CyberheistNews Vol #6 #37 Scam Of The Week: A New Type Of Tech Support Fraud



2015_CHN_logo.jpg CyberheistNews Vol 6 #37
Scam Of The Week: A New Type Of Tech Support Fraud
stu_sjouwerman_nov_20131-3.jpg

We spotted an unusual phishing email which revealed a new scam your users will soon find in their inbox. Time to inoculate them before it becomes a problem!

Many online service providers like Microsoft, Google, Facebook, Twitter, and PayPal have adopted a policy to warn users via email when there is a possible security-related event like "unusual sign-in activity".

Copies of these emails have been used for credential phishing for a few years, but the problem is these security notifications are now being used by bad guys as a new attack vector for a tech support scam.

These new "phish" point victims to a 1-800 number where either a scammer picks up, or the victim gets sent to voice mail hell for a while and their number is queued for a fraudulent follow-up call like the one below, which was sent to us by one of our customers -- who were well trained -- and did not fall for the scam.

PS: KnowBe4 uses HubSpot to host our website and for marketing automation so that is where this download link points to. It is safe to click, entertaining and instructive:
http://cdn2.hubspot.net/hubfs/241394/phone_phish.mp3

So, I suggest you send the following to your employees, friends and family. You're welcome to copy/paste/edit:

"There is a new scam you need to watch out for. In the last few years, online service providers like Google, Yahoo and Facebook have started to send emails to their users when there was a possible security risk, like a log-on to your account from an unknown computer.

Bad guys have copied these emails in the past, and tried to trick you into logging into a fake website they set up and steal your username and password. Now, however, they send these fake security emails with a 1-800 number that they claim you need to call immediately.

If you do, two things may happen:

1) You get to talk right away with a real internet criminal, usually with a foreign accent, that tries to scam you. They claim there is a problem with your computer, "fix" it, and ask for your credit card.

2) You get sent to voice mail and kept there until you hang up, but your phone number was put in a queue and the bad guys will call you and try the same scam.

Remember, if you get any emails that either promise something too good to be true, OR look like you need to prevent a negative consequence, Think Before You Click and in this case before you pick up the phone.

If you decide to call any vendor, go to their website and call the number listed there. Never use a phone number from any email you may have received. Here is a real example of such a call. Dont' fall for it!
http://cdn2.hubspot.net/hubfs/241394/phone_phish.mp3

The Numbers Are Against You And The FBI Is Outgunned

So, let's do a quick analysis of the cyber battlefield here. What are the bad guys up to? Check Point Software provided some fresh data a few days ago, which gives us the correct order of magnitude of what we are dealing with here. This by the way is great ammo to get more IT security budget.

  • 205 Billion emails sent every day
  • 39% of attachments contain malicious files
  • 34% of links embedded in emails are malicious
  • 77% of all malware is installed via email
  • Malware by file type: 52% are PDF, and 44% are EXE format

Now, how about the good guys? What are the Law Enforcement resources at our disposal to protect us against this digital onslaught? I found a September 7, 2016 interview with FBI Special Agent Lawrence Wolfenden who provided some worrisome stats.

He said: “Accept that a breach is going to occur, the issue is, what do you do about it.” That in itself is nothing new, but here are some interesting numbers:

The FBI has about 800 cyber agents, including 600 agents who conduct investigations, so the agency doesn’t have the ability to address every attack, and must triage the most significant ones.

By law, a 5,000 dollar loss must occur before the FBI can get involved in a case, but as a practical matter, the U.S. Attorney’s Office wants to see about 50,000 dollars or more in losses before the FBI gets involved, and the agency itself generally wants to see 100,000 to 200,000 dollars of loss before it can justify spending investigative resources, Wolfenden said.

In other words, if you get infected with ransomware and the ransom is less than 100-200K, you are on your own. Good thing to know.

Special Agent Wolfenden came up with three things you need to do to protect your network. We listed them at the KnowBe4 Blog:
https://blog.knowbe4.com/tampa-fbi-your-business-is-going-to-get-hacked-or-get-infected-with-ransomware

Seagate Sued By Own Employees For CEO Fraud Attack

Hard drive manufacturer Seagate was sued by its own employees as the result of a successful CEO fraud attack where all the personal information of 10,000 existing and former employees were stolen. Seagate lawyers defend the company claiming that the organization is not responsible for data leaks and that the attack was unexpected. Really?

http://www.law360.com/articles/838218/seagate-says-it-didn-t-see-phishing-scam-coming

The confidential information includes social security numbers, salary details, and W-2 tax information: essentially all that is required to steal someone's identity. Seagate divulged that all this information was stolen through social engineering an employee in HR who sent all the information to the bad guys thinking the request was legit.

In April, a group of employees decided to sue Seagate with a class-action complaint. Here is the PDF with the lawsuit:

https://cases.justia.com/federal/district-courts/california/candce/3:2016cv01958/297715/28/0.pdf

from the US District Court of Northern California. Why did they decide to sue?

The data was almost immediately used to file fraudulent tax returns

Top Class Action said: "The class action claims that employees are already falling victim to identity theft from the private information leak. The complaint alleges that “Almost immediately, the cybercriminals exploited Seagate’s wrongful actions and filed fraudulent federal and state tax returns in the names of the Employees.” The complaint also notes that some of those fraudulent tax returns were filed as joint returns, meaning that the hackers also have at least the social security numbers of employees’ spouses.

"The Seagate employee data breach class action lawsuit asserts that the cyber-criminals “may continue to exploit the data themselves and/or sell the data in the so-called ‘dark markets,’” and that “the Employees and Third-Party Victims are now, and for the rest of their lives will be, at a heightened risk of identity theft.”

The case is scheduled to be heard September 22, 2016 and rest assured we will report on this when there is news.

And we also strongly recommend to phish your own users to prevent these types of very expensive snafus.

Don’t Miss The September Live Demo: New-School Security Awareness Training

Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old-school Security Awareness Training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, September 14, 2016, at 2:00 p.m. (EDT) for a 30-minute live product demonstration of the innovative Kevin Mitnick Security Awareness Training Platform. See the latest features and how easy it is to train and phish your users:

    • Send Phishing Security Tests to your users and get your Phish-prone percentage.
    • Roll out Training Campaigns for all users (or groups) with automated follow-up emails to “nudge” incomplete users, as well as point-of-failure training auto-enrollment.
    • Advanced Reporting to watch your Phish-prone percentage drop, with great ROI.
    • NEW EZXploit™ functionality that allows an internal, fully automated "human pentest”.

    • NEW USB Drive Test™ allows you to test your user’s reactions to unknown USBs found.

Find out how thousands of organizations have mobilized their end-users as their first line of defense. Register Now:
https://attendee.gotowebinar.com/register/7414801130161859586

Having Some Phun With Phishers - CEO Fraud Blow-By-Blow

For the last 9 years I have been a board member of the public/private Clearwater Downtown Partnership. And as many public organizations, all the board member information is readily available through the website.

So, some half-smart phishing scammer sent me a CEO fraud email, demanding I send money urgently to a bank account. It was clear as daylight checking the headers that it was a fraud. I decided to see how long we could keep that going, here is the whole email exchange blow-by-blow. Enjoy!
https://blog.knowbe4.com/having-some-phun-with-phishers-ceo-fraud-blow-by-blow

44% Of CSOs Of Financial Services Increase Awareness Training Budget

Great DARKReading article about the shifting mindset of Financial Services CSOs. One part was particularly noteworthy:

"Training employees to be the first line of defense: Security professionals in the financial sector recognize that when it comes to protecting their firms, employees can be an asset in the fight against cyber attacks.

"Forty-four percent of CISOs stated that they’ve increased the amount of security awareness training employees receive. They’ve also boosted their investments in training for security staff. When everyone at the company understands that security is a priority and what they can do to keep the firm safe, security professionals sleep better at night.

"Overall, this mindset shift is a positive development. CSOs at financial services organizations are being realistic about their firms’ strengths and weaknesses. They’ve realized that relying solely on technology to prevent attacks isn’t an effective approach; security requires everyone at an organization to do their part." More:
http://www.darkreading.com/vulnerabilities---threats/the-shifting-mindset-of-financial-services-csos/a/d-id/1326836

And Financials are not alone. A majority of healthcare leaders are elevating cybersecurity as a priority, according to HIMSS.

As cybercriminals continue to assault the healthcare industry, most health executives are elevating data security as a business priority, according to the 2016 HIMSS Cybersecurity Survey, released Tuesday.

Eighty-five percent of the report’s 150 surveyed IT security leaders are increasing cybersecurity awareness, motivated by potential phishing attacks (80 percent of acute care providers, 65 percent non-acute); viruses or malware (68 percent acute, 65 percent non-acute); and risk assessment results (64 percent acute, 77 percent non-acute). More:
http://www.healthcareitnews.com/news/majority-healthcare-leaders-elevating-cybersecurity-priority-according-himss

Last but not least, here is a look into the HIPAA Guidelines for Ransomware Incidents. Count on this filtering out to other regulation like GLBA, SOX and potentially PCI-DSS:
http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/healthcare-for-ransom-a-look-into-the-hipaa-guidelines-for-ransomware-incidents

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"The greatness of a man is not in how much wealth he acquires, but in his integrity and his ability to affect those around him positively."- Bob Marley

"The price of greatness is responsibility."- Winston Churchill


Thanks for reading CyberheistNews


Security News
But, But, But... I Didn't Click!" False Positives In Phishing Tests

The following question was posted in the SANS Securing The Human forum. I thought it was a very good point and asked our VP Product Greg Kras for his perspective. First the question:

"But I didn't click! Our vendor for phishing assessments uses a custom link for the recipient. It works well except when the recipient forwards the email and someone else clicks on the same link. Can you share with me if you use a different type of tracking mechanism to reduce false positives?"

Greg answered:

"The same thing would happen with our platform, you would only know to whom the original email was sent and not necessarily who was the actual clicker. However what we do have that mitigates this problem is our Phish Alert Button (PAB) which is an add-in for Outlook/Office365 (soon Gmail & Lotus).

"This button is designed for a controlled method of reporting phish emails that ensures that the messages go to the right team and include all of the important information such as original headers. The PAB detects if the message is a simulated phish and lets the user know upon submission that it was simulated, deleting the message and not forwarding it to the incident team."

No-Charge Phish Alert Button for Outlook

When new ransomware campaigns hit your organization, it is vital that IT staff be alerted immediately. One of the easiest ways to convert your employees from potential targets and victims into allies and partners in the fight against ransomware is to roll out KnowBe4's complimentary Phish Alert Button to your employees' desktops.

Once installed, the Phish Alert Button allows your users on the front lines to sound the alarm when suspicious and potentially dangerous phishing emails slip past the other layers of protection your organization relies on to keep the bad guys at bay.

Get your (again, read this: no charge) Phish Alert Button Here:
https://www.knowbe4.com/free-phish-alert?

SANS Announces September OUCH!

"We are excited to announce the September issue of OUCH! This month, led by Guest Editor Robert M. Lee, we focus on Email Do's and Don'ts. Sometimes we get so focused on the bad guys that we forget we can be our own worst enemies. This is especially true of email, as I'm sure many of us have sent an email we regret, emailed the wrong person, or the ever dreaded REPLY-ALL. We cover these issues and more to help people safely navigate the world of email. As such, we ask you share OUCH! with your family, friends, and coworkers." English Version (PDF):
http://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201609_en.pdf

Funny Phishing Story: Your Online Order Receipt

A customer sent us this:

"Hi, I wanted to share a funny story with you...

My boss calls me into her office, very serious like. She sits me down and asks “Did you use the company credit card without authorization?” I am very confused, although I have access, I would not order anything without asking.

"I am the only IT person at our workplace, so given the item “ordered”, she came to me. So I said “No….what is it that you have a receipt for?” ….and she shows me this…

"I nearly busted out laughing, but thought better of it and explained that this was a phishing message designed to get you freaked out and click. Thankfully she came to me without clicking it, so the training is working, but gosh, some of these really come back to me haha!"

Thanks,
Name withheld to protect the innocent

This is the KnowBe4 Template that was sent to the end-user:
https://blog.knowbe4.com/funny-phishing-story-your-online-order-receipt


Cyberheist 'FAVE' LINKS:
This Week's Links We Like, Tips, Hints And Fun Stuff

Subscribe To Our Blog


Ransomware Hostage Rescue Manual

Recent Posts




Get the latest about social engineering

Subscribe to CyberheistNews