CyberheistNews Vol 2, #30
Scam Of The Week: Payroll Phish
The nakedsecurity blog over at Sophos highlighted a new phishing scam
that would be good to alert your employees about. The bad guys are
pretending to be payroll processing company ADP. There are two variants
of this phishing scam. They wrote: "One is simply a plain text message
with the subject 'ADP Funding Notification Debit Draft' instructing
you to click a link to view your transaction report."
"The second is more professional looking and suggests to human resource
specialists that ADP is upgrading its security processes and you need
to login and be trained on the new procedures."
I would not be surprised if the bad guys did some homework and checked
on job sites for companies that are looking for HR people with ADP
experience, or scanned LinkedIn for the same and did a spear-phishing
attack where they also included HR@company.com so that the net would
be as wide as possible.
The links in all of the messages we have received redirect to
has all of the telltale signs of the Blackhole exploit kit. Don't
click links in email, folks. It's 2012 and we have been saying this
for over 10 years now. Think before you click. If you want to see
a screenshot of this phishing attack, see the KnowBe4 Blog here:
Kevin Mitnick Security Awareness Training Success Stories
You heard it here first! KnowBe4's very successful Internet Security
Awareness Training now has been released in a new Version 2. We
rebranded it, as for the last 8 months we have been working with Kevin to
release a killer new training that covers many new attack vectors.
This big news will hit the press wires on July 9th, but CyberheistNews
subscribers are getting a sneak peek.
Here are some user quotes from employees of a mid-size defense
contractor that were the first to complete the training.
Never want to open an email again. Yikes!
Nice training learned a lot! Was not aware that it was that bad.
Interesting training. Thanks for making this available.
I got a lot of good information from the training this morning. I know
a lot of folks who could benefit from this training that are not
employees (wife, kids, church secretary, friends, etc., etc.). So my
question, is it possible to buy viewings of this for non-employees
somehow? Thanks so much!
This was a real eye opener. Can I have my wife take this training as well?
I need a total scrub down after watching that video can you say paranoid!
Best training we've had yet. Hopefully it will make us smarter.
I went through this training and it was incredibly helpful to me.
Thanks for taking the time to do this. Is there a way I can provide
this to my children?
Here is the page to the new Kevin Mitnick Internet Security Awareness
Quotes of the Week
"There's so much bad in the best of us and so much good in the worst of us,
it ill behooves us to talk about the rest of us" - author unknown
"You cannot depend on your eyes when your imagination is out of focus" - Mark Twain
"The hottest places in hell are reserved for those who in times of
moral crisis preserve their neutrality" - Dante
Please tell your friends about CyberheistNews! They can subscribe here:
Users Are The Weak Link In IT Security
You're an IT pro. You know that users are the weak link in IT security. But did you know that almost half of all your network malware infections are caused by social engineering? And that 99% of malicious action starts on workstations before it penetrates your servers? Because cyber-attacks are rapidly getting more sophisticated, the frustration level and risk continue to mount for IT Administrators and Security teams. Take the first step now to improve your organization's defenses against cybercrime. Find out what percentage of your users is Phish-prone. Start your Free Simulated Phishing Attack Now:
A few days ago I wrote about a 60 million Euro cyberheist. I have been
digging into this a bit more, as it's the most advanced attack yet.
Cybercrime is not revolutionary, it clearly builds upon itself in an
evolutionary process. Well, malware has metastasized and moved up into
Up to now, malware lived on the PC itself in its entirety. All the code
was run locally on the workstation, and it communicated only with the
mothership to send stolen data, whether that be keystrokes, files,
credit card numbers or any other confidential data.
But now, the bad guys have upped the game and rewritten their malware
architecture from the ground up. It's almost like they took a page
from the antivirus playbook and cut down their own bloatware to a
small, lightweight agent (that the bad guys can hide easily), with
the real processing being done on a server in the cloud.
So how this works is as follows. The attacks start off with a phishing
email, usually pretending to be from the victim's bank and social
engineering them to change their account password, which is not that
hard. Next, in early versions, the Zeus or SpyEye trojans would be
downloaded to the workstation. No more: only a tiny bit of malware
is put on the workstation and now the actual attack is coming from
the cloud. Yikes.
When the victim logs into their bank site, the malware uses web-inject
code to throw up a page that looks just like the victim's bank web page.
But what happens behind the scenes and invisible to the victim is that
the malware server starts transferring money from the victim's account
to the criminals' account, with all the work being done on the criminals'
cloud server that usually sits at an Internet Service Provider which
is owned by the criminal network.
And quite a bit of work is being done. The attack takes the log-in
from the PC and redirects it to the server in real-time and does all
the transactions in the bank account. It can even circumvent two-factor
authentications where the victim has a card they need to swipe to get
into the account. Double yikes.
The malware on the workstation is relatively small, simple and does
not need to be updated for the next attack, as the updates can happen
on the server side. This makes the attack more agile and scalable.
Once that new, lightweight malware agent infects the user's workstation,
that machine can be used for a multitude of criminal activities.
Note that all this still begins with a phishing attack, which makes
it all the more important that end-users get
comprehensive Security Awareness Training:
We are welcoming many friends of Kevin Mitnick, so I decided to
tell you a bit about our background. Here is KnowBe4's philosophy:
We are happy to go against the grain.
We're not a massive developer that turns out bloatware year after year.
We don't work with only the bottom line in mind.
We don't sell top down and force our solutions down everyone's throat.
We don't develop code based on yesterday's problems.
And we feel fine with all that.
We're a team of free-thinking techies, who look at IT security issues a little differently.
Where other IT security companies may value profits, we value, well, security.
When the competition tries to keep things locked up, we want it to be community-based.
We write security software for admins by admins.
We are not in the pocket of any of the large players.
We answer to no one but IT admins in the trenches.
Our company Operating System is: Do it right the first time, do it fast, and have fun while you do it.
We work like that, because we think it's the only way to go.
We believe in smarts over money.
We believe that only with community you can effectively secure your domains.
We believe that as IT Admins we need to hang together, because if we don't we will hang alone.
And we feel strongly about challenging the status quo; we put admins front and center in the fight against cybercrime.
So, it boils down to this: we believe in you.
We believe that the world's best security products can only be made with admins who give a bit of their time, talents, energy and support to defending our mutual domains.
And with this cause in mind, we believe that together we can continue to create innovative security tools for the benefit of your organization and the security of your network.
We are committed to serve the greater good. We are KnowBe4. We're not just a different kind of security company, we are a security company that together with you, makes a difference.
Bank Settles With California Cyberheist Victim
Finally, a positive outcome in a cyberheist lawsuit.
Brian Krebs reported that Professional Business Bank settled with
Village View Escrow Inc, a California cyberheist victim.
A California escrow firm that sued its bank last year after losing
nearly $400,000 in a 2010 cyberheist has secured a settlement that
covers the loss and the company's attorneys' fees. The settlement is
notable because such cases typically favor the banks, and litigating
them is often prohibitively expensive for small- to mid-sized businesses
victimized by these crimes. Here is a link to his blog post:
Stop Phishing Security Breaches
Are you aware that many of the email addresses of your organization are exposed on the Internet and easy to find for cybercriminals? With these addresses they can launch (spear-) phishing attacks on your organization. This type of attack is very hard to defend against, unless your users are highly security awareness trained.
IT Security specialists call it your phishing attack surface. The more of your email addresses that are floating out there, the bigger your attack footprint is, and the higher the risk is. It's often a surprise how many addresses are actually out there.
Find out now which of your email addresses are exposed. The Email Exposure Check (EEC) is a one-time free service. KnowBe4 customers with a Gold package get an EEC sent to them regularly so they can address the issues that are found. An example would be the email address and password of one of your users on a crime site. Fill out the form and we will email you back with the list of exposed addresses. The number is usually higher than you think.
Sign Up For Your Free Email Exposure Check Now
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
This week we found another mini-vacation for you: Europe! A great time-lapse
from a trip to Vilnius, London, Amsterdam, Paris, Stockholm, Copenhagen,
Helsinki, Riga, Crete, Santorin, Milan, and Cinque Terre. Gorgeous:
Check out the new Princeton Artificial Intelligence, which starts to
get pretty darn convincing, wonder if Alan Turing would have approved:
The Future Is Ours - A tribute to the individuals and companies pushing
Polar bear cubs play and wrestle in the snow while their mother keeps
a close eye on them from the den:
Love is in the air when Libero launches their Spring Collection 2012:
On a hot summer day, graduates from St Petersburg, Russia come together
for a song and dance in the river. Flash Mob the Russian way!
The world's tallest and longest zip line is also the fastest. It has a
top speed of 100 mph and is located in Sun City, South Africa:
I knew it would come to this. The Walkstation is the fully integrated
combination of an electric height-adjustable worksurface with an exclusively
engineered, low speed commercial grade treadmill. See it at Steelcase:
Google plots the 20-year evolution of the web. Pretty cool!!
Brrzzzt! How to (sort of) shock people like Emperor Palpatine:
Incredible Time-Lapse Video Shows Creation of Giant Higgs Boson Mural:
Useful website for the summer months: Blackout tracker tells you where
the electric grid is down: