CyberheistNews Vol 5 #11 Ransomware: Pay Up Or Fight. What Would You Do?




 
                                                                                                                
                                                                          
                                                                                                                                       

Ransomware: Pay Up Or Fight. What Would You Do?

Ask security experts what to do when hit with ransomware -- the sophisticated  malware that infects a device or network, uses military-grade encryption to  restrict access, and demands payment for the decryption key -- and you'll  typically get the same answer: "never pay the ransom." But for many, that's  simply not an option. I was interviewed by Network World about the pros and cons of paying crypto-ransom. Read more or leave a comment:
https://www.networkworld.com/article/2896761/security0/ransomware-pay-it-or-fight-it.html?

"Security Awareness Programs Will Continue To Fail Until...

...they get the same emphasis and support as technical controls"   This is a quote I just found, tweeted by SANS' Lance Spitzner who runs their Security the Human initiative. 

His point nails it. Unless your "human firewall" is treated the same as technical controls are, you are doomed to successful social engineering  attacks, infected workstations, penetrated networks, and extremely expensive data breaches.

I'm happy to announce that KnowBe4 has become the world’s most popular  integrated Security Awareness Training and Simulated Phishing platform because it give you measurable control over your "human firewall".

Well over 1,000 enterprise accounts are using it, 25% of which are  banks and credit unions. Based on Kevin Mitnick’s 30+ year unique  first-hand hacking experience, you now have a tool to better manage  the urgent IT security problems of social engineering, spear phishing and  ransomware attacks. What are banks and credit unions saying about us?
https://www.knowbe4.com/knowbe4-customers-financials/

Scam Of The Week: Phishing For Apple Watch

Last week, Apple had their big Apple Watch release event, and the  press is full of news about the models and pricing. Pundits are  sprinkling their predictions about features and future sales. But they  are not the only ones jumping on the bandwagon.

Cybercriminals are getting in the game. One example is a gang that set  up a Twitter account named "Apple Giveaways", and began spamming out  messages to random users, telling them they have been "chosen" and  urging them to visit the site linked in the message.

The link leads them to an event page on Facebook, which instructs them  to join the event, invite a minimum of 100 friends, and claim a free  Apple Watch. It also asks them to enter their first and last name including  their Facebook handle which allows the bad guys to spam all their friends.

There will inevitably be more phishing scams using the Apple Watch  close to the April release so I would send your users something to  this extent; feel free to copy and/or edit.

"Scam Alert: With the release of the new Apple Watch, cyber criminals  are jumping on the bandwagon and are using email and social media to  try to trick you into clicking on links, entering contests, or forward  messages to your friends with false promises of a free watch. Don't  fall for it. If you are interested in an Apple Watch, do not click on  links in emails, do not click on ads or links in Facebook or Twitter,  but go to the website yourself. Remember, Think Before You Click!"

For existing KnowBe4 customers, we have a new template in Current Events  called "Claim your free apple watch" that we recommend sending to all  your end-users to inoculate them against this type of phishing attack.

If you are not a customer yet, find out (at no cost) what your phishing  attack surface is. We can scan the entire Internet for any of your  email addresses that are out there, that the bad guys can get their  hands on. Request your free "Email Exposure Check" now:
https://info.knowbe4.com/free-eec-14-02-04-0

Spear Phishing Attack Nearly Costs FL City $500K

A spear-phishing incident last month at Orange Park City Hall almost got away  with $500,000 from the city's bank account. Fortunately it was caught  just in time so that a wire transfer that already had been made could  be clawed back. Security measures have been installed to prevent future  thefts, City Manager Jim Hanson said. 

"Orange Park is a small community; $500,000 is a tremendous amount of  money for us," Hanson said. "We were very worried about it." Hanson said  the FBI is investigating the case out of its Pittsburgh office, and no  arrests have been made. That is highly unlikely as these cyberheists  are normally pulled by Eastern European mafias. 

The heist occurred Feb. 13 when a spear-phishing email with a malicious  attachment was sent to all city hall employees. They were social  engineered and thought they were being sent a file they needed to see.

Opening the attachment downloaded a banking Trojan and keyboard logger  onto the town network that allowed the attackers to find the information  related to the the town's Wells Fargo bank account.

"What this particular virus did was to transmit various banking information  to the people who created the virus," Hanson said. $491,000 was wired from  a general investment account under the town's name to an account at  Deutsche Bank. Town hall staff was on the ball, found out what happened  in half an hour and took quick action. The money was eventually transferred  back in full into the Wells Fargo account.

"One lesson we've learned is that you need to educate your employees never  to open an attachment on an email unless you're expecting it, even if you  think you know who it's coming from," Hanson said. "It could easily be a virus."

We agree that stepping employees through effective security awareness  training is a very good idea to prevent a cyberheist like this. Find  out how affordable this is for your organization today.
https://info.knowbe4.com/kmsat_get_a_quote_now


Warm Regards,
Stu Sjouwerman



Quotes Of The Week

 

Quotes of the Week:

"Magic is believing in yourself, if you can do that, you can make  anything happen." Johann Wolfgang von Goethe - Author (1749-1832)

"Truth can not be suppressed and always is the ultimate victor."  - Yajur Veda (1000 BC)

 


 

 

 

Security News

 

 

CEO Fraud Social Engineering Scam On The Rise

Known variously as the “CEO fraud,” or the “business email compromise,”  highly sophisticated cyber criminals try to social engineer businesses  that work with foreign suppliers. This swindle is increasingly common  and targets businesses that regularly perform (foreign) wire transfer  payments. 

In January 2015, the FBI warned that cyber thieves stole nearly $215  million from businesses in the previous 14 months through such scams,  which start when crooks spoof or hijack the email accounts of business  executives or employees.

The CEO's email gets spoofed while the CEO is traveling and employees  are tasked to transfer large amounts of money out of the country.  In February, con artists made off with a whopping $17.2 million from  one of Omaha, Nebraska’s oldest companies — The Scoular Co., an  employee-owned commodities trader.

According to Omaha.com, an executive with the 800-employee company  wired the money in installments last summer to a bank in China after  receiving emails ordering him to do so.

Brian Krebs has a great article about this type of cybercrime. It is  very important to step employees through effective security awareness  training to make sure they do not fall for social engineering attacks  like this. And adjust your company security policy to include a rule that when the CEO is on the road, money transfers are ONLY made with the bank calling the CEO and gets specific verbal agreement. I recommend  you send this post to your CEO, including this link to Brian's Blog:
https://krebsonsecurity.com/2015/03/spoofing-the-boss-turns-thieves-a-tidy-profit/

Privacy Group Wants To Shut Down "Eavesdropping" Barbie

On Valentine's Day, toy maker Mattel introduced its Wi-Fi,  microphone-equipped, interactive Barbie doll which is supposed to recognize speech. 

  The privacy group discovered that recordings of the children's  voices are stored on the doll and transferred to servers at  ToyTalk - the startup that developed the so-called "Hello Barbie"  doll along with Mattel. 

ToyTalk CEO Oren Jacob says the child's replies are recorded,  encoded, encrypted and sent to the company's servers, where  they're processed by voice-recognition software.

Sure, all it takes is one rogue employee in the toy factory and  whatever your child says to its toy is all over the Internet. What could possibly go wrong?
https://www.hackbusters.com/news/stories/286051-privacy-group-wants-to-shut-down-eavesdropping-barbie

New Cryptolocker Ransomware Targets Gamers

A new variant of CryptoLocker which targets gamers has been discovered  in the wild. On Thursday, Bromium Labs security researchers revealed  the existence of new crypto-ransomware which is targeting gamers by  making them pay to unlock what they already own. The malware, which  impacts data files for over 20 games, is distributed from a compromised  website which redirects visitors to the Angler exploit kit by using  a Flash clip. At the time of writing the website has not been revealed, as Bromium  Labs researchers have notified the owner but have yet to receive a  response. The Wordpress-based website is still serving malware, and it is not  known whether the site has fallen prey to a WP exploit. In addition,  the URL which hosts the malicious Flash file keeps changing. Instead  of a typical iframe redirection, the team says the Flash clip is  wrapped in a div tag, potentially in an attempt to avoid detection. more:
https://www.hackbusters.com/news/stories/286086-new-cryptolocker-ransomware-targets-gamers

LiveLeak - Crazy motorcycle chase through shopping center!

https://m.youtube.com/watch?v=Q2-bxutbIPI

95-year-old man smashes 200M indoor sprint World Record. I hope I will be in that good shape when I'm that old!
https://m.youtube.com/watch?v=iD7D8BY2d1c

Chinese War Swords. Here's some guys having fun hacking through a variety  of items and meats. Do you NOT want to be on the receiving end of these  weapons. Want till the end. Yikes:
https://www.youtube.com/watch?v=8PQiaurIiDM                                         

                                                       
                                          
 
                                           



Subscribe to Our Blog


Comprehensive Anti-Phishing Guide




Get the latest about social engineering

Subscribe to CyberheistNews