CyberheistNews Vol 5 #43 Near-flawless Social Engineering Attack Spoiled By Single Error



CyberheistNews Vol 5 #43 Oct 13, 2015

Near-flawless Social Engineering Attack Spoiled By Single Error

Steve Ragan at CSO has a great story about a CEO Fraud social engineering attack that was caught just in time because the employees were given effective security awareness training. This is a great read so please share this with your co-workers and colleagues.

"A reader recently shared an email that was sent to their comptroller, which by all accounts was a near-perfect social engineering attempt. However, security awareness training, combined with full executive support to question any suspect request, prevented what could've been a massive financial hit to the organization. The email, which was addressed to the comptroller from an account that (at a glance) belongs to the CEO, is itself similar to prior communications she had gotten from him.

The email mirrors the organization's Outlook template, uses the CEO's image, even the clip and tone of the message itself looks normal. There are spelling errors, and formatting issues, but again these are expected in quick communications and rather common during day-to-day operations."

The full message sent to the comptroller with the one fatal flaw is here:
https://blog.knowbe4.com/near-flawless-social-engineering-attack-spoiled-by-single-flaw

Please share this story with as many co-workers and colleagues as possible. We need to get the word out about this new wave of very destructive cybercrime.

I Need Your Input; Get A Home 'Net Safety Course And Win A 500 Dollar AMEX Card

You need to be compliant and get through audit cycles, and I have a quick, interesting survey for you because I need your feedback regarding your compliance challenges. There is a prize for everyone!

Everyone who fills out the survey gets a complimentary key for the Kevin Mitnick Home Internet Security course. This is an hour's worth of training on how your family can stay safe on the Internet, valued at 29.95. You can also give this course as a gift to 5 friends/family (and not get called to clean the malware off their machines). More at: http://home.knowbe4.com

Next, there will be three 500 dollar AMEX Gift cards, given at random. The odds are pretty good, so please take 3 minutes now. The deadline for this survey is Friday October 16, so please do this right away. Thanks very much in advance! Here is the survey; remember to leave your email address at the end if you want to get the home training and be entered for the AMEX cards:
https://www.surveymonkey.com/r/GD8Z5LG

National Cyber Security Awareness Month: FBI Hints and Tips

They said: "October is National Cyber Security Awareness Month, administered by the Department of Homeland Security. This is the perfect time of year for individuals, businesses, and other organizations to reflect on the universe of cyber threats and to do their part to protect their networks, their devices, and their data from those threats."

This is to a large degree their PR department at work, which is fine by itself, as long as you know that the FBI is overwhelmed with cyber complaints and that they only get interested when the damage is over 1 million dollars.

KnowBe4 is now regularly contacted by organizations that have lost large amounts of money caused by CEO Fraud scams, and want to prevent that in the future. We agree with the FBI that this month is a great time to start an awareness training initiative:
https://www.fbi.gov/news/stories/2015/october/national-cyber-security-awareness-month

Warm Regards,
Stu Sjouwerman

Quotes Of The Week
 
"Very little is needed to make a happy life; it is all within yourself, in your way of thinking."
- Marcus Aurelius - Roman Emperor (121 -180 AD)

"Be yourself. The world worships the original." - Ingrid Bergman - Actress (1915 - 1982)

Thanks for reading CyberheistNews

Security News
This Week's Five Most Popular HackBusters Posts

    1. What’s in a Boarding Pass Barcode? A Lot:
      http://www.hackbusters.com/news/stories/416756-what-s-in-a-boarding-pass-barcode-a-lot

    2. Incredible! Someone Just Hacked 10,000 Routers to Make them More Secure:
      http://www.hackbusters.com/news/stories/415215-incredible-someone-just-hacked-10-000-routers-to-make-them-more-secure

    3. Anonymous Starts Operation Black October To Target Banking Sector:
      http://www.hackbusters.com/news/stories/417787-anonymous-starts-operation-black-october-to-target-banking-sector

    4. AdBlock Extension has been Sold to an 'Unknown Buyer':
      http://www.hackbusters.com/news/stories/413458-adblock-extension-has-been-sold-to-an-unknown-buyer

    5. Lexus builds a full-size car out of cardboard -- and yeah, it drives:
      http://www.hackbusters.com/news/stories/416970-lexus-builds-a-full-size-car-out-of-cardboard-and-yeah-it-drives

After A Breach, 25% Of Firms Don't Know How The Attackers Got In

Of the firms who did know how the attackers got in, 67 percent said that malware had infiltrated their networks through email, 63 percent named web surfing as a vector of infection, 12 percent cited cloud apps or social media, and 4 percent pointed to instant messaging.

The salient fact here is the 67% that point at email as the culprit, omitting the fact that an employee had a hand in that as well, either by clicking a link or opening an attachment. Here is the story:
http://www.csoonline.com/article/2989957/data-protection/quarter-of-firms-cant-tell-how-hackers-get-in.html

Postal Employees Fall To Internal Phishing Sting

According to a report of the USPS Inspector General, the Postal Service's security awareness training related to phishing was not effective. Aaron Boyd wrote: "Determined not to fall victim to another network breach, the U.S. Postal Service is phishing its own employees, testing their ability to recognize a scam before it's too late and their knowledge of the proper procedures to be followed.

The Postal Service suffered from a massive breach last year that exposed the personal information on more than 800,000 current and former employees. Instead of storming the firewalls, the attackers used targeted spear-phishing emails to gain access to the networks, enabling them to get in and exfiltrate information without much difficulty.

As the agency works on strengthening its internal policies, the inspector general's office conducted a sting operation on 3,125 postal employees. The results were in part promising; however, the vast majority of those tested failed to comply with Postal Service policies, particularly when it came to reporting requirements. OUCH.

Overall, the U.S. government is actually backsliding in the amount of security awareness training the agencies are providing their employees. A workforce well educated in what’s needed for good security is touted by all sides as a backbone requirement for overall cybersecurity, and the lack of such knowledge is blamed for a spate of “bad cyber hygiene” that has enabled successful phishing attacks on government systems.

For fiscal year 2014, Government Accountability Office reported, fewer agencies than in previous years said at least 90 percent of their users had received awareness training. Perhaps the most worrying item was the fact that, according to the Office of Management and Budget, the 24 agencies surveyed had provided training for just 80 percent of their personnel who have significant security responsibilities, versus 92 percent in fiscal 2013.

It is surprising with the current administration's focus on cyber security that they are not setting a good example: "Do as I say, not as I do". Hmmm. This post has more detail and a link to the actual Office of Inspector General report which is interesting reading:
https://blog.knowbe4.com/postal-employees-fall-to-internal-phishing-sting

Cyber Insurance Claim Rejected Due To Email Phishing

You may have heard about the BitPay hack. They are a Bitcoin payment processor and were targeted by a criminal who first went after a business partner. When BitPay filed their cyber insurance claim with Massachusetts Bay Insurance Company (MBIC), the insurance company rejected the filing because the incident that led to the theft of 1.85 million compromised a business partner and not BitPay itself.

In other words, since the user (BitPay's CFO Bryan Krohn) was compromised with a phishing email that led to Krohn giving up his credentials, it did not meet the criteria of a loss from unauthorized entry. Here is the wording: "... the Policy requires that the loss of money be the direct result of the use of any computer to fraudulently cause a transfer of that property from inside the premises to a person or place outside the premises... The facts as presented do not support a direct loss since there was not a hacking or unauthorized entry into Bitpay's computer system fraudulently causing a transfer of Money. Instead, the computer system of David Bailey, Bitpay's business partner, was compromised resulting in fictitious emails being received by Bitpay. The Policy does not afford coverage for indirect losses caused by a hacking into the computer system of someone other than the insured..."

The Lessons Learned

    1. Caveat Emptor: make sure you really understand what you are buying when you sign a cyber security insurance policy. It makes sense to have a cyber security lawyer read the fine print of your policy before you sign the deal.

    2. For C-level executives who have a target on their back, it makes even more sense to step them through effective security awareness training.

Shocker: How Girls Easily Trust Strangers On Social Media

Got teenage kids? Better read this, and then have a (or another) very serious talk with them after watching this video. Social engineering of kids is very easy if they are not made aware of the online dangers.

Teenagers love being on social media. They use their phones and Facebook to contact their friends; they take pictures and send them via Instagram or SnapChat; they figure out what to buy by taking photos and sending them to their friends. Unfortunately, they also are easily lured through social media by sexual predators, child trafficking rings and thieves.

In this video, Coby Persin conducted an experiment to see how easily he could convince teenage girls to come meet him when all they had done was speak to him in chat rooms on social networking sites. There are some very good discussion points for parents listed:
http://www.lifehack.org/317371/youll-shocked-this-social-experiment-how-girls-easily-trust-strangers-social-media-2

Copyright © 2014-2015 KnowBe4 LLC, All rights reserved.

Our mailing address is: 33 North Garden Ave Suite 1200, Clearwater, Florida, 33755
