CyberheistNews Vol 10 #09

A U.S. Natural Gas Operator Shuts Down for 2 Days After a Phishing Attack Infects it With Ransomware

Dan Goodin at Ars Technica reported something worrisome: "A US-based natural gas facility shut down operations for two days after sustaining a ransomware infection that prevented personnel from receiving crucial real-time operational data from control and communication equipment, the Department of Homeland Security said last Tuesday.

"Tuesday’s advisory from the DHS’s Cybersecurity and Infrastructure Security Agency, or CISA, didn’t identify the site except to say that it was a natural gas-compression facility. Such sites typically use turbines, motors, and engines to compress natural gas so it can be safely moved through pipelines.

"The attack started with a malicious link in a phishing email that allowed attackers to pivot from the facility’s IT network to the facility’s OT network, which is the Operational Technology hub of servers that control and monitor physical processes of the facility. With that, both the IT and OT networks were infected with what the advisory described as “commodity ransomware.”

"The infection didn’t spread to programmable logic controllers, which actually control compression equipment, and it didn’t cause the facility to lose control of operations, Tuesday’s advisory said. The advisory explicitly said that “at no time did the threat actor obtain the ability to control or manipulate operations.”

"Still, the attack did knock out crucial control and communications gear that on-site employees depend on to monitor the physical processes."

James McQuiggan, Security Awareness Advocate at KnowBe4, commented: "Looking at the CISA report on the incident, this could be the norm for an attack on any ICS/OT organization.

The attacker was in the IT and OT networks for a period of time and was able to access the various systems; granted, they were read-only systems, so it could have been worse.

Organizations that have Operational Technology (OT) environments must consider their OT networks as the crown jewel of their environment and work to properly secure them, isolate them and only allow the necessary access to those environments.

This is further secured by implementing a DMZ environment with single or redundant systems used for machine and interactive user communication. The OT environments need to be isolated, not air gapped, and their OT organizations need to consider access to the systems a high priority, with strong accounts and restrictions.

Finally, it's important to educate your employees in cybersecurity. Ransomware often enters via a phishing attack. Teaching users via security awareness training to not engage with suspect or unusual emails is a solid first step in lowering the risk of successful attack." Blog post with link to CISA Alert:
https://blog.knowbe4.com/a-u.s.-natural-gas-operator-shuts-down-for-2-days-after-a-phishing-attack-infects-it-with-ransomware

Courts: Bank's $2 Million in Losses From a BEC Attack Aren’t Covered by Cyberinsurance

Using emails impersonating the wife of a senior executive at Crown Bank, cybercriminals were able to take the bank for $2 million – an amount the courts held the bank responsible for.

When you have a cyber insurance policy that specifically covers “computer crime”, it’s somewhat assumed that a cybercrime will be covered. But Crown Bank got the bad news this week, when a New Jersey federal district court handed down an unfavorable ruling in a lawsuit against the bank’s insurance company.

The BEC scam was simple – the bad guys pretended to be an executive’s wife, requesting funds be transferred to a bad guy-controlled account. The bank's policy was to a) have the requestor fill out and return a form and b) make a phone call to the requestor to verify the request.

The bank took the first step – at which time the bad guys forged the account holder’s signature. The reason the scam worked here was the bank didn’t place the verification phone call.

We’ve talked about this very same scenario many times here on the blog – it’s absolutely critical that anytime financial transactions are being ordered via email, the employee responsible should verify the request using an alternate medium (e.g., a phone call), using predefined details. This keeps the bad guys from further pretending to be the requestor, given that deepfake audio is now not only possible, but being used as part of cyberattacks.

But that’s not the reason the lawsuit was thrown out.

In the end, the courts found for the insurance company, citing that emailed and printed PDF forms don’t constitute original wire transfer documents – a requirement within the policy. It’s a painful lesson that any organization with a cyber insurance policy should learn; understand the constraints and conditions your policy contains and be certain your financial processes align with the contractual definitions. Blog post with links:
https://blog.knowbe4.com/courts-banks-2-million-in-losses-from-a-bec-attack-arent-covered-by-cyberinsurance

[LIVE DEMO] See Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, March 4 @ 2:00 pm (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

See how easy it is to train and phish your users:
  • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails.
  • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
  • NEW Assessments! Find out where your users are in both security knowledge and security culture to help establish baseline security metrics you can improve over time.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.

Find out how 31,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, March 4 @ 2:00 pm (ET)

Save My Spot!

https://event.on24.com/wcc/r/2198105/5DA00F49B08FF658A44E49253278C580?partnerref=CHN1

[Heads-Up] Ransomware Criminals Hack an Accounting Company and Cause a Data Breach for Their Customers

Last December, a ransomware infection of Albany, New York-based accounting firm BST & Co. CPAs LLC exposed the confidential data of their customers, causing a data breach for one of their health care customers as well as other clients of the firm.

Some of the data has shown up on the publicly accessible website of ransomware gang Maze, which "names and shames" victims into paying ransoms, says Brett Callow, a threat analyst with the security firm Emsisoft.

BST in its statement says the investigation into the attack determined that "certain personal or protected health information for individuals may have been accessed or acquired without authorization, including individuals' names, dates of birth, medical record numbers, medical billing codes and insurance descriptions. Patient medical records and Social Security numbers were not impacted by this incident."

Exfiltrated Data

The accounting firm says its investigation "did not confirm" that an unauthorized individual obtained individuals' personal information. However, Callow observed that BST data apparently exfiltrated in the December attack was visible on a Maze ransomware gang website by January.

"Some of what's been posted is database backup files," Callow notes, including an image of a check made payable to a BST unit.

Escalating Threats

"In the past, it was often said that backups were the best protection against ransomware. However, the risk of data exfiltration means that is no longer the case," Callow says. "While backups remain critically important, it is also critically important that organizations focus on detection and prevention in order to prevent data leaks."

Third-party Vendor Risk

Healthcare organizations need to be aware of the security risks posed by their service providers, including accountants, Callow says.

"Healthcare organizations cannot simply assume that service providers' security is as it should be; they need to ask questions and perhaps even require that providers have periodic security audits," he adds.

Vendors providing professional services have been implicated in other large health data breaches - including the largest incident in 2019 - a hack on American Medical Collection Agency, which affected more than two dozen of the firm's clients and 20 million individuals.

"The FBI and others have been alerting covered entities that hackers are shifting their attention to third-party vendors," CynergisTek's Hewitt notes. "This avenue allows hackers to leverage the one-to-many relationships and gather data / then extort many different companies."

Managing third-party vendor risk is getting to be a major part of the security puzzle. KnowBe4 can help you with the new KCM Vendor Risk Management module.
https://blog.knowbe4.com/heads-up-ransomware-criminals-hack-an-accounting-company-and-cause-a-data-breach-for-their-customers

[LIVE DEMO] See How You Can Get Audits Done in Half the Time at Half the Cost

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

We listened! KCM now has Compliance, Risk, Policy and Vendor Risk management modules, transforming KCM into a full SaaS GRC platform!

Join us Tuesday, March 3 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. See how you can simplify the challenges of managing your compliance requirements across your organization and third-party vendors and ease your burden when it's time for risk assessments and audits.
  • NEW! Demonstrate overall progress and health of your compliance and risk management initiatives with custom reports.
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.

Date/Time: Tuesday, March 3 @ 1:00 PM (ET)

Save My Spot!

https://event.on24.com/wcc/r/2198095/216B4F74D4386719AAB46E06AA9B55D6?partnerref=CHN1

Ransomware Attack Leaves 43,000 Employees Without Email

The recent attack on facilities management company ISS has created a significant disruption in their operations, communication, and services worldwide.

With over 500,000 employees, the last thing Denmark-based facilities company ISS needs is any kind of lapse in operations. But earlier this week, the organization suffered a ransomware attack that crippled email, and required the disabling of services to isolate the attack.

Ransomware such as Ryuk and Sodinokibi focuses primarily on enterprises and has been known to materially impact business operations. With documented ransoms running as high as nearly $800,000, it’s no wonder cybercriminals turn their attention to larger organizations that are presumably flush with cash.

In the case of ISS, this ransomware attack was obviously not limited in scope to a few machines. That it took down all email and had to be isolated shows how far the variant involved had spread inside ISS’ network.

There’s no detail available regarding whether ransoms were paid, whether backups were affected, or what family of ransomware was used. It's not a bad idea, though, to step all users through new-school security awareness training in any case...

Got (Bad) Email? IT Pros Are Loving This Tool: Mailserver Security Assessment

With email still the #1 attack vector, do you know if hackers can get through your mail filters? Spoofed domains, malicious attachments and executables to name a few...

Your email filters have an average 7-10% failure rate, meaning enterprise email security systems miss that share of spam, phishing and malware attachments.

KnowBe4’s Mailserver Security Assessment (MSA) tests your mailserver configuration by sending 40 different types of email message tests that check the effectiveness of your mail filtering rules.

Here's how it works:
  • 100% non-malicious packages sent
  • Select from 40 automated email message types to test against
  • Saves you time! No more manual testing of individual email messages with MSA's automated send, test, and result status
  • Validate that your current filtering rules work as expected
  • Results in an hour or less!
Find out now if your mailserver is configured correctly; many are not!
https://info.knowbe4.com/mailserver-security-assessment-CHN

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc


PS: Here is the blow-by-blow of a real-life bank phone scam blocked by a security awareness trained employee. Fun read, 2 minutes, and great to share!
https://blog.knowbe4.com/here-is-a-real-life-bank-phone-scam-blocked-by-a-security-awareness-trained-employee
Quotes of the Week
"The future belongs to those who believe in the beauty of their dreams."
- Eleanor Roosevelt, First Lady (1884 - 1962)

"Try not to become a man of success, but rather try to become a man of value."
- Albert Einstein, Physicist (1879 - 1955)



Thanks for reading CyberheistNews
Security News
"The Good Taxi Driver". Wow This Is a Nice Story...

A taxi driver in Roseville, California saved an elderly passenger from being scammed out of $25,000, CNN reports. Rajbir Singh, the owner of Roseville Cab, recently picked up a 92-year-old woman who asked him to drive her to the bank.

As Singh talked with the woman on the way, he learned she was going to the bank to withdraw money to pay the IRS.

Singh knew this sounded fishy, so he asked her for more details. The woman told him that the IRS had called her and asked for the money. Singh told CNN that she didn’t believe him when he told her it could be a scam, but she let him call the number that had called her.

“We called this number again and I asked the man, ‘Do you know this lady?’ He said no,” Singh told CNN. “I knew something was wrong.”

The person on the other end eventually hung up and blocked their number, but the woman still wasn’t convinced it was a scam. At this point, Singh offered to drive her to the local police station to ask an officer for advice, and the woman agreed.

After talking to an officer at the Roseville Police Station, the woman was persuaded that they were dealing with a scammer, and Singh drove her home.

The Roseville police wrote in a Facebook post that Singh was a “great citizen” and commended his quick thinking.

“We love this story because several times throughout, Raj could have just taken his customer to her stop and not worried about her well-being,” the Roseville police said. “He took time from his day and had the great forethought to bring the almost-victim to the police station for an official response.”

This story shows why scammers try to make their victims feel isolated and tell them not to talk to anyone. If someone sees another person being drawn into a scam, they can help pull the person out of it. Awareness, street-smarts, an understanding of how the world works, all of these help, and they can be picked up in many ways. But you can help your employees get wise to the scams with the right kind of program. CNN has the story:
https://www.cnn.com/2020/02/16/us/taxi-driver-prevents-scam-trnd/index.html
How the Oldest Trick in the Book Snagged Hundreds of Soldiers: Catphish and Honey Traps

Hundreds of Israeli soldiers had their phones compromised by malware after falling for catfishing attacks purportedly launched by Hamas, Forbes reports.

The Israel Defense Forces (IDF) said the attackers set up fake profiles posing as attractive women on Facebook, Instagram, WhatsApp, and Telegram, and then used the profiles to strike up conversations with IDF soldiers. Eventually, the attackers would convince the soldiers to download one of three different malware-laden dating apps to their Android phones.

When a soldier clicked on the link to install one of these dating apps, they’d be presented with an error message informing them that their device didn’t support that version of the app. In the background, however, the malware was installed as a hidden application.

Once on the phone, the malware would harvest data from the device and send it back to the attackers. The malware had administrative privileges and could access the infected phone’s camera, location, contacts, browser history, and text messages.

Researchers at Check Point analyzed the malware and told Forbes that the operation required a great deal of effort and commitment on the part of the attackers.

“The amount of resources invested is huge,” one of the researchers said. “Think about this—for every soldier targeted, a human responded with text and pictures....Some victims even stated they were in contact, unknowingly, with the Hamas operator for a year.”

The IDF said the attackers used competent social engineering skills to give credibility to their ruse. For example, they claimed they couldn’t speak Hebrew very well or said they had hearing difficulties in order to avoid talking on the phone or video chatting with the victims.

Most people don’t realize how easy it is to trick someone into running malware on their device, especially if an attacker is focused on a particular person. New-school security awareness training can teach your employees to be wary of any message that asks them to click on a link or provide information, even if it appears to come from someone they trust. Forbes has the story:
https://www.forbes.com/sites/zakdoffman/2020/02/16/terrorist-android-malware-exposed-here-are-the-hamas-apps-that-targeted-israeli-soldiers/
"This Is the Phone Company: Give Us Your Date-of-Birth, Your Firstborn Child..."

SMS scammers are posing as Verizon Wireless and sending text messages telling recipients to click a link to validate their account security, according to Chris Hoffman at How-To Geek. Hoffman emphasizes that the scam is “shockingly convincing.”

The texts don’t contain any typos and look just like something you would receive from your phone company. The text messages contain a link to “vwireless[.]xyz” which leads to a very convincingly spoofed version of Verizon’s website. The fake login page on this site tries to trick victims into entering their phone number or user ID and their password.

Once they’ve done this, the user will be taken to another form and asked to enter full name and address. After this, they’ll be redirected to Verizon’s real site. All of this information is useful for attackers, particularly the login credentials, although it’s unknown what exactly the end goal was in this case.

“What’s the game?” Hoffman asks. “We didn’t provide real Verizon account details, so we can’t say for sure. The scammer will probably try to take over your Verizon account, order smartphones on credit, and stick you with the bill. That’s a common scam these days, as we discovered when we talked to fake job recruiters.

The scammer could also use your information to execute a phone port-out scam, stealing your phone number and using it to bypass two-step verification on your accounts. If you’ve encountered this scam and given your personal details to the phishing website, you should contact Verizon immediately.”

It’s worth emphasizing that the phishing site in this case looks exactly like Verizon’s real login portal, and the URL is close enough that many people would assume it was legitimate. That’s increasingly common: fraudsters are making better use of professional-looking graphics than before.

New-school security awareness training can teach your employees to instinctively treat unsolicited emails, text messages, and phone calls with suspicion, even if there are no readily apparent warning signs. How-To Geek has the story:
https://www.howtogeek.com/657333/watch-out-this-verizon-smishing-scam-is-crazy-realistic/
What KnowBe4 Customers Say

"Stu, here is an interesting attack. Someone hacked a former director's new email and sent emails to the users at our company with a OneDrive link. When the user responded to the new address, confirming if the email was legit, the hacker responded back, and kept responding. SCARY!

I sent out an email warning letting people know to *call* if they really want to be sure it’s legit. Cost me $20 in Starbucks card to the people who caught it and reported it. Money well spent, KnowBe4 training paid off. Thank you!"
- F.M., Director of Information Technology



"We used Inside Man Season 1 for our monthly training campaign. The feedback I received was so overwhelmingly positive that we held a company-wide watch party for the Season Finale (with popcorn, candy, and the works). It's amazing how this series influenced our corporate culture. Employees changed their avatar pictures to characters from the series. People were talking about plot lines wondering what would happen next.

Our employee population was not only entertained, but their overall security awareness increased. Currently our phishing click rate is below 2% and we've noticed other positive observational security practices as well. After we finished Season One, more than once a week I would get asked: "When is Season 2 coming out?" I'm glad that their wait is over. Thanks to everyone at KnowBe4 for providing this "next-level" training."
- G.F., Security and Compliance Manager

The 11 Interesting News Items This Week
    1. Chinese hackers have breached online betting and gambling sites:
      https://www.zdnet.com/article/chinese-hackers-have-breached-online-betting-and-gambling-sites/

    2. Hackers Were Inside Citrix for Five Months:
      https://krebsonsecurity.com/2020/02/hackers-were-inside-citrix-for-five-months/

    3. Details of 10.6 million Las Vegas hotel guests posted on a hacking forum:
      https://www.zdnet.com/article/exclusive-details-of-10-6-million-of-mgm-hotel-guests-posted-on-a-hacking-forum/

    4. The White House Finally Hits Russia Back for Online Chaos:
      https://www.wired.com/story/us-blames-russia-gru-sweeping-cyberattacks-georgia/

    5. Firms Improve Threat Detection but Face Increasingly Disruptive Attacks:
      https://www.darkreading.com/attacks-breaches/firms-improve-threat-detection-but-face-increasingly-disruptive-attacks/d/d-id/1337097

    6. Scammers Use Fake Website to Masquerade as Burning Man Organizers:
      https://www.tripwire.com/state-of-security/security-data-protection/scammers-use-fake-website-to-masquerade-as-burning-man-organizers/

    7. U.S. Defense Agency That Secures Trump’s Communications Confirms Data Breach:
      https://www.forbes.com/sites/daveywinder/2020/02/21/us-defense-agency-that-secures-trumps-communications-confirms-data-breach/

    8. State of Minnesota details hundreds of attacks against its IT systems in 2019:
      https://www.twincities.com/2020/02/20/state-of-minnesota-details-hundreds-of-attacks-against-its-it-systems-in-2019/

    9. Ransomware Damage Hit $11.5B in 2019:
      https://www.darkreading.com/attacks-breaches/ransomware-damage-hit-$115b-in-2019/d/d-id/1337103

    10. Iranian hackers have been hacking VPN servers to plant backdoors in companies around the world:
      https://www.zdnet.com/article/iranian-hackers-have-been-hacking-vpn-servers-to-plant-backdoors-in-companies-around-the-world/

    11. BONUS: Lookout Phishing AI provides an inside look into a phishing campaign targeting mobile banking users:
      https://blog.lookout.com/lookout-phishing-ai-reveals-mobile-banking-phishing-campaign
Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.