New Ransomware Strain Encrypts Files From RAM / Scam Of The Week
Security researchers at venture-backed Invincea have discovered a new Russian ransomware strain they called "Fessleak". It delivers its malicious code straight into system memory and does not drop any files on disk, which means almost all antivirus software is unable to catch it.
The infection vector is malicious ads on popular websites. The cybercriminals are able to display these ads by bidding on the ad space through legitimate ad networks. End-users on their lunch break visit a major site like HuffingtonPost, CBSsports, or Match.com and check out someone's "Granny opening a new iPhone video".
Clicking that one link is enough to be confronted with a full screen announcing that all personal or business files, photos and videos have been encrypted, and that to get them back you need to pay a ransom in Bitcoin.
The cybercriminals first set up a short-lived burner domain directing to a landing page where the exploit kit is hosted. Then they start real-time bidding for ads pointing to the burner domain. Once their bad ad is displayed on a popular website and users click on it, they are redirected to the malicious domain which in turn infects their workstation.
Invincea said: "We continue to see new innovations in ransomware. More advanced versions now use file-less infections and communicate via the TOR network. They can also check to ensure the host is not running on a virtual machine to frustrate security researchers and analysis."
The same gang is also using 0-day exploits for Flash Player, and is apparently able to change their malware on the fly to exploit the most recent vulnerabilities. "Now Fessleak drops a temp file via Flash and makes calls to icacls.exe, the file that sets permissions on folders and files. At this time, there is no detection for the malicious binary, which likely rotates its hash value to avoid AV detection," the researchers say in the same blog post.
So, here are some recommendations to mitigate this type of attack:
Backup, Backup, Backup and take a weekly copy off-site.
Keep your attack surface as small as possible and religiously patch the OS and third party apps as soon as possible. www.Secunia.com might help.
Run a UTM and/or a good proxy, and block ads centrally rather than machine by machine. If that's not possible, install ad-blocker plugins in each browser.
It is increasingly clear that effective security awareness training is a must these days. End-users need to be on their toes with security top of mind.
Kevin Mitnick security awareness training combined with frequent simulated phishing attacks drops the average employee Phish-prone percentage in 12 months from about 16 percent down to just over 1 percent.
Scam Of The Week: Bank Phishing Attack Using Hacked Hotels
Here is a new scam. Sophisticated hackers first break into the phone system of a well known hotel in their scam target area. They grab one number and redirect it to their own server which provides a robo-voice for people dialing into that number.
Next, they send text messages to hundreds of thousands of people's smartphones in that hotel's area code, claiming there is a problem with their bank account and urging them to call the (hacked) number and follow the automated voice prompts to verify their credit card. As the number they need to call is in their own area code, people tend to get concerned and dial the number.
The texts are sent in bulk all at the same time, with varying bank names like Bank of America, Fifth Third Bank, and Wells Fargo. When victims call the number, they hear this:
"Thank you for calling [name of bank]. A text message has been sent to inform you that your debit card has been limited due to a security issue. To reactivate, please press 1 now." After pressing 1, the caller is prompted to enter the last four digits of their Social Security number, and then the full card number and expiration date.
This is a mix of scams known as "SMiShing" — phishing attacks sent via SMS text message — and voice phishing aka "vishing," where people are directed to call a number that answers with a voice prompt, spoofing their bank and instructing the caller to enter confidential data. According to Cloudmark, the incidence of SMS bank account phishing in the U.S. more than tripled in September 2014.
So I would send this to your users. (Feel free to edit.)
"There is a new type of scam going around. You get a fake text from 'your bank' on your cell phone stating there is a problem with your account. They urge you to call a number in your own area code. You get voice prompts that tell you to enter confidential information like your Social Security number and credit card number. Don't fall for this scam. Never call your bank from a number in an email or a text. Always take the number from your bank's website. This is true at home and also in the office."
For KnowBe4 customers, we have a new Vishing Template with the exact attack that the bad guys use as seen above. You can upload the phone numbers of your employees and send them this phone attack to inoculate them against social engineering attacks like this. Note that this is a feature of the Platinum level, and KnowBe4 offers all customers a 50% discount if they upgrade to Platinum. A new feature of the Platinum level is access to -all- available training modules. This is a Q1 special!
Warm Regards, Stu Sjouwerman
Quotes Of The Week
"The beauty of a woman must be seen from in her eyes, because that is the doorway to her heart, the place where love resides." - Audrey Hepburn
"The most important kind of freedom is to be what you really are." - Jim Morrison
15 Reviews Of The KnowBe4 Service (Unedited!)
Feb 6, 2015 at 3:40 PM: Cyali said: "I'll be redoing our security policy shortly, as well as spearheading a project to put together a real IT orientation as part of our onboarding process.
"As for KnowBe4, after a year of saying we needed to do a phishing test and train people, I finally got the OK to do one of their free phishing tests. Our overall percentage across all companies was 30% phish prone. One company was at 45%, and would likely have been around 55% or higher if one of the managers didn't go around yelling to people "Hey don't click on that IT message! It's a fake!" That's the behavior we absolutely want in a real situation, but it skewed our results a little in the test.
"After that, I put together a presentation for management and held mandatory meetings with all managers and GMs. After, I was able to convince my boss and the president that $10/user for a one-year subscription was more than worth it for training that could save us tens of thousands of dollars per year just in lost user and IT staff productivity from dealing with viruses.
"My latest campaign is finishing today, and I plan to send out an email today alerting people of the mandatory training we are instituting. In my opinion, it's an excellent solution to a very dire problem, especially in an environment like ours where a large portion of our users are click-happy."
Spear Phishing Attack Makes $17.2 Million In Three Days
Corporate cybercrime on an international scale has hit one of Omaha’s biggest and oldest companies. CEO Chuck Elsea's email address was spoofed and this cost them millions because their controller fell for the scam.
The Scoular Co., an employee-owned commodities trader founded 120 years ago, was a victim of spear-phishing costing them $17.2 million in an international scam, according to federal court documents filed by the FBI last month in U.S. District Court in Omaha.
Scoular's controller McMurtry was the one who was sent spoofed emails, and he wired the money in three installments last summer to a bank in China after receiving emails ordering him to do so.
The three wire transfers, the FBI says, happened in June 2014. They were prompted by emails purported to be from Scoular CEO Elsea, but were sent from an email address that wasn’t his normal company one.
The first email on June 26 instructed McMurtry to wire $780,000, which the FBI statement says he did. The next day, McMurtry was told to wire $7 million, which he also did. Three days later, another email was sent to McMurtry, instructing him to wire $9.4 million. McMurtry again complied.
How did the bad guys do it? The first two emails from the spoofed CEO contain the scam's setup, swearing the recipient to secrecy over a blockbuster international deal.
“I need you to take care of this,” read emails from the party pretending to be Elsea. “For the last months we have been working, in coordination and under the supervision of the SEC, on acquiring a Chinese company.... This is very sensitive, so please only communicate with me through this email, in order for us not to infringe SEC regulations.”
Well, that was a very expensive social engineering lesson learned. Don't let this happen to you. Get all employees stepped through effective security awareness training, and especially your C-level execs!
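The Scoular emails carried the CEO's name but came from an address that was not his normal company one, and they pushed the secrecy line quoted above. As an added example (not from this newsletter or from KnowBe4's tooling), the following Python check flags a message whose display name matches a known executive while the sending address, domain or Reply-To does not match the company's, and also looks for that "only communicate with me through this email" language; the company domain, executive list and sample message are constructed.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed example data: the company's real domain and the executives
# whose names a CEO-fraud email is likely to borrow (hypothetical values).
COMPANY_DOMAIN = "example-commodities.test"
EXECUTIVES = {"chuck elsea": "celsea@example-commodities.test"}

# Phrases typical of the setup described in the Scoular case: secrecy plus
# an instruction to reply only to the (attacker-controlled) address.
SECRECY_PHRASES = (
    "only communicate with me through this email",
    "very sensitive",
    "do not discuss",
)

def _normalize(name: str) -> str:
    return " ".join(name.lower().replace(",", " ").split())

def check_exec_impersonation(raw_message: str) -> dict:
    """Return findings for one RFC 822 message given as text."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    known = EXECUTIVES.get(_normalize(display_name))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    findings = {
        "from_addr": addr,
        # Name of a known executive, but not the address we have on file.
        "impersonates_exec": known is not None and addr.lower() != known,
        "external_domain": bool(domain) and domain != COMPANY_DOMAIN,
        "reply_to_differs": bool(reply_to) and reply_to.lower() != addr.lower(),
        "secrecy_language": any(p in text for p in SECRECY_PHRASES),
    }
    findings["suspicious"] = findings["impersonates_exec"] and (
        findings["external_domain"]
        or findings["reply_to_differs"]
        or findings["secrecy_language"]
    )
    return findings

# Constructed sample message modelled on the wording quoted above.
SAMPLE_EMAIL = """\
From: Chuck Elsea <chuck.elsea@ceo-private-mail.test>
To: controller@example-commodities.test
Subject: Wire instructions - confidential
Content-Type: text/plain; charset="us-ascii"

I need you to take care of this. This is very sensitive, so please only
communicate with me through this email.
"""

if __name__ == "__main__":
    print(check_exec_impersonation(SAMPLE_EMAIL))
```

A real deployment would pull the executive list from the directory and run this at the mail gateway, but the signals (name match, address mismatch, secrecy wording) are the ones the Scoular controller could have spotted by hand.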
Slideshow: The Worst Of The Worst Phishing Scams
You probably know CSOonline.com, the #1 website that provides news, analysis and research on a broad range of security and risk management topics. Areas of focus include information security, physical security, business continuity, identity and access management, loss prevention and more.
They regularly publish slideshows about hot topics and this time I was invited to cooperate on one of these. It's called: "The Worst Of The Worst Phishing Scams" and we have dug deep to find the ugliest phishing scams there are. They started the slides with: "The depths a phishing scammer will stoop to in order to gain a buck are remarkable. Here are some of the bottom feeders to guard against in your inbox."
This Week's Links We Like. Tips, Hints And Fun Stuff.
Yesterday I sat in an F16 combat simulator, wearing an Oculus Rift, and what I was seeing in 360 degrees was the Death Star, me being in an X-Wing and hunting TIE Fighters with R2D2 behind me. Totally awesome unique experience!: https://www.simcentertampabay.com/
This EMP cannon shuts down a car dead in its tracks. Available in a handgun form factor in 5 years. Time to get back to a pre-1970 car?