CyberheistNews Vol 5 #18 May 5, 2015 Your Antivirus Enduser Is Exposed To Phishing Attacks For 17.5 Hours

Your Antivirus Enduser Is Exposed To Phishing Attacks For 17.5 Hours

The 2015 Websense threat report is abundantly clear about it. "Websense  detected 28 percent of malicious email messages before an anti-virus  signature became available, presenting AV users with an average window  of exposure of 17.5 hours." Here is an excerpt from page 14 of the report:

"Employees can be tricked through social engineering into opening malicious  emails or browsing to a compromised website. Inadvertent data loss can  also occur while attempting to be innovative and productive on the job,  such as using an un-approved cloud service (so-called shadow-IT). 

"The poster child for 2014’s accidental harm comes from the news headlines.  Data breach investigations reveal that most began with a malicious email  or other social engineering tactic. Risky employee behavior has also been  a key factor in the explosion of ransomware incidents.

What To Do About It

"Employee education can reduce their susceptibility to social engineering.  Information sharing can raise awareness and tools can be deployed to test  their knowledge of best practices for identifying phishing emails and other  suspicious content. 

"IT can monitor improved behavior resulting from educational efforts as well  as identify users whose behaviors simply don’t change. Advanced tools can  even proactively identify the high risk user behavior of a disgruntled or  other dangerously motivated employee."

Page 17 has some good quotes on it as well regarding the recycling of  earlier methods and "blended threats". Here is the full report, and you know where to go for that employee education:
http://www.websense.com/assets/reports/report-2015-threat-report-en.pdf  

FBI Alert About Scam Of The Week: Nepal Earthquake

More than 7,000 people dead and counting. And you can also count on  cyber-criminals exploiting the disaster. What else is new. Disgusting.

Scammers are now using the Nepal disaster to trick people in clicking on  links, both on Facebook, Twitter and phishing emails trying to solicit  charitable giving for the earthquake victims. Here are some examples: 

Previous disasters have been exploited like this, but the bad guys are  going at it again will all guns blazing. Be wary of anything that is about  the Nepal Earthquake in the following weeks.

Please warn your employees, friends and family against this scam of the  week. If you want to make a donation, go to the website of the charity  of your choice and make a donation. Type the address in your browser, do  not click on any links in emails or text you might get. THINK BEFORE YOU CLICK.

For KnowBe4 customers, we have a new template in Current Events called "Thank  you for your donation to the Nepal Earthquake Fund". Send this to your  employees to inoculate them against scams like this as soon as possible.

Here is the FBI alert about this scam. It might be a good idea to send this  link to all employees, an FBI alert usually has a bit more impact.
http://www.fbi.gov/sandiego/press-releases/2015/fbi-warns-public-of-disaster-scams

Warm regards, and stay safe out there.

10 Lessons Learned From Painful Ryanair $5M Cyberheist

Low-cost airline Ryanair shamefacedly came clean last week that they fell  victim to a cyberheist which stole almost 5 million dollars out of its  dedicated airplane fuel bank account. The money was siphoned out of the  account using an online transfer via a Chinese bank, the Irish Times reported.

"Ryanair confirms that it has investigated a fraudulent electronic transfer  via a Chinese bank last week. The airline has been working with its banks  and the relevant authorities and understands that the funds have now been  frozen," the company said in a statement.

"The airline expects these funds to be repaid shortly, and has taken steps  to ensure that this type of transfer cannot recur. As this matter is  subject to legal proceedings, no further comment will be made."

The fraudsters highly likely came in with a phishing attack using a banking  Trojan such as ZeuS. So, what are the 10 lessons? Computer Business Review  asked experts from Bitdefender, Kaspersky, SecureData and more and they  are here on our blog. Note what Clearswift mentioned as the #1 thing:
http://blog.knowbe4.com/10-lessons-learned-from-painful-ryanair-5m-cyberheist

Know People In Asia? A New Ransomware Strain Targets Them

Ransomware is being localized for large Asian countries now. There is an  ongoing attack targeting Korea, followed by Malaysia and then Japan. If you  have business partners, subsidiary offices or friends in these countries,  give them a heads-up and send them a link to our blog (link below).

This new strain was just discovered by Symantec. It's called Crypt0l0cker,  an obvious take-off on the original, and changes its menu screens based on  the IP address of the victim's system. This ransomware campaign demands  1.8 bitcoins (about $400) to release a victim's files.

The ransom messages are displayed in English, but the code automatically  changes language based on the system it infects. The translations are rough, looks like they used Google Translate and there are errors. Symantec said this is likely the first ransomware to customize its code for languages in the Far East.

Stepping employees through effective security awareness training is a must  these days as part of your defense-in-depth. Our blog has a screen shot:
http://blog.knowbe4.com/new-multi-language-ransomware-crypt0l0cker

PS: Wall Street Journal's Blog: "A cyber conference this week brought  together some 1,600 security experts from around the world. Here’s what  they say keeps them awake at night." Guess what number one is? Ransomware:
http://blogs.wsj.com/briefly/2015/04/30/5-things-that-keep-cyber-security-pros-awake-at-night/

Warm Regards,
Stu Sjouwerman
Email me: feedback@knowbe4.com

" The spirit is the true self. The spirit, the will to win, and the will to  excel are the things that endure.  " - Marcus Tullius Cicero, Roman Statesman

" Supreme excellence consists in breaking the enemy's resistance without  fighting. "  - Sun Tzu, General, Strategist and Philosopher

This Week's Five Most Popular HackBusters Posts

What are IT security people talking about? Here are this week's five most  popular hackbusters posts:

New Spear Phishing Purchase Order Has Evil Plugin Twist

Subscriber Patrick Farrell wrote: "We had a nice email come in with a  purchase order for a contract. The person it went to receives many such  legitimate e-mails. Attached was a PDF, also typical of what they would  received. The PDF itself scanned virus free both with our local solution,  our hosted exchanges solution and virus total.

"Attempting to view the PDF tells you to click here to get the required plugin. The plugin is the payload (which fortunately was caught by our virus scanner.) Our business is electronics recycling and we resell a lot of product that's  recycled after it's wiped and tested. Often sold in bulk either as parts,  or e-scrap.

"We do a lot of international business and while the grammar errors might seem  obvious, many of the e-mails we get from offices (including ours) in Asia  have similar mistakes. I just thought I'd pass this on to you as you are  always posting heads up to everyone else. This was the body of the e-mail:

Dear Sir,

Please find attached the draft contract PO and fulfill the info. Then sign  and send back.

They need ETA 30th May. because we confirmed goods is available when we  approached them. Please arrange shipment soon.

Regards,
  APAC GLOBAL TRADING (PTE) lTD.
  Import and Export Director
4031 15Th Avenue,
Brooklyn, NY 11219 USA

Make sure your accounting people get trained to spot spear phishing  Red Flags like this.

Social Engineering Exploit Fools HR with Infected IT Resumes

Proofpoint threat researchers recently detected a clever email-based attack  that combines phishing and social engineering techniques in order to trick  users into opening a malicious document. In this attack, the bad guys browse  open positions listed on CareerBuilder.com and attach infected Word resumes  to IT job positions in engineering and finance with titles such as “web  developer” “business analyst,” and “middleware developer.”

Issue is, when a resume is submitted, CareerBuilder automatically sends a  notification email to the company that posted the ad, along with the  resume attached to it. Careerbuilder helps deliver the malicious payload,  which is likely to slip past defenses, because it is concealed inside an  image.

When HR (or a recruiter) opens the email and next the attachment, the  document tries to exploits a known vulnerability in Word to place a  malicious binary on the user’s system. The binary then contacts a  command and control server, which downloads and unzips an image file,  which in turn drops a backdoor dubbed Sheldor on the victim’s computer,  Proofpoint said in a blog post describing the attack.

It's a great way to use social engineer the victim because the employee in  HR has basically asked for the resume to be sent.

“Not only are they legitimate emails from a reputable service, but these  emails are expected and even desired by the recipient,” the company said.  And because of how resumes are typically circulated within an organization,  there is a good chance the malicious attachment will be sent to hiring  managers, interviewers, and other stakeholders within the company that  posed the ad, the researchers said.

What To Do About It