KnowBe4 Security Awareness Training Blog

Meet CryptoWall, The New Ransomware Leader (with heatmap)

 

Malware comes in waves. CryptoLocker was the first major, vicious ransomware, and set off a bunch of copycats. Recently 16 competing ransomware gangs were identified. After CryptoLocker got dinged by Operation Tovar in June, the new kid on the criminal block is CryptoWall.

The former CryptoLocker wannabe has netted 625,000 infected systems (80,000 more than CryptoLocker) and more than $1 million in ransom money to date, according to a new report by Dell SecureWorks' Counter Threat Unit (CTU).

In the report they state that they "consider CryptoWall to be the largest and most destructive ransomware threat on the Internet as of this publication," and they expect this threat to continue growing.

CryptoWall social engineers an end-user, infects an endpoint, and encrypts what it can get access to: hard disks, removable drives, network drives, and even cloud storage services that are mapped to a targeted file system. 

CryptoWall has encrypted 5.25 billion files. Victims pay ransoms ranging from $200 to $2,000 apiece; one victim paid $10,000. Over the course of six months the CryptoWall criminals extorted 1,683 victims into paying up and made over $1 Mil in ransom money.

Compared to CryptoLocker's first 2 months ($27 Mil) that is not all that much, but CryptoWall does not provide many payment options compared to CryptoLocker, which offered the much easier MoneyPak option. CryptoWall only accepts Bitcoin, which is hard to come by for people who have no wallet set up.

"The threat actors behind this malware have several years of successful cybercrime experience and have demonstrated a diversity of distribution methods," the report said. "As a result, CTU researchers expect this threat will continue to grow."

Remember that KnowBe4's Kevin Mitnick Security Awareness Training comes with a crypto-ransom guarantee. If an employee who has taken our training and received at least one phishing security test per month clicks on a link and infects their workstation, KnowBe4 pays for your crypto-ransom. Find out how affordable this is for your organization now: 

Get A Quote Now

Chase Is Asking For Phishing Trouble

 

Chase bank says to click links if you suspect phishing. Huh? Yup, they do. Check out this email from Chase, scratch your head, and do not make this error in your own organization. If you want to train people to NOT click on dodgy links, be consistent about this in everything you do. Here is the offending Chase email:

Chase Is Asking For Phishing Trouble

If you cannot read the image, this is what it says: "If you are concerned about the authenticity of this message, please click here or call the phone number on the back of your credit card. If you would like to learn more about e-mail security or want to report a suspicious e-mail, click here..."

FAIL !!

The email was sent to Salted Hash by a reader. Thanks for the heads up!


J.P. Morgan Hacked Because Malware Infects Employee PC

 

This morning, the Wall Street Journal reported on the front page that J.P. Morgan was hacked and suffered a cyberheist, called "a significant breach of corporate computer security".

Bloomberg reported that the FBI, the US Secret Service, and even the NSA are investigating an incident that seems to have occurred in mid-August. 

According to Bloomberg, Russian hackers breached the bank's defenses and compromised gigabytes of data, but the exact nature of that data remains unknown. However, they said that the attackers "grabbed sensitive data from the files of bank employees, including executives."

There is such a thing as "the fog of war", and the same thing happens in cyberwar. There are conflicting reports as to how the hackers got in. One report points to a zero-day vulnerability in one of the applications on J.P. Morgan's website.

However, other people familiar with the probe said the evidence at this moment points to malware that infected an employee's personal computer and from there the hackers were able to move further into the bank's network. "They then plowed through layers of elaborate security to steal the data, a feat security experts said appeared far beyond the capability of ordinary criminal hackers," one source said.

The news of this data breach came just days after J.P. Morgan customers were targeted by a large wave of phishing emails trying to get their banking username and password. Proofpoint researchers, who discovered the campaign, said that victims were led to a fake login portal, which delivered banking malware disguised as a Java update after their username and password were entered into the form.

The J.P. Morgan employee's PC that was infected used VPN software to work remotely and the Journal said: "Such an attack would mark the latest instance in which a large corporate network was breached by a weak external link".

My take? The weak link in this case is an employee, as their personal computer got infected with malware, and guess how that happened. They clicked on a link or were socially engineered into opening an attachment that carried a malicious payload. The human is the weak link in IT security, and this latest data breach again shows how true this is. The employee probably fell for a (spear-) phishing attack and clicked on something they should not have.

When hackers broke into Target last year and stole 40 million card numbers, they originally infiltrated the retailer by stealing a ventilation contractor's password, using the same tactic. J.P. Morgan reported in their annual report that they will spend more than $250 Million per year and have about 1,000 people focused on cybersecurity.

All that time and money is wasted unless you also pay attention to the "human firewall", which you need to create first and foremost. You do that with effective security awareness training for all employees who have a PC and access to the Internet. KnowBe4 has a highly effective program to stay safe online, both for employees in the office and at home.

It is vitally important that all employees get educated about the dangers of the Internet. Find out how affordable this is for your organization now.

Get A Quote Now

Bitcoin Phishing Click Rate Higher Than Regular Scams

 

The Proofpoint Threatinsight blog reported on something curious. They called their post "Curiosity Clicks: Using Bitcoin's hype for phishing fun" and came up with some interesting statistics.

To begin with, the world of the new crypto currency Bitcoin is unregulated and designed for anonymity. It represents an attractive, $6.8 billion target to cyber criminals. 

Blockchain.info, the most popular Bitcoin "wallet" web site, reports that since September 2013 the number of "My Wallet" users has grown over 500% to over 2 million users, and daily transactions have nearly tripled to over 30,000 transactions per day. A percentage of these are ransomware victims transferring money to cyber criminals hoping to get their files unlocked.

Phishing Expeditions

The bad guys go where the money is, so with numbers like this, phishing attacks targeting Bitcoin users are literally "phishing expeditions." Attackers have used lists of known/active Bitcoin users and used widespread misperceptions about Bitcoin to try and improve their odds of success. 

They drilled down into a specific Bitcoin-themed phishing campaign and found that the 12,000 messages that were part of this campaign received a 2.7% click rate, which is higher than the percentage of Bitcoin users in the general population.

Curiosity Killed The Cash

The conclusion is simple: in some cases the link pointing to the phishing website was accessed by users who did not even have a Bitcoin wallet, very likely out of curiosity about the digital currency.

The phishing emails used a classic phishing strategy, a bogus alert of a suspicious sign-in attempt. To make sure that no Bitcoins are stolen, a password reset is recommended with a link to do that at the end of the message.

The messages claim to be from a Bitcoin related website called Blockchain.info and give a case number for the "incident", a classic social engineering tactic.

If the victim clicks the link, they land on a phishing site impersonating the Blockchain log-in page, and any information entered in the fields is sent directly to the phishers. Once the bad guys have that data they can log in to the user's real Blockchain.info account and empty it out. "Because Bitcoin transactions are by design irreversible and difficult to trace, the victim has almost no recourse for their loss," says Proofpoint.

New KnowBe4 Phishing Template

To test end-users and make sure their curiosity does not get them to click on Bitcoin-related phishing attacks, KnowBe4 has a new template in the Banking category, which uses a similar approach to what the bad guys did; however, the "access attempt" comes from Russia instead of China. Send this to your users and inoculate them against Bitcoin-related attacks. If you do not yet use simulated phishing attacks on your users to protect your network, find out how affordable it is for your organization.

Get A Quote Now

 

CyberheistNews Vol 4, # 34 Cryptolocker Being Spread Via YouTube Ads

 
Stu Sjouwerman's New Security Newsletter

Editor's Corner


Cryptolocker Being Spread Via YouTube Ads

VirusBulletin reported that cyber criminals now spread around Cryptolocker / CryptoWall via YouTube. Malware researchers Vadim Kotov and Rahul Kashyap discovered the cyber criminals purchase advertising space and use exploit kits to infect workstations.

They ran into this while checking YouTube and website banners for situations where malware writers had in fact bought space to spread their malware on unpatched computers. The researchers wrote: "We conclude that ad networks could be leveraged to aid, or even be substituted for current exploit kits."

YouTube Ad space turns out to be a cheap and efficient way to spread browser malware while using the powerful YouTube geo-targeting features. Unfortunately, this is a highly profitable criminal business model. The researchers stated there was very little advertising networks could do to prevent the attacks. Obviously YouTube (Google) is going to try hard but preventing this is not easy.

Now, spreading malware via ad-networks in itself is nothing new. We have seen this since 2010 where scareware was promoted as "Free Security Scans" remember? The free scan found a host of "problems" and sold you a rip-off bogus AV product. Some of these same gangs have moved on to ransomware.

What is new here is this: clicking on a thumbnail after the first video causes a redirect, an exploit kit located on a compromised website kicks in, finds a known unpatched vulnerability, and once found, executes ransomware code which locks all files and extorts $500. These exploit kits check for hundreds of known holes in mere seconds, so the "ad-network" threat just escalated to a much higher level.

So, there are a few best-practice points to consider here. Patching end-user workstations as soon as possible becomes more important. I would look at blocking YouTube at the edge and/or deploying ad blockers in your Internet filter or as browser plug-ins, and of course, you guessed it, educate your users! Story at VirusBulletin:
https://www.virusbtn.com/blog/2014/08_15.xml

More Ransomware News

Last week, Nicole Perlroth at the New York Times wrote: "You are guilty of child porn, child abuse, zoophilia or sending out bulk spam. You are a criminal. The Federal Bureau of Investigation has locked you out of your phone and the only way to regain access to all your data is to pay a few hundred dollars.

"That message — or variations of it — has popped up on hundreds of thousands of people’s Android devices in just the last month. The message claims to be from the F.B.I., or cybersecurity firms, but is in fact the work of Eastern European hackers who are hijacking Android devices with a particularly pernicious form of malware, dubbed “ransomware” because it holds its victims’ devices hostage until they pay a ransom.

In just the last 30 days, roughly 900,000 people were infected with a form of ransomware called “ScarePackage,” according to Lookout, a San Francisco-based mobile security firm.

“This is, by far, the biggest U.S. targeted threat of ransomware we’ve seen,” said Jeremy Linden, a senior security product manager at Lookout. “In the past month, a single piece of malware has infected as many devices in the U.S., as a quarter of all families of malware in 2013.”

By reverse coding the ransomware, Lookout’s engineers found several clues indicating that the ransomware’s authors are of Eastern European origin. Russian and Slavic words and slang appeared in the code. Here is the full blog post:
http://bits.blogs.nytimes.com/2014/08/22/android-phones-hit-by-ransomware/

Even MORE Ransomware News

The Avast Blog reports a new "password stealer" feature in the Reveton ransomware. Reveton is the type of "police" lock/screen ransomware which falsely alerts users they've broken some law and demands payment of a fine, usually in Bitcoin or MoneyPak. The new password stealer is very powerful and dangerous.

The authors upgraded the despised malware from a LockScreen-only version to a powerful password and credentials stealer by adding the latest version of "Pony Stealer". This addition affects more than 110 applications and turns your computer into a botnet client. It's a good example of the criminal ecosystem that exists now: malware writers license other malware writers' apps and integrate them for more profit. Much more about this at the KnowBe4 Blog. (You can subscribe to the blog and get new post alerts via email):
http://blog.knowbe4.com/bid/394854/Reveton-Ransomware-Adds-Powerful-Password-Stealer

All the above are great reasons for effective security awareness training. Find out how affordable this is for your organization now. Why Kevin Mitnick security awareness training? Ransomware, that's why. Get a quote now:
http://info.knowbe4.com/ransomware-cryptolocker-guarantee_primary_14-08-26

Workers At U.S. Nuclear Regulator Fooled By Phishers

Antone Gonsalves at CSO reported something that worries me, and this SHOULD NOT BE at this day and age.

"Nuclear Regulatory Commission employees were tricked into disclosing passwords and downloading malware in three foreign-based phishing attacks that occurred over a three-year period. The incidents were described in an inspector general report obtained by the publication Nextgov through an open-records request.

In one incident, the attackers sent email to 215 NRC employees, asking them to verify their accounts by clicking on a link and logging in with their user name and password.

A dozen employees clicked on the link, which actually connected to a spreadsheet on Google Docs. After the incident was reported, the NRC cleaned the workers' systems and changed their credentials, a commission spokesman told Nextgov.

In another incident, attackers tricked an employee into clicking on an email link that downloaded malware from Skydrive, Microsoft's file hosting service that is now called OneDrive. The employee was one of a number of workers who received email in the spearphishing attack, the report said.

Both of the attacks originated from foreign countries that were not identified. In the third incident, the attacker hacked an employee's email account and used the contact list to send email carrying a malicious attachment to 16 other employees, according to Nextgov. One employee opened the attachment, which infected the NRC computer. Whether the attack was from a foreign country was not known.

The inspector general report listed 17 compromises or attempted compromises that occurred from 2010 to November 2013, Nextgov said. During the 2013 fiscal year, U.S. government agencies reported 46,160 "cyber-incidents" in which computers were compromised, according to a report by the Government Accountability Office. The number represented a 33 percent increase from fiscal 2012.

The NRC's job is to ensure that the nation's nuclear power industry is following federal safety regulations. Because the NRC collects large amounts of information from nuclear facilities, the attackers were likely after that data to learn more about plant operations, Andrew Gintner, vice president of industrial security at Waterfall Security Solutions, said.

Security Awareness Training anyone? PLEASE?

There is more to this story, so continue to read here:
http://www.csoonline.com/article/2466725/physical-security/workers-at-u-s-nuclear-regulator-fooled-by-phishers.html

Quotes of the Week

"The best road to progress is freedom's road." - John F. Kennedy

"Freedom is never more than one generation away from extinction. We didn't pass it to our children in the bloodstream. It must be fought for, protected, and handed on for them to do the same." - Ronald Reagan

Thanks for reading CyberheistNews! Warm Regards, Stu Sjouwerman | Email me: feedback@knowbe4.com

WHITEPAPER:
Which of the 5 types of user education works best?

This whitepaper from Osterman Research shows which of the 5 types of security awareness training has the best results. Well over 200 organizations were asked questions related to their awareness training, malware infiltration, and if their problems with phishing were worse, the same or getting better. Research showed that an organization's Security Awareness Confidence Score varies significantly depending on the training type.

Download this whitepaper and find out which awareness training approach correlates with improvement of the phishing problem:
http://info.knowbe4.com/whitepaper-osterman-primary_14-08-26


Video: SQL Injection Explained In 5 Minutes

I was at Black Hat and left my email address at the Imperva booth. They sent me this and it's a very good little intro: "SQL injection attacks have been around for more than ten years … yet 97 percent of data breaches worldwide are still due to a SQL injection somewhere along the line," Neira Jones, Head of Payment Security for Barclaycard, 2012.

SQL injection attacks are the single most dangerous hacking attack today. Do you know how SQL injection password attacks work from start to finish? Test your knowledge with this video demonstration of a SQL injection attack. This step-by-step video:

  • Shows how hackers use SQL injection to hack into databases
  • Demonstrates the steps for SQL injection reconnaissance
  • Explains how passwords and credit card numbers can be extracted with SQL injection.

View Video (5:00):
https://www.youtube.com/watch?v=yZ8aDFs0Z38&feature=youtu.be
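As an added illustration of the password attack the video walks through (example code written for this page, not Imperva's demo or anything taken from the video): a login check that builds its SQL by string concatenation, next to the same check written as a parameterised query, both run against a constructed in-memory SQLite table. The account names, passwords and the SHA-256 hashing are made up for the demo; the point is that the first version lets a quote character in the user name rewrite the query, while the second treats the same input as plain data.

```python
import hashlib
import sqlite3


def _hash(password: str) -> str:
    # Demo only: a real login store uses a salted, slow KDF (bcrypt, scrypt, argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table with two sample accounts (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", _hash("correct horse")), ("admin", _hash("s3cret"))],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Vulnerable pattern: the WHERE clause is assembled from raw user input.

    A quote in `username` closes the string literal early and the rest of the
    input is interpreted as SQL, so the password check can be commented away.
    """
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password_hash = '{_hash(password)}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Hardened pattern: placeholders keep SQL text and user-supplied values apart.

    The driver binds the values after the statement is parsed, so quote
    characters or comment markers in the input can never change the query.
    """
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, _hash(password)),
    ).fetchone()
    return row[0] if row else None


def compare(username: str, password: str):
    """Run both login checks on a fresh demo table and return (vulnerable, safe) results."""
    conn = make_demo_db()
    try:
        return login_vulnerable(conn, username, password), login_safe(conn, username, password)
    finally:
        conn.close()


if __name__ == "__main__":
    # A real credential succeeds in both versions; a wrong password fails in both.
    print(compare("alice", "correct horse"))   # ('alice', 'alice')
    print(compare("alice", "wrong"))           # (None, None)
    # A crafted user name comments out the password check only in the vulnerable version.
    print(compare("admin' --", "anything"))    # ('admin', None)
```

The fix is not input filtering but the second query shape: once values travel as bind parameters, the database never parses them, which is why parameterised statements (or an ORM that generates them) are the standard mitigation the video's "step-by-step" attack runs into.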


Hacking Into Traffic Lights With a Plain Old Laptop Is Scary Simple

Gizmodo reported yesterday about a new study from the University of Michigan on the vulnerabilities of traffic lights which is shocking proof that we need to make some major changes, and we need to make them now.

A team led by computer scientist J. Alex Halderman recently conducted a study on the security of traffic lights in an unnamed Michigan town and found them to be ridiculously easy to hack. There are three major weaknesses:

  • unencrypted wireless connections,
  • use of default usernames and passwords, and
  • vulnerable debugging ports

These meant that the researchers were able to take control of the lights with a normal laptop. As long as the wireless card in the hacker's computer can communicate on the same frequency that the traffic lights use, it can break into the wireless network that powers the entire system. It's pretty mind-boggling actually. A hacker can find the default usernames and passwords needed for unfettered access and take over a whole city's traffic system with one dinky exploit. And it really is a systemic problem. The research team wrote: "The vulnerabilities we discover in the infrastructure are not a fault of any one device or design choice, but rather show a systemic lack of security consciousness." We agree. Security Awareness Training is needed on all levels, from the end-user on up through development and the C-Suite. Link:
http://gizmodo.com/hacking-into-traffic-lights-with-a-plain-old-laptop-is-1624102517


Is Microsoft Antivirus Legit Again?

This question was asked in the Security Forum at Spiceworks. My answer was as follows, and you might be surprised.

"Unfortunately, from where most of us are sitting (inside an organization), it is practically impossible to determine the quality of AV engines. The next issue is that the "testing" organizations also only have a partial look at the whole universe of malware out there. AV-test and Virustotal are relying mostly on a collection (or zoo) of known and new strains out there, and these are normally gathered using all AV engines (around 40-ish) and seeing who catches a sample first. Then they do their testing and scoring, but sadly it is a matter of the blind leading the blind.

The actual problem is that there are many hundreds of unknown zero-day threats out there, that NO antivirus engine can protect against. These 0-days are spread over dozens of popular apps. And as we recently saw, even AV engines themselves are riddled with 0-days. Government spy agencies buy these from specialized companies like British/German FinFisher, the French company Vupen, and the Italian Hacker Team. Cyber mafias buy them from independent criminal researchers. The spear-phishing attacks that target your company are laced with these 0-days. No AV is going to be effective against that.

Let's use logic for a moment. Microsoft has by far the world's largest network of "sensors", hundreds of millions of Windows machines. They stand to gain the most from Windows being stable and not infected with malware. This massive detection network means they will be among the very first to get samples from unknown malware, and the first able to update their most recent Windows Defender code, which by now is a full-fledged AV engine.

Redmond is downplaying its quality to not upset their AV channel partners and not get into trouble with the Monopoly-cops. They do not care about certification from Virus Bulletin or AV test, because the tests are not very relevant. What is relevant are real-life threats out there in the wild. And they do know about them first.

I have uninstalled all AV protection and rely on two things: Windows Defender and training. I started KnowBe4 after having been inside the AV industry and created Kevin Mitnick Security Awareness Training, because that is at this point a missing element in defending against those 0-day spear-phishing attacks.

What I would consider is a whitelisting product that only allows known-good executables to run, and perhaps MalwareBytes as a second opinion when needed.


"Cybersecurity As Realpolitik" By Dan Geer - Black Hat 2014

Dan Geer's Black Hat 2014 Keynote Cybersecurity as Realpolitik is thoughtful, smart, vital, and cuts through -- then ties together -- strands of security, liability, governance, privacy, and fairness, and is a veritable manifesto for a better (digital) world.

Dan Geer is a computer security analyst and risk management specialist. He is recognized for raising awareness of critical computer and network security issues before the risks were widely understood, and for ground-breaking work on the economics of security.

Geer is currently the chief information security officer for In-Q-Tel, a not-for-profit venture capital firm that invests in technology to support the Central Intelligence Agency. 54 minute video:
http://videosift.com/video/A-video-about-cybersecurity-that-you-should-really-watch

Available in text: http://geer.tinho.net/geer.blackhat.6viii14.txt


Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

Magicians Kevin James, Dan Sperry and Adam Trent perform during the live results show of America's Got Talent 2014 at Radio City Music Hall:
http://www.flixxy.com/the-illusionists-magic-trio-americas-got-talent-2014.htm?utm_source=4

A unique aerobatic display in the world's top aerobatic glider aided by wingtip smoke and pyrotechnics:
http://www.flixxy.com/glider-plane-shooting-fireworks-from-the-wings.htm?utm_source=4

No action movie features a stunt as wild as this real-life footage from a dash-cam in Mogilev, Belarus:
http://www.flixxy.com/luckiest-motorcyclist-ever.htm?utm_source=4

The story of a man who proposes a wager as an opportunity to challenge himself to create an original performance in order to win a money-can’t-buy experience. 6 minute short, starring Jude Law and Giancarlo Giannini:
http://www.flixxy.com/the-gentlemans-wager-short-film.htm?utm_source=4

French athlete Floria Guei catches up from 4th place to 1st to win the Women's 4x400m Relay Final at the European Gymnastics Championships in Zurich 2014:
http://www.flixxy.com/incredible-victory-4x400m-relay-european-championship.htm

Should you believe your ears and the things they hear? Sometimes not!
http://www.flixxy.com/can-you-trust-your-ears-audio-illusions.htm?utm_source=4

'Beautiful' is the only word that can possibly be used to describe this video filmed at the Okinawa Churaumi Aquarium in Japan. The glass is 2 feet thick:
http://www.flixxy.com/okinawa-churaumi-aquarium.htm?utm_source=4

Survival Bike: Black Ops combines a moped and end of the world arsenal:
http://www.slashgear.com/survival-bike-black-ops-combines-a-moped-and-end-of-the-world-arsenal-05339952/

Bulletproof Coffee, The New Power Drink Of Silicon Valley:
http://www.fastcompany.com/3032635/most-creative-people/bulletproof-coffee-the-new-power-drink-of-silicon-valley

Billionaire Elon Musk: How I Became The Real 'Iron Man' - Lunch & Learn:
https://www.youtube.com/watch?v=mh45igK4Esw&feature=youtu.be&app=desktop

An excellent video animation created by Zero One Animation for the account of the Melbourne museum showing the destruction of the historic city of Pompeii after the eruption of the volcano Vesuvius. 8 minutes of WOW:
https://www.youtube.com/watch?v=dY_3ggKg0Bc

 

A cybersecurity video you should really watch

 

Cybersecurity as Realpolitik by Dan Geer at Black Hat USA 2014

If you are active in IT Security in any way, Dan Geer's Black Hat 2014 Keynote Cybersecurity as Realpolitik is thoughtful, smart, vital, and cuts through -- then ties together -- strands of security, liability, governance, privacy, and fairness, and is a veritable manifesto for a better (digital) world.

Dan Geer is a computer security analyst and risk management specialist. He is recognized for raising awareness of critical computer and network security issues before the risks were widely understood, and for ground-breaking work on the economics of security.

Geer is currently the chief information security officer for In-Q-Tel, a not-for-profit venture capital firm that invests in technology to support the Central Intelligence Agency. 54 minute video:
http://videosift.com/video/A-video-about-cybersecurity-that-you-should-really-watch

Available in text: http://geer.tinho.net/geer.blackhat.6viii14.txt

900,000 Android Phones Hit by Ransomware in 30 days

 

August 22, 2014 - Nicole Perlroth at the New York Times wrote: "You are guilty of child porn, child abuse, zoophilia or sending out bulk spam. You are a criminal. The Federal Bureau of Investigation has locked you out of your phone and the only way to regain access to all your data is to pay a few hundred dollars.

"That message — or variations of it — has popped up on hundreds of thousands of people’s Android devices in just the last month. The message claims to be from the F.B.I., or cybersecurity firms, but is in fact the work of Eastern European hackers who are hijacking Android devices with a particularly pernicious form of malware, dubbed “ransomware” because it holds its victims’ devices hostage until they pay a ransom.

In just the last 30 days, roughly 900,000 people were infected with a form of ransomware called “ScarePackage,” according to Lookout, a San Francisco-based mobile security firm.

“This is, by far, the biggest U.S. targeted threat of ransomware we’ve seen,” said Jeremy Linden, a senior security product manager at Lookout. “In the past month, a single piece of malware has infected as many devices in the U.S., as a quarter of all families of malware in 2013.”

By reverse coding the ransomware, Lookout’s engineers found several clues indicating that the ransomware’s authors are of Eastern European origin. Russian and Slavic words and slang appeared in the code.  Here is the full blog post.

Not news: Windows Store is full of scam apps

 

Over at WindowsIT Pro, the author wrote:

"I wish this were news, in the sense that I wish it were a new development. But the dark underbelly of Microsoft's efforts to quickly establish an apps ecosystem that can rival those by market leaders Google and Apple is in fact a years-long problem. You may have seen recent reports about "scam" apps in the Windows Store, which sells apps for Windows 8/RT. These apps look like real apps—VLC Player, iTunes, whatever—but are in fact just ways to siphon money out of your pocket.

The thing is, Microsoft has been allowing this crap in its store since it opened the Windows Phone Store back in 2010. And it continued the practice with the Windows Store in 2012. So it's good that people are calling attention to this, of course. But this isn't new, nor is it news. It's just a really, really shabby thing that Microsoft does to pump up its app numbers. But this practice also ensures that its own stores are second rate and always will be until they clean it up."  The whole post can be found at: http://windowsitpro.com/paul-thurrotts-wininfo/short-takes-august-22-2014?

Security awareness training is a way to avoid getting scammed and to spot these apps that just steal your money.

Workers At U.S. Nuclear Regulator Fooled By Phishing

 

Antone Gonsalves at CSO reported something that worries me, and this SHOULD NOT BE at this day and age.

"Nuclear Regulatory Commission employees were tricked into disclosing passwords and downloading malware in three foreign-based phishing attacks that occurred over a three-year period. The incidents were described in an inspector general report obtained by the publication Nextgov through an open-records request.

The NRC's job is to ensure that the nation's nuclear power industry is following federal safety regulations. Because the NRC collects large amounts of information from nuclear facilities, the attackers were likely after that data to learn more about plant operations, Andrew Gintner, vice president of industrial security at Waterfall Security Solutions, said.

In one incident, the attackers sent email to 215 NRC employees, asking them to verify their accounts by clicking on a link and logging in with their user name and password.

A dozen employees clicked on the link, which actually connected to a spreadsheet on Google Docs. After the incident was reported, the NRC cleaned the workers' systems and changed their credentials, a commission spokesman told Nextgov.

In another incident, attackers tricked an employee into clicking on an email link that downloaded malware from Skydrive, Microsoft's file hosting service that is now called OneDrive. The employee was one of a number of workers who received email in the spearphishing attack, the report said.

Both of the attacks originated from foreign countries that were not identified. In the third incident, the attacker hacked an employee's email account and used the contact list to send email carrying a malicious attachment to 16 other employees, according to Nextgov. One employee opened the attachment, which infected the NRC computer. Whether the attack was from a foreign country was not known.

The inspector general report listed 17 compromises or attempted compromises that occurred from 2010 to November 2013, Nextgov said. During the 2013 fiscal year, U.S. government agencies reported 46,160 "cyber-incidents" in which computers were compromised, according to a report by the Government Accountability Office. The number represented a 33 percent increase from fiscal 2012.

Security Awareness Training anyone? PLEASE?

Get A Quote Now

There is more to this story, so continue to read here: http://www.csoonline.com/article/2466725/physical-security/workers-at-u-s-nuclear-regulator-fooled-by-phishers.html

Cryptolocker Being Spread On YouTube Ads

 

CryptoLocker spread via YouTube

VirusBulletin reported that cyber criminals now spread around Cryptolocker / CryptoWall via YouTube. The cyber criminals purchase advertising space and use exploit kits to infect workstations, malware researchers Vadim Kotov and Rahul Kashyap discovered.

They ran into this while checking YouTube and website banners for situations where malware writers had in fact bought space to spread their malware on unpatched computers. The researchers wrote: "We conclude that ad networks could be leveraged to aid, or even be substituted for current exploit kits."

YouTube Ad space turns out to be a cheap and efficient way to spread browser malware while using the powerful YouTube geo-targeting features. Unfortunately, this is a highly profitable criminal business model. The researchers stated there was very little advertising networks could do to prevent the attacks. Obviously YouTube (Google) is going to try hard but preventing this is not easy.

Now, spreading malware via ad-networks in itself is nothing new. We have seen this since 2010 where scareware was promoted as "Free Security Scans" remember? The free scan found a host of "problems" and sold you a rip-off bogus AV product.

What is new here is this: clicking on a thumbnail after the first video caused an exploit kit to kick in, which looks for a known unpatched vulnerability and, once it finds one, executes ransomware code that locks all files and extorts $500. These exploit kits check for hundreds of known holes in no time, so this "ad-network" threat just escalated to a much higher level.

So, there are a few best-practice points to consider here. Patching end-user workstations as soon as possible becomes more important. I would look at blocking YouTube at the edge and/or deploying more generic browser ad blocker plug-ins, consider an application whitelisting layer, and of course, you guessed it, educate your users!

It is necessary now more than ever to step your users through effective Kevin Mitnick Security Awareness Training. Click the button to find out how affordable this is for your organization. 

Why security awareness training? Ransomware, that's why:

Get A Quote Now

(This story was updated 8/23/2014 related to earlier scareware.) 
