CyberheistNews Vol 6 #24 Scam Of The Week: Nasty Two-Factor Auth Text Hack
Stu Sjouwerman

We all know that two-factor authentication (2FA) is much better than just simple user/password credentials. However, there is a nasty spoofing trick that bypasses 2FA if the user does not pay attention.

Warn your users who have 2FA-enabled accounts about this scam; they are usually key people with access to sensitive information.

It's a classic social engineering attack that plays on preventing a negative consequence and uses two scenarios to pull this off.

Here is the blog post with the two scenarios -- one of them the recent cluster of megabreaches comprising a whopping 642 million passwords -- the four steps that show how this scam goes down, and a proposed email that you can send to employees, family and friends:
https://blog.knowbe4.com/scam-of-the-week-nasty-two-factor-auth-text-hack

Ransomware, The Great White Shark of Malware, Or The Malware Supervillain?

Wayne Rash at eWeek interviewed me about the Crysis malware strain which combines multiple threats and works multi-platform: Mac and Windows.

He started out with: "The latest release of Crysis malware combines ransomware with a data breach, and then spreads on its own. In some ways, the latest variation of Crysis (or Crisis, depending on whom you ask) malware either provides something for everyone, or it's a nightmare scenario, depending on how you look at it.

When Crysis first came to light, it was a fairly typical, if annoying, form of ransomware. It would encrypt some files and then demand ransom, ostensibly offering to decrypt those files if you paid.

Things have changed. Following a series of monthly updates, this malware is now able to exfiltrate critical files and user information, gain administrator rights to the computer it's infecting and take over as an admin user. It also doesn't matter if the computer is a PC or a Mac because Crysis can infect either platform, and once inside a network, it can also attack virtual machines and any server visible to the computer it's on. More:
http://www.eweek.com/security/malware-crysis-new-strain-combines-multiple-threats-platforms.html

If you want a technical analysis of Crysis, Symantec has a good one:
http://tinyurl.com/Crysis-Symantec

New Type Of Spear Phish Directly Targeted At IT Pros

A member of the SpiceWorks IT forums reported he had received a new type of hybrid attack: first a phone call to his desk, followed up with a phishing email laced with malware, promoting IBM products.

Hovering over the links clearly showed it was dodgy, to say the least. Now, this was in Europe, but as I have mentioned here regularly, that area is very often used as beta-test territory, and once they have perfected the phishing attack, it gets unleashed on the U.S.

So consider this a heads-up. Receiving a phone call from a vendor, followed up by an email, might lower your defenses, and you might be a bit less skeptical before you click on a link. Don't fall for it. Always hover over that link before you click!

System admins are people with a target on their back, because they have admin credentials and could inadvertently hand over full network access to attackers. Let's stay safe out there. Here is what the attack looks like:
https://blog.knowbe4.com/new-type-of-spear-phishing-directly-targeted-at-it-pros

Just For Show: 11 Theatrical Security Measures That Don't Make Your Systems Safer

CSO has a great and very entertaining slide show. They wrote:

"The term "security theater" was coined to describe the array of security measures at U.S. airports -- taking off shoes, patting down children and the elderly -- that project an image of toughness without making commercial aviation any safer. But the man who came up with the phrase is famous cybersecurity expert Bruce Schneier, and it could just as easily apply to a number of common tech security measures. We talked to an array of tech experts to discover what security technologies are often just for show."

At least click through to slide 8, where you will find yours truly!
http://www.csoonline.com/article/3078052/security/just-for-show-11-theatrical-security-measures-that-dont-make-your-systems-safer.html

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"The difference between a goal and a dream is a deadline." - Steve Smith

"A man should look for what is, and not for what he thinks should be." - Albert Einstein


Thanks for reading CyberheistNews


Security News
IoT 2016 Deployment And Usage Trends Survey!

The Internet of Things (IoT) is among the hottest topics in high tech. How will it affect your organization? What are the potential benefits and challenges of IoT that might speed or impede your deployment?

Strategy Analytics is teaming up with KnowBe4 to conduct a survey that examines the business and technology drivers and challenges associated with IoT migrations and deployment.

The survey consists of multiple-choice questions and one essay question. It should only take about 10 minutes to complete. Please leave your email address in the essay/comment question for a chance to win a 100-dollar Amazon gift card. All responses are confidential.

We will publish an Executive Summary of the survey results in an upcoming issue of the KnowBe4 newsletter. In addition, anyone who completes the survey can get a complimentary copy of the report by emailing Laura DiDio at ldidio@strategyanalytics.com.

Thanks for participating in our IoT 2016 Deployment and Usage Trends Survey!

Laura DiDio, Strategy Analytics Director of IoT Research

Stu Sjouwerman,
CEO KnowBe4

Here is the link to the survey: https://www.surveymonkey.com/r/XF7QCQH

F-Secure's Mikko Hypponen Details 5 Top Cybercrime Trends

Hypponen is a great presenter with a dry sense of humor, and is always fun to read or watch. He highlights five current trends to watch, and explains a bit more about each.

  1. Nation State Robs Banks
  2. Malware: Locking PCs Since 1989
  3. Criminals Build Business Empires
  4. Bad Password Practices Still Bite
  5. Cybercrime Unicorns: No Myth

Read it, laugh and weep at the same time:
http://www.databreachtoday.com/f-secures-mikko-hypponen-details-5-top-cybercrime-trends-a-9181

Told You The Norks Did It: New Evidence Links Lazarus Group To SWIFT Banking Attacks

Analysis of the SWIFT attacks revealed five additional pieces of malware containing portions of code shared with the North Korean Lazarus Group. While security experts continue to investigate the cyber heists that involved SWIFT systems, new evidence collected by a senior security researcher from Anomali Labs links the malware to the hacker crew known as Lazarus Group.

The researchers found that these five additional strains of malware suggest the involvement of the Lazarus Group in the cyber attacks that targeted the banks. Experts at Symantec had already linked the malware used in the attack with North Korea. More:
http://securityaffairs.co/wordpress/47941/malware/lazarus-group-swift-attacks.html

Email Is A Hotbed Of Hacking Innovation

"How many layers does your email security need? At least one more layer than the attacker can defeat.

Most IT people find email gateways justifiably boring. They’ve been around almost as long as email, after all. Everybody has one. You probably only notice them when they miss obvious spam or block legitimate mail. For everything else, you probably figure email gateways are all pretty much the same, and as long as you checked the box, you can think about something else. Out of sight, out of mind, right?

The only problem is, that’s likely completely wrong. Here's how to improve your odds by turning on little-used or newer capabilities to block email-targeted malware." Very good article at DarkReading by Chris Harget:
http://www.darkreading.com/operations/how-many-layers-does-your-email-security-need/d/d-id/1325791

Angler Exploit Kit Evading EMET

FireEye posted something on their blog that caught my eye. Being able to circumvent Redmond's EMET is an impressive technical achievement; too bad these guys are criminals:

"We recently encountered some exploits from Angler Exploit Kit (EK) that are completely evading Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). This is something we are seeing for the first time in the wild, and we only observed it affecting systems running Windows 7.

Angler EK uses complex multi-layered code obfuscation and leverages multiple exploits, as seen in Figure 1 and Figure 2. These capabilities make Angler EK one of the more sophisticated exploit kits in use." More:
https://www.fireeye.com/blog/threat-research/2016/06/angler_exploit_kite.html

What Does A Security Awareness Training Program Need To Include?

An effective security awareness training program can make a significant difference in enterprise security. Mike O. Villegas listed what makes a good security awareness program at TechTarget. Here are the highlights:

  • Informational: Stress the basics, like password controls, phishing emails, suspicious websites and downloads, privacy, physical security and more.
  • All-inclusive: All employees should go through and acknowledge in writing that they have undergone training.
  • Relevant: Show the significance of not complying with security.
  • Fun!
  • Attention-getting: Send fake phishing emails to employees and post results. After being a victim once, they will be much more vigilant going forward.
  • Not overdone: Security awareness should be integrated in the business culture but with moderation.

In addition to these qualities, ensure that management is familiar with and supportive of the security awareness training program. Here is the full article (registration required):
http://searchsecurity.techtarget.com/answer/What-does-a-security-awareness-training-program-need-to-include

Companies Are Stockpiling Bitcoin To Pay Off Cybercriminals

The rise of malware that holds data hostage has led companies to buy Bitcoin to use as ransom in case of an attack.

Digital currency Bitcoin is variously promoted as an alternative to gold, a good way to make international transfers, or the future of e-commerce. New research suggests that companies are now stockpiling Bitcoin for a different reason: so they can pay up quickly if their data is held ransom by malicious software. Article at TechnologyReview:
https://www.technologyreview.com/s/601643/companies-are-stockpiling-bitcoin-to-pay-off-cybercriminals/