Scam Of The Week: Deceptive Amazon Account Threat
Given that Amazon is the world's largest retailer, it's surprising that there aren't more of these scams, but this one stands out as particularly deceptive. Cyber criminals often beta-test their campaigns in English-speaking countries like the U.K. and Australia, and then unleash a much larger attack on the U.S.
Our friends at Malwarebytes picked up on a phishing scam targeting Amazon users. The emails claim to be from Amazon's customer service, and falsely state that a small number of accounts were breached last month.
The hackers use a clever social engineering trick: victims are required to complete a "verification process", or else their account will be restricted. But when the user clicks the link to verify their account, they are redirected to a site that mimics Amazon, where they are asked to log in and provide personal information, payment card details and security details. The attack was traced back to Chinese cyber criminals.
I recommend you send the following to your employees, friends and family. Edit if you want:
"Cyber criminals are attacking Amazon users with a phishing campaign that falsely claims a small number of accounts have been hacked. The email starts with an "Important Notice" and you are required to "verify" your Amazon account by providing payment card information and security details. The email threatens that if you do not comply with the verification process, restrictions may be placed on your account.
"Well, Think Before You Click. The email is a scam to try to trick you into revealing your credit card information and more. If you see an email like this that has not been caught by any spam filter, delete it. Remember the rule: "If In Doubt, Throw It Out!" Stay safe out there."
Link to KnowBe4 blog with example screen shot and link to original post: https://blog.knowbe4.com/scam-of-the-week-amazon-account-threat
PS: This week, ABC Action news wanted a backgrounder on why organizations get infected with ransomware and why thousands of people sit on their hands not being able to access their shared drive. The TV crew came over to our new office and interviewed me: https://www.knowbe4.com/knowbe4-in-the-news/
PPS: If you want real-time notifications of security news, with some fun thrown in now and then, follow me on Twitter: stuallard
BitPay Loses 1.8 Million In Phishing Attack
BitPay lost 1.8 million dollars in a phishing attack late last year, according to a lawsuit filed by the bitcoin payment processing firm against an insurer it is trying to get to cover part of the losses.
According to court documents obtained by the Atlanta Business Chronicle, last December BitPay CFO Bryan Krohn received an email from someone purporting to be from a digital currency publication.
The sender's email account had been hacked, however, and the email directed Krohn to a site controlled by the hacker, where he entered the credentials for his corporate email account.
The crook used the email account to fraudulently transfer 5000 bitcoins worth 1.85 million in three separate transactions. In a statement, BitPay CEO Stephen Pair says: "This was an isolated incident, and none of BitPay’s customers, affiliates or merchants lost any funds. The only victim of the theft was BitPay. All merchant funds were secure, and there were no disruptions to BitPay’s payment services at any time."
The company is suing Massachusetts Bay Insurance Company, which has refused to pay out on a policy with a limit of 1 million less BitPay's deductible of 50,000 dollars.
If CFO Bryan Krohn had been effectively security awareness trained, this would not have happened. Don't be that guy. Find out how affordable this is for your organization. Blog post with links to all the documents: https://blog.knowbe4.com/bitpay-loses-1.8-million-in-phishing-attack
What is the REAL cost of a data breach?
A new survey done by Kaspersky with participation of 5,500 companies in 26 countries finally shows the real cost of a data breach broken out by Small and Medium Business (SMB) and Enterprise. They also show the direct and indirect costs for each, which gets you to some hard numbers you can use to request budget.
The data shows that a security breach typically costs large enterprise-level organizations well over half a million dollars on average (551,000 dollars), and 38,000 dollars for SMBs. Then add the indirect costs: 69,000 dollars for larger companies, and 8,000 dollars for SMBs.
You can see that calculating the costs is a worthwhile exercise, as 9 out of 10 companies that took part in the survey admitted to a security breach, and 46% of them even said they've lost critical and sensitive information. Now, I'm sure that the survey was self-selecting so you need to take that 90% with a grain of salt. Still...
Included in the direct costs were hiring IT consultants (69% of the companies), hiring incident response consultants (43%), lawyers (37%), physical security consultants (36%), auditors and accountants (35%), management consultants (35%), and PR and corporate image consultants (24%). The indirect costs are budget you need to spend on additional staff hiring and training, infrastructure upgrades etc.
What worries IT Pros the most regarding data breaches?
The number 1 thing that IT pros and C-level execs fear is losing access to critical business information. The next most feared results in the aftermath of a data breach are loss of credibility to the company's name (43%), temporarily losing the ability to trade with other companies (38%), the loss of future contracts (30%), and the costs that come with hiring IT professionals to fix and improve their infrastructure (25%).
Kaspersky's study also shows that only 1 in 5 data breaches make it to the media. What's even worse is that affected clients are informed in only 44% of cases, affected suppliers in 36%, all the company's customers in 32%, and local authorities and regulators in only 29%.
You can download the full Damage Control: The Cost of Security Breaches report from Kaspersky's website. Great ammo for the IT Security budget. A whopping 91% of successful data breaches started with a phishing attack, so finding out what your email attack surface is makes a lot of sense. You can do that with the one-time, no-charge KnowBe4 Email Exposure Check. Both links at the KnowBe4 Blog: https://blog.knowbe4.com/what-is-the-real-cost-of-a-data-breach
BOOK Of The Month - Stu's Warmly Recommended
Well-known IT Security Analyst Ben Tomhave alerted me about this new book.
Given the ongoing primary races for the two "major" parties, the timing of Andy Updegrove's The Lafayette Campaign couldn't be much better. In The Lafayette Campaign, intrepid computer security hero Frank Adversego is asked by a super-secret intelligence agency to investigate electronic voting fraud. The farther down the rabbit hole he goes, the crazier things get. The cast of characters seems straight out of the GOP slate. The story will leave you wondering if, as voters, we really do have an actual choice: http://www.amazon.com/dp/B010RF882O/ref=cm_sw_su_dp
Warm Regards, Stu Sjouwerman
"The spirit is the true self. The spirit, the will to win, and the will to excel are the things that endure." - Marcus Tullius Cicero, Roman Statesman (106 BC- 43 BC)
"In the sweetness of friendship let there be laughter, and sharing of pleasures. For in the dew of little things the heart finds its morning and is refreshed." - Khalil Gibran (1883–1931)
Thanks for reading CyberheistNews
This Week's Five Most Popular HackBusters Posts
- Facebook is working on a 'dislike' button:
http://www.hackbusters.com/news/stories/391636-facebook-is-working-on-a-dislike-button
- Microsoft has Built its own Linux Operating System:
http://www.hackbusters.com/news/stories/395276-microsoft-has-built-its-own-linux-operating-system
- The app that plays Nickelback when you try to contact your ex:
http://www.hackbusters.com/news/stories/390631-the-app-that-plays-nickelback-when-you-try-to-contact-your-ex
- Pop-Tart figures freeze Han Solo in carbonite, look delicious:
http://www.hackbusters.com/news/stories/393909-pop-tart-figures-freeze-han-solo-in-carbonite-look-delicious
- 'Ultra-thin invisibility skin cloak' could actually be worn like a garment
http://www.hackbusters.com/news/stories/394101-ultra-thin-invisibility-skin-cloak-could-actually-be-worn-like-a-garment
Criminals Test Stolen Credit-Card Numbers on Charity Websites
Many of us volunteer at charities, non-profits and/or churches. Here is a heads-up for the organization that you might be giving your hours to. Criminals are using poorly protected charity websites to test the validity of stolen credit-card numbers, cybersecurity experts said this week, costing some groups thousands of dollars.
Simplified online donation pages make it easy for people to give — but also serve as prime testing ground for credit-card thieves. Article here: https://philanthropy.com/article/Fraud-Alert-Criminals-Test/233197
Tighten Up Your Cyber Security Strategies Now
There are no absolutes. IT Security will never be 100%; it's all about risk mitigation and being a harder target than the next guy. How do you get there? Brian Contos summarized this in a short, easy-to-understand article which includes end-user training as an integral part:
"While there are many security offerings to help an organization better protect itself from the onslaught of cyber threats knocking on its perimeter, no one solution is enough to reduce risk in this dynamic landscape. Each individual security device provides an important piece to the overall puzzle that is cyber security.
After all, if there were a one-size-fits-all solution, organizations would have already implemented it, and the global cyber security industry would not be booming and estimated to grow to 155 billion dollars by 2019.
Despite new security technologies being developed, the best cyber security approach for any organization is an integrated plan that combines technology, technical and analytical threat intelligence, and security policies and procedures to include contingency/continuity planning and user training.
Designing a tailored strategy using all of these vital components will better help position an organization to strengthen its defenses while bolstering its resiliency capability.
Frequent user security awareness training will keep users up to date on the latest security trends, exploits, and scams. While organizations tend to have annual user awareness training, quarterly refreshers are needed to address the dynamic landscape of the cyber threat environment." Full article here: http://www.csoonline.com/article/2984727/network-security/tighten-up-your-cyber-security-strategies-now.html
This Week's Links We Like. Tips, Hints And Fun Stuff.