CyberheistNews Vol 5 #16 Apr 21, 2015 - Scam Of The Week: IRS Refund Ransomware

Scam Of The Week: IRS Refund Ransomware

Many of us waited until the last moment before the April 15 tax deadline and are now holding our collective breath in expectation of a possibly rewarding refund. The problem is that cybercriminals are well aware of this anticipation and use social engineering tactics to trick taxpayers.

Knowing that many Americans are waiting for word from the Internal Revenue Service about pending refunds, the cyber mafia is working hard to get in first with a massive phishing campaign that carries a ransomware attachment.

The attachment is a malicious Word file that carries the ransomware payload. When the unlucky end user opens it, the ransomware encrypts their files, along with any network drives the workstation is connected to.

I suggest you send this Scam Of The Week to all your friends, family and employees with something like the following message (feel free to copy, paste and edit):

"Cyber criminals are preying on American taxpayers who have made the April 15th deadline and are now waiting to hear about their refund. There is a massive phishing scam going on right now which tries to trick you into opening a Microsoft Word attachment. If you do, all your files will get hijacked and encrypted. If that happens, you only get your files back after paying a ransom of around $500. Remember, think before you click, and do not open any attachments you did not ask for!"

Stepping employees through effective security awareness training is how to stay safe out there on the Wild, Wild Web. Here is what the email looks like:

New TeslaCrypt Ransomware Uses More Exploit Kits As Infection Vector

The new Internet Security Threat Report from Symantec shows that file-encrypting ransomware attacks grew from 8,274 in 2013 to 373,342 in 2014. That is 45 times more crypto-ransomware in the threat landscape within a single year.

Combine that with last week's new Verizon Data Breach Investigations Report, which showed that you have one minute and 22 seconds to save your files from being encrypted, and you see the problem. Verizon calculated 82 seconds as the median time between a phishing email landing in an employee's inbox and that employee opening it.

TeslaCrypt is one of the latest copycat ransomware strains. It has ripped off the CryptoLocker brand and is now infecting users' workstations through multiple exploit kits.

Apart from the laundry list of file types that ransomware normally encrypts, TeslaCrypt also tries to cash in on the $81 billion game market and encrypts over 40 file types associated with popular computer video games, like Call of Duty, Minecraft and World of Warcraft, as well as files related to iTunes. In other words: "all your files are belong to us".

Instead of phishing attacks with attachments, the TeslaCrypt strain arrives through multiple exploit kits. An exploit kit (EK) is crimeware sold on the dark web. Cyber gangs compromise legitimate websites so that visitors are silently redirected to the kit's landing page, which probes the browser and its plugins and fires an exploit for whichever one is not updated with the latest patches. The workstation of the employee who clicks through to, or simply visits, that compromised website is infected without any further action on their part.

TeslaCrypt started out with the Angler EK, but has recently been seen with the Sweet Orange and Nuclear EKs as well. The Nuclear kit is being used in a campaign right now: employees who click on a link in a phishing email are redirected to compromised WordPress sites that serve this EK.

Brad Duncan, security researcher at Rackspace, observed on April 16th that in one case the kit successfully exploited a vulnerability in an out-of-date version of Flash Player (

Once the workstation is infected, the delivered ransomware still uses the CryptoLocker branding. However, when the victim visits the payment site that instructs them on how to pay the ransom, it becomes obvious that you are dealing with TeslaCrypt. That is the screenshot you see in our blog, which also has the links to the reports mentioned above:

The payment process runs through a website on the Tor network. Each instance of the ransomware has its own Bitcoin address. The files are encrypted with the AES cipher, and encrypted files gain the .ecc extension, so a sudden appearance of .ecc files on a file share is a clear indicator that a connected workstation is encrypting it.

What To Do About It


  • The rule "Patch Early, Patch Often" still applies, but these days it is better to "Patch Now": patch all workstations for both OS fixes and the popular third-party apps that are part of the standard image rolled out to end users. A product like Secunia can scan for unpatched third-party apps.
  • Make sure your backup/restore procedures are in place, and regularly TEST, TEST, TEST whether your restore function actually works. The latter is often overlooked, and a backup that cannot be restored is no defense against ransomware. Since these strains also encrypt mapped network drives, the backups must cover your file shares, not just the workstations.
  • The TeslaCrypt strain uses social engineering to make a user click on a link in a phishing email (it does not use email attachments). This type of ransomware can also use malicious ads on legitimate websites to infect workstations. End users need to be stepped through effective security awareness training so that they are on their toes, with security top of mind, when they go through their email or browse the web.
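As an added example (not code from this newsletter, from KnowBe4 or from any vendor mentioned here), the following Python script uses the one on-disk indicator the article gives, the .ecc extension that TeslaCrypt appends to files it has encrypted, together with a byte-entropy check (AES ciphertext measures close to the 8 bits/byte maximum, while text and most documents sit well below that) to sweep a file share for signs of an infection in progress. The sample directory it builds, the file names in it, the 7.2 bits/byte threshold and the function names are assumptions made for the example.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension TeslaCrypt appends to the files it encrypts (from the article above).
RANSOM_EXT = ".ecc"
# Assumed threshold: AES ciphertext measures close to 8.0 bits/byte, while
# plain text and most office documents sit well below 6; 7.2 leaves headroom.
ENTROPY_THRESHOLD = 7.2
# Only the head of each file is sampled so a large share can be swept quickly.
SAMPLE_BYTES = 4096
MIN_SAMPLE = 256


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root) -> dict:
    """Walk `root` and report files that look like ransomware output.

    Returns {"total": files examined,
             "ecc_files": paths carrying the .ecc extension,
             "high_entropy": paths whose first SAMPLE_BYTES look like ciphertext}.
    """
    report = {"total": 0, "ecc_files": [], "high_entropy": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        report["total"] += 1
        if path.suffix.lower() == RANSOM_EXT:
            report["ecc_files"].append(str(path))
        try:
            with open(path, "rb") as fh:
                sample = fh.read(SAMPLE_BYTES)
        except OSError:
            # Unreadable file (locked, permissions): skip it rather than abort the sweep.
            continue
        if len(sample) >= MIN_SAMPLE and shannon_entropy(sample) >= ENTROPY_THRESHOLD:
            report["high_entropy"].append(str(path))
    return report


def ransomware_suspected(report: dict, min_hits: int = 1) -> bool:
    """True when the sweep found at least `min_hits` files with the .ecc extension."""
    return len(report["ecc_files"]) >= min_hits


def build_sample_tree() -> str:
    """Construct a throwaway directory that mimics a partly encrypted share.

    Two files carry the .ecc extension and random contents (standing in for
    AES ciphertext); two are ordinary text. All names are invented for the example.
    """
    root = tempfile.mkdtemp(prefix="ecc_scan_")
    filler = b"The quick brown fox jumps over the lazy dog.\n" * 100
    samples = {
        "docs/budget.xlsx.ecc": os.urandom(SAMPLE_BYTES),
        "docs/memo.txt": filler,
        "games/minecraft/level.dat.ecc": os.urandom(SAMPLE_BYTES),
        "readme.txt": filler,
    }
    for rel, content in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root


if __name__ == "__main__":
    # Point scan_tree() at a real share (for example scan_tree(r"\\fileserver\dept"))
    # to sweep it; here it runs against the constructed sample directory.
    result = scan_tree(build_sample_tree())
    print(f"{result['total']} files examined, "
          f"{len(result['ecc_files'])} with {RANSOM_EXT}, "
          f"{len(result['high_entropy'])} with ciphertext-like contents")
    if ransomware_suspected(result):
        print("ALERT: ransomware-encrypted files found; isolate the workstation writing to this share")
```

Treat the entropy check as supporting evidence only: compressed archives, images and already-encrypted files are also high-entropy, so on a real share it will fire on every .zip and .jpg. The .ecc extension is the specific indicator; the entropy check is there to catch a strain that keeps the original extension. Run the sweep on a schedule against your shares and pair it with a restore test of the backup covering the same tree.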


Find out how affordable this is for your organization today. You will be  pleasantly surprised.

A Serious Legal Liability: Bad or No Security Awareness Training

If you have trouble getting budget for employee security education, please read this article and then forward it to the head of your legal department and/or the person in your organization who is responsible for compliance.

The Department of Health and Human Services has stated that bad or no  security awareness training is a main cause for compliance failures.  This is true for not only health care, but all kinds of industries like  banking, finance, manufacturing, and surprisingly, high-tech.

It does not stop with compliance failures causing regulatory fines. Trend Micro reported that 91% of successful data breaches started with a spear-phishing attack. The problem is that to be "letter of the law" compliant, you only need to herd your users into the break room once a year, keep them awake with coffee and donuts, and give them a "death by PowerPoint" awareness update. Ineffective security awareness training of that kind could turn out to be a serious legal liability.

Why? Cybercrime goes after the low-hanging fruit: your users. Why spend time exploiting complicated software vulnerabilities when you can easily social engineer an end user into clicking on a link? So your end user, who did not get effective awareness training, falls for the hacker's trick. Their workstation gets infected with a keylogger, the hacker now knows their login and password, and with that penetrates your network.

Three Scenarios

Simply put: if it's the Eastern European cyber-mafia, their focus is to  transfer out money from your operating account over a long weekend.  If it's the Chinese, they will steal your intellectual property. If it's  independent hackers, your customer database and credit card transactions  are exfiltrated and sold on dark web criminal sites.

In all three cases you run the risk of a lawsuit:


  • You might sue the bank for negligence, and they might sue you back. Massive legal fees are inevitable. If it is found that the attackers came in by social engineering a user, your case is significantly weakened. Go to Brian Krebs' site and search for Patco Construction, a nightmare scenario. Here it is:
  • If the Chinese steal your intellectual property and you are exposed to a shareholder lawsuit, there will be a lengthy and costly discovery period. If it is found that the attackers came in by social engineering a user, your case is significantly weakened.
  • If hackers get into your network, and an investigative journalist like Brian Krebs discovers a website that has all your customer records and credit card transactions, a class action lawsuit is not far away. (This is the legal profession's biggest growth industry.) If it is found that the attackers came in by social engineering a user, your case is significantly weakened.


See the trend here? Not scaling your training to a level that effectively  mitigates the risk you are exposed to is a severe legal liability. We have  a whitepaper called "Legal Compliance Through Security Awareness Training"  written by KnowBe4 and Michael R. Overly, Esq., CISA, CISSP, CIPP, ISSMP,  CRISC. He explains the concept of acting "Reasonably" or taking "Appropriate"  or "Necessary" measures.

Reading this whitepaper will help you to prevent violating compliance  laws or regulations. In it, there are some examples of the Massachusetts  Data Security Law and HIPAA to explain what is required. I strongly  recommend you download this whitepaper if you have not already:

Quotes Of The Week

"There are none so blind as those who will not see." - John Heywood, ca. 1546

"If you light a lamp for someone else it will also brighten your path." - Buddha (563 - 483 BC)

"As my friend said to me, and I say to others, 'There are two types of people in the world: those who have had a major disk failure and those who are about to...'" - John Harper




Thanks for reading CyberheistNews!

Please forward to your friends. But if you want to unsubscribe, you can do that right here.



Security News



Compliance In Half The Time At Half The Cost

I'm sure you will agree, compliance has become a major headache. It is  a HUGE burden on already limited IT resources. Yearly audits have become  major projects. They are expensive in both dollars and your IT staff time.

Imagine an environment in which your organization is completely compliant  24/7/365. We have a new product, KnowBe4 Compliance Manager (KCM), that  can help you to achieve that state. It is an IT compliance workflow  automation tool that allows you to:


  • Manage all of your specific regulatory requirements in one location (PCI-DSS, HIPAA, GLBA, SOX, etc.).
  • Eliminate duplication of effort.
  • Assign the Directly Responsible Individual (DRI) for a control.
  • Direct your auditors to one location for evidence of compliance controls being in place and up to date.
  • NEW: Auditor Role, your auditor can log in remotely and save you billable hours.


Go to this link for more info and to request a web demo:

Example Of Whaling: Super Sophisticated Social Engineering

My staff tried to social engineer me the other day, trying to catch me as a prank. It was a two-stage attack aimed at getting me to reveal my credentials.

They spoofed our Director of HR and sent me the email below. This is an example of very high operational sophistication, typical of top-tier "whaling" attacks: cases in which an individual is subjected to spear-phishing attempts because they hold valuable information or wield influence within an organization. They had done their homework and knew I was active on the SpiceWorks forum for IT admins.
10:45 AM (1 hour ago)
to: stus 


I noticed that a user named securitybull72 (claiming to be an employee) in a security forum posted some negative comments about the company in general (executive compensation mainly) and you specifically (overpaid and incompetent). He gave detailed instances of his disagreements and, in doing so, may have unwittingly divulged confidential company information regarding pending transactions.

The post generated quite a few replies, most of them agreeing with negative  statements. While I understand that the employee has the right to his opinion,  perhaps he should have vented his frustrations through appropriate channels  before making this post. The link to the post is located here (it is the  second one in the thread):

Could you please talk to him?


Nine out of ten people would fall for something like this. The only thing that saved me was that when I hovered over the link, I saw that the domain was one I had created myself for simulated phishing attacks. But it was a close call! One more second and I would have been pwned. Yikes.
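The check that saved the day here, hovering over the link to compare where it actually points with where it claims to point, can be automated on the HTML body of an incoming message. The following is an added example written for this newsletter entry, not code from KnowBe4: it pulls every anchor out of an HTML email, compares the domain in the visible link text with the domain in the href, and also flags links that use a raw IP address or a domain outside an assumed trusted list. The sample email body, the hostnames in it (invented or reserved-for-documentation names only) and the trusted-domain list are constructed for the example, and the two-label registered-domain rule is a simplification that does not handle suffixes such as .co.uk.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the lure above: the first link's visible
# text claims a forum thread while its href goes to a lookalike domain; the
# third points at a bare IP. All hostnames are invented or reserved for documentation.
SAMPLE_EMAIL_HTML = """
<p>The link to the post is located here (it is the second one in the thread):</p>
<p><a href="http://forum-example.com.lookalike.test/thread/42">https://forum.example.com/thread/42</a></p>
<p>Could you please talk to him?</p>
<p><a href="https://intranet.example.com/hr">HR portal</a></p>
<p><a href="http://203.0.113.7/login">reset your password</a></p>
"""

# Assumed: domains the organisation itself uses; anything else deserves a look.
TRUSTED_DOMAINS = {"example.com"}

# Does the visible link text itself look like a URL or bare domain?
_URLISH = re.compile(r"(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:[/:?#].*)?", re.DOTALL)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def extract_links(html: str) -> list:
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def host_of(text: str):
    """Hostname if `text` reads like a URL or domain, else None."""
    text = text.strip()
    if not _URLISH.fullmatch(text):
        return None
    if not text.lower().startswith(("http://", "https://")):
        text = "http://" + text
    host = urlparse(text).hostname
    return host.lower() if host else None


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (simplification: ignores multi-part suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_links(html: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return one finding per suspicious link: {"href", "text", "reasons"}."""
    findings = []
    for href, text in extract_links(html):
        href_host = (urlparse(href).hostname or "").lower()
        if not href_host:
            continue  # relative, mailto: or javascript: links are out of scope here
        reasons = []
        if is_ip(href_host):
            reasons.append("raw IP address in href")
        text_host = host_of(text)
        if text_host and registered_domain(text_host) != registered_domain(href_host):
            reasons.append(f"display text shows {text_host} but href goes to {href_host}")
        if not is_ip(href_host) and registered_domain(href_host) not in trusted:
            reasons.append(f"href domain {registered_domain(href_host)} is not trusted")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL_HTML):
        print(f"{finding['text']!r} -> {finding['href']}")
        for reason in finding["reasons"]:
            print(f"    {reason}")
```

A link whose text is not URL-like ("HR portal") cannot be compared with its href, so for those the trusted-domain check is the only signal; that is exactly the case where a user still has to hover and read the domain.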

The Wall Street Journal has woken up to the threats of spear phishing and ransomware and has a good video about this that I suggest you send to your management levels. This will be real and understandable to them:

90% Of Security Incidents Trace Back To PEBKAC and ID10T Errors

Don't have time to read through the massive Verizon report mentioned in the Editor's Corner? Here is a great summary: 90% of security incidents are still caused by PEBKAC and ID10T errors, according to Verizon's 2015 Data Breach Investigations Report. Phishing attacks are a prime example of how the Problem Exists Between Keyboard And Chair, as the DBIR found it takes a mere one minute and 22 seconds after a phishing email is sent before the first victim clicks on the tainted link. At ComputerWorld:

Top 10 Tips To Involve Employees In Cyber Security

IT might be accountable for cyber security, but every employee needs to be responsible for protecting the organization's computing resources. While technology is good, and quite necessary, it can't work in a vacuum. People are still the weakest link in the security chain. For this reason, Kaspersky Lab has published a short e-booklet with Top 10 Tips for Educating Employees about Cybersecurity. Using these tips along with good security technology will go a long way in helping protect your business from security events. Read the complete story at NetworkWorld:

While you were offline, this droid stole the Internet. BB-8 on the stage at  Star Wars Celebration 2015. This is one heck of a new cool droid, check it out!

SpaceX just delivered an espresso machine to the International Space Station, including a Zero Gravity Coffee Cup. NASA shows the science of it. Cool!

Astronaut's Daughter Sends Message To Her Father With The Help Of 11 Cars:

Why We Don't Have Teleportation Yet. Hint: It's all Volkswagen's fault!

What is the ability of the human body combined with fantasy? Wheelman  will demonstrate extraordinary things with a smile on his face:

Phone out of juice again? Never again with IKEA's Wireless Charging  collection of furniture, which has built-in Qi-enabled wireless chargers:

Wendy the 'talking, meowing and singing dog' and her human, Marc Métral,  amazed the audience and judges of Britain's Got Talent 2015:

Learn how to quickly and easily peel an orange - it only involves  three cuts of a knife:

A couple takes off in an inflatable 'flyfish' banana boat somewhere in Brazil:

Goalkeeper cat is the best goalie ever!:

Out of the archives: The first car ever that can drive on land, on water and  underwater. I still want one!

And one last Classic Charlie Chaplin - The Lion's Cage. For these scenes with the lion, Chaplin made some 200 takes, in many of which he was actually inside the lion's cage!:

Copyright © 2014-2015 KnowBe4 LLC, All rights reserved. Our mailing address is: 601 Cleveland St. Suite 930, Clearwater, Florida, 33760
