CyberheistNews Vol #5 #37 Scam Of The Week: Business Email Compromise

CyberheistNews Vol 5 #37 Sept 1, 2015

Scam Of The Week: Business Email Compromise

Last week, the FBI via their Internet Crime Complaint Center announced some astounding numbers, worse than ransomware.

There is a 270 percent spike in victims and cash losses caused by a skyrocketing scam in which cyber criminals spoof emails from executives at a victim organization in a bid to execute unauthorized international wire transfers.

According to the new FBI report, thieves stole nearly 750 million in such scams from more than 7,000 victim companies in the U.S. between October 2013 and August 2015.

In January 2015, the FBI released stats showing that between Oct. 1, 2013 and Dec. 1, 2014, some 1,198 companies lost a total of 179 million in business e-mail compromise (BEC) scams (also known as “CEO fraud”).

The figures show an incredible 270 percent increase in identified victims and exposed losses. Taking into account international victims, the losses from BEC scams total more than 1.2 billion dollars, according to the FBI. Here is the link:

There is a clear pattern you need to watch out for. It often begins with the scammers phishing an executive, dropping a Trojan, and gaining 24/7 access to that individual’s inbox. Then they research the organization and monitor the email account for months until the right circumstances arrive, and then they pounce. They spoof the CEO's address and send messages to employees in accounting from a look-alike domain name that is one or two letters off from the target company’s true domain name.
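The look-alike domain trick described above is something a mail gateway or a SOC script can catch mechanically. The following is an added example, not KnowBe4's code or any product described in this newsletter: it measures how many characters a sender's domain is away from the organization's real domain (after folding common visual substitutions such as "1" for "l" and "rn" for "m") and also flags a Reply-To domain that differs from the From domain, a second pattern BEC mail often relies on. The domain examplecorp.com, the substitution lists and the three sample messages are all constructed for the example.

```python
# Added example (not KnowBe4's code): flag inbound mail whose sender domain is a
# look-alike of the organization's real domain (one or two characters off, or
# using visually similar characters) and flag Reply-To/From domain mismatches.
# TRUE_DOMAIN, the substitution lists and the sample messages are constructed.
from email import message_from_string
from email.utils import parseaddr

TRUE_DOMAIN = "examplecorp.com"   # assumption: the organization's real domain
MAX_DISTANCE = 2                  # "one or two letters off"

# Single-character look-alikes (digit for letter), folded before comparison.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# Multi-character look-alikes, e.g. "rn" in a proportional font reads as "m".
MULTI_GLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalize(domain):
    """Lower-case a domain and fold common visual substitutions."""
    d = domain.strip().lower().translate(HOMOGLYPHS)
    for src, dst in MULTI_GLYPHS:
        d = d.replace(src, dst)
    return d


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) computed with two DP rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_domain(domain, true_domain=TRUE_DOMAIN):
    """'internal' for the real domain, 'lookalike' if within MAX_DISTANCE
    after folding homoglyphs, otherwise 'external'."""
    domain = domain.lower()
    if domain == true_domain:
        return "internal"
    if levenshtein(normalize(domain), normalize(true_domain)) <= MAX_DISTANCE:
        return "lookalike"
    return "external"


def sender_domain(header_value):
    """Extract the domain part of an address header such as From: or Reply-To:."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def analyze(raw_message):
    """Return verdicts for the From and Reply-To domains plus readable findings."""
    msg = message_from_string(raw_message)
    from_dom = sender_domain(msg.get("From"))
    reply_dom = sender_domain(msg.get("Reply-To")) or from_dom
    from_verdict = classify_domain(from_dom)
    reply_verdict = classify_domain(reply_dom)
    findings = []
    if from_verdict == "lookalike":
        findings.append(f"From domain {from_dom} is a look-alike of {TRUE_DOMAIN}")
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
        if reply_verdict == "lookalike":
            findings.append(f"Reply-To domain {reply_dom} is a look-alike of {TRUE_DOMAIN}")
    return {"from": from_verdict, "reply_to": reply_verdict,
            "suspicious": bool(findings), "findings": findings}


# Constructed sample messages (not real mail).
SAMPLE_LOOKALIKE = """\
From: "Pat CEO" <pat.ceo@examp1ecorp.com>
To: accounting@examplecorp.com
Subject: Urgent wire - confidential

Please process the attached wire today, I am travelling and cannot take calls.
"""

SAMPLE_REPLY_TO = """\
From: "Pat CEO" <pat.ceo@examplecorp.com>
Reply-To: pat.ceo@examplecorp-mail.com
To: accounting@examplecorp.com
Subject: Re: vendor payment

Send the confirmation to this address, my main inbox is down.
"""

SAMPLE_CLEAN = """\
From: "Pat CEO" <pat.ceo@examplecorp.com>
To: accounting@examplecorp.com
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for name, raw in [("lookalike", SAMPLE_LOOKALIKE),
                      ("reply-to", SAMPLE_REPLY_TO), ("clean", SAMPLE_CLEAN)]:
        print(name, analyze(raw))
```

The distance threshold is deliberately applied after homoglyph folding, so examp1ecorp.com and exarnplecorp.com both score as zero edits away from the real domain; a plain edit-distance check would still catch them at distance one or two, but folding makes the rule robust to longer substitutions. In production the same logic belongs in the mail gateway's header inspection, with a human verification step (the phone call the newsletter recommends) for anything flagged that requests a payment.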

Why worse than ransomware?

Normally the ransom is about 500 bucks. However, the FBI’s numbers indicate that the average loss for a BEC victim is a whopping 100,000 dollars. Some are much higher: earlier this month, tech firm Ubiquiti Networks disclosed in a quarterly financial report that it suffered a whopping 46.7 million hit because of a BEC scam.

We have noticed that this scam is filtering down to the consumer level. People who are in the process of buying a house and need to transfer a sizable down payment are receiving an email from their lawyer or realtor to transfer that down payment to a certain bank account. When they call the next day to check if the money has arrived, the lawyer tells them they did not send any transfer requests, but the money has disappeared in the meantime. The same scam is done with spoofed emails from financial brokers.

What you can do about it:

    1. Alert all your employees, from the board level down to the mail room. These scams are getting more sophisticated by the month, so be on the lookout.

    2. Grab this Social Engineering Red Flags PDF (free), print and laminate it, and give it to everyone.

    3. Have a dual-step process in place for bank wires, always verified by phone with trusted parties.

Send this email to all your users, friends and family. Edit if you want:

"Criminals on the Internet have cooked up a new scam. They get you to click on a phishing link and stealthily look at what happens on your computer. Specifically they monitor your email. When it looks like your CEO is out of town, the bad guys send emails that look like they come from the CEO, with urgent requests to wire a large amount of money. Organizations that were tricked by this have lost hundreds of thousands of dollars. 

Recently, this scam has filtered down to the consumer level. The FBI calls this an Email Account Compromise (EAC). At this very moment, bad guys could be looking at your email and patiently waiting until the time is right. Be very careful when you make any large bank transfers, for instance when buying a house or putting money into investment accounts. ALWAYS, ALWAYS, ALWAYS initiate contact with the other party by phone and verify that the transfer instructions are correct before you transfer the money."

Obviously all your employees need to be stepped through effective security awareness training to prevent social engineering attacks like this from getting through. Find out how affordable this is for your organization today.

Just 1% Of Employees Are Responsible For 75% Of Cloud Security Risks

Just 1 percent of employees are responsible for 75 percent of cloud-related enterprise security risks, and companies can dramatically reduce their exposure at very little additional cost by paying extra attention to these users.

According to newly released research by CloudLock, which analyzed the behavior of 10 million users during the second quarter of this year, these users are sending out plain-text passwords, sharing files, accidentally downloading malware, clicking on phishing links, using risky applications, reusing passwords, and engaging in other types of dangerous behaviors.

These users include both rank-and-file employees as well as super-privileged users, software architects, and non-human accounts used to perform automated tasks. Here is an interesting article on this over at CSO:

Report: Phishing Costs Average Organization 3.7M Per Year

If you extrapolate the total annual cost of phishing for the average organization, it comes to more than 3.7 million dollars. You could shave that down by 1.8 million though, with the right security awareness training, according to a new report.

More than 375 IT and IT security practitioners in U.S. organizations were surveyed in "The Cost of Phishing & Value of Employee Training", which was conducted by Ponemon Institute and sponsored by our friends at Wombat Security Technologies.

In a Wednesday email correspondence, Joe Ferrara, Wombat's president and CEO, told SC Mag that the biggest financial hit from these attacks comes from loss of productivity. Full story and links to the report at our Blog:

Are You In DevOps and/or Use Docker?

Fill out this quick Docker survey and get entered to win a 100 dollar gift certificate from Amazon. These are friends of ours and good people:

Warm Regards,
Stu Sjouwerman

Quotes Of The Week
"In dwelling, live close to the ground. In thinking, keep to the simple. In conflict, be fair and generous. In governing, don't try to control. In work, do what you enjoy. In family life, be completely present." - Lao Tzu (Philosopher - 6th century BC)

"True happiness comes from the joy of deeds well done, the zest of creating things new." - Antoine de Saint-Exupéry - Writer (1900 - 1944)

Thanks for reading CyberheistNews

Security News

This Week's Five Most Popular HackBusters Posts

    1. Apple will host next iPhone launch Sept. 9

    2. The Funk Awakens in Darth Punk 'Star Wars'/Daft Punk mashup

    3. Microsoft Releases Updates To Spy On Windows 7, 8 and 8.1 Users

    4. PayPal Vulnerability Allows Hackers to Steal All Your Money

    5. 'Star Trek Beyond' cast delivers touching tribute to Leonard Nimoy

Here’s How Iran Resets Your Gmail Password

Tehran’s hackers are getting trickier—and finding new ways to get into your Gmail, using social engineering. Learn how this sophisticated phishing attack gets around Google’s two-step verification system.

The Citizen Lab’s John Scott-Railton and Katie Kleemola explained a new way that Iranian hackers can compromise the accounts of political dissidents, or basically anyone. High-end hacking gangs will use this trick as well for Business Email Compromise attacks.

"Their targets are political, and include Iranian activists, and even a director at the Electronic Frontier Foundation," said Scott-Railton. "In some cases they even pretend to be Reuters journalists calling to set up interviews."

It's obvious that attacks on political targets are not new. Neither are two-factor authentication (2FA) attacks; they were relatively few and far between though. What you can count on now is that this methodology is going to go up massively, and that you need to train users not to fall for it if you use Gmail as your corporate email platform. Here are the details:

IBM: Corporations Could Be The Next Target For Ransomware Attacks

Doug Olenick at SC Magazine reported on something noteworthy: "The growing threat posed by ransomware and the possibility that cybercriminals will graduate from extorting end users to large corporations topped the worry list of IBM's X-Force threat team in its Q3 threat intelligence report.

The "August 2015 IBM Security IBM X-Force Threat Intelligence Quarterly, 3Q 2015," issued Monday, included a look at an increasing number of attacks coming from the dark web that employ Tor to steal intellectual property.

While ransomware has been a menace for years, John Kuhn, senior threat researcher, IBM Security X-Force, told it has progressed from attackers using simplistic scams, such as WinLocker, that simply annoyed people to well-organized attempts to steal money. More at our Blog:

Target Agrees To Pay Visa 67 Million Dollars For 2013 Data Breach

On Tuesday, Target and Visa confirmed that they had reached a settlement in which Target would pay up to 67 million dollars to Visa card issuers for a security breach in 2013 that left 40 million customer credit card numbers compromised. Visa brokered the deal and will pass the award on to the card issuers that work within its network.

The settlement deal is considerably larger than the 19M settlement that Target reached with MasterCard earlier in the proceedings. That settlement was not approved because MasterCard issuers rejected it for being too low. The Wall Street Journal reports that Target’s deal with Visa is much more likely to succeed this time around because the agreement had "already received support from Visa’s largest card issuers.”

A representative from JP Morgan Chase & Co. told Ars in an e-mail that the company was "pleased" with the settlement, but he would not go into detail about specifics. It also seems that Target is working on a new deal with MasterCard comparable to the one it cut with Visa. As you can see, these large hacks get extremely expensive, and now the FTC is going to pile on as well. More at Ars Technica:

Gartner's Avivah Litan: Top New Threats to Banks

Extortionists and insiders operating as criminal "free agents" have emerged as the top two cybercrime threats to banking institutions, says financial fraud expert Avivah Litan, an analyst for the consultancy Gartner.

"Cyber-extortion is probably the hottest trend of 2015," she explains during this exclusive interview with Information Security Media Group. A gang known as DD4BC, which stands for DDoS for Bitcoin, has been targeting leading banking institutions with ransom schemes that blend malware and distributed denial-of-service attacks, Litan says.

"They'll get malware on the network, extract information from files and then threaten to publish it," she says. "Then they wage a denial-of-service attack against the bank. So, this has been going on for a while, and banks are paying out." Link:

Copyright © 2014-2015 KnowBe4 LLC, All rights reserved.

Our mailing address is: 33 North Garden Ave Suite 1200, Clearwater, Florida, 33755