 39/2023
Information security now!
This week, the customers of a Finnish bank have been bombarded with thousands of phishing messages aimed at getting them to enter their bank credentials on spoofed websites created by scammers. We also provide valuable operating instructions for cloud incident response.
Topics covered in this week’s review
- Scammers phishing for OP bank credentials via email
- New instructions for cloud incident response
- In October, our experts will be sharing information on what Traficom's cyber threat prevention work is like in practice
- Vulnerabilities in Apple products, Chrome and other products using the libwebp software library
Scammers phishing for OP bank credentials via email
Over the past week, the NCSC-FI has received dozens of reports of bank credential phishing emails sent to potential victims under various names referencing the Finnish bank OP, such as OP-Petos, OP-Peruutuspalvelu, OP-Tukipalvelu and OP-Turvallisuuspalvelu. The emails claim that the bank is reaching out to the victim about some suspicious activity noticed on their bank account. The messages also include a link that leads to a phishing site disguised to look like the online bank service's login page.
Any bank credentials entered on the phishing site end up in the hands of criminals, giving them access to the victim's bank account.
The emails are written in fairly fluent Finnish. Each message is composed of eight lines of text, the wording of which varies slightly from message to message. What does not vary is the purpose of the messages: to get the victim to click on the included link, which leads to a phishing site. The structure of the messages is reminiscent of old “bullshit generators,” which assemble texts by combining selected words at random.
Each scam message is assembled out of different senders, greetings, forms of address, fearmongering, calls to action, phishing links and signatures, resulting in hundreds of thousands of messages that are all slightly different from one another. The idea is that a hundred thousand different spam messages will more easily escape the attention of online spam filters than a hundred thousand copies of the same message.
Although the scammers have put some effort into the language of the scam messages and setting up the phishing sites, vigilant bank customers will hopefully notice how crude the links included in the messages are. In fact, the scammers have not even tried to disguise them as bank URLs: the phishing sites have been set up on a range of breached servers, such as adult entertainment websites, which is blatantly obvious from the links themselves. If nothing else, that should tell potential victims that they are being scammed. Hopefully the campaign will not end up making any money for the scammers!
New instructions for cloud incident response
The purpose of the new instructions for cloud incident response prepared by Traficom’s NCSC-FI is to provide organisations with advice on how to prepare for and respond to information security incidents affecting cloud services. The instructions focus on examining the special characteristics of the cloud from the perspective of incident response. For effective cloud incident response, organisations should maintain and follow their own incident response plan.
The instructions offer guidance on a general level on how to act in the event of an information security incident and recover from it. It is recommended that each organisation draw up a separate guide for its own use that takes its technological and operational environment into account in more detail. The project is funded by the National Emergency Supply Agency.
Read the new instruction here (in Finnish):
https://www.kyberturvallisuuskeskus.fi/fi/julkaisut/toimintaohje-pilviymparistojen-poikkeamanhallinta
In October, our experts will be sharing information on what Traficom's cyber threat prevention work is like in practice
In October, we will be sharing information via our social media channels on what Traficom's cyber threat prevention work is like in practice. We will be covering notable cyber threats from recent years, with our experts detailing what these phenomena were all about and how they were handled in weekly videos. Topics to be covered include the malware FluBot, the NCSC-FI’s vulnerability coordination work and efforts to curtail scam calls.
Vulnerabilities
CVE: CVE-2023-5129
CVSS: 10.0
What: A vulnerability in the libwebp software library used by Google Chrome that also affects numerous other online software products, such as mobile devices, browsers and instant messaging services.
Product: 1Password, Signal, Safari, Mozilla Firefox, Microsoft Edge, Opera and Android operating system browsers, other products that use the libwebp software library.
Fix: Update the software to the latest patched version.
CVE: CVE-2023-41992, CVE-2023-41991, CVE-2023-41993
CVSS: not known
What: Several vulnerabilities in various Apple products, through the chaining of which an attacker could gain control of the affected device.
Product: iOS, iPadOS, Safari, watchOS, macOS
Fix: Update the software to the latest patched version.
About the weekly review
This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 22–28 September 2023). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens.