CyberheistNews Vol 10 #5


[Heads-Up] Will Proposed New Laws *Ban* Making Ransomware Payments?

The ransomware scourge has become much worse the last 12 months. Highly organized cybercrime gangs have iterated their attacks into a massive extortion racket.

They are focusing on easy prey, and recently dozens of local governments, school systems and non-profits have been infected, apart from very visible large companies that suffered weeks of downtime.

To avoid disruption, ransomware victims continue to pay up. Well over half decided that downtime would be more expensive than the ransom, including infected local governments.

However, taxpayers don’t want their dollars going toward ransomware attacks

A recent survey by PandaSecurity shows that 86% of Americans believe their local government should not pay the ransom on a ransomware attack. Additionally, the results showed that Americans prefer to invest tax dollars in cyber security awareness training and up-to-date software rather than using ethical hackers or insurance.

Enter two senators of New York state. They recently came up with bills to ban government agencies and local municipalities from using public money to pay cybercriminals to get their files back.

The first bill, proposed by Republican NY Senator Phil Boyle, and the second bill, proposed by Democrat NY Senator David Carlucci, are currently in committee. Several industry experts stated that this is the first time any state authorities have proposed a law that outright bans paying the ransom all together.

We had a brief look at both bills "in committee" (which means that lawmakers discuss to either release or not release the bill to the floor to be voted upon). Neither bill covers cyber insurance which adds another wrinkle to this whole mess.

A law like this could force a restructuring of cyber insurance under NY insurance regulation, and these two bills might never get out of committee because of pressure from the cyber insurance sector.

U.S. insurers are ramping up cyber-insurance rates by as much as 25%

Reuters reported that the price hikes follow a challenging year of criminal hackers using ransomware to take down systems that control everything from hospital billing to manufacturing. “Ransomware is more sophisticated and dangerous than we saw in the past,” said Adam Kujawa, director of Malwarebytes Labs.

The average ransom of $41,198 during the 2019 third quarter more than tripled from the first quarter, according to Coveware, which helps negotiate and facilitate the payments.

I strongly suggest you attend the brand-new Roger Grimes Webinar this Jan 30th, and avoid becoming the next victim.
[BRAND-NEW WEBINAR] Now That Ransomware Has Gone Nuclear, How Can You Avoid Becoming the Next Victim?

There is a reason more than half of today’s ransomware victims end up paying the ransom. Cybercriminals have become thoughtful, taking time to maximize your organization’s potential damage and their payoff. After achieving root access, the bad guys explore your network, reading email and finding data troves, and once they know you, they craft a plan to cause the most panic, pain, and operational disruption. Ransomware has gone nuclear.

Join us THIS WEEK, Thursday, January 30 @ 2:00 pm (ET), for this webinar, where Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, will dive into:

  • Why data backups (even offline backups) won’t save you
  • Evolved threats from data-theft, credential leaks, and corporate impersonation
  • Why ransomware isn’t your real problem
  • How your end users can become your best, last line of defense

Date/Time: THIS WEEK, Thursday, January 30 @ 2:00 pm (ET)

Save My Spot!
New Phishing Attack Emerges Targeting ADP Users Wanting Their W2

For those looking to get their taxes done early, watch out for emails impersonating ADP offering a link to retrieve your W2 early!

While everyone pretty much hates taxes, obtaining all your necessary paperwork is something most want to take care of well ahead of tax time. A new phishing attack purports to come from ADP, one of the world’s largest HR and payroll companies, telling you your W2 is ready!

While your organization may not be using ADP for payroll, this phishing attack takes more of a shotgun approach by impersonating an organization that a material percentage of its potential victims use.

This particular attack brings users to a spoofed ADP logon page, where victims enter their ADP credentials. Attackers can then leverage these credentials to log in as the user and change bank accounts for direct deposit. They can also gain access to personal information including birth date, address, social security number, phone number and more, all to be nefariously used as part of another identity theft scam.

Blog post with links:
See Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us on Wednesday, February 5 @ 2:00 pm (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

See how easy it is to train and phish your users:
  • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails.
  • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
  • NEW Assessments! Find out where your users are in both security knowledge and security culture to help establish baseline security metrics you can improve over time.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.

Find out how 31,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, February 5 @ 2:00 pm (ET)

Save My Spot!
Scam of the Week: "Kobe Bryant Dead, Dies in Helicopter Crash"

Today, news broke that Kobe Bryant died in a helicopter crash. His daughter Gigi was also on board and died in the crash. This is a celebrity death that the bad guys are going to be exploiting in a variety of ways. You have to warn your users right away that a series of scams are underway using the Bryant helicopter crash as social engineering bait.

Whatever ruse is used, your users will wind up with infected workstations at home or in the office, giving out personal information, or unleashing ransomware on your network. Give them a heads-up that especially now they need to Think Before They Click.

I would send your employees, friends and family something like the following. Feel free to copy/paste/edit.

"Today, news broke that sports icon Kobe Bryant and his daughter Gigi died in a helicopter crash. Internet scum are going to exploit this shocking celebrity death in a number of ways, so be careful with anything related to Kobe Bryant's death: emails, attachments, any social media, texts on your phone, anything. There will be a number of scams related to this, so please remember to Think Before You Click!"

For KnowBe4 Customers, tomorrow before end of business there will be a new simulated phishing template in the Current Events campaign (search for Kobe Bryant) that I suggest you send to everyone more or less immediately.

Tell Your Friends:
See How You Can Get Audits Done in Half the Time at Half the Cost

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

We listened! KCM now has Compliance, Risk, Policy and Vendor Risk management modules, transforming KCM into a full SaaS GRC platform!

Join us, Wednesday, February 5 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. See how you can simplify the challenges of managing your compliance requirements across your organization and third-party vendors and ease your burden when it's time for risk assessments and audits.

  • NEW! Demonstrate overall progress and health of your compliance and risk management initiatives with custom reports.
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.

Date/Time: Wednesday, February 5 @ 1:00 PM (ET)

Save My Spot!

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"Nothing can now be believed which is seen in a newspaper. Truth itself becomes suspicious by being put into that polluted vehicle. The real extent of this state of misinformation is known only to those who are in situations to confront facts within their knowledge with the lies of the day... I will add, that the man who never looks into a newspaper is better informed than he who reads them; inasmuch as he who knows nothing is nearer to truth than he whose mind is filled with falsehoods & errors."
- Thomas Jefferson, 3rd President of the United States from 1801 to 1809

"Plus ça change, plus c'est la même chose."
Literally "The more it changes, the more it’s the same thing."

- An epigram by Jean-Baptiste Alphonse Karr from January 1849.

Thanks for reading CyberheistNews

Security News
Conversation-Hijacking Attacks Make It Almost Impossible to Avoid Becoming a Victim

Email conversation hijacking attacks are on the rise, according to Danny Palmer at ZDNet. These attacks, also known as business email compromise (BEC), involve an attacker breaking into a corporate email account and using it to send extremely convincing spearphishing emails to other employees.

The attacker can lurk in an account for weeks or months unbeknownst to the account’s owner. During this time, the attacker learns who the victim works with, what they talk about, and how to imitate their writing style.

Olesia Klevchuk, senior product manager for email security at Barracuda Networks, told ZDNet that once the attacker is ready, they can launch nearly undetectable phishing attacks against the victim’s coworkers.

“These attacks are highly personalized, including the content, and therefore a lot more effective,” Klevchuk said. “They have the potential of a very large payout, especially when organizations are preparing to make a large payment, purchase or an acquisition... There is a great chance that someone will fall for a conversation-hijacking attack over a more traditional type of phishing.”

These Attacks Increased 400%

Barracuda observed a 400% increase in these types of attacks between July and November of 2019. Palmer emphasizes that these attacks can still be thwarted if employees are aware of them.

“While conversation-hijacking attacks are more sophisticated than regular phishing attacks, they're not impossible to spot,” Palmer writes. “Users should pay attention to the email address a message is coming from and be suspicious if the domain is slightly different compared to what they're used to seeing.

Users should also be wary of sudden demands for payments or transfers and, if there's doubt about the origin of the request, they should contact the person requesting it, either in person, by phone or by starting a new email to their known address.”

Multi-factor authentication combined with strong passwords can protect your own accounts, but it can’t ensure that someone you communicate with won’t be hacked. New-school security awareness training can enable your employees to thwart sophisticated social engineering attacks, even when they appear to come from someone they trust. ZDNet has the story:
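Palmer's advice above is to compare the sender's domain against what you are used to seeing. As an added example (not code from the ZDNet article, Barracuda or KnowBe4), the script below checks the From: header of a few constructed messages against a hypothetical list of known correspondent domains and flags exact matches, near-miss lookalikes (one or two edits away, or built from confusable character groups such as "rn" for "m"), and unknown senders; the domains and headers are constructed for illustration.

```python
import re

# Hypothetical list of domains this organization normally corresponds with (constructed).
KNOWN_DOMAINS = {"acme-supplies.com", "knowbe4.com", "examplebank.com"}

# Character groups that look alike in many fonts and show up in lookalike domains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

# Constructed sample From: headers; only the first is from a genuinely known domain.
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane@acme-supplies.com>",
    "Jane Doe <jane@acrne-supplies.com>",   # 'rn' standing in for 'm'
    "Accounts Payable <ap@knowbe4.co>",     # one character dropped
    "Newsletter <news@gmail.com>",          # never seen before
]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(domain: str) -> str:
    """Fold confusable groups so 'acrne' and 'acme' compare equal."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d

def sender_domain(from_header: str) -> str:
    """Extract the domain part of a From: header, lowercased ('' if none found)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""

def classify_sender(from_header: str, known=KNOWN_DOMAINS) -> str:
    """Return 'known', 'lookalike' or 'unknown' for the sender's domain."""
    domain = sender_domain(from_header)
    if domain in known:
        return "known"
    for k in known:
        if normalize(domain) == normalize(k) or edit_distance(domain, k) <= 2:
            return "lookalike"
    return "unknown"

def flag_suspicious(headers):
    """Return (header, verdict) pairs for every sender that is not a known domain."""
    return [(h, classify_sender(h)) for h in headers if classify_sender(h) != "known"]
```

A real deployment would feed this from the mail gateway's logs rather than a static list, and a "lookalike" verdict is a prompt to verify the request out of band, exactly as Palmer suggests.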
The Great Crimeware Awakening

The bad guys are taking advantage of their new digital bounty. Ransomware is just the beginning, and it shows how bad things are soon going to get. We really had no idea how bad it was going to be... until now.

For a long time, most computer malware was intended to be harmless: funny messages, music, and letters typed across your screen, all for fun and games. Sure, there were occasional malicious programs, such as the first ransomware programs like the AIDS Cop virus, but most were written with harmless intent.

Around 2005, a switch was flipped. The first crimeware appeared as malware writers learned that malicious code could be modified to make a financial gain. Over time, nation-states and militaries got into the game. Decades after those early days, Stuxnet, professionally created malware from the US and Israel, successfully ruined an adversary's nuclear program.

Cyberwarfare is now a permanent part of the world's wars and battles.

However, nothing prepared the world for what was to come: ransomware. It started to appear in 2005, with the first industrial-strength strain, CryptoLocker, rearing its ugly head in September 2013, followed by a nasty jump in prevalence in early 2015.

At first, ransomware was smaller-scale and mostly attacked consumers or home PCs. By 2017, ransomware groups realized that millions of dollars could be extorted from a large organization instead of collecting small ransoms. Entire companies, hospitals, and even cities started to be shut down because of ransomware. And it's getting worse, much worse.

So, what should an organization do to best stop the bad guys? To fight social engineering attacks, the best step is to train your end users. Tech Aeris has the full story:
What KnowBe4 Customers Say

"Stu, thanks for reaching out. We're a pretty small shop here and as such we sometimes get a little inundated by wearing too many hats. I just kicked off our HIPAA training yesterday and had assignments sent out to 108 people.

So far, so good. We're now making plans to do the Security Culture survey as well as the Proficiency Assessment and PII training. I have to do a quick Risk Assessment to determine "who" should get the PII training. Part of the learning process because I joined the organization four months ago.

I also wanted to take this time to recognize a few people from your organization. All four have been very helpful in one way or another but my key takeaway is there is a great company culture and each person has a passion for what they are doing.

As a side note, I really worry about our IT Administrators and having relevant training for them because of what they have access to and their ability to elevate privileges/credentials. In my mind I am thinking about improperly configured web servers, web application firewalls, load balancers, routers, switches, WiFi, phone systems, IoT threats, and cloud risks.

The modules that you have today are a great start and certainly help illustrate the importance of administering Windows, Linux, Databases and Privileged Access. I look forward to hearing more about a roadmap of training for IT Staff."
- G.P., Senior Information Security Risk Manager
The 10 Interesting News Items This Week
    1. Check out the Gitlab Case Study of KnowBe4!:

    2. [BRAND-NEW WEBINAR] Now That Ransomware Has Gone Nuclear, How Can You Avoid Becoming the Next Victim? January 30th, 2020 at 2:00 PM EST! - 1-minute video:

    3. Android Users Beware: These Top Camera Apps May Secretly Be Spying On You:

    4. Rules on deepfakes take hold in the US:

    5. Microsoft blames itself for customer support data leak:

    6. Infiltrating Networks: Easier Than Ever Due to Evil Markets:

    7. Targeted Phishing Campaign Leverages Death of Iranian General Suleimani:

    8. Are We Secure Yet? How to Build a 'Post-Breach' Culture:

    9. Here Is the Technical Report Suggesting Saudi Arabia’s Prince Hacked Jeff Bezos’ Phone:

    10. Why Microsoft, Google and Apple want you to ditch your password:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.
