Your Antivirus Enduser Is Exposed To Phishing Attacks For 17.5 Hours
The 2015 Websense threat report is abundantly clear about it. "Websense detected 28 percent of malicious email messages before an anti-virus signature became available, presenting AV users with an average window of exposure of 17.5 hours." Here is an excerpt from page 14 of the report:
"Employees can be tricked through social engineering into opening malicious emails or browsing to a compromised website. Inadvertent data loss can also occur while attempting to be innovative and productive on the job, such as using an un-approved cloud service (so-called shadow-IT).
"The poster child for 2014’s accidental harm comes from the news headlines. Data breach investigations reveal that most began with a malicious email or other social engineering tactic. Risky employee behavior has also been a key factor in the explosion of ransomware incidents.
What To Do About It
"Employee education can reduce their susceptibility to social engineering. Information sharing can raise awareness and tools can be deployed to test their knowledge of best practices for identifying phishing emails and other suspicious content.
"IT can monitor improved behavior resulting from educational efforts as well as identify users whose behaviors simply don’t change. Advanced tools can even proactively identify the high risk user behavior of a disgruntled or other dangerously motivated employee."
FBI Alert About Scam Of The Week: Nepal Earthquake
More than 7,000 people dead and counting. And you can also count on cyber-criminals exploiting the disaster. What else is new. Disgusting.
Scammers are now using the Nepal disaster to trick people into clicking on links, on Facebook, on Twitter and in phishing emails trying to solicit charitable giving for the earthquake victims. Here are some examples:
Facebook pages dedicated to victim relief contain links to scam websites.
Tweets are going out with links to charitable websites soliciting donations, but in reality contain spam links or links that lead to a malware infection.
Phishing emails dropping in a user's inbox asking for donations to the Nepal Earthquake Fund.
Previous disasters have been exploited like this, but the bad guys are going at it again with all guns blazing. Be wary of anything about the Nepal earthquake in the coming weeks.
Please warn your employees, friends and family against this scam of the week. If you want to make a donation, go to the website of the charity of your choice and make a donation there. Type the address in your browser; do not click on any links in emails or texts you might get. THINK BEFORE YOU CLICK.
For KnowBe4 customers, we have a new template in Current Events called "Thank you for your donation to the Nepal Earthquake Fund". Send this to your employees to inoculate them against scams like this as soon as possible.
10 Lessons Learned From Painful Ryanair $5M Cyberheist
Low-cost airline Ryanair shamefacedly came clean last week that they fell victim to a cyberheist which stole almost 5 million dollars out of its dedicated airplane fuel bank account. The money was siphoned out of the account using an online transfer via a Chinese bank, the Irish Times reported.
"Ryanair confirms that it has investigated a fraudulent electronic transfer via a Chinese bank last week. The airline has been working with its banks and the relevant authorities and understands that the funds have now been frozen," the company said in a statement.
"The airline expects these funds to be repaid shortly, and has taken steps to ensure that this type of transfer cannot recur. As this matter is subject to legal proceedings, no further comment will be made."
Know People In Asia? A New Ransomware Strain Targets Them
Ransomware is being localized for large Asian countries now. There is an ongoing attack targeting Korea, followed by Malaysia and then Japan. If you have business partners, subsidiary offices or friends in these countries, give them a heads-up and send them a link to our blog (link below).
This new strain was just discovered by Symantec. It's called Crypt0l0cker, an obvious take-off on the original, and changes its menu screens based on the IP address of the victim's system. This ransomware campaign demands 1.8 bitcoins (about $400) to release a victim's files.
The ransom messages are displayed in English, but the code automatically changes language based on the system it infects. The translations are rough and contain errors; it looks like they used Google Translate. Symantec said this is likely the first ransomware to customize its code for languages in the Far East.
New Spear Phishing Purchase Order Has Evil Plugin Twist
Subscriber Patrick Farrell wrote: "We had a nice email come in with a purchase order for a contract. The person it went to receives many such legitimate e-mails. Attached was a PDF, also typical of what they would receive. The PDF itself scanned virus free both with our local solution, our hosted Exchange solution and VirusTotal.
"Attempting to view the PDF tells you to click here to get the required plugin. The plugin is the payload (which fortunately was caught by our virus scanner). Our business is electronics recycling and we resell a lot of product that's recycled after it's wiped and tested, often sold in bulk either as parts or e-scrap.
"We do a lot of international business and while the grammar errors might seem obvious, many of the e-mails we get from offices (including ours) in Asia have similar mistakes. I just thought I'd pass this on to you as you are always posting heads-ups to everyone else. This was the body of the e-mail:
Please find attached the draft contract PO and fulfill the info. Then sign and send back.
They need ETA 30th May. because we confirmed goods is available when we approached them. Please arrange shipment soon.
Regards, APAC GLOBAL TRADING (PTE) lTD. Import and Export Director 4031 15Th Avenue, Brooklyn, NY 11219 USA
Make sure your accounting people get trained to spot spear phishing Red Flags like this.
Social Engineering Exploit Fools HR with Infected IT Resumes
Proofpoint threat researchers recently detected a clever email-based attack that combines phishing and social engineering techniques in order to trick users into opening a malicious document. In this attack, the bad guys browse open positions listed on CareerBuilder.com and attach infected Word resumes to IT job positions in engineering and finance with titles such as "web developer," "business analyst," and "middleware developer."
The issue is, when a resume is submitted, CareerBuilder automatically sends a notification email to the company that posted the ad, with the resume attached. CareerBuilder thus helps deliver the malicious payload, which is likely to slip past defenses because it is concealed inside an image.
When HR (or a recruiter) opens the email and then the attachment, the document tries to exploit a known vulnerability in Word to place a malicious binary on the user's system. The binary then contacts a command and control server, which downloads and unzips an image file, which in turn drops a backdoor dubbed Sheldor on the victim's computer, Proofpoint said in a blog post describing the attack.
It's a great way to social engineer the victim, because the employee in HR has basically asked for the resume to be sent.
"Not only are they legitimate emails from a reputable service, but these emails are expected and even desired by the recipient," the company said. And because of how resumes are typically circulated within an organization, there is a good chance the malicious attachment will be sent to hiring managers, interviewers, and other stakeholders within the company that posted the ad, the researchers said.
What To Do About It
I would strongly recommend that anyone who opens resumes from job boards only use the Google Chrome browser VIEW option and DO NOT download any actual documents.
Deploy an automated resume parsing solution (there are a few) which will take the brunt of the malware threat as part of their service.
Tesla Attack Caused By Social Engineering Of AT&T Support Rep
A few days ago, you may have read the news that Tesla Motors had their website and Twitter accounts hijacked by pranksters. OpenDNS has a blog post that goes into great technical detail but here is the upshot.
The website was defaced and Elon Musk's Twitter account was taken over. Then, they posted the phone number of a small computer repair shop and told people to call to get their "free Tesla".
It was a simple social engineering attack. Tesla stated that the pranksters started with a phone call to AT&T. Someone good at social engineering posed as a Tesla employee and tricked an AT&T customer support rep into forwarding calls to a number not owned by Tesla.
Next, they went to Tesla's domain registrar (Network Solutions) and added a new email address to the domain admin account, using the fraudulently forwarded phone number to pass the verification step.
Then they reset the passwords, and since the pranksters controlled the new email address, they accessed the Tesla Network Solutions account and altered the DNS and mail exchanger (MX) records. With the MX-record change, password-reset mail for the domain went to them, and they got control over Musk's Twitter account for a few hours.
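The chain above ends with the registrar account being used to rewrite Tesla's NS, MX and A records. Every step before that happened on the phone or at the registrar, where the domain owner has little visibility, but the final step is observable from the outside: the domain's public records changed. The example below is an added illustration (not code from KnowBe4, OpenDNS or Tesla) of the check a domain owner can run on a schedule: keep a signed-off baseline of the NS, MX and A records for each owned domain and alert on any record that appears or vanishes. The domain names, hosts and record sets are constructed sample data so the example runs offline; in production the `current` dictionary would be filled from a live resolver query.

```python
"""Baseline-diff monitor for a domain's public DNS records (added example)."""
from dataclasses import dataclass

# Record types whose unauthorized change signals a registrar or DNS takeover:
# NS moves the whole zone, MX reroutes mail (and with it password-reset links),
# A repoints the website.
WATCHED_TYPES = ("NS", "MX", "A")


@dataclass(frozen=True)
class Alert:
    domain: str
    rtype: str
    kind: str   # "added" or "removed"
    value: str


def normalize(values):
    """DNS names are case-insensitive and may carry a trailing dot; fold both away."""
    return {" ".join(v.split()).lower().rstrip(".") for v in values}


def diff_records(domain, baseline, current):
    """Return one Alert per watched record that appeared or vanished since the baseline."""
    alerts = []
    for rtype in WATCHED_TYPES:
        base = normalize(baseline.get(rtype, ()))
        now = normalize(current.get(rtype, ()))
        for v in sorted(now - base):
            alerts.append(Alert(domain, rtype, "added", v))
        for v in sorted(base - now):
            alerts.append(Alert(domain, rtype, "removed", v))
    return alerts


def severity(alerts):
    """Any NS or MX change is critical (mail and zone control); A-only changes are high."""
    types = {a.rtype for a in alerts}
    if not types:
        return "none"
    if types & {"NS", "MX"}:
        return "critical"
    return "high"


# Constructed sample data: the approved baseline for a placeholder domain ...
BASELINE = {
    "NS": ["ns1.example.net.", "ns2.example.net."],
    "MX": ["10 mail.example.com."],
    "A": ["192.0.2.10"],
}

# ... and a later lookup in which mail has been redirected to a host the owner never approved.
TAMPERED = {
    "NS": ["ns1.example.net.", "ns2.example.net."],
    "MX": ["10 MX.Unknown-Host.example."],
    "A": ["192.0.2.10", "203.0.113.77"],
}


if __name__ == "__main__":
    found = diff_records("example.com", BASELINE, TAMPERED)
    print("severity:", severity(found))
    for a in found:
        print(f"{a.domain} {a.rtype} {a.kind}: {a.value}")
```

Run against the constructed data, the monitor reports a critical change: one MX record added, the original MX removed, and an extra A record. The same diff run on an unchanged domain returns no alerts. This catches the DNS stage only; the earlier registrar-account change (a new contact email added) never shows up in DNS, so it needs the registrar's own change notifications and a registrar lock on the domain to be visible at all.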
We should be glad that this was a well thought-out prank by digital delinquents (possibly Lizard Squad) and not a real attack.
The pranksters did put a finger on a very sore spot though. Outsourced Customer Support Reps (CSRs) are often hired and rewarded to help. It's their job to solve problems and assist customers. Saying NO to a customer is the last thing they are trained to do, but sometimes this is the correct action.
Someone who knows what they are doing is usually able to social engineer Tech Support and get the data they need to get in. CSRs especially should be given security awareness training within an inch of their lives, to make sure that these types of exploits are blocked from the start. http://blog.knowbe4.com/tesla-attack-caused-by-social-engineering
Cyberheist 'FAVE' LINKS:
This Week's Links We Like. Tips, Hints And Fun Stuff.