CyberheistNews Vol #5 #52 Scam Of The Week: Apple ID Suspension Phish With A Twist


Dec 8, 2015
Stu Sjouwerman

OK, this scam is widespread enough to alert your users about it. The email claims to be from Apple Support and says your Apple ID and iCloud are both going to be suspended because you did not complete verification on time. With the massive amount of new Apple devices being sold at the moment, this attack may hit many employees.

Supposedly Apple sent you an earlier email about this but they did not receive a response. The email has a "Verify now" link that allows you to complete the verification process and save your account from suspension. (Yeah, sure.) If an employee clicks the link, they land on a bogus Apple login page asking for their credentials. But wait, there's more!

You will be taken to a second fake page that asks for a large amount of your personal and financial information including credit card and banking details. The page is designed to look like a real Apple webpage and even includes seemingly legitimate information explaining in detail why you need to complete the verification process.

This scam even has retaliation against investigators testing the phish. If you enter false data that includes words such as ‘scam’ into fields on the fake form, your browser will automatically redirect you to a preconfigured Google search for pornography.

I suggest you send the following to all employees, and while you are at it, friends and family will also benefit.

"You need to watch out for a phishing scam that seems to come from Apple. The email is supposedly from Apple Support and they threaten that your account is going to be suspended because you did not reply to an earlier verification email. The phishing email has a link that allows you to "verify now" but if you click the link, you land on a bogus webpage that looks like it's Apple but is a fake, and it tries to manipulate you into giving out your password, credit card and other personal information.

Don't fall for this scam. Always go directly to your vendor's website and do not click on links in emails that merely look legit. Think Before You Click! Happy and Safe Holidays."

The Top 5 Reasons To Invest In Cyber Security

Here's a quick condensed overview, which you can use as bullet points in your 2016 budget discussion.

Today, successful data breaches happen on a daily basis. The frequency of the attacks is increasing fast and those who attack are getting more sophisticated. Cyber-attacks have undergone substantial changes and are increasingly difficult to counteract as the attackers’ technology advances.

Everyone’s a target – government and large corporate websites are no longer the only focus. Medium size corporations, small businesses and individuals are all potential victims. That you will be attacked is a given – but what makes the difference is your security posture, how good your defense-in-depth is, and your incident response after the hack.

Here are the Top 5 reasons to invest in cyber security:

1) Frequency of attacks

Industry leaders like Symantec, McAfee, FireEye, and Verizon all report increases in attack frequency over the last 8 quarters. You simply get probed for vulnerabilities more often, by more sophisticated means and attack vectors. One example is the recent use of exploit kits combined with malvertising on major news outlets. One click on a poisoned ad is enough, or even simply browsing to an infected page can kick off a drive-by-download.

2) Cost of attacks

Count the direct cost of an attack, the downtime it causes, the damage to your organization's reputation, the loss of business opportunity, the legal fees, and possibly the loss of your CEO, who gets fired by the board (as happened at Target).

3) Cybercrime focuses on Small to Medium Enterprises (SMEs) as attack targets

Hacked SMEs may feel like they’ve had bad luck, or that the bad guys have handpicked them. The reality is that attackers use both automated software that probes websites for easily exploited vulnerabilities and flaws, and thoroughly tested, massive phishing campaigns to spread botnets, Trojans and ransomware.

It is rare that the bad guys are targeting your company specifically, but it’s your responsibility if your organization is vulnerable enough to be a soft target.

4) The number of bad actors is expanding rapidly

Dozens of nation states are investing billions in their cyberwar attack capabilities. Don't think that's only focused on power and water infrastructure. They go after whole sectors of the economy, and that means degrading individual organizations running stock markets, financials, insurance, manufacturing and more.

Next, cybercrime-as-a-service is taking off – it is easier than ever for beginning cyber criminals to get started with sophisticated tools that are provided by a fast growing cyber-underground economy. Existing mafias are moving into this area with rapid speed and the criminal competition is furious.

5) Bad guys are going after the low-hanging fruit: your employees

Cyber criminals are business people too. Their time is money. Why spend 3 weeks to uncover a vulnerability in a popular piece of software when you can social engineer an employee in 10 seconds? Stepping employees through effective Security Awareness Training is one of the easiest steps to take with fast, measurable, and excellent ROI. Blog post here:
https://blog.knowbe4.com/the-top-5-reasons-to-invest-in-cyber-security

KnowBe4 Offer Ends December 31: Order Silver, Get Platinum!

"You get a great deal. We make it into the Inc. 500..." KnowBe4 is working really hard to make it into the Inc. 500. And you can benefit from that in a big way. As a year-end special, you can order the Silver Level, but get Platinum, a huge value with a lot of additional features.

Platinum has some pretty cool features to help you manage the social engineering problem a lot better. Having all the training modules as an all year, all-you-can-eat option is great, it includes the essential "Basics Of Credit Card Security" and the brand new Outlook Add-in Phish Alert button.

Send us your PO or signed quote before the end of business December 31 and you'll get all the Platinum goodies for the price of mere Silver. Here is a chart with the feature comparison. Find out how affordable this is for your organization and be pleasantly surprised:
https://info.knowbe4.com/order-silver-get-platinum?

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"The search for the truth is the most important work in the whole world, and the most dangerous." - James Clavell, Writer (1924 - 1994)

"As long as you live, keep learning how to live." - Lucius Annaeus Seneca, Philosopher, Statesman and Writer (4 BC – AD 65)


Thanks for reading CyberheistNews


Security News
This Week's Five Most Popular HackBusters Posts
    1. ALERT: This New Ransomware Steals Passwords Before Encrypting Files:
      http://www.hackbusters.com/news/stories/478284-alert-this-new-ransomware-steals-passwords-before-encrypting-files

    2. Anonymous Takes Down Five Government Websites in Iceland to Protest Whale Hunting:
      http://www.hackbusters.com/news/stories/474157-anonymous-takes-down-five-government-websites-in-iceland-to-protest-whale-hunting

    3. Swedish Court — 'We Can't Ban The Pirate Bay':
      http://www.hackbusters.com/news/stories/474736-swedish-court-we-can-t-ban-the-pirate-bay

    4. A Step-by-Step Guide — How to Install Free HTTPS/SSL Certificate on your Website:
      http://www.hackbusters.com/news/stories/478150-a-step-by-step-guide-how-to-install-free-https-ssl-certificate-on-your-website

    5. AT&T really wants you off that unlimited-data plan:
      http://www.hackbusters.com/news/stories/475050-at-t-really-wants-you-off-that-unlimited-data-plan-cnet

State & Local Government Hit By Malware, Ransomware More Than SMBs

Small and midsized businesses (SMBs) aren't the only ones in the bullseye of ransomware and other malware attacks: worldwide, nearly 70% of state and local government networks triggered malware or ransomware alerts, as did more than 70% of education networks.

Intrusion prevention firm Sentinel IPS found that about 39% of its other customers in its IPS sensor-based network sounded alerts for malware or ransomware between July 1 and November 9 of this year, among some 30 million alerts. An alert signals that malicious traffic is attempting to leave the organization, such as malware trying to "phone home" to its command and control server. The IPS then blocks that traffic. Article at DarkReading:
http://www.darkreading.com/attacks-breaches/state-and-local-government-hit-by-malware-ransomware-more-than-smbs/d/d-id/1323355

Top officials at the Senate Homeland Security and Governmental Affairs Committee also sounded the alarm on the ransomware cybersecurity threat.

Committee Chairman Ron Johnson (R-Wis.) and ranking member Tom Carper (D-Del.) sent letters to Homeland Security Secretary Jeh Johnson and Attorney General Loretta Lynch on Dec. 3, asking for more information on the federal government’s response to the growing trend used by cyber criminals. Article at Federal News Radio:
http://federalnewsradio.com/cybersecurity/2015/12/top-homeland-security-senators-raise-alarm-ransomware/

How Corporate America Keeps Huge Hacks Secret:

The backbone of America -- banks, oil and gas suppliers, the energy grid -- is under constant attack by hackers. But the biggest cyberattacks, the ones that can blow up chemical tanks and burst dams, are kept secret by a law that shields U.S. corporations. They're kept in the dark forever.

You could live near -- or work at -- a major facility that has been hacked repeatedly and investigated by the federal government. But you'd never know. What's more, that secrecy could hurt efforts to defend against future attacks.

The murky information that is publicly available confirms that there is plenty to worry about. Unnamed energy utilities and suppliers often make simple mistakes -- easily exposing the power grid to terrorist hackers and foreign spies. A CNN Money investigation has reviewed public documents issued by regulators that reveal widespread flaws. Here it is:
http://money.cnn.com/2015/11/30/technology/secret-deals-hacked-companies/index.html

2016 Top Projects & Top Priorities

50% of the 182 IT professionals who responded to Computerworld's forecast survey said they plan to increase spending on security technologies in the next 12 months. The digital version of the magazine has an article starting on page 23 on how security has been bumped up in priority and budgets. (link below)

Last column of page 25 and into page 26 makes a good case for security awareness training and why more needs to be done than just the annual training.

"The Bank of Labor in Kansas City requires employees to take part in a security awareness training program annually. But Shaun Miller, the bank’s information security officer, says that schedule renders the program "worthless" because threats change so quickly. To help people remain vigilant, Miller sends out phishing emails "the same way the bad guys do."

If users click on the links in these messages, they’re sent to a landing page and get immediate feedback about what they should have done differently. "I’m not doing this to get employees in trouble," Miller says. "I’m doing the same thing audit firms would do. People learn [best] from their mistakes." Here is the link (Page 25-26):
http://resources.idgenterprise.com/original/AST-0159023_2015_12_Computerworld.pdf

Target Class-action Hacking Settlement: $39 Million

"Target Corporation has agreed to pay financial institutions up to $39 million to settle a class-action suit related to its massive 2013 data breach. According to an announcement from the attorneys representing the plaintiffs, the proposed settlement of up to $39 million will apply to all U.S. financial institutions that issued payment cards put at risk as a result of the data breach. That includes up to $20 million that will go directly to members of the class action and to pay for the notice and administration of the settlement. The remaining $19 million will fund MasterCard’s Account Data Compromise program, according to the announcement."

Like I said, data breaches get more expensive by the year. More at:
http://www.cutimes.com/2015/12/02/target-settles-in-breach-suit?eNL=565f347f150ba08551753d18


Cyberheist 'FAVE' LINKS:
This Week's Links We Like, Tips, Hints And Fun Stuff
    • In China, a steel cable that was lying on the ground got snarled in the rotating broom of a street sweeper. Talk about a freak accident!
      https://youtu.be/JhuYzIQ1Zos
