CyberheistNews Vol 6 #36 [ALERT] A New Criminal Phishing-As-A-Service Steals 688K Credentials

Stu Sjouwerman

Want someone's credentials? Just social engineer them. Phishing is still responsible for 91% of data breaches and has been for the last five years.

A Russian cyber mafia has created a website where just about any aspiring bad guy can generate a realistic-looking credentials phish and send it to whoever they want. This "PHaaS" site allows for potentially stealing the victim's username and passwords with practically no technical knowledge.

Fortinet published a blog post last Wednesday, and they provided details on this Russian-language site called "Fake-Game".

The site claims that it has been used to take over 688,610 accounts, has over 61K registered users, does not charge for usage, but has an upsell to “VIP accounts” that have extra benefits like browsing all other phished accounts. Fake-Game even has tech support, live chat and training videos.

To begin with, an aspiring "cybercrim" selects which website they want to create a credentials phish for. You can choose from a pull-down list that includes Facebook and Instagram, gaming platform Steam, and Email Service Providers like Gmail and

The next thing that Fake-Game does is generate a URL with a unique affiliate ID that allows the site to send the stolen credentials to the right "customer". Fake-Game provides the credentials phish plus the infrastructure to run it, but the end-user still needs to be social engineered. Sometimes the landing pages do not look all that good.

Once you have tricked a victim into entering their credentials, the site tells you in Engrish: "In your base entered a new account!", and you see the data with the victim's email address or username, password, IP address, and language.

Unfortunately this PHaaS site lowers the barrier to entry even further for anyone trying to make a living in cybercrime. Hackers can do a lot of things with these creds: send ransomware attacks to others, trade the credentials, sell them or a multitude of other nefarious activities.

You really want to step your users through effective security awareness training when the volume of phishing attacks is rising. Get a quote and find out how affordable this is for your organization. You will be pleasantly surprised. And phishing your own users is plain fun! Do it before the bad guys do...

Scam Of The Week: Tech Support Via Social Media

Proofpoint just blogged about the risks of (mis)using social media for technical support purposes.

It's a simple, brilliant scheme. The bad guys set up a fake PayPal Support page on Twitter, and then monitor the real PayPal Support page on Twitter for potential marks.

When users experiencing problems with PayPal hit the real Twitter PayPal Support account and their cries of woe appear, the bad guys swoop in and respond to these users from their fake PayPal Support account with a social engineering attack.

The response is a classic phish, pointing would-be victims to a fake PayPal support site where users are asked to log in with their PayPal credentials.

And once they do that they've handed over their PayPal credentials to malicious actors, effectively guaranteeing that whatever problems they were experiencing with PayPal will be nothing in comparison to the misery the bad guys will now inflict.

Social media: "That online space where you can not only waste endless hours of your precious time but also advertise yourself to fraud artists as ripe for the picking."

I suggest you send something like this to your employees, friends and family. You're welcome to copy/paste/edit:

"A lot of companies have support pages on social media. A good example is PayPal that has a Twitter support page. You need to watch out for bad guys who are tricking people with fake support pages. Here is how this scam goes down:

    1. The bad guys set up a fake PayPal Support page on Twitter.

    2. They monitor the real PayPal Support page on Twitter for potential victims.

    3. A PayPal user reports a problem on the real Twitter PayPal Support account.

    4. The bad guys swoop in and respond to that user from their fake PayPal Support page and tell the user to log in on a fake PayPal support site with their real PayPal username and password.

    5. Game over. Bad guys now own your account and steal money.

What To Do About It: If you have problems with a vendor, do not use social media to complain and/or resolve the issue because everyone else can see this including the bad guys. Go to that vendor's website and use their existing support webpage to create a trouble-ticket -- not their social media pages.

California Is Outlawing Ransomware. Good Luck With That...

Ransomware may soon be outlawed as a form of extortion in California if legislation S.B. 1137 is approved by Governor Jerry Brown. The bill was introduced by Senator Robert Hertzberg and, if it passes, may put culprits behind bars for up to 4 years.

The initiative has received widespread support from different quarters that want ransomware attacks to be treated as a felony. The state’s law enforcement unit and the tech sector all support the legislation.

“This is essentially an electronic stickup, and we need to treat it with the same seriousness and severity we would treat any stickup,” said Hertzberg.

One teeny little problem though: 90% of the ransomware mafia are Russian and have air cover from their pal Vladi Putin. Our law enforcement does not get much, if any, cooperation there, and Russia does not extradite.

Is this whole thing an exercise in futility? From my perspective mostly, except for perhaps one small benefit: raise awareness about this threat.

Survey: Only 34% of IT Pros ‘Very Confident’ They Could Recover from Ransomware

Tripwire just blogged about research they did regarding the ability to recover from ransomware infections.

They surveyed IT Pros at Blackhat 2016 and when asked if their companies could recover from a ransomware infection without losing critical data, only 34 percent of the respondents said they were “very confident” they could do so. Nearly one in 10 professionals (nine percent) said they were not at all confident.

Now, here comes an interesting case of contrary data:

Tripwire also found that 19 percent of respondents considered ransomware one of two top threats faced by their organizations, and a slightly higher fraction of participants (22 percent) said the same about phishing attacks, a common distribution vector of ransomware.

But...close to half (47 percent) of respondents said they weren’t confident their executives could spot a phish!

Tripwire recommends you begin to strengthen your security posture by investing in employee security awareness training. We would agree :-D More:

Don’t Miss The September Live Demo: New-School Security Awareness Training

Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old-school Security Awareness Training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, September 14, 2016, at 2:00 p.m. (EDT) for a 30-minute live product demonstration of the innovative Kevin Mitnick Security Awareness Training Platform. See the latest features and how easy it is to train and phish your users:

    • Send Phishing Security Tests to your users and get your Phish-prone percentage.
    • Roll out Training Campaigns for all users (or groups) with automated follow-up emails to “nudge” incomplete users, as well as point-of-failure training auto-enrollment.
    • Advanced Reporting to watch your Phish-prone percentage drop, with great ROI.
    • NEW EZXploit™ functionality that allows an internal, fully automated "human pentest”.
    • NEW USB Drive Test™ allows you to test your users’ reactions to unknown USBs found.

Find out how thousands of organizations have mobilized their end-users as their first line of defense. Register Now:

Cybercrime Inc: How Hacking Gangs Are Modeling Themselves On Big Business

Excellent article on ZDNet, which you can send to your bosses as ammo to get more IT security budget. They started out with:

"The clichéd image of a cybercriminal is one of a lone hacker, huddled over a computer in their parent's basement. Today, that stereotype couldn't be further from the truth, because -- now more than ever -- cybercrime is carried out by gangs running sophisticated operations.

"The most organized criminal groups, such as those active on the dark web, are operating like legitimate businesses, with departmentalized teamwork, collaboration tools, training, and even service agreements between malicious software providers and their hacker customers.

"When you start to see malware kits that have customer service agreements and warranties associated with them, you know that you've moved into a pretty professional space," says Nathaniel J Gleicher, former director for cybersecurity policy for the White House's National Security Council."

Send this whole -- very readable -- article up the flagpole, hinting that more IT Security budget is a really good idea:

And while you are at it, here is a great article you can send to your HR team that shows how *they* can help improve cybersecurity and prevent 'spoofing':

Know About Spiceworks? It's A Site For IT People

You may be familiar with SpiceWorks. It's a vertical social network for IT people that gives away network management tools and has a bunch of forums where people discuss technical issues. (They make money selling ads on the forums.)

This was posted a few days ago on SpiceWorks, and was super popular:

"Got this series of text messages from my girlfriend, Carla. She's nobody's fool when it comes to scams. Thought some of you might enjoy another scammer story.

"Richard" from the Windows Security Center just called and told me that my computer is downloading malicious and illegal stuff.

He asked if I was in front of my computer and I said, "Yes."

He asked me what I saw. I said, "Facebook." He asked me to minimize it. I said, "But I like Facebook."

He said I need to minimize it. I said nothing. He asked me if I minimized it yet. I said nothing. He asked me again. I said, "No."

He asked me if I wanted malicious software to continue to be downloaded. I said that was okay with me.

He said my computer is doing illegal things. I said, "I like danger."

He said Windows Server would shut down my computer within 48 hours. I didn't respond.

He said, "So, it's okay with you if I shut down your computer?" I said, "Go ahead."

He said my computer should be shut down within 48 hours.

I told him that he was no more "Richard" with Windows Security than I was the Queen of England.

This is why my mother can never have the Internet."

Now that was one very well-trained girlfriend!

Also, someone on SpiceWorks asked:

"Hi All, been in contact with a company called Knowbe4, they offer a simulated phishing attack to your users and discover how high your organization’s Phish-prone percentage is. Anyone heard of them or used them? Any information would be greatly appreciated. Thanks"

And here are the (unedited) answers:

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"A positive attitude causes a chain reaction of positive thoughts, events and outcomes. It is a catalyst and it sparks extraordinary results."
- Wade Boggs, Athlete

"Negative attitude is nine times more powerful than positive attitude."
- Bikram Choudhury

Thanks for reading CyberheistNews

Security News
Are Mandatory Password Changes Making Things Worse?

Some recent research seems to point in that direction. Why? Users only make small changes and use an algorithm that is very easy to guess. CSO has a good article about this.

"Lorrie Cranor, chief technologist of the Federal Trade Commission (FTC) created something of a media buzz earlier this year when she declared in a blog post that it was, “time to rethink mandatory password changes.”

"She also gave a keynote speech at the BSides security conference in Las Vegas a few weeks ago making the same point. But the message was not new – she has been preaching it for some time. She even gave a TED talk on it more than two years ago."

This is an interesting article that suggests many ways to solve this problem. What Kevin and I have been proposing for organizations that live (partially) in the cloud, where all processing is done in browsers, is password managers that create random, super-strong strings for each site; these are a great way to solve that problem.

If you cannot use that option, the article suggests a few other useful tactics, like user training, internal password hacking, multi-factor authentication, or using Apple's TouchID to wean users off passwords. More:
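The "small changes" problem above is easy to check for on the defender's side. The following is an added example, not code from the newsletter, the CSO article or KnowBe4: a password-change policy check that rejects a new password when it is a predictable edit of the old one. The list of transformations it undoes (trailing digits and symbols, case changes, a handful of leetspeak substitutions, reversal) is an assumption about common user habits, and the sample old/new pairs are constructed for the demonstration.

```python
"""Added example (not from the newsletter or the CSO article): flag password
changes that are trivial variants of the previous password. The transformation
rules and the sample data are assumptions, not taken from any real policy."""
import re
from difflib import SequenceMatcher
from typing import List, Optional, Tuple

# Leetspeak substitutions to undo (assumed, not exhaustive).
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})
# Digits and symbols users tack on at either end ("Summer2016!", "!!Password").
_DECORATION = r"[0-9!@#$%^&*()_+\-=.,?]+"
_TRAILING = re.compile(_DECORATION + "$")
_LEADING = re.compile("^" + _DECORATION)


def core(password: str) -> str:
    """Reduce a password to the part the user actually remembers: lowercase it,
    strip leading/trailing digits and symbols, then undo leetspeak."""
    stripped = _TRAILING.sub("", password.lower())
    stripped = _LEADING.sub("", stripped)
    return stripped.translate(_LEET)


def classify_change(old: str, new: str, similarity: float = 0.8) -> Optional[str]:
    """Return a reason string if `new` is a trivial variant of `old`, else None."""
    if old == new:
        return "identical"
    old_core, new_core = core(old), core(new)
    if old_core and old_core == new_core:
        return "same core (only case, leetspeak or trailing digits/symbols changed)"
    # Substring and reversal rules only make sense for cores of a few characters;
    # a core that stripped down to nothing (e.g. all digits) must not match.
    if min(len(old_core), len(new_core)) >= 4:
        if old_core in new_core or new_core in old_core:
            return "old password reused as a substring"
        if new_core == old_core[::-1]:
            return "old password reversed"
    # Catch-all: overall similarity of the two strings (0.0 to 1.0).
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    if ratio >= similarity:
        return f"too similar (ratio {ratio:.2f})"
    return None


def is_trivial_variant(old: str, new: str) -> bool:
    """Convenience wrapper for a policy hook: True means reject the change."""
    return classify_change(old, new) is not None


def audit(pairs: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Run the check over (old, new) pairs and return the flagged ones with reasons."""
    flagged = []
    for old, new in pairs:
        reason = classify_change(old, new)
        if reason is not None:
            flagged.append((old, new, reason))
    return flagged


if __name__ == "__main__":
    # Constructed sample changes, the kind a forced 90-day rotation produces.
    SAMPLE_CHANGES = [
        ("Summer2016!", "Summer2017!"),
        ("P@ssw0rd1", "Password2"),
        ("Winter2016", "6102retniW"),
        ("Tr0ub4dor&3", "correct horse battery staple"),
    ]
    for old, new, reason in audit(SAMPLE_CHANGES):
        print(f"REJECT {old!r} -> {new!r}: {reason}")
```

In practice the old password is only available in the clear at the moment the user types it during a change (the stored hash cannot be "un-stripped"), so this check belongs in the change-password handler, not in an offline scan of the hash database.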

Participate In The 2016-2017 Server Hardware / OS Reliability Survey

Many CyberheistNews subscribers have participated in this survey in the past. This is the 5th year we are running it as a co-production with ITIC.

The survey polls organizations on the minimum required reliability and uptime for their server hardware and server operating systems. It also polls you on the biggest issues and challenges that can potentially impact reliability. All responses are confidential. No sales people will call. Anyone who leaves a comment with their Email address is eligible to win a 150 dollar Amazon gift card.

Additionally, anyone who completes the survey can receive a complimentary copy of the results by messaging Once the survey is complete, we’ll post an Executive Summary of the results in CyberheistNews.

Here is the link to the survey:

Vint Cerf's Outlook On Security Of The Internet He Helped Create

The co-developer of TCP/IP comments on the security of the internet, and what needs to change. He lists a multitude of things that need to be in place to make it more secure. This is a very interesting 15 minutes that I strongly recommend, perhaps for a lunch break.

At 09:00 he comments on TCP/IP: that it was built for military use, and how he worked with the NSA while at DARPA coding TCP/IP:

Cyberheist 'FAVE' LINKS:
This Week's Links We Like, Tips, Hints And Fun Stuff
    • This site sells what appear to be USB flash drives, but are actually destructive. "The USB Kill collects power from the USB power lines (5V, 1 - 3A) until it reaches ~ -240V, upon which it discharges the stored voltage into the USB data lines. It's a device killer!":
    • Bizarre perfume ad by Spike Jonze is a must-see. This gal (Andie McDowell's daughter) is a riot, and there are mashups that are even funnier:
