CyberheistNews Vol 4, 27
Prepare Yourself For High-Stakes Cyber Ransom
Roger Grimes over at InfoWorld did a great write-up about the state of cyber ransom these days. He also reviewed the history and laid out the factors behind the current dramatic increase in high-tech ransomware. He started out with:
"Criminals who hold your data hostage have been around for a while. But the threat is about to get a whole lot worse. Why? Because success breeds imitators -- and ransom has been paying off big lately. You either pay a large sum of money or suffer the consequences.
"I'm not talking about some CryptoLocker variant holding an individual's computer hostage unless money is sent via PayPal or Coinbase. I'm talking about scenarios in which a hacker gains complete control over a company's valuable digital assets and demands major compensation to keep all that loot from landing in the bit bucket.
"Ransom incidents will increase significantly in the next decade. I'm not taking a leap of faith here or predicting a new trend -- in fact, I'm hopping on late. The trend is already in progress, and I'm sharing what I know. Any company can be a victim, including yours. Your company's management needs to know how to think about this new threat."
Roger has always been a major proponent of Security Awareness Training and this column is no exception. Read it here, shiver, and forward to your C-Level execs with the request for more budget!
Fascinating Phishing Attack On Bitcoin Auction Bidders
Ever hear of CoinDesk? It is a news site covering pricing and other information about digital currencies. They reported a fascinating phishing attack on a list of auction participants.
A member of the US Marshals screwed up and sent information to everyone using CC instead of BCC. That revealed all the parties attempting to bid on the bitcoin seized during the raid on the Silk Road marketplace.
Scammers have been making hay with the list. At least one recipient fell for the scam. Bitcoin Reserve, an Australian bitcoin arbitrage fund, lost 100 bitcoins after co-founder Sam Lee clicked the fake link.
The hackers ran a very clever four-stage phishing attack.
1) Lee received an email on June 21 from a certain 'Linda Jackson' claiming to represent BitFilm Production, a genuine company based in Germany. Jackson falsely claimed that the firm was assembling a series of interviews about the impending auction for a client.
2) "Jackson" then sent Lee a second email containing a link that directed to a file containing the questions for the interviews. This appeared to be a Google Drive document, but was actually a website controlled by the attacker.
3) The fake page then requested Lee's email password, supposedly to open the document. Once the password was entered, the attacker had access to Lee's email accounts.
4) As the last step, the scammers sent an email that appeared to come from Lee to various employees, requesting that funds be sent to an external bitcoin wallet address, and the Bitcoin Reserve CTO unsuspectingly complied. OUCH.
As we all know, bitcoin transactions cannot be reversed. That means you can expect this type of scam to happen more and more often. Another reminder to THINK BEFORE YOU CLICK! Here is the whole story:
Quotes of the Week
"This I believe: That the free, exploring mind of the individual human is the most valuable thing in the world. And this I would fight for: the freedom of the mind to take any direction it wishes, undirected. And this I must fight against: any idea, religion, or government which limits or destroys the individual." - John Steinbeck, Writer (1902–1968)
"Whatever you may say, the body depends on the soul." - Nikolai Gogol, Writer (1809-1852)
Thanks for reading CyberheistNews! Please forward to your friends.
New Whitepaper: Improving The Compliance Management Process
How much can you save on compliance costs?
Only 13% of the organizations Osterman surveyed are “very satisfied” with the way that they manage regulatory compliance issues, despite the fact that 63% consider regulatory compliance to be “very important”.
Osterman's research found that you typically spend 19% of your compliance and audit time each year on tracking requirements and another 31% on gathering and maintaining audit evidence. Because these two activities alone consume fifty percent of your compliance efforts, how much can you save on overall compliance costs? Download this whitepaper and find out ...
Evolution of Mobile Ransomware
Does BYOD really stand for Bring Your Own Disaster? JD Sherry of Trend Micro discusses the latest mobile security trends and threats, including the evolution of ransomware and the Internet of Things.
In some ways, mobile devices and their users are facing the same security challenges PCs faced 20 years ago, except today's threats are more sophisticated and potentially devastating. That adds up to bad news for organizations with active BYOD policies, says Sherry, vice president of technology and solutions at Trend Micro.
Another significant mobility concern: the evolution of ransomware. Sherry is seeing a huge shift of ransomware attacks from PCs to mobile devices. In these attacks, users are effectively locked out of their devices by criminals who demand virtual currency payments to stop the assault.
"Individuals are having a hard time because they're not using the basic security precautions. They are becoming infected, going to sites that have malicious downloads and getting this payload on their particular device," Sherry says. "This is a big problem not only for consumers, but for organizations that have an open BYOD policy."
In an interview recorded at the Gartner Security & Risk Management Summit, Sherry discusses:
- Why BYOD can mean "Bring Your Own Disaster";
- The evolution of mobile ransomware;
- Security concerns about the Internet of Things.
Sherry is responsible for providing guidance and awareness regarding Trend Micro's entire security portfolio, aimed at protecting both commercial and government ecosystems. Here is the full six-minute interview at BankInfoSecurity; it is warmly recommended. Sherry paints the scary picture of your Internet-enabled TV being infected with ransomware, so that you need to pay a ransom to view your favorite TV show. DANG!:
Phishing Websites Up 10 Percent In First Quarter 2014
The United States continued to host the majority of phishing websites in the first quarter of 2014, but did not even crack the top 36 when it came to global computer infection rates, according to research from the Anti-Phishing Working Group (APWG).
Adam Greenberg over at SC Mag had a good summary of the data: "The number of overall phishing sites observed in the first quarter of 2014 was 125,215, marking a more than 10 percent increase over the final quarter of 2013, during which 111,773 phishing sites were observed, according to the APWG Phishing Activity Trends Report for the first quarter of 2014.
"The U.S. hosted more than 40 percent of those sites in each of the first three months of the year, according to the report. The U.S. hosted more than 56 percent of phishing websites in January, but that number dropped a bit following an uptick of sites hosted in Turkey in February and March.
“The U.S. hosts the most phishing sites because a large percentage of the world's websites and domain names are hosted in the United States,” Greg Aaron, president of Illumintel and senior research fellow with APWG, told SCMagazine.com in a Wednesday email correspondence.
"John Lacour, founder of PhishLabs, told SCMagazine.com in a Wednesday email correspondence that about 80 percent of phishing sites are hosted on compromised websites, according to PhishLabs data. Lacour said that trend will not change until website security is significantly improved.
"The number of brands and legitimate entities targeted in phishing attacks also went up in the first quarter of 2014, jumping to 557 from 525 in the previous quarter, according to the report.
“Criminals [are] attacking new brands,” Aaron said. “Almost any enterprise that takes in personal data via the web is a potential target. While phishing has traditionally targeted banks and money transfer services such as PayPal, we're seeing a wider range of targets getting spoofed, such as Airbnb and grocery store chains.” More:
9 Classic Hacking, Phishing And Social Engineering Lies
Whether it is on the phone, online or in person, here are nine lies hackers, phishers and social engineers will tell you to get what they want.
Number one is very relevant and I suggest you remind your users that any tech support person will never (and should never) ask for their password:
"This is Bob from IT. Your computer is infected."
Scammers often take advantage of a timely event, like a high-profile piece of malware that is infecting many computers. The average, non-computer-savvy employee gets nervous at the technical jargon the "IT person" on the phone is using.
"Eventually, I say 'Look, why don't I fix this for you? Give me your password and I will deal with it and call you back when I am done.'" The strategy plays on a person's fear and lack of comfort with tech. Here are all nine in a slideshow over at the CSO site:
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
Be Sure To Watch In HD! Flying a DJI Phantom 2 drone through a fireworks show and filming it with a GoPro Hero 3 Silver. Spectacular!:
This Woman Had Her Face Photoshopped In Over 25 Countries To Examine Global Beauty Standards:
10 disturbing attacks at Black Hat USA 2014:
This seven-story high robot juggles cars. They even have a patent pending!:
Two wild rhinos in South Africa come face to face with a GoPro camera that is standing in their way... (not for long):
A pilot shows off his amazing skill by flying his bi-plane sideways while racing with a Lamborghini 10 feet above the ground:
9 Hilarious Out-of-Office Email Auto-Replies
The Terra Wind is a first class motor coach that is as comfortable on the lake as it is on land. I want one:
From the lolcats dept: The cat learned to do this on her own and even tries to flush the toilet afterward:
This painting from the '3D Art Exhibition of Reverse Perspective by Brian Weavers' will amaze you: