CyberheistNews Vol 1, #27
Editor's Corner
Attack Example With 40% Phish-prone Rate
A customer of ours asked us to send a custom phishing email to about
100 of their employees whose email addresses were floating around on
the Net, found with our Email Exposure Check. The company had not
published an SPF record for its domain, so we were able to spoof the
email address of their CEO. If you don't know what SPF is, here is a
link, and it is a VERY good idea to have it set up:
http://en.wikipedia.org/wiki/Sender_Policy_Framework
One caveat: SPF only lets a receiving mail server check the envelope
sender (the MAIL FROM / Return-Path domain) against the IP addresses
you authorize. The From: line your users actually see is only
protected once you also publish a DMARC record, which requires the
SPF (or DKIM) domain to match the From: domain and tells receivers
what to do with mail that fails. Check with the person responsible
for your mail server whether SPF is set up, and whether the record
ends in a hard "-all" rather than a softfail "~all" that most
receivers accept anyway. If not, I would be able to send your
employees an email impersonating...YOU, coming from YOUR domain. It
is surprising to see how many domains do not have SPF, scary really.
Back to the test now. Out of the 100 employees, 40 clicked on the
link that we put in the email. If we were bad guys, that network would
have been -so- owned... Here is the example that we used:
To: All Employees
From: xxx.xxxx@xxxx.com (Their CEO)
Subject: Change in Benefits Program
As you may have heard in our quarterly presentation to all shareholders
on November second, we are continuing our expansion and doing very well.
As I said in the introduction, innovation and reducing costs continues
to be a high priority, and we have made some improvements in our benefits
program. Human Resources will be providing you with more specifics, but
please check this page with the Benefits Plan that will be starting Jan
first, 2012.
[here was the URL with a link to the 'benefits' page]
Best regards,
xxx.xxxx, CEO
XXXX Systems, Inc.
email:xxx.xxxx@xxxx.com
(Added was the legal disclaimer they standardly have)
Bad guys on the Internet could have done the very same thing, and
those 40 clicks could have meant 40 of your machines infected with
whatever malware the attacker chose, possibly combined with rootkits,
which are very hard to find.
All employees -need- to be regularly trained to not fall for these
kinds of spear-phishing attacks. A great way to do this is to send
them weekly simulated phishing attacks so that they are and -stay-
on their toes! (of course we could do that for you, fully automated)
:-)
Quotes of the Week
"Rather fail with honor than succeed by fraud." - Sophocles
"Whoever is detected in a shameful fraud is ever after not believed
even if they speak the truth." - Phaedrus
Please tell your friends about CyberheistNews! They can subscribe here:
http://www.knowbe4.com/about-us/cyberheist-news/
"We Discovered A Serious Human Vulnerability"
"I'm a system administrator and we regularly get users' workstations
infected with malware. Then Microsoft reported that 45% of the infections
are caused by the users being 'social engineered', so we decided to test it
out for ourselves."
"First we did the Email Exposure Check. Out of our 197 users, 87 email
addresses were found on the Internet. Then we did the Phishing Security
Test, and sent these 87 a relatively simple simulated phishing attack,
that could have been sent by any bad guy."
"We were shocked to see that our spam filters and antivirus did not
catch the phishing email, and that 24 of these 87 clicked on the link.
We discovered a serious human vulnerability." -- P.H. System Admin
Find out for yourself how big this human security hole is in your
organization. Fill out this form, you will get the results for free:
http://www.knowbe4.com/eec/
Cyber Insurance Offers IT Peace Of Mind -- Or Maybe Not
With the onslaught of cyber attacks going on, getting insurance is
probably not a bad idea. And getting in now while the premiums are
still relatively low, is an even better idea. Computerworld has
an interesting story about this:
"It's a question worth careful consideration, given that the price
of cyber attacks is rising at an alarming rate. The second annual
Cost of Cyber Crime study, released last August by the Ponemon
Institute, reported that the median annualized cost of detection
of and recovery from cyber crime per company is $5.9 million -- a
56% increase from the 2010 median figures. The costs of cyber crime
range from $1.5 million to $36.5 million per company." More:
http://cwonline.computerworld.com/t/7810338/987374514/547651/0/
Free Malware Response Guide
Microsoft's TechNet has a free guide that is quite useful. Their new
Infrastructure Planning and Design Guide for Malware Response will
help organizations plan the best and most cost-effective response
to malicious software. This guide provides methodologies for assessing
malware incidents and walks the reader through the considerations and
decisions that are pertinent to timely response and recovery.
It also describes approaches to investigating outbreaks and cleaning
infected systems. Get the Word and PowerPoint files here:
http://technet.microsoft.com/en-us/library/cc162838.aspx
Zappowned? 24 Million Zappos Records Compromised
Zappos CEO Tony Hsieh sent an email to all customers this week and
told them to change their password after an intruder gained unauthorized
access to the online shoe retailer's servers. The data compromised
include customer names, e-mail addresses, billing and shipping
addresses, phone numbers and, last but not least, the last four
digits of credit card numbers. One consolation: he said that
"critical credit card data and other payment data was not affected
or accessed." And oh, customers' (scrambled) passwords may also have
been accessed. A scrambled password can still be cracked offline, so
anyone who reused their Zappos password elsewhere should change it
there as well.
This is of course a goldmine for cyber criminals, who will not
hesitate to use all this personal information in phishing attacks
to make people click on a link. I would not be surprised if, while you
read this, the first waves of phishing emails are going out spoofing
CEO Tony Hsieh's email address, with fake warnings about the Zappos
hack that get people to click on a link to 'change their password'.
Warn your users, explain what happened, and tell them they might get
phishing emails at home that are more sophisticated than usual.
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
Electric skateboard with 'Kinect Sensor' uses the gestures of the rider to
control its 800 watt electric motor and accelerate it to speeds of up to
32 mph:
http://www.flixxy.com/tablet-controlled-electric-skateboard.htm
The purpose of a Rube Goldberg Machine is to make a simple task as
complex as possible - turning a newspaper page for example:
http://www.flixxy.com/rube-goldberg-page-turner.htm
Welcome to the Future: Samsung just announced a transparent touch-screen
which is completely see-through and fits any window up to 46 inches:
http://www.flixxy.com/samsung-smart-window.htm
Need a smile? Awesome people and amazing animals:
http://www.flixxy.com/awesome-people-and-amazing-animals.htm
Cranes flying over Venice (Italy), filmed from a microlight airplane
flying alongside the birds:
http://www.flixxy.com/cranes-fly-over-venice.htm
A prototype of a digital carpet that changes patterns as someone walks
over it. This is pretty cool!
http://www.flixxy.com/digital-carpet.htm
Cat is hat. Look at that! Sophie the cat likes the view from the top:
http://www.flixxy.com/cat-is-hat.htm