CyberheistNews Vol 2, #47
Editor's Corner
[caption id="attachment_1367" align="alignleft" width="150" caption="Stu"]
[/caption]
Top 5 Spear-Phishing Attacks Targeting Executives
Twice a year, KnowBe4 publishes the Top 5 spear-phishing attacks that are
used to lure executives into clicking on links or open infected attachments.
We recommend sending this list to your executives and give them a heads-up.
The bad guys do not discriminate, they attack businesses but also non-profits
like governments and even churches. They are using increasingly sophisticated
spear-phishing scams on executives with access to corporate financial
accounts and other high-level proprietary information. Some organizations
are under constant, 24-hour attack by foreign hackers that are after their
intellectual property, this is known as an Advanced Persistent Threat (APT).
These hackers do their research and spend time customizing their spear-phishing
emails; as a result, many recipients are fooled by the level of detail and
authentic-looking messages and websites.
Here are the most recent spear-phishing attacks that are currently making
the rounds nationwide, and which pose a significant threat to your data-
and financial security. Note that some of these attacks are used for years,
because they continue to work on uninformed people.
Number 5
The Better Business Bureau Complaint In this scam, executives will receive
an official-looking email that is spoofed to make it appear as if it comes from
the Better Business Bureau. The message either details a complaint that a
customer has supposedly filed, or claims that the company has been accused
of engaging in identity theft. A complaint ID number is provided, and the
recipient is asked to click on a link if they wish to contest or respond to
the claim. Once the link is clicked, malware is downloaded to the system.
Number 4
The Smartphone 'Security App' This is a 2-step attack. With minimal
research cybercriminals can find the name and email addresses of a companys
CFO and social engineer them to click a link. That link infects the PC of
the CFO with a keylogger. This way the hacker obtains bank account data
and passwords. In case the bank uses two-factor authentication, the attacker
spoofs an email from the bank asking the CFO to install a smartphone security
app, which is actually malware giving them access to the phone. And with that,
the cybercriminals have full access to the CFOs bank account login credentials
and at the same time control any two-factor text messages sent to or from
the CFO authorizing money transfers.
Number 3
The Watering Hole Attack Hackers do their research on a targeted
executive, and find out which websites the executive frequents, sometimes
to discuss industry related topics with their peers, or perhaps a hobby site
the hackers learned about through the exec's social media postings. Next,
the bad guys compromise that website, and inject a zero-day exploit onto
public pages of the website that they hope will be visited by their targeted
executive. Once the exec does, their PC is infected with a keylogger and
the network penetrated.
Number 2
Free Dinner in Return for Feedback By reviewing an executives social
media profiles, cybercriminals are able to determine what charities that
individual supports or does business with, as well as his or her favorite
local restaurants. The scammer will then spoof an email from a representative
of that charity, asking the exec to download a Word Doc that supposedly contains
details on an upcoming campaign or event, and promises free dinner at their
favorite restaurant as an incentive for providing feedback. When the Word doc
is downloaded the user's password is stolen and gives hackers direct
access to the network. Here is a short video of Kevin Mitnick showing how
this type of exploit works. Take these two minutes, it's worth seeing: http://www.knowbe4.com/video-mitnick/
Number 1
'We're Being Sued' In this scenario, attackers dig up the email addresses
of a companys executives and also their legal counsel (in-house or external).
They will then spoof an email from the legal counsel to the executive team,
and attach a PDF that claims to contain information about new or pending
litigation. When the recipients download and open the attachment, their
system becomes infected and the entire network is compromised.
While savvy Internet users realize they should not click links or download
attachments from unknown senders, spoofed emails and official-looking
websites trick recipients into letting their guard down. When executives
receive a time-sensitive email that appears to be sent by the Better Business
Bureau, a fellow exec, their legal counsel or an organization they support,
most wont think twice before clicking because they trust the person they
believe is the sender. Thats what cybercriminals are counting on, and why
theyre willing to invest the time to create realistic-looking messages
from familiar sources. Theyve discovered just how effective these types
of spear-phishing scams can be.
Stepping execs through high-quality security awareness training is a must
these days:
http://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/
Please Forward This Newsletter To Your Friends
There are 40,000 people getting CyberheistNews every week, but
we need to get the word out to many more, to protect everyone's
network. Please forward this newsletter to people you know, that can
benefit. Here is the link to subscribe:
http://www.knowbe4.com/cyberheist-news/
Quotes of the Week
"The betrayal of trust carries a heavy taboo." - Aldrich Ames (Soviet mole in the CIA)
"I need not fear my enemies because the most they can do is attack me.
I need not fear my friends because the most they can do is betray me.
But I have much to fear from people who are indifferent." - old Russian Proverb
Please tell your friends about CyberheistNews! They can subscribe here:
http://www.knowbe4.com/cyberheist-news/
Prevent Email Phishing
Want to stop Phishing Security Breaches? Did you know that many of the
email addresses of your organization are exposed on the Internet and
easy to find for cybercriminals? With these addresses they can launch
spear-phishing attacks on your organization. This type of attack is
very hard to defend against, unless your users are highly security
awareness trained. IT Security specialists call it your phishing
attack surface. The more of your email addresses that are floating out
there, the bigger your attack footprint is, and the higher the risk is.
Find out now which of your email addresses are exposed with the free
Email Exposure Check (EEC). An example would be the email address and
password of one of your users on a crime site. Fill out the form and
we will email you back with the list of exposed addresses. The number
is usually higher than you think.
Sign Up For Your Free Email Exposure Check Now:
http://www.knowbe4.com/email-exposure-check/
Why We Are Doing This
Some of you might remember Sunbelt Software, which from 1996 to 2010 sold
system admin and security tools for Windows Server. I am one of the two
co-founders of Sunbelt. After distributing other developer's tools for
a few years we decided to become a security tool developer in the early
2000's. Our first security product was iHateSpam, followed by CounterSpy,
and a few years later we released VIPRE Antivirus, a brand new and
low-resource platform created from scratch to integrate antivirus and
antispyware. As opposed to other antivirus solutions, VIPRE was not a
resource hog, took off like a rocket, and we soon had many thousands of
enterprise customers. Sunbelt was acquired by GFI in 2010 and the VIPRE
brand is still doing great.
However, during that time I observed one problem. The bad guys were bypassing
software-based security and went straight after the user. The moment the
end-user clicks a link or opens an attachment; the risk of infection is much,
much higher. Yes, you can try to protect your domain with URL blacklists
and other layers but those get bypassed too. The average malicious website
lives for just a few hours, and that often is not enough time to make it
in the blacklist.
The problem? The user is the weak link in IT security. The only way to
fix that issue is education and that is where I decided to focus my new
company KnowBe4. We help IT professionals to defend their networks by
educating their users about spam, phishing, spear phishing, social engineering
and malware. But that's not all. We also automated the whole process of
sending regular simulated phishing attacks to all end-users and track
who opens and who clicks. That way you can weed out the weak links
quickly and remedy the problem with some additional training, a chat
with their manager, or ultimately a visit to HR.
And how did we create this security awareness training? I partnered
with Kevin Mitnick ('The World's Most Wanted Hacker') and over an 8-month
period we distilled his 30+ year hacking experience in a 30-minute
course for employees. Consider it another security layer that these days
is super important, your 'human firewall'
The Kevin Mitnick Security Awareness Training has been extremely well
received, and you can check it out here. Read the InfoWorld Article!:
http://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/
Global Phishing Survey: Trends and Domain Name Use 1H2012
The Anti Phishing Work Group just released their latest survey,
which I strongly suggest you read. For instance, APWG found that
average uptimes of phishing attacks dropped to a record low of 23
hours and 10 minutes in 1H2012, about half of what it was in late
2011, and by far the lowest since the report series was inaugurated
in January 2008. There is great data in there, here are their
major findings:
1. The average and median uptimes of phishing attacks dropped to a record
low in 1H2012, by far the lowest since we began measuring in January 2008.
2. The number of phishing attacks rose.
3. Phishers registered more subdomains than regular domain names,
while the number of domain names registered by phishers has dropped by
almost half since early 2011.
4. The number of targeted institutions has dropped; phishers continue
to target larger or more popular targets.
5. Phishers attacking Chinese institutions were responsible for
two-thirds of all malicious domain name registrations made in the world.
6. Domain name owners in South America had their web servers compromised
by phishers in growing numbers.
Here is the full report in PDF Format. Like I said, recommended reading:
http://www.apwg.org/reports/APWG_GlobalPhishingSurvey_1H2012.pdf
The Dirty Dozen: 12 Notorious Credit Union Heists
Over the years, the credit union industry has witnessed notorious fraud
and embezzlement cases involving CEOs and their family members, credit
union members, rank-and-file employees, labor union chiefs, computer
consultants, lawyers, real estate investors, government workers and
entrepreneurs.
While there has been a lot of credit union fraud cases of varying degrees,
this list focuses on what Credit Union Times believes to be the worst
of the worst cases, which we name the Dirty Dozen. The individuals
involved in these infamous heists many of whom are still in prison
stole a total of more than $185 million over the past 25 years. Not
necessarily high-tech cyberheists, but interesting reading from the
perspective of fraud prevention. You always learn something:
http://www.cutimes.com/2012/10/01/the-dirty-dozen-12-notorious-credit-union-heists?
Nightmare On Database Street: 5 Database Security Horror Stories
OK, it's Halloween soon. I thought this story in DarkReading was
quite appropriate, and a fun read: "Chilling stories from penetration
testers, database pros, and security consultants in the field.
Database security may not be quite as sexy as a teenage party in a
classic horror film. But when it's done wrong, technology executives,
CEOs, and customers alike would shiver at the consequences. Don't think
so? Then read just a few of the horror stories laid out by some of the
grizzled penetration tester vets we quizzed here. Their exploits show
how scary bad database security can really be:
http://www.darkreading.com/database-security/167901020/security/news/240009983/nightmare-on-database-street-5-database-security-horror-stories.html?
Get Your Free Full Copy Of 4-Star E-book 'Cyberheist'
Ben Rothke, an IT security specialist and author, recently reviewed my book 'Cyberheist' and gave it 4 stars! He ended off with:
At just under 200 pages, Cyberheist: The biggest financial threat facing American businesses since the meltdown of 2008 is not
the definitive text or the most comprehensive one on the topic. But for those looking for a brief and easy to read overview of the
topic, with a lot of real-world advice, Cyberheist makes for a good read.
Register Now For Your Free FULL Copy (instant PDF Download)
http://www.knowbe4.com/free-e-book/
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
From the unique perspective of one of its F/A 18 escort jets, here is
an extended aerial view of Space Shuttle Endeavour's final Southern
California flyover:
http://www.flixxy.com/fa-18-view-of-space-shuttle-endeavour-southern-california-flyover.htm
Dial-O-Spresso a phone controlled coffee machine. I want one!
http://ninjablocks.com/2012/10/23/dial-o-spresso-internet-phone-espresso/
If you get one of these flying over your building you can kiss your
whole network goodbye!:
http://www.gizmag.com/boeing-champ-missile-test/24658/
Bridge Against Trucks! Watch this undefeated bridge destroy dozens of
trucks and buses in the city of Durham:
http://gizmodo.com/5955244/watch-this-bridge-destroying-dozens-of-trucks-and-buses
Russia builds its first realistic female android. The face is quite
real but the speech is terrible. Check out the video:
http://www.gizmag.com/russia-female-android/24675/
Hang gliding master pilot and advanced instructor Ryan Voight doing amazing
loops, rolls and aerobatics:
http://www.flixxy.com/hang-gliding-aerobatics.htm
In a small tractor workshop of the dusty village of Banjiehe , 55-year-old
farmer Tang Zhenping has built a prototype of a 'wind powered' car. LOL:
http://www.flixxy.com/chinese-farmer-creates-wind-powered-car.htm
Brad proposes to his sweetheart Emily by recruiting 90 friends and family to perform a choreographed lip dub on the shore of Lake Michigan:
http://www.flixxy.com/brad-and-emily-lipdub-proposalbrad-and-emily-lipdub-proposal.htm
