CyberheistNews Vol 2, #3

CyberheistNews Vol 1, #27

Editor's Corner

KnowBe4

Attack Example With 40% Phish-prone Rate

A customer of ours asked us to send a custom phishing email to about 100 of their employees whose email addresses were floating around on the Net and had been found with our Email Exposure Check. The company did not have SPF enabled, so we were able to spoof the email address of their CEO. If you don't know what SPF is, here is a link, and it is a VERY good idea to have it enabled:

http://en.wikipedia.org/wiki/Sender_Policy_Framework

Check with the person responsible for your mail server whether SPF is enabled. If not, I would be able to send your employees an email impersonating...YOU, coming from YOUR domain. It is surprising to see how many domains do not have SPF enabled; scary, really.
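To make the SPF point concrete, here is an added example (my code, not KnowBe4's and not part of the original newsletter): a small Python evaluator of the kind a receiving mail server runs for each incoming message, fed with constructed DNS records so it works offline. The domains example.com, mail.example.com, _spf.mailprovider.example and nospf.example, the addresses and records in the DNS dictionary, and the function names check_host and inbound_verdict are all made up for the demo; it handles only the common RFC 7208 mechanisms and qualifiers, not redirect=, exp=, macros or CIDR suffixes on a/mx.

```python
"""Minimal SPF (RFC 7208) evaluator run against constructed DNS data.

Added example, not KnowBe4's code.  DNS answers are embedded in the DNS dict
below so the script runs offline; every domain, address and record in it is
constructed for the demo.  Only the common mechanisms (all, ip4, ip6, a, mx,
include) and the four qualifiers are handled, which is enough to show why a
domain with no policy can be spoofed and a domain with -all cannot.
"""
import ipaddress

# Constructed zone data standing in for live DNS lookups (assumption).
DNS = {
    "example.com": {  # a domain with a strict policy ending in -all
        "TXT": ["v=spf1 a mx ip4:203.0.113.0/24 "
                "include:_spf.mailprovider.example -all"],
        "MX": ["mail.example.com"],
        "A": ["203.0.113.10"],
    },
    "mail.example.com": {"A": ["203.0.113.25"]},
    "_spf.mailprovider.example": {  # a hosted mail provider's shared policy
        "TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    },
    "nospf.example": {  # the situation described above: no SPF record at all
        "TXT": ["some unrelated txt record"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_records(domain):
    """All TXT records of `domain` that start with the v=spf1 version tag."""
    txt = DNS.get(domain.lower(), {}).get("TXT", [])
    return [t for t in txt if t.lower().split(" ", 1)[0] == "v=spf1"]


def ip_in(ip, network):
    """True when `ip` lies inside `network` (a bare address counts as /32 or /128).
    A v4 address never matches a v6 network and vice versa."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def a_records(host):
    """A records for `host` from the constructed zone data."""
    return DNS.get(host.lower(), {}).get("A", [])


def check_host(ip, domain, depth=0):
    """Return the SPF result for `ip` sending on behalf of `domain`:
    pass, fail, softfail, neutral, none (no policy) or permerror."""
    if depth > 10:          # crude stand-in for the RFC 7208 lookup limit
        return "permerror"
    records = spf_records(domain)
    if not records:
        return "none"       # no policy: the receiver has nothing to reject on
    if len(records) > 1:
        return "permerror"  # RFC 7208 treats multiple SPF records as an error
    for term in records[0].split()[1:]:
        qualifier = "+"     # a mechanism with no explicit qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip_in(ip, arg)
        elif name == "a":
            matched = ip in a_records(arg or domain)
        elif name == "mx":
            hosts = DNS.get((arg or domain).lower(), {}).get("MX", [])
            matched = any(ip in a_records(h) for h in hosts)
        elif name == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"        # ran off the end of the record with no "all" term


def inbound_verdict(client_ip, mail_from):
    """What a receiving gateway does with the envelope sender: quarantine on
    fail/softfail, otherwise deliver.  With no SPF record the result is "none"
    and a forged sender from any IP sails through.  Returns (result, action)."""
    domain = mail_from.rsplit("@", 1)[-1]
    result = check_host(client_ip, domain)
    action = "quarantine" if result in ("fail", "softfail") else "deliver"
    return result, action


if __name__ == "__main__":
    # A forged "CEO" message arriving from an outside address (constructed).
    for sender in ("ceo@example.com", "ceo@nospf.example"):
        print(sender, inbound_verdict("192.0.2.99", sender))
```

The two runs at the bottom show the difference the record makes: the forged message for example.com, whose record ends in -all, comes back as fail and is quarantined, while the same forgery for nospf.example comes back as none and is delivered, because a receiver cannot reject on a policy that does not exist. To see what your own domain publishes, query its TXT records (for example `dig TXT yourdomain.example`) and look for a v=spf1 record that lists only your real sending hosts and ends in -all or ~all.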







Back to the test now. Out of the 100 employees, 40 clicked on the link that we put in the email. If we were bad guys, that network would have been -so- owned... Here is the example that we used:

To: All Employees
From: xxx.xxxx@xxxx.com (Their CEO)
Subject: Change in Benefits Program

As you may have heard in our quarterly presentation to all shareholders on November second, we are continuing our expansion and doing very well.

As I said in the introduction, innovation and reducing costs continue to be a high priority, and we have made some improvements in our benefits program. Human Resources will be providing you with more specifics, but please check this page with the Benefits Plan that will be starting Jan first, 2012.

[here was the URL with a link to the 'benefits' page]

Best regards,

xxx.xxxx, CEO
XXXX Systems, Inc.
email: xxx.xxxx@xxxx.com

(Added was the legal disclaimer they standardly have)

Bad guys on the Internet could have done the very same thing, and 40 of your machines would be infected with any kind of malware, possibly combined with rootkits, which are very hard to find.

All employees -need- to be regularly trained not to fall for these kinds of spear-phishing attacks. A great way to do this is to send them weekly simulated phishing attacks so that they are and -stay- on their toes! (Of course we could do that for you, fully automated.) :-)

Quotes of the Week

"Rather fail with honor than succeed by fraud." - Sophocles

"Whoever is detected in a shameful fraud is ever after not believed even if they speak the truth." - Phaedrus

Please tell your friends about CyberheistNews! They can subscribe here:
http://www.knowbe4.com/about-us/cyberheist-news/

"We Discovered A Serious Human Vulnerability"

"I'm a system administrator and we regularly get users' workstations infected with malware. Then Microsoft reported that 45% of the infections are caused by the users being 'social engineered', so we decided to test it out for ourselves."

"First we did the Email Exposure Check. Out of our 197 users, 87 email addresses were found on the Internet. Then we did the Phishing Security Test, and sent these 87 a relatively simple simulated phishing attack that could have been sent by any bad guy."

"We were shocked to see that our spam filters and antivirus did not catch the phishing email, and that 24 of these 87 clicked on the link. We discovered a serious human vulnerability." -- P.H., System Admin

Find out for yourself how big this human security hole is in your organization. Fill out this form and you will get the results for free:

http://www.knowbe4.com/eec/

Cyber Insurance Offers IT Peace Of Mind -- Or Maybe Not

With the onslaught of cyber attacks going on, getting insurance is probably not a bad idea. And getting in now, while the premiums are still relatively low, is an even better idea. Computerworld has an interesting story about this:

"It's a question worth careful consideration, given that the price of cyber attacks is rising at an alarming rate. The second annual Cost of Cyber Crime study, released last August by the Ponemon Institute, reported that the median annualized cost of detection of and recovery from cyber crime per company is $5.9 million -- a 56% increase from the 2010 median figures. The costs of cyber crime range from $1.5 million to $36.5 million per company." More:

http://cwonline.computerworld.com/t/7810338/987374514/547651/0/

Free Malware Response Guide

Microsoft's TechNet has a free guide that is quite useful. Their new Infrastructure Planning and Design Guide for Malware Response will help organizations plan the best and most cost-effective response to malicious software. The guide provides methodologies for the assessment of malware incidents and walks the reader through the considerations and decisions that are pertinent to timely response and recovery. It also describes approaches to investigating outbreaks and cleaning infected systems. Get the Word and PowerPoint files here:

http://technet.microsoft.com/en-us/library/cc162838.aspx

Zappowned? 24 Million Zappos Records Compromised

Zappos CEO Tony Hsieh sent an email to all customers this week and told them to change their password after an intruder gained unauthorized access to the online shoe retailer's servers. The data compromised are the customer's name, e-mail address, billing and shipping addresses, phone number and, last but not least, the last four digits of their credit card number. One consolation: he said that "critical credit card data and other payment data was not affected or accessed." And oh, customers' (scrambled) passwords may also have been accessed.

This is of course a goldmine for cyber criminals, who will not hesitate to send phishing attacks that use all this personal information to make people click on a link. I would not be surprised if, while you read this, the first waves of phishing emails are being sent out using CEO Tony Hsieh's email address, with fake warnings about the Zappos hack that make people click on a link to change their password.

Warn your users, explain what happened, and tell them they might get phishing emails at home that are more sophisticated than usual.

Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

Electric skateboard with 'Kinect Sensor' uses the gestures of the rider to control its 800 watt electric motor and accelerate it to speeds of up to 32 mph:
http://www.flixxy.com/tablet-controlled-electric-skateboard.htm

The purpose of a Rube Goldberg Machine is to make a simple task as complex as possible - turning a newspaper page, for example:
http://www.flixxy.com/rube-goldberg-page-turner.htm

Welcome to the Future: Samsung just announced a transparent touch-screen which is completely see-through and fits any window up to 46 inches:
http://www.flixxy.com/samsung-smart-window.htm

Need a smile? Awesome people and amazing animals:
http://www.flixxy.com/awesome-people-and-amazing-animals.htm

Cranes flying over Venice (Italy), filmed from a microlight airplane flying alongside the birds:
http://www.flixxy.com/cranes-fly-over-venice.htm

A prototype of a digital carpet that changes patterns as someone walks over it. This is pretty cool!
http://www.flixxy.com/digital-carpet.htm

Cat is hat. Look at that! Sophie the cat likes the view from the top:
http://www.flixxy.com/cat-is-hat.htm