CyberheistNews Vol 4, # 44 Important items in this issue. Read it.



Stu Sjouwerman's New Security Newsletter

Editor's Corner


Top 5 Facebook Scams of the Week

Here is something to send to your users. Feel free to copy/paste/change.

"Facebook now has over a billion users, that's a mind-boggling thousand million people who check their page regularly. The bad guys are irresistibly attracted to a population that large, and here are the top 5 scams they are trying to pull off every day of the year.

  1. Who Viewed Your Facebook Profile: lures you with messages from friends, or sometimes malicious ads on your wall, to check who has looked at your profile. But when you click, your profile is exposed to the scammer, and worse things happen afterward.
  2. The Facebook Color Changer App: tries to trick you into personalizing your Facebook page, but it also leads you to phishing sites, deceives you into sharing the app with friends, and infects your mobile devices with malware. Stay away from it.
  3. Fake Naked Videos: there are tons of fake naked videos being posted all the time using the names of celebrities like Rihanna or Taylor Swift, and they sometimes make it past the Facebook moderators. These scams take the form of an ad or a post with a link to a bogus YouTube video. That site then claims your Adobe Flash player is broken and you need to update it - but malware is installed instead!
  4. Facebook Videos With Come-On Titles: the bad guys often use enticing titles like "Not Safe For Work" or "Scandalous" to lure you into clicking on these videos, which redirect you to phishing sites that steal your personal information.
  5. Check My Status Update To Get A Free Facebook T-shirt: messages from your Facebook friends asking you to go to their page and get a free Facebook t-shirt. It's a scam. Remove any access to rogue applications if you have clicked on something like this.

Facebook is what it is: there simply is no way to change the colors of your profile or change the theme. Stay away from such messages if you want to avoid getting your PC infected with malware. As an additional reminder, do not click on anything to do with Ebola. The bad guys are now offering free toolbars that will supposedly warn you when Ebola pops up in your town, but it's malware being installed instead. Do not fall for it: Think Before You Click!

How Did Russians Hack The White House?

The White House told the press this week that its Executive Office of the President (EOP) network was hacked a few weeks ago, and pooh-poohed the data breach by pointing out that it was "only" an unclassified network and the hackers were committing "fairly standard espionage." Yeah, sure.

The fact an unclassified White House network has been penetrated is an epic fail, and that they are downplaying the hack indicates it is probably a lot worse than they are admitting. To add insult to injury, they did not even know until a friendly foreign government told them about the compromise. Ouch.

It's likely that this hack was a staging area so the hackers could get into a classified network, potentially using something similar to the AirHopper keylogger which allows bridging the air gap using FM radio signals. Here is a video that demonstrates this very scary new technology:
https://www.youtube.com/watch?v=2OzTWiGl1rM

Part of the mitigation procedures included White House staffers having to change their passwords, and some intranet and VPN access was being shut off temporarily. Their email systems seem to have been shut down for a while as well, while responding to the breach.

The Washington Post reported that Russian hackers may be to blame, which is an educated guess at this point, but very likely spot on. The Post report goes on to mention recent hacking campaigns that have targeted NATO, the Ukrainian government and US defense contractors – and draws a parallel with those incidents.

The FBI, Secret Service and National Security Agency are all involved in the investigation. White House officials are not commenting on who was behind the intrusion or how much data, if any, was taken.

It's not the first time that Russian intelligence has breached U.S. networks. In 2008, a Defense Department staffer picked up an infected USB stick and stuck it in a workstation connected to a military classified network. In 2012, Chinese hackers breached the White House network using a phishing attack that gave them access.

Graham Cluley over at ESET noted that "If the White House attack is linked to other recent attacks against nation states, that could implicate... the [Russian] Sandworm cyber-espionage gang who have been using highly targeted email attacks to infect victims’ systems with the BlackEnergy Trojan horse.

"Last month, ESET researchers Robert Lipovsky and Anton Cherepanov gave a presentation at the Virus Bulletin conference in Seattle, detailing how the BlackEnergy Trojan has evolved over time from having simple DDoS functionality to exploit Word and PowerPoint vulnerabilities and incorporate the ability to spy on targeted computers." Here is their presentation:
https://www.virusbtn.com/conference/vb2014/abstracts/LM3-LipovskyCherepanov.xml

So, how did the attackers get in? Highly likely spear-phishing. A recent report from April 2014 shows that 56% of employees in large enterprises and government still receive NO security awareness training. The data comes out of an interesting survey from the folks at Enterprise Management. According to employee responses in the survey report:
- 30% leave mobile devices unattended in their vehicle
- 33% use the same password for both work and personal devices
- 35% have clicked on a link in an email from an unknown sender
- 58% have sensitive information on their mobile devices
- 59% store work information in the Cloud

They said: "Some of the reported behaviors present inherent risks, while others depend on contributory factors like the failure to use device or data encryption. Insights into why employees make risky choices are revealed in two other report findings. Fifty-six percent of corporate employees, excluding security and information technology staff, have not had security or policy awareness training from their organization, while 45% of employees received training in one annual session. Without the foundation of on-going security awareness training, employees don’t receive the critical security information they need to make secure choices." We have seen the result in a continuous stream of data breaches, and now at the very highest level.

PCI Publishes Guidance on Security Awareness Programs

The Payment Card Industry Council thinks Security Awareness Training is so important that they just published a 25-page guidance paper that fully explains the why, how and what of awareness training programs. And they start out with: "In order for an organization to comply with PCI DSS Requirement 12.6, a formal security awareness program must be in place."

The PCI Security Standards Council (PCI SSC) was founded in 2006 by payment card companies American Express, MasterCard, Visa, Discover and JCB International, and was tasked with educating merchants and other involved parties handling cardholder data, on the PCI Data Security Standard (PCI DSS), so that compliance could and would be enforced more easily.

Troy Leach, the CTO of PCI SSC, said in a statement: "PCI Standards emphasize the importance of people, process and technology when it comes to protecting payment information. This guidance can help businesses focus on the 'people' part of the equation and build a greater culture of security awareness and vigilance across their organizations."

I was happy to read it, because they got it totally right. The PCI council took their time, discussed with their Special Interest Group (SIG) and came out with a well thought-through, measured and actionable guide which helps you to get a program in place.

One section highlights the whole message: "One of the biggest risks to an organization’s information security is often not a weakness in the technology control environment. Rather it is the action or inaction by employees and other personnel that can lead to security incidents—for example, through disclosure of information that could be used in a social engineering attack, not reporting observed unusual activity, accessing sensitive information unrelated to the user’s role without following the proper procedures, and so on."

It was encouraging to see that using KnowBe4's Kevin Mitnick Security Awareness Training program, you can fully comply with the PCI requirements. Here is the PDF, downloadable from KnowBe4's content delivery network at Amazon Web Services. Home Depot, are you listening?
https://s3.amazonaws.com/knowbe4.cdn/pci_security_awareness_program_23537.pdf

Quotes of the Week

"Do not lose hold of your dreams or aspirations. For if you do, you may still exist but you have ceased to live." - Henry David Thoreau, (Author, Philosopher, 1817 - 1862)

"The price of originality is criticism. The value of originality is priceless." - Vala Afshar, CMO of Extreme Networks

Thanks for reading CyberheistNews! Please forward to your friends.

You can read CyberheistNews online at our Blog!:
http://blog.knowbe4.com/bid/399144/CyberheistNews-Vol-4-43-CryptoWall-Ransomware-Claims-Fresh-Victims

Warm Regards, Stu Sjouwerman | Email me: feedback@knowbe4.com

PCI DSS 3.0 Compliant in Half the Time at Half the Cost

It's time to get and stay PCI DSS 3.0 compliant.

Now that the new 3.0 standard goes into effect, it's a great time to start using a new tool that will save you half the time and half the cost of becoming compliant: KnowBe4 Compliance Manager 2015.

It comes with a pre-made PCI DSS 3.0 template that you can immediately use to get compliant and maintain compliance in a business-as-usual process.

Escape from Excel-hell!

Most organizations track PCI compliance using spreadsheets, MS-Word, or proprietary self-maintained software. This is inefficient, error prone, costly, and a risk in itself. Get and stay PCI DSS 3.0 compliant in half the time and at half the cost with KnowBe4 Compliance Manager™.

Get a short, live web-demo, and we will show you how easy and affordable this is! http://info.knowbe4.com/_kcm_pci_30-14-11-04


Free Novella That Truthfully Describes Pentesting

Want to give your management a good idea of how whitehat pentesting works? In the form of a novella that is entertaining and can be read in an hour? At no cost? Go to Amazon and download: Social Engineer: A Brody Taylor Novella. Warmly recommended as a warm-up to a full-length novel, the first of a series I am looking forward to reading. Sutherland is able to weave real-life social engineering tactics into a compelling storyline:
http://www.amazon.com/Social-Engineer-Taylor-Novella-Thriller-ebook/dp/B00MD20GUW/


6 Ways to Stop Criminal Attackers in Their Tracks

In the wake of a string of high-profile data breaches such as Dairy Queen, JP Morgan Chase, AT&T and Home Depot, enterprises need to be ever vigilant to fend off bad actors. Exabeam offers tips on what CSOs and CISOs can do to prevent these breaches. This is a good short slide show!
http://www.networkworld.com/article/2839607/security0/6-ways-to-stop-criminal-attackers-in-their-tracks.html


FBI: List of Purchase Order Scam Victims Growing Rapidly

Nigerian organized crime has moved far beyond the old 911 scam and has gone pro. Increasingly, they are behind purchase order frauds which use fake or stolen e-mail addresses to deceive retailers. To get the stolen goods out of the country, they dupe people who are looking for "work-from-home" opportunities into re-shipping the goods to Nigeria.

The FBI on October 28 updated a warning that they issued a month earlier: Nigerian-based cyber criminals use a combination of social engineering, e-mail spoofing, and phishing to increase attacks that scam retailers out of their merchandise, everything from laptops and routers to industrial equipment, often using schools as bait.

More than 85 entities like companies and universities nationwide were used in this type of what the FBI calls "invoice fraud". About 400 incidents have targeted some 250 vendors, and almost $5 million has been lost up to now.

Per the FBI, the scam has several variations, but basically it works like this:

  • The criminals set up fake websites with domain names almost identical to those of real businesses or universities. They do the same for e-mail accounts and also use telephone spoofing techniques to make calls appear to be from the right area codes.
  • Next, the fraudsters—posing as school or business officials—contact a retailer’s customer service center and use social engineering tactics to gather information about the organization’s purchasing account.
  • The criminals then contact the target business and request a quote for products. They use forged documents, complete with letterhead and sometimes even the name of the organization’s actual product manager. They request that the shipments be made on a 30-day credit—and since the real institution often has good credit, vendors usually agree.
  • The criminals provide a U.S. shipping address that might be a warehouse, self-storage facility, or the residence of a victim of an online romance or work-from-home scam. Those at-home victims are directed to re-ship the merchandise to Nigeria and are provided with shipping labels to make the job easy.
  • The vendor eventually bills the real institution and discovers the fraud. By then, the items have been re-shipped overseas, and the retailer must absorb the financial loss.

What To Do About It

Talk to your shipping department right away! The Nigerians have gotten very good at this, but you can spot and prevent this crime, according to a statement from FBI Special Agent Paula Ebersole: "The most important thing is to independently verify shipping addresses," she said, "no matter how legitimate a website or e-mail looks." More at the FBI:
http://www.fbi.gov/news/stories/2014/october/cyber-crime-purchase-order-scam-leaves-a-trail-of-victims/
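To make Agent Ebersole's advice concrete for an order desk, here is an added example (my own, not from the FBI or KnowBe4) of a small screening check a vendor could run on an incoming purchase order before extending credit. It encodes two points from the FBI description: a sender domain that is a near-miss of a real institution's domain is a red flag, and the ship-to address is compared against addresses the vendor already has on file, never taken from the PO itself. The customer records, domains, addresses and orders are all constructed sample data.

```python
"""Purchase order screening check: an added example, not code from the
newsletter or the FBI.  All customer records and orders are constructed."""

from dataclasses import dataclass

# Constructed "customer master" data: what the vendor already knows about
# each real institution, obtained out of band (existing contract, a phone
# number on file), not from the incoming purchase order.
KNOWN_CUSTOMERS = {
    "Example State University": {
        "domains": {"example-state.edu"},
        "ship_to": {"1 Campus Drive, Springfield"},
    },
}

# Credit terms the FBI says the fraudsters typically request (constructed list).
CREDIT_TERMS = {"net 30", "net30", "30-day credit"}


@dataclass
class PurchaseOrder:
    institution: str     # organisation the PO claims to come from
    sender_domain: str   # domain of the e-mail address the PO arrived from
    ship_to: str         # delivery address given on the PO
    payment_terms: str   # e.g. "net 30"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss (lookalike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize_address(addr: str) -> str:
    """Case- and punctuation-insensitive form for address comparison."""
    return " ".join(addr.lower().replace(",", " ").split())


def screen_order(po: PurchaseOrder, customers=KNOWN_CUSTOMERS) -> list:
    """Return a list of red flags for the order; empty means nothing obvious."""
    flags = []
    record = customers.get(po.institution)
    if record is None:
        flags.append("unknown institution: verify before extending credit")
        return flags

    domain = po.sender_domain.lower()
    if domain not in record["domains"]:
        closest = min(record["domains"], key=lambda d: edit_distance(domain, d))
        if edit_distance(domain, closest) <= 2:
            flags.append(f"lookalike sender domain {domain!r} (resembles {closest!r})")
        else:
            flags.append(f"sender domain {domain!r} not on file for {po.institution!r}")

    on_file = {normalize_address(a) for a in record["ship_to"]}
    if normalize_address(po.ship_to) not in on_file:
        flags.append(f"ship-to address {po.ship_to!r} not on file: "
                     "confirm by phone using a number already on record")

    # Credit terms alone are normal; combined with other flags they fit the
    # pattern the FBI describes, so escalate rather than ship.
    if flags and po.payment_terms.lower() in CREDIT_TERMS:
        flags.append("30-day credit requested alongside other red flags: hold shipment")
    return flags


if __name__ == "__main__":
    legit = PurchaseOrder("Example State University", "example-state.edu",
                          "1 Campus Drive, Springfield", "net 30")
    suspect = PurchaseOrder("Example State University", "examp1e-state.edu",
                            "Unit 12, Self Storage Lane, Anytown", "net 30")
    for po in (legit, suspect):
        print(po.sender_domain, "->", screen_order(po) or ["no flags"])
```

The check is deliberately conservative: it never clears an order on its own, it only tells the order desk which ones need a phone call to a number already on file before anything ships.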


Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

Your 2-Minute Virtual Vacation. Take a trip to eight European cities in this pretty cool timelapse video, and try to NOT look at the girl!:
http://www.flixxy.com/europe-trip-hyperlapse.htm?utm_source=4

And here is another wonderful way to get some space. The Albuquerque Balloon Fiesta - the largest hot air balloon event in the world. Watch it Full Screen in HD!:
http://www.flixxy.com/albuquerque-balloon-fiesta-2014-timelapse-short-film.htm?utm_source=4

It's the old sawed-in-half-girl in a new jacket (oil drums). Still interesting to watch and find out how the heck they do it...
http://www.flixxy.com/magic-at-cabaret-television-show-in-istanbul-turkey.htm?utm_source=4

The current flying car prototype AeroMobil 3.0 is now being tested in real flight conditions. I want one but these puppies don't have space for my 6 foot 5 frame! Bummer.
http://www.flixxy.com/the-aeromobil-3-flying-car-has-arrived.htm?utm_source=4

Cirque Du Soleil presents a preview of 'Alegria' at the French television show 'The World's Greatest Cabaret' hosted by Patrick Sebastien: These gals are made from rubber:
http://www.flixxy.com/cirque-du-soleil-alegria.htm?utm_source=4

John Varney of TED-Education explains how a circle is a much more intuitive way to represent rhythm. This is quite interesting!: http://www.flixxy.com/a-different-way-to-visualize-rhythm.htm?utm_source=4

57 skydivers link hands in an elaborate formation as they fall through the air at 180 mph, setting a new world record:
http://www.flixxy.com/skydivers-world-record-jump.htm?utm_source=4

Damian and Tim of the pop group OK Go discuss the making of the music video for 'I Won't Let You Down.'. Fascinating, wait till the end, a monster sized human-created digital display! I have watched this several times:
http://www.flixxy.com/i-wont-let-you-down-by-ok-go-music-video-making-of.htm?utm_source=4

It was a fun day at KnowBe4. We broke all sales records in the book and we still had time for a parade / Starbucks run:
http://www.knowbe4.com/halloween_2014/

NASA rocket explodes during launch at Wallops Island: "Everyone maintain position at your console". Elon Musk: "These are rocket engines made in the sixties."
https://m.youtube.com/watch?v=xF_YCj99VXk

Full moon rising over Mount Victoria Lookout in Wellington, New Zealand. Look at the speed of that thing!:
http://www.flixxy.com/full-moon-rising-in-real-time.htm?utm_source=4

Out of the archives: Rita Hayworth and her co-stars are dancing to "Stayin' Alive" in this brilliantly edited compilation from her most popular movies:
http://www.flixxy.com/rita-hayworth-dancing-to-stayin-alive.htm?utm_source=4
