CyberheistNews Vol 5 #6 Feb 10, 2015 New Ransomware Strain Encrypts Files From RAM / Scam Of The Week


New Ransomware Strain Encrypts Files From RAM / Scam Of The Week

Security researchers at venture-backed Invincea have discovered a new Russian ransomware strain they called "Fessleak". It delivers its malicious code straight into system memory and does not drop any files on disk. That means almost all antivirus software cannot catch it.

The infection vector is malicious ads on popular websites. The cybercriminals are able to display these ads by bidding on the ad space through legitimate ad networks. End-users on their lunch break visit a major site like HuffingtonPost or CBSsports and check out someone's "Granny opening a new iPhone" video.

Clicking that one link is enough to be confronted with a full screen announcing that all personal or business files, photos and videos have been encrypted, and that to get them back you need to pay a ransom in Bitcoin.

The cybercriminals first set up a short-lived burner domain directing to a landing page where the exploit kit is hosted. Then they start real-time bidding for ads pointing to the burner domain. Once their bad ad is displayed on a popular website and users click on it, they are redirected to the malicious domain, which in turn infects their workstation.

Invincea said: "We continue to see new innovations in ransomware. More advanced versions now use file-less infections and communicate via the TOR network. They can also check to ensure the host is not running on a virtual machine to frustrate security researchers and analysis."

The same gang is also using 0-day exploits for Flash Player, and is apparently able to change its malware on the fly to exploit the most recent vulnerabilities. "Now Fessleak drops a temp file via Flash and makes calls to icacls.exe, the file that sets permissions on folders and files. At this time, there is no detection for the malicious binary, which likely rotates its hash value to avoid AV detection," the researchers say in the same blog post.
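Because the binary rotates its hash, a defender is better off alerting on the behaviour the researchers describe: a browser or Flash host process launching icacls.exe, especially against a freshly dropped temp file. The following is an added example, not Invincea's or KnowBe4's code; the key="value" event format, the list of browser host processes and the temp-path heuristic are all assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events in a hypothetical key="value" format.
# A real deployment would read Sysmon event ID 1 or an EDR process feed instead.
SAMPLE_EVENTS = [
    '2015-02-06T12:04:10 parent="C:\\Program Files\\Mozilla Firefox\\plugin-container.exe" '
    'image="C:\\Windows\\System32\\icacls.exe" '
    'cmd="icacls.exe C:\\Users\\bob\\AppData\\Local\\Temp\\tmp4F2A.tmp /deny Everyone:(R)"',
    '2015-02-06T12:05:02 parent="C:\\Windows\\explorer.exe" '
    'image="C:\\Windows\\System32\\icacls.exe" cmd="icacls.exe D:\\Share /grant Users:R"',
    '2015-02-06T12:05:30 parent="C:\\Program Files\\Internet Explorer\\iexplore.exe" '
    'image="C:\\Windows\\notepad.exe" cmd="notepad.exe"',
    '2015-02-06T12:06:00 parent="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
    'image="C:\\Windows\\System32\\icacls.exe" cmd="icacls.exe D:\\Docs /reset"',
]

# Browser and Flash host processes that have no business spawning icacls.exe
# (assumed list; extend it for the browsers actually deployed).
BROWSER_HOSTS = {"iexplore.exe", "firefox.exe", "plugin-container.exe",
                 "chrome.exe", "flashplayerplugin.exe"}
EVENT_RE = re.compile(r'parent="([^"]*)" image="([^"]*)" cmd="([^"]*)"')
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

def parse_event(line):
    """Return (parent_basename, image_basename, cmdline) or None if unparsable."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    parent, image, cmd = m.groups()
    return (PureWindowsPath(parent).name.lower(),
            PureWindowsPath(image).name.lower(), cmd)

def classify(line):
    """Severity for one event: 'high' if a browser/Flash host runs icacls.exe
    against a %TEMP% path, 'medium' if it runs icacls.exe at all, else None."""
    parsed = parse_event(line)
    if parsed is None:
        return None
    parent, image, cmd = parsed
    if image != "icacls.exe" or parent not in BROWSER_HOSTS:
        return None  # icacls.exe from explorer.exe or an admin shell is routine
    return "high" if TEMP_RE.search(cmd) else "medium"

def scan(lines):
    """Return [(severity, line)] for every event worth an analyst's attention."""
    return [(sev, line) for line in lines if (sev := classify(line))]
```

Run `scan(SAMPLE_EVENTS)` over a real process feed in the same shape; the explorer.exe and notepad.exe events stay silent while the two browser-spawned icacls.exe events are flagged.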

So, here are some recommendations to mitigate this type of attack:

  1. Backup, backup, backup, and take a weekly copy off-site.
  2. Keep your attack surface as small as possible and religiously patch the OS and third-party apps as soon as possible.
  3. Run a UTM and/or a good proxy and block ads centrally rather than machine by machine. If that's not possible, install ad-blocker plugins in each browser.
  4. It is increasingly clear that effective security awareness training is a must these days. End-users need to be on their toes with security top of mind.

Kevin Mitnick security awareness training combined with frequent simulated phishing attacks drops the average employee Phish-prone percentage in 12 months from about 16 percent down to just over 1 percent.

Find out how affordable this is for your organization today.

Scam Of The Week: Bank Phishing Attack Using Hacked Hotels

Here is a new scam. Sophisticated hackers first break into the phone system of a well-known hotel in their scam target area. They grab one number and redirect it to their own server, which provides a robo-voice for people dialing into that number.

Next, they send text messages to hundreds of thousands of people's smartphones in that hotel's area code, claiming there is a problem with their bank account and urging them to call the (hacked) number and follow the automated voice prompts to verify their credit card. As the number they need to call is in their own area code, people tend to get concerned and dial the number.

The texts are sent in bulk all at the same time, with varying bank names like Bank of America, Fifth Third Bank, and Wells Fargo. When victims call the number, they hear this:

"Thank you for calling [name of bank]. A text message has been sent to inform you that your debit card has been limited due to a security issue. To reactivate, please press 1 now." After pressing 1, the caller is prompted to enter the last four digits of their Social Security number, and then the full card number and expiration date.

This is a mix of scams known as "SMiShing" — phishing attacks sent via SMS text message — and voice phishing, aka "vishing," where people are directed to call a number that answers with a voice prompt, spoofing their bank and instructing the caller to enter confidential data. According to Cloudmark, the incidence of SMS bank account phishing in the U.S. more than tripled in September 2014.

So I would send this to your users. (Feel free to edit.)

"There is a new type of scam going around. You get a fake text from 'your bank' on your cell phone stating there is a problem with your account. They urge you to call a number in your own area code. You get voice prompts that tell you to enter confidential information like your Social Security and credit card numbers. Don't fall for this scam. Never call your bank at a number from an email or a text. Always take the number from your bank's website. This is true at home and also in the office."

For KnowBe4 customers, we have a new Vishing Template with the exact attack that the bad guys use as seen above. You can upload the phone numbers of your employees and send them this phone attack to inoculate them against social engineering attacks like this. Note that this is a feature of the Platinum level, and KnowBe4 offers all customers a 50% discount if they upgrade to Platinum. A new feature of the Platinum level is access to -all- available training modules. This is a Q1 special!

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"The beauty of a woman must be seen from in her eyes, because that is the doorway to her heart, the place where love resides." - Audrey Hepburn

"The most important kind of freedom is to be what you really are." - Jim Morrison

Security News


15 Reviews Of The KnowBe4 Service (Unedited!)

Feb 6, 2015 at 3:40 PM: Cyali said: "I'll be redoing our security policy shortly, as well as spearheading a project to put together a real IT orientation as part of our onboarding process.

"As for KnowBe4, after a year of saying we needed to do a phishing test and train people, I finally got the OK to do one of their free phishing tests. Our overall percentage across all companies was 30% phish prone. One company was at 45%, and would likely have been around 55% or higher if one of the managers didn't go around yelling to people 'Hey don't click on that IT message! It's a fake!' That's the behavior we absolutely want in a real situation, but it skewed our results a little in the test.

"After that, I put together a presentation for management and held mandatory meetings with all managers and GMs. After, I was able to convince my boss and the president that $10/user for a one-year subscription was more than worth it for training that could save us tens of thousands of dollars per year just in lost user and IT staff productivity from dealing with viruses.

"My latest campaign is finishing today, and I plan to send out an email today alerting people of the mandatory training we are instituting. In my opinion, it's an excellent solution to a very dire problem, especially in an environment like ours where a large portion of our users are click-happy."

You can see 15 more (unedited!) reviews at Spiceworks. Click on the Ratings Breakout bar and they will show sorted by stars and you can scroll down. Click on 'Show More Activity' for all of them:

Spear Phishing Attack Makes $17.2 Million In Three Days

Corporate cybercrime on an international scale has hit one of Omaha's biggest and oldest companies. CEO Chuck Elsea's email address was spoofed, and this cost them millions because their controller fell for the scam.

The Scoular Co., an employee-owned commodities trader founded 120 years ago, was a victim of spear-phishing costing them $17.2 million in an international scam, according to federal court documents filed by the FBI last month in U.S. District Court in Omaha.

Scoular's controller McMurtry was the one who was sent spoofed emails, and he wired the money in three installments last summer to a bank in China after receiving emails ordering him to do so.

The three wire transfers, the FBI says, happened in June 2014. They were prompted by emails purported to be from Scoular CEO Elsea, but were sent from an email address that wasn't his normal company one.

The first email on June 26 instructed McMurtry to wire $780,000, which the FBI statement says he did. The next day, McMurtry was told to wire $7 million, which he also did. Three days later, another email was sent to McMurtry, instructing him to wire $9.4 million. McMurtry again complied.

How did the bad guys do it? The first two emails from the spoofed CEO contain the scam's setup, swearing the recipient to secrecy over a blockbuster international deal.

"I need you to take care of this," read emails from the party pretending to be Elsea. "For the last months we have been working, in coordination and under the supervision of the SEC, on acquiring a Chinese company.... This is very sensitive, so please only communicate with me through this email, in order for us not to infringe SEC regulations."

Well, that was a very expensive social engineering lesson learned. Don't let this happen to you. Get all employees stepped through effective security awareness training, and especially your C-level execs!

Slideshow: The Worst Of The Worst Phishing Scams

You probably know, the #1 website that provides news, analysis and research on a broad range of security and risk management topics. Areas of focus include information security, physical security, business continuity, identity and access management, loss prevention and more.

They regularly publish slideshows about hot topics and this time I was invited to cooperate on one of these. It's called "The Worst Of The Worst Phishing Scams" and we have dug deep to find the ugliest phishing scams there are. They started the slides with: "The depths a phishing scammer will stoop to in order to gain a buck are remarkable. Here are some of the bottom feeders to guard against in your inbox."

A very good thing to send to your users to inoculate them against social engineering attacks! This is the link to the webpage:

Yesterday I sat in an F-16 combat simulator, wearing an Oculus Rift, and what I was seeing in 360 degrees was the Death Star, me being in an X-Wing and hunting TIE Fighters with R2-D2 behind me. Totally awesome, unique experience!:

This EMP cannon shuts down a car dead in its tracks. Available in a handgun form factor in 5 years. Time to get back to a pre-1970 car?
