CyberheistNews Vol 5 #14 IBM ALERT: 'Dyre Wolf' Uses Spear Phishing For $1Mil+ Cyberheists

IBM ALERT: 'Dyre Wolf' Uses Spear Phishing For $1Mil+ Cyberheists

Last week, IBM Security reported on an active cyberheist campaign using a variant of the Dyre Trojan that has successfully stolen more than $1 million at a time from targeted enterprise organizations.

The campaign, named “The Dyre Wolf” by IBM, shows furious innovation from the once-simple Dyre malware by adding advanced social engineering tactics geared to circumvent two-factor authentication. In recent incidents, organizations have lost staggering amounts of $500,000 and $1.5 million to this sophisticated criminal cyber gang.

Most banking Trojans target individuals, but Dyre has always been used to target organizations. Dyre started in 2014 and during the last year has improved significantly in both features and ease of use. This allows Eastern European cybercriminals to go for much larger cyberheists. One powerful feature that allows them to quickly penetrate targeted organizations is that Dyre's criminal coders included the ability to spread Trojans using their victims’ email contacts lists.

A Combo of Spear Phishing, Social Engineering and DDoS Attacks

IBM reported that during the last 12 months, spear phishing campaigns were used to initially infect employee workstations with the Upatre downloader. Once infected, this pulls down the Dyre Trojan, which starts monitoring the machine and records which bank sites are accessed. As part of the installation, the Dyre malware establishes persistence by creating a service innocuously named “Google Update Service”. This service is set to run automatically each time the system restarts.
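As an added defender-side check (not code from IBM's report or from KnowBe4), the following PowerShell snippet enumerates installed services that present themselves as "Google Update Service" and flags any whose service name or binary path does not look like the genuine Google Update installation. The service names gupdate/gupdatem and the GoogleUpdate.exe location under a Google\Update directory are this example's assumptions about the legitimate product, not details from the article; a constructed sample list is embedded so the logic can be exercised before it is run against a live Windows host.

```powershell
# Added example, not code from IBM's report or the newsletter.
# Flags services that call themselves "Google Update Service" but do not
# look like the genuine Google Update installation.
# Assumption (this example's, not the page's): the legitimate services are
# registered as gupdate / gupdatem and run GoogleUpdate.exe from a
# "...\Google\Update\" directory.

function Find-SuspiciousGoogleUpdateService {
    [CmdletBinding()]
    param(
        # Services to inspect; defaults to the live service table so the
        # function can also be run with no arguments on a Windows host.
        [Parameter(ValueFromPipeline = $true)]
        [object[]]$Service = (Get-CimInstance -ClassName Win32_Service)
    )
    process {
        foreach ($svc in $Service) {
            # Only services presenting themselves as Google Update are of interest.
            if ($svc.DisplayName -notlike '*Google Update*') { continue }

            $pathOk = $svc.PathName -match '\\Google\\Update\\GoogleUpdate\.exe'
            $nameOk = $svc.Name -in @('gupdate', 'gupdatem')
            if ($pathOk -and $nameOk) { continue }

            $reason = if (-not $pathOk) { 'binary outside Google\Update' } else { 'unexpected service name' }
            [pscustomobject]@{
                Name        = $svc.Name
                DisplayName = $svc.DisplayName
                StartMode   = $svc.StartMode
                PathName    = $svc.PathName
                Reason      = $reason
            }
        }
    }
}

# Constructed sample input: one genuine-looking entry and one that mimics the
# display name described in the article but runs from a user-writable folder.
$sample = @(
    [pscustomobject]@{
        Name        = 'gupdate'
        DisplayName = 'Google Update Service (gupdate)'
        StartMode   = 'Auto'
        PathName    = '"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc'
    },
    [pscustomobject]@{
        Name        = 'googleupdate'
        DisplayName = 'Google Update Service'
        StartMode   = 'Auto'
        PathName    = 'C:\Users\alice\AppData\Roaming\googleupdate.exe'
    }
)

# Exercise the check on the constructed sample, then on the live service table.
$sample | Find-SuspiciousGoogleUpdateService | Format-Table -AutoSize
Find-SuspiciousGoogleUpdateService | Format-Table -AutoSize
```

The check is deliberately a heuristic: a display name alone proves nothing either way, so the decision rests on the combination of registered service name, binary path and start mode, which is what an analyst would look at when triaging an auto-start service that appeared without a corresponding software install.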

Once one of the hundreds of bank sites that Dyre was built to exploit comes up, Dyre creates a fake screen that tells the user that the bank's site is having problems and to call a certain number. The employee who calls the number is connected to an English-speaking criminal operator who already knows which bank the user thinks they are contacting.

The operator then social engineers the user and gets their banking details. Immediately after, large wire transfers are made out of the compromised account. The wires are then rapidly moved over a series of international banks until they are cashed out by money mules. In one instance, IBM said, the gang hit the victim company with a denial of service attack — essentially bringing down their Web capabilities — so it would not discover the theft until much later.

"What's very different in this case, is we saw a pivot of the attackers to use a set of social engineering techniques that I think are unprecedented," said Caleb Barlow, vice president of IBM Security. "The focus on wire transfers of large sums of money really got our attention."

What To Do About It

IBM recommends several technical measures to block this infection in their technical report on Dyre:
https://portal.sec.ibm.com/mss/html/en_US/support_resources/pdf/dyre_wolf_4-2-2015.html?

And they also clearly stated the following:

"Organizations will remain only as strong as their weakest link. Proactive end-user education and security awareness training continue to be critical in helping prevent incidents like the one described in this advisory:

  • Train employees on security best practices and how to report suspicious activity.
  • Consider conducting periodic mock-phishing exercises where employees receive emails or attachments that simulate malicious behavior. Metrics can be captured on how many potential incidents would have happened had the exercise been a real attack. Use these findings as a way to discuss the growing security threats with employees.
  • Offer security training to employees to help understand threats and measures they can take to protect the organization.
  • Provide regular reminders to employees on phishing and spam campaigns and that they shouldn’t open suspicious attachments or links from both work and personal emails.
  • Train employees in charge of corporate banking to never provide banking credentials to anyone. The banks will never ask for this information."

We could not agree more. Effective security awareness training is a must these days to protect against these kinds of attacks. Find out how affordable this is for your organization today. Get a quote now:
https://info.knowbe4.com/kmsat_get_a_quote_now

Scam Of The Week: E-ZPass Notice To Appear

A scam, purportedly sent by the American electronic toll-collection agency E-ZPass, is making the rounds. The email subject is "Notice to Appear." E-ZPass is available on tolled roads, bridges, and tunnels in the United States and is also accepted at border crossings to Canada.

The copy states "You have a debt to pay for using a toll road, and you are kindly asked to service your debt in the shortest time possible. You can find the invoice in the attachment."

The email supposedly comes from a manager of E-ZPass Support, uses the correct color scheme and logo and appears to be collecting money from an unpaid toll. The message says you have ignored previous bills and urges you to pay immediately by downloading an attached 'invoice.'

This is the latest phishing scam and it's a good idea to send your employees, friends and family a note stating something like the following. Feel free to copy/paste and/or edit:

"At the moment there is a phishing scam making the rounds claiming to be from E-ZPass, and that you have ignored previous bills and not paid a toll. They want you to open the attached invoice or else you need to appear. Opening the invoice may infect your workstation with malware so delete this email the moment it arrives.

"E-ZPass will never send an email or contact you requesting sensitive personal information such as credit card number, social security, user names, passwords, etc. If you are contacted by anyone via email or the phone stating they are from E-ZPass and they are seeking personal information, call 1-800-333-8655 to report you have been contacted by someone attempting to obtain personal information."

For KnowBe4 customers, we have a new template called Notice to Appear - Past Due, in Current Events that we recommend sending to your employees to inoculate them against this new phishing attack.

KnowBe4 First Quarter 2015

Our first quarter knocked it out of the park. Normally Q4 is the highest quarter in the year, but we eclipsed last year's Q4 handsomely. Year-over-year, Q1 of 2015 was 354 percent over Q1 2014. We are adding well over 100 enterprise accounts per month at the moment.

We have committed to taking the 12th floor of 33 N Garden Avenue, a 15,000 sq ft floor where we have space to expand to 100 employees. This floor happens to be the old Sunbelt Software office that was turned over to GFI in 2010 after the acquisition of Sunbelt Software. (Most of us in KnowBe4 are ex-Sunbelt Software IT security employees.)

We are doing a complete renovation and are getting rid of all the cubicles that were there and we are creating a clean-looking open office environment. Soon you will see the new KnowBe4 logo on the top of this building. You can see the sales graph and the new building at the KnowBe4 blog: https://blog.knowbe4.com/knowbe4-first-quarter-2015

New features for KnowBe4 Admin Console V4.1:

  • An account can now have multiple allowed domains (e.g. KnowBe4.com, KnowBe4.net, KnowBe4.org) and users can sign up with any of the domains associated to an account.
  • When admins upload the CSV with users, the users can have any allowed domain.

NEW: This Week's Five Most Popular HackBusters Posts

Here are this week's five most popular HackBusters posts:

  1. Google $100 ChromeBit Turns Any TV Into A Computer:

  2. 5 Biggest Hosting Companies Hacked By Syrian Electronic Army:

  3. How Hackers Could Delete Any YouTube Video With Just One Click:

  4. 13-Year-Old SSL/TLS Weakness Exposing Sensitive Data In Plain Text:

  5. TrueCrypt Security Audit Concludes No NSA Backdoor:

Quotes Of The Week

"Everything has beauty, but not everyone sees it." - Confucius (551 - 479 BC)

"All our dreams can come true, if we have the courage to pursue them." - Walt Disney (1901-1966)

Security News

NEW Whitepaper: Best Practices for Dealing with Phishing and Next-Generation Malware

Can users be your first line of defense?

Phishing and malware threats are skyrocketing as cybercriminals become more adept, stealthier, and more able to penetrate your IT security defenses.

The consequences of even a single attack penetrating your network can be devastating, resulting in enormous potential losses: large amounts of dollars stolen directly out of your corporate financial accounts, your CEO first reading about your data breach in the morning paper, the loss of intellectual property like trade secrets, and possibly the bankruptcy of your organization.

To combat phishing attempts and next-generation malware, this new Osterman Research white paper gives you a list of high-priority actionable items, all related to IT security. One of these is to learn how users can be mobilized as your first line of defense using effective security awareness training. Download Now:
https://info.knowbe4.com/whitepaper-osterman-bp-phishing

Are You Spending Enough On Security?

Both the cost and the likelihood of security breaches are increasing, so your organization needs to boost security measures -- and spending -- to mitigate the risk to your business. Many CIOs endanger their companies simply by not spending enough on security.

Paul Rubens at CSO remarked: "That may seem odd to posit, given that a recent Pricewaterhouse Coopers survey found that businesses now spend a higher percentage of their IT budgets on security than ever before. According to the survey, large organizations spend an average of 11 percent of their IT budgets on security while small businesses spend nearly 15 percent."

His article has a simple formula to assess security risk that even someone who does not understand a thing about IT can grasp. I suggest you read the article so that you have additional ammo to support your budget request:
https://www.csoonline.com/article/2905232/metrics-budgets/why-you-should-be-spending-more-on-security.html

And here is a slideshow that steps you through the process to get the funding and support you want for your IT security program:
https://www.csoonline.com/article/2905672/security-leadership/the-process-security-leaders-need-to-get-the-funding-and-support-you-want.html

Energy Companies Around The World Infected By Newly Discovered Malware

Researchers have uncovered an ongoing spear phishing-driven espionage campaign that uses custom developed malware to siphon confidential data out of energy companies around the world.

The malware is called Trojan.Laziok and acts as a reconnaissance tool that scans infected computers for data including machine name, installed software, RAM size, hard disk size, GPU details, CPU details, and installed AV, according to a blog post published Monday by Symantec researchers.

The attackers then use the obtained data to decide how to infect the machine with additional malware, including versions of Backdoor.Cyberat and Trojan.Zbot that are tailored for a specific compromised computer.

The Laziok Trojan exploits a known vulnerability in Windows which actually was patched in 2012. It can also place data stealing programs on the computers. The majority of targets are in the Middle East.

"The detailed information enables the attacker to make crucial decisions about how to proceed further with the attack, or to halt the attack," Symantec researcher Christian Tripputi wrote. "During the course of our research, we found that the majority of the targets were linked to the petroleum, gas and helium industries, suggesting that whoever is behind these attacks may have a strategic interest in the affairs of the companies affected." Full story at darkreading:
https://www.darkreading.com/laziok-trojan-exploits-three-year-old-windows-flaw-/d/d-id/1319736

How to Prepare an SMB For An IT Security Disaster

Slashdot has a new video section that has some interesting things to watch. One "story" is a short video that covers how to prepare for an IT security disaster before it happens. It's from the "2 ounces of prevention are worth 32 ounces of cure" department. One of the important bits of information is that a small business which suffers a data breach has an over 60% chance of being out of business within 6 months' time. This is great for a 10-minute break, and/or forward this to people in management to support a budget request:
https://it.slashdot.org/story/15/04/02/1825224/how-to-prepare-for-an-it-security-disaster-video?continuous_video=1

See Your Company Through the Eyes of a Hacker

Great article in Harvard Business Review by Nathaniel "Nate" Fick, who is a former United States Marine Corps officer and the CEO of Endgame. I really like his analogy of "turning the map around" to see your organization from the perspective of an attacker.

"JP Morgan Chase. Target. Sony. Each has been part of the growing number of cyber-attacks against private companies around the world in recent years. In the latter two cases, CEOs were forced to resign in the wake of the breach. Attacks are growing more sophisticated and more damaging, targeting what companies value the most: their customer data, their intellectual property, and their reputations.

What these attacks – together with breaches to defense, law-enforcement, and military-contractor networks – reveal is that our cyber-security efforts over the last two decades have largely failed, and fixing this will require the attention not only of security officers and IT teams, but also of boards and CEOs.

Companies need to take a new approach. They can do so by looking at themselves through the eyes of their attackers. In the military this is called turning the map around. The point is to get inside the mind of the enemy, and to see the situation as they do, in order to anticipate and prepare for what’s to come." Full article at HBR:
https://hbr.org/2015/03/see-your-company-through-the-eyes-of-a-hacker

Texas gun enthusiasts create their own AR with a mini-mill on batteries:
https://yro.slashdot.org/story/15/03/06/201247/come-and-take-it-texas-gun-enthusiasts-video?continuous_video=1

This obnoxious birthday card will drive you totally crazy:
https://www.kickstarter.com/projects/2059520145/the-best-prank-birthday-card-ever