Scam Of The Week: Drowned Syrian Boy
Lowlifes are exploiting the recent picture of three-year-old Syrian boy Alyan Kurdi. He drowned while attempting to reach Greece with his family and other refugees.
The picture is used for a variety of scams, starting with Facebook spammers. Their goal is to collect as many Facebook likes as possible for their pages, a tactic known as "like-farming". The followers are later put to other nefarious uses and sold to marketing firms. This Scam Of The Week focuses on the "1share = 1prayer" tactic, which tricks people into sharing the post. I would send the following to your users:
"Scam Of The Week: Edited pictures of a three-year-old Syrian boy Alyan Kurdi. He drowned while attempting to reach Greece with his family and other refugees. Lowlifes use it in several scams, from phishing attacks trying to trick you into charitable gifts at bogus sites to scams on Facebook that use "1share = 1prayer" tactics but later sell your information to other scammers. Remember, any time you see shocking news that tries to make you do something, Think Before You Click!"
For KnowBe4 customers, we have a new simulated phishing template in the Current Events category we recommend you send to your users ASAP.
Social Engineering Heaven: Combine AshMad Hack With OPM Data
The Office of Personnel Management has just closed a 133 million dollar contract to protect 21.5 million OPM data breach victims for three years. Wow, "Barn, Horse" anyone? This is an egregious waste of our tax money. Spending that kind of IT budget to replace the old systems that were hacked would have been the sane thing to do.
And three years of protection is not enough either: the highly sensitive data that was stolen, including medical forms, Social Security numbers and airline records, stays valid for a lifetime.
The Chinese cyber army has been working overtime recently. By now, they have cross-referenced the OPM hack info and the AshMad database to filter out the most vulnerable people and their spouses. Throw in some Anthem data for good measure.
The data is used to identify and track — or even blackmail and recruit — U.S. undercover operatives and agents overseas. The foreign spy services employ Big Data apps to reveal who is an intelligence officer, who travels where, when, who’s got financial difficulties, who’s got medical issues, to create a profile.
You can expect this type of technology to filter down to the criminal level very soon. Exploitation of the AshMad data is already happening. The threat of a spouse's infidelity is a potent social engineering lever: anyone would be tempted to find out if their spouse is on the AshMad list, especially if that spouse is on months-long deployments.
A recent simulated AshMad phishing attack template we released scored an average 4.2% click rate over the dozens of KnowBe4 enterprise accounts who sent that template to their employees.
End-users need to be taught that their business email address is property of the company and they cannot use it for private "endeavors". This is something that should be nipped in the bud with effective security awareness training.
We have cross-referenced the AshMad database with email addresses that our customers have uploaded for phishing tests, and we are in the process of individually notifying customers if there are one or more compromised email addresses so they can take preventive action.
Which of your email addresses are exposed on the Internet and are a target for phishing attacks? You can get a one-time no-charge Email Exposure Check (EEC) sent to you if you want to know how big your email attack surface is: http://www.knowbe4.com/email-exposure-check/
KnowBe4 Grand Opening Sept 2015
September 3rd, 2015, KnowBe4 had the grand opening of our new facility in Tampa Bay, Florida. The 15,000 square foot top floor has a wrap-around 360-degree panoramic view of the Gulf of Mexico and the Clearwater Beaches. KnowBe4 at the moment has 50 employees (a number that is rapidly increasing), most of whom you see in the pictures.
In the foreground is the Mayor of Clearwater, Mr. George Cretekos; to his left are Kevin Mitnick and Stu Sjouwerman, KnowBe4 principals. There are stills and a video of the ribbon cutting. http://blog.knowbe4.com/knowbe4-grand-opening-sept-2015
Warm Regards, Stu Sjouwerman
"Magic is believing in yourself, if you can do that, you can make anything happen." - Johann Wolfgang von Goethe - (1749-1832)
"Why fit in when you were born to stand out?" - Dr. Seuss - Writer (1904 - 1991)
Thanks for reading CyberheistNews
This Week's Five Most Popular HackBusters Posts
Chrysler Catches Flak For Patching Hack Via Mailed USB
Andy Greenberg at Wired makes a good point. Car manufacturers send out USB sticks by mail to patch software in millions of cars. How about that as a new social engineering attack vector?
"Six weeks after hackers revealed vulnerabilities in a 2014 Jeep Cherokee that they could use to take over its transmission and brakes, Chrysler has pushed out its patch for that epic exploit. Now it’s getting another round of criticism for what some are calling a sloppy method of distributing that patch: On more than a million USB drives mailed to drivers via the US Postal Service.
"Security pros have long warned computer users not to plug in USB sticks sent to them in the mail—just as they shouldn’t plug in thumb drives given to them by strangers or found in their company’s parking lot—for fear that they could be part of a mass malware mailing campaign. Now Chrysler is asking consumers to do exactly that, potentially paving the way for a future attacker to spoof the USB mailers and trick users into installing malware on their cars or trucks.
'An auto manufacturer is basically conditioning customers into plugging things into their vehicles,' says Mark Trumpbour, an organizer of the New York hacker conference Summercon whose sister-in-law’s husband received the USB patch in the mail Thursday. 'This could have the potential to backfire at some point in the future.'
When WIRED reached out to Chrysler, a spokesperson responded that the USB drives are “read-only”—a fact that certainly wouldn’t protect users from a future spoofed USB mailing—and that the scenario of a mailed USB attack is only 'speculation.'"
Wow, never heard such a weak excuse. This is a sloppy way to fix a problem that is going to cause them more trouble down the road. Here is how the mailed patch with the USB stick looks: http://www.wired.com/2015/09/chrysler-gets-flak-patching-hack-via-mailed-usb/
Cybercrime By Wire Fraud – What’s Covered?
Stacy Collett at CSO has a warning about funds lost to cyberheists that your organization should look into. Here is an excerpt:
"Prevention is far less expensive than losing money to cyber thieves. While executives hash out the terms of cyber insurance coverage, IT and accounting departments can take steps to lessen the risk of social engineering scams that lead to wire fraud.
Companies should start by taking a look at people, policies and procedures, says Stu Sjouwerman, CEO of cyber security awareness company KnowBe4 LLC.
Wire fraud thefts typically start with a simple phishing scam that allows thieves to enter the email server and learn the who, what, when and where of an organization. So security awareness training and penetration testing should be given to all employees. When it comes to wire transfers, have policies in place with the bank for any transfers larger than a certain amount, and have two people sign off on the transfer, Sjouwerman says.
Companies can also require the bank to obtain verbal approval from at least one C-level executive at the company who is aware of the transaction. “Preferably the executive should be calling the bank and initiating the OK instead of the executive being called by someone claiming to be the bank,” he adds.
“Test and train everyone, not just high-risk employees, and send them simulated phishing attacks,” Sjouwerman says. “It doesn’t matter if it’s the C-level or boardroom person who gets compromised or somebody in the mail room. The moment the thieves are in your network, they’re in regardless of the entry point." Read the whole article here: http://www.csoonline.com/article/2978935/cyber-attacks-espionage/cybercrime-by-wire-fraud-what-s-covered.html
SANS Announces September Issue Of OUCH!
SANS said: "We are excited to announce the September issue of OUCH! This month, led by Guest Editor Keith Palmgren, we focus on two-step verification. Specifically, what two-step verification is, why it's so important and the steps to enable it. We ask that you share OUCH! with your family, friends and coworkers." English Version (PDF) http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201509_en.pdf
Tech Tips: How To Stay Secure On Vacation
TomsGuide has some very good hints and tips for people on vacation - and for your organization's road warriors as well. Send it to them!
"When Kristina Portillo was at Los Angeles International Airport recently, she briefly connected her laptop to the airport's complimentary Wi-Fi network to get her email messages and information about her connecting flight. Portillo, the founder of BusinessTravelLife.com, said the entire process took only about 5 minutes.
But as soon as she turned her computer back on after takeoff, Portillo started having issues with loading speed and screen blackouts. Her computer was apparently infected with malware.
"I stopped using it immediately, and had to have the IT company that my office used to clean it off when I returned," Portillo said. "It took them over a day to get it working again."
Using public Wi-Fi is one of the most common, and most dangerous, information-security mistakes anyone can make. As Portillo's experience showed, it doesn't take much time for bad guys to infect your computer or mobile device. Fortunately, there are ways to make that public Wi-Fi safe — or to avoid it altogether. More at: http://www.tomsguide.com/us/stay-secure-vacation-tech,news-21527.html
A Cyberheist Subscriber's Own Hacking Horror Story
"Stu, thought I’d give you one. You can use it if you want. Just make it anonymous.
So, being in IT we think we are more secure than most, even though we know the internet is a very scary place. I’m the CTO for a major company, I’m bloody invincible!
Last night I’m relaxing in my recliner and look over at my PC which is in the family room at the desk. I see that apps are opening up and the mouse is moving all over the place with no one sitting in front of it.
For a moment, I sit there bewildered and then realize, I’m watching someone hack my PC. I jump up and grab the mouse to try to shut the PC down and notice my VNC icon is active. We end up fighting for control, so I just power it off.
I’ve installed VNC on the PC and set up a route through the firewall so I can get to my PC remotely. Good idea, right? Well, apparently someone guessed my password.
They were on the PC for 29 minutes (found this out after reviewing the event log). Long enough to initiate a 2800-dollar transfer from Paypal to Eduardo Godo with a spainmail.net email address.
Had I not seen it, I probably wouldn’t have found out about it for a few days. The killer here is that we had Paypal set up to remember our ID/password so they didn’t need to crack anything else.
So now the panicked calls to Paypal, Wells Fargo, Barclay. After 90 minutes on the phone, our checking account is cancelled, our credit card is cancelled (they were the two funding sources for Paypal) and Paypal is opening an investigation.
Perusing the event log for VNC server events, I see they have been trying to break in for as long as the log goes back. I notice that about 10 days ago, there was an indication that the password was accepted for access but from an IP address that couldn’t have been me.
However, it disconnected after about 2 seconds. I’m assuming they have a bunch of ‘botted’ PCs making attempts to get in, and when one does, the info gets logged for a human to look at later.
I’m still not sure that the Paypal access was all they did. We’re going to check our accounts daily until we feel secure. Needless to say we’ve gone out and changed our passwords for anything that has to do with money.
I feel so ticked off, mostly at myself for using what was obviously a too simple password that let them get in."
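The subscriber found the intrusion by reading the VNC server's event log after the fact: a long run of failed logins, then a 2-second accepted session from an unfamiliar IP ten days before the 29-minute session that did the damage. That pattern (brute-force burst, short probe session from an untrusted source, later long session from the same kind of source) is exactly what a small log review script can raise automatically. The following is an added example, not the subscriber's setup and not the output format of any real VNC server: the log line format, the sample lines and the trusted network range are all constructed for illustration, so the regex must be adapted to whatever your remote-access server actually writes.

```python
"""Review a remote-access auth log for brute forcing and suspicious sessions.

Added example. The log format below is hypothetical (timestamp, event, source
IP); it is not a real VNC server's format. Adapt LINE_RE to your own server.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log: a password-guessing burst followed by a 2-second probe
# session, then (days later) a 29-minute session from an untrusted address,
# then a normal session from the home LAN.
SAMPLE_LOG = """\
2015-08-25 02:14:01 AUTH_FAILED 203.0.113.7
2015-08-25 02:14:02 AUTH_FAILED 203.0.113.7
2015-08-25 02:14:03 AUTH_FAILED 203.0.113.7
2015-08-25 02:14:04 AUTH_FAILED 203.0.113.7
2015-08-25 02:14:05 AUTH_FAILED 203.0.113.7
2015-08-25 02:14:06 AUTH_FAILED 203.0.113.7
2015-08-25 02:14:09 AUTH_OK 203.0.113.7
2015-08-25 02:14:11 DISCONNECT 203.0.113.7
2015-09-04 20:05:30 AUTH_OK 192.0.2.10
2015-09-04 20:34:30 DISCONNECT 192.0.2.10
2015-09-04 21:00:00 AUTH_OK 192.168.1.20
2015-09-04 21:45:00 DISCONNECT 192.168.1.20
"""

# Constructed: the networks from which remote access is expected (home LAN).
TRUSTED_NETWORKS = ["192.168.1.0/24"]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>AUTH_OK|AUTH_FAILED|DISCONNECT) (?P<ip>[\d.]+)$"
)


def parse_log(text):
    """Return (timestamp, event, ip) tuples in file order; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["event"], m["ip"]))
    return events


def brute_force_sources(events, threshold=5, window=timedelta(seconds=60)):
    """IPs that produced at least `threshold` AUTH_FAILED events within any `window`."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = set()
    for ts, event, ip in events:
        if event != "AUTH_FAILED":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return flagged


def review_sessions(events, trusted=TRUSTED_NETWORKS, probe_seconds=5):
    """Pair each AUTH_OK with the next DISCONNECT from the same IP and flag it.

    Flags: 'untrusted_source' (IP outside the trusted networks), 'probe_session'
    (connect-and-drop shorter than probe_seconds) and 'after_bruteforce' (the IP
    was also guessing passwords). Returns one dict per completed session.
    """
    nets = [ip_network(n) for n in trusted]
    brute = brute_force_sources(events)
    open_sessions = {}  # ip -> start time of the session not yet disconnected
    findings = []
    for ts, event, ip in events:
        if event == "AUTH_OK":
            open_sessions[ip] = ts
        elif event == "DISCONNECT" and ip in open_sessions:
            start = open_sessions.pop(ip)
            seconds = (ts - start).total_seconds()
            flags = []
            if not any(ip_address(ip) in n for n in nets):
                flags.append("untrusted_source")
            if seconds < probe_seconds:
                flags.append("probe_session")
            if ip in brute:
                flags.append("after_bruteforce")
            findings.append({"ip": ip, "start": start, "seconds": seconds, "flags": flags})
    return findings


if __name__ == "__main__":
    for f in review_sessions(parse_log(SAMPLE_LOG)):
        status = ", ".join(f["flags"]) or "ok"
        print(f"{f['start']} {f['ip']:<14} {f['seconds']:>7.0f}s  {status}")
```

Run against the sample, the 2-second session on August 25 is reported with all three flags and the 29-minute session on September 4 as coming from an untrusted source, while the LAN session passes clean. The point of the trusted-network check is that a remote-access service exposed through the firewall should only ever be reached from the handful of addresses its owner actually uses; anything else succeeding is worth a look the same day, not ten days later.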
The 10 Highest-Paying IT Security Jobs
High-profile security breaches, data loss and the need for companies to safeguard themselves against attacks are driving salaries for IT security specialists through the roof. Here are the 10 highest-paying security roles, but note that the figures depend on where the job is located.
I personally know two IT Security developers, one who lives in Florida and the other one in Silicon Valley. Despite the fact that the valley job paid almost twice as much, the guy in Florida kept more cash in his pocket at the end of the month. Slideshow at CSOonline: http://www.csoonline.com/article/2933416/infosec-careers/10-highest-paying-it-security-jobs.html
The Web's Ten Most Dangerous Neighborhoods
Wouldn't it be convenient if all the spam and malware sites were all grouped together under one top-level domain -- .evil, say -- so that they would be easy to avoid? According to a new study from Blue Coat, there are in fact ten such top-level domains, where 95 percent or more of sites pose a potential threat to visitors.
The worst offenders were the .zip and the .review top-level domains, with 100 percent of all sites rated as "shady," according to the report.
The report is based on an analysis of tens of millions of websites visited by Blue Coat's 75 million global users. In order to protect its customers, Blue Coat has a database where it ranks websites on whether they have legitimate content, or malware, spam, scams, phishing attacks or other suspicious behaviors.
Great article by Maria Korolov at CSO: http://www.csoonline.com/article/2978317/data-protection/the-webs-ten-most-dangerous-neighborhoods.html
This Week's Links We Like. Tips, Hints And Fun Stuff.