CyberheistNews vol 2, #13










Editor's Corner



KnowBe4



Do You Comply With The New PCI 2.0 Standard?



We recommend you copy and paste this section and send it to your executive team, with a warning that they might be targeted with spear-phishing attacks. They need to 'Stop, Look, Think' when they get emails like this. Or, instead of cut and paste, you can send your execs this permalink to the KnowBe4 blog post:

http://blog.knowbe4.com/the-top-5-executive-spear-phishing-scams/







No. 5 "Complaint from the Better Business Bureau". A few execs get this official-looking complaint that a customer has supposedly filed, or more recently one that states: 'Your company is accused of supporting illegal business'. They claim your business is involved in identity theft, demand a reply within 7 days, and tell the exec to click on a link with the complaint ID. If the exec clicks, the PC will be infected with malware.







No. 4 "New Security App For Your Smartphone". Bad guys go to your website and figure out who your CFO and CEO are. They spoof an email from the CEO to the CFO and get the CFO to click on something. The CFO's PC is now infected with a keylogger. This way they know who you are banking with, and that the bank uses two-factor authentication using the CFO's mobile phone. Next, they spoof an email 'from the bank' to the CFO that instructs the CFO to download and install a new security app on their phone, but this is actually malware under control of the bad guys. Now they have access to the normal banking logon credentials, but they also control the two-factor text message sent to the CFO, which opens the door to all kinds of (expensive) trouble.







No. 3 "Unfortunately, you are part of a layoff". Cybercriminals take advantage of the current economic conditions and spoof an email that supposedly comes from either the CEO or from Human Resources. It states that the employee has been laid off and asks them to click on a link to claim their severance pay. The link leads to a page that looks just like the company website and asks for the first name, last name and SSN# to verify who they are and make sure they are in the queue for severance. Double whammy: the PC is infected and the employee's identity has been compromised.







No. 2 "Free Dinner At Your Favorite Restaurant". The CEO of a company is singled out for a spear-phishing attack. The attackers do their research using social media and find that the CEO is active in an anti-cancer charity, as one of the CEO's family members is a survivor. They also figure out that the CEO has a favorite restaurant about 20 miles away. They spoof an email from the charity's chief fund-raiser with an attached PDF that promises a free dinner and asks the CEO to open the PDF with the new fund-raising campaign they need feedback on. One click, the PC is infected and the network compromised. (Hat Tip to Chris Hadnagy.)









No. 1 "We've been sued". Bad guys go to your company website, look at the 'Executive Team' page and find out who your in-house legal counsel is. Then they do a deep search on the Internet for all email addresses of your company and find out the address conventions (e.g. first letter of first name, followed by last name). Then they spoof the email address of your counsel, attach an infected PDF that pretends to be about new or pending litigation, and send it to two or three execs. They open it and bingo, your network is compromised.







Attacks like this happen all the time. There are still many organizations that do not have Sender Policy Framework (SPF) enabled. Having SPF configured correctly blocks most of the sender spoofing used in the examples above. And of course Security Awareness Training for all staff, especially the execs, is a must, as they are prime targets. Here is a link to more data on SPF:

http://en.wikipedia.org/wiki/Sender_policy_framework
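To make concrete what a receiving mail server does with an SPF record, here is a minimal SPF evaluator added to this section (it is not code from the newsletter or from KnowBe4). The DNS records and domain names are constructed for the example, and only the ip4, ip6, include and all mechanisms are implemented; a real evaluator also handles a, mx, exists and redirect.

```python
import ipaddress

# Constructed SPF TXT records standing in for real DNS lookups (example data only).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "nospf.example.org": None,  # domain that publishes no SPF record at all
}

# Qualifier prefix of a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, lookup=FAKE_DNS_TXT, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `sender_ip`.

    `domain` is the domain of the envelope sender (MAIL FROM), which is what
    SPF protects. Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:          # RFC 7208 caps DNS-triggering terms at 10
        return "permerror"
    record = lookup.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"       # no policy published: spoofing cannot be detected
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"     # mechanisms without a prefix default to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":   # catch-all; "-all" is the hard reject for unknown senders
            return QUALIFIERS[qualifier]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only if the referenced domain's policy passes
            if check_spf(sender_ip, value, lookup, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # unsupported mechanisms (a, mx, exists, ...) are skipped in this example
    return "neutral"        # record ended without a match and without an "all"
```

Note that "none" for the spoofed domain is the case the text warns about: a server that publishes no record gives the receiver nothing to reject on, which is why a message claiming to come from your own CEO can sail through.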







Tax Season











Apart from the above, warn everyone that 'Tax Scam Season' is upon us, and that no one should respond to anything tax-related via email. The IRS does not use email or social media, so don't fall for refund offers that promise the world, and never click on links in email to help you fill out your taxes, even if it's for TurboTax. Always and only use your Web browser bookmarks instead!












Quotes of the Week









"Management is doing things right; leadership is doing the right things." — Peter Drucker







"Don't tell people how to do things; tell them what to do and let them surprise you with the results." — George S. Patton







"The price of greatness is responsibility." — Winston Churchill







Please tell your friends about CyberheistNews! They can subscribe here:


http://www.knowbe4.com/about-us/cyberheist-news/





Stop Phishing Security Breaches







Are you aware that many of the email addresses of your organization are exposed on the Internet and easy to find for cybercriminals? With these addresses they can launch (spear-)phishing attacks on your organization. This type of attack is very hard to defend against, unless your users are highly 'security awareness' trained.

IT Security specialists call it your 'phishing attack surface'. The more of your email addresses that are floating out there, the bigger your attack footprint is, and the higher the risk. It's often a surprise how many addresses are actually out there.

Find out now which of your email addresses are exposed. The Email Exposure Check (EEC) is a one-time free service. KnowBe4 customers with a Gold package get an EEC sent to them regularly so they can address the issues that are found. An example would be the email address and password of one of your users turning up on a crime site. Fill out the form and we will email you back with the list of exposed addresses. The number is usually higher than you think.





Sign Up For Your Free Email Exposure Check Now


http://www.knowbe4.com/20120228-Primary/













It's not WHO you trust, but HOW you trust







A snippet from the new Version 2 of our Security Awareness Training, expected in the next month or so:

Remember your security ground rules, and apply these three levels of risk. Any email with a hyperlink or attachment could be dangerous. Ask yourself, "Do I ordinarily receive this type of email from this person or company?"

LOW-RISK: Attachments or emails that contain links sent from people in your own organization should be considered low risk.

LOW to MODERATE RISK: Attachments or emails that contain links sent from people you know should be considered a low to moderate risk. Don't open the attachment or click any link until you have verified with the sender that it was legitimate.

HIGH-RISK: Attachments or emails that contain links sent from people you don't personally know, or from outside organizations.













Hacked Inboxes Lead to Bank Fraud





Hacked and phished email accounts increasingly are serving as the staging grounds for bank fraud schemes targeting small businesses. The scams are decidedly low-tech and often result in losses of just a few thousand dollars, but the attacks frequently succeed because they exploit existing trust relationships between banks and their customers. Last month, scam artists hijacked private email accounts belonging to three different customers of Western National Bank, a small financial institution with seven branches throughout Central and West Texas. In each case, the thieves could see that the victim had previously communicated with bank personnel via email. Read this story at:

http://krebsonsecurity.com/2012/03/hacked-inboxes-lead-to-bank-fraud/















5 Big Security Mistakes You're Probably Making





Roger Grimes has a short list that is oh-so-true. "Companies get hacked so often you'd think it was magic, but it really stems from chronic inability to follow basic security."

"How vulnerable are most companies to hacking? So vulnerable that hackers claim they can point their systems at pretty much any target and be guaranteed of breaking in fairly quickly. Most run-of-the-mill vulnerability testers I know can break into a company in a few hours or less. It must be child's play for professional criminals. It doesn't have to be this way. The problem is that most IT admins are making the same huge mistakes over and over."







No. 1 - Assuming that patching is good enough



No. 2 - Failing to understand what apps are running



No. 3 - Overlooking the anomalies



No. 4 - Neglecting to ride herd on password policy



No. 5 - Failing to educate users about the latest threats



Please read this article:


http://www.infoworld.com/d/security/5-big-security-mistakes-youre-probably-making-188517











Passwords Are The Weakest Link In Enterprise IT Security: Study





Joe McKendrick at ZDNet had the best summary of this news: "Eighty percent of the security incidents studied by Trustwave were due to the use of weak administrative credentials.

Organizations are spending millions of dollars to beef up their data, application and network security, but still keep overlooking one obvious area of exposure: user passwords. The Trustwave 2012 Global Security Report has just been published, identifying areas of vulnerabilities that persist within organizations, and threaten data security. The report's authors studied more than 300 data breaches that occurred during the year 2011 across 18 countries. The report observes that cyber attacks continue to rise unabated, and hackers are increasingly going after businesses' customer records. The risk is even greater for businesses frequented by consumers and brand name chains." More:

http://www.zdnet.com/blog/service-oriented/passwords-are-the-weakest-link-in-enterprise-it-security-study/8682











Search Engine With An Eye For Privacy





KnowBe4 customer Craig Fosburg sent me a very useful heads-up about search engines and privacy concerns. Here is the upshot: the big search engines store increasing amounts of data about you, and start to change their search results based on that data. This creates a filter (call it a bubble) that eliminates information based on what it perceives you might want or need. See this website, which does an excellent job of illustrating the problem. It boils down to the fact that different people get different search results, which is potentially harmful. See it here:

http://dontbubble.us/

With this in mind, you might want to change your search engine for a while and see what this one comes up with, as their policy is that they do NOT store ANY personal information or search information.

http://www.DuckDuckGo.com















Cyberheist 'FAVE' LINKS:







* This Week's Links We Like. Tips, Hints And Fun Stuff.





Top Gear Italy put spiked tires on a Peugeot 207 Super 2000 and took it to the ski slopes. Not only did they manage to find a way to bypass the ski lifts to get up to the top, you absolutely have to watch the Peugeot take on fearless downhill skier Anna Andreussi in a one-on-one race down the Italian Alps:

http://www.flixxy.com/mountain-race-car-vs-ski.htm

A tour boat near Wilhelmina Bay, Antarctica noticed an enormous iceberg in the distance that had started to softly crumble. Just as one of the tourists asked, "Why don't we just stay here and watch it?" the iceberg started to give way, and completely imploded:

http://www.flixxy.com/enormous-iceberg-implodes-in-antarctica.htm





Two Golden Retrievers play the 'flea waltz' on the piano in perfect response to the notes played to them on an ocarina:

http://www.flixxy.com/dogs-with-a-perfect-pitch.htm

Extreme radio-controlled airplane flying over Monument Valley with HD cockpit camera video-feed. It's like wingsuit-flying without the risk:

http://www.flixxy.com/extreme-rc-plane-flying-monument-valley.htm

Clip from the Apollo 16 Video Library. Charlie drives the penetrometer into the soil and, leaning down on it as it descends, he falls forward to the ground. It takes three attempts for him to get back up by doing press-ups:

http://www.hq.nasa.gov/alsj/a16/video16.html

If you are in IT, and are solving problems for other people as one of your hats, you might like this observation:

http://WhatHaveYouTried.com/

Rio's 2011 Carnival gets "tilt-shifted" in the stunning short film "The City of Samba":

http://www.flixxy.com/rio-de-janeiro-2011-carnival-tilt-shift.htm





Peruvian national champion mountain bike rider Alejandro Paz takes his helmet-cam for a fast ride down a rocky mountain trail:


http://www.flixxy.com/extreme-mountain-biking-in-peru.htm





Have you ever told your parents and friends they should stop using Internet Explorer? You aren't alone:


http://www.flixxy.com/the-browser-you-loved-to-hate.htm





