CyberheistNews Vol 4, # 16 Scam Of The Week: XP Phishing Threat
KnowBe4
Stu Sjouwerman's New Security Newsletter

Editor's Corner


Scam Of The Week: Blended XP Phishing Security Threat

During the first quarter I have been warning about the coming wave of Windows XP-related scams tied to the April 8 end of life of XP. Here is what you can expect, and many variants will follow. It is important to warn your end-users about this even if they -are- running more recent versions of Windows, because they often do not know what version they are actually running and are easily scared into doing something that damages your network.

So here is the scam: cybercriminals either send phishing emails or make cold calls and claim to represent "Windows Helpdesk", "Microsoft Tech Support", the "Windows Support Group" or some other Microsoft support team.

They claim that there are no more official security patches for XP (true), refer to the Windows popup stating "Windows XP End of Support April 8th, 2014", point out that Microsoft still releases updates for Win7 and 8 (true), and claim that hackers have analyzed these updates and found new security holes in Windows XP that cannot be fixed anymore (half-truth: patches for Win7/8 can indeed be reverse-engineered to find bugs that XP shares, but that is an argument for getting off XP, not for trusting a caller). Next, the bad guys claim that they -do- have an urgent update but that they need to apply this patch manually (blatant lie: nobody at Microsoft calls you to apply a patch). The end-user is tricked into giving the scammers remote access using legitimate screen-sharing tools like join.me and others.

Once that is the case, the bad guys own the employee's workstation and can work their way into your network; on a home machine they instead try to charge hundreds of dollars to the user's credit card for the "fix". So urgently remind your users (again) of the following:

"In the office or at the house, when anyone sends phishing emails or calls claiming to be from 'Support', and claims that they need to 'update' your computer for any reason and ask for remote access, hang up the phone immediately and report the email or the call to the correct team in your organization." (Note: often these callers have foreign accents.)

Microsoft's own Safety & Security Center states that neither Microsoft nor its partners make unsolicited phone calls, but end-users often do not know this. For the rest of this year we need to be on the lookout for XP-themed scams like this. Security Awareness Training is a -must- these days. Find out how affordable this is for your own organization here:
http://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/
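The damaging step in this scam is the user installing a remote-control tool at the caller's request, so the quickest technical backstop is to alert when such a tool shows up on a machine where the helpdesk did not put it. The following is an added example, not KnowBe4's code or a vendor detection rule. It assumes your endpoint telemetry (Sysmon Event ID 1 or Windows Security Event 4688 process-creation events) has already been normalized into one JSON record per line with host, user, image and parent_image fields; the sample records, the host names and every tool name other than join.me are constructed for the illustration and should be tuned to your own fleet.

```python
"""Alert on remote-control tools launched outside the helpdesk.

Added example for the XP 'support call' scam. Input format is assumed:
process-creation events (Sysmon Event ID 1 / Security Event 4688) already
normalized to one JSON object per line. All sample data below is constructed.
"""
import json
import ntpath
from dataclasses import dataclass

# join.me is the tool named in the article; the other names are assumed
# additions and should be tuned to whatever your helpdesk actually uses.
REMOTE_TOOL_IMAGES = {
    "join.me.exe", "joinme.exe", "teamviewer.exe", "logmein.exe",
    "logmeinrescue.exe", "ammyy.exe", "anydesk.exe", "supremo.exe",
}

# A remote tool started by a browser or mail client was almost certainly
# just downloaded at a caller's instruction rather than deployed by IT.
USER_FACING_PARENTS = {"iexplore.exe", "chrome.exe", "firefox.exe", "outlook.exe"}


@dataclass
class Alert:
    host: str
    user: str
    image: str
    parent: str
    reason: str


def load_events(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events, sanctioned_hosts=frozenset()):
    """Return one Alert per remote-tool launch on a non-sanctioned host."""
    alerts = []
    for ev in events:
        # ntpath handles Windows backslash paths on any platform.
        image = ntpath.basename(ev.get("image", "")).lower()
        parent = ntpath.basename(ev.get("parent_image", "")).lower()
        host = ev.get("host", "?")
        if image not in REMOTE_TOOL_IMAGES or host in sanctioned_hosts:
            continue
        if parent in USER_FACING_PARENTS:
            reason = f"remote tool launched from {parent}: likely downloaded during a 'support' call"
        else:
            reason = "remote tool running on a host outside the helpdesk allow-list"
        alerts.append(Alert(host, ev.get("user", "?"), image, parent, reason))
    return alerts


# Constructed sample telemetry: one user who followed a caller's instructions,
# one legitimate helpdesk session, and one unrelated process start.
SAMPLE_EVENTS = r"""
{"host": "WS-ACCT-07", "user": "CORP\\jsmith", "image": "C:\\Users\\jsmith\\Downloads\\join.me.exe", "parent_image": "C:\\Program Files\\Internet Explorer\\iexplore.exe"}
{"host": "HELPDESK-01", "user": "CORP\\itadmin", "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe", "parent_image": "C:\\Windows\\explorer.exe"}
{"host": "WS-ACCT-07", "user": "CORP\\jsmith", "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe"}
"""

if __name__ == "__main__":
    for a in analyze(load_events(SAMPLE_EVENTS), sanctioned_hosts={"HELPDESK-01"}):
        print(f"[{a.host}] {a.user} ran {a.image} (parent {a.parent}): {a.reason}")
```

Run against the constructed sample, only the accounting workstation fires: join.me started by Internet Explorer, which is exactly what a user does when a "support" caller reads them a download link. The helpdesk host is on the allow-list and is ignored; matching on the executable name alone is deliberately crude, so pair it with a process-hash or publisher check before it goes into production.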

BONUS Scam Of The Week: Starbucks Gift From a Friend Phishing Emails

Love your tall latte? Better watch it, as a "friend" might send you an email with a fake Starbucks Coffee Gift offer. These emails read something like this in broken English: "Your friend just made an order at Starbucks Coffee Company a few hours ago. He pointed he is planning to make a special gift for you and he have a special occasion for that. We’ve arranged an awesome menu for that case that can really surprise you with our new flavors."

They then go on to describe the whole menu and when you can come over to celebrate the day with your friend. The only thing you need to do is (of course) open the attachment.

Granted, Starbucks does have options for people to give gifts to friends, but this phishing attack has nothing to do with that. There are several red flags: the language is broken, the emails come from hacked accounts at Yahoo and Gmail, and they are sent with "high importance."

The malicious attachment carries a variant of the ZeuS banking Trojan, attached directly without any attempt to disguise it, which installs itself as a hard-to-remove rootkit. They probably hope you get so excited about the free offer that you ignore all the warnings. Don't fall for it. Think Before You Click! For a screen shot of the email, check the KnowBe4 Blog:
http://blog.knowbe4.com/bid/383111/Scam-Of-The-Week-Starbucks-Gift-From-a-Friend-Phishing-Emails
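The red flags listed above (consumer webmail sender, "high importance" flag, an executable attached in the open) are all things a mail gateway or an analyst script can check mechanically before a user ever sees the message. The following is an added example, not KnowBe4's code: it builds a constructed look-alike of the scam message with Python's standard email library (the attachment is a stub that only carries a PE "MZ" header, not real malware, and its file name is assumed), then scores it against those flags, and scores a clean message for comparison.

```python
"""Triage an inbound .eml for the red flags in the Starbucks gift scam.

Added example; not KnowBe4's code. The sample messages are constructed
here (the attachment is a stub with a PE 'MZ' header, not real malware, and
the file name is assumed), and the checks mirror the red flags the article
lists: consumer webmail sender, 'high importance' flag, executable attachment.
"""
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar"}
# Hacked consumer accounts were the sender source named in the article.
CONSUMER_WEBMAIL = {"gmail.com", "yahoo.com", "ymail.com", "hotmail.com"}


def score_message(raw: str) -> list:
    """Return a list of human-readable red flags found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []

    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain in CONSUMER_WEBMAIL:
        flags.append(f"sender is a consumer webmail account ({domain})")

    # Outlook sets X-Priority: 1 and Importance: high for 'High importance'.
    if str(msg.get("X-Priority", "")).startswith("1") or str(msg.get("Importance", "")).lower() == "high":
        flags.append("marked high importance")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in EXECUTABLE_EXTENSIONS:
            flags.append(f"executable attachment: {name}")
        # Check content, not just the name: a renamed .exe still starts with 'MZ'.
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":
            flags.append(f"attachment {name} has a PE (MZ) header")
    return flags


def build_scam_email() -> str:
    """Constructed look-alike of the scam message, with a stub 'executable'."""
    msg = EmailMessage()
    msg["From"] = "A Friend <friend1984@gmail.com>"       # hacked webmail account
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Starbucks Coffee Gift From a Friend"
    msg["X-Priority"] = "1 (Highest)"                     # sent with 'high importance'
    msg["Importance"] = "high"
    msg.set_content(
        "Your friend just made an order at Starbucks Coffee Company a few hours ago. "
        "He pointed he is planning to make a special gift for you. Please open the attached menu."
    )
    stub = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not a real binary"
    msg.add_attachment(stub, maintype="application", subtype="octet-stream",
                       filename="Starbucks_Gift_Menu.exe")   # file name is assumed
    return msg.as_string()


def build_benign_email() -> str:
    """Constructed clean message for comparison: corporate sender, no attachment."""
    msg = EmailMessage()
    msg["From"] = "Order Desk <orders@example.com>"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Your receipt"
    msg.set_content("Thanks for your order. No action is needed.")
    return msg.as_string()


if __name__ == "__main__":
    for label, raw in (("scam", build_scam_email()), ("benign", build_benign_email())):
        print(label, score_message(raw) or ["no red flags"])
```

The content check matters more than the extension check: a gateway that only blocks .exe by name is defeated by renaming, while the MZ header is what the binary needs to run. Neither check replaces AV or sandboxing, but together they are cheap enough to run on every inbound message and would have stopped this campaign, which made no effort to hide its payload.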

Osterman Report Reveals: Only 13% Happy With Compliance Methods

We are excited to announce a new whitepaper that covers important compliance requirements that you are obligated to satisfy, provides some high level recommendations about what you can do to address these issues, and offers a brief overview of a tool that helps you to better manage these compliance problems.

The whitepaper is called "Improving the Compliance Management Process". One of the conclusions of the research is that only 13% of the organizations Osterman surveyed are "very satisfied" with the way that they manage regulatory compliance issues, despite the fact that 63% consider regulatory compliance to be "very important".

Moreover, Osterman's research found that you typically spend 19% of your compliance and audit time each year on tracking requirements and another 31% on gathering and maintaining audit evidence. Because these two activities alone consume fifty percent of your compliance efforts, improving the process of just these two requirements can save you significantly on overall compliance costs both in time and budget.

   There Is No "Unregulated" Industry

All organizations must deal with compliance obligations. These range from relatively minimal obligations that focus only on protection of certain types of records; to very strict obligations to monitor and sample employee communications, retain a wide range of record types for long periods of time, and to protect the confidentiality of highly sensitive customer information. Consequently, all organizations must satisfy varying levels of compliance obligations – the only difference between a "heavily" regulated vs. a "lightly" regulated one is in the number and invasiveness of the regulations that they must satisfy.

Organizations in some of the more regulated industries – for example, financial services, insurance, healthcare, energy, government, education and life sciences – must deal with a large and growing number of compliance obligations. A failure to satisfy these obligations can result in serious consequences, including fines, sanctions or even business closure.

Complicating the problem is the fact that there are regulations at the federal, state and local level; not to mention the variety of industry-focused and international regulations that organizations must satisfy. Moreover, many of these regulations are in a continual state of flux as regulators modify and add to the body of regulations to which organizations are subject.

   Ten Thousand Commandments

Washington set a new record in 2013 by issuing 3,659 "final" rules in the Federal Register, which means they now need to be obeyed, and 2,594 proposed rules are on their way to becoming orders from the political headquarters. And the feds aren't letting up, there are another 3,305 regulations moving through the pipeline on their way to being imposed. Source WSJ 4-16-2014:
http://online.wsj.com/news/articles/SB10001424052702304311204579505953682216682?

   Managing Compliance Is Cumbersome And Expensive

Many organizations satisfy their compliance obligations using manual processes focused on maintaining spreadsheets or using out-of-date software to help compliance managers keep the organization as close to full compliance as possible. Moreover, compliance obligations are managed with a significant amount of labor, which drives up costs beyond where they would be if a more automated and holistic approach for compliance management were available.

To understand the high cost of conventional compliance management processes, Osterman Research conducted a survey of organizations in a variety of industries. Using a subset of their survey sample to eliminate outliers, they found that the combination of labor and expenditures on tools and services totals $523.93 per employee per year, which translates to $43.66 per employee per month.

   Next Steps

Osterman Research recommends that any organization that must satisfy compliance obligations take a multi-step approach toward reducing its compliance costs and improving its ability to satisfy those obligations. The whitepaper with these steps is available for download here:
http://info.knowbe4.com/whitepaper-osterman-140414-0

Quotes of the Week

"I count him braver who overcomes his desires than him who conquers his enemies; for the hardest victory is over self." - Aristotle

"It is better to conquer yourself than to win a thousand battles. Then the victory is yours. It cannot be taken from you, not by angels or by demons, heaven or hell." - Buddha


Thanks for reading CyberheistNews! Warm Regards, Stu Sjouwerman | Email me: feedback@knowbe4.com


Phishing Scam Targets Public School District

A Michigan public school district is the focus of a phishing scheme that almost allowed unknown attackers to steal more than $163,000.

The hackers took control of the finance director's email account and used it to send a phishing email to an accounting clerk within the Caledonia Public Schools district, according to a local news station. The email asked about available balances in the schools' accounts.

Because the email came directly from the finance director's account, the clerk replied with a file containing the balances along with account numbers. Following that exchange, multiple emails directed the clerk to complete wire transactions.

After the clerk sent an $8,500 transfer, prompting a query by the finance director, the scam was discovered. Banks in both Pennsylvania and Florida were affected, and the Federal Bureau of Investigation (FBI) is looking into the case.

This almost certainly started with someone clicking on a link, which either infected a workstation or handed over the director's mailbox credentials. Note that because the requests came from the real account, no header check would have caught them; only an out-of-band call-back before any wire transfer would. Without training and constant reinforcement, people will continue to fall for social engineering attacks. Get your employees trained NOW and prevent attacks like this:
http://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/


Increased Demands On Compliance Teams

Thomson Reuters' fifth annual Cost of Compliance survey provides insights to help regulated firms with future planning, resourcing and focus.

They recently surveyed more than 600 compliance practitioners from financial services firms, including banks, brokers, insurers and asset managers, across 71 countries covering Africa, the Americas, Asia, Australia, Europe and the Middle East, building on the annual surveys of similar respondents conducted over the last five years.

A major finding of the survey was that 53 percent of compliance officers now feel their personal liability has increased, reflecting the increased focus on senior individuals at the supranational level. This perceived increase in personal liability may be one reason the cost of senior compliance officers continues to escalate.

The findings also highlighted the diverse pressures which compliance functions continue to face, with shifting supervisory expectations, no let-up in the volume of regulatory change and the start of many of the big implementation programs for major complex legislation.

"The ability to comply with confidence and transparency is integral to building trust in the financial services sector," says Chris Perry, managing director, Risk, Thomson Reuters. "Compliance leaders are being held to increased accountability amidst an ever-increasing volume of regulation, the expectation to move and comply fast, and the exposure to record fines for non-compliance, now regularly totaling in the billions. In this time of heightened scrutiny, it has never been more important that boards support their compliance function and its senior leadership with the budget, resources and tools to help ensure transparency, trust and a lasting change in behaviors throughout firms."

Download a detailed report on the survey’s findings:
http://accelus.thomsonreuters.com/special-report/cost-compliance-survey-2014


Annual ITIC 2014 Global Server Hardware and Server OS Reliability Survey

ITIC’s 2014 Global Server Hardware and Server OS Reliability Survey is live! The survey polls organizations on the reliability and security of the top server hardware and server operating system and virtualization platforms.

The survey should take only about 5 minutes to complete. All responses are confidential. As always, anyone who completes the survey AND leaves an essay comment with their contact information is eligible to win a $250 Amazon gift certificate. To be eligible to win the prizes you must leave your email address along with your comment in the comment box of the last question. No sales people will call you and we never share your information with anyone.

Once the survey results are tabulated we will post an Executive Summary in Cyberheistnews and on the ITIC Website: www.itic-corp.com. Anyone who completes the survey is eligible to receive a complimentary copy of the full Report when it’s published. All you have to do is email Laura DiDio at ldidio@itic-corp.com or Stu Sjouwerman at: stus@knowbe4.com. Here’s the link to the survey:
https://www.surveymonkey.com/s/FGQDZDY


Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

Magician Nate Staniforth performs the impossible and amazing 'Lottery Ticket Illusion.' I know how he does it - do you? It must involve a very small portable thermal printer he has tucked away on his body... LOL
http://www.flixxy.com/incredible-magic-trick-the-lottery-illusion.htm?utm_source=4

It is fascinating to look over the watchmaker's shoulders and see how a mechanical watch is made:
http://www.flixxy.com/look-over-the-watchmakers-shoulders.htm?utm_source=4

Of the seven billion people on this planet, you are the only one that has seen things from your point of view. This is a great ad for Canon cameras:
http://www.flixxy.com/no-one-sees-it-like-you.htm

How six guys in Saudi Arabia change the tires of their Toyota FJ Cruiser, while it's going down the road:
http://www.flixxy.com/how-to-change-your-car-tires-while-driving.htm?utm_source=4

Beavers are fascinating creatures. They move 3 tons of material to build their home:
http://www.flixxy.com/david-attenborough-how-beavers-build-a-lodge.htm?utm_source=4

Richard Hammond from Top Gear sets up a stunt for a Volvo 245 to jump over a line of caravans!
http://www.flixxy.com/caravan-jump-top-gear.htm?utm_source=4

Sometimes when people get into an accident they say: "The other car came out of nowhere." In Russia, it really does happen. Here is the dashcam video to prove it. I just love the Russian commenting copy. You can pretty much predict what they say:
http://www.flixxy.com/the-other-car-came-out-of-nowhere.htm?utm_source=4

Meanwhile in Russia, ingenious firemen have found a way to replace fire ladders with a platform lifted by the water pressure of six fire hoses:
http://www.flixxy.com/flying-fireman.htm?utm_source=4

This optical illusion is really fun. But as incredible as it is, you can easily re-create it yourself and amaze your friends and family:
http://www.flixxy.com/an-optical-illusion-so-amazing-you-will-have-to-try-it-yourself.htm?utm_source=4

Parkour runner Alex Van Duong and Jumpy the dog are both having a great time in the park:
http://www.flixxy.com/jumpy-the-dog-and-alex-the-parkour-runner.htm
