CyberheistNews Vol 4, 15
Scam Of The Week: Heartbleed Phishing Attack
The Heartbleed vulnerability truly is causing almost everyone a major headache. Talk about a FIRE that needs to be put out. On a scale of 1 to 10, this is an 11.
And to throw some gasoline on this fire, hackers are sending out phishing emails related to Heartbleed. One of these scams tries to trick users into handing over passwords that have not been compromised yet!
A list of more than 10,000 domains that were vulnerable, patched or unaffected by the bug was found on Pastebin by Easy Solutions. The fraud prevention company believes hackers are most likely behind the list.
"A lot of time what these guys will do is dump a list of inventory on Pastebin, cut that link and then share the link with their friends on a (underground) forum," Daniel Ingevaldson, Chief Technology Officer for Easy Solutions, said. "So, it's essentially a billboard for a service."
There are now world-wide scans going on across the whole 'Net. Many of these are legit scans, but the bad guys are not sitting still and are also looking for potential victims. "We're seeing a systematic canvassing of the entire Internet right now to see what's vulnerable and what isn't," Ingevaldson said. "It's a bit of a gold rush."
Tell your users to watch out for any emails (or scam phone calls) that relate to the Heartbleed bug. Links in such emails should not be followed and attachments should not be opened. If they want to change a password, they should wait until that site has announced it is patched, and then go to the site directly rather than clicking on any link to get there. Oh, and if you want to send them a simple, funny cartoon that explains the (simple, stupid) bug, here is a recent xkcd cartoon that explains...
KnowBe4 has a new Current Events simulated phishing attack related to the Heartbleed bug so our customers can send this to their users and inoculate them against this attack.
Regarding your own IT environment, Roger Grimes over at InfoWorld has a very good write-up. This thing is more pervasive than you think. Grimes said: "There's a very good chance that if you can connect to an SSL-/TLS-based service and it's not running Microsoft Windows or Apple OS X, it's vulnerable. This includes most VPN appliances, copy machines, and even most appliances. If you can connect to it using HTTPS, and it's not running on Microsoft Windows or OS X consider it vulnerable until proven otherwise. Do your best due diligence to make sure that you and your company are covered. This isn't just about external, Internet-facing websites. The bad guys routinely get on the internal networks and you can bet that they will be looking for vulnerable versions of OpenSSL with vigor." Read his full article here:
Wall Street Journal Quoted Me Regarding Ransomware Phishing Attacks
This week, Wall Street Journal MarketWatch reporter Priya Anand quoted me in an article she wrote about the new wave of ransomware phishing attacks.
She started out with: "Malware attacks that hijack your computer files until you pay a ransom increased by 500% from January to December last year, reaching 600,000 identified cases, according to a report released Tuesday by the security software company Symantec. And the kidnappers may not take cash. The criminals increasingly demand cryptocurrencies like bitcoin as payment, and have raked in some tens of millions of dollars in the last year."
And here is my quote: "The criminals often give their victims a decryption key to get back their files after receiving a ransom. For small businesses that haven't backed up files, it becomes a game of chance, says Stu Sjouwerman, CEO of the Clearwater, Florida-based security consulting and training company KnowBe4. 'If you have a choice between losing a month's worth of work or playing the game, you're going to...just pay up and hope it doesn't happen again,' he says." (Unless you step your users through effective Kevin Mitnick Security Awareness Training, that is...)
Here is the article, recommended to forward to your C-level; it's in the WSJ!
Quotes of the Week
"Judge a man by his questions rather than his answers." - Voltaire, Writer and Philosopher (1694 - 1778)
"Don't judge a man by his opinions, but what his opinions have made of him." - Georg Christoph Lichtenberg, Scientist (1742 - 1799)
Thanks for reading CyberheistNews! Please forward to your friends.
Which Security Awareness Training Has The Best Results?
A new whitepaper from Osterman Research shows which of the 5 types of awareness training has the best results.
Well over 200 organizations were asked questions related to their awareness training, malware infiltration, and if their problems with phishing were worse, the same or getting better. Research showed that an organization's Security Awareness Confidence Score varies significantly depending on the awareness training type they use.
Download this whitepaper and find out which awareness training approach correlates with improvement of the phishing problem.
More Than Half Of End Users Did Not Get Security Awareness Training
This week I attended a webinar about Security Awareness Training hosted by David Monahan, Research Director Security and Risk Management of Enterprise Management Associates.
Some astonishing numbers came out of this study of 600 employees. A whopping 56% of end-users state that they did not get any security awareness training from their employer.
Think about that for a moment, and how that translates in behavior like opening attachments infected with ransomware. Yikes. Next, the other 44% stated that they received their once-a-year training. That is almost just as worrisome, because getting reminded once a year not to click on bad links simply does not hack it (pun intended) these days. Recent scientific research shows that even being reminded every 90 days not to click on phishing links is completely ineffective.
Having no training obviously leads to all kinds of security policy violations, first because employees simply do not know the policies exist, and second because they simply don't care. Here are some more hair-raising statistics:
- 59% say they store work information on cloud services
- 58% of respondents say they store company-sensitive information on their personal devices
- 35% of the respondents say they have clicked on an email link from an unknown sender
- 33% say they use the same password for both work and personal devices
- 30% say they leave mobile devices unattended in their vehicles
This is the Internet equivalent of taking candy from strangers. "People repeatedly have been shown as the weak link in the security program," stated Monahan. "Without training, people will click on links in email and release sensitive information in any number of ways. In most cases they don't realize what they are doing is wrong until a third-party makes them aware of it."
Words straight out of my mouth, and I'm glad someone else is confirming the sorry state of affairs with security awareness training. More @hackbusters: http://www.hackbusters.com/news/stories/36193-majority-of-users-have-not-received-security-awareness-training-study-says
Fake Anti-Virus App Gets 10,000 Downloads on Google Play
When you do not provide effective security awareness training, people get social engineered ALL the time. For a short time, the fake app was the Top New Paid app on Google Play, but the app simply was a total scam and did nothing at all.
Android Police reports on a new Android app called Virus Shield, first made available on the Google Play store on March 28, 2014 for $3.99. Open the app and tap the shield, and an X changes to a check mark, apparently indicating that your device is now being protected. Hah.
"Let's not mince words here," writes Android Police's Michael Crider. "This is fraud, pure and simple, and the developer 'Deviant Solutions' potentially made considerable amounts of money based on a complete lie." The app has since been removed from Google Play, and the developer's account has been suspended. More @hackbusters: http://www.hackbusters.com/news/stories/36217-fake-anti-virus-app-gets-10-000-downloads-on-google-play
The History Of Malware Samples In Numbers
Virus Bulletin came up with some interesting historical facts. In 1989, when the very first Virus Bulletin rolled off the press (produced in a black-and-white, printed pamphlet style), there was only one subscriber and there were only 14 viruses known for the IBM PC. Five years on in 1994 there were over 3,000 viruses known to researchers, and here are the approximate numbers from there on out.
These numbers are an aggregate from several sources like AV-test, and antivirus vendors like Symantec, Sophos and Avast. As you can see, this is exponential. New malware strains are created on an industrial scale at about 1,000,000 a week now. No wonder that traditional antivirus can't keep up anymore and that it's time to "do a 180" and use a whole new way to protect workstations...
1989 = 14
1994 = 3,000
2002 = 15,000
2003 = 28,000
2004 = 90,000
2005 = 103,000
2006 = 124,000
2007 = 711,000
2008 = 11,600,000
2009 = 30,000,000
2010 = 46,000,000
2011 = 63,000,000
2012 = 70,000,000
2013 = 80,000,000
2014 = 130,000,000 est
The graph is at our blog where I have this posted as well. Always good ammo to show users and management to illustrate the malware challenge:
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
Old but amazing! Bob Hoover is one of the world's greatest aviators with unbelievable flying skills. Watch him pour iced tea while the plane is doing a roll! It's an Aviation Special Faves this week:
An Airbus A310 of the Portuguese Airline TAP makes an incredibly low pass turn at the 2007 Airshow in Evora. Watch that wingtip -almost- touch the ground:
Wouldn't it be nice to get a singing reception when you arrive at the airport? No instruments were used in this film, although I suspect they recorded it in the studio first, and then redid it live:
The world’s smallest twin-engine airplane has a wingspan of 16 feet, weighs 158 pounds, runs on two 15 hp engines, cruises at 120 mph, has a range of 310 miles and can even do aerobatics! (first 2 minutes):
And staying with small planes, featured in the James Bond flick "Octopussy", the Bede BD-5J is the world's smallest jet aircraft:
And here is the exciting future of small planes - The Quiet Supersonic Transport (QSST) aims to redefine air travel in the 21st Century:
Last bit of very cool brand new technology. A bionic kangaroo. Really:
A huge herd of elk crossing the road in Montana near Yellowstone Park. Cute ending:
Last but not least, this is a 6-minute essay that you should really watch: