CyberheistNews Vol 5 #19 Scam Of The Week: Red Bull Money Mule Victims


  Scam Of The Week: Red Bull Money Mule Victims

Warn your employees, friends and family about a cunning money laundering  scam that is currently back on the rise. This lure was first used during  spring break in 2014 and apparently successful because it's back.

It's an email claiming to be from Red Bull and offers offers to place Red Bull ads on the victim's car for 600 bucks a week. It all sounds innocent  enough; wrap your car with advertising and make money driving around town.  There is a nasty catch though.

The scam email explains the benefits of the "business offer" and promises easy money that basically will pay for the whole car, gas money included.  However, if you sign up for it, this deal backfires and the victim is  investigated for money laundering fraud.

How This Scam Works

The first payment that arrives is much larger than originally agreed upon. The criminals apologize for the "error" and would the victim please quickly  deduct their own fee and wire the rest of the money back to them.

However it's either a forged or stolen check the victim received in the first place, or it's a fraudulent wire transfer from an account that was criminally taken over. In both cases the victim is left holding the bag  when the cops come knocking on their door. All initial evidence of the  fraud will point to them.

What To Do About It

I strongly recommend you send the following to your employees, friends and family. Feel free to copy/paste/edit:

"A new job scam is doing the rounds, preying on people that want to  make $600 a week with Red Bull advertising on their car. It sounds like a great deal, but this scam is run by criminals that will try to use their victims for money laundering. If you get an email claiming  to be from Red Bull and offers you an attractive advertising deal, use that delete key. In general, be very careful with any Internet "work  from home" schemes, many of these are fraudulent. Do not give out any  personal information to these criminals and warn your family members."

For KnowBe4 customers, we have a new phishing template in the Online Services campaign called "Advertising for Red Bull Energy Drink". Send  it to your employees and inoculate them against bogus second job offers  before they get into some real trouble.

There is an example of the scam email at the KnowBe4 Blog:

Heads-up: 'Breaking Bad' Ransomware Beta Tested Down Under      

You can expect ransomware in America in the next few weeks which has  a Breaking Bad theme. Take this a bit further and we can expect  ransomware with Halloween themes later this year. Sheesh.

Some criminals are too smart for their own good though, because using  a TV show like this will make it much more recognizable and written  about, defeating the purpose.

Apart from the Breaking Bad theme, CryptoLocker.S. is pretty generic ransomware. It is surprising how fast ransom Trojans have spread.  A year ago every new strain was headline news, now it's on page 3.  This version grabs a wide range of data files, encrypts it using a  random AES key which then is encrypted using a public key.

Your employees can run into this strain like any other ransom Trojan  by opening an infected email attachment. It even opens a legitimate  PDF file to trick your users that everything is fine. In the mean time, back at the server farm... Anyway, block all zip files at the edge if you have not already, and make 100% sure your Backup/Restore actually works. More details and link to Symantec who found  this strain at the KnowBe4 Blog:

Need Your Input On Mobile Security Awareness Training      

We are trying to establish your interest in a mobile security awareness training platform for your employees. This platform is an app that runs on their smartphone, and has several features to help you keep your network safe by improving and reinforcing your human firewall. Please take 1 minute to answer 6 short questions and let us know what you think? Thanks so much in advance!

Here is the link to SurveyMonkey: 
Warm Regards,
Stu Sjouwerman
Quotes Of The Week
     "If you torture data sufficiently, it will confess to almost anything." - F. Menger 

"The confession of evil works is the first beginning of good works."  - Saint Augustine

     Thanks for reading CyberheistNews!
Security News

  Has Anyone Used KnowBe4?

May 14, 2014 7:45 AM BruceyBonus asked the following question at  the SpiceWorks Security Forum:

"Hi All, been in contact with a company called Knowbe4, they offer a  simulated phishing attack to your users and discover how high your  organization’s Phish-prone percentage is...any one heard of them or  used them? any information would be greatly appreciated...Thanks"

Within 2 days there were almost 50 replies. If you want independent, actual users describing their experience in their own words, you should  read these (unedited) answers at the forum:

Combine that with a very positive review in InfoWorld, and you know where to go if you want to do something about users who never learn to  avoid stupid security mistakes that compromise your organization.

InfoWorld's security guru Roger Grimes writes about KnowBe4's integrated  training and phishing platform. Check out this article:


  This Week's Five Most Popular HackBusters Posts       

 What are IT security people talking about? Here are this week's five most  popular Hackbusters posts:
    1. Feds Say That Banned Researcher Commandeered a Plane:
    2. CHIP — The World's First $9 Computer:

    3. Unwilling DNA Samples Used In Advertising:

    4. This Little 3-D Printed Robot Cracks Combination Locks In 30 Seconds:

    5. Police warn of PennDOT 'phishing' scam:

Starbucks Hack: A Great Example Why You Should Not Reuse Passwords

Use this story and send it to your employees as a cautionary tale to  make it real to them they should not reuse passwords in general, but especially not for any online payment accounts!

News broke this week that smart thieves use the Starbucks' mobile app to  steal money from users' bank accounts. You can use the app to pay at the Starbucks checkouts with your smartphone, and you can also set it up  to draw money from a linked account to reload your Starbucks card. The  coffee giant now operates the most popular mobile wallet payment system  in the U.S. so this is a big deal.

The attackers have been breaking into Starbucks accounts to repeatedly transfer money from bank accounts using the app's auto-reload function.  Starbucks hasn’t been able to stop fraudulent transactions even when  they are reported within a few minutes.

The problem is that the cyber thieves just need the user name and  password to get into the account. Starbucks publicly stated that their system has not been breached, but that these thefts are caused by stolen credentials on other sites and cause this problem for people  who reuse their user name and password on multiple sites.

So here are a few rules for online payments:
    1. Use a unique pass-phrase for online payment accounts. Do not  reuse that pass-phrase anywhere else.

    2. DO NOT share passwords across apps. This is hard but not impossible, especially if you use password managers like OnePass or LastPass.

    3. If you link an app for online payments, only use credit cards and never use debit cards or God forbid your bank account which simply is asking for trouble.

    4. Set your credit cards to email you real-time confirmation of expenses.  I have an AMEX card that emails me the amount of any charge over a  threshold I set.
Online payment systems are very convenient, but you need to use common sense and password discipline to make sure they don't become a major pain in the neck.

Wetware: The Major Data Security Threat You've Never Heard Of

Adam Levin, Forbes contributor explains what wetware is to the uninitiated,  and makes the case for more budget for awareness training. This is great  ammo to send to non-IT management level people.

He wrote: "For the first time, according to a recent study, criminal  and state-sponsored hacks have surpassed human error as the leading  cause of health care data breaches, and it could be costing the  industry as much as $6 billion. With an average organization cost  of $2.1 million per breach, the results of the study give rise to  a question: How do you define human error?

"More than half of the respondents in the Ponemon Institute’s Fifth  Annual Benchmark Study on Privacy & Security of Healthcare Data,  said their organization’s incident response team was underfunded or  understaffed and roughly one third of respondents had no incident  response plan in place at all—zip, nada, zilch—a fact that beggars  the imagination at a moment when breaches have become the third  certainty in life, and one that highlights the seeming no-show of  the “first do no harm” approach to patients on the data breach-prone  operations side of the health care industry."  More at Forbes:


The Best Defense Against Cybercrime? Get Your Employees On Board     

The UK-based ITProPortal's Charles Orton-Jones recently surveyed more  than a thousand office workers in the UK to gain insights into employee  attitudes about cyber-security and data theft. Many see data theft as  a victimless crime, especially millennial employees.

That is a problem but it gets worse. The survey also found that more than  72% of millennials believe they are entitled to take data they have  worked on compared with 41 per cent of baby boomers. An organization’s  approach to correcting such misperceptions internally should consider  these generational differences.

The article lists 4 major items that you should address to make  protecting data part of your culture:
    • "Clarify the business risk: Leadership must detail the consequences  of a data breach to the company’s financial results, relationships  with customers, and reputation.

    • "Align with values and culture: Data protection isn’t just the  responsibility of IT, it’s the responsibility of everyone in an  organization. Ensure you have processes in place for employees to  voice concerns, particularly during times of company transition.

    • "Involve employees directly in solutions: The data showed millennials  in particular are motivated by direct engagement in problem-solving,  so enlist them to help develop approaches that will resonate with  their peers.

    • "Partner with the compliance and IT teams: Technology or compliance  training around cyber security should be preceded by awareness  campaigns that reinforce the business urgency."
Quite simply, creating a culture where employees respect data and are  motivated to protect the business is critical to cyber security. More at:
Cyberheist 'FAVE' LINKS:

Subscribe To Our Blog

Ransomware Hostage Rescue Manual

Get the latest about social engineering

Subscribe to CyberheistNews