CyberheistNews Vol 10 #20 [Scam of the Week] Unemployed Americans Are Now Deceived Into Grabbing ‘Remote Jobs’ as Money Mules

CyberheistNews Vol 10 #20
[Scam of the Week] Unemployed Americans Are Now Deceived Into Grabbing ‘Remote Jobs’ as Money Mules

There are now tens of millions of people suddenly unemployed, looking for ways to make ends meet.

Low-life cyber scum started exploiting the skyrocketing number of these pandemic layoffs to recruit new money mules which can later be used to help them launder money gained from illicit activities.

Some phishing messages discovered by PhishLabs researchers are trying to convince targets from Canada and the United States who might have lost their jobs due to the COVID-19 outbreak to start working from home, promising them 5,000 dollars per month.

The potential victims are not provided with any other info regarding what the remote jobs require but are instead asked to request more info via email.

Personal Assistant Jobs Used as a Lure

Others impersonate Wells Fargo Human Resource (HR) representatives who are supposedly recruiting remote workers from across the United States to take up personal assistant positions that require running errands and doing personal chores.

"Our great company is now short of staff because of the current pandemic outbreak in the works which is very sad," the fraudsters say. "This is a part time job if you interested let us know by your response to this message." If the unemployed victim will accept the crooks' job offer, they will be sent to run a series of common errands the PhishLabs report explains.

However, "[a]t some point, after the cybercriminal has ideally established trust and credibility, the victim will be given the task of moving funds that, unbeknownst to them, are stolen."

These scammers indiscriminately prey on any unemployed individuals who have lost their job during the pandemic and are exposing the accidental money mules to very serious legal consequences that could lead to prison time and fines of hundreds of thousands of US dollars.

"Money mules may be witting or unwitting accomplices who receive ill-gotten funds from the victims and then transfer the funds as directed by the fraudsters," according to a US Department of Justice press release.

"The fraudsters enlist and manipulate the money mules through romance scams or 'work-at-home' scams, though some money mules are knowing co-conspirators who launder the ill-gotten gains for profit," by draining the funds into other accounts that are difficult to trace.

There are now tens of millions of people unemployed, looking for ways to make ends meet:

FBI: Accidental Money Mules Are Still Criminals

Money mule operations used by business email compromise (BEC) and other cybercrime schemes to launder their ill-gotten money can, at times, recruit hundreds of money mules.

They are later organized in international money laundering networks that, eventually, get hunted down by law enforcement and prosecuted.

Last month, the FBI also warned about cyber criminals behind money mule scheme increasingly exploiting the public fear and uncertainty surrounding the COVID-19 pandemic.

"Acting as a money mule—allowing others to use your bank account, or conducting financial transactions on behalf of others—not only jeopardizes your financial security and compromises your personally identifiable information, but is also a crime," the FBI informed.

"Protect yourself by refusing to send or receive money on behalf of individuals and businesses for which you are not personally and professionally responsible."

What to Do About It

I strongly recommend you send the following to your employees, friends and family, they all will know someone who suddenly got unemployed. Feel free to copy/paste/edit:

"A new job scam is doing the rounds, preying on people that want to make 5,000 dollars a month doing work from home. It sounds like a great deal, but this scam is run by criminals that will try to use their victims for money laundering. If you get an email claiming you can make this much money to make ends meet since you or a family member was laid off due to the coronavirus pandemic, use your delete key. In general, be very careful with any Internet "work from home" schemes, many of these are fraudulent. Do not give out any personal information to these criminals and warn your family members and friends."

For KnowBe4 customers, check the new Coronavirus/COVID-19 Phishing category, we now have 5,387 unlimited-use templates in our platform at the moment. New-school security awareness training will make sure that people are inoculated against scams like this.

Please send this blog post to your friends (has links and example screenshots):
[NEW WEBINAR] Your Ransomware Task Force: Response, Recovery, and Remediation Tips From the Pros

When you realize your organization has been hit with a ransomware attack there are a few things that need to happen. One… take a deep breath. Two… contain the damage. And three… initiate your recovery plan IMMEDIATELY.

To help you prepare for a rapid response Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, is moderating a two-part series where he’ll interview two seasoned, hands-on ransomware and data loss professionals.

Earn CPE Credit for attending.

Session 1 – Critical Steps for Responding to a Ransomware Attack

Join us on Wednesday, May 13 @ 2:00 PM ET when Roger interviews John Mullen, of Mullen Coughlin LLC. John has served as a “Breach Coach” to thousands of affected organizations to help them contain and investigate ransomware attacks.

In this session you’ll learn:
  • The number one mistake most ransomware victims are making today
  • When you need to call a “Breach Coach” and what they can do to help
  • Rapid response steps you need to take when your organization gets hit
  • Why new-school security awareness training is more critical than ever before
Date/Time: TOMORROW, Wednesday, May 13 @ 2:00 PM ET

Save Your Spot:

Session 2 – Ransomware Expert Guide: Extortion, Crisis Management, and Recovery

Join us on Wednesday, May 20 @ 2:00 pm ET when Roger interviews Bill Hardin of Charles Rivers Associates. Bill specializes in forensics. He’s the guy that comes in to figure out what happened, secure the environment and perform containment/eradication, restore operations back to normal and more.

In this session you’ll learn:
  • Of the thousands of cyber events Bill has investigated what is different in 2020
  • Tactics and techniques your security team can use to hunt within your environment
  • Bill’s top 3 takeaways regarding ransomware recovery
  • How to enable your users to spot suspicious attacks before they affect you
Date/Time: Wednesday, May 20 @ 2:00 pm ET

Save Your Spot:
How Bad Guys Deceive High-Rank Executives to Give Them Access to Your Office 365 accounts: PerSwaysion

Researchers at Group-IB have discovered a sophisticated spearphishing campaign that’s targeted executives at more than 150 companies around the world since mid-2019. The researchers have named the campaign “PerSwaysion” because the attackers abused the Microsoft Sway presentation program. The attackers seem particularly adept at using social engineering against multiple employees as part of the same attack.

“One of the defining signatures of PerSwaysion is that it spreads like wildfire jumping from one victim to another while no malware is present on a user device during the attack,” the researchers write. “New round of phishing attempts leveraging current victim’s account usually takes less than 24 hours.

The campaign resulted in a compromise of 156 high-ranking officers in global and regional financial hubs such as the US, Canada, Germany, the UK, Netherlands, Hong Kong, Singapore, and other locations.”

The campaign primarily targets executives, since these employees offer the most value from a social engineering perspective. Importantly, the phishing emails are sent from the real email account of someone the recipient knows—often an executive in another organization.

“The threat actors leverage perfectly orchestrated social engineering technique by ‘persuading’ people holding significant corporate positions to open a non-malicious PDF email attachment coming from an authentic address in their contacts,” Group-IB says.

The PDF contains a convincingly-spoofed Office 365 notification instructing the victim to click a link to read a document. Clicking this link takes the victim to a Microsoft Sway presentation that similarly poses as a notification from Office 365, and leads to a phishing site designed to steal their Microsoft account credentials.

Once the attackers have compromised an executive’s account, they quickly identify the victim’s business contacts and stealthily send them phishing emails from the victim’s account. The researchers emphasize the sophistication of this operation and highlighted the measures the attackers took to fool their victims.

“PerSwaysion campaign is a living example of highly specialized phishing threat actors working together to conduct effective attacks on high ranking officers in large scale,” said Feixiang He, a Senior Threat Intelligence analyst at Group-IB. “They adopt multiple tactics and techniques to avoid traffic detection and automated threat intelligence gathering, such as the use of file-sharing services and web application hosting from reputable vendors.

The campaign pursues non-trivial counterintelligence methods, for example, randomizing malicious JS file names and fingerprinting victim browsers and rejecting repeated visits. Such measures taken by cybercriminals seeking to garner sensitive corporate information requires non-standard approach to their detection and response.”

Executives at any organization are more likely to be targeted by sophisticated social engineering attacks. New-school security awareness training can provide all of your employees with an appropriate level of training for the threats they’re likely to face.

Group-IB has the story:
[NEW PhishER Feature] Remove, Inoculate, and Protect Against Email Threats Faster With PhishRIP

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic can present a new problem!

PhishRIP as part of the PhishER platform is a new email quarantine feature that integrates with Microsoft Office 365 to help you remove, inoculate, and protect your organization against email threats so you can shut down active phishing attacks fast.

Since user-reported messages require some level of analysis to prioritize, you need a simple and effective way to not only respond to and mitigate these reported messages, but also find and remove those suspicious messages still sitting in your users’ mailboxes.

Now you can with PhishER, a product which allows your Incident Response team to quickly identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us Wednesday, May 27 @ 2:00 PM (ET) for a live 30-minute demonstration of the PhishER platform. With PhishER you can:
  • NEW! Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft Office 365
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Augment your analysis and prioritization of user-reported messages with PhishML, PhishER’s machine-learning module
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: Wednesday, May 27 @ 2:00 PM (ET)

Save My Spot!
Fake Zoom Downloader Is the Latest Method of Attack on Remote Workers

Riding on the coattails of the massive rise in popularity in the video conference solution, remote workers new to Zoom need to be wary of where they download the installer.

We’ve written before about the various types of Zoom-related attacks that have sprouted up over the last two months. The latest chapter in this saga involves an actual Zoom installer laden with backdoor malware. Available on malicious third-party sites (and not from Zoom’s official website), these installers are offered up using phishing emails and spam campaigns designed to direct potential victims to these alternative installers.

The compromised installer does deliver an installation of Zoom, but also installs the remote access trojan (RAT) WebMonitor, giving attackers remote access to an infected endpoint via a web browser.

This kind of attack isn’t new, but the rise in necessity and popularity of video conferencing solutions makes Zoom the perfect brand to leverage.

To avoid becoming a victim, the simple answer here is to remind your users to do these two things:
  1. Don’t act on unsolicited emails about software updates, even if they seem pertinent.
  2. Only download software from the official website, if at all.
Users undergoing security awareness training already understand the importance of these two simple best practices. But with so many other types of attacks that seek to trick users into participating, it’s important for users to be continually educated to ensure they don’t make these small understandable mistakes with huge ramifications.

Here is the blog post:
[Heads-Up] Re-Check Your Email Attack Surface Now.

Your users are your largest attack surface. Data breaches are getting larger and more frequent. Bad guys are getting smarter every year. Add it all up and your organization's risk skyrockets with the amount of your users' credentials that are exposed.

It's time to re-check your email attack surface.

Find out your current email attack surface now with KnowBe4’s Email Exposure Check Pro (EEC). EEC Pro identifies your at-risk users by crawling business social media information and also thousands of new breach databases.

EEC Pro leverages one of the largest and most up-to-date breach data sources to help you find even more of your users’ compromised accounts that have been exposed in the most recent data breaches - fast.


Get your EEC Pro report in less than 5 minutes! It’s often an eye-opening discovery. You are probably not going to like the results...

Send Me My Report!

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Is it crazy how saying sentences backwards creates sentences saying how crazy it is? :-D
Quotes of the Week
"Life is like a ten-speed bicycle. Most of us have gears we never use."
- Charles M. Schulz, Cartoonist (1922 - 2000)

"Life is without meaning. You bring the meaning to it.
The meaning of life is whatever you ascribe it to be. Being alive is the meaning."

- Joseph Campbell, Author (1904 - 1987)

Thanks for reading CyberheistNews

Security News
Some Phishers Who Know Their Trade

Researchers at Votiro have come across well-crafted phishing emails that purport to come from UPS, FedEx, and DHL. All of the emails contain malicious Excel attachments that will install ransomware on the victim’s computer.

The spoofed emails appear to be sent from legitimate servers belonging to UPS, FedEx, and DHL, and they instruct the recipients to open the attachment to view an invoice. They use legitimate-looking branding and contain links to the companies’ real websites.

“The attacker wanted to make a phishing email appear as if it came from either FedEx, UPS, or DHL by injecting their servers into the header of the messages,” the researchers explain. “Even a well-trained person could be fooled by this phishing attack, as it makes the email sender appear to be legitimate.”

People should be suspicious of any unsolicited email that tells them to open an attachment, no matter how convincing it looks.

“People and businesses – even people who are aware of phishing emails – are susceptible to this email campaign,” the researchers state. “This email campaign was missed by SaaS email protection providers because the macro was both hidden and too novel to be included in existing signature databases.

As of 2pm ET on May 5th, 2020, VirusTotal reports several email protection services that would still miss the UPS and FedEx email. This improves the chances that the attack makes it to business and personal inboxes. If an unsuspecting person received one of these legitimate-looking emails with a Microsoft Excel spreadsheet attached, it is highly likely that they would open the attached Excel spreadsheet and compromise their systems.”

Some phishing emails will always slip past technical defenses, and it only takes one slip to compromise your organization. New-school security awareness training can enable your employees to be on the lookout for malicious tactics in addition to visible signs of phishing emails.

Votiro has the story:
What Is the Right Password Policy?

What is the right password policy? Conventional password policies say you must have a password at least 8-12 characters long…16 characters or longer if it belongs to an elevated privileged account, contain letters, numbers, and symbols (making the password complex), and be changed every 90 days or less.

That’s the password policy we‘ve been taught we need to have for 30 years.

Then in 2015, the National Institutes of Standards & Technology (NIST) changed all of that guidance…their own previous guidance…when they released NIST Special Publication 800-63, titled the Digital Identity Guidelines.

With SP 800-63, NIST declared that using the old password policy would actually make you more likely to be compromised because of that advice compared to if you didn’t follow it at all. Wow!

Now NIST is saying you shouldn’t require long and complex passwords (6-8 characters is fine, artificial complexity is not needed) and they don’t need to be changed unless you know they are compromised. This is essentially the defacto password policy that the computer security world considered as super-weak password policy and spent the entirety of the previous three decades trying to get organizations off of.

Now NIST is saying their new advice is better than having long and complex passwords that are frequently changed. To say this surprised and confounded the computer security world would be an understatement.

Continued at the KnowBe4 Blog:
What KnowBe4 Customers Say

Our firm has been using KnowBe4 for Security Awareness training and information and in January of this year we began using KCM GRC. What an awesome product. We’re still in the development stage but I wanted to tell you that I’ve been working with Mike Maldonado who has been absolutely fantastic. We’re working on the Third-Party Risk Management module now, and always has the answer to every question I have had. So pleasant and professional.

I told Mike that I was getting frustrated and about ready to throw in the towel and he just talks me through each task. Our firm couldn’t be doing this without Mike’s knowledge and help. I’m anxious to get everything in place so I can begin telling other law firms about KCM GRC and how well it works and how it helps our firm. I know you’re very busy and thank you for your time."
- Z.S., IT Governance Manager

Learn more about KCM GRC here:

The 10 Interesting News Items This Week
    1. 5 Reasons Why COVID-19 Budget Cuts Should NOT Include IT Security Spend:

    2. Ransomware mentioned in 1,000+ SEC filings over the past year:

    3. This 20-Year-Old Virus Infected 50 Million Windows Computers In 10 Days: Why The ILOVEYOU Pandemic Matters In 2020:

    4. Live streaming adult site leaves 7 terabytes of private data exposed. Massive Spear-phish Sextortion Anyone?:

    5. Nation-state hackers are targeting COVID-19 response orgs:

    6. Phishing Attacks Against Banks Jump With Pandemic Used As Lure:

    7. KnowBe4 Announces Winners of the 2020 Sharky Awards:

    8. Businesses overconfident in their ability to deflect ransomware:

    9. RDP Attacks Surged by 330% in The US Amid Pandemic:

    10. A perfect cyber storm is brewing as Nigerian scammers add to COVID-19 response team woes:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.

Subscribe To Our Blog

Ransomware Has Gone Nuclear Webinar

Get the latest about social engineering

Subscribe to CyberheistNews