CyberheistNews Vol 5 #20 Adult Friend Finder Hack Is Nightmare Phishing Problem

Adult Friend Finder Hack Is Nightmare Phishing Problem

Guys, we have a real phishing problem with this Adult Friend Finder (AFF) hack. This particular adult site is one of the most heavily trafficked websites in the U.S. and has 40 million registered users. A rough guess is that 10% of your users may be very worried at this time that their sexual preferences and/or activities are going to come out. These end-users are a security breach waiting to happen. You may have heard about it, but in short, the story is that the AFF site owed $248,000 to someone, very likely an affiliate that was feeding them web traffic, and apparently AFF did not pay up. The affiliate had a hacker buddy who calls himself ROR[RG] and this guy decided to teach AFF a lesson.

He hacked them, exfiltrated at least 4 million records and then sent them a ransom demand of $100,000 to return the data. Again, apparently AFF did not pay up and ROR[RG] in retaliation posted these records on a Darknet Tor site loaded with a ton of highly personal, sensitive information.

It includes their age, sexual preferences, state, zip code, username, IP address, and if they are married or single, gay or straight, and are looking for a "cheating one night stand" or more let's call it unorthodox sexual activities. With a little bit of digging, these people are relatively easy to find. Bev Robb, who does malware and Dark Web research, wrote a blog post showing how easy it is.

FriendFinder Networks, a California-based company wrote that it had hired FireEye's forensics unit, Mandiant, to investigate along with Holland and Knight, a law firm, and a public relations company specializing in cybersecurity.

"We cannot speculate further about this issue, but rest assured, we pledge to take the appropriate steps needed to protect our customers if they are affected," it said. The company could not be reached for further comment. UK TV Channel 4 reported it first, and stated exposed email addresses are receiving a wave of spam. Here is their 4-minute segment.
https://www.channel4.com/news/adult-friendfinder-dating-hack-internet-dark-web

Here Is The Problem

Any of these 40 million registered users is now a target for a multitude of social engineering attacks. Just one example: you can imagine that a man married to a woman but who is hunting down gay hookups on the side could easily be blackmailed or receive a spear phishing email with a poisoned link that infects his workstation.

People that have extramarital affairs can be made to click on links in emails that threaten to out them. I can already see the phishing emails that claim people can go to a website to find out if their private data has been released. This is a nightmare that will be exploited by spammers, phishers and blackmailers who are now gleefully rubbing their hands.

Mass media has jumped on this, the news of this hack is on CNN, NBC, you name it. If any of your users has registered on AFF, they have probably heard about it and are worried. This is a nightmare phishing scenario. Jilted spouses, divorce attorneys and private investigators are undoubtedly already pouring over the data.

What To Do About It

This is not an easy one. I suggest you take immediate preventive action. It only takes one second for a worried end-user (or admin) to click on a link in an email and expose the network to attackers. I suggest you send something like this to your friends, family and end-users. Feel free to edit:

"Last week, news broke that the Adult Friend Finder website was hacked. This is a one of the top adult website for people that want casual encounters, possibly cheating on their spouse. The site has 40 million registered users, and millions of these records are now out in the open, exposing highly sensitive personal information. Internet criminals are going to exploit this in many ways, sending spam, phishing and possibly blackmail messages, using social engineering tactics to make people click on links or open infected attachments. Be on the lookout for threatening messages like this that slip through and delete them immediately."

As you can see, stepping your users through effective security awareness training is an absolute must these days. For KnowBe4 customers, we have a new Social Networking template that lures people into clicking on a link to the "haveibeenpwned" website to see if their personal sensitive information was hacked. The subject of the template is "Hey, has your Adult Friend Finder secret come out?"

PS: If you have not done so already, find out how affordable Kevin Mitnick Security Awareness Training is, and be pleasantly surprised:
https://info.knowbe4.com/kmsat_get_a_quote_now

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"Fidelity is the sister of justice." - Horace

"I told my wife the truth. I told her I was seeing a psychiatrist. Then she told me the truth: that she was seeing a psychiatrist, two plumbers, and a bartender." - Rodney Dangerfield

Thanks for reading CyberheistNews!

Security News

What Our Customers Say About Us

"Everything is going great! We got the training integrated into our LMS so everyone is taking it right along all our other required training. Even with a brisk employee turnover, our click rate runs between 0 and 4% depending on how many new employees are here “pre-training.”

"We receive genuine phishing emails from time to time (email security can’t catch them all) and they are quickly detected and promptly reported thanks to the training. I have recommended your security training and phishing exercises to a number of colleagues, and some of them followed up with a purchase.

"Many in my banking security peer group use and recommend you. Nice work, you guys!" - P.J. CISSP, Information Security Officer

InfoWorld's security guru Roger Grimes writes about KnowBe4's integrated training and phishing platform. Check out this article:
https://www.infoworld.com/article/2920804/security/get-real-about-user-security-training.html

This Week's Five Most Popular HackBusters Posts

What are IT security people talking about? Here are this week's five most popular hackbusters posts:

Spy Agencies Hijack Google Play Store to Install Spyware on Smartphones
https://www.hackbusters.com/news/stories/326697-spy-agencies-hijack-google-play-store-to-install-spyware-on-smartphones
NetUSB Driver Flaw Exposes Millions of Routers to Hacking
https://www.hackbusters.com/news/stories/325860-netusb-driver-flaw-exposes-millions-of-routers-to-hacking
Who Really Invented Bitcoin?
https://www.hackbusters.com/news/stories/323830-who-really-invented-bitcoin
Anti-NSA Pranksters Planted Tape Recorders Across New York and Published Your Conversations
https://www.hackbusters.com/news/stories/325983-anti-nsa-pranksters-planted-tape-recorders-across-new-york-and-published-your-conversations
Free Ransomware Decryption and Malware Removal ToolKit
https://www.hackbusters.com/news/stories/326769-free-ransomware-decryption-and-malware-removal-toolkit

Why Isn't User Training A Security Priority?

Only about half of companies offer any kind of security training, a CompTIA survey found. End users are widely seen as a weak link in the enterprise security chain. More than 80 percent of respondents to a QuinStreet Enterprise survey tapped end users as a top security risk for their organizations.

Craig Williams, security outreach manager for Cisco's Talos Security Intelligence and Research Group, said end users working outside the confines of corporate networks are a key entry point for attackers launching malvertising attacks.

"Attackers notice when machines are not up-to-date. They can find one that is not following security best practices and then embed a link so you have a landing page hosting a drive-by download attack. Then they use social engineering to trick users to look at that page, serve up some malware, and you are compromised," he said in an interview with eSecurity Planet earlier this year.

Despite this, however, recent research by IT trade association CompTIA found that just 54 percent of companies offer any kind of security training, with most doing so during employee onboarding. When CompTIA asked companies it surveyed why they did not offer security training to employees, "the biggest reason was there was no reason," said Seth Robinson, senior director of technology analysis at CompTIA. Read the full article at:
https://www.esecurityplanet.com/network-security/why-isnt-user-training-a-security-priority.html

Researchers Observe SVG Files Being Used To Distribute Ransomware

Researchers with AppRiver have observed attackers sending out phishing emails with SVG files attached – these files, when downloaded and executed, open up websites that download what appears to be CryptoWall ransomware.

AppRiver observed thousands of phishing emails – one was sent from a Yahoo address and claimed to include a resume – being sent to small stores, law offices, IT businesses, schools and more, Jon French, security analyst with AppRiver, told SCMagazine.com in a Thursday email correspondence.

In order for an infection to occur, user interaction is required more than once, French indicated. First, a user must download the ZIP attachment in the phishing email, which contains the SVG file. When the user opens the SVG file, a small JavaScript entry will cause their browser to open to a website that leads to another ZIP file being downloaded. This file contains the payload, which must be manually executed.

When downloaded and executed, the SVG files cause websites to open up that download what appears to be CryptoWall ransomware. Read the full article here:
https://www.scmagazine.com/svg-files-attached-to-phishing-emails-distribute-what-is-apparently-cryptowall-ransomware/article/416143/

Study: Employees Acknowledge Risky Security Behavior, Continue To Do It

While most people acknowledge the security risks of opening an email from an unknown sender or downloading an app from an unauthorized app store, many continue to engage in this risky behavior.

A new study from Blue Coat Systems found that 82 percent of U.S. employees knew that opening an email from an unverified source is considered “very risky;” however, 17 percent still admitted to doing so. This 17 percent could be mostly composed of people who weren't aware that this behavior put their systems at-risk, said Hugh Thompson, CTO and senior vice president, Blue Coat, in an interview with SCMagazine.com, although the survey did not relate the two questions.

Even still, Thompson suggested that those knowledgeable of the risk could be opening emails from unknown senders because, in reality, phishing emails are becoming trickier, and their perpetrators are personalizing attacks.

Thompson went on to say that everyone has a weak spot that could entice them to open an email, such as a favorite sports team, for example, and with social media making this information readily available, creating a convincing email isn't too difficult a task.

Considering that of the 250 U.S. respondents to Blue Coat's survey half of whom were at the CIO level, even IT security pros fall victim to various attacks.

“We do live in a time when anyone can be deceived,” Thompson said. “Anyone can be phished, even the most paranoid.” Article at SC Mag:
https://www.scmagazine.com/blue-coat-system-conducts-security-survey/article/415611/

How Employee Training Can Affect The Organization

Employee training and awareness programs will have a huge effect on covered entities, according to all three healthcare leaders. With anything from phishing scams to sophisticated cyber attacks putting health data at risk, it’s important for staff members to have a comprehensive idea of what type of malicious activity to be on alert for.

“The trick is, how do we balance that with everything else that’s required for [employees] to keep up their practices and actually what they need to do: treat patients,” Ewell said.

Not only is employee training critical, according to Sah, employee training at all levels is necessary. Everyone from senior level to contributors to those affiliated with a covered entity’s partners and vendors must have an understanding of proper health data security.

“All can fail if people are not aware,” Sah said. “And they need to be aware in a way that when they see malicious activity or they see something abnormal, that they have the awareness, knowledge, and know-how to take the next step of action.”

For example, if an employee sees what they think might be a phishing email, it’s essential to not only recognize it as malicious activity, but to then take the next step and notify the necessary personnel. That will better help the organization respond to the issue, Sah explained.

“A single person who is not aware can still cause a gap that can then be leveraged to create the types of threats or attacks we’ve seen,” said Sah. “[Employee training] is the most invaluable thing that any organization can do.” Full article at HealthIT Security:
https://healthitsecurity.com/news/important-lessons-for-health-data-privacy-security-in-2015