Last week, the FBI, via its Internet Crime Complaint Center (IC3), announced some astounding numbers, worse than ransomware.
There has been a 270 percent spike in victims and cash losses from a skyrocketing scam in which cybercriminals spoof emails from executives at a victim organization to trigger unauthorized international wire transfers.
According to the new FBI report, thieves stole nearly 750 million dollars in such scams from more than 7,000 victim companies in the U.S. between October 2013 and August 2015.
In January 2015, the FBI released stats showing that between Oct. 1, 2013 and Dec. 1, 2014, some 1,198 companies lost a total of 179 million dollars in business email compromise (BEC) scams, also known as "CEO fraud."
The new figures show an incredible 270 percent increase in identified victims and exposed losses. Taking international victims into account, the losses from BEC scams total more than 1.2 billion dollars, according to the FBI. Here is the link: http://www.ic3.gov/media/2015/150827-2.aspx
There is a clear pattern you need to watch out for. It often begins with the scammers phishing an executive, dropping a Trojan, and gaining 24/7 access to that individual's inbox. They then research the organization and monitor the email account for months until the right circumstances arrive (for instance, the CEO being out of town), and then they pounce. They send messages to employees in accounting that appear to come from the CEO, either by spoofing the CEO's address outright or by sending from a look-alike domain name that is one or two letters off from the target company's true domain name.
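The look-alike-domain trick described above is cheap to catch at the mail gateway. The following is an added example, not code from the newsletter or from KnowBe4: it computes the edit distance between an inbound sender's domain and the organization's own domain and flags anything one or two edits away, and it also flags mail whose display name matches a protected executive while the address is external. The corporate domain, executive names and sample From: headers are all constructed for the example.

```python
# Added example (not from the newsletter): flag inbound mail whose sender
# domain is a look-alike of our own, or whose display name claims to be an
# executive while the address is external. Domain and names are assumed.
import re
from typing import Optional, Tuple

OUR_DOMAIN = "examplecorp.com"           # assumed corporate domain
EXECUTIVES = {"jane doe", "john roe"}    # assumed display names to protect


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute) in O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


# Accepts 'addr@dom', 'Name <addr@dom>' and '"Name" <addr@dom>'.
FROM_RE = re.compile(r'^\s*(?:"?([^"<]*?)"?\s*)?<?([^<>\s@]+@([^<>\s@]+))>?\s*$')


def parse_from(header: str) -> Tuple[str, str, str]:
    """Return (display_name, address, domain), lower-cased, from a From: value."""
    m = FROM_RE.match(header)
    if not m:
        raise ValueError(f"unparseable From header: {header!r}")
    name, addr, domain = m.groups()
    return (name or "").strip().lower(), addr.lower(), domain.lower()


def classify_sender(from_header: str, our_domain: str = OUR_DOMAIN,
                    executives=EXECUTIVES, max_dist: int = 2) -> Optional[str]:
    """Return a reason string if the sender looks like a BEC attempt, else None."""
    name, addr, domain = parse_from(from_header)
    if domain == our_domain:
        # Genuine internal address as far as the header goes; header spoofing
        # of our own domain is left to SPF/DKIM/DMARC, not to this check.
        return None
    dist = levenshtein(domain, our_domain)
    if 0 < dist <= max_dist:
        return f"look-alike domain {domain!r} (edit distance {dist} from {our_domain!r})"
    if name in executives:
        return f"executive display name {name!r} on external address {addr!r}"
    return None


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    samples = [
        "jane.doe@examplecorp.com",
        '"Jane Doe" <jane.doe@examplecorp.co>',      # one letter dropped
        "Jane Doe <jane.doe@examp1ecorp.com>",       # l -> 1 substitution
        "John Roe <jroe@gmail.com>",                 # exec name, webmail address
        "Vendor Billing <ap@vendor-example.net>",    # ordinary external sender
    ]
    for s in samples:
        print(f"{s:45s} -> {classify_sender(s) or 'ok'}")
```

This is a header-only check: it says nothing about mail that genuinely comes from the real corporate domain, which is where SPF, DKIM and DMARC do the work. In practice you would also maintain an allow-list for legitimate partner domains that happen to sit within two edits of your own.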
Why worse than ransomware?
Normally the ransom is about 500 dollars. The FBI's numbers, however, indicate that the average loss for a BEC victim is a whopping 100,000 dollars, and some losses are much higher: earlier this month, tech firm Ubiquiti Networks disclosed in a quarterly financial report that it had taken a 46.7 million dollar hit because of a BEC scam.
We have noticed that this scam is filtering down to the consumer level. People who are in the process of buying a house and need to transfer a sizable down payment receive an email that appears to come from their lawyer or realtor, instructing them to wire the down payment to a certain bank account. When they call the next day to check whether the money has arrived, the lawyer tells them no transfer request was ever sent, but the money is already gone. The same scam is run with spoofed emails from financial brokers.
What you can do about it:
Alert all your employees, from the board level down to the mail room. These scams are getting more sophisticated by the month, so be on the lookout.
Have a dual-step process in place for bank wires: every wire request, and every change to payment instructions, is verified by phone with a trusted party, using a phone number you already have on file rather than one taken from the email.
Send this email to all your users, friends and family. Edit if you want:
"Criminals on the Internet have cooked up a new scam. They get you to click on a phishing link and stealthily look at what happens on your computer. Specifically they monitor your email. When it looks like your CEO is out of town, the bad guys send emails that look like they come from the CEO, with urgent requests to wire a large amount of money. Organizations that were tricked by this have lost hundreds of thousands of dollars.
Recently, this scam has filtered down to the consumer level. The FBI calls this an Email Account Compromise (EAC). At this very moment, bad guys could be looking at your email and patiently waiting until the time is right. Be very careful when you make any large bank transfers, for instance when buying a house or putting money into investment accounts. ALWAYS, ALWAYS, ALWAYS initiate contact with the other party by phone and verify that the transfer instructions are correct before you transfer the money."
Obviously all your employees need to be stepped through effective security awareness training to prevent social engineering attacks like this from getting through. Find out how affordable this is for your organization today. http://info.knowbe4.com/kmsat_get_a_quote_now
Just 1% Of Employees Are Responsible For 75% Cloud Security Risks
Just 1 percent of employees are responsible for 75 percent of cloud-related enterprise security risks, and companies can dramatically reduce their exposure at very little additional cost by paying extra attention to these users.
According to newly released research by CloudLock, which analyzed the behavior of 10 million users during the second quarter of this year, that 1 percent are sending out plain-text passwords, sharing files, accidentally downloading malware, clicking on phishing links, using risky applications, reusing passwords, and engaging in other dangerous behaviors.
Report: Phishing Costs Average Organization 3.7M Per Year
If you extrapolate the total annual cost of phishing for the average organization, it comes to more than 3.7 million dollars. With the right security awareness training you could shave 1.8 million dollars off that, according to a new report.
More than 375 IT and IT security practitioners in U.S. organizations were surveyed in "The Cost of Phishing & Value of Employee Training", which was conducted by Ponemon Institute and sponsored by our friends at Wombat Security Technologies.
Fill out this quick Docker survey and get entered to win a 100 dollars gift certificate from Amazon. These are friends of ours and good people: https://goo.gl/2cexTN
Warm Regards, Stu Sjouwerman
Quotes Of The Week
"In dwelling, live close to the ground. In thinking, keep to the simple. In conflict, be fair and generous. In governing, don't try to control. In work, do what you enjoy. In family life, be completely present." - Lao Tzu (Philosopher - 6th century BC)
"True happiness comes from the joy of deeds well done, the zest of creating things new." - Antoine de Saint-Exupéry - Writer (1900 - 1944)
Tehran's hackers are getting trickier and finding new ways to get into your Gmail, using social engineering. Learn how this sophisticated phishing attack gets around Google's two-step verification system.
The Citizen Lab’s John Scott-Railton and Katie Kleemola explained a new way that Iranian hackers can compromise the accounts of political dissidents, or basically anyone. High-end hacking gangs will use this trick as well for Business Email Compromise attacks.
"Their targets are political, and include Iranian activists, and even a director at the Electronic Frontier Foundation," said Scott-Railton. "In some cases they even pretend to be Reuters journalists calling to set up interviews."
It's obvious that attacks on political targets are not new. Neither are attacks on two-factor authentication (2FA), though until now they have been relatively few and far between. What you can count on is that this methodology is going to spread massively, and that you need to train users not to fall for it if you use Gmail as your corporate email platform. Here are the details: https://citizenlab.org/2015/08/iran_two_factor_phishing/
IBM: Corporations Could Be The Next Target For Ransomware Attacks
Doug Olenick at SC Magazine reported on something noteworthy: "The growing threat posed by ransomware and the possibility that cybercriminals will graduate from extorting end users to large corporations topped the worry list of IBM's X-Force threat team in its Q3 threat intelligence report.
The 'August 2015 IBM Security IBM X-Force Threat Intelligence Quarterly, 3Q 2015,' issued Monday, included a look at an increasing number of attacks coming from the dark web that employ Tor to steal intellectual property."
Target Agrees To Pay Visa 67 Million Dollars For 2013 Data Breach
On Tuesday, Target and Visa confirmed that they had reached a settlement in which Target would pay up to 67 million dollars to Visa card issuers for a security breach in 2013 that left 40 million customer credit card numbers compromised. Visa brokered the deal and will pass the award on to the card issuers that work within its network.
The settlement deal is considerably larger than the 19 million dollar settlement that Target reached with MasterCard earlier in the proceedings. That settlement was not approved because MasterCard issuers rejected it as too low. The Wall Street Journal reports that Target's deal with Visa is much more likely to succeed this time around because the agreement has "already received support from Visa's largest card issuers."
Extortionists and insiders operating as criminal "free agents" have emerged as the top two cybercrime threats to banking institutions, says financial fraud expert Avivah Litan, an analyst for the consultancy Gartner.
"Cyber-extortion is probably the hottest trend of 2015," she explains in an exclusive interview with Information Security Media Group. A gang known as DD4BC, which stands for DDoS for Bitcoin, has been targeting leading banking institutions with ransom schemes that blend malware and distributed denial-of-service attacks, Litan says.