CyberheistNews Vol 3, 33
KnowBe4 - Stu Sjouwerman's New Security Newsletter

Editor's Corner

Scam Of The Week: "Held For Ransom"

You should alert your users that a particularly effective scam has been growing by leaps and bounds recently. It's not new, but it has burst into mainstream cybercrime over the last few weeks. The scam takes over the full screen of the PC, stating that the FBI has locked that PC until a fine is paid. The PC may look locked down, but it was a cybercriminal who did that, not the Feds. The KnowBe4 Blog has a picture of what this scam screen looks like:
http://blog.knowbe4.com/bid/326395/Scam-Of-The-Week-Held-For-Ransom

What to do: Do NOT PAY; this is malware on the PC. Treat it like malware and clean that system. The bad guys have found this is a scam that works really well for them. Scared PC users are often willing to pay hundreds of dollars to avoid getting in hot water with the FBI. More than $5 million per year is extorted from victims. If it's a PC in the office, call IT. If it's a PC at the house, here is a video from security company Symantec on how to remove this for free:
http://www.youtube.com/watch?v=_dKBXeoLIFo

Another thing to do is get security awareness training, because in the vast majority of cases the infection happened because the victim clicked on a link they shouldn't have:
http://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/

$1.5 Million Cyberheist Bankrupts Escrow Firm

Been tellin' ya. Brian Krebs has an example that will send shivers down your spine: "A $1.5 million cyberheist against a California escrow firm earlier this year has forced the company to close and lay off its entire staff. Meanwhile, the firm's remaining money is in the hands of a court-appointed state receiver who is preparing for a lawsuit against the victim's bank to recover the stolen funds.

The heist began in December 2012 with a roughly $432,215 fraudulent wire sent from the accounts of Huntington Beach, Calif. based Efficient Services Escrow Group to a bank in Moscow. In January, the attackers struck again, sending two more fraudulent wires totaling $1.1 million to accounts in the Heilongjiang Province of China, a northern region in China on the border with Russia.

Davidson said he’s stumped over why the bank didn’t bat an eyelash when the company’s money started moving overseas. "This is one of the big issues we have with the bank," Davidson said. "This company had never sent wires overseas before. Why not pick up the phone and confirm the transaction? That’s where I think the bank may have some problems."

Efficient Services is not the only escrow firm in California to be hit with a cyberheist this year. A recent bulletin from the California Department of Corporations indicates at least one other company was attacked this year to the tune of almost $1 million." Here's the whole story at Brian Krebs' site:
http://krebsonsecurity.com/2013/08/1-5-million-cyberheist-ruins-escrow-firm/

White House Considers Incentives For Cybersecurity

The White House is considering incentives, including cybersecurity insurance, grants, and liability limits, in order to get organizations in the private sector on board with investing in cybersecurity. This is interesting to follow, as it just might give you more budget and/or resources. The only risk, of course, is complacency: "Oh, IT security is not -that- important, we are insured after all..." Here's the story at the CSO site:
http://www.csoonline.com/article/737795/white-house-considers-incentives-for-cybersecurity?

Quotes of the Week

"How did you go bankrupt?" "Two ways. Gradually, then suddenly." - Ernest Hemingway

"There are few experiences in life as painful and brutal as the failure of a small business. For a small business conceived and nurtured by its owner is like a living, breathing child. Its loss is no less traumatic than losing a loved one." - William Manchee


Thanks for reading CyberheistNews! Warm Regards, Stu Sjouwerman | Email me: feedback@knowbe4.com

Which Security Awareness Training Has The Best Results?

A new whitepaper from Osterman Research shows which of the 5 types of awareness training has the best results.

Well over 200 organizations were asked questions about their awareness training, malware infiltration, and whether their problems with phishing were getting worse, staying the same, or getting better. The research showed that an organization's Security Awareness Confidence Score varies significantly depending on the type of awareness training it uses.

Download this whitepaper and find out which awareness training approach correlates with improvement of the phishing problem.
http://info.knowbe4.com/whitepaper-osterman-130806

Ex-FBI Official Claims Remote Activation Of Mic On Android

The Wall Street Journal reported that the FBI employs a number of high-tech hacker tactics in its effort to collect information on suspects, including the ability to remotely activate the mic on Android devices and notebook computers. The source cited is a "former U.S. official." According to the WSJ, this hacker tool and many others are used to collect evidence in cases related to organized crime, counterterrorism or child pornography.

The FBI gets these tools by both buying them and building them. FBI hacking under court order has increased in recent years, as law enforcement officials try to find their way around high-tech gear that's more resistant to old-time wiretapping. For obvious reasons the FBI does not want the general public to know how they do this, but a warrant dated early 2013 revealed they were using a computer's built-in camera to take photos of a suspect without their knowledge. Any run-of-the-mill PC remote access Trojan can do that, but turning on the mic on Android is a trick that is new for most people. More:
http://online.wsj.com/article_email/SB10001424127887323997004578641993388259674-lMyQjAxMTAzMDAwMTEwNDEyWj.html

DEF CON Attendees Demonstrate Social Engineering Prowess

Last week may have been the largest gathering of novice and professional social engineers in North America. As chance (and a pre-planned schedule) would have it, CSO got the chance to watch them in action. Their observations were made while wandering around DEF CON, as well as within the Social Engineering Village, home to the Social Engineering Capture the Flag (SECTF) contest, run by Chris Hadnagy of Social-Engineer Inc. This is a fun and interesting article:
http://www.csoonline.com/article/2133816/social-engineering/def-con-attendees-demonstrate-social-engineering-prowess-in-ctf-contest.html

See my business partner Kevin Mitnick do a live hack and social engineering demo at the recent DEF CON in Vegas. The video starts at 5:20... Heads-up: the ending is a bit NSFW (some strong language from the person filming).
http://www.youtube.com/watch?v=DB6ywr9fngU#t=5m20s

Which Sectors Are High Data Breach Targets?

Government Computer News reported that: "Americans are feeling more secure these days, according to the most recent Security Index released by Unisys Corp. But more than 60 percent of those surveyed said they are very or somewhat concerned about the risk of government data breaches that could expose their personal information. According to the snapshot of the nation’s sense of security produced by Lieberman Research Group, the overall index now is at 120, a moderate level of concern, which is down from 131 one year ago and at the lowest level since the surveys began in 2007. The index of concern peaked at 164 in 2011. Financial security tops the list of worries, driven by concerns of identity theft and bank card fraud, trumping concerns over personal, national and Internet security." Check out the graph and see if you are in a danger zone:
http://gcn.com/research/2013/08/data-breach-threats-by-sector.aspx

August version of SANS OUCH!

SANS announced the August issue of OUCH! This month, led by their Guest Editor James Tarala, they cover two-step verification: what it is, how it works and why you should use it. As always, they encourage you to download and share OUCH! with others. English version (PDF):
http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201308_en.pdf

Black Hat Hacker Claims He Can Make $15K To $20K An Hour

"During an AmA (Ask me Anything) on Reddit’s /r/netsec, a Black Hat Hacker under the (albeit fitting) username throw4way1945 explained the process of running his 3 million PC botnet, which he calls the Black Shadow Project. Offering an inside look at a system built on nefarious schemes like spamming and phishing, throw4way1945's day sounds oddly enough like business as usual.

"After spending three years coding his system, throw4way1945 says he regularly manages his botnet and a smaller, 10,000-bot Android system. Clients pay for services, like 1 million spam messages sent in 50,000-chunk blocks for $150, as well as DDoS attacks on their targets of choice. The hacker says that he sends out 90 million spam emails a day to “anyone and everyone.” This is an eye-opening bit of data, dang. More:
http://gigaom.com/2013/08/07/black-hat-hacker-describes-how-he-makes-15k-to-20k-an-hour/

Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

The best costumes from the San Diego Comic Book Convention 2013 (Part 2). After all who doesn't want to be a superhero? Watch it twice. I wanna go!:
http://www.flixxy.com/comic-con-2013-part-2-i-just-want-to-be-a-superhero.htm

People are awesome and brilliant with abilities that are amazing and somewhat out of this world. Here's a bunch of fun & exciting GoPro shots:
http://www.flixxy.com/humans-are-awesome.htm

This Guy Is 3-D Printing a Classic Aston Martin … That Runs:
http://www.wired.com/autopia/2013/07/3d-printed-aston-martin/

Chris Ziegler travels from Los Angeles to San Francisco to put the Tesla Model S electric sedan through its paces. I (really) want one:
http://www.flixxy.com/driving-the-tesla-model-s-in-the-real-world.htm

This Is How You Build a Fully Functional 9-Foot Mech:
http://www.wired.com/underwire/2013/08/making-the-wired-mech/

Need to fend off end-users on a regular basis? Check out this knuckle-duster coffee mug!:
http://fancy.com/things/143691667910693349/Knuckle-Duster-Mug?ref=ffemail

One of the best videos I've seen on a unique approach to behavior change. As a bonus learn why/how to lower your household electricity bills!:
http://www.ted.com/talks/alex_laskey_how_behavioral_science_can_lower_your_energy_bill.html

How can you make the song 'YMCA' even better? Have the Lord of the Rings characters sing it. LOL:
http://www.flixxy.com/ymca-as-sung-by-lord-of-the-rings-characters.htm

A fire-fighting airplane cools off a traffic accident in Labrador, Canada: Talk about a cold shower...
http://www.flixxy.com/fire-fighting-airplane-cools-off-traffic-accident.htm
