CyberheistNews Vol 6 #37
Scam Of The Week: A New Type Of Tech Support Fraud
We spotted an unusual phishing email which revealed a new scam your users will soon find in their inbox. Time to inoculate them before it becomes a problem!
Many online service providers like Microsoft, Google, Facebook, Twitter, and PayPal have adopted a policy to warn users via email when there is a possible security-related event like "unusual sign-in activity".
Copies of these emails have been used for credential phishing for a few years, but the problem is these security notifications are now being used by bad guys as a new attack vector for a tech support scam.
These new "phish" point victims to a 1-800 number. Either a scammer picks up right away, or the victim is sent to voice mail hell for a while and their number is queued for a fraudulent follow-up call like the one below, which was sent to us by one of our customers, who were well trained and did not fall for the scam.
PS: KnowBe4 uses HubSpot to host our website and for marketing automation so that is where this download link points to. It is safe to click, entertaining and instructive: http://cdn2.hubspot.net/hubfs/241394/phone_phish.mp3
So, I suggest you send the following to your employees, friends and family. You're welcome to copy/paste/edit:
"There is a new scam you need to watch out for. In the last few years, online service providers like Google, Yahoo and Facebook have started to send emails to their users when there was a possible security risk, like a log-on to your account from an unknown computer.
Bad guys have copied these emails in the past, and tried to trick you into logging into a fake website they set up and steal your username and password. Now, however, they send these fake security emails with a 1-800 number that they claim you need to call immediately.
If you do, two things may happen:
1) You get to talk right away with a real internet criminal, usually with a foreign accent, who tries to scam you. They claim there is a problem with your computer, "fix" it, and ask for your credit card.
2) You get sent to voice mail and kept there until you hang up, but your phone number was put in a queue and the bad guys will call you and try the same scam.
Remember, if you get any emails that either promise something too good to be true, OR look like you need to prevent a negative consequence, Think Before You Click and in this case before you pick up the phone.
If you decide to call any vendor, go to their website and call the number listed there. Never use a phone number from any email you may have received. Here is a real example of such a call. Don't fall for it! http://cdn2.hubspot.net/hubfs/241394/phone_phish.mp3
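The scam described above combines three things a mail filter can look for: the wording of a genuine security notification, an urgency cue, and a toll-free number that does not match the number published on the vendor's own website. The script below is an added example written for this newsletter, not KnowBe4 code; the vendor support numbers, the phrase lists and the sample email are all constructed placeholders, and the toll-free prefixes are the real North American ones.

```python
import re
from dataclasses import dataclass

# Toll-free prefixes in the North American Numbering Plan.
TOLL_FREE_PREFIXES = {"800", "888", "877", "866", "855", "844", "833"}

# Phrases copied from real security notifications (constructed list).
SECURITY_ALERT_PHRASES = (
    "unusual sign-in activity",
    "suspicious activity",
    "verify your account",
    "account has been locked",
    "unknown device",
)
# Pressure cues that push the reader to act before thinking (constructed list).
URGENCY_PHRASES = ("immediately", "within 24 hours", "call now")

# Constructed allowlist: the support numbers looked up on each vendor's own
# website. These are placeholder values, not any vendor's real numbers.
VENDOR_SUPPORT_NUMBERS = {
    "microsoft": {"8005550100"},
    "paypal": {"8885550199"},
}

# Matches US-style numbers with an optional leading 1 and common separators.
PHONE_RE = re.compile(
    r"(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})"
)


@dataclass
class Verdict:
    toll_free_numbers: list
    unlisted_numbers: list
    alert_phrases: list
    urgency_phrases: list
    score: int


def extract_numbers(text):
    """Return every phone number in the text as a bare 10-digit string."""
    return [a + b + c for a, b, c in PHONE_RE.findall(text)]


def triage(body, claimed_vendor):
    """Score an email body that claims to come from `claimed_vendor`."""
    body_l = body.lower()
    toll_free = [n for n in extract_numbers(body) if n[:3] in TOLL_FREE_PREFIXES]
    known = VENDOR_SUPPORT_NUMBERS.get(claimed_vendor.lower(), set())
    unlisted = [n for n in toll_free if n not in known]
    alerts = [p for p in SECURITY_ALERT_PHRASES if p in body_l]
    urgency = [p for p in URGENCY_PHRASES if p in body_l]

    score = 0
    if alerts:
        score += 1
    if urgency:
        score += 1
    # The combination this scam depends on: alert wording plus a toll-free
    # number that the vendor does not publish.
    if alerts and unlisted:
        score += 3
    return Verdict(toll_free, unlisted, alerts, urgency, score)


# Constructed sample of the phish described in the article.
SAMPLE_PHISH = (
    "We detected unusual sign-in activity on your Microsoft account. "
    "Call 1-800-555-0123 immediately to secure your account."
)
# Constructed benign notice: same wording, but the number matches the allowlist
# and there is no pressure to act.
SAMPLE_BENIGN = (
    "We detected unusual sign-in activity on your Microsoft account. "
    "If this was not you, support is available at (800) 555-0100."
)

if __name__ == "__main__":
    for label, body in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, triage(body, "Microsoft"))
```

A score of 4 or more is the combination worth quarantining or routing to a human. The allowlist is the operational piece: it has to be built from numbers an analyst looked up on the vendor site, exactly as the advice above tells users to do, never from numbers seen in mail.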
The Numbers Are Against You And The FBI Is Outgunned
So, let's do a quick analysis of the cyber battlefield here. What are the bad guys up to? Check Point Software provided some fresh data a few days ago, which gives us the correct order of magnitude of what we are dealing with here. This by the way is great ammo to get more IT security budget.
- 205 Billion emails sent every day
- 39% of attachments contain malicious files
- 34% of links embedded in emails are malicious
- 77% of all malware is installed via email
- Malware by file type: 52% are PDF, and 44% are EXE format
Now, how about the good guys? What are the Law Enforcement resources at our disposal to protect us against this digital onslaught? I found a September 7, 2016 interview with FBI Special Agent Lawrence Wolfenden who provided some worrisome stats.
He said: “Accept that a breach is going to occur, the issue is, what do you do about it.” That in itself is nothing new, but here are some interesting numbers:
The FBI has about 800 cyber agents, including 600 agents who conduct investigations, so the agency doesn’t have the ability to address every attack, and must triage the most significant ones.
By law, a 5,000 dollar loss must occur before the FBI can get involved in a case, but as a practical matter, the U.S. Attorney’s Office wants to see about 50,000 dollars or more in losses before the FBI gets involved, and the agency itself generally wants to see 100,000 to 200,000 dollars of loss before it can justify spending investigative resources, Wolfenden said.
In other words, if you get infected with ransomware and the ransom is less than 100-200K, you are on your own. Good thing to know.
Special Agent Wolfenden came up with three things you need to do to protect your network. We listed them at the KnowBe4 Blog: https://blog.knowbe4.com/tampa-fbi-your-business-is-going-to-get-hacked-or-get-infected-with-ransomware
Seagate Sued By Own Employees For CEO Fraud Attack
Hard drive manufacturer Seagate was sued by its own employees as the result of a successful CEO fraud attack in which the personal information of 10,000 current and former employees was stolen. Seagate's lawyers defend the company, claiming that the organization is not responsible for data leaks and that the attack was unexpected. Really?
http://www.law360.com/articles/838218/seagate-says-it-didn-t-see-phishing-scam-coming
The confidential information includes social security numbers, salary details, and W-2 tax information: essentially all that is required to steal someone's identity. Seagate divulged that all this information was stolen by socially engineering an employee in HR, who sent all the information to the bad guys thinking the request was legit.
In April, a group of employees decided to sue Seagate with a class-action complaint. Here is the PDF with the lawsuit:
https://cases.justia.com/federal/district-courts/california/candce/3:2016cv01958/297715/28/0.pdf
from the US District Court of Northern California. Why did they decide to sue?
The data was almost immediately used to file fraudulent tax returns
Top Class Action said: "The class action claims that employees are already falling victim to identity theft from the private information leak. The complaint alleges that “Almost immediately, the cybercriminals exploited Seagate’s wrongful actions and filed fraudulent federal and state tax returns in the names of the Employees.” The complaint also notes that some of those fraudulent tax returns were filed as joint returns, meaning that the hackers also have at least the social security numbers of employees’ spouses.
"The Seagate employee data breach class action lawsuit asserts that the cyber-criminals “may continue to exploit the data themselves and/or sell the data in the so-called ‘dark markets,’” and that “the Employees and Third-Party Victims are now, and for the rest of their lives will be, at a heightened risk of identity theft.”
The case is scheduled to be heard September 22, 2016 and rest assured we will report on this when there is news.
And we also strongly recommend phishing your own users to prevent these types of very expensive snafus.
Don’t Miss The September Live Demo: New-School Security Awareness Training
Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old-school Security Awareness Training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.
Join us on Wednesday, September 14, 2016, at 2:00 p.m. (EDT) for a 30-minute live product demonstration of the innovative Kevin Mitnick Security Awareness Training Platform. See the latest features and how easy it is to train and phish your users:
- Send Phishing Security Tests to your users and get your Phish-prone percentage.
- Roll out Training Campaigns for all users (or groups) with automated follow-up emails to “nudge” incomplete users, as well as point-of-failure training auto-enrollment.
- Advanced Reporting to watch your Phish-prone percentage drop, with great ROI.
- NEW EZXploit™ functionality that allows an internal, fully automated "human pentest”.
- NEW USB Drive Test™ allows you to test your user’s reactions to unknown USBs found.
Find out how thousands of organizations have mobilized their end-users as their first line of defense. Register Now: https://attendee.gotowebinar.com/register/7414801130161859586
Having Some Phun With Phishers - CEO Fraud Blow-By-Blow
For the last 9 years I have been a board member of the public/private Clearwater Downtown Partnership. As with many public organizations, all the board member information is readily available through the website.
So, some half-smart phishing scammer sent me a CEO fraud email, demanding I send money urgently to a bank account. Checking the headers made it clear as daylight that it was a fraud. I decided to see how long we could keep that going; here is the whole email exchange blow-by-blow. Enjoy! https://blog.knowbe4.com/having-some-phun-with-phishers-ceo-fraud-blow-by-blow
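The header tells the author mentions are the same ones a mail gateway can check automatically for CEO fraud: an executive's display name on an address outside the organization's domain, and Reply-To or Return-Path domains that differ from the From domain. The following is an added example, not code from KnowBe4 or from the blog post linked above; the organization domain, the protected executive name and the two sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.org"            # constructed: the organization's own domain
EXECUTIVE_NAMES = {"pat example"}     # constructed: display names worth protecting


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def header_findings(raw_message):
    """Return a list of CEO-fraud indicators found in the message headers."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_domain = _domain(from_addr)

    findings = []
    # Display-name impersonation: a protected name on an external address.
    if from_name.strip().lower() in EXECUTIVE_NAMES and from_domain != ORG_DOMAIN:
        findings.append("executive display name on external domain")
    # Replies would go somewhere other than the apparent sender.
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append("Reply-To domain differs from From domain")
    # Bounces would go somewhere other than the apparent sender.
    if return_path and _domain(return_path) != from_domain:
        findings.append("Return-Path domain differs from From domain")
    return findings


# Constructed CEO fraud sample: executive's name, lookalike sender domain,
# replies routed to a throwaway mailbox.
SAMPLE_FRAUD = """\
From: "Pat Example" <pat.example@mail-example-ceo.com>
Reply-To: ceo.pat.example@freemail.invalid
Return-Path: <bounce@freemail.invalid>
To: treasurer@example.org
Subject: Urgent wire transfer

I need a wire processed today. Are you at your desk?
"""

# Constructed legitimate sample: same person, organization's own domain.
SAMPLE_LEGIT = """\
From: "Pat Example" <pat.example@example.org>
To: treasurer@example.org
Subject: Board meeting agenda

Attached is the agenda for Thursday.
"""

if __name__ == "__main__":
    print("fraud:", header_findings(SAMPLE_FRAUD))
    print("legit:", header_findings(SAMPLE_LEGIT))
```

Any one of these findings on a message that also asks for a payment is enough to hold it for review; the combination of all three is what the author saw. The check is deliberately limited to headers the receiving server records itself, so a sender cannot remove the evidence.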
44% Of CSOs Of Financial Services Increase Awareness Training Budget
Great DARKReading article about the shifting mindset of Financial Services CSOs. One part was particularly noteworthy:
"Training employees to be the first line of defense: Security professionals in the financial sector recognize that when it comes to protecting their firms, employees can be an asset in the fight against cyber attacks.
"Forty-four percent of CISOs stated that they’ve increased the amount of security awareness training employees receive. They’ve also boosted their investments in training for security staff. When everyone at the company understands that security is a priority and what they can do to keep the firm safe, security professionals sleep better at night.
"Overall, this mindset shift is a positive development. CSOs at financial services organizations are being realistic about their firms’ strengths and weaknesses. They’ve realized that relying solely on technology to prevent attacks isn’t an effective approach; security requires everyone at an organization to do their part." More: http://www.darkreading.com/vulnerabilities---threats/the-shifting-mindset-of-financial-services-csos/a/d-id/1326836
And Financials are not alone. A majority of healthcare leaders are elevating cybersecurity as a priority, according to HIMSS.
As cybercriminals continue to assault the healthcare industry, most health executives are elevating data security as a business priority, according to the 2016 HIMSS Cybersecurity Survey, released Tuesday.
Eighty-five percent of the report’s 150 surveyed IT security leaders are increasing cybersecurity awareness, motivated by potential phishing attacks (80 percent of acute care providers, 65 percent non-acute); viruses or malware (68 percent acute, 65 percent non-acute); and risk assessment results (64 percent acute, 77 percent non-acute). More: http://www.healthcareitnews.com/news/majority-healthcare-leaders-elevating-cybersecurity-priority-according-himss
Last but not least, here is a look into the HIPAA Guidelines for Ransomware Incidents. Count on this filtering out to other regulations like GLBA, SOX and potentially PCI-DSS: http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/healthcare-for-ransom-a-look-into-the-hipaa-guidelines-for-ransomware-incidents
Warm Regards, Stu Sjouwerman