CyberheistNews Vol 6 #25 Scam Of The Week: Lowlife Scum Exploits Recent Orlando Tragedy

Stu Sjouwerman

Just when you think they cannot sink any lower, criminal internet scum are now exploiting the tragedy in Orlando. Unfortunately, I have warned about these lowlifes from this spot before, when similar incidents happened. You need to alert your employees, friends and family... again.

Phishers are now sending a raft of scams your way, varying from blood drives to pleas for charitable contributions for victims and their families. Additional attack vectors are messages that promise exclusive or inside information or -- even worse -- smartphone videos shot at the scene.

Unfortunately, this type of scam is the worst kind of phishbait, and it is a very good idea to inoculate people before they get suckered into falling for a scam like this. I suggest you send the following short alert to as many people as you can.

[ALERT] "Lowlife internet scum is trying to benefit from the Orlando shootings. They are now sending out phishing campaigns that try to trick you into clicking on a variety of links about blood drives, charitable donations, "inside" information or "exclusive" videos. Don't let them shock you into clicking on anything, or open possibly dangerous attachments you did not ask for!

Anything you receive about the Orlando shootings, be very suspicious. With this topic, think three times before you click. It is very possible that it is a scam, even though it might look legit or was forwarded to you by a friend -- be especially careful when it seems to come from someone you know through email, a text or social media postings because their account may be hacked.

In case you want to donate to charity, go to your usual charity by typing their name in the address bar of your browser and do not click on a link in any email. Remember, these precautions are just as important at the house as in the office, and tell your family."

It is unfortunate that we continue to have to warn against the bad guys on the internet that use these tragedies for their own benefit. For KnowBe4 customers, we have three new templates related to this topic in the Current Events - and I strongly suggest you send one or two this week:

  • A friend has asked you to donate blood - find your nearest blood drive/blood center
  • Donations for Families of Orlando Shooting Victims - internal HR style email
  • New ISIS Video Celebrating Orlando Attacks Turns Up On Dark Web - CNN headline

Let's stay safe out there.

New RAA Ransomware Strain Created Entirely Using JavaScript

Larry Abrams, who runs Bleepingcomputer, was first to report on a new strain of ransomware called RAA. The criminal coders took the somewhat unusual step of writing the whole thing in JavaScript, making it more damaging in certain situations, and it also installs the Pony password stealer for good measure.

Larry wrote that it is being distributed by email through attachments that pretend to be a regular Doc file. Since JavaScript itself does not have crypto functions, the bad guys use the CryptoJS library which allows them to use AES encryption to lock up their victims' files.

Opening the attachment does not visibly do anything, but appears to the victim as a corrupted file. However, back at the ranch it is busy as a beaver doing its dirty work, including deleting the Windows Volume Shadow Copy so the encrypted files cannot be recovered.

The RAA strain is set to be persistent so that the ransomware runs every time Windows is rebooted. More technical detail here:
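For the delivery method described in this item, here is a mail-gateway style check, added as an example and not taken from this newsletter or from Bleepingcomputer. It flags attachments whose names end in an extension Windows runs as script and notes when the name or declared MIME type imitates a document; the extension and MIME lists, the function names and the sample message are assumptions constructed for illustration.

```python
import os
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed lists: extensions Windows runs as script, and document MIME types.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
DOC_MIMES = {"application/msword", "application/pdf", "application/rtf"}
# "doc", "pdf", ... appearing as a separate token in the file name stem.
DOC_HINT = re.compile(r"(?:^|[._\-\s])(docx?|pdf|xlsx?|rtf)(?:[._\-\s]|$)", re.I)


def flag_script_attachments(raw: bytes):
    """Return [(filename, reasons)] for attachments Windows would run as script."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        # Windows drops trailing dots and spaces, so "x.js." still runs as .js.
        name = (part.get_filename() or "").rstrip(" .")
        stem, ext = os.path.splitext(name.lower())
        if ext not in SCRIPT_EXTS:
            continue
        reasons = ["script-extension"]
        if DOC_HINT.search(stem):
            reasons.append("document-lookalike-name")
        if part.get_content_type() in DOC_MIMES:
            reasons.append("declared-as-document")
        findings.append((name, reasons))
    return findings


def build_sample() -> bytes:
    """Constructed test message; attachment bodies are harmless placeholders."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "billing@example.com", "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(b"// placeholder\n", maintype="application",
                       subtype="msword", filename="invoice_doc_.js")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="minutes.pdf")
    msg.add_attachment(b"// placeholder\n", maintype="application",
                       subtype="octet-stream", filename="notes.JS.")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in flag_script_attachments(build_sample()):
        print(f"{name}: {', '.join(reasons)}")
```

Attachments inside archives are not inspected here; a gateway would need to unpack them before applying the same check.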

Ransomware Hostage Rescue Manual

Get the most complete Ransomware Manual packed with actionable info that you need to have to prevent infections, and what to do when you are hit with ransomware. Download here:

Gartner Lists Top 10 Cyber Security Technologies

I was on the road last week and the first stop was the Gartner Security & Risk Summit in DC. We had a booth at the expo hall and met a lot of customers and new people interested in having a good platform to manage the ongoing problem of social engineering.

I was able to sit down with Gartner analysts Joanna Huisman and Perry Carpenter who are in charge of the Magic Quadrant for our space: Security Education (Awareness) Computer Based Training. Great discussion.

Data breaches are forecast to cost businesses a whopping 2.1 trillion dollars globally by 2019. At the same time, cyber security technologies are being developed to stop this. Gartner has attempted to identify up-and-coming cyber security technologies that are here to fight cyber-crime. Interesting reading if you want a glimpse of your Infosec future:

Top 3 Email Security Concerns For Your Board Of Directors

After Gartner, I keynoted last week's Credit Union Infosecurity Conference in New Orleans. While I was there, I was interviewed by Credit Union Times about the three biggest email threats we see at the moment at KnowBe4. Those email threats are relevant for everyone, not just financial institutions:

  1. CEO Fraud
  2. Ransomware
  3. W-2 Fraud

Paul McGillicuddy has a great slideshow that you should share with your C-level execs who can then send this to their Board. It's great ammo to increase your IT Security budget.

Cyber security is everyone's business including the Board of Directors. According to several studies, Boards are getting it wrong and are leaving cyber awareness and risk management in the hands of the CEO, CISO, and CTOs. In a sense they are abdicating their responsibility to the shareholders.

This slideshare proposes 7 questions every board should be asking their company executives. They're not necessarily all encompassing but will drive the discussion to better and more complete understanding of strategic risk.

Check out slides 14 and 15: Cyber Security's Biggest Obstacle? Low Security Awareness Among Employees. Could not have said it better myself:

Want To Pass An Audit In Half The Time And At Half The Cost?

Take a look at the KnowBe4 Compliance Manager (KCM). It simplifies the complexity of getting compliant and eases your burden of staying compliant year round, making passing an audit much, much easier: no more "Excel Hell".

KCM minimizes much of the busy work associated with audits and compliance, and at the same time enables you and your team to remain productive through an audit cycle.

Read the KCM review at Corporate Compliance Insights, request a demo, and see for yourself how much audit time and money you can save with KCM:

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"The human race has one really effective weapon, and that is laughter."
- Mark Twain - Author

"Just as a candle cannot burn without fire, men cannot live without a spiritual life."
- Buddha

Thanks for reading CyberheistNews

Security News
How Ransomware Changes Backup And Disaster Recovery

Trevor Pott has some very healthy procedures to follow if you want to protect your files against a ransomware infection.

"In the olden days of IT, a decent data protection scheme involved taking copies of all your data at relevant intervals and placing that data on a local backup server. That server would then either write the data to tape (to be couriered offsite) or send it out across the Internet to a secondary site or service provider.

The local copy of your data means quick recovery in the event of an issue which doesn't involve a site outage. An accidentally deleted file doesn't mean dragging information back across the Internet, and you get the added bonus of being able to clone out copies of your data for test and development purposes, without impacting production workloads.

Ransomware Changed Everything.

Many of today's ransomware packages not only corrupt data on a single computer or server, they corrupt data on backup servers as well. This could be because the backup servers have their shares available; because the ransomware jumped from the primary point of infection over to infecting the backup server; or because the ransomware is exploiting a vulnerability in the operating system or data protection software to corrupt backups directly." More:

Another Megahack: 1,100 Websites With 45 Million Accounts

Mega hacks affecting tens of millions of people are now occurring with depressing regularity. The latest hack is a breach of VerticalScope, which is responsible for more than 1,000 popular websites and forums, including,, and

More than 1,100 websites have been affected by the hack - with information from nearly 45 million user accounts stolen, according to LeakedSource, a website that tracks hacks and data dumps.

The passwords were encrypted, according to LeakedSource, "but less than 10% of the domains which account for a very small amount of leaked records used difficult to break encryption." As a result, LeakedSource - and potentially others - have been able to crack the passwords.

The data taken apparently includes email addresses, encrypted passwords, usernames, and IP addresses. Hacks like these that expose people's passwords are dangerous because they can lead to further hacks and account takeovers elsewhere. More:

The Value Of 'Vintage' Passwords To Hackers

Robert McCarthy at ComputerWorld wrote a good, to-the-point and useful article about the value of these older credential dumps like the 2012 LinkedIn hack. He makes some excellent points:

  • Subsets of these dumps are used to attack other sites
  • Password reuse is rampant and a major vulnerability
  • The value and importance of 2-factor Authentication

This is a recommended read, and was published as part of the IDG Contributor Network:

VIDEO: Cybersecurity Lessons Learned From The Swift Network Hack

The Chertoff Group’s Jim Pflaging discusses the cyber threats to the financial system and national security with Bloomberg’s Ramy Inocencio and Tom Giles on “Bloomberg West.” See the video; this is a good link to send to C-level execs and Board members to explain the urgency for more budget:

A Master Index Of APT Groups:

Steve Ragan at Salted Hash wrote: "Someone took the time to chart all the APT groups that have been identified over the years, and then link the groups between vendors. In addition, the index references the campaigns the groups are associated with, and their geographic location. Dr.Krypt3ia has expressed some thoughts on the list itself." I like Steve's dry sense of humor. The link to Dr.Krypt3ia's article is here but he's got steam coming out of his ears and the f-word is rampant. NSFW but funny as heck:

Cyberheist 'FAVE' LINKS:
This Week's Links We Like, Tips, Hints And Fun Stuff
    • It's summer. Watch out for highways buckling - as in this video. Dang, that will kill your suspension and send you to the chiropractor!
