2015 Crystal Ball / Three Scams To Warn Your Users About

CyberheistNews Vol 4 #51 Dec 30, 2014  

During my 15-year stint as the editor of WServerNews, I always started the year with a Crystal Ball issue and I'm resurrecting that tradition with CyberheistNews in 2015. I have looked into the Palantir and here are the things you can look out for in the coming 12 months. In the 2016 Crystal Ball issue we will see how many I got right. [fingers crossed]

To begin with, Lance Spitzner at the SANS Securing The Human program and I have a lot in common; we evangelize effective security awareness training and we both drive a Tesla. In his 22 December 2014 Security Awareness Blog he said:

"2014 has been an amazing year for the security awareness community. I feel organizations are truly making the fundamental shift from just compliance to changing human behavior. From working with hundreds of organizations, teaching multiple classes of SANS MGT433 and the first ever security awareness summit, I'm seeing both interest and investment in security awareness growing at a tremendous rate.

"In addition the market has matured to where there are numerous vendors innovating in amazing ways. I feel like security awareness is where information security was in the early 2000s, when few people took security seriously, but you could see the tsunami coming. The human element is no different; we are just beginning to see this field grow. Expect to see amazing things happen in our world in 2015. I know I'm excited!"

I completely agree with Lance and could not have said it better myself. Change is needed and there will be a lot of it in IT security during 2015. Mike Rogers, chairman of the House Permanent Select Committee on Intelligence, noted in the WSJ on Dec 25, 2014: "In 10 years on the House Intelligence Committee I've watched a range of national security threats grow and evolve, but none as quickly as cyberwarfare."

He mentions two recent examples: the Sony hack, and the recent FIN4 gang who hacked into 100 public companies to grab insider information so they could manipulate the stock market. He predicts more of this to come, and urges Congress to expand the private sector's access to government-classified cyberthreat intelligence.

Shawn Henry, president of cybersecurity firm CrowdStrike Services and a former executive assistant director of the FBI, said: "It's going to take some attacks much greater than what we're seeing at Sony to allow the public to change course and say, 'OK, we get it. We recognize how dangerous this is.'" Which gets us to the next year and what we might expect.

Here Are The 2015 Top 10 IT Security Predictions

    1. The Sony hack is claimed to be a harbinger for more nation-state attacks on private sector organizations. Expect a major energy blackout with the press calling it a successful cyber attack on a U.S. energy infrastructure company and blaming Iran, DPRK, China or Russia, but it turns out to be rats and squirrels gnawing on electrical cables. :-D
    2. State-sponsored APT hacking groups will start to merge / cooperate / subcontract with criminal hacking campaigns like those targeting JP Morgan Chase, to perform spying activities, steal IP and/or gather intelligence about vulnerabilities in critical infrastructure systems for these foreign governments.
    3. The financial and defense industries have doubled their IT security budgets in 2014, and during 2015 several other sectors will follow their example, specifically technology, healthcare, manufacturing and government.
    4. Breach detection tools are now making their way into the enterprise, but correctly responding to a data breach is still very hard. Often CEOs will buy the tools, but not the people to run them. Count on a Sony-like chaos-and-panic response from a major healthcare organization driving it out of business.
    5. With the advent of renewed interest in mobile payment, cybercrime's attention will get focused on this lucrative combo of "mobile & money". I'm predicting Apple Pay will be compromised somehow in 2015, and that a new Apple-specific ransomware will spread via phishing attacks on iPhones, targeting cloud accounts.
    6. 2015 will be the year that trust in effective protection by antivirus alone is mostly lost, and additional layers like software whitelisting and breach detection go mainstream.
    7. We have not seen the end of POS attacks, but since retailers are going to harden the POS endpoints, cyberheists will move to "middle layer" targets, which means payment processors and third-party POS management infrastructure. When "chip-and-PIN" finally rolls out, big breaches will taper off.
    8. One of the major companies that was infected in 2014 will not move fast enough to shore up their security infrastructure, and will get reinfected in 2015, resulting in again losing millions of credit cards. Consumers will have gone into deep breach fatigue and dismiss the risk.
    9. Boardrooms will realize that "culture trumps compliance" and start top-down security culture initiatives, assisted by technology-driven ethics and compliance programs, which include mandatory security awareness training for all employees.
    10. 2014 saw a 650% increase in social media spam, and 99% of these malicious URLs led to malware or phishing sites. Expect this to grow another 400 percent in the next 12 months.

Three Scams To Warn Your Users About

It's the holidays and the bad guys are working overtime. There are three scams you want to warn your users about. Remember the Phil Esterhaus character in Hill Street Blues? "Let's be careful out there!" To begin with, airplane crashes are notorious for click-bait and generating high infection rates.

    1. There are phishing emails and Facebook messages that claim the missing AirAsia Flight QZ8501 has been found in Tacloban, Philippines. The message includes a teaser image of a crashed AirAsia jet and invites users to click a 'Play' button to view 'breaking news' footage. For existing KnowBe4 customers, we have a Current Events Template ready for you, and we recommend sending this one to your users ASAP to inoculate them against this current phishing attack. The title of the template is "Breaking News - Air Asia Flight QZ8501 Has Been Found - VIDEO".

    2. Watch out for Apple Watch scams from today on forward. This new device will be incredibly popular and will be used for a variety of scams that try to infect workstations with malware. There will be lotteries, giveaways, "Free Apple Watch" contests, and promises that if you buy something, you will get an Apple Watch thrown in the deal at no cost. Tell your users to be careful with all these emails: if it sounds too good to be true, it usually is! Think Before You Click!

    3. Bad guys have now created an app, identified by researchers at McAfee, that started circulating in South Korea in the last few days and attempts to exploit the media frenzy related to "The Interview" movie. It is distributed as a torrent download and poses as an Android app that lets you download the movie to mobile devices. But no, it's a banking Trojan.

Warn your users that they need to be very careful not to download anything related to "The Interview" unless they are 100% sure it comes from a legitimate source. And if they want to see it, go to that website yourself, and do not click on any link in an email promising to play the movie.


Warm Regards,
Stu Sjouwerman



Quotes Of The Week

"The key to wisdom is knowing all the right questions." - John A. Simone

"Fix your eyes on perfection and you make almost everything speed towards it." - William Ellery Channing

"Twenty years from now you will be more disappointed by the things that you didn't do than by the ones you did do. So throw off the bowlines. Sail away from the safe harbor. Catch the trade winds in your sails. Explore. Dream. Discover." - Mark Twain

Security News


PCI DSS 3.0 Compliant In Half The Time At Half The Cost

It's time to get and stay PCI DSS 3.0 compliant.

Now that the new 3.0 standard goes into effect, it's a great time to start using a new tool that will save you half the time and half the cost of becoming compliant: KnowBe4 Compliance Manager 2015.

It comes with a pre-made PCI DSS 3.0 template that you can use immediately to get compliant and maintain compliance in a business-as-usual process.

Escape from Excel-hell!

Most organizations track PCI compliance using spreadsheets, MS-Word, or proprietary self-maintained software. This is inefficient, error prone, costly, and a risk in itself. Get and stay PCI DSS 3.0 compliant in half the time and at half the cost with KnowBe4 Compliance Manager™.

Get a short, live web-demo, and we will show you how easy and affordable this is!

https://www.knowbe4.com/products/compliance-manager-software

Cybercrime Group Steals Millions From Russian Banks And Targets U.S.

This is actually quite interesting: hackers that are successful inside Russia, as normally these guys are shut down by the FSB in a heartbeat. It must be that they are outside of the direct reach of the Russian security services, pointing to places like Romania, Estonia or even further away, like for instance a Russian cybercrime ring in Israel. These guys play a very high-stakes game, including with their lives.

Cyber security researchers from Dutch security firm Fox-IT and Russian firm Group-IB called this group Anunak, named after the main trojan they use in their malware toolkit. This very sophisticated gang of cybercriminals has successfully grabbed over $25 million by hacking into quite a few financial institutions in Russia and former Soviet Union satellite states, but also into POS systems of European and U.S. retailers.

As you know, there is no place where more furious innovation occurs than in cybercrime. Most cyber mafias target the banks' customers, but this Anunak group targets the institutions themselves. They directly penetrate the bank networks, and this compromise allows them to make transfers from accounts under their control. Sometimes they are even able to compromise ATMs from within, which are then emptied out by money mules.

"Since 2013 they have successfully gained access to networks of more than 50 Russian banks and 5 payment systems, and 2 of these institutions were deprived of their banking license," Group-IB said in a report released Monday. "To date the total amount of theft is over 1 billion rubles (about 25 million dollars), most of it has been stolen in the second half of 2014." Here is the Group-IB report (PDF):
https://www.group-ib.com/files/Anunak_APT_against_financial_institutions.pdf

15 of the world's most colorful landscapes. Some of these are amazing!

https://www.cnn.com/2014/12/25/travel/gallery/world-most-colorful-landscapes/

From Lycos to Ask Jeeves to Facebook: Tracking the 20 most popular web sites every year since 1996 - The Washington Post:
https://www.washingtonpost.com/news/the-intersect/wp/2014/12/15/from-lycos-to-ask-jeeves-to-facebook-tracking-the-20-most-popular-web-sites-every-year-since-1996/

Interesting scientist deathbed confession: ADHD Is A Fictitious Disease:
https://www.youtube.com/watch?v=dLarWMcMY8M

T-Mobile CEO John Legere keeps it classy in cramming the carrier's marketing spiel into a video rendition of 'Twas the Night Before Christmas and letting loose with a few choice words for rivals AT&T and Verizon. So, is he a Genius, Joker or Jerk?:
https://youtu.be/asSvw3cqX8o

Recent presentation by Kevin Mitnick and Dave Kennedy at Derbycon. Fun to watch over lunch and very instructive:
https://www.youtube.com/watch?v=tcnAWhFf5QM

The world's biggest database breaches visualized in a gorgeous interactive graph that can be filtered on method of leak and per industry. Worth checking out!
https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks