CyberheistNews Vol #5 #46 Oct 27, 2015
Beautiful Social Engineering Attack By Gorgeous IBM Rep
"Credit card numbers are small potatoes.
Big-time computer hackers are after proprietary information: source code, pharmaceutical research, legal documents, chemical formulas, blueprints, product designs and other trade secrets that can be sold on the black market for huge profits.
The tactics hackers are using to sneak into business and government networks should curl the hair of any business leader. A few months back, Symantec released a disturbing report on 'Butterfly,' a mysterious and sophisticated group of hackers that it described as 'highly capable, professional attackers who perform corporate espionage with a laser-like focus on operational security. The team is a major threat to organizations that have large volumes of proprietary intellectual property, all of which is at risk of being stolen by this group for monetary gain.'
Last week, Ron Taton, president of Cleveland-based IntelliNet Corp., told me about a real-life incident he'd learned about from a security-software vendor. Here's a version of how it went down, and it's right out of a spy novel: You're a chemical engineer at a large company that's working on something special, let's say new battery technology that will triple the range of electric cars. It could mean billions in revenue and freedom from Mideast oil.
You're proud of your work — you should be — and you include your employer info on your Facebook page. And like most guys (yes, it's a man in this example), you're competitive, so you make sure to post photos and updates from your victories at Tuesday night trivia at the local sports bar.
One night, as you wait for a pitcher to be filled at the bar, a beautiful woman two stools down says hello. You look to the left, then the right and realize she is talking to you. You say hello back, and a conversation begins.
She becomes even more attractive when she talks about technology and lets it slip that she works for IBM. You tell her you're an engineer and love tech. She offers to pay for your pitcher. You forget all about trivia night as she discusses her work and gives you a business card with the iconic blue IBM logo. 'I have some swag in my car,' she says. 'Give me a second.' As she heads out to the parking lot, you pop a breath mint and pinch yourself.
'Merry Christmas,' she says when she returns, placing on the bar an IBM coffee mug, T-shirt, mouse pad and 8-gig flash drive. The next morning at work, the coffee tastes extra rich in the new mug, the mouse moves so smoothly on the new pad, and with a new confidence, you push the thumb drive into your computer.
Within seconds, the company's entire email network is compromised, and hackers begin work scraping messages, documents, attachments and images.
The most sophisticated hackers may clean up after they're done, removing traces of the breach and making it even more difficult for companies to know they've been violated — until a competitor in Russia or China unveils a product developed with stolen intelligence.
'Everything is hackable,' says IntelliNet's Taton. 'Assume you are going to be hacked. There is no such thing as a trench around a network. It doesn't exist.' Instead, he says, companies need to be able to be ready to respond, mitigate and play defense. And skip trivia night."
By the way, effective security awareness training would have helped against a honeytrap like this. Find out how affordable it is and be pleasantly surprised. https://info.knowbe4.com/kmsat_get_a_quote_now
Hat Tip to John Campanelli for this fabulous story.
Scam Of The Week: Enter To Win Tickets To Star Wars
It's "Scam Of The Week" time to warn your users against phishing attacks that try to trick them with the promise of winning tickets to the new Star Wars movie. For the next 2 months this is going to be a highly successful social engineering attack that a lot of users may fall for. This is what the template that KnowBe4 customers can send their employees looks like: https://blog.knowbe4.com/scam-of-the-week-enter-to-win-tickets-to-star-wars
If you are not a customer yet, I would send them something like this. Edit it if you want:
"Scamsters are trying to trick people with offers of complimentary tickets for the coming Star Wars Episode VII movie. You may get emails that ask you to enter sweepstakes, fill out surveys, or claim complimentary coupons for movie tickets. There are many tricks they might use. Don't fall for them and get your computer infected with malware. STOP - LOOK - THINK before you click."
Interestingly enough, this Star Wars simulated phishing template was submitted by one of our customers in the Community section where you can both submit and use templates that were made by peers and sent to their own employees to inoculate them against social engineering.
You can now find it in the System Templates -> Current Events section. May the force be with you.
PS: We have rented a local movie theatre where we are all going to watch the movie in 3D as our holiday party; should be fun.
Remind Your Employees About Top 10 Holiday Scams
As the new holiday cybercrime season rolls in, it's a good idea to look at the scams of last year, which will be recycled with a few small updates.
It’s important for IT departments to give employees a quick refresher on what to look out for. It’s becoming more important as online shopping increases every year and much of that happens on work computers or the devices that employees use for office communication. Here are the Top 10 scams to keep an eye out for this holiday season:
1. Black Friday Deals: Black Friday and Cyber Monday are the busiest online shopping days, and the bad guys are out to get rich with your money. Don't buy anything that seems too good to be true.
2. Complimentary Apple Watch: Watch out for the too-good-to-be-true coupons that offer complimentary watches, phones, or tablets on sites all over the Internet. Don't fall for it. Make sure the offers are from a legitimate company.
3. Postal Deliveries: Watch out for alerts via email or text that say you just received a package from FedEx, UPS or the US Mail, and then ask you for some personal information. Don't enter anything. Think Before You Click.
4. Fake Refunds: There is a fake refund scam going on that could appear to come from Amazon, a hotel, or a retail chain. It claims there was a "wrong transaction" and wants you to "click for refund", but instead your device will be infected with malware.
5. The Grinch E-Card Greetings: Happy Holidays. Your email has an attachment that looks like an e-greeting card, pretty pictures and all. You think that this must be from a friend. Nope. Malicious e-cards are sent by the millions, and especially at the office, never open these things as they might infect your workstation.
6. The Fake Gift Card Trick: Internet crooks promote a fake gift card through social media, but what they really are after is your information, which they then sell to other cyber criminals who use it for identity theft. Here is an example: a Facebook scam offering a complimentary 1,000 dollar Best Buy gift card to the first 20,000 people who sign up for a Best Buy fan page, which is a malicious copy of the original.
7. The Charity Tricksters: The holidays are traditionally the time for giving. It's also the time that cyber criminals try to pry money out of people who mean well. But making donations to the wrong site could mean you are funding cybercrime or even terrorism. So watch out for any communications from charities that ask for your contribution (phone, email, text, and tweets) and make sure they are legit. It's a good idea to contact the charity to make sure the request did in fact come from them. It is safest to only donate to charities you already know, and refuse all the rest.
8. The DM-Scam: You tweet about a holiday gift you are trying to find, and you get a direct message (DM) from another Twitter user offering to sell you one. Stop - Look - Think, because this could very well be a sophisticated scam. If you do not know that person, be very careful before you continue and never pay up front.
9. The Extra Holiday-Money Fraud: People always need some extra money during this season, so cyber fraudsters are offering work-from-home scams. The most innocent of these make you fill out a form where you give out confidential information like your Social Security number, which will get your identity stolen. The worst of them offer you work where you launder money from a cyberheist, which can get you into major trouble.
10. The Evil Wi-Fi Twin: You bring your laptop/tablet/smartphone to the mall to scout for gifts and check whether you can get them cheaper somewhere online. But the bad guys are there too, shopping for your credit card number. They put out a Wi-Fi signal that looks just like a complimentary one you always use. Choose the wrong Wi-Fi and the hacker now sits in the middle and steals your credit card data while you buy online. When you use a Wi-Fi connection in a public place, it is better not to use your credit card.
Warm Regards,
Stu Sjouwerman