AshleyMadison: Second Nightmare Phishing Problem
Again, we have a nightmare phishing scenario, this time with the brand new AshleyMadison (AM) hack. A few months ago, the Adult Friend Finder (AFF) website was hacked, and now their biggest competitor has been hit.
AM is one of the most heavily-trafficked websites in the U.S. and has 37 million registered users, though some of them will overlap with AFF. A rough guess is that 10% of your users may be very worried at this time that their sexual preferences and/or activities are going to come out. These end-users are a security breach waiting to happen.
Large caches of data stolen from online cheating site AshleyMadison.com have been posted online by an individual or group that claims to have completely compromised the company’s user databases, financial records and other proprietary information. The still-unfolding leak could be quite damaging to the users of the hookup service, whose slogan is “Life is short. Have an affair.”
The data released by the hacker or hackers — which go by the name The Impact Team — includes sensitive internal data stolen from Avid Life Media (ALM), the Toronto-based firm that owns AshleyMadison as well as related hookup sites Cougar Life and Established Men.
Here Is The Problem
Any of these 37 million registered users is now a target for a multitude of social engineering attacks. Just one example: you can imagine that a man married to a woman but who is hunting down gay hookups on the side could easily be blackmailed or receive a spear phishing email with a poisoned link that infects his workstation.
People who have extramarital affairs can be made to click on links in emails that threaten to out them. I already see the phishing emails that claim people can go to a website to find out if their private data has been released. This is a nightmare that will be exploited by spammers, phishers and blackmailers who are now gleefully rubbing their hands.
Mass media has not jumped on this yet, but you can count on this breaking news hitting the press big time. If any of your users has registered on AM, they are going to be worried about it. This is a nightmare phishing scenario. Jilted spouses, divorce attorneys and private investigators are undoubtedly already going to pore over the data.
What To Do About It
I suggest that, again, you take immediate preventive action. It only takes one second for a worried end-user (or admin) to click on a link in an email and expose the network to attackers. I recommend you send something like this to your friends, family and end-users. Feel free to edit.
"A few months ago, news broke that the Adult Friend Finder website was hacked. Now it's AshleyMadison, their biggest competitor. These sites are for people who want to cheat on their spouse. The site has 37 million registered users, and these records are now out in the open, exposing highly sensitive personal information. Internet criminals are going to exploit this in many ways, sending spam, phishing and possibly blackmail messages, using social engineering tactics to make people click on links or open infected attachments. Be on the lookout for threatening messages like this that slip through and delete them immediately."
As you can see, stepping your users through effective security awareness training is an absolute must these days. For KnowBe4 customers, we have a new Social Networking template that lures people into clicking on a link to the "haveibeenpwned" website to see if their personal sensitive information was hacked. The subject of the template is "RE: Pictures from your Ashley Madison account were leaked".
I was interviewed on Channel 10 yesterday about this hack. You can see me and the new KnowBe4 office here: http://www.wtsp.com/story/news/local/2015/07/20/hackers-threaten-to-pull-covers-off-online-cheating-website/30432261/
Blackhat 2015 Survey: End-User Wins Easily As IT's #1 Big Worry
According to the new 2015 Black Hat Attendee Survey, nearly three quarters (73 percent) of top security professionals think it likely that their organizations will be hit with a major data breach in the next 12 months -- but they won't have enough time, money, or skilled staff to handle the crisis.
The survey polled some 460 infosec professionals, 61 percent of whom carry "security" as a full-time job title, and two thirds of whom carry a CISSP or other professional security credentials.
More than a third of the Black Hat survey respondents say that their time is consumed by addressing vulnerabilities in internally-developed software (35 percent) or in off-the-shelf software (33 percent). Meanwhile, their budgets are often consumed by compliance issues (25 percent) or sealing accidental leaks (26 percent), leaving them short of resources to fight the real threats. (One way to save half the time and half the cost of an audit is a compliance workflow automation tool like this very useful compliance manager: http://info.knowbe4.com/knowbe4-compliance-manager_lp_14-04-15 )
Nearly a third (31 percent) of Black Hat attendees cited end users as the weakest link in the security chain. "The biggest roadblock I have is a lack of cultural importance on security," said one survey respondent. Here are the survey results, and the #1 problem that needs to be managed is: "End users who violate security policy and are too easily fooled by social engineering attacks".
See the graph with all tabulated answers on the "Weakest Link in IT Defenses" http://blog.knowbe4.com/blackhat-2015-survey-end-user-wins-easily-as-its-big-worry
Turn Your Weakest Link Into Your Strongest Security Asset
Here is a quote from an article in the WSJ CIO Report by Steve Rosenbush: "In The Art of War, Sun Tzu writes, the message is that one should 'avoid what is strong and … strike at what is weak.' In cyberwar the weak are often your users. Good, smart workers are conscripted by hackers after being lured into opening an email attachment or following a dangerous link. Companies need to better balance security tech investments and the education and engagement of the workforce. By involving the workers in designing the security policies, the firms generate buy-in and support."
That is a good tip. Get buy-in for your awareness training program by surveying your users for input on things they observe as security weaknesses and include these in the program, for instance as emailed Security Hints & Tips.
New TeslaCrypt's Shrewd Disguise as CryptoWall
Security researcher Fedor Sinitsyn reported on the new TeslaCrypt V2.0. This family of ransomware is relatively new; it was first detected in February 2015. It's been dubbed the "curse" of computer gamers because it targets many game-related file types. The attackers are focusing on the U.S. and Germany using malvertising, which had record highs in June - more than in all the previous months this year combined.
The malvertising (malicious ads on large sites like Yahoo, Drudge, CBSSports and HuffPost) is paid for with stolen credit cards. This is very hard to defend against. See the heat map on our blog, more technical details about how it attacks and suggestions about what you can do about it: http://blog.knowbe4.com/new-teslacrypts-shrewd-disguise-as-cryptowall
Warm Regards, Stu Sjouwerman
"Progress is impossible without change, and those who cannot change their minds cannot change anything." - George Bernard Shaw
"Do not go where the path may lead; Go instead where there is no path and leave a trail." - Ralph Waldo Emerson
"Most people spend more time and energy going around problems than trying to solve them." - Henry Ford
Thanks for reading CyberheistNews!
A New Ransomware Hostage Rescue Manual
Get this informative and complete hostage rescue manual on ransomware. The 20-page manual is packed with actionable info on how to prevent infections and what to do when you are hit with ransomware. You also get a Ransomware Attack Response Checklist and a Ransomware Prevention Checklist.
You will learn more about:
- What is Ransomware?
- Am I Infected?
- I’m Infected, Now What?
- Protecting Yourself in the Future
- Resources
Don’t be taken hostage by ransomware. Download now and forward/share it with your friends; this is good stuff: http://info.knowbe4.com/ransomware-hostage-rescue-manual-0
Or, read the article in BetaNews first, and then download: http://betanews.com/2015/07/10/how-to-protect-yourself-against-ransomware/
This Week's Five Most Popular HackBusters Posts
Poor Communication Can Cost You 52,140.60 Dollars
Marcin Kleczynski, CEO of Malwarebytes, posted this blog post a few days ago. Read it and forward it to your own CEO.
"Over the weekend, I received several cryptic e-mails from my CFO, Mark Harris, asking if I had approved the wire template for “the wire I had requested.” We were in the process of making a few wire transfers on Monday but I had already approved those and communicated that to him. He repeated the question a few times, but I still didn’t think anything of it.
He asked me again in person this morning. That’s when I started to dig in." Check out what he found: Sophisticated Social Engineering: http://blog.kleczynski.com/2015/07/poor-communication-can-cost-you-52140-60/
You Asked For Training Campaigns And We Built Them For You
By far the most requested feature in the KnowBe4 console was Training Campaigns. We're excited to tell you they are here now, in version 5.2 of your console. When it comes to rolling out training for your users, this feature does the heavy lifting for you, saving time and effort associated with setup and chasing down users who need to finish their training for compliance purposes. Keep on reading for one really cool feature.
The new Training Campaigns provide Learning Management System functionality which gives you an easy way to manage your security awareness training while providing sophisticated reporting. Training Campaigns allow you to create ongoing or deadline-based training campaigns for your employees. These campaigns can contain any or all of the courses and limit course availability by group.
Training Campaigns can be set up to automatically send e-mail invitations and signup links to users, prompting them (at various intervals) to complete training by a specified time-frame. This functionality also allows you to train a group of users in a classroom setting and pass them all at once.
Key features of Training Campaigns allow you to:
- Create ongoing (permanent) training campaigns for an organization
- Set up campaigns with a specified deadline for training completion
- Limit course availability for various groups of users
- Automatically send enrollment emails to any number of users, inviting them to take the training
- Automatically send follow up emails to nudge users who have yet to complete the training
- Pass multiple users at once for group training environments
- Auto-enroll new users who are added to a group or company (invite via email)
- Customize email notification templates for enrollments and follow-up
The training campaign dashboard also lets you monitor a campaign’s status, completion percentage, and every individual’s progress at a glance. Additionally, campaigns can be extended past their initial deadline, and the number of active campaigns is unlimited.
And here is the one really cool feature:
- Point-of-failure training auto-enrollment
With this, you can quickly set things up so that when anyone clicks on a Phishing Security Test URL they get automatically enrolled in a remedial campaign. They get an email right away that tells them to take an awareness training module, and it nudges them along until they have done it. All fully automated. Look ma, no hands. Want to see this in a one-on-one demo?
Fill out the form and we'll get you scheduled: http://info.knowbe4.com/one-on-one-demo-new-training-campaigns
This Week's Links We Like. Tips, Hints And Fun Stuff.
- Shin Lim performs magic in a way that is beyond anything you have ever seen before. This is quite something:
http://www.flixxy.com/shin-lims-incredible-magic-fools-penn-and-teller.htm?utm_source=4
- 6,900 feet above the ground, Paul Steiner exits the cockpit, walks on the wing and then transfers from one sailplane to the other. No belts, no tricks.
http://www.flixxy.com/skydiver-moves-between-2-sailplanes.htm?utm_source=4
- While we are in the sky, Turkish test pilot Murat Keles performs an impressive takeoff, reaching an altitude of 15,000 feet in 45 seconds in a General Dynamics F-16B Falcon jet fighter:
http://www.flixxy.com/15000-feet-altitude-in-45-seconds.htm?utm_source=4
- Third clip about the sky out of the archives. F15 pilot flies with one wing after an accident:
http://www.flixxy.com/pilot-lands-jet-airplane-with-one-wing.htm?utm_source=4
- And now way up, Pluto has mountains made of ice that are as high as those in the Rockies, images from the New Horizons probe have revealed:
http://www.flixxy.com/new-horizons-images-reveal-ice-mountains-on-pluto.htm?utm_source=4
- Obi Wan Kenobi buys a used car... 'A long time ago, I had a Ford Galaxy, far far away...'
http://www.flixxy.com/obi-wan-kenobi-used-car.htm?utm_source=4
- Piff the Magic Dragon: Comedic Magician steals a kiss from Heidi Klum and gets the Golden Buzzer from Neil Patrick Harris, earning a spot at Radio City Music Hall. Hilarious:
http://www.flixxy.com/piff-the-magic-dragon-comedic-magician-americas-got-talent-2015.htm?utm_source=4
- Interesting video with Jeff Bezos showing a multi-billion dollar company in its infancy. Amazon 20 years ago:
http://www.cnet.com/news/rare-early-footage-of-amazons-jeff-bezos/
- It's summer time, break out a good book. Here are the top 10 books about spies:
http://www.theguardian.com/books/2015/jul/15/top-10-books-about-spies-stephen-grey
- This video disproves the idea that cats are stubborn, self-willed and anti-authoritarian creatures who only do whatever they want. Awesome cat:
http://www.flixxy.com/whatever-dogs-can-do-cats-can-do-too.htm?utm_source=4