CyberheistNews Vol 6 #36 |
[ALERT] A New Criminal Phishing-As-A-Service Steals 688K Credentials |
Want someone's credentials? Just social engineer them. Phishing is still responsible for 91% of data breaches and has been for the last five years.
A Russian cyber mafia has created a website where just about any aspiring bad guy can generate a realistic-looking credentials phish and send it to whoever they want. This Phishing-as-a-Service ("PHaaS") site lets an operator harvest a victim's username and password with practically no technical knowledge.
Fortinet published a blog post last Wednesday, and they provided details on this Russian-language site called "Fake-Game".
The site claims that it has been used to take over 688,610 accounts, has over 61K registered users, does not charge for usage, but has an upsell to “VIP accounts” that have extra benefits like browsing all other phished accounts. Fake-Game even has tech support, live chat and training videos.
To begin with, an aspiring "cybercrim" selects which website they want to create a credentials phish for. You can choose from a pull-down list that includes Facebook and Instagram, gaming platform Steam, and Email Service Providers like Gmail and Mail.ru.
The next thing that Fake-Game does is generate a URL with a unique affiliate ID, which lets the site route the stolen credentials to the right "customer". Fake-Game provides the credentials phish plus the infrastructure to run it, but the end user still needs to be social engineered into visiting the page. Sometimes the landing pages do not look all that good.
Once you have tricked a victim into entering their credentials, the site tells you in Engrish: "In your base entered a new account!", and you see the data with the victim's email address or username, password, IP address, and language.
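The defensive side of the workflow above: a kit like this puts a brand-name login form on a domain the brand does not own, and every "customer" gets the same landing page with a different affiliate parameter in the URL. The script below is an added example (not from the newsletter or from Fortinet's write-up) that scans a constructed web-proxy log for credential POSTs to look-alike login pages for the brands the kit offers. The log format, the allow-list of legitimate login domains and the sample lines are all assumptions made for illustration; the kit's real URL layout is not described on this page.

```python
"""Flag credential submissions to look-alike login pages in constructed proxy logs.

Added example, not the newsletter's or Fortinet's code. The log format, the
allow-list and the sample lines are assumptions made for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Brands the kit reportedly offers templates for, mapped to the registrable
# domains that legitimately serve their login pages (allow-list is an assumption).
LEGIT_DOMAINS = {
    "facebook": {"facebook.com"},
    "instagram": {"instagram.com"},
    "steam": {"steampowered.com", "steamcommunity.com"},
    "gmail": {"google.com"},
    "google": {"google.com"},
    "mail.ru": {"mail.ru"},
}

# Form field names that mark a submission as a credential post.
CRED_FIELDS = {"password", "passwd", "pass", "pwd"}

# Assumed proxy log layout:
# "<timestamp> <client_ip> <METHOD> <url> <status>[ body=<urlencoded form>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})"
    r"(?: body=(?P<body>\S*))?$"
)


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); adequate for the brands above (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify(line: str):
    """Return an alert dict for a credential POST to a brand look-alike, else None."""
    m = LOG_RE.match(line.strip())
    if not m or m["method"] != "POST" or not m["body"]:
        return None
    fields = set(parse_qs(m["body"], keep_blank_values=True))
    if not fields & CRED_FIELDS:
        return None  # a POST, but not a login form
    parts = urlsplit(m["url"])
    host, path = parts.hostname or "", parts.path
    text = f"{host}{path}".lower()
    for brand, domains in LEGIT_DOMAINS.items():
        # Brand name in host or path, but the registrable domain is not the brand's.
        if brand in text and registrable_domain(host) not in domains:
            return {
                "ts": m["ts"],
                "client": m["client"],
                "brand": brand,
                "host": host,
                "path": path,
                # Keep the query string: the per-customer affiliate ID lives here,
                # so analysts can cluster victims per kit "customer".
                "query": parse_qs(parts.query),
            }
    return None


def scan(log_text: str):
    """Run classify() over every line and return the alerts in log order."""
    alerts = [classify(line) for line in log_text.splitlines() if line.strip()]
    return [a for a in alerts if a]


# Constructed sample log: one kit landing page for Facebook and one for Steam,
# a legitimate Facebook login, and an unrelated form post.
SAMPLE_LOG = """\
2016-09-06T10:01:02Z 10.0.0.12 GET http://facebook-login.example/index.php?uid=4471 200
2016-09-06T10:01:09Z 10.0.0.12 POST http://facebook-login.example/index.php?uid=4471 302 body=email=alice%40corp.example&pass=hunter2
2016-09-06T10:02:30Z 10.0.0.15 POST https://www.facebook.com/login.php 302 body=email=bob%40corp.example&pass=secret
2016-09-06T10:03:44Z 10.0.0.20 POST http://steam-community.example/login/?uid=9020 200 body=username=carol&password=x
2016-09-06T10:04:10Z 10.0.0.21 POST http://news.example/comment 200 body=text=hello
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['client']} -> {alert['brand']} look-alike "
              f"{alert['host']}{alert['path']} affiliate={alert['query']}")
```

Keying the alert on host plus path rather than the full URL matters here: the kit hands every customer the same landing page with a different affiliate ID, so de-duplicating on full URL would hide that one phishing page is serving many operators. The registrable-domain helper is deliberately naive; in production use a public-suffix list.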
Unfortunately this PHaaS site lowers the barrier to entry even further for anyone trying to make a living in cybercrime. Criminals can do a lot with these creds: use the compromised account to push ransomware to the victim's contacts, trade or sell the credentials, or pursue a multitude of other nefarious activities.
You really want to step your users through effective security awareness training when the volume of phishing attacks is rising. Get a quote and find out how affordable this is for your organization. You will be pleasantly surprised. And phishing your own users is plain fun! Do it before the bad guys do... https://info.knowbe4.com/kmsat_get_a_quote_now
|
Scam Of The Week: Tech Support Via Social Media |
Proofpoint just blogged about the risks of (mis)using social media for technical support purposes.
It's a simple, brilliant scheme. The bad guys set up a fake PayPal Support page on Twitter, and then monitor the real PayPal Support page on Twitter for potential marks.
When users experiencing problems with PayPal hit the real Twitter PayPal Support account and their cries of woe appear, the bad guys swoop in and respond to these users from their fake PayPal Support account with a social engineering attack.
The response is a classic phish, pointing would-be victims to a fake PayPal support site where users are asked to log in with their PayPal credentials.
And once they do that they've handed over their PayPal credentials to malicious actors, effectively guaranteeing that whatever problems they were experiencing with PayPal will be nothing in comparison to the misery the bad guys will now inflict.
Social media: "That online space where you can not only waste endless hours of your precious time but also advertise yourself to fraud artists as ripe for the picking."
I suggest you send something like this to your employees, friends and family. You're welcome to copy/paste/edit:
"A lot of companies have support pages on social media. A good example is PayPal that has a Twitter support page. You need to watch out for bad guys who are tricking people with fake support pages. Here is how this scam goes down:
- The bad guys set up a fake PayPal Support page on Twitter.
- They monitor the real PayPal Support page on Twitter for potential victims.
- A PayPal user reports a problem on the real Twitter PayPal Support account.
- The bad guys swoop in and respond to that user from their fake PayPal Support page and tell the user to log in on a fake PayPal support site with their real PayPal username and password.
- Game over. Bad guys now own your account and steal money.
What To Do About It: If you have problems with a vendor, do not use social media to complain and/or resolve the issue because everyone else can see this including the bad guys. Go to that vendor's website and use their existing support webpage to create a trouble-ticket -- not their social media pages.
|
California Is Outlawing Ransomware. Good Luck With That... |
Ransomware may soon be outlawed as a form of extortion in California if legislation S.B. 1137 is signed by governor Jerry Brown. The bill was introduced by Senator Robert Hertzberg and, if it passes, could put culprits behind bars for up to four years.
The initiative has received widespread support from different quarters that want ransomware attacks to be treated as a felony. The state’s law enforcement unit and the tech sector all support the legislation.
“This is essentially an electronic stickup, and we need to treat it with the same seriousness and severity we would treat any stickup,” said Hertzberg.
One teeny little problem though: 90% of the ransomware mafia are Russian and have air cover from their pal Vladimir Putin. U.S. law enforcement gets little if any cooperation there, and Russia does not extradite.
Is this whole thing an exercise in futility? From my perspective mostly, except for perhaps one small benefit: raise awareness about this threat.
Survey: Only 34% of IT Pros ‘Very Confident’ They Could Recover from Ransomware |
Tripwire just blogged about research they did regarding the ability to recover from ransomware infections.
They surveyed IT Pros at Blackhat 2016 and when asked if their companies could recover from a ransomware infection without losing critical data, only 34 percent of the respondents said they were “very confident” they could do so. Nearly one in 10 professionals (nine percent) said they were not at all confident.
Now, here comes an interesting case of contrary data:
Tripwire also found that 19 percent of respondents considered ransomware one of two top threats faced by their organizations, and a slightly higher fraction of participants (22 percent) said the same about phishing attacks, a common distribution vector of ransomware.
But...close to half (47 percent) of respondents said they weren’t confident their executives could spot a phish!
Tripwire recommends that you begin strengthening your security posture by investing in employee security awareness training. We would agree :-D More: http://www.tripwire.com/state-of-security/security-data-protection/survey-only-34-of-it-pros-very-confident-they-could-recover-from-ransomware/
|
Don’t Miss The September Live Demo: New-School Security Awareness Training |
Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old-school Security Awareness Training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.
Join us on Wednesday, September 14, 2016, at 2:00 p.m. (EDT) for a 30-minute live product demonstration of the innovative Kevin Mitnick Security Awareness Training Platform. See the latest features and how easy it is to train and phish your users:
- Send Phishing Security Tests to your users and get your Phish-prone percentage.
- Roll out Training Campaigns for all users (or groups) with automated follow-up emails to “nudge” incomplete users, as well as point-of-failure training auto-enrollment.
- Advanced Reporting to watch your Phish-prone percentage drop, with great ROI.
- NEW EZXploit™ functionality that allows an internal, fully automated "human pentest”.
- NEW USB Drive Test™ allows you to test your users' reactions to unknown USB drives they find.
Find out how thousands of organizations have mobilized their end-users as their first line of defense. Register Now: https://attendee.gotowebinar.com/register/7414801130161859586
|
Cybercrime Inc: How Hacking Gangs Are Modeling Themselves On Big Business |
Excellent article on ZDNet, which you can send to your bosses as ammo to get more IT security budget. They started out with:
"The clichéd image of a cybercriminal is one of a lone hacker, huddled over a computer in their parent's basement. Today, that stereotype couldn't be further from the truth, because -- now more than ever -- cybercrime is carried out by gangs running sophisticated operations.
"The most organized criminal groups, such as those active on the dark web, are operating like legitimate businesses, with departmentalized teamwork, collaboration tools, training, and even service agreements between malicious software providers and their hacker customers.
"When you start to see malware kits that have customer service agreements and warranties associated with them, you know that you've moved into a pretty professional space," says Nathaniel J Gleicher, former director for cybersecurity policy for the White House's National Security Council."
Send this whole -- very readable -- article up the flagpole, hinting that more IT Security budget is a really good idea: http://www.zdnet.com/article/cybercrime-inc-how-hacking-gangs-are-modeling-themselves-on-big-business/
And while you are at it, here is a great article you can send to your HR team that shows how *they* can help improve cybersecurity and prevent 'spoofing': http://www.hrdive.com/news/how-hr-can-help-improve-cybersecurity-and-prevent-spoofing/425526/
|
Know About Spiceworks? It's A Site For IT People |
You may be familiar with SpiceWorks. It's a vertical social network for IT people that gives away network management tools and has a bunch of forums where people discuss technical issues. (They make money selling ads on the forums.)
This was posted a few days ago on SpiceWorks, and was super popular:
"Got this series of text messages from my girlfriend, Carla. She's nobody's fool when it comes to scams. Thought some of you might enjoy another scammer story.
"Richard" from the Windows Security Center just called and told me that my computer is downloading malicious and illegal stuff.
He asked if I was in front of my computer and I said, "Yes."
He asked me what I saw. I said, "Facebook." He asked me to minimize it. I said, "But I like Facebook."
He said I need to minimize it. I said nothing. He asked me if I minimized it yet. I said nothing. He asked me again. I said, "No."
He asked me if I wanted malicious software to continue to be downloaded. I said that was okay with me.
He said my computer is doing illegal things. I said, "I like danger."
He said Windows Server would shut down my computer within 48 hours. I didn't respond.
He said, "So, it's okay with you if I shut down your computer?" I said, "Go ahead."
He said my computer should be shut down within 48 hours.
I told him that he was no more "Richard" with Windows Security than I was the Queen of England.
This is why my mother can never have the Internet."
Now that was one very well-trained girlfriend! https://community.spiceworks.com/topic/1794718-microsoft-support-scam-vs-the-girlfriend
Also, someone on SpiceWorks asked:
"Hi All, been in contact with a company called Knowbe4, they offer a simulated phishing attack to your users and discover how high your organization’s Phish-prone percentage is. Anyone heard of them or used them? Any information would be greatly appreciated. Thanks"
And here are the (unedited) answers: https://community.spiceworks.com/topic/951007-has-anyone-used-knowbe4?
|
Warm Regards, Stu Sjouwerman |