

CyberheistNews Vol 5 #18 May 5, 2015  


Your Antivirus Enduser Is Exposed To Phishing Attacks For 17.5 Hours

The 2015 Websense threat report is abundantly clear about it. "Websense detected 28 percent of malicious email messages before an anti-virus signature became available, presenting AV users with an average window of exposure of 17.5 hours." Here is an excerpt from page 14 of the report:

"Employees can be tricked through social engineering into opening malicious emails or browsing to a compromised website. Inadvertent data loss can also occur while attempting to be innovative and productive on the job, such as using an un-approved cloud service (so-called shadow-IT).

"The poster child for 2014's accidental harm comes from the news headlines. Data breach investigations reveal that most began with a malicious email or other social engineering tactic. Risky employee behavior has also been a key factor in the explosion of ransomware incidents.

What To Do About It

"Employee education can reduce their susceptibility to social engineering. Information sharing can raise awareness and tools can be deployed to test their knowledge of best practices for identifying phishing emails and other suspicious content.

"IT can monitor improved behavior resulting from educational efforts as well as identify users whose behaviors simply don't change. Advanced tools can even proactively identify the high risk user behavior of a disgruntled or other dangerously motivated employee."

Page 17 has some good quotes on it as well regarding the recycling of earlier methods and "blended threats". Here is the full report, and you know where to go for that employee education:

FBI Alert About Scam Of The Week: Nepal Earthquake

More than 7,000 people dead and counting. And you can also count on  cyber-criminals exploiting the disaster. What else is new. Disgusting.

Scammers are now using the Nepal disaster to trick people into clicking on links, on Facebook, on Twitter and in phishing emails, all trying to solicit charitable giving for the earthquake victims. Here are some examples:


  • Facebook pages dedicated to victim relief contain links to scam websites.
  • Tweets are going out with links to supposedly charitable websites soliciting donations, which in reality contain spam links or links that lead to a malware infection.
  • Phishing emails dropping into a user's inbox asking for donations to the Nepal Earthquake Fund.

Previous disasters have been exploited like this, but the bad guys are going at it again with all guns blazing. Be wary of anything that is about the Nepal Earthquake in the following weeks.

Please warn your employees, friends and family against this scam of the week. If you want to make a donation, go to the website of the charity of your choice and make a donation. Type the address in your browser; do not click on any links in emails or texts you might get. THINK BEFORE YOU CLICK.

For KnowBe4 customers, we have a new template in Current Events called "Thank you for your donation to the Nepal Earthquake Fund". Send this to your employees to inoculate them against scams like this as soon as possible.

Here is the FBI alert about this scam. It might be a good idea to send this link to all employees; an FBI alert usually has a bit more impact.

Warm regards, and stay safe out there.

10 Lessons Learned From Painful Ryanair $5M Cyberheist

Low-cost airline Ryanair shamefacedly came clean last week that they fell victim to a cyberheist which stole almost 5 million dollars out of its dedicated airplane fuel bank account. The money was siphoned out of the account using an online transfer via a Chinese bank, the Irish Times reported.

"Ryanair confirms that it has investigated a fraudulent electronic transfer via a Chinese bank last week. The airline has been working with its banks and the relevant authorities and understands that the funds have now been frozen," the company said in a statement.

"The airline expects these funds to be repaid shortly, and has taken steps to ensure that this type of transfer cannot recur. As this matter is subject to legal proceedings, no further comment will be made."

The fraudsters very likely came in with a phishing attack using a banking Trojan such as ZeuS. So, what are the 10 lessons? Computer Business Review asked experts from Bitdefender, Kaspersky, SecureData and more, and they are here on our blog. Note what Clearswift mentioned as the #1 thing:

Know People In Asia? A New Ransomware Strain Targets Them

Ransomware is being localized for large Asian countries now. There is an ongoing attack targeting Korea, followed by Malaysia and then Japan. If you have business partners, subsidiary offices or friends in these countries, give them a heads-up and send them a link to our blog (link below).

This new strain was just discovered by Symantec. It's called Crypt0l0cker, an obvious take-off on the original, and changes its menu screens based on the IP address of the victim's system. This ransomware campaign demands 1.8 bitcoins (about $400) to release a victim's files.

The ransom messages are displayed in English, but the code automatically changes language based on the system it infects. The translations are rough; it looks like they used Google Translate, and there are errors. Symantec said this is likely the first ransomware to customize its code for languages in the Far East.

Stepping employees through effective security awareness training is a must these days as part of your defense-in-depth. Our blog has a screen shot:

PS: Wall Street Journal's Blog: "A cyber conference this week brought together some 1,600 security experts from around the world. Here's what they say keeps them awake at night." Guess what number one is? Ransomware:

Warm Regards,
Stu Sjouwerman
Email me:

Quotes Of The Week:


"The spirit is the true self. The spirit, the will to win, and the will to excel are the things that endure." - Marcus Tullius Cicero, Roman Statesman

"Supreme excellence consists in breaking the enemy's resistance without fighting." - Sun Tzu, General, Strategist and Philosopher




Thanks for reading CyberheistNews!

If you want to unsubscribe, you can do that right here.



Security News



This Week's Five Most Popular HackBusters Posts

What are IT security people talking about? Here are this week's five most popular HackBusters posts:


New Spear Phishing Purchase Order Has Evil Plugin Twist

Subscriber Patrick Farrell wrote: "We had a nice email come in with a purchase order for a contract. The person it went to receives many such legitimate e-mails. Attached was a PDF, also typical of what they would receive. The PDF itself scanned virus free both with our local solution, our hosted Exchange solution and VirusTotal.

"Attempting to view the PDF tells you to click here to get the required plugin. The plugin is the payload (which fortunately was caught by our virus scanner). Our business is electronics recycling and we resell a lot of product that's recycled after it's wiped and tested. Often sold in bulk either as parts, or e-scrap.

"We do a lot of international business and while the grammar errors might seem obvious, many of the e-mails we get from offices (including ours) in Asia have similar mistakes. I just thought I'd pass this on to you as you are always posting heads up to everyone else. This was the body of the e-mail:

Dear Sir,

Please find attached the draft contract PO and fulfill the info. Then sign  and send back.

They need ETA 30th May. because we confirmed goods is available when we  approached them. Please arrange shipment soon.

  Import and Export Director
4031 15Th Avenue,
Brooklyn, NY 11219 USA

Make sure your accounting people get trained to spot spear phishing Red Flags like this.

Social Engineering Exploit Fools HR with Infected IT Resumes

Proofpoint threat researchers recently detected a clever email-based attack that combines phishing and social engineering techniques in order to trick users into opening a malicious document. In this attack, the bad guys browse open positions listed on CareerBuilder and attach infected Word resumes to IT job positions in engineering and finance with titles such as "web developer," "business analyst," and "middleware developer."

The issue is, when a resume is submitted, CareerBuilder automatically sends a notification email to the company that posted the ad, with the resume attached. CareerBuilder thus helps deliver the malicious payload, which is likely to slip past defenses because it is concealed inside an image.

When HR (or a recruiter) opens the email and then the attachment, the document tries to exploit a known vulnerability in Word to place a malicious binary on the user's system. The binary then contacts a command and control server, which downloads and unzips an image file, which in turn drops a backdoor dubbed Sheldor on the victim's computer, Proofpoint said in a blog post describing the attack.

It's an effective way to social engineer the victim, because the employee in HR has basically asked for the resume to be sent.

"Not only are they legitimate emails from a reputable service, but these emails are expected and even desired by the recipient," the company said. And because of how resumes are typically circulated within an organization, there is a good chance the malicious attachment will be sent to hiring managers, interviewers, and other stakeholders within the company that posted the ad, the researchers said.

What To Do About It

  • I would strongly recommend that anyone who opens resumes from job boards only use the Google Chrome browser VIEW option and DO NOT download any actual documents.
  • Deploy an automated resume parsing solution (there are a few) which will take the brunt of the malware threat as part of their service.

And obviously, step all employees in HR through effective security awareness training. You'll be surprised how affordable this is.

Professional Hackers Talk Social Engineering Threats And Security Awareness

With years of experience pen testing and human hacking, Chris Hadnagy and Dave Kennedy are experts at how social engineers work, and what techniques they use to successfully breach an organization. In this discussion with CSO Chief Editor Joan Goodchild, they dig into the details of how criminals work and offer tips for shoring up awareness among employees:

Tesla Attack Caused By Social Engineering Of AT&T Support Rep

A few days ago, you may have read the news that Tesla Motors had their website and Twitter accounts hijacked by pranksters. OpenDNS has a blog post that goes into great technical detail, but here is the upshot.

The website was defaced and Elon Musk's Twitter account was taken over. Then, they posted the phone number of a small computer repair shop and told people to call to get their "free Tesla".

It was a simple social engineering attack. Tesla stated that the pranksters started with a phone call to AT&T. Someone good at social engineering posed as a Tesla employee and tricked an AT&T customer support rep into forwarding calls to a number not owned by Tesla.

Next, they went to Tesla's domain registrar (Network Solutions) and added a new email address to the domain admin account using the fraudulently forwarded phone number.

Then, they reset the passwords, and since the pranksters had control over the new email address, accessed the Tesla Network Solutions account and altered the DNS and mail exchanger (MX) records. With the MX-record change, they got control over Musk's Twitter account for a few hours.
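The registrar-side DNS and MX changes in this attack are exactly the kind of drift a defender can catch early with a scheduled record check. The following is an added example (not from the newsletter, OpenDNS or Tesla) of such a check: it parses a stored baseline of a zone's critical records and a freshly observed snapshot, then reports any added or removed records, rating MX, NS and address-record changes as high severity. The zone name `example.com`, the nameserver and mail host names, the IP addresses and both snapshots are constructed sample data; in production the observed snapshot would come from a resolver query, which is left out here so the example runs offline.

```python
"""DNS record drift check (added example, not the newsletter's or Tesla's code).

Compares a baseline of a zone's critical records with a newly observed
snapshot and flags unexpected additions and removals. All zone data below
is constructed for illustration.
"""
from dataclasses import dataclass

# Record types whose silent change most directly enables mail interception
# (MX), zone takeover (NS) or site redirection (A/AAAA/CNAME).
CRITICAL_TYPES = {"MX", "NS", "A", "AAAA", "CNAME"}

# Constructed baseline: what the zone looked like when it was last approved.
BASELINE_SNAPSHOT = """
# name          type  value
example.com.    NS    ns1.registrar.example.
example.com.    NS    ns2.registrar.example.
example.com.    A     203.0.113.10
example.com.    MX    10 mail.example.com.
example.com.    TXT   "v=spf1 mx -all"
"""

# Constructed observed snapshot: the A and MX records now point elsewhere,
# the pattern seen when a registrar account is hijacked.
OBSERVED_SNAPSHOT = """
example.com.    NS    ns1.registrar.example.
example.com.    NS    ns2.registrar.example.
example.com.    A     198.51.100.77
example.com.    MX    10 mail.rogue-host.example.
example.com.    TXT   "v=spf1 mx -all"
"""


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    value: str


def parse_records(text: str) -> set[Record]:
    """Parse 'name type value...' lines into a set of Records.

    Blank lines and '#' comments are ignored. TTLs are intentionally not
    part of the format because they churn legitimately and would only
    produce noise in a drift report.
    """
    records: set[Record] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed record line: {line!r}")
        name = parts[0].lower()
        rtype = parts[1].upper()
        value = " ".join(parts[2:]).lower()  # rdata is compared case-insensitively
        records.add(Record(name, rtype, value))
    return records


def detect_drift(baseline: set[Record], observed: set[Record]) -> list[dict]:
    """Return one finding per record that was added to or removed from the zone."""
    def severity(rec: Record) -> str:
        return "high" if rec.rtype in CRITICAL_TYPES else "low"

    order = lambda r: (r.rtype, r.name, r.value)
    findings = []
    for rec in sorted(observed - baseline, key=order):
        findings.append({"change": "added", "severity": severity(rec), "record": rec})
    for rec in sorted(baseline - observed, key=order):
        findings.append({"change": "removed", "severity": severity(rec), "record": rec})
    return findings


def check_zone(baseline_text: str, observed_text: str) -> dict:
    """Run the comparison and summarise it for an alerting pipeline."""
    findings = detect_drift(parse_records(baseline_text), parse_records(observed_text))
    high = [f for f in findings if f["severity"] == "high"]
    return {
        "alert": bool(high),          # page someone only for critical-type drift
        "high_count": len(high),
        "findings": findings,
    }


if __name__ == "__main__":
    report = check_zone(BASELINE_SNAPSHOT, OBSERVED_SNAPSHOT)
    for f in report["findings"]:
        r = f["record"]
        print(f"[{f['severity'].upper()}] {f['change']:<7} {r.name} {r.rtype} {r.value}")
    print("ALERT" if report["alert"] else "no critical drift")
```

The baseline should live somewhere the registrar account cannot reach (a repository or a monitoring host), since the point is to notice changes made through a compromised registrar login. A TXT or other low-severity change is still reported, but only critical-type drift sets the alert flag.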

We should be glad that this was a well thought-out prank by digital delinquents (possibly Lizard Squad) and not a real attack.

The pranksters did put a finger on a very sore spot though. Customer Support Reps (CSRs), often outsourced, are hired and rewarded to help. It's their job to solve problems and assist customers. Saying NO to a customer is the last thing they are trained to do, but sometimes this is the correct action.

Someone who knows what they are doing is usually able to social engineer Tech Support and get the data they need to get in. CSRs especially should be given security awareness training within an inch of their lives, to make sure that these types of exploits are blocked from the start.

Cyberheist 'FAVE' LINKS:


Legends Of Aviation. Showreel featuring the Patrouille Suisse, Red Arrows, Breitling Super Constellation, Swiss Airbus A330, Rimowa JU-52 and many others. Awesome footage - Watch Full Screen HD!:

Full Keynote: Elon Musk Debuts the Tesla Powerwall: videos and summary at Reddit. This is BIG and I reserved one of the 10KW units:

Wheel Gymnastics World Champion Jenny Hoffmann. Where did this "wheel gymnastics" suddenly come from?:

Flashbang Bra Holster as seen on NCIS LA, NCIS Los Angeles. Now that's a way to use your Concealed Carry Permit!:

Not Quite Safe For Work - Cooking chefs offer a hilarious burlesque number that's OK in France, but probably questionable in America. Hilarious though:

World's First: Kevin Richardson Playing Soccer With Wild Lions:

Hugs? Just like animals, hugs come in all shapes and sizes. Here’s a few. Enjoy!

The 10 Weirdest Job Titles In Tech. Fun:

Burglars in the age of the Internet Of Things. They break into a modern mansion and find all the doors open. What is going on? Is this too good to be true?:

Now on Slideshare: The 5 security awareness training generations [CARTOON]

Out of the archives: A pink elephant with yellow dots parades across the street in front of unsuspecting motorists. This is actually pretty funny candid camera:


 Copyright © 2014-2015 KnowBe4 LLC, All rights reserved.

Our mailing address is: 601 Cleveland St. Suite 930, Clearwater, Florida, 33760
