CyberheistNews Vol 5 #19 Scam Of The Week: Red Bull Money Mule Victims

Scam Of The Week: Red Bull Money Mule Victims

Warn your employees, friends and family about a cunning money laundering scam that is currently back on the rise. This lure was first used during spring break in 2014 and apparently successful because it's back.

It's an email claiming to be from Red Bull and offers offers to place Red Bull ads on the victim's car for 600 bucks a week. It all sounds innocent enough; wrap your car with advertising and make money driving around town. There is a nasty catch though.

The scam email explains the benefits of the "business offer" and promises easy money that basically will pay for the whole car, gas money included. However, if you sign up for it, this deal backfires and the victim is investigated for money laundering fraud.

How This Scam Works

The first payment that arrives is much larger than originally agreed upon. The criminals apologize for the "error" and would the victim please quickly deduct their own fee and wire the rest of the money back to them.

However it's either a forged or stolen check the victim received in the first place, or it's a fraudulent wire transfer from an account that was criminally taken over. In both cases the victim is left holding the bag when the cops come knocking on their door. All initial evidence of the fraud will point to them.

What To Do About It

I strongly recommend you send the following to your employees, friends and family. Feel free to copy/paste/edit:

"A new job scam is doing the rounds, preying on people that want to make $600 a week with Red Bull advertising on their car. It sounds like a great deal, but this scam is run by criminals that will try to use their victims for money laundering. If you get an email claiming to be from Red Bull and offers you an attractive advertising deal, use that delete key. In general, be very careful with any Internet "work from home" schemes, many of these are fraudulent. Do not give out any personal information to these criminals and warn your family members."

For KnowBe4 customers, we have a new phishing template in the Online Services campaign called "Advertising for Red Bull Energy Drink". Send it to your employees and inoculate them against bogus second job offers before they get into some real trouble.

There is an example of the scam email at the KnowBe4 Blog:
https://blog.knowbe4.com/scam-of-the-week-red-bull-money-mule-victims

Heads-up: 'Breaking Bad' Ransomware Beta Tested Down Under

You can expect ransomware in America in the next few weeks which has a Breaking Bad theme. Take this a bit further and we can expect ransomware with Halloween themes later this year. Sheesh.

Some criminals are too smart for their own good though, because using a TV show like this will make it much more recognizable and written about, defeating the purpose.

Apart from the Breaking Bad theme, CryptoLocker.S. is pretty generic ransomware. It is surprising how fast ransom Trojans have spread. A year ago every new strain was headline news, now it's on page 3. This version grabs a wide range of data files, encrypts it using a random AES key which then is encrypted using a public key.

Your employees can run into this strain like any other ransom Trojan by opening an infected email attachment. It even opens a legitimate PDF file to trick your users that everything is fine. In the mean time, back at the server farm... Anyway, block all zip files at the edge if you have not already, and make 100% sure your Backup/Restore actually works. More details and link to Symantec who found this strain at the KnowBe4 Blog:

https://blog.knowbe4.com/heads-up-breaking-bad-ransomware-beta-tested-down-under

Need Your Input On Mobile Security Awareness Training

We are trying to establish your interest in a mobile security awareness training platform for your employees. This platform is an app that runs on their smartphone, and has several features to help you keep your network safe by improving and reinforcing your human firewall. Please take 1 minute to answer 6 short questions and let us know what you think? Thanks so much in advance!

Here is the link to SurveyMonkey:
https://www.surveymonkey.com/s/KnowBe4Mobile

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"If you torture data sufficiently, it will confess to almost anything." - F. Menger

"The confession of evil works is the first beginning of good works." - Saint Augustine

Thanks for reading CyberheistNews!

Security News

Has Anyone Used KnowBe4?

May 14, 2014 7:45 AM BruceyBonus asked the following question at the SpiceWorks Security Forum:

"Hi All, been in contact with a company called Knowbe4, they offer a simulated phishing attack to your users and discover how high your organization’s Phish-prone percentage is...any one heard of them or used them? any information would be greatly appreciated...Thanks"

Within 2 days there were almost 50 replies. If you want independent, actual users describing their experience in their own words, you should read these (unedited) answers at the forum:
https://community.spiceworks.com/topic/951007-has-anyone-used-knowbe4?

Combine that with a very positive review in InfoWorld, and you know where to go if you want to do something about users who never learn to avoid stupid security mistakes that compromise your organization.

InfoWorld's security guru Roger Grimes writes about KnowBe4's integrated training and phishing platform. Check out this article:
https://www.infoworld.com/article/2920804/security/get-real-about-user-security-training.html

This Week's Five Most Popular HackBusters Posts

What are IT security people talking about? Here are this week's five most popular Hackbusters posts:

Feds Say That Banned Researcher Commandeered a Plane:
https://www.hackbusters.com/news/stories/323529-feds-say-that-banned-researcher-commandeered-a-plane
CHIP — The World's First $9 Computer:
https://www.hackbusters.com/news/stories/321580-chip-the-world-s-first-9-computer
Unwilling DNA Samples Used In Advertising:
https://www.hackbusters.com/news/stories/323839-unwilling-dna-samples-used-in-advertising
This Little 3-D Printed Robot Cracks Combination Locks In 30 Seconds:
https://www.hackbusters.com/news/stories/322680-this-little-3-d-printed-robot-cracks-combination-locks-in-30-seconds
Police warn of PennDOT 'phishing' scam:
https://www.hackbusters.com/news/stories/322719-police-warn-of-penndot-phishing-scam-abc27

Starbucks Hack: A Great Example Why You Should Not Reuse Passwords

Use this story and send it to your employees as a cautionary tale to make it real to them they should not reuse passwords in general, but especially not for any online payment accounts!

News broke this week that smart thieves use the Starbucks' mobile app to steal money from users' bank accounts. You can use the app to pay at the Starbucks checkouts with your smartphone, and you can also set it up to draw money from a linked account to reload your Starbucks card. The coffee giant now operates the most popular mobile wallet payment system in the U.S. so this is a big deal.

The attackers have been breaking into Starbucks accounts to repeatedly transfer money from bank accounts using the app's auto-reload function. Starbucks hasn’t been able to stop fraudulent transactions even when they are reported within a few minutes.

The problem is that the cyber thieves just need the user name and password to get into the account. Starbucks publicly stated that their system has not been breached, but that these thefts are caused by stolen credentials on other sites and cause this problem for people who reuse their user name and password on multiple sites.

So here are a few rules for online payments:

Use a unique pass-phrase for online payment accounts. Do not reuse that pass-phrase anywhere else.
DO NOT share passwords across apps. This is hard but not impossible, especially if you use password managers like OnePass or LastPass.
If you link an app for online payments, only use credit cards and never use debit cards or God forbid your bank account which simply is asking for trouble.
Set your credit cards to email you real-time confirmation of expenses. I have an AMEX card that emails me the amount of any charge over a threshold I set.

Online payment systems are very convenient, but you need to use common sense and password discipline to make sure they don't become a major pain in the neck.

Wetware: The Major Data Security Threat You've Never Heard Of

Adam Levin, Forbes contributor explains what wetware is to the uninitiated, and makes the case for more budget for awareness training. This is great ammo to send to non-IT management level people.

He wrote: "For the first time, according to a recent study, criminal and state-sponsored hacks have surpassed human error as the leading cause of health care data breaches, and it could be costing the industry as much as $6 billion. With an average organization cost of $2.1 million per breach, the results of the study give rise to a question: How do you define human error?

"More than half of the respondents in the Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, said their organization’s incident response team was underfunded or understaffed and roughly one third of respondents had no incident response plan in place at all—zip, nada, zilch—a fact that beggars the imagination at a moment when breaches have become the third certainty in life, and one that highlights the seeming no-show of the “first do no harm” approach to patients on the data breach-prone operations side of the health care industry." More at Forbes:
https://www.forbes.com/sites/adamlevin/2015/05/14/wetware-the-major-data-security-threat-youve-never-heard-of/

The Best Defense Against Cybercrime? Get Your Employees On Board

The UK-based ITProPortal's Charles Orton-Jones recently surveyed more than a thousand office workers in the UK to gain insights into employee attitudes about cyber-security and data theft. Many see data theft as a victimless crime, especially millennial employees.

That is a problem but it gets worse. The survey also found that more than 72% of millennials believe they are entitled to take data they have worked on compared with 41 per cent of baby boomers. An organization’s approach to correcting such misperceptions internally should consider these generational differences.

The article lists 4 major items that you should address to make protecting data part of your culture:

"Clarify the business risk: Leadership must detail the consequences of a data breach to the company’s financial results, relationships with customers, and reputation.
"Align with values and culture: Data protection isn’t just the responsibility of IT, it’s the responsibility of everyone in an organization. Ensure you have processes in place for employees to voice concerns, particularly during times of company transition.
"Involve employees directly in solutions: The data showed millennials in particular are motivated by direct engagement in problem-solving, so enlist them to help develop approaches that will resonate with their peers.
"Partner with the compliance and IT teams: Technology or compliance training around cyber security should be preceded by awareness campaigns that reinforce the business urgency."

Quite simply, creating a culture where employees respect data and are motivated to protect the business is critical to cyber security. More at:
https://www.itproportal.com/2015/05/15/best-defence-against-cyber-crime-get-your-employees-on-board/

Cyberheist 'FAVE' LINKS:

This Week's Links We Like. Tips, Hints And Fun Stuff.

Engineers at GE Aviation 3D-printed a working version of a jet engine. This is incredibly cool, soon you will be able to do this at home:
https://www.youtube.com/watch?t=11&v=W6A4-AKICQU