Scam Of The Week: Business Email Compromise
Last week, the FBI via their Internet Crime Complaint Center announced some astounding numbers, worse than ransomware.
There is a 270 percent spike in victims and cash losses caused by a skyrocketing scam in which cyber criminals spoof emails from executives at a victim organization in a bid to execute unauthorized international wire transfers.
According to the new FBI report, thieves stole nearly 750 million dollars in such scams from more than 7,000 victim companies in the U.S. between October 2013 and August 2015.
In January 2015, the FBI released stats showing that between Oct. 1, 2013 and Dec. 1, 2014, some 1,198 companies lost a total of 179 million dollars in business e-mail compromise (BEC) scams (also known as "CEO fraud").
The figures show an incredible 270 percent increase in identified victims and exposed losses. Taking into account international victims, the losses from BEC scams total more than 1.2 billion dollars, according to the FBI. Here is the link:
There is a clear pattern you need to watch out for. It often begins with the scammers phishing an executive, dropping a Trojan, and gaining 24/7 access to that individual’s inbox. Then they research the organization and monitor the email account for months until the right circumstances arrive, then they pounce. They spoof the CEO's address and send messages to employees in accounting from a look-alike domain name that is one or two letters off from the target company’s true domain name.
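As an added example (not from the newsletter), here is a small check for the look-alike-domain pattern described above: it pulls the domain out of a From header and flags any sender whose domain is within one or two edits of a trusted domain. The trusted domain and the sample headers are constructed for the demonstration.

```python
"""Flag inbound mail whose sender domain is a look-alike of a trusted domain."""
import re

# Constructed for this example: the organization's real mail domain(s).
TRUSTED_DOMAINS = {"examplecorp.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header such as 'CEO <ceo@examp1ecorp.com>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return match.group(1).lower().rstrip(".") if match else ""


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'external' for one message's sender.

    A domain close to, but not identical to, a trusted one is the look-alike
    case: a dropped letter, a swapped pair, a digit in place of a letter.
    """
    domain = sender_domain(from_header)
    if not domain:
        return "external"
    if domain in trusted:
        return "trusted"
    if any(edit_distance(domain, good) <= max_distance for good in trusted):
        return "lookalike"
    return "external"


# Constructed sample headers: one genuine, three look-alikes, one ordinary external sender.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@examplecorp.com>",
    "Jane Doe <jane.doe@examp1ecorp.com>",   # '1' in place of 'l'
    "Jane Doe <jane.doe@exampelcorp.com>",   # transposed letters
    "Jane Doe <jane.doe@examplecorp.co>",    # truncated TLD
    "Vendor <billing@unrelated-vendor.net>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_sender(header):9s} {header}")
```

Running it prints one classification per sample header; a mail gateway rule would route the "lookalike" results to quarantine or tag them for review.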
Why worse than ransomware?
Normally the ransom is about 500 bucks. However, the FBI's numbers indicate that the average loss for a BEC victim is a whopping 100,000 dollars, and some are much higher: earlier this month, tech firm Ubiquiti Networks disclosed in a quarterly financial report that it suffered a 46.7 million dollar hit because of a BEC scam.
We have noticed that this scam is filtering down to the consumer level. People that are in the process of buying a house and need to transfer a sizable down payment are receiving an email from their lawyer or realtor to transfer that down payment to a certain bank account. When they call the next day to check if the money has arrived, the lawyer tells them they did not send any transfer requests, but the money has disappeared in the meantime. The same scam is done with spoofed emails from financial brokers.
What you can do about it:
Send this email to all your users, friends and family. Edit if you want:
- Alert all your employees, from the board level down to the mail room. These scams are getting more sophisticated by the month so be on the lookout.
- Grab this Social Engineering Red Flags PDF, print and laminate it, and give it to everyone. (free)
- Have a dual-step process in place for bank wires, always verified by phone with trusted parties.
"Criminals on the Internet have cooked up a new scam. They get you to click on a phishing link and stealthily look at what happens on your computer. Specifically they monitor your email. When it looks like your CEO is out of town, the bad guys send emails that look like they come from the CEO, with urgent requests to wire a large amount of money. Organizations that were tricked by this have lost hundreds of thousands of dollars.
Recently, this scam has filtered down to the consumer level. The FBI calls this an Email Account Compromise (EAC). At this very moment, bad guys could be looking at your email and patiently wait until the time is right. Be very careful when you make any large bank transfers, for instance when buying a house or putting money into investment accounts. ALWAYS, ALWAYS, ALWAYS initiate contact with the other party by phone and verify that the transfer instructions are correct before you transfer the money."
Obviously all your employees need to be stepped through effective security awareness training to prevent social engineering attacks like this from getting through. Find out how affordable this is for your organization today.
Just 1% Of Employees Are Responsible For 75% Cloud Security Risks
Just 1 percent of employees are responsible for 75 percent of cloud-related enterprise security risks, and companies can dramatically reduce their exposure at very little additional cost by paying extra attention to these users.
According to newly released research by CloudLock, which analyzed the behavior of 10 million users during the second quarter of this year, these users are sending out plain-text passwords, sharing files, accidentally downloading malware, clicking on phishing links, using risky applications, reusing passwords, and engaging in other types of dangerous behaviors.
These users include both rank-and-file employees as well as super-privileged users, software architects, and non-human accounts used to perform automated tasks. Here is an interesting article on this over at CSO:
Report: Phishing Costs Average Organization 3.7M Per Year
If you extrapolate the total annual cost of phishing for the average organization it comes to more than 3.7 million dollars. You could shave that down by 1.8 million though, with the right security awareness training, according to a new report.
More than 375 IT and IT security practitioners in U.S. organizations were surveyed in "The Cost of Phishing & Value of Employee Training", which was conducted by Ponemon Institute and sponsored by our friends at Wombat Security Technologies.
In a Wednesday email correspondence, Joe Ferrara, Wombat's president and CEO, told SC Mag that the biggest financial hit from these attacks comes from loss of productivity. Full story and links to the report at our Blog:
Are You In DevOps and/or Use Docker?
Fill out this quick Docker survey and get entered to win a 100 dollar gift certificate from Amazon. These are friends of ours and good people:
"In dwelling, live close to the ground. In thinking, keep to the simple. In conflict, be fair and generous. In governing, don't try to control. In work, do what you enjoy. In family life, be completely present." - Lao Tzu (Philosopher - 6th century BC)
"True happiness comes from the joy of deeds well done, the zest of creating things new." - Antoine de Saint-Exupéry - Writer (1900 - 1944)
Thanks for reading CyberheistNews
This Week's Five Most Popular HackBusters Posts
Here’s How Iran Resets Your Gmail Password
Tehran's hackers are getting trickier, and finding new ways to get into your Gmail using social engineering. Learn how this sophisticated phishing attack gets around Google's two-step verification system.
The Citizen Lab’s John Scott-Railton and Katie Kleemola explained a new way that Iranian hackers can compromise the accounts of political dissidents, or basically anyone. High-end hacking gangs will use this trick as well for Business Email Compromise attacks.
"Their targets are political, and include Iranian activists, and even a director at the Electronic Frontier Foundation," said Scott-Railton. "In some cases they even pretend to be Reuters journalists calling to set up interviews."
It's obvious that attacks on political targets are not new. Neither are two-factor authentication (2FA) attacks. They were relatively few and far between though. What you can count on now is that this methodology is going to go up massively and that you need to train users to not fall for it if you use Gmail as your corporate email platform. Here are the details:
IBM: Corporations Could Be The Next Target For Ransomware Attacks
Doug Olenick at SC Magazine reported on something noteworthy: "The growing threat posed by ransomware and the possibility that cybercriminals will graduate from extorting end users to large corporations topped the worry list of IBM's X-Force threat team in its Q3 threat intelligence report.
The "August 2015 IBM Security IBM X-Force Threat Intelligence Quarterly, 3Q 2015," issued Monday, included a look at an increasing number of attacks coming from the dark web that employ Tor to steal intellectual property.
While ransomware has been a menace for years, John Kuhn, senior threat researcher, IBM Security X-Force, told SCMagazine.com it has progressed from attackers using simplistic scams, such as WinLocker, that simply annoyed people to well-organized attempts to steal money. More at our Blog:
Target Agrees To Pay Visa 67 Million Dollars For 2013 Data Breach
On Tuesday, Target and Visa confirmed that they had reached a settlement in which Target would pay up to 67 million dollars to Visa card issuers for a security breach in 2013 that left 40 million customer credit card numbers compromised. Visa brokered the deal and will pass the award on to the card issuers that work within its network.
The settlement deal is considerably larger than the 19 million dollar settlement that Target reached with MasterCard earlier in the proceedings. That settlement was not approved because MasterCard issuers rejected it for being too low. The Wall Street Journal reports that Target's deal with Visa is much more likely to succeed this time around because the agreement had "already received support from Visa's largest card issuers."
A representative from JP Morgan Chase & Co. told Ars in an e-mail that the company was "pleased" with the settlement, but he would not go into detail about specifics. It also seems that Target is working on a new deal with MasterCard comparable to the one it cut with Visa. As you can see, these large hacks get extremely expensive, and now the FTC is going to pile on as well. More at Ars Technica:
Gartner's Avivah Litan: Top New Threats to Banks
Extortionists and insiders operating as criminal "free agents" have emerged as the top two cybercrime threats to banking institutions, says financial fraud expert Avivah Litan, an analyst for the consultancy Gartner.
"Cyber-extortion is probably the hottest trend of 2015," she explains during this exclusive interview with Information Security Media Group. A gang known as DD4BC, which stands for DDoS for Bitcoin, has been targeting leading banking institutions with ransom schemes that blend malware and distributed denial-of-service attacks, Litan says.
"They'll get malware on the network, extract information from files and then threaten to publish it," she says. "Then they wage a denial-of-service attack against the bank. So, this has been going on for a while, and banks are paying out." Link:
This Week's Links We Like. Tips, Hints And Fun Stuff.
- An incredible 360° cockpit view of the Swiss Air Force aerobatic team 'Patrouille Suisse' flying through the Alps. Click on the right arrow in the top left area of the video screen until you can see the other jets, or just drag the screen with your mouse. This one is spectacular:
- 'Star Wars' and Daft Punk collide in funky mashup. Cool:
- The Brits like to blow stuff up as well, but they do it in their own conservative way:
- Magician Dan White from New York attempts to guess if Tonight Show host Jimmy Fallon is holding a coin in his hand or kept it in his pocket:
- The Ylvis brothers from Norway are up to their usual shenanigans:
- Apparently, the sound of getting hacked, and then losing your job like the CEO of AshMad, is hearing AC/DC Thunderstruck:
- Social Engineer Builds a Complete Hidden Hacking Kit. No, really:
- Watch NASA crash, splash, and obliterate flying machines:
- A mother bear and her five cubs decided to beat the sweltering heat by taking a dip in a backyard swimming pool in Rockaway Township, New Jersey, USA:
- Drone pilot Kevin Miller was exploring a giant wind turbine and was surprised to find a man sunbathing on the top of it: