Researchers at RSA stumbled upon a Facebook page that had been up for several months and was marketing the Zeus banking Trojan. This is something new: until now, this type of marketing was limited to the 'darknet' criminal underground. The Facebook page has been taken down, but Trojans being sold out in the open with 'hints and tips' on how to steal credit cards shows that cybercrime is going mainstream. RSA's Limor Kessem said: "Social networks are such a great place for malware infections and phishing, why not just market the botnet directly from there?" Full article over at BankInfoSecurity: https://www.bankinfosecurity.com/facebook-used-to-market-banking-trojans-a-5714
Scam Of The Week: Mother's Day
Cybercriminals have their yearly campaigns carefully mapped out, just like real internet marketers. The first Mother's Day scams are rearing their ugly heads, and they usually start off with: "Don't Forget Mother's Day - $19.99 Flowers". Once you click on the link, you get to a website with all kinds of potential presents, but if you buy any of them, the only present you give is your credit card information, handed to the bad guys for free. Other Mother's Day scam sites promote jewelry, designer clothing and shoes. Send your users a quick heads-up and tell them to browse for gifts only at sites they know to be reputable!
Yahoo Warns: "Your Small Business May Have Already Been Hacked"
Veteran IT reporter Dan Tynan has a very popular Yahoo SMB column. He interviewed me and I was quoted in his April 25 article about hacking. There is a lot of good ammo in there if you need to increase your IT security budget: "While attacks on large enterprises have declined slightly over the last year, threats to SMBs have risen sharply. Cyber attacks targeting businesses with 250 employees or less doubled in the first six months of last year, according to Symantec. The average loss per attack: more than $188,000."
"You get the best out of others when you give the best of yourself." - Harvey S. Firestone
"If you want something done, ask a busy person to do it. The more things you do, the more you can do." - Lucille Ball
Stop Phishing Security Breaches
Your end-users are the weak link in your network security. Today, your employees are frequently exposed to advanced phishing attacks, and over 90% of data breaches start with a phishing attack.
IT security specialists call it your 'phishing attack surface'. The more email addresses that are exposed, the bigger your attack footprint is, and the higher the risk. It's often a surprise how many of your addresses are actually out there, and whose they are.
Find out now which of your email addresses are exposed. The Email Exposure Check (EEC) is a one-time free service. KnowBe4 customers with a Gold package get an EEC sent to them regularly so they can address the issues that are found. An example would be the email address and password of one of your users on a crime site. Fill out the form and we will email you back with the list of exposed addresses. The number is usually higher than you think.
FAQ: Phishing Tactics And How Attackers Get Away With It
Network World reported: "Phishing attacks on enterprises can be calamitous in terms of compromised networks or damaged brand names, and the Anti-Phishing Working Group (APWG), which aggregates and analyzes phishing trends data worldwide, offers some of the best insight from industry into what's occurring globally in terms of this cybercrime. The following list of frequently asked questions about phishing is derived from the APWG's April report that covers the period July-December 2012 worldwide": https://www.networkworld.com/article/2165769/security/faq--phishing-tactics-and-how-attackers-get-away-with-it.html
What Do Spear-Phishing Emails Have To Do With Drones?
I found a great article by Kai Roer, Senior Partner at the Roer Group.
"Lately, some of the smartest people in Infosec decided that security awareness trainings are a waste of time. Last out is Bruce Schneier, who decided to speak up against awareness training.
"The claim that security awareness trainings are not working is, in my opinion, a claim based on wrong assumptions. It also shows a clear lack of understanding of the inner workings of the human mind, and a total lack of respect for your co-workers.
"If all you focus on is technology, code and cryptology, and you have very little real interaction with people, I can understand where you are coming from. It takes more than code to decrypt the subtleness of human interaction." He continues with a clear-cut case for training that I think you will enjoy: https://www.net-security.org/article.php?id=1833&p=1
The 7 Elements Of A Successful Security Awareness Program
Ira Winkler and Samantha Manke wrote: "When we were asked to keynote a recent CSO event, it was a pleasant surprise that the top concern of the CSOs was "security culture." From performing many security assessments and penetration tests, it is sadly obvious that even the best technical security efforts will fail if their company has a weak security culture.
"It is heartwarming that CSOs are now moving past straight technological solutions and moving towards instilling a strong security culture as well. To determine the components of a truly successful security awareness program, we performed a study to identify critical success factors for building one. We interviewed security awareness practitioners at Fortune 500 companies and surveyed the security staff and general employees at the companies. Additionally, we validated the results and gathered additional information at a security executive event in the United Kingdom with more than 150 security executives participating.