CyberheistNews Vol 2, #44
Editor's Corner
'Project Blitzkrieg': Aggressive Cyberheists Against U.S. Banks
It was all over the news last week: security firm RSA blogged about a new
cybercrime project that plans to recruit 100 botmasters to help launch a
series of cyberheists targeting 30 U.S. banks. RSA's blog post primarily
covered how financial institutions need to prepare for high-volume,
sophisticated attacks. Cybercrime investigative journalist Brian Krebs
weighed in on the topic because he thinks the RSA analysis merely
scratched the surface of a larger enterprise, one that speaks volumes about
why online attacks are becoming bolder and more brash toward Western targets.
Here is his quite interesting and detailed perspective, and there is more
about this further down in this issue from BankInfo Security:
http://krebsonsecurity.com/2012/10/project-blitzkrieg-promises-more-aggressive-cyberheists-against-u-s-banks/
NEW: Free Domain Spoof Test
Can your domain be spoofed? In other words, can the bad guys impersonate
one of your co-workers or your executives? KnowBe4 can help you find out
with our new Domain Spoof Test.
This new Domain Spoof Test sheds light on a major potential vulnerability.
Bad guys searching for your organization's publicly available email addresses
can find enough information to attack your employees by impersonating
(spoofing) a co-worker or executive.
We offer a free one-time Domain Spoof Test (DST) that verifies whether a
hacker -can- disguise a malicious phishing email as a normal message from
someone within your organization, such as a manager or CEO/President. If
this is possible, hackers can easily launch a spear-phishing attack. To
learn more about how this works, and request a domain spoof test for your
own domain name, click here and fill out the form:
http://www.knowbe4.com/domain-spoof-test/
If You Need to Pay Money to Get Money, You Have Been Scammed
These scams are still very popular. The victim gets an email or text message
saying they have won a large cash prize. Sometimes the scammers attach a PDF
with a picture of a fake check, and they tell the victim a small 'processing
fee' must be paid before they can get their hands on the full amount.
Often the cybercriminals use the Publishers Clearing House brand for this scam.
Since most of us are aware that the grand prize winner is notified in person
with an oversize check, scammers use the ploy that the victim is the runner-up
for a smaller cash prize, usually in the $300,000 range. When the victim
responds, the scammers' next move is to send a snail-mail letter with an
enclosed fake check, usually around $5,000, with instructions that the victim
should only deposit the check after(!) sending the $2,500 processing fee to
an address via Western Union.
When the victim gets notified by the bank that the check they deposited
is a fake, the scammers are long gone with the $2,500. They move around
and are hard to track down. Remember: If it is too good to be true, it
most likely is.
Please Forward This Newsletter To Your Friends
There are 40,000 people getting CyberheistNews every week, but
we need to get the word out to many more, to protect everyone's
network. Please forward this newsletter to people you know who can
benefit. Here is the link to subscribe:
http://www.knowbe4.com/cyberheist-news/
Quotes of the Week
"For it isn't enough to talk about peace. One must believe in it.
It isn't enough to believe in it. One must work for it." - Eleanor Roosevelt
"Peace cannot be achieved through violence, it can only be attained
through understanding." - Ralph Waldo Emerson
Please tell your friends about CyberheistNews! They can subscribe here:
http://www.knowbe4.com/cyberheist-news/
Cyberheist! 1) See the movie 2) Read the book
Our friends at TrendMicro Europe made a short (5:48) movie that shows
exactly what I have been talking about in my book. Here it is:
http://www.youtube.com/watch?v=mkjmHH2GH2w
Next, download the (full) book in PDF format, read about how they
do it and what you can do about it. Register Now For Your Free FULL
Copy (instant PDF Download)
http://www.knowbe4.com/free-e-book/
RSA Warns of New Attacks on Banks
Tracy Kitten at BankInfo Security reported on this. "A cybergang
threatens a blitz of Trojan attacks aimed at 30 U.S. banks, according
to RSA. What steps should all banking institutions take now to
prepare? RSA's Mor Ahuvia offers insight and advice.
On Oct. 4, security vendor RSA posted a blog detailing the discovery of
a coordinated Trojan attack that is expected to strike 30 U.S. banks in
the coming weeks. The purpose of the planned attack: To hit those banks
with a new variant of the legacy man-in-the-middle Trojan known as Gozi,
ultimately giving hackers the ability to manually set up fraudulent wire
transfers in real time.
RSA says it uncovered the planned scheme in underground forums, describing
it as a "blitzkrieg-like" series of attacks to be carried out by an
estimated 100 botmasters.
"RSA believes this is the making of the most substantial organized
banking-Trojan operation seen to date," writes Mor Ahuvia, a cybercrime
communications specialist for RSA FraudAction. If you are a bank or
a credit union you should check this story out:
http://www.bankinfosecurity.com/interviews/rsa-warns-new-attacks-on-banks-i-1681?
Defending Against Phishing Attacks
By now, we all know that the bad guys are using phishing and spear-phishing
to go after your users and penetrate your networks. This type of social
engineering attack is getting used more and more, since it’s the least
effort for the attacker. They are getting pretty good at making users click
on links and open attachments.
Organizations that are successful in defending their networks use the
six-layer 'defense-in-depth' strategy. The outer layer of that model is
Policy, Procedure and Awareness. Create security Policies; make sure everyone
knows about them and the correct Procedures to follow, and give security
Awareness training to everyone with exposure to the Internet. More about
defense-in-depth here:
http://www.knowbe4.com/resources/defense-in-depth/
Next, you need some specific technical measures against these attacks.
Email is the most used vector for these attacks, so you need to have a
few layers of defense in place. Sometimes these come as part of your mail
server's anti-spam features; however, you need to differentiate between
anti-spam and anti-phishing functionality, as the two are somewhat
different technologies that just happen to be bundled together. Let's look
at a few anti-spam features that also protect against (spear-)phishing.
- A specific Anti-Phishing Database:
Several anti-spam products (either on a server in your own datacenter or
hosted by a service provider) contain a constantly updated database of
so-called 'fingerprint' data, which is used to detect elements commonly
encountered in phishing emails. It is a somewhat generic approach that helps
against mass phishing attacks but does not do much against a focused
spear-phishing attack, whose content has never been seen before.
- Sender Policy Framework (SPF)
You really need this in place, and it is mainly a configuration issue. The
owner of a domain publishes a DNS TXT record listing the hosts that are
allowed to send mail for that domain. A receiving mail server looks up the
record for the domain in the message's envelope sender (the SMTP MAIL FROM
address, which ends up in the Return-Path header) and compares it against
the IP address of the server that is delivering the message. If the record
ends in '-all' and the delivering host is not on the list, the receiver can
reject the message outright. That stops the crudest attack, where someone
simply connects from their own server and claims to be mailing from your
domain to all of your employees as the CEO. Two caveats, though: a record
that ends in '~all' or '?all' only asks receivers to be lenient, so publish
'-all' once you are sure all your legitimate senders are listed; and SPF
checks the envelope sender, not the visible 'From:' header, so an attacker
can still put your CEO's address in the From: line while using an envelope
domain they control. Closing that gap is what a DMARC policy, which requires
the From: domain to align with the SPF-checked domain, is for. To see if
you have SPF correctly configured, here is much more about it:
http://www.openspf.org
It will let you know if there is a valid SPF record. KnowBe4 can help you
establish whether your organization's domain can be spoofed or not. We
provide a new free service that can do this. More about that here:
http://www.knowbe4.com/domain-spoof-test/
- DNS blacklist (DNSBL)
There are several organizations that have as their goal in life to make the
spammers' lives difficult. They create lists of the servers that spammers
use to send spam. These spam hosts are made available in a database through
the DNS system: your email server reverses the octets of the connecting
server's IP address, appends the blacklist's zone name, and does an ordinary
DNS lookup; an answer means the server is listed. Keep in mind that normal
phishing emails are usually sent from servers that also send spam and are
already blacklisted, but spear-phishing email is usually sent from a brand
new, clean server that was set up especially for that purpose, so it is not
yet known to the DNS blacklist maintainers.
These three technologies give you the biggest bang for your buck, and when
you combine them with security awareness training, you are a much harder
target to attack and the bad guys likely just move on to your competitor
who might be easier to hack. (Hat Tip to Emmanuel Carabott of GFI)
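To make the SPF and DNSBL checks above concrete, here is an added example (not code from the newsletter, KnowBe4, or GFI) that evaluates a domain's SPF record for a connecting IP, does a reversed-octet DNSBL lookup, and then combines both with a header-alignment check. All DNS data is constructed and served from an in-memory stub resolver so the example runs offline; the domains (example.com, partner.example), addresses (RFC 5737 ranges) and the dnsbl.example zone are made up. The SPF evaluator handles the ip4, ip6, a and all mechanisms with their qualifiers; include, mx, exists and redirect are left out for brevity.

```python
import ipaddress
from typing import Dict, List

# Constructed DNS data standing in for real lookups so this runs offline.
# Every name, address and zone here is made up for the example.
FAKE_DNS: Dict[str, List[str]] = {
    "TXT example.com": ["v=spf1 ip4:203.0.113.0/24 a:mail.example.com -all"],
    "A mail.example.com": ["198.51.100.25"],
    "TXT partner.example": ["v=spf1 ip4:192.0.2.10 ~all"],
    # DNSBL entry for 192.0.2.77: octets reversed, zone appended; an answer
    # inside 127.0.0.0/8 means "listed".
    "A 77.2.0.192.dnsbl.example": ["127.0.0.2"],
}

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(rtype: str, name: str) -> List[str]:
    """Stub resolver; a real one would query DNS for (rtype, name)."""
    return FAKE_DNS.get(f"{rtype} {name.lower()}", [])


def spf_check(domain: str, client_ip: str, resolve=lookup) -> str:
    """Evaluate the SPF record of `domain` for the connecting IP.
    Returns pass, fail, softfail, neutral or none (no usable record)."""
    ip = ipaddress.ip_address(client_ip)
    records = [r for r in resolve("TXT", domain) if r.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return "none"  # no record, or an ambiguous set of records
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_BY_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6") and arg:
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            host = arg or domain
            matched = any(ip == ipaddress.ip_address(a) for a in resolve("A", host))
        else:
            continue  # include/mx/exists/redirect are not handled in this example
        if matched:
            return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"  # nothing matched and no 'all' term: the RFC 7208 default


def dnsbl_listed(client_ip: str, zone: str, resolve=lookup) -> bool:
    """Query a DNS blacklist for an IPv4 address: reverse the octets, append
    the zone, and treat any A answer inside 127.0.0.0/8 as 'listed'."""
    name = ".".join(reversed(client_ip.split("."))) + "." + zone
    listed_range = ipaddress.ip_network("127.0.0.0/8")
    return any(ipaddress.ip_address(a) in listed_range for a in resolve("A", name))


def email_domain(addr: str) -> str:
    """'CEO <ceo@example.com>' -> 'example.com'; '' for a null sender '<>'."""
    _, at, domain = addr.strip().rstrip(">").rpartition("@")
    return domain.lower() if at else ""


def inbound_verdict(client_ip: str, mail_from: str, header_from: str,
                    dnsbl_zone: str = "dnsbl.example", resolve=lookup) -> dict:
    """Combine the checks for one inbound message. SPF vouches only for the
    envelope (MAIL FROM) domain, so a pass is trusted only when the visible
    From: header uses the same domain; anything else goes to quarantine for
    a human to look at rather than being silently accepted."""
    envelope_domain = email_domain(mail_from)
    spf = spf_check(envelope_domain, client_ip, resolve)
    listed = dnsbl_listed(client_ip, dnsbl_zone, resolve)
    aligned = email_domain(header_from) == envelope_domain
    if spf == "fail" or listed:
        verdict = "reject"
    elif spf == "pass" and aligned:
        verdict = "accept"
    else:
        verdict = "quarantine"
    return {"spf": spf, "dnsbl_listed": listed, "from_aligned": aligned, "verdict": verdict}


if __name__ == "__main__":
    # Constructed messages: a legitimate one, a crude spoof of the CEO from an
    # unlisted host, a spear-phish whose envelope passes SPF for the attacker's
    # own domain, and mail from a blacklisted host.
    for args in [
        ("203.0.113.5", "bob@example.com", "Bob <bob@example.com>"),
        ("198.51.100.99", "ceo@example.com", "CEO <ceo@example.com>"),
        ("192.0.2.10", "bounce@partner.example", "CEO <ceo@example.com>"),
        ("192.0.2.77", "news@partner.example", "news@partner.example"),
    ]:
        print(args[0], inbound_verdict(*args))
```

The third constructed message is the one that matters for spear phishing: SPF passes, because the attacker's own envelope domain authorizes the attacker's own server, yet the From: header claims to be the CEO. Only the alignment check catches that, which is why the SPF result alone should never be read as "this message is really from the displayed sender".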
In a Zero-Day World, It's Active Attacks that Matter
The recent zero-day vulnerability in Internet Explorer caused many (present
company included) to urge Internet users to consider surfing the Web with a
different browser until Microsoft issued a patch. Microsoft did so last month,
but not before experts who ought to have known better began downplaying such
advice, pointing out that other browser makers have more vulnerabilities and
just as much exposure to zero-day flaws.
This post examines hard data that shows why such reasoning is more emotional
than factual. Unlike Google Chrome and Mozilla Firefox users, IE users were
exposed to active attacks against unpatched, critical vulnerabilities for months
at a time over the past year and a half. Hat Tip to Brian Krebs. More:
http://krebsonsecurity.com/2012/10/in-a-zero-day-world-its-active-attacks-that-matter/
Whitelisting Pushing Out Antivirus At Some Security-Minded Retailers
Ellen Messmer at Network World reported: "The influential Payment Card
Industry (PCI) rules call for use of antivirus software to protect debit
and credit cards, but some retailers have found a substitute that's been
accepted in place of it: whitelisting technology.
Application whitelisting works on a host computer to prevent unauthorized
applications from running. The official PCI rules published by the PCI
Security Standards Council don't include any mention of it, but some
merchants and retailers are saying that their PCI-certified auditors are
signing off on whitelisting as a substitute for antivirus software, which
is giving them what they say is a needed A/V break.
Note, this is only for Point-of-Sale machines, but it's a foot in the
door and the young whitelisting industry can take a win. More at:
http://www.networkworld.com/article/2160451/compliance/whitelisting-pushing-out-antivirus-at-some-security-minded-retailers.html
Prevent Email Phishing
Want to stop phishing security breaches? Did you know that many of your
organization's email addresses are exposed on the Internet and easy for
cybercriminals to find? With these addresses they can launch spear-phishing
attacks on your organization. This type of attack is very hard to defend
against unless your users have had thorough security awareness training. IT
security specialists call this your 'phishing attack surface'. The more of
your email addresses that are floating out there, the bigger your attack
footprint is, and the higher the risk.
Find out now which of your email addresses are exposed with the free
Email Exposure Check (EEC). An example would be the email address and
password of one of your users on a crime site. Fill out the form and
we will email you back with the list of exposed addresses. The number
is usually higher than you think.
Sign Up For Your Free Email Exposure Check Now:
http://www.knowbe4.com/email-exposure-check/
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
This week's 2-minute vacation: SPACE! High Dynamic Range time lapse
sequences of photographs taken by the crews onboard the International
Space Station. Best viewed full screen in HD:
http://www.flixxy.com/iss-views-in-high-dynamic-range.htm
Why does it get dark at night? The answer is more complicated than you
think, and might surprise you:
http://www.flixxy.com/why-is-the-sky-dark-at-night.htm
Talking about space: Austrian skydiver Felix Baumgartner is attempting a
supersonic free fall to become the world's highest skydiver (server might be busy):
http://www.redbullstratos.com/
A new twist on the average Rube Goldberg machine by powering it up
with freerunner Jason Paul:
http://www.flixxy.com/human-powered-rube-goldberg-machine.htm
People in the London Underground have made up their own "Guerrilla Signs"
Some of these are just a riot!:
http://wharferj.wordpress.com/2012/08/23/underground-guerilla-signs/
The Cloud. (Video) Too bad it isn’t an ad for "cloud computing":
http://www.flixxy.com/the-cloud.htm
Lutz Eichholz and Stephanie Dietze unicycling down a 9,878 ft (3011 m)
high mountain in the Italian Alps:
http://www.flixxy.com/descent-from-a-9878-ft-mountain-peak-on-a-unicycle.htm
The Largest Black Holes in the Universe. 25 mins but fascinating!:
http://www.youtube.com/watch?v=xp-8HysWkxw&feature=youtube_gdata_player
Johann Sebastian Bach's "Toccata and Fugue in D minor" still rocks today!
http://www.flixxy.com/bach-still-rocks-today.htm