CyberheistNews Vol 5 #24 Scam Of The Week: Resume Ransomware & The Truth About The OPMgate Hack

CyberheistNews Vol 5 #24 June 16, 2015

Scam Of The Week: Resume Ransomware

The SANS InfoSec Forums noted that since Monday May 25th new CryptoWall 3.0 ransomware attacks started, using both malicious spam and the Angler exploit kit (EK). The attack wave has increased significantly since Monday June 8th, and the use of the Angler EK appears to have started around the same time.

Both campaigns are active as of Friday June 12th. SANS published a flow chart that shows the path to infection, and you can see it at our blog:
http://blog.knowbe4.com/annoying-new-ransomware-attack-uses-girl-resumes

I would send an email like the following to your friends and employees; edit it as you see fit:

"Warning: there is a ransomware phishing attack going on which uses attachments with fake girl resumes, and this attack also uses compromised websites to infect your computer.

Do NOT open any attachments that look anything like a zipped resume, and be careful not to go to unknown websites. Make sure that all the applications on your computer are up to date. (For friends and family you could add that they can go to Secunia to download the free Secunia PSI, which scans for old versions of software that need to be updated.)"

http://secunia.com/vulnerability_scanning/personal/
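As an added illustration (not part of the newsletter or of any KnowBe4 product), here is a small Python check that a mail-gateway script could run over an incoming message to flag the pattern described above: a zipped "resume" attachment, or any zip attachment that hides an executable. The sample message is constructed inline and is not a real capture.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# File types that have no business inside a "resume" archive.
EXECUTABLE_EXTS = (".exe", ".scr", ".js", ".vbs", ".cmd", ".bat", ".jar")


def attachment_findings(raw_message: bytes) -> list:
    """Return (attachment_name, reason) pairs for attachments matching the
    resume-ransomware pattern. An empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(".zip") and "resume" in name:
            findings.append((name, "zipped resume attachment"))
        if payload.startswith(b"PK"):  # zip magic bytes, whatever the extension
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for inner in zf.namelist():
                        if inner.lower().endswith(EXECUTABLE_EXTS):
                            findings.append((name, f"archive contains executable {inner}"))
            except zipfile.BadZipFile:
                findings.append((name, "corrupt or disguised zip"))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample (not a real lure): a 'resume' zip wrapping a .scr file.
    The .scr content is placeholder text, not an executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resume.scr", b"placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["From"] = "applicant@example.com"
    msg["To"] = "hr@example.org"
    msg["Subject"] = "My resume"
    msg.set_content("Please see my attached resume.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="my_resume.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in attachment_findings(build_sample_message()):
        print(f"FLAG {name}: {reason}")
```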

It's important to inoculate your users against this new infection tactic. There is a new template that was shared to the community templates, in a new category called Ransomware. Go to Phishing -> Email Templates -> Community Templates -> Ransomware and choose "Resume". Use that to send to all your users sooner rather than later.

By the way, if you created a template yourself that turned out to be very successful (high Phish-prone percentage), you can share it with your peers in the Community Templates section.

BREAKING NEWS - LastPass Hacked

There was no time to get this into the newsletter just before publishing deadlines, but here is a blog post with what happened and what you can do about it:

http://blog.knowbe4.com/lastpass-hacked-be-alert-for-phishing-attacks

The Truth About The Massive OPMgate Hacking Scandal

The recent U.S. Government Office of Personnel Management hack is getting worse by the day. Saturday's Wall Street Journal revealed that, apart from more than 4 million personal records including SSNs, their security clearance database has now also been exfiltrated.

The two security clearance forms, known as Standard Forms 85 and 86, contain extensive information about family members, mental health, drug use, police records and credit history, and lists of foreign contacts -- people that a person might know abroad. These forms hold more data than a mortgage application. Because of the unforgivable error that the data was not encrypted, this is now a full-blown scandal and deserves the hashtag OPMgate.

How Could This Happen?

Well, here is a bit of history. In early 2011 the Immigration & Customs Enforcement Agency (ICE), part of DHS, noticed a significant uptick in "mail infections and privacy spills" in its networks. It determined that the spike was due to ICE employees accessing their personal webmail accounts from office computers. ICE senior managers then terminated webmail access in September 2011 as a security precaution against hacking.

I would say that was the right thing to do, agreed? Not so fast. The American Federation of Government Employees filed a grievance with a federal arbitrator, claiming that any change in access to private email must first be collectively bargained with the union.

HUH? Yup.

ICE showed the arbitrator evidence of the keyloggers, Trojans and other malware that foreign intelligence services had been able to drop on government employee workstations through (spear) phishing attacks. However, the arbitrator dismissed ICE’s security arguments in a mere 75 words, stating that the law didn’t give federal agencies "exclusive discretion" to manage their IT systems; so ICE had to give the union a say. You can guess what happened. Today, many federal agencies allow personnel to check their webmail from their government workstations. Unconscionable.

Two Things To Do About It Now

If you have a security clearance, assume all your highly personal data is in the hands of the Chinese and might be used to gain leverage in a multitude of ways. The expression that the price of freedom is constant vigilance and willingness to fight back is truer than ever.

1. In an office environment, analyze the different types of data you have, determine the sensitivity levels of that data, and start encrypting your crown jewels both at rest and in flight ASAP. Make this a TOP priority.

2. Formulate and disseminate a security policy that forbids employees to check their webmail in the office. Explain why, and tell them they should use their smartphone for that. Block webmail portals in your firewalls and/or other network edge devices. There are lists of webmail domains available that you can copy and paste.
And oh, stepping all employees through new-school security awareness training would not hurt either. That way they will truly understand why security policies are put in place. Find out how affordable this is for your organization. Ask for a quote here and you will be pleasantly surprised:
http://info.knowbe4.com/kmsat_get_a_quote_now

Warm Regards,
Stu Sjouwerman
feedback@knowbe4.com

Quotes Of The Week

"The truth is like a lion. You don't have to defend it. Let it loose. It will defend itself." - St. Augustine

"Three things cannot be long hidden: the sun, the moon, and the truth." - Buddha

Thanks for reading CyberheistNews!

Security News

Compliance In Half The Time At Half The Cost

I'm sure you will agree, compliance has become a major headache. It is a HUGE burden on already limited IT resources. Yearly audits have become major projects. They are expensive in both dollars and your IT staff time.

Imagine an environment in which your organization is completely compliant 24/7/365. We have a new product, KnowBe4 Compliance Manager (KCM), that can help you to achieve that state. It is an IT compliance workflow automation tool that allows you to:

• Manage all of your specific regulatory requirements in one location (PCI-DSS, HIPAA, GLBA, SOX, etc.).

• Eliminate duplication of effort.

• Assign the Directly Responsible Individual (DRI) for a control.

• Direct your auditors to one location for evidence that compliance controls are in place and up to date.

New Features:

• Auditor Role: your auditor can log in remotely and save you billable hours.

• Manager Approvals: each Control can now be assigned a responsible user and a responsible manager.

• Each Control can now have a level of evidence required in order for it to be submitted to the approving manager.

Go to this link for more info and to request a web demo:
http://info.knowbe4.com/_kcm_pci_30-0

10 Highest-Paying IT Security Jobs

High-profile security breaches, data loss and the need for companies to safeguard themselves against attacks are driving salaries for IT security specialists through the roof. Here are the 10 highest-paying security roles, including a good short description of what each of these jobs is responsible for.

Interesting slide show over at the CSO site. Check it out, holy schmoly these salaries are high. Problem is, most of these jobs are in areas that are extremely expensive and have major traffic problems. You can make oodles of money, but prepare not to have a life and to be permanently short of sleep:
http://www.csoonline.com/article/2933416/infosec-careers/10-highest-paying-it-security-jobs.html?

Gone Phishing: How I Taught My Users To Stop Clicking Everything

Familiar with SpiceWorks? It's the world's largest IT Admin community. One user wrote the 392nd entry in their Spotlight on IT. This is the story. There is a link at the end to the comments, which are a must-read too.

"We have a problem in our company: people click on EVERYTHING. A file isn’t opening? Keep clicking on it. A web page isn’t loading? Click on it a few dozen times. An email comes in from a sender you don’t recognize? Better click on the links to see what’s in them.

During 2014, we started getting pounded with a ton of spam messages. Luckily our Barracuda Spam Firewall caught most of them, but we were getting upwards of 3,000–5,000 spam messages per day when previously we were getting 600–800 or less. This wave of spam was fairly constant throughout most of the year, and as a result more spam messages were making their way through the filter — which meant more malicious emails were making their way into users’ mailboxes.

By Q3, we’d had around 80 malicious emails get through our spam filter, some of which went to multiple users. A few CryptoLocker attachments got through, but luckily our AV caught them when users tried to open them.

At this point, I’d been begging my boss to let me do a phishing test. I first brought it up in late 2013 when I noticed our users’ habit of clicking everything, but I was shot down. He still wasn’t sold on the idea of doing a phishing test even after the spammy year 2014 was becoming.

Then it happened...

Read the story at our blog:
http://blog.knowbe4.com/gone-phishing-how-i-taught-my-users-to-stop-clicking-everything

Execs Oblivious To Security Threats: Survey

This is good ammo if you run into resistance when you ask for IT security budget. Send them a link to this article that reports on some recent surveys.

"Surveys conducted by two cybersecurity firms reveal that C-level overconfidence, uncertainty and inattentiveness in regards to network security and insider threats increase the potential for a breach at many organizations.

The Sunnyvale, Calif.-based cybersecurity analytics company RedSeal’s study uncovered a high level of confusion regarding security issues in the network infrastructure. Nearly 60% of the 350 C-level executives surveyed believe they can truthfully assure the board beyond a reasonable doubt that their organization is secure.

However, upon closer examination, the RedSeal study highlighted that less than a third of all respondents (32%) claim they have full visibility into their global network. On top of that, 86% of the respondents acknowledge gaps in their ability to see and understand what’s really happening inside the network.

At the same time, 79% admit they can’t effectively secure what they can’t see or understand. When asked if they “know for a fact that their network is currently under attack by hackers,” 29% said yes.

See the discrepancy? Read the article here:
http://www.cutimes.com/2015/06/11/execs-oblivious-to-security-threats-survey

Cyberheist 'FAVE' LINKS:
Copyright © 2014-2015 KnowBe4 LLC, All rights reserved.

Our mailing address is:  33 North Garden Ave. Suite 1200, Clearwater, Florida, 33755
